Synthesis of Compact Strategies for Coordination Programs

. In multi-agent settings, such as IoT and robotics, it is necessary to coordinate the actions of independent agents to achieve a joint behavior. While it is often easy to specify the desired behavior, programming the necessary coordination can be di(cid:14)cult. This makes coordination an attractive target for automated program synthesis; however, current methods may produce strategies that issue useless actions. This paper develops theory and methods to synthesize coordination strategies that are guaranteed not to initiate unnecessary actions. We refer to such strategies as being \compact." We formalize the intuitive notion of compactness, show that existing methods do not guarantee compactness, and propose a solution. The solution transforms a given temporal logic speci(cid:12)cation using automata-theoretic constructions to incorporate a notion of minimality. The central result is that the winning strategies for the transformed speci(cid:12)cation are precisely the compact strategies for the original. One can therefore apply known synthesis methods to produce compact strategies. We report on prototype implementations that synthesize compact strategies for temporal logic speci(cid:12)cations and for speci(cid:12)cations of multi-robot coordination.


Introduction
Imagine a future home where devices are network-controllable and the control program is synthesized from requirements. Suppose that the homeowner asks for the living-room lights to be turned on when it gets dark. To meet this requirement, a control program must necessarily coordinate the on/off state of the lights with readings from an illumination sensor.
This specification may be expressed more precisely in linear-time temporal logic (LTL) as G(dark ⇒ X light-on). 3 Here "dark" is a proposition that represents a reading from the sensor, and is therefore an input to the control program, while "light-on" is a proposition that represents an action, and is therefore an output of the control program. Abstracting this formula to the shape G(a ⇒ X b), the left half of Figure 1 shows the smallest state machine that meets this specification. It represents a control program that entirely ignores the sensor input and leaves the lights on all day! This strategy is clearly undesirable, although technically it does meet the specification. The machine on the right represents the "commonsense" controller that keeps the lights on only as long as the sensor indicates that it is dark. The two machines are equally valid from the viewpoint of correctness. How then should we distinguish them? And how can a synthesis method avoid generating undesirable solutions? Those are the questions addressed in this paper. We suggest that the crucial distinguishing factor is that the left-hand machine invokes actions that are not essential to satisfying the property. For instance, if the input a is false now, there is no need to invoke action b in the next step. If input a remains false, there is no need to invoke action b at all. It is vital to avoid useless actions in the domains of IoT and robotics, where agents interact with the physical world: there is no need to switch on a toaster when only watering the lawn is asked for. Indeed, switching on the toaster unexpectedly may have dangerous side effects. A reader may easily imagine other similar situations.
We refer to the policy of avoiding unnecessary actions as compactness. Strategies that satisfy this property while meeting the specification are called compact. An immediate question is whether compactness is ensured by standard synthesis methods. Unfortunately, the answer is 'no.' Bounded synthesis [35,20], for instance, will produce the smallest satisfying Mealy or Moore machine; in this setting, the solution of Figure 1(i). We have validated this experimentally with the tool BoSy [19]. Quantitative synthesis (cf. [6]) finds solutions that are worstcase optimal, i.e., programs where the maximum cost, over all input sequences, is the lowest possible. (Dually, programs where the worst-case reward is the highest possible.) Letting each action invocation have unit cost, a quantitative method cannot distinguish between the solutions shown, as both have the same maximum cost for the input where a is always true. We make this analysis precise subsequently, and show that average-case optimality also does not always distinguish compact from non-compact solutions. We have validated this experimentally with the tool QUASY [13]. Hence, compactness cannot be defined in quantitative terms: the synthesis of compact strategies requires new methods. At its core, the issue of compactness is a variation of the well-known frame problem in logic-based AI [29]. The natural way to express the example requirement is as G(a ⇒ X b). However, the semantics of temporal logic allows many satisfying interpretations; among those is the undesirable one of Figure 1(i). This tension between the freedom of interpretation allowed in logic and the naturalness of a specification is at the heart of the frame problem. One approach to achieving compactness is therefore to write a tighter specification, which permits fewer interpretations; e.g., to write the stronger assertion G(a ≡ X b). But this is not a natural choice. Moreover, reworking a specification by hand to rule out interpretations with unnecessary actions is difficult as the process is not compositional: i.e., one cannot rework portions of a specification separately. The specification transformation defined here performs such a tightening automatically, using automata-theoretic constructions.
