Abstract
The topic of this paper is the determinization problem of \(\omega \)automata under the transitionbased EmersonLei acceptance (called TELA), which generalizes all standard acceptance conditions and is defined using positive Boolean formulas. Such automata can be determinized by first constructing an equivalent generalized Büchi automaton (GBA), which is later determinized. The problem of constructing an equivalent GBA is considered in detail, and three new approaches of solving it are proposed. Furthermore, a new determinization construction is introduced which determinizes several GBA separately and combines them using a product construction. An experimental evaluation shows that the product approach is competitive when compared with stateoftheart determinization procedures. The second part of the paper studies limitdeterminization of TELA and we show that this can be done with a singleexponential blowup, in contrast to the known doubleexponential lowerbound for determinization. Finally, one version of the limitdeterminization procedure yields goodforMDP automata which can be used for quantitative probabilistic model checking.
1 Introduction
Many standard algorithms in the fields of verification and synthesis of reactive systems [15, 37, 41, 44] are based on the theory of \(\omega \)automata, which are automata accepting infinite words. For logical specification languages such as linear temporal logic (LTL), many verification systems, including Spin [5] or Prism [30], use logictoautomata translations internally to verify a given system against the specification.
As classical automatabased solutions to reactive synthesis and probabilistic verification use deterministic automata [37, 44], the question of whether and how \(\omega \)automata can be determinized efficiently is a major research area [31, 36, 38, 40, 42]. The first singleexponential and asymptotically optimal determinization for Büchi automata was presented in [40]. It produces Rabin automata, whose acceptance condition is a generalization of the Büchi condition.
The high statecomplexity of determinization and most logictoautomata translations have raised the question of more succinct representations of \(\omega \)automata. Using generalized acceptance conditions (e.g. generalized Büchi [16] or generalized Rabin [10, 12]) and transitionbased [22], rather than statebased, conditions are common techniques in this direction. An even more general approach has led to the HOAformat [1], which represents the acceptance condition as a positive Boolean formula over standard Büchi (\({{\text {Inf}}}\)) and coBüchi (\({{\text {Fin}}}\)) conditions, also called EmersonLei conditions [20, 41]. This standardized format has proven to be very useful: together with a vast body of work on heuristics and dedicated procedures it has led to practically usable and mature tools and libraries such as Spot [18] and Owl [29] which support a wide range of operations on \(\omega \)automata.
While determinization algorithms have made large steps towards practical feasibility, another line of work has considered automata with restricted forms of nondeterminism, which, while being nondeterministic, nevertheless share some of the desired properties of deterministic automata. In this spirit, the classes of goodforMDP [24] and goodforgames [28] automata can be used for quantitative probabilistic model checking of Markov decision processes [23, 43], while limitdeterministic Büchi automata can be used for qualitative modelchecking [15]. Another important class in this context are unambiguous automata, which also share some good algorithmic properties of deterministic automata [13], and are useful for probabilistic verification of Markov chains [4]. Dedicated translations from LTL directly to (limit) deterministic [21] and unambiguous [25] automata have been studied.
This paper considers the problems of determinizing and limitdeterminizing transition based EmersonLei automata (TELA). In contrast to limitdeterminization, the theoretical complexity of determinization is well understood (a tight, doubleexponential, bound was given in [40, 41]). However, it has not been studied yet from a practical point of view, which is the aim of this paper. All presented algorithms have been implemented, and are openly accessible together with the experimental evaluation [27].
1.1 Contribution
Three new translations from TELA to GBA are proposed, and an example is given in which they perform exponentially better than stateoftheart implementations. We demonstrate how they can be used to build novel determinization approaches for TELA. The determinization procedures are based on a product construction which combines multiple GBA. Our experiments show that this approach often outperforms approaches based on determinizing a single GBA. A simple adaptation of the product construction produces limitdeterministic TELA of singleexponential size (in contrast to the doubleexponential worstcase complexity of full determinization). We show that deciding whether \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\) holds is NPcomplete if the TELA \(\mathscr {A}\) is limitdeterministic, and in P if the acceptance of \(\mathscr {A}\) is finless (Proposition 5.3). Finally, a limitdeterminization construction for TELA based on the breakpointconstruction is presented. We show that a version of this procedure yields goodforMDP Büchi automata (Definition 5.4). Thereby \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A}))\) is computable in singleexponential time for any MDP \(\mathscr {M}\) and TELA \(\mathscr {A}\) (Theorem 5.3). The experimental evaluation compares the performance of the different constructions using three benchmark sets.
This article is an extended version of the conference paper [26] which provides full proofs (including some technical lemmas which were omitted in the conference version) and further examples. The experiments are also extended to an additional benchmark set.
1.2 Related work
The upperbound for determinization of TELA [40, 41] relies on a translation to GBA which first transforms the acceptance formula into disjunctive normal form (DNF). We refine this idea by discussing and comparing several ways of performing this transformation. In particular, we present different strategies to remove \({{\text {Fin}}}\)atoms from the acceptance formula, which is a necessary ingredient of the approach. The removal of Finatoms is also discussed in [17, Sect. 4.5], together with a transformation into Büchi automata which relies on computing the conjunctive normal form of the acceptance formula after removing Finatoms. Our finremoval strategies build on the ideas of [17], but our transformation to GBA avoids the CNF conversion and therefore sometimes produces exponentially smaller automata. Furthermore, we extend it to produce limitdeterministic automata. Translations from LTL to TELA have been proposed in [9, 32, 35], and all of them use product constructions to combine automata for subformulas.
The emptinesscheck for \(\omega \)automata under different types of acceptance conditions has been studied in [2, 10, 12, 19], where [2] covers the general case of EmersonLei conditions and also considers qualitative probabilistic model checking using deterministic TELA. The generalized Rabin condition from [10, 12] is equivalent to the DNF that we use and it is a special case of the hyperRabin condition for which the emptiness problem is in P [11, 20]. Probabilistic model checking for deterministic automata under this condition is considered in [12], while [10] is concerned with standard emptiness while allowing nondeterminism. In contrast to the above works, we consider probabilistic model checking for nondeterministic automata under general EmersonLei conditions. A procedure to transform TELA into parity automata is presented in [39], but it does not guarantee the output to be deterministic.
The first limitdeterminization procedure for nondeterministic Büchi automata was presented in [14, 15], and it relies on the idea of combining a copy of the automaton with its breakpoint automaton. This idea was also used in [7, 23]. We lift it to EmersonLei automata by using multiple different breakpoint automata, corresponding to different parts of the EmersonLei condition.
1.3 Outline
After the preliminaries in Section 2, we present the new translation approaches to construct GBA in Sect. 3. In Sect. 4, we show how to use them to determinize TELA and introduce the determinization based on a product construction. The translations to limitdeterministic TELA and goodforMDP automata are contained in Sect. 5. Finally, we compare the different approaches in our experimental evaluation in Sect. 6 before we conclude the paper in Sect. 7.
2 Preliminaries
The infinite words over a finite alphabet \(\Sigma \) are denoted by \(\Sigma ^{\omega }\). If \(w = w_0 w_1 w_2 \ldots \in \Sigma ^{\omega }\), we define \(w[j..] = w_j w_{j+1} \ldots \) and \(w[j..m] = w_j w_{j+1} \ldots w_m\), for any \(j,m \in \mathbb {N}\) such that \(j \le m\).
2.1 Automata on infinite words
A transitionbased EmersonLei automaton (TELA) \(\mathscr {A}\) is a tuple \((Q, \Sigma , \delta , I, \alpha )\), where Q is a finite set of states, \(\Sigma \) is a finite alphabet, \(\delta \subseteq Q \times \Sigma \times Q\) is the transition relation, \(I \subseteq Q\) is the set of initial states and \(\alpha \) is a symbolic acceptance condition over \(\delta \), defined by:
If \(\alpha \) is , , \({{\text {Inf}}}(T)\) or \({{\text {Fin}}}(T)\), then it is called atomic. We denote by \(\vert \alpha \vert \) the number of atomic conditions contained in \(\alpha \), where multiple occurrences of the same atomic condition are counted multiple times. Symbolic acceptance conditions describe sets of transitions \(T \subseteq \delta \). Their semantics is defined recursively as follows:
Two acceptance conditions \(\alpha \) and \(\beta \) are \(\delta \)equivalent (\(\alpha \equiv _{\delta } \beta \)) if for all \(T \subseteq \delta \) we have \(T \models \alpha \iff T \models \beta \). A run of \(\mathscr {A}\) for an infinite word \(u = u_0 u_1 \ldots \in \Sigma ^\omega \) is an infinite sequence of transitions \(\rho = (q_0, u_0, q_1)(q_1, u_1, q_2)\ldots \in \delta ^\omega \) that starts with an initial state \(q_0 \in I\). The set of transitions that appear infinitely often in \(\rho \) are denoted by \(\inf (\rho )\). A run \(\rho \) is accepting (\(\rho \models \alpha \)) \({{\,\textrm{iff }\,}}\) \(\inf (\rho ) \models \alpha \). The language of \(\mathscr {A}\), denoted by \(\mathscr {L}(\mathscr {A})\), is the set of all words for which there exists an accepting run of \(\mathscr {A}\). The sets of infinite words which are the language of some TELA are called \(\omega \)regular. A TELA \(\mathscr {A}\) is deterministic if the set of initial states contains exactly one state and the transition relation is a function \(\delta : Q \times \Sigma \rightarrow Q\). It is complete, if for all \((q,a) \in Q \times \Sigma \): \(\delta \cap \{(q,a,q') {\mid } q' \in Q\} \ne \varnothing \). A Büchi condition is an acceptance condition of the form \({{\text {Inf}}}(T)\) and a generalized Büchi condition is a condition of the form \(\bigwedge _{1 \le i \le k} {{\text {Inf}}}(T_i)\). We call the sets \(T_i\) appearing in a generalized Büchi condition its acceptance sets. Rabin (resp. Street) conditions are of the form \(\bigvee _{1 \le i \le k} ({{\text {Fin}}}(F_i) \wedge {{\text {Inf}}}(T_i))\) (resp. \(\bigwedge _{1 \le i \le k} ({{\text {Fin}}}(F_i) \vee {{\text {Inf}}}(T_i))\)).
2.2 Probabilistic systems
A labeled Markov decision process (MDP) \(\mathscr {M}\) is a tuple \((S,s_0,{\text {Act}},P,\Sigma ,L)\) where S is a finite set of states, \(s_0 \in S\) is the initial state, \({\text {Act}}\) is a finite set of actions, \(P : S \times {\text {Act}}\times S \rightarrow [0,1]\) defines the transition probabilities with \(\sum _{s' \in S} P(s,\alpha ,s') \in \{0,1\}\) for all \((s,\alpha ) \in S \times {\text {Act}}\) and \(L : S \rightarrow \Sigma \) is a labeling function of the states into a finite alphabet \(\Sigma \). Action \(\alpha \in {\text {Act}}\) is enabled in s if \(\sum _{s' \in S} P(s,\alpha ,s') = 1\), and \({\text {Act}}(s) = \{\alpha \mid \alpha \text { is enabled in } s\}\). A path of \(\mathscr {M}\) is an infinite sequence \(s_0 \alpha _0 s_1 \alpha _1 \ldots \in (S \times {\text {Act}})^{\omega }\) such that \(P(s_i,\alpha _i,s_{i+1}) > 0\) for all \(i \ge 0\). The set of all paths of \(\mathscr {M}\) is denoted by \({\text {Paths}}(\mathscr {M})\) and \({\text {Paths}}_{{\text {fin}}}(\mathscr {M})\) denotes the finite paths. Given a path \(\pi = s_0 \alpha _0 s_1 \alpha _1 \ldots \), we let \(L(\pi ) = L(s_0)L(s_1) \ldots \in \Sigma ^{\omega }\).
A Markov chain is an MDP with \({\text {Act}}(s) \le 1\) for all states s. A scheduler of \(\mathscr {M}\) is a function \(\mathfrak {S}: (S\times {\text {Act}})^*\times S \rightarrow {\text {Act}}\) such that \(\mathfrak {S}(s_0 \alpha _0 \ldots s_n) \in {\text {Act}}(s_n)\). It induces a Markov chain \(\mathscr {M}_{\mathfrak {S}}\) and thereby a probability measure over \({\text {Paths}}(\mathscr {M})\). The probability of a set of paths \(\Pi \) starting in \(s_0\) under this measure is \(\Pr _\mathscr {M}^{\mathfrak {S}}(\Pi )\). For an \(\omega \)regular property \(\Phi \subseteq \Sigma ^{\omega }\) we define \(\textbf{Pr}^{\max }_{\mathscr {M}}(\Phi ) = \sup _{\mathfrak {S}}\Pr _{\mathscr {M}}^{\mathfrak {S}}(\{\pi \mid \pi \in {\text {Paths}}(\mathscr {M}) \text { and } L(\pi ) \in \Phi \})\). We denote by \(\Pr ^{\mathfrak {S}}_{\mathscr {M},s}(\Phi )\) and \(\textbf{Pr}^{\max }_{\mathscr {M},s}(\Phi )\) the corresponding values in the MDP one gets by setting the initial state in \(\mathscr {M}\) to \(s \in S\), and omit the \(\mathscr {M}\) in the subscript if it is clear from the context. In a Markov chain, which has a unique scheduler, we omit the superscripts. We refer to [3, Chapter 10] for more details.
3 From TELA to generalized Büchi automata
We present four different constructions to transform TELA into equivalent GBA. One of them is the construction that is implemented by Spot, the other ones are new. First, we define some operations on TELA, which we combine later to define our constructions.
3.1 Operations on EmersonLei automata
The first operator splits a TELA along the toplevel disjuncts of its acceptance condition. Let \(\mathscr {A} = (Q, \Sigma , \delta , I, \alpha )\) be a TELA where \(\alpha = \bigvee _{1 \le i \le m} \alpha _i\) and the \(\alpha _i\) are arbitrary acceptance conditions. We define \({\text {split}}(\mathscr {A}) := (\mathscr {A}_1, \ldots , \mathscr {A}_m)\) with \(\mathscr {A}_i = (Q, \Sigma , \delta , I, \alpha _i)\) for \(1 \le i \le m\), and \({\text {split}}(\mathscr {A})[i]{:}{=} \mathscr {A}_i\).
Lemma 3.1
If \(\mathscr {A}\) is a TELA, then
Proof
“\(\subseteq \)”: Let \(\rho \) be a run of \(\mathscr {A}\) for w such that \(\rho \models \alpha \). Then, it follows that \(\rho \models \alpha _i\) for some \(1 \le i \le m\). But then \(\rho \) is also an accepting run of \({\text {split}}(\mathscr {A})[i]\) and hence \(w \in \mathscr {L}({\text {split}}(\mathscr {A})[i])\).
“\(\supseteq \)”: Let \(\rho \) be an accepting run of \({\text {split}}(\mathscr {A})[i]\) for some \(1 \le i \le m\). Then \(\rho \models \alpha _i\), and hence \(\rho \models \alpha \). It follows that \(\rho \) is an accepting run of \(\mathscr {A}\). \(\square \)
The analogous statement does not hold for conjunction and intersection (see Example 3.1). In other words, the intersection of languages of automata one gets by splitting along a toplevel conjunction is not necessarily the language of the original automaton. This is because a conjunctive acceptance formula requires the existence of a run satisfying all conjuncts.
Example 3.1
Consider the automaton \(\mathscr {A}\) with acceptance condition \(\alpha \) as shown in Fig. 1, and observe that we have \(\mathscr {L}(\mathscr {A}) = \varnothing \). Splitting the acceptance condition of \(\mathscr {A}\) leads to the acceptance conditions \(\alpha _1\) and \(\alpha _2\). We call the corresponding automata that use these two acceptance conditions \(\mathscr {A}_1\) and \(\mathscr {A}_2\). Note, that \(\mathscr {A}_1\) and \(\mathscr {A}_2\) use the same transition system as \(\mathscr {A}\). The automata \(\mathscr {A}_1\) and \(\mathscr {A}_2\) both accept the word \(a^\omega \), i.e. \(\mathscr {L}(\mathscr {A}_1) \cap \mathscr {L}(\mathscr {A}_2) = \{a^{\omega }\}\). Hence, we have \( \mathscr {L}(\mathscr {A}) \ne \mathscr {L}(\mathscr {A}_1) \cap \mathscr {L}(\mathscr {A}_2)\).
We also need constructions to realize the union of a sequence of automata. This can either be done using the sum (i.e. disjoint union) or the disjunctive product of the state spaces. We define a general sum (simply called sum) operation and one that preserves GBA acceptance (called GBAspecific sum). The disjunctive product construction for TELA is mentioned in [17] and similar constructions are used in [32, 35]. While the sum operations yield smaller automata in general, only the product construction preserves determinism.
Definition 3.1
Let \(\mathscr {A}_i = (Q_i, \Sigma , \delta _i, I_i, \alpha _i)\), with \(i \in \{0,1\}\), be two complete TELA with disjoint statespaces. The sum of \(\mathscr {A}_0\) and \(\mathscr {A}_1\) is defined as follows:
with \(\alpha _\oplus = (\alpha _0 \wedge {{\text {Inf}}}(\delta _0)) \vee (\alpha _1 \wedge {{\text {Inf}}}(\delta _1) \big )\).
If \(\alpha _i = {{\text {Inf}}}(T_1^i) \wedge \ldots \wedge {{\text {Inf}}}(T_k^i)\), with \(i \in \{0,1\}\), (i.e. both automata are GBA), then we can use the GBAspecific sum:
with \(\alpha _{GBA} = ({{\text {Inf}}}(T_1^0 \cup T_1^1) \wedge \ldots \wedge {{\text {Inf}}}(T_k^0 \cup T_k^1))\).
The disjunctive product is defined as follows:
and \({\uparrow _{}\!\!(\alpha _i)}\) is constructed by replacing every occurring set of transitions T in \(\alpha _i\) by
Proposition 3.1
Let \(\mathscr {A}_i = (Q_i, \Sigma , \delta _i, I_i, \alpha _i)\), with \(i \in \{0,1\}\), be two complete TELA with disjoint statespaces. The following statements hold:
 1.:

