One Theorem to Rule Them All: A Unified Translation of LTL into ω-Automata

05/02/2018 ∙ by Javier Esparza, et al. ∙ Technische Universität München 0

We present a unified translation of LTL formulas into deterministic Rabin automata, limit-deterministic Büchi automata, and nondeterministic Büchi automata. The translations yield automata of asymptotically optimal size (double or single exponential, respectively). All three translations are derived from one single Master Theorem of purely logical nature. The Master Theorem decomposes the language of a formula into a positive boolean combination of languages that can be translated into ω-automata by elementary means. In particular, Safra's, ranking, and breakpoint constructions used in other translations are not needed.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

Linear temporal logic (LTL) (Pnueli, 1977) is a prominent specification language, used both for model checking and automatic synthesis of systems. In the standard automata-theoretic approach (Vardi and Wolper, 1986) the input formula is first translated into an -automaton, and then the product of this automaton with the input system is further analyzed. Since the size of the product is often the bottleneck of all the verification algorithms, it is crucial that the -automaton is as small as possible. Consequently, a lot of effort has been spent on translating LTL into small automata, e.g. (Couvreur, 1999; Daniele et al., 1999; Etessami and Holzmann, 2000; Somenzi and Bloem, 2000; Gastin and Oddoux, 2001; Giannakopoulou and Lerda, 2002; Fritz, 2003; Babiak et al., 2012; Duret-Lutz et al., 2016).

While non-deterministic Büchi automata (NBA) can be used for model checking non-deterministic systems, other applications such as model checking probabilistic systems or synthesis usually require automata with a certain degree of determinism, such as deterministic parity automata (DPA) or deterministic Rabin automata (DRA) (Baier and Katoen, 2008), deterministic generalized Rabin automata (DGRA) (Chatterjee et al., 2013), limit-deterministic (or semi-deterministic) Büchi automata (LDBA) (Vardi, 1985; Courcoubetis and Yannakakis, 1995; Hahn et al., 2015; Sickert et al., 2016), unambiguous Büchi automata (Baier et al., 2016) etc. The usual constructions that produce such automata are based on Safra’s determinization and its variants (Safra, 1988; Piterman, 2006; Schewe, 2009). However, they are known to be difficult to implement efficiently, and to be practically inefficient in many cases due to their generality. Therefore, a recent line of work shows how DPA (Esparza et al., 2017; Křetínský et al., 2017), DRA and DGRA (Křetínský and Esparza, 2012; Křetínský and Ledesma-Garza, 2013; Esparza and Křetínský, 2014; Esparza et al., 2016), or LDBA (Kini and Viswanathan, 2015; Sickert et al., 2016; Kini and Viswanathan, 2017) can be produced directly from LTL, without the intermediate step through a non-deterministic automaton. All these works share the principle of describing each state by a collection of formulas, as happens in the classical tableaux construction for translation of LTL into NBA. This makes the approach particularly apt for semantic-based state reductions, e.g., for merging states corresponding to equivalent formulas. These reductions cannot be applied to Safra-based constructions, where this semantic structure gets lost.

In this paper, we provide a unified view of translations of LTL into NBA, LDBA, and DRA enjoying the following properties, absent in former translations:

Asymptotic Optimality.

D(G)RA are the most compact among the deterministic automata used in practice, in particular compared to DPA. Previous translations to D(G)RA were either limited to fragments of LTL (Křetínský and Esparza, 2012; Křetínský and Ledesma-Garza, 2013; Babiak et al., 2013), or only shown to be triply exponential (Esparza and Křetínský, 2014; Esparza et al., 2016). Here we provide constructions for all mentioned types of automata matching the optimal double exponential bound for DRA and LDBA, and the optimal single exponential bound for NBA.

Symmetry.

The first translations (Křetínský and Esparza, 2012; Křetínský and Ledesma-Garza, 2013) used auxiliary automata to monitor each Future- and Globally-subformula. While this approach worked for fragments of LTL, subsequent constructions for full LTL (Esparza and Křetínský, 2014; Esparza et al., 2016; Sickert et al., 2016) could not preserve the symmetric treatment. They only used auxiliary automata for -subformulas, at the price of more complex constructions. Our translation re-establishes the symmetry of the first constructions. It treats and equally (actually, and more generally, it treats each operator and its dual equally), which results into simpler auxiliary automata.

Independence of Syntax.

Previous translations were quite sensitive to the operators used in the syntax of LTL. In particular, the only greatest-fixed-point operator they allowed was Globally. Since formulas also had to be in negation normal form, pre-processing of the input often led to unnecessarily large formulas. While our translations still requires negation normal form, it allows for direct treatment of Release, Weak until, and other operators.

Unified View.

