A LTL Fragment for GR(1)-Synthesis by Morgenstern, Andreas & Schneider, Klaus
Johannes Reich and Bernd Finkbeiner (Eds): International
Workshop on Interactions, Games and Protocols (iWIGP)
EPTCS 50, 2011, pp. 33–45, doi:10.4204/EPTCS.50.3
© A. Morgenstern and K. Schneider
This work is licensed under the
Creative Commons Attribution License.
A LTL Fragment for GR(1)-Synthesis
Andreas Morgenstern and Klaus Schneider
University of Kaiserslautern
P.O. Box 3049
67653 Kaiserslautern, Germany
email: {morgenstern,schneider}@cs.uni-kl.de
The idea of automatic synthesis of reactive programs starting from temporal logic (LTL) specifications is quite old, but was commonly thought to be infeasible due to the known double exponential complexity of the problem. However, new ideas have recently renewed the interest in LTL synthesis: one major new contribution in this area is the recent work of Piterman et al. who showed how polynomial time synthesis can be achieved for a large class of LTL specifications that is expressive enough to cover many practical examples. These LTL specifications are equivalent to ω-automata having a so-called GR(1) acceptance condition. This approach has been used to automatically synthesize implementations of real-world applications. To this end, manually written deterministic ω-automata having GR(1) conditions were used instead of the original LTL specifications. However, manually generating deterministic monitors is, of course, a hard and error-prone task. In this paper, we therefore present algorithms to automatically translate specifications of a remarkably large fragment of LTL to deterministic monitors having a GR(1) acceptance condition so that the synthesis algorithms can start with more readable LTL specifications.
1 Introduction
In the last decades, the influence of computer systems on our everyday life has been constantly growing. As computer systems enter more and more safety-critical areas, their correctness is essential to avoid malfunctioning systems. Thus, one of the main challenges in computer science is the design of provably correct systems. Many of these safety-critical computer systems are reactive embedded systems. These are non-terminating systems that interact with their environments during their infinite computations. Typically, concurrency and infinite computations with respect to the environment make it difficult to analyze and design such systems correctly.
There are currently two main approaches to the design of provably correct reactive systems: In the first approach, called formal verification, one checks that a manually written implementation satisfies a given specification that is typically formulated in the temporal logic LTL [21, 9]. In the second approach, called LTL synthesis, a provably correct implementation is automatically derived from the given LTL specification. While formal verification is nowadays even routinely used in safety-critical system designs, LTL synthesis is still immature. Of course, the double exponential complexity of LTL synthesis compared to the single exponential one of LTL model checking is one reason for this situation. We believe, however, that the applicability of tools based on both methods can be significantly improved by better data structures and algorithms.
For example, a major breakthrough in formal verification has been achieved by symbolic representations of states and transitions with propositional formulas which became known as symbolic model checking [7]. With the advent of these succinct data structures and efficient decision procedures for propositional formulas, it has become possible to verify complex systems. In a similar way, new methods for SAT checking and SMT solvers opened the way to verify even larger systems.
It is natural to try to make use of such data structures and algorithms also for LTL synthesis. However, this is not directly possible, since the currently available LTL synthesis procedures consist of two steps: The first step is the translation of the LTL specification to an equivalent ω-automaton. The usual translation procedures generate a nondeterministic automaton that can be directly used for symbolic model checking. However, nondeterministic automata can, in general, not be used for LTL synthesis. Even though there are pseudo-deterministic automata like the good-for-games automata that can still be used for LTL synthesis, the second step usually consists of a determinization of the obtained automata (since deterministic automata can be definitely used without further restrictions). The problem is, however, that determinization is considerably more complex for ω-automata than for automata on finite words. In particular, a major drawback of the currently known determinization procedures is their explicit representation of the automata that does not make use of symbolic data structures. Since a translation from LTL to deterministic automata may lead to automata having a double exponential size in terms of the length of the formula, explicit state space representations are limited to handle very small LTL formulas.
One possibility to overcome the complexity problem of LTL synthesis is to consider restricted classes of LTL. For example, [1, 14] consider subsets of LTL to obtain deterministic automata with less than double exponential size. Wallmeier et al. [27] developed a synthesis algorithm for request-response specifications, which are of the form $G(\varphi_i \to F\psi_i)$ for multiple $i$; this leads to a synthesis procedure with only exponential complexity. Piterman et al. proposed in [20] an approach to synthesize generalized reactivity formulas with rank 1 (abbreviated as GR(1) formulas), i.e. formulas of the form $(\bigwedge_{i=0}^{N} GF\varphi_i) \to (\bigwedge_{j=0}^{M} GF\psi_j)$. Their algorithm runs in time $K^3$ where $K$ is the size of the state space of the design. If a collection $\Phi_i$ of LTL formulas representing assumptions on the environment, and a collection $\Psi_j$ of formulas representing conclusions for the system, can all be represented by deterministic Büchi automata, this approach can be used to obtain a synthesis procedure for the entire LTL specification $(\bigwedge_{i=0}^{N} \Phi_i) \to (\bigwedge_{j=0}^{M} \Psi_j)$.
The work reported in [20] has been extensively used. Its feasibility was demonstrated in [4, 5, 11]
which considers ARM’s Advance Micro-System Bus Architecture as well as a case study of a generalized
buffer example included in IBM’s RuleBase system. In those case studies, an implementation realizing
the given formal specification has been derived and has been afterwards converted to a circuit. In fact,
those case studies have been the first real-life blocks that have been automatically synthesized from
high-level temporal logic specifications. Further applications include usage in the context of production
of robot systems [28].
The main drawback of previously published works using the GR(1)-approach of Piterman et al. is
that the unavoidable determinization step was carried out manually by a human developer, since no tool
support for the translation of temporal logic formulas to corresponding ω-automata was available. The
translation to deterministic automata is considerably hard in general [12] and may introduce errors due
to the human intervention.
To eliminate this drawback from the GR(1)-approach, we present in this article a remarkably large subset of LTL that can be translated to sets of deterministic Büchi automata representing the assumptions on the environment and the guarantees a system has to satisfy. To this end, we reconsider the temporal logic hierarchy that has been investigated by Chang, Manna, Pnueli, Schneider and others [15, 8, 16, 17, 22, 23]. This temporal logic hierarchy defines subsets of LTL that correspond to the well-known automaton hierarchy, consisting of safety, guarantee/liveness, fairness/response/Büchi, persistence/co-Büchi properties as well as their boolean closures (obligation and reactivity properties). Using a syntactic characterization of this hierarchy [22, 23], we can, in particular, syntactically determine for given LTL formulas whether the formula can be represented by a deterministic Büchi automaton. Hence, given a set of formulas representing assumptions and conclusions, we can determine whether they can be used
as an input for GR(1)-synthesis. Clearly, since we only check this syntactically, it may be the case that
we reject formulas that could be used for GR(1)-synthesis, but we never produce an error. In practice, it
turned out that essentially no GR(1) formula is rejected by our syntactic check.
The syntactic approximation to determine GR(1) membership is one contribution of this paper. Another one is the observation that the negation of each formula that can be translated to a deterministic Büchi automaton can be translated to a non-deterministic co-Büchi automaton. It is well-known that non-deterministic co-Büchi automata can be determinized by the Breakpoint construction [18] that is well-suited for a symbolic implementation [19, 6]. From this co-Büchi automaton, we can easily obtain a deterministic Büchi automaton (again via negation, which is trivial for deterministic automata [23]) that is equivalent to the original formula. Hence, our second observation leads to a very efficient translation procedure for the identified LTL formulas to deterministic Büchi and co-Büchi automata.
We have implemented this synthesis procedure that (1) syntactically determines whether a formula can be represented with a GR(1)-property and (2) applies the mentioned symbolic determinization procedure for Büchi/co-Büchi automata. Finally, we apply the GR(1)-synthesis using an existing implementation of the GR(1)-Synthesis approach [3].
2 Preliminaries
2.1 Linear Temporal Logic LTL
For a given set of Boolean variables $V$, we define the set of LTL formulas by the following recursive definition:
Definition 1 (Syntax of Linear Temporal Logic (LTL)) The set of LTL formulas over a set of variables $V$ is the smallest set with the following properties:
• $1, 0 \in \mathrm{LTL}$
• $a \in \mathrm{LTL}$ for $a \in V$
• boolean operators: $\neg\varphi$, $\varphi \wedge \psi$, $\varphi \vee \psi \in \mathrm{LTL}$ if $\varphi, \psi \in \mathrm{LTL}$
• future temporal operators: $X\varphi$, $[\varphi\,\underline{U}\,\psi]$, $[\varphi\,B\,\psi] \in \mathrm{LTL}$ if $\varphi, \psi \in \mathrm{LTL}$
• past temporal operators: $\overleftarrow{X}\varphi$, $\underline{\overleftarrow{X}}\varphi$, $[\varphi\,\underline{\overleftarrow{U}}\,\psi]$, $[\varphi\,\overleftarrow{B}\,\psi] \in \mathrm{LTL}$ if $\varphi, \psi \in \mathrm{LTL}$
The semantics of LTL can be given with respect to a path through a structure (e.g. an ω-automaton), where a path is an infinite word over the alphabet $2^V$.
$X\varphi$ holds on a path $\pi$ at position $t_0$ if $\varphi$ holds at position $t_0 + 1$ on the path. $[\varphi\,\underline{U}\,\psi]$ holds at $t_0$ iff $\psi$ holds for some position $\delta \geq t_0$ and $\varphi$ holds invariantly for every position $t$ with $t_0 \leq t < \delta$, i.e. $\varphi$ holds until $\psi$ holds. The weak before operator $[\varphi\,B\,\psi]$ holds at $t_0$ iff either $\varphi$ holds before $\psi$ becomes true for the first time after $t_0$ or $\psi$ never holds after $t_0$.
In addition to the future time temporal operators, there are also the corresponding past time temporal operators. These are defined analogously, the only difference being that the direction of the flow of time is reversed. For example, $[\varphi\,\underline{\overleftarrow{U}}\,\psi]$ holds on a path at position $t_0$ iff there is a point of time $\delta$ with $\delta \leq t_0$ such that $\psi$ holds on that path at position $\delta$ and $\varphi$ holds for all positions $t$ with $\delta < t \leq t_0$. The past time correspondence of the next-time operator is called the previous operator: $\underline{\overleftarrow{X}}\varphi$ holds on a path at position $t_0$ iff $t_0 > 0$ and $\varphi$ holds at position $t_0 - 1$. Additionally, there is a weak variant, where $\overleftarrow{X}\varphi$ holds on a path at position $t_0$ iff $t_0 = 0$ holds or $\varphi$ holds at position $t_0 - 1$.
Other operators can be defined in terms of the above ones (future time operators on the left, their past time counterparts on the right):
$G\varphi = [0\,B\,\neg\varphi]$ \qquad $\overleftarrow{G}\varphi = [0\,\overleftarrow{B}\,\neg\varphi]$
$F\varphi = [1\,\underline{U}\,\varphi]$ \qquad $\overleftarrow{F}\varphi = [1\,\underline{\overleftarrow{U}}\,\varphi]$
$[\varphi\,B\,\psi] = \neg[\neg\varphi\,\underline{U}\,\psi]$ \qquad $[\varphi\,\overleftarrow{B}\,\psi] = \neg[\neg\varphi\,\underline{\overleftarrow{U}}\,\psi]$
$[\varphi\,U\,\psi] = [\psi\,B\,(\neg\varphi \wedge \neg\psi)]$ \qquad $[\varphi\,\overleftarrow{U}\,\psi] = [\psi\,\overleftarrow{B}\,(\neg\varphi \wedge \neg\psi)]$
$[\varphi\,\underline{B}\,\psi] = [\neg\psi\,\underline{U}\,(\varphi \wedge \neg\psi)]$ \qquad $[\varphi\,\underline{\overleftarrow{B}}\,\psi] = [\neg\psi\,\underline{\overleftarrow{U}}\,(\varphi \wedge \neg\psi)]$
$[\varphi\,W\,\psi] = [(\varphi \wedge \psi)\,B\,(\neg\varphi \wedge \psi)]$ \qquad $[\varphi\,\overleftarrow{W}\,\psi] = [(\varphi \wedge \psi)\,\overleftarrow{B}\,(\neg\varphi \wedge \psi)]$
$[\varphi\,\underline{W}\,\psi] = [\neg\psi\,\underline{U}\,(\varphi \wedge \psi)]$ \qquad $[\varphi\,\underline{\overleftarrow{W}}\,\psi] = [\neg\psi\,\underline{\overleftarrow{U}}\,(\varphi \wedge \psi)]$
For example, $[\varphi\,U\,\psi]$ is the weak until operator that can be alternatively defined as $[\varphi\,U\,\psi] := [\varphi\,\underline{U}\,\psi] \vee G\varphi$, i.e. the event $\psi$ that is awaited need not hold in the future. To distinguish weak and strong operators, the strong variants of a temporal operator are underlined in this paper (as done above).
2.2 ω-Automata
Definition 2 (ω-Automata) An ω-automaton $\mathcal{A} = (Q, \Sigma, \mathcal{I}, \mathcal{R}, \mathcal{A})$ over the alphabet $\Sigma$ is given by a finite set of states $Q$, a set $\mathcal{I} \subseteq Q$ of initial states, a transition relation $\mathcal{R} \subseteq Q \times \Sigma \times Q$ and an acceptance condition $\mathcal{A} : Q^\omega \to \{0, 1\}$.
Given an automaton $\mathcal{A} = (Q, \Sigma, \mathcal{I}, \mathcal{R}, \mathcal{A})$ and an infinite word $\alpha = a_0, a_1, \ldots$ over $\Sigma$, each infinite sequence $\beta = q_0, q_1, \ldots$ with $q_0 \in \mathcal{I}$ and $(q_i, a_i, q_{i+1}) \in \mathcal{R}$ for $i \geq 0$ is called a run of $\alpha$ through $\mathcal{A}$. The run is accepting if $\mathcal{A}(\beta) = 1$. We say that $\mathcal{A}$ accepts $\alpha$ whenever an accepting run of $\alpha$ through $\mathcal{A}$ exists.
Using standard terminology, we say that $\mathcal{A}$ is deterministic if exactly one initial state exists and for each $q \in Q$ and each input $\sigma \in \Sigma$ there exists exactly one $q' \in Q$ with $(q, \sigma, q') \in \mathcal{R}$. In that case we write $\mathcal{A} = (Q, \Sigma, q_0, \delta, \mathcal{A})$ with an initial state $q_0$ and a deterministic transition function $\delta : Q \times \Sigma \to Q$.
In the following, we assume that $Q = 2^V$ for a set $V$ of state variables. Moreover, we assume sets $X$ and $Y$ of input and output variables that form the inputs $\mathcal{X} = 2^X$ and outputs $\mathcal{Y} = 2^Y$ of the system such that $\Sigma = \mathcal{X} \times \mathcal{Y}$. Having this view, we define a state set $Q_\varphi$ to contain exactly those states where the propositional encoding of the state variables $V$ satisfies $\varphi$. Thus, we can conveniently define acceptance conditions by LTL specifications.
2.3 Classical Acceptance Conditions
In the past, several kinds of acceptance conditions have been proposed and their different expressive powers have been studied in depth. In particular, the following acceptance conditions have been considered [26, 25, 23].
• A run is accepted by a safety condition $G\varphi$ if the run exclusively runs through the set $Q_\varphi$.
• A run is accepted by a liveness condition $F\varphi$ if the run visits at least one state of the set $Q_\varphi$ at least once.
• A run is accepted by a prefix condition $\bigwedge_i (G\varphi_i \vee F\psi_i)$ if for all $i$ either the run exclusively runs through the set $Q_{\varphi_i}$ or visits $Q_{\psi_i}$ at least once (see footnote 1).
• A run is accepted by a Büchi condition $GF\varphi$ if the run visits at least one state of the set $Q_\varphi$ infinitely often.
• A run is accepted by a co-Büchi condition $FG\varphi$ if the run visits only states of the set $Q_\varphi$ infinitely often.
• Finally, a run is accepted by a Streett (or reactivity) condition $\bigwedge_{i=0}^{f} (GF\varphi_i \vee FG\psi_i)$ if for all $i$ either the run visits at least one state from $Q_{\varphi_i}$ infinitely often or the run visits only states of the set $Q_{\psi_i}$ infinitely often.
Footnote 1: These conditions are also called Staiger-Wagner or obligation conditions.
2.4 GR(1)-Specifications for LTL Synthesis
The task of LTL synthesis is to develop a system that controls the output variables $Y$ so that, no matter how the environment chooses the input variables $X$, an LTL specification is satisfied. Thus, instead of using one of the classical acceptance conditions, it is more convenient for synthesis to consider specifications of the form $\varphi \to \psi$ where $\varphi$ represents assumptions on the environment and $\psi$ represents conclusions/guarantees the system has to satisfy. In particular, Generalized Reactivity (1) acceptance [4, 5, 11, 20] attracted some interest in the community: here the assumptions and guarantees are all Büchi conditions, i.e. we seek a system satisfying the following acceptance condition:
$$\mathrm{GR(1)} := \Big(\bigwedge_{i=1}^{n} GFp_i\Big) \to \Big(\bigwedge_{j=1}^{m} GFq_j\Big) \qquad (1)$$
The class of specifications to which the algorithms of [4, 5, 11, 20] can be applied is much more general than the limited form presented in equation (1): the algorithm can be applied to any specification of the form $(\bigwedge_{i=1}^{n} \varphi_i) \to (\bigwedge_{j=1}^{m} \psi_j)$ where each $\varphi_i$, $\psi_j$ is specified by a deterministic Büchi automaton.
Definition 3 ([13]) Assume we are given $n$ deterministic Büchi automata $\mathcal{A}^a_1, \ldots, \mathcal{A}^a_n$ for the environment's assumptions and $m$ deterministic Büchi automata $\mathcal{A}^g_1, \ldots, \mathcal{A}^g_m$ for the system's guarantees with $\mathcal{A}^a_i = (Q^a_i, \Sigma, q^a_{0,i}, \delta^a_i, GFp_i)$ and $\mathcal{A}^g_j = (Q^g_j, \Sigma, q^g_{0,j}, \delta^g_j, GFq_j)$. Then, we define an automaton $\mathcal{A}_{GR(1)} = (Q, \Sigma, \delta, q_0, \mathcal{A})$ as the product of all automata $\mathcal{A}^a_i$ and $\mathcal{A}^g_j$, where the state space is $Q = Q^a_1 \times \cdots \times Q^a_n \times Q^g_1 \times \cdots \times Q^g_m$, the transition function is $\delta((q^a_1, \ldots, q^g_m), \sigma) = (\delta^a_1(q^a_1, \sigma), \ldots, \delta^g_m(q^g_m, \sigma))$ and the initial state is $q_0 = (q^a_{0,1}, \ldots, q^g_{0,m})$. The acceptance condition $\mathcal{A} = (\bigwedge_{i=1}^{n} GFp_i) \to (\bigwedge_{j=1}^{m} GFq_j)$ is a GR(1) condition.
Thus, a run of $\mathcal{A}_{GR(1)}$ is accepting if either all sets $Q_{q_j}$ are visited infinitely often or at least some set $Q_{p_i}$ is visited only finitely often.
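The following Python code, added here as an illustration and not taken from the paper's tool, builds the product automaton of Definition 3 from small deterministic Büchi automata and evaluates the GR(1) condition of equation (1) on an ultimately periodic input word (a finite prefix followed by a loop repeated forever); since the product is deterministic, the states visited infinitely often are exactly those on the cycle the run eventually enters. The automata, the variable names hready, req and grant, and the sample words are constructed for this example.

```python
# Added example: the product construction of Definition 3 and the GR(1)
# acceptance test of equation (1) on an ultimately periodic word prefix·loop^ω.
# Automata, variables (hready, req, grant) and words are constructed here for
# illustration; they are not taken from the paper's tool or case studies.


class DetBuchi:
    """Deterministic Büchi automaton (Q, Σ, q0, δ, GF p).

    delta(state, letter) returns the successor state; accepting(state) is the
    characteristic function of the set Q_p that must be visited infinitely
    often.  Letters are dicts mapping variable names to 0/1 (Σ = 2^X × 2^Y)."""

    def __init__(self, q0, delta, accepting):
        self.q0, self.delta, self.accepting = q0, delta, accepting


def gr1_product(assumptions, guarantees):
    """Initial state and transition function of A_GR(1): the synchronous
    product of all assumption automata followed by all guarantee automata."""
    auts = list(assumptions) + list(guarantees)
    q0 = tuple(a.q0 for a in auts)

    def delta(q, letter):
        return tuple(a.delta(s, letter) for a, s in zip(auts, q))

    return q0, delta


def inf_states(q0, delta, prefix, loop):
    """States visited infinitely often by the unique run on prefix·loop^ω.

    The product is deterministic and finite, so the state at the start of a
    loop iteration eventually repeats; the states recorded from that first
    repetition onwards form the cycle the run traverses forever."""
    q = q0
    for letter in prefix:
        q = delta(q, letter)
    boundary, trace = {}, []          # state at loop start -> index in trace
    while q not in boundary:
        boundary[q] = len(trace)
        for letter in loop:
            trace.append(q)
            q = delta(q, letter)
    return set(trace[boundary[q]:])


def gr1_accepts(assumptions, guarantees, prefix, loop):
    """Evaluate (∧_i GF p_i) → (∧_j GF q_j) on the run of the product."""
    q0, delta = gr1_product(assumptions, guarantees)
    inf = inf_states(q0, delta, prefix, loop)
    n = len(assumptions)
    env_fair = all(any(a.accepting(q[i]) for q in inf)
                   for i, a in enumerate(assumptions))
    sys_fair = all(any(g.accepting(q[n + j]) for q in inf)
                   for j, g in enumerate(guarantees))
    # accept if some assumption set is visited only finitely often, or if
    # every guarantee set is visited infinitely often
    return (not env_fair) or sys_fair


# Assumption GF hready: the single state variable stores the last hready value.
HREADY = DetBuchi(0, lambda q, s: s['hready'], lambda q: q == 1)

# Guarantee G(req → F grant): state 1 means a request is pending; the run is
# in state 0 infinitely often iff every request is eventually granted.
REQ_GRANT = DetBuchi(
    0,
    lambda q, s: 0 if s['grant'] else (1 if (q == 1 or s['req']) else 0),
    lambda q: q == 0)


def letter(hready, req, grant):
    return {'hready': hready, 'req': req, 'grant': grant}


# Constructed sample words: (prefix, loop), the loop being repeated forever.
SERVED = ([letter(1, 1, 0)], [letter(1, 0, 1), letter(1, 1, 0)])  # granted
STARVED = ([letter(1, 1, 0)], [letter(1, 0, 0)])                  # never granted
ENV_UNFAIR = ([letter(1, 1, 0)], [letter(0, 0, 0)])               # hready never


def demo():
    """GR(1) acceptance of the three sample words for (GF hready) → G(req → F grant)."""
    return tuple(gr1_accepts([HREADY], [REQ_GRANT], p, l)
                 for p, l in (SERVED, STARVED, ENV_UNFAIR))


if __name__ == '__main__':
    print(demo())  # (True, False, True)
```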
2.5 Games
A game $\mathcal{G} = (Q, \Sigma, q_0, \delta, \mathcal{A})$ is a deterministic ω-automaton with an input alphabet $\Sigma = \mathcal{X} \times \mathcal{Y}$. A play of $\mathcal{G}$ is an infinite sequence of states $\pi = q_0 q_1 q_2 \cdots \in Q^\omega$ where $q_{i+1} = \delta(q_i, \sigma_i)$ for $i \geq 0$. The letters $\sigma_i = (x_i, y_i)$ are successively chosen by the players: in each step, the environment first chooses $x_i$, and then the system chooses $y_i$. A play $\pi$ is won by the system if $\mathcal{A}(\pi) = 1$. Otherwise, the game is won by the environment. Note that the environment cannot react to the outputs generated by the system and thus acts like a Moore machine. In contrast, the system we would like to synthesize acts like a Mealy machine.
We solve the game, attempting to decide whether the game is winning for the environment or the system. If the environment is winning, the specification is unrealizable. If the system is winning, we synthesize a winning strategy (which is essentially a Mealy automaton) using the algorithms given in [4, 5, 11, 20].
Figure 1: (Borel) Hierarchy of ω-Automata and Temporal Logic (diagram not reproduced; it relates the automaton classes NDetG, DetG, NDettotalF, DetF, NDetF, DetPrefix, NDetPrefix, DetGF, NDetGF, (N)DetFG and (N)DetStreett to the logic classes TLG, TLF, TLPrefix, TLGF, TLFG and TLStreett)
Previous works regarding GR(1)-synthesis had to manually generate the deterministic automata. In this paper, we show how to automatically obtain deterministic Büchi automata from a fragment of LTL using the well-known Breakpoint construction. This fragment of LTL is a natural fragment of LTL embedded in the well-known temporal-logic hierarchy [15, 8, 16, 17, 22, 23].
3 Temporal Logic vs. Automaton Hierarchy
3.1 The Automaton Hierarchy
The classical acceptance conditions, i.e., safety, guarantee/liveness, fairness/response/Büchi, persistence/co-Büchi properties, define the corresponding automaton classes (N)DetG, (N)DetF, (N)DetGF, and (N)DetFG, respectively. Moreover, their boolean closures can be represented by the automaton classes (N)DetPrefix and (N)DetStreett whose acceptance conditions have the forms $\bigwedge_{j=0}^{f} (G\varphi_j \vee F\psi_j)$ and $\bigwedge_{j=0}^{f} (GF\varphi_j \vee FG\psi_j)$, respectively.
The expressiveness of these classes is illustrated in Figure 1, where $\mathcal{C}_1 \sqsubseteq \mathcal{C}_2$ means that for any automaton in $\mathcal{C}_1$, there is an equivalent one in $\mathcal{C}_2$. Moreover, we define $\mathcal{C}_1 \approx \mathcal{C}_2 := \mathcal{C}_1 \sqsubseteq \mathcal{C}_2 \wedge \mathcal{C}_2 \sqsubseteq \mathcal{C}_1$ and $\mathcal{C}_1 \sqsubset \mathcal{C}_2 := \mathcal{C}_1 \sqsubseteq \mathcal{C}_2 \wedge \neg(\mathcal{C}_1 \approx \mathcal{C}_2)$. As can be seen, the hierarchy consists of six different classes, and each class has a deterministic representative.
3.2 The Temporal Logic Hierarchy
In [8, 22, 23], corresponding hierarchies for temporal logics have been defined. Following [22, 23], we define the hierarchy of temporal logic formulas syntactically by the grammar rules of Fig. 2:
Definition 4 (Temporal Logic Classes) For $\kappa \in \{G, F, Prefix, FG, GF, Streett\}$, we define the logics $TL_\kappa$ by the grammars given in Fig. 2, where $TL_\kappa$ is the set of formulas that can be derived from the nonterminal $P_\kappa$ ($V_\Sigma$ represents any variable $v \in V_\Sigma$).
$P_G ::= V_\Sigma \mid \neg P_F \mid P_G \wedge P_G \mid P_G \vee P_G \mid \overleftarrow{X} P_G \mid [P_G\,\overleftarrow{U}\,P_G] \mid \underline{\overleftarrow{X}} P_G \mid [P_G\,\underline{\overleftarrow{U}}\,P_G] \mid X P_G \mid [P_G\,U\,P_G]$
$P_F ::= V_\Sigma \mid \neg P_G \mid P_F \wedge P_F \mid P_F \vee P_F \mid \overleftarrow{X} P_F \mid [P_F\,\overleftarrow{U}\,P_F] \mid \underline{\overleftarrow{X}} P_F \mid [P_F\,\underline{\overleftarrow{U}}\,P_F] \mid X P_F \mid [P_F\,\underline{U}\,P_F]$
$P_{Prefix} ::= P_G \mid P_F \mid \neg P_{Prefix} \mid P_{Prefix} \wedge P_{Prefix} \mid P_{Prefix} \vee P_{Prefix}$
$P_{GF} ::= P_{Prefix} \mid \neg P_{FG} \mid P_{GF} \wedge P_{GF} \mid P_{GF} \vee P_{GF} \mid \overleftarrow{X} P_{GF} \mid \underline{\overleftarrow{X}} P_{GF} \mid X P_{GF} \mid [P_{GF}\,\overleftarrow{U}\,P_{GF}] \mid [P_{GF}\,\underline{\overleftarrow{U}}\,P_{GF}] \mid [P_{GF}\,U\,P_{GF}] \mid [P_{GF}\,\underline{U}\,P_F]$
$P_{FG} ::= P_{Prefix} \mid \neg P_{GF} \mid P_{FG} \wedge P_{FG} \mid P_{FG} \vee P_{FG} \mid \overleftarrow{X} P_{FG} \mid X P_{FG} \mid \underline{\overleftarrow{X}} P_{FG} \mid [P_{FG}\,\overleftarrow{U}\,P_{FG}] \mid [P_{FG}\,\underline{\overleftarrow{U}}\,P_{FG}] \mid [P_{FG}\,\underline{U}\,P_{FG}] \mid [P_G\,U\,P_{FG}]$
$P_{Streett} ::= P_{GF} \mid P_{FG} \mid \neg P_{Streett} \mid P_{Streett} \wedge P_{Streett} \mid P_{Streett} \vee P_{Streett}$
Figure 2: Syntactic Characterizations of the Classes of the Temporal Logic Hierarchy (strong operators are underlined)
Typical safety conditions like Gϕ or G [a U b] that state that something bad never happens, are contained
in TLG. Liveness conditions like Fϕ are contained in TLF. Finally, fairness conditions like GFϕ that de-
mand that something good infinitely often happens, are contained in TLGF while stabilization/persistence
properties like FGϕ that demand that after a finite interval, nothing bad happens are contained in TLFG.
3.3 Relating the Temporal Logic and the Automata Hierarchy
In [22, 23] several translation procedures are given to translate formulas from TLκ to equivalent (N)Detκ
automata. In particular, the following is an important result:
Theorem 1 (Temporal Logic and Automaton Hierarchy) Given a formula $\Phi \in TL_\kappa$, we can construct a deterministic ω-automaton $\mathcal{A} = (2^Q, \mathcal{I}, \mathcal{R}, \lambda, \mathcal{A})$ of the class $Det_\kappa$ in time $O(2^{|\Phi|})$ with $|Q| \leq 2|\Phi|$ state variables. Therefore, $\mathcal{A} = (2^Q, \mathcal{I}, \mathcal{R}, \lambda, \mathcal{A})$ is a symbolic representation of a deterministic automaton with $O(2^{2|\Phi|})$ states.
The above results are already proved in detail in [23], where translation procedures from TLκ to NDetκ
have been constructed. Moreover, it has been shown in [23] that the subset construction can be used to de-
terminize the automata that stem from the classes TLG and TLF and that the Miyano-Hayashi breakpoint
construction is sufficient to determinize the automata that stem from the translation of formulas from
TLFG and TLGF. Since TLPrefix and TLStreett are the boolean closures of TLG∪TLF and TLFG∪TLGF,
respectively, the remaining results for TLPrefix and TLStreett follow from the boolean combinations of
DetG/DetF and DetFG/DetGF, respectively.
The final step consists of computing the boolean closure of the acceptance conditions. To this end,
it is shown in [23] how arbitrary boolean combinations of Gϕ and Fϕ with propositional formulas ϕ
are translated to equivalent DetPrefix automata, and analogously, how arbitrary boolean combinations of
GFϕ and FGϕ with propositional formulas ϕ are translated to equivalent DetStreett automata.
4 A LTL Fragment for GR(1)-Synthesis
Using the previously mentioned temporal logic hierarchy, we define a fragment of LTL that can be easily translated to a set of deterministic Büchi automata for the assumptions and a set of deterministic Büchi automata for the guarantees (Figure 3).
The productions for $P_G$, $P_F$, $P_{Prefix}$, $P_{GF}$ and $P_{FG}$ are those of Figure 2; the fragment adds the following nonterminals:
$P_{Assume} ::= P_{GF} \mid P_{Assume} \wedge P_{Assume}$
$P_{Guarantee} ::= P_{GF} \mid P_{Guarantee} \wedge P_{Guarantee}$
$P_{GR(1)} ::= P_{Assume} \to P_{Guarantee}$
Figure 3: A LTL Fragment for GR(1)-Synthesis
Figure 4: (Borel) Hierarchy of ω-Automata and Temporal Logic with GR(1) (diagram not reproduced; it extends Figure 1 by the automaton classes (N)DetStreett(1) and (N)DetGR(1) and the logic class TLGR(1))
As can be seen, our LTL fragment is naturally embedded in the temporal logic hierarchy. The formulas that syntactically belong to our LTL fragment are those formulas that are derived from the nonterminal $P_{GR(1)}$; thus, these are implications of formulas that are derived from the nonterminals $P_{Assume}$ and $P_{Guarantee}$, respectively, which are both conjunctions of $TL_{GF}$-formulas.
Concerning the automata hierarchy, we can translate these formulas to automata with a GR(1)-acceptance condition, i.e. a generalization of a Streett(1) condition. In [2], it is shown that a GR(1)-condition can be equivalently expressed by a Streett(1)-condition, i.e. a Streett condition with only one acceptance pair. Hence, we obtain the "enriched" automata hierarchy shown in Figure 4 together with the following corollary that easily follows from Theorem 1:
Corollary 1 Given a $P_{GR(1)}$-formula of the form $\Phi = (\varphi_1 \wedge \ldots \wedge \varphi_n) \to (\psi_1 \wedge \ldots \wedge \psi_m)$, we can compute $n$ deterministic Büchi automata $\mathcal{A}^a_{\varphi_1}, \ldots, \mathcal{A}^a_{\varphi_n}$ and $m$ deterministic Büchi automata $\mathcal{A}^g_{\psi_1}, \ldots, \mathcal{A}^g_{\psi_m}$ such that $\mathcal{A}_{\varphi_i}$ (resp. $\mathcal{A}_{\psi_j}$) is initially equivalent to $\varphi_i$ (resp. $\psi_j$). Hence, the GR(1)-automaton obtained from those automata according to Definition 3 is initially equivalent to $\Phi$.
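As an added illustration (example code, not the authors' Quartz2Marduk tool), the following Python code implements the syntactic membership test behind Figures 2 and 3 directly from the grammar: it computes bottom-up the set of classes $TL_\kappa$ from whose nonterminal a formula can be derived, and then decides whether an implication of conjunctions is a $P_{GR(1)}$ formula, returning the $TL_{GF}$ conjuncts that Corollary 1 would turn into one Büchi automaton each. The tuple encoding of formulas (strong until 'SU', weak until 'WU') and the sample specifications are constructed for this example.

```python
# Added example: syntactic class membership for the temporal-logic hierarchy
# of Figure 2 and the GR(1) fragment of Figure 3.  Formulas are nested tuples
# (an encoding constructed for this example, not the paper's input syntax):
#   ('v', name)  variable           ('1',) / ('0',)  constants
#   ('not', f)   ('and', f, g)      ('or', f, g)
#   ('X', f)     next               ('Y', f)  previous (weak or strong)
#   ('SU', f, g) strong until [f U g] (underlined in the paper)
#   ('WU', f, g) weak until   [f U g]
#   ('PU', f, g) past until   [f <-U g] (weak or strong)
#   ('G', f), ('F', f)  derived:  G f = [f WU 0],  F f = [1 SU f]
#   ('->', f, g) the implication of P_GR(1) ::= P_Assume -> P_Guarantee

CLASSES = ('G', 'F', 'Prefix', 'GF', 'FG', 'Streett')
# negation swaps a class with its dual: ¬P_F ∈ P_G, ¬P_FG ∈ P_GF, ...
DUAL = {'G': 'F', 'F': 'G', 'Prefix': 'Prefix',
        'GF': 'FG', 'FG': 'GF', 'Streett': 'Streett'}


def _close(s):
    """Inclusions of the hierarchy: G, F ⊆ Prefix ⊆ GF, FG ⊆ Streett."""
    s = set(s)
    if s & {'G', 'F'}:
        s.add('Prefix')
    if 'Prefix' in s:
        s |= {'GF', 'FG'}
    if s & {'GF', 'FG'}:
        s.add('Streett')
    return s


def classes(f):
    """Set of κ such that f is derivable from the nonterminal P_κ of Fig. 2."""
    op = f[0]
    if op in ('v', '0', '1'):
        return set(CLASSES)
    if op == 'G':
        return classes(('WU', f[1], ('0',)))
    if op == 'F':
        return classes(('SU', ('1',), f[1]))
    if op == 'not':
        return _close({DUAL[k] for k in classes(f[1])})
    a = classes(f[1])
    if op in ('and', 'or'):
        return _close(a & classes(f[2]))
    if op in ('X', 'Y'):        # next/previous keep the four basic classes
        return _close(a & {'G', 'F', 'GF', 'FG'})
    b = classes(f[2])
    if op == 'PU':              # past until keeps the four basic classes
        return _close(a & b & {'G', 'F', 'GF', 'FG'})
    out = set()
    if op == 'SU':              # [P_F U P_F], [P_GF U P_F], [P_FG U P_FG]
        if 'F' in a and 'F' in b:
            out.add('F')
        if 'GF' in a and 'F' in b:
            out.add('GF')
        if 'FG' in a and 'FG' in b:
            out.add('FG')
    elif op == 'WU':            # [P_G U P_G], [P_GF U P_GF], [P_G U P_FG]
        if 'G' in a and 'G' in b:
            out.add('G')
        if 'GF' in a and 'GF' in b:
            out.add('GF')
        if 'G' in a and 'FG' in b:
            out.add('FG')
    else:
        raise ValueError('unknown operator %r' % op)
    return _close(out)


def conjuncts(f):
    """Top-level conjuncts of f; each becomes its own Büchi automaton."""
    return conjuncts(f[1]) + conjuncts(f[2]) if f[0] == 'and' else [f]


def gr1_decomposition(spec):
    """Return (assumptions, guarantees) as lists of TL_GF conjuncts if spec is
    derivable from P_GR(1), i.e. an implication whose two sides are
    conjunctions of TL_GF formulas; otherwise return None."""
    if spec[0] != '->':
        return None
    asm, gar = conjuncts(spec[1]), conjuncts(spec[2])
    if all('GF' in classes(f) for f in asm + gar):
        return asm, gar
    return None


def V(name):
    return ('v', name)


# Constructed sample: GF hready -> (G(req -> F grant) ∧ GF ¬busy) is accepted.
SPEC = ('->', ('G', ('F', V('hready'))),
        ('and', ('G', ('or', ('not', V('req')), ('F', V('grant')))),
                ('G', ('F', ('not', V('busy'))))))
# Rejected: the persistence guarantee FG idle is not in TL_GF.
BAD_SPEC = ('->', ('G', ('F', V('hready'))), ('F', ('G', V('idle'))))
```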
5 Experiments
In our previous work, we had already implemented a toolset Averest [24] whose inputs are programs written in the Esterel-like synchronous programming language Quartz [24]. Averest compiles the synchronous programs to guarded actions which can be used in turn to generate sequential and concurrent software, hardware or symbolic transition relations for formal verification. Specifications can be given in various temporal logics and the µ-calculus. Averest provides many translations from temporal logic to either ω-automata or directly to the µ-calculus (see [23] for these translations).
For this paper, we implemented an additional tool Quartz2Marduk that takes as input a set of LTL formulas that represent assumptions and assertions/guarantees of a GR(1) specification (see the example shown in Figure 5). We then check whether these specifications belong to the class that can be used for GR(1)-synthesis. If so, we automatically generate deterministic automata that are equivalent to the specification. The automata are automatically minimized using a form of delayed simulation [10] and are afterwards used to generate a file as input to the Marduk tool [3] (see footnote 2). Marduk is a re-implementation of Anzu [11] with some new features. It is basically a BDD-based implementation of the algorithm given in [20].
Included with Marduk came two case studies that are described in [4, 5, 11]. The first case study is the GenBuf example that is used as a tutorial in IBM's RuleBase system. The second example is ARM's Advanced Microcontroller Bus Architecture (AMBA) which defines the Advanced High-performance Bus (AHB), an on-chip communication standard that connects devices like processor cores, caches and DMA arbiters.
In [4, 5, 11], temporal logic specifications for those case studies are given along with some hints on how deterministic automata for these specifications can be manually obtained. Marduk came with an input file that already contained those manually generated deterministic automata. In our tool, all we had to do was to simply write down the temporal logic specifications given in [4, 5, 11] and compile them to a Marduk input file.
After having compiled the Marduk input files, we ran Marduk with dynamic variable ordering enabled, leaving the other options untouched. The results of our experiments are given in Figure 6. The first column given there is the name of the case study, the second column is the time (in seconds) our tool needed to perform determinization. The third column lists the number of state variables that were generated by our tool and by the manually generated deterministic automata. The next column lists the number of BDD nodes for the generated strategy. Finally, the last column lists the runtime of Marduk for the automatically generated automata and the respective time for the manually generated automata. In the table, TO means that the synthesis procedure could not be finished within 50000 seconds (see footnote 3).
6 Discussion
The GR(1)-approach is one of the most successful approaches to LTL synthesis today [4, 5, 11] that has already found applications apart from its primary target [28]. One interesting question regarding the GR(1)-synthesis approach is its good algorithmic behavior of having a cubic runtime despite the fact that many specifications can be rewritten to a deterministic automaton having a GR(1)-acceptance condition. This question has been answered in [2] where it is shown that in fact an automaton with GR(1)-acceptance condition is equivalent to a Streett automaton having only one acceptance pair.
Footnote 2: Actually, our current implementation generates an Anzu [11] file and we use a tool included with Marduk to translate this Anzu file to a Marduk file.
Footnote 3: We cannot satisfactorily explain why the synthesis for the AMBA model needed more time for 6 masters than for 7 masters using our determinization procedure. However, the same holds for the manually generated automata, where this observation can be made for 8 and 9 masters, respectively. Moreover, a similar observation was also reported in [5].
Figure 5: An Example Quartz File with a GR(1) Specification having only Assertions (listing not reproduced)
In this article, we gave the corresponding temporal logic view: we presented a fragment of LTL that is 'naturally' embedded in the temporal logic hierarchy and that can be easily translated to a corresponding deterministic GR(1)-automaton. We have implemented a tool that is able to translate any formula from this fragment to a corresponding deterministic GR(1)-automaton. This is a useful improvement in the expressivity and usage of the GR(1)-approach: instead of having to generate deterministic automata manually, the input to our tool is a more readable LTL formula.
However, this higher expressivity comes at a cost: not too surprisingly, running Marduk on the manually generated automata took a significantly smaller amount of time than on the automatically generated automata and, moreover, generated smaller BDDs for the strategies. However, the manually generated automata have undergone heavy (hand-crafted) minimization steps (see footnote 4) and hence we expect that further improvements on the determinization or the minimization step of our tool could also significantly improve our results.
Footnote 4: Compare the difference in the runtime of the Anzu tool reported in [4] with the one reported in [5].
7 Acknowledgements
We would like to thank Georg Hofferek for his kind help with the tool Marduk.
Model      Det (s)  State Vars     Strategy Nodes          Solve (s)
                    Auto  Manu     Auto       Manu         Auto      Manu
GenBuf 2     0.1     12     3         8.755      3.344       0.86      0.25
GenBuf 3     0.1     12     3        19.087      4.237       1.96      0.3
GenBuf 4     0.2     12     3        25.653      5.546       2.12      0.63
GenBuf 5     0.2     12     3        39.356     11.916      12.88      1.34
GenBuf 6     0.3     12     3        26.139     15.605       5.61      2.38
GenBuf 7     0.3     12     3       117.625     18.894      41.92      3.75
GenBuf 8     0.3     12     3        45.238     24.302      11.24      5.14
GenBuf 9     0.3     12     3        27.507     24.493      12.7       7.8
GenBuf 10    0.3     12     3        67.879     51.605      44.91     25.3
Amba 2       0.6      9     7        38.107     50.816       3.0       1.97
Amba 3       1.1     10     8        77.033    122.027      14.4      10.64
Amba 4       1.8     11     9       451.456    503.622      66.9      98.32
Amba 5       7.2     12    10     1.194.190    825.294    1221.7     381.34
Amba 6      19.4     13    11     4.929.635    989.482   46815       420.96
Amba 7      42.0     14    12     2.052.871  1.037.608    4555.2     904.78
Amba 8      83.1     15    13            TO  3.625.518        TO   13617.19
Amba 9     403.6     16    14            TO  1.331.441        TO    4215.94
Amba 10    580.16    17    15            TO  3.034.060        TO    7325.85
Figure 6: Experimental Results (Det: determinization time of our tool; Auto/Manu: automatically vs. manually generated automata; TO: not finished within 50000 seconds)
References
[1] R. Alur & S. La Torre (2004): Deterministic Generators and Games for LTL Fragments. ACM Transactions on Computational Logic (TOCL) 5(1), pp. 1–15, doi:10.1145/963927.963928.
[2] R. Bloem, K. Chatterjee, K. Greimel, T.A. Henzinger & B. Jobstmann (2010): Robustness in the Presence of Liveness. In T. Touili, B. Cook & P. Jackson, editors: Computer Aided Verification (CAV). LNCS 6174, Springer, Edinburgh, UK, pp. 410–424, doi:10.1007/978-3-642-14295-6_36.
[3] R. Bloem, A. Cimatti, K. Greimel, G. Hofferek, R. Könighofer, M. Roveri, V. Schuppan & R. Seeber (2010): RATSY - A New Requirements Analysis Tool with Synthesis. In T. Touili, B. Cook & P. Jackson, editors: Computer Aided Verification (CAV). LNCS 6174, Springer, Edinburgh, UK, pp. 425–429, doi:10.1007/978-3-642-14295-6.
[4] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli & M. Weiglhofer (2007): Automatic hardware synthesis from specifications: a case study. In R. Lauwereins & J. Madsen, editors: Design, Automation and Test in Europe (DATE). IEEE Computer Society, Nice, France, pp. 1188–1193.
[5] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli & M. Weiglhofer (2007): Specify, Compile, Run: Hardware from PSL. Electronic Notes in Theoretical Computer Science (ENTCS) 190, pp. 3–16, doi:10.1016/j.entcs.2007.09.004.
[6] U. Boker & O. Kupferman (2009): Co-ing Büchi Made Tight and Useful. In: Logic in Computer Science (LICS). IEEE Computer Society, Los Angeles, California, USA, pp. 245–254, doi:10.1109/LICS.2009.32.
[7] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill & L.J. Hwang (1990): Symbolic Model Checking: 10^20 States and Beyond. In: Logic in Computer Science (LICS). IEEE Computer Society, Washington, DC, USA, pp. 1–33, doi:10.1109/LICS.1990.113767.
[8] E.Y. Chang, Z. Manna & A. Pnueli (1992): Characterization of Temporal Property Classes. In W. Kuich, editor: International Colloquium on Automata, Languages and Programming (ICALP). LNCS 623, Springer, Vienna, Austria, pp. 474–486.
[9] E.A. Emerson (1990): Temporal and Modal Logic. In J. van Leeuwen, editor: Handbook of Theoretical Computer Science, chapter 16. B: Formal Models and Semantics, Elsevier, pp. 995–1072.
[10] C. Fritz (2005): Simulation-Based Simplification of omega-Automata. Ph.D. thesis, Technischen Fakultät der Christian-Albrechts-Universität zu Kiel, Germany.
[11] B. Jobstmann, S. Galler, M. Weiglhofer & R. Bloem (2007): Anzu: A Tool for Property Synthesis. In W. Damm & H. Hermanns, editors: Computer Aided Verification (CAV). LNCS 4590, Springer, Berlin, Germany, pp. 258–262, doi:10.1007/978-3-540-73368-3_29.
[12] O. Kupferman & M.Y. Vardi (1998): Freedom, Weakness, and Determinism: From Linear-Time to Branching-Time. In: Logic in Computer Science (LICS). IEEE Computer Society, Indianapolis, Indiana, USA, pp. 81–92, doi:10.1109/LICS.1998.705645.
[13] R. Könighofer, G. Hofferek & R. Bloem (2009): Debugging formal specifications using simple counterstrategies. In: Formal Methods in Computer-Aided Design (FMCAD). IEEE Computer Society, Austin, Texas, USA, pp. 152–159, doi:10.1109/FMCAD.2009.5351127.
[14] M. Maidl (2000): The Common Fragment of CTL and LTL. In: Foundations of Computer Science (FOCS). pp. 643–652.
[15] Z. Manna & A. Pnueli (1987): A Hierarchy of Temporal Properties. In: Principles of Distributed Computing (PODC). p. 205, doi:10.1145/41840.41857.
[16] Z. Manna & A. Pnueli (1990): A hierarchy of temporal properties. In: Principles of Distributed Computing (PODC). ACM, Quebec City, Quebec, Canada, pp. 377–408.
[17] Z. Manna & A. Pnueli (1991): Completing the temporal picture. Theoretical Computer Science (TCS) 83(1), pp. 97–130, doi:10.1016/0304-3975(91)90041-Y.
[18] S. Miyano & T. Hayashi (1984): Alternating automata on ω-words. Theoretical Computer Science (TCS) 32, pp. 321–330, doi:10.1016/0304-3975(84)90049-5.
[19] A. Morgenstern, K. Schneider & S. Lamberti (2008): Generating Deterministic ω-Automata for most LTL Formulas by the Breakpoint Construction. In C. Scholl & S. Disch, editors: Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systemen (MBMV). Shaker, Freiburg, Germany, pp. 119–128.
[20] N. Piterman, A. Pnueli & Y. Sa'ar (2006): Synthesis of Reactive(1) Designs. In E.A. Emerson & K.S. Namjoshi, editors: Verification, Model Checking, and Abstract Interpretation (VMCAI). LNCS 3855, Springer, Charleston, South Carolina, USA, pp. 364–380, doi:10.1007/11609773_24.
[21] A. Pnueli (1977): The Temporal Logic of Programs. In: Foundations of Computer Science (FOCS). IEEE Computer Society, Providence, Rhode Island, USA, pp. 46–57, doi:10.1109/SFCS.1977.32.
[22] K. Schneider (2001): Improving Automata Generation for Linear Temporal Logic by Considering the Automata Hierarchy. In R. Nieuwenhuis & A. Voronkov, editors: Logic for Programming, Artificial Intelligence, and Reasoning (LPAR). LNAI 2250, Springer, Havana, Cuba, pp. 39–54, doi:10.1007/3-540-45653-8_3.
[23] K. Schneider (2003): Verification of Reactive Systems - Formal Methods and Algorithms. Texts in Theoretical Computer Science (EATCS Series), Springer.
[24] K. Schneider (2009): The Synchronous Programming Language Quartz. Internal Report 375, Department of Computer Science, University of Kaiserslautern, Kaiserslautern, Germany.
[25] W. Thomas (1990): Automata on Infinite Objects. In J. van Leeuwen, editor: Handbook of Theoretical Computer Science, chapter 4. B: Formal Models and Semantics, Elsevier, pp. 133–191.
[26] K. Wagner (1979): On ω-regular sets. Information and Control 43(2), pp. 123–177.
[27] N. Wallmeier, P. Hütten & W. Thomas (2003): Symbolic Synthesis of Finite-State Controllers for Request-Response Specifications. In O.H. Ibarra & Z. Dang, editors: Conference on Implementation and Application of Automata (CIAA). LNCS 2759, Springer, Santa Barbara, California, USA, pp. 11–22, doi:10.1007/3-540-45089-0_3.
[28] T. Wongpiromsarn, U. Topcu & R.M. Murray (2010): Receding horizon control for temporal logic specifications. In K.H. Johansson & W. Yi, editors: Hybrid Systems: Computation and Control (HSCC). ACM, Stockholm, Sweden, pp. 101–110, doi:10.1145/1755952.1755968.
