LTL to Deterministic Emerson-Lei Automata

LTL to Deterministic Emerson-Lei Automata

David Müller Technische Universität DresdenThis work is funded by the DFG-project BA-1679/12-1 and partially funded by the DFG Research Training Group \csq@thequote@oinit\csq@thequote@oopenQuantLA: Quantitative Logics and Automata\csq@thequote@oclose (GRK 1763) david.mueller2@tu-dresden.de Technische Universität München    Salomon Sickert Technische Universität MünchenThis work is funded by the DFG Research Training Group \csq@thequote@oinit\csq@thequote@oopenPUMA: Programm- und Modell-Analyse\csq@thequote@oclose (GRK 1480) sickert@in.tum.de
Abstract

We introduce a new translation from linear temporal logic (LTL) to deterministic Emerson-Lei automata, which are -automata with a Muller acceptance condition symbolically expressed as a Boolean formula. The richer acceptance condition structure allows the shift of complexity from the state space to the acceptance condition. Conceptually the construction is an enhanced product construction that exploits knowledge of its components to reduce the number of states. We identify two fragments of LTL, for which one can easily construct deterministic automata and show how knowledge of these components can reduce the number of states. We extend this idea to a general LTL framework, where we can use arbitrary LTL to deterministic automata translators for parts of formulas outside the mentioned fragments. Further, we show succinctness of the translation compared to existing construction. The construction is implemented in the tool Delag, which we evaluate on several benchmarks of LTL formulas and probabilistic model checking case studies.

1 Introduction

Deterministic -automata play an essential role in the verification of probabilistic systems and in the synthesis of reactive systems, which generally prohibit a direct use of non-deterministic automata. However, determinisation of non-deterministic automata may cause an exponential blow-up, which makes these applications computationally hard. Hence there exists a long line of research aiming at shrinking the size of the generated deterministic automata as far as possible. All these translations have in common that they target a specific acceptance condition, such as Rabin, Streett, or Parity, and thus have to sometimes store progress information of the acceptance condition in the state.

In this work, we reexamine the Muller acceptance condition with a crucial twist: Instead of an explicit representation, we represent the acceptance condition in a symbolic fashion, as presented in [3], which we call Emerson-Lei acceptance. Moving to a compactly expressed acceptance condition allows us to reduce the number of states and to use fewer acceptance sets compared to existing translations, although there is a well-known exponential lower bound for the size of deterministic -automata starting from a non-deterministic -automaton [26]. Of course algorithms need to be adapted to this more complex scenario, but we present examples where this reduces the time needed for probabilistic model checking.

Related Work.

There are two lines of research to cope with the exponential blow-up caused by determinisation of -automata. The first explores restricted forms of non-determinism that are still usable for probabilistic verification, such as limit-deterministic automata [32, 6, 29, 30] or good-for-games-automata [15, 19] for Markov decision processes, or unambiguous Büchi automata for Markov chains [5]. The authors of [14] try to avoid the full Safra’s determinisation by under-approximating and over-approximating it via break-point and powerset construction. In the context of synthesis, one can evade determinisation using universal co-Büchi tree automata instead of deterministic parity automata [20].

The second line of research aims at reducing the size of the state space of the resulting deterministic automaton. The most prominent determinisation method, Safra’s determinisation, translates a non-deterministic Büchi into a deterministic Rabin automaton [27]. This translation is implemented in ltl2dstar with several heuristics [17, 18]. In the last decades there has been a lot of progress on determinisation of Büchi automata refining Safra’s construction [24, 16, 22, 28, 25, 12]. While there still remains the exponential lower bound, efficient implementations are also available in SPOT [7]. There has been also work on direct translations starting with fragments or even full LTL, see the history of Rabinizer [4, 10]. The approach of [29] originates from the same family of translations, which together with [9], yields an asymptotically optimal translation from LTL (via limit-deterministic automata) to Parity automata, which is implemented in ltl2dpa. The authors of [23] follow a compositional approach where the LTL formula is brought into a normal form, decomposed, and then subformulas are translated separately. However, all these constructions target a specific acceptance condition structure — Rabin, Streett, or Parity — and thus sometimes need to encode the progress of the acceptance condition in the state space of the resulting automaton.

LTL

(co-)safety

TELA

fairness

fairness

TELA

unsupportedfragment

TELA

TELAfor

s

p

Figure 1: The input LTL formula is split up, each subformula is translated independently, and then a product automaton is constructed, as can be seen for the example .
Contribution.