Our translations rely on a novel Master Theorem, which decomposes the language of a formula into a positive boolean combination of “simple” languages, in the sense that they are easy to translate into automata. This approach is arguably simpler than previous ones (it is certainly simpler than our previous papers (Esparza et al., 2016; Sickert et al., 2016)). Besides, it provides a unified treatment of DRA, NBA, and LDBA, differing only in the translations of the “simple” languages. The automaton for the formula is obtained from the automata for the “simple” languages by means of standard operations for closure under union and intersection.

On top of its theoretical advantages, our translation is comparable to previous DRA translations in practice, even without major optimizations. Summarizing, we think this paper finally achieves the goals formulated in (Křetínský and Esparza, 2012), where the first translation of this kind—valid only for what we would now call a small fragment of LTL—was presented.

Structure of the Paper.

Section 2 contains preliminaries about LTL and -automata. Section 3 introduces some definitions and results of (Esparza et al., 2016; Sickert et al., 2016). Section 4 shows how to use these notions to translate four simple fragments of LTL into deterministic Büchi and coBüchi automata; these translations are later used as building blocks. Section 5 presents our main result, the Master Theorem. Sections 6, 7, and 8 apply the Master Theorem to derive translations of LTL into DRA, NBA, and LDBA, respectively. Section 9 compares the paper to related work and puts the obtained results into context. The appendix of the accompanying technical report (Esparza et al., 2018) contains the few omitted proofs and further related material.

2. Preliminaries

2.1. -Languages and -Automata

Let be a finite alphabet. An -word over is an infinite sequence of letters . We denote the finite infix by , and the infinite suffix by . An -language is a set of -words.

For the sake of presentation, we introduce -automata with accepting conditions defined on states. However, all results can be restated with accepting conditions defined on transitions, more in line with other recent papers and tools (Duret-Lutz et al., 2016; Komárková and Křetínský, 2014; Babiak et al., 2015).

Let be a finite alphabet. A nondeterministic pre-automaton over is a tuple where is a finite set of states, is a transition function, and is a set of initial states. A transition is a triple such that . A pre-automaton is deterministic if is a singleton and is a singleton for every and .

A run of on an -word is an infinite sequence of states with for all and we denote by the set of states occurring infinitely often in . An accepting condition is an expression over the syntax with . Accepting conditions are evaluated on runs and the evaluation relation is defined as follows:

 iff
iff
iff or
iff and

An accepting condition is a

  • Büchi condition if for some set of states.

  • coBüchi condition if for some set of states.

  • Rabin condition if for some and some sets of states.

An -automaton over is a tuple where is a pre-automaton over and is an accepting condition. A run of is accepting if . A word is accepted by if some run of on is accepting. An -automaton is a Büchi (coBüchi, Rabin) automaton if its accepting condition is a Büchi (coBüchi, Rabin) condition.

Limit-Deterministic Büchi Automata.

Intuitively, a NBA is limit-deterministic if it can be split into a non-deterministic component without accepting states, and a deterministic component. The automaton can only accept by “jumping” from the non-deterministic to the deterministic component, but after the jump it must stay in the deterministic component forever. Formally, a NBA is limit-deterministic (LDBA) if can be partitioned into two disjoint sets , s.t.

  1. and for every , , and

  2. for all .

2.2. Linear Temporal Logic

We work with a syntax for LTL in which formulas are written in negation-normal form, i.e., negations only occur in front of atomic propositions. For every temporal operator we also include in the syntax its dual operator. On top of the next operator , which is self-dual, we introduce temporal operators (eventually), (until), and (weak until), and their duals (always), (release) and (strong release). The syntax may look redundant but as we shall see it is essential to include and and very convenient to include and .

Syntax and semantics of LTL.

A formula of LTL in negation normal form over a set of atomic propositions () is given by the syntax:

where . We denote the set of subformulas of . A subformula of is called proper if it is neither a conjunction nor a disjunction, i,e., if the root of its syntax tree is labelled by either , , or a temporal operator. The satisfaction relation between -words over the alphabet and formulas is inductively defined as follows:

Two formulas are equivalent if they are satisfied by the same words. We also introduce the stronger notion of propositional equivalence:

Definition 2.1 (Propositional Equivalence).

Given a formula , we assign to it a propositional formula as follows: replace every maximal proper subformula by a propositional variable . Two formulas are propositionally equivalent, denoted , iff and are equivalent formulas of propositional logic. The set of all formulas propositionally equivalent to is denoted by .

Example 2.2 ().

Let with and . We have . Thus is propositionally equivalent to and .

Observe that propositional equivalence implies equivalence, but the converse does not hold.

