Abstract. Synthesizing monitor circuits for LTL formulas is expensive, because the number of flip-flops in the circuit is exponential in the length of the formula. As a result, the IEEE standard PSL recommends to restrict monitoring to the simple subset and use the full logic only for static verification. We present a novel construction for the synthesis of monitor circuits from specifications in LTL. In our construction, only subformulas with unbounded-future operators contribute to the exponential blowup. We split the specification into a bounded and an unbounded part, apply specialized constructions for each part, and then compose the results into a monitor for the original specification. Since the unbounded part in practical specifications is often very small, we argue that, with the new construction, it is no longer necessary to restrict runtime verification to the simple subset.
Introduction
In runtime verification, we monitor the running system and check on-the-fly whether the desired properties hold. Unlike in static verification, where the verification algorithm is executed at design-time and can therefore afford to spend significant time and resources, runtime verification algorithms must run in synchrony with the monitored system and usually even share the resources of the implementation platform.
For specifications in succinct temporal logics, such as LTL this is problematic, because one can easily specify properties that are hard to monitor. For example, a simple cache property like "it is always the case that if the present input vector has previously been seen in the last 100 steps, a cache hit is reported" can be specified with an LTL formula that is linear in the size of the input vector, but the construction of a deterministic monitor automaton would yield an intractable number of states, because every possible combination of the vectors needs a separate state (cf. [1] ).
In the IEEE standard PSL [2] , which is based on LTL, these considerations have led to the recommendation that only a restricted sublogic, the so-called simple subset, is to be used in runtime verification (cf. [3] ). The simple subset restricts the use of disjunctions in the specification. While the simple subset has been shown to lead to small monitoring circuits, the restriction is often unfortunate, especially when specifications are shared between model checking and runtime verification. Rather than stating, for example, that a disjunction of temporal output patterns is safe, the simple subset requires that every output pattern be described as a deterministic consequence of a specific input pattern.
From an automata-theoretic standpoint, the temporal formulas in the simple subset correspond to universal automata, where the transitions relate states to conjunctions of successor states. There is a linear translation from temporal formulas in the simple subset to universal automata, and universal automata can be implemented with a linear number of flip-flops. For unrestricted formulas, on the other hand, a direct translation results in an alternating automaton, whose transitions have both conjunctions and disjunctions. It is the translation from alternating to universal automata that causes the exponential blow-up.
However, it is well-known that the membership problem for alternating automata can be solved directly, without a translation to universal automata and in linear time, as long as the relevant part of the input word is available in reverse order. Rather than evaluating in a forward manner, which corresponds to determinization, the automaton is simply evaluated backward, like a combinatorial circuit. The question arises, if, by using this alternative membership test, one can avoid the exponential blow-up in the size of the monitoring circuit. Is the restriction to the simple subset in fact unnecessary?
In this paper, we present a new monitoring approach for general temporal specifications that avoids the translation to universal automata when possible. For example, the truth value of the cache specification at some position i is determined by the observations at positions i, i + 1, . . . , i + 99. The specification can therefore be evaluated by unrolling the alternating automaton over 100 steps, avoiding the exponential increase in the size of the circuit.
To make this idea precise, we define, for each subformula of a specification, its temporal horizon, which indicates a future point in time by which the value of the subformula for the present position is guaranteed to be determined. Subformulas with finite horizons define languages that are finite themselves.
The study of events characterized by finite languages goes back to Kleene's definite events [4] and the locally testable events of McNaughton and Papert [5] . In the terminology of McNaughton and Papert, a set E of words is called a locally testable event in the strict sense if there exists a finite language L, such that all subwords of each word in E have a prefix in L. McNaughton and Papert construct an automaton that maintains an input buffer that is large enough to capture the largest words in L. In each step, a combinatorial circuit checks if the pipeline content belongs to L.
