1 Introduction

Many standard algorithms in the fields of verification and synthesis of reactive systems [15, 37, 41, 44] are based on the theory of \(\omega \)-automata, which are automata accepting infinite words. For logical specification languages such as linear temporal logic (LTL), many verification systems, including Spin [5] or Prism [30], use logic-to-automata translations internally to verify a given system against the specification.

As classical automata-based solutions to reactive synthesis and probabilistic verification use deterministic automata [37, 44], the question of whether and how \(\omega \)-automata can be determinized efficiently is a major research area [31, 36, 38, 40, 42]. The first single-exponential and asymptotically optimal determinization for Büchi automata was presented in [40]. It produces Rabin automata, whose acceptance condition is a generalization of the Büchi condition.

The high state-complexity of determinization and most logic-to-automata translations have raised the question of more succinct representations of \(\omega \)-automata. Using generalized acceptance conditions (e.g. generalized Büchi [16] or generalized Rabin [10, 12]) and transition-based [22], rather than state-based, conditions are common techniques in this direction. An even more general approach has led to the HOA-format [1], which represents the acceptance condition as a positive Boolean formula over standard Büchi (\({{\text {Inf}}}\)) and co-Büchi (\({{\text {Fin}}}\)) conditions, also called Emerson-Lei conditions [20, 41]. This standardized format has proven to be very useful: together with a vast body of work on heuristics and dedicated procedures it has led to practically usable and mature tools and libraries such as Spot [18] and Owl [29] which support a wide range of operations on \(\omega \)-automata.

While determinization algorithms have made large steps towards practical feasibility, another line of work has considered automata with restricted forms of nondeterminism, which, while being nondeterministic, nevertheless share some of the desired properties of deterministic automata. In this spirit, the classes of good-for-MDP [24] and good-for-games [28] automata can be used for quantitative probabilistic model checking of Markov decision processes [23, 43], while limit-deterministic Büchi automata can be used for qualitative model-checking [15]. Another important class in this context are unambiguous automata, which also share some good algorithmic properties of deterministic automata [13], and are useful for probabilistic verification of Markov chains [4]. Dedicated translations from LTL directly to (limit-) deterministic [21] and unambiguous [25] automata have been studied.

This paper considers the problems of determinizing and limit-determinizing transition based Emerson-Lei automata (TELA). In contrast to limit-determinization, the theoretical complexity of determinization is well understood (a tight, double-exponential, bound was given in [40, 41]). However, it has not been studied yet from a practical point of view, which is the aim of this paper. All presented algorithms have been implemented, and are openly accessible together with the experimental evaluation [27].

1.1 Contribution

Three new translations from TELA to GBA are proposed, and an example is given in which they perform exponentially better than state-of-the-art implementations. We demonstrate how they can be used to build novel determinization approaches for TELA. The determinization procedures are based on a product construction which combines multiple GBA. Our experiments show that this approach often outperforms approaches based on determinizing a single GBA. A simple adaptation of the product construction produces limit-deterministic TELA of single-exponential size (in contrast to the double-exponential worst-case complexity of full determinization). We show that deciding whether \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\) holds is NP-complete if the TELA \(\mathscr {A}\) is limit-deterministic, and in P if the acceptance of \(\mathscr {A}\) is fin-less (Proposition 5.3). Finally, a limit-determinization construction for TELA based on the breakpoint-construction is presented. We show that a version of this procedure yields good-for-MDP Büchi automata (Definition 5.4). Thereby \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A}))\) is computable in single-exponential time for any MDP \(\mathscr {M}\) and TELA \(\mathscr {A}\) (Theorem 5.3). The experimental evaluation compares the performance of the different constructions using three benchmark sets.

This article is an extended version of the conference paper [26] which provides full proofs (including some technical lemmas which were omitted in the conference version) and further examples. The experiments are also extended to an additional benchmark set.

1.2 Related work

The upper-bound for determinization of TELA [40, 41] relies on a translation to GBA which first transforms the acceptance formula into disjunctive normal form (DNF). We refine this idea by discussing and comparing several ways of performing this transformation. In particular, we present different strategies to remove \({{\text {Fin}}}\)-atoms from the acceptance formula, which is a necessary ingredient of the approach. The removal of Fin-atoms is also discussed in [17, Sect. 4.5], together with a transformation into Büchi automata which relies on computing the conjunctive normal form of the acceptance formula after removing Fin-atoms. Our fin-removal strategies build on the ideas of [17], but our transformation to GBA avoids the CNF conversion and therefore sometimes produces exponentially smaller automata. Furthermore, we extend it to produce limit-deterministic automata. Translations from LTL to TELA have been proposed in [9, 32, 35], and all of them use product constructions to combine automata for subformulas.

The emptiness-check for \(\omega \)-automata under different types of acceptance conditions has been studied in [2, 10, 12, 19], where [2] covers the general case of Emerson-Lei conditions and also considers qualitative probabilistic model checking using deterministic TELA. The generalized Rabin condition from [10, 12] is equivalent to the DNF that we use and it is a special case of the hyper-Rabin condition for which the emptiness problem is in P [11, 20]. Probabilistic model checking for deterministic automata under this condition is considered in [12], while [10] is concerned with standard emptiness while allowing nondeterminism. In contrast to the above works, we consider probabilistic model checking for nondeterministic automata under general Emerson-Lei conditions. A procedure to transform TELA into parity automata is presented in [39], but it does not guarantee the output to be deterministic.

The first limit-determinization procedure for nondeterministic Büchi automata was presented in [14, 15], and it relies on the idea of combining a copy of the automaton with its breakpoint automaton. This idea was also used in [7, 23]. We lift it to Emerson-Lei automata by using multiple different breakpoint automata, corresponding to different parts of the Emerson-Lei condition.

1.3 Outline

After the preliminaries in Section 2, we present the new translation approaches to construct GBA in Sect. 3. In Sect. 4, we show how to use them to determinize TELA and introduce the determinization based on a product construction. The translations to limit-deterministic TELA and good-for-MDP automata are contained in Sect. 5. Finally, we compare the different approaches in our experimental evaluation in Sect. 6 before we conclude the paper in Sect. 7.

2 Preliminaries

The infinite words over a finite alphabet \(\Sigma \) are denoted by \(\Sigma ^{\omega }\). If \(w = w_0 w_1 w_2 \ldots \in \Sigma ^{\omega }\), we define \(w[j..] = w_j w_{j+1} \ldots \) and \(w[j..m] = w_j w_{j+1} \ldots w_m\), for any \(j,m \in \mathbb {N}\) such that \(j \le m\).

2.1 Automata on infinite words

A transition-based Emerson-Lei automaton (TELA) \(\mathscr {A}\) is a tuple \((Q, \Sigma , \delta , I, \alpha )\), where Q is a finite set of states, \(\Sigma \) is a finite alphabet, \(\delta \subseteq Q \times \Sigma \times Q\) is the transition relation, \(I \subseteq Q\) is the set of initial states and \(\alpha \) is a symbolic acceptance condition over \(\delta \), defined by:

If \(\alpha \) is , , \({{\text {Inf}}}(T)\) or \({{\text {Fin}}}(T)\), then it is called atomic. We denote by \(\vert \alpha \vert \) the number of atomic conditions contained in \(\alpha \), where multiple occurrences of the same atomic condition are counted multiple times. Symbolic acceptance conditions describe sets of transitions \(T \subseteq \delta \). Their semantics is defined recursively as follows:

Two acceptance conditions \(\alpha \) and \(\beta \) are \(\delta \)-equivalent (\(\alpha \equiv _{\delta } \beta \)) if for all \(T \subseteq \delta \) we have \(T \models \alpha \iff T \models \beta \). A run of \(\mathscr {A}\) for an infinite word \(u = u_0 u_1 \ldots \in \Sigma ^\omega \) is an infinite sequence of transitions \(\rho = (q_0, u_0, q_1)(q_1, u_1, q_2)\ldots \in \delta ^\omega \) that starts with an initial state \(q_0 \in I\). The set of transitions that appear infinitely often in \(\rho \) are denoted by \(\inf (\rho )\). A run \(\rho \) is accepting (\(\rho \models \alpha \)) \({{\,\textrm{iff }\,}}\) \(\inf (\rho ) \models \alpha \). The language of \(\mathscr {A}\), denoted by \(\mathscr {L}(\mathscr {A})\), is the set of all words for which there exists an accepting run of \(\mathscr {A}\). The sets of infinite words which are the language of some TELA are called \(\omega \)-regular. A TELA \(\mathscr {A}\) is deterministic if the set of initial states contains exactly one state and the transition relation is a function \(\delta : Q \times \Sigma \rightarrow Q\). It is complete, if for all \((q,a) \in Q \times \Sigma \): \(\delta \cap \{(q,a,q') {\mid } q' \in Q\} \ne \varnothing \). A Büchi condition is an acceptance condition of the form \({{\text {Inf}}}(T)\) and a generalized Büchi condition is a condition of the form \(\bigwedge _{1 \le i \le k} {{\text {Inf}}}(T_i)\). We call the sets \(T_i\) appearing in a generalized Büchi condition its acceptance sets. Rabin (resp. Street) conditions are of the form \(\bigvee _{1 \le i \le k} ({{\text {Fin}}}(F_i) \wedge {{\text {Inf}}}(T_i))\) (resp. \(\bigwedge _{1 \le i \le k} ({{\text {Fin}}}(F_i) \vee {{\text {Inf}}}(T_i))\)).

2.2 Probabilistic systems

A labeled Markov decision process (MDP) \(\mathscr {M}\) is a tuple \((S,s_0,{\text {Act}},P,\Sigma ,L)\) where S is a finite set of states, \(s_0 \in S\) is the initial state, \({\text {Act}}\) is a finite set of actions, \(P : S \times {\text {Act}}\times S \rightarrow [0,1]\) defines the transition probabilities with \(\sum _{s' \in S} P(s,\alpha ,s') \in \{0,1\}\) for all \((s,\alpha ) \in S \times {\text {Act}}\) and \(L : S \rightarrow \Sigma \) is a labeling function of the states into a finite alphabet \(\Sigma \). Action \(\alpha \in {\text {Act}}\) is enabled in s if \(\sum _{s' \in S} P(s,\alpha ,s') = 1\), and \({\text {Act}}(s) = \{\alpha \mid \alpha \text { is enabled in } s\}\). A path of \(\mathscr {M}\) is an infinite sequence \(s_0 \alpha _0 s_1 \alpha _1 \ldots \in (S \times {\text {Act}})^{\omega }\) such that \(P(s_i,\alpha _i,s_{i+1}) > 0\) for all \(i \ge 0\). The set of all paths of \(\mathscr {M}\) is denoted by \({\text {Paths}}(\mathscr {M})\) and \({\text {Paths}}_{{\text {fin}}}(\mathscr {M})\) denotes the finite paths. Given a path \(\pi = s_0 \alpha _0 s_1 \alpha _1 \ldots \), we let \(L(\pi ) = L(s_0)L(s_1) \ldots \in \Sigma ^{\omega }\).

A Markov chain is an MDP with \(|{\text {Act}}(s)| \le 1\) for all states s. A scheduler of \(\mathscr {M}\) is a function \(\mathfrak {S}: (S\times {\text {Act}})^*\times S \rightarrow {\text {Act}}\) such that \(\mathfrak {S}(s_0 \alpha _0 \ldots s_n) \in {\text {Act}}(s_n)\). It induces a Markov chain \(\mathscr {M}_{\mathfrak {S}}\) and thereby a probability measure over \({\text {Paths}}(\mathscr {M})\). The probability of a set of paths \(\Pi \) starting in \(s_0\) under this measure is \(\Pr _\mathscr {M}^{\mathfrak {S}}(\Pi )\). For an \(\omega \)-regular property \(\Phi \subseteq \Sigma ^{\omega }\) we define \(\textbf{Pr}^{\max }_{\mathscr {M}}(\Phi ) = \sup _{\mathfrak {S}}\Pr _{\mathscr {M}}^{\mathfrak {S}}(\{\pi \mid \pi \in {\text {Paths}}(\mathscr {M}) \text { and } L(\pi ) \in \Phi \})\). We denote by \(\Pr ^{\mathfrak {S}}_{\mathscr {M},s}(\Phi )\) and \(\textbf{Pr}^{\max }_{\mathscr {M},s}(\Phi )\) the corresponding values in the MDP one gets by setting the initial state in \(\mathscr {M}\) to \(s \in S\), and omit the \(\mathscr {M}\) in the subscript if it is clear from the context. In a Markov chain, which has a unique scheduler, we omit the superscripts. We refer to [3, Chapter 10] for more details.

3 From TELA to generalized Büchi automata

We present four different constructions to transform TELA into equivalent GBA. One of them is the construction that is implemented by Spot, the other ones are new. First, we define some operations on TELA, which we combine later to define our constructions.

