1. Introduction
Linear temporal logic (LTL) (Pnueli, 1977) is a prominent specification language, used both for model checking and automatic synthesis of systems. In the standard automata-theoretic approach (Vardi and Wolper, 1986) the input formula is first translated into an automaton, and then the product of this automaton with the input system is further analyzed. Since the size of the product is often the bottleneck of all the verification algorithms, it is crucial that the automaton is as small as possible. Consequently, a lot of effort has been spent on translating LTL into small automata, e.g. (Couvreur, 1999; Daniele et al., 1999; Etessami and Holzmann, 2000; Somenzi and Bloem, 2000; Gastin and Oddoux, 2001; Giannakopoulou and Lerda, 2002; Fritz, 2003; Babiak et al., 2012; Duret-Lutz et al., 2016).
While nondeterministic Büchi automata (NBA) can be used for model checking nondeterministic systems, other applications such as model checking probabilistic systems or synthesis usually require automata with a certain degree of determinism, such as deterministic parity automata (DPA) or deterministic Rabin automata (DRA) (Baier and Katoen, 2008), deterministic generalized Rabin automata (DGRA) (Chatterjee et al., 2013), limit-deterministic (or semi-deterministic) Büchi automata (LDBA) (Vardi, 1985; Courcoubetis and Yannakakis, 1995; Hahn et al., 2015; Sickert et al., 2016), unambiguous Büchi automata (Baier et al., 2016) etc. The usual constructions that produce such automata are based on Safra’s determinization and its variants (Safra, 1988; Piterman, 2006; Schewe, 2009). However, they are known to be difficult to implement efficiently, and to be practically inefficient in many cases due to their generality. Therefore, a recent line of work shows how DPA (Esparza et al., 2017; Křetínský et al., 2017), DRA and DGRA (Křetínský and Esparza, 2012; Křetínský and Ledesma-Garza, 2013; Esparza and Křetínský, 2014; Esparza et al., 2016), or LDBA (Kini and Viswanathan, 2015; Sickert et al., 2016; Kini and Viswanathan, 2017) can be produced directly from LTL, without the intermediate step through a nondeterministic automaton. All these works share the principle of describing each state by a collection of formulas, as happens in the classical tableaux construction for the translation of LTL into NBA. This makes the approach particularly apt for semantic-based state reductions, e.g., for merging states corresponding to equivalent formulas. These reductions cannot be applied to Safra-based constructions, where this semantic structure gets lost.
In this paper, we provide a unified view of translations of LTL into NBA, LDBA, and DRA enjoying the following properties, absent in former translations:
Asymptotic Optimality.
D(G)RA are the most compact among the deterministic automata used in practice, in particular compared to DPA. Previous translations to D(G)RA were either limited to fragments of LTL (Křetínský and Esparza, 2012; Křetínský and Ledesma-Garza, 2013; Babiak et al., 2013), or only shown to be triply exponential (Esparza and Křetínský, 2014; Esparza et al., 2016). Here we provide constructions for all mentioned types of automata matching the optimal double exponential bound for DRA and LDBA, and the optimal single exponential bound for NBA.
Symmetry.
The first translations (Křetínský and Esparza, 2012; Křetínský and Ledesma-Garza, 2013) used auxiliary automata to monitor each Future- and Globally-subformula. While this approach worked for fragments of LTL, subsequent constructions for full LTL (Esparza and Křetínský, 2014; Esparza et al., 2016; Sickert et al., 2016) could not preserve the symmetric treatment. They only used auxiliary automata for subformulas, at the price of more complex constructions. Our translation re-establishes the symmetry of the first constructions. It treats and equally (actually, and more generally, it treats each operator and its dual equally), which results in simpler auxiliary automata.
Independence of Syntax.
Previous translations were quite sensitive to the operators used in the syntax of LTL. In particular, the only greatest-fixed-point operator they allowed was Globally. Since formulas also had to be in negation normal form, preprocessing of the input often led to unnecessarily large formulas. While our translation still requires negation normal form, it allows for direct treatment of Release, Weak until, and other operators.
Unified View.
Our translations rely on a novel Master Theorem, which decomposes the language of a formula into a positive boolean combination of “simple” languages, in the sense that they are easy to translate into automata. This approach is arguably simpler than previous ones (it is certainly simpler than our previous papers (Esparza et al., 2016; Sickert et al., 2016)). Besides, it provides a unified treatment of DRA, NBA, and LDBA, differing only in the translations of the “simple” languages. The automaton for the formula is obtained from the automata for the “simple” languages by means of standard operations for closure under union and intersection.
On top of its theoretical advantages, our translation is comparable to previous DRA translations in practice, even without major optimizations. Summarizing, we think this paper finally achieves the goals formulated in (Křetínský and Esparza, 2012), where the first translation of this kind—valid only for what we would now call a small fragment of LTL—was presented.
Structure of the Paper.
Section 2 contains preliminaries about LTL and automata. Section 3 introduces some definitions and results of (Esparza et al., 2016; Sickert et al., 2016). Section 4 shows how to use these notions to translate four simple fragments of LTL into deterministic Büchi and co-Büchi automata; these translations are later used as building blocks. Section 5 presents our main result, the Master Theorem. Sections 6, 7, and 8 apply the Master Theorem to derive translations of LTL into DRA, NBA, and LDBA, respectively. Section 9 compares the paper to related work and puts the obtained results into context. The appendix of the accompanying technical report (Esparza et al., 2018) contains the few omitted proofs and further related material.
2. Preliminaries
2.1. Languages and Automata
Let be a finite alphabet. An word over is an infinite sequence of letters . We denote the finite infix by , and the infinite suffix by . An language is a set of words.
For the sake of presentation, we introduce automata with accepting conditions defined on states. However, all results can be restated with accepting conditions defined on transitions, more in line with other recent papers and tools (Duret-Lutz et al., 2016; Komárková and Křetínský, 2014; Babiak et al., 2015).
Let be a finite alphabet. A nondeterministic pre-automaton over is a tuple where is a finite set of states, is a transition function, and is a set of initial states. A transition is a triple such that . A pre-automaton is deterministic if is a singleton and is a singleton for every and .
A run of on an word is an infinite sequence of states with for all and we denote by the set of states occurring infinitely often in . An accepting condition is an expression over the syntax with . Accepting conditions are evaluated on runs and the evaluation relation is defined as follows:
iff  
iff  
iff  or  
iff  and 
An accepting condition is a

Büchi condition if for some set of states.

co-Büchi condition if for some set of states.

Rabin condition if for some and some sets of states.
An automaton over is a tuple where is a pre-automaton over and is an accepting condition. A run of is accepting if . A word is accepted by if some run of on is accepting. An automaton is a Büchi (co-Büchi, Rabin) automaton if its accepting condition is a Büchi (co-Büchi, Rabin) condition.
Limit-Deterministic Büchi Automata.
Intuitively, a NBA is limit-deterministic if it can be split into a nondeterministic component without accepting states, and a deterministic component. The automaton can only accept by “jumping” from the nondeterministic to the deterministic component, but after the jump it must stay in the deterministic component forever. Formally, a NBA is limit-deterministic (LDBA) if can be partitioned into two disjoint sets , s.t.

and for every , , and

for all .
2.2. Linear Temporal Logic
We work with a syntax for LTL in which formulas are written in negation normal form, i.e., negations only occur in front of atomic propositions. For every temporal operator we also include in the syntax its dual operator. On top of the next operator , which is self-dual, we introduce temporal operators (eventually), (until), and (weak until), and their duals (always), (release) and (strong release). The syntax may look redundant, but as we shall see it is essential to include and and very convenient to include and .
Syntax and semantics of LTL.
A formula of LTL in negation normal form over a set of atomic propositions () is given by the syntax:
where . We denote the set of subformulas of . A subformula of is called proper if it is neither a conjunction nor a disjunction, i.e., if the root of its syntax tree is labelled by either , , or a temporal operator. The satisfaction relation between words over the alphabet and formulas is inductively defined as follows:
Two formulas are equivalent if they are satisfied by the same words. We also introduce the stronger notion of propositional equivalence:
Definition 2.1 (Propositional Equivalence).
Given a formula , we assign to it a propositional formula as follows: replace every maximal proper subformula by a propositional variable . Two formulas are propositionally equivalent, denoted , iff and are equivalent formulas of propositional logic. The set of all formulas propositionally equivalent to is denoted by .
Example 2.2 ().
Let with and . We have . Thus is propositionally equivalent to and .
Observe that propositional equivalence implies equivalence, but the converse does not hold.
3. The “after” Function
We recall the definition of the “after function” , read “ after ” (Esparza and Křetínský, 2014; Esparza et al., 2016). The function assigns to a formula and a finite word another formula such that, intuitively, holds for iff holds “after reading ”, that is, iff .¹
Footnote 1: There is a conceptual correspondence to the derivatives of (Brzozowski, 1964), and af directly connects to the classical “LTL expansion laws” (Baier and Katoen, 2008). Furthermore, the yet to be introduced relates to (Antimirov, 1996) in a similar way.
Definition 3.1 ().
Let be a formula and a single letter. The formula is inductively defined as follows:
Furthermore, we generalize the definition to finite words by setting and for every and every finite word . Finally, we define the set of formulas reachable from as .
Example 3.2 ().
Let . We then have , , , and .
The following lemma states the main properties of af, which are easily proved by induction on the structure of . For convenience we include the short proof in the appendix of (Esparza et al., 2018).
Lemma 3.3 ().
(Esparza et al., 2016)

For every formula , finite word , and infinite word : iff

For every formula and finite word : is a positive boolean combination of proper subformulas of .

For every formula : If has proper subformulas, then has at most size .
It is easy to show by induction that implies for every finite word . We extend to equivalence classes by defining . Sometimes we abuse language and identify a formula and its equivalence class. For example, we write “the states of the automaton are pairs of formulas” instead of “pairs of equivalence classes of formulas”.
4. Constructing DRAs for Fragments of LTL
We show that the function af can be used to construct deterministic Büchi and co-Büchi automata for some fragments of . The constructions are very simple. Later, in Sections 6, 7, and 8 we use these constructions as building blocks for the translation of general LTL formulas. The fragments are:

The fragment and the fragment .
is the fragment of LTL restricted to the temporal operators , on top of Boolean connectives , literals , and the next operator . is defined analogously, but with the operators . In the literature is also called syntactic co-safety and syntactic safety.
The fragments and .
These fragments contain the formulas of the form , where , and , where .
The reason for the names and is that are least-fixed-point operators, in the sense that their semantics is naturally formulated by least fixed points, e.g. in the calculus, while the semantics of is naturally formulated by greatest fixed points.
The following lemma characterizes the words satisfying a formula of these fragments in terms of the formulas .
Lemma 4.1 ().
(Esparza et al., 2016) Let and let be a word. We have:

iff .

iff .
Let and let be a word. We have:

iff .

iff
The following proposition constructs DBAs or DCAs for the fragments. The proof is an immediate consequence of the lemma.
Proposition 4.2 ().
Let .

The following DBA over the alphabet recognizes :

The following DBA over the alphabet recognizes :
Let .

The following DCA over the alphabet recognizes :

The following DCA over the alphabet recognizes :
Example 4.3 ().
Let . The DBA recognizing is depicted below. We use the abbreviations , , and .
Example 4.4 ().
Let . The DCA recognizing is depicted below. We use the abbreviations of Example 4.3 again.
Now consider the formula . It does not belong to any of the fragments due to the deeper alternation of the least- and greatest-fixed-point operators: . If we construct we obtain a DCA isomorphic to the one above, because and are defined in the same way. However, the DCA does not recognize : For example, on the word , it loops on the middle state and accepts, even though . The reason is that checks that the greatest fixed point holds, and cannot enforce satisfaction of the least-fixed-point formula .
If only we were given a promise that holds infinitely often, then we could conclude that such a run is accepting. We can actually get such promises: for NBA and LDBA via the nondeterminism of the automaton, and for DRA via the “nondeterminism” of the acceptance condition. In the next section, we investigate how to utilize such promises (Section 5.3) and how to check whether the promises are fulfilled or not (Section 5.4).
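As an added worked example (not code from the paper or its authors), the following Python sketch implements the "after" function af of Definition 3.1, propositional equivalence of Definition 2.1 (a truth table over the maximal proper subformulas treated as propositional variables), the set of formulas reachable from a formula modulo propositional equivalence, and the DBA of Proposition 4.2 for a formula of the least-fixed-point fragment, tested on lasso words of the form prefix followed by an infinitely repeated loop. The tuple encoding of formulas, all function names, and the reading of Proposition 4.2 as "states = reachable formulas, initial state = the formula, transitions = af, accepting states = those propositionally equivalent to tt" are assumptions of the example; the af equations follow the standard LTL expansion laws (F p = p or XF p, G p = p and XG p, p U q = q or (p and X(p U q)), and their duals).

```python
import itertools

# Formulas in negation normal form are nested tuples (an encoding assumed by this
# example, not the paper's notation):
#   ('tt',), ('ff',), ('ap', 'a'), ('nap', 'a')      constants and literals
#   ('and', p, q), ('or', p, q), ('X', p)
#   ('F', p), ('U', p, q), ('M', p, q)               least-fixed-point operators
#   ('G', p), ('W', p, q), ('R', p, q)               their greatest-fixed-point duals
TT, FF = ('tt',), ('ff',)
MU_OPS, NU_OPS = {'F', 'U', 'M'}, {'G', 'W', 'R'}

def simp(phi):
    """Constant folding for and/or only; full propositional equivalence is prop_equiv."""
    op = phi[0]
    if op in ('and', 'or'):
        p, q = phi[1], phi[2]
        unit, zero = (TT, FF) if op == 'and' else (FF, TT)
        if p == zero or q == zero:
            return zero
        if p == unit:
            return q
        if q == unit or p == q:
            return p
    return phi

def af(phi, sigma):
    """'phi after sigma' for a single letter sigma (a frozenset of atomic propositions)."""
    op = phi[0]
    if op in ('tt', 'ff'):
        return phi
    if op == 'ap':
        return TT if phi[1] in sigma else FF
    if op == 'nap':
        return FF if phi[1] in sigma else TT
    if op in ('and', 'or'):
        return simp((op, af(phi[1], sigma), af(phi[2], sigma)))
    if op == 'X':
        return phi[1]
    p = af(phi[1], sigma)
    if op == 'F':                                   # F p = p or X(F p)
        return simp(('or', p, phi))
    if op == 'G':                                   # G p = p and X(G p)
        return simp(('and', p, phi))
    q = af(phi[2], sigma)
    if op in ('U', 'W'):                            # p U q = q or (p and X(p U q)); W alike
        return simp(('or', q, simp(('and', p, phi))))
    return simp(('and', q, simp(('or', p, phi))))   # p R q = q and (p or X(p R q)); M alike

def af_word(phi, word):
    """af extended to a finite word, letter by letter."""
    for sigma in word:
        phi = af(phi, sigma)
    return phi

def proper_subformulas(phi, acc):
    """Maximal proper subformulas: everything below the top-level and/or skeleton."""
    if phi[0] in ('and', 'or'):
        proper_subformulas(phi[1], acc)
        proper_subformulas(phi[2], acc)
    elif phi[0] not in ('tt', 'ff'):
        acc.add(phi)
    return acc

def prop_eval(phi, assignment):
    op = phi[0]
    if op == 'tt':
        return True
    if op == 'ff':
        return False
    if op == 'and':
        return prop_eval(phi[1], assignment) and prop_eval(phi[2], assignment)
    if op == 'or':
        return prop_eval(phi[1], assignment) or prop_eval(phi[2], assignment)
    return assignment[phi]          # a proper subformula acts as a propositional variable

def prop_equiv(p, q):
    """Propositional equivalence: identical truth tables over the proper subformulas."""
    variables = sorted(proper_subformulas(p, set()) | proper_subformulas(q, set()), key=repr)
    return all(prop_eval(p, dict(zip(variables, bits))) == prop_eval(q, dict(zip(variables, bits)))
               for bits in itertools.product((False, True), repeat=len(variables)))

def alphabet(ap):
    return [frozenset(s) for r in range(len(ap) + 1) for s in itertools.combinations(ap, r)]

def reach(phi, ap):
    """Formulas reachable from phi via af, one representative per ≡_p class, plus transitions."""
    reps, trans, todo = [phi], {}, [phi]
    while todo:
        psi = todo.pop()
        for sigma in alphabet(ap):
            nxt = af(psi, sigma)
            rep = next((r for r in reps if prop_equiv(r, nxt)), None)
            if rep is None:
                reps.append(nxt)
                todo.append(nxt)
                rep = nxt
            trans[(psi, sigma)] = rep
    return reps, trans

def in_mu_ltl(phi):
    """Membership in the least-fixed-point fragment: no G, W or R anywhere."""
    return phi[0] not in NU_OPS and all(in_mu_ltl(c) for c in phi[1:] if isinstance(c, tuple))

def mu_dba_accepts(phi, ap, prefix, loop):
    """Run the DBA of Proposition 4.2 (as read above) on the lasso word prefix.loop^omega."""
    assert in_mu_ltl(phi) and loop
    reps, trans = reach(phi, ap)
    state = phi
    for sigma in prefix:
        state = trans[(state, sigma)]
    seen, visited = {}, []
    while state not in seen:            # repeat the loop until the run becomes periodic
        seen[state] = len(visited)
        for sigma in loop:
            visited.append(state)
            state = trans[(state, sigma)]
    # Büchi acceptance: an accepting state (≡_p tt) occurs in the periodic part
    return any(prop_equiv(s, TT) for s in visited[seen[state]:])

if __name__ == "__main__":
    a, b = ('ap', 'a'), ('ap', 'b')
    phi = ('F', ('and', a, ('X', b)))            # F(a and X b), a constructed sample formula
    print(len(reach(phi, ['a', 'b'])[0]), "states")
    print(mu_dba_accepts(phi, ['a', 'b'], [frozenset('a')], [frozenset('b')]))
```

Running the module on the constructed formula F(a and X b) yields three states (the formula itself, "b or the formula", and tt) and accepts the word {a}{b}{b}{b}..., in line with Lemma 4.1: acceptance happens exactly when some prefix drives af to a formula propositionally equivalent to tt, and tt is a sink under af.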
5. The Master Theorem
We present and prove the Master Theorem: a characterization of the words satisfying a given formula from which we can easily extract deterministic, limit-deterministic, and nondeterministic automata of asymptotically optimal size.
We first provide some intuition with the help of an example. Consider the formula , which does not belong to any of the fragments in the last section, and a word . Assume we are promised that along the subformula holds infinitely often (this is the case e.g. for ). In particular, we then know that holds infinitely often, and so we can “reduce” to , which belongs to the fragment .
Assume now we are promised that only holds finitely often (for example, because ). Even more, we are promised that along the suffix the formula never holds any more. How can we use this advice? First, reduces to by the fundamental property of af, Lemma 3.3(1). Further, a little computation shows that , and so that reduces to . Finally, using that never holds again, we reduce to which belongs to the fragment .
This example suggests a general strategy for solving :

Guess the set of least-fixed-point subformulas of that hold infinitely often, denoted by , and the set of greatest-fixed-point subformulas that hold almost always, denoted by .

Guess a stabilization point after which the least-fixed-point subformulas outside do not hold any more, and the greatest-fixed-point subformulas of hold forever.

Use these guesses to reduce to problems for formulas that belong to the fragments introduced in the last section.

Check that the guesses are correct.
In the rest of the section we develop this strategy. In Section 5.1 we introduce the terminology needed to formalize stabilization. Section 5.2 shows how to use a guess for or a guess for to reduce to a simpler problem or , where and are read as “ with advice ” and “ with advice ”, respectively. Section 5.3 shows how to use the advice to decide . Section 5.4 shows how to check that the advice is correct. The Master Theorem is stated and proved in Section 5.5.
5.1.  and stability.
Fix a formula . The set of subformulas of of the form , , and is denoted by . So, loosely speaking, contains the set of subformulas of with a least-fixed-point operator at the top of their syntax tree. Given a word , we are interested in which of these formulas hold infinitely often, and which ones hold at least once, i.e., we are interested in the sets
Observe that . We say that is stable with respect to if .
Example 5.1 ().
For we have . Let and . We have and . So is stable with respect to , but is not.
Dually, the set of subformulas of of the form , , and is denoted by . This time we are interested in whether these formulas hold everywhere or almost everywhere, i.e., in the sets
(Observe that the question whether a formula like, say, , holds once or infinitely often makes no sense, because it holds once iff it holds infinitely often.) We have , and we say that is stable with respect to if .
Example 5.2 ().
Let , and as in Example 5.1. We have . The word is stable, but is not, because .
So not every word is stable or stable. However, as shown by the following lemma, all but finitely many suffixes of a word are  and stable.
Lemma 5.3 ().
For every word there exist indices such that for every the suffix is stable and the suffix is stable.
Proof.
We only prove the stability part; the proof of the other part is similar. Since for every , it suffices to exhibit an index such that for every . If then we can choose . So assume . By definition, every holds only finitely often along . So for every there exists an index such that for every . Let , which exists because is a finite set. It follows for every , and so every is stable. ∎
Example 5.4 ().
Let again . The word is neither stable nor stable, but all suffixes of are both stable and stable.
5.2. The formulas and .
We first introduce . Assume we have to determine if a word satisfies , and we are told that is stable. Further, we are given the set such that . We use this oracle information to reduce the problem to a “simpler” problem , where “simpler” means that is a formula of , for which we already know how to construct automata. In other words, we define a formula such that implies iff . (Observe that but , and so the latter, not the former, is the reason for the subscript in the notation .)
The definition of is purely syntactic, and the intuition behind it is very simple. All the main ideas are illustrated by the following examples, where we assume :

and . Then , which implies in particular . So we can reduce to , and so .

and . Then , and so . So we can reduce to the trivial problem , and so .

and . Then , and so . This does not imply , but implies that will hold in the future. So we can reduce to , a formula of , and so .
Definition 5.5 ().
Let be a formula and let . The formula is inductively defined as follows:

If , then .

If for then .

If for then
. 
If then

If then

If then
We now introduce, in a dual way, a formula such that implies iff .
Definition 5.6 ().
Let be a formula and let . The formula is inductively defined as follows:

If , then .

If for then .

If for then
. 
If then

If then

If then
Example 5.7 ().
Let . We have:
5.3. Utilizing and .
The following lemma states the fundamental properties of and . As announced above, for a stable word we can reduce the problem to , and for a stable word to . However, there is more: If we only know , then we can still infer from , only the implication in the other direction fails.
Lemma 5.8 ().
Let be a formula and let be a word.
For every :

If and , then .

If and , then .
In particular:

If then iff .
For every :

If and , then .

If and , then .
In particular:

If then iff .
Proof.
All parts are proved by a straightforward structural induction on . We consider only (a1), and only two representative cases of the induction. Representative cases for (a2), (b1), and (b2) can be found in the appendix of (Esparza et al., 2018).
(a1) Assume . Then for all . We prove the following stronger statement via structural induction on :
We consider one representative of the “interesting” cases, and one of the “straightforward” cases.
Case : Let arbitrary and assume . Then and so . We prove :
Case : Let arbitrary and assume :
Lemma 5.8 suggests deciding by “trying out” all possible sets . Part (a2) shows that the strategy of checking for every set if both and hold is sound.
Example 5.9 ().
Consider . Since , there are four possible ’s to be tried out: , , , and . For we get , indicating that if neither nor hold infinitely often, then cannot hold. For the other three possibilities ( holds infinitely often, holds infinitely often, or both) there are words satisfying , like , , and .
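As an added worked example covering Definitions 5.5 and 5.6 and the "try out every set" strategy of Example 5.9 (not code from the paper or its authors), the following Python sketch computes the two advice formulas. The tuple encoding of formulas is the same one assumed in the earlier example, and the recursive definitions are reconstructed from the stated goals of Section 5.2 and are an assumption of this example: with advice X (least-fixed-point subformulas promised to hold infinitely often), an F-subformula becomes tt if it is in X and ff otherwise, an U- or M-subformula in X is weakened to W or R and one outside X becomes ff, and every other operator is kept and the reduction is pushed into its arguments; with advice Y (greatest-fixed-point subformulas promised to hold almost always), a G-subformula becomes tt if it is in Y and ff otherwise, a W- or R-subformula in Y becomes tt and one outside Y is strengthened to U or M. The function names and the sample formulas are constructed for the example.

```python
import itertools

# Tuple encoding of NNF formulas (assumed by the example, not the paper's notation):
#   ('tt',), ('ff',), ('ap', a), ('nap', a), ('and', p, q), ('or', p, q), ('X', p),
#   ('F', p), ('U', p, q), ('M', p, q)   least-fixed-point operators
#   ('G', p), ('W', p, q), ('R', p, q)   greatest-fixed-point operators
TT, FF = ('tt',), ('ff',)
MU_OPS, NU_OPS = {'F', 'U', 'M'}, {'G', 'W', 'R'}

def simp(phi):
    """Constant folding for and/or, so that e.g. (a or ff) collapses to a."""
    op = phi[0]
    if op in ('and', 'or'):
        p, q = phi[1], phi[2]
        unit, zero = (TT, FF) if op == 'and' else (FF, TT)
        if p == zero or q == zero:
            return zero
        if p == unit:
            return q
        if q == unit or p == q:
            return p
    return phi

def subformulas(phi, ops):
    """Subformulas whose root operator is in ops (mu(phi) for MU_OPS, nu(phi) for NU_OPS)."""
    found = {phi} if phi[0] in ops else set()
    for child in phi[1:]:
        if isinstance(child, tuple):
            found |= subformulas(child, ops)
    return found

def reduce_nu(phi, X):
    """phi with advice X: the least-fixed-point subformulas in X are assumed to hold
    infinitely often, all others never again; the result uses no F, U or M."""
    op = phi[0]
    if op in ('tt', 'ff', 'ap', 'nap'):
        return phi
    if op == 'F':
        return TT if phi in X else FF
    kids = [reduce_nu(c, X) for c in phi[1:]]
    if op in ('and', 'or'):
        return simp((op, *kids))
    if op in ('X', 'G', 'W', 'R'):
        return (op, *kids)
    if op == 'U':                                    # p U q with q promised: p W q
        return ('W', *kids) if phi in X else FF
    return ('R', *kids) if phi in X else FF          # op == 'M'

def reduce_mu(phi, Y):
    """phi with advice Y: the greatest-fixed-point subformulas in Y are assumed to hold
    from now on forever, all others never; the result uses no G, W or R."""
    op = phi[0]
    if op in ('tt', 'ff', 'ap', 'nap'):
        return phi
    if op == 'G':
        return TT if phi in Y else FF
    kids = [reduce_mu(c, Y) for c in phi[1:]]
    if op in ('and', 'or'):
        return simp((op, *kids))
    if op in ('X', 'F', 'U', 'M'):
        return (op, *kids)
    if phi in Y:
        return TT
    return ('U', *kids) if op == 'W' else ('M', *kids)   # W or R outside Y

def in_fragment(phi, forbidden):
    """True if no operator from `forbidden` occurs in phi."""
    return phi[0] not in forbidden and all(
        in_fragment(c, forbidden) for c in phi[1:] if isinstance(c, tuple))

def candidate_advice(phi):
    """The sets X of least-fixed-point subformulas worth trying out: those for which the
    advice formula does not already fold to ff (the enumeration of Example 5.9)."""
    mu = sorted(subformulas(phi, MU_OPS), key=repr)
    return [frozenset(x)
            for r in range(len(mu) + 1) for x in itertools.combinations(mu, r)
            if reduce_nu(phi, frozenset(x)) != FF]

if __name__ == "__main__":
    a, b, c = ('ap', 'a'), ('ap', 'b'), ('ap', 'c')
    phi = ('and', ('F', a), ('G', ('or', b, ('F', c))))   # F a and G(b or F c), constructed
    for X in candidate_advice(phi):
        print(sorted(X, key=repr), '->', reduce_nu(phi, X))
```

On the constructed formula F a and G(b or F c), the empty advice and the advice {F c} both fold to ff (if F a never holds the formula cannot hold), while the advice {F a} reduces the formula to G b and the advice {F a, F c} to G tt; both reductions lie in the greatest-fixed-point fragment for which Section 4 builds automata.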
However there are still two questions open. First, is this strategy complete? Part (a3) shows that it is complete for stable words: Indeed, in this case there is a set such that