In our setting, the languages recognizable by such an automaton correspond to LTL formulas of the form G φ, where φ contains only bounded future operators. In this paper, we extend this idea to allow the bounded subformulas to occur within general temporal formulas. For each subformula with finite horizon
suffix transducer (S) µ S Fig. 1 . Overview of the monitor construction.
t we introduce a pipeline and a combinatorial circuit that computes, online as new elements enter the pipeline, a Boolean value that corresponds to the truth of the formula from the perspective of t steps ago in the past. From the delayed truth values of the subformulas we extrapolate the current truth value of the formula. This is possible because the truncated-path semantics [6] (as used, for example, in PSL) provides default values for subformulas that refer to the future beyond the current cut-off point. The truncated-paths semantics distinguishes between strong and weak subformulas: for example, the strong specification "X X p" is true only if the visible trace is at least two positions long and p holds in the second position. Negation flips between the strong and weak interpretation. Given a pipeline that contains the delayed truth values of the subformulas, we can therefore construct an extrapolation circuit that applies, at each position, the truncated-trace semantics instantly to the entire path suffix stored in the pipeline. Figure 1 gives an overview of our construction. We say a subformula is bounded if its horizon is finite, and unbounded otherwise. We call the part of the monitor that deals with the pipeline storage and the evaluation of the bounded formulas the suffix transducer S: for some infinite trace σ, the suffix transducer evaluates the suffix of σ, from the delayed position in the trace onward, to derive the truth value of the bounded-future formulas.
Correspondingly, the part of the monitor that deals with unbounded formulas is called the prefix transducer P: the prefix transducer evaluates the prefix of σ, up to the currently observed position i, to derive the truth value of the complete specification. The prefix transducer is based on a universal automaton U(ϕ), which checks whether a given prefix of the trace satisfies ϕ.
The extrapolation function, denoted by µ P in Figure 1 , evaluates the part of the trace that is currently stored in the pipeline, i.e., the difference between the delayed position considered by U(ϕ) and the present position i.
The resulting circuit has the following properties. If the specification is (1) simple, (2) bounded, or (3) a combination thereof (a formula that is simple except for subformulas that are not simple but bounded), the circuit is polynomial in the specification. If the specification is (4) neither simple nor bounded, then the circuit is exponential in the size of the specification after removing all bounded subformulas.
While the possibility of an exponential blow-up is thus not excluded, it is our experience that even case (4) rarely leads to a blow-up in practice. Specifications that are neither simple nor bounded mostly occur when the correct behavior is specified in terms of a correlation of different events such as "G((AorB) U(CorD))," where the events A, B, C and D are specified by bounded formulas expressing certain finite input or output patterns that constitute events. Once the bounded subformulas have been removed, the specification becomes very small and the resulting monitoring circuit typically fits easily on an FPGA board.
Related Work. Monitoring LTL is a key problem in runtime verification (cf. [7, 8, 9, 10, 11] ). The two most prominent tools for the synthesis of monitor circuits from the simple subset of PSL are FoCs [12] , developed at IBM Haifa, and MBAC by Boulé and Zilic [13] . For unrestricted temporal logic, an automata-theoretic construction (based on determinization) is due to Armoni et al. [14] . Our prefix transducer is inspired by this construction.
More generally, the problem of translating LTL and logics based on LTL to automata occurs in both runtime verification and model checking. Constructions aimed at model checking (cf. [15, 16, 17, 18] ) are, however, not immediately applicable to runtime verification. First, such constructions typically only produce nondeterministic automata, rather than deterministic monitors. Hence, a further exponential determinization step is required to obtain a monitor. Second, these constructions typically produce automata over infinite words rather than automata or transducers over finite words.
Our approach is based on the truncated-path semantics [6] used in PSL. The truncated-path semantics differs from the bad-prefix semantics used in several monitoring approaches (cf. [8, 19, 20] ), where a finite-word automaton is constructed that recognizes the "bad prefixes" of the language of an infinite-word automaton, i.e., the set of prefixes that cannot be extended to accepted infinite words [1] . In the truncated-path semantics, strong specifications may be violated on a prefix even if a satisfying extension exists.
Locally testable events were introduced by [21] and [5] and broadly studied in the literature (refer e.g. to [22] ). In [23] Kupferman, Lustig, and Vardi point out the particular relevance of locally testable events in a strict sense (as introduced in [5] ), which they call locally checkable properties. They emphasize the low memory footprint of monitors for locally checkable properties, since their size depend only on the number of variables and the length of the pipeline.
The key contribution of this paper is to exploit the local testablility of bounded subformulas that occur within general temporal properties by the introduction of a pipeline into the monitoring circuit. Because bounded subformulas are evaluated directly, based on the pipeline content, rather than folded into the determinization of the prefix transducer, the resulting circuit can be exponentially smaller than the circuits constructed by previous approaches.