3.1 Operations on Emerson-Lei automata

The first operator splits a TELA along the top-level disjuncts of its acceptance condition. Let \(\mathscr {A} = (Q, \Sigma , \delta , I, \alpha )\) be a TELA where \(\alpha = \bigvee _{1 \le i \le m} \alpha _i\) and the \(\alpha _i\) are arbitrary acceptance conditions. We define \({\text {split}}(\mathscr {A}) := (\mathscr {A}_1, \ldots , \mathscr {A}_m)\) with \(\mathscr {A}_i = (Q, \Sigma , \delta , I, \alpha _i)\) for \(1 \le i \le m\), and \({\text {split}}(\mathscr {A})[i]{:}{=} \mathscr {A}_i\).

Lemma 3.1

If \(\mathscr {A}\) is a TELA, then

$$\begin{aligned} \mathscr {L}(\mathscr {A}) = \bigcup _{1 \le i \le m} \mathscr {L}\big ({\text {split}}(\mathscr {A})[i]\big ).\end{aligned}$$


\(\subseteq \)”: Let \(\rho \) be a run of \(\mathscr {A}\) for w such that \(\rho \models \alpha \). Then, it follows that \(\rho \models \alpha _i\) for some \(1 \le i \le m\). But then \(\rho \) is also an accepting run of \({\text {split}}(\mathscr {A})[i]\) and hence \(w \in \mathscr {L}({\text {split}}(\mathscr {A})[i])\).

\(\supseteq \)”: Let \(\rho \) be an accepting run of \({\text {split}}(\mathscr {A})[i]\) for some \(1 \le i \le m\). Then \(\rho \models \alpha _i\), and hence \(\rho \models \alpha \). It follows that \(\rho \) is an accepting run of \(\mathscr {A}\). \(\square \)

The analogous statement does not hold for conjunction and intersection (see Example 3.1). In other words, the intersection of languages of automata one gets by splitting along a top-level conjunction is not necessarily the language of the original automaton. This is because a conjunctive acceptance formula requires the existence of a run satisfying all conjuncts.

Example 3.1

Consider the automaton \(\mathscr {A}\) with acceptance condition \(\alpha \) as shown in Fig. 1, and observe that we have \(\mathscr {L}(\mathscr {A}) = \varnothing \). Splitting the acceptance condition of \(\mathscr {A}\) leads to the acceptance conditions \(\alpha _1\) and \(\alpha _2\). We call the corresponding automata that use these two acceptance conditions \(\mathscr {A}_1\) and \(\mathscr {A}_2\). Note, that \(\mathscr {A}_1\) and \(\mathscr {A}_2\) use the same transition system as \(\mathscr {A}\). The automata \(\mathscr {A}_1\) and \(\mathscr {A}_2\) both accept the word \(a^\omega \), i.e. \(\mathscr {L}(\mathscr {A}_1) \cap \mathscr {L}(\mathscr {A}_2) = \{a^{\omega }\}\). Hence, we have \( \mathscr {L}(\mathscr {A}) \ne \mathscr {L}(\mathscr {A}_1) \cap \mathscr {L}(\mathscr {A}_2)\).

Fig. 1
figure 1

An example showing that the analogue of Lemma 3.1 for conjunction and intersection is not correct.

We also need constructions to realize the union of a sequence of automata. This can either be done using the sum (i.e. disjoint union) or the disjunctive product of the state spaces. We define a general sum (simply called sum) operation and one that preserves GBA acceptance (called GBA-specific sum). The disjunctive product construction for TELA is mentioned in [17] and similar constructions are used in [32, 35]. While the sum operations yield smaller automata in general, only the product construction preserves determinism.

Definition 3.1

Let \(\mathscr {A}_i = (Q_i, \Sigma , \delta _i, I_i, \alpha _i)\), with \(i \in \{0,1\}\), be two complete TELA with disjoint state-spaces. The sum of \(\mathscr {A}_0\) and \(\mathscr {A}_1\) is defined as follows:

$$\begin{aligned} \mathscr {A}_0 \oplus \mathscr {A}_1 = \big (Q_0 \cup Q_1, \Sigma , \delta _0 \cup \delta _1, I_0 \cup I_1, \alpha _\oplus ) \end{aligned}$$

with \(\alpha _\oplus = (\alpha _0 \wedge {{\text {Inf}}}(\delta _0)) \vee (\alpha _1 \wedge {{\text {Inf}}}(\delta _1) \big )\).

If \(\alpha _i = {{\text {Inf}}}(T_1^i) \wedge \ldots \wedge {{\text {Inf}}}(T_k^i)\), with \(i \in \{0,1\}\), (i.e. both automata are GBA), then we can use the GBA-specific sum:

$$\begin{aligned} \mathscr {A}_0 \oplus _{GBA}\mathscr {A}_1 = \big (Q_0 \cup Q_1, \Sigma , \delta _0 \cup \delta _1, I_0 \cup I_1, \alpha _{GBA} \big ) \end{aligned}$$

with \(\alpha _{GBA} = ({{\text {Inf}}}(T_1^0 \cup T_1^1) \wedge \ldots \wedge {{\text {Inf}}}(T_k^0 \cup T_k^1))\).

The disjunctive product is defined as follows:

$$\begin{aligned}{} & {} \mathscr {A}_0 \otimes \mathscr {A}_1 = \big (Q_0 \times Q_1, \Sigma , \delta _\otimes , I_0 \times I_1,(\uparrow _{}\!\!(\alpha _0) \vee \uparrow _{}\!\!(\alpha _1))\big ) \\{} & {} \text { with} \end{aligned}$$
$$\begin{aligned} \delta _\otimes= & {} \{ \big ((q_0, q_1), a, (q_0', q_1')\big ) \bigm \vert \\{} & {} (q_0,a,q_0') \in \delta _0, (q_1,a,q_1') \in \delta _1 \}\end{aligned}$$

and \({\uparrow _{}\!\!(\alpha _i)}\) is constructed by replacing every occurring set of transitions T in \(\alpha _i\) by

$$\begin{aligned} \big \lbrace \big ((q_0, q_1), u, (q_0', q_1') \big ) \in \delta _\otimes \bigm \vert (q_i, u, q_i') \in T \big \rbrace .\end{aligned}$$

Proposition 3.1

Let \(\mathscr {A}_i = (Q_i, \Sigma , \delta _i, I_i, \alpha _i)\), with \(i \in \{0,1\}\), be two complete TELA with disjoint state-spaces. The following statements hold:


\(\mathscr {L}(\mathscr {A}_0) \cup \mathscr {L}(\mathscr {A}_1) = \mathscr {L}(\mathscr {A}_0 \oplus \mathscr {A}_1)\)


Assume that \(\alpha _i = {{\text {Inf}}}(T_1^i) \wedge \ldots \wedge {{\text {Inf}}}(T_k^i)\), for \(i \in \{0,1\}\). Then we have: \(\mathscr {L}(\mathscr {A}_0) \cup \mathscr {L}(\mathscr {A}_1) = \mathscr {L}(\mathscr {A}_0 \oplus _{GBA}\mathscr {A}_1)\)


\(\mathscr {L}(\mathscr {A}_0) \cup \mathscr {L}(\mathscr {A}_1) = \mathscr {L}(\mathscr {A}_0 \otimes \mathscr {A}_1)\)


1.) This is clear as any accepting run of \(\mathscr {A}_i\) (for \(i \in \{0,1\}\)) can be mapped directly to an accepting run of \(\mathscr {A}_0 \oplus \mathscr {A}_1\), and an accepting run \(\mathscr {A}_0 \oplus \mathscr {A}_1\) corresponds to an accepting run of one of the automata \(\mathscr {A}_0,\mathscr {A}_1\).

2.) “\(\subseteq \)”: Let \(\rho \) be an accepting run of \(\mathscr {A}_0\) (w.l.o.g). Then \(\inf (\rho ) \cap T_j^0 \ne \varnothing \) holds for all \(1 \le j \le k\), and hence also \(\inf (\rho ) \cap (T_j^0 \cup T_j^{1}) \ne \varnothing \). But then \(\rho \) is also an accepting run of \(\mathscr {A}_0 \oplus _{GBA}\mathscr {A}_1\).

\(\supseteq \)”: Let \(\rho \) be an accepting run of \(\mathscr {A}_0 \oplus _{GBA}\mathscr {A}_1\). Then \(\inf (\rho ) \cap (T_j^0 \cup T_j^{1})\) holds for all \(1 \le j \le k\). Recall that we have \(\delta _0 \cap \delta _1 = \varnothing \). We have either \(\inf (\rho ) \subseteq \delta _0\) or \(\inf (\rho ) \subseteq \delta _1\) and \(T_j^i \subseteq \delta _i\) for all \(1 \le j \le k\) and \(i \in \{0,1\}\). As a consequence, there exists \(i \in \{0,1\}\) such that \(\inf (\rho ) \cap T_j^i\) for all \(1 \le j \le k\). But then \(\rho \) is an accepting run of \(\mathscr {A}_i\).

3.) “\(\subseteq \)”: Let \(\rho = q_0 q_1 \ldots \) be an accepting run of \(\mathscr {A}_0\) (w.l.o.g.) for w. As \(\mathscr {A}_1\) is complete, we find a run \(\rho ^*\) of \(\mathscr {A}_0 \otimes \mathscr {A}_1\) for w such that \(\rho ^* = (q_0,q_0') (q_1,q_1') \ldots \), where \(q_0' q_1' \ldots \) is a run of \(\mathscr {A}_1\) for w. As \(\rho \models \alpha _0\), it follows that \(\rho ^* \models \uparrow _{}\!\!(\alpha _0)\) and hence \(\rho ^*\) is an accepting run of \(\mathscr {A}_0 \otimes \mathscr {A}_1\).

\(\supseteq \)”: Let \(\rho ^* = (q_0,q_0') (q_1,q_1') \ldots \) be an accepting run of \(\mathscr {A}_0 \otimes \mathscr {A}_1\) for w and assume, w.l.o.g., that \(\rho ^* \models \uparrow _{}\!\!(\alpha _0)\). Then \(q_0 q_1 \ldots \), as a run for w, models \(\alpha _0\) and hence it is an accepting run of \(\mathscr {A}_0\). \(\square \)

Note, that the acceptance \(\alpha _{GBA}\) contains the same number of atomic acceptance conditions as \(\mathscr {A}_0\) and \(\mathscr {A}_1\), i.e. the acceptance condition does not increase when \(\oplus _{GBA}\) is used to combine two GBA.

The additional \({{\text {Inf}}}(\delta _0)\) and \({{\text {Inf}}}(\delta _1)\) atoms in the acceptance condition of \(\mathscr {A}_0 \oplus \mathscr {A}_1\) are essential (see Example 3.2).

Fig. 2
figure 2

An example showing why the conditions \({{\text {Inf}}}(\delta _0)\) and \({{\text {Inf}}}(\delta _1)\) are added to the acceptance condition of \(\mathscr {A}_0 \oplus \mathscr {A}_1\).

Example 3.2

Consider the TELA \(\mathscr {A}_0\) and \(\mathscr {A}_1\) in Fig. 2 and Fig. 2, which both accept the empty language. If we unify the state spaces and disjunct the acceptance conditions we get the TELA in Fig. 2. However, this automaton accepts the language \(a^\omega \ne \mathscr {L}(\mathscr {A}_0) \cup \mathscr {L}(\mathscr {A}_1)\).

We can apply the GBA-specific sum to any two GBA by adding \({{\text {Inf}}}(\delta _i)\) atoms until the acceptance conditions are of equal length. Many of our constructions will require the acceptance condition of the TELA to be in DNF. We will use the following normal form throughout the paper (also called generalized Rabin in [10, 12]).

Definition 3.2

(DNF for TELA) Let \(\mathscr {A} = (Q, \Sigma ,\delta , I,\alpha )\) be a TELA. We say that \(\mathscr {A}\) is in DNF if \(\alpha \) is of the form \(\alpha = \bigvee _{1 \le i \le m} \alpha _i\), with \(\alpha _i = {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) and such that all \(k_i \ge 1\).

A single \({{\text {Fin}}}\) atom in each disjunct is enough because \({{\text {Fin}}}(T_1) \wedge {{\text {Fin}}}(T_2) \equiv _{\delta } {{\text {Fin}}}(T_1 \cup T_2)\) holds for all \(T_1,T_2,\delta \). Taking \(k_i \ge 1\) is also no restriction, as we can add “\(\wedge \, {{\text {Inf}}}(\delta )\)” to any disjunct. Using standard Boolean operations one can transform a TELA with acceptance \(\beta \) into DNF by just translating the acceptance formula into a formula \(\alpha \) of the above form, with \(|\alpha | \le 2^{|\beta |}\) and each disjunct contains at most \(|\beta |\) atomic acceptance conditions.

