Abstract. We introduce a new approach for the synthesis of Mealy machines from specifications in linear-time temporal logic (LTL), where the number of cycles in the state graph of the implementation is limited by a given bound. Bounding the number of cycles leads to implementations that are structurally simpler and easier to understand. We solve the synthesis problem via an extension of SAT-based bounded synthesis, where we additionally construct a witness structure that limits the number of cycles. We also establish a triple-exponential upper and lower bound for the potential blow-up between the length of the LTL formula and the number of cycles in the state graph.
Introduction
There has been a lot of recent progress in the automatic synthesis of reactive systems from specifications in temporal logic [4, 6, 7, 8, 11]. From a theoretical point of view, the appeal of synthesis is obvious: the synthesized implementation is guaranteed to satisfy the specification. No separate verification is needed.
From a practical point of view, the value proposition is not so clear. Instead of writing programs, the user of a synthesis procedure now writes specifications. But many people find it much easier to understand the precise meaning of a program than to understand the precise meaning of a temporal formula. Is it really justified to place higher trust into a program that was synthesized automatically, albeit from a possibly ill-understood specification, than in a manually written, but well-understood program? A straightforward solution would be for the programmer to inspect the synthesized program and confirm that the implementation is indeed as intended. However, current synthesis tools fail miserably at producing readable code.
Most research on the synthesis problem has focused on the problem of finding some implementation, not necessarily a high-quality implementation. Since specification languages like LTL restrict the behavior of a system, but not its structure, it is no surprise that the synthesized implementations are often much larger and much more complex than a manual implementation. There has been some progress on improving other quality measures, such as the runtime performance [4], but very little has been done to optimize the structural quality of the synthesized implementations (cf. [13]). Can we develop synthesis algorithms that produce implementations that are small, structurally simple, and therefore easy to understand? A first step in this direction is Bounded Synthesis [8]. Here, we bound the number of states of the implementation and can therefore, by incrementally increasing the bound, ensure that the synthesized solution has minimal size.
In this paper, we go one step further by synthesizing implementations where, additionally, the number of (simple) cycles in the state graph is limited by a given bound. Reducing the number of cycles makes an implementation much easier to understand. Compare the three implementations of the TBURST4 component of the AMBA bus controller shown in Figure 1: standard synthesis with Acacia+ produces the state graph on the left with 14 states and 61 cycles. Bounded Synthesis produces the middle one with 7 states and 19 cycles. The graph on the right, produced by our tool, has 7 states and 7 cycles, which is the minimum.
An interesting aspect of the number of cycles as a parameter of the implementations is that the number of cycles that is potentially needed to satisfy an LTL specification explodes in the size of the specification: we show that there is a triple exponential lower and upper bound on the number of cycles that can be enforced by an LTL specification. The impact of the size of the specification on the number of cycles is thus even more dramatic than on the number of states, where the blow-up is double exponential.
Our synthesis algorithm is inspired by Tiernan's cycle counting algorithm from 1970 [16]. Tiernan's algorithm is based on exhaustive search. From some arbitrary vertex v, the graph is unfolded into a tree such that no vertices repeat on any branch. The number of vertices in the tree that are connected to v then corresponds to the number of cycles through v in the graph. Subsequently, v is removed from the graph, and the algorithm continues with one of the remaining vertices until the graph becomes empty. We integrate Tiernan's algorithm into the Bounded Synthesis approach. Bounded Synthesis uses a SAT-solver to simultaneously construct an implementation and a witness for the correctness of the implementation [8]. For the standard synthesis from an LTL specification ϕ, the witness is a finite graph which describes an accepting run of the universal tree automaton corresponding to ϕ. To extend the idea to Bounded Cycle Synthesis, we define a second witness that proves the number of cycles, as computed by Tiernan's algorithm, to be equal to or less than the given bound. An example state graph with three cycles is shown on the left in Figure 2. The witness consists of the three graphs shown on the right in Figure 2. The first graph proves that vertex 1 is on two cycles (via vertex 2 and vertices 2 and 3). The second graph proves that vertex 2 is on a further cycle, not containing vertex 1, namely via vertex 3. There are no further cycles through vertex 3. Our experiments show that Bounded Cycle Synthesis is comparable in performance to standard Bounded Synthesis. The specifications that can be handled by Bounded Cycle Synthesis are smaller than what can be handled by tools like Acacia+, but the quality of the synthesized implementations is much better.
Bounded Cycle Synthesis could be used in a development process where the programmer decomposes the system into modules that are small enough so that the implementation can still be inspected comfortably by the programmer (and synthesized reasonably fast by using the Bounded Cycle Synthesis approach). Instead of manually writing the code for such a module, the programmer has the option of writing a specification, which is then automatically replaced by the best possible implementation.
Preliminaries
The non-negative integers are denoted by $\mathbb{N}$. An alphabet $\Sigma$ is a non-empty finite set, and $\Sigma^\omega$ denotes the set of infinite words over $\Sigma$. If $\alpha \in \Sigma^\omega$, then $\alpha_n$ denotes the $n$-th letter of $\alpha$, starting at $\alpha_0$. For the rest of the paper we assume $\Sigma = 2^{I \cup O}$, where the signals are partitioned into input signals $I$ and output signals $O$.
A Mealy machine $M$ is a tuple $(I, O, T, t_I, \delta, \lambda)$ over input signals $I$ and output signals $O$, where $T$ is a finite set of states, $t_I \in T$ is the initial state, $\delta\colon T \times 2^I \to T$ is the transition function, and $\lambda\colon T \times 2^I \to 2^O$ is the output function. Thereby, the output only depends on the current state and the last input letter. The size of $M$, denoted by $|M|$, is defined as $|T|$. A path $p$ of a Mealy machine $M$ is an infinite sequence $p = (t_0, \sigma_0)(t_1, \sigma_1)(t_2, \sigma_2)\ldots \in (T \times \Sigma)^\omega$ such that $t_0 = t_I$, $\delta(t_n, I \cap \sigma_n) = t_{n+1}$ and $\lambda(t_n, I \cap \sigma_n) = O \cap \sigma_n$ for all $n \in \mathbb{N}$. We use $\pi_1(p) = \sigma_0 \sigma_1 \sigma_2 \ldots \in \Sigma^\omega$ to denote the projection of $p$ to its second component. $P(M)$ denotes the set of all paths of a Mealy machine $M$.
Specifications are given in Linear-time Temporal Logic (LTL). The atomic propositions of the logic consist of the signals $I \cup O$, resulting in the alphabet $\Sigma = 2^{I \cup O}$. The syntax of an LTL specification $\varphi$ is defined as follows:
The size of a specification ϕ is denoted by |ϕ| and is defined to be the number of sub-formulas of ϕ. The semantics of LTL are defined over infinite words α ∈ Σ ω . We define the satisfaction of a word α at a position n ∈ N and a specification ϕ, denoted by α, n ϕ, for the different choices of ϕ, respectively, as follows:
An infinite word α satisfies ϕ, denoted by α ϕ, iff α, 0 ϕ. The language L(ϕ) is the set of all words that satisfy ϕ, i.e., L(ϕ) = {α ∈ Σ^ω | α ϕ}. Besides the standard operators, we use the standard derived Boolean operators, as well as ϕ ≡ true U ϕ and ϕ ≡ ¬ ¬ϕ. A Mealy machine M is an implementation of ϕ iff π_1(P(M)) ⊆ L(ϕ).
Let $G = (V, E)$ be a directed graph. A (simple) cycle $c$ of $G$ is a tuple $(C, \eta)$, consisting of a non-empty set $C \subseteq V$ and a bijection $\eta\colon C \to C$ such that
where $\eta^n$ denotes the $n$-fold application of $\eta$. In other words, a cycle of $G$ is a path through $G$ that starts and ends at the same vertex and visits every vertex of $V$ at most once. We say that a cycle $c = (C, \eta)$ has length $n$ iff $|C| = n$.
We extend the notion of a cycle of a graph $G$ to Mealy machines $M = (I, O, T, t_I, \delta, \lambda)$: $c$ is a cycle of $M$ iff $c$ is a cycle of the graph $(T, E)$ with $E = \{(t, t') \mid \exists \nu \in 2^I.\ \delta(t, \nu) = t'\}$. Thus, we ignore the input labels of the edges of $M$. The set of all cycles of a Mealy machine $M$ is denoted by $\mathcal{C}(M)$.
A universal co-Büchi automaton $A$ is a tuple $(\Sigma, Q, q_I, \Delta, R)$, where $\Sigma$ is the alphabet, $Q$ is a finite set of states, $q_I \in Q$ is the initial state, $\Delta \subseteq Q \times \Sigma \times Q$ is the transition relation and $R \subseteq Q$ is the set of rejecting states. A run $r = (q_0, \sigma_0)(q_1, \sigma_1)(q_2, \sigma_2)\ldots \in (Q \times \Sigma)^\omega$ of $A$ is an infinite sequence such that $q_0 = q_I$ and $(q_n, \sigma_n, q_{n+1}) \in \Delta$ for all $n \in \mathbb{N}$. A run $r$ is accepting if it has a suffix $q_n q_{n+1} q_{n+2} \ldots \in (Q \setminus R)^\omega$ for some $n \in \mathbb{N}$. An infinite word $\alpha \in \Sigma^\omega$ is accepted by $A$ if all corresponding runs, i.e., all runs $r = (q_0, \sigma_0)(q_1, \sigma_1)(q_2, \sigma_2)\ldots$ with $\alpha = \sigma_0 \sigma_1 \sigma_2 \ldots$, are accepting. The language $L(A)$ of $A$ is the set of all $\alpha \in \Sigma^\omega$ accepted by $A$.
The run graph $G$ of a universal co-Büchi automaton $A = (2^{I \cup O}, Q, q_I, \Delta, R)$ and a Mealy machine $M = (I, O, T, t_I, \delta, \lambda)$ is a directed graph $G = (T \times Q, E)$,
A run graph is accepting iff no cycle of $G$ contains a rejecting vertex. If the run graph is accepting, we say that $M$ is accepted by $A$.
Bounds on the number of cycles
Our goal is to synthesize systems that have a simple structure. System quality most certainly has other dimensions as well, but structural simplicity is a property of interest for most applications.
The purpose of this section is to give theoretical arguments why the number of cycles is a good measure: we show that the number of cycles may explode even in cases where the number of states is small, and even if the specification enforces a large implementation, there may be a further explosion in the number of cycles. This indicates that bounding the number of cycles is important, if one wishes to have a structurally simple implementation. On the other hand, we observe that bounding the number of states alone is not sufficient in order to obtain a simple structure.
Similar observations apply to modern programming languages, which tend to be much more readable than transition systems, because their control constructs enforce a simple cycle structure. Standard synthesis techniques construct transition systems, not programs, and therefore lose this advantage. With our approach, we get closer to the control structure of a program, without being restricted to a specific programming language.
Upper bounds
First, we show that the number of cycles of a Mealy machine $M$ implementing an LTL specification $\varphi$ is bounded triply exponentially in the size of $\varphi$. To this end, we first bound the number of cycles of an arbitrary graph $G$ with bounded outdegree.
On graphs with arbitrary outdegree, the maximal number of cycles is attained by a fully connected graph, where each cycle describes a permutation of states, and vice versa. Hence, a standard estimate yields an upper bound of $2^{n \log n}$ cycles for a graph with $n$ states. However, our proof uses a more involved argument to improve the bound further, down to $2^{n \log(m+1)}$ for graphs with bounded outdegree $m$. Such an improvement is desirable, as for LTL the state graph explodes in the number of states, while the outdegree is constant in the number of input and output signals.

Lemma 1. Let $G = (V, E)$ be a directed graph with $|V| = n$ and maximal outdegree $m$. Then $G$ has at most $2^{n \log(m+1)}$ cycles.
Proof. We show the result by induction over n. The base case is trivial, so let n > 1 and let v ∈ V be some arbitrary vertex of G. By induction hypothesis, the subgraph G ′ , obtained from G by removing v, has at most 2
cycles. Each of these cycles is also a cycle in G, thus it remains to consider the cycles of G containing v. In each of these remaining cycles, v has one of m possible successors in G ′ and from each such successor v ′ we have again
Hence, if we redirect these cycles to v instead of v ′ , i.e., we insert v before v ′ in the cycle, then we cover all possible cycles of G containing v 1 . All together, we obtain an upper bound of
We obtain an upper bound on the number of cycles of a Mealy machine M.
Proof. The Mealy machine $M$ has an outdegree of $2^{|I|}$ and, thus, by Lemma 1, the number of cycles is bounded by 2
Finally, we are able to derive an upper bound on the implementations realizing an LTL specification $\varphi$.
Theorem 1. Let $\varphi$ be a realizable LTL specification. Then there is a Mealy machine $M$ realizing $\varphi$ with at most triply exponentially many cycles in $|\varphi|$.
Proof. From [14, 15, 8] we obtain a doubly exponential upper bound in $|\varphi|$ on the size of $M$. With that, applying Lemma 2 yields the desired result. $\square$
Lower bounds
It remains to prove that the bound of Theorem 1 is tight. To this end, we show that for each $n \in \mathbb{N}$ there is a realizable LTL specification $\varphi$ with $|\varphi| \in \Theta(n)$, such that every implementation of $\varphi$ has at least triply exponentially many cycles in $n$. The presented proof is inspired by [1], where a similar argument is used to prove a lower bound on the length of the longest path through a synthesized implementation $M$. We start with a gadget, which we use to increase the number of cycles exponentially in the length of the longest cycle of $M$.
Lemma 3. Let $\varphi$ be a realizable LTL specification for which every implementation $M$ has a cycle of length $n$. Then there is a realizable specification $\psi$ such that every Mealy machine $M'$ implementing $\psi$ contains at least $2^n$ cycles.
Proof. Let $a$ and $b$ be a fresh input and a fresh output signal, respectively, which do not appear in $\varphi$, and let $M = (I, O, T, t_I, \delta, \lambda)$ be an arbitrary implementation of $\varphi$. We define $\psi ::= \varphi \wedge (a \leftrightarrow b)$ and construct the implementation $M'$ as
where $\lambda'((t, s), \nu) = \lambda(t, I \cap \nu) \cup s$ and
We obtain that $M'$ is an implementation of $\psi$: the implementation remembers each input $a$ for one time step and then outputs the stored value, so it satisfies $(a \leftrightarrow b)$, and $M'$ still satisfies $\varphi$. Hence, $\psi$ must be realizable, too. Next, we pick an arbitrary implementation $M''$ of $\psi$, which must exist according to our previous observations. Then, after projecting away the fresh signals $a$ and $b$ from $M''$, we again obtain an implementation of $\varphi$, which contains a cycle $(C, \eta)$ of length $n$, i.e., $C = \{t_1, t_2, \ldots, t_n\}$. We obtain that $M''$ contains at least the cycles
which concludes the proof, since $|C| = 2^n$. $\square$

Now, with Lemma 3 at hand, we are ready to show that the aforementioned lower bounds are tight. The final specification only needs the temporal operators , and , i.e., the bound already holds for a restricted fragment of LTL.
Theorem 2. For every $n > 1$, there is a realizable specification $\varphi_n$ with $|\varphi_n| \in \Theta(n)$, for which every implementation $M_n$ has at least triply exponentially many cycles in $n$.
Proof. According to Lemma 3, it suffices to find a realizable $\varphi_n$ such that every implementation of $\varphi_n$ contains at least one cycle of length doubly exponential in $n$. We choose
The specification describes a monitor that checks whether the invariant $\varphi^{\mathit{prem}}_n \to \varphi^{\mathit{con}}_n$ over the input signals $I$ is satisfied or not. Thereby, satisfaction is signaled by the output $s$, which needs to be triggered infinitely often as long as the invariant stays satisfied.
In the following, we denote a subset $x \subseteq I_x$ by the $n$-ary vector $\mathbf{x}$ over $\{0, 1\}$, where the $i$-th entry of $\mathbf{x}$ is set to 1 if and only if $x_i \in x$.
The specification $\varphi_n$ is realizable. First, consider that to check the fulfillment of $\varphi^{\mathit{prem}}_n$ ($\varphi^{\mathit{con}}_n$), an implementation $M$ needs to store the set of all requests $\mathbf{a}$ ($\mathbf{c}$) whose 1-positions have not yet been released by a corresponding response $\mathbf{b}$ ($\mathbf{d}$). Furthermore, to monitor the complete invariant $\varphi^{\mathit{prem}}_n \to \varphi^{\mathit{con}}_n$, $M$ has to guess at each point in time whether $\varphi^{\mathit{prem}}_n$ will be satisfied in the future (under the current request $\mathbf{a}$) or not. To realize this guess, $M$ needs to store a mapping $f$, which maps each open request $\mathbf{a}$ to the corresponding set of requests $\mathbf{c}$². This way, $M$ can look up the set of requests $\mathbf{c}$ tracked since the last occurrence of $\mathbf{a}$ whenever $\mathbf{a}$ gets released by a corresponding vector $\mathbf{b}$. If this is the case, it continues to monitor the satisfaction of $\varphi^{\mathit{con}}_n$ (if not already satisfied) and finally adjusts the output signal $s$ correspondingly. Note that $M$ still has to continuously update and store the mapping $f$, since the next satisfaction of $\varphi^{\mathit{prem}}_n$ may already start while the satisfaction of the current $\varphi^{\mathit{con}}_n$ is still being checked. There are doubly exponentially many such mappings $f$; hence, $M$ needs to be at least doubly exponential in $n$.
It remains to show that every such implementation $M$ contains a cycle of at least doubly exponential length. By the aforementioned observations, we can assign to each state of $M$ a mapping $f$ that maps vectors $\mathbf{a}$ to sets of vectors $\mathbf{c}$. By interpreting the vectors as numbers, encoded in binary, we obtain that
n } . Next, we again map each such mapping f to a binary sequence
m with $m = 2^n$. Thereby, a bit $b_i$ of $b_f$ is set to 1 if and only if $i \in f(i)$. It is easy to observe that if two binary sequences are different, then their related states have to be different as well.
To conclude the proof, we show that the environment has a strategy to manipulate the bits of the associated sequences $b_f$ via the inputs $I$. With these two operations, the environment can enforce any sequence of sequences $b_f$, including a binary counter counting up to $2^{2^n}$. As different sequences induce different states, we obtain a cycle of doubly exponential length in $n$ by resetting the counter at every overflow.
$\square$

² Our representation is open for many optimizations. However, they do not affect the overall complexity result, so we ignore them here for the sake of readability.
The trade-off between states and cycles
We conclude this section with some observations regarding the trade-off between synthesizing implementations that are minimal in the number of states and synthesizing implementations that are minimal in the number of cycles. The main question we answer is whether we can achieve both: minimality in the number of states and minimality in the number of cycles. Unfortunately, this is not possible, as shown by Theorem 3.
Theorem 3. For every $n > 1$, there is a realizable LTL specification $\varphi_n$ with $|\varphi_n| \in \Theta(n)$, such that
- there is an implementation of $\varphi_n$ consisting of $n$ states and
- there is an implementation of $\varphi_n$ containing $m$ cycles,
- but there is no implementation of $\varphi_n$ with $n$ states and $m$ cycles.
Proof. Consider the specification
over $I = \{a\}$ and $O = \{b, c\}$, where i denotes i times the application of . The specification $\varphi_n$ is realizable with at least $n = 2k + 1$ states. The corresponding Mealy machine $M_n$ is depicted in Figure 3. However, $M_n$ has $m = 2^k$ many cycles. This blowup can be avoided by granting the implementation at least one more state, which reduces the number of cycles to $m = 1$. The resulting machine $M'_n$ is also depicted in Figure 3.
$\square$
Our results show that the number of cycles can explode (even more so than the number of states), and that sometimes this explosion is unavoidable. However, the results also show that there are cases where the cycle count can be improved by choosing a better structured solution. Hence, it is desirable to have better control over the number of cycles that appear in an implementation. In the remainder of the paper, we show how to achieve this control.
In this section, we show how to synthesize an implementation $M$ from a given LTL specification $\varphi$ while guaranteeing bounds on the size and on the number of cycles of $M$. We first show how to guarantee a bound on the number of states of $M$ by reviewing the classical Bounded Synthesis approach. Our encoding uses Mealy machines as implementations and Boolean Satisfiability (SAT) as the underlying constraint system. We then review the classical algorithm to count the cycles of $M$ and show how this algorithm is embedded into a constraint system, such that we obtain a guarantee on the number of cycles of $M$.
Bounded Synthesis
In the Bounded Synthesis approach [8], we first translate a given LTL specification $\varphi$ into an equivalent universal co-Büchi automaton $A$, such that $L(A) = L(\varphi)$. Thus, we reduce the problem to finding an implementation $M$ that is accepted by $A$, i.e., we look for an implementation $M$ such that the run graph of $M$ and $A$ contains no cycle with a rejecting vertex. This property is witnessed by a ranking function, which annotates each vertex of $G$ with a natural number that bounds the number of possible visits to rejecting states. The annotation itself is bounded by $n \cdot k$, where $n$ is the size bound on $M$ and $k$ denotes the number of rejecting states of $A$.
Fix some set of states $T$ with $|T| = n$ and let $A = (2^{I \cup O}, Q, q_I, \Delta, R)$. Then, to guess a solution within SAT, we introduce the following variables:
- $\mathit{trans}(t, \nu, t')$ for all $t, t' \in T$ and $\nu \in 2^I$, for the transition relation of $M$.
- $\mathit{label}(t, \nu, x)$ for all $t \in T$, $\nu \in 2^I$ and $x \in O$, for the labels of each transition.
- $\mathit{rgstate}(t, q)$ for all $t \in T$ and $q \in Q$, to denote the reachable states of the run graph $G$ of $M$ and $A$. Only reachable states have to be annotated.
- $\mathit{annotation}(t, q, i)$ for all $t \in T$, $q \in Q$ and $0 < i \le \log(n \cdot k)$, denoting the annotation of a state $(t, q)$ of $G$. Thereby, we use a logarithmic number of bits to encode the annotated value in binary. We use $\mathit{annotation}(t, q) \bullet m$ for $\bullet \in \{<, \le, =, \ge, >\}$ to denote an appropriate encoding of the relation of the annotation to some value $m$ or to other annotations $\mathit{annotation}(t', q')$.
Given a universal co-Büchi automaton $A$ and a bound $n$ on the states of the resulting implementation, we encode the Bounded Synthesis problem via the SAT formula $F_{BS}(A, n)$, consisting of the following constraints:
-The target of every transition is unambiguous:
where $\mathit{exactlyOne}\colon X \to \mathbb{B}(X)$ returns a SAT query which ensures that among all variables of the set $X$ exactly one is true and all others are false.
- The initial state $(t_I, q_I)$ of the run graph, for some arbitrary but fixed $t_I \in T$, is reachable and annotated by one. Furthermore, all annotations are bounded by $n \cdot k$:
-Each annotation of a vertex of the run graph bounds the number of visited accepting states, not counting the current vertex itself:
t∈T, q∈Q
where $\prec_q$ equals $<$ if $q \in R$ and equals $\le$ otherwise. Furthermore, we use the function $\mathit{label}(t, \sigma)$ to fix the labeling of each transition, i.e., $\mathit{label}(t, \sigma) = \bigwedge_{x \in O \cap \sigma} \mathit{label}(t, I \cap \sigma, x) \wedge \bigwedge_{x \in O \setminus \sigma} \neg\mathit{label}(t, I \cap \sigma, x)$.
Theorem 4 (Bounded Synthesis [8]). For each bound $n \in \mathbb{N}$ and each universal co-Büchi automaton $A$, the SAT formula $F_{BS}(A, n)$ is satisfiable if and only if there is a Mealy machine $M$ with $|M| = n$ that is accepted by $A$.
Counting Cycles
Before we bound the number of cycles of a Mealy machine $M$, we review Tiernan's classical algorithm [16] to count the number of cycles of a directed graph $G$. The algorithm not only gives insights into the complexity of the problem, but also contains many inspirations for our later approach.

Algorithm 1. Given a directed graph $G = (V, E)$, we count the cycles of $G$ using the following algorithm:
(1) Initialize the cycle counter $c$ to $c := 0$ and some set $P$ to $P := \emptyset$.
(2) Pick some arbitrary vertex $v_r$ of $G$, set $v := v_r$ and $P := \{v_r\}$.
(3a) If $v' = v_r$, increase $c$ by one.
(3b) Otherwise, add $v'$ to $P$ and recursively execute (3). Afterwards, reset $P$ to its value before the recursive call.

The algorithm starts by counting all cycles that contain the first picked vertex $v_r$. This is done by unfolding the graph into a tree, rooted in $v_r$, such that no vertex repeats on any path from the root to a leaf. The number of vertices that are connected to the root by an edge of $E$ then equals the number of cycles through $v_r$. The remaining cycles of $G$ do not contain $v_r$ and, thus, are also cycles of the sub-graph $G'$ without $v_r$. Hence, we count the remaining cycles by recursively counting the cycles of $G'$. The algorithm terminates as soon as $G'$ becomes empty. The algorithm is correct [16], but has the drawback that the unfolded trees may become exponential in the size of the graph, even if none of their vertices is connected to the root, i.e., even if there is no cycle to be counted. For an example, consider the induced graph of $M'_n$, as depicted in Figure 3. However, this drawback can be avoided by first reducing the graph to its strongly connected components (SCCs) and then counting the cycles of each SCC separately [17, 12]: a cycle never leaves an SCC of the graph.
As a result, we obtain an improved algorithm, which is exponential in the size of $G$, but linear in the number of cycles $m$. Furthermore, the time between two detections of a cycle during the execution is bounded linearly in the size of the graph $G$.
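Algorithm 1 with the SCC restriction, as an added example in Python (constructed here; it is neither the paper's tool nor its SAT encoding): it abstracts a Mealy machine to the unlabeled graph $(T, E)$ of the Preliminaries, unfolds the SCC of each root into the tree in which no vertex repeats on a branch, counts the edges back to the root as cycles, and checks the count against the Lemma 1 bound $2^{n \log(m+1)} = (m+1)^n$. The graph `FIGURE2_GRAPH` is reconstructed from the text's description of Figure 2; the two-state toggle machine is an assumption of this example.

```python
"""Tiernan-style cycle counting restricted to SCCs (added example, not the paper's code)."""
from collections import defaultdict
from typing import Any, Callable, Dict, Iterable, Set, Tuple

Graph = Dict[Any, Set[Any]]


def mealy_to_graph(states: Iterable, inputs: Iterable,
                   delta: Callable[[Any, Any], Any]) -> Graph:
    """Abstract a Mealy machine to (T, E) with E = {(t, t') | exists nu. delta(t, nu) = t'},
    i.e. input labels are dropped, exactly as the paper's cycle notion does."""
    inputs = list(inputs)
    return {t: {delta(t, nu) for nu in inputs} for t in states}


def scc_of_root(g: Graph, root, allowed: Set) -> Set:
    """Vertices of `allowed` in the same SCC as `root` within the sub-graph induced
    by `allowed`: reachable from the root and able to reach the root again."""
    def reach(adj) -> Set:
        seen, stack = {root}, [root]
        while stack:
            u = stack.pop()
            for w in adj.get(u, ()):
                if w in allowed and w not in seen:
                    seen.add(w)
                    stack.append(w)
        return seen

    rev = defaultdict(set)          # reversed edges, for backward reachability
    for u in g:
        for w in g[u]:
            rev[w].add(u)
    return reach(g) & reach(rev)


def cycles_through_root(g: Graph, root, allowed: Set) -> int:
    """Step (3) of Algorithm 1: unfold the SCC of `root` into a tree with no vertex
    repeated on a root-to-leaf path. Each edge back to the root is one cycle (a red
    edge in the witness-tree terminology); edges to fresh vertices are blue edges."""
    scc = scc_of_root(g, root, allowed)
    red_edges = 0

    def unfold(v, on_path: Set) -> None:
        nonlocal red_edges
        for w in g[v]:
            if w == root:
                red_edges += 1      # red edge: one cycle through the root
            elif w in scc and w not in on_path:
                on_path.add(w)      # blue edge: extend the branch (P := P + {w})
                unfold(w, on_path)
                on_path.remove(w)   # reset P after the recursive call

    unfold(root, {root})
    return red_edges


def count_cycles(g: Graph) -> Tuple[int, Dict]:
    """Whole algorithm: roots are taken in a fixed order; after the cycles through a
    root are counted it is removed, so later roots only see larger vertices."""
    order = sorted(g)
    per_root = {}
    for i, r in enumerate(order):
        per_root[r] = cycles_through_root(g, r, set(order[i:]))
    return sum(per_root.values()), per_root


def lemma1_bound(g: Graph) -> int:
    """Lemma 1 bound 2^(n log(m+1)) = (m+1)^n for n vertices and maximal outdegree m."""
    n = len(g)
    m = max(len(succ) for succ in g.values())
    return (m + 1) ** n


# Constructed state graph following the text's description of Figure 2: vertex 1
# lies on two cycles (via 2, and via 2 and 3), vertex 2 on one further cycle via 3,
# and no further cycle runs through vertex 3.
FIGURE2_GRAPH: Graph = {1: {2}, 2: {1, 3}, 3: {1, 2}}


def complete_graph(n: int) -> Graph:
    """Fully connected graph without self-loops, the worst case discussed for Lemma 1."""
    return {v: {w for w in range(n) if w != v} for v in range(n)}


def toggle_machine_graph() -> Graph:
    """Constructed two-state Mealy machine over I = {a}: input a toggles the state."""
    inputs = [frozenset(), frozenset({"a"})]
    return mealy_to_graph([0, 1], inputs, lambda t, nu: 1 - t if "a" in nu else t)


if __name__ == "__main__":
    for name, graph in [("Figure 2", FIGURE2_GRAPH), ("K4", complete_graph(4)),
                        ("toggle", toggle_machine_graph())]:
        total, per_root = count_cycles(graph)
        print(f"{name}: {total} cycles {per_root}, Lemma 1 bound {lemma1_bound(graph)}")
```

For the complete graph on 4 vertices the count is 20 against a Lemma 1 bound of 256, which illustrates how loose the bound is on small instances.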
Bounded Cycle Synthesis
We combine the insights of the previous sections to obtain a synthesis algorithm, which not only bounds the number of states of the resulting implementation M but also bounds the number of cycles of M. We use the unfolded trees from the previous section as our witnesses.
We call a tree that witnesses $m$ cycles in $G$, all containing the root $r$ of the tree, a witness-tree $T_{r,m}$ of $G$. Formally, a witness-tree $T_{r,m}$ of $G = (V, E)$ is a labeled graph $T_{r,m} = ((W, B \cup R), \tau)$, consisting of a graph $(W, B \cup R)$ with $m = |R|$ and a labeling function $\tau\colon W \to V$, such that:
1. The edges are partitioned into blue edges $B$ and red edges $R$.
2. All red edges lead back to the root: $R \subseteq W \times \{r\}$.
3. No blue edges lead back to the root:
4. Each non-root has at least one blue incoming edge:
5. Each vertex has at most one blue incoming edge:
6. The graph is labeled by an unfolding of $G$:
7. The unfolding is complete:
8. Let $w_i, w_j \in W$ be two different vertices that appear on a path from the root to a leaf in the $r$-rooted tree $(W, B)$³. Then the labeling of $w_i$ and $w_j$ differs, i.e., $\tau(w_i) \neq \tau(w_j)$.
9. The root of the tree is the same as the corresponding vertex of $G$, i.e., $\tau(r) = r$.

Proof. Let $T_{r,m} = ((W, R \cup B), \tau)$. Assume for the sake of contradiction that $G$ has more than $m$ cycles and let $c = (C, \eta)$ be an arbitrary such cycle. By the completeness of $T_{r,m}$, there is a path $w_0 w_1 \ldots w_{|C|-1}$ with $w_0 = r$ and $\tau(w_i) = \eta^i(r)$ for all $0 \le i < |C|$. From $w_i \neq r$ and Condition 2, it follows that $(w_{i-1}, w_i) \in B$ for all $0 < i < |C|$. Further, $\eta^{|C|}(r) = r$ and thus $(w_{|C|-1}, w_0) \in R$. Hence, by the tree shape of $(W, B)$, we get $|R| > m$, yielding the desired contradiction. $\square$

From Lemmas 4 and 5 we derive that $T_{r,m}$ is a suitable witness to bound the number of cycles of an implementation $M$. Furthermore, from Lemma 4 we also obtain an upper bound on the size of $T_{r,m}$.
We proceed with our final encoding. Therefore, we first construct a simple directed graph G out of the implementation M. Then, we guess all the sub-graphs, obtained from G via iteratively removing vertices, and split them into their corresponding SCCs. Finally, we guess the witness-tree for each such SCC.
To keep the final SAT encoding compact, we introduce some further optimizations. First, we do not need to introduce a fresh copy for each SCC, since the SCC of a vertex is always unique. Thus, it suffices to guess an annotation for each vertex that is unique for each SCC. Second, we have to guess $n$ trees $T_{i,r_i}$, each consisting of at most $r_i \cdot n$ vertices, such that the sum of all $r_i$ equals the overall number of cycles $m$. One possible solution would be to overestimate each $r_i$ by $m$. Another possibility would be to guess the exact distribution of the cycles over the different witness-trees $T_{i,r_i}$. However, there is a smarter solution: we guess all trees together in a single graph bounded by $m \cdot n$. Additionally, to avoid possible interleavings, we annotate each vertex with its corresponding witness-tree $T_{i,r_i}$. Hence, instead of bounding the number of red edges of each $T_{i,r_i}$ separately by $r_i$, we just bound the number of all red edges in the whole forest by $m$. This way, we not only reduce the size of the encoding, but also skip the additional constraints that would otherwise be necessary to sum the different witness-tree bounds $r_i$ to $m$.
Let $T$ be some ordered set with $|T| = n$ and $S = T \times \{1, 2, \ldots, m\}$. We use $T$ to denote the vertices of $G$ and $S$ to denote the vertices of the forest of the $T_{i,r_i}$. Further, we use $M = T \times \{1\}$ to denote the roots and $N = S \setminus M$ to denote the non-roots of the corresponding trees. We introduce the following variables:
- $\mathit{edge}(t, t')$ for all $t, t' \in T$, denoting the edges of the abstraction of $M$ to $G$.
- $\mathit{bedge}(s, s')$ for all $s \in S$ and $s' \in N$, denoting a blue edge.
- $\mathit{redge}(s, s')$ for all $s \in S$ and $s' \in M$, denoting a red edge.
- $\mathit{wtree}(s, i)$ for all $s \in S$, $0 < i \le \log n$, denoting the witness-tree of each $s$. As before, we use $\mathit{wtree}(s) \bullet x$ to relate values with the underlying encoding.
- $\mathit{visited}(s, t)$ for all $s \in S$ and $t \in T$, denoting the set of all vertices $t$ already visited at $s$ since leaving the root of the corresponding witness-tree.
- $\mathit{rbound}(c, i)$ for all $0 < c \le m$, $0 < i \le \log(n \cdot m)$, denoting an ordered list of all red edges, bounding the red edges of the forest.
- $\mathit{scc}(k, t, i)$ for all $0 < k \le n$, $t \in T$, and $0 \le i < \log n$, denoting the SCC of $t$ in the $k$-th sub-graph of $G$. The sub-graphs are obtained by iteratively removing vertices of $T$ according to the pre-defined order. This way, each sub-graph contains exactly all vertices that are larger than the root.
Note that by the definition of S we introduce m explicit copies for each vertex of G. This is sufficient, since each cycle contains each vertex at most once. Thus, the labeling τ of a vertex s can be directly derived from the first component of s.
Given a universal co-Büchi automaton $A$, a bound $n$ on the states of the resulting implementation $M$, and a bound $m$ on the number of cycles of $M$, we encode the Bounded Cycle Synthesis problem via the SAT formula $F_{BS}(A, n) \wedge F_{CS}(A, n, m) \wedge F_{SCC}(n)$. The constraints of $F_{CS}(A, n, m)$, bounding the cycles of the system, are given in Table 1. The constraints of $F_{SCC}(n)$, enforcing that each vertex is labeled by a unique SCC, are given in Appendix A.
Theorem 5. For each pair of bounds $n, m \in \mathbb{N}$ and each universal co-Büchi automaton $A$ with $|A| = k$, the formula $F = F_{BS}(A, n) \wedge F_{CS}(A, n, m) \wedge F_{SCC}$ is satisfiable if and only if there is a Mealy machine $M$ with $|M| = n$ and $|\mathcal{C}(M)| = m$ that is accepted by $A$. Furthermore, $F$ consists of $x$ variables with $x \in \mathcal{O}(n^3 + n^2(m^2 + 2^{|I|}) + n|O| + nk \log(nk))$ and $|F| \in \mathcal{O}(n^3 + n^2(m^2 + k|\Sigma|))$.

Table 1. Constraints of the SAT formula $F_{CS}(A, n, m)$.
- $\bigwedge_{r \in T} \mathit{wtree}((r, 1)) = r$ : Roots indicate the witness-tree.
- $\bigwedge_{s \in S,\ (r,1) \in M} \mathit{redge}(s, (r, 1)) \to \mathit{wtree}(s) = r$ : Red edges only connect vertices of the current $T_{i,r_i}$.
- Blue edges only connect vertices of the current $T_{i,r_i}$.
- Every non-root has exactly one blue incoming edge.
- $\bigwedge_{(t,c) \in S,\ r \in T} \mathit{redge}((t, c), (r, 1)) \to \mathit{edge}(t, r)$ : Red edges are related to the edges of the graph $G$.
- Blue edges are related to the edges of the graph $G$.
- $\bigwedge_{(t,c) \in S,\ r \in T,\ t \ge r} \ldots$ : Every possible red edge must be taken.
- Every possible blue edge must be taken.
- Only non-roots of the corresponding sub-graph can be successors of a root.
- Every vertex appears at most once on a path from the root to a leaf.
- The list of red edges is complete ($f(s)$ maps each state of $S$ to a unique number in $\{1, \ldots, n \cdot m\}$).
- $\bigwedge_{0 < c \le m} \mathit{rbound}(c) < \mathit{rbound}(c + 1)$ : Red edges are strictly ordered.

co-Büchi automata. The created SAT queries are solved by MiniSat (v.2.2.0) [5] and clasp (v.3.1.4) [9], where the result of the faster solver is taken. The benchmarks are given in TLSF [10] and represent a decomposition of Arm's Advanced Microcontroller Bus Architecture (AMBA) [2]. They are created from the assumptions and guarantees presented in [11], which were split into modules connected by new signals. A detailed description of the benchmarks is given in [10].
All experiments were executed on a Unix machine, operated by a 64-bit kernel (v4.1.12) running on an Intel Core i7 with 2.8GHz and 8GB RAM. Each experiment had a time limit of 1000 seconds and a memory limit of 8GB. When counting cycles of a solution, the limit was set to 10000000 cycles.
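The witness structure behind F_CS(A, n, m) and the cycle counting used in the evaluation can be made concrete with a small enumeration. The following Python code is an added example and is not part of the paper or of the authors' tool. It mirrors the scheme of Table 1: for each root r, taken in a fixed vertex order, it walks the tree of simple paths from r that stay inside the sub-graph of vertices ≥ r (the blue edges), and every edge from the end of such a path back to r (a red edge) closes one cycle, so each cycle is counted exactly once, at its smallest vertex. The Mealy machine `SAMPLE`, the string encoding of input valuations, the `limit` parameter and the helper `complete_graph` are constructed for the example; counting self-loops as cycles of length one is an assumption.

```python
"""Count the simple cycles |C(M)| of a Mealy machine's state graph.

Added example (not code from the paper): every cycle is attributed to its
smallest vertex r and found as a simple path that starts in r, stays in the
sub-graph of vertices >= r and has an edge back to r.  This mirrors the
witness-trees of Table 1: path edges are the blue edges, closing edges the
red ones, and no vertex repeats on a root-to-leaf path.
"""
from typing import Dict, List, Set, Tuple

# A Mealy machine as state -> {input valuation: (successor, output)}.
# Encoding valuations as strings is an assumption of this example.
Mealy = Dict[int, Dict[str, Tuple[int, str]]]
Graph = Dict[int, Set[int]]

# Constructed sample machine with three states; its state graph has four
# simple cycles: two self-loops, 0->1->0 and 0->1->2->0.
SAMPLE: Mealy = {
    0: {"req": (1, "grant"), "!req": (0, "idle")},
    1: {"req": (2, "grant"), "!req": (0, "idle")},
    2: {"req": (2, "grant"), "!req": (0, "idle")},
}


def state_graph(m: Mealy) -> Graph:
    """Successor relation of the state graph; labels and parallel edges are dropped."""
    g: Graph = {s: set() for s in m}
    for s, trans in m.items():
        for _inp, (t, _out) in trans.items():
            g[s].add(t)
    return g


def complete_graph(n: int) -> Graph:
    """Fully connected state graph on n vertices without self-loops."""
    return {v: {w for w in range(n) if w != v} for v in range(n)}


def simple_cycles(g: Graph, limit: int = 10_000_000) -> List[Tuple[int, ...]]:
    """Enumerate the simple cycles of g, each as the tuple of its vertices
    starting at its smallest vertex.  Self-loops count as cycles of length
    one (assumption).  Stops after `limit` cycles, as the evaluation does."""
    cycles: List[Tuple[int, ...]] = []
    for r in sorted(g):
        # Witness tree for root r: depth-first walk over the simple paths
        # that start in r and use only vertices t >= r (blue edges).
        stack = [(r, (r,))]
        while stack:
            v, path = stack.pop()
            for w in sorted(g[v]):
                if w == r:                      # red edge: closes one cycle
                    cycles.append(path)
                    if len(cycles) >= limit:
                        return cycles
                elif w > r and w not in path:   # blue edge: extend the path
                    stack.append((w, path + (w,)))
    return cycles


def count_cycles(m: Mealy, limit: int = 10_000_000) -> int:
    """|C(M)|, the number of simple cycles in the state graph of M."""
    return len(simple_cycles(state_graph(m), limit))


if __name__ == "__main__":
    for c in simple_cycles(state_graph(SAMPLE)):
        print(" -> ".join(map(str, c + (c[0],))))
    print("cycles:", count_cycles(SAMPLE))
```

The enumeration is exponential in the worst case, which is why the evaluation caps the count. `complete_graph(n)`, the fully connected case that the ENCODE benchmark requires, makes the growth visible: 5 cycles for n = 3 and 20 for n = 4, and a cap of 7 stops the walk after the seventh cycle.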
The results of the evaluation are shown in Table 2, which displays the sizes of the intermediate universal co-Büchi tree automata A_UCT, the sizes of the synthesized implementations M, the number of cycles of each implementation M, and the overall synthesis time. For each instance, we guessed the minimal number of states for the Bounded Synthesis approach and, additionally, the minimal number of cycles for the Bounded Cycle Synthesis approach, to obtain a single satisfiable instance. Further, to verify the result, we also created the unsatisfiable instance, where the state bound was decreased by one in the case of Bounded Synthesis and the cycle bound was decreased by one in the case of Bounded Cycle Synthesis. These two instances already give an almost complete picture, since the synthesis times behave monotonically in the bounds: increasing the bound beyond the first realizable instance increases the synthesis time, and decreasing it below the last unsatisfiable instance decreases the synthesis time. The results for the TBURST4 component are additionally depicted in Figure 1.
On most benchmarks, Acacia+ solves the synthesis problem the fastest, followed by Bounded Synthesis and our approach. (On some benchmarks, Bounded Synthesis outperforms Acacia+.) Comparing the running times of Bounded Synthesis and Bounded Cycle Synthesis, the overhead for bounding the number of cycles is insignificant on most benchmarks. The two exceptions are ENCODE, which requires a fully connected implementation, and TBURST4, where the reduction in the number of cycles is substantial. In terms of states and cycles, our tool outperforms Bounded Synthesis on half of the benchmarks and it outperforms Acacia+ on all benchmarks.
The results of Acacia+ show that the number of cycles is indeed an explosive factor. However, they also show that this explosion can be avoided effectively.
Conclusions
We have introduced the Bounded Cycle Synthesis problem, where we limit the number of cycles in an implementation synthesized from an LTL specification. Our solution is based on the construction of a witness structure that limits the number of cycles. The existence of such a witness can be encoded as a SAT problem. Our experience in applying Bounded Cycle Synthesis to the synthesis of the AMBA bus arbiter shows that the approach leads to significantly better implementations. Furthermore, the performance of our prototype implementation is sufficient to synthesize the components (in a natural decomposition of the specification) in reasonable time.
Both Bounded Synthesis and Bounded Cycle Synthesis can be seen as the introduction of structure into the space of implementations. Bounded Synthesis structures the implementations according to the number of states, Bounded Cycle Synthesis additionally according to the number of cycles. The double exponential blow-up between the size of the specification and the number of states, and the triple exponential blow-up between the size and the number of cycles indicate that, while both parameters provide a fine-grained structure, the number of cycles may even be the superior parameter. Formalizing this intuition and finding other useful parameters is a challenge for future work.
Our method does not lead to a synthesis algorithm in the classical sense, where just a specification is given and an implementation or an unsatisfiability result is returned. In our setting, the bounds are part of the input and have to be determined beforehand. In Bounded Synthesis, the bound is usually eliminated by increasing it incrementally. With multiple bounds, the choice of which parameter to increase becomes non-obvious. Finding a good strategy for this problem is a challenge on its own and beyond the scope of this paper. We leave it open for future research.
A SCC Encoding
In the following, we describe the SAT encoding F_SCC(n) that guesses the SCC annotations for each sub-graph of a given graph G induced by the bound n ∈ N. To this end, we fix a vertex v in each SCC and guess two spanning trees rooted in v, the second one being inverted, i.e., its edges lead back to the root. This ensures that every other vertex is reachable from v and that v is reachable from every other vertex. The corresponding spanning trees are then witnesses for the guessed SCCs. To verify that we guessed maximal SCCs, we finally enforce that the DAG of all SCCs is totally ordered and that edges have to follow that order.
Let T be some set with |T | = n. We introduce the following variables for each sub-graph 0 < k ≤ n:
- forward(k, t, t′) for all t, t′ ∈ T, for the edges of the first spanning tree.
- backward(k, t, t′) for all t, t′ ∈ T, for the edges of the second spanning tree.
- frank(k, t, i) for all t ∈ T and 0 < i ≤ log n, denoting a ranking function that measures the distance from the root of the forward spanning tree.
- brank(k, t, i) for all t ∈ T and 0 < i ≤ log n, denoting a ranking function that measures the distance to the root of the backward spanning tree.
We guess and verify the SCC annotation according to the following constraints:
- The SCCs are totally ordered:
- Each SCC has an SCC root, annotated with the smallest ranking:
  ⋀_{0<i≤n} (⋁_{t∈T} scc(k, t) = i) → ⋁_{t∈T} (scc(k, t) = i ∧ frank(k, t) = 0)
- An SCC root is unique:
- The root is the same according to both rankings:
  ⋀_{t∈T} frank(k, t) = 0 ↔ brank(k, t) = 0
- SCC roots do not have incoming forward edges nor outgoing backward edges:
- All non-roots have exactly one incoming forward edge:
  ⋀_{t′∈T} frank(k, t′) ≠ 0 → exactlyOne({forward(k, t, t′) | t ∈ T})
- All non-roots have exactly one outgoing backward edge:
- Forward edges preserve the ranking:
- Backward edges preserve the ranking:
- Only edges of the same SCC can be connected by a forward edge:
- Only edges of the same SCC can be connected by a backward edge:
The resulting formula is quadratic in n for each 0 < k ≤ n and consists of n^2 variables. Hence, the overall formula F_SCC(n) consists of at most n^3 variables and |F_SCC(n)| ∈ O(n^3).
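The witness of Appendix A can be checked outside a SAT solver as well. The following Python code is an added example, not code from the paper or its prototype: `check_witness` evaluates the listed constraints on a candidate annotation (SCC numbers, both rankings, forward and backward tree edges) and reports every violation, and `build_witness` constructs a valid witness for a graph by computing its SCCs with Kosaraju's algorithm, numbering them in topological order, taking the smallest vertex of each SCC as root and growing both spanning trees by breadth-first search. The graph `SAMPLE` is constructed for the example. Three details the page leaves open are fixed as assumptions: rankings strictly increase along forward edges and strictly decrease along backward edges, tree edges must be edges of G, and the total order on SCCs is expressed as "no edge of G leads to a smaller SCC number".

```python
"""Certify SCC annotations with the witness structure of Appendix A.

Added example, not code from the paper.  Assumptions beyond the page:
rankings strictly increase along forward edges and strictly decrease
along backward edges, tree edges must be edges of G, and SCC numbers
must be non-decreasing along every edge of G.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Graph = Dict[int, Set[int]]
Edges = Set[Tuple[int, int]]
Witness = Tuple[Dict[int, int], Dict[int, int], Dict[int, int], Edges, Edges]

# Constructed sample graph: SCCs {0,1,2}, {3,4} and {5}, in that order.
SAMPLE: Graph = {0: {1}, 1: {2}, 2: {0, 3}, 3: {4}, 4: {3, 5}, 5: {5}}


def check_witness(g: Graph, scc: Dict[int, int], frank: Dict[int, int],
                  brank: Dict[int, int], forward: Edges, backward: Edges) -> List[str]:
    """Evaluate the constraints of F_SCC directly; returns the list of violations."""
    E = {(t, u) for t in g for u in g[t]}
    roots = {t for t in g if frank[t] == 0}
    errs: List[str] = []
    # The SCCs are totally ordered and every edge of G follows that order.
    errs += [f"edge {e} violates the SCC order" for e in E if scc[e[0]] > scc[e[1]]]
    # Each SCC has a unique root with ranking 0, and both rankings agree on it.
    for i in set(scc.values()):
        if sum(1 for t in roots if scc[t] == i) != 1:
            errs.append(f"SCC {i} does not have a unique root")
    errs += [f"{t}: forward/backward roots differ" for t in g if (frank[t] == 0) != (brank[t] == 0)]
    # Roots have no incoming forward and no outgoing backward edge;
    # every non-root has exactly one of each.
    for t in g:
        fin = sum(1 for (_, u) in forward if u == t)
        bout = sum(1 for (s, _) in backward if s == t)
        if (fin, bout) != ((0, 0) if t in roots else (1, 1)):
            errs.append(f"{t}: wrong number of tree edges ({fin} in, {bout} out)")
    # Tree edges are edges of G inside one SCC and respect the rankings.
    errs += [f"bad forward edge {(t, u)}" for (t, u) in forward
             if (t, u) not in E or scc[t] != scc[u] or frank[u] <= frank[t]]
    errs += [f"bad backward edge {(t, u)}" for (t, u) in backward
             if (t, u) not in E or scc[t] != scc[u] or brank[t] <= brank[u]]
    return errs


def kosaraju(g: Graph) -> List[Set[int]]:
    """SCCs of g in topological order of the condensation (sources first)."""
    order: List[int] = []
    seen: Set[int] = set()

    def visit(v: int) -> None:
        seen.add(v)
        for w in g[v]:
            if w not in seen:
                visit(w)
        order.append(v)

    for v in g:
        if v not in seen:
            visit(v)
    rev: Graph = {v: set() for v in g}
    for v in g:
        for w in g[v]:
            rev[w].add(v)
    comps: List[Set[int]] = []
    assigned: Set[int] = set()
    for v in reversed(order):           # collect one SCC per DFS on the reversed graph
        if v not in assigned:
            comp, stack = set(), [v]
            assigned.add(v)
            while stack:
                x = stack.pop()
                comp.add(x)
                for y in rev[x] - assigned:
                    assigned.add(y)
                    stack.append(y)
            comps.append(comp)
    return comps


def build_witness(g: Graph) -> Witness:
    """Valid witness: root = smallest vertex of each SCC, both trees grown by BFS."""
    scc: Dict[int, int] = {}
    frank: Dict[int, int] = {}
    brank: Dict[int, int] = {}
    forward: Edges = set()
    backward: Edges = set()
    for i, comp in enumerate(kosaraju(g), start=1):
        scc.update({t: i for t in comp})
        v = min(comp)
        frank[v] = brank[v] = 0
        q = deque([v])                  # forward tree: BFS along edges of G
        while q:
            t = q.popleft()
            for u in sorted(g[t] & comp):
                if u not in frank:
                    frank[u] = frank[t] + 1
                    forward.add((t, u))
                    q.append(u)
        q = deque([v])                  # backward tree: BFS along reversed edges
        while q:
            u = q.popleft()
            for t in sorted(comp):
                if u in g[t] and t not in brank:
                    brank[t] = brank[u] + 1
                    backward.add((t, u))
                    q.append(t)
    return scc, frank, brank, forward, backward
```

The order assumption is what makes the guessed SCCs maximal: if two classes i < j lay in one true SCC, some edge of G would have to return from j to i and would be rejected. Relabeling vertex 3 of `SAMPLE` into the first SCC therefore fails the check, as does removing a single forward tree edge.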