The motivating application of compactness is to the synthesis of centralized coordination programs. As formalized in [3], in a coordination problem, a group of independent agents, denoted A 1 , . . . , A n , are guided by an additional synthesized agent, C, so that their joint behavior meets a temporal specification ϕ. That work describes a specification transformation from ϕ to ϕ that incorporates asynchronous agent behavior and other constraints. This transformation, however, does not guarantee compactness. We take the transformed problem as the starting point for our investigations, and consider the more general question of how to generate a compact solution for a given temporal specification.
We begin by proposing a mathematical definition of the compactness property. Generalizing from the example, one can consider a strategy to be compact if for each input sequence, the sequence of actions produced as output (1) meets the specification and (2) cannot be further improved. We formalize the second notion as minimality with respect to a supplied "better than" preference relation between two output sequences. This formulation is closely related to formalizations of commonsense reasoning, in particular the notion of circumscription introduced by McCarthy in [28].
For coordination problems, a natural preference relation is based on the subset ordering on sets of actions. We say that sequence y is better than sequence x if (1) in each step, the actions issued in y are a subset of the actions issued by x and (2) for at least one step, the actions in y are a strict subset of the actions in x. The smallest compact strategy for G(a ⇒ X b) under this preference relation issues action b precisely when input a is true at the prior step. Otherwise, there is a point where a is false but b is issued at the next step. Removing this occurrence of b produces a better sequence that also satisfies the property. This is precisely the strategy defined by the machine in Fig. 1(ii). Alternative preference relations may order sets of actions by size, or order sequences of actions by the substring relation. One may also compare infinite action sequences by cost (limit average or discounted sum) using comparator automata [2]. The choice of preference relation is driven by the application domain. To accommodate various options, compactness is parameterized by the preference relation.
Technically, a temporal specification ϕ can be viewed as a language L, a set of infinite words over a joint input-output alphabet. For a preference relation ≺ over infinite words, it is natural to formulate the language min(L, ≺) that contains only the minimal words in L with respect to the preference relation. The central theoretical result in this paper is that there is a compact strategy satisfying L if, and only if, there is a strategy satisfying min(L, ≺). This theorem reduces the question of synthesizing compact strategies to a standard synthesis question, making it possible to use existing synthesis algorithms to produce compact strategies. We give sufficient conditions under which min(L, ≺) is regular when L is a regular language, and show how to effectively construct a finite automaton for the minimal language and for its complement, from either an automaton or an LTL formula for L. The constructed automata can also be used to model-check whether a given control program defines a compact strategy. Moreover, the transformation makes it possible to modularly apply quantitative or other criteria for synthesis from min(L, ≺); for instance, to synthesize compact strategies that minimize program size or worst-case execution time.
We have implemented these constructions and used them to synthesize compact strategies for LTL specifications and for a class of specifications that arise in multi-robot coordination. Experiments show that compact strategies exist for many specifications and can be effectively computed, albeit with some added overhead. We also experiment with approximation methods which are simpler and avoid potential worst-case exponential blowups in the general construction.
In our view, the main contributions of this work are in bringing attention to the need for compactness in program synthesis; showing its independence from existing criteria; giving a precise formulation in terms of minimality; and in designing and implementing algorithms to synthesize compact strategies.

Background
Automata A finite automaton is a tuple (Q, Σ,Q, δ, F ) where Q is a set of states; Σ is a set of letters, an alphabet;Q is a non-empty set of initial states; δ ⊆ Q × Σ × Q is a transition relation; and F is a non-empty set of final states.
A word over Σ is a (possibly empty) sequence of letters from Σ. For a word w, its length |w| is the number of letters in w if w is finite and ω if w is infinite. We assume the standard definition of a run of the automaton on a word. If w is finite, a run on w is accepting if the last state of the run is in F ; if w is infinite, a run is accepting by the Büchi condition if a state in F occurs on the run infinitely often. The language of an automaton is the set of words for which there exists an accepting run. One typically distinguishes between the finite-word language and the infinite-word language of an automaton. An automaton is deterministic if there is exactly one initial state and for every q and a, there is at most one q such that (q, a, q ) is in δ.
We use the standard abbreviations DFA, NFA and NBA for a deterministic automaton, a nondeterministic automaton over finite words, and a nondeterministic Büchi automaton over infinite words respectively. LTL Linear Temporal Logic (LTL) is a logic defined over a set of atomic propositions, AP . The logic has the following minimal grammar, where p ∈ AP : The satisfaction relation is defined over infinite words where each letter is a subset of AP . It has the form w, i |= f for a word w and a natural number i, and is given by structural induction on formulas. We omit the standard definition. The language of a formula is the set of words that satisfy it. Standard constructions compile an LTL formula to an NBA that accepts the same language (cf. [18,39]), possibly incurring an exponential blowup.