Fig. 3
figure 3

Example of applying \({\text {removeFin}}\) and \({\text {removeFin}}_{{\text {GBA}}}\) (Definition 3.3) to the automaton in (a). The result is the automaton in (b) with acceptance \(\alpha '\) (\({\text {removeFin}}\)), respectively \(\alpha ''\) (\({\text {removeFin}}_{{\text {GBA}}}\)).

3.1.1 Fin-less acceptance

To transform a TELA in DNF (see Definition 3.2) into an equivalent one without \({{\text {Fin}}}\)-atoms we use the idea of [10, 17]: a main copy of \(\mathscr {A}\) is connected to one additional copy for each disjunct \(\alpha _i\) of the acceptance condition, in which transitions from \(T_0^i\) are removed. The acceptance condition ensures that every accepting run leaves the main copy eventually. Figure 3 shows an example.

Definition 3.3

Let \(\mathscr {F}_i = (Q_i, \Sigma , \delta _i, I_i, \phi _i)\), defined using \(Q_i = \{q^{(i)} \mid q \in Q\}\), \(\delta _i = \{(q^{(i)},a,{q'^{(i)}}) \mid (q,a,q') \in \delta \setminus T^i_0\}\) and \(\phi _i = \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(U^i_j)\), where \(U^i_j = \{(q^{(i)},a,{q'^{(i)}}) \mid (q,a,q') \in T_j^i \setminus T^i_0\}\). Let

$$\begin{aligned} {\text {removeFin}}(\mathscr {A})&= (Q', \Sigma , \delta ', I, \alpha ') \text { and} \\ {\text {removeFin}}_{{\text {GBA}}}(\mathscr {A})&= (Q', \Sigma , \delta ', I, \alpha '') \text { where} \end{aligned}$$
  • \(Q' = Q \cup \bigcup _{1 \le i \le m} Q_{i}\)

  • \(\delta ' = \delta \cup \bigcup _{1 \le i \le m}\big (\delta _{i} \cup \{(q, a, {q'^{(i)}}) \mid (q, a, q') \in \delta \} \big )\)

  • \(\alpha ' ~\!= \bigvee _{1 \le i \le m} \phi _i\)

  • \(\alpha '' = \bigwedge _{1\le j \le k} {{\text {Inf}}}(U_j^1 \cup \ldots \cup U_j^m)\), with \(k = \max _{i} k_i\) and \(U_j^i = \delta _i\) if \(k_i < j \le k\).

The construction \({\text {removeFin}}(\mathscr {A})\) already appears in [10, 17]. The automaton \({\text {removeFin}}_{{\text {GBA}}}(\mathscr {A})\) uses the same transition system but a different acceptance condition.

Lemma 3.2

If \(\mathscr {A}\) is a TELA:

\(\mathscr {L}(\mathscr {A}) = \mathscr {L}({\text {removeFin}}(\mathscr {A})) = \mathscr {L}({\text {removeFin}}_{{\text {GBA}}}(\mathscr {A}))\).


We first prove that \(\mathscr {L}(\mathscr {A}) = \mathscr {L}({\text {removeFin}}(\mathscr {A}))\).

\(\subseteq \)”: Let \(\rho \) be an accepting run of \(\mathscr {A}\) for u, and assume that \(\rho \models {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) (the i’th disjunct of acceptance condition \(\alpha \), which is in DNF). It follows that there exists a position K after which \(\rho \) sees no transitions in \(T_0^{i}\). We construct an accepting run \(\rho '\) of \({\text {removeFin}}(\mathscr {A})\) for u: for the first K positions, it copies \(\rho \) in the main copy Q. Then, it moves to \(Q_i\), and continues to simulate the moves of \(\rho \). From that fact that \(\rho \) sees infinitely many transitions in each set \(T_j^i\), it follows that \(\rho '\) models \(\phi _i\) and hence is accepting.

\(\supseteq \)”: Let \(\rho '\) be an accepting run of \({\text {removeFin}}(\mathscr {A})\) for u, i.e. \(\rho ' \models \phi _i\) for some \(1 \le i \le m\). It follows that \(\rho '\) eventually moves to \(Q_i\), because \(\phi _i\) contains at least one \({{\text {Inf}}}\)-atom whose all transitions are fully included in \(Q_i\). As no other copy is reachable from \(Q_i\), \(\rho '\) stays in \(Q_i\) thereafter. Recall that copy \(Q_i\) does not contain any transition in \(T_0^{i}\). Projecting the part of \(\rho '\) which is in \(Q_i\) onto the corresponding transitions in Q yields a run \(\rho \) for u in \(\mathscr {A}\). From the definition of \(\phi _i\) and the fact that \(\rho '\) models \(\phi _i\) it follows directly that \(\rho \) models \(\alpha _i\), and hence \(\rho \) is accepting.

We show \(\mathscr {L}({\text {removeFin}}(\mathscr {A})) = \mathscr {L}({\text {removeFin}}_{{\text {GBA}}}(\mathscr {A}))\) by proving that for all runs \(\rho \) in \((\delta ')^{\omega }\) we have

$$\begin{aligned}\rho \models \alpha ' \iff \rho \models \alpha ''.\end{aligned}$$

First, assume that \(\rho \models \alpha '\), which implies that there exists an \(1 \le i \le m\) such that \(\rho \models {{\text {Inf}}}(U_j^i)\) for all \(1 \le j \le k_i\). It follows that \(\inf (\rho ) \subseteq \delta _i\) and hence also \(\rho \models {{\text {Inf}}}(U_j^i)\) for all \(k_i < j \le k\). But then clearly \(\rho \models {{\text {Inf}}}(U_j^1 \cup \ldots \cup U_j^m)\) for all \(1 \le j \le k\) and hence \(\rho \models \alpha ''\).

Now assume that \(\rho \models \alpha ''\). Then, in particular we have \(\rho \models {{\text {Inf}}}(U_1^1 \cup \ldots \cup U_1^m)\), which implies that \(\rho \models {{\text {Inf}}}(U_1^i)\) for some \(1 \le i \le m\). By construction of \({\text {removeFin}}(\mathscr {A})\) it follows that \(\inf (\rho ) \subseteq \delta _i\) and \(\inf (\rho ) \cap \delta _{i'} = \varnothing \), for \(i' \ne i\). As a consequence we have \(\inf (\rho ) \cap U_j^{i'} = \varnothing \) for all \(1 \le j \le k\) and \(i' \ne i\). The only possibility for \(\rho \) to satisfy all conjuncts in \(\alpha ''\) is to satisfy \(\inf (\rho ) \cap {{\text {Inf}}}(U_j^i) \ne \varnothing \) for all \(1 \le j \le k\). But then it follows that \(\rho \models \phi _i\) and hence \(\rho \models \alpha '\). \(\square \)

Observe that, in contrast to \({\text {removeFin}}\), \({\text {removeFin}}_{{\text {GBA}}}\) always produces GBA. Both constructions consist of \(m+1\) copies of \(\mathscr {A}\) (with \({{\text {Fin}}}\)-transitions removed). Each disjunct of the acceptance condition of \({\text {removeFin}}(\mathscr {A})\) contains at most as many atomic conditions than the corresponding disjunct of the acceptance condition of \(\mathscr {A}\).

3.2 Construction of generalized Büchi automata

3.2.1 Construction of spot

Fig. 4
figure 4

A class of TELA where any CNF of the acceptance condition has at least \(2^n\) conjuncts.

The transformation from TELA to GBA from [17] is implemented in Spot[18]. It transforms the automaton into DNF and then applies (an optimized version of) \({\text {removeFin}}\). The resulting fin-less acceptance condition is translated into conjunctive normal form (CNF). As \({{\text {Inf}}}(T_1) \vee {{\text {Inf}}}(T_2) \equiv _{\delta } {{\text {Inf}}}(T_1 \cup T_2)\) holds for all \(\delta \), one can rewrite any fin-less condition in CNF into a conjunction of \({{\text {Inf}}}\)-atoms, which is a generalized Büchi condition. When starting with a TELA \({\mathscr {B}}\) with acceptance \(\beta \) and N states, one gets a GBA with \(N \, 2^{O(|\beta |)}\) states and \(2^{O(|\beta |)}\) acceptance sets, as the fin-removal may introduce exponentially (in \(|\beta |\)) many copies, and the CNF may also be exponential in \(|\beta |\).

Transforming a fin-less automaton into a GBA by computing the CNF has the advantage of only changing the acceptance condition, and in some cases it produces simple conditions directly. For example, Spot’s TELA to GBA construction transforms a Rabin into a Büchi automaton, and a Streett automaton with m acceptance pairs into a GBA with m accepting sets. However, computing the CNF may also incur an exponential blow-up (Fig. 4 shows such an example).

3.2.2 Copy-based approaches

We now describe three approaches (remFin\(\rightarrow \)split\(\alpha \), split\(\alpha \) \(\rightarrow \)remFin and remFin\(\rightarrow \)rewrite\(\alpha \)), which construct GBA with at most \(|\beta |\) acceptance sets. On the other hand, they generally produce automata with more states than the approach that is implemented in Spot. They are based on [41] which first translates copies of \(\mathscr {A}\) (corresponding to the disjuncts of the acceptance condition) to GBA, and then takes their sum. However, it is not specified in [41] how exactly \({{\text {Fin}}}\)-atoms should be removed (they were concerned only with the theoretical complexity). We define:

where the acceptance condition \(\alpha \) of \(\mathscr {A}\) is the DNF of \(\beta \).

With \({\text {removeFin}}\) as defined in Definition 3.3, the approaches remFin\(\rightarrow \)split\(\alpha \) and split\(\alpha \) \(\rightarrow \)remFin produce the same automata (after removing non-accepting SCC’s), and all three approaches create O(m) copies of \(\mathscr {A}\).

We now analyze the number of acceptance sets of the resulting GBA conditions of the different approaches. The acceptance condition of \({\text {removeFin}}(\mathscr {A})\) is in DNF and each disjunct contains at most \(|\beta |\) atomic acceptance conditions. Therefore, the sum of the first approach combines m GBA, which each have at most \(|\beta |\) acceptance sets. The acceptance condition of \({\text {split}}(\mathscr {A})[i]\) contains at most \(|\beta |\) atomic acceptance conditions for each i. As \({\text {removeFin}}\) does not increase the length of the acceptance condition, the sum of the second approach combines m GBA, which each have at most \(|\beta |\) acceptance sets. It follows directly from the definition of \({\text {removeFin}}_{{\text {GBA}}}\) (see Definition 3.3) that the acceptance condition of \({\text {removeFin}}_{{\text {GBA}}}(\mathscr {A})\) contains as many acceptance sets as the largest disjunct of the acceptance condition of \(\mathscr {A}\), which is bounded by \(|\beta |\). Therefore, the number of acceptance sets in the acceptance conditions is bounded by \(O(|\beta |)\) for all three approaches.

Our implementation uses an optimized variant of the function \({\text {removeFin}}\), as provided by Spot, which leads to different results for all three approaches.

4 Determinization

4.1 Determinization via single GBA

The standard way of determinizing TELA is to first construct a GBA, which is then determinized. Dedicated determinization procedures for GBA with N states and K acceptance sets produce deterministic Rabin automata with \(2^{O(N (\log N + \log K))}\) states [42]. For a TELA \(\mathscr {B}\) with n states and acceptance \(\beta \), the above translations yield GBA with \(N = n \, 2^{O(|\beta |)}\) and \(K = 2^{O(|\beta |)}\) (Spot’s construction) or \(N = n \, 2^{O(|\beta |)}\) and \(K = O(|\beta |)\) (copy-based approaches). We evaluate the effect of the translations to GBA introduced in the previous chapter in the context of determinization in Sect.  6.

4.2 Determinization via a product construction

Another way to determinize a TELA \(\mathscr {A}\) in DNF is to determinize the automata \({\text {split}}(\mathscr {A})[i]\) one by one and then combining them with the disjunctive product construction of Definition 3.1:

$$\begin{aligned} \bigotimes _{1 \le i \le m} {\text {det}}\big ({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\big ) \end{aligned}$$

where “\({\text {det}}\)” is any GBA-determinization procedure. Let \({\mathscr {B}}\) be a TELA with acceptance \(\beta \) and n states, and let \(\alpha \) be an equivalent condition in DNF with m disjuncts. Then, for all the automata \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\), the number of states is bounded by O(n) and the number of acceptance sets of the GBA conditions is bounded by \(O(\beta )\). Assuming an optimal GBA-determinization procedure, the product combines m automata with \(2^{O(n (\log n + \log |\beta |))}\) states and hence the result has \(\big (2^{O(n \, (\log n + \log |\beta |))}\big )^m = 2^{O ( 2^{|\beta |} \cdot n (\log n + \log |\beta |))}\) states.

5 Limit-deterministic TELA

Limit-determinism has been studied mainly for Büchi auto-mata [15, 43, 44], and we define it here for general TELA.

