Boolean Abstractions for Realizability Modulo Theories (Extended version)

In this paper, we address the problem of the (reactive) realizability of specifications of theories richer than Booleans, including arithmetic theories. Our approach transforms theory specifications into purely Boolean specifications by (1) substituting theory literals by Boolean variables, and (2) computing an additional Boolean requirement that captures the dependencies between the new variables imposed by the literals. The resulting specification can be passed to existing Boolean off-the-shelf realizability tools, and is realizable if and only if the original specification is realizable. The first contribution is a brute-force version of our method, which requires a number of SMT queries that is doubly exponential in the number of input literals. Then, we present a faster method that exploits a nested encoding of the search for the extra requirement and uses SAT solving for faster traversing the search space and uses SMT queries internally. Another contribution is a prototype in Z3-Python. Finally, we report an empirical evaluation using specifications inspired in real industrial cases. To the best of our knowledge, this is the first method that succeeds in non-Boolean LTL realizability.


Introduction
Reactive synthesis [35,34] is the problem of automatically producing a system that is guaranteed to model a given temporal specification, where the Boolean variables (i.e., atomic propositions) are split into variables controlled by the environment and variables controlled by the system.Realizability is the related decision problem of deciding whether such a system exists.These problems have been widely studied [24,19], specially in the domain of Linear Temporal Logic (LTL) [33].Realizability corresponds to infinite games where players alternatively choose the valuations of the Boolean variables they control.The winning condition is extracted from the temporal specification and determines which player wins a given play.A system is realizable if and only if the system player has a winning strategy, i.e., if there is a way to play such that the specification is satisfied in all plays played according to the strategy.
However, in practice, many real and industrial specifications use complex data beyond Boolean atomic propositions, which precludes the direct use of realizability tools.These specifications cannot be written in (propositional) LTL, but instead use literals from a richer domain.We use LTL T for the extension of LTL where Boolean atomic propositions can be literals from a (multi-sorted) first-order theory T .The T variables (i.e., non-Boolean) in the specification are again split into those controlled by the system and those controlled by the environment.The resulting realizability problem also corresponds to infinite games, but, in this case, players chose valuations from the domains of T , which may be infinite.Therefore, arenas may be infinite and positions may have infinitely many successors.In this paper, we present a method that transforms a specification that uses data from a theory T into an equi-realizable Boolean specification.The resulting specification can then be processed by an off-the-shelf realizability tool.
The main element of our method is a novel Boolean abstraction method, which allows to transform LTL T specifications into pure (Boolean) LTL specifications.The method first substitutes all T literals by fresh Boolean variables controlled by the system, and then extends the specification with an additional subformula that constrains the combination values of these variables.This method is described in Section 3. The main idea is that, after the environment selects values for its (data) variables, the system responds with values for the variables it controls, which induces a Boolean value for all the literals.The additional formula we compute captures the set of possible valuations of literals and the precise power of each player to produce each valuation.
Example 1.Consider the following specification φ = □(R 0 ∧ R 1 ), where: where x is a numeric variable that belongs to the environment and y to the system.In the game corresponding to this specification, each player has an infinite number of choices at each time step.For example, in T Z (the theory of integers), the environment player chooses an integer for x and the system responds with an integer for y.This induces a valuation of all literals in the formula, which in turn induces (also considering the valuations of the literals at other time instants, according to the temporal operators) a valuation of the full specification.
In this paper, we exploit that, from the point of view of the valuations of the literals, there are only finitely many cases and provide a systematic manner to compute these cases.This allows us to reduce a specification into a purely Boolean specification that is equi-realizable.This specification encodes the (finite) set of decisions of the environment, and the (finite) set of reactions of the system.