3. The “after” Function

We recall the definition of the“after function” , read “ after (Esparza and Křetínský, 2014; Esparza et al., 2016). The function assigns to a formula and a finite word another formula such that, intuitively, holds for iff holds “after reading ”, that is, iff .111There is a conceptual correspondences to the derivatives of (Brzozowski, 1964) and af directly connects to the classical “LTL expansion laws” (Baier and Katoen, 2008). Furthermore, the yet to be introduced relates to (Antimirov, 1996) in a similar way.

Definition 3.1 ().

Let be a formula and a single letter. The formula is inductively defined as follows:

Furthermore, we generalize the definition to finite words by setting and for every and every finite word . Finally, we define the set of formulas reachable from as .

Example 3.2 ().

Let . We then have , , , and .

The following lemma states the main properties of af, which are easily proved by induction on the structure of . For convenience we include the short proof in the appendix of (Esparza et al., 2018).

Lemma 3.3 ().

(Esparza et al., 2016)

  • For every formula , finite word , and infinite word : iff

  • For every formula and finite word : is a positive boolean combination of proper subformulas of .

  • For every formula : If has proper subformulas, then has at most size .

It is easy to show by induction that implies for every finite word . We extend to equivalence classes by defining . Sometimes we abuse language and identify a formula and its equivalence class. For example, we write “the states of the automaton are pairs of formulas” instead of “pairs of equivalence classes of formulas”.

4. Constructing DRAs for Fragments of LTL

We show that the function af can be used to construct deterministic Büchi and coBüchi automata for some fragments of . The constructions are very simple. Later, in Sections 6, 7, and 8 we use these constructions as building blocks for the translation of general LTL formulas. The fragments are:

  • The -fragment and the -fragment .
    is the fragment of LTL restricted to temporal operators , on top of Boolean connectives , literals , and the next operator . is defined analogously, but with the operators . In the literature is also called syntactic co-safety and syntactic safety.

  • The fragments and .
    These fragments contain the formulas of the form , where , and , where .

The reason for the names and is that are least-fixed-point operators, in the sense that their semantics is naturally formulated by least fixed points, e.g. in the -calculus, while the semantics of is naturally formulated by greatest fixed points.

The following lemma characterizes the words satisfying a formula of these fragments in terms of the formulas .

Lemma 4.1 ().

(Esparza et al., 2016) Let and let be a word. We have:

  • iff .

  • iff .

Let and let be a word. We have:

  • iff .

  • iff

The following proposition constructs DBAs or DCAs for the fragments. The proof is an immediate consequence of the lemma.

Proposition 4.2 ().

Let .

  • The following DBA over the alphabet recognizes :

  • The following DBA over the alphabet recognizes :

Let .

  • The following DCA over the alphabet recognizes :

  • The following DCA over the alphabet recognizes :

Example 4.3 ().

Let . The DBA recognizing is depicted below. We use the abbreviations , , and .

Example 4.4 ().

Let . The DCA recognizing is depicted below. We use the abbreviations of Example 4.3 again.

Now consider the formula . It does not belong to any of the fragments due to the deeper alternation of the least- and greatest-fixed-point operators: . If we construct we obtain a DCA isomorphic to the one above, because and are defined in the same way. However, the DCA does not recognize : For example, on the word , it loops on the middle state and accepts, even though . The reason is that checks that the greatest fixed point holds, and cannot enforce satisfaction of the least-fixed-point formula .

If only we were given a promise that holds infinitely often, then we could conclude that such a run is accepting. We can actually get such promises: for NBA and LDBA via the non-determinism of the automaton, and for DRA via the “non-determinism” of the acceptance condition. In the next section, we investigate how to utilize such promises (Section 5.3) and how to check whether the promises are fulfilled or not (Section 5.4).

5. The Master Theorem

We present and prove the Master Theorem: A characterization of the words satisfying a given formula from which we can easily extract deterministic, limit-deterministic, and nondeterministic automata of asymptotically optimal size.

We first provide some intuition with the help of an example. Consider the formula , which does not belong to any of the fragments in the last section, and a word . Assume we are promised that along the -subformula holds infinitely often (this is the case e.g. for ). In particular, we then know that holds infinitely often, and so we can “reduce” to , which belongs to the fragment .

Assume now we are promised that only holds finitely often (for example, because ). Even more, we are promised that along the suffix the formula never holds any more. How can we use this advice? First, reduces to by the fundamental property of af, Lemma 3.3(1). Further, a little computation shows that , and so that reduces to . Finally, using that never holds again, we reduce to which belongs to the fragment .

This example suggests a general strategy for solving :

  • Guess the set of least-fixed-point subformulas of that hold infinitely often, denoted by , and the set of greatest-fixed-point subformulas that hold almost always, denoted by .

  • Guess a stabilization point after which the least-fixed-point subformulas outside do not hold any more, and the greatest-fixed-point subformulas of hold forever.