Programs as Transition Systems A program is represented by its state transition system. This is a Moore machine, defined as a tuple (S,Ŝ, I, O, R, o) where S is a set of states,Ŝ is a non-empty set of initial states; I is a set of input values; O is a set of output values; R ⊆ S × I × S is the transition relation, which must be total on I; and o : S → O is the output mapping. An execution of this system is an unbounded alternating sequence of states and inputs, and takes the form s 0 , a 0 , s 1 , a 1 , . . ., such that for each i, the triple (s i , a i , s i+1 ) is in the transition relation. A computation is an execution of this form where s 0 is an initial state.
Input-Output Words An input-output word (i/o word for short) is a pair of sequences (a, b) where a is a sequence of inputs, b is a sequence of outputs, and |b| = 1 + |a|. The input-output word induced by a program execution s 0 , a 0 , s 1 , a 1 , . . . Games and Strategies A strategy is a function from finite sequences of inputs to outputs, represented as σ : I * → O. For an infinite input sequence a = a 0 , a 1 , . . ., the strategy σ induces the infinite output sequence denoted σ(a), given by σ( ), σ(a 0 ), σ(a 0 , a 1 ), . . .. A play for input a is the i/o word (a, b = σ(a)). We sometimes abuse this notation and use σ(a) to refer to the play induced by a. A play is winning for a temporal property ϕ if it satisfies this property when viewed as a zipped i/o word. A strategy σ is winning for ϕ if for every input a, the play on a is winning for ϕ.
The realizability question is: given a property ϕ, determine whether there exists a program satisfying ϕ. The synthesis question is: given a property ϕ that is realizable, construct a program that satisfies ϕ. A strategy σ induces a deterministic program with an infinite state space, denoted P (σ) = (S,Ŝ, I, O, R, o). The state space S is the set of finite input sequences I * , the initial state is , the output label for state x is σ(x) and the transition relation R is given by {(x, a, xa) | x ∈ I * , a ∈ I}. This is in fact an infinite complete tree over I (sometimes called a "fulltree") where each node is labeled by an output value. A labeled fulltree, in turn, corresponds to a strategy and a deterministic program.

Synthesis Methods for Temporal Properties
There is an extensive literature on methods to synthesize programs from LTL specifications (cf. [34,32,31,26] and tools that implement various algorithms (cf. [33,8,17,27,35,20]), all based on the conversion from LTL formulas to equivalent automata.
The classical approach to realizability of temporal properties (which we only sketch here, cf. [34,32]) is via the connection between programs, strategies, and labeled fulltrees. If a property ϕ is realizable, there is a deterministic program M satisfying ϕ. This program may also be seen as a strategy and a fulltree. From a deterministic word automaton with the same language as ϕ, one constructs a tree automaton that accepts precisely the fulltrees that satisfy ϕ. Now ϕ is realizable if and only if the language of this tree automaton is non-empty. For properties in LTL, this procedure can be carried out in 2EXPTIME in the length of the formula ϕ; the problem is 2EXPTIME-complete [32]. A winning strategy can be extracted as a finite state, deterministic reactive program from the tree automaton, thanks to the finite-model property of temporal logic. This approach is implemented in the tool Strix [30].
Two other approaches have been developed. One is to limit the logic: the GR(1) fragment expresses many useful properties, has a lower complexity (DEX-PTIME), and can be implemented easily using symbolic (BDD-based) methods [31]. This is implemented in several tools [33,8,17,27]. The bounded synthesis method applies to full LTL and is iterative in nature. By placing bounds on the size of the intended program and the ranking argument for formula satisfaction, one obtains a simpler safety game, which can be solved using symbolic methods [26,35,20]. The approach is implemented in [11,19].
We use two of the approaches described above in this work. The classical approach is used to determine compact realizability of an arbitrary LTL formula, while GR(1) approach is used in the multi-robot setting.

Compactness
We formulate compactness for temporal specifications, investigate its properties, and show how to synthesize a compact strategy through a specification transformation. We consider specifications on infinite words for simplicity and to match the semantics of temporal logic.
A relation ≺ O over the set of infinite output words is a preference relation if its transitive closure ≺ + O is irreflexive. We informally say that word b is better As the transitive closure is irreflexive, it is not possible for a word to be better than itself, matching intuition. This relation is extended to input-output words as follows. An i/o word (a, b) is better than an i/o word (a , b ) if (1) the input sequences a and a are identical, and (2) The first condition ensures that comparable words have the same input sequence, which is important as we are ultimately interested in the i/o words that are generated as plays of strategies.