⊓ ⊔
Ex. 1 suggests a naive algorithm to capture the powers of the environment and system to determine a combination of the valuations of the literals, by enumerating all these combinations and checking the validity of each potential reaction.Checking that a given combination is a possible reaction requires an ∃ * ∀ * query (which can be delegated to an SMT solver for appropriate theories).
In this paper, we describe and prove correct a Boolean abstraction method based on this idea.Then, we propose a more efficient search method for the set of possible reactions using SAT solving to speed up the exploration of the set of reactions.The main idea of this faster method is to learn from an invalid reaction which other reactions are guaranteed to be invalid, and from a valid reaction which other reactions are not worth being explored.We encode these learnt sets as a incremental SAT formula that allows to prune the search space.The resulting method is much more efficient than brute-force enumeration because, in each iteration, the learning can prune an exponential number of cases.An important technical detail is that computing the set of cases to be pruned from the outcome of a given query can be described efficiently using a SAT solver.
In summary, our contributions are: (1) a proof that realizability is decidable for all LTL T specifications for those theories T with a decidable ∃ * ∀ * fragment; (2) a simple implementation of the resulting Boolean abstraction method; (3) a much faster method based on a nested-SAT implementation of the Boolean abstraction method that efficiently explores the search space of potential reactions; and (4) an empirical evaluation of these algorithms, where our early findings suggest that Boolean abstractions can be used with specifications containing different arithmetic theories, and also with industrial specifications.We used Z3 [12] both as an SMT solver and a SAT solver, and Strix [31] as the realizability checker.To the best of our knowledge, this is the first method that succeeds (and efficiently) in non-Boolean LTL realizability.

Preliminaries
We study realizability of LTL [33,29] specifications.The syntax of LTL is: where a ranges from an atomic set of proposition AP, ∨, ∧ and ¬ are the usual Boolean disjunction, conjunction and negation, and  and U are the next and until temporal operators.The semantics of LTL associate traces σ ∈ Σ ω with formulae as follows: and for all 0 ≤ j < i, σ j |= φ 1 We use common derived operators like ∨, R,  and .
Reactive synthesis [37,32,6,16,5] is the problem of producing a system from an LTL specification, where the atomic propositions are split into propositions that are controlled by the environment and those that are controlled by the system.Synthesis corresponds to a turn-based game where, in each turn, the environment produces values of its variables (inputs) and the system responds with values of its variables (outputs).A play is an infinite sequence of turns.The system player wins a play according to an LTL formula φ if the trace of the play satisfies φ.A (memory-less) strategy of a player is a map from positions into a move for the player.A play is played according to a strategy if all the moves of the corresponding player are played according to the strategy.A strategy is winning for a player if all the possible plays played according to the strategy are winning.
Depending on the fragment of LTL used, the synthesis problem has different complexities.The method that we present in this paper generates a formula in the same temporal fragment as the original formula (e.g., starting from a safety formula another safety formula is generated).The generated formula is discharged into a solver capable to solve formulas in the right fragment.For simplicity in the presentation, we illustrate our method with safety formulae.
We use LTL T as the extension of LTL where propositions are replaced by literals from a first-order theory T .In realizability for LTL T , the variables that occur in the literals of a specification φ are split into those variables controlled by the environment (denoted by v e ) and those controlled by the system (v s ), where v e ∩ v s = ∅.We use φ(v e , v s ) to remark that v e ∪ v s are the variables occurring in φ.The alphabet Σ T is now a valuation of the variables in v e ∪ v s .A trace is an infinite sequence of valuations, which induces an infinite sequence of Boolean values of the literals occurring in φ and, in turn, a valuation of the temporal formula.
Realizability for LTL T corresponds to an infinite game with an infinite arena where positions may have infinitely many successors if the ranges of the variables controlled by the system and the environment are infinite.For instance, in Ex. 1 with T = T Z , valuation ranges over infinite values, and literal (x ≥ 2) can be satisfied with x = 2, x = 3, etc.
Arithmetic theories are a particular class of first-order theories.Even though our Boolean abstraction technique is applicable to any theory with a decidable ∃ * ∀ * fragment, we illustrate our technique with arithmetic specifications.Concretely, we will consider T Z (i.e., linear integer arithmetic) and T R (i.e., non-linear real arithmetic).Both theories have a decidable ∃ * ∀ * fragment.Note that the choice of the theory influences the realizability of a given formula.
Example 2. Consider Ex. 1.The formula φ := R 0 ∧ R 1 is not realizable for T Z , since, if at a given instant t, the environment plays x = 0 (and hence x < 2 is true), then y must be greater than 1 at time t+1.Then, if at t+1 the environment plays x = 2 then (x ≥ 2) is true but there is no y such that both (y > 1) and (y < 2).However, for T R , φ is realizable (consider the system strategy to always play y = 1.5).
The following slight modifications of Ex. 1 alters its realizability (R ′ 1 substitutes R 1 by having the T -predicate y ≤ x instead of y < x): ) is realizable for both T Z and T R , as the strategy of the system to always pick y = 2 is winning in both theories.