We present a translation from LTL to deterministic Emerson-Lei automata that trades a compact state space for a more complex acceptance condition structure. There has been previously the idea of a product construction relying on known translations in [3] to obtain a more complex acceptance condition. Here, we give a direct translation of fragments of LTL without an intermediate step over non-deterministic automata. We consider special liveness properties in particular and give a translation based on buffers. For safety and cosafety LTL formulas we rely on the function [10, 29] computing the left-derivative directly on the formula. Additionally, if we encounter a subformula not contained in our supported fragments for a direct translation, we rely on external tools for translation, and compose a deterministic automaton for the overall formula. A general scheme for our approach is depicted in Figure 1, which we implemented in the tool Delag (Deterministic Emerson-Lei Automata Generator).

We conducted several experiments to evaluate the practical impact of this idea: At first we compared the size of the automata measured in state space size as well as acceptance sizes for our tool and several other tools like SPOT and Rabinizer. Secondly, we performed a case study (IEEE 802.11 Wireless LAN Handshaking protocol) and also compared it with SPOT and Rabinizer. On both sides, we could show the potential of Delag, i.e., allowing arbitrary acceptance conditions to obtain smaller automata. The implementation and additional material can be found at [2].

2 Preliminaries

2.1 Linear Temporal Logic

We consider standard linear temporal logic (LTL) with all negations pushed down to the propositions.

Definition 1 (Ltl).

A formula of LTL in negation normal form over a finite set of atomic propositions is given by the syntax:

Furthermore, we introduce the abbreviations: , . An -word is an infinite sequence of sets of atomic propositions and we denote the infinite suffix by . The satisfaction relation between -words and formulas is inductively defined as follows:

Two formulas are called equivalent, denoted , if for all . is defined as the set of temporal subformulas () not nested within the scope of another temporal operator, e.g., .

2.2 Fragments of LTL

We study several syntactic fragments of LTL. Let us denote by the syntactic restriction of LTL to the temporal operators of . Furthermore we allow to denote prefixes that are applied to all formulas by a subscript: . We now identify three (well-known) syntactic LTL fragments commonly used in system property specifications:

  • safety:

  • reachability (or cosafety):

  • fairness:

We now show that the last fragment can be simplified to formulas without nested and :

Theorem 1 (Fairness LTL Normal Form).

Let be an formula. Then there exists an equivalent formula that is a boolean combination of formulas in .

Proof.

Exhaustive application of the following folklore equivalence-preserving rewrite rules, described in [11, 31, 21], brings every fairness LTL formula into the desired normal form:

with and denoting the translation into conjunctive and disjunctive normal form. ∎

This translation might cause an exponential blow-up in formula size due to the translation into conjunctive and disjunctive normal form. However, the construction for fairness LTL to deterministic automata we present is only dependent on the size of the alphabet and the nesting depth of the -operators, which are both unchanged (or even decreased) by the translation. Further from now on we assume all fairness LTL formulas are rewritten to this normal form.

Apart from the rules listed above, our implementation uses several well-known simplification rules to rewrite formulas outside of the fairness fragment to formulas within, e.g., and .

2.3 Deterministic Emerson-Lei Automata

Emerson-Lei automata are Muller automata with their acceptance condition expressed as a generic acceptance condition (see [3]): Instead of representing every Muller set explicitly a symbolic representation is used. We will take as acceptance condition a Boolean combination over the atomic propositions and where is an arbitrary subset of transitions of an -automaton . We denote the set of all generic acceptance conditions by .

Definition 2 (Deterministic Transition-Based Emerson-Lei Automata).

A deterministic transition-based Emerson-Lei automaton (TELA) is a tuple where is a finite set of states, is an alphabet, is a transition function, is the initial state, and is a generic acceptance condition. Furthermore we use a superscript to denote a component of a specific automaton, e.g., is the transition function of .

For convenience we sometimes interpret the transition function as a relation and write instead of . A run of a TELA on the -word is an infinite sequence of transitions respecting the transition function, i.e. for every . We denote by the set of transitions occurring infinitely often in the run. A run is called accepting for if and accepting for if . For arbitrary acceptance conditions , i.e., Boolean combinations of and , a run is accepting if satisfies in the expected way. All well-known acceptance conditions, such as Büchi, Rabin, Streett, and Parity, can be expressed easily using this mechanism.

Since and are dual, one can complement a deterministic TELA just by complementing the acceptance condition, i.e., replacing every occurrence of with , every occurrence of with , and every disjunction with conjunction and every conjunction with a disjunction.