Temporal Specifications
Our approach is based on LTL with an bounded and an unbounded version of the temporal operators.
1 Definition 1 (Syntax). Given a set of atomic propositions AP , let ϕ 1 and ϕ 2 be temporal formulas, and let i, j ∈ N ∪ {∞}. Then the following are temporal formulas over AP :
The main operator of the logic is the Until operator ϕ 1 U (l,u) ϕ 2 , which we use in its parameterized form, where l, u ∈ N ∪ {∞} indicate a lower and upper bound, respectively, of the interval within which ϕ 2 must hold. As usual, the Until operator subsumes the Next, Eventually, and Always operators:
We call a formula simple if the operand of every negation and the right-hand operand of every Until is a Boolean expression over AP . The size |ϕ| of a formula ϕ is the number of subformulas plus, for parameterized subformulas, the sum of all constants.
We use a truncated semantics [6] , defined over finite words from the alphabet 2 AP . We denote the length of a finite or infinite word σ by |σ|, where the empty word has length | | = 0, a finite word σ = σ(0), σ(1), σ(2), . . . σ(n − 1) has length |σ| = n and an infinite word σ = σ(0), σ(1), σ(2), . . . has length |σ| = ∞. For a finite or infinite word σ and i < j ≤ |σ|, σ (i,j) = σ(i), σ(i + 1), . . . , σ(j) denotes the subword of length j − i + 1 starting at index i. σ (i,... ) = σ(i), σ(i + 1), . . . denotes the suffix of σ starting at index i.
The truncated semantics is defined with respect to a context indicating either weak or strong strength. We use σ s |= ϕ to denote that σ satisfies formula ϕ strongly, and σ w |= ϕ to denote that σ satisfies ϕ weakly. We say σ satisfies ϕ, denoted by σ |= ϕ, iff σ satisfies ϕ strongly. Negation switches between the weak and strong contexts: Definition 2 (Semantics). A finite word σ over AP satisfies a temporal formula ϕ, denoted by σ |= ϕ, iff σ s |= ϕ, where s |= and w |= are defined as follows:
there is an i such that l ≤ i ≤ u and σ (i,... )
where p ∈ AP and ϕ 1 and ϕ 2 are temporal formulas.
Monitoring Temporal Specifications
Monitoring a specification ϕ means to decide for each prefix of a (possibly infinite) word over 2 AP whether the prefix satisfies ϕ.
Definition 3 (The Monitoring Problem). Given a temporal formula ϕ over a set of atomic propositions AP , and a word σ over 2 AP , the monitoring problem consists of constructing a word σ over 2 {ϕ} such that ϕ ∈ σ (i) iff σ(0, i) |= ϕ.
A characteristic of the monitoring problem is that, since the length of the trace σ may grow beyond any bound, the space complexity of any reasonable solution must be constant in |σ|. This entails that the problem should be solved online, i.e., by reading new observations as they become available.
We now give an overview of our monitoring approach. As shown in Figure 1 , our construction is split into two parts: the suffix transducer S, which evaluates the bounded subformulas on the suffix of the trace, and the prefix transducer P, which evaluates the complete specification on the prefix that has been seen so far. To formally describe the interface between the two transducers, we need a few auxiliary definitions.
Let ϕ be a temporal formula. The set of strong subformulas Sub s (ϕ) contains all subformulas that occur in the scope of an even number of negations (including 0). The set of weak subformulas Sub w (ϕ) contains all subformulas that occur in the scope of an odd number of negations. The set of subformulas is the union
For each temporal formula ϕ, we define the horizon of ϕ as the number of steps into the future the truth value of the formula may depend on, i.e.,
The separation formulas form the interface between the prefix and suffix transducers. Reading an input word σ over 2 AP , the suffix transducer computes, for each separation formula γ ∈ Γ c (where c ∈ {s, w}), each position i, and each offset j ≤ H, the value of the additional propositions γ, j, c , such that γ, j, c is true iff the truncated suffix σ (i−H+j,i) satisfies γ (strongly or weakly, depending on c). Reading an input word over 2 AP , where
the prefix transducer then treats the separation formulas as atomic propositions. is weak, b occurs both as a strong and a weak subformula, but only as a maximal weak subformula. Reading an input word over AP = {a, b}, the suffix transducer produces an output word over
The overall monitoring problem is solved by the functional composition of the suffix and prefix transducers. The resulting transducer is implemented in hardware through a linear translation to a circuit built from flip-flops and Boolean gates. In the following sections we describe the construction of the prefix and suffix transducers and the translation to the circuit in more detail.