Boolean Abstraction
We solve the realizability problem modulo theories by transforming the specification into an equi-realizable Boolean specification.Given a specification φ with literals l i , we get a new specification φ[l i ← s i ] ∧ φ extra , where s i are fresh Boolean variables and φ extra ∈ LTL B is a Boolean formula (without temporal operators).The additional sub-formula φ extra uses the freshly introduced variables s i controlled by the system, as well as additional Boolean variables controlled by the environment e, and captures the precise combined power of the players to decide the valuations of the literals in the original formula.We call our approach Booleanization or Boolean abstraction.The approach is summarized in Fig. 1: given an LTL specification φ T , it is translated into a Boolean φ B which can be analyzed with off-the-shelf realizability checkers.Note that G B and G T are the games constructed from specifications φ B and φ T , respectively.Also, note that [23] shows that we can construct a game G from a specification φ and that φ is realizable if and only if G is winning for the system.
The Booleanization procedure constructs an extra requirement φ extra and conjoins φ extra with the formula φ[l i ← s i ].In a nutshell, after the environment chooses a valuation of the variables it controls (including e), the system responds with valuations of its variables (including s i ), which induces a Boolean value for all literals.Therefore, for each possible choice of the environment, the system has the power to choose a Boolean response among a specific collection of responses (a subset of all the possible combinations of Boolean valuations of the literals).Since the set of all possible responses is finite, so are the different cases.The extra requirement captures precisely the finite collection of choices of the environment and the resulting finite collection of responses of the system for each case.

Notation
In order to explain the construction of the extra requirement, we introduce some preliminary definitions.We will use Ex. 1 as the running example.
A literal is an atom or its negation, regardless of whether the atom is a Boolean variable or a predicate of a theory.Let Lit(φ) be the collection of

Realizability Tool
Fig. 1: The tool chain with the correctness argument.literals that appear in φ (or Lit, if the formula is clear from the context).For simplicity, we assume that all literals belong the same theory, but each theory can be Booleanized in turn, as each literal belongs to exactly one theory and we assume in this paper that literals from different theories do not share variables.We will use x as the environment controlled variables occurring in Lit(φ) and y for the variables controlled by the system.
In Ex. 1, we first translate the literals in φ.Since (x < 2) is equivalent to ¬(x ≥ 2), we use a single Boolean variable for both.The substitutions is: After the substitution we obtain where Note that φ ′′ may not be equi-realizable to φ, as we may be giving too much power to the system if s 0 , s 1 and s 2 are chosen independently without restriction.Note that φ ′′ is realizable, for example by always choosing s 1 and s 2 to be true, but φ is not realizable in LTL T Z .This justifies the need of an extra sub-formula.
Definition 1 (Choice).A choice c ⊆ Lit(φ) is a subset of the literals of φ.
The intended meaning of a choice is to capture what literals are true in the choice, while the rest (i.e., Lit \ c) are false.Once the environment picks values for x, the system can realize some choice c by selecting y and making the literals in c true (and the rest false).However, for some values of x, some choices may not be possible for the system for any y.Given a choice c, we use f (c(x, y)) to denote the formula: ¬l which is a formula with variables x and y that captures logically the set of values of x and y that realize precisely choice c.We use C for the set of choices.Note that there are |C| = 2 |Lit| different choices.We call the elements of C choices because they may be at the disposal of the system to choose by picking the right values of its variables.
A given choice c can act as potential (meaning that the response is possible) or as antipotential (meaning that the response is not possible).A potential is a formula (that depends only on x) that captures those values of x for which the system can respond and make precisely the literals in c true (and the rest of the literals false).The negation of the potential (i.e., an antipotential) captures precisely those values of x for which there are no values of y that lead to c. Definition 2 (Potential and Antipotential).Given a choice c, a potential is the following formula c p and an antipotential is the following formula c a : Example 3. We illustrate two choices for Ex. 1.Consider choices c 0 = {(x < 2), (y > 1), (y < x)} and c 1 = {(x < 2), (y > 1)}.Choice c 0 corresponds to f (c 0 ) = (x < 2) ∧ (y > 1) ∧ (y < x), that is, literals (x < 2), (y > 1) and (y < x) are true.Choice c 1 corresponds to f (c 1 ) = (x < 2) ∧ (y > 1) ∧ (y ≥ x), that is, literals (x < 2) and (y > 1) being true and (y < x) being false (i.e., (y ≥ x) being true).It is easy to see the meaning of c 2 , c 3 etc.Then, the potential and antipotential formulae of e.g., choices c 0 and c 1 from Ex. 1 are as follows: Note that potentials and antipotentials have x as the only free variables.