Definition 1 (Compact Strategy).
A strategy σ is compact for an i/o language L if (1) σ is a winning strategy for L and (2) for every input sequence a, there is no i/o word (a, b ) such that (a, b ) satisfies L and (a, b ) is better than the i/o word (a, b = σ(a)) that is produced as the play of σ on input a.
The first condition ensures that σ is a valid strategy for L; the second that a compact strategy produces the "best possible" output for each input. We say that a language L is compactly realizable if it has a compact strategy.
Proof. From right-to-left, consider a compact strategy σ for L. From the definition, σ is a winning strategy for L, hence L is realizable.
The converse does not hold. Let the input set I = {0, 1} and the output set O = {c, d} with the output preference ordering c < d extended point-wise to output words. Let the specification L consist of sequences of the form c(0c) ω and d({0, 1}d) ω . This is realizable. No winning strategy can produce c on as there can be no win on input 1 ω . The single winning strategy produces d on every input sequence, including . But this strategy is not compact: for input 0 ω it generates d(0d) ω , but there is the better word c(0c) ω in L.
Standard realizability is monotone: if L ⊆ L and program M satisfies L , then M also satisfies L. However, compact realizability is neither monotone nor anti-monotone (proof in the full version). As is the case with deduction systems for commonsense reasoning (cf. [37]), non-monotonicity is a consequence of the formulation in terms of minimality.
The simple example from the Introduction is easily extended to a collection of N "if-condition-then-action" requirements. The IFTTT service (https://ifttt. com) or Apple Shortcuts implement these operationally, using an event-driven rule engine. However, from the viewpoint of temporal logic and synthesis, the results can be unexpected, as we have seen. The N requirements in LTL have the shape ( i : G(a(i) ⇒ X b(i))). The smallest model is one with a single state, issuing all the b actions unconditionally. This is clearly unintended. The intended model, which is compact, has 2 N states, one for each subset of the b actions. Thus, the gap between the smallest non-compact and compact models can be exponential in the length of the specification.
We now show the main theorem that links compact and standard realizability through a specification transformation.
Definition 2 (minimal language). For a language L over alphabet Σ and a preference relation ≺ on Σ-words, the minimal elements of L form the language min(L, ≺) = {x | x ∈ L ∧ ¬(∃y : y ∈ L ∧ y ≺ + x)} I.e., a word x is in min(L, ≺) if it belongs to L and there is no word y in L that is transitively better than x. Proof. (Left-to-right) Let σ be a strategy that compactly realizes L. Consider any input sequence a. The output b = σ(a) produced by the strategy is such that there is no word in L that is better than (a, b), by the definition of compactness. Hence, (a, b) is in min(L, ≺). As this holds for each input sequence, σ is a winning strategy for min(L, ≺).
(Right-to-left) Let σ be a winning strategy for min(L, ≺). For any input sequence a and its corresponding output b = σ(a), the word x = (a, b) must satisfy min(L, ≺). By the definition of min, we have that (1) x also satisfies L. Moreover, (2) there is no i/o word y that is better than x and also satisfies L.

Effective Minimality Constructions for LTL
Theorem 2 implies that one can reduce compact realizability to standard realizability. Given a temporal specification ϕ, we transform its language L(ϕ) to the language C(ϕ) = min(L(ϕ), ≺). Starting from an LTL formula f , we give two constructions: one for the minimal language C(f ), the other for its complement. The constructions assume that the relation ≺ + can be expressed as an NBA, which is the case for the preference order defined in the Introduction.
The first construction directly follows Definition 2. The left-hand term (x ∈ L(f )) is fulfilled by the standard conversion from LTL formula f to an NBA A f . For the right-hand term, we use the same NBA A f , now re-defined over y, for the y ∈ L(f ) term; intersect this with the NBA for ≺ + ; then project onto x and complement to obtain an NBA for the right-hand conjunct. The intersection of these two NBAs provides an NBA for C(f ). These steps may result a worst-case double exponential blowup in the size of f : the first exponential is in the construction of A f ; the second is in the complementation step. A similar construction applies if the specification is given directly as an NBA.
The second construction produces an NBA for the complement of the minimal language, with "only" a worst-case single exponential blowup. The complement For an LTL formula f , one constructs NBAs A f and A ¬f for the LTL formulas f and ¬f , respectively. An NBA for (∃y : y ∈ L(f ) ∧ y ≺ + x) is obtained as in the first construction by omitting the final complementation step. The union of this NBA with the NBA for A ¬f gives an NBA for the complement of C(f ).