Definition 5.1

A TELA \(\mathscr {A} = (Q,\Sigma ,\delta ,I,\alpha )\) is called limit-deterministic if there exists a partition \(Q_N,Q_D\) of Q such that


\(\delta \cap (Q_D \times \Sigma \times Q_N) = \varnothing \),


for all \((q,a) \in Q_D \times \Sigma \) there exists at most one \(q'\) such that \((q,a,q') \in \delta \), and


\(\inf (\rho ) \cap (Q_N \times \Sigma \times Q_N) = \varnothing \) holds for every accepting run \(\rho \) of \(\mathscr {A}\).

This is a semantic definition and as checking emptiness of deterministic TELA is already coNP-complete, checking whether a TELA is limit-deterministic is as well. To establish this result, we first show that a canonical partition into nondeterministic and deterministic parts of the state space exists. Let \(\mathscr {A} = (Q,I,\Sigma ,\delta ,\alpha )\) be a fixed TELA. We say that a state \(q \in Q\) is deterministic if it has at most one successor in \(\delta \) for each symbol, and define:

$$\begin{aligned} Q_D^* = \{q \in Q \mid \text { all states } q' \text { reachable from } q \text { are deterministic} \} \end{aligned}$$

and \(Q_N^* = Q \setminus Q_D^*\). The sets \(Q_D^*\) and \(Q_N^*\) can be computed in polynomial time using an SCC analysis of the underlying graph of \(\mathscr {A}\).

Lemma 5.1

A TELA \(\mathscr {A}\) is limit-deterministic iff the partition \(Q_D^*,Q_N^*\) satisfies conditions 1-3 of Definition 5.1.


The direction from right to left is immediate. We now show that if there exists a partition \(Q_D,Q_N\) which satisfies 1-3, then so does \(Q_D^*, Q_N^*\). By construction, \(Q_D^*, Q_N^*\) satisfy conditions 1. and 2. As every state in \(Q_D\) is only allowed to reach deterministic states, it follows that \(Q_D \subseteq Q_D^*\) and hence \(Q_N^* \subseteq Q_N\). But then it follows from the fact that every accepting run of \(\mathscr {A}\) eventually leaves \(Q_N\) forever, that it also eventually leaves \(Q_N^*\) forever. This shows that the partition \(Q_D^*, Q_N^*\) satisfies condition 3. \(\square \)

Proposition 5.1

Checking limit-determinism for TELA is coNP-complete.


As we have seen above, checking whether \(\mathscr {A}\) is limit-deterministic amounts to checking whether \(Q_D^*, Q_N^*\) satisfies conditions 1-3 of Definition 5.1. Conditions 1-2 hold by construction. To check condition 3 one can construct an automaton \(\mathscr {N}\) which contains all states and transitions of \(Q_N^*\) and replaces all transitions out of \(Q_N^*\) by a transition to a rejecting trap state (this may need a simple rewrite of the acceptance condition). Then, condition 3 holds if and only if \(\mathscr {N}\) accepts the empty language, which can be checked in coNP for TELA (this follows from NP-completeness of the non-emptiness problem [20, Thm. 4.7]).

For coNP-hardness, we reduce from the emptiness problem of TELA, which is coNP-hard. First observe that an automaton \(\mathscr {A}\) in which \(Q_D^*\) is empty is limit-deterministic if and only if \(\mathscr {L}({{\mathscr {A}}}) = \varnothing \). So it suffices to translate an arbitrary TELA \(\mathscr {B}\) into a TELA \(\mathscr {A}\) in which \(Q_D^*\) is empty, and such that \(\mathscr {L}({{\mathscr {B}}}) = \varnothing \) iff \(\mathscr {L}({{\mathscr {A}}}) = \varnothing \). To do this we add a nondeterministic SCC to \(\mathscr {B}\), a transition from each original state in \(\mathscr {B}\) to that SCC, and make sure using the acceptance condition that no run which gets trapped in the new SCC is accepting. \(\square \)

A syntactic definition for TELA in DNF, which implies limit-determinism, is provided in Definition 5.2.

Definition 5.2

A TELA \(\mathscr {A} = (Q,\Sigma ,\delta ,\{q_0\},\alpha )\) in DNF, with \(\alpha = \bigvee _{1 \le i \le m} \alpha _i\), \(\alpha _i = {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) and \(k_i \ge 1\) for all i, is syntactically limit-deterministic if there exists a partition \(Q_N,Q_D\) of Q satisfying 1. and 2. of Definition 5.1 and additionally \(T^i_j \subseteq Q_D \times \Sigma \times Q_D \text { for all } i \le m \text { and } 1 \le j \le k_i\).

This property implies limit-determinism because each disjunct of the acceptance formula contains at least one atomic \(\inf (T_i^j)\) formula (for \(1 \le i \le m\) and \(1 \le j \le k_i\)), and all transitions in \(T_i^j\) are included in the deterministic part of the automaton.

5.1 Limit-determinization

Let \(\mathscr {A} = (Q,\Sigma ,\delta ,I,\bigvee _{1 \le i \le m} \alpha _i)\) be a fixed TELA in DNF for the entire section, where \(\alpha _i = {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) for \(1 \le i \le m\). Additionally, define \(\mathscr {A}_i = {\text {split}}(\mathscr {A})[i]\). Replacing the product by a sum in the product-based determinization of the last section yields single exponential limit-deterministic automata (in contrast to the double-exponential lower-bound for determinization).

Proposition 5.2

The automaton \(\bigoplus _{1 \le i \le m} {\text {det}}({\text {removeFin}}(\mathscr {A}_i))\) is limit-deterministic and has \(m \cdot 2^{O(n \, (\log n + \log k))}\) states, where \(k = \max \{k_i \mid 1 \le i \le m\}\), \(n = |Q|\) and “det” is an optimal, i.e. single-exponential, determinization procedure for GBA.


The resulting automaton is limit-deterministic as the only nondeterminism in the transition system consists in the choice of the initial component. Its state space is of size \(\sum _{1 \le i \le m} |{\text {det}}(\mathscr {A}_i)|\) and hence in \(m \cdot 2^{O(n \, (\log n + \log k))}\), as GBA can be determinized with a blow up of \(2^{O(n \, (\log n + \log k))}\) states [42]. \(\square \)

If “\(\det \)” is instantiated by a GBA-determinization that produces Rabin automata, then the result is in DNF and syntactically limit-deterministic. Indeed, in this case the only nondeterminism is the choice of the initial state. But “\(\det \)” can, in principle, also be replaced by any limit-determinization procedure for GBA.

We now extend the limit-determinization constructions of [15] (for Büchi automata) and [6, 7, 23] (for GBA) to Emerson-Lei conditions in DNF. These constructions use an initial component and an accepting breakpoint component [33] for \(\mathscr {A}\), which is deterministic. The following construction differs in two ways: there is one accepting component per disjunct of the acceptance condition, and the accepting components are constructed from \(\mathscr {A}\) without considering the \({{\text {Fin}}}\)-transitions of that disjunct. We will use the subset transition function \(\theta \) associated with \(\delta \), defined by: \(\theta (P,a) = \bigcup _{q \in P}\{ q' \mid (q,a,q') \in \delta \}\) for \((P,a) \in 2^Q \times \Sigma \), and additionally we define \(\theta |_T(P,a) = \bigcup _{q \in P}\{ q' \mid (q,a,q') \in \delta \cap T \}\). These functions are extended to finite words in the standard way. The following definitions refer to the fixed automaton \(\mathscr {A}\) as defined in the beginning of the section.

Definition 5.3

Let \(\theta _i = \theta |_{\delta \setminus T_0^i}\). The i’th accepting breakpoint component of \(\mathscr {A}\) is \(\mathfrak {B}_{i} = (Q_i,\Sigma ,\delta _i,\{p_0\},{{\text {Inf}}}(\delta ^{{\text {break}}}_i))\), with \(p_0 = (I,\varnothing ,1)\), \(Q_i = \{(R,B,l) \in 2^Q \times 2^Q \times \{1, \ldots , k_i\} \mid B \subseteq R \}\), and

$$\begin{aligned} \delta ^{{\text {main}}}_i&= \left\{ ((R_1, B_1, l), a, (R_2, B_2, l)) \;\; \bigg | \;\; \begin{array}{l} R_2 = \theta _i (R_1, a), \\ B_2 = \theta _i (B_1, a) \cup \theta _i|_{T_l^i}(R_1, a) \end{array} \right\} \\ \delta ^{{\text {break}}}_i&= \left\{ \begin{array}{l} \big ((R_1, B_1, l), \\ \;\;\; a, \\ \;\;(R_2, \varnothing , l')\big ) \end{array}\;\; \bigg | \;\; \begin{array}{l} ((R_1, B_1, l), a, (R_2, B_2, l)) \in \delta ^{{\text {main}}}_i,\\ R_2 = B_2, \;\; and\\ l' = (l \bmod k_i)+1. \end{array} \right\} \\ \delta _i&= \bigl \{((R_1, B_1, l), a, (R_2, B_2, l)) \in \delta ^{{\text {main}}}_i \mid R_2 \ne B_2 \bigr \} \cup \delta ^{{\text {break}}}_i \end{aligned}$$

In a state (RBl) of the above construction, intuitively R is the set of states reachable for the word seen so far in \(\mathscr {A}\) without using transitions from \(T_0^i\), while B are the states in R which have seen a transition in \(T_l^i\) since the last “breakpoint”. The breakpoint-transitions are \(\delta ^{{\text {break}}}_i\), which occur when all states in R have seen an accepting transition since the last breakpoint (namely if \(R = B\)). The standard breakpoint construction underapproximates the language of a given GBA, in general.

We define two limit-deterministic Büchi automata (LDBA) \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) and \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) where \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is additionally good-for-MDP (GFM) [24]. This means that \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) can be used to solve certain quantitative probabilistic model checking problems (see Sect.  5.2). Both use the accepting breakpoint components defined above. While \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) simply uses a copy of \(\mathscr {A}\) as initial component, \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) uses the deterministic subset-automaton of \(\mathscr {A}\) (it resembles the cut-deterministic automata of [6]). Furthermore, to ensure the GFM property, there are more transitions between initial and accepting copies in \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\). The construction of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) extends the approach for GBA in [23] (also used for probabilistic model checking) to TELA. We will distinguish elements from sets \(Q_i\) for different i from Definition 5.3 by using subscripts (e.g. \((R,P,l)_i\)) and assume that these sets are pairwise disjoint.

Definition 5.4

Let \(Q_{{\text {acc}}} = \bigcup _{1 \le i \le m} Q_i\), \(\delta _{{\text {acc}}} = \bigcup _{1 \le i \le m} \delta _i\) and \(\alpha _{{\text {acc}}} = {{\text {Inf}}}(\bigcup _{1 \le i \le m} \delta ^{{\text {break}}}_i)\). Define

$$\begin{aligned}&\mathscr {G}^{{\text {LD}}}_{\mathscr {A}} = (Q \cup Q_{{\text {acc}}},\Sigma ,\delta ^{{\text {LD}}},I,\alpha _{{\text {acc}}}) \; \text { and} \\&\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}} = (2^{Q} \cup Q_{{\text {acc}}},\Sigma ,\delta ^{{\text {GFM}}},\{I\},\alpha _{{\text {acc}}}), \text { where } \\[0.2cm]&\delta ^{{\text {LD}}}= \delta \cup \delta _{{\text {bridge}}}^{{\text {LD}}}\cup \delta _{{\text {acc}}} \quad \text { and } \quad \delta ^{{\text {GFM}}}= \theta \cup \delta _{{\text {bridge}}}^{{\text {GFM}}}\cup \delta _{{\text {acc}}}\\&\delta _{{\text {bridge}}}^{{\text {LD}}}= \bigl \{\bigl (q,a,(\{q'\},\varnothing ,0)_i\bigr ) \mid (q,a,q') \in \delta \text { and } 1 \le i \le m \bigr \}\\[0.25ex]&\delta _{{\text {bridge}}}^{{\text {GFM}}}= \bigl \{\bigl (P,a,(P',\varnothing ,0)_i\bigr ) \mid P' \subseteq \theta (P,a) \text { and } 1 \le i \le m \bigr \} \end{aligned}$$

As \(\delta _i^{{\text {break}}} \subseteq \delta _{{\text {acc}}}\) for all i, both \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) and \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) are syntactically limit-deterministic. The proofs of correctness are similar to ones of the corresponding constructions for GBA [6, Thm. 7.6]. We show later in Theorem  5.2 that \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is GFM.

Theorem 5.1

The automata \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) and \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) are syntactically limit-deterministic and satisfy \(\mathscr {L}(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}) = \mathscr {L}(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}) = \mathscr {L}(\mathscr {A})\). Their number of states is bounded by \((n + 3^n \, m \, k)\) for \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) and \((2^n + 3^n \, m \, k) \in O(|\alpha |^2 \cdot 3^n)\) for \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\), with \(k = \max \{k_i \mid 1 \le i \le m\}\).