Automata and Transducers

Alternating and Universal Automata
While our constructions are based on automata transformations, our target is a circuit that monitors the given specification. For this reason we define automata in a symbolic setting that facilitates the eventual translation to a circuit: rather than referring to an explicit alphabet, our automata are defined over the set AP of atomic propositions. We use AP to denote the set {a, ¬a | a ∈ AP } of literals.
An alternating automaton on finite words over a set AP of atomic propositions is a tuple A = (Q, I, F, δ), where Q is a finite set of states, q 0 ∈ Q is the initial state, F ⊆ Q is a subset of final states, and δ : Q → B + (Q ∪ AP ) is the transition condition, where B + (X) denotes the set of positive Boolean expressions over X, i.e., the formulas built from elements of X using ∨, ∧, true and false. An alternating automaton A is called universal, if δ(q) can be written as a conjunction where each conjunct is an element of B + (AP ∪ {q }) for some q ∈ Q.
The direction of evaluation in an automaton is backward. A run of A on a finite input word σ is a Q-labeled tree, such that (1) all nodes at level |σ| (i.e., all nodes where the path from the root has length |σ| + 1) are childless and are labeled with states in F ; (2) the root is labeled with q 0 ; and the following condition holds for every node n on some level i = 0, . . . , |σ| − 1: let n be labeled with state q. Then the set S, consisting of the states on the children of n and the elements of σ(i) satisfies δ(q), i.e., replacing every state or atomic proposition in δ(q) with true if it is an element of S and with false if it is not, results in a Boolean expression equivalent to true. The set of words that are accepted by A is called the language of A, denoted by L(A).
Corresponding to an evaluation in a strong or weak context, we translate a temporal formula ϕ into one of two alternating automata A s (ϕ) or A w (ϕ): automaton A s (ϕ) accepts a finite word σ iff σ satisfies ϕ strongly; analogously, A w (ϕ) accepts σ iff σ satisfies ϕ weakly. As detailed in the following theorem, the translation is a simple linear-time induction: Theorem 1. For each temporal formula ϕ over AP there are two alternating automata A s (ϕ) and A w (ϕ) over AP such that, for every finite word σ,
The sizes of A s (ϕ) and A w (ϕ) are linear in the size of ϕ. If ϕ is simple, then A s (ϕ) and A w (ϕ) are universal.
Since the context of a temporal formula is, by default, strong, we define the alternating automaton associated with a formula ϕ as A(ϕ) = A s (ϕ).
Example 2. Consider the temporal formula ϕ = F a ∨ G b, which is equivalent to true U (0,∞) a ∨ ¬(true U (0,∞) ¬b). The alternating automaton A(ϕ) = ({s 0 , s 1 , s 2 }, s 0 , δ, F = {s 2 }), with δ : Every alternating automaton can be translated into an equivalent universal automaton by a simple subset construction.
Theorem 2. For each alternating automaton A there exists a universal automaton U such that L(A) = L(U). The size of U is exponential in the size of A.
Transducers
Automata evaluate the words in a backward manner: the transition expression δ(q) is a Boolean expression over the input and the successor states. We now change the direction of the evaluation. In order to evaluate a word in forward direction, a state machine is equipped with a next-state function τ which defines for each state q a Boolean expression over the input and the predecessor states.
A state machine over a set AP of atomic propositions is a tuple M = (Q, Q 0 , τ ), where Q is a set of states, Q 0 ⊆ Q is a subset of initial states, and τ : Q → B + (Q ∪ AP ) is the next-state function. The motivation for this definition is that we wish to simulate universal automata in hardware, by representing each state as a flip-flop. The states of the state machine can thus be seen as the states of a universal automaton, and sets of states as the states of an implicit determinization.