  • Use these guesses to reduce to problems for formulas that belong to the fragments introduced in the last section.

  • Check that the guesses are correct.

In the rest of the section we develop this strategy. In Section 5.1 we introduce the terminology needed to formalize stabilization. Section 5.2 shows how to use a guess for or a guess for to reduce to a simpler problem or , where and are read as “ with -advice ” and “ with -advice ”, respectively. Section 5.3 shows how to use the advice to decide . Section 5.4 shows how to check that the advice is correct. The Master Theorem is stated and proved in Section 5.5.

5.1. - and -stability.

Fix a formula . The set of subformulas of of the form , , and is denoted by . So, loosely speaking, contains the set of subformulas of with a least-fixed-point operator at the top of their syntax tree. Given a word , we are interested in which of these formulas hold infinitely often, and which ones hold at least once, i.e., we are interested in the sets

Observe that . We say that is -stable with respect to if .

Example 5.1 ().

For we have . Let and . We have and . So is -stable with respect to , but is not.

Dually, the set of subformulas of of the form , , and is denoted by . This time we are interested in whether these formulas hold everywhere or almost everywhere, i.e., in the sets

(Observe that the question whether a -formula like, say, , holds once or infinitely often makes no sense, because it holds once iff it holds infnitely often.) We have , and we say that is -stable with respect to if .

Example 5.2 ().

Let , and as in Example 5.1. We have . The word is -stable, but is not, because .

So not every word is -stable or -stable. However, as shown by the following lemma, all but finitely many suffixes of a word are - and -stable.

Lemma 5.3 ().

For every word there exist indices such that for every the suffix is -stable and the suffix is -stable.

Proof.

We only prove the -stability part; the proof of the other part is similar. Since for every , it suffices to exhibit an index such that for every . If then we can choose . So assume . By definition, every holds only finitely often along . So for every there exists an index such that for every . Let , which exists because is a finite set. It follows for every , and so every is -stable. ∎

Example 5.4 ().

Let again . The word is neither -stable nor -stable, but all suffixes of are both -stable and -stable.

5.2. The formulas and .

We first introduce . Assume we have to determine if a word satisfies , and we are told that is -stable. Further, we are given the set such that . We use this oracle information to reduce the problem to a “simpler” problem , where “simpler” means that is a formula of , for which we already know how to construct automata. In other words, we define a formula such that implies iff . (Observe that but , and so the latter, not the former, is the reason for the -subscript in the notation .)

The definition of is purely syntactic, and the intuition behind it is very simple. All the main ideas are illustrated by the following examples, where we assume :

  • and . Then , which implies in particular . So we can reduce to , and so .

  • and . Then , and so . So we can reduce to the trivial problem , and so .

  • and . Then , and so . This does not imply , but implies that will hold in the future. So we can reduce to , a formula of , and so .

Definition 5.5 ().

Let be a formula and let . The formula is inductively defined as follows:

  • If , then .

  • If for then .

  • If for then
    .

  • If then

  • If then

  • If then

We now introduce, in a dual way, a formula such that implies iff .

Definition 5.6 ().

Let be a formula and let . The formula is inductively defined as follows:

  • If , then .

  • If for then .

  • If for then
    .

  • If then

  • If then

  • If then

Example 5.7 ().

Let . We have:

5.3. Utilizing and .

The following lemma states the fundamental properties of and . As announced above, for a -stable word we can reduce the problem to , and for a -stable word to . However, there is more: If we only know , then we can still infer from , only the implication in the other direction fails.

Lemma 5.8 ().

Let be a formula and let be a word.
For every :

  • If and , then .

  • If and , then .

In particular:

  • If then iff .

For every :

  • If and , then .

  • If and , then .

In particular:

  • If then iff .

Proof.

All parts are proved by a straightforward structural induction on . We consider only (a1), and only two representative cases of the induction. Representative cases for (a2), (b1), and (b2) can be found in the appendix of (Esparza et al., 2018).

(a1) Assume . Then for all . We prove the following stronger statement via structural induction on :

We consider one representative of the “interesting” cases, and one of the “straightforward” cases.

Case : Let arbitrary and assume . Then and so . We prove :

Case : Let arbitrary and assume :

Lemma 5.8 suggests to decide by “trying out” all possible sets . Part (a2) shows that the strategy of checking for every set if both and hold is sound.

Example 5.9 ().

Consider . Since , there are four possible ’s to be tried out: , , , and . For we get , indicating that if neither nor hold infinitely often, then cannot hold. For the other three possibilities ( holds infinitely often, holds infinitely often, or both) there are words satisfying , like , , and .

However there are still two questions open. First, is this strategy complete? Part (a3) shows that it is complete for -stable words: Indeed, in this case there is a set such that