Before giving a proof of Theorem 5.1 we prove two lemmas related to the breakpoint construction, which will be necessary for the correctness part of Theorem  5.1. The functions \(\theta \) and \(\theta _i\) are defined as in Definition  5.3.

The proofs of the lemmas follow known arguments for the correctness of limit-determinization for Büchi and generalized Büchi automata (see [15, Sect. 4.2] and [6, Sects. 7.4 and 7.6]). Still, the extension to Emerson-Lei requires additional arguments and hence we give the proofs here in our notation for completeness. The first lemma extends [6, Lemma 7.1].

Lemma 5.2

For every accepting run \(\rho = q_0q_1 \ldots \) of \(\mathscr {A}\) for \(w = w_0 w_1 \ldots \in \Sigma ^{\omega }\) there exists an \(1 \le i \le m\) such that \(\rho \models \alpha _i\), and a \(K \ge 0\) such that:

  • for all \(l \ge K\): \((q_l,w_l,q_{l+1}) \notin T_0^i\),

  • for all \(l \ge K\) there exists \(u > l\) such that \(\theta _i(\{q_{l}\},w[l..u]) = \theta _i(\{q_{K}\},w[K..u])\).


As \(\rho \) is accepting there must exist an \(1 \le i \le m\) such that \(\rho \models \alpha _i\), which implies \(\rho \models {{\text {Fin}}}(T_0^i)\). Fix such an i. Then, the existence of a K (let us call it \(K_1\)) satisfying the first condition follows directly. Fix such a \(K_1\).

Next, we claim that a \(K_2 \ge K_1\) exists which satisfies both conditions. The first condition is satisfied by all \(K_2 \ge K_1\), so we turn to the second condition. Suppose, for contradiction, that for all \(K_2 \ge K_1\) there exists \(l_1 \ge K_2\) such that for all \(u > l_1\) we have \(\theta _i(\{q_{l_1}\},w[l_1..u]) \ne \theta _i(\{q_{K_2}\},w[K_2..u])\). Clearly then \(\theta _i(\{q_{l_1}\},w[l_1..u]) \subset \theta _i(\{q_{K_2}\},w[K_2..u])\) holds, as \(q_{l_1} \in \theta _i(\{q_{K_2}\},w[K_2..{l_1{-}1}])\). Applying the same argument lets us find \(l_2 \ge l_1\) such that for all \(u > l_2\) we have \(\theta _i(\{q_{l_2}\},w[l_2..u]) \subset \theta _i(\{q_{l_1}\},w[l_1..u])\). Iterating this argument yields an infinitely descending chain, which is impossible as all considered sets are finite. It follows that there exists a \(K_2 \ge K_1\) satisfying both conditions, which concludes the proof. \(\square \)

The following lemma shows one direction of the correctness part of Theorem 5.1.

Lemma 5.3

\(\mathscr {L}(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}) \subseteq \mathscr {L}(\mathscr {A})\) and \(\mathscr {L}(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}) \subseteq \mathscr {L}(\mathscr {A})\).


We give the argument only for \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\), as it is the same for \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) with simple modifications. Any accepting run of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) for any \(w_0 w_1 \ldots \in \Sigma ^{\omega }\) has the form

$$\begin{aligned} I \rightarrow Q_1 \rightarrow \ldots \rightarrow Q_k \rightarrow (P_0,\varnothing ,0)_i \rightarrow (P_1,B_1,h_1)_i \rightarrow \ldots \end{aligned}$$

where the first part from I to \(Q_k\) is a path through the initial component of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\), and the subsequent part is a path through some accepting breakpoint component \(\mathfrak {B}_i\), with \(1 \le i \le m\). As \(\mathfrak {B}_i\) is the standard breakpoint automaton for \(\mathscr {A}\) under acceptance \(\alpha _i\) and after removing transitions in \(T_0^i\), it follows from the soundness of the known construction [6, Lemma 7.3] that there exists a run \(\rho \) through \(\mathscr {A}\) from some state \(q \in P_0\) for the word \(w[k{+}1..]\) such that \(\rho \models \alpha _i\) and \(\rho \) sees no transition in \(T_0^i\). Furthermore, clearly any state in \(P_0\) is reachable from I with a path labeled by w[0..k]. Concatenating such a path with the run \(\rho \) yields an accepting run of \(\mathscr {A}\) for \(w_0 w_1 \ldots \). \(\square \)

Now we are in a position to prove Theorem 5.1. The last part of the proof follows the proof of [6, Lemma 7.2].

Proof of Theorem 5.1

As \(\delta _i^{\textrm{break}} \subseteq \delta _i\) holds for all i, and the breakpoint components are deterministic, both \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) and \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) are syntactically limit-deterministic. The bound \((2^n + 3^n \, m \, k)\) on the states of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) follows as the state-space of \(\mathfrak {B}_i\) is bounded by \(3^n \cdot k\) (this uses that \(B \subset R\) holds for states (RBl) of \(\mathfrak {B}_i\), and \(l \le k\)) for all i, and there are m breakpoint components. Additionally, the initial component is a direct subset construction of \(\mathscr {A}\), adding another \(2^n\) states. For \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\), the initial component is of size n, hence the number of states is bounded by \( (n + 3^n \, m \, k)\).

It remains to show that \(\mathscr {L}(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}) = \mathscr {L}(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}) = \mathscr {L}(\mathscr {A})\). The inclusions in \(\mathscr {L}(\mathscr {A})\) follow by Lemma 5.3. For the other direction, let \(\rho = q_0q_1 \ldots \) be an accepting run of \(\mathscr {A}\) for \(w = w_0 w_1 \ldots \in \Sigma ^{\omega }\). By Lemma 5.2 there exist \(1 \le i \le m\) and \(K \ge 0\) such that:

  • \(\rho \models \alpha _i\)

  • for all \(l \ge K\): \((q_l,w_l,q_{l+1}) \notin T_0^i\),

  • for all \(l \ge K\) there exists \(u > l\) such that

    $$\begin{aligned}\theta _i(\{q_{l}\},w[l..u]) = \theta _i(\{q_{K}\},w[K..u]).\end{aligned}$$

We define a run of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) for w as follows. For the first \(K{-}1\) steps, it remains inside the initial component. It will reach a state \(P \subseteq Q\) with \(q_{K{-}1} \in P\). Then it takes the transition \(\bigl (P,w[K{-}1],(\{q_{K}\},\varnothing ,0)_i\bigr )\), and continues deterministically thereafter in component \(\mathfrak {B}_i\). This transition is in \(\delta _{{\text {bridge}}}^{{\text {GFM}}}\) as \((q_{K{-}1},w[K{-}1],q_K) \in \delta \), and hence \(\{q_K\} \subseteq \theta (P,w[K{-}1])\). We claim that the remaining run

$$\begin{aligned} (\{q_{K}\},\varnothing ,0) (R_{K+1},B_{K+1},h_{K+1}) \ldots \end{aligned}$$

of \(\mathfrak {B}_{i}\) sees infinitely many transitions in \(\delta _i^{{\text {break}}}\).Footnote 1 For contradiction, suppose that this is not the case. Then, there exists \(N > K\) such that for all \(j \ge N\) we have \(B_j \subset R_j\) and \(h_j = h_{j+1}\). As \(\rho \models \alpha _i\) holds, there must exist \(N_1 > N\) satisfying \((q_{N_1},w[N_1],q_{{N_1}{+}1}) \in T_{i}^{h_j}\). It follows that \(q_{{N_1}{+}1} \in B_{{N_1}{+}1}\). By the third property above, however, there exists \(u > N_{1}{+}1 \ge K\) such that

$$\begin{aligned} R_u = \theta _i(\{q_K\},w[K..u]) = \theta _i(\{q_{N_{1}{+}1}\},w[N_1{+}1..u]) \subseteq B_u.\end{aligned}$$

This contradicts \(B_u \subset R_u\). Hence, the constructed run is an accepting run of \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) for w, which finishes the proof of \(\mathscr {L}({{\mathscr {A}}}) = \mathscr {L}({\mathscr {G}^{{\text {GFM}}}_{{\mathscr {A}}}})\).

A run for \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) can be constructed in the same way, with the only exception that the initial part of the run is set to be \(q_0 \ldots q_{K-1}\) (rather than the unique path in the subset-construction for prefix \(w[0..{K{-}2}]\)). \(\square \)

As a direct corollary of Theorem  5.1 we get that TELA can be transformed into LDBA of single-exponential size.

Corollary 5.1

Given TELA \({\mathscr {B}}\) (not necessarily in DNF) with acceptance condition \(\beta \) and N states, there exists an equivalent LDBA with \(2^{O(|\beta | + N)}\) states.

5.2 Probabilistic model checking

This section discusses how the above constructions can be used for probabilistic model checking. We will use a product between an MDP \(\mathscr {M}\) and a nondeterministic automaton \(\mathscr {A}\) which was introduced in [28]. The construction is such that schedulers of the MDP are forced to resolve the nondeterminism of \(\mathscr {A}\) by choosing the next state of the automaton. We assume that the automaton used to build the product has a single initial state, which holds for \(\mathscr {G}^{{\text {GFM}}}_\mathscr {A}\).

Definition 5.5

Given an MDP \(\mathscr {M}= (S,s_0,{\text {Act}},P,\Sigma ,L)\) and TELA \(\mathscr {G} = (Q,\Sigma ,\delta ,\{q_0\},\alpha )\) we define the MDP \(\mathscr {M}\times \mathscr {G} = (S \times Q, (s_0,q_0), {\text {Act}}\times Q, P^{\times }, \Sigma , L^{\times })\) with \(L^{\times }((s,q)) = L(s)\) and

$$\begin{aligned} P^{\times }\bigl ((&s,q),(\alpha ,p),(s',q')\bigr ) = \\&{\left\{ \begin{array}{ll} P(s,\alpha ,s') &{} \text {if } p = q' \text { and } (q,L(s),q') \in \delta \\ 0 &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

We define the accepting paths \(\Pi _{acc}\) of \(\mathscr {M}\times \mathscr {G}\) to be:

$$\begin{aligned} \Pi _{acc} = \{(s_0,q_0)&\alpha _0(s_1,q_1)\alpha _1 \ldots \in {\text {Paths}}(\mathscr {M}\times \mathscr {G}) \mid \\&q_0, L(s_0), q_1, L(s_1) \ldots \models \alpha \} \end{aligned}$$

As a first application, consider the qualitative model checking problem which asks to decide \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\), under the assumption that \(\mathscr {A}\) is a limit-deterministic TELA. While NP-hardness follows from the fact that the problem is already hard for deterministic TELA [34, Thm. 5.13], we now show that it is also in NP. Furthermore, it is in P for automata with a fin-less acceptance condition. This was already known for LDBA [15], and our proof uses similar arguments.

Proposition 5.3

Deciding \(\textbf{Pr}_{\mathscr {M}}^{\max }(\mathscr {L}(\mathscr {A})) > 0\), given MDP \(\mathscr {M}\) and a limit-deterministic TELA \(\mathscr {A}\), is NP-complete. If \(\mathscr {A}\) has a fin-less acceptance condition, then the problem is in P.


NP-hardness for general limit-deterministic TELA follows directly from NP-hardness for deterministic TELA (see [34, Thm. 5.13]). For the upper-bounds we use the fact discussed above that if \(\mathscr {A}\) is limit-deterministic, then we can compute a partition \(Q_D,Q_N\) satisfying conditions 1-3 of Definition  5.1 in polynomial time.

In NP for limit-det. TELA. We now show that the problem of computing \(\textbf{Pr}_{\mathscr {M}}^{\max }(\mathscr {L}(\mathscr {A})) > 0\) is in NP if TELA \(\mathscr {A} = (Q,\Sigma ,\delta ,I,\alpha )\) is limit-deterministic. Let \(Q_N,Q_D\) be a partition of Q satisfying conditions 1-3 of Definition  5.1 and let \(\mathscr {M}\times \mathscr {A}\) be the product-MDP defined in Definition  5.5 for a given MDP \(\mathscr {M}= (S,s_0,{\text {Act}},P,\Sigma ,L)\). Recall that an end-component of \(\mathscr {M}\) is a non-empty subset \(S' \subseteq S\) together with a subset of the enabled actions \(T(s) \subseteq {\text {Act}}(s)\) for each state \(s \in S'\) such that the underlying graph is strongly connected and closed under probabilistic transitions [3, Definition 10.117]. An end-component \({\mathscr {E}}\) of \(\mathscr {M}\times \mathscr {A}\) naturally induces a set of transitions of \(\mathscr {A}\), which we denote by \({\text {atrans}}({{\mathscr {E}}})\).

Claim. \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\) holds iff there exists a reachable end-component \({\mathscr {E}}\) of \(\mathscr {M}\times \mathscr {A}\) such that \({\text {atrans}}({{\mathscr {E}}}) \models \alpha \).