For an input word σ, the state machine defines a run R 0 , R 1 , . . ., where each R i is a set of states. The run starts with the set of initial states R 0 = Q 0 , and for all i > 0, the set R i includes all states whose next-state function (with true substituted for all states in R i−1 and false substituted for all states not in R i−1 is satisfied: i.e.,
For a given universal automaton U = (Q, q 0 , F, δ), we define the state machine M = (Q, Q 0 , τ ) that simulates U: the next-state function τ is chosen to precisely provide those successor states that are needed to satisfy the transition function δ:
Finally, we define transducers, which are state machines that are additionally equipped with an output function: Let AP = AP I · ∪AP O be a set of atomic propositions that is partitioned into a set AP I of input propositions and a set AP O of output propositions. A transducer T = (Q, Q 0 , τ, {ϑ p } p∈AP O ) over AP is a state machine over AP I with an output function ϑ p :
For an input word σ over 2 AP I , the run R 0 , R 1 , . . . of the transducer is the run of the state machine. The transducer additionally defines an output word σ over 2 AP O , where, for all i ≥ 0, and all p ∈ AP O , p ∈ σ (i) iff σ(i) |= q∈Ri ϑ p (q).
The Suffix Transducer
We start by translating the specification into automata, using Theorems 1 and 2. Let ϕ be a temporal formula and let A(ϕ), U(ϕ), and M(ϕ) be the alternating automaton, the universal automaton, and the state machine, respectively, that are defined by ϕ.
When the transducer reads position i, it produces the truth values for all positions from i − H to the cut-off position i. For this purpose, the suffix transducer contains a pipeline, which stores, for each atomic proposition p, H copies 
be the alternating automata for formula γ in strong and weak context, respectively. We define, for each state q ∈ Q and each offset j ∈ {0, . . . , H}, Boolean expressions λ s (π, q, j), λ w (π, q, j) that indicate if the strong and weak automaton, respectively, starting in state q, accept the word represented by the pipeline content starting from position j. For c ∈ {s, w}:
The truth value of the atomic proposition γ, j, c in AP is then defined by the Boolean expression µ c (π, γ, j), where 
We construct the suffix transducer T (ϕ):
Theorem 3. For each temporal formula ϕ with separation formulas Γ s , Γ w , there exists a transducer T (ϕ) with input propositions AP and output propositions AP , such that the following holds for each γ, j, c ∈ AP , j ∈ {0, . . . , H}, i ≥ H − j, and each input word σ and output word O 0 , O 1 , . . .:
The set of states is formed by the possible pipeline contents. The transition function shifts the contents of the pipeline by one position and adds the new observation. The output interprets each atomic proposition γ, j, c in AP as µ c (π, γ, j).
The Prefix Transducer
The prefix transducer computes the truth value of the specification ϕ based on the extended trace provided by the suffix transducer. For this purpose, the separation formulas in the specification are replaced by atomic propositions. To ensure that the substitution respects the context, we introduce, in addition to the standard substitution operator ϕ[ψ → ψ ], which replaces every occurrence of ψ in ϕ with ψ , a strong and a weak version: In the strong substitution ϕ[ψ → ψ ] s , all occurrences of ψ that are in the scope of an even number of negations are replaced by ψ , in the weak substitution ϕ[ψ → ψ ] s , all occurrences of ψ that are in the scope of an odd number of negations are replaced by ψ . We generalize the substitution operators to sets of replacement pairs in the obvious way.
Let ϕ be a temporal formula. The prefix transducer is based on a simplified prefix formula ϕ p , where we replace every separation formula with a proposition from Γ s × {s} ∪ Γ w × {w}, i.e., with a proposition indicating the separation formula together with the strong or weak context.
Example 4. Consider again the specification from Example 1:
The idea for the construction of the prefix transducer is to check for the existence of a run of the universal automaton U(ϕ p ) on the prefix up to position i. Intuitively, the prefix is split into two parts. The first part, up to position (i − H), is handled by the state machine M(ϕ p ), which we run with a delay of H steps. In the transition function of the state machine, we therefore replace every proposition γ, c with the proposition γ, 0, c delivered by the suffix automaton.
The second part, from position (i − H) to position i, is handled by the output function of the transducer. For this purpose, we unroll the transition function of U(ϕ p ) for H steps, and accordingly replace, in the jth unrolling, the proposition γ, c with the proposition γ, j, c provided by the suffix automaton. Let U(ϕ p ) = (Q, q 0 , δ, F ). We define inductively:
Suppose the state machine has computed the state set S when reaching its delayed position (i−H). Then this partial run can be completed into an accepting run on the full prefix iff ν(q, 0) is true for all states q ∈ S.