The NBA for the complement of C(f ) can be used to model-check whether a given strategy is compact. It can also be used to synthesize machines using bounded synthesis, which requires an NBA for the complement of the specification property. The worst-case blowups are unavoidable: that follows from a lower-bound result by Birget [5] and a simpler but less general result of ours, discussed in the full version of this paper.

Relationship to Quantitative Synthesis
The formulation of compactness is in terms of a qualitative notion of minimality. A natural question is the relationship to methods for synthesis with quantitative objectives; in particular, methods for producing programs with optimal worst-case or average-case behavior [6,13]. Expanding on the argument in the Introduction, we establish that worst-case optimality cannot always distinguish between compact and non-compact solutions to a given specification.
In quantitative formulations, the synthesis game is formulated so that each transition has an associated reward. The reward of an infinite computation is defined using standard cumulative metrics such as mean-payoff (the limit of average rewards over successively longer prefixes) or discounted sum (the sum of rewards over the computation discounted geometrically, i.e., the k'th reward contributes a factor d k , where d ∈ (0, 1) is the discount factor). The objective is to find a winning strategy with maximum worst-case reward, where the worstcase reward is the minimum reward over all inputs. In the stochastic form of the game, an additional probabilistic player "Nature" is introduced, and the objective is to find a winning strategy with the maximum average-case reward, where the average is the expectation taken over the induced probability space. Precise definitions of these concepts can be found in [6].
Worst-case optimality We return to the example discussed in the Introduction. There, we had assumed for simplicity that each action set is assigned a cost that is its cardinality. However, the reasoning carries over to any cost function that is monotonic with respect to set inclusion: i.e., if A ⊂ B then cost(A) < cost(B). Intuitively, monotonicity captures the preference for choosing a smaller set of output actions. Consider the mean-payoff cost of an infinite execution where the input a is always true. For the non-compact program in Figure 1(i), it is obvious that the limit of the average cost is cost({b}). That is also the case for the compact program in Figure 1(ii): the fact that the initial cost is cost(∅) is swamped in the limit. This is the worst case input for both programs by the monotonicity of the cost function. The best case for the program on the right is when the input a is almost everywhere false. Thus, worst-case optimality cannot distinguish between the two programs for any monotonic cost function.
Average-case optimality We now show that average-case optimality also cannot always distinguish between compact and non-compact strategies. The general principle is that if a strategy is non-compact only for a finite prefix of a computation, its average-case cost in the limit will be the same as the cost of a strategy which performs in a compact manner throughout.
Consider the input set I = {0, 1}. Suppose that inputs are chosen uniformly at random. The output set O is the set of subsets of the action set A = {a, b}. Let the specification be the following: the initial choice of output set is either {a} or A; all subsequent outputs must be A. There are only two winning strategies, which differ only in their choice of initial output (either {a} or A); both produce output A subsequently regardless of the input. Assuming unit cost per output action, the average cost of a run of length n is thus (1 + 2(n − 1))/n for the first strategy and 2 for the second. In the limit, both strategies have average cost 2, although the first is compact, while the second is not. This argument also applies for an arbitrary but monotone cost function.
In our view, quantitative measures are best suited to modeling the real cost of actions rather than to modeling a preference ordering. The two may, however, be combined to good effect. As compactness is ensured with a specification transformation, one can modularly apply quantitative synthesis to the transformed specification min(L, ≺) to obtain strategies that are compact and also optimal with respect to a cost metric.

Approximating Compactness
The worst-case exponential blowups can make it difficult to produce compact strategies. Moreover, Theorem 1 asserts that there are specifications that are realizable but have no compact strategies. For both reasons, we describe methods by which one can approximate the compactness criterion.
Approximately Minimal Languages The first method is to tighten the language L to L that lies between L and min(L, ≺); we call L approximately minimal for L. We synthesize a program satisfying L . Given an NBA A for L over alphabet I × O, we construct an NBAÂ whose language is approximately minimal for L. This construction applies only to a class of preference relations that are induced pointwise by a partial order ≤ on individual letters of the output set O.
For infinite i/o words w = (a, b) and w = (a , b ), define w ≺ p w iff (1) for all i, a i = a i (inputs are identical) and b i ≤ b i , and (2) there is some i for which b i < b i . We say that w p w if w ≺ p w or w = w . The ordering ≺ p is transitive and regular. It is easy to construct an automaton accepting ≺ p , which checks condition (1) at each position of the zipped word w w , and accepts only if condition (2) holds at some position on the zipped word. The subset and cardinality preference relations introduced earlier are of this type.