Proof of claim.\(\Longleftarrow \)”: Let (sq) be a state contained in such an end-component \({\mathscr {E}}\). As \({\mathscr {E}}\) is assumed to be reachable, there exists a finite path \(\pi = s_0 \alpha _0 s_1 \alpha _1 \ldots s_n \alpha _n s\) through \(\mathscr {M}\) and a corresponding path \(q_0 \xrightarrow {L(s_0 \ldots s_{n})} q\) through \(\mathscr {A}\). We start defining a scheduler \(\mathfrak {S}_1\) on \(\mathscr {M}\) which chooses action \(\alpha _i\) for all prefixes of length i, if \(0 \le i \le n\) and \(\alpha _i\) is enabled. Clearly, \(\mathfrak {S}_1\) achieves a positive probability to realize the prefix \(\pi \). As \({\mathscr {E}}\) is an end-component, we can construct a scheduler \(\mathfrak {S}\) on \(M \times \mathscr {A}\) from state (sq) such that with probability one the set of transitions visited infinitely often is the set of all transitions of \({\mathscr {E}}\) [3, Lemma 10.119]. Scheduler \(\mathfrak {S}\) induces a scheduler \(\mathfrak {S}_2\) on \(\mathscr {M}\) from s which satisfies:

$$\begin{aligned} Pr_{\mathscr {M},s}^{\mathfrak {S}_2}(\{\pi \mid L(\pi ) \text { is accepted from } q \text { in } \mathscr {A}\}) = 1.\end{aligned}$$

Combining schedulers \(\mathfrak {S}_1\) and \(\mathfrak {S}_2\) yields a scheduler witnessing \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\).

\(\implies \)”: Every path \(\pi \) from s in \(\mathscr {M}\) induces a unique path \(p_q(\pi )\) from (sq) in \(\mathscr {M}\times \mathscr {A}\), if \(q \in Q_D\) (assuming that \(\mathscr {A}\) is complete). We let \({\text {Limit}}(\pi )\) be the pair (AT) where A is the set of states appearing infinitely often in path \(\pi \) and \(T : A \rightarrow 2^{{\text {Act}}}\) is the set of actions appearing infinitely often for each of the states in A. Given a state \(q \in Q_D\) and an end-component \({\mathscr {E}}\) of \(\mathscr {M}\times \mathscr {A}\), we let

$$\begin{aligned} X_{q,{{\mathscr {E}}}} = \{ \pi \in {\text {Paths}}(&\mathscr {M}) \mid \text { there exist } \pi _1\pi _2 \text { s.t. } \pi = \pi _1 \pi _2, \\&I \xrightarrow {L(\pi _1)}_{\mathscr {A}} q \text { and } {\text {Limit}}(p_q(\pi _2)) = \mathscr {E}\}, \end{aligned}$$

where \(I \xrightarrow {L(\pi _1)}_{\mathscr {A}} q\) means that a path in \(\mathscr {A}\) exists which starts in some state in I, ends in q and is labeled by \(L(\pi _1)\). Let \(\mathfrak {S}\) be a scheduler on \(\mathscr {M}\) satisfying \(\Pr ^{\mathfrak {S}}_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\). The \(\mathfrak {S}\)-paths \(\pi \) in \(\mathscr {M}\) satisfying both

$$\begin{aligned} L(\pi ) \in \mathscr {L}(\mathscr {A}) \;\;\text { and }\;\; \pi \not \in \bigcup _{q \in Q_D} \{X_{q,\mathscr {E}} \mid {\text {atrans}}(\mathscr {E}) \models \alpha \}\end{aligned}$$

have probability zero. This is because a path \(\pi \) satisfies the following property with probability one under \(\mathfrak {S}\): for all \(i \ge 0\) and \(q \in Q_D\): \({\text {Limit}}(p_q(\pi [i..]))\) forms an end-component in \(\mathscr {M}\times \mathscr {A}\). It follows that there exists \(q \in Q_D\) and an end-component \({\mathscr {E}}\) of \(\mathscr {M}\times {\mathscr {A}}\) satisfying \({\text {atrans}}(\mathscr {E}) \models \alpha \) such that \(\Pr ^{\mathfrak {S}}_{\mathscr {M}}(X_{q,\mathscr {E}}) > 0\). But then \({\mathscr {E}}\) must also be reachable in \(\mathscr {M}\times \mathscr {A}\), which concludes the proof of the claim.

It is a direct consequence now that the problem is in NP, as we can guess the end-component \({\mathscr {E}}\) and then check in polynomial time whether \({\text {atrans}}({{\mathscr {E}}}) \models \alpha \) holds.

In P for fin-less limit-det. TELA. If \(\alpha \) is fin-less, then the existence of an end-component \({\mathscr {E}}\) with \({\text {atrans}}({\mathscr {E}}) \models \alpha \) is equivalent to the existence of a maximal end-component satisfying the same property. This is because fin-less properties are preserved when adding additional transitions. As all maximal end-components can be enumerated in polynomial time (see Algorithm 47 in [3]), it follows by the above claim that \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) > 0\) can be decided in polynomial time in this case. \(\square \)

Our next aim is to show that the maximal probability in an MDP to satisfy a property specified as a TELA can be computed in single-exponential time. As a means to this end we will show that the automaton \(\mathscr {G}^{{\text {GFM}}}_\mathscr {A}\), as defined in Definition  5.4, is good-for-MDP (GFM) [24]. As before, we start with a TELA \(\mathscr {A} = (Q,\Sigma ,\delta ,I,\bigvee _{1 \le i \le m} \alpha _i)\) in DNF, with \(\alpha _i = {{\text {Fin}}}(T^i_0) \wedge \bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(T^i_j)\) for \(1 \le i \le m\).

The GFM-property is defined using the product construction introduced above (Definition 5.5). A Büchi automaton \(\mathscr {G}\) is called good-for-MDP (GFM) iff \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {G})) = \textbf{Pr}^{\max }_{\mathscr {M}\times \mathscr {G}}(\Pi _{acc})\) holds for all MDP \(\mathscr {M}\) [24]. The inequality “\(\ge \)” holds for all automata [28, Thm. 1], but the other direction requires, intuitively, that a scheduler on \(\mathscr {M}\times \mathscr {G}\) is able to safely resolve the nondeterminism of the automaton based on the prefix of the run. This is trivially satisfied by deterministic automata, but good-for-games automata also have this property [28]. Limit-deterministic Büchi automata are not GFM in general, for example, \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) may not be (see Example 5.1).

The proof proceeds by fixing an arbitrary MDP \(\mathscr {M}\) and showing that \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) \le \textbf{Pr}^{\max }_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_\mathscr {A}}(\Pi _{acc})\). To this end it is enough to show that for any finite-memory scheduler \(\mathfrak {S}\) on \(\mathscr {M}\) one finds a scheduler \(\mathfrak {S'}\) on \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_\mathscr {A}\) such that \(\Pr ^{\mathfrak {S}}_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) \le \Pr ^{\mathfrak {S}'}_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_\mathscr {A}}(\Pi _{acc})\). The restriction to finite-memory schedulers is allowed because the maximal probability to satisfy an \(\omega \)-regular property is always attained by such a scheduler [3, Sects. 10.6.3 and 10.6.4].

To define \(\mathfrak {S}'\) we analyze the behaviour of \(\mathfrak {S}\) in the product \(\mathscr {M}\times \mathscr {D}\) of \(\mathscr {M}\) with a specific deterministic automaton \(\mathscr {D}\) for \(\mathscr {L}(\mathscr {A})\), which we introduce later. In particular, we show that for each accepting bottom strongly connected component B of the induced Markov chain of \(\mathscr {M}\times \mathscr {D}\) under \(\mathfrak {S}\) there exists an accepting breakpoint component \(\mathfrak {B}_i\) such that, with probability one, words generated by B are accepted by \(\mathfrak {B}_i\). To show this, we first prove a sufficient condition for a word to be accepted by \(\mathfrak {B}_i\).

Lemma 5.4

Let \(1 \le i \le m\), \(w \in \Sigma ^{\omega }\), \(0 = j_0< j_1< j_2 < \ldots \) be an increasing sequence of natural numbers and \(Q' \subseteq Q\) satisfying:

  • for all \(l \ge 0\): \(\theta _i(Q', w[j_l..{j_{l{+}1}{-}1}]) = Q'\) and

  • for all \(l \ge 0\) and \(q' \in Q'\) there exists \(q \in Q'\) and a finite \(\theta _i\)-path from q to \(q'\) in \(\mathscr {A}\) labeled by \(w[j_l..j_{l+1}{-}1]\) which hits all transition-sets \(T_1^i, \ldots , T_{k_i}^i\).

Then, w is accepted from state \((Q',\varnothing ,0)\) in \(\mathfrak {B}_i\).


As the first component of states in \(\mathfrak {B}_i\) just simulates the subset transition function \(\theta _i\), the run from state \((Q',\varnothing ,0)\) of \(\mathfrak {B}_i\) for w has the form:

$$\begin{aligned}{} & {} (Q',\varnothing ,0) \xrightarrow {w[0..j_1{-}1]} (Q',B_1,h_1)\\{} & {} \qquad \xrightarrow {w[j_1..j_2{-}1]} (Q',B_2,h_2) \xrightarrow {w[j_2..j_3{-}1]} \ldots \end{aligned}$$

We show that each infix \((Q',B_l,h_l) \xrightarrow {w[j_l..j_{l{+}1}{-}1]} (Q',B_{l{+}1},h_{l{+}1})\) of the run above sees a transition in \(\delta _i^{{\text {break}}}\). For contradiction, suppose that for some l this is not the case. Then, the third component is not changed in any transition of the corresponding infix run. Let

$$\begin{aligned}{} & {} (Q_0,A_0,h_l) \xrightarrow {w[j_l]} (Q_1,A_1,h_l)\\{} & {} \quad \xrightarrow {w[j_l{+}1]} \ldots \xrightarrow {w[j_l{+}M{-}1]} (Q_M,A_M,h_l) \end{aligned}$$

be the sequence of the run between \((Q_0,A_0,h_l) = (Q',B_l,h_l)\) and \((Q_M,A_M,h_l) = (Q',B_{l+1},h_l)\). Take an arbitrary element \(q' \in Q' \setminus B_{l+1}\) and let P be the source states of the incoming transitions of \(q'\) labeled by \(w[j_l{+}M{-}1]\) wrt. \(\delta \setminus T_0^i\). As a consequence we have that \(P \cap A_{M{-}1}\) is empty and no \(p \in Q_{M{-}1}\) satisfies \((p,w[j_l{+}M{-}1],q') \in T_{h_l}^i\). This is because otherwise we would either have \(q' \in B_{l+1}\) or see a breakpoint transition. In particular, there is no path from any \(p \in Q_{M{-}1}\) to \(q'\) labeled by \(w[j_l{+}M{-}1]\) that sees \(T_{h_l}^i\). We can continue this argument inductively until reaching \((Q_0,A_0,h_l)\) and conclude that there is no \(q \in Q'\) such that there exists a \(\theta _i\)-path from q to \(q'\) labeled by \(w[j_l..j_{l+1}{-}1]\) which sees some transition in \(T_{h_l}^i\). This is in contradiction with the second property above.

Hence, the run sees a transition in \(\delta _i^{{\text {break}}}\) infinitely often, which implies that it is accepting. \(\square \)

Recall that \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\) is a GBA with two components: the initial component \(Q_1\) is a copy of \(\mathscr {A}\) where no transition is accepting, and component \(Q_2\) is a copy of \(\mathscr {A}\) without the transitions of \(T_0^i\). The acceptance condition is the GBA condition \(\bigwedge _{1 \le j \le k_i} {{\text {Inf}}}(U_{j}^i)\) where \(U_j^i\) is the set of transitions corresponding to \(T_j^i \setminus T_0^i\) in the component \(Q_2\).

Now let \(\mathscr {D}_i = {\text {det}}({\text {removeFin}}({\text {split}}(\mathscr {A})[i]))\) be the Rabin automaton one gets by applying the construction of [42] to \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). Their soundness-proof [42, Thm. 1] can be modified slightly to prove the following statement, where \(\gamma \) is the extended subset transition function of \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). It shows that an accepting lasso-path through \(\mathscr {D}_i\) induces a special path through the powerset automaton of \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). As a consequence, the corresponding word is accepted by \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). Furthermore, the word labeling the loop of the lasso satisfies a condition which matches the one of Lemma 5.4, and hence is accepted by \(\mathfrak {B}_i\).

Lemma 5.5

Let \(\rho = d_0 d_1 \ldots \) be an accepting run of \(\mathscr {D}_i\) for w satisfying Rabin pair \({{\text {Inf}}}(D_1) \wedge {{\text {Fin}}}(D_2)\) and \(i_0\) be a position such that for all \(l \ge i_0\) we have \((d_l,w[l],d_{l{+}1}) \notin D_2\) and for infinitely many \(l \ge i_0\) we have \(d_{l} = d_{i_0}\).