The prefix transducer P with input propositions AP and output propositions AP is obtained from the state machine M(ϕ p ) by encoding the delay of H steps. For this purpose, the transducer starts by counting H steps. In the i th step the output is {ϕ} if ν(q, H −i) is true for all intial states of M(ϕ p ). Then it proceeds with the initial states of M(ϕ p ). The output is {ϕ} if the ν(q, 0) is true for all active states. Theorem 4. For each temporal formula ϕ with separation formulas Γ s , Γ w , there exists a transducer P(ϕ) with input propositions AP and output propositions AP O = {ϕ}, such that for all words σ over 2 AP , σ over 2 AP , and σ over 2 AP , if T (ϕ) produces output σ reading input σ, and P(ϕ) produces output σ reading input σ , then for all i ≤ |σ|, ϕ ∈ σ (i) iff σ(0, i) |= ϕ.
The Monitor Circuit
As shown in Figure 1 , the monitor circuit is built from four main components: the pipeline circuit for the the suffix transducer S, the output function of the suffix transducer, the state machine of the prefix transducer P, and the output function of the prefix transducer. The circuits for the pipeline and the prefix state machine maintain their internal state via D flip-flops, interconnected via Boolean circuits that implement the next-state function. The circuits for the output functions are pure Boolean circuits without internal state. The input gates of the output function of the prefix transducer P are connected to the outputs of the flip-flops for the state machine of P and the output gates of the output function of S. Its single output gate represents the output of the monitor for ϕ on the prefix of the current input.
This implementation of the monitor circuit is well-suited for reprogrammable hardware such as FPGAs. The actual translation of the Boolean functions into the specific hardware can be realized by standard tools for the computer-aided design of digital circuits.
The size of the circuits. The size of the pipeline circuit is linear in H · |ϕ|. The output circuit of S consists of sub-circuits for each separation formula and each position within the delayed fragment of the input trace. Each of these subcircuits is linear in the size of H and linear in the size of ϕ. Hence, the overall size for the output circuit is quadratic in H · |ϕ|.
The size of the circuit for the state machine of P is linear in |U(ϕ)| and hence linear in |ϕ| if ϕ is simple and exponential in |ϕ| otherwise. The size of the Boolean circuit that computes the output function of P is of the same order as the state machine of P multiplied by H.
Theorem 5. The number of gates of the monitoring circuit for a temporal specification ϕ is quadratic in H · |ϕ| if ϕ is simple except for bounded subformulas; otherwise, the number of gates is exponential in |ϕ|.
Experimental Results
Our implementation takes as input an LTL formula and produces synthesizable VHDL code for a cirucit that monitors the input formula. The code is then passed to a synthesis tool for a specific hardware platform. In this section we report on experimental results obtained with our implementation in conjunction with the Xilinx Virtex-5 FPGA synthesis tool.
Our benchmarks, shown in Figure 2 , include Etessami and Holzmann's list of commonly used LTL specifications [24] (formulas 1-12, adapted to our setting by the introduction of parametric bounds), as well as a variation of the cache specification from the introduction (formulas c n ). The formulas r n specify fair bounded response, a recurring pattern in many specifications. Table 1 The first two sections of the table compare, for formulas with bound 2, the performance of our construction (b = 2) with a direct approach (b = 2 direct), based on building a universal automaton without pipeline. The presence of already very moderate bounds or a small number of nested Next-modalities can yield a direct universalization of the alternating automaton of the specification infeasable. As long as the bounds (or Next-modalities) are properly nested within the unbounded operators, our construction circumvents the combinatorial blowup of the forward universalization and produces rather small monitors. Even for bounds up to several dozens or even hundreds of steps, our approach produces monitor circuits that fit on standard FPGAs. Bounds of this size are clearly far beyond what a forward universalization can handle with an reasonable amount of computational resources.
Our results also provide evidence that introducing bounds into a given specification can be helpful in order to simplify the monitoring. The third and fourth section of the table report on the performance for higher bounds (b = 40) and unbounded (b = ∞) formulas. For small specifications, bounds complicate the monitoring problem. For larger specifications, however, the combinatorial overhead introduced by the bounds, which is just polynomial, outplays the exponential blow-up caused by the richer combinatorial structure of the specification.