\(\mathscr {L}(\mathscr {A}_0) \cup \mathscr {L}(\mathscr {A}_1) = \mathscr {L}(\mathscr {A}_0 \oplus \mathscr {A}_1)\)
 2.:

Assume that \(\alpha _i = {{\text {Inf}}}(T_1^i) \wedge \ldots \wedge {{\text {Inf}}}(T_k^i)\), for \(i \in \{0,1\}\). Then we have: \(\mathscr {L}(\mathscr {A}_0) \cup \mathscr {L}(\mathscr {A}_1) = \mathscr {L}(\mathscr {A}_0 \oplus _{GBA}\mathscr {A}_1)\)
 3.:

\(\mathscr {L}(\mathscr {A}_0) \cup \mathscr {L}(\mathscr {A}_1) = \mathscr {L}(\mathscr {A}_0 \otimes \mathscr {A}_1)\)
Proof
1.) This is clear as any accepting run of \(\mathscr {A}_i\) (for \(i \in \{0,1\}\)) can be mapped directly to an accepting run of \(\mathscr {A}_0 \oplus \mathscr {A}_1\), and an accepting run \(\mathscr {A}_0 \oplus \mathscr {A}_1\) corresponds to an accepting run of one of the automata \(\mathscr {A}_0,\mathscr {A}_1\).
2.) “\(\subseteq \)”: Let \(\rho \) be an accepting run of \(\mathscr {A}_0\) (w.l.o.g). Then \(\inf (\rho ) \cap T_j^0 \ne \varnothing \) holds for all \(1 \le j \le k\), and hence also \(\inf (\rho ) \cap (T_j^0 \cup T_j^{1}) \ne \varnothing \). But then \(\rho \) is also an accepting run of \(\mathscr {A}_0 \oplus _{GBA}\mathscr {A}_1\).
“\(\supseteq \)”: Let \(\rho \) be an accepting run of \(\mathscr {A}_0 \oplus _{GBA}\mathscr {A}_1\). Then \(\inf (\rho ) \cap (T_j^0 \cup T_j^{1})\) holds for all \(1 \le j \le k\). Recall that we have \(\delta _0 \cap \delta _1 = \varnothing \). We have either \(\inf (\rho ) \subseteq \delta _0\) or \(\inf (\rho ) \subseteq \delta _1\) and \(T_j^i \subseteq \delta _i\) for all \(1 \le j \le k\) and \(i \in \{0,1\}\). As a consequence, there exists \(i \in \{0,1\}\) such that \(\inf (\rho ) \cap T_j^i\) for all \(1 \le j \le k\). But then \(\rho \) is an accepting run of \(\mathscr {A}_i\).
3.) “\(\subseteq \)”: Let \(\rho = q_0 q_1 \ldots \) be an accepting run of \(\mathscr {A}_0\) (w.l.o.g.) for w. As \(\mathscr {A}_1\) is complete, we find a run \(\rho ^*\) of \(\mathscr {A}_0 \otimes \mathscr {A}_1\) for w such that \(\rho ^* = (q_0,q_0') (q_1,q_1') \ldots \), where \(q_0' q_1' \ldots \) is a run of \(\mathscr {A}_1\) for w. As \(\rho \models \alpha _0\), it follows that \(\rho ^* \models \uparrow _{}\!\!(\alpha _0)\) and hence \(\rho ^*\) is an accepting run of \(\mathscr {A}_0 \otimes \mathscr {A}_1\).
“\(\supseteq \)”: Let \(\rho ^* = (q_0,q_0') (q_1,q_1') \ldots \) be an accepting run of \(\mathscr {A}_0 \otimes \mathscr {A}_1\) for w and assume, w.l.o.g., that \(\rho ^* \models \uparrow _{}\!\!(\alpha _0)\). Then \(q_0 q_1 \ldots \), as a run for w, models \(\alpha _0\) and hence it is an accepting run of \(\mathscr {A}_0\). \(\square \)
Note, that the acceptance \(\alpha _{GBA}\) contains the same number of atomic acceptance conditions as \(\mathscr {A}_0\) and \(\mathscr {A}_1\), i.e. the acceptance condition does not increase when \(\oplus _{GBA}\) is used to combine two GBA.
The additional \({{\text {Inf}}}(\delta _0)\) and \({{\text {Inf}}}(\delta _1)\) atoms in the acceptance condition of \(\mathscr {A}_0 \oplus \mathscr {A}_1\) are essential (see Example 3.2).
Example 3.2
Consider the TELA \(\mathscr {A}_0\) and \(\mathscr {A}_1\) in Fig. 2 and Fig. 2, which both accept the empty language. If we unify the state spaces and disjunct the acceptance conditions we get the TELA in Fig. 2. However, this automaton accepts the language \(a^\omega \ne \mathscr {L}(\mathscr {A}_0) \cup \mathscr {L}(\mathscr {A}_1)\).
We can apply the GBAspecific sum to any two GBA by adding \({{\text {Inf}}}(\delta _i)\) atoms until the acceptance conditions are of equal length. Many of our constructions will require the acceptance condition of the TELA to be in DNF. We will use the following normal form throughout the paper (also called generalized Rabin in [10, 12]).
Definition 3.2
(DNF for TELA) Let \(\mathscr {A} = (Q, \Sigma ,\delta , I,\alpha )\) be a TELA. We say that \(\mathscr {A}\) is in DNF if \(\alpha \) is of the form \(\alpha = \bigvee _{1 \le i \le m} \alpha _i\), with \(\alpha _i = {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) and such that all \(k_i \ge 1\).
A single \({{\text {Fin}}}\) atom in each disjunct is enough because \({{\text {Fin}}}(T_1) \wedge {{\text {Fin}}}(T_2) \equiv _{\delta } {{\text {Fin}}}(T_1 \cup T_2)\) holds for all \(T_1,T_2,\delta \). Taking \(k_i \ge 1\) is also no restriction, as we can add “\(\wedge \, {{\text {Inf}}}(\delta )\)” to any disjunct. Using standard Boolean operations one can transform a TELA with acceptance \(\beta \) into DNF by just translating the acceptance formula into a formula \(\alpha \) of the above form, with \(\alpha  \le 2^{\beta }\) and each disjunct contains at most \(\beta \) atomic acceptance conditions.
3.1.1 Finless acceptance
To transform a TELA in DNF (see Definition 3.2) into an equivalent one without \({{\text {Fin}}}\)atoms we use the idea of [10, 17]: a main copy of \(\mathscr {A}\) is connected to one additional copy for each disjunct \(\alpha _i\) of the acceptance condition, in which transitions from \(T_0^i\) are removed. The acceptance condition ensures that every accepting run leaves the main copy eventually. Figure 3 shows an example.
Definition 3.3
Let \(\mathscr {F}_i = (Q_i, \Sigma , \delta _i, I_i, \phi _i)\), defined using \(Q_i = \{q^{(i)} \mid q \in Q\}\), \(\delta _i = \{(q^{(i)},a,{q'^{(i)}}) \mid (q,a,q') \in \delta \setminus T^i_0\}\) and \(\phi _i = \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(U^i_j)\), where \(U^i_j = \{(q^{(i)},a,{q'^{(i)}}) \mid (q,a,q') \in T_j^i \setminus T^i_0\}\). Let