⊓ ⊔
Depending on the theory, the validity of potentials and antipotentials may be different.For instance, consider c p 0 and theories T Z and T R : These equivalences can be obtained using classic quantifier elimination procedures, e.g., with Cooper's algorithm [11] for T Z and Tarski's method [36] for T R .
A reaction is a description of the specific choices that the system has the power to choose.Definition 3 (Reaction).Let P and A be a partition of C that is: P ⊆ C, A ⊆ C, P ∩ A = ∅ and P ∪ A = C.The reaction react (P,A) is as follows: The reaction react (P,A) is equivalent to: There are 2 2 |Lit| different reactions.
A reaction r is called valid whenever there is a move of the environment for which r captures precisely the power of the system, that is exactly which choices the system can choose.Formally, a reaction is valid whenever ∃x.r(x) is a valid formula.We use R for the set of reactions and VR for the set of valid reactions.It is easy to see that, for all possible valuations of x the environment can pick, the system has a specific power to respond (among the finitely many cases).Therefore, the following formula is valid: Example 4. In Ex. 1, for theory T Z , we find there are two valid reactions (using choices from Ex. 3): where reaction r 1 models the possible responses of the system after the environment picks a value for x with (x < 2), whereas r 2 models the responses to (x ≥ 2).On the other hand, for T R , there are three valid reactions: Note that there is one valid reaction more, since in T R there is one more case: x ∈ (1, 2].Also, note that c 4 cannot be a potential in T Z (not even with a collaboration between environment and system), whereas it can in T R .

The Boolean Abstraction Algorithm
Boolean abstraction is a method to compute φ B from φ T .In this section we describe and prove correct a basic brute-force version of this method, and later in Section 4, we present faster algorithms.All Boolean abstraction algorithms that we present on this paper first compute the extra requirement, by visiting the set of reactions and computing a subset of the valid reactions that is sufficient to preserve realizability.The three main building blocks of our algorithms are (1) the stop criteria of the search for reactions; (2) how to obtain the next reaction to consider; and (3) how to modify the current set of valid reactions (by adding new valid reactions to it) and the set of remaining reactions (by pruning the search space).Finally, after the loop, the algorithm produces as φ extra a conjunction of cases, one per valid reaction (P, A) in VR.
Alg. 1: Brute-force We introduce a fresh variable e (P,A) , controlled by the environment for each valid reaction (P, A), to capture that the environment plays values for x that correspond to the case where the system is left with the power to choose captured precisely by (P, A).Therefore, there is one additional environment Boolean variable per valid reaction (in practice we can enumerate the number of valid reactions and introduce only a logarithmic number of environment variables).Finally, the extra requirement uses P for each valid reaction (P, A) to encode the potential moves of the systems as a disjunction of the literals described by each choice in P .Each of these disjunction contains precisely the combinations of literals that are possible for the concrete case that (P, A) captures.
A brute-force algorithm that implements Boolean abstraction method by exhaustively searching all reactions is shown in Alg 1.The building blocks of this algorithm are: (1) It stops when the remaining set of reactions is empty.
(2) It traverses the set R according to some predetermined order.
(3) To modify the set of valid reactions, if (P, A) is valid it adds (P, A) to the set VR (line 7).To modify the set of remaining reactions, it removes (P, A) from the search.Finally, the extra sub-formula φ extra is generated by getExtra (line 8) defined as follows: Note that there is an ∃ * ∀ * validity query in the body of the loop (line 6) to check whether the candidate reaction is valid.This is why decidability of the ∃ * ∀ * fragment is crucial because it captures the finite partitioning of the environment moves (which is existentially quantified) for which the system can react in certain ways (i.e., potentials, which are existentially quantified) by picking appropriate valuations but not in others (i.e., antipotentials, which are universally quantified).In essence, the brute-force algorithm iterates over all the reactions, one at a time, checking whether each reaction is valid or not.In case the reaction (characterized by the set of potential choices3 ) is valid, it is added to VR.
For example c 2 = {s 0 } is a choice that appears as potential in valid reaction r 1 , so it appears as a disjunct of d 0 as (s 0 ∧ ¬s 1 ∧ ¬s 2 ).The resulting Booleanized specification φ B is as follows: Note that the Boolean encoding is extended with an assumption formula that restricts environment moves to guarantee that exactly one environment decision variable is picked.Also, note that a Boolean abstraction algorithm will output three (instead of two) decisions for the environment, but we ackowledge that one of them will never be played by it, since it gives strictly more power to the system.The complexity of this brute-force Booleanization algorithm is doubly exponential in the number of literals.

