Bounded Synthesis of Register Transducers by Khalimov, Ayrat et al.
arXiv:1809.05017v1 [cs.FL] 28 Aug 2018
Bounded Synthesis of Register Transducers
Ayrat Khalimov1, Benedikt Maderbacher2, Roderick Bloem2
1 Hebrew University, Israel
2 Graz University of Technology, Austria
Abstract. Reactive synthesis aims at the automatic construction of systems from their behavioural specifications. The research mostly focuses on synthesis of systems dealing with Boolean signals. But real-life systems are often described using bit-vectors, integers, etc. Bit-blasting would make such systems unreadable, hurt synthesis scalability, and is not possible for infinite data-domains. One step closer to real-life systems are register transducers [12]: they can store the data-input into registers and later output the content of a register, but they do not directly depend on the data-input, only on its comparison with the registers. Previously [6] it was proven that synthesis of register transducers from register automata is undecidable, but there the authors considered transducers equipped with an unbounded queue of registers. First, we prove that the problem becomes decidable if we bound the number of registers in transducers, by reducing the problem to standard synthesis of Boolean systems. Second, we show how to use quantified temporal logic, instead of automata, for specifications.
1 Introduction
Reactive synthesis [3] frees hardware and software developers from tedious and error-prone coding work. Instead, the developer specifies the desired behaviour of a system, and a synthesizer produces the actual code. The research in reactive synthesis is mostly focused on synthesis of transducers dealing with Boolean inputs and outputs. However, most programs and hardware designs use not only Booleans, but also bit-vectors, integers, reals. Bit-blasting into Booleans makes synthesized programs unreadable and hinders the scalability of synthesis.
One step closer to real-life systems are register transducers [12]. Such transducers are equipped with registers; they can read the data-input from an infinite domain; they can store the data-input into a register and later output it; they do not depend on the exact data-input value, but on its comparison with the registers. Thus, a transition of a register transducer can say "in state q: if the data-input does not equal register #1, then output the value of register #1, store the data-input into register #2, and go to state q′". Examples of a register transducer and automaton are in Figures 2 and 1.
In [6], the authors introduced the problem of synthesis of register transducers.
But their transducers are equipped with an unbounded queue of registers: they
can push the data-input into the queue, and later compare the data-input with
the values in the queue. For specifications, the authors use register automata
with a fixed number of registers (thus, no queue). The authors show that the
synthesis problem is undecidable; the proof relies on unboundedness of the queue.
This is a full version of our ATVA'18 paper.
We prove that the problem becomes decidable if we bound the number of registers in transducers. Namely, we reduce synthesis of $k$-register transducers wrt. register automata to synthesis of Boolean transducers wrt. Boolean automata, i.e., to standard synthesis. The reduction relies on two ideas.
The first (folklore) idea is: instead of tracking the exact register values and
data-inputs, track only the equivalences between register values and the data-
input. The second idea is: instead of checking automaton non-emptiness, we
check automaton non-emptiness modulo words of k-register transducers. Every
such word can be enhanced with assignment actions of the transducer that re-
sulted in producing the word.
In the second part, we suggest a temporal logic that "works well" with our approach. Among several logics suitable to the context of infinite data [17,11,5,4], we have chosen IPTL [17] (called VLTL in [11]), because of its naturalness. Using this logic, we can state properties like $\forall d \in D : G(i = d \to F(o = d))$: "every data-value appearing on the input eventually appears on the output". We show how to convert a formula in this logic into a register automaton (in an incomplete way; there can be no complete way) that can be used by our synthesis approach.
2 Definitions
Fix a data-domain $D$ throughout the paper, which is an infinite set of elements (data-values). Calligraphic writing (used for the data-variables i, o, d, r) denotes data-variables or objects closely related to them. Sets of such objects are also written in calligraphic, like $D$, $\mathcal{R}$, $\mathcal{P}$, etc. Define $\mathbb{N} = \{1, 2, \dots\}$, $\mathbb{N}_0 = \{0, 1, 2, \dots\}$, $[k] = \{1, \dots, k\}$ for $k \in \mathbb{N}$; $\mathbb{B} = \{true, false\}$, and we often use the subscripted variants $\mathbb{B}_i = \mathbb{B}_o = \mathbb{B}$ to clarify when $\mathbb{B}$ is related to object $i$ or $o$. For an automaton $A$, let $L(A)$ denote the set of its accepted words.
2.1 Register Automata
A register automaton works on words from $(2^P \times D^{\mathcal{P}})^\omega$, where $P$ is a set of Boolean signals and $\mathcal{P}$ is a set of data-signals. To simplify the presentation, we assume there are only two data-signals ($\mathcal{P} = \{i, o\}$), which makes the words come from $(2^P \times D^2)^\omega$. When reading a word, a register automaton can store the value of data-signal $i$ into its registers. Later it can compare the content of its registers with the current value of $i$. Register automata do not depend on actual data-values, only on the comparison with the register values. Below is a formal definition.
A (universal co-Büchi / non-deterministic Büchi) word automaton with $k$ registers is a tuple $A = \langle P, \mathcal{P}, \mathcal{R}, d_0, Q, q_0, \delta, F\rangle$, where
– $P$ is a set of Boolean signals;
– $\mathcal{P} = \{i, o\}$ is a set of data-signals;
– $\mathcal{R} = \{r_1, \dots, r_k\}$ is a set of registers;
– $d_0 \in D$ is an initial data-value for every register;
– $Q$ is the set of states and $q_0 \in Q$ is an initial state;
[Fig. 1 diagram: states $q_0$, $q_1$; self-loop on $q_0$ labelled $\neg store$; edge $q_0 \to q_1$ labelled $req$, $store$; self-loop on $q_1$ labelled $\neg grant \vee o \neq r$, $\neg store$.]
Fig. 1: A universal co-Büchi 1-register automaton: $P = \{req, grant\}$, $\mathcal{R} = \{r\}$, $F = \{q_1\}$. The labels $\neg store$ and $store$ have a special meaning: $store$ means that the automaton stores the value of data-input $i$ into register $r$; $\neg store$ means it does not. The expression $o \neq r$ means that the component $\mathbb{B}_o$ of the transition is false. For guards and Boolean signals, the labeling is symbolic. Formally, the set of transitions is
$\{(q_0, p, b_i, b_o, false, q_0) : (b_i, b_o) \in \mathbb{B}^2,\ p \in 2^P\} \cup \{(q_0, p, b_i, b_o, true, q_1) : (b_i, b_o) \in \mathbb{B}^2,\ req \in p \in 2^P\} \cup \{(q_1, p, b_i, b_o, false, q_1) : (b_i, b_o) \in \mathbb{B}^2,\ p \in 2^P,\ grant \notin p \vee b_o = false\}$.
– $F \subseteq Q$ is a set of accepting states;
– $\delta : Q \times 2^P \times \mathbb{B}^k_i \times \mathbb{B}^k_o \to 2^{\mathbb{B}^k \times Q}$ is a transition function. Intuitively, in a state, an automaton reads a finite letter from $2^P$ (which describes all Boolean signals whose current value is true) and a data-letter from $D^2$ (a data-value for $i$ and a data-value for $o$). Then the automaton compares the data-letter with the content of the registers. Depending on this comparison (component $\mathbb{B}^k_i \times \mathbb{B}^k_o$, called guard), the automaton transits into several (for a universal automaton) or one of (for a non-deterministic automaton) successor states, and for each successor state, stores the value of data-signal $i$ into one, several, or none of the registers (defined by component $\mathbb{B}^k$, called assignment or store).
An example of a register automaton is in Figure 1.
A configuration is a tuple $(q, \bar d) \in Q \times D^k$, and $(q_0, d_0^k)$ is initial. A path is an infinite sequence $(q_0, \bar d_0) \xrightarrow{(l_0, i_0, o_0, \bar a_0)} (q_1, \bar d_1) \xrightarrow{(l_1, i_1, o_1, \bar a_1)} \dots$ such that for every $j \in \mathbb{N}_0$:
– $q_j \in Q$, $\bar d_j \in D^k$, $l_j \in 2^P$, $i_j \in D$, $o_j \in D$, and $\bar a_j \in \mathbb{B}^k$;
– $(q_{j+1}, \bar a_j) \in \delta\big(q_j, l_j, i_j = \bar d_j[1], \dots, i_j = \bar d_j[k], o_j = \bar d_j[1], \dots, o_j = \bar d_j[k]\big)$;
– $\bar d_0 = d_0^k$; and
– for every $n \in [k]$: $\bar d_{j+1}[n] = i_j$ if $\bar a_j[n] = true$, and $\bar d_{j+1}[n] = \bar d_j[n]$ otherwise.
Let $\Sigma = 2^P \times D^2$. A word is a sequence from $\Sigma^\omega$. A word is accepted by a universal co-Büchi register automaton iff every path whose projection onto $\Sigma$ equals the word does not visit a state from $F$ infinitely often; otherwise the word is rejected. A word is accepted by a non-deterministic Büchi register automaton iff there is a path whose projection onto $\Sigma$ equals the word and that visits a state from $F$ infinitely often; otherwise the word is rejected. For example, the universal co-Büchi register automaton in Figure 1 accepts the word $(\{req\}, 5_i, *_o)(\{req, grant\}, 6_i, 5_o)(\{grant\}, *_i, 6_o)(\emptyset, *_i, *_o)^\omega$, where $D = \mathbb{N}_0$, we write subscripts $i$ and $o$ for clarity, and $*$ is anything from $D$ (not necessarily the same). The automaton describes the words where every $req$ is followed by $grant$ with the data-value of $o$ being equal to the data-value of $i$ at the moment of the
[Fig. 2 diagram: states $s_0$, $s_1$; self-loop on $s_0$ labelled $\neg req/\neg grant$, $\neg store$; edge $s_0 \to s_1$ labelled $req/\neg grant$, $store$; self-loop on $s_1$ labelled $req/grant$, $store$; edge $s_1 \to s_0$ labelled $\neg req/grant$, $\neg store$.]
Fig. 2: A 1-register transducer: $I = \{req\}$, $O = \{grant\}$, $\mathcal{R} = \{r\}$. The meaning of $store$ and $\neg store$ is as in the previous figure. The labeling wrt. guards and Boolean signals is symbolic. The transducer always outputs the value of its only register (not shown). Formally, the set of transitions is
$\{(s_0, \emptyset, b_i, \emptyset, 1, false, s_0) : b_i \in \mathbb{B}\} \cup \{(s_0, \{req\}, b_i, \emptyset, 1, true, s_1) : b_i \in \mathbb{B}\} \cup \{(s_1, \{req\}, b_i, \{grant\}, 1, true, s_1) : b_i \in \mathbb{B}\} \cup \{(s_1, \emptyset, b_i, \{grant\}, 1, false, s_0) : b_i \in \mathbb{B}\}$.
request. Such words can be described by the formula $\forall d \in D : G\big(req \wedge i = d \to XF(grant \wedge o = d)\big)$, but we postpone the discussion of logic until Section 4.
2.2 Register Transducers
Register transducers are an extension of standard transducers (Mealy machines) to an infinite domain. A register transducer can store the input data-value into its registers. It can only output a data-value that is currently stored in one of its registers. Similarly to register automata, the transitions of register transducers depend on the comparison of the data-input with the registers, but not on the actual data-values. Let us define register transducers formally.
A $k$-register transducer is a tuple $T = \langle I, O, \mathcal{I}, \mathcal{O}, \mathcal{R}, d_0, S, s_0, \tau\rangle$ where:
– $I$ and $O$ are sets of Boolean signals, called Boolean inputs and outputs;
– $\mathcal{I}$ and $\mathcal{O}$ are sets of data-signals, called data-inputs and data-outputs; we assume that $\mathcal{I} = \{i\}$ and $\mathcal{O} = \{o\}$;
– $S$ is a (finite or infinite) set of states and $s_0 \in S$ is initial;
– $\mathcal{R} = \{r_1, \dots, r_k\}$ is a set of registers;
– $d_0 \in D$ is an initial data-value for every register;
– $\tau : S \times 2^I \times \mathbb{B}^k_i \to (2^O \times [k] \times \mathbb{B}^k \times S)$ is a transition function. Intuitively, from a state the transducer reads the values of the Boolean inputs (component $2^I$) and compares the content of the registers with the data-value of $i$ (component $\mathbb{B}^k_i$, called guard). Depending on that information, the transducer transits into a unique successor state (component $S$), stores the data-value of $i$ into one, several, or none of the registers (component $\mathbb{B}^k$, called assignment or store), outputs a value for each Boolean output (component $2^O$), and outputs a data-value stored in one of the registers (component $[k]$).
Figure 2 shows an example of a register transducer.
A configuration is a tuple $(s, \bar d) \in S \times D^k$; $(s_0, d_0^k)$ is called initial. A path is a sequence $(s_0, \bar d_0) \xrightarrow{(i_0, o_0, \mathrm{i}_0, \mathrm{o}_0, \bar a_0)} (s_1, \bar d_1) \xrightarrow{(i_1, o_1, \mathrm{i}_1, \mathrm{o}_1, \bar a_1)} \dots$ (here $i_j, o_j$ are the Boolean letters and $\mathrm{i}_j, \mathrm{o}_j$ the data-values of $i$ and $o$) where for every $j \in \mathbb{N}_0$:
– $s_j \in S$, $\bar d_j \in D^k$, $i_j \in 2^I$, $o_j \in 2^O$, $\mathrm{i}_j \in D$, $\mathrm{o}_j \in D$, $\bar a_j \in \mathbb{B}^k$;
– let $(out, \mathrm{out}, store, succ) = \tau(s_j, i_j, \mathrm{i}_j = \bar d_j[1], \dots, \mathrm{i}_j = \bar d_j[k])$, with $out \in 2^O$ and $\mathrm{out} \in [k]$. Then:
  – $s_{j+1} = succ$;
  – $\bar a_j = store$;
  – $\mathrm{o}_j = \bar d_j[\mathrm{out}]$;
  – $o_j = out$;
– $\bar d_0 = d_0^k$; and
– for every $n \in [k]$: $\bar d_{j+1}[n] = \mathrm{i}_j$ if $\bar a_j[n] = true$, and $\bar d_{j+1}[n] = \bar d_j[n]$ otherwise.
Notice that the value of the data-output refers to the current register values, not the updated ones, i.e., outputting a data-value happens before storing.
For example, a path of the register transducer in Figure 2 can start with
$(s_0, 0) \xrightarrow{(\{req\}, \emptyset, 5_i, 0_o, true)} (s_1, 5) \xrightarrow{(\{req\}, \{grant\}, 6_i, 5_o, true)} (s_1, 6) \xrightarrow{(\emptyset, \{grant\}, 4_i, 6_o, false)} (s_0, 6)$,
where we assumed that $D = \mathbb{N}_0$, $d_0 = 0$, and the subscripts $i$ and $o$ are for clarity.
A word is a projection of a transducer path onto $2^{I \cup O} \times D^2$. A register transducer satisfies a register automaton $A$, written $T \models A$, iff all transducer words are accepted by the automaton. For example, the register transducer from Figure 2 satisfies the automaton from Figure 1.
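To make the transducer semantics concrete, here is an added Python simulation of the 1-register transducer of Figure 2 (an editor's illustration, not code from the paper). The states, transitions, $d_0 = 0$ and the sample run are the paper's; the class `RegisterTransducer`, the function `fig2_tau` and the other names are this example's own choices. It reproduces the path above (output happens before storing) and checks the defining property of register transducers: the control sees only the guard, never the data-value itself, so two data-words that induce the same comparisons yield the same states, Boolean outputs and store actions.

```python
"""Simulation of the 1-register transducer of Figure 2.
Added example (editor's illustration, not the paper's code).  The states,
transitions, d_0 = 0 and the sample run are the paper's; the class layout
and names are this example's own."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Sequence, Tuple

Guard = Tuple[bool, ...]                      # (i == r_1, ..., i == r_k)
Store = Tuple[bool, ...]                      # which registers receive i
# tau returns (Boolean outputs, 1-based index of register to output, store, successor)
TauResult = Tuple[FrozenSet[str], int, Store, str]
PathStep = Tuple[str, Tuple[int, ...], FrozenSet[str], int, Store]


@dataclass
class RegisterTransducer:
    k: int
    s0: str
    d0: int
    tau: Callable[[str, FrozenSet[str], Guard], TauResult]

    def run(self, inputs: Sequence[Tuple[FrozenSet[str], int]]):
        """Run on a finite prefix of (Boolean inputs, data-input) letters.
        Returns the path as (state, registers, Boolean out, data out, store)
        per step, plus the final configuration (state, registers)."""
        s, regs = self.s0, [self.d0] * self.k
        path: List[PathStep] = []
        for bool_in, i in inputs:
            guard = tuple(i == r for r in regs)        # tau sees only comparisons
            bool_out, out_idx, store, succ = self.tau(s, frozenset(bool_in), guard)
            o = regs[out_idx - 1]                      # output uses CURRENT registers
            path.append((s, tuple(regs), bool_out, o, store))
            regs = [i if st else r for st, r in zip(store, regs)]   # ... then store
            s = succ
        return path, s, tuple(regs)


def fig2_tau(s: str, bool_in: FrozenSet[str], guard: Guard) -> TauResult:
    """Transition function of Figure 2; the guard is unused there (any b_i)."""
    req = "req" in bool_in
    if s == "s0":
        return (frozenset(), 1, (True,), "s1") if req else (frozenset(), 1, (False,), "s0")
    if s == "s1":
        return (frozenset({"grant"}), 1, (True,), "s1") if req else (frozenset({"grant"}), 1, (False,), "s0")
    raise ValueError(f"unknown state {s}")


FIG2 = RegisterTransducer(k=1, s0="s0", d0=0, tau=fig2_tau)


def example_path():
    """The three-step path from the text: data 5, 6, 4 with req, req, no req."""
    return FIG2.run([(frozenset({"req"}), 5), (frozenset({"req"}), 6), (frozenset(), 4)])


def boolean_projection(path: List[PathStep]):
    """Everything the control can depend on: state, Boolean outputs, stores."""
    return [(s, bool_out, store) for s, _, bool_out, _, store in path]


def value_independence_check() -> bool:
    """Same Boolean inputs and same comparisons, different data-values:
    the projections must coincide even though the data-outputs differ."""
    p1, _, _ = FIG2.run([(frozenset({"req"}), 5), (frozenset({"req"}), 6), (frozenset(), 4)])
    p2, _, _ = FIG2.run([(frozenset({"req"}), 17), (frozenset({"req"}), 42), (frozenset(), 9)])
    return boolean_projection(p1) == boolean_projection(p2)
```

Running `example_path()` yields the configurations $(s_0,0)$, $(s_1,5)$, $(s_1,6)$ and ends in $(s_0, 6)$, with data-outputs $0, 5, 6$: the first output is the initial register value, since the output is taken before the store.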
2.3 Synthesis Problem
In this section, we define the model checking problem and the bounded and unbounded-but-finite synthesis problems. All the problems take as input a universal register automaton: one argument in favour of universal rather than non-deterministic automata is that the property "every data-request is eventually data-granted" can be expressed with a universal automaton, but not with a nondeterministic automaton.
Model checking and cutoffs. The model-checking problem is:
– Given: a register transducer T , a universal co-Bu¨chi register automaton A.
– Return: “yes” if T |= A, otherwise “no”.
The model-checking problem is decidable, which follows from the following. Kaminski and Francez [12, Prop. 4] proved the following cutoff result (adapted to our notions): if a data-word over an infinite domain $D$ is accepted by a non-deterministic Büchi $k$-register automaton, then there is an accepting data-word over a finite domain $D_{k+1}$ of size $k+1$. (Actually, their result is for words of finite length, but it can be extended to infinite words.) Further, if we look at a given universal co-Büchi $k_A$-register automaton $A$ as a non-deterministic Büchi automaton $\tilde A$, then $L(\tilde A) = \overline{L(A)}$, i.e., it describes the error words. To do model checking, as usual, (1) build the product of $\tilde A$ and a given $k_T$-register transducer $T$, then (2) check its emptiness and return "the transducer is correct" iff the product is empty. The product is easy to build as an extension of the standard product construction; we note only that it is a non-deterministic Büchi $(k_A + k_T)$-register automaton. Finally, to check emptiness of the product we can use the cutoff result, namely, restrict the data-domain to have $(k_A + k_T + 1)$ data-values. This reduces product emptiness to standard emptiness of register-less automata. The case of deterministic Rabin register automata and transducers with more than a single data-input and data-output was studied in [14], but the proof idea is similar.
In this paper we focus on the synthesis problem defined below.
Synthesis. The bounded synthesis problem is:
– Given: a register-transducer interface (the number of registers $k_T$, Boolean and data-inputs, Boolean and data-outputs), a universal co-Büchi register automaton $A$.
– Return: a $k_T$-register transducer $T$ of the given interface such that $T \models A$, otherwise "unrealizable".
If the number of registers $k_T$ is not given (thus we ask to find any such $k_T$ which makes the problem realizable, or return "unrealizable" if no such $k_T$ exists), then we get the (finite but unbounded) synthesis problem.
A related synthesis problem (let us call it the "infinite synthesis problem") was studied in [6], but for a slightly different model of register transducers. There, the transducers operate an unbounded queue of registers (thus, they may use an infinite number of registers). The authors prove that the infinite synthesis problem is undecidable and suggest an incomplete synthesis approach.
In the next sections, we show that the bounded synthesis problem is decidable, and suggest an approach that reduces it to the synthesis problem of register-less transducers wrt. register-less automata. The (unbounded) synthesis problem is left open.
But before proceeding to our solution, let us remark why the cutoff result
does not immediately give a complete synthesis procedure.
Remark 1 (Cutoffs and synthesis). The cutoff result makes the data-domain fi-
nite, so let the values of the registers be part of the transducer states. Then a
transducer has to satisfy the three conditions below, where condition (3) explains
why the cutoff does not work with this naive approach.
(1) “The register values are updated according to transducer store actions.”
Introduce new Boolean outputs describing the current values of the trans-
ducer registers, and new Boolean outputs describing the store action. Then
it is easy to encode the above requirement using a register-less automaton.
(2) “The value of the data-output always equals the value of one of the registers.”
With the Boolean outputs introduced in item (1), this can be easily encoded
using a register-less automaton.
(3) “The transitions depend on the guard, but not on the value of data-input.”
When considered alone, this requirement can be implemented using the
partial-information synthesis approach [13], where we search for a trans-
ducer that can access the guard, but not the actual value of data-input.
But the partial-information synthesis approach does not allow for having
partial information for transitions (needed to implement item (3)), yet full
information for outputs (needed to implement items (1) and (2)).
Nevertheless, with the cutoff it is easy to get an incomplete synthesis approach
with SMT-based bounded synthesis [7] that allows you to fine-tune transition
and output functions dependencies.
3 Solving the Bounded Synthesis Problem
Our approach consists of five steps.
(1) We start by defining a Boolean associate $A_{\mathbb B}$ of a universal co-Büchi register automaton $A$, which is a standard register-less universal co-Büchi automaton derived from the description of $A$. Of course, we cannot directly use the Boolean associate $A_{\mathbb B}$ to answer questions about $A$, because $A_{\mathbb B}$ lacks the semantics of $A$. We also define a Boolean associate $T_{\mathbb B}$ for every register transducer $T$. In the end, we will synthesize a $T_{\mathbb B}$ that satisfies a certain register-less automaton. For examples of such associates, look at the automaton and transducer in Figures 1 and 2 as being standard, register-less, where $store$ is a Boolean signal and has no special meaning. (2) We introduce a verifier automaton $V$, which tracks the equivalences between the registers $\mathcal{R}^A$ of $A$: two registers fall into the same equivalence class iff they hold the same data-value. The automaton $A_{\mathbb B}@V$ is $A_{\mathbb B}$ enhanced with this equivalence-class information. It has enough information to answer questions like "does $A$ have a rejecting word?" and to do model checking wrt. $A$. This is because every Boolean path of $A_{\mathbb B}@V$ corresponds to some data-path in $A$, and vice versa (which was not the case for $A_{\mathbb B}$ and $A$). But $A_{\mathbb B}@V$ is not suited for synthesis (we cannot synthesize from $A_{\mathbb B}@V$) for one of two reasons: either we would have to allow the transducers to control the store actions of $A$, which brings unsoundness, or we would have to allow the environment to provide input guards that do not correspond to any data-value, which brings incompleteness. (3) We add $k_T$ fresh registers $\mathcal{R}^T$ to $A$ that will be controlled by a transducer. To this end, we define the automaton $T_{all}$: it reads data-words enhanced with store information of a transducer, and filters out data-words that do not belong to any of the $k_T$-register transducers (e.g., data-words that have a value for $o$ that was not seen before on $i$). We define $A \otimes T_{all}$, whose language is $L(A) \cap L(T_{all})$¹. (4) We enhance the Boolean associate $(A \otimes T_{all})_{\mathbb B}$ of $A \otimes T_{all}$ with information about equivalences between the registers $\mathcal{R}^T$ and $\mathcal{R}^A$; the resulting automaton is called $(A \otimes T_{all})_{\mathbb B}@W$, where $W$ is a verifier similar to $V$ but tailored towards synthesis. (5) Finally, we hide the information that should not be visible to a transducer, namely information related to the automaton registers $\mathcal{R}^A$. The resulting automaton is called $H = \mathrm{hide}_A((A \otimes T_{all})_{\mathbb B}@W)$ and it is such that $\exists T : T \models A$ iff $\exists T_{\mathbb B} : T_{\mathbb B} \models H$. Furthermore, $H$, when viewed as a register automaton, is determinizable, and $L(H) \subseteq L(A)$¹.
¹ Actually, their alphabets differ, so this statement assumes $A$ with an extended alphabet.
3.1 Boolean Associates of Register Automata and Transducers
The transition functions of $k$-register automata do not contain any infinite objects: data-values appear only in the semantics. Let us define Boolean associates of register automata and transducers.
Given a $k$-register automaton $A = \langle P, \mathcal{P}, \mathcal{R}, d_0, Q, q_0, \delta, F\rangle$, let the Boolean automaton $A_{\mathbb B} = \langle P_{\mathbb B}, Q, q_0, \delta_{\mathbb B}, F\rangle$ be a standard register-less automaton where:
– let $G_i = \{gi_{r_1}, \dots, gi_{r_k}\}$, $G_o = \{go_{r_1}, \dots, go_{r_k}\}$, $Asgn = \{a_{r_1}, \dots, a_{r_k}\}$. Then:
– $P_{\mathbb B} = P \cup G_i \cup G_o \cup Asgn$,
– $\delta_{\mathbb B} : Q \times 2^{P_{\mathbb B}} \to 2^Q$ contains $(q, l \cup gi \cup go \cup a, q') \in \delta_{\mathbb B}$ iff $(q, l, \bar b_i, \bar b_o, \bar a, q') \in \delta$, where $l \in 2^P$, $gi \in 2^{G_i}$, $go \in 2^{G_o}$, $a \in 2^{Asgn}$, $\bar b_i = (gi_{r_1} \in gi, \dots, gi_{r_k} \in gi) \in \mathbb{B}^k$, $\bar b_o = (go_{r_1} \in go, \dots, go_{r_k} \in go) \in \mathbb{B}^k$, $\bar a = (a_{r_1} \in a, \dots, a_{r_k} \in a) \in \mathbb{B}^k$. Informally, we take the assignment component (on the right side) of $\delta$ and move it to the left side of $\delta_{\mathbb B}$, and introduce new Boolean signals to describe the Boolean components.
For convenience, we say that a letter $gi \in 2^{G_i}$ encodes the guard $(gi_{r_1} \in gi, \dots, gi_{r_k} \in gi) \in \mathbb{B}^k$, and vice versa; similarly for letters from $2^{G_o}$ and $2^{Asgn}$.
A Boolean path is an infinite sequence $q_0 \xrightarrow{l_0 \cup gi_0 \cup go_0 \cup a_0} q_1 \xrightarrow{l_1 \cup gi_1 \cup go_1 \cup a_1} \dots$ from $(Q \times 2^{P_{\mathbb B}})^\omega$ that satisfies $\delta_{\mathbb B}$. When necessary to distinguish paths of register automata (which are in $(Q \times D^k \times 2^P \times D^2)^\omega$) from Boolean paths, we call the former data-paths. A data-path $(q_0, \bar d_0) \xrightarrow{(l_0, i_0, o_0, \bar a_0)} (q_1, \bar d_1) \xrightarrow{(l_1, i_1, o_1, \bar a_1)} \dots$ corresponds to a Boolean path $q_0 \xrightarrow{l_0 \cup gi_0 \cup go_0 \cup a_0} q_1 \xrightarrow{l_1 \cup gi_1 \cup go_1 \cup a_1} \dots$ where $gi_j$ encodes the guard $(i_j = \bar d_j[1], \dots, i_j = \bar d_j[k])$, $go_j$ encodes the guard $(o_j = \bar d_j[1], \dots, o_j = \bar d_j[k])$, and $a_j \in 2^{Asgn}$ encodes $\bar a_j \in \mathbb{B}^k$, for $j \in \mathbb{N}_0$. From the definition of paths of register automata in Section 2.1, it follows that for every path of a register automaton, there exists a path in the associated Boolean automaton to which the data-path corresponds. Consider the reverse direction, where we say that a Boolean path corresponds to a data-path iff the data-path corresponds to it. The reverse direction does not necessarily hold: there is a register automaton $A$ (e.g., with 2 registers) where some Boolean paths of $A_{\mathbb B}$ do not have a corresponding data-path in $A$. This is because the letters of a Boolean path can describe contradictory guards. For example, let a transition in a Boolean path have $\bar a = (true, true)$, meaning that in a data-path the value of the data-input is stored into the registers $r_1$ and $r_2$. Hence, in the next transition of the data-path, $i = r_1 \Leftrightarrow i = r_2$ must hold, but the Boolean path may have $gi = \{gi_{r_2}\}$ (describing the guard $i \neq r_1 \wedge i = r_2$). Thus we get the following.
Observation 1.
– For every register automaton $A$, every data-path in $A$ has exactly one corresponding Boolean path in $A_{\mathbb B}$.
– There exists a register automaton $A$ where some Boolean paths of $A_{\mathbb B}$ do not correspond to any data-path of $A$.
A Boolean word is a projection of a Boolean path onto $2^{P_{\mathbb B}}$; note that it contains information about assignment actions.
Similarly we define Boolean transducers. Given a $k$-register transducer $T = \langle I, O, \mathcal{I}, \mathcal{O}, \mathcal{R}, d_0, S, s_0, \tau\rangle$, a Boolean transducer $T_{\mathbb B} = \langle I_{\mathbb B}, O_{\mathbb B}, S, s_0, \tau_{\mathbb B}\rangle$ is a standard register-less transducer where: $I_{\mathbb B} = I \cup G_i$, $G_i = \{gi_{r_1}, \dots, gi_{r_k}\}$, $O_{\mathbb B} = O \cup Asgn \cup O_k$, $Asgn = \{a_{r_1}, \dots, a_{r_k}\}$, and $O_k$ has enough Boolean signals to encode the numbers $[k]$. The transition function $\tau_{\mathbb B} : S \times 2^{I_{\mathbb B}} \to S \times 2^{O_{\mathbb B}}$ contains $(s, l \cup gi, o \cup ok \cup a, s')$ iff $(s, l, \bar b_i, o, \tilde o_k, \bar a, s') \in \tau$, where $s, s' \in S$, $l \in 2^I$, $a \in 2^{Asgn}$ encodes $\bar a \in \mathbb{B}^k$, $gi \in 2^{G_i}$ encodes $\bar b_i \in \mathbb{B}^k$, and $ok \in 2^{O_k}$ encodes $\tilde o_k \in [k]$. A Boolean path is an infinite sequence $s_0 \xrightarrow{l_0 \cup gi_0,\ o_0 \cup ok_0 \cup a_0} s_1 \xrightarrow{l_1 \cup gi_1,\ o_1 \cup ok_1 \cup a_1} \dots$ from $(S \times 2^{I_{\mathbb B}} \times 2^{O_{\mathbb B}})^\omega$ that satisfies $\tau_{\mathbb B}$.
Because every register transducer can be viewed as a register automaton, a similar observation holds for register transducers.
3.2 Verifier to Remove Inconsistent Guards ($V_k$ and $A_{\mathbb B}@V_k$)
We introduce an automaton called the verifier that filters out the Boolean paths of $A_{\mathbb B}$ that do not correspond to any data-path.
$V_k$. Given $k \in \mathbb{N}$, the verifier is a deterministic looping register-less automaton $V_k = \langle P_V, \Pi, \pi_0, \delta_V\rangle$ where
– $\Pi$ is the set of all possible partitions of $\{r_1, \dots, r_k\}$; the initial state $\pi_0 = \{\{r_1, \dots, r_k\}\}$ is the partition with a single class. Later, we will use a partition-state to track whether registers hold the same value.
– $P_V = G_i \cup G_o \cup Asgn$ where $G_i = \{gi_{r_1}, \dots, gi_{r_k}\}$, $G_o = \{go_{r_1}, \dots, go_{r_k}\}$, $Asgn = \{a_{r_1}, \dots, a_{r_k}\}$.
– $\delta_V : \Pi \times 2^{P_V} \to \Pi$ contains $\pi \xrightarrow{gi \cup go \cup a} \pi'$ where:
  • the guard-letter $gi \cup go$ respects the current partition:
    ∗ for every $r_m = r_n$ of $\pi$ (i.e., belonging to the same class): $gi_{r_m} \in gi \Leftrightarrow gi_{r_n} \in gi$ and $go_{r_m} \in go \Leftrightarrow go_{r_n} \in go$;
    ∗ for every $r_m \neq r_n$ of $\pi$ (i.e., belonging to different classes): $gi_{r_m} \in gi \Rightarrow gi_{r_n} \notin gi$ and $go_{r_m} \in go \Rightarrow go_{r_n} \notin go$;
  • the successor partition respects the assignment-letter $a$, formalized as follows. For every $m, n \in [k]$, let $e_{mn}$ denote that $\pi$ contains $r_m = r_n$, and let $e'_{mn}$ be the same for $\pi'$. The value $e'_{mn}$ is uniquely defined:
    $e'_{mn} = (a_{r_m} \wedge a_{r_n}) \vee (\neg a_{r_m} \wedge a_{r_n} \wedge gi_{r_m}) \vee (a_{r_m} \wedge \neg a_{r_n} \wedge gi_{r_n}) \vee (\neg a_{r_m} \wedge \neg a_{r_n} \wedge e_{mn})$.
    This definition, together with the previous item, ensures that all $e'_{mn}$ together form a partition (e.g., it is impossible to get $e'_{1,2} \wedge e'_{2,3} \wedge \neg e'_{1,3}$).
– The acceptance condition (not shown in the tuple) defines every path (infinite by definition) to be accepting; hence, every word that has a path in the automaton is accepted.
An example of a verifier is in Figure 3.
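The following Python code is an added example (not the paper's own implementation) of the verifier $V_k$ as an executable partition tracker. A partition-state is a tuple of canonical class ids, `guard_respects` checks the two consistency conditions on a guard letter, and `step` computes the successor partition with the $e'_{mn}$ formula above, returning `None` when the letter falls out of the verifier. The function names and the tuple encoding (registers 0-based) are this example's choices. It also reproduces the contradictory Boolean path from the discussion before Observation 1 (both registers receive $i$, then the next guard claims $i \neq r_1 \wedge i = r_2$) and the edges of the 2-register verifier of Figure 3.

```python
"""Verifier V_k (Section 3.2) as an executable partition tracker.
Added example, not the paper's code.  Registers are 0-based here:
register r_{m+1} of the paper is index m.  A partition-state is a tuple
`cls` with cls[m] == cls[n] iff r_m and r_n are in the same class."""
from itertools import combinations
from typing import List, Optional, Sequence, Tuple

Partition = Tuple[int, ...]        # cls[m] = smallest index in the class of r_m
Letter = Tuple[Sequence[bool], Sequence[bool], Sequence[bool]]   # (gi, go, a)


def initial(k: int) -> Partition:
    """pi_0 = {{r_1, ..., r_k}}: every register holds d_0, so one class."""
    return tuple(0 for _ in range(k))


def guard_respects(cls: Partition, g: Sequence[bool]) -> bool:
    """g[m] is 'i = r_m' (or 'o = r_m').  Same class => same verdict;
    different classes => the value cannot equal both registers."""
    for m, n in combinations(range(len(cls)), 2):
        if cls[m] == cls[n] and g[m] != g[n]:
            return False
        if cls[m] != cls[n] and g[m] and g[n]:
            return False
    return True


def step(cls: Partition, gi: Sequence[bool], go: Sequence[bool],
         a: Sequence[bool]) -> Optional[Partition]:
    """One transition of delta_V; None means the verifier falls out."""
    if not (guard_respects(cls, gi) and guard_respects(cls, go)):
        return None
    k = len(cls)
    # e'_{mn} exactly as in the paper: equal after the step iff both receive i,
    # one receives i and the other already equalled i, or neither receives i
    # and they were equal before.
    same = [[(a[m] and a[n])
             or (not a[m] and a[n] and gi[m])
             or (a[m] and not a[n] and gi[n])
             or (not a[m] and not a[n] and cls[m] == cls[n])
             for n in range(k)] for m in range(k)]
    # Canonical class id: smallest index related to m.  Because the guard
    # respected cls, `same` is an equivalence relation, so this is well defined.
    return tuple(next(n for n in range(k) if same[m][n]) for m in range(k))


def run(k: int, letters: List[Letter]) -> Optional[Partition]:
    """Run V_k over a finite prefix; None if it falls out somewhere."""
    cls = initial(k)
    for gi, go, a in letters:
        cls = step(cls, gi, go, a)
        if cls is None:
            return None
    return cls


def observation1_example() -> Optional[Partition]:
    """Boolean path from Observation 1: store i into r1 and r2, then claim
    i != r1 and i = r2.  That is contradictory, so the verifier must fall out."""
    both = (True, True)
    no_guard = (False, False)
    return run(2, [(no_guard, no_guard, both),
                   ((False, True), no_guard, (False, False))])
```

With $k = 2$ the reachable states are exactly the two partitions of Figure 3; for instance, from the single-class state, storing $i$ into $x$ only while $i \neq y$ separates the registers, and storing into both merges them again.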
$A_{\mathbb B}@V_k$. Given a verifier $V_k = \langle P^V, Q^V, q^V_0, \delta^V\rangle$ and a register-less universal co-Büchi automaton $A_{\mathbb B} = \langle P^A, Q^A, q^A_0, \delta^A, F^A\rangle$, let $A_{\mathbb B}@V_k$ denote the universal co-Büchi automaton $\langle P, Q, q_0, \delta, F\rangle$ where:
– $P = P^V \cup P^A$;
– $Q = Q^V \times Q^A$, $q_0 = (q^V_0, q^A_0)$;
– $\delta : Q \times 2^P \to 2^Q$ has $\big((q^V, q^A), p, (q'^V, q'^A)\big)$ iff $(q^V, p \cap P^V, q'^V) \in \delta^V$ and $(q^A, p \cap P^A, q'^A) \in \delta^A$; and
– $F = Q^V \times F^A$.
Since $P^A = P' \cup G_i \cup G_o \cup Asgn$ (where $P'$ are the Boolean signals of the register automaton $A$) and $P^V = G_i \cup G_o \cup Asgn$, the automaton $A_{\mathbb B}@V_k$ works
[Fig. 3 diagram: two states $\{\{x, y\}\}$ and $\{\{x\}, \{y\}\}$. Self-loop on $\{\{x, y\}\}$: $\neg a_x \neg a_y (gi_x \leftrightarrow gi_y) \vee a_x a_y \neg gi_x \neg gi_y \vee gi_x gi_y$. Edge $\{\{x, y\}\} \to \{\{x\}, \{y\}\}$: $\neg gi_y \neg gi_x (a_y \not\leftrightarrow a_x)$. Self-loop on $\{\{x\}, \{y\}\}$: $\neg a_x \neg a_y \neg(gi_x gi_y) \vee \neg a_y a_x \neg gi_y \vee \neg a_x a_y \neg gi_x$. Edge $\{\{x\}, \{y\}\} \to \{\{x, y\}\}$: $a_x a_y \neg(gi_x gi_y) \vee a_x gi_y \neg gi_x \vee a_y gi_x \neg gi_y$.]
Fig. 3: A verifier automaton (a register-less deterministic looping automaton) for 2-register automata with $\mathcal{R} = \{x, y\}$. The edges have symbolic labels. Later, the left state $\{\{x, y\}\}$ will be used to denote that the registers $x$ and $y$ store the same value, while the right state $\{\{x\}, \{y\}\}$ will denote that they store different values. The automaton has similar restrictions for $o$ (not shown).
on words from $(2^{P' \cup G_i \cup G_o \cup Asgn})^\omega$. The words of $A_{\mathbb B}@V_k$ that do not fall out of $V_k$ are called consistent, otherwise inconsistent. Notice that falling out of the verifier component favours accepting: $L(A_{\mathbb B}@V_k) = \overline{L(V_k)} \cup L(A_{\mathbb B})$, or, equivalently, $\overline{L(A_{\mathbb B}@V_k)} = L(V_k) \cap \overline{L(A_{\mathbb B})}$. Thus, the rejected words of $A_{\mathbb B}@V_k$ are consistent and are rejected by $A_{\mathbb B}$.
Observation 2. For every universal co-Büchi $k$-register automaton $A$:
– every data-path of $A$ has exactly one corresponding Boolean path in $A_{\mathbb B}@V_k$;
– every Boolean path of $A_{\mathbb B}@V_k$ has either one or infinitely many corresponding data-paths in $A$.
Proof. The first item follows from the definition of a data-path. Consider the second item. Consider a Boolean path of $A_{\mathbb B}@V_k$
$(q_0, \Pi_0) \xrightarrow{l_0 \cup gi_0 \cup go_0 \cup a_0} (q_1, \Pi_1) \xrightarrow{l_1 \cup gi_1 \cup go_1 \cup a_1} \dots$
(where $q_j$ is a state of $A_{\mathbb B}$, $\Pi_j$ is a state of $V_k$, $l_j \in 2^P$, $gi_j \in 2^{G_i}$, $go_j \in 2^{G_o}$, and $a_j \in 2^{Asgn}$, for every $j \in \mathbb{N}_0$). We construct a corresponding data-path of $A$
$(q_0, \bar d_0) \xrightarrow{(l_0, i_0, o_0, \bar a_0)} (q_1, \bar d_1) \xrightarrow{(l_1, i_1, o_1, \bar a_1)} \dots$:
– $\bar d_0 = d_0^k$;
– $\bar a_j \in \mathbb{B}^k$ encodes $a_j \in 2^{Asgn}$;
– $\bar d_{j+1}$ is uniquely defined by $\bar d_j$, $i_j$, and $\bar a_j$; and
– $i_j$ and $o_j$ are arbitrary such that $(\bar d_j, i_j, o_j)$ satisfies the guards encoded by $gi_j$ and $go_j$. Such values exist, because $\Pi_j$, $gi_j$ and $go_j$ are non-contradictory.
Note that there is more than one possible value for $i_j$ (in fact, infinitely many) iff $gi_j$ encodes the guard $\bigwedge_{m \in [k]} i \neq r_m$ (i.e., $false^k$); similarly for $o_j$.
The observation, together with the definition of acceptance by $V_k$, implies the following.
Corollary 1. For every universal co-Büchi $k$-register automaton $A$: $A_{\mathbb B}@V_k$ has a rejected Boolean word $\Leftrightarrow$ $A$ has a rejected data-word.
If we look at the dual automaton $\bar A$ (non-deterministic Büchi) and the dual of $A_{\mathbb B}@V_k$, then the corollary states that non-emptiness of non-deterministic Büchi register automata is decidable. This result was earlier established in [12, Thm. 1] using cutoffs (we discussed cutoffs in Section 2.3). Our verifier uses a similar insight, but it is handy in the context of synthesis.
3.3 Focusing on Transducer Data-Words ($T_{all}$ and $A \otimes T_{all}$)
In the end, we will have a register-less automaton $H$, from which we will synthesize a Boolean associate of a register transducer. In the Boolean associate, the assignment actions are modelled as Boolean outputs. Therefore, the automaton $H$ should have Boolean signals expressing the assignment actions of the Boolean transducer. The automaton $T_{all}$ fulfills this purpose: it adds $k_T$ fresh registers to $A$ that will be controlled by transducers via fresh Boolean signals.
$T_{all}$. Let $k_T \in \mathbb{N}$ and let $Asgn^T = \{a_{r^T_1}, \dots, a_{r^T_{k_T}}\}$ be fresh Boolean signals. $T_{all}$ is a deterministic co-Büchi $k_T$-register automaton $\langle P, \mathcal{P}, \mathcal{R}, d_0, Q, q_0, \delta, F\rangle$ with $P = I \cup O \cup Asgn^T$, $\mathcal{P} = \{i, o\}$, $Q$ consisting of $q_0$ and a second, rejecting sink state, and $F$ containing only that sink state. The transition function $Q \times 2^{I \cup O \cup Asgn^T} \times \mathbb{B}^{k_T}_i \times \mathbb{B}^{k_T}_o \to Q \times \mathbb{B}^{k_T}$
– for every $\bar g_i \in \mathbb{B}^{k_T}_i$, $\bar g_o \in \{\bar g \in \mathbb{B}^{k_T} \mid \exists j.\ \bar g[j] = true\}$, and $a \in 2^{Asgn^T}$, contains $(q_0, \bar a)$ where $\bar a[j] = true$ iff $a_{r^T_j} \in a$, for every $j \in [k_T]$;
– when $\bar g_o$ does not satisfy the above condition, it transits from $q_0$ to the sink state;
– it self-loops in the sink state without storing, for every letter.
In words: $T_{all}$ ensures that the value of the data-output $o$ comes from a register and that the assignment actions are synced with the Boolean signals $Asgn^T$.
Observation 3. Let $k_T \in \mathbb{N}$. Then for every $w \in (2^{I \cup O \cup Asgn^T} \times D^2)^\omega$:
$w \models T_{all} \Leftrightarrow \exists T : w \in L(T)$,
where $T$ is a $k_T$-register transducer (possibly with $|S| = \infty$) whose output is extended with $Asgn^T$ signals that are synced with $T$'s assignment actions.
In the observation, $T$ might need infinitely many states, because an accepting path of $T_{all}$ on $w$ might exhibit "irregular" storing behaviour, which cannot be expressed by a finite-state transducer (recall that transducers are deterministic). That is a minor technical detail though.
$A \otimes T_{all}$. The product $A \otimes T_{all}$ of a universal co-Büchi register automaton $A = \langle P^A, \mathcal{P}, \mathcal{R}^A, d_0, Q^A, q^A_0, \delta^A, F^A\rangle$ and $T_{all} = \langle P^T, \mathcal{P}, \mathcal{R}^T, d_0, Q^T, q^T_0, \delta^T, F^T\rangle$, where $P^T = P^A \cup Asgn^T$, is a universal co-Büchi $(k_A + k_T)$-register automaton $\langle P, \mathcal{P}, \mathcal{R}, d_0, Q, q_0, \delta, F\rangle$, where $P = P^T$, $\mathcal{R} = \mathcal{R}^A \,\dot\cup\, \mathcal{R}^T$, $Q = Q^A \times Q^T$, $q_0 = (q^A_0, q^T_0)$, $F = F^A \times Q^T \cup Q^A \times F^T$, and the transition function
$\delta : Q \times 2^{I \cup O \cup Asgn^T} \times \mathbb{B}^{k_A + k_T}_i \times \mathbb{B}^{k_A + k_T}_o \to 2^{Q \times \mathbb{B}^{k_A} \times \mathbb{B}^{k_T}}$
respects both $\delta^A$ and $\delta^T$.
Observation 4. For every $k_T \in \mathbb{N}$, universal co-Büchi $k_A$-register automaton $A$, and $w \in (2^{P^A \cup Asgn^T} \times D^2)^\omega$:
$w \models A \otimes T_{all} \Leftrightarrow w \models T_{all}$ and $w|_{2^{P^A}} \models A$,
where $w|_{2^{P^A}}$ is the projection of $w$ onto $2^{P^A}$.
3.4 Synthesis-tailored Verifier (ATB@W )
For brevity, let AT denote A ⊗ Tall, and let ATB be its Boolean associate.
The automaton ATB@W that will be introduced in this section closely re-
sembles ATB@Vk and AB@Vk, but it is better suited for synthesis.
Recall from Section 3.1 that every TB generates words from (2
I∪GTi ×2O∪Asgn
T∪OkT )ω,
where AsgnT = {arT1 , ..., arTkT
}, GTi = {girT1 , ..., girTkT
}, and OkT has enough
Boolean signals to encode the numbers [kT ]. For synthesis we want our target
specification automaton to have the same alphabet. The automaton ATB@Vk
uses o-guards instead of signals Ok, hence we introduce the automaton ATB@W
(we do not introduce W separately).
Suppose we have ATB@Vk $= \langle P, Q, q_0, \delta, F\rangle$ with $P = I \cup O \cup G^T_i \cup G^A_i \cup G^T_o \cup G^A_o \cup \mathit{Asgn}^T \cup \mathit{Asgn}^A$ and $\delta : Q \times 2^P \to 2^Q$. The automaton ATB@W $= \langle P', Q, q_0, \delta', F\rangle$ has the same states, but $P' = (P \setminus (G^T_o \cup G^A_o)) \cup O_{k_T}$, and the transition function $\delta'$ is derived from $\delta$ as follows. For every transition $(\pi, q) \xrightarrow{(i, o, g_i, g_o, a)} (\pi', q')$ of $\delta$ (where $\pi$ and $\pi'$ are partitions of $R^A \cup R^T$, $q$ and $q'$ are states of ATB, $i \in 2^I$, $o \in 2^O$, $g_i \in 2^{G^A_i \cup G^T_i}$, $g_o \in 2^{G^A_o \cup G^T_o}$, $a \in 2^{\mathit{Asgn}^A \cup \mathit{Asgn}^T}$):
– let $J = \{j_1, \ldots, j_l\} \subset \mathbb{N}$ be such that $g_o$ contains $o = r^T_j$ for every $j \in J$;
– for every $j \in J$, add to $\delta'$ the transition $(\pi, q) \xrightarrow{(i, o, g_i, \tilde{j}, a)} (\pi', q')$, where $\tilde{j} \in 2^{O_{k_T}}$ encodes the number $j \in [k_T]$;
– note that if $J$ is empty ($g_o$ requires $\bigwedge_{t \in [k_T]} o \neq r^T_t$), then we add no transitions to $\delta'$, because no transducer can produce such a value for $o$.
Notice that ATB@W, just like ATB@Vk, accepts inconsistent words (those that fall outside the original Vk). Inconsistency in those words can come from the signals $G^A_i \cup G^T_i$. Later, these Boolean signals will either be hidden ($G^A_i$) or be under environment control ($G^T_i$), which means that a transducer will not be able to sabotage the specification by producing inconsistent words.
The following observation resembles Observation 2, but focuses on $k_T$-register transducers.
Observation 5. For every universal co-Büchi $k_A$-register automaton $A$ and $k_T \in \mathbb{N}$:
– every data-path of $A \otimes T_{all}$ has exactly one corresponding Boolean path in ATB@W;
– every Boolean path of ATB@W has either one or infinitely many corresponding data-paths in $A \otimes T_{all}$.
3.5 Synthesis Using Automaton hideA(ATB@W )
We cannot use ATB@W for synthesis, because it uses Boolean signals that are not visible to transducers (underlined): $I \cup O \cup \underline{G^A_i} \cup G^T_i \cup \underline{G^A_o} \cup O_{k_T} \cup \underline{\mathit{Asgn}^A} \cup \mathit{Asgn}^T$.
Let us show that the simple hiding operation resolves the issue.
Given ATB@W $= \langle P, Q, q_0, \delta, F\rangle$ with $P = I \cup O \cup G^A_i \cup G^T_i \cup G^A_o \cup O_{k_T} \cup \mathit{Asgn}^A \cup \mathit{Asgn}^T$, the automaton hideA(ATB@W) is a universal co-Büchi automaton $\langle P', Q, q_0, \delta', F\rangle$ with $P' = I \cup O \cup G^T_i \cup O_{k_T} \cup \mathit{Asgn}^T$ and
$$\delta' : Q \times 2^I \times 2^O \times 2^{G^T_i} \times 2^{O_{k_T}} \times 2^{\mathit{Asgn}^T} \to 2^Q$$
consists of transitions $q \xrightarrow{(i, o, g^T_i, j, a^T)} Q'$ that satisfy the following: the destination set $Q' \subseteq Q$ contains all successor states of every transition of ATB@W starting in $q$ and having the same common labels:
$$Q' = \bigcup_{g^A_i \in 2^{G^A_i},\; g^A_o \in 2^{G^A_o},\; a^A \in 2^{\mathit{Asgn}^A}} \delta(q, i, o, g^A_i, g^T_i, g^A_o, j, a^T, a^A).$$
Observation 6. For every universal co-Büchi register automaton $A$ and $k_T \in \mathbb{N}$:
– every path of ATB@W corresponds to exactly one path of hideA(ATB@W);
– every path of hideA(ATB@W) corresponds to at least one path of ATB@W.
Proof. The first item follows from the definition of hideA(ATB@W).
Consider the second item. Fix a path $p = q_1 \xrightarrow{\sigma_1} q_2 \xrightarrow{\sigma_2} \ldots$ of hideA(ATB@W). By definition, for every transition $q_j \xrightarrow{\sigma_j} q_{j+1}$ of hideA(ATB@W), there must be some transition $q_j \xrightarrow{\sigma'_j} q_{j+1}$ of ATB@W, where $\sigma'_j$ and $\sigma_j$ agree on the values of the shared signals. Hence, to obtain the desired path of ATB@W, we do the following: for every $j$, arbitrarily choose $\sigma'_j \in 2^{I \cup O \cup G^A_i \cup G^T_i \cup G^A_o \cup O_{k_T} \cup \mathit{Asgn}^A \cup \mathit{Asgn}^T}$ that satisfies $\delta_{\mathrm{ATB@W}}$ and agrees with $\sigma_j \in 2^{I \cup O \cup G^T_i \cup O_{k_T} \cup \mathit{Asgn}^T}$ on the values of the shared signals.
Lemma 1. For every $k_T$-register transducer $T$ and universal co-Büchi $k_A$-register automaton $A$:
$$\big(\exists w \in L(T) : w \not\models A\big) \;\Leftrightarrow\; \big(\exists w_B \in L(T_B) : w_B \not\models \mathrm{hide}_A(\mathrm{ATB@W})\big).$$
Proof. Both directions follow from the definitions and Observations 5 and 6.
Consider the direction $\Leftarrow$. The word $w_B \in (2^{I \cup O \cup G^T_i \cup O_{k_T} \cup \mathit{Asgn}^T})^\omega$ induces a path $\pi_{tb} \in (S \times 2^{I \cup O \cup G^T_i \cup O_{k_T} \cup \mathit{Asgn}^T})^\omega$ on $T_B$ and a rejected path $\pi_h \in (Q_h \times 2^{I \cup O \cup G^T_i \cup O_{k_T} \cup \mathit{Asgn}^T})^\omega$ on hideA(ATB@W). By Observation 6, $\pi_h$ corresponds to at least one path $\pi_{atw} \in (Q_h \times 2^{I \cup O \cup G^A_i \cup G^T_i \cup G^A_o \cup O_{k_T} \cup \mathit{Asgn}^A \cup \mathit{Asgn}^T})^\omega$ of ATB@W. By Observation 5, $\pi_{atw}$ corresponds to at least one data-path $\pi_{at} \in (Q_{at} \times 2^{I \cup O \cup \mathit{Asgn}^T} \times D^2)^\omega$ of $A \otimes T_{all}$, which is rejected by $A$, because $\pi_h$ is rejected by $A_B$. Thus, we get $w \in (2^{I \cup O} \times D^2)^\omega$ from $\pi_{at}$ by projecting, which completes the direction. Notice that the data-path $\pi_t \in (S \times 2^{I \cup O \cup \mathit{Asgn}^T} \times D^2)^\omega$ of $T$ induced by $w$ corresponds to the Boolean path $\pi_{tb}$ of $T_B$ induced by $w_B$, regardless of the particular choices of $\pi_{atw}$ and $\pi_{at}$.
The other direction is similar.
[Figure 4: a diagram of nested languages $\neg A$, $A$, $T_{all}$, $A \otimes T_{all}$ and hideA(ATB@W), with a transducer $T$ and the points 1 and 2 referred to in the caption.]
Fig. 4: Inclusion between languages. The automaton hideA(ATB@W) is Boolean, but here it is viewed as a register automaton. Also, the alphabet of $A$ is extended with $\mathit{Asgn}^T$ to coincide with that of $A \otimes T_{all}$ and hideA(ATB@W). Figure 5 justifies the existence of point 1, which explains why hideA(ATB@W) can be a strict subset of $A \otimes T_{all}$. The snake line indicates "for every $T$: if it has point 1, then it also has point 2" (by Lemma 1). Thus, if $T \models A$ for some $k_T$-register transducer, then it must be located inside hideA(ATB@W).
The lemma implies a solution to the bounded synthesis problem.
Theorem 1. For every universal co-Büchi register automaton $A$ and $k_T \in \mathbb{N}$:
$$\big(\exists T : T \models A\big) \;\Leftrightarrow\; \big(\exists T_B : T_B \models \mathrm{hide}_A(\mathrm{ATB@W})\big),$$
where $T$ is a $k_T$-register transducer.
The right side of the theorem (the standard Boolean synthesis problem) holds iff it holds for finite-state transducers (e.g., see [15]). Hence we get:
Corollary 2. A given instance of the bounded synthesis problem is realizable $\Leftrightarrow$ it is realizable by a finite-state ($|S| < \infty$) register transducer.
Let us consider the complexity of our approach. The automaton hideA(ATB@W) has $|Q_A| \cdot |\Pi|$ states, where $|Q_A|$ is the number of states in $A$ and $|\Pi|$ is the number of partitions of the set $\{1, \ldots, k\}$ where $k = k_T + k_A$. The latter is a Bell number [16] and is less than $\big(\frac{0.792k}{\ln(k+1)}\big)^k$ [2, Thm 2.1]. Hence the number of states in hideA(ATB@W) is less than $|Q_A| \cdot \big(\frac{0.792k}{\ln(k+1)}\big)^k$, and the complexity of our approach is in $\mathrm{synth}\big(|Q_A| \cdot \big(\frac{0.792k}{\ln(k+1)}\big)^k\big)$, where $\mathrm{synth}(m) = 2^{c \cdot m}$ is the complexity of synthesis from a universal co-Büchi automaton with $m$ states [15, Thm.2] ($c$ is a constant). This is an upper bound; the lower bound is open. Thus we get:
Corollary 3. The bounded synthesis problem can be solved in $2^{c \cdot |Q_A| \cdot \left(\frac{0.792k}{\ln(k+1)}\right)^k}$ time, where $k = k_A + k_T$, $|Q_A|$ and $k_A$ are the number of states and registers in a given universal automaton, and $c$ is a constant.
Finally, Figure 4 depicts the relation between the languages of the utilized automata. It shows that the approach makes use of a determinizable subset of $A \otimes T_{all}$.
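The state-count estimate above, as an added example (not code from the paper): Bell numbers computed with the Bell triangle, the closed-form bound $\big(\frac{0.792k}{\ln(k+1)}\big)^k$ of [2], and the resulting size $|Q_A| \cdot B_k$ of hideA(ATB@W) for given $|Q_A|$, $k_A$, $k_T$; the sizes in the `__main__` block are constructed values.

```python
from math import log

def bell_numbers(n_max):
    """B_0 .. B_n_max via the Bell triangle; B_k is the number of partitions
    of {1, ..., k}, i.e. the |Pi| of the text."""
    bells, row = [1], [1]
    for _ in range(n_max):
        nxt = [row[-1]]              # a row starts with the previous row's last entry
        for v in row:
            nxt.append(nxt[-1] + v)  # each further entry adds the entry above-left
        row = nxt
        bells.append(row[0])         # the first entry of row k is B_k
    return bells

def berend_tassa_bound(k):
    """Closed-form upper bound (0.792 k / ln(k+1))^k on B_k from [2, Thm 2.1], k >= 1."""
    return (0.792 * k / log(k + 1)) ** k

def hide_state_count(q_a, k_a, k_t):
    """Exact number |Q_A| * B_k of states of hide_A(ATB@W) for k = k_A + k_T,
    together with the closed-form bound |Q_A| * (0.792 k / ln(k+1))^k."""
    k = k_a + k_t
    exact = q_a * bell_numbers(k)[k]
    return exact, q_a * berend_tassa_bound(k)

if __name__ == "__main__":
    # Constructed sizes: a 4-state specification with 1 register, transducers with 1..4 registers.
    for k_t in range(1, 5):
        exact, bound = hide_state_count(4, 1, k_t)
        print(f"k_T={k_t}: |Q_A|*B_k = {exact}, bound = {bound:.1f}")
```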
[Figure 5: on the left, the automaton $A$ with a single state $q_0$ and a self-loop labelled $i \neq r^A$, $\neg store^A$; on the right, hideA(ATB@W) with the states $(q_0, \{\{r^A, r^T\}\})$ and $(q_0, \{\{r^A\}, \{r^T\}\})$, whose edges are labelled with $i \neq r^T$, $store^T$ and $\neg store^T$.]
Fig. 5: Universal co-Büchi register automata showing the existence of point 1 in Fig. 4. On the left is the 1-register automaton $A$: it accepts the words where at some moment the signal $i$ equals $d_0$ (with no restrictions on the values of $o$). On the right is hideA(ATB@W) with $k_T = 1$: when viewed as a register automaton, it accepts the words where the first value of $i$ is $d_0$ (plus some restrictions on $o$). Hence, $L(\mathrm{hide}_A(\mathrm{ATB@W})) \subsetneq L(A \otimes T_{all})$. The labels related to $o$ are omitted.
4 Using Temporal Logic in our Synthesis Approach
We proceed to the topic of synthesis of register transducers from a temporal logic. Section 4.1 defines a first-order linear temporal logic with equality, LTL(EQ)¹, and its variants ∃LTL(EQ) and ∀LTL(EQ), known as IPTL in [17] and VLTL in [11]. Then Section 4.2 defines register-guessing automata that can express ∃LTL(EQ) formulas. The sound and complete conversion of ∃LTL(EQ) into register-guessing automata is described in Section 4.3. Then Section 4.4 describes a sound but incomplete conversion of register-guessing automata into register automata, which implies a sound but incomplete conversion of ∃LTL(EQ) into register automata (no complete conversion can exist). The latter automata are consumed by our synthesizer.
Unless explicitly stated otherwise, all automata are non-deterministic Büchi.
4.1 LTL(EQ) (also known as IPTL [17] and VLTL [11])
Let $X$ be a set of data-variables and $P$ be a set of Boolean propositions. An LTL(EQ) (prenex-quantified) formula $\Phi$ is of the form (for every $k \in \mathbb{N}$):
$$\Phi = \forall x_1 \ldots x_k.\, cond.\, \varphi \;\mid\; \exists x_1 \ldots x_k.\, cond.\, \varphi$$
$$cond = true \;\mid\; x \neq x \;\mid\; cond \wedge cond$$
$$\varphi = true \;\mid\; p \;\mid\; i = x \;\mid\; o = x \;\mid\; \neg\varphi \;\mid\; \varphi \wedge \varphi \;\mid\; \varphi\, U\, \varphi \;\mid\; X\varphi$$
where $x_1, \ldots, x_k, x \in X$, $p \in P$, $i$ and $o$ are the two data-propositions, and all the data-variables appearing in $\varphi$ are quantified. As usual, define $G\varphi$ to be $\neg F \neg\varphi$, $F\varphi = true\, U\, \varphi$, $\varphi_1 \vee \varphi_2$ is $\neg(\neg\varphi_1 \wedge \neg\varphi_2)$, $\varphi_1 \to \varphi_2$ is $\neg\varphi_1 \vee \varphi_2$, and $false$ is $\neg true$.
Given $w = w_1 w_2 \ldots \in (2^P \times D^{\{i,o\}})^\omega$, define the satisfaction $w \models \Phi$:
– $w \models \forall x_1 \ldots x_k.\, cond.\, \varphi$ iff for all $d_1, \ldots, d_k \in D$ either $cond[x_1 \leftarrow d_1, \ldots, x_k \leftarrow d_k]$ does not hold or $w \models \varphi[x_1 \leftarrow d_1, \ldots, x_k \leftarrow d_k]$;
– $w \models \exists x_1 \ldots x_k.\, cond.\, \varphi$ iff there exist $d_1, \ldots, d_k \in D$ such that $cond[x_1 \leftarrow d_1, \ldots, x_k \leftarrow d_k]$ holds and $w \models \varphi[x_1 \leftarrow d_1, \ldots, x_k \leftarrow d_k]$;
– let $\phi$ have the same grammar as $\varphi$ except that instead of data-variables it has data-values; then
  – $w \models true$;
  – $w \not\models \phi$ iff $\neg(w \models \phi)$;
  – $w \models \neg\phi$ iff $\neg(w \models \phi)$;
  – $w \models p$ iff $p \in w_1$;
  – $w \models \phi_1 \wedge \phi_2$ iff $w \models \phi_1$ and $w \models \phi_2$;
  – for every $d \in D$, $w \models i = d$ iff in $w_1$ the data-proposition $i$ has the value $d$; similarly for $o$;
  – for $i \in \mathbb{N}$, let $w[i{:}]$ denote $w$'s suffix $w_i w_{i+1} \ldots$; then
    – $w \models X\phi$ iff $w[2{:}] \models \phi$; and
    – $w \models \phi_1\, U\, \phi_2$ iff $\exists i \in \mathbb{N} : \big((w[i{:}] \models \phi_2) \wedge (\forall j < i : w[j{:}] \models \phi_1)\big)$.
¹ The name LTL(EQ) is inspired by the names of logics in SMT-LIB [1].
Let ∃LTL(EQ) denote LTL(EQ) where formulas have existential quantifiers
only, and use ∀LTL(EQ) for universally quantified LTL(EQ) formulas.
4.2 Register Automata with Guessing but Without Storing
In this section we define a variation of register automata that have non-deterministically chosen initial register values which cannot be rewritten afterwards. Such automata are a restricted version of variable automata [10].
A $k$-register-guessing automaton is a tuple $A = \langle P, \mathcal{P}, R, Q, q_0, \delta, F, E\rangle$ (notice: no initial register value $d_0$ and a new element $E$) with a transition function $\delta$ of the form $Q \times 2^P \times \mathbb{B}^k_i \times \mathbb{B}^k_o \to 2^Q$ (notice: no assignment component on the right), where $E \subseteq R \times R$ is an inequality set², while all other components are as for register automata. A path is defined similarly to a path of a register automaton, except that
– an initial configuration $(q_0, \bar d_0) \in \{q_0\} \times D^k$ of the path is arbitrary provided that $\bar d_0$ satisfies the inequality set: $\forall (r_i, r_j) \in E : \bar d_0[i] \neq \bar d_0[j]$; and
– the automaton never stores to the registers.
An accepting word is defined as for register automata.
4.3 Converting ∃LTL(EQ) into Register-Guessing Automata
This section describes the conversion of ∃LTL(EQ) formulas into register-guessing automata with the same language. The fact that such a conversion is possible was noted in [8, Sec.4]; however, the authors did not describe the conversion itself.
Consider an ∃LTL(EQ) formula $\Phi = \exists x_1 \ldots x_k.\, cond.\, \varphi(i, o, x_1, \ldots, x_k)$. We will use the notions of $w_B$ and $\varphi_B$ defined below.
($w_B$) Given a word $w \in (2^P \times D^2)^\omega$ and $x_1, \ldots, x_k \in D$, let $w_B \in (2^P \times \mathbb{B}^k_i \times \mathbb{B}^k_o)^\omega$ be the word derived from $w$ by replacing every value of $i$ and $o$ in $w$ by the vectors of Boolean values $(i = x_1, \ldots, i = x_k)$ and $(o = x_1, \ldots, o = x_k)$.
($\varphi_B$) In $\varphi(i, o, x_1, \ldots, x_k)$, replace every expression $i = x_i$ with a new literal $g_{ir_i}$ and every expression $o = x_i$ with $g_{or_i}$. This introduces $2k$ new Boolean propositions; let $P_B = P \cup \{g_{ir_1}, \ldots, g_{ir_k}\} \cup \{g_{or_1}, \ldots, g_{or_k}\}$. Let $\varphi_B(g_{ir_1}, \ldots, g_{ir_k}, g_{or_1}, \ldots, g_{or_k})$ be the resulting LTL formula over the Boolean propositions $P_B$.
² We can get away without using $E$ (by encoding it into $\delta$), but it proved to be convenient in Section 4.4.
[Figure 6: a 2-register-guessing automaton with states $q_0, \ldots, q_5$; its edge labels are $true$, $i = r_1$, $i = r_2$, $e$, $\neg e$ and $o \neq r_1$.]
Fig. 6: A 2-register-guessing automaton: $P = \{e\}$, $R = \{r_1, r_2\}$, $E = \{(r_1, r_2)\}$. The edges have symbolic labels, e.g., the edge labelled with $i = r_1$ encodes 16 edges, for the different valuations of $e$, $i = r_2$, $o = r_1$, and $o = r_2$.
To convert a formula $\exists x_1 \ldots x_k.\, cond.\, \varphi$ into a $k$-register-guessing automaton $A$, do the following (conversion-1).
– Convert $\varphi_B$ into an NBW automaton $A_B = \langle P_B, Q, q_0, \delta_B, F\rangle$ using standard approaches. Thus, for every $w_B \in (2^{P_B})^\omega$: $w_B \models A_B$ iff $w_B \models \varphi_B$.
– Treat $A_B$ as a $k$-register-guessing automaton $A = \langle P, \mathcal{P}, R, Q, q_0, \delta, F, E\rangle$, where $E$ is derived from $cond$.
For example, the automaton in Figure 6 expresses the formula
$$\neg\forall x_1 \neq x_2.\, G\left[\begin{array}{l} i = x_1 \wedge X\, i = x_2 \to XX\, \neg e \\ i = x_1 \wedge X\, i = x_1 \to XX\,(e \wedge o = x_1) \end{array}\right]$$
that says: compare the data-input $i$ at two consecutive points and then (i) whenever they are equal, raise $e$ and output the data, (ii) otherwise, lower $e$.
Observation 7. For every $w \in (2^P \times D^2)^\omega$: $w \models A \Leftrightarrow w \models \exists x_1 \ldots x_k.\, cond.\, \varphi$.
4.4 Converting ∃LTL(EQ) into Register Automata
In this section, we describe a sound but incomplete conversion of register-guessing automata into standard register automata. Together with conversion-1 from the previous section, this gives a conversion of ∃LTL(EQ) formulas into register automata. Note that no complete conversion of ∃LTL(EQ) formulas into register automata exists: for example, the formula $\exists x.\, G(i \neq x)$ has no equivalent register automaton, although there is an equivalent register-guessing automaton.
In automata, we will use a symbolic definition of $\delta$ instead of the explicit one, hence the transition functions of $k$-register-guessing automata and of $k$-register automata are of the form $Q \times 2^P \times G \to 2^Q$ and $Q \times 2^P \times G \to 2^{Q \times \mathbb{B}^k}$, respectively (previously we had $\mathbb{B}^k_i \times \mathbb{B}^k_o$ instead of $G$), where $g \in G$ has the form $g = true \mid g \wedge g \mid i \sim r \mid o \sim r$, $\sim$ denotes $=$ or $\neq$, and $r \in R$. Using the symbolic definition rather than the explicit one is crucial to making our conversion more applicable.
Given a $k$-register-guessing automaton $A = \langle P, \mathcal{P}, R, Q, q_0, \delta, F, E\rangle$, construct the $k$-register automaton $A' = \langle P, \mathcal{P}, R, d_0, Q', q'_0, \delta', F'\rangle$ (conversion-2):
– $Q' = Q \times \mathbb{B}^k$. The Boolean component encodes, for every $r_i \in R$, whether the register $r_i$ has been assigned a value or not (ignoring the initial values). The initial state is $q'_0 = (q_0, false, \ldots, false)$. We call a register $r_i$ with $b_i = false$ uninitialized.
– $F' = \{(q, b_1, \ldots, b_k) \in Q' \mid q \in F\}$.
– For every state $(q, b_1, \ldots, b_k) \in Q'$ and $A$-transition $q \xrightarrow{(l, g)} q'$ ($l \in 2^P$, $g \in G$):
  • If $g = true$, then add to $\delta'$ the transition $(q, b_1, \ldots, b_k) \xrightarrow{(l, g, false^k)} (q', b_1, \ldots, b_k)$.
  • Otherwise, do the following.
    ∗ Abort point: if there exists $i \in [k]$ such that $b_i = false$ and $g$ contains $i \neq r_i$ or $o \sim r_i$, then abort. Because the register $r_i$ is uninitialized ($b_i = false$), we cannot know the valuation of $i \neq r_i$ or $o \neq r_i$. In contrast, if the guard $g$ contains $i = r_i$, we can assume that it holds and store $i$ into $r_i$ (we cannot do this for $o = r_i$, because the automata do not allow storing $o$).
    ∗ Add to $\delta'$ the transition $(q, b_1, \ldots, b_k) \xrightarrow{(l, g', a)} (q', b'_1, \ldots, b'_k)$ where for every $i \in [k]$:
      · $b'_i = true$ iff $b_i = true$ or $g$ contains $i = r_i$;
      · the action $a$ stores $i$ into $r_i$ iff $g$ contains $i = r_i$ and $b_i = false$;
      · the guard $g'$ contains $i \sim r_i$ iff $g$ contains $i \sim r_i$ and $b_i = true$; similarly for $o \sim r_i$.
    ∗ Finally, we account for the inequality set $E$ and update $g'$ as follows. For every $(r_i, r_j) \in E$: if $b_i = true$ and the action $a$ contains $r_j = i$, then add to $g'$ the expression $i \neq r_i$. (Here we assume that the $A$-transition is not contradictory, namely, it is not the case that $\exists (r_i, r_j) \in E : b_i = false \wedge b_j = false \wedge (i = r_i) \in g \wedge (i = r_j) \in g$. Such transitions cannot be executed in $A$ and can be removed beforehand.)
– Note that the automaton $A'$ never compares $i$ or $o$ with an uninitialized register. Therefore, the component $d_0$ of $A'$ can be anything from $D$.
The automaton $A'$ has $|Q'| = |Q| \cdot 2^k$ states, but the number of reachable states is $|Q| \cdot k$, because every $A'$-transition $(q, b_1, \ldots, b_k) \xrightarrow{(l, g, a)} (q', b'_1, \ldots, b'_k)$ satisfies $(b'_1, \ldots, b'_k) \geq (b_1, \ldots, b_k)$.
An example of the conversion is in Figure 7.
Observation 8. Given a register-guessing automaton $A$: if conversion-2 succeeds and produces a register automaton $A'$, then $L(A) = L(A')$.
Proof. We need to prove that $\forall w \in (2^P \times D^2)^\omega : w \models A \Leftrightarrow w \models A'$.
Consider the direction $\Rightarrow$. The acceptance $w \models A$ means that there exist $R_0 \in D^k$ and an accepting data-path $p$ starting in the configuration $(q_0, R_0)$ and, corresponding to $p$, the accepting Boolean path $p_B$:
$$p = (q_0, R_0) \xrightarrow{(l_0, i_0, o_0)} (q_1, R_0) \xrightarrow{(l_1, i_1, o_1)} \ldots$$
$$p_B = q_0 \xrightarrow{(l_0, g_0)} q_1 \xrightarrow{(l_1, g_1)} \ldots$$
[Figure 7: a 2-register automaton with states $(q_0, false, false)$, $(q_1, true, false)$, $(q_2, true, false)$, $(q_3, true, true)$, $(q_4, true, false)$ and $q_5$; the edge labels combine $i = r_1$, $i \neq r_1$, $e$, $\neg e$ and $o \neq r_1$ with the store actions $store_1$, $store_2$, $\neg store_1$, $\neg store_2$.]
Fig. 7: A 2-register automaton converted from the register-guessing automaton in Figure 6.
(for every $j \in \mathbb{N}_0$: $l_j \in 2^P$, $i_j \in D$, $o_j \in D$, and $g_j \in G$). We build inductively the accepting data-path $p'$ of $A'$ (and, corresponding to $p'$, the Boolean path $p'_B$):
$$p' = ((q_0, B_0), R'_0) \xrightarrow{(l_0, i_0, o_0, a'_0)} ((q_1, B_1), R'_1) \xrightarrow{(l_1, i_1, o_1, a'_1)} \ldots$$
$$p'_B = (q_0, B_0) \xrightarrow{(l_0, g'_0, a'_0)} (q_1, B_1) \xrightarrow{(l_1, g'_1, a'_1)} \ldots$$
($\forall j \in \mathbb{N}_0$: $B_j \in \mathbb{B}^k$, $a'_j \in \mathbb{B}^k$, $R'_j \in D^k$, and $i_j, o_j, l_j$ are as for $p$) as follows.
– The path $p'$ starts with $B_0 = false^k$ and $R'_0 = d_0^k$.
– The construction of $A'$ uniquely defines $a'_j$, $g'_j$, and $B_{j+1}$ from $B_j$ and $g_j$.
– The value of $R'_{j+1}$ is uniquely defined by $R'_j$, $a'_j$, and $i_j$.
– By the construction, every $g'_j$ is less restrictive than or equal to $g_j$, and we never compare $i$ or $o$ with uninitialized registers. Because $(i_j, o_j, R_0) \models g_j$, we have that $(i_j, o_j, R'_j) \models g'_j$ for every $j \in \mathbb{N}_0$. Hence, every transition of $p'$ is indeed a transition of $A'$, and $p'$ is indeed a path of $A'$.
The direction $\Leftarrow$ is similar to the above. The data-path $p$ and, corresponding to $p$, the Boolean path $p_B$ of $A$ are uniquely constructed from a given data-path $p'$ and, corresponding to $p'$, the Boolean path $p'_B$ of $A'$. When proving that $p$ is indeed a path of $A$, we use the property of $A'$ that it never compares $i$ or $o$ with a register whose value was not written before.
Combined together, the conversions give us the following.
Theorem 2. Given an ∃LTL(EQ) formula $\Phi = \exists x_1, \ldots, x_k.\, cond.\, \varphi$: if conversion-1 and conversion-2 succeed and result in a register automaton $A'$, then $L(\Phi) = L(A')$.
5 Conclusion
In this paper we introduced a sound and complete approach to synthesis of register transducers from specifications given as register automata. Although we focused on automata with the co-Büchi acceptance, others (e.g., parity) look doable. The approach works (incompletely) for specifications given as quantified temporal logic formulas, by converting them into register automata. In particular, we investigated the two directions—richer automata and suitable temporal logic—raised by Ehlers et al. [6, Sect.6].
We are working on extending the approach to automata with guards that, in addition to $=$, have the operators $>$ and $+$, and on the open question of decidability of the unbounded-but-finite synthesis problem. It would be interesting to combine our approach with the approach to synthesis of reactive programs [9]. It would also be interesting to do a synthesis case study, possibly for specifications with costs.
Acknowledgements. We thank Orna Kupferman for comments on the early draft and helpful discussions. This work was supported by the Austrian Science Fund (FWF) under the RiSE National Research Network (S11406) and by the Hebrew University.
References
1. Barrett, C., Fontaine, P., Tinelli, C.: The Satisfiability Modulo Theories Library (SMT-LIB) (2016), www.SMT-LIB.org
2. Berend, D., Tassa, T.: Improved bounds on Bell numbers and on moments of sums of random variables. Probability and Mathematical Statistics 30(2), 185–205 (2010)
3. Church, A.: Logic, arithmetic, and automata. In: International Congress of Mathematicians (Stockholm, 1962), pp. 23–35. Institute Mittag-Leffler, Djursholm (1963)
4. Demri, S., D'Souza, D., Gascon, R.: Temporal logics of repeating values. J. Log. and Comput. 22(5), 1059–1096 (Oct 2012), http://dx.doi.org/10.1093/logcom/exr013
5. Demri, S., Lazić, R.: LTL with the freeze quantifier and register automata. ACM Trans. Comput. Logic 10(3), 16:1–16:30 (Apr 2009), http://doi.acm.org/10.1145/1507244.1507246
6. Ehlers, R., Seshia, S.A., Kress-Gazit, H.: Synthesis with identifiers. In: International Conference on Verification, Model Checking, and Abstract Interpretation. pp. 415–433. Springer (2014)
7. Finkbeiner, B., Schewe, S.: Bounded synthesis. STTT 15(5-6), 519–539 (2013)
8. Frenkel, H., Grumberg, O., Sheinvald, S.: An automata-theoretic approach to modeling systems and specifications over infinite data. In: Barrett, C., Davies, M., Kahsai, T. (eds.) NASA Formal Methods. pp. 1–18. Springer (2017)
9. Gerstacker, C., Klein, F., Finkbeiner, B.: Bounded Synthesis of Reactive Programs. ArXiv e-prints (Jul 2018), to appear at ATVA'18
10. Grumberg, O., Kupferman, O., Sheinvald, S.: Variable automata over infinite alphabets. In: International Conference on Language and Automata Theory and Applications. pp. 561–572. Springer (2010)
11. Grumberg, O., Kupferman, O., Sheinvald, S.: Model checking systems and specifications with parameterized atomic propositions. In: International Symposium on Automated Technology for Verification and Analysis. pp. 122–136. Springer (2012)
12. Kaminski, M., Francez, N.: Finite-memory automata. Theoretical Computer Science 134(2), 329–363 (1994), http://www.sciencedirect.com/science/article/pii/0304397594902429
13. Kupferman, O., Vardi, M.: Synthesis with incomplete information. In: 2nd International Conference on Temporal Logic. pp. 91–106. Manchester (July 1997)
14. Lazić, R., Nowak, D.: A unifying approach to data-independence. In: Palamidessi, C. (ed.) CONCUR 2000 — Concurrency Theory. pp. 581–596. Springer Berlin Heidelberg, Berlin, Heidelberg (2000)
15. Pnueli, A., Rosner, R.: On the synthesis of a reactive module. In: Conference Record of the Sixteenth Annual ACM Symposium on Principles of Programming Languages, Austin, Texas, USA, January 11-13, 1989. pp. 179–190. ACM Press (1989), http://doi.acm.org/10.1145/75277.75293
16. Wikipedia contributors: Bell number — Wikipedia, the free encyclopedia. https://en.wikipedia.org/w/index.php?title=Bell_number&oldid=832584649 (2018), [Online; accessed 8-August-2018]
17. Wolper, P.: Expressing interesting properties of programs in propositional temporal logic. In: Proceedings of the 13th POPL. pp. 184–193. ACM, New York, NY, USA (1986), http://doi.acm.org/10.1145/512644.512661
A Change History
– Aug 19, 2018: fixed typos in Section 3.2 (it incorrectly used ATB@Vk instead of
AB@Vk).
– Aug 14, 2018: fixed a small bug in Section 3.4.
– Aug 9, 2018: rewriting into using universal instead of non-deterministic automata.
Added complexity result.
– Aug 2, 2018: the extended version of the final version submitted to ATVA.