3 Construction

The automaton is constructed from an LTL formula as a product of smaller automata for each temporal subformula. We identified several fragments of LTL in the preliminaries and now present specialised constructions for each of them. While the standard product construction yields an automaton in the size of the product of all automata in the worst-case, the structure of the formula enables us to propagate information, such that we can suspend or disable automata of the product depending on the context.

Consider the following parametric formula: . We will later demonstrate that the propagation of information allows us to construct a Büchi automaton of size , while SPOT in the standard configuration yields automata of size and only after enabling simulation-based reductions this decreases to sizes comparable to our automata. Let us now examine the construction, while we translate the formula .

3.1 Fairness-LTL

First, we consider the fairness fragment and show that there is a natural way to represent it as deterministic automata. In particular, if we look at Boolean combinations of fairness-LTL formulas (), we obtain an acceptance condition mirroring the structure of the input formula. Furthermore, if the formula does not contain any , the automata we obtain is a single-state automaton. For all other formulas we need to store a bounded history in the form of a FIFO-buffer of seen sets of atomic propositions (or valuations). We will now establish the tools necessary to compute the structure of such a buffer. We use the following operations defined on finite and infinite sequences of sets (assuming ):

Relevant History.

Let us consider our example formula: . In order to check whether holds we just need to know whether and holds. The rest of the can be projected away. The relevant history for an LTL formula is a finite word over and masks all propositions that are irrelevant for evaluating . We compute the relevant history recursively from the structure of the formula:

Lemma 1.

Let be an formula and let be a -word. Then if and only if .

Proof.

By induction on . For succinctness we just exhibit two cases and all other cases are analogous.

Case . Then iff iff iff iff .

Case . Then iff iff iff iff . ∎

The TELA we are constructing keeps a buffer masked by . Intuitively the automaton delays the decision whether holds by steps and then decides whether it holds true, instead of non-deterministically guessing the future and verifying this guess as done in standard LTL translations.

Definition 3.

Let be an formula over and let . We then define one TELA for :

Observe that we must take the closure of before intersecting with the buffer. Otherwise we might lose information while propagating letters from the back to the front of the buffer. Further, we can always drop the last set of letters of the relevant history, since a transition-based acceptance is used. In the context of state-based acceptance this needs to be also stored in the buffer.

Let us apply this construction to our example: . First, we get . Second, since we always drop the last set of letters, we have and . Thus we obtain the TELA automaton shown in Figure 1(a), which is in fact a Büchi automaton.

Theorem 2.

Let be an formula over .

Proof.

Assume holds. Thus we have and we obtain by using Lemma 1. Thus there exists a finite word with (1) , (2) , and (3) . Thus infinitely often takes the (shortened) transition . Due to (2) we have and thus . The other direction is analogous. ∎

Since is equivalent to , we immediately obtain also a translation for . We only need to change the acceptance condition to with .

(a)

(b)
Figure 2: Automata for and . Bold edges denote accepting transitions.

3.2 Safety- and Cosafety-LTL

Translating safety LTL to deterministic automata is a well-studied problem. Since these languages can be defined using bad prefixes, meaning once a bad prefix has been read, the word is rejected, most automata generated by most available translations will have a single rejecting sink. All other states and transitions are then either rejecting or accepting. We use the straight-forward approach to apply the -function from [10] to obtain a deterministic automaton for cosafety LTL formulas and by duality also for automata for safety languages. The -function computes the left-derivative of a language expressed as an LTL formula.

Definition 4 ([10], Definition 7).

Let be a formula of , then

Theorem 3 ([10], Theorem 2).

Let be a formula of , then

For the cosafety formula we then obtain the automaton of Figure 1(b) with the accepting sink . This approach also immediately tells us, when a run is accepting by looking at the state.

3.3 General LTL

If the translation encounters a subformula not covered by Section 3.1 and Section 3.2, it resorts to an external general purpose LTL to deterministic automaton translation. Here no restrictions on the type of the automaton are made, since all of them — Rabin, Streett, Parity, Büchi — can be interpreted as a TELA.

3.4 Product construction

Standard Construction.

All these deterministic automata are then combined using a product construction. We first introduce the standard product construction for Emerson-Lei Automata that is similar to the product construction for Muller automata and then move on to the enhanced construction.

Definition 5.

Let be a formula and for every let be a deterministic TELA recognising . The deterministic TELA for the product automaton is defined as:

We denote by the current state of the automaton in the product state , meaning . Since all are deterministic, is also deterministic. We denote by the states of and by the initial state of . Further is defined as the set of all from the initial state reachable states. The acceptance condition is recursively computed over the structure of with denoting the lifting of the acceptance condition:

Theorem 4.

Let be an LTL formula. Then

Enhanced Construction.