Then, a sequence \(i_0< i_1 < i_2 \ldots \) and a \(Q' \subseteq Q_2\) exist such that

  • \(Q' \subseteq \gamma (I,w[0..i_0{-}1])\),

  • for all \(l \ge 0\): \(Q' = \gamma (Q',w[i_l..i_{l+1}{-}1])\) and for all \(q_2 \in Q'\) there exists \(q_1 \in Q'\) and a \(\gamma \)-path from \(q_1\) to \(q_2\) labeled by \(w[i_l..i_{l+1}{-}1]\) which hits all transition-sets \(U_1^i, \ldots , U_{k_i}^i\).


The following statement follows directly from the proof of [42, Thm. 1]: Let \(j_0< j_1 < \ldots \) be an infinite sequence of positions such that \((d_l,w[l],d_{l{+}1}) \notin D_2\) holds for \(l \ge j_0\) and the sequence \(d_{j_l}w[j_l]d_{j_l{+}1} \ldots d_{j_{l{+}1}}\) sees at least \(k_i\) transitions in \(D_1\) for all \(l\ge 0\). Then, there exists a sequence \(P_0, P_1 \ldots \), with all \(P_l \subseteq Q_1 \cup Q_2\), such that we have \(P_0 \subseteq \gamma (I,w[0..j_0{-}1])\), \(P_{l{+}1} = \gamma (P_l,w[j_l..j_{l{+}1}{-}1])\) and for all \(q_2 \in P_{l{+}1}\) there exists a \(q_1 \in P_l\) and a \(\gamma \)-path from \(q_1\) to \(q_2\) labeled by \(w[j_l..j_{l{+}1}{-}1]\) which hits all transition sets \(U_1^i,\ldots , U_{k_i}^i\). Furthermore, the sequence is such that if \(d_{j_l} = d_{j_p}\), then \(P_l = P_p\).

Clearly a sequence \(j_0< j_1 < \ldots \) exists satisfying the above assumption (as \(\rho \) is accepting) and which additionally has the property that \(d_{j_l} = d_{j_0}\) for all \(l \ge 0\) (by taking \(j_0 = i_0\) and the fact that infinitely many positions see \(d_{i_0}\)). We may conclude that the sequence \(P_0,P_1 \ldots \) exists as above and as \(d_{j_l} = d_{j_0}\) for all \(l \ge 0\), indeed \(P_0 = P_l\) for all l. So we may take \(Q' = P_0\), and the only thing left to show is that \(Q' \subseteq Q_2\) holds. This, however, follows from the fact that \(Q'\) is reachable from some accepting transition and hence must be included in the accepting part \(Q_2\) of \({\text {removeFin}}({\text {split}}(\mathscr {A})[i])\). \(\square \)

The above lemmas give a sufficient condition for a word to be accepted by \(\mathfrak {B}_i\) (Lemma 5.4), and show that words labeling a loop in the deterministic automaton \(\mathscr {D}_i\) induce a path through the powerset automaton of \({\text {remove\,\,Fin}}({\text {split}}(\mathscr {A})[i])\) (Lemma 5.5). Now, we show how these facts can be used to construct the scheduler \(\mathfrak {S}'\).

Recall that we are given a finite memory scheduler \(\mathfrak {S}\) of \(\mathscr {M}\) and to prove the GFM-property we have to provide a scheduler \(\mathfrak {S}'\) such that \(\Pr ^{\mathfrak {S}}_{\mathscr {M}}(\mathscr {L}(\mathscr {A})) \le \Pr ^{\mathfrak {S}'}_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}(\Pi _{acc})\). Let \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) be the product of the induced finite Markov chain \(M_{\mathfrak {S}}\) with \(\mathscr {D} = \bigotimes _{1 \le i \le m} \mathscr {D}_i\). The scheduler \(\mathfrak {S}'\) is constructed as follows. It stays inside the initial component of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) and mimics the action chosen by \(\mathfrak {S}\) until the corresponding path in \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) reaches an accepting bottom strongly connected component (BSCC) B. This means that the transitions of \(\mathscr {D}\) induced by B satisfy one of the Rabin pairs. The following lemma shows that in this case there exists a state in one of the accepting breakpoint components \(\mathfrak {B}_{i}\) to which \(\mathfrak {S}'\) can safely move.

Lemma 5.6

Let \(\mathfrak {s}\) be a state in an accepting BSCC B of \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) and \(\pi _1\) be a finite path that reaches \(\mathfrak {s}\) from the initial state of \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\). Then, there exists \(1 \le i \le m\) and \(Q' \subseteq \theta \bigl (I,L(\pi _1)\bigr )\) such that

$$\begin{aligned} Pr_{{\mathfrak {s}}}(\{\pi \mid L(\pi ) \text { is accepted from } (Q',\varnothing ,0) \text { in } \mathfrak {B}_i\bigl \}) = 1.\end{aligned}$$


There exists some Rabin pair \({{\text {Inf}}}(D'_1) \wedge {{\text {Fin}}}(D'_2)\) of \({\mathscr {D}}\) such that no transition of B is contained in \(D_2'\), and some transition of B is contained in \(D_1'\). By construction of \(\mathscr {D}\), this pair directly corresponds to a Rabin pair \({{\text {Inf}}}(D_1) \wedge {{\text {Fin}}}(D_2)\) of one of the components \(\mathscr {D}_i\) (as the acceptance condition of \(\mathscr {D}\) is essentially the disjunction of the acceptance conditions of the \(\mathscr {D}_i\)).

Hence for every path \(\pi _2\) through B starting in \(\mathfrak {s}\) which sees all transitions in B infinitely often we find an accepting run \(d_0 d_1 \ldots \) of \(\mathscr {D}_i\) for \(L(\pi _1 \pi _2)\) and a sequence \(j_0< j_1 < \ldots \) where \(j_0 = |\pi _1|\) and such that:

  • no transition of \(d_{j_0} d_{j_0{+}1} \ldots \) is included in \(D_2\),

  • for all \(l \ge 0\): \(d_{j_l} = d_{j_0}\) and the run \(d_0 d_1 \ldots \) sees an accepting transition in between position \(j_l\) and \(j_{l+1}\) for all \(l \ge 0\).

By Lemma 5.5 there exists a \(Q' \subseteq \gamma (I,L(\pi _1)) \cap Q_2\) such that for all \(l \ge 0\): \(Q' = \gamma (Q',w[j_l..j_{l+1}{-}1])\) and for all \(q_1 \in Q'\) there exists a \(q_2 \in Q'\) and a finite \(\gamma \)-path for \(w[j_l..j_{l+1}{-}1]\) hitting all transition-sets \(U_1^i, \ldots , U_{k_i}^i\). Let \(Q''\) be the corresponding set of states of \(\mathscr {A}\), which implies \(Q'' \subseteq \theta (I,L(\pi _1))\). As \(Q' \subseteq Q_2\) we have: for all \(q_1 \in Q''\) there exists a \(q_2 \in Q''\) and a finite \(\theta _i\)-path for \(w[j_l..j_{l+1}{-}1]\) hitting all transition-sets \(T_1^i, \ldots , T_{k_i}^i\).

It follows that the conditions of Lemma 5.4 are satisfied and hence that \(L(\pi _2)\) is accepted from \((Q'',\varnothing ,0)\) in \(\mathfrak {B}_i\). \(\square \)

The lemma does not hold if we restrict ourselves to singleton \(\{q\} \subseteq \theta \bigl (I,L(\pi _1)\bigr )\) (see Example 5.1). Hence, restricting \(\delta _{{\text {bridge}}}^{{\text {GFM}}}\) to such transitions (as for \(\delta _{{\text {bridge}}}^{{\text {LD}}}\), see Definition 5.4) would not guarantee the GFM property.

Fig. 5
figure 5

Restricting \(\delta _{{\text {bridge}}}^{{\text {GFM}}}\) to transitions with endpoints of the form \((s, (\{q\},\varnothing ,0))\) (similar to \(\delta _{{\text {bridge}}}^{{\text {LD}}}\)) would not guarantee the GFM property (see Example  5.1)

Example 5.1

Consider the automaton \(\mathscr {A}\) with states \(\{\texttt{a}_i\texttt{b}_j \mid i,j \in \{1,2\}\} \cup \{\texttt{b}_i\texttt{a}_j \mid i,j \in \{1,2\}\}\), where \(\texttt{a}_i\texttt{b}_j\) has transitions labeled by \(a_i\) to \(\texttt{b}_j\texttt{a}_1\) and \(\texttt{b}_j\texttt{a}_2\). Transitions of states \(\texttt{b}_i\texttt{a}_j\) are defined analogously, and all states in \(\{\texttt{a}_i\texttt{b}_j \mid i,j \in \{1,2\}\}\) are initial (Fig. 5 shows the transitions of \(\texttt{a}_1\texttt{b}_1\)). All transitions are accepting for a single Büchi condition, and hence \(\mathscr {L}(\mathscr {A}) = (\{a_i b_j \mid i,j \in \{1,2\}\})^{\omega }\).

Consider the Markov chain \(\mathscr {M}\) in Fig. 5 (transition probabilities are all 1/2 and omitted in the figure). Clearly, \(\Pr _{\mathscr {M}}(\mathscr {L}(\mathscr {A})) = 1\). Figure 5 shows a part of the product of \(\mathscr {M}\) with the breakpoint automaton \(\mathfrak {B}\) for \(\mathscr {A}\) (Definition 5.3) starting from \(\bigl (a_1,(\{\texttt{a}_1\texttt{b}_1\},\varnothing ,0)\bigr )\). As \(\texttt{b}_1\texttt{a}_1\) and \(\texttt{b}_1\texttt{a}_2\) have no \(b_2\)-transition, the state \(\bigl (b_2,(\{\texttt{b}_1\texttt{a}_1,\texttt{b}_1\texttt{a}_2\},\varnothing ,0)\bigr )\) is a trap state. Hence, the state \(\bigl (a_1,(\{\texttt{a}_1\texttt{b}_1\},\varnothing ,0)\bigr )\) generates an accepting path with probability at most 1/2. This holds for all states \(\bigl (s,(P',\varnothing ,0)\bigr )\) of \(\mathscr {M}\times \mathfrak {B}\) where \(P'\) is a singleton. But using \(\delta _{{\text {bridge}}}^{{\text {LD}}}\) to connect initial and accepting components implies that any accepting path sees such a state. Hence, using \(\delta _{{\text {bridge}}}^{{\text {LD}}}\) to define \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) would not guarantee the GFM property.

Using Lemma 5.6 we can define \(\mathfrak {S}'\) such that the probability accepting paths under \(\mathfrak {S}'\) in \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is at least as high as that of paths with label in \(\mathscr {L}(\mathscr {A})\) in \(\mathscr {M}_{\mathfrak {S}}\). This is the non-trivial direction of the GFM property.

Lemma 5.7

For every finite-memory scheduler \(\mathfrak {S}\) on \(\mathscr {M}\), there exists a scheduler \(\mathfrak {S}'\) on \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) such that:

$$\begin{aligned} \mathop {\Pr }\nolimits _{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}^{\mathfrak {S}'}(\Pi _{acc}) \ge \mathop {\Pr }\nolimits _{\mathscr {M}}^{\mathfrak {S}}(\mathscr {L}(\mathscr {A}))\end{aligned}$$


Let \(\mathfrak {S}\) be a finite-memory scheduler on \(\mathscr {M}\) and \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) be as above. As \(\mathfrak {S}\) uses only finite memory, the Markov chain \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) has finitely many states. This, in turn, implies that a BSCC will be reached with probability one.

We construct the scheduler \(\mathfrak {S}'\) as follows. For every finite path \(\pi _1\) of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) it needs to choose an action of \(\mathscr {M}\) and whether to move from the initial component to one of the breakpoint components (this is the only nondeterministic choice in \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\)). The action of \(\mathscr {M}\) is always chosen in the same way as by \(\mathfrak {S}\) for the corresponding finite path of \(\mathscr {M}\). If the path in \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) corresponding to \(\pi _1\) does not end in a BSCC, \(\mathfrak {S}'\) chooses to remain in the initial component. If it does reach a BSCC B we make a distinction on whether B is accepting or not. If B is not accepting, then \(\mathfrak {S}'\) can be defined arbitrarily for all prefixes that extend \(\pi _1\). If B is accepting, then let us assume that the last state visited by \(\pi _1\) is (sP). Then P is exactly the set of states reachable in \(\mathscr {A}\) from I on a path labeled by \(L^{\times }(\pi _1)\). By Lemma 5.6 there exists \(1 \le i \le m\) and \(Q' \subseteq P\) such that the probability of generating a suffix \(\pi _2\) from state s in \(\mathscr {M}\) under scheduler \(\mathfrak {S}\) whose label is accepted in \(\mathfrak {B}_i\) from state \((Q',\varnothing ,0)\) is 1. Consequently, \(\mathfrak {S'}\) chooses \(\bigl (\theta (Q',L(s)),\varnothing ,0\bigr )_i\) as the successor state of the automaton and continues to simulate \(\mathfrak {S}\).