Given an NBA A recognizing L, the NBAÂ is constructed by excluding certain transitions of A. Specifically, a transition (q, (a 1 , b 1 ), q ) of A is omitted inÂ if there is a "better" transition (q, (a 2 , b 2 ), q ) in A with a 1 = a 2 and b 2 < b 1 . AutomatonÂ can be efficiently constructed from A by performing a single pass over δ. The set of states, initial states and final states are identical in A andÂ. Proof. It is easy to see that L(Â) ⊆ L(A), as an accepting run inÂ is also an accepting run in A.
For the other inclusion, let w be in min(L, ≺ p ). Then, w is also in L. Thus, there is an accepting run ρ for w in A. If all transitions in ρ are present inÂ, then w is also in L(Â). If not, there is a transition (q, (a 1 , b 1 ), q ) at the k-th step of ρ (for some k) that is not present inÂ. By construction, there must be a transition (q, (a 1 , b 2 ), q ) in A such that b 2 < b 1 . Now consider the run ρ that is generated by swapping transition (q, (a 1 , b 1 ), q ) with (q, (a 1 , b 2 ), q ) at the k-th step. This is also an accepting run, on a word w that is identical to w except that it has (a 1 , b 2 ) rather than (a 1 , b 1 ) as its k-th entry. As w is in L and w ≺ p w, it cannot be the case that w is in min(L, ≺ p ), a contradiction.
Minimal Strategies for L The second method searches greedily for compact strategies in a game graph for L. For strategies σ and σ , say that σ σ (read as "σ is better than σ ") if for all input sequences a, σ(a) = σ (a) or σ(a) ≺ + σ (a). I.e., the output on input a is using σ is at least as good as that using σ . The minimal elements according to this ordering are called minimal strategies for L. It is easy to show that every compact strategy for L is a minimal strategy for L. The converse does not hold.
The greedy construction applies to a game graph for L where strategies are memoryless (e.g., if synthesis for L is a safety game or a parity game), and if the preference order is pointwise, as defined above. The core idea is simple: compute the set of winning positions; then nondeterministically and greedily extract a strategy by choosing only those transitions between successive winning positions that are output-minimal with respect to <. In the full version, it is shown that any strategy extracted in this manner is minimal for L.

Multi-Robot Coordination
Our original motivation to investigate compactness comes from an application to multi-robot orchestration. Due to space limitations, we describe this setting in brief. One has available multiple, heterogeneous robots, each capable of carrying out certain actions, some of which cannot be allowed to overlap. The goal is to perform specified tasks by (a) assigning robots to carry out actions and (b) sequence the actions appropriately. Tasks are described in a simple declarative language, called Resh [12], that has been implemented and used to control groups of mobile robots. A useful subset of Resh is given by the following grammar, where A is the set of action names and R is a set of robot names.
The interpretation of these operators is in terms of a finite-word input-output sequence. A term a → R is interpreted as "perform action a using one of the robots in R." For this, a control strategy chooses a robot r in R, and produces a "(begin a on r)" output event. Action duration is not fixed: E.g., the time taken to perform a "move to position p" action may vary as the robot maneuvers around humans. The completion signal is a "(end a on r)" event that is an input to the control strategy. The other operators are interpreted as ⇒ (sequencing), & (concurrent), | (choice), and + (concurrent with both tasks starting together). The interpretation of each operator produces a regular language.
The finite-word semantics is appropriate for robotics tasks that must be performed to completion. The same observation motivates the use of LTLf (a finite-word variant of LTL) in [38] to specify robotics tasks. A winning control strategy is one that satisfies the semantics of the operators.
As action completions are uncontrolled, even a simple specification such as a → R is unrealizable if the completion signal is never issued by an adversarial environment. It is thus necessary to restrict the environment so that every initiated action is eventually completed. This assumption must be interpreted over infinite words. It has the shape of a conjunction of LTL formulas G(begin(a, r) ⇒ X F end(a, r)) over all actions a and robots r. This can be represented by a DBA which tracks the set of pending (i.e., begun but not ended) actions. This DBA is worst-case exponential in the number of action-robot pairs, but in practice is limited by the concurrency in the specification.
In order to match the infinite-word environment constraint, the Resh system specification must be extended to infinite words. This is done by saying that an infinite word w satisfies the specification if there is a prefix x of w such that x satisfies the specification. Being a regular language, a Resh specification is representable as a DFA; this is extended to infinite words as a DBA by replacing the outgoing transitions of each final state with a self-loop on all inputs.