An essential part of the enhanced product construction is the removal of unnecessary information from the product states. For this we introduce three additional states with special semantics: signalises that the component moved to an accepting trap, while expresses that the component moved to a rejecting trap. Alternatively, if a component got irrelevant for the acceptance condition it is also moved to . Lastly, says that the component was put on hold. More specifically, we put the fairness automata on hold, if a “neighbouring” automaton still needs to fulfil its goal, such as reaching an accepting trap. To make notation easier to read we assume that every automaton contains these states and all accepting sinks (or traps) have been replaced by and rejecting by .

In the following we use the following abbreviations to reason about LTL formulas:

  • () denotes the set of all conjuncts of a conjunction (disjuncts of a disjunction) outside the scope of a temporal operator, e.g. let , then and .

  • denotes the substitution of all formulas in the set with the formula , e.g. .

  • denotes the support of a formula, where the formula is viewed as a propositional formula, which means that temporal operators are also considered propositions, e.g. . This means every assignment can be restricted to the propositions of the support: , where denotes the conventional propositional satisfaction relation.

We use the following definitions to manipulate product states:

Definition 6 (Product State Modifications).

An of a product state tests a predicate on a formula-state pair and replaces with a new value obtained by the updater depending on , if it holds:

disables automata in that became irrelevant for the acceptance condition, meaning there are no longer in the support of the original formula after using knowledge from other automata. For this let us denote by all and by all .

starts (fairness) automata that are required for the acceptance but have been put on hold. This is the case, if automata with terminal acceptance for formulas in the same conjunction () have not yet reached or the dual case for disjunctions:

Definition 7 (Enhanced Product Automaton).

Let be a formula. The TELA for the enhanced product automaton is defined the same way as Definition 5 with the following changes:

Theorem 5.

Let be a formula.

If we apply this construction to we obtain the automaton shown in Figure 3. Observe that is put on hold until the automaton for reaches .

Figure 3: Enhanced Product Automaton for , only the accepting edges for are drawn.

3.4.1 Further Optimisations

There are two further optimisations we implement: First, we replace the local histories of each automaton for with one global history. Second, we piggyback the acceptance of (co-)safety automata on neighbouring fairness automata. Let be a conjunction, and . We then have and extend with . The same trick can be applied to and of course to the dual case with .

4 Succinctness

It is clear from Definition 5 that the presented translation uses at most acceptance sets for Boolean combinations of . We show succinctness compared to deterministic generalized Rabin automata or deterministic Streett automata, which might need an exponential sized acceptance condition for the same language, while the acceptance size only grows linearly for TELAs.

For this, we define two mutually recursive formula patterns modelling Rabin and Streett conditions:

We call the subformulas , leafs, and a set of leafs a good leaf set — denoted by —, if it is a minimal set satisfying , respectively .

Lemma 2.

For and there are good leaf sets.

Proof.

First note, that for each subformula of the form there is a doubling of good leaf sets in . This comes from the conjunction of the Streett pair and : To every good leaf set of one has to add either or to obtain a good leaf set for . On the other side,

Since we alternate between and , we have good leaf sets for (resp. ). ∎

W.l.o.g. we assume, that every good leaf set contains at most one subformula of the form . If there are more than one subformulas of this pattern, e.g. and , one can remove both and add . Note that this transformation does not reduce the number of good leaf sets, since no good leaf set is removed, and two good leaf sets cannot be reduced to the same good leaf set.

One can easily give a bijection from a Rabin pair to a good leaf set, negate to , and use the duality between Rabin and Streett automata. Overall, we get the following lemma:

Lemma 3.

For every , every generalized Rabin automaton equivalent to has at least acceptance pairs. For every , every Streett automaton equivalent to has at least acceptance pairs.

Note that and are Boolean combinations of formulas from . Since and do not contain a operator, the produced automaton of our construction has exactly one state. According to Section 3.1 one can see, that the structure of the formula is directly translated into the acceptance condition. Therefore, the length of the acceptance condition is equal to (resp. ).

5 Experimental Evaluation

Our experimental evaluation is two-part: At first, we evaluate our translation by comparing the automata sizes and acceptance sizes. The second contribution in our evaluation considers probabilistic model checking with the help of automata. For every experiment, we set a time limit of minutes and a memory limit of GB for every process.111All experiments were carried out on a computer with two Intel E5-2680 8-core CPUs at 2.70 GHz with 384GB of RAM running Linux.