From Local Simulation to Equi-Realizability
The intuition about the correctness of the algorithm is that the extra requirement encodes precisely all reactions (i.e., collections of choices), for which there is a move of the environment that leaves the system with precisely that power to respond.As an observation, in the extra requirement, the set of potentials in valid reactions cannot be empty.This is stated in Lemma 3.
Let w be an arbitrary valuation of y and let c be a choice and l a literal.Therefore: Lemma 3 is crucial, because it ensures that once a Boolean abstraction algorithm is executed, for each fresh e variable in the extra requirement, at least one reaction with one or more potentials can be responded by the system.Therefore, in each position in the realizability game, the system can respond to moves of the system leaving to precisely corresponding positions in the Boolean game.In turn, this leads to equi-realizability because each move can be simulated in the corresponding game.Concretely, it is easy to see that we can define a simulation between the positions of the games for φ T and φ B such that (1) each literal l i and the corresponding variable s i have the same truth value in related positions, (2) the extra requirement is always satisfied, and (3) moves of the system in each game from related positions in each game can be mimicked in the other game.This is captured by the following theorem: Theorem 1. System wins G T if and only if System wins the game G B .Therefore, φ T is realizable if and only if φ B is realizable.
Proof.(Sketch).Since realizability games are memory-less determined, it is sufficient to consider only local strategies.Given a strategy ρ B that is winning in G B we define a strategy ρ T in G T as follows.Assuming related positions, ρ T moves in G T to the successor that is related to the position where ρ B moves in G B .By (3) above, it follows that for every play played in G B according to ρ B there is a play in G T played according to ρ T that results in the same trace, and vice-versa: for every play played in G T according to ρ T there is a play in G B played according to ρ B that results in the same trace.Since ρ B is winning, so is ρ T .The other direction follows similarly, because again ρ B can be constructed from ρ T not only guaranteeing the same valuation of literals and corresponding variables, but also that the extra requirement holds in the resulting position.⊓ ⊔ The following corollary of Thm. 1 follows immediately.
Theorem 2. Let T be a theory with a decidable ∃ * ∀ * -fragment.Then, LTL T realizability is decidable.
4 Efficient algorithms for Boolean Abstraction