We have arrived at the final form of the synthesis question, which has the shape E ⇒ S, where E (the environment assumptions) and S (the system specification) are both representable as deterministic Büchi automata. That is precisely the general form of a GR(1) specification [31]; therefore, algorithms for GR(1) synthesis can be applied to synthesize finite-state controllers.
Implementation and Experiments. Our initial experiments in synthesis with (E ⇒ S) occasionally produced non-compact strategies, which motivated this exploration of compactness. We now use the modified specification E ⇒Ŝ, where the system portion is made approximately compact through the construction in Section 3.3, which preserves the GR(1) format. This specification produces compact strategies for all cases we have examined.
Our implementation of GR(1) synthesis uses a SAT solver, similar to the method of [10]; we found this to be significantly faster than BDD-based methods. As there is not a well-defined set of benchmarks for robotics or Resh specifications, we generate 500 specifications at random, producing specifications with parse-tree depth 4, biased slightly to prefer the sequencing operation (i.e., ⇒ ) over the others, as is likely to be the case in practice.
The system specification is set up to have two robots. Actions are allowed to overlap, which implies that all specifications are realizable. Of the 500 specifications, the GR(1) game graph was generated for 428 (85%) within a timeout limit of 5 minutes for each specification. (The Resh-to-automaton construction uses BDDs to symbolically represent output event sets, which sometimes blows up.) All 428 game graphs are solved by the SAT-based GR(1) procedure within a timeout of 5 minutes per game. The median solution time is 3 seconds; 90% are solved within 30 seconds; and all are solved within 225 seconds. We also experimented with a small hand-designed group of specifications where certain action overlaps are forbidden, which are also resolved efficiently.

Compactness for LTL
We now describe an implementation of a compact synthesis pipeline for general LTL specifications. Our experiments use the benchmarks from the SYNTCOMP (2020) competition. 4 In these experiments, the preference order is fixed as the pointwise subset order. We were forced to make this arbitrary choice as there is limited information about the origin of the benchmark problems, so we could not tailor the ordering to the problem domain.
The goal is (1) to determine the difficulty of constructing a compact synthesis pipeline for LTL, and (2) to gauge the practical feasibility of the compact synthesis procedures. The experiments are designed to answer the following questions that arise from (2): (Q1) What is the overhead on generating compact strategies compared to standard synthesis? (Q2) Is the approximation procedure more efficient than exact compactness? and (Q3) How effective are the approximate constructions at producing compact strategies? A high-level overview of the internal structure of our tool is in Fig. 2. Our implementation chains together several known tools: the automaton libraries SPOT (v. 2.9.5) and Owl (v.20.06) [25], the synthesis tool Strix (v. 20.10) [30] and the model checker NuSMV (v. 2.6.0) [14]. We also use the AIGER toolkit [4] as well as the Syfco synthesis format converter 5 . We are grateful to the authors for making these tools freely available.
Our tool offers three main features: (1) Compact Realizability: given an LTL formula f , determine if f is compactly realizable. This feature uses the compactness transformation from Section 3.1 to produce an automaton for the complement of the minimal language, which is then complemented, determinized and synthesized using Strix; (2) Compactness Test: given an LTL formula f and a candidate program P , determine if P is a compact program for f ; and (3) Approximate Compact Realizability: given an LTL formula f , generate an approximately compact strategy. Here we implement the construction of the approximate minimal automaton from Section 3.3.
Our experiments were carried out on a Linux VM running Ubuntu 20.04 with 12 GB of memory. Naturally, we only consider synthesizing compact strategies for specifications that are realizable 6 . The results can be summarized as follows: (A1) We compare the efficiency of compact synthesis to the standard synthesis by evaluating the number of specifications that can be synthesized within a certain time limit. We fix this time limit to be 10 minutes, and use Strix for standard synthesis. (With this limit, the entire run over the benchmarks takes several hours.) Strix determines realizability for 396 specifications out of 421 (∼ 94%), while our tool determines compact realizability for 213 (∼ 50%). (A2) Within the same time limit, the approximation technique determines realizability for 398 specifications, significantly more than for exact compactness and about the same as for standard realizability. (A3) We model-check the strategies generated through approximate compact realizability. Model-checking for compactness requires the complement minimal automaton of a specification, so we set the time limit of 10 minutes per specification to generate this automaton. Within this limit, our tool manages to construct the required automaton for 246 specifications. Generating approximate compact strategies for these 246 specifications, and applying the Compactness Test on these strategies, we find that ∼ 42% of the synthesized strategies are compact.