5.1 Automata Sizes

For the comparison of the acceptance conditions, we rely on counting the number of and occurring in the acceptance condition. We compare our tool Delag with Rabinizer [10] and ltl2tgba of SPOT. Our benchmark consists of LTL formulas from [31, 8, 11] where for formulas Delag was able to translate a formula completely without using an external tool. For these formulas we do not need to rely on an external tool translating LTL to deterministic automata. Should we require external tools to translate parts of the formula, as described in Section 3.3, we use ltl2tgba of SPOT as fallback solution.

Overall, Delag produced automata with a minimal state space in cases, followed by ltl2tgba with formulas. For the comparison of the acceptance, Delag has delivered the smallest acceptance for formulas, whereas ltl2tgba could produce an automaton with a minimal acceptance condition for formulas. As it can be seen in Table 1 Delag, ltl2tgba and Rabinizer show roughly the same behavior, generating for vs. vs. formulas automata with size less or equal than , with a slight advantage for Delag producing more automata of size one.

#States Delag ltl2tgba Rabinizer Acc. size Delag ltl2tgba Rabinizer
Table 1: Overview of the number of automata generated by the tools Delag, ltl2tgba, Rabinizer with an upper bound of states (on the left side) and with an upper bound of the number of leafs in the acceptance condition.

The situation differs for the sizes of the acceptance condition: ltl2tgba generates automata with acceptance size whereas Delag generates automata with acceptance size . For bigger acceptance sizes the number of generated automata are similar for ltl2tgba and Delag. In comparison, Rabinizer tends to produce automata with bigger acceptance sizes.

For the formulas of Section 4 the results are as expected (see Table 2). Delag always produces the smallest acceptance with a one state automaton, whereas the acceptance sizes of the automata produced by Rabinizer grow faster, e.g., for and Rabinizer produces an automaton with acceptance size and , respectively. Both Delag and Rabinizer produce one state automata. ltl2tgba behaves differently: The state space size of the automata grows with : for ltl2tgba produces an automaton with states and an acceptance size of , whereas for the state space increased to states and an acceptance size of . For we were not able to produce automata with ltl2tgba.

Delag
ltl2tgba
Rabinizer
Table 2: Acceptance sizes for the alternating formula ; means time-out or mem-out.

For the evaluation of the history, we took the formula pattern :

Every subformula (or ) commits the first position or the -th position. So only two out of positions may be fixed, and hence we can share a lot of the state space between the formulas.

The results can be found in Table 3. The state space of ltl2tgba grows faster than Delag, the former being only capable to produce automata up to before hitting the memory limit. For Rabinizer, we were not able to produce automata for , since Rabinizer supports only a limited number of acceptance set. This shows, that the acceptance condition grows immensely.

Delag #States
Acc. size
ltl2tgba #States
Acc. size
Rabinizer #States
Acc. size
Table 3: Automata sizes and number of acceptance sets for ; means time-out or mem-out.

5.2 Prism Runtimes

We have implemented a routine for the analysis of MDPs in PRISM. Here we compare the behaviour of PRISM if the three tools Delag, ltl2tgba from SPOT, and Rabinizer are employed as automata generation tools. As case study we consider the IEEE 802.11 Wireless LAN Handshaking protocol. It describes a resolving mechanism to stop interference if two stations want to send a message at the same time. The key trick is, that all participating stations listen to interference, and if a message has become garbled, the stations waits a random amount of time (limited by an upper bound called Backoff) and then tries to resend the message. We used the following properties:

  • “If a message from sender has been garbled, it will be sent correctly in the future”

  • “Every sender sends at least one message correctly.” :

  • “The first time every station wants to send, the channel remains free for steps”
    where

  • “Every station, that wants to send a message infinitely often, is able to send a message correctly infinitely often ” :

  • “Every station satisfies both the reachability formula and the fairness formula

Every property can be translated directly by Delag without external tools, except , for which we translate the subformulas with ltl2tgba and then build the product. So should be seen as a benchmark for the product construction.

For all properties we asked for the minimal () or maximal () probability of the IEEE 802.11 handshaking model with two stations and a Backoff of at most to satisfy the property. If a formula has a window length (e.g. ) we uniformly choose . Table 4 lists some measured time values and automata/product sizes. All PRISM experiments were carried out with the hybrid engine, an engine that combines symbolic and explicit data structures offering a good compromise.

Property Delag ltl2tgba Rabinizer
BDD size BDD size BDD size
4 31,861 6.6 5 44,181 9.5 4 31,861 32.2
4 61,711 165.4 4 61,719 160.6 4 61,719 159.0
20 46,013 27.5 20 46,106 26.2 72 47,114 28.0
1 30,091 42.6 5 30,473 6.8 1 30