Quasi-reactions
The basic algorithm presented in Section 3 exhaustively traverses the set of reactions, one at a time, checking whether each reaction is valid.Therefore, the body of the loop is visited 2 |C| times.In practice, the running time of this basic algorithm quickly becomes unfeasible.We now improve Alg. 1 by exploiting the observation that every SMT query for the validity of a reaction reveals information about the validity of other reactions.We will exploit this idea by learning uninteresting subsequent sets of reactions and pruning the search space.The faster algorithms that we present below encode the remaining search space using a SAT formula, whose models are further reactions to explore.
To implement the learning-and-pruning idea we first introduce the notion of quasi-reaction.
Definition 4 (Quasi-reaction).A quasi-reaction is a pair (P, A) where P ⊆ C, A ⊆ C and P ∩ A = ∅.
Quasi-reactions remove from reactions the constraint that P ∪A = C.A quasireaction represents the set of reactions that would be obtained from choosing the remaining choices that are neither in P nor in A as either potential or antipotential.The set of quasi-reactions is: Example 6.Consider a case with four choices c 0 , c 1 , c 2 and c 3 .The quasi-reaction ({c 0 , c 2 }, {c 1 }) corresponds to the following formula: Note that nothing is stated in this quasi-reaction about c 3 (it neither acts as a potential nor as an antipotential).
⊓ ⊔ Consider the following order between quasi-reactions: (P, A) ⪯ (P ′ , A ′ ) holds if and only if P ⊆ P ′ and A ⊆ A ′ .It is easy to see that ⪯ is a partial order, that (∅, ∅) is the lowest element and that for every two elements (P, A) and (P ′ , A ′ ) there is a greatest lower bound (namely (P ∩ P ′ , A ∩ A ′ )).Therefore (P, A) ⊓ (P ′ , A ′ ) def = (P ∩ P ′ , A ∩ A ′ ) is a meet operation (it is associative, commutative and idempotent).Note that q ⪯ q ′ if and only if q ⊓ q ′ = q.Formally: The quasi-reaction semi-lattice represents how informative a quasi-reaction is.Given a quasi-reaction (P, A), removing an element from either P or A results in a strictly less informative quasi-reaction.The lowest element (∅, ∅) contains the least information.
Given a quasi-reaction q, the set Q q = {q ′ ∈ Q|q ′ ⪯ q} of the quasi-reactions below q form a full lattice with join (P, Q) . This is well defined because P ′ and Q, and P and Q ′ are guaranteed to be disjoint.Proposition 2. For every q, (Q q , ⊓, ⊔) is a lattice.
As for reactions, quasi-reactions correspond to a formula in the theory as follows: Again, given a quasi-reaction q, if ∃x.qreact q (x) is valid we say that q is valid, otherwise we say that q is invalid.The following holds directly from the definition (and the fact that adding conjuncts makes a first-order formula "less satisfiable").
Proposition 3. Let q, q ′ be two quasi-reactions with q ⪯ q ′ .If q is invalid then q ′ is invalid.If q ′ is valid then q is valid.
These results enable the following optimizations.

Quasi-reaction-based Optimizations
A Logic-based Optimization.Consider that, during the search for valid reactions in the main loop, a reaction (P, A) is found to be invalid, that is react (P,A) is unsatisfiable.If the algorithms explores the quasi-reactions below (P, A), finding (P ′ , A ′ ) ⪯ (P, A) such that qreact (P ′ ,A ′ ) , then by Prop.3, every reaction (P ′′ , A ′′ ) above (P ′ , A ′ ) is guaranteed to be invalid.This allows to prune the search in the main loop by computing a more informative quasi-reaction q after an invalid reaction r is found, and skipping all reactions above q (and not only r).For example, if the reaction corresponding to ({c 0 , c 2 , c 3 }, {c 1 }) is found to be invalid, and by exploring quasi-reactions below it, we find that ({c 0 }, {c 1 }) is also invalid, then we can skip all reactions above ({c 0 }, {c 1 }).This includes for example ({c 0 , c 2 }, {c 1 , c 3 }) and ({c 0 , c 3 }, {c 1 , c 2 }).In general, the lower the invalid quasi-reaction in ⪯, the more reactions will be pruned.This optimization resembles a standard choosing of max/min elements in an anti-chain.
A Game-based Optimization.Consider now two reactions r = (P, A) and r ′ = (P ′ , A ′ ) such that P ⊆ P ′ and assume that both are valid reactions.Since r ′ allows more choices to the system (because the potentials P determine these choices), the environment player will always prefer to play r than r ′ .Formally, if there is a winning strategy for the environment that chooses values for x (corresponding to a model of react r ), then choosing values for x ′ instead (corresponding to a model of react r ′ ) will also be winning.
Therefore, if a reaction r is found to be valid, we can prune the search for reactions r ′ that contain strictly more potentials, because even if r ′ is also valid, it will be less interesting for the environment player.For instance, if ({c 0 , c 3 }, {c 1 , c 2 }) is valid, then ({c 0 , c 1 , c 3 }, {c 2 }) and ({c 0 , c 1 , c 3 , c 2 }, {}) become uninteresting to be explored and can be pruned from the search.We present now a faster algorithm that replaces the main loop of Alg. 1 that performs exhaustive exploration with a SAT-based search procedure that prunes uninteresting reactions.In order to do so, we use a SAT formula ψ with one variable z i per choice c i , in a DPLL(T) fashion.An assignment v : Vars(ψ) → B to these variables represents a reaction (P, A) where Similarly, a partial assignment v : Vars(ψ) ⇀ B represents a quasi-reaction.The intended meaning of ψ is that its models encode the set of interesting reactions that remain to be explored.This formula is initialized with ψ = true (note that ¬( zi ¬z i ) is also a correct starting point because the reaction where all choices are antipotentials is invalid).Then, a SAT query is used to find a satisfying assignment for ψ, which corresponds to a (quasi-)reaction r whose validity is -If the reaction is invalid (as a result of the SMT query in line 16), then it checks the validity of quasi-reaction q = (∅, A) in line 23.If q is invalid, add the negation of q as a new conjunction of ψ (line 26).If q is valid, add the negation of the reaction (line 24).This prevents all SAT models that agree with one of these q, which correspond to reactions q ⪯ r ′ , including r.
-If the reaction is valid, then it is added to the set of valid reactions VR and the corresponding quasi-reaction that results from removing the antipotentials is added (negated) to ψ (line 18), preventing the exploration of uninteresting cases, according to the game-based optimization.As for the notation in Alg. 2 (also in Alg. 3 and Alg.4), model(ψ) in line 15 is a function that returns a satisfying assignment of the SAT formula ψ, posVars(m) returns the positive variables of m (e.g., c i , c j etc.) and negVars(m) returns the negative variables.Finally, toTheory(m, C) = mi c p i ∧ ¬mi c a i (in lines 16 and 23) translates a Boolean formula into its corresponding formula in the given T theory.Note that unsatisfiable m can be minimized finding cores.
If r is invalid and (∅, A) is found also to be invalid, then exponentially many cases can be pruned.Similarly, if r is valid, also exponentially many cases can be pruned.The following result shows the correctness of Alg.2: Theorem 3. Alg. 2 terminates and outputs a correct Boolean abstraction.
Proof.(Sketch).Alg. 2 terminates because, at each step in the loop, ψ removes at least one satisfying assignment and the total number is bounded by 2 |C| .Also, the correctness of the generated formula is guaranteed because, for every valid reaction in Alg. 1, either there is a valid reaction found in Alg. 2 or a more promising reaction found in Alg. 2.