In addition, we tried our tool on the generalized version of the example specification from the introduction ( i : G(a(i) ⇒ X b(i))). Our tool can synthesize a compact strategy till N = 8 fairly quickly, after which our setup struggles to compile the original LTL formula to an NBA. On the same set of specifications, the approximate techniques also produce a compact strategy.
The implementation process was fairly straightforward, a pleasant surprise given the number of tools and format conversions involved. We had to patch some tools to extend their capabilities (e.g., to allow automata as specifications) and to implement format conversions.
In summary, compact synthesis is feasible for a substantial number of specifications. Where it is not -due either to blowups in automaton construction or due to the gap between normal and compact realizability -one can use the approximation procedure defined in Section 3.3 to generate strategies that are minimal with respect to the strategy ordering.

Related Work
We discuss closely related work in synthesis and commonsense reasoning.
Qualitative Temporal Synthesis There is a considerable literature on the synthesis of open reactive programs from LTL specifications, starting with the seminal work by Pnueli and Rosner [32]. The beautiful theoretical results are made practical by the discovery of efficient algorithms for the GR(1) subclass [9,31], and procedures for bounded synthesis [21,36], based on so-called "Safraless" procedures [26]. These algorithms have been implemented in several tools, e.g., [11,15,16,19,23,33,27]. Our work builds on this basis by transforming the search for compact strategies to a standard synthesis question that can be handled by these tools.
In the robotics domain, prior work investigates synthesis for an interpretation of LTL over finite words called LTLf [22,38,40]. Although Resh is similarly restricted to finite-word properties, a central difference is that specifications in LTLf (like LTL) are defined over propositions on robot and world state, and not in terms of actions of an unknown duration.
There are many ways to choose between satisfying models: e.g., [7] designs synthesis procedures that produce minimally vacuous models. While the formulations differ, there is a common thread in the notion of minimality with respect to an ordering over models.
Quantitative Temporal Synthesis A substantial body of work in temporal synthesis is focused on quantitative objectives. These problems are represented by games where each action has an associated cost (or, dually, reward) and the objective is to find strategies that minimize cost (or, maximize reward) (cf. [6]). There are several ways to formulate appropriate cost/reward functions and correspondingly many ways to solve such games. One could attempt to model compactness by assigning costs to actions such that if word x is better than word y then x has the lower cost. We chose not to develop solutions along such quantitative lines for two main reasons: first, as the connection between cost and preference is indirect, setting up the right cost assignments to model a desired preference ordering is difficult; secondly, the theoretical complexity and practical difficulty of quantitative synthesis is high. Instead, we chose to tackle the question in a qualitative manner.
As shown in Section 3, quantitative measures cannot always differentiate between compact and non-compact solutions. Using the specification transformation developed here, the two methods can, however, be used in cooperation: one can model the real costs of actions in a manner that is orthogonal to the preference ordering and compute minimal-cost, compact strategies.
A recent work [1] focuses on the "quality" of satisfaction of an LTL formula (e.g., preferring to satisfy one part of a specification over another). Synthesis is through a reduction to a standard LTL specification; unfortunately this has a worst-case exponential blowup. Non-Monotonic Reasoning. As mentioned briefly in the introduction, the compactness criterion is a form of commonsense reasoning: one does not expect synthesized solutions to include unnecessary actions. Commonsense reasoning is exemplified by the classical frame problem, introduced in [29], which shows that the freedom of interpretation given by logic must be restricted in order to achieve commonsense conclusions.
It was soon recognized that such restrictions imply a non-standard notion of deduction, which is not monotonic: adding new hypotheses can invalidate current conclusions [37]. In [28], McCarthy suggests a formulation in terms of a circumscription operation: each inference is guarded with a "not(abnormal)" predicate, and a successor state is one where the extent of this predicate is minimized-i.e., abnormal effects are maximally limited while avoiding inconsistencies. Logically, this is specified in second-order logic as ϕ(A) ∧ ¬(∃B : B ⊂ A ∧ ϕ(B)), where ϕ is the specification and A is the abnormality predicate. Readers will immediately notice the similarity to the definition of min(L, ≺).
The importance of a general preference order in place of the fixed subset relation is laid out in [24]; the authors propose reasonable properties that any nonmonotonic inference relation should meet, and show that a definition in terms of a preference ordering satisfies those properties. Our formulation of compactness is based on similar notions of minimality over a preference ordering on words. This is at the root of the non-monotonicity of compactness. These similarities hint at deeper connections between compactness and non-monotonic commonsense reasoning; we aim to investigate those in future work.