The induced probability of \(\mathscr {L}(\mathscr {A})\) in \(\mathscr {M}_{\mathfrak {S}}\) equals the probability of reaching an accepting BSCC in \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\), as \(\mathscr {D}\) is a deterministic automaton for \(\mathscr {L}(\mathscr {A})\). By construction, the probability in \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) under scheduler \(\mathfrak {S}'\) of generating a finite trace that reaches an accepting BSCC in \(\mathscr {M}_{\mathfrak {S}} \times \mathscr {D}\) equals this probability. Furthermore, after generating such a trace, \(\mathfrak {S}'\) moves to a state \(\bigl (s,(Q',\varnothing ,0)\bigr )\) where \((Q',\varnothing ,0)\) is a state of one of the automata \(\mathfrak {B}_i\) such that, by continuing to simulate \(\mathfrak {S}\), a suffix trace is generated with probability one which is accepted from \((Q',\varnothing ,0)\) in \(\mathfrak {B}_i\). As \(\mathfrak {B}_i\) is deterministic there is only one corresponding path for such a trace, and this path is accepting. It follows that the probability of generating a path in \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) under \(\mathfrak {S}'\) whose induced path in \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is accepting is at least as high as the induced probability of \(\mathscr {L}(\mathscr {A})\) in \(\mathscr {M}_{\mathfrak {S}}\). In other words we have \(\Pr _{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}^{\mathfrak {S}'}(\Pi _{acc}) \ge \Pr _{\mathscr {M}}^{\mathfrak {S}}(\mathscr {L}(\mathscr {A}))\), which concludes the proof. \(\square \)

Theorem 5.2

The automaton \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is good-for-MDP.


To show that \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is GFM, it suffices to show the following two statements:


For every finite memory scheduler \(\mathfrak {S}\) of \(\mathscr {M}\) there exists a scheduler \(\mathfrak {S}'\) of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) such that

$$\begin{aligned} \text {Prs}_{\mathscr {M}}^\mathfrak {S} (\mathscr {L}({\mathscr {A}})) \le \Pr \nolimits _{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}^{\mathfrak {S}'}{\Pi _{(acc)}} \end{aligned}$$

For every finite memory scheduler \(\mathfrak {S}\) of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) there exists a scheduler \(\mathfrak {G}'\) of \(\mathscr {M}\) such that

$$\begin{aligned} \Pr \nolimits _{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}^{\mathfrak {S}}{\Pi _{(acc)}} \le \text {Prs}_{\mathscr {M}}^{\mathfrak {S}'} (\mathscr {L}({\mathscr {A}})) \end{aligned}$$

1. is proved by Lemma 5.7 and 2. is proved for arbitrary automaton in [28, Thm. 1]. \(\square \)

To compute \(\textbf{Pr}_{\mathscr {M}}^{\max }(\mathscr {L}(\mathscr {B}))\) one can translate \(\mathscr {B}\) into an equivalent TELA \(\mathscr {A}\) in DNF, then construct \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) and finally compute \(\textbf{Pr}^{\max }_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}(\Pi _{{\text {acc}}})\). The automaton \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) is single-exponential in the size of \(\mathscr {B}\) by Theorem 5.1, and it is well known that \(\textbf{Pr}^{\max }_{\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}}(\Pi _{{\text {acc}}})\) can be computed in polynomial time in the size of \(\mathscr {M}\times \mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) [3, Thm. 10.127].

Theorem 5.3

Given a TELA \(\mathscr {B}\) (not necessarily in DNF) and an MDP \(\mathscr {M}\), the value \(\textbf{Pr}^{\max }_{\mathscr {M}}(\mathscr {L}(\mathscr {B}))\) can be computed in single-exponential time.

6 Experimental evaluation

The product approach combines a sequence of deterministic automata using the disjunctive product. We introduce the langcover heuristic: the automata are “added” to the product one by one, but only if their language is not already subsumed by the automaton constructed so far. This leads to substantially smaller automata in many cases, but is only efficient if checking inclusion for the considered automata types is efficient. In our case this holds because we can reduce the needed checks to inclusion checks on Street automata, which are in P [2, Table 2]. Note, that this is not the case for arbitrary deterministic TELA, or nondeterministic automata.

6.1 Implementation

We compare the following implementations of the constructions discussed above.Footnote 2Spot uses the TELA to GBA translator of Spot, simplifies (using Spot’s postprocessor with preference Small) and degeneralizes the result and then determinizes using a version of Safra’s algorithm [18, 38]. The \({\text {removeFin}}\) function that is used is an optimized version of Definition 3.3. If the input is a weak, Rabin or Street automaton, Spot uses dedicated algorithms instead of \({\text {removeFin}}\) to construct the GBA. In the constructions remFin\(\rightarrow \)split\(\alpha \), split\(\alpha \) \(\rightarrow \)remFin and remFin\(\rightarrow \)rewrite\(\alpha \), the first step is replaced by the corresponding TELA to GBA construction (using Spot’s function \({\text {removeFin}}\)). The product approach (also implemented using the Spot-library) is called product and product (no langcover) (without the langcover heuristic). The intermediate GBA are also simplified. The construction \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) is implemented in limit-det., using the Spot-library and parts of Seminator [8]. We compare it to limit-det. via GBA, which concatenates the TELA to GBA construction of Spot with the limit-determinization of Seminator. Similarly, good-for-MDP and good-for-MDP via GBA are the construction \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) applied to \(\mathscr {A}\) directly, or to the GBA as constructed by Spot. Both constructions via GBA are in the worst case double-exponential. No post-processing, e.g. Spot’s postprocessor, is applied to any output automaton.

6.2 Experiments

Computations were performed on a computer with two Intel E5-2680 CPUs with 8 cores each at \(2.70\) GHz running Linux. Each individual experiment was limited to a single core, 15 GB of memory and 1200 seconds. We use versions 2.9.4 of Spot (configured to allow 256 acceptance sets) and 2.0 of Seminator.

Table 1 Evaluation of benchmarks random and DNF. Columns “States”, “Time” and “Acceptance” refer to the respective median values, where mem-/timeouts are counted as infinity. Values in brackets refer to the subset of input automata for which at least one determinization needed more than 0.5 seconds (447 (182) automata for benchmark random (DNF))
Fig. 6
figure 6

Comparing pairwise the sizes of the state spaces for different approaches on the random benchmark.

Our first benchmark set (called random) consists of 1000 TELA with 4 to 50 states and 8 sets of transitions \(T_1, \ldots , T_8\) used to define the acceptance conditions. They are generated using Spot’s procedure random_graph() by specifying probabilities such that: a triple \((q,a,q') \in Q \times \Sigma \times Q\) is included in the transition relation (3/|Q|) and such that a transition t is included in a set \(T_j\) (0.2). We use only transition systems that are nondeterministic. The acceptance condition is generated randomly using Spot’s procedure acc_code::random(). We transform the acceptance condition to DNF and keep those acceptance conditions whose lengths range between 2 and 21 and consist of at least two disjuncts. To quantify the amount of nondeterminism, we divide the number of pairs of transitions with common starting point and symbol (that is, of the form \((q,a,q_1),(q,a,q_2)\), with \(q_1 \ne q_2\)) of the automaton by its number of states.

Table 1 shows that the product produces smallest deterministic automata overall. Spot produces best results among the algorithms that go via a single GBA. One reason for this is that after GBA-simplifications of Spot, the number of acceptance marks of the intermediate GBA are of about the same and Spot constructs GBA with fewer states. This difference in the number of states is expected, given the theoretical analysis in Sect. 3.2. The similarity of the numbers of acceptance marks is not supported by the theoretical analysis and can only be explained by Spot’s advanced GBA-simplification algorithms that might suit Spot ’s GBA better than the GBA constructed by the other approaches.

The limit-deterministic automata are in general much smaller than the deterministic ones, and limit-det via GBA. performs best in this category (see Fig. 6). However, the construction \(\mathscr {G}^{{\text {LD}}}_{\mathscr {A}}\) (limit-det.) resulted in fewer time- and memouts and, as shown in Fig. 6, it still produces for most cases outputs with fewer states than Spot .

For GFM automata we see that computing \(\mathscr {G}^{{\text {GFM}}}_{\mathscr {A}}\) directly, rather than first computing a GBA, yields much better results (good-for-MDP vs. good-for-MDP via GBA). However, the GFM automata suffer from significantly more time- and memouts than the other approaches. The automata sizes are comparable with Spot ’s determinization (see Fig. 6). Given their similarity to the pure limit-determinization constructions, and the fact that their acceptance condition is much simpler than for the deterministic automata, we believe that future work on optimizing this construction could make it a competitive alternative for probabilistic model checking using TELA.

Table 2 Comparison of Spot and product, with input automata grouped by the size of the DNF of their acceptance condition and the amount of nondeterminism. “States”, “Time” and “Acceptance” refer to the median of the ratio product / Spot . The number of automata that is denoted in brackets is the number of input automata for which both approaches were able to construct a result within the given time and memory bounds.

We compare the two best performing determinization approaches, Spot and product, in more detail. Figure 6 shows that the results are widely spread, i.e. both approaches produce smaller results than the other one for a significant number of inputs. Figure 2 partitions the set of all input automata according to acceptance complexity (measured in the size of their DNF) and amount of nondeterminism. Each subset of input automata is of roughly the same size (159-180). The number of timeouts and memouts increases with the amount of nondeterminism and the size of the input acceptance condition and reaches up to 42%. The values “states”, “time” and “acceptance” are the median value of the ratio of these metrics. If only one of the approaches was able to construct a result within the given time and memory bounds we define the ratio as 0 ( Spot did not construct a result) or infinity (product did not construct a result). If none of the approaches was able to construct a result, we do not consider this input automaton for the calculation. Values below 1 indicate that product produces smaller results and values above 1 indicate that Spot produces smaller results. The approach product produces for all subsets of input automata outputs with fewer states than Spot and the ratio of the computation time decreases the larger the amount of nondeterminism and the longer the acceptance condition is.

The second benchmark set (called DNF) consists of 500 TELA constructed randomly as above, apart from the acceptance conditions. They are in DNF with 2-3 disjuncts, with 2-3 \({{\text {Inf}}}\)-atoms and 0-1 \({{\text {Fin}}}\)-atoms each (all different). Such formulas tend to lead to larger CNF conditions, which benefits the new approaches. Table 1 shows that product produces way smaller results than Spot . Again, Table 2 partitions the set of input automata but we do not consider different lengths of acceptance conditions here because the subsets of input automata are already relatively small (140-193). Again, product performs better for automata with more nondeterminism.

Fig. 7
figure 7

Comparing the approaches for input automata of Fig. 4. The copy-based GBA approaches produce the same results and are collapsed here.

The third benchmark set consists of the sequence of automata described in Fig. 4. Figure 7 shows the results for such input automata with 1-25 states. For these automata, Spot first computes GBA with an exponential number of acceptance sets. As a consequence most input automata lead to a time- or memout and, if the computation finishes, to large output automata. Therefore, our proposed alternative constructions can compute results for far larger input automata. The example also highlights the effect of the langcover heuristic: it benefits from the fact that the language of the input automaton under any individual disjunct of the DNF is the same. This is used to prune large parts of the state-space.

7 Conclusion

In this article, new approaches for determinization and limit-determinization of transition-based Emerson-Lei automata (TELA) have been suggested. One of these constructions produces limit-deterministic good-for-MDP automata, which can be used for quantitative probabilistic verification. The constructions have all been implemented and evaluated experimentally. The evaluation shows promising results in particular when applying the new product construction for determinization of TELA. Furthermore, we show that the complexity of limit-determinization of TELA is single-exponential rather than double-exponential (as compared to full determinization).

The presented work opens the door to numerous research questions and directions. At first, a general study on what properties can be naturally encoded directly into nondeterministic TELA would be of interest. This could be combined with a general evaluation of the developed approaches against real-world examples. It would also be interesting to see, whether and how much the new constructions could be further improved by relying on determinization procedures for GBA that use a general acceptance condition (rather than Rabin or parity) to reduce the number of states. Such an analysis could pave the way to develop a heuristic that selects for every GBA the determinization procedure that leads to the best overall result. Another important direction would be to consider translations from LTL to compact, nondeterministic TELA, which could then be used within (probabilistic) model-checking tools for LTL. A first step in this direction has already been made in [32]. Furthermore, the evaluation of good-for-MDP automata in the context of probabilistic model checking is another future research direction.