\(Q' = Q \cup \bigcup _{1 \le i \le m} Q_{i}\)

\(\delta ' = \delta \cup \bigcup _{1 \le i \le m}\big (\delta _{i} \cup \{(q, a, {q'^{(i)}}) \mid (q, a, q') \in \delta \} \big )\)

\(\alpha ' ~\!= \bigvee _{1 \le i \le m} \phi _i\)

\(\alpha '' = \bigwedge _{1\le j \le k} {{\text {Inf}}}(U_j^1 \cup \ldots \cup U_j^m)\), with \(k = \max _{i} k_i\) and \(U_j^i = \delta _i\) if \(k_i < j \le k\).
The construction \({\text {removeFin}}(\mathscr {A})\) already appears in [10, 17]. The automaton \({\text {removeFin}}_{{\text {GBA}}}(\mathscr {A})\) uses the same transition system but a different acceptance condition.
Lemma 3.2
If \(\mathscr {A}\) is a TELA:
\(\mathscr {L}(\mathscr {A}) = \mathscr {L}({\text {removeFin}}(\mathscr {A})) = \mathscr {L}({\text {removeFin}}_{{\text {GBA}}}(\mathscr {A}))\).
Proof
We first prove that \(\mathscr {L}(\mathscr {A}) = \mathscr {L}({\text {removeFin}}(\mathscr {A}))\).
“\(\subseteq \)”: Let \(\rho \) be an accepting run of \(\mathscr {A}\) for u, and assume that \(\rho \models {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) (the i’th disjunct of acceptance condition \(\alpha \), which is in DNF). It follows that there exists a position K after which \(\rho \) sees no transitions in \(T_0^{i}\). We construct an accepting run \(\rho '\) of \({\text {removeFin}}(\mathscr {A})\) for u: for the first K positions, it copies \(\rho \) in the main copy Q. Then, it moves to \(Q_i\), and continues to simulate the moves of \(\rho \). From that fact that \(\rho \) sees infinitely many transitions in each set \(T_j^i\), it follows that \(\rho '\) models \(\phi _i\) and hence is accepting.
“\(\supseteq \)”: Let \(\rho '\) be an accepting run of \({\text {removeFin}}(\mathscr {A})\) for u, i.e. \(\rho ' \models \phi _i\) for some \(1 \le i \le m\). It follows that \(\rho '\) eventually moves to \(Q_i\), because \(\phi _i\) contains at least one \({{\text {Inf}}}\)atom whose all transitions are fully included in \(Q_i\). As no other copy is reachable from \(Q_i\), \(\rho '\) stays in \(Q_i\) thereafter. Recall that copy \(Q_i\) does not contain any transition in \(T_0^{i}\). Projecting the part of \(\rho '\) which is in \(Q_i\) onto the corresponding transitions in Q yields a run \(\rho \) for u in \(\mathscr {A}\). From the definition of \(\phi _i\) and the fact that \(\rho '\) models \(\phi _i\) it follows directly that \(\rho \) models \(\alpha _i\), and hence \(\rho \) is accepting.
We show \(\mathscr {L}({\text {removeFin}}(\mathscr {A})) = \mathscr {L}({\text {removeFin}}_{{\text {GBA}}}(\mathscr {A}))\) by proving that for all runs \(\rho \) in \((\delta ')^{\omega }\) we have
First, assume that \(\rho \models \alpha '\), which implies that there exists an \(1 \le i \le m\) such that \(\rho \models {{\text {Inf}}}(U_j^i)\) for all \(1 \le j \le k_i\). It follows that \(\inf (\rho ) \subseteq \delta _i\) and hence also \(\rho \models {{\text {Inf}}}(U_j^i)\) for all \(k_i < j \le k\). But then clearly \(\rho \models {{\text {Inf}}}(U_j^1 \cup \ldots \cup U_j^m)\) for all \(1 \le j \le k\) and hence \(\rho \models \alpha ''\).
Now assume that \(\rho \models \alpha ''\). Then, in particular we have \(\rho \models {{\text {Inf}}}(U_1^1 \cup \ldots \cup U_1^m)\), which implies that \(\rho \models {{\text {Inf}}}(U_1^i)\) for some \(1 \le i \le m\). By construction of \({\text {removeFin}}(\mathscr {A})\) it follows that \(\inf (\rho ) \subseteq \delta _i\) and \(\inf (\rho ) \cap \delta _{i'} = \varnothing \), for \(i' \ne i\). As a consequence we have \(\inf (\rho ) \cap U_j^{i'} = \varnothing \) for all \(1 \le j \le k\) and \(i' \ne i\). The only possibility for \(\rho \) to satisfy all conjuncts in \(\alpha ''\) is to satisfy \(\inf (\rho ) \cap {{\text {Inf}}}(U_j^i) \ne \varnothing \) for all \(1 \le j \le k\). But then it follows that \(\rho \models \phi _i\) and hence \(\rho \models \alpha '\). \(\square \)
Observe that, in contrast to \({\text {removeFin}}\), \({\text {removeFin}}_{{\text {GBA}}}\) always produces GBA. Both constructions consist of \(m+1\) copies of \(\mathscr {A}\) (with \({{\text {Fin}}}\)transitions removed). Each disjunct of the acceptance condition of \({\text {removeFin}}(\mathscr {A})\) contains at most as many atomic conditions than the corresponding disjunct of the acceptance condition of \(\mathscr {A}\).
3.2 Construction of generalized Büchi automata
3.2.1 Construction of spot
The transformation from TELA to GBA from [17] is implemented in Spot[18]. It transforms the automaton into DNF and then applies (an optimized version of) \({\text {removeFin}}\). The resulting finless acceptance condition is translated into conjunctive normal form (CNF). As \({{\text {Inf}}}(T_1) \vee {{\text {Inf}}}(T_2) \equiv _{\delta } {{\text {Inf}}}(T_1 \cup T_2)\) holds for all \(\delta \), one can rewrite any finless condition in CNF into a conjunction of \({{\text {Inf}}}\)atoms, which is a generalized Büchi condition. When starting with a TELA \({\mathscr {B}}\) with acceptance \(\beta \) and N states, one gets a GBA with \(N \, 2^{O(\beta )}\) states and \(2^{O(\beta )}\) acceptance sets, as the finremoval may introduce exponentially (in \(\beta \)) many copies, and the CNF may also be exponential in \(\beta \).
Transforming a finless automaton into a GBA by computing the CNF has the advantage of only changing the acceptance condition, and in some cases it produces simple conditions directly. For example, Spot’s TELA to GBA construction transforms a Rabin into a Büchi automaton, and a Streett automaton with m acceptance pairs into a GBA with m accepting sets. However, computing the CNF may also incur an exponential blowup (Fig. 4 shows such an example).
3.2.2 Copybased approaches
We now describe three approaches (remFin\(\rightarrow \)split\(\alpha \), split\(\alpha \) \(\rightarrow \)remFin and remFin\(\rightarrow \)rewrite\(\alpha \)), which construct GBA with at most \(\beta \) acceptance sets. On the other hand, they generally produce automata with more states than the approach that is implemented in Spot. They are based on [41] which first translates copies of \(\mathscr {A}\) (corresponding to the disjuncts of the acceptance condition) to GBA, and then takes their sum. However, it is not specified in [41] how exactly \({{\text {Fin}}}\)atoms should be removed (they were concerned only with the theoretical complexity). We define:
where the acceptance condition \(\alpha \) of \(\mathscr {A}\) is the DNF of \(\beta \).
With \({\text {removeFin}}\) as defined in Definition 3.3, the approaches remFin\(\rightarrow \)split\(\alpha \) and split\(\alpha \) \(\rightarrow \)remFin produce the same automata (after removing nonaccepting SCC’s), and all three approaches create O(m) copies of \(\mathscr {A}\).
We now analyze the number of acceptance sets of the resulting GBA conditions of the different approaches. The acceptance condition of \({\text {removeFin}}(\mathscr {A})\) is in DNF and each disjunct contains at most \(\beta \) atomic acceptance conditions. Therefore, the sum of the first approach combines m GBA, which each have at most \(\beta \) acceptance sets. The acceptance condition of \({\text {split}}(\mathscr {A})[i]\) contains at most \(\beta \) atomic acceptance conditions for each i. As \({\text {removeFin}}\) does not increase the length of the acceptance condition, the sum of the second approach combines m GBA, which each have at most \(\beta \) acceptance sets. It follows directly from the definition of \({\text {removeFin}}_{{\text {GBA}}}\) (see Definition 3.3) that the acceptance condition of \({\text {removeFin}}_{{\text {GBA}}}(\mathscr {A})\) contains as many acceptance sets as the largest disjunct of the acceptance condition of \(\mathscr {A}\), which is bounded by \(\beta \). Therefore, the number of acceptance sets in the acceptance conditions is bounded by \(O(\beta )\) for all three approaches.
Our implementation uses an optimized variant of the function \({\text {removeFin}}\), as provided by Spot, which leads to different results for all three approaches.
4 Determinization
4.1 Determinization via single GBA
The standard way of determinizing TELA is to first construct a GBA, which is then determinized. Dedicated determinization procedures for GBA with N states and K acceptance sets produce deterministic Rabin automata with \(2^{O(N (\log N + \log K))}\) states [42]. For a TELA \(\mathscr {B}\) with n states and acceptance \(\beta \), the above translations yield GBA with \(N = n \, 2^{O(\beta )}\) and \(K = 2^{O(\beta )}\) (Spot’s construction) or \(N = n \, 2^{O(\beta )}\) and \(K = O(\beta )\) (copybased approaches). We evaluate the effect of the translations to GBA introduced in the previous chapter in the context of determinization in Sect. 6.
4.2 Determinization via a product construction
Another way to determinize a TELA \(\mathscr {A}\) in DNF is to determinize the automata \({\text {split}}(\mathscr {A})[i]\) one by one and then combining them with the disjunctive product construction of Definition 3.1:
where “\({\text {det}}\)” is any GBAdeterminization procedure. Let \({\mathscr {B}}\) be a TELA with acceptance \(\beta \) and n states, and let \(\alpha \) be an equivalent condition in DNF with m disjuncts. Then, for all the automata \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\), the number of states is bounded by O(n) and the number of acceptance sets of the GBA conditions is bounded by \(O(\beta )\). Assuming an optimal GBAdeterminization procedure, the product combines m automata with \(2^{O(n (\log n + \log \beta ))}\) states and hence the result has \(\big (2^{O(n \, (\log n + \log \beta ))}\big )^m = 2^{O ( 2^{\beta } \cdot n (\log n + \log \beta ))}\) states.
5 Limitdeterministic TELA
Limitdeterminism has been studied mainly for Büchi automata [15, 43, 44], and we define it here for general TELA.
Definition 5.1
A TELA \(\mathscr {A} = (Q,\Sigma ,\delta ,I,\alpha )\) is called limitdeterministic if there exists a partition \(Q_N,Q_D\) of Q such that
 1:

\(\delta \cap (Q_D \times \Sigma \times Q_N) = \varnothing \),
 2:

for all \((q,a) \in Q_D \times \Sigma \) there exists at most one \(q'\) such that \((q,a,q') \in \delta \), and
 3:

\(\inf (\rho ) \cap (Q_N \times \Sigma \times Q_N) = \varnothing \) holds for every accepting run \(\rho \) of \(\mathscr {A}\).
This is a semantic definition and as checking emptiness of deterministic TELA is already coNPcomplete, checking whether a TELA is limitdeterministic is as well. To establish this result, we first show that a canonical partition into nondeterministic and deterministic parts of the state space exists. Let \(\mathscr {A} = (Q,I,\Sigma ,\delta ,\alpha )\) be a fixed TELA. We say that a state \(q \in Q\) is deterministic if it has at most one successor in \(\delta \) for each symbol, and define:
and \(Q_N^* = Q \setminus Q_D^*\). The sets \(Q_D^*\) and \(Q_N^*\) can be computed in polynomial time using an SCC analysis of the underlying graph of \(\mathscr {A}\).
Lemma 5.1
A TELA \(\mathscr {A}\) is limitdeterministic iff the partition \(Q_D^*,Q_N^*\) satisfies conditions 13 of Definition 5.1.
Proof
The direction from right to left is immediate. We now show that if there exists a partition \(Q_D,Q_N\) which satisfies 13, then so does \(Q_D^*, Q_N^*\). By construction, \(Q_D^*, Q_N^*\) satisfy conditions 1. and 2. As every state in \(Q_D\) is only allowed to reach deterministic states, it follows that \(Q_D \subseteq Q_D^*\) and hence \(Q_N^* \subseteq Q_N\). But then it follows from the fact that every accepting run of \(\mathscr {A}\) eventually leaves \(Q_N\) forever, that it also eventually leaves \(Q_N^*\) forever. This shows that the partition \(Q_D^*, Q_N^*\) satisfies condition 3. \(\square \)
Proposition 5.1
Checking limitdeterminism for TELA is coNPcomplete.
Proof
As we have seen above, checking whether \(\mathscr {A}\) is limitdeterministic amounts to checking whether \(Q_D^*, Q_N^*\) satisfies conditions 13 of Definition 5.1. Conditions 12 hold by construction. To check condition 3 one can construct an automaton \(\mathscr {N}\) which contains all states and transitions of \(Q_N^*\) and replaces all transitions out of \(Q_N^*\) by a transition to a rejecting trap state (this may need a simple rewrite of the acceptance condition). Then, condition 3 holds if and only if \(\mathscr {N}\) accepts the empty language, which can be checked in coNP for TELA (this follows from NPcompleteness of the nonemptiness problem [20, Thm. 4.7]).
For coNPhardness, we reduce from the emptiness problem of TELA, which is coNPhard. First observe that an automaton \(\mathscr {A}\) in which \(Q_D^*\) is empty is limitdeterministic if and only if \(\mathscr {L}({{\mathscr {A}}}) = \varnothing \). So it suffices to translate an arbitrary TELA \(\mathscr {B}\) into a TELA \(\mathscr {A}\) in which \(Q_D^*\) is empty, and such that \(\mathscr {L}({{\mathscr {B}}}) = \varnothing \) iff \(\mathscr {L}({{\mathscr {A}}}) = \varnothing \). To do this we add a nondeterministic SCC to \(\mathscr {B}\), a transition from each original state in \(\mathscr {B}\) to that SCC, and make sure using the acceptance condition that no run which gets trapped in the new SCC is accepting. \(\square \)
A syntactic definition for TELA in DNF, which implies limitdeterminism, is provided in Definition 5.2.
Definition 5.2
A TELA \(\mathscr {A} = (Q,\Sigma ,\delta ,\{q_0\},\alpha )\) in DNF, with \(\alpha = \bigvee _{1 \le i \le m} \alpha _i\), \(\alpha _i = {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) and \(k_i \ge 1\) for all i, is syntactically limitdeterministic if there exists a partition \(Q_N,Q_D\) of Q satisfying 1. and 2. of Definition 5.1 and additionally \(T^i_j \subseteq Q_D \times \Sigma \times Q_D \text { for all } i \le m \text { and } 1 \le j \le k_i\).
This property implies limitdeterminism because each disjunct of the acceptance formula contains at least one atomic \(\inf (T_i^j)\) formula (for \(1 \le i \le m\) and \(1 \le j \le k_i\)), and all transitions in \(T_i^j\) are included in the deterministic part of the automaton.
5.1 Limitdeterminization
Let \(\mathscr {A} = (Q,\Sigma ,\delta ,I,\bigvee _{1 \le i \le m} \alpha _i)\) be a fixed TELA in DNF for the entire section, where \(\alpha _i = {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) for \(1 \le i \le m\). Additionally, define \(\mathscr {A}_i = {\text {split}}(\mathscr {A})[i]\). Replacing the product by a sum in the productbased determinization of the last section yields single exponential limitdeterministic automata (in contrast to the doubleexponential lowerbound for determinization).
Proposition 5.2
The automaton \(\bigoplus _{1 \le i \le m} {\text {det}}({\text {removeFin}}(\mathscr {A}_i))\) is limitdeterministic and has \(m \cdot 2^{O(n \, (\log n + \log k))}\) states, where \(k = \max \{k_i \mid 1 \le i \le m\}\), \(n = Q\) and “det” is an optimal, i.e. singleexponential, determinization procedure for GBA.
Proof
The resulting automaton is limitdeterministic as the only nondeterminism in the transition system consists in the choice of the initial component. Its state space is of size \(\sum _{1 \le i \le m} {\text {det}}(\mathscr {A}_i)\) and hence in \(m \cdot 2^{O(n \, (\log n + \log k))}\), as GBA can be determinized with a blow up of \(2^{O(n \, (\log n + \log k))}\) states [42]. \(\square \)
If “\(\det \)” is instantiated by a GBAdeterminization that produces Rabin automata, then the result is in DNF and syntactically limitdeterministic. Indeed, in this case the only nondeterminism is the choice of the initial state. But “\(\det \)” can, in principle, also be replaced by any limitdeterminization procedure for GBA.
We now extend the limitdeterminization constructions of [15] (for Büchi automata) and [6, 7, 23] (for GBA) to EmersonLei conditions in DNF. These constructions use an initial component and an accepting breakpoint component [33] for \(\mathscr {A}\), which is deterministic. The following construction differs in two ways: there is one accepting component per disjunct of the acceptance condition, and the accepting components are constructed from \(\mathscr {A}\) without considering the \({{\text {Fin}}}\)transitions of that disjunct. We will use the subset transition function \(\theta \) associated with \(\delta \), defined by: \(\theta (P,a) = \bigcup _{q \in P}\{ q' \mid (q,a,q') \in \delta \}\) for \((P,a) \in 2^Q \times \Sigma \), and additionally we define \(\theta _T(P,a) = \bigcup _{q \in P}\{ q' \mid (q,a,q') \in \delta \cap T \}\). These functions are extended to finite words in the standard way. The following definitions refer to the fixed automaton \(\mathscr {A}\) as defined in the beginning of the section.
Definition 5.3
Let \(\theta _i = \theta _{\delta \setminus T_0^i}\). The i’th accepting breakpoint component of \(\mathscr {A}\) is \(\mathfrak {B}_{i} = (Q_i,\Sigma ,\delta _i,\{p_0\},{{\text {Inf}}}(\delta ^{{\text {break}}}_i))\), with \(p_0 = (I,\varnothing ,1)\), \(Q_i = \{(R,B,l) \in 2^Q \times 2^Q \times \{1, \ldots , k_i\} \mid B \subseteq R \}\), and
In a state (R, B, l) of the above construction, intuitively R is the set of states reachable for the word seen so far in \(\mathscr {A}\) without using transitions from \(T_0^i\), while B are the states in R which have seen a transition in \(T_l^i\) since the last “breakpoint”. The breakpointtransitions are \(\delta ^{{\text {break}}}_i\), which occur when all states in R have seen an accepting transition since the last breakpoint (namely if \(R = B\)). The standard breakpoint construction underapproximates the language of a given GBA, in general.
We define two limitdeterministic Büchi automata (LDBA) \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) and \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) where \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is additionally goodforMDP (GFM) [24]. This means that \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) can be used to solve certain quantitative probabilistic model checking problems (see Sect. 5.2). Both use the accepting breakpoint components defined above. While \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) simply uses a copy of \(\mathscr {A}\) as initial component, \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) uses the deterministic subsetautomaton of \(\mathscr {A}\) (it resembles the cutdeterministic automata of [6]). Furthermore, to ensure the GFM property, there are more transitions between initial and accepting copies in \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\). The construction of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) extends the approach for GBA in [23] (also used for probabilistic model checking) to TELA. We will distinguish elements from sets \(Q_i\) for different i from Definition 5.3 by using subscripts (e.g. \((R,P,l)_i\)) and assume that these sets are pairwise disjoint.
Definition 5.4
Let \(Q_{{\text {acc}}} = \bigcup _{1 \le i \le m} Q_i\), \(\delta _{{\text {acc}}} = \bigcup _{1 \le i \le m} \delta _i\) and \(\alpha _{{\text {acc}}} = {{\text {Inf}}}(\bigcup _{1 \le i \le m} \delta ^{{\text {break}}}_i)\). Define
As \(\delta _i^{{\text {break}}} \subseteq \delta _{{\text {acc}}}\) for all i, both \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) and \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) are syntactically limitdeterministic. The proofs of correctness are similar to ones of the corresponding constructions for GBA [6, Thm. 7.6]. We show later in Theorem 5.2 that \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is GFM.
Theorem 5.1
The automata \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) and \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) are syntactically limitdeterministic and satisfy \(\mathscr {L}(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}) = \mathscr {L}(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}) = \mathscr {L}(\mathscr {A})\). Their number of states is bounded by \((n + 3^n \, m \, k)\) for \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) and \((2^n + 3^n \, m \, k) \in O(\alpha ^2 \cdot 3^n)\) for \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\), with \(k = \max \{k_i \mid 1 \le i \le m\}\).
Before giving a proof of Theorem 5.1 we prove two lemmas related to the breakpoint construction, which will be necessary for the correctness part of Theorem 5.1. The functions \(\theta \) and \(\theta _i\) are defined as in Definition 5.3.
The proofs of the lemmas follow known arguments for the correctness of limitdeterminization for Büchi and generalized Büchi automata (see [15, Sect. 4.2] and [6, Sects. 7.4 and 7.6]). Still, the extension to EmersonLei requires additional arguments and hence we give the proofs here in our notation for completeness. The first lemma extends [6, Lemma 7.1].
Lemma 5.2
For every accepting run \(\rho = q_0q_1 \ldots \) of \(\mathscr {A}\) for \(w = w_0 w_1 \ldots \in \Sigma ^{\omega }\) there exists an \(1 \le i \le m\) such that \(\rho \models \alpha _i\), and a \(K \ge 0\) such that:

for all \(l \ge K\): \((q_l,w_l,q_{l+1}) \notin T_0^i\),

for all \(l \ge K\) there exists \(u > l\) such that \(\theta _i(\{q_{l}\},w[l..u]) = \theta _i(\{q_{K}\},w[K..u])\).
Proof
As \(\rho \) is accepting there must exist an \(1 \le i \le m\) such that \(\rho \models \alpha _i\), which implies \(\rho \models {{\text {Fin}}}(T_0^i)\). Fix such an i. Then, the existence of a K (let us call it \(K_1\)) satisfying the first condition follows directly. Fix such a \(K_1\).
Next, we claim that a \(K_2 \ge K_1\) exists which satisfies both conditions. The first condition is satisfied by all \(K_2 \ge K_1\), so we turn to the second condition. Suppose, for contradiction, that for all \(K_2 \ge K_1\) there exists \(l_1 \ge K_2\) such that for all \(u > l_1\) we have \(\theta _i(\{q_{l_1}\},w[l_1..u]) \ne \theta _i(\{q_{K_2}\},w[K_2..u])\). Clearly then \(\theta _i(\{q_{l_1}\},w[l_1..u]) \subset \theta _i(\{q_{K_2}\},w[K_2..u])\) holds, as \(q_{l_1} \in \theta _i(\{q_{K_2}\},w[K_2..{l_1{}1}])\). Applying the same argument lets us find \(l_2 \ge l_1\) such that for all \(u > l_2\) we have \(\theta _i(\{q_{l_2}\},w[l_2..u]) \subset \theta _i(\{q_{l_1}\},w[l_1..u])\). Iterating this argument yields an infinitely descending chain, which is impossible as all considered sets are finite. It follows that there exists a \(K_2 \ge K_1\) satisfying both conditions, which concludes the proof. \(\square \)
The following lemma shows one direction of the correctness part of Theorem 5.1.
Lemma 5.3
\(\mathscr {L}(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}) \subseteq \mathscr {L}(\mathscr {A})\) and \(\mathscr {L}(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}) \subseteq \mathscr {L}(\mathscr {A})\).
Proof
We give the argument only for \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\), as it is the same for \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) with simple modifications. Any accepting run of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) for any \(w_0 w_1 \ldots \in \Sigma ^{\omega }\) has the form
where the first part from I to \(Q_k\) is a path through the initial component of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\), and the subsequent part is a path through some accepting breakpoint component \(\mathfrak {B}_i\), with \(1 \le i \le m\). As \(\mathfrak {B}_i\) is the standard breakpoint automaton for \(\mathscr {A}\) under acceptance \(\alpha _i\) and after removing transitions in \(T_0^i\), it follows from the soundness of the known construction [6, Lemma 7.3] that there exists a run \(\rho \) through \(\mathscr {A}\) from some state \(q \in P_0\) for the word \(w[k{+}1..]\) such that \(\rho \models \alpha _i\) and \(\rho \) sees no transition in \(T_0^i\). Furthermore, clearly any state in \(P_0\) is reachable from I with a path labeled by w[0..k]. Concatenating such a path with the run \(\rho \) yields an accepting run of \(\mathscr {A}\) for \(w_0 w_1 \ldots \). \(\square \)
Now we are in a position to prove Theorem 5.1. The last part of the proof follows the proof of [6, Lemma 7.2].
Proof of Theorem 5.1
As \(\delta _i^{\textrm{break}} \subseteq \delta _i\) holds for all i, and the breakpoint components are deterministic, both \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) and \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) are syntactically limitdeterministic. The bound \((2^n + 3^n \, m \, k)\) on the states of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) follows as the statespace of \(\mathfrak {B}_i\) is bounded by \(3^n \cdot k\) (this uses that \(B \subset R\) holds for states (R, B, l) of \(\mathfrak {B}_i\), and \(l \le k\)) for all i, and there are m breakpoint components. Additionally, the initial component is a direct subset construction of \(\mathscr {A}\), adding another \(2^n\) states. For \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\), the initial component is of size n, hence the number of states is bounded by \( (n + 3^n \, m \, k)\).
It remains to show that \(\mathscr {L}(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}) = \mathscr {L}(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}) = \mathscr {L}(\mathscr {A})\). The inclusions in \(\mathscr {L}(\mathscr {A})\) follow by Lemma 5.3. For the other direction, let \(\rho = q_0q_1 \ldots \) be an accepting run of \(\mathscr {A}\) for \(w = w_0 w_1 \ldots \in \Sigma ^{\omega }\). By Lemma 5.2 there exist \(1 \le i \le m\) and \(K \ge 0\) such that:

\(\rho \models \alpha _i\)

for all \(l \ge K\): \((q_l,w_l,q_{l+1}) \notin T_0^i\),

for all \(l \ge K\) there exists \(u > l\) such that
$$\begin{aligned}\theta _i(\{q_{l}\},w[l..u]) = \theta _i(\{q_{K}\},w[K..u]).\end{aligned}$$
We define a run of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) for w as follows. For the first \(K{}1\) steps, it remains inside the initial component. It will reach a state \(P \subseteq Q\) with \(q_{K{}1} \in P\). Then it takes the transition \(\bigl (P,w[K{}1],(\{q_{K}\},\varnothing ,0)_i\bigr )\), and continues deterministically thereafter in component \(\mathfrak {B}_i\). This transition is in \(\delta _{{\text {bridge}}}^{{\text {GFM}}}\) as \((q_{K{}1},w[K{}1],q_K) \in \delta \), and hence \(\{q_K\} \subseteq \theta (P,w[K{}1])\). We claim that the remaining run
of \(\mathfrak {B}_{i}\) sees infinitely many transitions in \(\delta _i^{{\text {break}}}\).^{Footnote 1} For contradiction, suppose that this is not the case. Then, there exists \(N > K\) such that for all \(j \ge N\) we have \(B_j \subset R_j\) and \(h_j = h_{j+1}\). As \(\rho \models \alpha _i\) holds, there must exist \(N_1 > N\) satisfying \((q_{N_1},w[N_1],q_{{N_1}{+}1}) \in T_{i}^{h_j}\). It follows that \(q_{{N_1}{+}1} \in B_{{N_1}{+}1}\). By the third property above, however, there exists \(u > N_{1}{+}1 \ge K\) such that
This contradicts \(B_u \subset R_u\). Hence, the constructed run is an accepting run of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) for w, which finishes the proof of \(\mathscr {L}({{\mathscr {A}}}) = \mathscr {L}({\mathscr {G}^{{\text {GFM}}}_{{\mathscr {A}}}})\).
A run for \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) can be constructed in the same way, with the only exception that the initial part of the run is set to be \(q_0 \ldots q_{K1}\) (rather than the unique path in the subsetconstruction for prefix \(w[0..{K{}2}]\)). \(\square \)
As a direct corollary of Theorem 5.1 we get that TELA can be transformed into LDBA of singleexponential size.
Corollary 5.1
Given TELA \({\mathscr {B}}\) (not necessarily in DNF) with acceptance condition \(\beta \) and N states, there exists an equivalent LDBA with \(2^{O(\beta  + N)}\) states.
5.2 Probabilistic model checking
This section discusses how the above constructions can be used for probabilistic model checking. We will use a product between an MDP \(\mathscr {M}\) and a nondeterministic automaton \(\mathscr {A}\) which was introduced in [28]. The construction is such that schedulers of the MDP are forced to resolve the nondeterminism of \(\mathscr {A}\) by choosing the next state of the automaton. We assume that the automaton used to build the product has a single initial state, which holds for \(\mathscr {G}^{{\text {GFM}}}_\mathscr {A}\).
Definition 5.5
Given an MDP \(\mathscr {M}= (S,s_0,{\text {Act}},P,\Sigma ,L)\) and TELA \(\mathscr {G} = (Q,\Sigma ,\delta ,\{q_0\},\alpha )\) we define the MDP \(\mathscr {M}\times \mathscr {G} = (S \times Q, (s_0,q_0), {\text {Act}}\times Q, P^{\times }, \Sigma , L^{\times })\) with \(L^{\times }((s,q)) = L(s)\) and
We define the accepting paths \(\Pi _{acc}\) of \(\mathscr {M}\times \mathscr {G}\) to be:
As a first application, consider the qualitative model checking problem which asks to decide \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\), under the assumption that \(\mathscr {A}\) is a limitdeterministic TELA. While NPhardness follows from the fact that the problem is already hard for deterministic TELA [34, Thm. 5.13], we now show that it is also in NP. Furthermore, it is in P for automata with a finless acceptance condition. This was already known for LDBA [15], and our proof uses similar arguments.
Proposition 5.3
Deciding \(\textbf{Pr}_{\mathscr {M}}^{\max }(\mathscr {L}(\mathscr {A})) > 0\), given MDP \(\mathscr {M}\) and a limitdeterministic TELA \(\mathscr {A}\), is NPcomplete. If \(\mathscr {A}\) has a finless acceptance condition, then the problem is in P.
Proof
NPhardness for general limitdeterministic TELA follows directly from NPhardness for deterministic TELA (see [34, Thm. 5.13]). For the upperbounds we use the fact discussed above that if \(\mathscr {A}\) is limitdeterministic, then we can compute a partition \(Q_D,Q_N\) satisfying conditions 13 of Definition 5.1 in polynomial time.
In NP for limitdet. TELA. We now show that the problem of computing \(\textbf{Pr}_{\mathscr {M}}^{\max }(\mathscr {L}(\mathscr {A})) > 0\) is in NP if TELA \(\mathscr {A} = (Q,\Sigma ,\delta ,I,\alpha )\) is limitdeterministic. Let \(Q_N,Q_D\) be a partition of Q satisfying conditions 13 of Definition 5.1 and let \(\mathscr {M}\times \mathscr {A}\) be the productMDP defined in Definition 5.5 for a given MDP \(\mathscr {M}= (S,s_0,{\text {Act}},P,\Sigma ,L)\). Recall that an endcomponent of \(\mathscr {M}\) is a nonempty subset \(S' \subseteq S\) together with a subset of the enabled actions \(T(s) \subseteq {\text {Act}}(s)\) for each state \(s \in S'\) such that the underlying graph is strongly connected and closed under probabilistic transitions [3, Definition 10.117]. An endcomponent \({\mathscr {E}}\) of \(\mathscr {M}\times \mathscr {A}\) naturally induces a set of transitions of \(\mathscr {A}\), which we denote by \({\text {atrans}}({{\mathscr {E}}})\).
Claim. \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\) holds iff there exists a reachable endcomponent \({\mathscr {E}}\) of \(\mathscr {M}\times \mathscr {A}\) such that \({\text {atrans}}({{\mathscr {E}}}) \models \alpha \).
Proof of claim. “\(\Longleftarrow \)”: Let (s, q) be a state contained in such an endcomponent \({\mathscr {E}}\). As \({\mathscr {E}}\) is assumed to be reachable, there exists a finite path \(\pi = s_0 \alpha _0 s_1 \alpha _1 \ldots s_n \alpha _n s\) through \(\mathscr {M}\) and a corresponding path \(q_0 \xrightarrow {L(s_0 \ldots s_{n})} q\) through \(\mathscr {A}\). We start defining a scheduler \(\mathfrak {S}_1\) on \(\mathscr {M}\) which chooses action \(\alpha _i\) for all prefixes of length i, if \(0 \le i \le n\) and \(\alpha _i\) is enabled. Clearly, \(\mathfrak {S}_1\) achieves a positive probability to realize the prefix \(\pi \). As \({\mathscr {E}}\) is an endcomponent, we can construct a scheduler \(\mathfrak {S}\) on \(M \times \mathscr {A}\) from state (s, q) such that with probability one the set of transitions visited infinitely often is the set of all transitions of \({\mathscr {E}}\) [3, Lemma 10.119]. Scheduler \(\mathfrak {S}\) induces a scheduler \(\mathfrak {S}_2\) on \(\mathscr {M}\) from s which satisfies:
Combining schedulers \(\mathfrak {S}_1\) and \(\mathfrak {S}_2\) yields a scheduler witnessing \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\).
“\(\implies \)”: Every path \(\pi \) from s in \(\mathscr {M}\) induces a unique path \(p_q(\pi )\) from (s, q) in \(\mathscr {M}\times \mathscr {A}\), if \(q \in Q_D\) (assuming that \(\mathscr {A}\) is complete). We let \({\text {Limit}}(\pi )\) be the pair (A, T) where A is the set of states appearing infinitely often in path \(\pi \) and \(T : A \rightarrow 2^{{\text {Act}}}\) is the set of actions appearing infinitely often for each of the states in A. Given a state \(q \in Q_D\) and an endcomponent \({\mathscr {E}}\) of \(\mathscr {M}\times \mathscr {A}\), we let
where \(I \xrightarrow {L(\pi _1)}_{\mathscr {A}} q\) means that a path in \(\mathscr {A}\) exists which starts in some state in I, ends in q and is labeled by \(L(\pi _1)\). Let \(\mathfrak {S}\) be a scheduler on \(\mathscr {M}\) satisfying \(\Pr ^{\mathfrak {S}}_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\). The \(\mathfrak {S}\)paths \(\pi \) in \(\mathscr {M}\) satisfying both
have probability zero. This is because a path \(\pi \) satisfies the following property with probability one under \(\mathfrak {S}\): for all \(i \ge 0\) and \(q \in Q_D\): \({\text {Limit}}(p_q(\pi [i..]))\) forms an endcomponent in \(\mathscr {M}\times \mathscr {A}\). It follows that there exists \(q \in Q_D\) and an endcomponent \({\mathscr {E}}\) of \(\mathscr {M}\times {\mathscr {A}}\) satisfying \({\text {atrans}}(\mathscr {E}) \models \alpha \) such that \(\Pr ^{\mathfrak {S}}_{\mathscr {M}}(X_{q,\mathscr {E}}) > 0\). But then \({\mathscr {E}}\) must also be reachable in \(\mathscr {M}\times \mathscr {A}\), which concludes the proof of the claim.
It is a direct consequence now that the problem is in NP, as we can guess the endcomponent \({\mathscr {E}}\) and then check in polynomial time whether \({\text {atrans}}({{\mathscr {E}}}) \models \alpha \) holds.
In P for finless limitdet. TELA. If \(\alpha \) is finless, then the existence of an endcomponent \({\mathscr {E}}\) with \({\text {atrans}}({\mathscr {E}}) \models \alpha \) is equivalent to the existence of a maximal endcomponent satisfying the same property. This is because finless properties are preserved when adding additional transitions. As all maximal endcomponents can be enumerated in polynomial time (see Algorithm 47 in [3]), it follows by the above claim that \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\) can be decided in polynomial time in this case. \(\square \)
Our next aim is to show that the maximal probability in an MDP to satisfy a property specified as a TELA can be computed in singleexponential time. As a means to this end we will show that the automaton \(\mathscr {G}^{{\text {GFM}}}_\mathscr {A}\), as defined in Definition 5.4, is goodforMDP (GFM) [24]. As before, we start with a TELA \(\mathscr {A} = (Q,\Sigma ,\delta ,I,\bigvee _{1 \le i \le m} \alpha _i)\) in DNF, with \(\alpha _i = {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) for \(1 \le i \le m\).
The GFMproperty is defined using the product construction introduced above (Definition 5.5). A Büchi automaton \(\mathscr {G}\) is called goodforMDP (GFM) iff \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {G})) = \textbf{Pr}^{\max }_{\mathscr {M}\times \mathscr {G}}(\Pi _{acc})\) holds for all MDP \(\mathscr {M}\) [24]. The inequality “\(\ge \)” holds for all automata [28, Thm. 1], but the other direction requires, intuitively, that a scheduler on \(\mathscr {M}\times \mathscr {G}\) is able to safely resolve the nondeterminism of the automaton based on the prefix of the run. This is trivially satisfied by deterministic automata, but goodforgames automata also have this property [28]. Limitdeterministic Büchi automata are not GFM in general, for example, \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) may not be (see Example 5.1).
The proof proceeds by fixing an arbitrary MDP \(\mathscr {M}\) and showing that \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) \le \textbf{Pr}^{\max }_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_\mathscr {A}}(\Pi _{acc})\). To this end it is enough to show that for any finitememory scheduler \(\mathfrak {S}\) on \(\mathscr {M}\) one finds a scheduler \(\mathfrak {S'}\) on \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_\mathscr {A}\) such that \(\Pr ^{\mathfrak {S}}_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) \le \Pr ^{\mathfrak {S}'}_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_\mathscr {A}}(\Pi _{acc})\). The restriction to finitememory schedulers is allowed because the maximal probability to satisfy an \(\omega \)regular property is always attained by such a scheduler [3, Sects. 10.6.3 and 10.6.4].
To define \(\mathfrak {S}'\) we analyze the behaviour of \(\mathfrak {S}\) in the product \(\mathscr {M}\times \mathscr {D}\) of \(\mathscr {M}\) with a specific deterministic automaton \(\mathscr {D}\) for \(\mathscr {L}(\mathscr {A})\), which we introduce later. In particular, we show that for each accepting bottom strongly connected component B of the induced Markov chain of \(\mathscr {M}\times \mathscr {D}\) under \(\mathfrak {S}\) there exists an accepting breakpoint component \(\mathfrak {B}_i\) such that, with probability one, words generated by B are accepted by \(\mathfrak {B}_i\). To show this, we first prove a sufficient condition for a word to be accepted by \(\mathfrak {B}_i\).
Lemma 5.4
Let \(1 \le i \le m\), \(w \in \Sigma ^{\omega }\), \(0 = j_0< j_1< j_2 < \ldots \) be an increasing sequence of natural numbers and \(Q' \subseteq Q\) satisfying:

for all \(l \ge 0\): \(\theta _i(Q', w[j_l..{j_{l{+}1}{}1}]) = Q'\) and

for all \(l \ge 0\) and \(q' \in Q'\) there exists \(q \in Q'\) and a finite \(\theta _i\)path from q to \(q'\) in \(\mathscr {A}\) labeled by \(w[j_l..j_{l+1}{}1]\) which hits all transitionsets \(T_1^i, \ldots , T_{k_i}^i\).
Then, w is accepted from state \((Q',\varnothing ,0)\) in \(\mathfrak {B}_i\).
Proof
As the first component of states in \(\mathfrak {B}_i\) just simulates the subset transition function \(\theta _i\), the run from state \((Q',\varnothing ,0)\) of \(\mathfrak {B}_i\) for w has the form:
We show that each infix \((Q',B_l,h_l) \xrightarrow {w[j_l..j_{l{+}1}{}1]} (Q',B_{l{+}1},h_{l{+}1})\) of the run above sees a transition in \(\delta _i^{{\text {break}}}\). For contradiction, suppose that for some l this is not the case. Then, the third component is not changed in any transition of the corresponding infix run. Let
be the sequence of the run between \((Q_0,A_0,h_l) = (Q',B_l,h_l)\) and \((Q_M,A_M,h_l) = (Q',B_{l+1},h_l)\). Take an arbitrary element \(q' \in Q' \setminus B_{l+1}\) and let P be the source states of the incoming transitions of \(q'\) labeled by \(w[j_l{+}M{}1]\) wrt. \(\delta \setminus T_0^i\). As a consequence we have that \(P \cap A_{M{}1}\) is empty and no \(p \in Q_{M{}1}\) satisfies \((p,w[j_l{+}M{}1],q') \in T_{h_l}^i\). This is because otherwise we would either have \(q' \in B_{l+1}\) or see a breakpoint transition. In particular, there is no path from any \(p \in Q_{M{}1}\) to \(q'\) labeled by \(w[j_l{+}M{}1]\) that sees \(T_{h_l}^i\). We can continue this argument inductively until reaching \((Q_0,A_0,h_l)\) and conclude that there is no \(q \in Q'\) such that there exists a \(\theta _i\)path from q to \(q'\) labeled by \(w[j_l..j_{l+1}{}1]\) which sees some transition in \(T_{h_l}^i\). This is in contradiction with the second property above.
Hence, the run sees a transition in \(\delta _i^{{\text {break}}}\) infinitely often, which implies that it is accepting. \(\square \)
Recall that \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\) is a GBA with two components: the initial component \(Q_1\) is a copy of \(\mathscr {A}\) where no transition is accepting, and component \(Q_2\) is a copy of \(\mathscr {A}\) without the transitions of \(T_0^i\). The acceptance condition is the GBA condition \(\bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(U_{j}^i)\) where \(U_j^i\) is the set of transitions corresponding to \(T_j^i \setminus T_0^i\) in the component \(Q_2\).
Now let \(\mathscr {D}_i = {\text {det}}({\text {removeFin}}({\text {split}}(\mathscr {A})[i]))\) be the Rabin automaton one gets by applying the construction of [42] to \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). Their soundnessproof [42, Thm. 1] can be modified slightly to prove the following statement, where \(\gamma \) is the extended subset transition function of \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). It shows that an accepting lassopath through \(\mathscr {D}_i\) induces a special path through the powerset automaton of \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). As a consequence, the corresponding word is accepted by \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). Furthermore, the word labeling the loop of the lasso satisfies a condition which matches the one of Lemma 5.4, and hence is accepted by \(\mathfrak {B}_i\).
Lemma 5.5
Let \(\rho = d_0 d_1 \ldots \) be an accepting run of \(\mathscr {D}_i\) for w satisfying Rabin pair \({{\text {Inf}}}(D_1) \wedge {{\text {Fin}}}(D_2)\) and \(i_0\) be a position such that for all \(l \ge i_0\) we have \((d_l,w[l],d_{l{+}1}) \notin D_2\) and for infinitely many \(l \ge i_0\) we have \(d_{l} = d_{i_0}\).
Then, a sequence \(i_0< i_1 < i_2 \ldots \) and a \(Q' \subseteq Q_2\) exist such that

\(Q' \subseteq \gamma (I,w[0..i_0{}1])\),

for all \(l \ge 0\): \(Q' = \gamma (Q',w[i_l..i_{l+1}{}1])\) and for all \(q_2 \in Q'\) there exists \(q_1 \in Q'\) and a \(\gamma \)path from \(q_1\) to \(q_2\) labeled by \(w[i_l..i_{l+1}{}1]\) which hits all transitionsets \(U_1^i, \ldots , U_{k_i}^i\).
Proof
The following statement follows directly from the proof of [42, Thm. 1]: Let \(j_0< j_1 < \ldots \) be an infinite sequence of positions such that \((d_l,w[l],d_{l{+}1}) \notin D_2\) holds for \(l \ge j_0\) and the sequence \(d_{j_l}w[j_l]d_{j_l{+}1} \ldots d_{j_{l{+}1}}\) sees at least \(k_i\) transitions in \(D_1\) for all \(l\ge 0\). Then, there exists a sequence \(P_0, P_1 \ldots \), with all \(P_l \subseteq Q_1 \cup Q_2\), such that we have \(P_0 \subseteq \gamma (I,w[0..j_0{}1])\), \(P_{l{+}1} = \gamma (P_l,w[j_l..j_{l{+}1}{}1])\) and for all \(q_2 \in P_{l{+}1}\) there exists a \(q_1 \in P_l\) and a \(\gamma \)path from \(q_1\) to \(q_2\) labeled by \(w[j_l..j_{l{+}1}{}1]\) which hits all transition sets \(U_1^i,\ldots , U_{k_i}^i\). Furthermore, the sequence is such that if \(d_{j_l} = d_{j_p}\), then \(P_l = P_p\).
Clearly a sequence \(j_0< j_1 < \ldots \) exists satisfying the above assumption (as \(\rho \) is accepting) and which additionally has the property that \(d_{j_l} = d_{j_0}\) for all \(l \ge 0\) (by taking \(j_0 = i_0\) and the fact that infinitely many positions see \(d_{i_0}\)). We may conclude that the sequence \(P_0,P_1 \ldots \) exists as above and as \(d_{j_l} = d_{j_0}\) for all \(l \ge 0\), indeed \(P_0 = P_l\) for all l. So we may take \(Q' = P_0\), and the only thing left to show is that \(Q' \subseteq Q_2\) holds. This, however, follows from the fact that \(Q'\) is reachable from some accepting transition and hence must be included in the accepting part \(Q_2\) of \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). \(\square \)
The above lemmas give a sufficient condition for a word to be accepted by \(\mathfrak {B}_i\) (Lemma 5.4), and show that words labeling a loop in the deterministic automaton \(\mathscr {D}_i\) induce a path through the powerset automaton of \({\text {remove\,\,Fin}}({\text {split}}(\mathscr {A})[i])\) (Lemma 5.5). Now, we show how these facts can be used to construct the scheduler \(\mathfrak {S}'\).
Recall that we are given a finite memory scheduler \(\mathfrak {S}\) of \(\mathscr {M}\) and to prove the GFMproperty we have to provide a scheduler \(\mathfrak {S}'\) such that \(\Pr ^{\mathfrak {S}}_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) \le \Pr ^{\mathfrak {S}'}_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}(\Pi _{acc})\). Let \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) be the product of the induced finite Markov chain \(M_{\mathfrak {S}}\) with \(\mathscr {D} = \bigotimes _{1 \le i \le m} \mathscr {D}_i\). The scheduler \(\mathfrak {S}'\) is constructed as follows. It stays inside the initial component of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) and mimics the action chosen by \(\mathfrak {S}\) until the corresponding path in \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) reaches an accepting bottom strongly connected component (BSCC) B. This means that the transitions of \(\mathscr {D}\) induced by B satisfy one of the Rabin pairs. The following lemma shows that in this case there exists a state in one of the accepting breakpoint components \(\mathfrak {B}_{i}\) to which \(\mathfrak {S}'\) can safely move.
Lemma 5.6
Let \(\mathfrak {s}\) be a state in an accepting BSCC B of \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) and \(\pi _1\) be a finite path that reaches \(\mathfrak {s}\) from the initial state of \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\). Then, there exists \(1 \le i \le m\) and \(Q' \subseteq \theta \bigl (I,L(\pi _1)\bigr )\) such that
Proof
There exists some Rabin pair \({{\text {Inf}}}(D'_1) \wedge {{\text {Fin}}}(D'_2)\) of \({\mathscr {D}}\) such that no transition of B is contained in \(D_2'\), and some transition of B is contained in \(D_1'\). By construction of \(\mathscr {D}\), this pair directly corresponds to a Rabin pair \({{\text {Inf}}}(D_1) \wedge {{\text {Fin}}}(D_2)\) of one of the components \(\mathscr {D}_i\) (as the acceptance condition of \(\mathscr {D}\) is essentially the disjunction of the acceptance conditions of the \(\mathscr {D}_i\)).
Hence for every path \(\pi _2\) through B starting in \(\mathfrak {s}\) which sees all transitions in B infinitely often we find an accepting run \(d_0 d_1 \ldots \) of \(\mathscr {D}_i\) for \(L(\pi _1 \pi _2)\) and a sequence \(j_0< j_1 < \ldots \) where \(j_0 = \pi _1\) and such that:

no transition of \(d_{j_0} d_{j_0{+}1} \ldots \) is included in \(D_2\),

for all \(l \ge 0\): \(d_{j_l} = d_{j_0}\) and the run \(d_0 d_1 \ldots \) sees an accepting transition in between position \(j_l\) and \(j_{l+1}\) for all \(l \ge 0\).
By Lemma 5.5 there exists a \(Q' \subseteq \gamma (I,L(\pi _1)) \cap Q_2\) such that for all \(l \ge 0\): \(Q' = \gamma (Q',w[j_l..j_{l+1}{}1])\) and for all \(q_1 \in Q'\) there exists a \(q_2 \in Q'\) and a finite \(\gamma \)path for \(w[j_l..j_{l+1}{}1]\) hitting all transitionsets \(U_1^i, \ldots , U_{k_i}^i\). Let \(Q''\) be the corresponding set of states of \(\mathscr {A}\), which implies \(Q'' \subseteq \theta (I,L(\pi _1))\). As \(Q' \subseteq Q_2\) we have: for all \(q_1 \in Q''\) there exists a \(q_2 \in Q''\) and a finite \(\theta _i\)path for \(w[j_l..j_{l+1}{}1]\) hitting all transitionsets \(T_1^i, \ldots , T_{k_i}^i\).
It follows that the conditions of Lemma 5.4 are satisfied and hence that \(L(\pi _2)\) is accepted from \((Q'',\varnothing ,0)\) in \(\mathfrak {B}_i\). \(\square \)
The lemma does not hold if we restrict ourselves to singleton \(\{q\} \subseteq \theta \bigl (I,L(\pi _1)\bigr )\) (see Example 5.1). Hence, restricting \(\delta _{{\text {bridge}}}^{{\text {GFM}}}\) to such transitions (as for \(\delta _{{\text {bridge}}}^{{\text {LD}}}\), see Definition 5.4) would not guarantee the GFM property.
Example 5.1
Consider the automaton \(\mathscr {A}\) with states \(\{\texttt{a}_i\texttt{b}_j \mid i,j \in \{1,2\}\} \cup \{\texttt{b}_i\texttt{a}_j \mid i,j \in \{1,2\}\}\), where \(\texttt{a}_i\texttt{b}_j\) has transitions labeled by \(a_i\) to \(\texttt{b}_j\texttt{a}_1\) and \(\texttt{b}_j\texttt{a}_2\). Transitions of states \(\texttt{b}_i\texttt{a}_j\) are defined analogously, and all states in \(\{\texttt{a}_i\texttt{b}_j \mid i,j \in \{1,2\}\}\) are initial (Fig. 5 shows the transitions of \(\texttt{a}_1\texttt{b}_1\)). All transitions are accepting for a single Büchi condition, and hence \(\mathscr {L}(\mathscr {A}) = (\{a_i b_j \mid i,j \in \{1,2\}\})^{\omega }\).
Consider the Markov chain \(\mathscr {M}\) in Fig. 5 (transition probabilities are all 1/2 and omitted in the figure). Clearly, \(\Pr _{\mathscr {M}}(\mathscr {L}(\mathscr {A})) = 1\). Figure 5 shows a part of the product of \(\mathscr {M}\) with the breakpoint automaton \(\mathfrak {B}\) for \(\mathscr {A}\) (Definition 5.3) starting from \(\bigl (a_1,(\{\texttt{a}_1\texttt{b}_1\},\varnothing ,0)\bigr )\). As \(\texttt{b}_1\texttt{a}_1\) and \(\texttt{b}_1\texttt{a}_2\) have no \(b_2\)transition, the state \(\bigl (b_2,(\{\texttt{b}_1\texttt{a}_1,\texttt{b}_1\texttt{a}_2\},\varnothing ,0)\bigr )\) is a trap state. Hence, the state \(\bigl (a_1,(\{\texttt{a}_1\texttt{b}_1\},\varnothing ,0)\bigr )\) generates an accepting path with probability at most 1/2. This holds for all states \(\bigl (s,(P',\varnothing ,0)\bigr )\) of \(\mathscr {M}\times \mathfrak {B}\) where \(P'\) is a singleton. But using \(\delta _{{\text {bridge}}}^{{\text {LD}}}\) to connect initial and accepting components implies that any accepting path sees such a state. Hence, using \(\delta _{{\text {bridge}}}^{{\text {LD}}}\) to define \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) would not guarantee the GFM property.
Using Lemma 5.6 we can define \(\mathfrak {S}'\) such that the probability accepting paths under \(\mathfrak {S}'\) in \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is at least as high as that of paths with label in \(\mathscr {L}(\mathscr {A})\) in \(\mathscr {M}_{\mathfrak {S}}\). This is the nontrivial direction of the GFM property.
Lemma 5.7
For every finitememory scheduler \(\mathfrak {S}\) on \(\mathscr {M}\), there exists a scheduler \(\mathfrak {S}'\) on \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) such that:
Proof
Let \(\mathfrak {S}\) be a finitememory scheduler on \(\mathscr {M}\) and \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) be as above. As \(\mathfrak {S}\) uses only finite memory, the Markov chain \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) has finitely many states. This, in turn, implies that a BSCC will be reached with probability one.
We construct the scheduler \(\mathfrak {S}'\) as follows. For every finite path \(\pi _1\) of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) it needs to choose an action of \(\mathscr {M}\) and whether to move from the initial component to one of the breakpoint components (this is the only nondeterministic choice in \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\)). The action of \(\mathscr {M}\) is always chosen in the same way as by \(\mathfrak {S}\) for the corresponding finite path of \(\mathscr {M}\). If the path in \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) corresponding to \(\pi _1\) does not end in a BSCC, \(\mathfrak {S}'\) chooses to remain in the initial component. If it does reach a BSCC B we make a distinction on whether B is accepting or not. If B is not accepting, then \(\mathfrak {S}'\) can be defined arbitrarily for all prefixes that extend \(\pi _1\). If B is accepting, then let us assume that the last state visited by \(\pi _1\) is (s, P). Then P is exactly the set of states reachable in \(\mathscr {A}\) from I on a path labeled by \(L^{\times }(\pi _1)\). By Lemma 5.6 there exists \(1 \le i \le m\) and \(Q' \subseteq P\) such that the probability of generating a suffix \(\pi _2\) from state s in \(\mathscr {M}\) under scheduler \(\mathfrak {S}\) whose label is accepted in \(\mathfrak {B}_i\) from state \((Q',\varnothing ,0)\) is 1. Consequently, \(\mathfrak {S'}\) chooses \(\bigl (\theta (Q',L(s)),\varnothing ,0\bigr )_i\) as the successor state of the automaton and continues to simulate \(\mathfrak {S}\).
The induced probability of \(\mathscr {L}(\mathscr {A})\) in \(\mathscr {M}_{\mathfrak {S}}\) equals the probability of reaching an accepting BSCC in \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\), as \(\mathscr {D}\) is a deterministic automaton for \(\mathscr {L}(\mathscr {A})\). By construction, the probability in \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) under scheduler \(\mathfrak {S}'\) of generating a finite trace that reaches an accepting BSCC in \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) equals this probability. Furthermore, after generating such a trace, \(\mathfrak {S}'\) moves to a state \(\bigl (s,(Q',\varnothing ,0)\bigr )\) where \((Q',\varnothing ,0)\) is a state of one of the automata \(\mathfrak {B}_i\) such that, by continuing to simulate \(\mathfrak {S}\), a suffix trace is generated with probability one which is accepted from \((Q',\varnothing ,0)\) in \(\mathfrak {B}_i\). As \(\mathfrak {B}_i\) is deterministic there is only one corresponding path for such a trace, and this path is accepting. It follows that the probability of generating a path in \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) under \(\mathfrak {S}'\) whose induced path in \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is accepting is at least as high as the induced probability of \(\mathscr {L}(\mathscr {A})\) in \(\mathscr {M}_{\mathfrak {S}}\). In other words we have \(\Pr _{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}^{\mathfrak {S}'}(\Pi _{acc}) \ge \Pr _{\mathscr {M}}^{\mathfrak {S}}(\mathscr {L}(\mathscr {A}))\), which concludes the proof. \(\square \)
Theorem 5.2
The automaton \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is goodforMDP.
Proof
To show that \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is GFM, it suffices to show the following two statements:
 1:

For every finite memory scheduler \(\mathfrak {S}\) of \(\mathscr {M}\) there exists a scheduler \(\mathfrak {S}'\) of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) such that
$$\begin{aligned} \text {Prs}_{\mathscr {M}}^\mathfrak {S} (\mathscr {L}({\mathscr {A}})) \le \Pr \nolimits _{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}^{\mathfrak {S}'}{\Pi _{(acc)}} \end{aligned}$$  2:

For every finite memory scheduler \(\mathfrak {S}\) of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) there exists a scheduler \(\mathfrak {G}'\) of \(\mathscr {M}\) such that
$$\begin{aligned} \Pr \nolimits _{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}^{\mathfrak {S}}{\Pi _{(acc)}} \le \text {Prs}_{\mathscr {M}}^{\mathfrak {S}'} (\mathscr {L}({\mathscr {A}})) \end{aligned}$$
1. is proved by Lemma 5.7 and 2. is proved for arbitrary automaton in [28, Thm. 1]. \(\square \)
To compute \(\textbf{Pr}_{\mathscr {M}}^{\max }(\mathscr {L}(\mathscr {B}))\) one can translate \(\mathscr {B}\) into an equivalent TELA \(\mathscr {A}\) in DNF, then construct \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) and finally compute \(\textbf{Pr}^{\max }_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}(\Pi _{{\text {acc}}})\). The automaton \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is singleexponential in the size of \(\mathscr {B}\) by Theorem 5.1, and it is well known that \(\textbf{Pr}^{\max }_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}(\Pi _{{\text {acc}}})\) can be computed in polynomial time in the size of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) [3, Thm. 10.127].
Theorem 5.3
Given a TELA \(\mathscr {B}\) (not necessarily in DNF) and an MDP \(\mathscr {M}\), the value \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {B}))\) can be computed in singleexponential time.
6 Experimental evaluation
The product approach combines a sequence of deterministic automata using the disjunctive product. We introduce the langcover heuristic: the automata are “added” to the product one by one, but only if their language is not already subsumed by the automaton constructed so far. This leads to substantially smaller automata in many cases, but is only efficient if checking inclusion for the considered automata types is efficient. In our case this holds because we can reduce the needed checks to inclusion checks on Street automata, which are in P [2, Table 2]. Note, that this is not the case for arbitrary deterministic TELA, or nondeterministic automata.
6.1 Implementation
We compare the following implementations of the constructions discussed above.^{Footnote 2}Spot uses the TELA to GBA translator of Spot, simplifies (using Spot’s postprocessor with preference Small) and degeneralizes the result and then determinizes using a version of Safra’s algorithm [18, 38]. The \({\text {removeFin}}\) function that is used is an optimized version of Definition 3.3. If the input is a weak, Rabin or Street automaton, Spot uses dedicated algorithms instead of \({\text {removeFin}}\) to construct the GBA. In the constructions remFin\(\rightarrow \)split\(\alpha \), split\(\alpha \) \(\rightarrow \)remFin and remFin\(\rightarrow \)rewrite\(\alpha \), the first step is replaced by the corresponding TELA to GBA construction (using Spot’s function \({\text {removeFin}}\)). The product approach (also implemented using the Spotlibrary) is called product and product (no langcover) (without the langcover heuristic). The intermediate GBA are also simplified. The construction \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) is implemented in limitdet., using the Spotlibrary and parts of Seminator [8]. We compare it to limitdet. via GBA, which concatenates the TELA to GBA construction of Spot with the limitdeterminization of Seminator. Similarly, goodforMDP and goodforMDP via GBA are the construction \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) applied to \(\mathscr {A}\) directly, or to the GBA as constructed by Spot. Both constructions via GBA are in the worst case doubleexponential. No postprocessing, e.g. Spot’s postprocessor, is applied to any output automaton.
6.2 Experiments
Computations were performed on a computer with two Intel E52680 CPUs with 8 cores each at \(2.70\) GHz running Linux. Each individual experiment was limited to a single core, 15 GB of memory and 1200 seconds. We use versions 2.9.4 of Spot (configured to allow 256 acceptance sets) and 2.0 of Seminator.
Our first benchmark set (called random) consists of 1000 TELA with 4 to 50 states and 8 sets of transitions \(T_1, \ldots , T_8\) used to define the acceptance conditions. They are generated using Spot’s procedure random_graph() by specifying probabilities such that: a triple \((q,a,q') \in Q \times \Sigma \times Q\) is included in the transition relation (3/Q) and such that a transition t is included in a set \(T_j\) (0.2). We use only transition systems that are nondeterministic. The acceptance condition is generated randomly using Spot’s procedure acc_code::random(). We transform the acceptance condition to DNF and keep those acceptance conditions whose lengths range between 2 and 21 and consist of at least two disjuncts. To quantify the amount of nondeterminism, we divide the number of pairs of transitions with common starting point and symbol (that is, of the form \((q,a,q_1),(q,a,q_2)\), with \(q_1 \ne q_2\)) of the automaton by its number of states.
Table 1 shows that the product produces smallest deterministic automata overall. Spot produces best results among the algorithms that go via a single GBA. One reason for this is that after GBAsimplifications of Spot, the number of acceptance marks of the intermediate GBA are of about the same and Spot constructs GBA with fewer states. This difference in the number of states is expected, given the theoretical analysis in Sect. 3.2. The similarity of the numbers of acceptance marks is not supported by the theoretical analysis and can only be explained by Spot’s advanced GBAsimplification algorithms that might suit Spot ’s GBA better than the GBA constructed by the other approaches.
The limitdeterministic automata are in general much smaller than the deterministic ones, and limitdet via GBA. performs best in this category (see Fig. 6). However, the construction \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) (limitdet.) resulted in fewer time and memouts and, as shown in Fig. 6, it still produces for most cases outputs with fewer states than Spot .
For GFM automata we see that computing \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) directly, rather than first computing a GBA, yields much better results (goodforMDP vs. goodforMDP via GBA). However, the GFM automata suffer from significantly more time and memouts than the other approaches. The automata sizes are comparable with Spot ’s determinization (see Fig. 6). Given their similarity to the pure limitdeterminization constructions, and the fact that their acceptance condition is much simpler than for the deterministic automata, we believe that future work on optimizing this construction could make it a competitive alternative for probabilistic model checking using TELA.
We compare the two best performing determinization approaches, Spot and product, in more detail. Figure 6 shows that the results are widely spread, i.e. both approaches produce smaller results than the other one for a significant number of inputs. Figure 2 partitions the set of all input automata according to acceptance complexity (measured in the size of their DNF) and amount of nondeterminism. Each subset of input automata is of roughly the same size (159180). The number of timeouts and memouts increases with the amount of nondeterminism and the size of the input acceptance condition and reaches up to 42%. The values “states”, “time” and “acceptance” are the median value of the ratio of these metrics. If only one of the approaches was able to construct a result within the given time and memory bounds we define the ratio as 0 ( Spot did not construct a result) or infinity (product did not construct a result). If none of the approaches was able to construct a result, we do not consider this input automaton for the calculation. Values below 1 indicate that product produces smaller results and values above 1 indicate that Spot produces smaller results. The approach product produces for all subsets of input automata outputs with fewer states than Spot and the ratio of the computation time decreases the larger the amount of nondeterminism and the longer the acceptance condition is.
The second benchmark set (called DNF) consists of 500 TELA constructed randomly as above, apart from the acceptance conditions. They are in DNF with 23 disjuncts, with 23 \({{\text {Inf}}}\)atoms and 01 \({{\text {Fin}}}\)atoms each (all different). Such formulas tend to lead to larger CNF conditions, which benefits the new approaches. Table 1 shows that product produces way smaller results than Spot . Again, Table 2 partitions the set of input automata but we do not consider different lengths of acceptance conditions here because the subsets of input automata are already relatively small (140193). Again, product performs better for automata with more nondeterminism.
The third benchmark set consists of the sequence of automata described in Fig. 4. Figure 7 shows the results for such input automata with 125 states. For these automata, Spot first computes GBA with an exponential number of acceptance sets. As a consequence most input automata lead to a time or memout and, if the computation finishes, to large output automata. Therefore, our proposed alternative constructions can compute results for far larger input automata. The example also highlights the effect of the langcover heuristic: it benefits from the fact that the language of the input automaton under any individual disjunct of the DNF is the same. This is used to prune large parts of the statespace.
7 Conclusion
In this article, new approaches for determinization and limitdeterminization of transitionbased EmersonLei automata (TELA) have been suggested. One of these constructions produces limitdeterministic goodforMDP automata, which can be used for quantitative probabilistic verification. The constructions have all been implemented and evaluated experimentally. The evaluation shows promising results in particular when applying the new product construction for determinization of TELA. Furthermore, we show that the complexity of limitdeterminization of TELA is singleexponential rather than doubleexponential (as compared to full determinization).
The presented work opens the door to numerous research questions and directions. At first, a general study on what properties can be naturally encoded directly into nondeterministic TELA would be of interest. This could be combined with a general evaluation of the developed approaches against realworld examples. It would also be interesting to see, whether and how much the new constructions could be further improved by relying on determinization procedures for GBA that use a general acceptance condition (rather than Rabin or parity) to reduce the number of states. Such an analysis could pave the way to develop a heuristic that selects for every GBA the determinization procedure that leads to the best overall result. Another important direction would be to consider translations from LTL to compact, nondeterministic TELA, which could then be used within (probabilistic) modelchecking tools for LTL. A first step in this direction has already been made in [32]. Furthermore, the evaluation of goodforMDP automata in the context of probabilistic model checking is another future research direction.
Change history
02 March 2023
A Correction to this paper has been published: https://doi.org/10.1007/s11334022004591
Notes
Here we let the indices for R, B and h start with \(K{+}1\) so that they are in line with the position of the input word.
The source code and data of all experiments are available at [27].
References
Babiak T, Blahoudek F, DuretLutz A, Klein J, Křetínský J, Müller D, Parker D, Strejček J (2015) The hanoi omegaautomata format. In: Computer aided verification (CAV’15), LNCS. Springer
Baier C, Blahoudek F, DuretLutz A, Klein J, Müller D, Strejček J (2019) Generic emptiness check for fun and profit. In: Automated technology for verification and analysis (ATVA), LNCS. Springer
Baier C, Katoen JP (2008) Principles of model checking (representation and mind series). The MIT Press
Baier C, Kiefer S, Klein J, Klüppelholz S, Müller D, Worrell J (2016) Markov chains and unambiguous Büchi automata. In: Computer aided verification (CAV), LNCS. Springer
BenAri M (2008) Principles of the spin model checker. SpringerVerlag, London
Blahoudek F (2018) Automata for formal methods: little steps towards perfection. Ph.D. thesis, Masaryk University, Faculty of Informatics
Blahoudek F, DuretLutz A, Klokocka M, Kretínský M, Strejcek J (2017) Seminator: a tool for SemiDeterminization of OmegaAutomata. In: International conference on logic for programming, artificial intelligence and reasoning (LPAR), EPiC Series in Computing
Blahoudek F, DuretLutz A, Strejček J (2020) Seminator 2 can complement generalized Büchi automata via improved semideterminization. In: Lahiri SK, Wang C (eds) Computer aided verification. Springer International Publishing, Cham, pp 15–27
Blahoudek F, Major J, Strejček J (2019) LTL to smaller selfloop alternating automata and back. In: Theoretical aspects of computing (ICTAC), LNCS. Springer
Bloemen V, DuretLutz A, van de Pol J (2019) Model checking with generalized Rabin and Finless automata. Int J Soft Tools Technol Transf 21(3):307–324
Boker U (2018) Why these automata types? In: EPiC series in computing, 57, 143–163. EasyChair
Chatterjee K, Gaiser A, Křetínský J (2013) Automata with generalized Rabin pairs for probabilistic model checking and LTL synthesis. In: Computer aided verification (CAV), LNCS. Springer
Colcombet T (2015) Unambiguity in automata theory. In: J. Shallit, A. Okhotin (eds.) Descriptional complexity of formal systems, lecture notes in computer science, pp. 3–18. Springer International Publishing, Cham. https://doi.org/10.1007/9783319192253_1
Courcoubetis C, Yannakakis M (1988) Verifying temporal properties of finitestate probabilistic programs. In: [Proceedings 1988] 29th annual symposium on foundations of computer science, pp. 338–345 . 10.1109/SFCS.1988.21950
Courcoubetis C, Yannakakis M (1995) The complexity of probabilistic verification. J ACM 42(4):857–907
Couvreur JM (1999) Onthefly verification of linear temporal logic. In: Formal methods (FM), LNCS. Springer
DuretLutz A (2017) Contributions to LTL and \(\omega \)automata for model checking. Habilitation thesis, Université Pierre et Marie Curie
DuretLutz A, Lewkowicz A, Fauchille A, Michaud T, Renault É, Xu L (2016) Spot 2.0–A framework for LTL and \(\omega \)automata manipulation. In: Automated technology for verification and analysis (ATVA), LNCS. Springer
DuretLutz A, Poitrenaud D, Couvreur JM (2009) Onthefly emptiness check of transitionbased Streett automata. In: Automated technology for verification and analysis (ATVA), LNCS. Springer
Emerson EA, Lei CL (1987) Modalities for model checking: branching time logic strikes back. Sci Comput Program 8(3):275–306
Esparza J, Křetínský J, Sickert S (2018) One theorem to rule them all: a unified translation of LTL into \(\omega \)Automata. In: logic in computer science (LICS). ACM
Giannakopoulou D, Lerda F (2002) From states to transitions: improving translation of LTL formulae to Büchi automata. In: Formal techniques for networked and distributed sytems (FORTE), LNCS. Springer
Hahn EM, Li G, Schewe S, Turrini A, Zhang L (2015) Lazy probabilistic model checking without determinisation. In: Concurrency theory (CONCUR)
Hahn EM, Perez M, Schewe S, Somenzi F, Trivedi A, Wojtczak D (2020) GoodforMDPs automata for probabilistic analysis and reinforcement learning. In: Tools and algorithms for the construction and analysis of systems (TACAS), LNCS. Springer
Jantsch S, Müller D, Baier C, Klein J (2019) From LTL to unambiguous Büchi automata via disambiguation of alternating automata. In: ter Beek MH, McIver A, Oliveira JN (eds) Formal methods–the next 30 years, LNCS. Springer International Publishing, Cham, pp 262–279
John T, Jantsch S, Baier C, Klüppelholz S (2021) Determinization and limitdeterminization of emersonlei automata. In: Z. Hou, V. Ganesh (eds.) Automated technology for verification and analysis (ATVA), pp. 15–31. Springer International Publishing, Cham . https://doi.org/10.1007/9783030888855_2
John T, Jantsch S, Baier C, Klüppelholz S (2021) Determinization and limitdeterminization of EmersonLei automatasupplementary material (ATVA’21). https://doi.org/10.6084/m9.figshare.14838654.v1
Klein J, Müller D, Baier C, Klüppelholz S (2014) Are goodforgames automata good for probabilistic model checking? In: Language and automata theory and applications (LATA), LNCS. Springer
Křetínský J, Meggendorfer T, Sickert S (2018) Owl: a library for \(\omega \)words, automata, and LTL. In: Automated technology for verification and analysis, LNCS
Kwiatkowska M, Norman G, Parker D (2011) PRISM 4.0: verification of probabilistic realtime systems. In: Computer aided verification (CAV), LNCS. Springer
Löding C, Pirogov A (2019) Determinization of Büchi automata: unifying the approaches of Safra and MullerSchupp. In: International colloquium on automata, languages, and programming (ICALP), leibniz international proceedings in informatics (LIPIcs)
Major J, Blahoudek F, Strejček J, Sasaráková M, Zbončáková T(2019) ltl3tela: LTL to small deterministic or nondeterministic EmersonLei automata. In: Automated technology for verification and analysis (ATVA)
Miyano S, Hayashi T (1984) Alternating finite automata on \(\omega \)words. Theor Comput Sci 32(3):321330
Müller D (2019) Alternative automatabased approaches to probabilistic model checking. Ph.D. thesis, Technische Universität Dresden
Müller D, Sickert S (2017) LTL to deterministic EmersonLei automata. In: Games, automata, logics and formal verification (GandALF), EPTCS
Muller DE, Schupp PE (1995) Simulating alternating tree automata by nondeterministic automata: New results and new proofs of the theorems of Rabin. McNaughton and Safra. Theor Comput Sci 141(1):69–107
Pnueli A, Rosner R (1989) On the synthesis of a reactive module. In: Symposium on principles of programming languages (POPL). Association for computing machinery (ACM), New York, NY, USA
Redziejowski RR (2012) An improved construction of deterministic omegaautomaton using derivatives. Fundamenta Informaticae 119(3–4):393–406
Renkin F, DuretLutz A, Pommellet A (2020) Practical “Paritizing” of EmersonLei automata. In: Automated technology for verification and analysis (ATVA), LNCS. Springer
Safra S (1989) Complexity of automata on infinite objects. Ph.D. thesis, Weizmann Institute of Science, Rehovot, Israel
Safra S, Vardi MY (1989) On omegaautomata and temporal logic. In: Symposium on theory of computing (STOC). Association for computing machinery (ACM), New York, NY, USA
Schewe S, Varghese T (2012) Tight bounds for the determinisation and complementation of generalised Büchi Automata. In: Automated technology for verification and analysis (ATVA), LNCS. Springer
Sickert S, Esparza J, Jaax S, Křetínský J (2016) Limitdeterministic Büchi automata for linear temporal logic. In: Computer aided verification (CAV), LNCS. Springer
Vardi MY (1985) Automatic verification of probabilistic concurrent finite state programs. In: Symposium on foundations of computer science (SFCS)
Acknowledgements
We thank David Müller for suggesting to us the problem of determinizing EmersonLei automata and many discussions on the topic.
Funding
Open Access funding enabled and organized by Projekt DEAL.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This work was funded by DFG grant 389792660 as part of TRR 248, the Cluster of Excellence EXC 2050/1 (CeTI, project ID 390696704, as part of Germany’s Excellence Strategy), DFGprojects BA1679/111 and BA1679/121, and the Research Training Group QuantLA (GRK 1763). The first author is supported by the European Union’s Horizon 2020 research and innovation programme under the Marie SkłodowskaCurie grant agreement No 956200.
The original article has been corrected.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
John, T., Jantsch, S., Baier, C. et al. From EmersonLei automata to deterministic, limitdeterministic or goodforMDP automata. Innovations Syst Softw Eng 18, 385–403 (2022). https://doi.org/10.1007/s11334022004457
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11334022004457
Keywords
 EmersonLei automata
 Determinization algorithms
 Limitdeterministic automata
 GoodforMDP automata
 Probabilistic model checking