Symbolic Controller Synthesis for LTL Specifications by Morgenstern, Andreas
Andreas Morgenstern
February 2010
Dissertation approved by the Department of Computer Science of the Technische Universität Kaiserslautern
for the award of the academic degree
Doktor der Ingenieurwissenschaften (Dr.-Ing.)
Date of the oral examination: 12.02.2010
First reviewer: Prof. Dr. Klaus Schneider
Second reviewer: Prof. Dr. Roderick Bloem
D 386
Abstract
It is an old dream in computer science to automatically generate a system from a formal specification, or at least to automatically check whether a system is guaranteed to satisfy a specification. The second problem is known as the verification problem, and powerful tools exist that automatically check the correctness of a system with respect to a given declarative specification.

In this thesis we consider the first problem with respect to a given declarative specification in linear temporal logic (LTL). We refer to this problem as the controller synthesis problem, while others prefer names like 'realizability' or 'supervisor synthesis'. The controller synthesis problem is to check whether an (incomplete) implementation of a system can be refined by a controller such that a given property holds, and if so, to automatically construct this controller. Although the idea of automatically synthesizing an implementation from a formal declaration is nearly 50 years old, it has not yet made its way into practice.

A major breakthrough in verification was achieved by considering symbolic representations of states and transitions as propositional formulas, which led to the invention of symbolic model checking. With the advent of succinct data structures and efficient decision procedures for propositional formulas, which are at the heart of almost all approaches to hardware verification, it has become possible to verify complex systems.

The currently available procedures for the controller synthesis problem consist of two steps. Similar to verification, the first step translates the LTL formula to an equivalent nondeterministic ω-automaton. While this automaton can be used directly for symbolic model checking, only deterministic automata (or pseudo-deterministic automata like the good-for-games automata) can be used for constructing a controller. Hence, the second step involves a determinization of the obtained nondeterministic automaton, which is remarkably difficult for those kinds of ω-automata that are required in the general case. A major drawback of the currently known determinization procedures is their explicit representation of the automata. Since a translation from LTL to deterministic automata may lead to a state space of doubly exponential size in the length of the formula, these approaches are limited to very small LTL formulas with only few temporal operators.

Since symbolic methods have been the breakthrough in model checking, the research in this thesis focuses on approaches that can be implemented symbolically, e.g. with BDDs.

On the one hand, we concentrate on determinization procedures that are amenable to a symbolic implementation, and present two different determinization procedures. The first one determines the location of an LTL formula in the temporal logic hierarchy in order to avoid the considerably more difficult determinization constructions needed in the general case; instead, it uses a symbolic implementation of the Rabin-Scott subset construction or of the breakpoint construction to efficiently generate deterministic automata. It is well known that the automata generated from an LTL formula have special properties; our second determinization construction exploits such a property to obtain a symbolic determinization construction for full LTL.

On the other hand, another important ingredient for bringing controller synthesis from theory closer to practice is the use of minimization techniques. Here we concentrate on simulation-based minimization, since related techniques have been used successfully to minimize automata for the closely related model checking problem. In particular, we consider the minimization problem for parity automata and give solutions based on direct, reverse and fair simulation.
Acknowledgements
My thanks go to all who contributed in their own way to the success of my doctorate. In particular, I would like to thank Prof. Dr. Klaus Schneider, who gave me the opportunity to write this thesis. Without his advice and his support this work would never have come into being. For the second review I would like to thank Prof. Dr. Roderick Bloem, whose helpful comments contributed greatly to improving the thesis. My further thanks go to Prof. Dr. Markus Nebel, who made himself available as chair of the doctoral committee.
Furthermore, I would like to thank my colleagues in our research group, who gave me new food for thought in many discussions.
Finally, I would like to thank my family for their support over many years. Without the help of my parents, my wife Corinna and our son Lukas, I would probably never have finished this work.
Contents
1 Introduction 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Structure of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Preliminaries 11
2.1 Linear Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 ω-Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2.1 From Infinite Words to ω-Automata . . . . . . . . . . . . . . . 13
2.2.2 Symbolically Represented ω-Automata . . . . . . . . . . . . . 17
2.3 From LTL to Nondeterministic ω-Automata . . . . . . . . . . . . . . 18
2.3.1 From LTL to Unambiguous ω-Automata . . . . . . . . . . . . 19
2.4 Relating the Automata Hierarchy and the Temporal Logic Hierarchy 22
2.5 Infinite Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.5.1 Turn-Based Games . . . . . . . . . . . . . . . . . . . . . . . . 25
2.5.2 Controller Synthesis as a Two-Player Game . . . . . . . . . . 26
2.5.3 LTL-Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.6 Essentials of the Synchronous Programming Language Quartz . . . . 30
3 Minimization of ω-Automata 35
3.1 Simulation Relations as a Two-Player Game . . . . . . . . . . . . . . 36
3.1.1 The Basic Simulation Game . . . . . . . . . . . . . . . . . . . 37
3.1.2 Simulation Games as Turn-Based Games . . . . . . . . . . . . 41
3.2 Basic Properties of Simulation Relations . . . . . . . . . . . . . . . . 42
3.3 Quotient Constructions . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.3.1 Merging of States may Destroy Determinism . . . . . . . . . . 45
3.3.2 A Quotient Construction that Preserves Determinism . . . . . 45
3.4 Direct and Left-Hand Delayed Simulation . . . . . . . . . . . . . . . . 48
3.5 Reverse Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.5.1 Basic Properties of Reverse Simulation Relations . . . . . . . 54
3.5.2 Reducing Reverse Simulation Games to Turn-Based Games . . 55
3.5.3 Minimizing ω-Automata with Reverse Direct and Left-Hand
Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.5.4 Reverse Right-Hand Delayed Simulation . . . . . . . . . . . . 58
3.6 Fair Simulation for Co-Büchi Automata . . . . . . . . . . . . . . . . . . . . . 59
3.7 Fair Simulation for Parity Automata . . . . . . . . . . . . . . . . . . 61
3.7.1 Merging States using Fair Simulation . . . . . . . . . . . . . . 62
3.7.2 Removing Edges using Fair Simulation . . . . . . . . . . . . . 64
3.7.3 A Fair Minimization algorithm . . . . . . . . . . . . . . . . . 65
4 Symbolic Determinization via the Automaton Hierarchy 67
4.1 A Semi-Symbolic Subset Construction . . . . . . . . . . . . . . . . . 68
4.2 A Semi-Symbolic Breakpoint Construction . . . . . . . . . . . . . . . 73
4.3 Removing Dependent Variables . . . . . . . . . . . . . . . . . . . . . 76
5 Symbolic Determinization via Unambiguous Büchi Automata 77
5.1 Properties of Unambiguous Automata . . . . . . . . . . . . . . . . . . 78
5.2 Determinizing Nonconfluent Automata . . . . . . . . . . . . . . . . . 81
5.3 Symbolic Implementation . . . . . . . . . . . . . . . . . . . . . . . . 88
6 Symbolic Controller Synthesis 93
6.1 The Averest Framework . . . . . . . . . . . . . . . . . . . . . . . . . 93
6.2 Why monolithic approaches fail . . . . . . . . . . . . . . . . . . . . . 94
6.3 A Modular Approach to Determinization . . . . . . . . . . . . . . . . 94
6.3.1 Handling Safety and Liveness formulas . . . . . . . . . . . . . 95
6.3.2 Handling Co-Büchi and Büchi specifications . . . . . . . . . . 96
6.3.3 Handling LTL Formulas that do not belong to a lower Borel Class 96
6.4 Solving Generalized Parity Games . . . . . . . . . . . . . . . . . . . . 97
6.5 Generating Circuits from BDDs . . . . . . . . . . . . . . . . . . . . . 98
7 Experimental Results 99
7.1 The Effect of Different Determinization Constructions . . . . . . . . . 99
7.2 The Effect of Minimization . . . . . . . . . . . . . . . . . . . . . . . . 104
7.2.1 Minimizing Co-Büchi Automata . . . . . . . . . . . . . . . . . 104
7.2.2 Minimizing Parity Automata . . . . . . . . . . . . . . . . . . . 110
7.3 AMBA AHB Case Study . . . . . . . . . . . . . . . . . . . . . . . . . 112
7.4 Dining Philosophers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
7.5 NIM Game . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
7.6 Island Traffic Control Problem . . . . . . . . . . . . . . . . . . . . . . 121
7.7 Synthesis of a Sorting Network . . . . . . . . . . . . . . . . . . . . . . 128
7.7.1 Zero-one Principle . . . . . . . . . . . . . . . . . . . . . . . . 130
7.7.2 Problems to Define Skeletons for Sorting Networks . . . . . . 131
7.7.3 A Skeleton for Sorting Networks . . . . . . . . . . . . . . . . . 133
7.7.4 Experimental Result for Sorting Networks . . . . . . . . . . . 134
8 Conclusion and Outlook 139

List of Figures
2.1 Nondeterministic Automaton for Until . . . . . . . . . . . . . . . . . 19
2.2 Nondeterministic Automaton for Next . . . . . . . . . . . . . . . . . 19
2.3 Run Tree with a Uniquely Determined Run of the Automaton of Fig. 2.1 . . . 21
2.4 Run Tree with Two Runs of the Automaton of Fig. 2.1 . . . . . . . . 21
2.5 Automaton for the Conjunction of Finitely Many Fairness Constraints 22
2.6 Hierarchy of ω-automata and Temporal Logic Hierarchy . . . . . . . . 23
2.7 Classes of Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . 23
2.8 A Parity Game for which simple Pre-Operators fail . . . . . . . . . . 29
3.1 Defining Strategies for the Basic Simulation Game . . . . . . . . . . . 40
3.2 Merging of Fair Simulation Equivalent States may Destroy Determinism 45
3.3 Determinism is Preserved by Replacing Edges . . . . . . . . . . . . . 46
3.4 The Difference between Canonical Quotient and Successor Quotient . 47
3.5 Defining Strategies using the Puppeteer Metaphor . . . . . . . . . . . 50
3.6 A Büchi automaton that is not safe under minimization chosen with reverse left-hand delayed simulation . . . 59
3.7 Strategy for the Automaton from Figure 3.6 . . . . . . . . . . . . . . 60
3.8 Problematic Family of Co-Büchi Automata for Fair-Simulation . . . . 61
4.1 Nondeterministic Safety Automaton . . . . . . . . . . . . . . . . . . . 72
4.2 Deterministic Safety Automaton for Figure 4.1 . . . . . . . . . . . . . 73
4.3 Nondeterministic Co-Büchi Automaton for F (a ∧ G¬b) . . . . . . . . 75
4.4 Deterministic Co-Büchi Automaton for F (a ∧ G¬b) . . . . . . . . . . 76
5.1 Situation in the proof of Lemma 4 . . . . . . . . . . . . . . . . . . . . 79
5.2 A Nonconfluent Automaton that is Ambiguous . . . . . . . . . . . . . 79
5.3 Determinizing Non-Confluent Automata . . . . . . . . . . . . . . . . 84
5.4 Another Example for the Determinization of Non-Confluent Automata 91
5.5 Deterministic Automaton for the Automaton of Figure 5.4 . . . . . . 92
7.1 Experiments performed with different Determinization Constructions 101
7.2 Experiments with nonconfluent Determinization . . . . . . . . . . . . 103
7.3 Experiments performed with forward simulation relations on Co-Büchi Automata . . . 105
7.4 The effect of reverse simulation . . . . . . . . . . . . . . . . . . . . . 109
7.5 Minimizing parity automata . . . . . . . . . . . . . . . . . . . . . . . 111
7.6 Time Spent During Synthesis on the AMBA Case Study . . . . . . . 116
7.7 Experimental Result for Dining Philosophers . . . . . . . . . . . . . . 118
7.8 Experimental Result for the NIM Game . . . . . . . . . . . . . . . . 122
7.9 Island Traffic Control Problem . . . . . . . . . . . . . . . . . . . . . . 123
7.10 Running Time on the ITC Case Study . . . . . . . . . . . . . . . . . 128
7.11 A Comparator Node . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
7.12 A Sorting Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
7.13 Upper and Lower bounds for optimal depth sorting networks . . . . . 130
7.14 Permutation matrix for the sorting network of Figure 7.12 . . . . . . 134
7.15 Time to synthesize a sorting network . . . . . . . . . . . . . . . . . . 136
7.16 The Synthesized Sorting Network for Array Size 3 and Depth 3 . . . 137
7.17 The Synthesized Sorting Network for Array Size 3 and Depth 4 . . . 137
7.18 The Synthesized Sorting Network for Array Size 4 and Depth 3 . . . 138
7.19 The Synthesized Sorting Network for Array Size 4 and Depth 4 . . . 138
1 Introduction
1.1 Motivation
In the last decades, the influence of computer systems on our everyday life has been growing constantly. As computer systems enter more and more safety-critical areas, their correctness is of urgent importance. Malfunctioning systems may lead to loss of life if those systems are used in transportation or military systems, like the control of an aircraft or the controller of a cruise missile. Malfunctioning systems may also lead to loss of money: consider, for example, the Ariane 5 incident caused by a computer error, or the Pentium bug that made it necessary to exchange millions of malfunctioning processors. Another important area where computer systems play a vital role is the international financial market, where errors in computer systems may lead to the loss of billions of dollars.
Thus, one of the main challenges in computer science is the design of provably correct systems. Most of these safety-critical computer systems and protocols are reactive in nature, i.e. they are systems of non-terminating processes that interact with each other and with their environment over an infinite run. Parallelism and the incomplete view each process has of its environment make it difficult to analyze and design such systems correctly.
There are currently two main approaches to the design of systems that are guaranteed to satisfy a specification. The first approach is verification, which checks that a manually written implementation satisfies a specification. The second approach, which is followed in this thesis, is to automatically synthesize a correct implementation from a given declarative specification. We refer to this problem as the controller synthesis problem, while others prefer names like 'realizability' or 'supervisor synthesis'. In comparison to verification, the controller synthesis problem can be formulated as follows: the verification problem is to check, for a given implementation M and a given LTL property ϕ, whether M satisfies ϕ in any environment, which is usually written as M |= ϕ. The more general synthesis problem is to check whether an (incomplete) implementation M (which may also be only a model of the environment) can be restricted by a controller C such that a given property ϕ holds, i.e., whether there exists a system C such that (M ‖ C) |= ϕ holds. This means that the combined behavior of C and M has to satisfy ϕ in any environment.
For the specification of the temporal behavior of reactive systems, different kinds of specification logics including the µ-calculus, monadic second-order logics, ω-automata and temporal logics have been considered (see [91] for a recent overview), and powerful verification procedures are already available. In particular, model checking of linear-time temporal logic LTL [80, 24] has become one of the most convenient standard verification techniques. To check whether a system M satisfies an LTL property ϕ, the negation ¬ϕ is usually first translated to an equivalent nondeterministic ω-automaton A¬ϕ, so that the emptiness of the product M × A¬ϕ can be checked in a second step. Algorithms that translate LTL formulas to symbolically represented nondeterministic ω-automata have been developed [106, 21, 53, 90, 91, 10] to benefit from symbolic set representations [13]. For an LTL formula ϕ, these procedures compute in time O(|ϕ|) a symbolic description of a nondeterministic ω-automaton Aϕ; this description has size O(|ϕ|) and encodes O(2^|ϕ|) states. (Symbolically represented nondeterministic ω-automata are related to alternating ω-automata [105], but they are not the same.) As the use of symbolic methods in verification was the major breakthrough for handling real-world problems, the computation of symbolic descriptions of the automata is, from a practical point of view, very important for dealing with large state spaces.

In general, there are two approaches to the synthesis problem for LTL specifications: the first is based on a reduction to the emptiness problem of ω-tree automata [81], and the second on a reduction to the solution of ω-regular games [16, 37]. While in principle the two approaches are equivalent, there are subtle differences.

In this thesis, we follow the second approach: the controller synthesis game is played by two players, the controller C and its environment E. While the environment E tries to violate the specification ϕ, the controller C tries to satisfy it. The controller C wins if it manages to determine the system's state such that, irrespective of the actions chosen by E, the combined behavior E ‖ M ‖ C satisfies the specification ϕ.

In contrast to the verification problem, the solution of games with LTL winning conditions is so far not well supported by tools. The currently available procedures consist of two steps. Similar to verification, the first step translates the LTL formula ϕ to an equivalent nondeterministic ω-automaton Aϕ. While this automaton Aϕ can be used directly for symbolic model checking, only deterministic automata (or pseudo-deterministic automata like the good-for-games automata [46]) can be used for constructing an ω-regular game from the obtained automaton Aϕ and the incomplete implementation M. Hence, the second step involves a determinization of Aϕ, which is remarkably difficult for those kinds of ω-automata [102, 91] that are required in the general case. In particular, Safra's construction [88] is often used, which (in the worst case) generates for a Büchi automaton with n states an equivalent deterministic Rabin automaton with 12^n · n^(2n) states and n acceptance pairs. However, Safra's construction is extremely difficult to implement [54] and not amenable to a symbolic implementation, and therefore no powerful tools exist. In particular, a major drawback of the proposed implementations of Safra's construction is that they use an explicit representation of the automata, since the states of Safra's automaton are trees whose nodes are labeled with sets of states. As a consequence, they are limited to very small LTL formulas with only few temporal operators.
Since symbolic methods have been the breakthrough in model checking, the research in this thesis focuses on approaches that can be implemented symbolically, e.g. with BDDs. On the one hand, we concentrate on determinization procedures that are amenable to a symbolic implementation. On the other hand, another important ingredient for bringing controller synthesis from theory closer to practice is the use of minimization techniques; here we concentrate on simulation-based minimization, since related techniques have been used successfully to minimize automata for the closely related model checking problem.
1.2 Related Work
The history of controller synthesis started with a seminal paper of Church [20] in 1962 that considered the synthesis problem for specifications written in the monadic second-order theory of one successor (S1S). Given a relation R ⊆ (2^I)^ω × (2^O)^ω that is represented by a formula in S1S, Church's problem is to find a strategy γ : (2^I)^* → 2^O that generates, for every finite sequence i(0) i(1) … i(t−1) ∈ (2^I)^* of input signals read so far, a response in 2^O such that the specification is satisfied. Hence, for an input sequence i = i(0) i(1) ··· ∈ (2^I)^ω, the strategy generates a sequence of output signals o = o(0) o(1) ··· ∈ (2^O)^ω with o(t) = γ(i(0) i(1) … i(t−1)) for every t, and this pair has to satisfy the specification, i.e. (i, o) ∈ R must hold. Church's problem was solved independently by Rabin [82] using tree automata and by Büchi and Landweber [16] using infinite games. Since those seminal works, the close relation between finite automata over infinite objects and finite games of infinite length has become apparent [39], and the two areas have often inspired each other.
In the meantime, the verification community developed easy-to-grasp specification logics like the linear temporal logic LTL [80] and the branching-time logic CTL [24]. It is a long-standing debate which of the two to favor [107]. While the model checking problem of CTL can be solved in linear time, its restricted syntax makes writing specifications in CTL rather complicated. Specifying is easier in LTL, with the drawback that the complexity of the model checking problem rises from linear time to PSPACE [96]. Despite this high theoretical upper bound, model checking of LTL has become more successful than CTL model checking.
Inspired by those developments of new specification languages, progress was also made in the context of synthesis. Closed synthesis is the case of a single process without any interaction with the environment. It was solved in the early 80s for CTL [25], LTL [112] and the modal µ-calculus [56] by a reduction to the satisfiability problem of the corresponding logic. Open synthesis concerns systems that interact with their environment and is thus suitable for the synthesis of reactive systems. In the late 80s, Pnueli and Rosner [81] provided a solution to the open synthesis problem for LTL by a reduction to the emptiness problem of Rabin tree automata. Furthermore, Rosner proved the problem to be 2EXPTIME-complete [86]. The first exponent is due to the translation of LTL to nondeterministic Büchi automata and the second to the required determinization step.

At the same time, Ramadge and Wonham [85] introduced the problem of controller synthesis, which deals with the construction of a controller for a plant. They considered simple safety specifications of the form Gϕ and showed that the controller synthesis problem for this restricted class is solvable in linear time.
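The safety case can be made concrete with a small explicit game solver. The following Python is an added example written for this page, not code from the thesis or from its Averest implementation, and it uses the two-player game formulation of Section 1.1 (environment picks an input, controller answers with an output) rather than Ramadge and Wonham's discrete-event formalism. The plant M, a two-client arbiter with a bounded-response deadline, and the set of bad states encoding Gϕ are constructed here purely for illustration. The solver computes the environment's attractor of the bad states with the standard counter-based algorithm, which is linear in the size of the arena, and extracts from the remaining states a memoryless controller C with (M ‖ C) |= Gϕ.

```python
from collections import deque
from itertools import product

# Constructed plant M (an assumption for this example): a two-client arbiter that
# must never grant both clients at once, never grant without a pending request,
# and must grant every request within DEADLINE steps.  State = (w1, w2), where
# w_i is the number of steps client i has been waiting (0 = no pending request).
DEADLINE = 3
BAD = "bad"                                        # sink state: G phi is violated
INPUTS = list(product((False, True), repeat=2))    # environment chooses (r1, r2)
OUTPUTS = list(product((False, True), repeat=2))   # controller chooses (g1, g2)
STATES = [BAD] + list(product(range(DEADLINE), repeat=2))


def step(state, inp, out):
    """Plant transition delta(state, inp, out); returns BAD when G phi is violated."""
    if state == BAD:
        return BAD
    g1, g2 = out
    if g1 and g2:                                  # mutual exclusion violated
        return BAD
    nxt = []
    for w, r, g in zip(state, inp, out):
        if g:
            if w == 0:                             # grant without a pending request
                return BAD
            nxt.append(1 if r else 0)              # a new request may arrive at once
        else:
            w2 = w + 1 if w > 0 else (1 if r else 0)
            if w2 >= DEADLINE:                     # request waited too long
                return BAD
            nxt.append(w2)
    return tuple(nxt)


def solve_safety_game(states, inputs, outputs, delta, bad):
    """Environment attractor of `bad` plus a controller strategy on the rest.

    The game is turn based: in state s the environment picks an input i, then the
    controller picks an output o, and the plant moves to delta(s, i, o).  A node
    (s, i) is lost once *every* output leads into the attractor; a state s is lost
    once *some* input i makes (s, i) lost.  Counting the outputs still unaccounted
    for per (s, i) visits every edge once, hence linear time in the arena.
    """
    preds = {s: [] for s in states}                # successor -> (s, i) nodes
    remaining = {}                                 # (s, i) -> outputs not yet lost
    for s in states:
        if s == bad:
            continue
        for i in inputs:
            remaining[(s, i)] = len(outputs)
            for o in outputs:
                preds[delta(s, i, o)].append((s, i))
    attractor = {bad}
    worklist = deque([bad])
    while worklist:
        t = worklist.popleft()
        for (s, i) in preds[t]:
            remaining[(s, i)] -= 1
            if remaining[(s, i)] == 0 and s not in attractor:
                attractor.add(s)                   # env plays i, controller cannot escape
                worklist.append(s)
    winning = {s for s in states if s not in attractor}
    # Memoryless strategy: any output that stays inside the winning region is safe,
    # because the winning region is closed under such moves by construction.
    strategy = {
        (s, i): next(o for o in outputs if delta(s, i, o) in winning)
        for s in winning for i in inputs
    }
    return winning, strategy


def closed_loop_run(delta, strategy, start, input_sequence):
    """Run M || C on a constructed input sequence and return the visited states."""
    trace = [start]
    for i in input_sequence:
        trace.append(delta(trace[-1], i, strategy[(trace[-1], i)]))
    return trace


if __name__ == "__main__":
    W, C = solve_safety_game(STATES, INPUTS, OUTPUTS, step, BAD)
    print(sorted(W, key=str))
    print(closed_loop_run(step, C, (0, 0), [(True, True), (False, False), (True, True)]))
```

The only losing plant state apart from the sink is (2, 2): both clients are one step from their deadline and the controller may grant only one of them. Every other state is winning, and the extracted strategy keeps the closed loop out of (2, 2) even under an adversary that requests in every step.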
One possibility to overcome the complexity issues of LTL synthesis is to consider restricted classes of LTL. E.g., [63, 3] consider restricted classes of LTL in order to obtain deterministic automata of less than doubly exponential size. Wallmeier et al. [110] developed a synthesis algorithm for request-response specifications, which are of the form G(ϕ_i → Fψ_i) for multiple i, and obtained a synthesis procedure of only exponential complexity. Piterman et al. proposed in [79] an approach to synthesize generalized Streett formulas of rank 1, i.e. formulas of the form

$$\Big(\bigwedge_{i=0}^{N} \mathbf{G}\mathbf{F}\,\varphi_i\Big) \rightarrow \Big(\bigwedge_{j=0}^{M} \mathbf{G}\mathbf{F}\,\psi_j\Big).$$

Their algorithm runs in time K^3, where K is the size of the state space of the design. If a collection Φ_i of LTL formulas representing assumptions on the environment and a collection Ψ_j of formulas representing guarantees for the controller can all be represented by deterministic Büchi automata, this approach can be used to obtain a synthesis procedure for

$$\Big(\bigwedge_{i=0}^{N} \Phi_i\Big) \rightarrow \Big(\bigwedge_{j=0}^{M} \Psi_j\Big).$$

In [11, 12, 50] Bloem et al. developed the tool 'Anzu' for the synthesis of specifications of this form. To this end, a deterministic Büchi automaton (termed a monitor there) has to be generated manually for each formula Φ_i and Ψ_j. Generating a deterministic automaton manually is considerably hard in general [59], since it also involves a determinization step. Another drawback is that the specification is then no longer an easy-to-grasp property in linear temporal logic but instead a deterministic monitor. This adds another potential source of errors, since the equivalence between the original specification and this deterministic monitor is in most cases not obvious at all. Although most specifications can be brought into the proper form (we want to emphasize, however, that the set of specifications considered there is much smaller than the set of specifications considered by us in Chapter 4), it is not possible to obtain a synthesis procedure for full LTL from that approach.
Work concentrating on the synthesis of full LTL is rare. One reason for the high complexity of LTL synthesis is the determinization step. Emerson and Sistla developed in [27] a determinization procedure specifically for the Büchi automata that stem from LTL formulas. They made the useful observation that those automata have a special structure, which we term nonconfluent in Chapter 5. Using this property, they obtained a determinization procedure that transforms nonconfluent automata to deterministic Rabin automata with a (necessary [59]) exponential blowup. Since the states of this deterministic Rabin automaton are trees that encode different runs of the nondeterministic automaton, this procedure is not amenable to a symbolic implementation. In 1988, Safra [88] presented the first determinization procedure for arbitrary Büchi automata that is asymptotically optimal. The main disadvantage of Safra's solution is that the states of the obtained deterministic Rabin automaton are trees of subsets of states of the original nondeterministic automaton, which makes a symbolic implementation hard. Only recently, nearly 20 years after its publication, has Safra's construction been implemented [54]. However, since an explicit representation of the deterministic automaton is used, this tool is limited to small LTL formulas with only few temporal operators. The same disadvantage of not being amenable to a symbolic implementation also holds for the other variants of Safra's construction that were given later, e.g. by Muller and Schupp [75] and by Piterman [78].

Since the determinization step seems to be one major hurdle for the synthesis of full LTL, a recent research trend is to replace determinization by lightweight 'pseudo'-determinization procedures. In [60] Kupferman and Vardi present an approach that avoids Safra's determinization and goes through universal co-Büchi word automata and weak alternating tree automata instead. This approach has been refined in a couple of works [58] to allow compositional synthesis, and also to allow controller synthesis [57]. (The main disadvantage regarding controller synthesis is that the bound used in this so-called Safraless approach also depends on the number of states of the system, which is typically much larger than the specification. Hence a good approximation of the number of states of the system is needed, otherwise the bound becomes too large to be reasonable.) Jobstmann and Bloem developed in [49] optimizations for this Safraless approach and built the tool 'Lily'. This tool was the first implementation able to synthesize designs that satisfy arbitrary LTL specifications. Although Kupferman and Vardi's approach is potentially amenable to a symbolic implementation, the tool 'Lily' is implemented explicitly and is thus also limited to small LTL formulas.

In [46], Henzinger and Piterman introduced nondeterministic automata that are good for games (GFG). These automata fairly simulate their deterministic equivalents and can be used to solve the game as a replacement for deterministic automata. An algorithm is given in [46] that constructs GFG automata from nondeterministic Büchi automata. Since this construction may be implemented symbolically, it is expected to perform better in practice. However, I am not aware of an implementation of this construction.
For simpler classes of ω-automata like safety or co-Büchi automata, simpler determinization procedures can be used. In particular, the Rabin-Scott subset construction can be used to determinize safety automata, and Miyano and Hayashi's breakpoint construction can be used to perform this task for co-Büchi automata. There are already symbolic versions of variants of the subset and breakpoint constructions [5, 10]. In [10], procedures are described to compute a symbolically represented nondeterministic automaton from an alternating automaton, i.e., a nondeterminization procedure. Although there are some similarities to the procedure given in Chapter 4, nondeterminization of alternating automata and determinization of nondeterministic automata are different problems for ω-automata [105]. Closer to our determinization procedure is [5], which generates a deterministic automaton for the safety fragment and thus implements the subset construction. However, they also start with an alternating automaton, which is then translated to an explicitly represented nondeterministic automaton. The nondeterministic automaton is generated on the fly, thus avoiding the construction of the whole explicit automaton. However, this step crucially relies on a translation from alternating automata to the corresponding nondeterministic automata, while our procedure is independent of the preceding translation from temporal logic to nondeterministic automata. In particular, it is not obvious how the work of [5] could be generalized to more expressive classes like co-Büchi automata.
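The two constructions named above, the subset construction for safety automata and the breakpoint construction for co-Büchi automata, are shown here on explicit automata as an added example written for this page; it is not the thesis's symbolic, BDD-based implementation from Chapter 4, only an explicit version of what those procedures compute. Both input automata are constructed for illustration: a nondeterministic safety automaton for G(a → X b) ∨ G(a → X c), whose only nondeterminism is the initial guess of the disjunct, and a nondeterministic co-Büchi automaton for F(a ∧ G¬b) built directly from the formula (Figure 4.3 of the thesis draws an automaton for the same formula; the exact shape used here is an assumption). Acceptance is decided on ultimately periodic words, which suffices to check a deterministic ω-automaton on a given lasso.

```python
from itertools import product


def alphabet(*aps):
    """The alphabet 2^AP: each letter is the frozenset of propositions that hold."""
    return [frozenset(p for p, on in zip(aps, bits) if on)
            for bits in product((0, 1), repeat=len(aps))]


def post(delta, states, letter):
    """Successor set of a set of NFA states under one letter."""
    return frozenset(t for q in states for t in delta(q, letter))


def subset_step(delta):
    """Rabin-Scott subset construction: a deterministic state is the set of NFA
    states reachable on the prefix read so far.  For a safety automaton (every
    state accepting) the empty set is the only rejecting state, and it is a sink."""
    return lambda S, letter: post(delta, S, letter)


def breakpoint_step(delta, F):
    """Miyano-Hayashi breakpoint construction for a nondeterministic co-Büchi
    automaton (an accepting run eventually stays in F).  A state is a pair (S, O):
    S is the subset-construction state and O ⊆ S ∩ F holds the runs that have stayed
    inside F since the last breakpoint.  When O runs empty (a breakpoint) it is
    refilled with S' ∩ F.  A word is accepted iff breakpoints happen only finitely
    often, i.e. iff some run stays in F forever from some point on."""
    def step(state, letter):
        S, O = state
        S2 = post(delta, S, letter)
        O2 = (post(delta, O, letter) & F) if O else (S2 & F)
        return (S2, O2)
    return step


def explore(start, step, letters):
    """Enumerate the reachable deterministic states and transitions explicitly."""
    seen, todo, trans = {start}, [start], {}
    while todo:
        s = todo.pop()
        for letter in letters:
            t = step(s, letter)
            trans[(s, letter)] = t
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen, trans


def accepts_lasso(start, step, rejecting, prefix, loop):
    """Run a deterministic automaton on the ultimately periodic word prefix·loop^ω.
    Accepted iff no rejecting state lies on the final cycle: this is the co-Büchi
    condition, and the safety condition when `rejecting` marks the empty sink."""
    s = start
    for letter in prefix:
        s = step(s, letter)
    at_boundary, trace = {}, []     # states seen at loop boundaries / every state
    while s not in at_boundary:
        at_boundary[s] = len(trace)
        for letter in loop:
            trace.append(s)
            s = step(s, letter)
    cycle = trace[at_boundary[s]:]
    return not any(rejecting(t) for t in cycle)


# Constructed safety NFA for G(a -> X b) v G(a -> X c).  A0/A1 track the first
# disjunct (A1 = "b is due now"), B0/B1 the second one with c.  The initial guess
# {A0, B0} is the only nondeterminism; a missing successor kills that run.
def safety_delta(q, letter):
    track, due = q[0], q[1] == "1"
    if due and ("b" if track == "A" else "c") not in letter:
        return set()
    return {track + ("1" if "a" in letter else "0")}


# Constructed NCW for F(a ∧ G¬b): q0 waits (loops on every letter) and guesses the
# position of a ∧ ¬b by moving to q1, which survives only while b stays false.
NCW_F = frozenset({"q1"})


def ncw_delta(q, letter):
    if q == "q0":
        return {"q0", "q1"} if ("a" in letter and "b" not in letter) else {"q0"}
    return {"q1"} if "b" not in letter else set()


def safety_dfa():
    start = frozenset({"A0", "B0"})
    step = subset_step(safety_delta)
    states, _ = explore(start, step, alphabet("a", "b", "c"))
    return start, step, states, (lambda S: not S)


def cobuchi_dcw():
    start = (frozenset({"q0"}), frozenset({"q0"}) & NCW_F)
    step = breakpoint_step(ncw_delta, NCW_F)
    states, _ = explore(start, step, alphabet("a", "b"))
    return start, step, states, (lambda st: not st[1])
```

The explicit exploration is what the symbolic versions avoid: the deterministic state (S, O) of the breakpoint construction is exactly the kind of object that is encoded with one BDD variable per NFA state in Chapter 4, whereas here every reachable pair is enumerated. On the small inputs above the subset construction yields seven reachable sets (including the empty sink) and the breakpoint construction two pairs, ({q0}, ∅) and ({q0, q1}, {q1}); the word (a b)^ω is rejected by the latter because the breakpoint state ({q0}, ∅) recurs on its cycle.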
Typically, specifications are not given as one large formula; instead they consist of several relatively small sub-formulas. In [98] an algorithm for LTL synthesis is presented that assumes that the overall specification is given as a conjunction of LTL formulas. Instead of determinizing the whole specification, the algorithm generates deterministic automata for the sub-formulas explicitly, using the approach of [78]. Those explicitly represented automata are then encoded symbolically to obtain a generalized parity game, which is solved using the generalized parity algorithm of [19]. Our algorithm assumes a similar setting: we also assume that the specification is a conjunction of LTL formulas, and determinization is performed only on the small sub-formulas in order to keep the sub-automata small. The automaton for the overall specification is then obtained by combining the deterministic automata. The main difference, however, is that we never represent the automata explicitly, so we expect our algorithm to scale better. Unfortunately, the tool of [98] is not publicly available, so we cannot make comparisons.
One of the most important applications of controller synthesis is error localization
and error correction [51, 52]. Whenever model checking detects that a (manually written)
implementation is faulty, the designer is often left alone to actually locate the error.
Although most model checkers generate a counterexample that shows why a specification
is violated, it is still hard to detect where the fault is actually
located. By iteratively replacing fault candidates with synthesized controllers (which
are guaranteed to satisfy the specification by construction), it is possible to give a
clue where the fault is actually located and even a hint how to fix the error. Although
fault localization is an important application, we do not treat this application in this
thesis and leave this for future work.
1.3 Structure of the Thesis
This section outlines the structure of this thesis. The core of this thesis is based on
several papers we published in recent years. Chapter 2 introduces the necessary
concepts to understand this work. This thesis consists of three different main parts.
Chapter 3 summarizes my work on the minimization of parity automata. Chapter 4
presents a determinization procedure based on the automata hierarchy [18] that has
been partly published in [72]. In Chapter 5, a new determinization procedure that is
amenable to a symbolic implementation is presented. To this end, we make use of the
fact that the automata obtained from LTL formulas have a special structure. This
chapter is based on [71]. In Chapter 6, the presented approaches are combined
to obtain an algorithm to solve controller synthesis problems. Finally, in Chapter 7
experiments performed with the obtained controller synthesis algorithm are listed.
1.4 Contributions
In the following section, the three main parts of this thesis are summarized. First, we
summarize the contributions regarding the minimization of parity automata. Then we
discuss the work done to translate a large fragment of LTL to symbolically represented
automata which is described in detail in Chapter 4. The third part of this thesis is
devoted to a new determinization procedure for a special class of automata that are
generated from LTL formulas, described in Chapter 5.
Minimizing Parity Automata
In the worst case, the generation of a deterministic automaton equivalent to a given
LTL formula may result in an automaton with O(2^(2^|ϕ|)) states. Minimizing automata
is thus especially beneficial for the intermediate nondeterministic automaton. Since
all our intermediate automata can be rather easily translated to parity automata, we
study the minimization problem for parity automata.
In this work, we study simulation relations [69] as a tool for minimizing automata.
Simulation relations capture the notion that the moves of one automaton can be
mimicked by the moves of another automaton. Our approach to simulation relations
is game-based and follows the ideas of [45, 28]. That is, we define simulation via a
game of two players, the Spoiler and the Duplicator. We say that an automaton sim-
ulates another automaton if the Duplicator, controlling the nondeterministic choices
of the first automaton, has a winning strategy against the Spoiler who controls the
nondeterministic choices of the second automaton.
We consider three notions of simulation relations that correspond to the respective
notions for Büchi automata. First, direct simulation for parity automata is introduced.
Although direct simulation is weaker than delayed simulation (it allows less
minimization), it might sometimes be more appropriate, since it can be calculated
in linear time whereas delayed simulation needs quadratic time. The second contribution
of this chapter is the presentation of reverse simulation for parity automata: first,
in the style of [99], as a direct simulation where a good transition in the simulated
automaton must be directly matched by a good transition in the simulating automaton;
second, in the relaxed notion of delayed simulation, where the match is postponed to
the future of the game⁵.
Finally, fair simulation for parity automata is considered. However, since we are
particularly interested in algorithms that are well suited for a symbolic implementation,
we do not consider a direct generalization of the results obtained in [40] regarding
the minimization of Büchi automata. The approach of [40] uses backtracking on
individual states to solve the minimization problem, which is not suitable for a
symbolic implementation. Nevertheless, Section 3.7 presents an algorithm that
efficiently performs fair simulation minimization with good minimization results.
In particular, all merges of states that are possible due to delayed simulation
are also detected by the algorithm introduced in this chapter.
Generating Deterministic ω-Automata for most LTL Formulas by Considering the Automata Hierarchy
It has already been outlined that a main ingredient of nearly all controller synthesis
algorithms is an efficient determinization procedure. The first determinization procedure
used in this thesis is based on the temporal logic hierarchy [65, 18, 90, 91].
It has been well known since [65] that for every formula from a class of the temporal
logic hierarchy, a deterministic automaton from the corresponding class exists. However,
it was previously unnoticed that by employing Boolean combinations of co-Büchi formulas,
we can avoid complex determinization procedures like the one invented by Safra. In order
to develop a Safraless determinization construction for every formula of the temporal
logic hierarchy, we proceed as follows:
⁵ For Büchi automata, the two notions are equivalent.
We first determine the class of the given LTL formula in the temporal logic hierarchy.
Every formula in this hierarchy turns out to be a boolean combination of formulas
that can be translated to nondeterministic co-Büchi⁶ automata. In [90, 91], algorithms
are presented that run in linear time and produce linear sized symbolic descriptions
of these co-Bu¨chi automata. After this step, we can use the well-known breakpoint
construction [70] of Miyano and Hayashi to determinize these automata and finally,
we compute the boolean closure of the obtained deterministic automata, which is
straightforward for deterministic automata.
Thus, we are able to translate every formula of the temporal logic hierarchy to an
equivalent deterministic ω-automaton (either Rabin or Streett). Due to results of [65],
we can moreover translate every LTL formula to a formula contained at least in the
highest class of this hierarchy. However, such a translation requires a determinization
step, and therefore, it is not useful for our purpose. Thus, we currently have the
restriction that given LTL formulas must already syntactically belong to one of the
classes of the hierarchy. In practice, we found that this is almost always the case,
and in some other cases, it was not too difficult to rewrite the formula to achieve this
membership (checking the equivalence of the rewritten LTL formulas is feasible by
model checking).
A major ingredient to obtain a symbolic determinization construction is investi-
gated in Chapter 4 where it is shown how the ordinary Rabin-Scott subset construction
[84] can be implemented in a semi-symbolic manner. For a given symbolically rep-
resented nondeterministic automaton that can be represented by BDDs, we directly
construct symbolic descriptions of the deterministic automata that are constructed by
the subset construction. Although we cannot avoid one exponential step (namely the
enumeration of the reachable states of the nondeterministic automaton), the symbolic
description of the deterministic automaton is obtained without building it explicitly.
Thus, we avoid the enumeration of the exponentially larger state
space of the deterministic automaton. All steps except for the enumeration of the
reachable states of the nondeterministic automaton are symbolically implemented.
A new Determinization Procedure for Unambiguous Büchi Automata
Although nearly all formulas commonly used in practice belong to one of the classes of
the temporal logic hierarchy (or can be rather easily translated to a formula belonging
to one of the classes), there may still be cases where such a manual rewriting step
is undesirable. In Chapter 5, therefore, a new determinization procedure is presented for
Büchi automata that stem from the translation of arbitrary LTL formulas by the ‘symbolic’
translation of [21]. It is well-known that the ω-automata that stem from
LTL formulas are a special class that has several characterizations. Many translation
procedures from LTL generate unambiguous automata [17] where every accepted word
has a unique accepting run [91, 2] (although there may be additional non-accepting
runs for the same word).
⁶ While Büchi automata demand that a run of a word must infinitely often visit a set of designated
states, co-Büchi automata impose the stronger requirement that designated states are only finitely
often visited.
The above unambiguous property allows us to develop a determinization procedure
that exploits symbolic set representations. In particular, it does not rely on Safra trees
as used by Safra’s original procedure [88] or by the improved version of Piterman [78].
The states of the deterministic automata obtained by these procedures are trees of
subsets of states of the original automaton. In contrast, our procedure generates
deterministic automata whose states consist of tuples of subsets of states, allowing a
straight-forward symbolic implementation.
2 Preliminaries
In this chapter, the necessary theoretical background for this thesis is described. We
give a short introduction to linear temporal logic, followed by an introduction to the
theory of ω-automata. Another paragraph of this introductory chapter is concerned
with the presentation of infinite games. Finally we give a short introduction to our
language quartz which is used to develop the examples of the experimental section.
2.1 Linear Temporal Logic
Linear temporal logic (LTL) [80] is a popular language for the specification of temporal
properties. In general, the formulas of a logic depend on the set of atomic formulas,
i. e. available variables and constants, and on the set of available operators. LTL
provides different kinds of operators that can be classified into the groups of boolean
operators and future and past temporal operators. In the following, we assume that
we are given a fixed set of variables V and provide the definitions with respect to this
set of variables.
We use the following standard set of boolean operators with the usual semantics:
1, 0 denote the constants true and false while ¬, ∧ and ∨ denote negation, conjunction
and disjunction. Common abbreviations are ϕ → ψ := ¬ϕ ∨ ψ and ϕ ↔ ψ := (ϕ →
ψ) ∧ (ψ → ϕ). We sometimes use ϕ̄ for ¬ϕ for a propositional formula ϕ. An
assignment ϑ over V is a subset of V. The set of propositional formulas over V is
denoted with L^V_Prop.
After having defined the propositional part of LTL, we can now formally define the
syntax:
Definition 1 (Syntax of Linear Temporal Logic LTL). The set of LTL formulas over
a set of variables V is the smallest set with the following properties:
• 1, 0 ∈ LTL
• V ⊆ LTL
• boolean operators: ¬ϕ, ϕ ∧ ψ, ϕ ∨ ψ∈ LTL, if ϕ, ψ ∈ LTL
• future temporal operators: Xϕ, [ϕ U ψ], [ϕ B ψ] ∈ LTL, if ϕ, ψ ∈ LTL
• past temporal operators: ←Xϕ (strong and weak previous), [ϕ ←U ψ], [ϕ ←B ψ] ∈ LTL, if ϕ, ψ ∈ LTL
The semantics of LTL is usually given with respect to a path through a structure
(i. e. a Kripke structure or an Automaton).
Definition 2 (Path). Given a set of atomic propositions V, an infinite path is a
function π : N → 2^V. For reasons of simplicity, π(i) is often denoted by π^(i) for i ∈ N.
Using this notation, paths are often given in the form π^(0)π^(1) . . . . The path starting
at t is given as (π, t) := π^(t)π^(t+1) . . .
Notice that a path as defined above is nothing but a sequence of assignments over
the variables V. The semantics of LTL is informally given as follows (see e. g. [91]
for a precise definition): Xϕ holds on a path π at position t0 if ϕ holds at position
t0 + 1 on the path. [ϕ U̲ ψ] holds at t0 iff ψ holds for some position δ ≥ t0 and ϕ holds
invariantly for every position t with t0 ≤ t < δ, i. e. ϕ holds until ψ holds. The weak
before operator [ϕ B ψ] holds at t0 iff either ϕ holds before ψ becomes true for the
first time after t0 or ψ never holds after t0.
In addition to the future time temporal operators, there are also the corresponding
past time temporal operators. These are defined analogously with the only difference
that the direction of the flow of time is reversed. For example, [ϕ ←U ψ] holds on a
path at position t0 iff there is a point of time δ with δ ≤ t0 such that ψ holds on that
path at position δ and ϕ holds for all positions t with δ < t ≤ t0. The past time
analogue of the next-time operator is called the previous operator: ←Xϕ holds on a
path at position t0 iff t0 > 0 and ϕ holds at position t0 − 1. Additionally, there is a
weak variant of the previous operator, where ←Xϕ holds on a path at position t0 iff
t0 = 0 holds or ϕ holds at position t0 − 1.
Other operators can be defined in terms of the above ones:
  Gϕ = [0 B ¬ϕ]                        ←Gϕ = [0 ←B ¬ϕ]
  Fϕ = [1 U̲ ϕ]                         ←Fϕ = [1 ←U̲ ϕ]
  [ϕ B ψ] = ¬[¬ϕ U ψ]                  [ϕ ←B ψ] = ¬[¬ϕ ←U ψ]
  [ϕ U ψ] = [ψ B (¬ϕ ∧ ¬ψ)]            [ϕ ←U ψ] = [ψ ←B (¬ϕ ∧ ¬ψ)]
  [ϕ B ψ] = [¬ψ U (ϕ ∧ ¬ψ)]            [ϕ ←B ψ] = [¬ψ ←U (ϕ ∧ ¬ψ)]
  [ϕ W ψ] = [(ϕ ∧ ψ) B (¬ϕ ∧ ψ)]       [ϕ ←W ψ] = [(ϕ ∧ ψ) ←B (¬ϕ ∧ ψ)]
  [ϕ W ψ] = [¬ψ U (ϕ ∧ ψ)]             [ϕ ←W ψ] = [¬ψ ←U (ϕ ∧ ψ)]
For example, [ϕ U ψ] is the weak until operator that can alternatively be defined as
[ϕ U ψ] := [ϕ U̲ ψ] ∨ Gϕ, i. e. the awaited event ψ need not hold in the
future. To distinguish weak and strong operators, the strong variants of a temporal
operator are underlined throughout this thesis (as shown above).
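As an added worked example (not code from the thesis), the following Python evaluates LTL formulas over lasso-shaped paths (a finite prefix followed by a loop repeated forever, which is how infinite paths are represented finitely) and checks the operator identities above exhaustively on all small lassos over two variables. The lasso representation and the strong/weak reading of each identity are my assumptions, taken from the informal semantics given in this section; strong operators carry an explicit suffix instead of the underline.

```python
"""Semantics of LTL over lasso-shaped paths, added here as a worked example (not
code from the thesis).  A path pi : N -> 2^V is given finitely as (prefix, loop),
two lists of assignments; formulas are nested tuples.  The thesis marks strong
operators by underlining; here the variant is a suffix: 'Us' strong until, 'Uw'
weak until, 'Bs'/'Bw' before, 'Ws'/'Ww' when, 'PUs'/'PUw' past until."""
from itertools import combinations, product

def letter(path, t):
    """pi(t): positions beyond the prefix are folded back into the loop."""
    prefix, loop = path
    return prefix[t] if t < len(prefix) else loop[(t - len(prefix)) % len(loop)]

def horizon(path, t0):
    """Last position to inspect from t0: every later letter repeats one from
    [t0, horizon], so a search for 'some delta >= t0' may stop there."""
    prefix, loop = path
    return max(t0, len(prefix)) + len(loop) - 1

def scan(positions, stop, fail, strong):
    """Engine of U, B and W: the first position where stop() holds decides True,
    the first where fail() holds decides False; if neither ever occurs the
    strong variant is False and the weak variant True."""
    for d in positions:
        if stop(d):
            return True
        if fail(d):
            return False
    return not strong

def holds(f, path, t0):
    """Does formula f hold on path at position t0?"""
    op = f[0]
    at = lambda g, d: holds(g, path, d)
    if op == '1': return True
    if op == '0': return False
    if op == 'var': return f[1] in letter(path, t0)
    if op == 'not': return not at(f[1], t0)
    if op == 'and': return at(f[1], t0) and at(f[2], t0)
    if op == 'or': return at(f[1], t0) or at(f[2], t0)
    if op == 'X': return at(f[1], t0 + 1)
    if op == 'PXs': return t0 > 0 and at(f[1], t0 - 1)   # strong previous
    if op == 'PXw': return t0 == 0 or at(f[1], t0 - 1)   # weak previous
    phi, psi, strong = f[1], f[2], op.endswith('s')
    future, past = range(t0, horizon(path, t0) + 1), range(t0, -1, -1)
    if op in ('Us', 'Uw'):    # psi at some delta, phi invariantly before it
        return scan(future, lambda d: at(psi, d), lambda d: not at(phi, d), strong)
    if op in ('Bs', 'Bw'):    # phi strictly before psi first becomes true
        return scan(future, lambda d: at(phi, d) and not at(psi, d),
                    lambda d: at(psi, d), strong)
    if op in ('Ws', 'Ww'):    # phi holds when psi holds for the first time
        return scan(future, lambda d: at(phi, d) and at(psi, d),
                    lambda d: at(psi, d), strong)
    if op in ('PUs', 'PUw'):  # past until: psi at some delta <= t0, phi after it
        return scan(past, lambda d: at(psi, d), lambda d: not at(phi, d), strong)
    raise ValueError(op)

# Derived operators from the table above (G and past G via weak before).
def neg(f): return ('not', f)
def G(f): return ('Bw', ('0',), neg(f))           # G phi = [0 B not phi]
def F(f): return ('Us', ('1',), f)                # F phi = [1 U phi], strong U
def PG(f): return neg(('PUs', ('1',), neg(f)))    # past G = not [1 past-U not phi]

def all_paths(variables=('a', 'b'), max_prefix=2, max_loop=2):
    """Every lasso over the variables with short prefix and non-empty loop."""
    letters = [frozenset(c) for r in range(len(variables) + 1)
               for c in combinations(variables, r)]
    for lp in range(max_prefix + 1):
        for ll in range(1, max_loop + 1):
            for prefix in product(letters, repeat=lp):
                for loop in product(letters, repeat=ll):
                    yield (list(prefix), list(loop))

def check_identities(positions=range(4)):
    """Names of table identities (and the direct reading of G, F, past G) that
    fail on some small lasso at some position; expected to be empty."""
    a, b = ('var', 'a'), ('var', 'b')
    na, nb = neg(a), neg(b)
    window = lambda p, t: range(t, horizon(p, t) + 1)
    table = [
        ('G = always', G(a), lambda p, t: all(holds(a, p, d) for d in window(p, t))),
        ('F = eventually', F(a), lambda p, t: any(holds(a, p, d) for d in window(p, t))),
        ('past G = so far', PG(a), lambda p, t: all(holds(a, p, d) for d in range(t + 1))),
        ('Bw = not[not Us]', ('Bw', a, b), neg(('Us', na, b))),
        ('Bs = not[not Uw]', ('Bs', a, b), neg(('Uw', na, b))),
        ('Us = [psi Bs (nphi&npsi)]', ('Us', a, b), ('Bs', b, ('and', na, nb))),
        ('Uw = [psi Bw (nphi&npsi)]', ('Uw', a, b), ('Bw', b, ('and', na, nb))),
        ('Bs = [npsi Us (phi&npsi)]', ('Bs', a, b), ('Us', nb, ('and', a, nb))),
        ('Bw = [npsi Uw (phi&npsi)]', ('Bw', a, b), ('Uw', nb, ('and', a, nb))),
        ('Ws = [(phi&psi) Bs (nphi&psi)]', ('Ws', a, b), ('Bs', ('and', a, b), ('and', na, b))),
        ('Ww = [(phi&psi) Bw (nphi&psi)]', ('Ww', a, b), ('Bw', ('and', a, b), ('and', na, b))),
        ('Ws = [npsi Us (phi&psi)]', ('Ws', a, b), ('Us', nb, ('and', a, b))),
        ('Ww = [npsi Uw (phi&psi)]', ('Ww', a, b), ('Uw', nb, ('and', a, b))),
        ('Uw = Us or G', ('Uw', a, b), ('or', ('Us', a, b), G(a))),
    ]
    def mismatch(lhs, rhs):
        return any(holds(lhs, p, t) != (rhs(p, t) if callable(rhs) else holds(rhs, p, t))
                   for p in all_paths() for t in positions)
    return [name for name, lhs, rhs in table if mismatch(lhs, rhs)]
```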
2.2 ω-Automata
In this section, finite automata over infinite words, called ω-automata [103], are in-
troduced. To this end, words, semi-automata, runs and paths are introduced first.
Then, these definitions are used to define ω-automata.
2.2.1 From Infinite Words to ω-Automata
Definition 3 (Words). In the following, we fix a finite set of input variables VΣ =
{i1, . . . , im} that define a finite set Σ = 2^VΣ, called the alphabet. The elements of Σ
are called letters. Obviously, each letter is an assignment over VΣ. A finite word α
over an alphabet Σ of length |α| = n + 1 is a function α : {0, . . . , n} → Σ. The finite
word of length 0 is called the empty word (denoted by ). An infinite word α over
an alphabet Σ is a function α : N → Σ. Its length is denoted by |α| = ∞. Thus
every (finite or infinite) word is a (finite or infinite) concatenation of letters, i.e. a
concatenation of assignments over the variables in VΣ.
For reasons of simplicity, α(i) is often denoted by α^(i) for i ∈ N. Using this
notation, words are often given in the form α^(0)α^(1) . . . α^(n) or α^(0)α^(1) . . . . The set of
all finite words over Σ is denoted by Σ*, and the set of all infinite words over Σ is
denoted by Σ^ω.
Counting of letters starts with zero, i.e. α^(i−1) refers to the i-th letter of α. Further-
more, α^(i...) denotes the suffix of α starting at position i, i.e. α^(i...) = α^(i)α^(i+1) . . . .
The finite word α^(i)α^(i+1) . . . α^(j) is denoted by α^(i..j). Notice that in case j < i the
expression α^(i..j) evaluates to the empty word . For two words α1, α2, we use α1α2
for the concatenation of α1 and α2. Finally, we write a^ω for the infinite word α with
α^(j) = a for all j. We also write β = (α)^ω for the infinite concatenation of a finite
word α.
Unlike classical automata, ω-automata read a given infinite word. The acceptance
of a given word is defined via an acceptance condition on the infinite run of the word.
To this end, we may use linear temporal logic as a unified framework to reason about
the infinite runs of the automata and thus need a labeling function that maps states
to assignments, i. e. propositional variables that hold in that state.
Definition 4 (Semi-automaton). Let Q be a finite set of state variables. Let VΣ be a
finite set of input variables disjoint from Q that defines an alphabet Σ = 2^VΣ. Then,
a semi-automaton A = (S, I, R, λ) over the alphabet Σ is given by
• a finite set of states S,
• a set of initial states I ⊆ S,
• a transition relation R ⊆ S × Σ × S and
• a labeling function λ : S → 2^Q.
Using standard terminology, we say that A is deterministic if exactly one initial
state exists and for each s ∈ S and each input σ ∈ Σ there exists exactly one
s′ ∈ S such that (s, σ, s′) ∈ R holds. In this case, we also write the transition relation
as a function δ : S × Σ → S. Otherwise, we say that A is non-deterministic. We will
sometimes also need a semi-automaton that is obtained from A by modifying the set
of initial states. To this end, for A = (S, I, R, λ) and a set of states I′ ⊆ S, define
A_I′ := (S, I′, R, λ). If I′ = {q} is a singleton set, we omit the brackets and simply
write A_q := (S, {q}, R, λ).
The acceptance of a word is defined with respect to the set of runs:
Definition 5 (Run of an Infinite Word). Given a semi-automaton A = (S, I,R, λ)
and an infinite word α : N → Σ over Σ. Then each infinite word β : N → S with
β(0) ∈ I and ∀t. (β(t), α(t), β(t+1)) ∈ R is called a run of α through A. The set of all
runs of α through A is hence defined as follows:
RUN_A(α) := { β : N → S | β(0) ∈ I ∧ ∀t. (β(t), α(t), β(t+1)) ∈ R }
The infinity set of a run β is defined as:
INF(β) := {s ∈ S | β(t) = s for infinitely many t ∈ N}
The difference between classical finite automata and ω-automata is that ω-automata
run over an infinite word whereas finite automata run over a finite word. Since there is
no ’final’ state in an infinite run, the acceptance of an infinite word must consider the
(infinite) sequence of states that are visited by the ω-automaton. Notice that each run
uniquely defines a path over the variables Q, since every state is uniquely equipped
with an assignment by the labeling function. To this end, let β = β(0)β(1) . . . be a
run of a semi-automaton. We extend the labeling function to runs by defining
λ(β) = λ(β(0))λ(β(1)) . . .
Notice that λ(β) is a path over Q, called the trace of β. Since every trace of a semi-
automaton A over a word α is a path over Q, we can use LTL to specify the acceptance
conditions for ω-automata¹.
¹ The acceptance of a word is then specified with the set of runs (thus the set of paths) over this
word.
Since every state is uniquely determined by the labelling function, each propositional
formula ϕ over Q together with the labeling function defines a set of states Fϕ by
Fϕ := {s ∈ S | λ(s) |= ϕ}. Having this view, the classical acceptance conditions can
be formalized as an LTL formula as shown in the following definition:
Definition 6 (Classical Acceptance Conditions [61, 109, 102, 65, 91]). Let Φi and
Ψi for all i ∈ {0, . . . , f} be propositional formulas over the state variables Q, then we
define the following classes of acceptance conditions:
• Safety condition: GΦ0
• Liveness condition: FΦ0
• Büchi condition [14, 15]: GFΦ0
• Persistence condition [66]: FGΦ0
• Rabin condition [83]: ⋁_{j=0}^{f} (GFΦj ∧ FGΨj)
• Streett condition [101]: ⋀_{j=0}^{f} (GFΦj ∨ FGΨj)
• Prefix conditions [100]: ⋀_{j=0}^{f} (GΦj ∨ FΨj)
Hence, taking a closer look at the definition of LTL it is not hard to see that the
following holds:
• A run is accepted by a safety condition Gϕ iff the run exclusively runs through
the set Fϕ
• A run is accepted by a liveness condition Fϕ iff the run visits the set Fϕ at least
once.
• A run is accepted by a Bu¨chi condition GFϕ iff the run visits at least one state
of the set Fϕ infinitely often.
• A run is accepted by a persistence (or co-Büchi) condition FGϕ iff the run visits
only states of the set Fϕ infinitely often, i. e. each state from the complement
set F¬ϕ is visited only finitely often.
• A run is accepted by a Rabin condition if there is an index j ∈ {0, . . . , f} such
that the trace infinitely often satisfies Φj and after some time always satisfies
Ψj. In other words, for some j, the run must visit at least one state from FΦj
infinitely often and may only finitely often visit a state from F¬Ψj.
• The dual of a Rabin condition is a Streett condition that demands for every j
that if some set F¬Φj is visited infinitely often, then also FΨj is visited infinitely
often.
• Finally, a prefix condition (or Staiger-Wagner condition [100]) is satisfied by a
run such that for all j either all positions of the trace satisfy Φj or at some
position Ψj holds. That is, the run visits either only states from FΦj or at least
once a state from FΨj.
Another form of acceptance conditions is the parity condition [73] that has become
popular during the last years. A parity condition is conveniently defined via a coloring
function.
Definition 7 (Coloring Function). Let f ∈ N be a natural number. Then, any
function Ω : S → {0, . . . f} is called a coloring function. The number Ω(s) for s ∈ S
is called the color of state s.
The acceptance of a parity condition is defined as follows:
Definition 8 (Parity Acceptance). Given a semi-automaton A = (S, I,R, λ) and a
coloring function Ω. Define the minimal color that is visited infinitely often during a
run β by
MINΩ(β) = min{Ω(s) | s ∈ INF(β)}
Then the parity acceptance condition is defined as follows: A run β of A satisfies the
parity condition, iff MINΩ(β) is even.
In the following, we identify a parity condition with its coloring function, and write
e. g. β |= Ω whenever β satisfies the parity condition. An acceptance component is
now defined as follows:
Definition 9 (Acceptance Component). Let A = (Q, I,R, λ) be a semi-automaton.
Then the set of all acceptance conditions acA over A is given by:
• If ϕ is an LTL formula over Q, then ϕ ∈ acA
• Any parity condition Ω over Q is in acA
• if ϕ, ψ ∈ acA, then ϕ ∧ ψ ∈ acA and ϕ ∨ ψ ∈ acA
• if ϕ ∈ acA, then ¬ϕ ∈ acA
With the help of the preceding definitions, we can formally define ω-automata:
Definition 10 (ω-Automata). An existential² ω-automaton A = (S, I, R, λ, Φ) is a
tuple where (S, I, R, λ) is a semi-automaton and Φ is an acceptance condition.
We sometimes also specify safety, liveness, Büchi or co-Büchi automata by a set of
states Fϕ defined by a propositional formula ϕ over Q and write A = (S, I, R, Fϕ),
i. e. we omit the labeling function. Similarly, we sometimes omit the labeling function
when dealing with parity automata and write A = (S, I, R, Ω).
Definition 11 (Acceptance of a Word by an ω-Automaton). Given an ω-automaton
A = (S, I, R, λ, Φ) and a run β of A over a word α. Then the following rules define
the acceptance of β by A, β |= A:
• β |= ϕ iff λ(β) |= ϕ, if ϕ ∈ LTL
• β |= Ω iff β satisfies the parity condition Ω (Definition 8)
• β |= ¬ϕ iff not β |= ϕ
• β |= ϕ ∧ ψ iff β |= ϕ and β |= ψ
• β |= ϕ ∨ ψ iff β |= ϕ or β |= ψ
A word α over Σ is accepted by A, α |= A, iff there is a run β of A over α such
that β |= A. The language of A is the set of accepted words, i. e. Lang(A) := {α ∈
Σ^ω | α |= A}.
The above acceptance conditions define corresponding automaton classes. We denote
the sets of (non)deterministic safety, liveness, Büchi, persistence, prefix, Rabin, Streett
and parity automata by (N)Det_G, (N)Det_F, (N)Det_GF, (N)Det_FG, (N)Det_prefix,
(N)Det_Rabin, (N)Det_Streett and (N)Det_Parity. Conjunctions of Büchi conditions are
often called generalized Büchi conditions while generalized parity conditions are either
conjunctions or disjunctions of parity conditions.
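The following Python, added here as a worked example (not code from the thesis), evaluates the acceptance conditions of Definitions 6 and 8 on lasso-shaped runs, where INF(β) is simply the set of loop states, and checks exhaustively over all infinity sets two facts: the Streett dual of a Rabin condition stated above, and that a parity condition is a special Rabin condition. The state set, colouring and Rabin pairs at the end are constructed samples.

```python
"""Classical acceptance conditions (Definition 6) and the parity condition
(Definition 8) on lasso-shaped runs, added here as a worked example (not code
from the thesis).  States are small integers; a condition's formula Phi is
represented directly by its state set F_Phi; a run beta is a pair (prefix, loop)
of state lists, so INF(beta) is the set of loop states."""
from itertools import combinations

def inf(run):
    """INF(beta): the states visited infinitely often by the lasso run."""
    _prefix, loop = run
    return frozenset(loop)

def safety(run, f):      return all(s in f for s in run[0] + run[1])   # G Phi
def liveness(run, f):    return any(s in f for s in run[0] + run[1])   # F Phi
def buchi(inf_set, f):   return bool(inf_set & f)                       # GF Phi
def persistence(inf_set, f): return inf_set <= f                        # FG Phi

def rabin(inf_set, pairs):    # OR_j (GF Phi_j AND FG Psi_j)
    return any(buchi(inf_set, fphi) and persistence(inf_set, fpsi) for fphi, fpsi in pairs)

def streett(inf_set, pairs):  # AND_j (GF Phi_j OR FG Psi_j)
    return all(buchi(inf_set, fphi) or persistence(inf_set, fpsi) for fphi, fpsi in pairs)

def parity(inf_set, omega):
    """MIN_Omega(beta) is even; omega maps every state to a colour 0..f."""
    return min(omega[s] for s in inf_set) % 2 == 0

def rabin_dual(states, pairs):
    """Negating a Rabin condition gives a Streett condition: for each pair
    (Phi_j, Psi_j), not(GF Phi_j and FG Psi_j) = GF not Psi_j or FG not Phi_j."""
    return [(states - fpsi, states - fphi) for fphi, fpsi in pairs]

def parity_as_rabin(states, omega):
    """A parity condition as Rabin pairs: some even colour c is seen infinitely
    often while, from some point on, only colours >= c are seen."""
    return [(frozenset(s for s in states if omega[s] == c),
             frozenset(s for s in states if omega[s] >= c))
            for c in set(omega.values()) if c % 2 == 0]

def check_equivalences(states, omega, pairs):
    """Compare both translations above with the direct definitions over every
    possible non-empty infinity set; returns the disagreements (expected none)."""
    failures = []
    for r in range(1, len(states) + 1):
        for inf_set in map(frozenset, combinations(states, r)):
            # the dual Streett condition must be the exact negation
            if rabin(inf_set, pairs) == streett(inf_set, rabin_dual(states, pairs)):
                failures.append(('rabin/streett duality', inf_set))
            if parity(inf_set, omega) != rabin(inf_set, parity_as_rabin(states, omega)):
                failures.append(('parity as rabin', inf_set))
    return failures

# constructed sample: four states coloured by their index, two Rabin pairs
STATES = frozenset(range(4))
OMEGA = {s: s for s in STATES}
PAIRS = [(frozenset({3}), frozenset({2, 3})), (frozenset({0}), STATES)]
```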
2.2.2 Symbolically Represented ω-Automata
In this section, we briefly describe how we represent ω-automata on infinite words
using BDDs. We assume that the input alphabet is encoded using boolean variables
VΣ. To represent the state transition relation of the automata, we introduce two
state sets of propositional variables, one for the current and one for the next point of
time. Using these propositional variables, we are able to encode the initial states, the
transition relation and the acceptance condition using boolean functions which can
be represented with BDDs or handled by SAT solvers.
² Some works related with ω-automata consider ∀-automata [64] that have an acceptance condition
that must be fulfilled by all runs of a word. Usually, however, automata are considered that only
require that a word has at least one run that fulfills the specified acceptance condition. In this
thesis, we will only consider the second case, i.e. we restrict our attention to those automata
that require that at least one accepting run exists.
Definition 12 (Automaton Formula). Given a finite set of variables Q with Q ∩
VΣ = {}, a propositional formula I over Q ∪ VΣ, a propositional formula R over
Q ∪ VΣ ∪ {v′ | v ∈ Q ∪ VΣ}, and an LTL formula F over Q ∪ VΣ, then A∃(Q, I, R, F)
is an (existential) automaton formula.
We will sometimes also need the evaluation of a propositional formula at the next
point of time. Thus, for every propositional formula ϕ, we use [ϕ]^{q′1,...,q′n}_{q1,...,qm} to mean the
formula that is obtained from ϕ by replacing every state variable q ∈ Q by q′.
2.3 From LTL to Nondeterministic ω-Automata
Symbolic methods have become state of the art in modern model checkers. Nearly
all symbolic model checkers like NuSMV or Cadence-SMV use the algorithm of [21]
to translate LTL formulas to symbolically represented generalized Büchi automata
[87]. As explained in [90, 91], this ‘standard’ translation procedure from LTL to ω-
automata traverses the syntax tree of the LTL formula in a bottom-up manner and
abbreviates each sub-formula that starts with a temporal operator. For example, the
sub-formula [ϕ U ψ] is thereby abbreviated by a new state variable q such that the
following holds:
q ↔ ψ ∨ ϕ ∧ q′
The transition relation is then equivalent to
R :≡ q ↔ ψ ∨ ϕ ∧ q′
so that we obtain the automaton shown in Figure 2.1³.
To define the acceptance condition, we have to add the fairness constraint Fi :≡
(q → ψ) as a new set of accepting states⁴. The sub-formula [ϕ U ψ] is also abbreviated
by a new state variable q with the same update of the transition relation. However,
we add the fairness constraint Fi :≡ (ϕ → q).
³ To simplify the picture, we did not use the set-based notation, i.e. the set {} is represented by q̄,
and similarly in Figure 2.2 with q1q2.
⁴ Notice that any fairness constraint ξ that is a formula over both state and input variables can be
easily replaced by a formula that is defined over the state variables alone by adding a new state
variable q′ with the constraint q′ ↔ ξ.
Figure 2.1: Nondeterministic Automaton for [ϕ U ψ] (two states q̄ and q; the transition relation q ↔ ψ ∨ ϕ ∧ q′ for the four input classes):
  ψ ϕ | q ↔ ψ ∨ ϕ ∧ q′
  0 0 | q ↔ 0
  0 1 | q ↔ q′
  1 0 | q ↔ 1
  1 1 | q ↔ 1
Figure 2.2: Nondeterministic Automaton for Xϕ (four states over q1q2; the transition relation (q1 ↔ ϕ) ∧ (q1′ ↔ q2) for the two input classes):
  ϕ | (q1 ↔ ϕ) ∧ (q1′ ↔ q2)
  0 | (q1 ↔ 0) ∧ (q1′ ↔ q2)
  1 | (q1 ↔ 1) ∧ (q1′ ↔ q2)
A sub-formula Xϕ introduces two new state variables q1 and q2 where the transition
relation R is defined as:
R :≡ (q1 ↔ ϕ) ∧ (q1′ ↔ q2)
and no fairness constraint is generated so that we obtain the automaton in Figure
2.2.
In the general case, every elementary sub-formula is abbreviated in a bottom-up
traversal through the syntax tree. During that traversal, for every elementary sub-
formula a new state variable and a new fairness constraint is introduced as described
above. Hence we obtain a so-called generalized Büchi automaton with multiple fair-
ness constraints. However, it is well-known that multiple fairness constraints can
be easily transformed to an automaton having a single acceptance condition. For
more information regarding the translation procedure, see the detailed explanations
in Chapter 5.4.1 of [91].
2.3.1 From LTL to Unambiguous ω-Automata
It is well-known that the ω-automata that stem from LTL formulas are a special class
that has already found several characterizations. Due to results of [67], the automata
can be characterized as non-counting automata, and in terms of alternating automata,
the class of linear weak or very weak automata has been defined [68, 35, 77, 74]. More-
over, many translation procedures from LTL generate unambiguous automata [17]
where every accepted word has a unique accepting run [91, 2] (although there may be
additional non-accepting runs for the same word). In Chapter 5, a new determiniza-
tion procedure is presented that makes use of the fact that the automata obtained by
the translation procedure of the previous section yield unambiguous automata, which
is shown in the following paragraph.
Definition 13 (Unambiguous Automata). An ω-automaton A = (Q, I, R, L, F) is
called unambiguous if every word α ∈ Lang(A) labels exactly one accepting run⁵.
To give an intuitive idea why the automata constructed from LTL formulas by the
‘standard translation’ procedure are unambiguous, reconsider the automaton of Fig-
ure 2.1 that is obtained by translating the formula [ϕ U ψ] to a non-deterministic
automaton.
As can be seen in Figure 2.1, the input ϕ ∧ ¬ψ demands that the current state
is maintained, but allows the automaton to be in any of the two states. The other
three classes of inputs uniquely determine the current state, but leave the successor
state completely unspecified. As a consequence, input words that infinitely often
satisfy ¬(ϕ ∧ ¬ψ), i.e., ¬ϕ ∨ ψ, have only one (infinite) run, while the remaining
input words that satisfy ϕ ∧ ¬ψ from a certain point of time on have two runs
that are of the form ξq^ω and ξq̄^ω with the same finite prefix ξ. However, the fairness
constraint F = q → ψ is satisfied by only one of the two runs⁶. Hence, the automaton
is unambiguous. A similar consideration shows that the automaton of Figure 2.2 is
also unambiguous.
An example run tree (that encodes all the runs of a given word) is shown in Fig. 2.3.
It can be seen that there is a uniquely determined run, since all other nondeterministic
choices lead to finite paths. Another example run tree that contains two infinite runs
is shown in Figure 2.4. Although this run tree has two infinite runs, the automaton is
still unambiguous since the fairness constraint assures that only one of the two runs
is accepting.
As every automaton Aϕ obtained by the translation of an LTL formula ϕ is a product
of the unambiguous automata shown in Figures 2.1 and 2.2, and as the product
automaton of two unambiguous automata is also unambiguous, it follows that the
automata Aϕ obtained by the above ‘standard’ translation are unambiguous. The
following proposition has been shown in [91] as Theorem 5.42:
⁵ Notice that our definition of unambiguous automata slightly differs from the one given in [17]. An
automaton is unambiguous according to [17] if every word has exactly one run starting in any
state. We demand this only for initial runs.
⁶ And this also holds when we abbreviate the fairness constraint with a new propositional variable
q′ ↔ (q → ψ), which we neglect here to simplify the pictures.
Figure 2.3: Run Tree with a Uniquely Determined Run of the Automaton of Fig. 2.1
Figure 2.4: Run Tree with Two Runs of the Automaton of Fig. 2.1
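The argument above, made executable as an added example (not code from the thesis): the automaton of Figure 2.1 with transition relation q ↔ ψ ∨ ϕ ∧ q′ and fairness set q → ψ is run on every small lasso word, and the code checks that exactly one run is accepting whenever [ϕ U ψ] holds at position 0 and none otherwise (and, with both states initial as in the run trees, that every word has exactly one accepting run). The lasso representation of words and the boolean encoding of the state q are my assumptions; that enumerating the runs which repeat with the word's period captures all runs holds for this automaton only, as the docstring explains.

```python
"""The nondeterministic automaton of Figure 2.1 for the strong until [phi U psi]
(state variable q, transition relation q <-> psi or (phi and q'), fairness set
F = (q -> psi)), run over lasso words; added here as a worked example, not code
from the thesis.  A letter is a pair (phi, psi) of truth values.  Only runs
that repeat with the word's period are enumerated; for this automaton those
are all runs, because q is fixed by the input except along phi-and-not-psi
stretches, where it is copied unchanged to the next position."""
from itertools import product

INITIAL = (True,)      # the automaton for the formula itself starts in q

def transition(q, letter, q_next):
    """R :== q <-> psi or (phi and q')."""
    phi, psi = letter
    return q == (psi or (phi and q_next))

def fair(q, letter):
    """The accepting 'edge' set F = (q -> psi)."""
    return (not q) or letter[1]

def runs(word, initial=INITIAL):
    """All periodic runs of the lasso word: state sequences over the
    n = |prefix| + |loop| positions that satisfy R at every step, including the
    wrap-around from the last loop position back to the first."""
    prefix, loop = word
    letters = prefix + loop
    n, p = len(letters), len(prefix)
    result = []
    for states in product((False, True), repeat=n):
        if states[0] not in initial:
            continue
        ok = all(transition(states[t], letters[t], states[t + 1]) for t in range(n - 1))
        if ok and transition(states[n - 1], letters[n - 1], states[p]):
            result.append(states)
    return result

def accepting(word, states):
    """Buechi acceptance: some loop position satisfies the fairness set."""
    prefix, loop = word
    letters = prefix + loop
    return any(fair(states[t], letters[t]) for t in range(len(prefix), len(letters)))

def strong_until(word):
    """Direct LTL semantics of [phi U psi] at position 0 on the lasso word."""
    for phi, psi in word[0] + word[1]:
        if psi:
            return True
        if not phi:
            return False
    return False        # phi and not psi forever: psi never comes

def all_words(max_prefix=2, max_loop=2):
    """Every lasso word with short prefix and non-empty loop."""
    letters = list(product((False, True), repeat=2))
    for lp in range(max_prefix + 1):
        for ll in range(1, max_loop + 1):
            for prefix in product(letters, repeat=lp):
                for loop in product(letters, repeat=ll):
                    yield (list(prefix), list(loop))

def check_unambiguity():
    """Returns (violations, max_runs).  Checked: a word is accepted iff
    [phi U psi] holds, every accepted word has exactly one accepting run, and
    with both states initial the unique accepting run starts in q iff the
    formula holds."""
    violations, max_runs = [], 0
    for word in all_words():
        all_runs = runs(word, initial=(False, True))
        max_runs = max(max_runs, len(all_runs))
        expect = strong_until(word)
        acc = [r for r in runs(word) if accepting(word, r)]
        if len(acc) != (1 if expect else 0):
            violations.append(word)
        acc_any = [r for r in all_runs if accepting(word, r)]
        if len(acc_any) != 1 or acc_any[0][0] != expect:
            violations.append(word)
    return violations, max_runs
```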
Proposition 1. Given a formula Φ ∈ LTL, we can construct a nondeterministic
generalized Büchi automaton A∃(Q, ΦI, ΦR, ΦF) in time O(|Φ|) with |Q| ≤ |Φ| state
variables which is unambiguous. Therefore, A∃(Q, ΦI, ΦR, ΦF) is a symbolic repre-
sentation of a nondeterministic automaton with O(2^|Φ|) states.
The resulting automaton of the above translation is a generalized Büchi automaton,
since we obtain an accepting set of states (actually edges) for every occurrence of an
until-operator. Thus, the acceptance condition is given as a formula F = ⋀_{i=1}^{n} GFΦi.
It is however straightforward to replace a conjunction of fairness constraints with a
single fairness constraint [91]. To this end, we generate the deterministic automaton
with n + 1 states q1, . . . , qn, qa shown in Figure 2.5.
Whenever the automaton reaches a state labeled with qi, it waits until Φi is read
and remains in qi as long as this event does not occur. Hence, if qa holds infinitely
often, each of the events Φi must occur infinitely often. Since the automaton is
deterministic, its runs are uniquely determined. This means that every run of the
product of this automaton with the original unambiguous automaton is also uniquely
determined, hence it is unambiguous 7.
Footnote 7: We use the usual automaton product, which can be alternatively seen as a conjunction of symbolically represented automata, i. e. the conjunctions of the formulas representing initial states and transition relation.
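The construction of Figure 2.5 can be checked mechanically. The following Python example (added here; it is not code from the thesis or from [91]) implements the counter automaton for n fairness constraints, runs it on lasso-shaped words whose letters are the sets of indices i for which Φi holds (this word encoding is an assumption of the example), and compares its verdict with a direct evaluation of ⋀ GF Φi on the loop of the lasso.

```python
# Added example (not from the thesis): the deterministic "counter" automaton of
# Figure 2.5 that replaces the conjunction GF Phi_1 ∧ ... ∧ GF Phi_n by the single
# fairness constraint GF q_a.  Encoding assumed here: a letter of the input word
# is the set of indices i for which Phi_i holds at that position, and an infinite
# word is given as a lasso (finite prefix, finite loop repeated forever).

def counter_step(state, letter, n):
    """One transition of the automaton of Figure 2.5.

    state is an integer i in 1..n (the automaton waits in q_i until Phi_i is
    read) or "a" for q_a, which is left unconditionally (edge labelled 1)."""
    if state == "a":
        return 1                      # start the next round of checks
    if state in letter:               # Phi_state holds: advance
        return state + 1 if state < n else "a"
    return state                      # ¬Phi_state: stay in q_state

def counter_accepts(prefix, loop, n):
    """Does the counter automaton visit q_a infinitely often on prefix·loop^ω?

    Because the automaton is deterministic with finitely many states, the state
    at the start of successive loop passes eventually repeats; q_a is visited
    infinitely often iff it is hit in one of the passes of that repeating cycle."""
    state = 1
    for letter in prefix:
        state = counter_step(state, letter, n)
    first_pass = {}          # state at start of a loop pass -> pass number
    hit_qa = []              # hit_qa[k]: was q_a visited during pass k?
    while state not in first_pass:
        first_pass[state] = len(hit_qa)
        hit = False
        for letter in loop:
            state = counter_step(state, letter, n)
            hit = hit or state == "a"
        hit_qa.append(hit)
    return any(hit_qa[first_pass[state]:])

def gf_conjunction_holds(loop, n):
    """Direct check of GF Phi_1 ∧ ... ∧ GF Phi_n on a lasso word: every Phi_i
    must occur somewhere in the loop (the finite prefix is irrelevant for GF)."""
    return all(any(i in letter for letter in loop) for i in range(1, n + 1))

# Constructed sample words over n = 3 constraints.
SAMPLE_WORDS = [
    ([], [{1}, {2}, {3}]),                     # each Phi_i in turn: accepted
    ([], [{3}, {2}, {1}]),                     # reverse order, needs three passes
    ([{1}, {2}, {3}], [{1, 2}, {1, 2}]),       # Phi_3 only in the prefix: rejected
    ([{2}], [set(), {1, 2, 3}, set()]),        # all at once, with idle letters
]

def check_samples(n=3):
    """Return [(counter verdict, direct verdict)] for the sample words."""
    return [(counter_accepts(p, l, n), gf_conjunction_holds(l, n))
            for p, l in SAMPLE_WORDS]

if __name__ == "__main__":
    for word, verdict in zip(SAMPLE_WORDS, check_samples()):
        print(word, verdict)
```

The second sample word shows why the counter needs several passes over the loop: the Φi arrive in the wrong order, so q_a is reached only in the third pass, but it is still reached in every cycle afterwards, exactly as the uniquely determined run of the product would be.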
2 Preliminaries
Figure 2.5: Automaton for the Conjunction of Finitely Many Fairness Constraints (states q1, q2, ..., qn, qa; each qi has a self-loop labeled ¬Φi and an edge labeled Φi to the next state, qn leads on Φn to qa, and qa returns unconditionally (label 1) to q1; diagram not reproduced in text)
2.4 Relating the Automata Hierarchy and the
Temporal Logic Hierarchy
It is well known that different acceptance conditions lead to different automaton classes [18, 91] with different power. The expressiveness of these classes is illustrated in Figure 2.6, where C1 ⊒ C2 means that for any automaton in C1, there is an equivalent one in C2. Moreover, we define C1 ≈ C2 := C1 ⊒ C2 ∧ C2 ⊒ C1 and C1 ⊐ C2 := C1 ⊒ C2 ∧ ¬(C1 ≈ C2). As can be seen, the hierarchy consists of six different classes, and each class has a deterministic representative.
In [90, 18], a corresponding hierarchy of temporal logics has been defined. It is
shown now how this temporal logic hierarchy can be used to obtain an efficient de-
terminization construction for a rich fragment of LTL. Hence, we want to complete
the picture from Figure 2.6: we show that for every formula of a temporal logic class
a corresponding deterministic automaton can be obtained.
Following [90], we define the hierarchy of temporal formulas by the grammar rules
of Figure 2.7:
Definition 14 (Temporal Logic Classes). We define the logics TLκ for κ ∈ {G, F,
Prefix, FG, GF, Streett} by the grammar rules given in Figure 2.7, where TLκ is the set
Figure 2.6: Hierarchy of ω-automata and Temporal Logic Hierarchy (automaton classes NDetG, DetG, NDettotalF, DetF, NDetF, DetPrefix, NDetPrefix, (N)DetFG, DetGF, NDetGF, (N)DetStreett, (N)DetRabin, (N)DetParity and the logics TLG, TLF, TLPrefix, TLGF, TLFG, TLStreett; the arrows of the diagram are not reproduced in text)
PG ::= VΣ | ¬PF | PG ∧ PG | PG ∨ PG
| ←−XPG | [PG ←−U PG]
| ←−XPG | [PG ←−U PG]
| XPG | [PG U PG]
PF ::= VΣ | ¬PG | PF ∧ PF | PF ∨ PF
| ←−XPF | [PF ←−U PF]
| ←−XPF | [PF ←−U PF]
| XPF | [PF U PF]
PPrefix ::= PG | PF | ¬PPrefix | PPrefix ∧ PPrefix | PPrefix ∨ PPrefix
PGF ::= PPrefix
| ¬PFG | PGF ∧ PGF | PGF ∨ PGF
| ←−XPGF | ←−XPGF | XPGF
| [PGF ←−U PGF] | [PGF ←−U PGF]
| [PGF U PGF] | [PGF U PF]
PFG ::= PPrefix
| ¬PGF | PFG ∧ PFG | PFG ∨ PFG
| ←−XPFG | XPFG | ←−XPFG
| [PFG ←−U PFG] | [PFG ←−U PFG]
| [PFG U PFG] | [PG U PFG]
PStreett ::= PGF | PFG | ¬PStreett | PStreett ∧ PStreett | PStreett ∨ PStreett
Figure 2.7: Classes of Temporal Logic
of formulas that can be derived from the nonterminal Pκ (VΣ represents any variable
v ∈ VΣ).
TLG is the set of formulas where each occurrence of a weak/strong temporal future
operator is positive/negative, and similarly, each occurrence of a weak/strong tempo-
ral future operator in TLF is negative/positive. Hence, both logics are dual to each
other, which means that one contains the negations of the other one. TLPrefix is the
boolean closure of TLG (and TLF). The logics TLGF and TLFG are constructed in the
same way as TLG and TLF; however, there are two differences: (1) these logics allow
occurrences of TLPrefix where otherwise variables would have been required in TLG
and TLF, and (2) there are additional ‘asymmetric’ grammar rules. It can be easily
shown that TLGF and TLFG are also dual to each other, and their intersection strictly
contains TLPrefix. Finally, TLStreett is the boolean closure of TLGF and TLFG.
It is well known that every formula of LTL can be rewritten to a formula from
TLStreett [65]. However, known rewriting procedures from full LTL to TLStreett either
use deterministic automata [91] as an intermediate step or use rewriting steps that
are nonelementary [38]. Hence those known procedures do not describe a reasonable
way to obtain a deterministic automaton for full LTL. It is however remarkable that
almost all formulas that occur in practice belong to TLStreett. If a given formula
should not belong to TLStreett, it is often straightforward to rewrite it to an equivalent
TLStreett formula. For example, the formula GF [a U b] that demands that infinitely
often [a U b] holds is equivalent to the TLStreett formula GF [a U b]∨FG [a U b]. Clearly,
there are many formulas outside TLStreett, but we claim that these formulas seldom
occur in practice. We substantiate our claim in Chapter 7 by showing a large diversity
of specifications all belonging to TLStreett.
In the following it is sketched how arbitrary formulas from TLκ can be translated to
automata from Detκ. In [90, 91] several translation procedures are given to translate
formulas from TLκ to equivalent NDetκ automata. In particular, translation proce-
dures are given that translate TLG and TLFG formulas to safety, i. e. NDetG or to
co-Büchi, i. e. NDetFG automata. Both translation procedures are modifications of the
translation procedure sketched in Section 2.3.
Theorem 1 ([91]). Given a formula Φ ∈ TLκ, with κ ∈ {G, FG} we can construct a nondeterministic ω-automaton A∃(Q, I, R, F) of the class NDetκ in time O(|Φ|) with |Q| ≤ |Φ| state variables. Therefore, A∃(Q, I, R, F) is a symbolic representation of a nondeterministic automaton with O(2^|Φ|) states.
Moreover, it can be shown that nondeterministic safety automata of the class NDetG can be determinized using the subset construction [84] and that Miyano and Hayashi's breakpoint construction is sufficient to determinize NDetFG automata using time O(2^n), where n is the number of states of the nondeterministic automaton.
Since TLPrefix and TLStreett are the boolean closures of TLG/TLF and TLFG/TLGF, re-
spectively, deterministic automata for TLPrefix and TLStreett can be obtained by boolean
combinations of DetG/DetF and DetFG/DetGF automata.
To this end, it is shown in [91] how arbitrary boolean combinations of Gϕ and Fϕ
with propositional formulas ϕ are translated to equivalent DetPrefix automata, and
analogously, how arbitrary boolean combinations of GFϕ and FGϕ with propositional
formulas ϕ are translated to equivalent DetStreett automata. Moreover, it is shown
how acceptance conditions can be converted in more powerful acceptance conditions
so that we obtain the following theorem:
Theorem 2 (Temporal Logic and Automaton Hierarchy). Given a formula Φ ∈ TLκ, we can construct a deterministic ω-automaton A∃(Q, I, R, F) of the class Detκ in time O(2^|Φ|) with |Q| ≤ O(3|Φ|) state variables. Therefore, A∃(Q, I, R, F) is a symbolic representation of a deterministic automaton with 2^(O(3|Φ|)) states.
2.5 Infinite Games
In this thesis, we reduce different problems to the solution of infinite two player games.
In particular, in Chapter 3, the minimization problem of parity automata is reduced
to the solution of so-called simulation games and the controller synthesis problem can
be regarded as a two-player game between a system and its environment (see Section
2.5.2). The games considered in this thesis have in common that they can be reduced
to a special form of two-player infinite games, namely turn-based games, where both
players move alternately.
2.5.1 Turn-Based Games
Definition 15 (Two-Player Turn-Based Games). A two-player turn-based game is a tuple G = (V, V0, V1, R, L, Φ) over a set of state variables Q where
• V = V0 ∪ V1 is a finite set of locations or vertices with V0 ∩ V1 = ∅,
• Vi are the locations of V that correspond with player i (where i ∈ {0, 1}),
• R ⊆ V × V is the transition relation,
• L : V → 2^Q is the label function and
• Φ is an acceptance condition.
A play is a maximal sequence of locations π = v(0)v(1)... such that for all i ≥ 0, we have (v(i), v(i+1)) ∈ R. A play π is winning for player 0 if L(π) |= Φ or π is finite and π ends in a state of player 1. Otherwise, player 1 wins.
A strategy for player 0 is a partial function γ : V*V0 → 2^V such that whenever γ(πv) is defined and v′ ∈ γ(πv), we have (v, v′) ∈ R. We extend the label function to plays in the usual way. The strategy γ is called memoryless, if the successor state chosen by player 0 depends only on the current location v, i.e., γ is a function γ : V0 → 2^V. A strategy is said to be finite memory or forgetful, if there exists a finite set M, an initial memory element mI ∈ M, and functions τ : V × M → M and ξ : V × M → 2^V such that the following holds: If π = v(0)v(1)...v(j−1) is a prefix of a play and the sequence m0, m1, ..., mj is determined by m0 = mI and m(i+1) = τ(v(i), mi), then γ(πv(j)) = ξ(v(j), mj) holds.
A play π = v(0)v(1)... is γ-conform, if whenever v(i) ∈ V0 holds, then we have v(i+1) ∈ γ(v(0)...v(i)). The strategy γ is winning from v, if every γ-conform play that starts in v is winning for player 0. We say that player 0 wins from v if she has a winning strategy from v. The winning region of player 0 is the set of locations from which player 0 wins. We denote the winning region of player 0 by W0. Strategy, winning and winning regions are defined analogously for player 1.
We solve a game by computing the winning regions W0 and W1. The winning
regions of the games that we consider are disjoint, i.e. these games are determined
[39, 26].
The winning condition Φ specifies the type of the game, e.g. a Büchi condition specifies a Büchi game. Many algorithms have been developed to solve two-player turn-based games [37, 108, 89]. We are particularly interested in Büchi games [104] and generalized parity games [19] since the simulation games of Section 3 and the controller synthesis problem can be reduced to them.
2.5.2 Controller Synthesis as a Two-Player Game
As already outlined in the introduction, the controller synthesis problem solves a
more general problem than the model checking problem. Instead of giving a yes/no
answer or a counterexample to show how a specification is violated, the controller
synthesis problem asks how the system can be modified to fulfill the specification,
i. e. to construct a controller C such that M× C |= Φ. To this end, we assume that
our original semi-automaton has some input variables that are termed controllable.
Those controllable input variables represent choices of the controller whereas the other
input variables are chosen by the environment. In this thesis, the controller synthesis
problem is reduced to the decision of the winner in an infinite two player game between
the controller and the environment of the system. To this end, the so called Moore
game is defined. While solving the game, i. e. deciding whether the controller or the
environment wins, a strategy C in the form of a Moore machine for the controller can
be synthesized such that M×C |= Φ.
Intuitively, a Moore game is an incompletely specified finite state machine together with a specification, thus an ω-automaton over the alphabet Σ = 2^(Vu ∪ Vc). The environment chooses the uncontrollable inputs whereas the controller chooses the controllable inputs. To ease notation, let Σc = 2^Vc and Σu = 2^Vu be the controllable and uncontrollable input alphabet. Formally, the Moore game is introduced in the following:
Definition 16 (Moore Game). A Moore game G = (Vc, Vu, S, sI, δ, Λ, Φ) over a set of state variables VS consists of the following components:
• a finite set of uncontrollable input variables Vu that are determined by the environment,
• a finite set of controllable input variables Vc that are determined by the controller,
• a finite set of states S,
• an initial state sI ∈ S,
• a (deterministic) transition function δ : S × Σc × Σu → S,
• a labeling function Λ : S → 2^VS, and
• a winning condition Φ given by an acceptance component over VS.
The challenge of the controller is to find proper values for the input variables Vc such
that the specification Φ is satisfied, while the environment tries to force a violation of
Φ. We look at Moore games from the view of the controller, however, the definitions
of plays and strategies can be dually given for the environment, too.
Given a game G = (Vc, Vu, S, sI, δ, Λ, Φ), a (finite state) strategy is a tuple γ = (Q, qI, τ) where Q is a finite set of states, qI ∈ Q is the initial state and τ : S × Q → 2^(Σc × Q) is the move function. Intuitively, a strategy automaton is a Moore machine that fixes a set of possible responses to an environment input, and its response may depend on a finite memory of the past. Note that strategies are nondeterministic, but we can easily extract a deterministic strategy by fixing the strategy to one of the possible responses. The strategy is nondeterministic because this simplifies the symbolic calculation (see footnote 8).
A play on G respecting γ is an infinite sequence
π = (s(0), q(0)) --c(0),u(0)--> (s(1), q(1)) --c(1),u(1)--> ...
such that s(0) = sI, q(0) = qI, (c(i), q(i+1)) ∈ τ(s(i), q(i)) and s(i+1) = δ(s(i), c(i), u(i)). A play is winning if π is infinite and s(0), s(1), ... |= Φ. Notice that if τ(s(i), q(i)) = ∅ the strategy does not suggest a proper choice of the input variables and the game is lost. A strategy γ is winning if all plays according to γ are winning. The set of all winning states is the winning region. A game G is winning (or won) if the initial state sI is in the winning region. A memoryless strategy is a finite state strategy with only one state. A memoryless strategy will be written as a function γ : S → 2^Σc and a play of a memoryless strategy as a sequence
π = s(0) --c(0),u(0)--> s(1) --c(1),u(1)--> ...
We say that G is controllable if the controller has a winning strategy. Otherwise we
say that G is uncontrollable. The type of winning condition defines the name of the
game. Thus we speak e. g. of a Büchi game when dealing with a Moore game whose acceptance condition is a Büchi condition.
Footnote 8: Although possible in theory, we do not consider Mealy games here, since the product of two Mealy automata may lead to causality problems.
Solving Simple Moore Games
There are already algorithms for the solution of simple Moore games like Büchi games. Whenever those algorithms are symbolically implemented, they rely on some form of predecessor function. For example, the algorithms presented in [49, 110] use a predecessor function ♦c F := {s | ∃c ∈ Σc. ∀u ∈ Σu. δ(s, c, u) ∈ F} to calculate the set of states from which the controller can force a visit to a target set F in one step.
This pre-operator gives correct results for simpler games like Büchi or co-Büchi
games where the calculation of the winner of the game depends only on one player
and where the winner is always decided on the whole game graph. However, in a parity
game, the winner of the game is determined by successively calculating attractors to
the minimal color that occurs in a subgame S ′. Thus, we need predecessor functions
for both the controller and the environment. A possible definition that also considers
the subgame would be:
♦c′ F := {s | ∃c ∈ Σc. ∀u ∈ Σu. (δ(s, c, u) ∈ S′ → δ(s, c, u) ∈ F)} (2.1)
whereas the corresponding function for the environment would be:
♦u′ F := {s | ∀c ∈ Σc. (∃u ∈ Σu. δ(s, c, u) ∈ S′) → (∃u′ ∈ Σu. δ(s, c, u′) ∈ S′)}
To see that these predecessor functions do not give the correct results for every parity game, consider the parity game in Figure 2.8 together with the coloring function Ω(q0) = 0, Ω(q1) = 1 and Ω(q2) = 2. Clearly, the controller can win this game by always choosing c. However, the predecessor functions ♦c′ and ♦u′ give the wrong result that q1 is winning for the environment. The problem is that after q0 has been removed by the attractor to the states with the minimal color 0, the remaining subgame contains only the states q1 and q2. In the iterative step of the (generalized) parity game algorithm in which the subgame {q1, q2} is considered, the information that choosing c in q1 is winning is lost. And no matter how we define a predecessor function that is solely based on states (and not on tuples (q, c) that store the move chosen by the controller), we can find a game that gives a wrong result.
Another alternative algorithm for the solution of Moore games is given in [22] where
a game µ-calculus is introduced. This game µ-calculus is the ordinary µ-calculus
where the predecessor functions are replaced by predecessor functions similar as in
equation (2.1). Then it is shown that the same µ-calculus formula can be used for
both model-checking and for game-solving provided some syntactic criterion on the
µ-calculus formula is satisfied. It is moreover shown how parity conditions can be
translated to the game µ-calculus so that a solution of parity games is possible. This
game µ-calculus formula describes a symbolic algorithm for the solution of parity
games that does not suffer from the above sketched problem with subgames. However, one particular drawback of this syntactic criterion is that arbitrary conjunctions are not possible. Therefore a straightforward solution of Streett games or generalized conjunctive parity games cannot be obtained using the approach of [22].
Figure 2.8: A Parity Game for which simple Pre-Operators fail (states q0, q1, q2 with edges labeled u and u ∧ c; diagram not reproduced in text)
Hence, instead of providing a specialized pre-operator, we use a reduction to turn-
based games to solve Moore games. This reduction is straightforwardly obtained from
related constructions given in [28].
Reducing Moore Games to Turn-Based Games
In the following, we show how every Moore game can be transformed to a turn-based
game.
Definition 17 (Turn-Based Moore Game). For every Moore game G = (Vc, Vu, S, sI, δ, L, Φ) we define the turn-based controller game Gt = (V, V0, V1, R, L′, Φ) as follows:
• V1 = 2^VS
• V0 = {(s, c) | s ∈ S ∧ c ∈ Σc}
• V = V1 ∪ V0
• R = {(s, (s, c))} ∪ {((s, c), s′) | ∃u ∈ Σu. δ(s, c, u) = s′}
• L′(s) = L(s) and L′(s, c) = L(s)
Thus, the positions of player 0, the controller, are the states of the Moore game, and the environment starts from vertices (s, c) so that the controllable event chosen by the controller is memorized. The following is easily seen:
Proposition 2. Given a Moore game and its corresponding turn-based game. Then
Controller wins the Moore game from position sI if and only if Player 0 wins from
position sI in the turn-based game.
Thus we can use the large arsenal of algorithms for infinite turn-based games [37, 108, 89] also to solve Moore games (see footnote 9).
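To make the pre-operator ♦c F, the reduction of Definition 17 and Proposition 2 concrete, the following Python example (added here; it is not the thesis's own implementation) builds a small constructed Moore game, computes ♦c F directly, translates the game into its turn-based form with the controller (player 0) moving at the states s and the environment (player 1) at the vertices (s, c), as described after Definition 17, and solves the resulting Büchi game with the classical attractor iteration. The request/grant game, its state names and its Büchi condition are constructed for illustration only.

```python
# Added example (not the thesis's own code): a constructed Moore game in the
# sense of Definition 16, the controllable predecessor <>c F of the text, the
# reduction to a turn-based game from Definition 17 (player 0, the controller,
# moves at states s; player 1, the environment, at vertices (s, c)), and the
# classical attractor-based algorithm for Büchi games run on the result.

# --- constructed Moore game: a request/grant controller -------------------
SIGMA_U = (frozenset(), frozenset({"r"}))    # environment input: request r
SIGMA_C = (frozenset(), frozenset({"g"}))    # controller input: grant g
STATES = ("idle", "pending", "done", "sink")
F = frozenset({"idle", "done"})              # Büchi condition: GF(idle ∨ done)

def delta(s, c, u):
    """Transition function delta : S x Sigma_c x Sigma_u -> S.  The controller
    fixes c before seeing u (Moore semantics)."""
    r, g = "r" in u, "g" in c
    if s == "idle":
        return "pending" if r else "idle"
    if s == "pending":
        if g:
            return "done"
        return "sink" if r else "pending"    # unanswered second request: fatal
    if s == "done":
        return "idle"
    return "sink"                            # sink is absorbing

def cpre(target):
    """<>c F = {s | exists c in Sigma_c. forall u in Sigma_u. delta(s, c, u) in F}:
    states from which the controller forces a visit to `target` in one step."""
    return {s for s in STATES
            if any(all(delta(s, c, u) in target for u in SIGMA_U) for c in SIGMA_C)}

# --- turn-based game (Definition 17) ---------------------------------------
V0 = set(STATES)                                        # controller vertices
V1 = {(s, c) for s in STATES for c in SIGMA_C}          # environment vertices
F_T = {v for v in V0 | V1 if (v if v in V0 else v[0]) in F}   # L'(s, c) = L(s)

def succ(v):
    """R: s -> (s, c) for every c; (s, c) -> delta(s, c, u) for every u."""
    if v in V0:
        return [(v, c) for c in SIGMA_C]
    s, c = v
    return sorted({delta(s, c, u) for u in SIGMA_U})

def attractor(vertices, target, player):
    """Attractor of `target` for `player` within `vertices`: a map vertex -> rank,
    where from a vertex of rank k `player` can force `target` within k moves."""
    rank = {v: 0 for v in target if v in vertices}
    frontier, r = set(rank), 0
    while frontier:
        r += 1
        frontier = set()
        for v in vertices - set(rank):
            ws = [w for w in succ(v) if w in vertices]
            mine = (v in V0) == (player == 0)        # does `player` move at v?
            if ws and (any(w in rank for w in ws) if mine else all(w in rank for w in ws)):
                frontier.add(v)
        for v in frontier:
            rank[v] = r
    return rank

def solve_buchi():
    """Classical Büchi-game algorithm: repeatedly discard the player-1 attractor of
    the vertices from which F_T cannot be reached.  Returns (W0 restricted to the
    states of the Moore game, strategy), where strategy[s] lists the controllable
    inputs that stay in W0 and, outside F, strictly decrease the attractor rank."""
    vertices = V0 | V1
    while True:
        rank = attractor(vertices, F_T, 0)
        losing = vertices - set(rank)
        if not losing:
            break
        vertices -= set(attractor(vertices, losing, 1))
    strategy = {}
    for s in vertices & V0:
        moves = [c for c in SIGMA_C if (s, c) in vertices]
        if rank[s] > 0:
            moves = [c for c in moves if rank[(s, c)] < rank[s]]
        strategy[s] = moves
    return vertices & V0, strategy

if __name__ == "__main__":
    print("cpre(F) =", cpre(F))
    print("winning states and moves:", solve_buchi())
```

In the constructed game the controller wins from idle, pending and done but not from the absorbing sink, and in pending the only winning move is to grant. The vertices (s, c) of the turn-based game carry the controller's chosen move explicitly, which is exactly the information that the state-based pre-operators of equation (2.1) lose once a subgame is formed.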
2.5.3 LTL-Games
This thesis is concerned with specifications of the Moore game that are given as LTL formulas. To use the algorithms from the literature to solve infinite games, i. e. Büchi or (generalized) parity algorithms, we have to translate these LTL formulas to a deterministic automaton. The state space of this deterministic automaton is then combined with the original Moore game according to the following definition:
Definition 18 (Product Games). Given a Moore game G = (Vc, Vu,S, sI , δ,L,Φ)
over a set of variables VS and a deterministic ω-automaton A = (Q, {qI}, ξ, λ, ϕ)
whose input alphabet is VS such that for every path pi over VS we have that pi |= Φ iff
pi |= A, we define the product game
G× A = (Vu, Vc,S ×Q, (sI , qI), δ′, λ, ϕ) with δ′((s, q), u, c) = (δ(s, c, u), ξ(q, u, c))
Notice that the product game is a Moore game as before and that the controller is
winning from the initial state sI if and only if it is winning from the initial state (sI , qI)
of the product game. Thus, an efficient solution to the controller synthesis problem for LTL can be reduced to the task of finding deterministic ω-automata that are equivalent to a given LTL formula. We thus consider efficient (symbolic) determinization procedures in Chapters 4 and 5. However, our considerations for an efficient generation of deterministic ω-automata start in Chapter 3 where we present techniques to efficiently minimize parity automata. Since all our intermediate automata of the determinization procedures can be easily translated to a parity automaton, this is an important step in our overall algorithm.
2.6 Essentials of the Synchronous Programming
Language Quartz
Synchronous languages are becoming more and more attractive for the design and the
verification of reactive real time systems. There are imperative languages like Esterel [9], data flow languages like Lustre [43], and graphical languages like some Statechart [44] variants such as SyncCharts [4].
Footnote 9: In a symbolic implementation, adding the controllable variables as one part of the state space is not harmful; essentially the transition relations stay the same.
Synchronous languages are very appealing for the design of reactive systems since
they provide language constructs for parallel execution of processes. Moreover, they
are usually equipped with a formal semantics which allows both analysis with e. g. veri-
fication or controller synthesis but also makes it easy to automatically obtain hardware
from a synchronous program.
For our experiments, we used the synchronous language Quartz [92] to develop
the system for the controller synthesis game. From the Quartz program we obtain a
symbolic description of a Moore automaton that exactly describes the behavior of the
Quartz program. Hence, although we use Quartz as a way to develop the systems, the
algorithms developed during this thesis are general in the sense that they only assume
a description of the system as a transition system. Nevertheless, for understanding
some of the examples, a basic knowledge of the constructs of Quartz may be useful.
The common paradigm of synchronous languages is the perfect synchrony [42, 7]
which means that the execution of programs is divided into macro steps that are
usually interpreted as logical time. As this logical time is the same in all concur-
rent threads, these threads run in lockstep, which leads to a deterministic form of
concurrency. Macro steps are divided into finitely many micro steps that are atomic
actions of the programs. Moreover, variables change synchronously in macro steps,
i.e., variables have unique values in each macro step.
In the following, we give a brief overview of the synchronous programming language
Quartz. We do however not describe the entire language, and refer instead to [92].
Provided that S, S1, and S2 are statements, ℓ is a location variable, x is a variable, σ is a boolean expression, and α is a type, then the following are statements (keywords given in square brackets are optional):
• nothing (empty statement)
• x = τ and next(x) = τ (assignments)
• assume(ϕ) (assumptions)
• assert(ϕ) (assertions)
• ℓ : pause (start/end of macro step)
• if (σ) S1 else S2 (conditional)
• S1; S2 (sequential composition)
• do S while(σ) (iteration)
• S1 ‖ S2 (synchronous concurrency)
• [weak] [immediate] abort S when (σ) (abortion)
• [weak] [immediate] suspend S when (σ) (suspension)
• {α x; S} (local variable x with type α)
The pause statement defines a control flow location ℓ which is a boolean variable that is true iff the control flow is currently at the statement ℓ : pause. Since all other statements are executed in zero time, the control flow can only rest at these positions in the program, and therefore the possible control flow states are the subsets of the set of locations.
There are two variants of assignments; and both evaluate the right-hand side τ in
the current macro step. While immediate assignments x = τ immediately transfer
the value of τ to the left-hand side x, delayed assignments next(x) = τ transfer this
value in the following step.
In case the value of a variable is not determined by an assignment, a default value
is determined by the declaration of the variable. To this end, declarations provide
a storage class in addition to the type of a variable. There are two storage classes,
namely mem and event that choose the previous value or a default value (determined
by the type), respectively, in case no assignment determines the value of a variable.
Available types are booleans, signed and unsigned integers (both with limited and
unlimited bounds), bitvectors, as well as arrays and tuples of types.
In addition to the control flow constructs that are well-known from other imperative
languages like conditionals, sequences and loops, Quartz offers synchronous concur-
rency S1 ‖ S2 and sophisticated preemption and suspension statements, as well as
further statements to allow comfortable descriptions of reactive systems (see [92] for
the complete syntax and semantics). In S1 ‖ S2, both substatements S1 and S2 must
run in lockstep as long as both are active, and the statement terminates when the last
one of these substatements terminates. Preemption statements attach a guard to a
statement and either suspend or abort it if that guard is true. The immediate forms
do already check for preemption at starting time, while the default is to check the
preemption only after starting time. The weak variants allow all actions of the data
flow to take place even at the time of preemption, while the strong variant forbids
them at the time of preemption.
As mentioned above, synchronous programs offer many advantages for system de-
sign, but they also challenge the compilers: In particular, schizophrenia and causality
problems must be addressed. Schizophrenia problems occur if a statement is (re)started at the time of its termination, so that the compiler has to keep track of
different incarnations of the statement. In particular, local variable declarations have
to be handled with some care to distinguish different incarnations of the local vari-
ables. Causality problems occur if an action modifies variables that are responsible
for triggering the execution of the action. Hence, an action may disable its execution
or it may justify its execution, which are both unwanted behaviors. The causality
analysis has to determine that the actions of a synchronous program can be executed
in a causal order where all trigger conditions are determined before the corresponding
actions are executed.
3 Minimization of ω-Automata
The algorithms for the solution of LTL controller synthesis problems presented in this thesis make use of different intermediate ω-automata. The approach of Chapter 4 translates fragments of LTL to nondeterministic co-Büchi automata which are then determinized using the breakpoint construction [70] while our second determinization procedure from Chapter 5 translates nondeterministic Büchi automata to deterministic parity automata. Since both determinization procedures are in the worst case exponential, minimization procedures are especially beneficial for the nondeterministic automata. Although the size of symbolic representations like BDDs is not directly related to the number of states, the experiments in Chapter 7 confirm that controller synthesis of real life designs is nearly impossible using non-minimized automata whereas it becomes feasible when we use the minimization techniques presented in this chapter.
In contrast to deterministic finite automata on finite words, there is in general no
unique minimal automaton for ω-automata. Moreover, even for those automata that
belong to the class of deterministic weak automata and for which we know that a
minimal automaton exists, the problem is known to be PSPACE-hard (this is even
true for nondeterministic automata on finite words). Therefore, heuristics are used
to minimize the state space of ω-automata. In this chapter, we study simulation
relations [69] as a tool for minimizing automata. Simulation relations capture the
notion that the moves of one automaton can be mimicked by the moves of another
automaton. Thus simulation relations can be used to check language inclusion be-
tween automata [23] and can thus be used for model-checking where both the system
and the specification are given as automata. We are interested in simulation relations
because they can be used to efficiently minimize ω-automata.
There are quite many works related with the minimization problem of ω-automata. Somenzi and Bloem consider in [99] direct and reverse simulation for Büchi automata and use them to minimize nondeterministic automata obtained from LTL formulas. In [40], a relaxed notion, termed fair simulation, is considered. Since it is known that fair simulation is not language-preserving under quotient construction, the authors use additional checks to calculate a language equivalent minimized Büchi automaton. Etessami, Wilke and Schuller introduce in [28] an intermediate notion of simulation, called delayed simulation, that is finer than direct simulation but not as coarse as fair simulation. This intermediate simulation relation produces a language equivalent Büchi automaton under quotient construction.
In [33, 30, 31] it is shown how the results regarding delayed simulation can be
generalized for alternating Bu¨chi automata. Finally, in [34, 32] delayed simulation is
introduced for alternating parity automata. Since nondeterministic parity automata
are special cases of alternating parity automata, the results of [34, 32] do also apply
here.
In this chapter, the remaining cases for (nondeterministic) parity automata are
considered. First, direct simulation is introduced for parity automata. Although
direct simulation is weaker than delayed simulation (it allows less minimization),
we use it as a preprocessing step, since it can be calculated in linear time whereas
delayed simulation needs quadratic time. The second contribution of this chapter is
the presentation of reverse simulation for parity automata: first, in the style presented in [99] of a direct simulation where a good transition in the simulated automaton must be directly matched by a good transition in the simulating automaton; second, also in the relaxed notion of delayed simulation where this match of a good transition is postponed (see footnote 1).
Since fair simulation has been shown to be the most efficient simulation relation for state space minimization of Büchi automata, the last paragraph of this chapter considers fair simulation minimization of parity automata. However, since we are particularly interested in algorithms that are well suited for a symbolic implementation, we do not consider a direct generalization of results obtained in [40] regarding the minimization of Büchi automata. The approach of [40] uses backtracking on individual states which is not amenable to a symbolic implementation. Instead, in Section 3.7 a surprisingly simple condition is introduced that can be used to iteratively minimize an automaton using fair simulation with intermediate checks that the result is correct.
The next section starts with the introduction of simulation relations as games,
following related constructions given in [28].
3.1 Simulation Relations as a Two-Player Game
Following related work, we define simulation relations via infinite games. To handle
the parity condition appropriately, we will first define an ordering on the natural
numbers (also used e. g. in [32]) that takes the parity condition into account.
Definition 19 (Reward Order). The reward order ≤Ω ⊆ N × N is defined as follows: m ≤Ω n if and only if
• m is even and n is odd, or
• m and n are even and m ≤ n, or
• m and n are odd and n ≤ m
for all m, n ∈ N.
Footnote 1: For Büchi automata, the two notions are equivalent.
That means, 0 <Ω 2 <Ω 4 <Ω . . . <Ω 5 <Ω 3 <Ω 1. Thus, every even number
is better than every odd number and while the even numbers are ordered according
to the standard order on N, the order for the odd numbers is reversed. We will also
phrase n <Ω m as n is better than m, while terms like minimum and smaller than
will always be used with respect to the standard order ≤.
For the remainder of this chapter, it is assumed that all dead-ends have been removed from the corresponding automata, i. e. given a parity automaton A = (S, I, R, Ω), for every state s ∈ S there must exist an input a ∈ Σ and a successor state s′ ∈ S so that (s, a, s′) ∈ R holds.
3.1.1 The Basic Simulation Game
Following [28, 32], the simulation relations are defined via a game between two players, the Spoiler and the Duplicator. Spoiler seeks to show that automaton A is not simulated by A′. While performing this task, Spoiler controls the simultaneous inputs for both automata and the nondeterministic choices of A, while Duplicator tries to mimic each move of Spoiler through the nondeterministic choices that A′ allows.
This intuitive idea is captured by the following definition:
Definition 20 (Basic Game). Let $A = (S, I, R, \Omega)$, $A' = (S', I', R', \Omega')$ be two parity automata over the alphabet $\Sigma$ and $s^{(0)}$ and $s'^{(0)}$ be arbitrary states of $A$ and $A'$ respectively. The basic game $G^{(A,A')}(s^{(0)}, s'^{(0)})$ is played by two players, Spoiler and Duplicator, in rounds, where, at the beginning of and at the end of each round, two pebbles, Red and Blue, are placed on two states. At the start of round 0, Red and Blue are placed on $s^{(0)}$ and $s'^{(0)}$, respectively. Assume that at the beginning of round $i$, Red is on state $s^{(i)}$ and Blue is on $s'^{(i)}$. Then:
1. Spoiler chooses a letter α(i) ∈ Σ.
2. Spoiler chooses a transition (s(i), α(i), s(i+1)) ∈ R and moves Red to s(i+1).
3. Duplicator, responding, must choose a transition (s′(i), α(i), s′(i+1)) ∈ R′ labeled
by the same input letter and moves Blue to s′(i+1). If no α(i)-transition starting
from s′(i) exists, then the game halts and Spoiler wins.
4. The starting position for the next round is (s(i+1), s′(i+1)).
Intuitively, Spoiler produces, letter by letter, an ω-word over Σ as simultaneous input for the two automata A and A′. Spoiler controls the nondeterministic choices of A, while Duplicator controls the nondeterministic choices of A′. The first round begins with the pair $(s^{(0)}, s'^{(0)})$. If, at any point during the course of the game, Duplicator cannot proceed any more, she loses early. This corresponds to the case that there exists a word α that labels a run starting in $s^{(0)}$, but no run of A′ labeled with α starts in $s'^{(0)}$. When the players proceed as above and Duplicator does not lose early, they produce an infinite sequence $(s^{(0)}, \alpha^{(0)}, s'^{(0)})(s^{(1)}, \alpha^{(1)}, s'^{(1)}) \ldots$ from $(S \times \Sigma \times S')^\omega$ that induces two runs $\pi = s^{(0)} s^{(1)} \ldots$ of A and $\pi' = s'^{(0)} s'^{(1)} \ldots$ of A′, respectively. This sequence determines the winner, depending on the type of simulation we are interested in, and is thus called the outcome of the game.
Definition 21 (Simulation Games). Let $A$ and $A'$ be parity automata, let $(s^{(0)}, s'^{(0)}) \in S \times S'$ and let $(s^{(0)}, \alpha^{(0)}, s'^{(0)})(s^{(1)}, \alpha^{(1)}, s'^{(1)}) \ldots$ be an outcome of $G^{(A,A')}(s^{(0)}, s'^{(0)})$. Let $\pi = s^{(0)} s^{(1)} \ldots$ and $\pi' = s'^{(0)} s'^{(1)} \ldots$.
1. The direct (strong) simulation game, denoted by $G^{(A,A')}_{di}(s^{(0)}, s'^{(0)})$, is the basic game $G^{(A,A')}(s^{(0)}, s'^{(0)})$ extended by the rule that Duplicator is winning iff, for all $i$, $\Omega(s^{(i)}) \geq_\Omega \Omega'(s'^{(i)})$.
2. The left-hand delayed simulation game, denoted by $G^{(A,A')}_{del}(s^{(0)}, s'^{(0)})$, is the basic game $G^{(A,A')}(s^{(0)}, s'^{(0)})$ extended by the rule that the outcome is winning for Duplicator iff for all $i$, if $\Omega(s^{(i)}) <_\Omega \Omega'(s'^{(i)})$, then for some $j > i$ we have
• $\Omega(s^{(j)})$ is odd and
• $\Omega(s^{(j)}) \leq \min\{\Omega(s^{(i)}), \Omega'(s'^{(i)})\}$
3. The right-hand delayed simulation game, denoted by $G^{(A,A')}_{der}(s^{(0)}, s'^{(0)})$, is the basic game $G^{(A,A')}(s^{(0)}, s'^{(0)})$ extended by the rule that the outcome is winning for Duplicator iff for all $i$, if $\Omega(s^{(i)}) <_\Omega \Omega'(s'^{(i)})$, then for some $j > i$ we have
• $\Omega'(s'^{(j)})$ is even and
• $\Omega'(s'^{(j)}) \leq \min\{\Omega(s^{(i)}), \Omega'(s'^{(i)})\}$
4. The delayed simulation game, denoted by $G^{(A,A')}_{de}(s^{(0)}, s'^{(0)})$, is the basic game $G^{(A,A')}(s^{(0)}, s'^{(0)})$ extended by the rule that the outcome $(\pi, \pi')$ is winning for Duplicator iff for all $i$, if $\Omega(s^{(i)}) <_\Omega \Omega'(s'^{(i)})$, then for some $j > i$ we have
• $\Omega(s^{(j)})$ is odd and $\Omega(s^{(j)}) \leq \min\{\Omega(s^{(i)}), \Omega'(s'^{(i)})\}$, or
• $\Omega'(s'^{(j)})$ is even and $\Omega'(s'^{(j)}) \leq \min\{\Omega(s^{(i)}), \Omega'(s'^{(i)})\}$
5. The fair simulation game, denoted by $G^{(A,A')}_{f}(s^{(0)}, s'^{(0)})$, is the basic game $G^{(A,A')}(s^{(0)}, s'^{(0)})$ extended by the rule that Duplicator is winning iff: if $\mathrm{MIN}_\Omega(\pi)$ is even, then $\mathrm{MIN}_{\Omega'}(\pi')$ is even.
Direct simulation is more or less the direct adaptation of direct simulation from Büchi automata to parity automata. That is, whenever Spoiler visits a state, Duplicator must simultaneously visit a state that is at least as good according to the ordering $<_\Omega$. In particular, whenever Spoiler visits a state s with even color, Duplicator must visit a state s′ with an even color such that the color of s′ is not larger than the color of s. If Spoiler visits a state with odd color, Duplicator must choose a state with even color or a state with an odd color that is not smaller. This ensures that whenever A accepts, then also A′ accepts.
Delayed simulation comes in three variants: whenever Spoiler visits a better state than Duplicator, i. e. $\Omega(s^{(i)}) <_\Omega \Omega'(s'^{(i)})$, this bad event must be recovered later on. Left-hand delayed simulation waits for a smaller odd color on the side of Spoiler (the left-hand side), which ensures that the color of state $s^{(i)}$ has no effect. Similarly, right-hand delayed simulation waits for a smaller even color on the right-hand side, so that the color of $s'^{(i)}$ has no effect. Finally, (full) delayed simulation combines the two by allowing this recovery on both sides.
The most relaxed notion is fair simulation. Here a play is won for Duplicator iff either the minimal color visited infinitely often by Spoiler is odd (i. e. A does not accept) or the minimal color visited infinitely often by Duplicator is also even (i. e. A′ does accept).
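As an added example (not code from the thesis), the five winning conditions of Definition 21 evaluated on lasso-shaped outcomes, i. e. a finite prefix followed by a loop that repeats forever. Only the colour pairs $(\Omega(s^{(i)}), \Omega'(s'^{(i)}))$ along the play matter, so an outcome is given as such a sequence; the outcomes at the bottom are constructed to separate the five variants and to exhibit the containment of the winning conditions stated in Lemma 1.

```python
"""Winning conditions of the simulation games of Definition 21 on lasso-shaped
outcomes (prefix . loop^omega).  Added example, not code from the thesis.
An outcome is a list of colour pairs (Omega(s^(i)), Omega'(s'^(i))), which is
all the winning conditions depend on; the outcomes below are constructed."""


def reward_key(c):
    """Rank of colour c in the reward order of Definition 19:
    0 <_Omega 2 <_Omega 4 <_Omega ... <_Omega 5 <_Omega 3 <_Omega 1."""
    return (c % 2, c if c % 2 == 0 else -c)


def better(m, n):
    """m <_Omega n: colour m is strictly better than colour n."""
    return reward_key(m) < reward_key(n)


class Lasso:
    """Outcome prefix . loop^omega; each element is (Spoiler colour, Duplicator colour)."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("the loop must be non-empty")
        self.prefix, self.loop = list(prefix), list(loop)

    def unrolled(self):
        # Every position i of prefix.loop stands for all positions of the infinite
        # play, and a recovery j > i that exists at all already exists within
        # prefix.loop.loop, so two copies of the loop suffice for the checks below.
        return self.prefix + self.loop + self.loop

    def representatives(self):
        """Number of positions that represent every position of the infinite play."""
        return len(self.prefix) + len(self.loop)


def direct_wins(out):
    """Direct game: Omega'(s'^(i)) <=_Omega Omega(s^(i)) in every round i."""
    return all(not better(cs, cd) for (cs, cd) in out.prefix + out.loop)


def delayed_wins(out, left=True, right=True):
    """Delayed games: each round i in which Spoiler's colour is strictly better
    must be recovered at some j > i by an odd colour <= min(...) on Spoiler's
    side (left-hand), an even colour <= min(...) on Duplicator's side
    (right-hand), or either of the two (full delayed simulation)."""
    seq = out.unrolled()
    for i in range(out.representatives()):
        cs, cd = seq[i]
        if not better(cs, cd):
            continue
        bound = min(cs, cd)            # min{Omega(s^(i)), Omega'(s'^(i))}
        if not any((left and ls % 2 == 1 and ls <= bound) or
                   (right and ld % 2 == 0 and ld <= bound)
                   for (ls, ld) in seq[i + 1:]):
            return False
    return True


def fair_wins(out):
    """Fair game: if the minimal colour Spoiler sees infinitely often is even,
    the minimal colour Duplicator sees infinitely often must be even too.
    On a lasso the colours seen infinitely often are exactly those of the loop."""
    min_spoiler = min(cs for (cs, _) in out.loop)
    min_duplicator = min(cd for (_, cd) in out.loop)
    return min_spoiler % 2 == 1 or min_duplicator % 2 == 0


def verdicts(out):
    """Who wins the outcome under each of the five winning conditions."""
    return {"di": direct_wins(out),
            "del": delayed_wins(out, left=True, right=False),
            "der": delayed_wins(out, left=False, right=True),
            "de": delayed_wins(out),
            "f": fair_wins(out)}


def containment_respected(out):
    """Lemma 1 (2) on one outcome: di => del, di => der, del/der => de, de => f."""
    v = verdicts(out)
    return ((not v["di"] or (v["del"] and v["der"])) and
            (not (v["del"] or v["der"]) or v["de"]) and
            (not v["de"] or v["f"]))


# Constructed outcomes (colour pairs, not from the thesis).
OUTCOMES = {
    "all":        Lasso([(0, 0)], [(1, 0), (3, 2)]),   # Duplicator never worse
    "right-hand": Lasso([], [(0, 1), (2, 0)]),         # Duplicator recovers with 0
    "left-hand":  Lasso([], [(2, 3), (1, 3)]),         # Spoiler recovers with 1
    "fair-only":  Lasso([], [(0, 3), (4, 2)]),         # no recovery, min colours even
    "none":       Lasso([], [(0, 1), (2, 3)]),         # lost under every condition
}

if __name__ == "__main__":
    for name, out in OUTCOMES.items():
        print(f"{name:11s}", verdicts(out))
```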
Having defined the games, we can define strategies in a straightforward way. The idea of strategies is sketched in Figure 3.1. In the first round, the strategy $\gamma$ defines the (uniquely defined) successor state $s'^{(0)}$ based only on the current state of Spoiler. In the second round, all information gained so far during the game, i. e. $s^{(0)}, s'^{(0)}, \alpha^{(0)}, s^{(1)}$, is used to define the successor state $s'^{(1)} = \gamma(s^{(0)} s'^{(0)} \alpha^{(0)} s^{(1)})$, and so on. Finally, the decision which successor to choose for Duplicator is based on all information gathered so far, i. e. in that case we have $s'^{(i+1)} = \gamma(s^{(0)} s'^{(0)} \alpha^{(0)} s^{(1)} s'^{(1)} \alpha^{(1)} \ldots \alpha^{(i)} s^{(i+1)})$². If we have a memoryless strategy, the decision is based simply on the current state of Spoiler, the input Spoiler chooses and the state Duplicator is in, which means that in the figure the two edges from . . . to $\gamma$ disappear.
This intuitive idea is formalized in the following definition:
Definition 22 (Strategy for Simulation Games). Let $? \in \{di, de, del, der, f\}$. A strategy for Duplicator in the game $G^{(A,A')}_{?}(s^{(0)}, s'^{(0)})$ is a partial function $\gamma : S(S'\Sigma S)^* \to S'$ which, given the history of the game up to a certain point, determines the next move of Duplicator. Formally, $\gamma$ is a strategy for Duplicator if $\gamma(s^{(0)}) = s'^{(0)}$ and $(s'^{(i-1)}, \alpha^{(i-1)}, s'^{(i)}) \in R'$ holds for every sequence $s^{(0)} s'^{(0)} \alpha^{(0)} s^{(1)} s'^{(1)} \alpha^{(1)} \ldots \alpha^{(i-1)} s^{(i)}$ with $(s^{(j)}, \alpha^{(j)}, s^{(j+1)}) \in R$ and $s'^{(j)} = \gamma(s^{(0)} s'^{(0)} \alpha^{(0)} s^{(1)} s'^{(1)} \alpha^{(1)} \ldots \alpha^{(j-1)} s^{(j)})$ for every $j \leq i$. A strategy is memoryless if, whenever $\eta, \eta' \in S(S'\Sigma S)^*$ and $\gamma(\eta) = \gamma(\eta') = s'$, it holds for every $s \in S$ and every $a \in \Sigma$ that $\gamma(\eta s' a s) = \gamma(\eta' s' a s)$, i. e. Duplicator chooses the next state based only on the current state she is in and on the input and next state chosen by Spoiler. In this case, we usually write $\gamma$ as a function $\gamma : S' \times \Sigma \times S \to S'$. Strategies for Spoiler are defined analogously.
Figure 3.1: Defining Strategies for the Basic Simulation Game (Spoiler's states $s^{(0)}, s^{(1)}, \ldots, s^{(i)}, s^{(i+1)}$ and Duplicator's states $s'^{(0)}, s'^{(1)}, \ldots, s'^{(i)}, s'^{(i+1)}$ connected by the inputs $\alpha^{(0)}, \alpha^{(1)}, \ldots, \alpha^{(i)}$; each $s'^{(j)}$ is chosen by $\gamma$).
² We did not draw every edge to the last $\gamma$ to simplify the picture.
Observe that the existence of a strategy implies that Duplicator has a way of playing
such that the game does not halt. A strategy γ for Duplicator is a winning strategy
if, no matter how Spoiler plays, Duplicator always wins. Formally, a strategy γ for
Duplicator is winning if for all $\alpha = \alpha^{(0)} \alpha^{(1)} \ldots$, whenever $\pi = s^{(0)} s^{(1)} \ldots$ is a run through $A$ and $\pi' = s'^{(0)} s'^{(1)} s'^{(2)} \ldots$ is the run defined by
$$s'^{(i+1)} = \gamma(s^{(0)} s'^{(0)} \alpha^{(0)} s^{(1)} s'^{(1)} \alpha^{(1)} \ldots \alpha^{(i)} s^{(i+1)}) \quad (3.1)$$
then $(\pi, \pi')$ is winning for Duplicator (as specified in Definition 21).
Intuitively, an automaton A′ simulates another automaton A, iff Duplicator has a
winning strategy in the simulation game. That is, she can mimic every run generated
by Spoiler over A with a corresponding run of A′.
In the following, if not otherwise stated, ? is always an element of {di, de, del, der, f}.
Definition 23 (Simulation Relations). Let $A, A'$ be parity automata. A state $s'$ of $A'$ ?-simulates a state $s$ of $A$ iff there is a winning strategy for Duplicator in $G^{(A,A')}_{?}(s, s')$. We denote such a relationship by $s \sqsubseteq^{(A,A')}_{?} s'$. If $A, A'$ are clear from the context, we sometimes omit them. Finally, we define $s \approx^{(A,A')}_{?} s'$ iff $s \sqsubseteq^{(A,A')}_{?} s'$ and $s' \sqsubseteq^{(A',A)}_{?} s$. In that case we say that $s$ and $s'$ are simulation equivalent. We will later show that this is an equivalence relation.
An automaton $A$ is simulated by another automaton $A'$ if for every $s_i \in I$ some $s'_i \in I'$ exists such that $s_i \sqsubseteq^{(A,A')}_{?} s'_i$. We denote such relationships between automata by $A \sqsubseteq_? A'$. Moreover, we define $A \approx_? A'$ if $A \sqsubseteq_? A'$ and $A' \sqsubseteq_? A$ holds.
Delayed simulation has been introduced in [32, 34] and has been used for the minimization of alternating parity automata. Since alternating automata are more general than nondeterministic automata, their results also apply here. For this reason, delayed simulation will not be considered here in detail. However, since the proofs for delayed left-hand and reverse delayed left-hand simulation are completely analogous in some parts, we will also demonstrate some properties of delayed left-hand simulation. This also sheds light on the differences and commonalities of the different forms of simulation relations.
We will start our considerations with a reduction of the simulation games to turn-based games. This enables us to use the well-known algorithms for turn-based games for the solution of the simulation games.
3.1.2 Simulation Games as Turn-Based Games
Although the simulation games introduced before have some similarity to the turn-based games we introduced in Section 2.5.1, they differ in how the winner of a game is defined. Thus, in the following, a reduction of simulation games to the infinite games introduced in previous sections is presented. The basic games can be translated to a turn-based game with the techniques presented in [28]:
Definition 24 (Turn-Based Game for the Basic Simulation Game). Let $A = (S, I, R, \Omega)$, $A' = (S', I', R', \Omega')$ be two parity automata over the alphabet $\Sigma$. We define a turn-based game $G = (V, V_0, V_1, E, \Phi)$ to simulate the basic simulation game as follows:
$V_0 = \{v_{(s,s',a)} \mid s \in S \wedge s' \in S' \wedge \exists r.\ (r, a, s) \in R\}$
$V_1 = \{v_{(s,s')} \mid s \in S \wedge s' \in S'\}$
$E = \{(v_{(s_1,s'_1,a)}, v_{(s_1,s'_2)}) \mid (s'_1, a, s'_2) \in R'\} \cup \{(v_{(s_1,s'_1)}, v_{(s_2,s'_1,a)}) \mid (s_1, a, s_2) \in R\}$
Intuitively, Duplicator's role is taken by player 0 in the turn-based game. Consider a simulation game that has reached position $(r, r')$. Simultaneously, the turn-based game has reached position $v_{(r,r')}$, which is a player 1 (Spoiler's) node. Now Spoiler chooses a transition $(r, a, s) \in R$ and moves the red token to $s$. In the turn-based game, player 1 goes to node $v_{(s,r',a)}$, which is a player 0 node. From that node, Duplicator (player 0) chooses a transition $(r', a, s') \in R'$ and moves to node $v_{(s,s')}$.
So far we have said nothing about the acceptance condition. This acceptance
condition is defined to respect the acceptance of the respective simulation game.
Clearly, a direct simulation game is a safety game with the safety condition that in
each round i, we have Ω(s(i)) ≥Ω Ω′(s′(i)). Moreover, it is not hard to see that the fair
simulation game is a disjunctive generalized parity game with the disjunctive parity
condition [Ω,Ω′], i. e. Duplicator wins whenever either the parity condition Ω of A is
not satisfied or the parity condition Ω′ of A′ is satisfied.
A slight modification of Lemma 4 of [28] shows that the number of edges of the turn-based game is $O(mn)$ where $n = \max\{|S|, |S'|\}$, $m = \max\{|R|, |R'|\}$. Thus the following proposition follows directly from the corresponding complexity bounds of safety and generalized parity games given e. g. in [28, 19].
Proposition 3. Let $A, A'$ be as before. Let $n = \max\{|S|, |S'|\}$, $m = \max\{|R|, |R'|\}$, $d = \max\{|\Omega|, |\Omega'|\}$. Then the greatest direct simulation relation $\sqsubseteq^{(A,A')}_{di}$ can be calculated symbolically in time $O(nm)$ and the greatest fair simulation relation $\sqsubseteq^{(A,A')}_{f}$ can be calculated symbolically in time $O\big((nm)^{4d+1}\big) \cdot \frac{2d!}{d!^2}$.
3.2 Basic Properties of Simulation Relations
In the following, some basic properties of simulation relations are proved, in particular
that the simulation equivalence is really an equivalence relation. After that, three
different quotient constructions are given. The following lemma is a generalization of
Proposition 3 from [28]:
Lemma 1. Let $A$ be a parity automaton.
1. For $? \in \{di, del, der, de, f\}$, $\sqsubseteq^{(A,A)}_{?}$ is a reflexive, transitive relation.
2. The simulation relations are ordered by containment: $\sqsubseteq_{di} \subseteq \sqsubseteq_{der} \subseteq \sqsubseteq_{de} \subseteq \sqsubseteq_{f}$ and $\sqsubseteq_{di} \subseteq \sqsubseteq_{del} \subseteq \sqsubseteq_{de} \subseteq \sqsubseteq_{f}$.
3. For $? \in \{di, del, der, de, f\}$, if $s \sqsubseteq_? s'$, then $Lang(A_s) \subseteq Lang(A_{s'})$.
4. For $? \in \{di, der, del, de, f\}$, $\approx^{(A,A)}_{?}$ is an equivalence relation.
Proof. To ease notation, we omit the $(A, A')$ and denote the simulation relation by $\sqsubseteq_?$.
1. Reflexivity is obvious. To show transitivity, suppose that $s \sqsubseteq_? s' \sqsubseteq_? s''$ for some $? \in \{di, del, der, de, f\}$. Then, by definition, Duplicator has winning strategies in the games $G^{(A,A)}_{?}(s, s')$ and $G^{(A,A)}_{?}(s', s'')$, say $\gamma$ and $\gamma'$. We combine these to get a winning strategy $\gamma''$ for Duplicator in the game $G^{(A,A)}_{?}(s, s'')$ as follows: if
$$\gamma(s^{(0)} s'^{(0)} \alpha^{(0)} s^{(1)} s'^{(1)} \alpha^{(1)} \ldots s'^{(i)} \alpha^{(i)} s^{(i+1)}) = s'^{(i+1)} \quad (3.2)$$
and
$$\gamma'(s'^{(0)} s''^{(0)} \alpha^{(0)} s'^{(1)} s''^{(1)} \alpha^{(1)} \ldots s''^{(i)} \alpha^{(i)} s'^{(i+1)}) = s''^{(i+1)}$$
then we define
$$\gamma''(s^{(0)} s''^{(0)} \alpha^{(0)} s^{(1)} s''^{(1)} \alpha^{(1)} \ldots s''^{(i)} \alpha^{(i)} s^{(i+1)}) = s''^{(i+1)}. \quad (3.3)$$
It is easy to see that this defines a strategy for Duplicator. To see that $\gamma''$ is in fact winning, let $\pi = s^{(0)} s^{(1)} \ldots$ be a run through $A$ over $\alpha^{(0)} \alpha^{(1)} \ldots$ and let $\pi'' = s''^{(0)} s''^{(1)} \ldots$ be the run defined by equation (3.3). We need to argue that $(\pi, \pi'')$ is winning for Duplicator. By induction, one easily proves that if $\pi' = s'^{(0)} s'^{(1)} \ldots$ is defined by (3.1), then $s''^{(i+1)}$ is totally defined by $\gamma'$, i. e. $s''^{(i+1)} = \gamma'(s'^{(0)} s''^{(0)} \alpha^{(0)} s'^{(1)} s''^{(1)} \alpha^{(1)} \ldots s''^{(i)} \alpha^{(i)} s'^{(i+1)})$. This means that $(\pi, \pi')$ is winning for Duplicator in $G^{(A,A)}_{?}(s^{(0)}, s'^{(0)})$ and $(\pi', \pi'')$ is winning for Duplicator in $G^{(A,A)}_{?}(s'^{(0)}, s''^{(0)})$. For instance, when $? = f$, this implies the following: if $\pi$ is an accepting run of $A_{s^{(0)}}$, i. e. $\mathrm{MIN}_\Omega(\pi)$ is even, then necessarily $\mathrm{MIN}_\Omega(\pi')$ is even since Duplicator wins in $G^{(A,A)}_{?}(s^{(0)}, s'^{(0)})$. This implies that also $\mathrm{MIN}_\Omega(\pi'')$ must be even, since otherwise $\gamma'$ would be no winning strategy in $G^{(A,A)}_{?}(s'^{(0)}, s''^{(0)})$. A similar argument shows the case for direct and delayed simulation.
2. The inclusions of right-hand and left-hand delayed simulation in delayed simulation have been shown in [34]. The rest of the inclusions follows from the definition of the winning conditions, since those are also ordered by containment. That is, whenever Duplicator wins the direct (delayed) simulation game, she also wins the delayed (and fair) simulation game.
3. To prove part 3, assume $? \in \{di, der, del, de, f\}$, $s \sqsubseteq_? s'$ and $\alpha \in Lang(A_s)$ with $\alpha = \alpha^{(0)} \alpha^{(1)} \ldots$. Then, there exists a winning strategy $\gamma$ for Duplicator in $G^{(A,A)}_{?}(s, s')$ and an accepting run $\pi = s^{(0)} s^{(1)} \ldots$ of $A$ starting with $s^{(0)} = s$. Assume Spoiler plays $\pi$ in $G^{(A,A)}_{?}(s, s')$ and Duplicator replies according to $\gamma$. Then a run $\pi' = s'^{(0)} s'^{(1)} \ldots$ of $A$ starting in $s'$ is built up according to (3.1). Since $\pi$ is accepting and $\gamma$ is winning, $\pi'$ will also be accepting.
4. $\approx_?$ is an equivalence relation since it is reflexive, transitive and symmetric.
3.3 Quotient Constructions
Having defined an equivalence relation enables us to define the usual quotient con-
struction, termed the naive quotient in [31].
Definition 25 (Quotient Structure for Parity Automata). Let A = (S, I,R,Ω) be a
parity automaton. Let ζ be an equivalence relation on S. We denote the equivalence
class of s ∈ S with [s], i. e. [s] = {s′ ∈ S | (s, s′) ∈ ζ}. The quotient structure A/ζ is
defined as:
• S/ζ = {[s] | s ∈ S}
• I/ζ = {[s] | s ∈ I}
• R/ζ = {([s1], a, [s2]) | ∃s′1 ∈ [s1], ∃s′2 ∈ [s2]. (s′1, a, s′2) ∈ R}
• Ω/ζ([s]) = min{Ω(s′) | s′ ∈ [s]}
In a symbolic implementation, it is easier to represent an equivalence class with one
representative instead of a set. This leads to the definition of a canonical selection
function and a canonical quotient construction (see e. g. [91]).
Definition 26 (Canonical Selection Function and Canonical Quotient Structure). Given a parity automaton $A = (Q, I, R, \Omega)$ and an equivalence relation $\zeta$, a function $\rho : Q \to Q$ is called a canonical selection function for $\zeta$ iff the following conditions are met:
• $\forall s \in Q.\ (s, \rho(s)) \in \zeta$
• $\forall s_1, s_2 \in Q.\ (s_1, s_2) \in \zeta \to (\rho(s_1) = \rho(s_2))$
For a canonical selection function $\rho : Q \to Q$, we define the canonical quotient automaton $A/\rho$ as follows:
• $Q/\rho = \{\rho(s) \mid s \in Q\}$
• $I/\rho = \{\rho(s) \mid s \in I\}$
• $R/\rho = \{(\rho(s_1), a, \rho(s_2)) \mid (s_1, a, s_2) \in R\}$
• $\Omega/\rho(s) = \Omega(s)$
If the canonical selection function always selects a representative with minimal color, the two definitions are obviously equivalent (see also [91]).
Figure 3.2: Merging of Fair Simulation Equivalent States may Destroy Determinism (left: a Büchi automaton with states $s_0, \ldots, s_4$ and transitions labelled $a$, $b$ and $\Sigma$; right: the automaton obtained by merging $s_1$ and $s_2$ into $[s_1]$).
3.3.1 Merging of States may Destroy Determinism
It is well known that the (canonical) quotient construction returns a deterministic
automaton in case of the greatest simulation relation equivalence with respect to
direct, delayed or fair simulation if it is used for the minimization of a deterministic
automaton. This is due to the fact that if two states are simulation equivalent in the
greatest simulation relation, then also all successors must be simulation equivalent
and are thus merged to one (equivalence class) state. However, this need not hold if
we do not use the largest simulation relation.
Even correct merges of fair simulation equivalent states may destroy determinism, as demonstrated by the left automaton in Figure 3.2. Here we have a Büchi automaton where the accepting states are marked by a double circle. Clearly, all states
are fair simulation equivalent, however, the automaton that is obtained by merging all
states accepts all words and thus is not correct. Hence, a possible approach regarding
fair simulation, followed also by [40], is to use smaller simulation relations. In that
case nondeterminism may occur. When we merge the states s2 and s1 to one state,
the automaton shown in the right of Figure 3.2 is obtained. This automaton is correct
but nondeterministic.
3.3.2 A Quotient Construction that Preserves Determinism
In order to preserve determinism, we develop in the following a new quotient construction. The principle behind this construction is that instead of merging states, we replace ingoing transitions. To give an intuitive idea of this construction, consider again the automaton in Figure 3.2. By first replacing any ingoing edge to $s_2$ by an edge to $s_1$, the automaton on the left of Figure 3.3 is obtained. Any initial state can be interpreted as having an ingoing edge. This ingoing edge may be replaced by an edge to $s_1$ so that we obtain the automaton on the right of Figure 3.3. At the end, the states $s_0$ and $s_2$ are no longer reachable and can be removed.
Figure 3.3: Determinism is Preserved by Replacing Edges (states $s_0, \ldots, s_4$ with transitions labelled $a$, $b$ and $\Sigma$, before and after redirecting the ingoing edges).
This intuitive idea of replacing ingoing edges is used to obtain the following definition, which is a modification of the canonical quotient construction:
Definition 27 (The Successor Quotient for Parity Automata). Given a parity automaton $A = (S, I, R, \Omega)$ and an equivalence relation $\zeta$ together with a canonical selection function $\rho : S \to S$. The successor quotient $A \div \rho$ is defined as:
• $S \div \rho = \{\rho(s) \mid s \in S\}$
• $I \div \rho = \{\rho(s) \mid s \in I\}$
• $R \div \rho = \{(s_1, a, \rho(s_2)) \mid (s_1, a, s_2) \in R \wedge s_1 = \rho(s_1)\}$
• $\Omega \div \rho(s) = \Omega(s)$
The difference between the canonical quotient structure and the successor quotient structure is not obvious, and best explained with some diagrams. First examine Figure 3.4. Here, some part of an automaton is drawn. We have two equivalence classes $\tilde{s}_1 = \{s_1, s_{11}, s_{12}\}$ and $\tilde{s}_2 = \{s_2, s_{21}, s_{22}\}$. As the canonical selection function, we take $\rho_1(s_1) = \rho_1(s_{11}) = \rho_1(s_{12}) = s_1$ and $\rho_1(s_2) = \rho_1(s_{21}) = \rho_1(s_{22}) = s_2$. The automata obtained from the canonical and the successor quotient construction are drawn in the top right of this figure. As another example, if we choose $\rho_2(s_1) = \rho_2(s_{11}) = \rho_2(s_{12}) = s_{12}$ and $\rho_2(s_2) = \rho_2(s_{21}) = \rho_2(s_{22}) = s_{21}$, we would obtain the two automata shown in the bottom right of this figure, since every outgoing edge of $s_{12}$ to a successor state in $\tilde{s}_2$ is preserved.
Figure 3.4: The Difference between Canonical Quotient and Successor Quotient. (a) Original automaton with states $s_1, s_{11}, s_{12}$ and $s_2, s_{21}, s_{22}$ and edges labelled $a$, $b$, $c$, $b$; (b) automaton obtained by Definition 26 and $\rho_1$: $s_1 \to s_2$ labelled $a, b, c$; (c) automaton obtained by Definition 27 and $\rho_1$: $s_1 \to s_2$ labelled $a$; (d) automaton obtained by Definition 26 and $\rho_2$: $s_{12} \to s_{21}$ labelled $a, b, c$; (e) automaton obtained by Definition 27 and $\rho_2$: $s_{12} \to s_{21}$ labelled $b, c$.
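The two quotient constructions on the automaton of Figure 3.4, as an added example (not code from the thesis): the canonical quotient of Definition 26 merges the classes, while the successor quotient of Definition 27 keeps only transitions leaving a representative and redirects their targets. The figure shows only edge labels, so the edge targets, the initial state and the colours below are constructed; ρ1 and ρ2 are the selection functions from the text.

```python
"""Canonical quotient A/rho (Definition 26) versus successor quotient A÷rho
(Definition 27) on the automaton of Figure 3.4.  Added example, not code from
the thesis.  The figure shows only edge labels, so the edge targets, the
initial state and the colours below are constructed; rho1 and rho2 are the
selection functions from the text."""


def is_canonical_selection(classes, rho):
    """Definition 26: rho(s) lies in the class of s, and all states of a class
    share one representative."""
    for cls in classes:
        reps = {rho[s] for s in cls}
        if len(reps) != 1 or not reps <= cls:
            return False
    return True


def min_colour_selection(classes, colour):
    """Selection function picking a representative of minimal colour in each
    class (ties broken by name); with it Definition 26 coincides with the quotient
    structure of Definition 25 and Theorem 3 applies."""
    rho = {}
    for cls in classes:
        rep = min(sorted(cls), key=lambda s: colour[s])
        for s in cls:
            rho[s] = rep
    return rho


def canonical_quotient(aut, rho):
    """A/rho: states, initial states and both ends of every transition are
    replaced by their representatives, i.e. the classes are merged."""
    states, initial, trans, colour = aut
    return ({rho[s] for s in states},
            {rho[s] for s in initial},
            {(rho[p], a, rho[q]) for (p, a, q) in trans},
            {rho[s]: colour[rho[s]] for s in states})


def successor_quotient(aut, rho):
    """A÷rho: only transitions leaving a representative survive and their targets
    are redirected to representatives; ingoing edges of the other states are
    replaced instead of merging the states."""
    states, initial, trans, colour = aut
    return ({rho[s] for s in states},
            {rho[s] for s in initial},
            {(p, a, rho[q]) for (p, a, q) in trans if p == rho[p]},
            {rho[s]: colour[rho[s]] for s in states})


def labels(aut, p, q):
    """Letters on the transitions from p to q, as printed on the edges of Figure 3.4."""
    return {a for (x, a, y) in aut[2] if x == p and y == q}


# Figure 3.4(a) with constructed targets and colours:
# s1 -a-> s2, s11 -b-> s21, s12 -b-> s21, s12 -c-> s22.
FIG34 = (
    {"s1", "s11", "s12", "s2", "s21", "s22"},               # states
    {"s1"},                                                 # initial (assumed)
    {("s1", "a", "s2"), ("s11", "b", "s21"),
     ("s12", "b", "s21"), ("s12", "c", "s22")},             # transitions
    {"s1": 2, "s11": 0, "s12": 1, "s2": 1, "s21": 0, "s22": 2},  # colours (assumed)
)
CLASSES = [{"s1", "s11", "s12"}, {"s2", "s21", "s22"}]      # classes from the text
RHO1 = {"s1": "s1", "s11": "s1", "s12": "s1",
        "s2": "s2", "s21": "s2", "s22": "s2"}
RHO2 = {"s1": "s12", "s11": "s12", "s12": "s12",
        "s2": "s21", "s21": "s21", "s22": "s21"}

if __name__ == "__main__":
    for name, rho, p, q in (("rho1", RHO1, "s1", "s2"), ("rho2", RHO2, "s12", "s21")):
        print(name, "canonical:", sorted(labels(canonical_quotient(FIG34, rho), p, q)),
              "successor:", sorted(labels(successor_quotient(FIG34, rho), p, q)))
```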
Although we do not add all transitions compared to the canonical quotient con-
struction, the following theorem states that with respect to the largest simulation
equivalence relation, the automata are direct simulation equivalent.
Theorem 3. Let $A$ be a parity automaton, $? \in \{di, de, del, der, f\}$. Let $\rho$ be a canonical selection function for $\approx_?$ that selects for any equivalence class a minimal representative, i. e. a state with minimal color in the equivalence class. Then, any state $s_i$ in $A/\rho$ is direct simulation equivalent to the state of the same name in $A \div \rho$.
Proof. Obviously, any state in $A/\rho$ direct simulates the state of the same name in $A \div \rho$. For the opposite direction, we define the following (memoryless) strategy for Duplicator in $G^{(A/\rho,\, A \div \rho)}([s_i^{(0)}], s_i^{(0)})$: $\gamma(s, a, [s']) = \rho(s')$. Any infinite play in which Duplicator plays according to this strategy is obviously winning for her, since the colors seen on both sides are the same. Thus assume that $\pi$ is a finite prefix of a game in which Duplicator plays according to this strategy. Let $([s], s)$ be the last position of this prefix, where Spoiler chooses a transition $([s], a, [s']) \in R/\rho$ but there is no transition $(s, a, \rho(s')) \in R \div \rho$. According to the definition of $R/\rho$, there must exist $\hat{s}, \hat{s}' \in S$ such that $\hat{s} \approx_? s$ and $(\hat{s}, a, \hat{s}') \in R$. Since the equivalence relation is maximal, this implies that for some state $s'$ with $\hat{s}' \approx_? s'$ we have that $(s, a, s') \in R$. According to the definition of $A \div \rho$, this implies that there must also exist a transition from $s$ to $s'$ in $A \div \rho$, since $s'$ is the lowest representative of the equivalence class, a contradiction to our assumption.
An important consequence of this theorem is that the only modification we need
to consider is the replacement of an ingoing transition from one state s to a state
t while still being sure that any minimization that would be possible according to
one of the largest simulation equivalence relations is detected in that way. Although
the successor quotient construction is not really needed to show direct and left-hand
delayed simulation, only considering the replacement of ingoing edges simplifies some
of the proofs in the following, so that we have introduced it already here.
Before we start with the main parts, we define also a simplified successor quotient,
in which exactly one state s is made superfluous by replacing each ingoing edge to s
by a transition to t.
Definition 28. For a parity automaton $A = (S, I, R, \Omega)$ and two states $s, t \in S$, we define $A_{s \to t} = (S_{s \to t}, I_{s \to t}, R_{s \to t}, \Omega_{s \to t})$ by
• $S_{s \to t} = S \setminus \{s\}$
• $I_{s \to t} = \begin{cases} I \setminus \{s\} & \text{if } t \in I \\ (I \setminus \{s\}) \cup \{t\} & \text{if } s \in I \wedge t \notin I \\ I & \text{else} \end{cases}$
• $R_{s \to t}(p, a, q) \Leftrightarrow (R(p, a, q) \wedge q \neq s) \vee (q = t \wedge R(p, a, s))$
• $\Omega_{s \to t}(q) = \Omega(q)$ if $q \neq s$
3.4 Direct and Left-Hand Delayed Simulation
We will start our considerations with the following lemma, which shows that whenever we have a direct or left-hand delayed simulation strategy to show that $s \sqsubseteq_? t$, we also have a strategy that can avoid a transition $(r, a, s)$ provided there is a transition $(r, a, t)$.
Lemma 2. Let $A = (S, I, R, \Omega)$ be a parity automaton. For $p, q, r, s, t \in S$ and some $? \in \{di, del\}$, assume that $p \sqsubseteq_? q$, $s \sqsubseteq_? t$ and $\{(r, a, s), (r, a, t)\} \subseteq R$. Then, there exists a winning strategy $\gamma'$ in $G^{(A,A)}_{?}(p, q)$ such that $\gamma'(\eta r a u) \neq s$ for every $u \in S$ and every $\eta \in S(S \Sigma S)^*$, i. e. Duplicator never chooses the transition $(r, a, s)$.
Proof. Assume that $\gamma$ is a memoryless winning strategy for Duplicator in $G^{(A,A)}_{?}(s, t)$, which must exist since $s \sqsubseteq_? t$³. Let $\gamma_0$ be a winning strategy for Duplicator in $G^{(A,A)}_{?}(p, q)$. We construct a winning strategy for Duplicator in $G^{(A,A)}_{?}(p, q)$ which never chooses the transition $(r, a, s)$. To give an intuitive idea of the construction, consider Figure 3.5.
The leftmost column gives the positions of Spoiler in the original game, while the second column gives the positions of Duplicator that would be obtained if she played according to the original strategy $\gamma_0$. When in this game the transition $(r, a, s)$ would be chosen for the first time, we start a puppeteer game where Spoiler starts from position $s$ and Duplicator from position $t$ (point $k$ in the figure). We term the two players in that game Spoiler puppet and Duplicator puppet. In the puppeteer game, the positions of Spoiler puppet equal the positions $q_0^{(i)}$ of Duplicator in the second column, and the positions $q_1^{(i)}$ are obtained from $q_0^{(i)}$ by an application of $\gamma$. Hence, the second and the third column can be seen as a $\gamma$-consistent play of the simulation game $G^{(A,A)}_{?}(s, t)$, which gives a justification for the term puppeteer game. In the original simulation game, the transitions chosen by Duplicator have to be chosen to mimic the ones chosen by Duplicator puppet in the rightmost puppeteer game. This is true unless in the puppeteer game the transition $(r, a, s)$ would be chosen. In that case, a new puppeteer game is started (see again Figure 3.5, here position $l$) and the decision in the original game is now based on this new puppeteer game. In Figure 3.5, solid lines indicate transitions in the automaton, other lines indicate strategy usage. Accordingly, the transitions of Spoiler in the simulation game are given by the leftmost solid lines and the transitions of Duplicator by the rightmost solid lines.
Notice that all puppeteer games can be recalculated in each step solely based on the history of the play. Nevertheless, in order to keep track of how many puppet games are used, Duplicator may use a memory variable $n$, which simplifies some of the definitions.
Formally, we use the following to define our strategy $\gamma'$: We denote by $p^{(i)}$ the positions of Spoiler in the simulation game between $p$ and $q$ over a word $\alpha$, i. e. we set $p^{(0)} = p$. We denote by $q_0^{(i)}$ the positions of Duplicator that would be obtained if she played according to the original strategy $\gamma_0$. We define $q_0^{(0)} = q$ and for every $i > 0$ set
$$q_0^{(i)} = \gamma_0\big(p^{(0)} q_0^{(0)} \alpha^{(0)} p^{(1)} q_0^{(1)} \alpha^{(1)} \ldots q_0^{(i-1)} \alpha^{(i-1)} p^{(i)}\big)$$
Finally, we initialize the variable that counts the number of puppet games by $n^{(0)} = 0$ and update $n$ by the following rule for $i > 0$:
$$n^{(i)} = \begin{cases} n^{(i-1)} + 1 & \text{if } q^{(i-1)}_{n^{(i-1)}} = r \wedge \alpha^{(i-1)} = a \wedge q^{(i)}_{n^{(i-1)}} = s \\ n^{(i-1)} & \text{else} \end{cases}$$
³ It is not really necessary that the strategy is memoryless, but it simplifies some of the considerations.
Figure 3.5: Defining Strategies using the Puppeteer Metaphor. (Columns: Spoiler's positions $p = p^{(0)}, p^{(1)}, \ldots$; Duplicator's positions $q = q_0^{(0)}, q_0^{(1)}, \ldots$ under $\gamma_0$; the puppet positions $q_1^{(i)}$ and $q_2^{(i)}$ under $\gamma$. Puppet game 1 starts at step $k$ with $q_0^{(k-1)} = r$, $q_0^{(k)} = s$ and $q_1^{(k)} = t$; puppet game 2 starts at step $l$ with $q_1^{(l-1)} = r$, $q_1^{(l)} = s$ and $q_2^{(l)} = t$.)
In puppeteer game $j$, the positions of Spoiler puppet are given by $q_{j-1}$ and the positions of Duplicator puppet are chosen according to the memoryless strategy $\gamma$ unless the transition $(r, a, s)$ is chosen. Formally, we define for every $j > 0$:
$$q_j^{(i)} = \begin{cases} t & \text{if } n^{(i-1)} < j \\ \gamma\big(q_j^{(i-1)}, \alpha^{(i-1)}, q_{j-1}^{(i)}\big) & \text{else} \end{cases}$$
That means, as long as puppet game $j$ has not started yet, i. e. $j > n^{(i-1)}$, the position of Duplicator puppet is set arbitrarily to $t$, which is the starting point of each puppet game. Finally, the strategy of Duplicator is determined in each step by $q^{(i)}_{n^{(i)}}$, i. e. the position of Duplicator puppet in the last puppet game, i. e. we set
$$\gamma'\big(p^{(0)} q^{(0)}_{n^{(0)}} \alpha^{(0)} p^{(1)} q^{(1)}_{n^{(1)}} \alpha^{(1)} \ldots p^{(i)}\big) = q^{(i)}_{n^{(i)}}$$
Notice that for every puppet game $j$ and every position $i$, we have $(q_j^{(i)}, \alpha^{(i)}, q_j^{(i+1)}) \in R$: for $j = 0$ this follows from the fact that $\gamma_0$ is a strategy, and for $j > 0$ this follows from the validity of $\gamma$. Moreover, whenever a new puppet game starts, the transition $(r, a, s)$ is taken in the previously last puppet game, whereas in the overall simulation game the transition $(r, a, t)$ is taken instead. Hence, $\gamma'$ defines a valid strategy for the simulation game.
We now show that $\gamma'$ is winning and consider the case of left-hand delayed simulation (the case for direct simulation is shown analogously). Obviously, if no puppet game is started, simply the strategy $\gamma_0$ is played and Duplicator is winning without using the transition $(r, a, s)$. Otherwise, according to the definition of left-hand delayed simulation, whenever for some puppet game $i$ we have that $\Omega(q_i^{(j)}) <_\Omega \Omega(q_{i+1}^{(j)})$, there must exist some position $k$ such that $\Omega(q_i^{(k)})$ is odd and $\Omega(q_i^{(k)}) \leq \min\{\Omega(q_i^{(j)}), \Omega(q_{i+1}^{(j)})\}$, since $\gamma$ is a winning strategy. Assume now that $\Omega(p^{(i)}) <_\Omega \Omega(q^{(i)}_{n^{(i)}})$, i. e. in the overall simulation game, Duplicator visits a state worse than the state visited by Spoiler. Let $o$ be the lowest odd color in any puppeteer game and $j$ be the minimal position of $o$. Obviously we have that $o \leq \Omega(q^{(i)}_{n^{(i)}})$. According to the previous remark we must have that for some position $i' > i$, $\Omega(q^{(i')}_{j-1})$ is odd and $\Omega(q^{(i')}_{j-1}) < o$. Using the same argument at most $i$ times, we finally reach a position $i'' > i$ such that $\Omega(p^{(i'')})$ is odd and $\Omega(p^{(i'')}) < o \leq \Omega(q^{(i)}_{n^{(i)}})$.
Notice that a similar result does not hold for the other simulation relations. Direct
and left-hand delayed simulation are restricted notions in the sense that whenever
something bad happens, i. e. whenever we have that Spoiler visits a better state than
Duplicator in one round, the only chance for Duplicator to win is that Spoiler visits a
bad state later. This is in contrast to the other simulation relations where Duplicator
can assure winning by her own will (as long as she follows the same word).
This lemma allows us to formulate the following theorem which shows that we can
remove a redundant transition without affecting the simulation relations:
Theorem 4. Let A = (S, I, R, Ω) be a parity automaton. For r, s, t ∈ S and some ? ∈ {di, del}, assume that s ? t and (r, a, t) ∈ R. Let R′ be obtained from R by removing all transitions (r, a, s) except for transition (r, a, t). Let I′ = I \ {s} if t ∈ I and I′ = I else. Let A′ = (S, I′, R′, F). Then, the following holds:
1. $p \mathrel{?^{(A,A)}} q$ if and only if $p \mathrel{?^{(A',A')}} q$
2. Any state in A′ is ?-equivalent to the state of the same name in A.
Proof. The only-if direction of the first part is trivial. The other direction can be seen by Lemma 2, since a strategy to show $p \mathrel{?^{(A,A)}} q$ that never uses transition (r, a, s) can also be used to show $p \mathrel{?^{(A',A')}} q$. Finally, in the same manner we can use Lemma 2 to generate a strategy to show both $p \mathrel{?^{(A,A')}} p$ and $p \mathrel{?^{(A',A)}} p$ by using the identity function as γ0.
The following corollary holds because simulation implies language equivalence.
Corollary 1. Let A and A′ as in Theorem 4. Then, Lang(A) = Lang(A′).
Theorem 4 obviously works in both directions. Hence, instead of removing a transition
from r to s whenever s ? t and R(r, a, t), we can also add a transition from r to t when
R(r, a, s) and s?t holds. Repeated application of this transformation gives us the
following corollary, which implies that we can remove any of two simulation-equivalent
states.
Corollary 2. Let A be a parity automaton, ? ∈ {di, del}. Let s, t ∈ S such that s ≠ t and $s \approx^{(A,A)}_{?} t$. Let $A_{s \to t}$ be the automaton given in Definition 28 where any transition to s has been replaced by a transition to t.
• any state in $A_{s \to t}$ is ?-equivalent to the state of the same name in A.
• Lang(A) = Lang($A_{s \to t}$)
When we perform the calculation of the greatest direct (left-hand delayed) simulation
equivalence, the repeated application of this corollary allows us to use the successor
quotient construction for minimization with respect to direct and delayed simulation.
So, we obtain:
Theorem 5. Let A be a parity automaton, ? ∈ {di, del}. Let ? ∈ {di, der}. Let ζ be the largest simulation relation with respect to ? and ρ be a canonical selection function for ζ. Then, any state in A÷ζ is ?-equivalent to the state of the same name in A.
Thus there are at least two mechanisms to minimize parity automata using direct simulation: first, two di- or del-simulation-equivalent states can be merged (respectively, one representative can be chosen for every simulation-equivalence class), and second, every transition to s can be removed provided there are simultaneous transitions to t and s ? t for ? ∈ {di, del}.
3.5 Reverse Simulation
In this section, reverse simulation for parity automata is considered. Reverse simulation has been introduced in [99] for Büchi automata. Instead of calculating the simulation relations along the direction of the transition relation, reverse simulation is calculated backwards, i.e. the simulation games are defined in a way that Spoiler, when in state s, instead of choosing a successor t via some transition (s, a, t) ∈ R, chooses some predecessor r via some transition (r, a, s) ∈ R, and Duplicator must also respond with a predecessor state. In this section, three variants of reverse simulation will be introduced, namely the counterparts of direct simulation and left- (right-) hand delayed simulation. While reverse direct and left-hand delayed simulation can be used for state space minimization, a counterexample will show that this is not true for right-hand delayed simulation. As in the preceding section, we restrict our attention to removing and replacing edges.
The following definition introduces reverse simulation games.
Definition 29 (Reverse Simulation Games).
Let A = (S, I, R, Ω), A′ = (S′, I′, R′, Ω′) be two parity automata over the alphabet Σ and $s^{(0)}$ and $s'^{(0)}$ be arbitrary states of A and A′ respectively. The reverse basic game $\overleftarrow{G}^{(A,A')}\big(s^{(0)}, s'^{(0)}\big)$ is played by two players, Spoiler and Duplicator, in rounds, where, at the beginning and at the end of each round, two pebbles, Red and Blue, are placed on two states. At the start, round 0, Red and Blue are placed on $s^{(0)}$ and $s'^{(0)}$, respectively. Assume that, at the beginning of round i, Red is on state $s^{(i)}$ and Blue is on $s'^{(i)}$. Then:
1. Spoiler chooses a letter α(i) ∈ Σ.
2. Spoiler chooses a transition (s(i+1), α(i), s(i)) ∈ R and moves Red to s(i+1).
3. Duplicator, responding, must choose a transition (s′(i+1), α(i), s′(i)) ∈ R′ such
that the following holds: if s(i+1) ∈ I, then also s′(i+1) ∈ I ′. Duplicator moves
Blue to s′(i+1). If no such α(i)-transition going to s′(i+1) exists, then the game
halts and Spoiler wins.
4. The starting position for the next round is (s(i+1), s′(i+1)).
For $\overleftarrow{?} \in \{\overleftarrow{di}, \overleftarrow{del}, \overleftarrow{der}, \overleftarrow{de}, \overleftarrow{f}\}$ the corresponding reverse simulation games $\overleftarrow{G}^{(A,A')}_{\overleftarrow{?}}\big(s^{(0)}, s'^{(0)}\big)$ are defined by replacing $G^{(A,A')}_{?}\big(s^{(0)}, s'^{(0)}\big)$ with $\overleftarrow{G}^{(A,A')}_{\overleftarrow{?}}\big(s^{(0)}, s'^{(0)}\big)$ in Definition 21. Additionally, strategies can be defined analogously as for the forward simulation relations.
Finally, the reverse simulation relations are obtained by the following definition:
Definition 30 (Reverse Simulation Relations). Let A, A′ be parity automata. A state s′ of A′ reverse direct, reverse left-hand delayed, reverse right-hand delayed, reverse delayed, or reverse fair simulates a state s of A iff there is a winning strategy for Duplicator in $\overleftarrow{G}^{(A,A')}_{?}(s, s')$ where $? \in \{\overleftarrow{di}, \overleftarrow{del}, \overleftarrow{der}, \overleftarrow{de}, \overleftarrow{f}\}$. We denote such a relationship by $s \mathrel{\overleftarrow{?}^{(A,A')}} s'$. If A, A′ are clear from the context, we sometimes omit them. The reverse simulation relation between automata and the reverse simulation equivalence are defined analogously to Definition 23.
As before, Spoiler produces, letter by letter, an ω-word over Σ as simultaneous inputs
for the two automata A and A′. However, instead of producing two ordinary runs
over A, A′ in forward order, two runs $(\overleftarrow{\pi}, \overleftarrow{\pi}')$ in backward order are produced.
Notice that in contrast to the forward simulation relations, reverse simulation does not imply language containment; it only implies finitary language containment. This is the reason why fair simulation is not considered in a reverse fashion: fair simulation is only useful if it is possible to check whether the two automata are still language equivalent, and since this is not possible using reverse fair simulation, fair simulation will not be considered here. Moreover, we will show that even the reverse right-hand delayed simulation relation cannot be used for state space minimization by a simple quotient construction, so even the full reverse delayed simulation relation is useless.
3.5.1 Basic Properties of Reverse Simulation Relations
The following proposition, which is shown in analogy to Lemma 1, states that the reverse simulation relations in two directions are in fact equivalence relations.
Proposition 4. Let A be a parity automaton.
1. For ? in $\{\overleftarrow{di}, \overleftarrow{der}, \overleftarrow{del}, \overleftarrow{de}, \overleftarrow{f}\}$, $\approx^{(A,A)}_{?}$ is an equivalence relation.
2. The simulation relations are ordered by containment: $\overleftarrow{di} \subseteq \overleftarrow{der} \subseteq \overleftarrow{de} \subseteq \overleftarrow{f}$ and $\overleftarrow{di} \subseteq \overleftarrow{del} \subseteq \overleftarrow{de} \subseteq \overleftarrow{f}$.
3.5.2 Reducing Reverse Simulation Games to Turn-Based Games
In a similar manner as for the forward simulation games, we can reduce the reverse
simulation game to a turn-based game:
Definition 31 (Turn-Based Game for the Reverse Basic Game).
Let A = (S, I, R, Ω), A′ = (S′, I′, R′, Ω′) be two parity automata over the alphabet Σ. We define a turn-based game G = (V, V0, V1, E, Φ) to simulate the basic simulation game as follows:
$$V_0 = \{ v_{(s,s',a)} \mid s \in S \land s' \in S' \land \exists t.\ (s,a,t) \in R \}$$
$$V_1 = \{ v_{(s,s')} \mid s \in S \land s' \in S' \land (s \in I \to s' \in I) \}$$
$$E = \{ (v_{(s_2,s'_1,a)}, v_{(s_2,s'_2)}) \mid (s'_2,a,s'_1) \in R' \land (s_2 \in I \to s'_2 \in I) \} \cup \{ (v_{(s_1,s'_1)}, v_{(s_2,s'_1,a)}) \mid (s_2,a,s_1) \in R \}$$
Thus, the first difference is that the two players choose transitions in reverse order, and the second difference is that Duplicator may only choose an initial state as successor whenever Spoiler has moved to an initial state on his side as well.
The acceptance condition for the direct simulation game is again the same safety condition as for the forward direct simulation, namely that $\Omega(s) \le_\Omega \Omega(s')$ for every $v_{(s,s')}$.
In order to define an acceptance condition for the reverse left-hand simulation game, we use the memory technique introduced in [32] for delayed reverse simulation games, i.e. we add a memory variable k that is used to remember when a position $v_{(s,s')}$ has been reached such that $\Omega(s) <_\Omega \Omega(s')$, i.e. a bad event according to the reverse left-hand simulation has occurred. To this end, the smaller of the two values is stored in the memory variable k. If at some point during the play a position $v_{(s,s')}$ is reached such that Ω(s) < k and Ω(s) is even, the memory variable is cleared, indicated by √. If the value √ is read infinitely often, the game is won. Thus, we obtain the following modified game graph:
Definition 32 (Turn-Based Game for the Reverse Left-Hand Game).
Let A = (S, I, R, Ω), A′ = (S′, I′, R′, Ω′) be two parity automata over the alphabet Σ with d = max{|Ω|, |Ω′|}. We define a turn-based game G = (V, V0, V1, E, Φ) to simulate the basic simulation game as follows:
$$V_0 = \{ v_{(s,s',a,k)} \mid s \in S \land s' \in S' \land \exists t.\ (t,a,s) \in R \}$$
$$V_1 = \{ v_{(s,s',k)} \mid s \in S \land s' \in S' \land (s \in I \to s' \in I) \}$$
$$E = \{ (v_{(s_2,s'_1,a,k)}, v_{(s_2,s'_2,k')}) \mid (s'_2,a,s'_1) \in R' \land (s_2 \in I \to s'_2 \in I) \} \cup \{ (v_{(s_1,s'_1,k)}, v_{(s_2,s'_1,a,k')}) \mid (s_2,a,s_1) \in R \}$$
such that k, k′ satisfy the following constraints:
• k, k′ ∈ {0, …, d} ∪ {√}
• if we reach a position $v_{(s_1,s'_1,k)}$, the next value k′ is defined by:
  – k′ = √ if k = √ and $\Omega(s_1) \ge_\Omega \Omega(s'_1)$
  – k′ = min($\Omega(s_1)$, $\Omega(s'_1)$) if $\Omega(s_1) <_\Omega \Omega(s'_1)$
  – k′ = √ if k ≠ √, $\Omega(s_1) \ge_\Omega \Omega(s'_1)$ and $\Omega(s_1) < k$ is odd
• k′ = k if we reach a position $v_{(s,s',a,k)}$.
The acceptance condition is a Büchi condition stating that √ is visited infinitely often during a play.
Proposition 5. Let A, A′ as before. Let n = max{|S|, |S′|}, m = max{|R|, |R′|}, d = max{|Ω|, |Ω′|}. Then the greatest reverse direct simulation relation $\overleftarrow{di}^{(A,A')}$ can be calculated symbolically in time O(nm) and the greatest reverse left-hand simulation relation $\overleftarrow{del}^{(A,A')}$ can be calculated symbolically in time O((mnd)²).
Proof. The turn-based game associated with reverse direct simulation relation is a
safety game with at most nm states. The corresponding game can be solved in time
O(mn). The turn-based game associated with reverse left-hand simulation is a Büchi
game with O(mnd) states and O(mnd) transitions. Thus the corresponding game can
be solved in time O((mnd)2).
In Section 3.5.4 it is shown that reverse right hand delayed simulation can not be
used for state space reduction, so that we do not consider a reduction to turn-based
games here.
3.5.3 Minimizing ω-Automata with Reverse Direct and Left-Hand Simulation
Similar to the forward simulation, if $s \mathrel{\overleftarrow{?}^{(A,A)}} t$ for $? \in \{\overleftarrow{di}, \overleftarrow{del}\}$ and we have simultaneous transitions from both s and t to some state u, the (back-)transition (s, a, u) need not be taken by the strategy showing that $s \mathrel{\overleftarrow{?}^{(A,A)}} t$ holds.
Proposition 6. Let A = (S, I, R, Ω) be a parity automaton. For p, q, s, t, u ∈ S and some $\overleftarrow{?} \in \{\overleftarrow{di}, \overleftarrow{del}\}$, assume that $p \mathrel{\overleftarrow{?}} q$, $s \mathrel{\overleftarrow{?}} t$ and {(s, a, u), (t, a, u)} ⊆ R′. Then, there exists a winning strategy γ′ in $G^{(A,A)}_{?}(p, q)$ such that γ′(η u a r) ≠ s for every r ∈ S and every η ∈ S(S′ΣS)*, i.e. transition (s, a, u) is never chosen in the play.
Proof sketch. The proof of Lemma 2 remains valid if one replaces every ingoing edge
with an outgoing edge.
As it is the case for the forward simulation relations, the following theorem is the
counterpart of Theorem 4.
Theorem 6. Let A = (S, I, R, Ω) be a parity automaton. For s, t, u ∈ S and some $\overleftarrow{?} \in \{\overleftarrow{di}, \overleftarrow{del}\}$, assume that $s \mathrel{\overleftarrow{?}} t$. Let R′ be obtained from R by removing all transitions (s, a, u) provided there is a transition (t, a, u). Let A′ = (S, I, R′, F). Then, the following holds:
1. If $p \mathrel{\overleftarrow{?}^{(A,A)}} q$ then $p \mathrel{\overleftarrow{?}^{(A',A')}} q$.
2. Any state in A′ is $\overleftarrow{?}$-equivalent to the state of the same name in A.
3. We have Lang(A) = Lang(A′).
Proof. The first two parts of the theorem are shown analogously to the proof of Theorem 4. The only difference is that the runs are generated in reverse order and we have to additionally keep track of the initial states. We will thus concentrate on language equivalence. Lang(A′) ⊆ Lang(A) is clear since we only remove transitions. For the opposite direction, let α ∈ Lang(A) and $\pi = p^{(0)} p^{(1)} \ldots$ be the run of A over α. For the first case, assume that transition (s, a, u) is only taken finitely often in π and let i be the last position where this happens. Then $p^{(i+1)} \ldots$ is a run of A′ as well. Moreover, since u is reverse simulation equivalent in A and A′, there must exist a (finite) run π′ of A′ labeled with $\alpha^{(0)}, \ldots, \alpha^{(i)}$ that leads to u. So $\pi' p^{(i+1)} p^{(i+2)} \ldots$ is a run of A′ over α that is accepting. In the second case, the transition (s, a, u) is taken infinitely often in π. Since π is an accepting run, there must exist a position $i_0$ such that the minimal color seen after $i_0$ is even, say e. Let $I = \{i_1, i_2, \ldots\}$ be the set of positions where transition (s, a, u) is taken and between two consecutive visits to (s, a, u) the color e is seen. Notice that since u is reverse-simulation equivalent in A and A′, for every i ∈ I, there must exist a run $\pi_i$ of A′ ending in u, labeled with $\alpha^{(0)} \alpha^{(1)} \ldots \alpha^{(i)}$, that describes a winning strategy in the reverse simulation game. Assume now that there exist positions i, j ∈ I such that $i_0 < i < j$ and for some position $i \le t \le j$ we have that $\Omega(\pi^{(t)}) = e$, $\Omega(\pi_j^{(t)})$ is odd and $\Omega(\pi_j^{(t)}) < e$. Notice that since e is the minimal color seen after $i_0$, we have that $\Omega(\pi^{(t')}) > e$ for every $t' \in \{i, i+1, \ldots, j\}$. That means that the infinite run $\pi^{(j)} \pi^{(j-1)} \ldots \pi^{(t)} \pi^{(t-1)} \ldots \pi^{(i)} \big(\pi^{(j-1)} \pi^{(j-2)} \ldots \pi^{(j)}\big)^\omega$ describes a winning strategy for Spoiler in the reverse simulation game starting in $u = \pi^{(j)}$, since the bad event at position t is not recovered later on, a contradiction to $\pi_j$ describing a winning strategy.
That means that at those positions where π visits the minimal color e, every $\pi_j$ visits an even smaller color e′. Moreover, assuming that at some other position an odd color smaller than e is visited on $\pi_j$ (in the interval of interest) leads to the same contradiction as before. That means that there exists a position $j'_0$ such that the minimal color seen on every $\pi_j$ after position $j'_0$ is even. We now construct from the infinitely many finite runs $\pi'_i$ for every initial state $q_0$ an infinite tree as follows: Let $Q(0) = \{(q_0, 0)\}$ and $Q(i) = \{(q, i) \mid q = \pi_j^{(i)} \text{ for some } j \in \mathbb{N}\}$ for i > 0. We connect (q, i) and (q′, i + 1) whenever there is some path $\pi_j$ such that $q = \pi_j^{(i)}$ and $q' = \pi_j^{(i+1)}$. Clearly, for at least one initial state, the constructed tree is infinite and finitely branching, since A′ is finite and we have infinitely many indices in I. Thus, according to König's Lemma, this tree must contain an infinite path π′. Since we constructed this infinite path from the finite paths $\pi_j$, the minimal color seen on π′ must be even after position $j'_0$ as well.
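Definition 31 and Theorem 6, carried out in code as an added illustration (my own Python, not the thesis's implementation): the block builds the turn-based reverse game for a small constructed parity automaton, solves the safety game that yields the greatest reverse direct simulation, and then removes the transitions Theorem 6 declares redundant; the color order, the treatment of a stuck Spoiler and the sample automaton are assumptions stated in the docstring.

```python
"""Reverse direct simulation as a turn-based safety game (Definition 31) and
the transition removal of Theorem 6.  Added illustration, not the thesis's code.

Assumptions (mine, not from the text): colors are compared with the parity
reward order, where every even color is better than every odd one, a smaller
even color beats a larger one and a larger odd color beats a smaller one;
Duplicator's color must be at least as good as Spoiler's.  A Spoiler position
without a move is counted as won by Duplicator.
"""
from dataclasses import dataclass


@dataclass
class ParityAutomaton:
    states: frozenset
    initial: frozenset
    trans: frozenset   # (source, letter, target) triples
    color: dict        # state -> color


def reward(c):
    """Rank of a color in the assumed reward order (higher is better)."""
    return (1, -c) if c % 2 == 0 else (0, c)


def build_reverse_game(A, B):
    """Game graph of Definition 31. Spoiler owns V1 = pairs (s, s'), Duplicator
    owns V0 = triples (s, s', a); E maps a position to its successors."""
    V1 = {(s, t) for s in A.states for t in B.states
          if s not in A.initial or t in B.initial}
    V0 = {(s, t, a) for (s, a, _) in A.trans for t in B.states}
    E = {v: [] for v in V0 | V1}
    for (s1, t1) in V1:            # Spoiler walks backwards: (s2, a, s1) in R
        for (s2, a, x) in A.trans:
            if x == s1:
                E[(s1, t1)].append((s2, t1, a))
    for (s2, t1, a) in V0:         # Duplicator answers with (s'2, a, s'1) in R'
        for (t2, b, y) in B.trans:
            if b == a and y == t1 and (s2 not in A.initial or t2 in B.initial):
                E[(s2, t1, a)].append((s2, t2))
    return V0, V1, E


def reverse_direct_simulation(A, B):
    """Greatest reverse direct simulation: the pairs (s, s') from which
    Duplicator wins the safety game (Proposition 5, direct case)."""
    V0, V1, E = build_reverse_game(A, B)
    # a Spoiler position is unsafe when Duplicator's color is worse
    lost = {(s, t) for (s, t) in V1 if reward(B.color[t]) < reward(A.color[s])}
    changed = True
    while changed:                 # least fixpoint of Spoiler's attractor
        changed = False
        for v in V0:               # Duplicator needs one safe answer
            if v not in lost and all(w in lost for w in E[v]):
                lost.add(v); changed = True
        for v in V1:               # Spoiler needs one move into 'lost'
            if v not in lost and any(w in lost for w in E[v]):
                lost.add(v); changed = True
    return V1 - lost


def remove_dominated_transitions(A, rel, s, t):
    """Theorem 6: with (s, t) in rel, i.e. t reverse-direct-simulates s, drop
    every (s, a, u) that has a twin (t, a, u). Returns (A', removed)."""
    assert (s, t) in rel
    removed = frozenset((x, a, u) for (x, a, u) in A.trans
                        if x == s and (t, a, u) in A.trans)
    return ParityAutomaton(A.states, A.initial, A.trans - removed, dict(A.color)), removed


def example_automaton():
    """Constructed sample: p -a-> q, p -a-> r, q -b-> q, r -b-> r,
    q -b-> z, r -b-> z; p initial; colors p:0 q:1 r:0 z:0."""
    trans = {("p", "a", "q"), ("p", "a", "r"), ("q", "b", "q"),
             ("r", "b", "r"), ("q", "b", "z"), ("r", "b", "z")}
    return ParityAutomaton(frozenset("pqrz"), frozenset({"p"}),
                           frozenset(trans), {"p": 0, "q": 1, "r": 0, "z": 0})


if __name__ == "__main__":
    A = example_automaton()
    rel = reverse_direct_simulation(A, A)
    print("reverse direct simulation:", sorted(rel))
    A2, removed = remove_dominated_transitions(A, rel, "q", "r")
    print("removed by Theorem 6:", sorted(removed))
    print("still simulating afterwards:", rel <= reverse_direct_simulation(A2, A2))
```

On the sample, r reverse-direct-simulates q (and z), so the transition (q, b, z) is dropped in favour of its twin (r, b, z), and every pair of the original relation survives in the reduced automaton, as part 1 of Theorem 6 states.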
In analogy to forward simulation, we only need to retain one state in every reverse-similar equivalence class:
Corollary 3. Let A = (S, I, R, Ω) be a parity automaton and s, t ∈ S such that s ≠ t and $s \approx^{(A,A)}_{\overleftarrow{?}} t$ for $\overleftarrow{?} \in \{\overleftarrow{di}, \overleftarrow{del}\}$. Let A′ = (S, I, R′, Ω) be defined by
$$R'(q, a, q') \Leftrightarrow (R(q, a, q') \land q \ne s) \lor (q = t \land R(s, a, q'))$$
i.e. we remove any transition starting from s and add those transitions to the set of transitions starting in t. Then
• any state in A′ is ?-equivalent to the state of the same name in A and
• Lang(A) = Lang(A′).
3.5.4 Reverse Right-Hand Delayed Simulation
To see that reverse right-hand simulation is useless for state space reduction in any sense, consider the Büchi automaton shown in the left of Figure 3.6 where we have drawn accepting states with a double circle. Clearly, this automaton accepts only words that end with infinitely many a. The problem is that s3 and s1 are reverse right-hand simulation equivalent. To see that the two states are reverse right-hand equivalent, a winning strategy of Duplicator has to choose the same successor state that has been chosen by Spoiler. More specifically, we have the rules defined in Figure 3.7 for the first step of every play. Thus, after the first step, the states of Spoiler and Duplicator coincide, so winning is obvious. But merging the two states will lead to the automaton shown on the right of the figure⁴ which also accepts e.g. $b^\omega$, so that we see that the automata are no longer equivalent.
⁴ Remember that marked states of Büchi automata have color 0, so the merged state inherits the marking from state s3.
[Figure 3.6: (a) Non-Minimized Automaton, with states sI, s1, s2, s3 and transitions labelled a and b; (b) Minimized Automaton, with states sI, s2, s3.]
Figure 3.6: A Büchi automaton that is not safe under minimization chosen with reverse left-hand delayed simulation
3.6 Fair Simulation for Co-Bu¨chi Automata
The following sections consider minimization of parity automata with respect to fair simulation. To this end, it is first investigated in this section whether fair simulation can be directly used for merging fair-simulation equivalent states of co-Büchi automata. We give a negative answer to this question, which is the counterpart of the well-known fact that fair simulation is not safe for quotients with respect to Büchi automata [28].
A co-Büchi condition is given with respect to a marked state set F such that no non-marked state is visited infinitely often. Co-Büchi automata can be regarded as parity automata where the color 2 is assigned to marked states while color 1 is assigned to non-marked states. Thus fair simulation is well-defined for co-Büchi automata. We will nevertheless redefine it in the following, to simplify the following considerations:
Definition 33 (Fair Simulation Game for Co-Büchi Automata). The fair simulation game for co-Büchi automata, or the persistence simulation game, denoted by $G^{(A,A')}_{pe}\big(s^{(0)}, s'^{(0)}\big)$, is the basic game $G^{(A,A')}\big(s^{(0)}, s'^{(0)}\big)$ extended by the rule that the outcome (π, π′) is winning for Duplicator iff whenever there exists an i such that $s^{(j)} \in F$ for every j > i, there exists an i′ such that $s'^{(j')} \in F'$ for every j′ > i′.
To show that $s_3 \mathrel{\overleftarrow{der}} s_1$:
transition chosen by Spoiler    transition chosen by Duplicator
(s3, b, sI)                     (s1, b, sI)
(s3, b, s2)                     (s1, b, s2)
(s3, a, s3)                     (s1, a, s3)
To show that $s_1 \mathrel{\overleftarrow{der}} s_3$:
transition chosen by Spoiler    transition chosen by Duplicator
(s1, b, sI)                     (s3, b, sI)
(s1, b, s2)                     (s3, b, s2)
(s1, b, s1)                     (s3, b, s2)
(s1, a, s3)                     (s3, a, s3)
Figure 3.7: Strategy to show Right-Hand Simulation Equivalence of s1 and s3 of the Automaton of Figure 3.6
When considering Büchi automata, there is also the known definition of delayed simulation given in [28] that coincides with our definition of (left-hand) delayed simulation. Delayed simulation for Büchi automata is intuitively defined as: whenever Spoiler chooses a transition to a marked state, then at some point later, Duplicator must also reach a marked state.
Since this definition has some similarity to the definition of persistence simulation for co-Büchi automata, it might be possible that fair simulation can be used to merge two persistence-simulation equivalent states of a co-Büchi automaton. The following proposition shows that this is not the case:
Theorem 7. For n ≥ 2, there is a co-Büchi automaton An with n states, each of which persistence simulates every other state, but no co-Büchi automaton with fewer than n states accepts Lang(An).
Proof. Consider the automaton An shown in Figure 3.8. It has n states and an alphabet $\Sigma = \{a_1, \ldots, a_{n-1}\}$. To see that every state of An persistence simulates any other state, first note that because the automaton is deterministic, Duplicator has no choice in her strategy. Consider an accepting run chosen by Spoiler. It is not hard to see that in this case Spoiler must choose some $a_i$ such that the word labeling the run is of the form $w = \Sigma^* a_i^\omega$. Thus after finitely many rounds, the red pebble of Spoiler ends up in state $s_i$. Then, after at most n − 1 steps, the blue pebble will also reach state $s_i$ (irrespective of where it is when the red pebble enters state $s_i$). Thus, irrespective of the position at which Duplicator starts, she has a winning strategy.
[Figure 3.8: the automaton An with states $s_1, \ldots, s_n$; edges are labelled $a_1, \ldots, a_{n-1}$, $\Sigma \setminus a_1, \ldots, \Sigma \setminus a_{n-1}$ and Σ.]
Figure 3.8: Problematic Family of Co-Büchi Automata for Fair-Simulation
Now notice that the language $Lang(A_n) = \bigcup_{i=1}^{n-1} \Sigma^* a_i^\omega$. It is not too hard to see that there is no co-Büchi automaton recognizing Lang(An) with fewer than n states.
This proposition shows that, in general, we cannot hope to minimize a (co-)Büchi automaton, and thus also not a parity automaton, with fair simulation and quotienting alone⁵.
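The family An of Theorem 7, executed as an added illustration (my own Python, not from the thesis): the block encodes my reading of Figure 3.8, decides co-Büchi acceptance of ultimately periodic words by following the run until a loop closes, confirms on bounded words that Lang(An) is exactly the union of the tails $\Sigma^* a_i^\omega$, and measures how many steps the blue pebble needs to catch up once the red pebble has settled in $s_i$, the bound n − 1 used in the proof; the transition structure and marking are assumptions stated in the docstring.

```python
"""The family A_n of Theorem 7, as an added illustration (not the thesis's code).

Assumed reading of Figure 3.8 (mine): states s_1..s_n over Sigma = {a_1..a_{n-1}};
s_i loops on a_i and moves to s_{i+1} on every other letter, s_n moves to s_1 on
every letter, and s_n is the only unmarked state of the co-Buchi automaton.
"""
from itertools import product


def make_An(n):
    """Return (letters, delta) where delta(i, letter) is the deterministic
    successor of state s_i; states are the integers 1..n."""
    assert n >= 2
    letters = [f"a{i}" for i in range(1, n)]

    def delta(i, letter):
        assert letter in letters
        if i == n:
            return 1
        return i if letter == f"a{i}" else i + 1

    return letters, delta


def is_marked(n, i):
    """Co-Buchi marking: every state but s_n is marked."""
    return i != n


def accepts(n, delta, prefix, loop, start=1):
    """Co-Buchi acceptance of the ultimately periodic word prefix.loop^omega from
    s_start: iterate the loop until the state at the start of an iteration
    repeats; the states seen in the repeating iterations are exactly those
    visited infinitely often, and all of them must be marked."""
    state = start
    for x in prefix:
        state = delta(state, x)
    first_seen, per_iteration = {}, []
    while state not in first_seen:
        first_seen[state] = len(per_iteration)
        visited = []
        for x in loop:
            state = delta(state, x)
            visited.append(state)
        per_iteration.append(visited)
    cycle = [q for it in per_iteration[first_seen[state]:] for q in it]
    return all(is_marked(n, q) for q in cycle)


def language_is_union_of_tails(n, max_len):
    """Check Lang(A_n) = union_i Sigma* a_i^omega on all ultimately periodic
    words with |prefix| <= max_len and 1 <= |loop| <= max_len: such a word has
    an a_i^omega tail iff its loop repeats a single letter."""
    letters, delta = make_An(n)
    for plen in range(max_len + 1):
        for prefix in product(letters, repeat=plen):
            for llen in range(1, max_len + 1):
                for loop in product(letters, repeat=llen):
                    expected = len(set(loop)) == 1
                    if accepts(n, delta, prefix, loop) != expected:
                        return False
    return True


def catch_up_delay(n, delta, red_start, blue_start, prefix, i):
    """Persistence simulation argument of Theorem 7: run Red and Blue in lockstep
    on prefix.a_i^omega and count how many a_i steps Blue still needs, once Red
    sits in s_i, before Blue sits in s_i as well."""
    red, blue = red_start, blue_start
    for x in prefix:
        red, blue = delta(red, x), delta(blue, x)
    letter = f"a{i}"
    while red != i:                       # Red settles in s_i within n-1 steps
        red, blue = delta(red, letter), delta(blue, letter)
    delay = 0
    while blue != i:                      # Blue follows along the ring
        blue, delay = delta(blue, letter), delay + 1
    return delay


def max_catch_up_delay(n):
    """Worst case of catch_up_delay over all start pairs and all tails a_i^omega;
    the proof bounds this by n - 1."""
    letters, delta = make_An(n)
    return max(catch_up_delay(n, delta, r, b, (), i)
               for r in range(1, n + 1) for b in range(1, n + 1)
               for i in range(1, n))


if __name__ == "__main__":
    letters, delta = make_An(3)
    print("a2 a1^w accepted:", accepts(3, delta, ["a2"], ["a1"]))
    print("(a1 a2)^w accepted:", accepts(3, delta, [], ["a1", "a2"]))
    print("language check:", language_is_union_of_tails(3, 3))
    print("max catch-up delay for n=4:", max_catch_up_delay(4))
```

The worst case for the blue pebble is being one state ahead of $s_i$ on the ring when the red pebble arrives, which costs exactly n − 1 further $a_i$ steps.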
3.7 Fair Simulation for Parity Automata
It is known that fair simulation (for Büchi automata) can be used for state space reductions provided some post-processing is done that ensures that the fair simulation equivalence is preserved [40]. The algorithm of [40] incrementally calculates the fair simulation relation. Whenever two states are found to be fair simulation equivalent, it is checked by adding and removing transitions whether fair simulation between the modified automaton and the original automaton is still preserved. This addition and removal of transitions is done in a manner such that the parity progress measure of the underlying parity game is preserved provided the merge is correct. This allows us to iteratively calculate the whole fair simulation relation with intermediate checks within a factor of k of the time complexity for calculating the fair simulation alone, where k is the number of failed modifications. If a merge is later found to be wrong, i.e. language equivalence is not preserved, backtracking is used to return to a valid configuration. This backtracking on individual states is not well suited for a symbolic implementation. Hence we develop here an alternative that is not based on individual states but instead on the set of all states reachable from a merge candidate.
⁵ One might get confused that the same might also hold for (left-hand) delayed simulation. This is not true. Whenever $\Omega(p^{(i)}) <_\Omega \Omega(s^{(i)})$ for co-Büchi automata and $\Omega(p^{(i)})$ is even, this implies that a matching good state for Spoiler must have priority 0, which is obviously not possible.
3.7.1 Merging States using Fair Simulation
We start our considerations with the following proposition that easily follows from previous results, since fair simulation implies language inclusion:
Proposition 7. Let A, A′ be parity automata. If $A \mathrel{f} A'$ then Lang(A) ⊆ Lang(A′).
This proposition allows us to check the validity of a whole set of proposed changes to an automaton at once. To this end we could check whether the quotient of A with respect to fair simulation is equivalent to the original automaton. Whenever the check succeeds we know that all merges are correct. However, if it fails we would know nothing. We will generalize this proposition in the following to obtain a more refined check.
The first lemma that we need is a generalization of the transitivity of fair simulation:
Lemma 3. Let A = (S, I, R, Ω), A′ = (S′, I′, R′, Ω′) be parity automata. If $s \mathrel{f^{(A,A)}} s'$ and $s' \mathrel{f^{(A,A')}} s''$, then $s \mathrel{f^{(A,A')}} s''$.
Proof sketch. The proof of Lemma 1 remains unchanged for this case.
Now we can formulate the following theorem, which states that we can safely replace any transition to s by a transition to t, for a fair-simulation equivalent state t, if state t in the modified automaton still fair simulates its counterpart in the unmodified automaton.
Theorem 8. Let A be a parity automaton, let s, t ∈ S such that s ≠ t, $s \approx^{(A,A)}_f t$. If $t \approx^{(A,A_{s\to t})}_f t$ then any state in $A_{s\to t}$ is fair simulation equivalent to the state of the same name in A.
Proof. We denote with $t' \in S_{s\to t}$ the state corresponding to t ∈ S. We first show one direction; the other direction can be shown analogously. More specifically, let $t' \mathrel{f^{(A_{s\to t},A)}} t$. We show that this is enough to guarantee that any state in $A_{s\to t}$ is fair simulated by the state of the same name in A. To do this, let $p'^{(0)} \in A_{s\to t}$ be any state in $A_{s\to t}$ and $p^{(0)} \in S$ be the corresponding state. We want to show that Duplicator has a winning strategy in $G^{(A,A_{s\to t})}_f\big(p'^{(0)}, p^{(0)}\big)$. The critical point in this case is that t′ is visited in the simulation game, since its transitions may not be part of the original automaton.
Since s and t are fair simulation equivalent in the original automaton, we have $t \mathrel{f^{(A,A)}} s$. Thus, by transitivity, we have $t' \mathrel{f^{(A_{s\to t},A)}} s$. Let γs be the strategy to show $t' \mathrel{f^{(A_{s\to t},A)}} s$, and γt be the strategy to show $t' \mathrel{f^{(A_{s\to t},A)}} t$. Intuitively, as long as t′ is not visited by Spoiler in $G^{(A,A_{s\to t})}_f\big(t'^{(0)}, p^{(0)}\big)$, Duplicator simply takes as successor the corresponding state from the original automaton. However, if at some point this is not the case, according to the definition of R′, the original automaton has a transition that ends in s or ends in t. But then, we can continue the play with one of the strategies γs or γt. To do this, Duplicator uses a memory variable τ. At the beginning, we set τ = √. Now assume we are in state $(p'^{(i)}, p^{(i)})$ and Spoiler chooses transition $(p'^{(i)}, \alpha^{(i)}, p'^{(i+1)})$. The next value of τ, denoted with τ′, is determined by:
$$\tau' = \begin{cases} \surd & \text{if } \tau = \surd \land p'^{(i+1)} \ne t' \\ s & \text{if } \tau = s \lor p'^{(i+1)} = t' \land (p^{(i)}, \alpha^{(i)}, s) \in R \\ t & \text{if } \tau = t \lor p'^{(i+1)} = t' \land (p^{(i)}, \alpha^{(i)}, t) \in R \end{cases}$$
The strategy is now defined as follows:
$$\gamma(p^{(i)} a^{(i)} p'^{(i+1)}) = \begin{cases} p^{(i+1)} & \text{if } \tau' = \surd \\ \gamma_{\tau'}(p^{(i)}, a^{(i)}, p'^{(i+1)}) & \text{else} \end{cases}$$
Notice that γ′ is well defined, because when τ = √ ∧ τ′ ≠ √ for the first time i, the run $\pi' = p'^{(0)} \ldots p'^{(i)}$ that is induced by Spoiler during the play must have visited t′, i.e. we have $p'^{(i)} = t'$. This implies that either $(p^{(i-1)}, \alpha^{(i-1)}, s) \in R'$ or $(p^{(i-1)}, \alpha^{(i-1)}, t) \in R'$. After that point, the strategy simply mimics one of the strategies γs or γt. Thus γ is winning since both strategies are winning and the winning condition of fair simulation does not depend on a finite prefix.
The other direction is shown analogously by assuming that t(A,As→t)f t′ and showing
that then any state in the original automaton is fair simulated by the state of the
same name in the minimized automaton.
This theorem seems to be very powerful. But it has one drawback that is discussed in the following: Let ϱ be a selection function that selects t as a representative for an equivalence class. Assume that in A÷ϱ some state r is reachable from t that is wrongly merged with some state q. This means that the language accepted from r has changed and might potentially change the language accepted from t as well. In some (very unlikely but still possible) cases it might now happen that when we redo the merge of r and q, we destroy the fair simulation equivalence of t with its counterpart in the original automaton.
So at first sight it seems that we need to check each merge individually. However, this is not the case. If from t only states are reachable that pass the check of Theorem 8, we can be sure that the subautomaton that is reachable from ϱ(t) will never again change, and thus this merge is indeed correct. This is captured in the following corollary.
Corollary 4. Let $\approx \subseteq \approx^{(A,A)}_f$, i.e. it holds that if s ≈ t, then $s \approx^{(A,A)}_f t$. Let ϱ be a canonical selection function for ≈. Let
$$\zeta(s) = \begin{cases} \varrho(s) & \text{if } \forall \alpha \in \Sigma^*\ \forall q \in S.\ (\varrho(s), \alpha, \varrho(q)) \in R_{\div\varrho} \to \varrho(q) \approx^{(A,A_{\div\varrho})}_f \varrho(q) \\ s & \text{else} \end{cases}$$
Then, any state in A÷ζ is fair simulation equivalent to the state of the same name in A.
Notice that this check can be done by a simple reachability analysis of the state space, so that we obtain an efficient procedure to check multiple changes at once.
3.7.2 Removing Edges using Fair Simulation
Similar to merging states using fair simulation, we can also check the removal of edges. This is the topic of this subsection.
Theorem 9. Let A = (S, I, R, Ω) be a parity automaton. Let r, s, t ∈ S such that $s \mathrel{f^{(A,A)}} t$. Let R′ be obtained from R by removing one transition (r, a, s) provided there is a transition (r, a, t). Let A′ = (S, I, R′, Ω). Denote with q the states from A and with q′ the corresponding state in A′. Then, the following holds: If $r \mathrel{f^{(A,A')}} r'$ then $q \approx^{(A,A')}_f q'$ for any state q′ ∈ S′.
Proof. Obviously, since we remove an edge in A′, it is clear that $q' \mathrel{f^{(A,A')}} q$ for any state q′ ∈ S′. The other direction is shown as in the proof of Theorem 8, i.e. as long as Duplicator does not need to take some transition (r, a, s), Duplicator responds with the same transition; otherwise she continues playing according to the winning strategy that shows that $r \mathrel{f} r'$.
Since removing more edges makes it harder to show fair simulation, when we find that a state in the more minimized automaton still simulates the original state, this implies that we can safely remove the edge also in a less minimized automaton. This is stated in the following corollary.
Corollary 5. Let A = (S, I, R, Ω) be a parity automaton, and $E = \{(s, t) \mid s, t \in S \land s \mathrel{f^{(A,A)}} t\}$. Let R′ be obtained from R by removing one or more transitions (r, a, s) provided there is a transition (r, a, t) for a pair (s, t) ∈ E. Let A′ = (S, I, R′, Ω). Denote with q the states from A, with q′ (q′′) the corresponding state in A′ (A′′). Then, the following holds: If $r \mathrel{f^{(A,A')}} r'$ then any removal of an edge (r, a, s) preserves fair simulation equivalence, i.e. any state in A′′ that is obtained by removing a transition (r, a, s) as in A′ is fair-simulation equivalent to the state of the same name in A.
3.7.3 A Fair Minimization algorithm
In this section we describe a method to minimize a parity automaton using the tech-
niques presented before. To perform fair simulation minimization, the fair simulation
relation of the automaton A is calculated which gives us the fair simulation equivalent
states. We perform the successor quotient construction where we replace any state
in an equivalence class by a state with minimal color from that class. Afterwards
we check which states are still fair simulation equivalent in both automata. The
states that have only good successors according to this check are merged according
to Corollary 4. Notice that after this step, every pair of states that is left-hand (or right-hand) delayed equivalent is merged, since in that case all successors must also be left-hand (right-hand) equivalent. Afterwards, we pick one equivalence class,
merge all states to a minimal representative and check whether the merge succeeded.
This is done until we find an equivalence class where this check fails. For this equiv-
alence class, we can still perform minimization, by performing the check according to
Theorem 8 for every pair (s, t) we want to merge. When we find a merge that is in-
correct, we can update the equivalence relation and restart the process. After having
performed merging of states, we perform removal of edges according to Corollary 5.
The overall algorithm is sketched in Algorithm 1.
In practice, the chances that merges succeed are quite high. Nevertheless, assume that the number of possible merges of state pairs is k. In the worst case, we have to check all equivalence classes but one before we find the equivalence class that is responsible for a non-successful merge. Clearly, the number of nontrivial equivalence classes is smaller than k. Thus, the overall running time of the algorithm until step 6 is reached is within a factor of O(k) of the time for performing the fair simulation equivalence calculation alone. Clearly, k ∈ O(|R|). Since we cannot remove more than |S| states or |R| transitions, the overall run time of this algorithm is within a factor of O(|R|²) of performing the fair simulation calculation on A alone. Since the calculation of the fair simulation relation is exponential in the number of colors, this quadratic factor does not dominate the overall running time of the algorithm.
Theorem 10. Let A be a parity automaton and let n = |S|, m = |R|, d = |Ω|. Then
Algorithm 1 has a worst case running time of $O\big((nm)^{4d} \cdot m^4\big) \cdot \frac{(2d)!}{(d!)^2}$.
Algorithm 1 A fair minimization algorithm
Input: A parity automaton A
Output: a minimized parity automaton equivalent to A
1. calculate a canonical selection function ϱ for $\approx_f^{(A,A)}$
2. if $A \div \varrho \approx_f A$ return $A \div \varrho$
3. calculate the refinement ζ for ϱ according to Corollary 4, i.e. merge the states
   with fair simulation equivalent successors
4. let $A' = A \div \zeta$
5. for every r ∈ S such that ϱ(r) = s for some s ≠ r (s represents a nontrivial
   equivalence class) do
   5.1. let $\zeta(s') = \begin{cases} s & \text{if } \varrho(s') = r \\ s' & \text{else} \end{cases}$
   5.2. if $A' \div \zeta \approx_f A'$ then
        5.2.1. let $A' = A' \div \zeta$
        5.2.2. restrict ϱ to the states in $A' \div \zeta$
        5.2.3. goto 5
   5.3. else
        5.3.1. for every pair (s, t) such that $s \approx_f t$
               • if $A'_{s \rightarrow t} \approx_f A'$ then let $A' = A'_{s \rightarrow t}$
               • else
                 – remove (s, t) from the equivalence class, i.e. set ϱ(s) = s
                 – goto 2
6. remove edges from A′ according to Corollary 5
7. if A′ contains fewer states or fewer transitions than A, continue with step 1 with A′
   as A, otherwise return A′ as the simplified automaton.
4 Symbolic Determinization via the Automaton Hierarchy
We have already outlined in the introduction that all algorithms for the solution
of the controller synthesis problem rely on some form of (pseudo)-determinization.
However, the determinization of ω-automata is considerably more difficult than the
determinization of automata on finite words, which is usually done by the well-known
Rabin-Scott [84] subset construction. In order to translate nondeterministic Büchi
automata to deterministic ω-automata, more difficult algorithms like Safra's algorithm
[88] have to be used. However, these algorithms are difficult to implement [41, 110, 54]
due to the used complex data structures, which do not allow the use of symbolic set
representations like BDDs. As a consequence, the related tools are limited to very
small LTL formulas which limits their application in practice.
Due to the lack of efficient determinization algorithms, a recent research trend is
to avoid determinization [60, 46] and to integrate the applications with lightweight
parts of the determinization procedures. However, at least for model-checking, exper-
imental results [95] indicate that the more deterministic an automaton is, the more
efficiently it can be handled. In [5] it is shown that for SAT-based model checking of
safety properties, the SAT solver terminates much faster if one uses deterministic
instead of nondeterministic automata, although the deterministic automata
may be exponentially larger than the nondeterministic ones.
A different approach to deal with the determinization problem is to consider re-
stricted classes of LTL properties [91, 3], so that simpler kinds of ω-automata with
simpler determinization procedures can be used. It is well-known that simple modifi-
cations of the Rabin-Scott subset construction (including the breakpoint construction
of Miyano and Hayashi [70]) can be used for the determinization of some of these
classes. In order to apply these determinization procedures to translate LTL formulas
to deterministic ω-automata, we exploit the temporal logic hierarchy of [65, 18, 90, 91]
as described in Section 2.4. This hierarchy is based on the definition of six classes
of temporal logics TLκ such that all formulas of TLκ can be efficiently translated to
the corresponding automaton class Detκ. Due to results of [65], it moreover follows
that if a temporal logic formula can be translated to Detκ, then it is equivalent to a
formula in TLκ.
Thus we can compute for every formula $\varphi \in \mathrm{TL}_\kappa$ an equivalent deterministic ω-automaton
$A_\varphi \in \mathrm{Det}_\kappa$. Moreover, it is already known that the subset and the breakpoint
constructions are sufficient for this purpose, so that there is no need to implement
Safra's considerably more difficult determinization procedure for this purpose.
However, a critical issue of the known translations from the classes TLκ to Detκ is still
their complexity: It is well-known [3] that there exist formulas $\Phi \in \mathrm{TL}_\kappa$ such that
all equivalent deterministic automata have at least $2^{2^{\Omega(|\Phi|)}}$ states. Symbolic translation
procedures from $\mathrm{TL}_\kappa$ to $\mathrm{NDet}_\kappa$ elegantly circumvent a first bottleneck. However,
all determinization procedures including the subset and the breakpoint construction
are given for explicitly represented automata, so that this advantage can no longer
be exploited. Even worse, the resulting deterministic automata are also given in an
explicit representation, so that naive implementations really suffer from the double
exponential complexity. For this reason, a major improvement is obtained by the
results of this chapter that show how the subset and the breakpoint construction
can be implemented in a semi-symbolic way: For a given symbolically represented
nondeterministic automaton A∃ (Q, I,R,F) with reachable states {ϑ1, . . . , ϑn}, we
directly construct symbolic descriptions of the deterministic automata that are constructed
by the subset and the breakpoint constructions. Although we cannot avoid
one exponential step (namely the enumeration of the reachable states¹), we achieved
that the symbolic description of the deterministic automaton can be obtained without
enumerating its states. All steps except for the enumeration of the reachable states
of the nondeterministic automaton are symbolically implemented. As a result, we ob-
tain highly efficient determinization procedures that allow us to translate large LTL
formulas to equivalent deterministic automata. In the following, we describe these
algorithms in detail, but we assume that the reader is familiar with the subset and
the breakpoint construction.
This chapter is divided in three parts: the first part describes the semi-symbolic
subset construction. Based on the subset construction, a semi-symbolic variant of the
breakpoint construction is obtained. Finally, we describe how by a dependent variable
analysis we can reduce the number of propositional variables needed to encode the
state transition diagrams of the deterministic automaton.
4.1 A Semi-Symbolic Subset Construction
In Section 2.4, we have sketched by results from [90, 91] that we can compute for every
formula ϕ ∈ TLκ an equivalent deterministic ω-automaton Aϕ ∈ Detκ. Besides the
translation procedures already given in [90, 91], the main ingredient is the use of the
subset and the breakpoint constructions for ω-automata [84, 70, 91]. The remaining
problem is that these procedures are only described in the literature for explicitly
given automata.

¹Notice that together with the constructions given in Chapter 3 we only have to enumerate the
simulation equivalent states.
In this section, we therefore explain how these algorithms can be implemented in
a semi-symbolic manner². Our algorithms are symbolic in the sense that they can
make effective use of symbolic set representations as given by BDDs. However, as
we have to explicitly enumerate the reachable states at some point, not all parts of
the algorithm can be implemented with symbolic methods. Hence, we obtain semi-symbolic
algorithms.
As already explained, our algorithms expect a symbolic representation of a nondeterministic
automaton, i.e. a formula $A_\exists(Q, I, R, F)$, where I is a propositional
formula over the state variables Q, and where the acceptance condition F is based
on a propositional formula $F_\varphi$ over the state variables Q that is used to construct a
safety, liveness, fairness or co-Büchi property F. In the following, we assume that
$Q = \{q_1, \ldots, q_m\}$ and $V_\Sigma = \{x_1, \ldots, x_k\}$ hold and, for notational reasons, we
identify F with $F_\varphi$.
The first step of our algorithms consists of computing the reachable states of the
automaton. To this end, we first eliminate all variables that are not state variables,
i.e., we define $R_\exists :\equiv \exists x_1 \ldots x_k.\, R$, and then compute the reachable states. The
reachable states can be computed as the fixpoint of the µ-calculus formula $\mu x.\, I \vee \overleftarrow{\Diamond} x$³,
but since we additionally eliminate dead-end states, we compute
$S_{reach} :\equiv (\nu y.\, \Diamond y) \wedge (\mu x.\, I \vee \overleftarrow{\Diamond} x)$ instead. Using symbolic methods, the result $S_{reach}$ is a propositional
formula over the state variables Q.
Having computed the reachable states $S_{reach}$ of the automaton, we now perform
a onehot encoding of the original nondeterministic automaton $A_\exists(Q, I, R, F)$. To
this end, we have to explicitly enumerate the reachable states, which are the variable
assignments of the state variables Q that satisfy the formula $S_{reach}$. We identify a
variable assignment with a set ϑ ⊆ Q such that exactly the variables contained in
ϑ are true. Thus, assume the reachable states are $\{\vartheta_1, \ldots, \vartheta_n\}$. We now introduce
new state variables $Q_{oh} = \{p_1, \ldots, p_n\}$ such that each $p_i$ is identified with a single
reachable state, i.e. we use a one-hot encoding. To generate an encoding with the new
state variables, we use the minterms of the states ϑ ⊆ Q over the original variables
to map old states to new onehot states:
$$mt_Q(\vartheta) :\equiv \Big(\bigwedge_{x \in \vartheta} x\Big) \wedge \Big(\bigwedge_{x \in Q \setminus \vartheta} \neg x\Big)$$
Based on these definitions, the re-encoding of $A_\exists(Q, I, R, F)$ as a onehot automaton
can be easily done as follows:

²We assume that the reader is familiar with the subset and the breakpoint construction.
³For a set of states x, $\overleftarrow{\Diamond} x$ denotes the existential successor states of x.
Definition 34 (Symbolic Onehot Encoding).
Given an automaton $A = A_\exists(Q, I, R, F)$ with the reachable states $\{\vartheta_1, \ldots, \vartheta_n\}$ and
new state variables $Q_{oh} = \{p_1, \ldots, p_n\}$. Then, we define the following automaton
$A_{oh} = A_\exists(Q_{oh}, I_{oh}, R_{oh}, F_{oh})$:
• $\mathrm{OneHot}(Q_{oh}) :\equiv \bigwedge_{i=1}^{n} \Big(p_i \rightarrow \bigwedge_{j=1, j \neq i}^{n} \neg p_j\Big)$
• $H :\equiv \bigvee_{j=1}^{n} p_j \wedge mt_Q(\vartheta_j)$
• $I_{oh} :\equiv \mathrm{OneHot}(Q_{oh}) \wedge \exists q_1 \ldots q_m.\, H \wedge I$
• $F_{oh} :\equiv \exists q_1 \ldots q_m.\, H \wedge F$
• $R_{oh} :\equiv [\mathrm{OneHot}(Q_{oh})]^{p_1,\ldots,p_n}_{p'_1,\ldots,p'_n} \wedge \bigvee_{i=1}^{n} p'_i \wedge \eta_i$, where
  $\eta_i :\equiv \exists q_1 \ldots q_m q'_1 \ldots q'_m.\, H \wedge R \wedge [mt_Q(\vartheta_i)]^{q_1,\ldots,q_m}_{q'_1,\ldots,q'_m}$
We will state below that $A_{oh}$ encodes the same state transition system as A, but its
encoding with the variables $Q_{oh}$ is a onehot encoding, i.e., each reachable state of $A_{oh}$
corresponds with one of its state variables $p_i$. To see this, consider first the acceptance
condition $F_{oh}$: Note that $F_{oh}$ can be rewritten as
$\bigvee_{j=1}^{n} p_j \wedge \exists q_1 \ldots q_m.\, mt_Q(\vartheta_j) \wedge F$.
The subformula $mt_Q(\vartheta_i) \wedge F$ is false in case that $\vartheta_i$ is a variable assignment that
does not satisfy F. Otherwise, $mt_Q(\vartheta_i) \wedge F$ is equivalent to $mt_Q(\vartheta_i)$. Thus, the
existential quantification used in the definition of $F_{oh}$ yields 1 if $\vartheta_i$ belongs to F
(since every minterm $mt_Q(\vartheta_i)$ is satisfiable), and yields 0 if $\vartheta_i$ does not belong to
F. Consequently, $F_{oh}$ is equivalent to the disjunction of those $p_j$ that correspond to
states $\vartheta_j$ of F, i.e. $F_{oh} \Leftrightarrow \bigvee_{\vartheta_i \in F} p_i$.
The construction of $I_{oh}$ follows the same pattern, and only adds the constraint that
at most one of the state variables $p_i$ may be active⁴.
Finally, for the correctness of $R_{oh}$, note that $\eta_i$ is equivalent to
$$\bigvee_{j=1}^{n} p_j \wedge \underbrace{\exists q_1 \ldots q_m q'_1 \ldots q'_m.\, mt_Q(\vartheta_j) \wedge R \wedge [mt_Q(\vartheta_i)]^{q_1,\ldots,q_m}_{q'_1,\ldots,q'_m}}_{\tau_{j,i}}$$
$\tau_{j,i}$ is thereby the condition on the input variables $V_\Sigma = \{x_1, \ldots, x_k\}$ that must hold
to enable the transition from state $p_j$ to state $p_i$. Hence, $\eta_i$ lists all possibilities to
reach state $p_i$ from any other reachable state. It is easily seen that $R_{oh}$ maintains the
invariant that at most one of the state variables $p_i$ can be active due to the conjunct
$[\mathrm{OneHot}(Q_{oh})]^{p_1,\ldots,p_n}_{p'_1,\ldots,p'_n}$, which is obtained from $\mathrm{OneHot}(Q_{oh})$ by replacing each current
state variable by the corresponding next state variable.

⁴We have to establish $\mathrm{OneHot}(Q_{oh})$ as an invariant, and therefore add this constraint to the initial
states and the (next) states reachable from other states in $R_{oh}$.
Theorem 11. (Symbolic Onehot Encoding) For every automaton A, the automa-
ton Aoh as constructed in Definition 34 is isomorphic to A. Moreover, its encoding is
a onehot encoding, i.e., each state is encoded by a singleton set of the state variables.
The well-known subset construction that is usually used for the determinization of
automata can be symbolically done for automata that are given by a onehot encoding.
As we know by Definition 34 how arbitrary automata can be re-encoded with a onehot
encoding, we are able to obtain the following symbolic subset construction:
Definition 35 (Symbolic Subset Construction).
Given an automaton $A = A_\exists(Q, I, R, F)$ with the reachable states $\{\vartheta_1, \ldots, \vartheta_n\}$ and
new state variables $Q_{det} = \{p_1, \ldots, p_n\}$, we define the following automaton
$A_{det} = A_\exists(Q_{det}, I_{det}, R_{det}, F_{det})$:
• $H :\equiv \bigvee_{j=1}^{n} p_j \wedge mt_Q(\vartheta_j)$
• $I_{det} :\equiv \bigwedge_{i=1}^{n} p_i \leftrightarrow \exists q_1 \ldots q_m.\, mt_Q(\vartheta_i) \wedge I$
• $F_{det} :\equiv \exists q_1 \ldots q_m.\, H \wedge F$
• $R_{det} :\equiv \bigwedge_{i=1}^{n} p'_i \leftrightarrow \eta_i$, with
  $\eta_i :\equiv \exists q_1 \ldots q_m q'_1 \ldots q'_m.\, H \wedge R \wedge [mt_Q(\vartheta_i)]^{q_1,\ldots,q_m}_{q'_1,\ldots,q'_m}$
As can be seen, the initial condition and the transition relation of $A_{det}$ are given
as equation systems, which is beneficial for many applications. The ideas of the
construction are very similar to those used for Definition 34. To explain them, we
consider A in the re-encoded form $A_{oh}$, so that we can identify the states $\vartheta_i$ with the
state variables $p_i$.
The initial superstate of the usual subset construction is the set of initial states
I, i.e., the initial condition is $\bigwedge_{i=1}^{n} p_i \leftrightarrow \alpha_i$, where $\alpha_i \in \{1, 0\}$ and $\alpha_i = 1$ iff
$\vartheta_i \in I$. By the explanations we gave after Definition 34, it is easily seen that our
above construction is therefore correct. The correctness of $F_{det}$ is immediately clear.
The transition relation of the usual subset construction is determined as follows:
The successor superstate of a superstate $\Theta \subseteq Q_{det}$ under an input is the set of all
states $p_i$ for which some state $p_j \in \Theta$ has a transition to $p_i$ that is enabled by that
input, i.e. for which $\tau_{j,i}$ holds. Our definition of $R_{det}$ directly implements this: in the
next step, all $p_i$ are true (thus belong to the successor superstate) where $\eta_i$ holds. As
already explained before, $\eta_i$ is equivalent to $\bigvee_{j=1}^{n} p_j \wedge \tau_{j,i}$.

Figure 4.1: Nondeterministic ω-automaton obtained from $\varphi :\equiv \mathsf{X}[a\ \mathsf{U}\ b]$. States: {}, {q1},
{q0}, {q0, q1}. Transitions: {} goes to {} and {q1} under ¬b; {q1} goes to {q0} and {q0, q1}
under ¬(a ∨ b); {q0} goes to {} and {q1} under b; {q0, q1} goes to {q0} and {q0, q1} under a ∨ b.
Therefore, the above definition implements the subset construction in a symbolic
way. We therefore can now state the following theorem:
Theorem 12 (Symbolic Subset Construction). For every automaton A, the automa-
ton Adet as constructed in Definition 35 is deterministic and is a symbolic description
of the automaton obtained by the well-known subset construction [84, 91].
Since the subset construction can not only be used to determinize automata on finite
words, but also ω-automata of the classes NDetG, NDetF, and NDetPrefix [91], we can
already handle these classes with the construction given in Definition 35.
As an example, consider the LTL formula $\varphi :\equiv \mathsf{X}[a\ \mathsf{U}\ b]$. Using the translation
given in [91], we obtain the following equivalent nondeterministic safety automaton
$$A_\varphi = A_\exists\big(\{q_0, q_1\},\ q_1,\ (q_0 \leftrightarrow b \vee a \wedge q'_0) \wedge (q_1 \leftrightarrow q'_0),\ 1\big).$$
Its state transition diagram is given in Figure 4.1, and its acceptance condition simply
demands that there must be an infinite run. Using the above algorithm, we obtain the
following equation systems for $A_{det}$ (where we encoded $p_0 \sim \vartheta_0 = \{\}$, $p_1 \sim \vartheta_1 = \{q_1\}$,
$p_2 \sim \vartheta_2 = \{q_0\}$, and $p_3 \sim \vartheta_3 = \{q_0, q_1\}$):
$$I_{det} = \begin{cases} p_0 \leftrightarrow 0 \\ p_1 \leftrightarrow 1 \\ p_2 \leftrightarrow 0 \\ p_3 \leftrightarrow 1 \end{cases}
\qquad
R_{det} = \begin{cases}
p'_0 \leftrightarrow p_0 \wedge \neg b \vee p_2 \wedge b \\
p'_1 \leftrightarrow p_0 \wedge \neg b \vee p_2 \wedge b \\
p'_2 \leftrightarrow p_1 \wedge \neg(a \vee b) \vee p_3 \wedge (a \vee b) \\
p'_3 \leftrightarrow p_1 \wedge \neg(a \vee b) \vee p_3 \wedge (a \vee b)
\end{cases}$$
Figure 4.2: Deterministic ω-automaton for $\varphi :\equiv \mathsf{X}[a\ \mathsf{U}\ b]$ obtained from the subset
construction with the acceptance condition $\mathsf{G}(p_0 \vee p_1 \vee p_2 \vee p_3)$ and $Q_{det} := \{p_0, p_1, p_2, p_3\}$.
States: {p1, p3} (initial), {p2, p3}, $Q_{det}$ and {}. Transitions: {p1, p3} goes to {p2, p3} under 1;
{p2, p3} goes to {} under ¬(a ∨ b), to $Q_{det}$ under b and to itself under a ∧ ¬b; $Q_{det}$ and {} each
loop under 1.

The state transition diagram of this deterministic automaton is shown in Figure 4.2.
4.2 A Semi-Symbolic Breakpoint Construction
In order to handle further classes of the temporal logic hierarchy, we show in the next
definition how the breakpoint construction for the determinization of DetFG can be
implemented in a symbolic manner. Again, by using dualities between the classes, we
are then able to handle the classes TLGF,TLFG and TLStreett.
Definition 36 (Symbolic Breakpoint Construction). Given $A = A_\exists(Q, I, R, F)$ with
the reachable states $\{\vartheta_1, \ldots, \vartheta_n\}$ so that F is the set $\{\vartheta_{n+1-\ell}, \ldots, \vartheta_n\}$. Using new
state variables $Q_{bpt} = \{p_1, \ldots, p_n, b_1, \ldots, b_\ell\}$ and the definitions of $I_{det}$ and $R_{det}$ of
Definition 35, we define $A_{bpt} = A_\exists(Q_{bpt}, I_{det} \wedge I_{bpt}, R_{det} \wedge R_{bpt}, F_{bpt})$ as follows:
• $H :\equiv \bigvee_{j=1}^{n} p_j \wedge mt_Q(\vartheta_j)$
• $I_{bpt} :\equiv \bigwedge_{i=1}^{\ell} b_i \leftrightarrow 0$
• $F_{bpt} :\equiv \neg \bigvee_{i=1}^{\ell} b_i$
• $R_{bpt} :\equiv \bigwedge_{i=1}^{\ell} b'_i \leftrightarrow \big(F_{bpt} \wedge \eta_i \vee \neg F_{bpt} \wedge [\eta_i]_\varrho\big)$, with
  $\eta_i :\equiv \exists q_1 \ldots q_m q'_1 \ldots q'_m.\, H \wedge R \wedge [mt_Q(\vartheta_i)]^{q_1,\ldots,q_m}_{q'_1,\ldots,q'_m}$
  and ϱ is the substitution that maps each of $p_1, \ldots, p_{n-\ell}$ to 0 and $p_{n+1-\ell}, \ldots, p_n$ to
  $b_1, \ldots, b_\ell$, respectively.
The idea behind the breakpoint construction is to maintain pairs of sets of states,
where the first component is computed by the subset construction. The second com-
ponent is the set of states that have never left the set of designated states since the
last breakpoint, where a breakpoint is a state whose second component is empty.
States of Abpt correspond with subsets of Qbpt which may be considered as pairs
of subsets of {p1, . . . , pn} and {b1, . . . , b`}. A breakpoint is a pair (S1, S2) where S2
represents an empty state set, i.e., all of the variables bj are false and Fbpt evaluates
to true. Whenever a breakpoint is reached, the second set is filled with the designated
successors of the first set. In this case, we evaluate the status of the bj according to
the variables $p_i$; thus all we have to do is to copy the formula representing the transition
relation of the subset construction. Otherwise, the usual subset construction
is performed on the second component, as in the explicit breakpoint construction. To calculate
the transition relation in our symbolic setting, it is sufficient to eliminate transitions
from non-accepting states (which is done by setting $p_i = 0$) and then to replace each
occurrence of $p_i$ for $\vartheta_i \in F$ by the corresponding $b_i$.
Hence, also the breakpoint construction can be implemented in a symbolic manner.
It is well-known that $A_{bpt}$ may have at most $O(3^n)$ reachable states, while the automaton
$A_{det}$ obtained from the subset construction may have at most $O(2^n)$ reachable states.
Theorem 13 (Symbolic Breakpoint Construction). For every automaton A, the au-
tomaton Abpt as constructed in Definition 36 is deterministic and is a symbolic de-
scription of the automaton obtained by the well-known breakpoint construction [70,
91].
As an example for the application of the symbolic breakpoint construction, consider
the LTL formula $\varphi := \mathsf{G}(a \rightarrow \mathsf{F} b)$ from $\mathrm{TL}_{\mathsf{GF}}$. Since this formula corresponds to a
deterministic Büchi automaton, the first step consists of negating the formula. We
obtain $\neg\varphi = \mathsf{F}(a \wedge \mathsf{G}\neg b)$. Using the translation given in [91], we obtain the equivalent
nondeterministic co-Büchi automaton $A_{\neg\varphi} = A_\exists(\{q_0, q_1, q_2\},\ \neg q_1 \wedge \neg q_2,\ \Phi_R,\ \mathsf{FG} q_2)$ with
$$\Phi_R = (q_0 \leftrightarrow b \vee q'_0) \wedge (q_1 \leftrightarrow (q_0 \vee \neg a) \wedge q'_1) \wedge (q'_2 \leftrightarrow (q_2 \vee ((q_0 \vee \neg a) \rightarrow q_1)))$$

Figure 4.3: Nondeterministic co-Büchi automaton obtained from $\neg\varphi \equiv \mathsf{F}(a \wedge \mathsf{G}\neg b)$ with the
states {q0}, {}, {q2} and {q1, q2}; the transitions are those given by $\Phi_R$.
Its state transition diagram is given in Figure 4.3. We encode this automaton using
onehot variables $p_0 \sim \vartheta_0 = \{q_0\}$, $p_1 \sim \vartheta_1 = \{\}$, $p_2 \sim \vartheta_2 = \{q_2\}$ and $p_3 \sim \vartheta_3 = \{q_1, q_2\}$.
Additionally, we introduce the breakpoint variables $b_2$ and $b_3$ for the accepting states
$\vartheta_2$ and $\vartheta_3$. Using the symbolic breakpoint construction of Definition 36, we obtain
the following equation system for $A_{bpt}$:
$$I_{bpt} = \begin{cases} p_0 \leftrightarrow 1 \\ p_1 \leftrightarrow 1 \\ p_2 \leftrightarrow 0 \\ p_3 \leftrightarrow 0 \\ b_2 \leftrightarrow 0 \\ b_3 \leftrightarrow 0 \end{cases}$$
$$R_{bpt} = \begin{cases}
p'_0 \leftrightarrow p_0 \\
p'_1 \leftrightarrow p_0 \wedge b \vee p_1 \wedge \neg a \wedge \neg b \\
p'_2 \leftrightarrow p_1 \wedge (a \wedge \neg b) \vee p_2 \wedge \neg b \\
p'_3 \leftrightarrow p_1 \wedge (a \wedge \neg b) \vee p_2 \wedge (a \wedge \neg b) \vee p_3 \wedge \neg a \wedge \neg b \\
b'_2 \leftrightarrow \neg(b_2 \vee b_3) \wedge \big(p_1 \wedge (a \wedge \neg b) \vee p_2 \wedge \neg b\big) \vee (b_2 \vee b_3) \wedge b_2 \wedge \neg b \\
b'_3 \leftrightarrow \neg(b_2 \vee b_3) \wedge \big(p_1 \wedge (a \wedge \neg b) \vee p_2 \wedge (a \wedge \neg b) \vee p_3 \wedge \neg a \wedge \neg b\big) \\
\qquad\ \vee (b_2 \vee b_3) \wedge \big(b_2 \wedge \neg b \vee b_3 \wedge \neg a \wedge \neg b\big)
\end{cases}$$
Figure 4.4: Deterministic co-Büchi automaton obtained from $\neg\varphi \equiv \mathsf{F}(a \wedge \mathsf{G}\neg b)$. States:
{p0, p1} (initial) and {p0, p2, p3, b2, b3}. Transitions: {p0, p1} loops under b ∨ ¬a and goes to
{p0, p2, p3, b2, b3} under a ∧ ¬b; {p0, p2, p3, b2, b3} loops under ¬b and returns to {p0, p1} under b.

The co-Büchi acceptance condition of $A_{bpt}$ is $\mathsf{FG}(b_2 \vee b_3)$, i.e. from some point on no
further breakpoint (a state with $b_2 = b_3 = 0$) is reached, so that we obtain the automaton
given in Figure 4.4. To obtain an automaton for our original formula ϕ, all we have to
do is to dualize the acceptance condition. Thus $A_\varphi = A_\exists(Q_{bpt}, I_{bpt}, R_{bpt}, \mathsf{GF}\neg(b_2 \vee b_3))$
is equivalent to ϕ.
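The following Python program is an added worked example (it is not code from the thesis) that runs Definitions 35 and 36 on the two automata of Sections 4.1 and 4.2. The symbolic objects of the thesis are replaced by explicit stand-ins: a propositional formula is a Python predicate over valuations (frozensets of the variables that are true), a set of valuations stands in for a BDD, and the reachable states, the enabling conditions $\tau_{j,i}$ and the equation systems $R_{det}$ and $R_{bpt}$ are evaluated by enumeration. The variable and state names ($q_i$, a, b) and the two transition relations are transcribed from the examples above; all function and class names are my own. The expected results are the reachable superstates and transitions of Figures 4.2 and 4.4.

```python
from itertools import product

def valuations(names):
    """All valuations of the given variables, each as the frozenset of true ones."""
    names = sorted(names)
    for bits in product((False, True), repeat=len(names)):
        yield frozenset(n for n, bit in zip(names, bits) if bit)

class NondetAutomaton:
    """A_exists(Q, I, R, F): init(s), trans(s, x, t), final(s) are predicates over valuations."""

    def __init__(self, state_vars, input_vars, init, trans, final):
        self.Q, self.letters = frozenset(state_vars), list(valuations(input_vars))
        self.init, self.trans, self.final = init, trans, final

    def reachable_states(self):
        """S_reach: drop dead ends (greatest fixpoint), then collect what is reachable from I."""
        live, dead = set(valuations(self.Q)), True      # valuations of Q enumerated explicitly
        while dead:
            dead = {s for s in live
                    if not any(self.trans(s, x, t) for x in self.letters for t in live)}
            live -= dead
        reach, todo = set(), [s for s in live if self.init(s)]
        while todo:
            s = todo.pop()
            if s not in reach:
                reach.add(s)
                todo += [t for t in live if any(self.trans(s, x, t) for x in self.letters)]
        return sorted(reach, key=sorted)

    def enabling_conditions(self, states):
        """tau[j][i]: the input letters enabling the transition theta_j -> theta_i."""
        return [[frozenset(x for x in self.letters if self.trans(sj, x, si))
                 for si in states] for sj in states]

def explore(init, step, letters):
    """Reachable states and transition map of a deterministic automaton."""
    seen, trans, todo = {init}, {}, [init]
    while todo:
        cur = todo.pop()
        for x in letters:
            nxt = trans[(cur, x)] = step(cur, x)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen, trans

def subset_construction(aut):
    """Definition 35: superstates are sets of state indices; p_i' <-> OR_j (p_j and tau_ji)."""
    states = aut.reachable_states()
    tau, n = aut.enabling_conditions(states), len(states)
    init = frozenset(i for i in range(n) if aut.init(states[i]))
    step = lambda theta, x: frozenset(i for i in range(n) if any(x in tau[j][i] for j in theta))
    return states, explore(init, step, aut.letters)

def breakpoint_construction(aut):
    """Definition 36: pairs (Theta, B); B is refilled from Theta at a breakpoint (B empty)."""
    states = aut.reachable_states()
    tau, n = aut.enabling_conditions(states), len(states)
    final = [i for i in range(n) if aut.final(states[i])]
    init = (frozenset(i for i in range(n) if aut.init(states[i])), frozenset())
    def step(state, x):
        theta, b = state
        theta2 = frozenset(i for i in range(n) if any(x in tau[j][i] for j in theta))
        source = theta if not b else b                  # F_bpt /\ eta_i  or  ~F_bpt /\ [eta_i]_rho
        return theta2, frozenset(i for i in final if any(x in tau[j][i] for j in source))
    return states, explore(init, step, aut.letters)

def named(states, theta):
    return frozenset(tuple(sorted(states[i])) for i in theta)

def example_x_a_until_b():
    """phi = X[a U b] with the safety automaton of Section 4.1 (Figure 4.1)."""
    aut = NondetAutomaton(
        ['q0', 'q1'], ['a', 'b'], init=lambda s: 'q1' in s, final=lambda s: True,
        trans=lambda s, x, t: (('q0' in s) == (('b' in x) or ('a' in x and 'q0' in t)))
                              and (('q1' in s) == ('q0' in t)))
    states, (det, trans) = subset_construction(aut)
    return ({named(states, t) for t in det},
            {(named(states, s), x): named(states, t) for (s, x), t in trans.items()})

def example_f_a_and_g_not_b():
    """not phi = F(a and G not b), co-Buechi automaton of Section 4.2; F = states containing q2."""
    def phi_r(s, x, t):
        q0, q1, q2 = 'q0' in s, 'q1' in s, 'q2' in s
        q0n, q1n, q2n = 'q0' in t, 'q1' in t, 'q2' in t
        a, b = 'a' in x, 'b' in x
        return ((q0 == (b or q0n)) and (q1 == ((q0 or not a) and q1n))
                and (q2n == (q2 or (not (q0 or not a)) or q1)))
    aut = NondetAutomaton(['q0', 'q1', 'q2'], ['a', 'b'], trans=phi_r,
                          init=lambda s: 'q1' not in s and 'q2' not in s,
                          final=lambda s: 'q2' in s)
    states, (det, trans) = breakpoint_construction(aut)
    name = lambda st: (named(states, st[0]), named(states, st[1]))
    return ({name(st) for st in det},
            {(name(st), x): name(t) for (st, x), t in trans.items()})
```

Both examples return the reachable deterministic states and the transition map keyed by (state, input letter). For the first automaton the four superstates {ϑ1, ϑ3}, {ϑ2, ϑ3}, $Q_{det}$ and {} of Figure 4.2 appear; for the second, only the two breakpoint states of Figure 4.4. In the thesis only the enumeration of the reachable states is explicit; the loops over $\tau_{j,i}$ in `step` are exactly what the equations $p'_i \leftrightarrow \eta_i$ and $b'_i \leftrightarrow (F_{bpt} \wedge \eta_i \vee \neg F_{bpt} \wedge [\eta_i]_\varrho)$ express symbolically.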
Although the automaton is minimal in the sense that it has a minimal number of
states, it is not minimal regarding the number of state variables. Therefore, we present
in the following a way to minimize the number of state variables by a dependent
variable analysis.
4.3 Removing Dependent Variables
After computing the determinized automaton, we perform dependent variable analysis
[47] on the set of reachable states to simplify the representation of the propositional
formulas that are used to encode the transition relation.
Definition 37 ([47]). Given a Boolean function f over $x_0, x_1, \ldots, x_n$, a variable $x_i$
is functionally dependent in f iff $\forall x_i.\, f = 0$.
Notice that if xi is functionally dependent, it is uniquely determined by the remaining
variables of f and can be replaced by a suitable function g(x0, x1, . . . xi−1, xi+1, . . . xn).
It has been shown in [47] that removing dependent variables can dramatically speed
up the overall running time of BDD based model checking, so that we perform it here
on the small subautomata that are obtained after minimization.
Example 1. A dependent variable analysis on the automaton from Figure 4.4 is quite
efficient and yields the deterministic automaton
$$A_\exists(\{p\},\ p,\ p' \leftrightarrow b \vee p \wedge \neg a,\ \mathsf{GF} p).$$
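As an added example (not the thesis's code), the following Python program performs the dependent variable analysis of Definition 37 on the reachable states of the breakpoint automaton of Figure 4.4. The equation system $I_{bpt}$, $R_{bpt}$ of Section 4.2 is transcribed as a next-state function, the reachable states are computed from it, every variable that satisfies $\forall x_i.\, f = 0$ on the current state set is eliminated in the order $p_0, p_1, p_2, p_3, b_2, b_3$, and the transitions are re-encoded over the surviving variables. A Boolean function is represented by the set of its satisfying valuations. Only $b_3$ survives; with $p \equiv \neg b_3$ the resulting transition table is the one of Example 1. All function names are mine.

```python
VARS = ['p0', 'p1', 'p2', 'p3', 'b2', 'b3']
INIT = frozenset({'p0', 'p1'})                             # I_bpt of the example
LETTERS = [frozenset(x) for x in ([], ['a'], ['b'], ['a', 'b'])]

def next_state(s, x):
    """R_bpt of the example, transcribed as a next-state function."""
    p0, p1, p2, p3, b2, b3 = (v in s for v in VARS)
    a, b = 'a' in x, 'b' in x
    bp = not (b2 or b3)                                     # F_bpt: we are at a breakpoint
    nxt = {
        'p0': p0,
        'p1': p0 and b or p1 and not a and not b,
        'p2': p1 and a and not b or p2 and not b,
        'p3': p1 and a and not b or p2 and a and not b or p3 and not a and not b,
        'b2': bp and (p1 and a and not b or p2 and not b) or not bp and b2 and not b,
        'b3': bp and (p1 and a and not b or p2 and a and not b or p3 and not a and not b)
              or not bp and (b2 and not b or b3 and not a and not b),
    }
    return frozenset(v for v, val in nxt.items() if val)

def reachable(init):
    """Reachable states of the deterministic automaton and its transition map."""
    seen, trans, todo = {init}, {}, [init]
    while todo:
        s = todo.pop()
        for x in LETTERS:
            t = trans[(s, x)] = next_state(s, x)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen, trans

def is_dependent(f, var):
    """Definition 37: var is functionally dependent in f iff forall var. f = 0, i.e. no
    valuation of the other variables satisfies f both with var = 0 and with var = 1."""
    with_var = {s - {var} for s in f if var in s}
    without_var = {s for s in f if var not in s}
    return not (with_var & without_var)

def eliminate_dependent(f, variables):
    """Greedily drop dependent variables in the given order. Returns the surviving
    variables, f projected onto them and, per dropped variable, the table
    (valuation of the survivors -> value) that defines it."""
    remaining, g = list(variables), set(f)
    for var in variables:
        if is_dependent(g, var):
            g = {s - {var} for s in g}
            remaining.remove(var)
    keep = frozenset(remaining)
    definitions = {v: {s & keep: v in s for s in f} for v in variables if v not in keep}
    return remaining, g, definitions

def reduced_breakpoint_automaton():
    """Run the analysis on the reachable states of Figure 4.4 and re-encode the
    transitions over the surviving variables."""
    states, trans = reachable(INIT)
    remaining, _, definitions = eliminate_dependent(states, VARS)
    keep = frozenset(remaining)
    table = {(s & keep, x): t & keep for (s, x), t in trans.items()}
    return remaining, table, definitions
```

The greedy order matters only for which variable survives, not for how many: on the two reachable states every variable is individually dependent, but once five have been removed the last one is not (the projected function is the constant 1), so exactly one state variable remains, as in Example 1.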
5 Symbolic Determinization via Unambiguous Büchi Automata
In Chapter 4 a determinization procedure is presented that syntactically localizes an
LTL formula in the temporal logic hierarchy and, based on this knowledge, chooses
an appropriate determinization procedure, i.e. either the subset or the breakpoint
construction. Although nearly all formulas commonly used in practice belong to one
of the classes of the temporal logic hierarchy (or can be rather easily translated to a
formula belonging to one of the classes), there may still be cases where such a manual
rewriting step is undesirable.
In this chapter, we therefore present a new determinization procedure for Büchi
automata that stem from the translation of arbitrary LTL formulas by the ‘standard’
translation of [21] that is sketched in Section 2.3.1. It is well-known that the ω-
automata that stem from LTL formulas are a special class that has already found
several characterizations. Due to results of [67], the automata can be characterized as
non-counting automata, and in terms of alternating automata, the class of linear weak
or very weak automata has been defined [68, 35, 77, 74]. Moreover, many translation
procedures from LTL generate unambiguous automata [17] where every accepted word
has a unique accepting run [91, 2] (although there may be additional non-accepting
runs for the same word). The determinization procedure presented in this chapter
makes use of the fact that the automata generated from LTL are unambiguous. With-
out useless states, the transition relation of an unambiguous automaton has a certain
form that we call non-confluence (see Definition 38 for a precise definition):
An automaton is non-confluent if whenever two runs of the
same infinite word meet at a state q, then they must share the
entire finite prefix up to state q.
The above non-confluence property allows us to develop a determinization proce-
dure that exploits symbolic set representations. In particular, it does not rely on
Safra trees as used by Safra’s original procedure [88] or by the improved version of
Piterman [78]. The states of the deterministic automata obtained by these procedures
are trees of subsets of states of the original automaton. In contrast, our procedure
generates deterministic automata whose states consist of n-tuples of subsets of states,
where n is the number of states of the nondeterministic automaton.
The non-confluence property has already been used in [27] to obtain a deterministic
(Rabin) automaton from a nondeterministic Büchi automaton. However, the algorithm
of [27] still uses a tree structure and is therefore not well suited for a symbolic
implementation. In contrast, our automata are amenable to a symbolic implementa-
tion and are additionally defined with the simpler parity acceptance condition which
further reduces the complexities for game solving and emptiness checks.
The outline of this chapter is as follows: In the next section, the relationship be-
tween unambiguous automata and non-confluence is discussed. Here, we show first
that unambiguity implies non-confluence (but not vice versa) and that the minimiza-
tion techniques presented in Chapter 3 preserves the unambiguous property. The
core of this chapter is the determinization procedure described in Section 5.2 that is
a specialization of Safra’s procedure for non-confluent automata. In Section 5.3, we
discuss a symbolic implementation of this algorithm.
5.1 Properties of Unambiguous Automata
The unambiguous automata have some special features that makes them very appeal-
ing. One is that every finite prefix of a run is uniquely determined by the last visited
state. This is captured in the following definition:
Definition 38 (Non-Confluent Automata).
An ω-automaton $A = (S, I, R, F)$ is called non-confluent if for every word α the following
holds: if $\xi_1$ and $\xi_2$ are two runs of A on α that intersect at a position $t_0$
(i.e. $\xi_1^{(t_0)} = \xi_2^{(t_0)}$ holds), then we have $\xi_1^{(t)} = \xi_2^{(t)}$ for every $t \le t_0$.
To simplify some of the considerations, it is assumed that the Büchi automata that
are considered in the following do not have useless states. That means that for any
state q ∈ S the following holds:
• q is reachable from at least one initial state
• $\mathrm{Lang}(A_q) \neq \emptyset$
Without useless states, unambiguity implies non-confluence:
Lemma 4. Any unambiguous automaton $A = (S, I, R, F)$ without useless states is
non-confluent.
Proof. Assume for contradiction that A is unambiguous, has no useless state, but is
not non-confluent. Because of the latter, there is a word α with two runs $\xi_1$ and $\xi_2$ and
a position $t_1 \in \mathbb{N}$ with $\xi_1^{(t_1)} = \xi_2^{(t_1)} = q$, but there is also a $t_0 < t_1$ with $\xi_1^{(t_0)} \neq \xi_2^{(t_0)}$, so
that we obtain the situation shown in Figure 5.1. Since $\xi_1^{(t_1)} = \xi_2^{(t_1)} = q$ is not useless,
there must exist a word β that is accepted from q. Since the prefixes $\xi_1^{(0 \ldots t_1)}$ and
$\xi_2^{(0 \ldots t_1)}$ for reading $\alpha^{(0 \ldots t_1-1)}$ start in initial states and end in q, we can construct
two different accepting runs for $\alpha^{(0 \ldots t_1-1)}\beta$. Thus, A cannot be unambiguous.

Figure 5.1: Situation in the proof of Lemma 4: the runs $\xi_1$ and $\xi_2$ differ at position $t_0$, both
read $\alpha^{(t_0 \ldots t_1-1)}$ and meet in q at position $t_1$, from where the word β is accepted.

Figure 5.2: A non-confluent automaton that is ambiguous (states $q_0, q_1, q_2$ and $q'_0, q'_2, q'_3$
with the initial states $q_0$ and $q'_0$; two runs exist for $ab^\omega$).
Clearly, there exist unambiguous automata that are not non-confluent (by Lemma 4 they
necessarily have useless states): we can make an unambiguous and non-confluent automaton
confluent by adding a self-loop to a non-accepting state from which no word is accepted.
Moreover, non-confluence does not imply unambiguity, as Figure 5.2 shows. This automaton
is non-confluent but ambiguous, since two runs exist for $ab^\omega$.
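The following Python function is an added example (not from the thesis) that checks Definition 38 for an explicitly given automaton. An automaton is confluent exactly when two distinct states that are reachable on one and the same finite word have a common successor on some letter (the two runs then differ at $t_0$ and coincide at $t_0 + 1$), so the check explores the pairs of such states: distinct initial states, the branches of one nondeterministic choice, and the successors of such pairs. It is run on the automaton of Figure 4.1 (whose transitions are transcribed from Section 4.1, with input letters written as (a, b) bit pairs), on a variant with one added edge that makes it confluent, and on a constructed two-copy automaton of my own that is non-confluent but ambiguous, in the spirit of Figure 5.2. Function and state names are mine.

```python
def is_non_confluent(initial, transitions):
    """transitions: iterable of (src, letter, dst). Returns (True, None) if the
    automaton is non-confluent, else (False, (s, t, letter, common_successor))."""
    delta = {}
    for src, letter, dst in transitions:
        delta.setdefault((src, letter), set()).add(dst)
    letters = {letter for _, letter in delta}
    succ = lambda s, letter: delta.get((s, letter), set())

    # single reachable states: a run may split into two branches here
    reach, todo = set(initial), list(initial)
    while todo:
        s = todo.pop()
        for letter in letters:
            for t in succ(s, letter):
                if t not in reach:
                    reach.add(t)
                    todo.append(t)

    # pairs of distinct states reached by the same finite word
    pairs = {(s, t) for s in initial for t in initial if s != t}
    for s in reach:
        for letter in letters:
            pairs |= {(u, v) for u in succ(s, letter) for v in succ(s, letter) if u != v}
    todo = list(pairs)
    while todo:
        s, t = todo.pop()
        for letter in letters:
            common = succ(s, letter) & succ(t, letter)
            if common:                      # two runs differ here and meet one step later
                return False, (s, t, letter, sorted(common)[0])
            for u in succ(s, letter):
                for v in succ(t, letter):
                    if (u, v) not in pairs:
                        pairs.add((u, v))
                        todo.append((u, v))
    return True, None

# The automaton of Figure 4.1 for X[a U b]; letters are (a, b) bit pairs.
FIG_4_1_INITIAL = ['{q1}', '{q0,q1}']
FIG_4_1_TRANSITIONS = (
    [('{}', x, d) for x in [(0, 0), (1, 0)] for d in ['{}', '{q1}']]             # not b
    + [('{q1}', (0, 0), d) for d in ['{q0}', '{q0,q1}']]                          # not (a or b)
    + [('{q0}', x, d) for x in [(0, 1), (1, 1)] for d in ['{}', '{q1}']]         # b
    + [('{q0,q1}', x, d) for x in [(1, 0), (0, 1), (1, 1)] for d in ['{q0}', '{q0,q1}']])  # a or b

def figure_4_1_is_non_confluent():
    return is_non_confluent(FIG_4_1_INITIAL, FIG_4_1_TRANSITIONS)[0]

def figure_4_1_with_extra_edge():
    """Adding the edge {q0,q1} --(a=0,b=1)--> {q1} makes the automaton confluent: {q0} and
    {q0,q1}, both reachable on the word (0,0), then share the successor {q1} under (0,1)."""
    extra = [('{q0,q1}', (0, 1), '{q1}')]
    return is_non_confluent(FIG_4_1_INITIAL, FIG_4_1_TRANSITIONS + extra)

def disjoint_copies():
    """Constructed example: two initial states with separate self-loops. Non-confluent,
    yet ambiguous, since the word x x x ... has the two runs r r r ... and s s s ..."""
    return is_non_confluent(['r', 's'], [('r', 'x', 'r'), ('s', 'x', 's')])
```

The pair exploration is the product construction restricted to pairs of distinct states, so it costs $O(|S|^2 \cdot |\Sigma|)$ and needs no knowledge of the acceptance condition; this is why non-confluence, unlike unambiguity, is cheap to check and to preserve during minimization.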
As already outlined, minimizing automata is crucial to obtain manageable deter-
ministic automata. The following theorem shows that the unambiguity property is
stable under minimization according to the forward simulation relations.
Theorem 14 (Minimizing Unambiguous Automata). Let $A = (S, I, R, F)$ be an unambiguous
automaton with $p, q \in S$ such that any state in $A_{p \rightarrow q}$ is fair-simulation
equivalent to the state of the same name in A. Then $A_{p \rightarrow q}$ is unambiguous.
Proof. Assume by contradiction that there exist two different runs $\pi_1, \pi_2$ of $A_{p \rightarrow q}$
labeled with the same accepted word α. We consider first the case that the two runs
differ at the initial position. Since every state in $A_{p \rightarrow q}$ is fair simulation equivalent to
the state of the same name in A, A must accept α from both states $\pi_1^{(0)}$ and $\pi_2^{(0)}$, a
contradiction to A being unambiguous.
Otherwise, there must exist a minimal position $t_0$ such that $\pi_1^{(t_0)} \neq \pi_2^{(t_0)}$ and for
every $t < t_0$ we have $\pi_1^{(t)} = \pi_2^{(t)}$. That implies that from both states $\pi_1^{(t_0)}$ and $\pi_2^{(t_0)}$
the same word $\alpha^{(t_0 \ldots)}$ is accepted by A, since the states are fair simulation equivalent in
both automata. If both runs $\pi_1^{(0 \ldots t_0)}$ and $\pi_2^{(0 \ldots t_0)}$ are runs of A, we get a contradiction
to the unambiguity of A. Otherwise there must exist a maximal position $t < t_0$
such that $\pi_1^{(t)} = \pi_2^{(t)} = q$, and for some state u ∈ S we have $\pi_1^{(t+1)} = \pi_2^{(t+1)} = u$
and $(q, \alpha^{(t)}, u) \notin R$. But then we must have $(p, \alpha^{(t)}, u) \in R$. Let $\alpha_0$ be any
word leading to p in A and $\pi_0$ be the corresponding run. Since we have chosen t
maximal, the word $\alpha_0 \alpha^{(t \ldots)}$ is accepted by A with the two different runs $\pi_0\, p\, \pi_1^{(t+1 \ldots)}$
and $\pi_0\, p\, \pi_2^{(t+1 \ldots)}$, a contradiction to A being unambiguous.
Since any simplification of an automaton is either the merge of two states p, q as
done in Ap→q that preserves fair-simulation equivalence of any state or the removal of
transitions (that can clearly not destroy unambiguity), this theorem implies that the
forward simulation minimizations do not destroy the unambiguity of an automaton.
Notice that the previous theorem does not hold for non-confluent automata: fair
minimizing a non-confluent automaton might destroy the non-confluence property.
To see this, consider again the non-confluent, but ambiguous automaton given in
Figure 5.2. Since $q_2$ and $q'_2$ are direct-simulation equivalent, we can merge the two
states. It is however straightforward to see that the obtained automaton is no longer
non-confluent.
The following theorem shows that minimization with respect to reverse simulation
preserves non-confluence1.
Theorem 15. Let $A = (S, I, R, F)$ be a non-confluent Büchi automaton and $s, t \in S$
such that $s \neq t$ and $s \approx^{(A,A)}_{\overleftarrow{del}} t$. Let $A' = (S \setminus \{s\}, I, R', F)$ be defined by
$$R'(q, a, q') :\Leftrightarrow (R(q, a, q') \wedge q \neq s) \vee (q = t \wedge R(s, a, q'))$$
i.e. we remove any transition starting from s and add those transitions to the set of
transitions starting in t. Additionally, we remove any dead-end from A′. Then A′ is
non-confluent.

¹We do not yet know whether unambiguity is also preserved. However, non-confluence is all
that we need for our determinization construction.
Proof. Notice that since s and t are reverse left-hand simulation equivalent, every
state in A′ is reverse left-hand simulation equivalent to the state of the same name
in A according to Theorem 6. Assume by contradiction that A′ is confluent and
let π, τ be two different runs of A′ over the same finite word α such that for some
$t_0 \in \mathbb{N}$ we have $\pi^{(t_0)} \neq \tau^{(t_0)}$ and $\pi^{(t_0+1)} = \tau^{(t_0+1)}$. Since states of the same name in
A and A′ are reverse left-hand simulation equivalent, there must exist two different
runs over α in A that lead to $\pi^{(t_0)}$ and $\tau^{(t_0)}$. If we have $(\pi^{(t_0)}, \alpha^{(t_0)}, \pi^{(t_0+1)}) \in R$ and
$(\tau^{(t_0)}, \alpha^{(t_0)}, \tau^{(t_0+1)}) \in R$, we have constructed two different runs over the same word
$\alpha^{(0 \ldots t_0)}$ leading to $\pi^{(t_0+1)} = \tau^{(t_0+1)}$. Otherwise, either $\pi^{(t_0)} = t$ or $\tau^{(t_0)} = t$. Without
loss of generality, assume that $\pi^{(t_0)} = t$; the other case is handled analogously. Notice
that according to the definition of A′, there must exist a transition $(s, \alpha^{(t_0)}, \pi^{(t_0+1)}) \in R$.
Notice that t of A′ is reverse-simulation equivalent to the state of the same name
in A, and s and t are reverse-simulation equivalent in A. Hence $s \approx^{(A,A')}_{\overleftarrow{del}} t$. This
means that there must also exist a path in A labeled with the same word α that leads
to s in A. Since we removed any dead-end from A′, s is removed from A′, which gives
us that $\tau^{(t_0)} \neq s$. But since $\tau^{(t_0)}$ is reverse simulation equivalent in A and A′, there
must also exist a path in A that is labeled with $\alpha^{(0 \ldots t_0-1)}$ and leads to $\tau^{(t_0)}$. That
means that we have constructed two different runs of A labeled with the same word
that lead to $\pi^{(t_0+1)} = \tau^{(t_0+1)}$, a contradiction to A being non-confluent.
Since the Büchi automata that are obtained from an LTL formula are unambiguous, we can first minimize the automata with respect to some forward simulation relation (which preserves unambiguity) and later with reverse simulation (which at least preserves non-confluence). This is important in the next paragraph, where the knowledge that an automaton is non-confluent is used to develop a determinization procedure^2.
5.2 Determinizing Nonconfluent Automata

The well-known subset construction [84] collects the sets of states that the nondeterministic automaton $A = (S, I, R, F)$ can reach after having read a finite input word from one of its initial states $I$. Thus, every state $\tilde s \subseteq S$ of the deterministic automaton $\tilde A$ is a set of states of $S$. The final states $\tilde F$ are those states $\tilde s \subseteq S$ that contain an accepting state of $A$, i.e. where $\tilde s \cap F \neq \emptyset$ holds.

The acceptance condition of a Büchi automaton $A = (S, I, R, F)$ is also specified with a set of accepting states $F$. However, the subset construction is not sufficient to handle the Büchi acceptance, so that the more complex construction of Safra [88] is often used instead. The idea of Safra's construction is to define so-called breakpoints on the path $\tilde\xi$ of a word $\alpha$ through $\tilde A$ so that all paths $\xi$ contained in $\tilde\xi$ must visit the accepting states $F$ at least once in between two subsequent breakpoints. A path $\tilde\xi$ is then accepting iff it visits infinitely often breakpoints with non-empty state sets. To this end, the states of the automaton obtained by Safra's construction are trees of subsets of states.

^2 Thus non-confluence can be seen as a technical vehicle to state that each finite run of an unambiguous automaton is uniquely determined by the last visited state.
Our determinization procedure is a specialization of Safra's procedure for non-confluent automata. Given a nondeterministic Büchi automaton with $n$ states, the states of the constructed automaton are $n$-tuples of triples $(S_i, e_i, f_i)$ where $S_i \subseteq S$ and $e_i, f_i \in \{0, 1\}$ flag the clearance of a set or the visit of accepting states. We start with the initial state $((I, 1, 0), (\emptyset, 1, 0), \ldots, (\emptyset, 1, 0))$. To compute the successor of a state $((S_0, e_0, f_0), \ldots, (S_{n-1}, e_{n-1}, f_{n-1}))$ under input $\sigma$, we first compute the existential successors $S'_i := \mathrm{suc}^{R,\sigma}_\exists(S_i)$ for the subsets of states, which is the set
\[ \mathrm{suc}^{R,\sigma}_\exists(S_i) = \{ q' \in S \mid \exists q \in S_i.\ (q, \sigma, q') \in R \}. \tag{5.1} \]
Hence, the first state set $S_0$ of a tuple state is the result of the subset construction, i.e., it contains the set of states that $A$ can reach after having read a finite input word from one of its initial states $I$. The other sets $S_i$ with $i > 0$ are subsets of $S_0$ that are generated as follows: whenever the set of successors of $S_i$ is empty, i.e. whenever $\mathrm{suc}^{R,\sigma}_\exists(S_i) = \emptyset$, we set the flag $e'_j$ for all $j \geq i$. Now, whenever $e'_i = 0$, the ordinary subset construction is applied, i.e. we set $S'_i = \mathrm{suc}^{R,\sigma}_\exists(S_i)$. Otherwise, all runs of some set on the left (or the runs of the set $S_i$ itself) reached a dead-end. In this case, simply the subset construction of the direct right neighbor is taken over, i.e. we set $S'_i = \mathrm{suc}^{R,\sigma}_\exists(S_{i+1})$. In case we are on the rightmost set $S_{n-1}$, we take over the marked states of $S_0$, so that this marking gets noticed on a state set on the right. We can however clean up the states $S_0, \ldots, S_{n-1}$, so that not all combinations of state sets can occur: As $A$ is non-confluent, we know that a finite run is uniquely characterized by its last visited state. Hence, if a state occurs in a set $S_i$ and in parallel in some $S_j$, then we know that both sets follow the same run. Hence, whenever we find that a state set $S_i$ contains only states that also occur in a state set $S_j$ for $j > i$, we know that all runs in $S_i$ have visited a marked state recently. Accordingly, we mark $S_i$ as accepting by setting its mark $f'_i := 1$ and remove the states of $S_i$ from $S_{j'}$ for every $j' > i$. As a consequence, each $S_i$ must contain at least one $q \in S_i$ that is not contained in any $S_j$ where $i < j$. This shows that $n$ state sets are sufficient^3.
If an entry $S_i$ never becomes empty after a certain position on a path $\tilde\xi$ and is marked infinitely often, then we know that a marking is introduced infinitely often on $\tilde\xi$ and hence $\tilde\xi$ contains an accepting run of $A$.

^3 In [71] we presented a determinization procedure based on the same idea that did not use the empty-flag. The construction given there has an error in that it needs $n+1$ state sets and not $n$ state sets. This is due to the reason that whenever all state sets are full (but one of them will dead-end), the construction of [71] will not notice a new marking, since in [71] marked states are only introduced in empty sets. Having the empty flag avoids this additional set.

This intuitive idea is formalized in the following definition:
Definition 39 (Determinization of Non-Confluent Automata). Given a nondeterministic Büchi automaton $A = (S, I, R, F)$ with $|S| = n$, we construct a deterministic parity automaton $P = (S', s_I, \Delta, \Omega)$ as follows:

• The states of the parity automaton are $n$-tuples of subsets of $S$ augmented with two boolean flags:
\[ S' = \{ ((S_0, e_0, f_0), \ldots, (S_{n-1}, e_{n-1}, f_{n-1})) \mid S_i \subseteq S \wedge f_i, e_i \in \{0, 1\} \}. \]

• The initial state is $s_I = ((I, 1, 0), (\emptyset, 1, 0), \ldots, (\emptyset, 1, 0))$.

• The transition function $\Delta$ is determined by the following rules: Given a state $s = ((S_0, e_0, f_0), \ldots, (S_{n-1}, e_{n-1}, f_{n-1}))$, the successor state $s' = ((S'_0, e'_0, f'_0), \ldots, (S'_{n-1}, e'_{n-1}, f'_{n-1}))$ of automaton $P$ when reading input $\sigma$ is determined by the following rules for $i = 0 \ldots n-1$ (with $e'_{-1} := 0$):
\[ e'_i := \big( \mathrm{suc}^{R,\sigma}_\exists(S_i) = \emptyset \big) \vee e'_{i-1} \]
\[ f'_i := \begin{cases} \big( \mathrm{suc}^{R,\sigma}_\exists(S_i) \setminus F \big) \subseteq \Big( \bigcup_{j=i+1}^{n-1} \mathrm{suc}^{R,\sigma}_\exists(S_j) \Big) & \text{if } e'_i = 0 \\ 0 & \text{else} \end{cases} \]
\[ S'_0 := \mathrm{suc}^{R,\sigma}_\exists(S_0) \]
\[ S'_i := \begin{cases} \mathrm{suc}^{R,\sigma}_\exists(S_i) & \text{if } e'_i = 0 \\ \mathrm{suc}^{R,\sigma}_\exists(S_{i+1}) & \text{else} \end{cases} \setminus \bigcup_{j=0,\, f'_j = 1}^{i-1} S'_j \qquad \text{for } 0 < i < n-1 \]
\[ S'_{n-1} := \begin{cases} \mathrm{suc}^{R,\sigma}_\exists(S_{n-1}) & \text{if } e'_{n-1} = 0 \\ \mathrm{suc}^{R,\sigma}_\exists(S_0) \cap F & \text{else} \end{cases} \setminus \bigcup_{j=0,\, f'_j = 1}^{n-2} S'_j \]

• To determine the color of a state $s = ((S_0, e_0, f_0), \ldots, (S_{n-1}, e_{n-1}, f_{n-1}))$, set $e = \min\{i \mid e_i = 1\}$ and $f = \min\{i \mid f_i = 1\}$. We define:
\[ \Omega(s) := \begin{cases} 1 & \text{if } e = 0 \\ 2i & \text{if } f < e \wedge f = i \\ 2i - 1 & \text{if } e \leq f \wedge e = i \end{cases} \]
We have already given some explanations regarding the transition relation. However, to give a connection to the formal definition, notice that $\bigcup_{j=0,\, f'_j = 1}^{i-1} S'_j$ is, for every set $S_i$, the set of states on the left that have currently set the flag $f$, i.e. for which it is currently detected that every surviving run has visited a marked state recently. According to the previous explanation, those states need only be considered once in the tuple, so that we remove them from $S'_i$.

For the definition of the coloring function, notice that the clearance of a state set $S_i$, noticed by the flag $e_i$, is a bad event that undoes a previous marking $f_i$. Moreover, notice that if $S_0 = \emptyset$, the state $s$ is a rejecting sink state, since from that point on we have $S'_0 = \emptyset$ for every successor state. This state corresponds to a situation in the nondeterministic automaton where all runs lead to a dead end.
As a first example for the construction, consider the Büchi automaton together with its deterministic automaton given in Figure 5.3. To improve readability, we omitted the boolean flags, and instead overlined those state sets $S_i$ where $e_i$ holds and underlined those state sets $S_i$ where $f_i$ holds. This example gives a justification why we need the flags $e_i$: Without the flag $e_0$, both states at the bottom of the deterministic automaton would merge to one single state, which would make it impossible to determine whether the run should be accepted or not. Having the flag, it is clear that whenever the run enters state $(\{q_0, q_1\}, \{q_1\})$, the run previously ending in $q_1$ has reached a dead-end and thus the run is not accepting.

[Figure 5.3: Determinizing Non-Confluent Automata. (a) Nondeterministic automaton over the states $q_0, q_1$ with transition labels $a, b$; $b$; $a$. (b) Corresponding deterministic automaton with the states $(\{q_0, q_1\}, \emptyset)$, $(\{q_0, q_1\}, \{q_1\})$ and $(\{q_0, q_1\}, \{q_1\})$ (the latter two distinguished by the flags) and transition labels $a, b$; $b$; $a$; $ab$. The drawing itself is not reproduced in the text.]
As a second example, consider the automaton in Figure 5.4. This automaton accepts every word that either ends with suffix $ab^\omega$ or $cb^\omega$ or that contains infinitely many occurrences of $a$. On the right of this figure an example run with intermediate steps (in gray) is shown. The first interesting transition is the first occurrence of $c$. Here the run that was previously in $q_1$ dead-ends and hence, in an intermediate step, the rightmost subset becomes empty. At the end of this step, this set is filled with the marked successors of $S_0$ under $c$, which gives us the state drawn in the middle of the run. The next transition, labeled with $b$, is even more interesting: as an intermediate step, state set $S_1$ gets filled with the successors of $S_2$, which gives us the intermediate state $(\{q_0, q_1, q_2\}, \{q_2\}, \emptyset)$. As the final step of this transition, the marked successors of set $S_0$ under $b$, namely $q_1$, determine the new entry of $S_2$. Finally, the last drawn transition is obtained due to the following rules: $q_2$ has no $a$-successor, hence $S_1$ is cleared. The successors of $q_1$ are $\{q_0, q_1, q_2\}$, so in an intermediate step we obtain the state $(\{q_0, q_1, q_2\}, \emptyset, \{q_1, q_2, q_3\})$. Now we check that every (non-marked) state of $S_0$ occurs also on the right, which leads to the marking of $S_1$ and finally to the state at the bottom. The complete deterministic automaton is shown in Figure 5.5.
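The construction of Definition 39 carried out step by step on a small automaton, as an added worked example in Python (this is not code from the thesis or from Opal; the example automaton is my own construction in the spirit of Figure 5.3, and its edges are an assumption rather than a transcription of the figure). The block implements the successor function of equation (5.1), the tuple states with their $e_i$ and $f_i$ flags, the transition rules and the coloring $\Omega$; it also checks the non-confluence precondition by exploring pairs of runs of $A$ over the same word, and decides acceptance of an ultimately periodic word $u\,v^\omega$ by isolating the cycle of the deterministic run and taking the minimal color on it (min-parity, as used in the proof of Theorem 16). The case in which no $e_i$ and no $f_i$ is set is not covered by the three cases of $\Omega$, so the block uses index $n$ for both minima, which gives the odd color $2n-1$; that convention is mine.

```python
from collections import deque


class Buchi:
    """Nondeterministic Büchi automaton A = (S, I, R, F); `trans` maps
    (state, letter) to the set of R-successors."""

    def __init__(self, states, initial, trans, final):
        self.states = frozenset(states)
        self.initial = frozenset(initial)
        self.trans = trans
        self.final = frozenset(final)

    def suc(self, subset, letter):
        # suc^{R,sigma}_exists(S_i) = {q' | exists q in S_i with (q, sigma, q') in R}   (5.1)
        out = set()
        for q in subset:
            out |= self.trans.get((q, letter), set())
        return frozenset(out)


def initial_state(A):
    # s_I = ((I, 1, 0), (empty, 1, 0), ..., (empty, 1, 0)), one triple per state of A
    return ((A.initial, 1, 0),) + ((frozenset(), 1, 0),) * (len(A.states) - 1)


def step(A, state, letter):
    """Successor of a state of P under `letter`: the rules of Definition 39,
    evaluated left to right because e'_i and the removed sets refer to indices < i."""
    n = len(state)
    suc = [A.suc(S_i, letter) for S_i, _, _ in state]
    e, f, new = [0] * n, [0] * n, [frozenset()] * n
    for i in range(n):
        # e'_i: S_i or some set to its left has no successors (e'_{-1} = 0)
        e[i] = int(not suc[i] or (i > 0 and e[i - 1] == 1))
        if e[i] == 0:
            # f'_i: every non-accepting successor of S_i also occurs to the right,
            # so every run in S_i has visited F recently
            f[i] = int((suc[i] - A.final) <= frozenset().union(*suc[i + 1:]))
        if i == 0:
            base = suc[0]                                         # subset construction
        elif i < n - 1:
            base = suc[i] if e[i] == 0 else suc[i + 1]            # take over right neighbour
        else:
            base = suc[n - 1] if e[i] == 0 else suc[0] & A.final  # fresh marking
        # states kept by a marked set on the left are dropped from S'_i
        new[i] = base - frozenset().union(*(new[j] for j in range(i) if f[j]))
    return tuple(zip(new, e, f))


def color(state):
    """Omega(s): 1 if S_0 was cleared, 2f for the leftmost marking if it lies
    left of the leftmost clearing, else 2e-1.  No flag set: e = f = n (assumption)."""
    n = len(state)
    e = next((i for i, (_, ei, _) in enumerate(state) if ei), n)
    f = next((i for i, (_, _, fi) in enumerate(state) if fi), n)
    if e == 0:
        return 1
    return 2 * f if f < e else 2 * e - 1


def is_non_confluent(A, alphabet):
    """Precondition of the construction: no two distinct runs of A over the
    same finite word end in the same state (explored as pairs of runs)."""
    pairs = {(p, q) for p in A.initial for q in A.initial}
    todo = deque(pairs)
    while todo:
        p, q = todo.popleft()
        for a in alphabet:
            for p2 in A.trans.get((p, a), ()):
                for q2 in A.trans.get((q, a), ()):
                    if p == q and p2 == q2:
                        continue                 # still one and the same run
                    if p2 == q2:
                        return False             # two different runs merged
                    if (p2, q2) not in pairs:
                        pairs.add((p2, q2))
                        todo.append((p2, q2))
    return True


def accepts(A, prefix, loop):
    """Run P on prefix . loop^omega, isolate the cycle of P-states visited
    infinitely often and accept iff the minimal colour on it is even."""
    s = initial_state(A)
    for a in prefix:
        s = step(A, s, a)
    first_seen, history, pos = {}, [], 0
    while (s, pos) not in first_seen:
        first_seen[(s, pos)] = len(history)
        history.append(s)
        s = step(A, s, loop[pos])
        pos = (pos + 1) % len(loop)
    cycle = history[first_seen[(s, pos)]:]
    return min(color(x) for x in cycle) % 2 == 0


# Constructed example automaton (my assumption, not a transcription of Figure 5.3):
# q0 loops on a and b, q0 -b-> q1, q1 loops on a; F = {q1}.  It is non-confluent
# and accepts exactly the words of the form u b a^omega.
EXAMPLE = Buchi(
    states={"q0", "q1"}, initial={"q0"},
    trans={("q0", "a"): {"q0"}, ("q0", "b"): {"q0", "q1"}, ("q1", "a"): {"q1"}},
    final={"q1"})
```

Running `accepts(EXAMPLE, "ab", "a")` follows the deterministic run through $((\{q_0\},1,0),(\emptyset,1,0))$, $((\{q_0\},0,0),(\emptyset,1,0))$ and $((\{q_0,q_1\},0,0),(\{q_1\},1,0))$ into the marked state $((\{q_0,q_1\},0,0),(\{q_1\},0,1))$ of color 2, which is where the run then stays; reading $b$ from that state clears $S_1$ again and sends the run back to the unmarked copy of $(\{q_0,q_1\},\{q_1\})$, which is exactly the pair of flag-distinguished states that the paragraph on Figure 5.3 describes.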
After having defined our determinization construction formally and given some explanatory examples, the following lemma states some important properties of the construction:

Lemma 5. Given a non-confluent Büchi automaton $A = (S, I, R, F)$ and the corresponding deterministic automaton $P = (S', s_I, \Delta, \Omega)$ as given in Definition 39. Then, for every infinite word $\alpha : \mathbb{N} \to \Sigma$, the corresponding run $\pi = s^{(0)} s^{(1)} \ldots$ of $P$ over $\alpha$ with $s^{(t)} = ((S^{(t)}_0, e^{(t)}_0, f^{(t)}_0), \ldots, (S^{(t)}_{n-1}, e^{(t)}_{n-1}, f^{(t)}_{n-1}))$ and for every $t \in \mathbb{N}$, the following holds:

1. For all $i > 0$ and $t \in \mathbb{N}$, we have $S^{(t)}_i \subseteq S^{(t)}_0$.

2. For all $i$ and $t \in \mathbb{N}$ with $S^{(t)}_i \neq \emptyset$, there exists a $q \in S^{(t)}_i$ such that $q \notin S^{(t)}_j$ for all $i < j < n$.

3. For every $t_0 \in \mathbb{N}$ and for every $0 \leq i < n$, we have:
\[ q \in S^{(t_0)}_i \Rightarrow \big( \exists \xi : \mathbb{N} \to S.\ [\xi(0) \in I] \wedge [\xi(t_0) = q] \wedge [\forall t < t_0.\ \xi(t+1) \in R(\xi(t), \alpha(t))] \big) \]

4. Let $t_0 < t_1$ be positions such that
• $S^{(t_0)}_i$ and $S^{(t_1)}_i$ are marked, i.e. $f^{(t_0)}_i = 1$ and $f^{(t_1)}_i = 1$,
• $e^{(t)}_i = 0$ for $t_0 \leq t \leq t_1$,
• $f^{(t)}_j = 0$ for $j < i$ and $t_0 \leq t \leq t_1$.
Then, each finite run $\xi$ of $A$ with $\xi(t_0) \in S^{(t_0)}_i$ and $\xi(t_1) \in S^{(t_1)}_i$ must have visited $F$ at least once between $t_0$ and $t_1$.

5. For all $t \in \mathbb{N}$ and $0 \leq j < n$ we have: If $q \in S^{(t)}_j \cap F$, then either $q \in S^{(t)}_{n-1}$ or there exists some $0 \leq i < n$ such that $f^{(t)}_i = 1$ and $q \in S^{(t)}_i$.
Proof. Properties 1 and 2 follow directly from the definition of the transition function of $P$. Property 3 holds trivially for $S_0$: as long as the run continues (i.e. it does not end in a dead-end state), we have $S_0 \neq \emptyset$ according to the definition of $\Delta$. Thus $S^{(t+1)}_0 = \mathrm{suc}^{R,\alpha(t)}_\exists(S^{(t)}_0)$ for every $t \in \mathbb{N}$. For $i > 0$ the result follows from Property 1.

To prove Property 4, consider a run $\xi$ of $A$ with $\xi(t_0) \in S^{(t_0)}_i$ and $\xi(t_1) \in S^{(t_1)}_i$. For every position $t$ between $t_0$ and $t_1$ we have (1) $e^{(t)}_i = 0$ and (2) $f^{(t)}_j = 0$ for every $j < i$. We thus have $S^{(t+1)}_i = \mathrm{suc}^{R,\alpha(t)}_\exists(S^{(t)}_i)$ for every $t \in \{t_0, \ldots, t_1 - 1\}$. In this case, we have $\xi(t) \in S^{(t)}_i$ for every $t \in \{t_0, \ldots, t_1\}$. Since $f^{(t_0)}_i = 1$, we have $\xi(t_0) \notin S^{(t_0)}_j$ for every $j > i$ according to the definition of $f_i$. Let $t' > t_0$ be the first position after $t_0$ where $\xi(t'+1) \in \bigcup_{j=i+1}^{n-1} S^{(t'+1)}_j$. Such a position $t'$ must exist in the run of $P$, since $S_i$ is marked at position $t_1$. There must either exist an index $j > i$ such that $\xi(t'+1) \in R(S^{(t')}_j, \alpha(t'))$, or $\xi(t'+1) \in F \cap \mathrm{suc}^{R,\alpha(t')}_\exists(S^{(t')}_0)$. We will now show that the first case is impossible, leading to our desired result that $\xi$ visits $F$ at least once between $t_0$ and $t_1$. Assume by contradiction that $\xi(t'+1) \in \mathrm{suc}^{R,\alpha(t')}_\exists(S^{(t')}_j)$. Then there must exist a state $q \in S^{(t')}_j$ such that $\xi(t'+1) \in R(q, \alpha(t'))$. Thus, according to Property 3 there does exist a run $\xi'$ that leads to $q$, i.e. $\xi'(t') = q$. However, continuing this run with $R(q, \alpha(t'))$ leads to $\xi'(t'+1)$. Either $\xi'$ and $\xi$ coincide, which leads to a contradiction to $t'+1$ being the first position where $\xi(t'+1)$ is introduced in some $S_j$, $j > i$, or they do not coincide, which is a contradiction to $A$ being non-confluent.

To prove Property 5, we distinguish two cases. The first case is that $e^{(t)}_{n-1} = 1$. Now, according to Property 1 we have $S^{(t)}_j \subseteq S^{(t)}_0$ and moreover, we have $S^{(t)}_0 = \mathrm{suc}^{R,\sigma}_\exists(S^{(t-1)}_0)$ for every $t > 0$. Thus, we have $S^{(t)}_{n-1} = \mathrm{suc}^{R,\sigma}_\exists(S^{(t-1)}_0) \cap F$, which gives us $q \in S^{(t)}_{n-1}$. For the other case, notice that $e^{(t)}_{n-1} = 0$ implies that $e^{(t)}_i = 0$ for every $0 \leq i < n$. This means that $S^{(t)}_i \neq \emptyset$ for every $0 \leq i < n$. According to Property 2 every subset must contain one unique state. This implies that either $S^{(t)}_i = \{q\}$, in which case we have $f^{(t)}_i = 1$. Otherwise we have $\big| \bigcup_{i=1}^{n-1} S^{(t)}_i \big| \geq n-1$ and $q$ is the unique state of $S^{(t)}_0$. But then any state except $q$ is contained in some set $S^{(t)}_i$, which means that $f^{(t)}_0 = 1$.

With the help of this lemma, we are prepared to show the correctness of our determinization procedure:
Theorem 16. The deterministic parity automaton $P$ constructed for an arbitrary non-confluent Büchi automaton $A$ as described in Definition 39 is equivalent to $A$.

Proof.

$\mathrm{Lang}(P) \subseteq \mathrm{Lang}(A)$: Let $\alpha \in \mathrm{Lang}(P)$ and $\pi = s^{(0)} s^{(1)} \ldots$ be the corresponding run of $P$ over $\alpha$ with $s^{(t)} = ((S^{(t)}_0, e^{(t)}_0, f^{(t)}_0), \ldots, (S^{(t)}_{n-1}, e^{(t)}_{n-1}, f^{(t)}_{n-1}))$ for every $t \in \mathbb{N}$. Since $\alpha$ is accepted, there does exist $t_0$ and a minimal color $2i$ such that $\Omega(s^{(t)}) = 2i$ for infinitely many $t$ and $\Omega(s^{(t)}) \geq 2i$ for every $t > t_0$. Thus, we have that $S^{(t)}_j \neq \emptyset$ and $e^{(t)}_j = 0$ for every $j < i$ and every $t > t_0$, and moreover, we have that $f^{(t)}_i = 1$ for infinitely many $t$. Let $t_1 < t_2 < \cdots$ be the infinitely many $i$-breakpoints, i.e. positions where $f^{(t)}_i$ is marked. Define $Q^{(0)} = I = S^{(0)}_0$ and for each $j \geq 1$ define $Q^{(j)} = S^{(t_j)}_i$. For each initial state, we construct a tree as follows: the vertices are taken from the set $\{ (q, t) \mid q \in Q^{(t)} \}$. As the parent of $(q, t+1)$ (with $q \in Q^{(t+1)}$) we pick one of the pairs $(p, t)$ such that $p \in Q^{(t)}$ holds and that there is a run $\xi$ of $A$ on $\alpha[t, t+1]$ between $p$ and $q$ according to Property 3 of Lemma 5. Clearly, these trees are finitely branching, since each $S_i$ is finite. Moreover, for at least one initial state $q_0$ the corresponding tree must have an infinite number of vertices, because we have an infinite sequence of breakpoints and $S^{(t)}_j \neq \emptyset$ for every $j \leq i$. Therefore, we conclude by König's lemma that there is an initial state such that there is an infinite path $(q_0, 0), (q_1, 1), \cdots$ through the tree we have constructed for $q_0$. This infinite path corresponds to an infinite run of $A$ on $\alpha$. Recall now that according to the construction of the tree, the finite pieces of the run that connect $q_i$ to $q_{i+1}$ while consuming the word $\alpha(t_i) \cdots \alpha(t_{i+1} - 1)$ visit, at least once, the set of accepting states between $t_i$ and $t_{i+1}$ due to Property 4. Since we have an infinite number of breakpoints, we have constructed an accepting run of $A$.

$\mathrm{Lang}(A) \subseteq \mathrm{Lang}(P)$: Given a word $\alpha \in \mathrm{Lang}(A)$ with an accepting run $\xi$. Since $\xi$ is an accepting run of $\alpha$, we have $S^{(t)}_0 \neq \emptyset$ for every $t$. If $S_0$ is marked infinitely often, we are done. Otherwise, let $t_0$ be the first visit of $\xi$ to an accepting state after the last time where $S_0$ is marked. According to Property 5 of Lemma 5 there must exist some $i > 0$ such that $\xi(t_0) \in S^{(t_0)}_i$. Let $j$ be the minimal index such that $\xi(t_0) \in S^{(t_0)}_j$. According to the definition of the subset construction, since $\xi$ is an infinite run, either $S_j$ contains the run $\xi$ from $t_0$ on, i.e. $\xi(t) \in S^{(t)}_j$ for every $t \geq t_0$, or there must exist some index $0 < i < j$ and a position $t'_0$ such that $e^{(t'_0)}_i = 1$ or $f^{(t'_0)}_i = 1$. We can not have $f^{(t'_0)}_i = 1$, since in that case there must have been two different runs that lead to $\xi(t'_0)$, namely the run followed by $S_j$ and the run followed by $S_i$, a contradiction to the non-confluence property or to the minimality of $j$. Thus the only chance that $\xi(t) \notin S^{(t)}_j$ for some $t > t_0$ is that the run $\xi$ has moved to the left neighbor $S^{(t)}_{j-1}$. However, this move to the left can happen at most $j - 1$ times, since $S^{(t)}_0 \neq \emptyset$. Thus, we see that there must exist a minimal index $i_0 > 0$ such that $\xi(t) \in S^{(t)}_{i_0}$ for every $t > t_0$, and for every $0 < i < i_0$ we must have $e^{(t)}_i = 0$ for every $t > t_0$. We again distinguish two cases: either $f^{(t)}_{i_0} = 1$ infinitely often, in which case $P$ accepts, or there must exist a position $t_1 > t_0$ such that $f^{(t_1)}_{i_0} = 0$ but $\xi(t_1) \in F$. Again, $\xi(t_1)$ must be introduced in some $S^{(t_1)}_{j_1}$ for some $j_1 > i_0$ according to Property 5 of Lemma 5, and we are in a completely analogous situation as before. Repeating this argumentation $n = |S|$ times means that all $S_i$, $i \in \{0, \ldots, n-1\}$, follow run $\xi$ and never get empty according to our assumption. According to Lemma 5 every state set contains at least one unique state. Thus either some $f^{(t)}_i = 1$ at some position $t$ for some $i < n-1$, a contradiction to our assumption, or $S^{(t)}_{n-1}$ can not contain more than one state in every position $t > t_n$. But then $S^{(t)}_{n-1}$ is marked in those positions where this uniquely defined state $q \in S^{(t)}_{n-1}$ is a marked state of the nondeterministic automaton, so that we see that the automaton accepts in that case as well.
Concerning the complexity, we have the following result:

Theorem 17. Given a non-confluent Büchi automaton with $n$ states, the construction given in Definition 39 yields a deterministic parity automaton with at most $n \cdot 2^{(n + n^2)}$ states and $2n + 1$ colors.

Proof. There are $2^n$ possibilities for the marking variables $f_i$. Moreover, in every state the $e_i$ are uniquely determined by the minimal index $j$ such that $e_j = 1$. So the empty flags give a factor of $n$. Finally, the membership of a state $q$ in one of the $n$ state sets can be represented with $n$ boolean variables, which requires $n^2$ variables for the $n$ states. All in all, this yields the upper bound $n \cdot 2^{(n + n^2)}$ for the possible states of $P$.
5.3 Symbolic Implementation

For the symbolic implementation, we introduce for every state $\vartheta_k \in S$ exactly $n$ state variables $q^k_i$ that represent that $\vartheta_k \in S_i$. Additionally we need the corresponding next state variables ${q^k_i}'$. We moreover introduce state variables $e_i$ and $f_i$ for $0 \leq i < n$ that represent the flags. Assume we have calculated formulas for the subset construction according to Chapter 4, i.e. for every state $\vartheta_k \in S$ we have calculated a formula $\varphi^k_0$ such that the transition function $\delta$ of the subset construction is given by a function of the input and state variables of the first set by
\[ \delta \equiv \bigwedge_{\vartheta_k \in S} \big( {q^k_0}' \leftrightarrow \varphi^k_0 \big). \]
For every set $i$, let $\varphi^k_i$ be the corresponding formula for set $i$, i.e. the successor formula for $\vartheta_k$ over the state variables of set $i$. The state variables of our determinization construction can then be determined by the following equations. The first set is determined by:
\[ e_0' \leftrightarrow \bigwedge_{\vartheta_k \in S} \neg\varphi^k_0 \]
\[ f_0' \leftrightarrow \neg e_0' \wedge \bigwedge_{\vartheta_k \in S \setminus F} \Big( \varphi^k_0 \rightarrow \bigvee_{j=1}^{n-1} \varphi^k_j \Big) \]
\[ {q^k_0}' \leftrightarrow \varphi^k_0 \]
For every $0 < i < n$, the flag variables are determined by:
\[ e_i' \leftrightarrow e_{i-1}' \vee \bigwedge_{\vartheta_k \in S} \neg\varphi^k_i \]
\[ f_i' \leftrightarrow \neg e_i' \wedge \bigwedge_{\vartheta_k \in S \setminus F} \Big( \varphi^k_i \rightarrow \bigvee_{j=i+1}^{n-1} \varphi^k_j \Big) \]
For every $0 < i < n-1$, the state variables are determined by:
\[ {q^k_i}' \leftrightarrow \big( \neg e_i' \wedge \varphi^k_i \vee e_i' \wedge \varphi^k_{(i+1) \bmod n} \big) \wedge \bigwedge_{j < i} \neg(f_j' \wedge \varphi^k_j) \]
For the last state variables, we obtain for the marked states $\vartheta_k \in F$:
\[ {q^k_{n-1}}' \leftrightarrow \big( \neg e_{n-1}' \wedge \varphi^k_{n-1} \vee e_{n-1}' \wedge \varphi^k_0 \big) \wedge \bigwedge_{j < n-1} \neg(f_j' \wedge \varphi^k_j) \]
and for the unmarked states $\vartheta_k \in S \setminus F$:
\[ {q^k_{n-1}}' \leftrightarrow \big( \neg e_{n-1}' \wedge \varphi^k_{n-1} \big) \wedge \bigwedge_{j < n-1} \neg(f_j' \wedge \varphi^k_j) \]

Notice that since the sets $\mathrm{suc}^{R,\sigma}_\exists(S_i)$ are determined by the ordinary subset construction, the different $\varphi^k_i$ determine exactly $\mathrm{suc}^{R,\sigma}_\exists(S_i)$; thus the conjunction of the equations given above is equivalent to the definition of the deterministic parity automaton in Definition 39. Finally, the coloring function $\Omega$ can be represented using $2n + 1$ boolean formulas over the flag variables by setting $\Phi_0 = \neg e_0 \wedge f_0$, $\Phi_1 = e_0 \vee e_1$, $\Phi_2 = \neg e_0 \wedge \neg e_1 \wedge f_1$, and
\[ \Phi_{2i} = \bigwedge_{j=0}^{i-1} (\neg e_j \wedge \neg f_j) \wedge \neg e_i \wedge f_i, \qquad \Phi_{2i-1} = \bigwedge_{j=0}^{i-1} (\neg e_j \wedge \neg f_j) \wedge e_i \]
for $2 \leq i < n$.
[Figure 5.4: Another Example for the Determinization of Non-Confluent Automata. (a) A non-confluent automaton over the states $q_0, q_1, q_2$ with transition labels $b, c$; $b, c$; $c$; $a$; $a$; $a$; $b$. (b) Intermediate steps of the determinization construction, with the state labels $(\{q_0, q_1\}, \emptyset, \emptyset)$, $(\{q_0, q_1\}, \emptyset, \{q_1\})$, $(\{q_0, q_1, q_2\}, \emptyset, \{q_1, q_2\})$, $(\{q_0, q_1, q_2\}, \{q_2\}, \emptyset)$, $(\{q_0, q_1, q_2\}, \{q_2\}, \{q_1\})$, $(\{q_0, q_1, q_2\}, \emptyset, \{q_1, q_2, q_3\})$ and $(\{q_0, q_1, q_2\}, \emptyset, \emptyset)$, and the transition labels $b, c, b, a, c, b, a$. The drawing itself is not reproduced in the text.]

[Figure 5.5: Deterministic Automaton for the Automaton of Figure 5.4, with the state labels $(\{q_0, q_1\}, \emptyset, \emptyset)$, $(\{q_0, q_1, q_2\}, \emptyset, \{q_1, q_2\})$, $(\{q_0, q_1\}, \emptyset, \{q_1\})$, $(\{q_0, q_1, q_2\}, \emptyset, \emptyset)$ and two copies of $(\{q_0, q_1, q_2\}, \{q_2\}, \{q_1\})$ distinguished by the flags; the transitions are labeled with $a$, $b$ and $c$. The drawing itself is not reproduced in the text.]
6 Symbolic Controller Synthesis

This chapter is intended to summarize the presented approaches in one single algorithm. First, we briefly sketch how the developed tool is embedded in the Averest framework developed by the Embedded Systems group of the University of Kaiserslautern. Then, it is shown why it is infeasible to generate deterministic automata from one monolithic automaton. Thus, we focus on a modular approach to the determinization problem, so that we obtain a deterministic automaton that is composed of many small deterministic automata. The last two paragraphs are devoted to the solution of the obtained games. To this end, it is first shortly sketched how the solution of subgames that are obtained from subformulas of the overall specification can be used to restrict the game graph. The obtained strategy is nondeterministic in the sense that multiple (equally good) controllable events may be enabled in the same state. We shortly sketch how to obtain a deterministic strategy using an approach presented in [12] that can then be used to obtain a description in e.g. Verilog or VHDL.
6.1 The Averest Framework

Averest [36] is a set of tools for the specification, verification, and implementation of reactive systems. It includes a compiler and a simulator for synchronous programs, a symbolic model checker and a tool for hardware-software synthesis. Averest can be used for modeling and verifying finite as well as infinite state systems at various levels of abstraction. In particular, Averest is not only well-suited for hardware design, but also for modeling communication protocols, concurrent programs, software in embedded systems, etc. The design flow using Averest consists of the following steps: First, the system is described as a program in our synchronous language Quartz, a descendant of Esterel [92]. Then, the program is translated to a transition system in the Averest Interchange Format (AIF) using the Quartz compiler Ruby. This intermediate description can be directly used for verification with the symbolic model checker Beryl to check whether the system satisfies its specifications. Afterwards, the tool Topaz can be used to generate an implementation in hardware or software with output formats VHDL, Verilog or ISO-C. The compiler Ruby does not only compile a Quartz program to a transition system, but also provides procedures to translate LTL specifications to symbolically represented ω-automata as described in Sections 2.3.1 and 2.4. The tool developed during this thesis is called Opal and is an extension of Ruby that uses the basic functionality of Ruby to generate nondeterministic automata. In the following, the different steps of Opal are described in more detail. The implementation and experiments reported in this thesis have been made on top of version 1.9 of Averest.
6.2 Why monolithic approaches fail

Typically, the input for a controller synthesis problem consists of assumptions $\Phi_e$ the environment is supposed to fulfill and guarantees $\Phi_c$ that the controller must enforce provided the assumptions hold. While in theory one could join all specifications and then determinize them, the high complexity of determinization makes this approach infeasible. For example, consider the following conjunction of LTL properties that belong to the guarantees of the controller:
\[ \mathsf{G}\,(s_1 \rightarrow (\mathsf{X} r_1 \vee \mathsf{X}\mathsf{X} r_1 \vee \mathsf{X}\mathsf{X}\mathsf{X} r_1)) \wedge \mathsf{G}\,(s_2 \rightarrow (\mathsf{X} r_2 \vee \mathsf{X}\mathsf{X} r_2 \vee \mathsf{X}\mathsf{X}\mathsf{X} r_2)) \wedge \mathsf{G}\,(s_3 \rightarrow (\mathsf{X} r_3 \vee \mathsf{X}\mathsf{X} r_3 \vee \mathsf{X}\mathsf{X}\mathsf{X} r_3)) \]
Each conjunct leads to an automaton with four states; however, the conjunction of the three formulas leads to an automaton with 64 states, and none of the states simulates another one (intuitively speaking, each state waits for exactly one combination of the variables $s_i, r_i$), so that we really obtain 64 states and thus at least 64 state variables for the deterministic automaton. Thus, determinizing the whole automaton is in general infeasible. Hence, we generate the deterministic automaton for each part separately, which results in 12 state variables which are easily manageable using modern BDD packages.
6.3 A Modular Approach to Determinization

Specifications are often made up of several relatively simple components, for instance a collection of LTL properties whose conjunction should be satisfied. Thus, given a Moore game $G = (V_c, V_u, S, s_I, \delta, \Phi)$ over a set of state variables $Q$, we consider specifications
\[ \Phi = \bigwedge_{j=0}^{N} \Phi_j \]
Instead of translating the whole specification at once, we generate separate deterministic automata for every part. Clearly, since we allow any LTL property, we may have to perform the determinization procedure outlined in Chapter 5 to translate $\Phi_j$. This is the case if $\Phi_j$ is a single formula $\varphi$ where the top-level operator is a temporal operator and $\varphi$ does not belong to one of the lower Borel classes $\mathrm{TL}_{\mathrm{GF}}$ or $\mathrm{TL}_{\mathrm{FG}}$. In practice, this is nearly never the case. Instead, usually the subformulas are themselves boolean combinations of smaller formulas. Instead of handling them all at once, we break them into smaller parts as well, so that we obtain for every $\Phi_j$ a collection $\varphi_1 \ldots \varphi_k$ of LTL properties that all start with a temporal operator, and that either belong to one of the classes $\mathrm{TL}_{\mathrm{G}}$, $\mathrm{TL}_{\mathrm{F}}$, $\mathrm{TL}_{\mathrm{GF}}$, $\mathrm{TL}_{\mathrm{FG}}$ or to none of these classes.
6.3.1 Handling Safety and Liveness formulas

In the general case, we can translate safety formulas using the approach described in Chapter 4. Thus, we first translate $\varphi_i$ to a nondeterministic safety automaton. Although safety automata can not be transformed to a parity automaton, it is possible to minimize them using direct simulation^1. After minimization, we perform the ordinary subset construction and afterwards minimize the automaton again using the direct simulation relation. However, one important subclass of properties does not scale well using this approach. Since many specifications are of the form "if something happens now, in the next step something else happens", we treat this subclass separately. This subclass can be formally described by boolean combinations of formulas of the form $\psi$, $\mathsf{X}\xi$ where both $\psi$ and $\xi$ are boolean formulas over the input variables. In that case, every $\mathsf{X}$ operator doubles the state space of the nondeterministic automaton and thus leads to a blow-up in the number of BDD variables of the deterministic automaton. Even worse, the simulation relations can neither minimize the nondeterministic nor the deterministic automaton, since the two states that occur because of a $\mathsf{X} a$ can not be equivalent, since one of the two will lead to a non-satisfying loop. Thus, the basic translation procedure really suffers from a double-exponential blow-up. Instead, we translate those formulas by abbreviating each variable $a$ that is not under the scope of a $\mathsf{X}$ operator by a previous variable $a_p$ such that the following holds:
\[ a_p' \leftrightarrow a \]
and replace any subformula $\mathsf{X} a$ with $a$. We moreover introduce a new fresh variable $p$ that is true as long as $\varphi$ holds and, in case $\varphi$ is violated, remains false forever.

Proposition 8. Given a formula $\mathsf{G}\varphi$ where $\varphi$ is a boolean combination of formulas $v \in V$ and $\mathsf{X} v$ with $v \in V$. Then $\mathsf{G}\varphi$ is initially equivalent to the symbolically represented deterministic automaton $A_\exists = (Q, I, R, \Psi)$ where $Q = \{ a_p \mid a \in V \} \cup \{ p \}$, $I = p \wedge \bigwedge_{a \in V} \neg a_p$, $\Psi = \mathsf{G}(p)$ and the transition relation is defined by
\[ R = (p' \leftrightarrow \varphi') \wedge \Big( \bigwedge_{a \in V} a_p' \leftrightarrow a \Big) \]
Here $\varphi'$ is obtained from $\varphi$ by replacing any occurrence of $a'$ with $a$ and any occurrence of a formula $a \in V$ with $a_p$.

Obviously, this leads to an automaton that has at most $|V| + 1$ state variables; thus the automaton is only exponential in the size of the specification. Nevertheless, if many subformulas $a$ exist but few subformulas $\mathsf{X} a$, the ordinary translation may give better results, so that this translation is optional in our algorithm^2.

For liveness formulas $\varphi_i$, we translate $\neg\varphi_i$ and dualize the corresponding deterministic safety automaton to obtain a deterministic liveness automaton.

^1 Indeed, the nondeterministic automata generated by the translation procedures given in [91] translate the safety fragment to an automaton with the trivial acceptance condition $\mathsf{G} 1$, so that even the ordinary simulation relation as described in [28] could be applied.
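The previous-variable encoding of Proposition 8, as an added example in Python (not code from the thesis or from Opal). It builds the automaton $A_\exists$ for $\mathsf{G}\varphi$ from a function `phi(prev, cur)` that plays the role of $\varphi'$: `prev` holds the bits $a_p$ and `cur` the current inputs that stand for $\mathsf{X} a$. It then runs the automaton over a constructed trace and compares the position where $p$ becomes false with a direct evaluation of $\varphi$ on the trace. The property $\mathsf{G}(req \rightarrow \mathsf{X}\, ack)$, the variable names and the trace are my own choices. Because $a_p$ starts at 0 as required by $I$ and lags one step behind $a$, the value of $p$ after the first letter compares the first letter against an all-false previous letter, and the value of $p$ after letter $t+1$ equals $\varphi$ evaluated at position $t$; the reference function makes that offset explicit.

```python
def make_monitor(variables, phi):
    """Build A_exists = (Q, I, R, Psi) of Proposition 8 for G phi as a pair of
    functions.  `phi(prev, cur)` plays the role of phi': a plain variable `a`
    is read from the stored bit a_p (prev) and `X a` from the current input (cur)."""

    def initial():
        # I = p AND (AND_{a in V} NOT a_p)
        return {"p": True, **{a + "_p": False for a in variables}}

    def update(state, inputs):
        prev = {a: state[a + "_p"] for a in variables}
        cur = {a: bool(inputs.get(a, False)) for a in variables}
        # R = (p' <-> phi') AND (AND_{a in V} (a_p' <-> a))
        return {"p": bool(phi(prev, cur)), **{a + "_p": cur[a] for a in variables}}

    return initial, update


def run_monitor(variables, phi, trace):
    """Run the automaton over a finite prefix; p_values[k] is the value of p
    after reading trace[0..k-1] (p_values[0] = 1 by I).  Psi = G p holds on the
    prefix iff no entry is False."""
    initial, update = make_monitor(variables, phi)
    state = initial()
    p_values = [state["p"]]
    for inputs in trace:
        state = update(state, inputs)
        p_values.append(state["p"])
    return p_values


def first_false(p_values):
    """Index of the first violation of G p, or None."""
    return next((k for k, p in enumerate(p_values) if not p), None)


def first_violation_direct(variables, phi, trace):
    """Reference evaluation without the encoding: phi at position t reads `a`
    from trace[t] and `X a` from trace[t+1].  Since a_p lags one step, the
    monitor's p at index t + 2 equals phi at position t."""
    for t in range(len(trace) - 1):
        prev = {a: bool(trace[t].get(a, False)) for a in variables}
        cur = {a: bool(trace[t + 1].get(a, False)) for a in variables}
        if not phi(prev, cur):
            return t
    return None


# Constructed property G (req -> X ack) over V = {req, ack} (my example).  The
# naive translation splits states for the X; here the state is {p, req_p, ack_p}.
VARS = ("req", "ack")


def req_then_ack(prev, cur):
    # phi' = req_p -> ack   (the X ack became the plain input ack)
    return (not prev["req"]) or cur["ack"]


# Constructed trace (absent variables are 0): the request at position 3 is not
# acknowledged at position 4, so phi fails at t = 3 and p drops at index 5.
TRACE = [{"req": 1}, {"ack": 1}, {}, {"req": 1}, {}, {"ack": 1}]
```

The state of the monitor is the dictionary `{p, req_p, ack_p}` whatever the nesting depth of $\mathsf{X}$ in the property, which is the point of the proposition: the number of state bits is $|V| + 1$ rather than one automaton state per $\mathsf{X}$ occurrence.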
6.3.2 Handling Co-Büchi and Büchi specifications

For co-Büchi specifications, we use the translation from $\mathrm{TL}_{\mathrm{FG}}$ to nondeterministic co-Büchi automata and minimize this automaton using the minimization techniques of Chapter 3. The minimized automaton is then determinized using the breakpoint construction and again minimized. Büchi specifications are translated using the dual deterministic automaton of the formula obtained from negating the formula.

6.3.3 Handling LTL Formulas that do not belong to a lower Borel Class

If a subformula $\Phi_i$ does not belong to one of the lower Borel classes, we have to resort to the determinization procedure from Chapter 5. Thus, we first translate $\Phi_i$ to a non-confluent Büchi automaton and minimize it. This nondeterministic automaton is determinized using the procedure described in Chapter 5. However, we do not need to construct the whole automaton at once. Instead, we construct the automaton for a fixed bound $k$ and check whether every marking of a state has been noticed by a state set. If so, we return this automaton; otherwise we do the same with an increased bound. Afterwards, we use the minimization techniques of Chapter 3 to minimize the obtained parity automaton.

^2 We could have also defined a similar class for liveness; however, since this type nearly never occurs in practice, we neglect this.
Although this procedure gives back a parity automaton that is, from a theoretical point of view, more efficient than a Streett automaton, the heavy complexity of determinization makes even this approach infeasible in practice. Thus, we also break up the formulas $\Phi_i$ into smaller parts until every subformula starts with a temporal operator. Those subformulas are then translated as explained before. It is well known that every parity automaton can also be interpreted as a Streett or a Rabin automaton. We thus interpret the obtained automaton as a Streett automaton and combine the deterministic Streett automata to obtain a Streett automaton for $\Phi_i$ that is afterwards translated to a generalized parity automaton.
6.4 Solving Generalized Parity Games
Instead of solving the whole generalized parity game at once using the approach
described in Section 2.5.3, we first solve the subgames that are obtained by constructing
the game for the subformulas Φj. For safety games, we know from [8] that there is a
most permissive winning strategy, i.e. one that allows every move that keeps the play
inside the winning region. Thus, after pruning the game with this safety strategy, we
know that the remaining game satisfies the safety specification while we have not lost
any possibility to realize the overall specification. This is captured in the following
proposition³:
Proposition 9. Given a Moore game G = (Vc, Vu, S, sI, δ, Φ) where Φ = Gϕ ∧ Ψ with
a propositional formula ϕ. Let G′ = (Vc, Vu, S, s′I, δ′, Ψ) be obtained by pruning the
state set according to the most permissive winning strategy of the safety game for Gϕ.
Then any winning strategy of G′ is also a winning strategy for G.
After having performed this reduction for the safety specifications, we also solve the
corresponding subgames for each separate subformula. The set of states that are
losing for the controller need not be considered in the overall game. Obviously, the
states from which the environment can force a visit to those losing states need not be
considered either, thus we also remove the attractor set of those states. However,
unlike in the safety case, the sub-specification still needs to be considered in the
overall game. Afterwards, we solve the reduced overall game using the generalized
parity game algorithm of [19] with a slight but important exception. Whenever we
have a parity condition where the lowest odd color labels no state, we can reduce the
number of colors according to the following proposition.
Proposition 10. Given a Moore game G = (Vc, Vu, S, sI, δ, Φ) where Φ = Ω0 ∧ Φ′ is a
generalized parity condition with a parity condition Ω0 such that {s ∈ S | Ω0(s) = 1} = ∅.
Then Φ is equivalent to Ω′0 ∧ Φ′ where

    Ω′0(s) = 0             if Ω0(s) = 2 or Ω0(s) = 0
    Ω′0(s) = Ω0(s) − 2     otherwise

³In [97], a similar observation is used to prune the state space. Their work was published
during the evaluation of this thesis.
In the experiments section we will see, e.g. in the AMBA example, that this
modification enables us to solve much larger examples than before.
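The two propositions above on a small explicit example. The following Python program is an added illustration and is not part of the thesis or its tool: it uses a constructed turn-based game with six states in place of the symbolic Moore game over Vc, Vu and S, assumes min-parity semantics (the controller wins a play iff the least colour seen infinitely often is even) and uses Zielonka's recursive algorithm as the reference solver instead of the generalized parity algorithm of [19]. It computes the safety-winning region and the moves the most permissive safety strategy allows (Proposition 9), solves the pruned game, checks the result against the unpruned game in which the unsafe state is turned into a losing sink, and finally compacts the colours as in Proposition 10 and verifies that the winning regions are unchanged.

```python
"""Added example: safety pruning (Proposition 9) and colour compaction
(Proposition 10) on a constructed explicit turn-based game."""

CTRL, ENV = 0, 1  # player 0 = controller, player 1 = environment

# Constructed game (not from the thesis).  OWNER says who moves in a state,
# SUCC gives the successors, COLOR the min-parity colour: the controller wins a
# play iff the least colour occurring infinitely often is even.  Colour 1 is
# deliberately unused so that Proposition 10 applies.
OWNER = {"s0": CTRL, "s1": ENV, "s2": CTRL, "s3": ENV, "s4": CTRL, "s5": ENV}
SUCC = {"s0": {"s1", "s5"}, "s1": {"s2", "s3"}, "s2": {"s0", "s4"},
        "s3": {"s0"}, "s4": {"s2", "s5"}, "s5": {"s5"}}
COLOR = {"s0": 3, "s1": 3, "s2": 0, "s3": 3, "s4": 2, "s5": 2}
# G phi: the propositional invariant phi is violated exactly in s5.
SAFE = {"s0", "s1", "s2", "s3", "s4"}


def attractor(target, player, nodes, succ):
    """States of the subgame `nodes` from which `player` can force a visit to `target`."""
    attr = set(target) & nodes
    changed = True
    while changed:
        changed = False
        for v in nodes - attr:
            outs = succ[v] & nodes
            if not outs:
                continue
            forced = (any(w in attr for w in outs) if OWNER[v] == player
                      else all(w in attr for w in outs))
            if forced:
                attr.add(v)
                changed = True
    return attr


def safety_region(nodes, succ, safe):
    """Greatest fixpoint of the safety game for G phi: the states from which the
    controller can keep the play inside `safe` forever."""
    win = set(nodes) & safe
    while True:
        keep = {v for v in win
                if (any(w in win for w in succ[v]) if OWNER[v] == CTRL
                    else all(w in win for w in succ[v]))}
        if keep == win:
            return win
        win = keep


def prune(succ, region):
    """Proposition 9: restrict the game to the safety-winning region.  The controller
    moves that remain are exactly those the most permissive safety strategy allows."""
    return region, {v: succ[v] & region for v in region}


def zielonka(nodes, succ, color):
    """Zielonka's recursive algorithm for a total min-parity game.
    Returns (W_ctrl, W_env) restricted to `nodes`."""
    if not nodes:
        return set(), set()
    d = min(color[v] for v in nodes)
    p = d % 2
    attr = attractor({v for v in nodes if color[v] == d}, p, nodes, succ)
    sub = zielonka(nodes - attr, succ, color)
    if not sub[1 - p]:
        return (set(nodes), set()) if p == CTRL else (set(), set(nodes))
    opp = attractor(sub[1 - p], 1 - p, nodes, succ)
    rest = zielonka(nodes - opp, succ, color)
    win = [set(), set()]
    win[p] = rest[p]
    win[1 - p] = rest[1 - p] | opp
    return win[0], win[1]


def compact_colors(nodes, color):
    """Proposition 10: when no state carries colour 1, colours 0 and 2 collapse
    to 0 and every colour above 2 drops by two; the winners are unchanged."""
    if any(color[v] == 1 for v in nodes):
        raise ValueError("colour 1 is used; Proposition 10 does not apply")
    return {v: (0 if color[v] in (0, 2) else color[v] - 2) for v in nodes}


def demo_pruning():
    """Run both reductions on the constructed game and return all intermediate results."""
    nodes = set(OWNER)
    region = safety_region(nodes, SUCC, SAFE)
    pruned_nodes, pruned_succ = prune(SUCC, region)
    permissive = {v: pruned_succ[v] for v in pruned_nodes if OWNER[v] == CTRL}
    w_pruned = zielonka(pruned_nodes, pruned_succ, COLOR)
    # Reference solution of G phi /\ Psi on the unpruned game: unsafe states
    # become absorbing sinks with an odd colour, so entering one loses.
    sink_succ = {v: (SUCC[v] if v in SAFE else {v}) for v in nodes}
    sink_color = {v: (COLOR[v] if v in SAFE else 3) for v in nodes}
    w_full = zielonka(nodes, sink_succ, sink_color)
    compact = compact_colors(pruned_nodes, COLOR)
    w_compact = zielonka(pruned_nodes, pruned_succ, compact)
    return {"region": region, "permissive": permissive, "pruned": w_pruned,
            "full": w_full, "compact_colors": compact, "compact": w_compact}


if __name__ == "__main__":
    for key, value in demo_pruning().items():
        print(key, value)
```

In this game the controller wins exactly from s2 and s4 (it can cycle s2 → s4 → s2, visiting colour 0), while from s0, s1 and s3 the environment keeps the play on the colour-3 cycle s0 → s1 → s3 → s0. The pruned game yields the same winning regions as the unpruned game with the unsafe sink, which is the content of Proposition 9 here; after compaction the pruned game uses only colours 0 and 1 and still yields the same regions, which is Proposition 10.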
6.5 Generating Circuits from BDDs
The output of the generalized parity algorithm is a BDD over the (current state)
variables Vu, Vc, S and over newly introduced state variables VM that encode the counter
variables used to switch between the sub-strategies calculated by the generalized
parity algorithm. A slight modification of the algorithm given in Figures 2 and
3 of [12] allows us to generate, for every controllable variable c, a BDD ϕc with
the meaning that c should hold whenever ϕc holds. We then write those BDDs to a
file in our Averest interchange format [36]. The tool Topaz of the Averest tool set can
then be used to obtain Verilog, VHDL or C code from the generated file.
7 Experimental Results
This chapter describes the experiments performed using the controller synthesis
algorithm that was developed during this thesis. All experiments have been performed
on a 3.0 GHz Quad Core Pentium Duo with 16 GB of RAM.
The first part investigates the effect of using the different determinization
constructions presented in this thesis. To this end, the 23 specifications that come with the
Lily tool [49] are used as a benchmark set. Those specifications are used for pure LTL
synthesis, i.e. there is no system interacting with the environment, only the controller
and the environment. In this section, we also give a comparison to the tool Lily.
In a similar manner, we compare the minimization techniques in Section 7.2 on
this benchmark set and additionally use some of the case studies developed later to
evaluate the minimization power.
The rest of this chapter consists of five case studies. The task of the first case study is
to synthesize a controller for the AMBA AHB case study from [12], which is also an
example of pure synthesis. Then we present four examples of controller synthesis
that come from different application domains. The first controller synthesis problem
is the well-known dining philosophers problem. The second problem we consider is
constructing a winning strategy for the NIM game. From a practical point of view, the
most interesting problem is the Island Traffic Control problem. Finally, we consider
the synthesis of a sorting network using controller synthesis.
7.1 The Effect of Different Determinization Constructions
As a first benchmark set, the 23 examples included with the LTL synthesis tool Lily
[49] have been used to evaluate the performance of the determinization procedures
presented in this thesis. All Lily examples are contained in the temporal logic
hierarchy, i.e. they are Boolean combinations of co-Büchi specifications. Those 23 handwritten
formulas are mostly traffic light examples or arbiters.
Example 2. Formula 10 of the Lily benchmark set is the following LTL specification:
(GFreq ∨ Fcancel)→ (GFgrant ∨ Gack)
Example 3. Formula 23 of the Lily benchmark set is the following LTL specification:

  ( G(¬r1 ∨ ¬r2) ∧ G(¬r1 ∨ ¬r3) ∧ G(¬r1 ∨ ¬r4) ∧
    G(¬r2 ∨ ¬r3) ∧ G(¬r2 ∨ ¬r4) ∧ G(¬r3 ∨ ¬r4) )
  →
  ( G(r1 → (X(g1) ∨ X(X(g1)) ∨ X(X(X(g1))))) ∧
    G(r2 → (X(g2) ∨ X(X(g2)) ∨ X(X(X(g2))))) ∧
    G(r3 → (X(g3) ∨ X(X(g3)) ∨ X(X(X(g3))))) ∧
    G(r4 → (X(g4) ∨ X(X(g4)) ∨ X(X(X(g4))))) ∧
    G(¬g1 ∨ ¬g2) ∧ G(¬g1 ∨ ¬g3) ∧ G(¬g1 ∨ ¬g4) ∧
    G(¬g2 ∨ ¬g3) ∧ G(¬g2 ∨ ¬g4) ∧ G(¬g3 ∨ ¬g4) )
To analyze the effect of using the nonconfluent determinization instead of the much
simpler breakpoint or subset construction, we performed three different experiments
on each of the formulas; the runtimes are summarized in Figure 7.1. The first
column gives the number of the example. The second column (T,B,AP) gives the number
of temporal operators, the number of Boolean operators and the number of input
variables of the formula. The third column (X) gives the number of X operators inside
the formula. The fourth column (subf) gives the number of subformulas whose conjunction
forms the overall specification. Notice that the number of temporal operators includes
the number of X operators, while the number of Boolean operators does not include the
top-level conjunctions. The next column (NoS) indicates how many subformulas are not
safety formulas, followed by a column (p) indicating whether the example consists solely
of prefix formulas¹. The next three columns give the time for determinization and the
following three columns the overall time needed to perform the task, one column for each
of the three configurations described below; the last column gives the runtime of Lily.
An empty entry (shown as "-") means that the run took more than one hour.
We ran our algorithm with different determinization constructions. Algorithm Nonc
uses the determinization construction given in Chapter 5. Algorithm Nonc2 additionally
turns on the splitting of Boolean combinations of subformulas. Finally, algorithm Opal
uses the simplest possible determinization construction for every subformula. For all
experiments the special treatment of safety formulas is turned off and we used fair
simulation minimization.
In all experiments we performed, using the lowest possible determinization
construction is beneficial and significantly outperforms the approaches that use the
nonconfluent determinization construction. The effect grows significantly with the size of
¹Recall that for prefix formulas, only the ordinary subset construction is used.
No. | T,B,AP  | X  | subf | NoS | p | NoncDetT | Nonc2DetT | OpalDetT | NoncT  | Nonc2T | OpalT | LilyT
L1  | 12,5,4  | 8  | 3    | 3   | √ | 0.48     | 0.46      | 0.1      | 0.5    | 0.49   | 0.12  | 0.13
L2  | 12,5,4  | 8  | 3    | 3   | √ | 0.5      | 0.5       | 0.09     | 0.53   | 0.52   | 0.11  | 0.12
L3  | 12,5,4  | 9  | 1    | 1   |   | -        | 0.52      | 0.09     | -      | 0.57   | 0.13  | 0.65
L4  | 16,10,4 | 12 | 1    | 1   |   | -        | 0.47      | 0.1      | -      | 0.52   | 0.13  | 1.31
L5  | 20,11,4 | 11 | 1    | 1   | √ | -        | 0.59      | 0.09     | -      | 0.67   | 0.16  | 0.98
L6  | 18,14,4 | 14 | 1    | 1   |   | -        | 0.58      | 0.11     | -      | 0.72   | 0.19  | 1.98
L7  | 16,15,4 | 11 | 1    | 1   |   | -        | 0.52      | 0.09     | -      | 0.6    | 0.14  | 0.87
L8  | 4,1,2   | 0  | 1    | 1   |   | 0.32     | 0.01      | 0.01     | 0.33   | 0.02   | 0.02  | 0.07
L9  | 8,6,2   | 0  | 1    | 1   |   | 11.98    | 0.12      | 0.02     | 12.02  | 0.15   | 0.06  | 0.22
L10 | 6,3,2   | 0  | 1    | 1   |   | 50.33    | 0         | 0        | 50.38  | 0.01   | 0.02  | 0.39
L11 | 4,3,2   | 0  | 1    | 1   |   | 4.91     | 0.14      | 0.02     | 4.94   | 0.15   | 0.03  | 0.66
L12 | 5,4,2   | 0  | 1    | 1   |   | 186.87   | 0.15      | 0.03     | 186.9  | 0.16   | 0.03  | 0.19
L13 | 4,3,2   | 0  | 1    | 2   |   | 10.72    | 0.02      | 0.01     | 10.73  | 0.03   | 0.03  | 0.03
L14 | 9,3,4   | 0  | 3    | 3   |   | 0.57     | 0.01      | 0        | 0.59   | 0.03   | 0.03  | 0.26
L15 | 9,5,4   | 0  | 5    | 5   |   | 0.27     | 0.16      | 0.03     | 0.29   | 0.19   | 0.08  | 0.18
L16 | 15,9,6  | 0  | 9    | 7   |   | 0.37     | 0.22      | 0.02     | 0.43   | 0.29   | 0.1   | 1
L17 | 13,5,5  | 0  | 6    | 3   |   | 0.62     | 0         | 0.01     | 0.65   | 0.03   | 0.05  | 0.37
L18 | 21,10,7 | 0  | 10   | 4   |   | 1        | 0         | 0        | 1.05   | 0.04   | 0.06  | 1.67
L19 | 10,7,4  | 0  | 1    | 1   |   | -        | 0.17      | 0.03     | -      | 0.26   | 0.1   | 2.46
L20 | 17,20,5 | 6  | 1    | 1   |   | -        | 0.12      | 0.03     | -      | 0.18   | 0.12  | 4.38
L21 | 40,38,8 | 24 | 1    | 1   | √ | -        | 0.2       | 0.06     | -      | 1.2    | 0.29  | 8.11
L22 | 22,18,4 | 12 | 1    | 1   |   | -        | 0.24      | 0.04     | -      | 0.37   | 0.14  | 9.98
L23 | 8,5,2   | 4  | 1    | 1   |   | 34.75    | 0.08      | 0.01     | 34.78  | 0.11   | 0.05  | 0.28
Figure 7.1: Experiments performed with different Determinization Constructions (times in seconds; "-": not finished within one hour)
the formula. When all optimizations are turned on, our tool is significantly faster than
the explicitly implemented tool Lily. The difference again grows significantly with the
size of the formula, which is best seen on the larger formulas L19-L22. When the
splitting of Boolean formulas is turned on, the nonconfluent determinization also
performs well compared to the explicit tool Lily. Only for the small examples L1 and L2
is Lily faster than our tool based on the nonconfluent determinization.
The picture changes when we turn off the Boolean splitting of formulas. In that case,
our tool was not able to solve 9 problems within one hour; in each of these cases the
construction of the deterministic automaton was not possible. Since this is a quite
surprising result, we analyze this behavior in the following. In Figure 7.2 we
give the results of the experiments we performed with nonconfluent determinization
when both the nondeterministic automata and the deterministic parity automata
are minimized using fair simulation. Here, the columns have the following meaning:
NDet, NMin, Det and DetMin give the number of states and, in parentheses, the number
of transitions of the nondeterministic, the minimized nondeterministic, the deterministic
and the minimized deterministic automaton. The remaining columns give the time spent
in minimization, the time to construct the deterministic automaton (DetT), the time
to solve the game (Solve) and the overall time.
There are nine formulas for which the determinization construction could not be
finished. Among them are the examples L20 and L21, where even the generation of the
nondeterministic automaton was not possible in a reasonable amount of time. We believe
that this inability to construct the minimized nondeterministic automaton has to do
with the state-based acceptance that we need. In our current implementation, every
acceptance condition of the generalized Büchi automaton as well as the initial
condition needs to be abbreviated using new propositional variables. Most of the failed
instances contain rather many X operators, which we believe is the main source of our
problems: in contrast to model checking, where only one state variable is introduced for
each X operator, we have to use two new state variables for each X, which seems to blow
up the BDDs.
If the sizes of the automata are rather small, we are able to generate the deterministic
automata in a reasonable amount of time. However, as the sizes of the automata
grow, the nonconfluent symbolic determinization procedure from Chapter 5 comes
to its limit², which is reached when the nondeterministic automaton has more than
approximately 15 states.
We believe that this unfavorable behavior has two reasons. The first reason is that
the state variables of the deterministic automaton are highly interconnected with each
²The numbers in column NMin of the table do not necessarily mean that an automaton of
this size is determinized, since e.g. example L1 consists of three sub-automata.
No. | T,B,AP  | X  | subf | NoS | p | NDet           | NMin         | Det           | DetMin      | MinDT | DetT   | MinDT | Solve | Overall
L1  | 12,5,4  | 8  | 3    | 3   | √ | 26.0(100.0)    | 21.0(42.0)   | 19.0(132.0)   | 13.0(84.0)  | 0.3   | 0.48   | 0.3   | 0.01  | 0.5
L2  | 12,5,4  | 8  | 3    | 3   | √ | 26.0(124.0)    | 21.0(46.0)   | 19.0(132.0)   | 13.0(84.0)  | 0.35  | 0.5    | 0.35  | 0.02  | 0.53
L3  | 12,5,4  | 9  | 1    | 1   |   | 1036.0(980.0)  | 38.0(109.0)  | Det failed
L4  | 16,10,4 | 12 | 1    | 1   |   | 120.0(1036.0)  | 47.0(105.0)  | Det failed
L5  | 20,11,4 | 11 | 1    | 1   | √ | 1048.0(2820.0) | 98.0(469.0)  | Det failed
L6  | 18,14,4 | 14 | 1    | 1   |   | 1072.0(2916.0) | 114.0(477.0) | Det failed
L7  | 16,15,4 | 11 | 1    | 1   |   | 1048.0(1492.0) | 76.0(153.0)  | Det failed
L8  | 4,1,2   | 0  | 1    | 1   |   | 9.0(9.0)       | 4.0(8.0)     | 13.0(52.0)    | 6.0(24.0)   | 0.28  | 0.32   | 0.28  | 0.01  | 0.33
L9  | 8,6,2   | 0  | 1    | 1   |   | 1049.0(44.0)   | 13.0(41.0)   | 28.0(112.0)   | 12.0(48.0)  | 9.02  | 11.98  | 9.02  | 0.04  | 12.02
L10 | 6,3,2   | 0  | 1    | 1   |   | 12.0(11.0)     | 5.0(9.0)     | 70.0(1120.0)  | 14.0(224.0) | 48.52 | 50.33  | 48.52 | 0.05  | 50.38
L11 | 4,3,2   | 0  | 1    | 1   |   | 18.0(238.0)    | 8.0(133.0)   | 32.0(512.0)   | 12.0(192.0) | 2.87  | 4.91   | 2.87  | 0.03  | 4.94
L12 | 5,4,2   | 0  | 1    | 1   |   | 11.0(41.0)     | 7.0(27.0)    | 194.0(3104.0) | 12.0(192.0) | 170   | 186.87 | 170   | 0.03  | 186.9
L13 | 4,3,2   | 0  | 1    | 2   |   | 12.0(28.0)     | 12.0(28.0)   | 156.0(624.0)  | 8.0(32.0)   | 5.2   | 10.72  | 5.2   | 0.01  | 10.73
L14 | 9,3,4   | 0  | 3    | 3   |   | 18.0(18.0)     | 8.0(16.0)    | 26.0(104.0)   | 12.0(48.0)  | 0.51  | 0.57   | 0.51  | 0.02  | 0.59
L15 | 9,5,4   | 0  | 5    | 5   |   | 18.0(68.0)     | 14.0(54.0)   | 44.0(176.0)   | 20.0(80.0)  | 0.17  | 0.27   | 0.17  | 0.02  | 0.29
L16 | 15,9,6  | 0  | 9    | 7   |   | 27.0(102.0)    | 21.0(81.0)   | 66.0(264.0)   | 30.0(120.0) | 0.22  | 0.37   | 0.22  | 0.06  | 0.43
L17 | 13,5,5  | 0  | 6    | 3   |   | 18.0(18.0)     | 8.0(16.0)    | 26.0(104.0)   | 12.0(48.0)  | 0.56  | 0.62   | 0.56  | 0.03  | 0.65
L18 | 21,10,7 | 0  | 10   | 4   |   | 27.0(27.0)     | 12.0(24.0)   | 39.0(156.0)   | 18.0(72.0)  | 0.92  | 1      | 0.92  | 0.04  | 1.05
L19 | 10,7,4  | 0  | 1    | 1   |   | 145.0(536.0)   | 18.0(155.0)  | Det failed
L20 | 17,20,5 | 6  | 1    | 1   |   | NDet failed
L21 | 40,38,8 | 24 | 1    | 1   | √ | NDet failed
L22 | 22,18,4 | 12 | 1    | 1   |   | 198.0(605.0)   | 86.0(141.0)  | Det failed
L23 | 8,5,2   | 4  | 1    | 1   |   | 69.0(205.0)    | 42.0(30.0)   | 60.0(240.0)   | 14.0(56.0)  | 30.49 | 34.75  | 30.49 | 0.03  | 34.78
Figure 7.2: Experiments performed with nonconfluent determinization where boolean splitting is turned off (states, transitions in parentheses; times in seconds)
other: first, whenever a state set on the left is marked, we have to remove the
corresponding state from a set; on the other hand, they are also coupled to the variables
of the right neighbor sets, in case a dead-end set takes over its neighbor. Another
reason for the bad behavior is that we cannot minimize the obtained automata on
the fly. Given a nondeterministic automaton with n states, we nearly never need to
construct a deterministic automaton with n subsets of states. Instead, we generate
sub-automata with k < n state sets as described in Chapter 6. However, we cannot
build up the overall automaton from minimized sub-automata, so that we first have
to construct the overall automaton, which is minimized afterwards.
Nevertheless, we believe that the nonconfluent determinization in connection with
the splitting of Boolean formulas is able to perform quite well in practice: it has
already been noticed by others [6] that the formulas commonly used in practice nearly
never contain more than 3 temporal operators and instead are composed of Boolean
combinations of smaller subformulas. Thus, by enabling the splitting of Boolean
combinations of formulas, we are able to solve most of the problems occurring in
practice, which is demonstrated by the experiments we performed on the Lily examples.
7.2 The Effect of Minimization
This section experimentally evaluates the performance of the various
minimization procedures developed in Chapter 3. First, it is investigated how these
algorithms perform on co-Büchi automata, followed by a section devoted to the
minimization of parity automata.
7.2.1 Minimizing Co-Büchi Automata
The determinization construction from Chapter 4 uses Boolean combinations of co-Büchi
automata to generate deterministic automata for formulas of the temporal
logic hierarchy. Since this determinization construction is the most important one from
a practical point of view, optimizations for this construction are essential for a good
overall performance. Accordingly, we investigate in this section the effect of the
minimization techniques of Chapter 3 on co-Büchi automata.
Comparing Forward Simulation Relations
As a first experiment to evaluate the effect of minimization, we used the different
minimization procedures on the 23 formulas that have been given before. Those
experiments are summarized in the table shown in Figure 7.3³. Moreover, we performed
several experiments on the AMBA case study and the Dining Philosophers case study
that are also given in the same table. The headings of the columns represent the
following measurements, where x stands for either direct (Di), delayed (De) or fair
(Fa) simulation.
No. - the experiment, where Lx means Lily example x, Ax the AMBA case
study with x masters and Px the Philosophers case study with x philosophers.
NDet - the total number of states and (in parentheses) transitions of the nondeterministic automaton.
xN - the number of states and transitions of the x-minimized nondeterministic automaton.
xD - the number of states and transitions of the non-minimized deterministic
automaton obtained from the x-minimized nondeterministic one.
xxD - the x-minimized deterministic automaton obtained from the x-minimized
nondeterministic one.
xNT - the time to perform nondeterministic minimization.
xDT - the time to perform deterministic minimization.
xS - the time for game solving.

No. | NDet        | DiN        | DiD        | DiDiD      | DiNT  | DeNT  | FaNT  | DiDT  | DeDT  | FaDT  | DiS    | DeS    | FaS
L1  | 28(696)     | 20(68)     | 11(68)     | 9(52)      | 0     | 0     | 0     | 0     | 0     | 0.01  | 0.02   | 0.02   | 0.02
L2  | 28(720)     | 20(92)     | 11(68)     | 9(52)      | 0     | 0.01  | 0     | 0     | 0.01  | 0.02  | 0.02   | 0.02   | 0.02
L3  | 32(732)     | 24(104)    | 14(80)     | 12(64)     | 0     | 0     | 0     | 0     | 0     | 0.01  | 0.04   | 0.04   | 0.04
L4  | 28(716)     | 20(88)     | 14(80)     | 12(64)     | 0.01  | 0.01  | 0.01  | 0.01  | 0.01  | 0.02  | 0.03   | 0.03   | 0.03
L5  | 36(808)     | 28(180)    | 15(104)    | 13(88)     | 0.01  | 0     | 0.01  | 0.01  | 0     | 0.03  | 0.07   | 0.08   | 0.07
L6  | 44(840)     | 36(212)    | 16(108)    | 14(92)     | 0     | 0     | 0     | 0     | 0.01  | 0.02  | 0.08   | 0.08   | 0.08
L7  | 36(814)     | 28(186)    | 15(104)    | 13(88)     | 0     | 0.01  | 0     | 0     | 0.01  | 0.01  | 0.05   | 0.05   | 0.05
L9  | 13(170)     | 7(26)      | 6(24)      | 5(20)      | 0     | 0     | 0     | 0     | 0     | 0.01  | 0.04   | 0.04   | 0.04
L11 | 12(166)     | 6(22)      | 4(16)      | 4(16)      | 0     | 0     | 0     | 0     | 0     | 0     | 0.01   | 0.02   | 0.02
L12 | 12(166)     | 6(22)      | 4(16)      | 4(16)      | 0     | 0     | 0     | 0     | 0.01  | 0     | 0.01   | 0.01   | 0.01
L15 | 16(182)     | 10(38)     | 10(40)     | 10(40)     | 0     | 0.01  | 0.01  | 0     | 0.02  | 0.01  | 0.04   | 0.04   | 0.04
L16 | 24(273)     | 15(57)     | 15(60)     | 15(60)     | 0.01  | 0     | 0     | 0.01  | 0.01  | 0     | 0.1    | 0.09   | 0.08
L19 | 20(257)     | 11(41)     | 10(40)     | 8(32)      | 0     | 0     | 0     | 0     | 0.01  | 0     | 0.08   | 0.07   | 0.08
L20 | 14(103)     | 11(31)     | 9(28)      | 9(28)      | 0     | 0.01  | 0.01  | 0     | 0.02  | 0.02  | 0.09   | 0.08   | 0.08
L21 | 64(240)     | 64(240)    | 20(80)     | 20(80)     | 0     | 0.02  | 0.01  | 0     | 0.02  | 0.01  | 0.21   | 0.21   | 0.21
L22 | 53(256)     | 46(112)    | 18(60)     | 18(60)     | 0     | 0     | 0.03  | 0     | 0     | 0.03  | 0.09   | 0.1    | 0.1
L23 | 32(56)      | 20(56)     | 7(28)      | 7(28)      | 0     | 0     | 0     | 0     | 0     | 0     | 0.02   | 0.02   | 0.02
A2  | 273(7099)   | 33(1260)   | 24(1036)   | 14(716)    | 0.05  | 0.04  | 0.05  | 0.05  | 0.04  | 0.05  | 0.71   | 0.69   | 0.67
A3  | 275(24110)  | 35(3271)   | 27(2584)   | 17(2264)   | 0.04  | 0.03  | 0.04  | 0.05  | 0.04  | 0.05  | 6      | 5.91   | 5.74
A4  | 277(46789)  | 37(5950)   | 30(4644)   | 20(4324)   | 0.08  | 0.06  | 0.05  | 0.09  | 0.07  | 0.06  | 10.52  | 11.03  | 10.25
A5  | 279(182828) | 39(21989)  | 33(16944)  | 23(16624)  | 0.28  | 0.29  | 0.27  | 0.33  | 0.35  | 0.33  | 41.79  | 42.11  | 39.9
A6  | 281(364211) | 41(43372)  | 36(33340)  | 26(33020)  | 0.48  | 0.5   | 0.49  | 0.61  | 0.63  | 0.61  | 59.86  | 221.88 | 219.04
A7  | 335(844577) | 95(203738) | 86(332288) | 76(331968) | 73.93 | 76.56 | 75.43 | 74.29 | 76.86 | 75.74 | 401.05 | 382.34 | 378.81
P3  | 24(546)     | 15(114)    | 15(120)    | 15(120)    | 0.01  | 0     | 0.01  | 0.01  | 0     | 0.01  | 0.06   | 0.06   | 0.05
P4  | 32(728)     | 20(152)    | 20(160)    | 20(160)    | 0.01  | 0.01  | 0     | 0.01  | 0.01  | 0     | 0.13   | 0.13   | 0.11
P5  | 40(910)     | 25(190)    | 25(200)    | 25(200)    | 0     | 0.01  | 0     | 0     | 0.02  | 0     | 0.34   | 0.32   | 0.31
Figure 7.3: Experiments performed with forward simulation relations on Co-Büchi Automata (states, transitions in parentheses; times in seconds)
For every automaton, we used the lowest possible determinization construction,
i.e. for safety and liveness automata we used the subset construction and for co-Büchi
automata we used the breakpoint construction. We evaluate here the difference when
the minimization used is direct, delayed or fair simulation.
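The breakpoint construction referred to in the preceding paragraph, shown on a constructed co-Büchi automaton. The Python program below is an added example and not the thesis's symbolic implementation from Chapter 4: it works on an explicit nondeterministic co-Büchi automaton (NCW) for "eventually always a", builds the deterministic co-Büchi automaton whose macro-states are pairs (S, O) of the reachable NCW states S and the obligation set O of runs that have avoided a rejecting state since the last breakpoint, and checks ultimately periodic words against the result. The automaton, the alphabet {a, b} and the state names are assumptions of this example.

```python
"""Added example: breakpoint determinization of a nondeterministic co-Buechi
automaton (NCW) into a deterministic co-Buechi automaton (DCW)."""
from collections import deque


class NCW:
    """Nondeterministic co-Buechi word automaton.  A run is accepting iff it
    visits `rejecting` only finitely often; a missing transition kills the run."""

    def __init__(self, alphabet, delta, init, rejecting):
        self.alphabet = alphabet
        self.delta = delta            # (state, letter) -> set of successor states
        self.init = init
        self.rejecting = frozenset(rejecting)

    def post(self, source, letter):
        """All states reachable from the set `source` by reading `letter`."""
        return frozenset(q for s in source for q in self.delta.get((s, letter), ()))


def breakpoint_determinize(ncw):
    """Breakpoint construction.  A macro-state (S, O) holds the set S of NCW states
    reachable on the input so far and the obligation set O of those runs that have
    avoided a rejecting state since the last breakpoint (O empty).  Whenever O runs
    empty it is refilled from S, and the macro-states with O empty are the rejecting
    states of the DCW: the input is accepted iff breakpoints happen finitely often,
    i.e. iff some NCW run eventually avoids `rejecting` forever."""
    init = (frozenset([ncw.init]), frozenset([ncw.init]) - ncw.rejecting)
    trans, seen, todo = {}, {init}, deque([init])
    while todo:
        S, O = todo.popleft()
        for a in ncw.alphabet:
            S2 = ncw.post(S, a)
            O2 = (ncw.post(O, a) if O else S2) - ncw.rejecting
            trans[(S, O), a] = (S2, O2)
            if (S2, O2) not in seen:
                seen.add((S2, O2))
                todo.append((S2, O2))
    rejecting = {m for m in seen if not m[1]}
    return init, trans, seen, rejecting


def dcw_accepts(dcw, prefix, loop):
    """Acceptance of the ultimately periodic word prefix . loop^omega by the DCW.
    After the prefix, the macro-state reached after each full loop iteration is
    eventually periodic with pre-period plus period at most the number n of DCW
    states, so n warm-up iterations land inside the cycle and n more traverse it."""
    init, trans, states, rejecting = dcw
    n = len(states)
    cur = init
    for a in prefix:
        cur = trans[cur, a]
    for _ in range(n):
        for a in loop:
            cur = trans[cur, a]
    for _ in range(n):
        for a in loop:
            cur = trans[cur, a]
            if cur in rejecting:
                return False
    return True


# Constructed NCW for "eventually always a" over {a, b}: q0 reads every letter and,
# on an a, may guess that only a's follow by moving to q1, which reads a only.
# q0 is rejecting, so an accepting run has to leave it eventually.
FG_A = NCW(alphabet="ab",
           delta={("q0", "a"): {"q0", "q1"}, ("q0", "b"): {"q0"}, ("q1", "a"): {"q1"}},
           init="q0", rejecting={"q0"})


def demo_breakpoint():
    """Determinize FG_A and classify a few ultimately periodic words."""
    dcw = breakpoint_determinize(FG_A)
    return {"dcw_states": len(dcw[2]), "dcw_rejecting": len(dcw[3]),
            "a^w": dcw_accepts(dcw, "", "a"),
            "bba a^w": dcw_accepts(dcw, "bba", "a"),
            "(ab)^w": dcw_accepts(dcw, "", "ab"),
            "b^w": dcw_accepts(dcw, "", "b")}


if __name__ == "__main__":
    print(demo_breakpoint())
```

For this automaton the construction yields two macro-states, ({q0}, ∅) and ({q0, q1}, {q1}); every b empties the obligation set and so forces a breakpoint, which is why (ab)^ω and b^ω are rejected while a^ω and bba·a^ω are accepted. The plain subset construction would not suffice here, because the subset {q0, q1} alone does not record whether the run through q1 has been uninterrupted.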
Surprisingly, the three minimization procedures performed equally well. They
generated the same number of states and transitions for every automaton we considered⁴.
We did not check for every example whether the generated automata are the same
for every minimization procedure, but randomly picked some of them and checked
that they are indeed the same. Surprisingly, the minimized deterministic automata
(shown in column DiDiD) sometimes had even fewer states and transitions than the
minimized nondeterministic automaton (shown in column DiN). The runtimes of the three
minimization procedures also do not differ much. When they differ, it seems that
this is more a measurement error than a real difference. Since all minimization
procedures generate the same automata, the solution time is also always the same.
We performed the same experiments also on the AMBA and dining philosophers
case studies with the same result: neither the automata nor the runtimes differ.
³L8, L10, L13, L14, L17 and L18 contained only formulas that can be directly translated to a formula
of the form GFϕ for a propositional ϕ or directly to a transition system as described by Proposition
8, so that we left them out here.
⁴In the table, we show only the numbers for direct simulation, but the numbers are the same for
delayed and fair simulation.
The effect of Reverse Simulation
We performed the same experiments with reverse simulation turned on. Not too
surprisingly, the three different forward simulation relations also performed equally well
when used together with reverse simulation. Accordingly, we only give the results for
direct simulation in connection with reverse simulation and neglect the other simulation
relations.
Comparing the automata sizes and runtimes when reverse simulation is turned on
with the sizes and times when it is turned off gives some interesting results. For
the Lily examples (shown in Figure 7.4), there was no surprise. Reverse simulation
only reduced the number of transitions of the nondeterministic automaton. This
intermediate minimization had no effect on the size of the deterministic automaton
(see column DiDiD without and DiRDiD with reverse simulation) and accordingly
also none on the runtime for synthesis.
We will not go into detail for those experiments and instead take a look at the AMBA
case study that is also given in that table. Here, reverse simulation can reduce both
the number of states and the number of transitions of the nondeterministic automaton.
However, this intermediate reduction does not lead to a reduction in the number of
states and transitions of the minimized deterministic automaton. Indeed, the minimized
deterministic automata are exactly the same whether or not reverse simulation is enabled⁵.
One notices that, although the automata generated with or without reverse
simulation are equivalent, the runtimes for game solving differ. But this has to do with a
different encoding of the automata that leads to different variable orders in the BDDs
and has nothing to do with reverse simulation. This is best seen in the AMBA
example. Here we generate for n masters the same automata as for n + 1 masters, but
every sub-automaton is replicated n + 1 times instead of n times. Nevertheless,
for 5 masters the runtime with reverse simulation is slower than without, while the
situation is reversed for other numbers of masters.
⁵We believe that this has to do with the special nonconfluent structure of the automata that
we use, or equivalently, the reverse determinism of those automata. In [111] Watson mentions
that in order to minimize finite automata (which our safety automata essentially
are), one can use the following steps: reverse the automaton (i.e. every ingoing edge becomes an
outgoing edge), do the subset construction, reverse the automaton and afterwards do again a
subset construction. It is not hard to see that the automaton obtained before the last
subset construction is reverse deterministic. So applying a subset construction (or the closely
related breakpoint construction) to a reverse deterministic automaton seems to be indeed a
minimization step. However, this observation is only a conjecture that should be examined more
closely outside of this thesis.
No. | NDet        | DiN        | DiRN       | DiD        | DiRD       | DiDiD      | DiRDiD     | DiRNT    | DiNT  | DiRNT    | DiDT  | DiRDT    | DiS    | DiRS
L1  | 28(696)     | 20(68)     | 20(34)     | 11(68)     | 11(68)     | 9(52)      | 9(52)      | 0.01     | 0     | 0.01     | 0     | 0.01     | 0.02   | 0.02
L2  | 28(720)     | 20(92)     | 20(38)     | 11(68)     | 11(68)     | 9(52)      | 9(52)      | 0.03     | 0     | 0.03     | 0     | 0.03     | 0.02   | 0.02
L3  | 32(732)     | 24(104)    | 24(44)     | 14(80)     | 14(80)     | 12(64)     | 12(64)     | 0        | 0     | 0        | 0     | 0        | 0.04   | 0.05
L4  | 28(716)     | 20(88)     | 20(44)     | 14(80)     | 14(80)     | 12(64)     | 12(64)     | 0.01     | 0.01  | 0.01     | 0.01  | 0.01     | 0.03   | 0.03
L5  | 36(808)     | 28(180)    | 28(62)     | 15(104)    | 15(104)    | 13(88)     | 13(88)     | 0        | 0.01  | 0        | 0.01  | 0        | 0.07   | 0.07
L6  | 44(840)     | 36(212)    | 36(66)     | 16(108)    | 16(108)    | 14(92)     | 14(92)     | 0.02     | 0     | 0.02     | 0     | 0.02     | 0.08   | 0.07
L7  | 36(814)     | 28(186)    | 28(65)     | 15(104)    | 15(104)    | 13(88)     | 13(88)     | 0        | 0     | 0        | 0     | 0        | 0.05   | 0.06
L9  | 13(170)     | 7(26)      | 7(18)      | 6(24)      | 6(24)      | 5(20)      | 5(20)      | 0        | 0     | 0        | 0     | 0        | 0.04   | 0.03
L11 | 12(166)     | 6(22)      | 6(14)      | 4(16)      | 4(16)      | 4(16)      | 4(16)      | 0        | 0     | 0        | 0     | 0        | 0.01   | 0.01
L12 | 12(166)     | 6(22)      | 6(14)      | 4(16)      | 4(16)      | 4(16)      | 4(16)      | 0        | 0     | 0        | 0     | 0.01     | 0.01   | 0.01
L15 | 16(182)     | 10(38)     | 10(30)     | 10(40)     | 10(40)     | 10(40)     | 10(40)     | 0        | 0     | 0        | 0     | 0        | 0.04   | 0.04
L16 | 24(273)     | 15(57)     | 15(45)     | 15(60)     | 15(60)     | 15(60)     | 15(60)     | 0.01     | 0.01  | 0.01     | 0.01  | 0.01     | 0.1    | 0.09
L19 | 20(257)     | 11(41)     | 11(29)     | 10(40)     | 10(40)     | 8(32)      | 8(32)      | 0        | 0     | 0        | 0     | 0        | 0.08   | 0.09
L20 | 14(103)     | 11(31)     | 11(21)     | 9(28)      | 9(28)      | 9(28)      | 9(28)      | 0.01     | 0     | 0.01     | 0     | 0.01     | 0.09   | 0.08
L21 | 64(240)     | 64(240)    | 64(56)     | 20(80)     | 20(80)     | 20(80)     | 20(80)     | 0.03     | 0     | 0.03     | 0     | 0.03     | 0.21   | 0.23
L22 | 53(256)     | 46(112)    | 46(39)     | 18(60)     | 18(60)     | 18(60)     | 18(60)     | 0.03     | 0     | 0.03     | 0     | 0.03     | 0.09   | 0.09
L23 | 32(56)      | 20(56)     | 20(14)     | 7(28)      | 7(28)      | 7(28)      | 7(28)      | 0.01     | 0     | 0.01     | 0     | 0.01     | 0.02   | 0.02
A2  | 273(7099)   | 33(1260)   | 18(580)    | 24(1036)   | 26(1100)   | 14(716)    | 14(716)    | 0.04     | 0.05  | 0.04     | 0.05  | 0.04     | 0.66   | 0.64
A3  | 275(24110)  | 35(3271)   | 20(1655)   | 27(2584)   | 29(2648)   | 17(2264)   | 17(2264)   | 0.03     | 0.03  | 0.03     | 0.03  | 0.03     | 5.51   | 3.91
A4  | 277(46789)  | 37(5950)   | 22(3086)   | 30(4644)   | 32(4708)   | 20(4324)   | 20(4324)   | 0.06     | 0.05  | 0.06     | 0.07  | 0.09     | 12.83  | 10.87
A5  | 279(182828) | 39(21989)  | 24(11637)  | 33(16944)  | 35(17008)  | 23(16624)  | 23(16624)  | 0.24     | 0.27  | 0.24     | 0.33  | 0.29     | 50.44  | 128.87
A6  | 281(364211) | 41(43372)  | 26(23036)  | 36(33340)  | 38(33404)  | 26(33020)  | 26(33020)  | 0.44     | 0.47  | 0.44     | 0.57  | 0.54     | 54.09  | 49.66
A7  | 335(844577) | 95(203738) | 80(163434) | 86(332288) | 88(332352) | 76(331968) | 76(331968) | 1,083.09 | 68.58 | 1,083.09 | 68.89 | 1,083.43 | 528.12 | 409.37
P3  | 24(546)     | 15(114)    | 15(90)     | 15(120)    | 15(120)    | 15(120)    | 15(120)    | 0.01     | 0.01  | 0.01     | 0.01  | 0.01     | 0.06   | 0.06
P4  | 32(728)     | 20(152)    | 20(120)    | 20(160)    | 20(160)    | 20(160)    | 20(160)    | 0.02     | 0.01  | 0.02     | 0.01  | 0.02     | 0.13   | 0.08
P5  | 40(910)     | 25(190)    | 25(150)    | 25(200)    | 25(200)    | 25(200)    | 25(200)    | 0.02     | 0     | 0.02     | 0     | 0.02     | 0.34   | 0.28
Figure 7.4: The effect of reverse simulation (columns with R: reverse simulation enabled; states, transitions in parentheses; times in seconds)
7.2.2 Minimizing Parity Automata
The situation changes completely when we consider parity automata. In Figure 7.5 the
experimental results are given when parity automata are generated using the
nonconfluent determinization with the splitting of Boolean formulas turned on. We
generated the nondeterministic automaton using fair simulation and reverse simulation.
Accordingly, we obtain for every minimization construction the same (non-minimized)
deterministic parity automaton.
Direct and delayed simulation are able to reduce the size of the automata modestly,
where delayed simulation performs slightly better on the AMBA case study. However,
fair simulation is able to minimize the automata much better than the other
simulation relations. But this reduction comes at a price: the computation time for fair
simulation is in most cases much higher than the computation time for the other two
simulation relations. However, this higher computation time for minimization is well
invested when it comes to controller synthesis. Here, the fair-simulation-minimized
games are solved much faster than the other games. Given that for big examples like
the AMBA case study or the Philosophers case study the overall computation time
is dominated by the solution of the games and not by the minimization, we conclude that
fair simulation is a valuable tool to reduce the time needed to synthesize a controller.
After having evaluated the different determinization constructions and the different
minimization constructions, the last parts of this chapter are devoted to different case
studies that demonstrate the feasibility of controller synthesis. For those case studies,
we used fair simulation in connection with the determinization construction based
on the hierarchy. Again, each of the formulas already belonged to the temporal logic
hierarchy, so that no manual rewriting was necessary.
No. | NDet       | FaN       | FaD       | FaDiD     | FaDeD     | FaFaD     | DiDT | DeDT | FaDT | DiS    | DeS    | FaS
L1  | 24(84)     | 21(72)    | 26(188)   | 23(164)   | 23(164)   | 13(84)    | 0.01 | 0.18 | 0.34 | 0.03   | 0.03   | 0.02
L2  | 24(108)    | 21(96)    | 26(188)   | 23(164)   | 23(164)   | 13(84)    | 0.12 | 0.27 | 0.42 | 0.04   | 0.04   | 0.01
L3  | 24(108)    | 21(96)    | 31(208)   | 28(184)   | 28(184)   | 18(104)   | 0.06 | 0.38 | 0.5  | 0.16   | 0.13   | 0.08
L4  | 24(104)    | 21(92)    | 37(232)   | 34(208)   | 34(208)   | 24(128)   | 0.11 | 0.29 | 0.49 | 0.11   | 0.13   | 0.05
L5  | 32(196)    | 29(184)   | 39(280)   | 36(256)   | 36(256)   | 26(176)   | 0.14 | 0.31 | 0.5  | 0.17   | 0.19   | 0.12
L6  | 40(228)    | 37(216)   | 41(288)   | 38(264)   | 38(264)   | 28(184)   | 0.04 | 0.38 | 0.41 | 0.27   | 0.2    | 0.19
L7  | 32(202)    | 29(190)   | 39(280)   | 36(256)   | 36(256)   | 26(176)   | 0.02 | 0.32 | 0.5  | 0.19   | 0.19   | 0.07
L9  | 8(28)      | 6(25)     | 20(80)    | 18(72)    | 18(72)    | 10(40)    | 0.03 | 0.06 | 0.08 | 0.14   | 0.12   | 0.04
L10 | 1(1)       | 1(1)      | 2(4)      | 2(4)      | 2(4)      | 2(4)      | 0    | 0    | 0.01 | 0.01   | 0.01   | 0
L11 | 8(28)      | 6(26)     | 18(72)    | 16(64)    | 16(64)    | 8(32)     | 0    | 0.07 | 0.1  | 0.1    | 0.09   | 0.01
L12 | 8(28)      | 6(26)     | 18(72)    | 16(64)    | 16(64)    | 8(32)     | 0.01 | 0.07 | 0.1  | 0.09   | 0.08   | 0.01
L13 | 2(2)       | 2(2)      | 4(8)      | 4(8)      | 4(8)      | 4(8)      | 0    | 0    | 0.01 | 0.02   | 0.02   | 0.03
L15 | 12(44)     | 10(42)    | 24(96)    | 22(88)    | 22(88)    | 14(56)    | 0.01 | 0.07 | 0.13 | 0.39   | 0.41   | 0.08
L16 | 18(66)     | 15(63)    | 36(144)   | 33(132)   | 33(132)   | 21(84)    | 0.02 | 0.07 | 0.16 | 4.16   | 4.29   | 0.08
L19 | 12(42)     | 9(37)     | 31(124)   | 28(112)   | 28(112)   | 16(64)    | 0.01 | 0.11 | 0.15 | 0.2    | 0.14   | 0.08
L20 | 8(22)      | 7(21)     | 17(52)    | 16(48)    | 16(48)    | 12(32)    | 0.01 | 0.06 | 0.08 | 0.2    | 0.25   | 0.09
L21 | 64(240)    | 64(240)   | 40(160)   | 40(160)   | 40(160)   | 40(160)   | 0.04 | 0.18 | 0.2  | 1.19   | 0.69   | 1.19
L22 | 44(101)    | 41(99)    | 36(120)   | 34(112)   | 34(112)   | 26(80)    | 0.02 | 0.16 | 0.18 | 0.67   | 0.59   | 0.11
L23 | 16(8)      | 6(8)      | 11(44)    | 10(40)    | 10(40)    | 8(32)     | 0.01 | 0.06 | 0.07 | 0.02   | 0.04   | 0.02
A2  | 270(2295)  | 19(784)   | 38(1868)  | 26(1484)  | 24(1356)  | 16(844)   | 0.08 | 0.1  | 0.16 | 1.79   | 1.74   | 0.65
A3  | 272(4894)  | 21(2471)  | 41(5720)  | 29(5336)  | 27(4824)  | 19(2776)  | 0.09 | 0.14 | 0.23 | 40.81  | 12.88  | 3.89
A4  | 274(8357)  | 23(4718)  | 44(10852) | 32(10468) | 30(9444)  | 22(5348)  | 0.16 | 0.22 | 0.3  | 49.39  | 50.3   | 14.15
A5  | 276(29100) | 25(18165) | 47(41584) | 35(41200) | 33(37104) | 25(20720) | 0.89 | 0.91 | 0.81 | 735.38 | 695.52 | 77.84
P3  | 24(156)    | 15(108)   | 45(360)   | 42(336)   | 42(336)   | 30(240)   | 0.02 | 0.14 | 0.26 | 35.64  | 29.98  | 0.2
Figure 7.5: Minimizing parity automata (states, transitions in parentheses; times in seconds)
7.3 AMBA AHB Case Study
ARM's Advanced Micro-controller Bus Architecture (AMBA) [62] defines the Advanced
High performance Bus (AHB), an on-chip communication standard that connects devices
like processor cores, caches and DMA controllers. Up to 16 masters and up to 16 slaves
can be connected to the bus. While the masters initiate communication with a slave of
their choice, the slaves are passive and respond only to a request. AHB is a pipelined
bus, i.e. multiple masters can access the bus while one master is transferring data and
yet another master transfers address information. A bus access can be a single transfer
or a burst, which consists of a specified or unspecified number of transfers.
The controller we want to synthesize here needs to implement an arbiter that handles
the requests coming from the masters. This case study has been chosen as an example
of a specification of industrial size in order to evaluate whether synthesis of real-world
examples is possible. It has already been used as a case study in [12, 48], from where
the formal specification is taken. We give a short summary and refer the interested
reader to [48] for a detailed description of the problem. In the following we describe
the signals used in the specification. The notation S[n:0] denotes an (n+1)-bit signal.
Signals driven by the masters or the slaves are inputs of the arbiter (the environment);
the remaining signals are its outputs.
• hbusreq[i] - a request from master i to access the bus (driven by the masters)
• hlock[i] - a request to receive a locked (uninterruptible) access to the bus (driven
by the masters)
• hmaster[3:0] - the master that currently owns the bus (driven by the arbiter)
• hready - high if the slave has finished processing the current data (driven by
the slaves; being an input, it is constrained only by the assumptions A2 and A4 below)
• hgrant[i] - signals that if hready is high, hmaster = i will hold in the next tick
(driven by the arbiter)
• hmastlock - indicates that the current master is performing a locked access
(driven by the arbiter)
• hburst[1:0] - one of SINGLE (a single transfer), BURST4 (a four-transfer burst
access) or INCR (a burst of unspecified length) (driven by the masters)
To formalize the specification, additional signals driven by the arbiter have been
introduced in [12, 48]:
• start indicates the start of an access
• locked indicates that the bus will be locked at the next start of an access
• decide indicates the time slot in which the arbiter decides who the next master
will be.
Since some guarantees the controller has to satisfy may only be satisfiable if certain
assumptions on the environment hold, we start with the assumptions on the environment,
followed by the guarantees for the controller. $N$ is the index of the last master, so
the conjunctions below range over the masters $0, \dots, N$.

A1: During a locked unspecified-length burst, leaving hbusreq high locks the bus. This
is forbidden by the standard.
$\mathbf{G}\big((hmastlock \wedge hburst = INCR) \to \mathbf{X}\mathbf{F}\,\neg hbusreq[hmaster]\big)$

A2: Leaving hready low forever is forbidden by the standard.
$\mathbf{G}\mathbf{F}\,hready$

A3: The lock signal is asserted by a master at the same time as the bus request.
$\bigwedge_{i=0}^{N} \mathbf{G}\big(hlock[i] \to hbusreq[i]\big)$

A4: All inputs are initially low.
$\bigwedge_{i=0}^{N} \big(\neg hbusreq[i] \wedge \neg hlock[i] \wedge \neg hready\big)$

G1: A new access can only start when hready is high.
$\mathbf{G}\big(\neg hready \to \neg start\big)$

G2: When a locked unspecified-length burst starts, a new access can only start after
the current master (hmaster) releases the bus by lowering hbusreq[hmaster].
$\mathbf{G}\big((hmastlock \wedge hburst = INCR \wedge start) \to \mathbf{X}[\neg hbusreq[hmaster]\ \mathbf{B}\ start]\big)$

G3: When a locked length-four burst starts, no other access starts until the end of
the burst. The burst ends after the fourth occurrence of hready; if hready is already
high at the start, that occurrence counts as the first one.⁶
$\mathbf{G}\Big((hmastlock \wedge hburst = BURST4 \wedge start) \to \big(hready \wedge \mathbf{X}[\neg start\ \mathbf{U}^{[3]}\ (hready \wedge \neg start)]\big) \vee \mathbf{X}[\neg start\ \mathbf{U}^{[4]}\ (hready \wedge \neg start)]\Big)$

⁶$[\varphi\ \mathbf{U}^{[n]}\ \psi]$ means that $\varphi$ holds until the $n$-th occurrence of $\psi$. It is rewritten into plain LTL by $[\varphi\ \mathbf{U}^{[1]}\ \psi] = [\varphi\ \mathbf{U}\ \psi]$ and $[\varphi\ \mathbf{U}^{[n]}\ \psi] = [\varphi\ \mathbf{U}\ (\psi \wedge \mathbf{X}[\varphi\ \mathbf{U}^{[n-1]}\ \psi])]$, so that e.g. $[\varphi\ \mathbf{U}^{[3]}\ \psi]$ becomes $[\varphi\ \mathbf{U}\ (\psi \wedge \mathbf{X}[\varphi\ \mathbf{U}\ (\psi \wedge \mathbf{X}[\varphi\ \mathbf{U}\ \psi])])]$; the conjunct $\psi$ in front of each $\mathbf{X}$ is what makes the nesting count occurrences of $\psi$.

G4: When hready is high, hmaster is set to the master that is currently granted the
bus.
$\bigwedge_{i=0}^{N} \mathbf{G}\big(hready \to (hgrant[i] \leftrightarrow \mathbf{X}(hmaster = i))\big)$

G5: Whenever hready is high, the signal hmastlock copies the signal locked to ensure
that an uninterruptible access to the bus is possible.
$\mathbf{G}\big(hready \to (locked \leftrightarrow \mathbf{X}\,hmastlock)\big)$

G6: If the arbiter does not start a new access, hmaster and hmastlock do not change.
$\bigwedge_{i=0}^{N} \mathbf{G}\,\mathbf{X}\Big(\neg start \to \big((\mathbf{X}(hmaster = i) \leftrightarrow hmaster = i) \wedge (\mathbf{X}\,hmastlock \leftrightarrow hmastlock)\big)\Big)$

G7: When the arbiter decides to grant the bus, it uses locked to remember whether
a locked access was requested.
$\bigwedge_{i=0}^{N} \mathbf{G}\big((decide \wedge \mathbf{X}\,hgrant[i]) \to (hlock[i] \leftrightarrow \mathbf{X}\,locked)\big)$

G8: The grant and locked signals change only if decide is high.
$\bigwedge_{i=0}^{N} \mathbf{G}\Big(\neg decide \to \big((\mathbf{X}\,hgrant[i] \leftrightarrow hgrant[i]) \wedge (\mathbf{X}\,locked \leftrightarrow locked)\big)\Big)$

G9: The bus is fair, i.e. every request that is active and not lowered is eventually
served.⁷
$\bigwedge_{i=0}^{N} \mathbf{G}\mathbf{F}\big(\neg hbusreq[i] \vee hgrant[i]\big)$

G10: The bus is not granted without a request, except to master 0. If there is no
request, the bus is given to master 0.
$\bigwedge_{i=1}^{N} \mathbf{G}\big(\neg hgrant[i] \to [\neg hgrant[i]\ \mathbf{U}\ hbusreq[i]]\big) \wedge \mathbf{G}\Big(\big(decide \wedge \bigwedge_{i=0}^{N} \neg hbusreq[i]\big) \to \mathbf{X}\,hgrant[0]\Big)$

⁷We have slightly rewritten the equivalent specification given in [48] to improve the synthesis
problem. The input file for Anzu [48] also used this rewritten specification.

G11: An access by master 0 starts in the first clock tick, which means that a decision
is taken. All other signals are initially low.
$decide \wedge start \wedge hgrant[0] \wedge \neg hmastlock \wedge \bigwedge_{i=1}^{N} \neg hgrant[i]$

It turned out that not all assumptions are necessary to satisfy the guarantees.
Assumptions 3 and 4 are superfluous, so we left them out in the experiments.
However, Assumptions 1 and 2 are necessary to satisfy Guarantee 9, so we change
Guarantee 9 to:

G9':
$\bigwedge_{i=0}^{N} \Big(\big(\mathbf{G}\mathbf{F}\,hready \wedge \mathbf{G}((hmastlock \wedge hburst = INCR) \to \mathbf{X}\mathbf{F}\,\neg hbusreq[hmaster])\big) \to \mathbf{G}\mathbf{F}(\neg hbusreq[i] \vee hgrant[i])\Big)$

The overall specification is now given as:
$\bigwedge_{i=1}^{8} G_i \wedge G_{9'}$
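The bounded until of G3, as an added example that is not from the thesis or from Anzu: a small finite-trace evaluator for LTL formulas written as Python closures, where $\varphi\ \mathbf{U}^{[n]}\ \psi$ is built by the recurrence $\varphi\ \mathbf{U}^{[1]}\ \psi = \varphi\ \mathbf{U}\ \psi$ and $\varphi\ \mathbf{U}^{[n]}\ \psi = \varphi\ \mathbf{U}\ (\psi \wedge \mathbf{X}(\varphi\ \mathbf{U}^{[n-1]}\ \psi))$, which realizes the reading "$\varphi$ holds until the $n$-th occurrence of $\psi$". The traces are constructed lists of signal valuations and are finite, so $\mathbf{U}$ requires its right-hand side to occur within the trace (a finite-prefix approximation of the infinite-word semantics); all function names are my own.

```python
# Finite-trace LTL evaluation for the bounded until of AMBA guarantee G3.
# A formula is a function (trace, position) -> bool; a trace is a list of dicts
# mapping signal names to booleans (constructed sample data, not a real bus log).

def atom(name):
    return lambda tr, i: bool(tr[i].get(name, False))

def neg(f):
    return lambda tr, i: not f(tr, i)

def conj(*fs):
    return lambda tr, i: all(f(tr, i) for f in fs)

def disj(*fs):
    return lambda tr, i: any(f(tr, i) for f in fs)

def nxt(f):
    # X f: f one step later; false past the end of the finite trace
    return lambda tr, i: i + 1 < len(tr) and f(tr, i + 1)

def until(f, g):
    # f U g on a finite trace: g must occur at or after i within the trace,
    # and f must hold at every position before that occurrence.
    def h(tr, i):
        for j in range(i, len(tr)):
            if g(tr, j):
                return True
            if not f(tr, j):
                return False
        return False
    return h

def until_n(f, g, n):
    # f U[n] g: f holds until the n-th occurrence of g, via
    # f U[1] g = f U g  and  f U[n] g = f U (g and X(f U[n-1] g)).
    form = until(f, g)
    for _ in range(n - 1):
        form = until(f, conj(g, nxt(form)))
    return form

start, hready = atom("start"), atom("hready")
burst_end = conj(hready, neg(start))

# Consequent of G3, evaluated at the position where the locked BURST4 starts:
# hready now counts as the first of four occurrences, otherwise four are needed.
G3_CONSEQUENT = disj(
    conj(hready, nxt(until_n(neg(start), burst_end, 3))),
    nxt(until_n(neg(start), burst_end, 4)),
)

def make_trace(length, starts, readys):
    """Constructed trace: position -> {start, hready}, both false elsewhere."""
    return [{"start": i in starts, "hready": i in readys} for i in range(length)]

def g3_holds_at_start(starts, readys, length=10):
    """Does the G3 consequent hold at position 0 of the constructed trace?"""
    tr = make_trace(length, starts, readys)
    return G3_CONSEQUENT(tr, 0)
```

For instance, a burst starting at tick 0 with hready low and hready pulses at ticks 2, 4, 5 and 7 satisfies G3 as long as no new start occurs before tick 7; a start at tick 6, or only three hready pulses within the trace, violates it.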
We ran our algorithm three times to evaluate the performance of the optimizations
given in Chapter 6. The first optimization is the removal of colors whenever the
minimal color of the environment does not label a state of the subgame, according
to Proposition 10. The second optimization refers to Proposition 9 and means that
we first compute the winning set of the safety fragment before solving the overall
game. Figure 7.6 shows the time needed to synthesize an arbiter for these
specifications. In the first column the safety optimization is turned on but not the
removal of colors; in the second column the removal of colors is enabled but not the
safety handling; in the third column both optimizations are turned on. The last column
gives the runtime of Anzu [12]. Remember that Anzu is also implemented symbolically
and uses the specialized generalized Streett(1) approach of Piterman et al. [79]; but
unlike our tool, the deterministic automata have to be generated manually.

Figure 7.6: Time Spent During Synthesis on the AMBA Case Study (seconds; TO means
the task could not be performed within 20 hours, MO that more than 2 GB of memory
were used, which also terminated the process)

No.     | color-unoptimized | safety-unoptimized | all-optimized |     Anzu
--------|-------------------|--------------------|---------------|---------
AMBA2   |              2.60 |               2.09 |          1.36 |     2.36
AMBA3   |              9.77 |              26.23 |          6.47 |    17.14
AMBA4   |             62.34 |              38.98 |         13.03 |    52.83
AMBA5   |           2881.00 |             335.30 |         67.77 |   131.71
AMBA6   |                TO |             581.09 |         81.61 |   716.88
AMBA7   |                TO |            3949.44 |        823.82 |  1338.13
AMBA8   |                TO |           42757.21 |       5594.70 |  4542.37
AMBA9   |                TO |                 TO |       2749.62 |  3363.56
AMBA10  |                TO |                 TO |        678.46 |  6163.66
AMBA11  |                TO |                 TO |        982.48 |  9475.98
AMBA12  |                TO |                 TO |       7544.34 |       MO
AMBA13  |                TO |                 TO |       2161.24 | 16683.55
AMBA14  |                TO |                 TO |       2293.57 | 46514.46
AMBA15  |                TO |                 TO |       2022.44 |       MO

Without the color optimization, our algorithm is not able to perform the task for
more than 5 masters. The problem is that when the color optimization is turned off,
the generalized parity algorithm does much unnecessary work and indeed generates
k! sub-strategies for k masters. Joining those k! sub-strategies into an overall strategy
is impossible for larger k. Although this blowup is in general unavoidable, since the
memory needed to win Streett games is factorial in the number of Streett pairs, the
color optimization avoids the introduction of unnecessary sub-strategies, so that k
sub-strategies suffice for k masters. This has to do with the special structure of
Guarantee 9' (all other guarantees are purely safety guarantees), which has the form
$\bigwedge_{i=0}^{n} \Phi_i \to \Psi_i$. In the special case of the AMBA example, all
$\Phi_i$ are the same. So the Streett conditions of the AMBA example have a restricted
form that can be exploited: states that do not satisfy $\Phi_i$ need only be considered
once in the generalized parity algorithm and can afterwards be removed according to
Proposition 10. We believe that this is not special to the AMBA example, but occurs
frequently in specifications with assumptions on the environment that are the same
for all Streett conditions.
The safety optimization is not as important as the color optimization, but nevertheless
it is impossible to generate an arbiter for more than 8 masters without it. Hence,
turning both optimizations on leads to an enormous performance boost: not only are
we able to solve the AMBA problem for up to 15 masters, which is the maximal number
of masters the specification allows, but we are also faster than Anzu, which is
specifically tailored to this form of specification and where the deterministic
automata are generated manually. As can be seen, this superiority of our algorithm
comes mainly from the ability to solve safety games separately and from the color
optimization.
7.4 Dining Philosophers
Although the dining philosophers problem is more whimsical than practical, it is
similar to realistic problems in which different processes require simultaneous access
to more than one resource. Consequently, the problem is often used to illustrate and
compare different synchronization mechanisms. We use it here as a tutorial example,
since it is rather small and shows well how the environment can be modeled using
a Quartz program. Moreover, in contrast to the other examples, multiple resources
must be arbitrated by the controller. The dining philosophers problem is formulated
as follows:

Five philosophers sit around a circular table. Each philosopher spends his life either
thinking or eating. In the center of the table is a plate of spaghetti. Each philosopher
must use two forks to be able to eat the spaghetti. Unfortunately, only one fork is
available per philosopher, each placed between two neighbouring philosophers. The
problem is to write a controller that assures that every philosopher who is hungry is
eventually able to eat, i.e. he may acquire both the fork on his left and the fork on
his right. Thus we must avoid the unfortunate situation that the philosophers are all
hungry but none is able to eat, because every one of them holds a fork which prevents
his neighbour from eating.

We model this environment using the Quartz program given in Listing 7.1. All that is
done here is to model the assumption that whenever philosopher i wants to acquire
the forks (req[i]), he eats in the next step (eat[i]) exactly when the controller grants
him (grant[i]) and does not grant his right-hand neighbour (grant[(i+1)%N]) at the
same time, i.e. when the fork on his left and the fork on his right are both available
to him; all philosophers are updated in parallel.

module Philosopher(bool ?grant[N], req[N], &eat[N]) {
  loop {
    // Philosopher i eats in the next step iff he requests, is granted,
    // and his right-hand neighbour (i+1) mod N is not granted at the same time.
    parallel(nat[sizeOf(N-1)] i = 0..(N-1)) {
      next(eat[i]) = req[i] & grant[i] & (!grant[(i+1)%N]);
    }
    pause;
  }
}

Listing 7.1: Dining Philosophers

As the formal specification we want to assure that every philosopher who wants to
acquire the forks is eventually able to eat, which is formalized as follows:
$\Phi = \bigwedge_{i=0}^{N} \mathbf{G}\big(req[i] \to \mathbf{F}\,eat[i]\big)$
However, this specification alone is not controllable: the forks are only granted when,
at that point of time, the philosopher still keeps req high, so a philosopher who
lowers req before being served can never be made to eat. Hence, we have to add the
additional constraint that the request is not lowered until the respective philosopher
is allowed to eat:
$\Phi = \bigwedge_{i=0}^{N} \Big(\mathbf{G}\big(req[i] \to [req[i]\ \mathbf{U}\ eat[i]]\big) \to \mathbf{G}\big(req[i] \to \mathbf{F}\,eat[i]\big)\Big)$

Figure 7.7: Experimental Result for Dining Philosophers (plot of synthesis time[s],
0 to 1,500, against the number of philosophers, 0 to 15)

The runtimes of the experiments performed on the dining philosophers case study are
shown in Figure 7.7. Quite surprisingly, the time needed to solve the problem remains
nearly constant, except for 15 philosophers, where a large peak can be seen. For 16
philosophers the synthesis time is again modest. However, for more than 16
philosophers we were not able to finish the synthesis task within one hour.
7.5 NIM Game
The roots of the NIM game are unclear; some variants of NIM have been played since
ancient times. It is especially popular in mathematical game theory because it is
fairly easy to describe, and thus the complete theory of the game was developed as
early as 1901.

NIM is a two-player turn-based game in which players alternately remove objects from
heaps. On each turn, one of the two players chooses a heap and a non-zero number of
objects that he removes from this heap. The player who removes the last object wins
the game.

The key to the theory of the game is an exclusive-or (xor) calculation on the heap
sizes, often called the NIM-sum. The NIM-sum is the bitwise exclusive or of the binary
representations of the heap sizes, e.g. for the heap sizes 011, 100, 101 we obtain 010.
The winning strategy (for either player) is to finish every move with a NIM-sum of 0:
from a position with NIM-sum 0 every move leads to a non-zero NIM-sum, while from a
non-zero NIM-sum there is always a move back to 0. Hence, the player that starts has
a winning strategy if and only if the NIM-sum is not 0 at the beginning. So e.g. when
heap i contains 2i+1 objects at the beginning, the start player has a winning strategy
for 3 heaps (1 ⊕ 3 ⊕ 5 = 7), no winning strategy for 4 heaps (1 ⊕ 3 ⊕ 5 ⊕ 7 = 0), but
again a winning strategy for 5 heaps (NIM-sum 9). We model this game with the Quartz
program given in Listing 7.2, where the controller takes the role of player A. During
the initialization phase, the heap at position i is filled with 2i+1 objects. The two
players alternate. From outside, we trigger the Boolean variable first that determines
whether the controller chooses its move first. Whenever one of the players moves, it is
checked whether he chooses more than 0 objects and whether the heap at position i
contains at least as many objects as the player wants to remove. If so, it is a valid
move and the next player takes over; otherwise the player chooses again. The game
ends if EndOfGame is true, which stands for
$EndOfGame := \bigwedge_{i=0}^{rows} Board[i] = 0$
module NIM_Game(nat[sizeOf(rows)] ?rowA, rowB,
                nat[sizeOf(size)] ?numA, numB,
                nat[sizeOf(size)] &Board[rows], &NIM_Sum,
                bool &turnA)
{
  // Initialization: heap i holds 2i+1 objects; `first` decides who moves first
  turnA = first;
  parallel(nat[sizeOf(rows)] i = 0..rows)
    Board[i] = 2*i + 1;
  // now play the game
  while (!EndOfGame) {
    if (turnA) {
      // valid move: at least one object, at most the heap's content
      if ((numA <= Board[rowA]) & (numA > 0)) {
        next(Board[rowA]) = Board[rowA] - numA;
        next(turnA) = false;
      }
      else
        next(turnA) = true;     // invalid move: A chooses again
    }
    else {
      if ((numB <= Board[rowB]) & (numB > 0)) {
        next(Board[rowB]) = Board[rowB] - numB;
        next(turnA) = true;
      }
      else
        next(turnA) = false;    // invalid move: B chooses again
    }
    pause;
  }
}

Listing 7.2: Quartz Implementation of the NIM Game
Since moves of a player take effect at the beginning of the next round (every
assignment is a next-assignment), the specification to fulfill is
$\mathbf{G}\big(EndOfGame \to \neg turnA\big)$
i.e. when the game is over it must be the opponent's turn, so the controller removed
the last object. However, this specification alone is not sufficient to generate a useful
controller. Each player can stop the game from making progress by choosing to remove
either zero objects from a heap or more objects than the heap contains, since an
invalid move hands the turn back to the same player. Because the game then never
ends, this is the cheapest way to satisfy the specification, and the controller that is
constructed by our algorithm for it always chooses zero objects. Since the opponent
can stall in the same way, replacing the G operator with an F operator yields an
uncontrollable specification. Instead, we modify the specification to:
$\mathbf{G}\big(turnA \to (numA \le Board[rowA] \wedge numA > 0)\big) \wedge \mathbf{G}\big(EndOfGame \to \neg turnA\big)$
This case study is interesting since we can, in an elegantly simple way, turn a
controllable problem into an uncontrollable one without changing the transition relation
of the game, just by letting either the controller or the environment choose first
(remember that the start player has a winning strategy if and only if the NIM-sum at
the beginning is not 0).
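The NIM-sum rule, the controllability switch via the first player, and a brute-force check of the rule on small positions, as an added Python example that is not part of the thesis (all function names are my own; thesis_heaps builds the 2i+1 instance of Listing 7.2, and the brute-force solver only considers valid moves, since invalid ones just hand the turn back):

```python
from functools import lru_cache
from itertools import product


def nim_sum(heaps):
    """Bitwise xor of all heap sizes, e.g. 011 ^ 100 ^ 101 = 010."""
    s = 0
    for h in heaps:
        s ^= h
    return s


def player_to_move_wins(heaps):
    """Bouton's theorem: the player to move wins iff the NIM-sum is non-zero."""
    return nim_sum(heaps) != 0


def winning_move(heaps):
    """A move (heap index, objects to remove) that leaves NIM-sum 0, or None
    if the position is already losing for the player to move."""
    s = nim_sum(heaps)
    if s == 0:
        return None
    for i, h in enumerate(heaps):
        target = h ^ s        # size this heap must shrink to
        if target < h:        # exists for the heap carrying the top bit of s
            return (i, h - target)
    return None


@lru_cache(maxsize=None)
def _solve(pos):
    """Brute force over the game tree: pos is a sorted tuple of non-empty heaps.
    The player to move wins iff some valid move leads to a position that is
    losing for the opponent; the empty position is lost for the player to move
    (the opponent took the last object)."""
    for i, h in enumerate(pos):
        for take in range(1, h + 1):
            rest = list(pos)
            rest[i] = h - take
            nxt = tuple(sorted(x for x in rest if x > 0))
            if not _solve(nxt):
                return True
    return False


def brute_force_wins(heaps):
    return _solve(tuple(sorted(h for h in heaps if h > 0)))


def theory_counterexample(max_heap=4, max_heaps=3):
    """Compare the NIM-sum rule with brute force on every position with
    max_heaps heaps of at most max_heap objects; return a disagreeing
    position or None."""
    for heaps in product(range(max_heap + 1), repeat=max_heaps):
        if player_to_move_wins(heaps) != brute_force_wins(heaps):
            return heaps
    return None


def thesis_heaps(n):
    """The instance of Listing 7.2: heap i holds 2i+1 objects."""
    return [2 * i + 1 for i in range(n)]


def controllable(n_heaps, controller_first):
    """Does the controller (player A) have a winning strategy? Only the value
    of the Quartz input `first` changes, not the transition relation."""
    s = nim_sum(thesis_heaps(n_heaps))
    return s != 0 if controller_first else s == 0
```

With 4 heaps (1, 3, 5, 7) the NIM-sum is 0, so the instance is controllable exactly when the environment moves first; with 3 or 5 heaps it is controllable exactly when the controller moves first, and winning_move returns the move a synthesized strategy has to make.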
As our experiment (shown in Figure 7.8) indicates, the total runtimes do not differ
depending on whether the environment or the controller chooses first. The only
difference is due to the strategy construction in case the problem instance is
controllable; however, this difference is in the order of milliseconds for these small
examples and is not a large factor in the overall solution time.
7.6 Island Traffic Control Problem
The island traffic controller problem goes back to [29] and has been considered several
times as an example of a model checking problem [93, 94, 114, 113]. Like any traffic
light control problem, it is a metaphor for coordinating access to a restricted resource,
namely a one-lane tunnel between an island and the mainland. Hence, the controller of
the tunnel must either grant access to the tunnel to the cars that start from the island
or to those that start from the mainland, but never to both directions at the same
time. At each end of the tunnel there is a traffic light, controlled by the signals
ml_red_light, ml_green_light on the mainland side and il_red_light, il_green_light on
the island side. Moreover, on both sides of the tunnel there are sensors that detect
whether a car is in front of the traffic light and wants to enter the tunnel (signals
il_enter and ml_enter), and whether a car is leaving the tunnel at this side (signals
il_leave and ml_leave). We assume that the sensors are fast enough to detect different
Figure 7.8: Experimental Result for the NIM Game (plot of time[s], 0 to 150, against
the number of heaps, 3 to 8; one curve for "controller chooses first", one for
"environment chooses first")
cars, e.g. whenever a car wants to enter the tunnel from the island, it drives over
the sensor, signal il_enter becomes true and remains true until the car leaves the
sensor, when it becomes false until the next car arrives at the sensor. The task of the
island traffic controller problem is to implement a control system that satisfies certain
safety conditions, namely that the island and the mainland side never have green
lights at the same time, and that a change from red to green light is only possible
when the tunnel is empty. Moreover, there is a constraint on the maximal number of
cars on the island, which should never exceed a threshold N. Clearly, we also want
the system to be fair, i.e. no traffic light should be red indefinitely long on either
side.
Our Averest tool set [92] contains a solution of the island traffic control problem
implemented in Quartz. In this solution the control problem is divided into three
processes: one for managing exclusive access to the tunnel, and two for handling the
sensor signals on the island and mainland side, i.e. the traffic light controllers.
Additionally, two counters IC and TC count the number of cars on the island and
inside the tunnel, respectively. We remove the manager for tunnel access but keep the
counters and the handling of the sensors inside the Quartz program.
We start our considerations by introducing the signals used in the implementation.
Since many signals are present on both sides, we introduce them only once,
Figure 7.9: Island Traffic Control Problem
e.g. X_red_light means either the red light signal on the island side (il_red_light) or
on the mainland side (ml_red_light). We start with the sensor signals:
• X_enter - a car wants to enter the tunnel from side X
• X_leave - a car leaves the tunnel to side X
The following signals are outputs of the traffic light controller:
• X_red_light - switches on the red traffic light
• X_green_light - switches on the green traffic light
• X_use - the tunnel is in use from side X, i.e. some car is still inside
• X_req - request to access the tunnel
• tc_dec, tc_inc - decrement/increment the tunnel counter
module Counter(event inc, dec, nat[sizeOf(MaxCars+1)] &v) {
  loop {
    // simultaneous inc and dec cancel out; v is unchanged
    if (inc & !dec)
      next(v) = v + 1;
    else if (!inc & dec)
      next(v) = v - 1;
    pause;
  }
}

Listing 7.3: Implementation of the Counters
• ic_dec, ic_inc - decrement/increment the island counter
Finally, the following signals are used by the arbiter to satisfy its guarantees:
• X_grant - grant access to the tunnel for side X
• X_release - side X should release access to the tunnel
We use the same implementation for the counters (Listing 7.3) and for the traffic
lights (Listing 7.4) on both sides of the tunnel. The implementation of the counters
is straightforward; the implementation of the traffic light controllers needs some more
attention. It consists of two loops that run in parallel. The first loop handles the use
variable such that whenever a car is entering the tunnel (in the second loop), this flag
remains true until all cars have left the tunnel. The second loop is divided into two
phases, the red and the green light phase. While the controller is in the red light
phase, cars can only leave the tunnel: we wait until signal leave is true, then we
decrement the tunnel counter (signal tc_dec) and keep waiting until the car has left
the sensor (signal leave becomes false). A similar behavior can be observed in the
green light phase, with the difference that now also the island counter needs to be
changed. To handle this, we introduce a signal ic_change. In the mainland controller
this signal is mapped to ic_inc, in the island controller to ic_dec. This has the effect
that whenever a car enters the tunnel in island direction the island counter is
incremented, and in the other direction it is decremented. Thus the island counter
does not only count the cars on the island, but also the cars traveling to the island.
This allows us to use the same traffic light controller for both sides, unlike e.g. [114],
where two different controllers were given¹⁰.
¹⁰Nevertheless, in a hardware implementation both controllers need to be present, and thus there
are also variables for both in the BDD representing the implementation.
module TrafficLightController
  (event grant, release, enter, leave, &green_light, &red_light,
   &use, &req, &tc_inc, &tc_dec, &ic_change) {
  // First loop: keep `use` high while cars are still inside the tunnel.
  loop {
    if (use & tc > 0) emit next(use); pause;
  } ||
  // Second loop: alternate between the red and the green light phase.
  loop {
    // Red light phase: cars can only leave the tunnel.
    weak abort loop {
      while (!leave) {
        pause;
        emit red_light;
        if (enter) emit req;
      }
      emit tc_dec;
      while (leave) {
        pause;
        emit red_light;
        if (enter) emit req;
      }
    }
    when (!leave & grant);
    // Green light phase: cars can only enter the tunnel.
    weak abort loop {
      while (!enter) {
        pause;
        emit green_light; emit use;
      }
      emit ic_change; emit tc_inc;
      while (enter) {
        pause;
        emit green_light; emit use;
      }
    }
    when (release);
  }
}

Listing 7.4: Implementation of the Island and Mainland Controller
In the following, a specification for the tunnel access controller is developed. To
be able to synthesize a controller, we need to impose some assumptions on the
environment. Those assumptions correspond to the behavior of the sensors in the real
physical world. For example, since il_leave and ml_leave are input signals, they might
also hold when the tunnel is empty, but this can never be the case in reality. This
gives us the first assumption on the environment; the others are formulated using a
similar pattern:

EmptyTunnel: No car can leave the tunnel when the tunnel is empty:
$\mathbf{G}\big((tc = 0) \to (\neg il\_leave \wedge \neg ml\_leave)\big)$

EmptyIsland: No car can leave the island when the island is empty:
$\mathbf{G}\big((ic = 0) \to \neg il\_enter\big)$

FiniteTunnelLeaving: No car remains indefinitely long in the tunnel:
$\mathbf{G}\big((il\_red\_light \wedge ml\_red\_light) \to \mathbf{F}(tc = 0)\big)$

LeaveIsland: No car remains indefinitely long on the island:
$\mathbf{G}\big((ic > 0) \to \mathbf{F}\,il\_leave\big)$

Notice that the last assumption prevents the system from blocking, because otherwise
a full island would mean that no new car would ever be allowed to enter the island.
After having defined the assumptions, the following specifications describe the
conditions that should be guaranteed by the tunnel access controller:

Lightsignal: The traffic lights should not be green on both sides:
$\mathbf{G}\,\neg(il\_green\_light \wedge ml\_green\_light)$

ChangeLight: The traffic light should change from red to green only when the tunnel
is empty:
$\mathbf{G}\Big(\big((ml\_red\_light \wedge \mathbf{X}\,ml\_green\_light) \to (tc = 0)\big) \wedge \big((il\_red\_light \wedge \mathbf{X}\,il\_green\_light) \to (tc = 0)\big)\Big)$

IslandNotOverCrowded: The maximal number of cars on the island is N:
$\mathbf{G}\big(ic \le N\big)$
IslandFair: No car should wait infinitely long on the island side:
$\mathbf{G}\big(il\_enter \to \mathbf{F}\,il\_green\_light\big)$

MainlandFair: No car should wait infinitely long on the mainland side:
$\mathbf{G}\big(ml\_enter \to \mathbf{F}\,ml\_green\_light\big)$

The overall specification is the conjunction of the following formulas:
• Lightsignal
• ChangeLight
• EmptyTunnel → IslandNotOverCrowded
• (EmptyTunnel ∧ FiniteTunnelLeaving) → IslandFair
• (EmptyTunnel ∧ FiniteTunnelLeaving ∧ LeaveIsland) → MainlandFair
The specification given above is nearly independent of the number of cars handled by
the arbiter. In particular, the only thing that changes for different numbers of cars is
the binary encoding of the counter variables. Thus, the number of state variables
obtained from the specification stays the same for every number of cars. However, the
number of state variables of the Quartz program grows logarithmically with the number
of cars, following the formula $k = 19 + 2 \cdot \log_2 n$, where n is the number of cars
and k the number of state variables. In Figure 7.10 we show the runtime of our
synthesis algorithm on the island traffic control problem. This example showed some
unexpected behavior. As expected, the runtime grows with the number of cars to be
handled. However, there are two dips at 7 cars and at 13 cars that we cannot
satisfactorily explain. We believe that this has to do with the underlying BDD package
that handles the propositional formulas which symbolically encode the transition
system. Since the counters are binary encoded, different numbers of cars may lead to
totally different BDDs whose sizes need not directly depend on the number of cars¹¹.
This behavior is however not special to controller synthesis, but is also commonly
seen in symbolic model checking.
¹¹To represent e.g. 4 cars, we need to represent the values {0, ..., 4} and accordingly need 3 BDD
variables, which gives us the don't-care values {5, 6, 7}. Those don't-care values can be used by
the BDD package to generate more or less efficient variable orderings.
Figure 7.10: Running Time on the ITC Case Study (plot of time[s], 0 to 40,000,
against the number of cars, 2 to 16)
7.7 Synthesis of a Sorting Network
The problems considered so far are taken from two domains: either a strategy for a
game is sought or an arbiter needs to be implemented. When a piece of code is really
needed that satisfies a certain requirement, arbitration is a typical application domain
of controller synthesis. However, controller synthesis is not limited to this application
domain. In principle, arbitrary algorithms can be generated provided we can specify
the correct behavior in LTL. This section investigates whether it is possible to
generate a sorting algorithm using controller synthesis. The example shows that
although controller synthesis is able to synthesize a valid controller, there is still
much manual work to do in order to provide a skeleton so that the controller synthesis
algorithm delivers a meaningful result.
In order to apply controller synthesis to the problem of sorting an array, a skeleton
is needed that defines the available choices of the controller. An interesting skeleton
for this task is a sorting network [55], which can implement parallel sorting algorithms.
A sorting network is a network of wires and comparator modules that sorts a sequence
of numbers. The importance of sorting networks is that they allow a parallel
implementation of sorting algorithms in hardware or on parallel computers. Any sorting
network is built up from comparator nodes as shown in Figure 7.11 and wires that
connect these comparator nodes.
A comparator node has inputs $x_0, x_1$ and outputs $y_0, y_1$. The maximum of the
values $x_0, x_1$ is forwarded to $y_0$ and the minimum to $y_1$. In other words, the
minimum value sinks to $y_1$, which is indicated by an arrow between the two lines
connecting inputs and outputs.

Figure 7.11: A Comparator Node (inputs $x_0, x_1$; outputs $y_0, y_1$)

Figure 7.12: A Sorting Network (inputs $x_0, \dots, x_3$; intermediate results
$t^0_0, \dots, t^0_3$ after the first layer, $t^1_0, t^1_1, t^1_2, t^1_3$ after the second,
$t^2_1, t^2_2$ after the third; outputs $y_0, \dots, y_3$)
An example of a sorting network is given in Figure 7.12. First, the values $x_0$
and $x_1$ are compared, which gives us the intermediate results $t^0_0$ and $t^0_1$. In a
second comparator node, the intermediate results $t^0_2$ and $t^0_3$ are obtained from
$x_2$ and $x_3$. In a second step, the intermediate results $t^1_0$ and $t^1_2$ are
calculated from $t^0_0$ and $t^0_2$. The rest of the intermediate results are obtained
analogously until the sorted array finally arrives at the outputs $y_0, \dots, y_3$.
In realizations of sorting networks, and on parallel computers, it is possible to do
non-overlapping comparisons at the same time; thus it is natural to try to minimize
the delay time. The delay time of a sorting network depends on the maximum number
of comparators in contact with any path through the network, where a path is any
route from the inputs to the outputs that possibly switches wires at the comparators.
Consider again the network from Figure 7.12. Since the inputs and outputs of the
comparator nodes that calculate t0, t1 and the comparator node that calculates t2, t3
are independent, those two sorting operations can be performed in parallel without
any additional delay time.

Figure 7.13: Upper and lower bounds for optimal depth sorting networks
n     |  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Upper |  0  1  3  3  5  5  6  6  7  7  7  8  9  9  9  9
Lower |  0  1  3  3  5  5  6  6  7  7  7  7  7  7  7  7

The maximum number of comparators in a row is often called the depth of a
network, whereas the size denotes the total number of comparators used. The efficiency
of a sorting network can be measured by its total size or by its depth. In Figure 7.12,
the maximal depth is 3 while its size is 5.
The asymptotically best known sorting network, the AKS network [1], achieves
depth O(log n) and size O(n log n) for n inputs, which is asymptotically optimal.
Although theoretically optimal, the AKS network has little practical application because
of a big constant hidden in the O-notation.
Finding sorting networks with small size and depth remains a fundamental open
problem. For up to 10 inputs, optimal sorting networks are known. Figure 7.13 gives
an overview of upper and lower bounds for up to 16 inputs [76].
The scope of this section is to investigate whether it is possible to automatically
synthesize a sorting network using controller synthesis. In particular, we would like
to investigate whether it is possible to synthesize a network with a maximal given
depth. By iteratively increasing this bound on the depth we seek to find minimal
depths for sorting networks.
7.7.1 Zero-one Principle
Proving the correctness of sorting networks is a hard task due to the intrinsic state
space explosion of sorting networks. There are n! permutations of numbers in an n-wire
network and testing them all is nearly infeasible with any tool that can be used for
the analysis of systems. Hence, an important abstraction that we also use here is the
zero-one principle:
Theorem 18 ([55]). If a sorting network sorts every sequence of 0’s and 1’s, then it
sorts every arbitrary sequence of values.
Thus, instead of sorting arbitrary arrays, we concentrate on arrays with boolean val-
ues. Thanks to the zero-one principle, this is no restriction. The sorting networks for
boolean inputs that we automatically obtain from our controller synthesis procedure
are thus equally well suited for inputs with arbitrary values.
7.7.2 Problems to Define Skeletons for Sorting Networks
As a first try to synthesize a sorting network, we used the Quartz program given in
Listing 7.5. It consists of three different modules: CMP represents a comparator node,
and these nodes are used in the main module Sorter. Moreover, it is simplified in the
sense that in every step, at most one comparison may take place.
In that module, first the input given in the array a is stored in an array b. This
ensures that the environment cannot falsify the specification by choosing another
input than in the first step. This input is also copied to the array s that represents
the wires (respectively the results carried by the wires in different stages) of our sorting
network. As controllable inputs we have indices i0, i1, j0 and j1 that represent the
input wires (i0, i1) and the output wires (j0, j1) of the comparator node at the
currently active stage of the sorting network. Moreover, we have the controllable
event ready that signals that the controller has finished its operation. As additional
output signals we have error and counter.
The error signal is needed to prevent the controller from doing illegal wire
connections. First, it prevents write conflicts [92]. Write conflicts occur in a Quartz program
when two different values are assigned to the same variable. This corresponds to the
case in the physical world that two different output signals are connected to the same
wire. Clearly, this makes no sense in the physical world and neither in the transition
relation that is obtained from the Quartz program. Having a write conflict makes
the result of the controller synthesis procedure unpredictable since in that case the
transition relation obtained from the Quartz program is not properly defined [92].
Additionally, error checks that the values chosen by the controller are proper
indices to access the array.
Finally, the counter signal is used to count the number of different stages in the
sorting network, i.e. the number of comparisons done.
We used the following specifications:
Guarantee 1: The algorithm terminates.
F(ready)
Guarantee 2: When ready is emitted, array s is sorted.
$G\big(ready \rightarrow \bigwedge_{i=0}^{SIZE-1} (s[i] \le s[i+1])\big)$
module Sorter(bool a[SIZE], &b[SIZE], &s[SIZE],
              nat[sizeOf(SIZE)] ?i0, ?i1, ?j0, ?j1, event ?ready,
              event &correct, event &error, nat[sizeOf(DEPTH)+1] &counter) {
  // initialization: keep a copy of the input in b and put it on the wires s
  parallel(nat[sizeOf(SIZE-1)] i=0..(SIZE-1)) {
    next(s[i]) = a[i];
    next(b[i]) = a[i];
  }
  pause;
  // one comparison per step: the controller picks the input wires (i0,i1)
  // and the output wires (j0,j1) of the comparator node
  while(!ready) {
    if((j0==j1) | (j0>SIZE) | (j1>SIZE)) emit error;
    else CMP(b, s, i0, i1, j0, j1);
    next(counter) = counter+1;
    pause;
  }
  Monitor(b, s, correct);
}

module CMP(nat[1] b[SIZE], &s[SIZE], nat[sizeOf(SIZE)] i0, i1, j0, j1) {
  if(!error)
    if(b[i0] > b[i1]) {
      // larger value to s[j1], smaller value to s[j0]
      next(s[j1]) = b[i0];
      next(s[j0]) = b[i1];
    } else {
      next(s[j1]) = b[i1];
      next(s[j0]) = b[i0];
    }
}
Listing 7.5: A wrongly implemented skeleton for sorting networks
Guarantee 3: The number of 0's in s and b are equal in every step (see footnote 12).
$G\Big(\big(\sum_{i=0}^{SIZE-1} [s[i]=0]\big) = \big(\sum_{i=0}^{SIZE-1} [b[i]=0]\big)\Big)$
Guarantee 4: The controller chooses only proper values.
$G(\neg error)$
Guarantee 5: The algorithm terminates before BOUND is reached, i.e. the number of
steps performed is lower than BOUND.
$G(counter < BOUND)$
We ran the controller synthesis algorithm for array sizes of up to 5, which finishes
in a couple of seconds. The generated controller is also correct, as we have checked
with SMV. However, the controller it produces is useless. Instead of using
the CMP nodes as comparator nodes, the controller uses them simply to permute
the array and checks the correctness of the permutation directly on the array. For
example, if the array is sorted from the beginning, the controller does nothing at all.
This behavior can again be explained by the way the controller is constructed: always
the fastest way to achieve a goal is chosen. If the array is sorted, nothing needs to
be done. However, obviously, this was not our intention. The problem is that in
writing specification Guarantee 2, we encoded every sorted array of a given length in
the transition relation. All the controller has to do is to modify s in such a way that it
matches this part of the transition relation. Generating a sorting algorithm in
that way means that we have to encode all possible sorted arrays in the transition
relation, and thus we implemented a multiplexer for all possible inputs. Clearly, this
is infeasible for larger input sizes.
7.7.3 A Skeleton for Sorting Networks
Thus, another way to synthesize a sorting network is described in the following. In
the previous implementation, the decision which wires are connected to a comparator
node is made in multiple steps. Instead, now the connection between all the wires is
made in the first step using a permutation matrix, and afterwards it is checked that
those connections are valid. A permutation matrix is a two-dimensional array P
that describes the positions of the comparator nodes. Whenever in depth k there
is a comparator node that connects i and j, set P_{k,i} = j and P_{k,j} = i. Thus the
sorting network of Figure 7.12 would be represented by the permutation matrix given
in Figure 7.14, when we assume that the first two comparisons are done in parallel.

Figure 7.14: Permutation matrix for the sorting network of Figure 7.12
i | P0,i P1,i P2,i
0 |  1    2    0
1 |  0    3    1
2 |  3    0    2
3 |  2    1    3

Footnote 12 (to Guarantee 3 in Section 7.7.2): The expression
$G\Big(\big(\sum_{i=0}^{SIZE-1} [s[i]=0]\big) = \big(\sum_{i=0}^{SIZE-1} [b[i]=0]\big)\Big)$
can be rewritten to a boolean expression by enumerating every possible permutation
of a boolean array with length SIZE-1.

Using a permutation matrix we obtain the skeleton in Listing 7.6. As uncontrollable
inputs we have the input array. As controllable inputs we have a permutation matrix
P[DEPTH][SIZE]. In the first parallel statement, the inputs are compared according
to the permutation matrix P[0], so that the results of the comparator nodes are assigned
to Wire[0], which is the first level of the sorting network. The if statement ensures
that P[0] represents a valid permutation of {0, ..., SIZE-1}. This ensures that no
write conflict occurs. The rest of the levels W[1] ... W[SIZE-1] of the sorting network
are calculated in a similar manner.
Since everything is calculated in the first step, the specification to synthesize a
sorting network is:
Guarantee 1: The result at the end of the network is sorted:
$\bigwedge_{i=0}^{SIZE-2} (Wire[DEPTH-1][i] \le Wire[DEPTH][i+1])$
Guarantee 2: The result is a permutation of the inputs:
$\big(\sum_{i=0}^{SIZE-1} [input[i]=0]\big) = \big(\sum_{i=0}^{SIZE-1} [Wire[DEPTH][i]=0]\big)$
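As an added example (not code from the thesis), the following Python program encodes a sorting network as the permutation matrix P[DEPTH][SIZE] of Listing 7.6, evaluates it with the comparator semantics of that skeleton (minimum to the lower wire index), and checks Guarantee 1 and Guarantee 2 over all 2^SIZE boolean inputs, which suffices by the zero-one principle of Section 7.7.1. The matrix FIG_7_12 and all function names are constructed here; the matrix follows the three levels of the network described for Figure 7.12 (compare wires (0,1) and (2,3), then (0,2) and (1,3), then (1,2)).

```python
from itertools import product

# Constructed example: the sorting network of Figure 7.12 as the permutation
# matrix of Listing 7.6. P[k][i] == j (and P[k][j] == i) means that level k
# has a comparator between wires i and j; P[k][i] == i passes wire i through.
FIG_7_12 = [
    [1, 0, 3, 2],  # level 0: compare (x0, x1) and (x2, x3)
    [2, 3, 0, 1],  # level 1: compare (t00, t02) and (t01, t03)
    [0, 2, 1, 3],  # level 2: compare (t11, t12); wires 0 and 3 pass through
]


def is_valid_level(row):
    """A level is usable only if P[k] is an involution on {0, ..., SIZE-1}.

    This is the `P[k][P[k][i]] == i` guard of Listing 7.6: it rejects rows in
    which two comparator outputs would drive the same wire (a write conflict)
    as well as rows with out-of-range indices.
    """
    n = len(row)
    return all(0 <= j < n and row[j] == i for i, j in enumerate(row))


def apply_level(values, row):
    """Evaluate one level: the minimum goes to the lower wire index and the
    maximum to the higher one, exactly like the if/else in Listing 7.6."""
    out = list(values)
    for i, j in enumerate(row):
        if i < j:  # visit each comparator once, from its lower wire
            out[i], out[j] = min(values[i], values[j]), max(values[i], values[j])
    return out


def run_network(P, inputs):
    """Feed `inputs` through all levels of P and return the output wires."""
    wires = list(inputs)
    for k, row in enumerate(P):
        if not is_valid_level(row):
            raise ValueError(f"level {k} is not a valid permutation: {row}")
        wires = apply_level(wires, row)
    return wires


def size_of(P):
    """Total number of comparators; the depth is simply len(P)."""
    return sum(1 for row in P for i, j in enumerate(row) if i < j)


def first_unsorted_input(P, size):
    """Zero-one principle (Theorem 18): checking every boolean input suffices.

    Returns None if Guarantee 1 (output sorted) and Guarantee 2 (same number
    of 0's as the input) hold for all 2^size boolean inputs, otherwise the
    first counterexample in lexicographic order.
    """
    for bits in product((0, 1), repeat=size):
        out = run_network(P, bits)
        sorted_ok = all(out[i] <= out[i + 1] for i in range(size - 1))
        perm_ok = out.count(0) == bits.count(0)
        if not (sorted_ok and perm_ok):
            return bits
    return None


if __name__ == "__main__":
    print("depth", len(FIG_7_12), "size", size_of(FIG_7_12))
    print("full network counterexample:", first_unsorted_input(FIG_7_12, 4))
    # Only the first two levels: depth 2 is not enough for four inputs.
    print("depth-2 prefix counterexample:", first_unsorted_input(FIG_7_12[:2], 4))
    print("on arbitrary values:", run_network(FIG_7_12, [3, 1, 4, 2]))
```

The depth-2 prefix check reports the counterexample (0, 1, 0, 1), which illustrates why the experiments in Section 7.7.4 find no sorting network of depth less than 3 for size 4.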
7.7.4 Experimental Result for Sorting Networks
Having changed the skeleton in the described way, we performed several experiments
to evaluate the time needed to synthesize a sorting network. The runtime of our
algorithm is given in Figure 7.15 for different sizes and different depths. For size 5
and depth 4 our algorithm did not terminate within 24 hours while consuming 4 GB
of memory. Therefore we did not try our algorithm on larger sizes.

Figure 7.15: Time to synthesize a sorting network
Size  Depth  Time[seconds]
2     2      0
2     3      0
2     4      0
2     5      0
3     2      0
3     3      0
3     4      1
3     5      4
4     2      4
4     3      225
4     4      7295
5     2      24
5     3      2269
5     4      terminated

module SortingNetwork(nat[1] input[SIZE], nat[sizeOf(SIZE)] ?P[DEPTH][SIZE],
                      nat[1] &Wire[DEPTH][SIZE]) implements SortSpec(input, Wire) {
  // level 0: compare the inputs according to P[0]
  parallel(nat[sizeOf(SIZE-1)] i=0..(SIZE-1)) {
    if(P[0][P[0][i]]==i) {            // P[0] must be an involution (no write conflicts)
      if(P[0][i]==i) Wire[0][i] = input[i];   // wire i is passed through
      else if(i<P[0][i])                // handle each comparator once, from its lower wire
        if(input[i]<input[P[0][i]]) {
          Wire[0][i] = input[i];
          Wire[0][P[0][i]] = input[P[0][i]];
        } else {
          Wire[0][i] = input[P[0][i]];
          Wire[0][P[0][i]] = input[i];
        }
    }
  }
  // levels 1..DEPTH-1: compare the wires of the previous level according to P[k]
  parallel(nat[sizeOf(DEPTH-1)] k=1..(DEPTH-1)) {
    parallel(nat[sizeOf(SIZE-1)] i=0..(SIZE-1))
      if(P[k][P[k][i]]==i) {
        if(P[k][i]==i) Wire[k][i] = Wire[k-1][i];
        else if(i<P[k][i])
          if(Wire[k-1][i]<Wire[k-1][P[k][i]]) {
            Wire[k][i] = Wire[k-1][i];
            Wire[k][P[k][i]] = Wire[k-1][P[k][i]];
          } else {
            Wire[k][i] = Wire[k-1][P[k][i]];
            Wire[k][P[k][i]] = Wire[k-1][i];
          }
      }
  }
}
Listing 7.6: A Skeleton for Sorting Networks
In the following, we take a closer look at the sorting networks generated for size 3
and 4, since they show some unexpected behavior.
Our algorithm correctly identifies that for array sizes of 3 and 4 it is impossible to
generate a sorting network with depth less than 3. For size 3 and depth 3, the sorting
network of Figure 7.16 is obtained.
We also tried our algorithm with size 3 and depth 4. In that case, a non-optimal
sorting network with respect to the delay time should be obtained. However, instead
of simply copying all entries in one step, as we expected, our algorithm generated
the sorting network of Figure 7.17. We believe that this has to do with the way a
deterministic solution is obtained after the strategy has been calculated. So, although
a solution that copies every entry once is a valid solution and thus also calculated in
the strategy, the function to select exactly one solution need not pick it.
For size 4 and depth 3, the sorting network from Figure 7.18 is obtained.
The result for size 4 and depth 4 is shown in Figure 7.19. The sorting network is
the same as for depth 3 regarding the first 3 levels of the sorting network. For the
last level (which is superfluous), the permutation matrix simply copies the last step.
Thus, the last two comparisons are done twice, so that they have no effect at all.
Figure 7.16: The Synthesized Sorting Network for Array Size 3 and Depth 3 (inputs x0, x1, x2; outputs y0, y1, y2)
Figure 7.17: The Synthesized Sorting Network for Array Size 3 and Depth 4 (inputs x0, x1, x2; outputs y0, y1, y2)
Figure 7.18: The Synthesized Sorting Network for Array Size 4 and Depth 3 (inputs x0, x1, x2, x3; outputs y0, y1, y2, y3)
Figure 7.19: The Synthesized Sorting Network for Array Size 4 and Depth 4 (inputs x0, x1, x2, x3; outputs y0, y1, y2, y3)
8 Conclusion and Outlook
Automatic synthesis of reactive systems from (temporal) logic specifications has long
been a dream in computer science. However, due to the high complexity of the
problem, the synthesis problem was deemed to be infeasible in practice. Only recently,
researchers have been attracted to the problem again and progress has been made to
make synthesis practical.
Inspired by [49], which investigated the minimization of tree automata in the context
of synthesis, the first topic considered in this thesis was the minimization of parity
automata. We developed the theory of fair, reverse and direct simulation relations
for parity automata and demonstrated their effectiveness in Chapter 7. The examples
considered indicate that for co-Büchi automata, direct simulation minimization
is as good as fair simulation minimization or as the previously published delayed
simulation. For reverse simulation, we must conclude that its usefulness for controller
synthesis is very limited. Although reverse simulation can be used to minimize
the nondeterministic automaton, this minimization has no effect on the
deterministic automaton, which stays the same whether reverse simulation is enabled
or not. Finally, we considered the fair simulation minimization of parity automata
and demonstrated that it is a valuable tool to minimize parity automata. Although
the time needed to perform fair simulation is much larger than the time needed to
perform delayed simulation, fair simulation minimization is beneficial for larger
examples where the overall runtime is dominated by the synthesis procedure and not
by the minimization procedure.
Inspired by some of the works targeted at an efficient determinization procedure,
we presented in this thesis two different determinization constructions. The first one
is based on the temporal logic hierarchy and has been demonstrated to be a valuable
tool to obtain a deterministic automaton for the formulas of the hierarchy. We have
shown how the subset and the breakpoint construction can be implemented efficiently
using symbolic methods, and based on that procedure, our tool was able to clearly
outperform the explicitly implemented tool Lily, the first implementation of a synthesis
procedure that could handle full LTL. Whenever a formula is not part of the temporal
logic hierarchy, more powerful determinization constructions need to be employed. To
this end, we developed in Chapter 5 a new determinization construction that makes
use of the fact that the 'standard' translation yields unambiguous nondeterministic
Büchi automata. This determinization construction has also
been implemented. However, unlike the determinization construction based on the
temporal logic hierarchy, this determinization construction did not scale that well.
As one problem we identified that boolean combinations of temporal logic formulas
lead to an enormous blowup of the nondeterministic automata and thus make the
determinization construction infeasible. By breaking up boolean combinations, we
were nevertheless able to synthesize controllers for most of the specifications that we
considered, and also in that case, the Lily tool was clearly outperformed by our tool.
In practice, however, we do not believe that the unambiguous determinization
construction needs to be applied often. Most commonly used specifications consist of
a large safety fragment that can be handled even by the simple subset construction.
Nearly all other formulas occurring in practice belong to the class TLStreett, so that the
efficient breakpoint construction can be used. In that case, when the overall
specification is made up of relatively small subformulas, our approach scales rather well and
we are able to synthesize controllers for industry-sized specifications, which we have
demonstrated with the AMBA case study.
This case study also gave us some interesting insights into optimizations that
are less interesting from a theoretical point of view, but are necessary to turn controller
synthesis into a valuable tool. Using the optimizations described in Chapter
6, we were even able to outperform the tool Anzu [12], which uses the much simpler
algorithm from [79] for the solution of games. This advantage of our algorithm has
to do with two optimizations on the generalized parity algorithm that we explored in
Chapter 6: first, the ability to solve safety games separately, and second, a re-coloring
of (sub-)games that do not contain all colors.
The drawback of the tool Anzu is that the specifications that can be automatically
handled are very limited and every other specification must be manually brought into
the desired form. The approach of [79] assumes as input two sets of Büchi conditions
Φ and Ψ that represent assumptions and guarantees, respectively. Thus, it is possible
to combine our approach of generating deterministic (co-)Büchi automata by the
breakpoint construction with the approach of [79] to obtain more efficient synthesis
procedures.
This thesis shows the broad range of research options in LTL controller synthesis.
First, there is a need for better determinization constructions. In particular, a
determinization construction that can be minimized on-the-fly would be rather useful for
the general case. Furthermore, new application domains like fault detection and automatic
repair of systems offer many interesting topics for future work. As another direction of
future work, we already mentioned the solution of infinite games that are the backbone
of the controller synthesis constructions. We expect that future research in the field
of game solving will lead to large improvements. In combination with the work done
in this thesis, controller synthesis may at some point in the future become a valuable tool
accompanying well-established model checking.
Bibliography
[1] M. Ajtai, J. Komlós, and E. Szemerédi. An O(n log n) sorting network. In
Symposium on Theory of Computing (STOC), pages 1–9. ACM, 1983.
[2] C. Allauzen and M. Mohri. An efficient pre-determinization algorithm. In O.H.
Ibarra and Z. Dang, editors, Conference on Implementation and Application of
Automata (CIAA), volume 2759 of LNCS, pages 83–95, Santa Barbara, Cali-
fornia, USA, 2003. Springer.
[3] R. Alur and S. La Torre. Deterministic generators and games for LTL fragments.
ACM Transactions on Computational Logic (TOCL), 5(1):1–15, 2004.
[4] C. André. SyncCharts: A visual representation of reactive behaviors. Research
Report tr95-52, University of Nice, Sophia Antipolis, France, 1995.
[5] R. Armoni, S. Egorov, R. Fraer, D. Korchemny, and M.Y. Vardi. Efficient LTL
compilation for SAT-based model checking. In International Conference on
Computer-Aided Design (ICCAD), pages 877–884, San Jose, California, USA,
2005. ACM/IEEE Computer Society.
[6] Michael Bauland, Martin Mundhenk, Thomas Schneider, Henning Schnoor, Ilka
Schnoor, and Heribert Vollmer. The tractability of model-checking for LTL: The
good, the bad, and the ugly fragments. Electron. Notes Theor. Comput. Sci.,
231:277–292, 2009.
[7] A. Benveniste, P. Caspi, S. Edwards, N. Halbwachs, P. Le Guernic, and R. de
Simone. The synchronous languages twelve years later. Proceedings of the IEEE,
91(1):64–83, 2003.
[8] J. Bernet, D. Janin, and I. Walukiewicz. Permissive strategies: from par-
ity games to safety games. RAIRO Theoretical Informatics and Applications,
36:251–275, 2002.
[9] G. Berry. The Esterel v5 language primer. http://www-sop.inria.fr/
esterel.org/, July 2000.
[10] R. Bloem, A. Cimatti, I. Pill, M. Roveri, and S. Semprini. Symbolic imple-
mentation of alternating automata. In O.H. Ibarra and H.-C. Yen, editors,
Conference on Implementation and Application of Automata (CIAA), volume
4094 of LNCS, pages 208–218, Taipei, Taiwan, 2006. Springer.
[11] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli, and M. Weiglhofer.
Automatic hardware synthesis from specifications: a case study. In R. Lauwere-
ins and J. Madsen, editors, Design, Automation and Test in Europe (DATE),
pages 1188–1193, Nice, France, 2007. IEEE Computer Society.
[12] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli, and M. Weiglhofer.
Specify, compile, run: Hardware from PSL. Electronic Notes in Theoretical
Computer Science (ENTCS), 190:3–16, 2007.
[13] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic
model checking: 10^20 states and beyond. In Logic in Computer Science (LICS),
pages 1–33, Washington, DC, USA, 1990. IEEE Computer Society.
[14] J.R. Büchi. Weak second-order arithmetic and finite automata. Zeitschrift für
mathematische Logik und Grundlagen der Mathematik, 6(1):66–92, 1960.
[15] J.R. Büchi. Weak second order arithmetic and finite automata. Z. Math. Logik
Grundlagen Math., 6:66–92, 1960.
[16] J.R. Büchi and L.H. Landweber. Solving sequential conditions by finite-state
strategies. Transactions of the American Mathematical Society, 138:295–311,
1969.
[17] O. Carton and M. Michel. Unambiguous Büchi automata. Theoretical Computer
Science (TCS), 297(1-3):37–81, 2003.
[18] E.Y. Chang, Z. Manna, and A. Pnueli. Characterization of temporal property
classes. In W. Kuich, editor, International Colloquium on Automata, Languages
and Programming (ICALP), volume 623 of LNCS, pages 474–486, Vienna, Aus-
tria, 1992. Springer.
[19] K. Chatterjee, T.A. Henzinger, and N. Piterman. Generalized parity games. In
H. Seidl, editor, Foundations of Software Science and Computation Structures
(FOSSACS), volume 4423 of LNCS, pages 153–167, Braga, Portugal, 2007.
Springer.
[20] A. Church. Logic, arithmetic and automata. In International Cong. Math, pages
23–35, Stockholm, Sweden, 1962.
[21] E.M. Clarke, O. Grumberg, and K. Hamaguchi. Another look at LTL model
checking. Formal Methods in System Design (FMSD), 10(1):47–71, February
1997.
[22] L. de Alfaro, T.A. Henzinger, and R. Majumdar. From verification to control:
Dynamic programs for omega-regular objectives. In Logic in Computer Science
(LICS), pages 279–290, Boston, Massachusetts, USA, 2001. IEEE Computer
Society.
[23] D.L. Dill, A.J. Hu, and H. Wong-Toi. Checking for language inclusion using
simulation preorders. In K.G. Larsen and A. Skou, editors, Computer Aided
Verification (CAV), volume 575 of LNCS, pages 255–265, Aalborg, Denmark,
1992. Springer.
[24] E.A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook
of Theoretical Computer Science, volume B: Formal Models and Semantics,
chapter 16, pages 995–1072. Elsevier, 1990.
[25] E.A. Emerson and E.M. Clarke. Using branching-time temporal logic to syn-
thesize synchronization skeletons. Science of Computer Programming, 2(3):241–
266, 1982.
[26] E.A. Emerson and C.S. Jutla. Tree automata, µ-calculus and determinacy. In
Foundations of Computer Science (FOCS), pages 368–377, San Juan, Puerto
Rico, 1991.
[27] E.A. Emerson and A.P. Sistla. Deciding branching time logic. In Symposium
on Theory of Computing (STOC), pages 14–24, 1984.
[28] K. Etessami, T. Wilke, and R.A. Schuller. Fair simulation relations, parity
games, and state space reduction for Büchi automata. SIAM Journal on
Computing (SICOMP), 34(5):1159–1175, 2005.
[29] K. Fisler and S.D. Johnson. Integrating design and verification environments
through a logic supporting hardware diagrams. In Computer Hardware Descrip-
tion Languages and Their Applications (CHDL), pages 669–674. IEEE Com-
puter Society, 1995. CHDL proceedings pp. 493-696 of the “ACV’95” held
August 29 to September 1, 1995, Chiba, Japan.
[30] C. Fritz. Constructing Büchi automata from linear temporal logic using
simulation relations for alternating Büchi automata. In O.H. Ibarra and Z. Dang,
editors, Conference on Implementation and Application of Automata (CIAA),
volume 2759 of LNCS, pages 35–48, Santa Barbara, California, USA, 2003.
Springer.
[31] C. Fritz. Concepts of automata construction from LTL. In G. Sutcliffe and
A. Voronkov, editors, Logic for Programming, Artificial Intelligence, and Rea-
soning (LPAR), volume 3835 of LNCS, pages 728–742, Montego Bay, Jamaica,
2005. Springer.
[32] C. Fritz. Simulation-Based Simplification of omega-Automata. PhD thesis,
Technische Fakultät der Christian-Albrechts-Universität zu Kiel, Germany, 2005.
[33] C. Fritz and T. Wilke. State space reductions for alternating Büchi automata.
In M. Agrawal and A. Seth, editors, Foundations of Software Technology and
Theoretical Computer Science (FSTTCS), volume 2556 of LNCS, pages 157–
168, Kanpur, India, 2002. Springer.
[34] C. Fritz and T. Wilke. Simulation relations for alternating parity automata and
parity games. In O.H. Ibarra and Z. Dang, editors, Developments in Language
Theory (DLT), volume 4036 of LNCS, pages 59–70. Springer, 2006.
[35] P. Gastin and D. Oddoux. Fast LTL to Büchi automata translation. In G. Berry,
H. Comon, and A. Finkel, editors, Computer Aided Verification (CAV), volume
2102 of LNCS, pages 53–65, Paris, France, 2001. Springer.
[36] Embedded Systems Group. The Averest toolset. Website. Available online at
http://www.averest.org.
[37] E. Grädel, W. Thomas, and T. Wilke. Automata, Logics, and Infinite Games,
volume 2500 of LNCS. Springer, Dagstuhl, Germany, 2002.
[38] D.P. Guelev. A syntactical proof of the canonical reactivity form for past linear
temporal logic. Journal of Logic and Computation, 18(9):615–623, 2008.
[39] Y.S. Gurevich and L. Harrington. Trees, automata, and games. In Symposium
on Theory of Computing (STOC), pages 60–65, San Francisco, California, USA,
1982.
[40] S. Gurumurthy, R. Bloem, and F. Somenzi. Fair simulation minimization. In
E. Brinksma and K.G. Larsen, editors, Computer Aided Verification (CAV),
volume 2404 of LNCS, pages 610–623, Copenhagen, Denmark, 2002. Springer.
[41] S. Gurumurthy, O. Kupferman, F. Somenzi, and M.Y. Vardi. On complementing
nondeterministic Büchi automata. In D. Geist and E. Tronci, editors, Correct
Hardware Design and Verification Methods (CHARME), volume 2860 of LNCS,
pages 96–110, L'Aquila, Italy, 2003. Springer.
[42] N. Halbwachs. Synchronous programming of reactive systems. Kluwer, 1993.
[43] N. Halbwachs, P. Caspi, P. Raymond, and D. Pilaud. The synchronous dataflow
programming language LUSTRE. Proceedings of the IEEE, 79(9):1305–1320,
September 1991.
[44] D. Harel. Statecharts: A visual formulation for complex systems. Science of
Computer Programming, 8(3):231–274, 1987.
[45] T.A. Henzinger, O. Kupferman, and S.K. Rajamani. Fair simulation. In
A. Mazurkiewicz and J. Winkowski, editors, Concurrency Theory (CONCUR),
volume 1243 of LNCS, pages 273–287, Warsaw, Poland, 1997. Springer.
[46] T.A. Henzinger and N. Piterman. Solving games without determinization. In
Z. Ésik, editor, Computer Science Logic (CSL), volume 4207 of LNCS, pages
395–410, Szeged, Hungary, 2006. Springer.
[47] A.J. Hu and D.L. Dill. Reducing BDD size by exploiting functional dependen-
cies. In Design Automation Conference (DAC), pages 266–271, Dallas, Texas,
USA, 1993. ACM.
[48] B. Jobstmann. Applications and Optimizations for LTL Synthesis. PhD thesis,
IST - Institute for Software Technology, TU Graz, Graz, Austria, February
2007.
[49] B. Jobstmann and R. Bloem. Optimizations for LTL synthesis. In A. Gupta and
P. Manolios, editors, Formal Methods in Computer-Aided Design (FMCAD),
pages 117–124, San Jose, California, USA, 2006. IEEE Computer Society.
[50] B. Jobstmann, S. Galler, M. Weiglhofer, and R. Bloem. Anzu: A tool for
property synthesis. In W. Damm and H. Hermanns, editors, Computer Aided
Verification (CAV), volume 4590 of LNCS, pages 258–262, Berlin, Germany,
2007. Springer.
[51] B. Jobstmann, A. Griesmayer, and R. Bloem. Program repair as a game. In
K. Etessami and S.K. Rajamani, editors, Computer Aided Verification (CAV),
volume 3576 of LNCS, pages 226–238, Edinburgh, UK, 2005. Springer.
[52] B. Jobstmann, S. Staber, A. Griesmayer, and R. Bloem. Finding and fixing
faults. Journal of Computer and System Sciences (JCSS), 2009.
[53] Y. Kesten, A. Pnueli, and L. Raviv. Algorithmic verification of linear temporal
logic specifications. In K.G. Larsen, S. Skyum, and G. Winskel, editors, In-
ternational Colloquium on Automata, Languages and Programming (ICALP),
volume 1443 of LNCS, pages 1–16, Aalborg, Denmark, 1998. Springer.
[54] J. Klein and C. Baier. Experiments with deterministic ω-automata for formulas
of linear temporal logic. Theoretical Computer Science (TCS), 363(2):182–195,
October 2006. http://dx.doi.org/10.1016/j.tcs.2006.07.022.
[55] D.E. Knuth. The Art of Computer Programming, volume 2. Addison-Wesley,
1998.
[56] D. Kozen. Results on the propositional µ-calculus. Theoretical Computer Sci-
ence (TCS), 27(3):333–354, December 1983.
[57] O. Kupferman. Avoiding determinization. In Logic in Computer Science
(LICS), pages 243–254, Seattle, Washington, USA, 2006. IEEE Computer So-
ciety.
[58] O. Kupferman, N. Piterman, and M.Y. Vardi. Safraless compositional synthesis.
In T. Ball and R.B. Jones, editors, Computer Aided Verification (CAV), volume
4144 of LNCS, pages 31–44, Seattle, Washington, USA, 2006. Springer.
[59] O. Kupferman and M.Y. Vardi. Freedom, weakness, and determinism: From
linear-time to branching-time. In Logic in Computer Science (LICS), pages
81–92, Indianapolis, Indiana, USA, 1998. IEEE Computer Society.
[60] O. Kupferman and M.Y. Vardi. Safraless decision procedures. In Foundations
of Computer Science (FOCS), pages 531–540. IEEE Computer Society, 2005.
[61] L.H. Landweber. Decision problems for ω-automata. Mathematical Systems
Theory, 3(4):376–384, 1969.
[62] ARM Ltd. AMBA specification (rev. 2). Website, 1999. Available online at
http://www.arm.com.
[63] M. Maidl. The common fragment of CTL and LTL. In Foundations of Computer
Science (FOCS), pages 643–652, 2000.
[64] Z. Manna and A. Pnueli. Specification and verification of concurrent programs
by ∀-automata. In B. Banieqbal, H. Barringer, and A. Pnueli, editors, Temporal
Logic in Specification, volume 398 of LNCS, pages 124–164, Altrincham, UK,
1989. Springer.
[65] Z. Manna and A. Pnueli. A hierarchy of temporal properties. In Principles of Distributed Computing (PODC), pages 377–408, Quebec City, Quebec, Canada, 1990. ACM.
[66] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer, 1992.
[67] R. McNaughton and S. Papert. Counter-free Automata. MIT Press, 1971.
[68] S. Merz and A. Sezgin. Emptiness of linear weak alternating automata. Technical report, LORIA, 2003.
[69] R. Milner. An algebraic definition of simulation between programs. In International Joint Conference on Artificial Intelligence (IJCAI), pages 481–489, 1971.
[70] S. Miyano and T. Hayashi. Alternating automata on ω-words. Theoretical Computer Science (TCS), 32:321–330, 1984.
[71] A. Morgenstern and K. Schneider. From LTL to symbolically represented deterministic automata. In F. Logozzo, D.A. Peled, and L.D. Zuck, editors, Verification, Model Checking, and Abstract Interpretation (VMCAI), volume 4905 of LNCS, pages 279–293, San Francisco, California, USA, 2008. Springer.
[72] A. Morgenstern, K. Schneider, and S. Lamberti. Generating deterministic ω-automata for most LTL formulas by the breakpoint construction. In C. Scholl and S. Disch, editors, Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systemen (MBMV), pages 119–128, Freiburg, Germany, 2008. Shaker.
[73] A.W. Mostowski. Regular expressions for infinite trees and a standard form of automata. In A. Skowron, editor, Computation Theory, volume 208 of LNCS, pages 157–168. Springer, 1984.
[74] D.E. Muller, A. Saoudi, and P.E. Schupp. Alternating automata, the weak monadic theory of the tree, and its complexity. In L. Kott, editor, International Colloquium on Automata, Languages and Programming (ICALP), volume 226 of LNCS, pages 275–283, Rennes, France, 1986. Springer.
[75] D.E. Muller and P.E. Schupp. Simulating alternating tree automata by nondeterministic automata: New results and new proofs of the theorems by Rabin, McNaughton, and Safra. Theoretical Computer Science (TCS), 141(1-2):69–108, 1995.
[76] I. Parberry. A computer assisted optimal depth lower bound for sorting networks with nine inputs. In Supercomputing, pages 152–161, Reno, Nevada, USA, 1989. ACM. http://doi.acm.org/10.1145/76263.76280.
[77] R. Pelánek and J. Strejcek. Deeper connections between LTL and alternating automata. In J. Farré, I. Litovsky, and S. Schmitz, editors, Conference on Implementation and Application of Automata (CIAA), volume 3845 of LNCS, pages 238–249, Sophia Antipolis, France, 2006. Springer.
[78] N. Piterman. From nondeterministic Büchi and Streett automata to deterministic parity automata. In Logic in Computer Science (LICS), pages 255–264, Seattle, Washington, USA, 2006. IEEE Computer Society.
[79] N. Piterman, A. Pnueli, and Y. Sa’ar. Synthesis of reactive(1) designs. In E.A. Emerson and K.S. Namjoshi, editors, Verification, Model Checking, and Abstract Interpretation (VMCAI), volume 3855 of LNCS, pages 364–380, Charleston, South Carolina, USA, 2006. Springer.
[80] A. Pnueli. The temporal logic of programs. In Foundations of Computer Science (FOCS), pages 46–57, Providence, Rhode Island, USA, 1977. IEEE Computer Society.
[81] A. Pnueli and R. Rosner. On the synthesis of a reactive module. In Principles of Programming Languages (POPL), pages 179–190, Austin, Texas, USA, 1989. ACM.
[82] M.O. Rabin. Decidability of second-order theories and automata on infinite trees. Transactions of the American Mathematical Society, 141:1025–1029, 1969.
[83] M.O. Rabin. Automata on infinite objects and Church’s problem. In Regional Conference Series in Mathematics, volume 13. American Mathematical Society, 1972.
[84] M.O. Rabin and D. Scott. Finite automata and their decision problems. IBM Journal of Research and Development, 3:115–125, 1959.
[85] P.J. Ramadge and W.M. Wonham. Supervisory control of a class of discrete event processes. SIAM Journal of Control and Optimization (SICON), 25(1):206–230, 1987.
[86] R. Rosner. Modular Synthesis of Reactive Systems. PhD thesis, The Weizmann Institute of Science, Rehovot, Israel, 1992.
[87] K.Y. Rozier and M.Y. Vardi. LTL satisfiability checking. In D. Bosnacki and S. Edelkamp, editors, Model Checking Software (SPIN), volume 4595 of LNCS, pages 149–167, Berlin, Germany, 2007. Springer.
[88] S. Safra. On the complexity of ω-automata. In Foundations of Computer Science (FOCS), pages 319–327, 1988.
[89] S. Schewe. Solving parity games in big steps. In V. Arvind and S. Prasad, editors, Foundations of Software Technology and Theoretical Computer Science (FSTTCS), volume 4855 of LNCS, pages 449–460, New Delhi, India, 2007. Springer.
[90] K. Schneider. Improving automata generation for linear temporal logic by considering the automata hierarchy. In R. Nieuwenhuis and A. Voronkov, editors, Logic for Programming, Artificial Intelligence, and Reasoning (LPAR), volume 2250 of LNAI, pages 39–54, Havana, Cuba, 2001. Springer.
[91] K. Schneider. Verification of Reactive Systems - Formal Methods and Algorithms. Texts in Theoretical Computer Science (EATCS Series). Springer, 2003.
[92] K. Schneider. The synchronous programming language Quartz. Internal Report 375, Department of Computer Science, University of Kaiserslautern, Kaiserslautern, Germany, 2009.
[93] K. Schneider and T. Kropf. The C@S system: Combining proof strategies for system verification. In T. Kropf, editor, Formal Hardware Verification - Methods and Systems in Comparison, volume 1287 of LNCS, pages 248–329. Springer, state of the art report edition, August 1997.
[94] K. Schneider and G. Logothetis. Abstraction of systems with counters for symbolic model checking. In M. Mutz and N. Lange, editors, Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systemen (MBMV), pages 31–40, Braunschweig, Germany, 1999. Shaker.
[95] R. Sebastiani and S. Tonetta. More deterministic vs. smaller Büchi automata for efficient LTL model checking. In D. Geist and E. Tronci, editors, Correct Hardware Design and Verification Methods (CHARME), volume 2860 of LNCS, pages 126–140, L’Aquila, Italy, 2003. Springer.
[96] A.P. Sistla and E.M. Clarke. The complexity of propositional linear temporal logics. Journal of the ACM (JACM), 32(3):733–749, July 1985.
[97] S. Sohail and F. Somenzi. Safety first: A two-stage algorithm for LTL games. In Formal Methods in Computer-Aided Design (FMCAD), pages 77–84, Austin, Texas, USA, 2009. IEEE Computer Society.
[98] S. Sohail, F. Somenzi, and K. Ravi. A hybrid algorithm for LTL games. In F. Logozzo, D.A. Peled, and L.D. Zuck, editors, Verification, Model Checking, and Abstract Interpretation (VMCAI), volume 4905 of LNCS, pages 309–323, San Francisco, California, USA, 2008. Springer.
[99] F. Somenzi and R. Bloem. Efficient Büchi automata from LTL formulae. In E.A. Emerson and A.P. Sistla, editors, Computer Aided Verification (CAV), volume 1855 of LNCS, pages 248–263, Chicago, Illinois, USA, 2000. Springer.
[100] L. Staiger and K.W. Wagner. Automatentheoretische Charakterisierungen topologischer Klassen regulärer Folgenmengen. Elektronische Informationsverarbeitung und Kybernetik, 10:379–392, 1974.
[101] R.S. Streett. Propositional dynamic logic of looping and converse is elementarily decidable. Information and Control, 54(1-2):121–141, 1982.
[102] W. Thomas. Automata on infinite objects. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B: Formal Models and Semantics, chapter 4, pages 133–191. Elsevier, 1990.
[103] W. Thomas. Infinite trees and automaton definable relations over ω-words. In C. Choffrut and T. Lengauer, editors, Symposium on Theoretical Aspects of Computer Science (STACS), volume 415 of LNCS, pages 263–277. Springer, 1990.
[104] W. Thomas. On the synthesis of strategies in infinite games. In E.W. Mayr and C. Puech, editors, Symposium on Theoretical Aspects of Computer Science (STACS), volume 900 of LNCS, pages 1–13, Munich, Germany, 1995. Springer.
[105] T. Tuerk and K. Schneider. Relationship between alternating omega-automata and symbolically represented nondeterministic omega-automata. Internal Report 340, Department of Computer Science, University of Kaiserslautern, Kaiserslautern, Germany, November 2005.
[106] M.Y. Vardi. An automata-theoretic approach to linear temporal logic. In F. Moller and G. Birtwistle, editors, Logics for Concurrency - Structure versus Automata, volume 1043 of LNCS, pages 238–266. Springer, 1996.
[107] M.Y. Vardi. Branching vs. linear time: Final showdown. In T. Margaria and W. Yi, editors, Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume 2031 of LNCS, pages 1–22, Genoa, Italy, 2001. Springer.
[108] J. Vöge and M. Jurdzinski. A discrete strategy improvement algorithm for solving parity games. In E.A. Emerson and A.P. Sistla, editors, Computer Aided Verification (CAV), volume 1855 of LNCS, pages 202–215, Chicago, Illinois, USA, 2000. Springer.
[109] K. Wagner. On ω-regular sets. Information and Control, 43(2):123–177, 1979.
[110] N. Wallmeier, P. Hütten, and W. Thomas. Symbolic synthesis of finite-state controllers for request-response specifications. In O.H. Ibarra and Z. Dang, editors, Conference on Implementation and Application of Automata (CIAA), volume 2759 of LNCS, pages 11–22, Santa Barbara, California, USA, 2003. Springer.
[111] B.W. Watson. Directly constructing minimal DFAs: Combining two algorithms by Brzozowski. In S. Yu and A. Păun, editors, Conference on Implementation and Application of Automata (CIAA), volume 2088 of LNCS, pages 311–317, London, Ontario, Canada, 2001. Springer.
[112] P.L. Wolper. Synthesis of Communicating Processes from Temporal Logic Specifications. PhD thesis, University of California, Palo Alto, California, USA, 1982.
[113] Y. Xu, E. Cerny, X. Song, F. Corella, and O. Aït Mohamed. Model checking for a first-order temporal logic using multiway decision graphs. In A.J. Hu and M.Y. Vardi, editors, Computer Aided Verification (CAV), volume 1427 of LNCS, pages 219–231, Vancouver, British Columbia, Canada, 1998. Springer.
[114] Z. Zhou, X. Song, S. Tahar, E. Cerny, F. Corella, and M. Langevin. Formal verification of the island tunnel controller using multiway decision graphs. In M.K. Srivas and A. Camilleri, editors, Formal Methods in Computer-Aided Design (FMCAD), volume 1166 of LNCS, pages 233–247, Palo Alto, California, USA, 1996. Springer.