A Nested-SAT algorithm (Alg. 3)
We now present an improvement of Alg. 2 that performs a more detailed search for a promising collection of invalid quasi-reactions under an invalid reaction r. Alg.
Note that it is not necessary to find the precise collection of all the smallest quasi-reactions that are under an invalid reaction r, as long as at least one quasireaction under r is calculated (perhaps, r itself).Finding lower quasi-reactions allow to prune more, but its calculation is more costly, because more SMT queries need to be performed.The Nested-SAT algorithm (Alg.3) explores (using an inner SAT encoding) this trade-off between computing more exhaustively better invalid quasi-reactions and the cost of the search.The three main building blocks of the nested-SAT algorithm (see Alg. 3) are: (1) It stops when ψ is invalid (as in Alg. 2), in line 33.(2) To get the reaction, obtain a satisfying assignment m for ψ (as in Alg. 2), in line 34.
(3) Check the validity of the corresponding reaction and prune ψ according to what can be learned as follows.If the reaction is valid, then we proceed as in Alg. 2. If r = (P, A) is invalid (as a result of the SMT query), then an inner SAT formula encodes whether a choice is masked (eliminated from P or A).Models of the inner SAT formula, therefore, correspond to quasi-reactions below r.If a quasi-reaction q found in the inner loop is invalid, the inner formula is additionally constrained and the set of invalid quasi-reactions is expanded.If a quasi-reaction q found is valid, then the inner SAT formula is pruned eliminating all quasi-reactions that are guaranteed to be valid.At the end of the inner loop, a (non-empty) collection of invalid quasi-reactions are added to ψ.  explores a full lattice.Also, note that ¬( zi ¬z i ) is, again, a correct starting point.Consider, for example, that the outer loop finds ({c 1 , c 3 }, {c 0 , c 2 }) to be invalid and that the inner loop produces assignment w 0 ∧ w 1 ∧ w 2 ∧ ¬w 3 .This corresponds to c 3 being masked producing quasi-reaction ({c 1 }, {c 0 , c 2 }).The pruning system is the following: -If quasi-reaction q is valid then the inner SAT formula is pruned eliminating all inner models that agree with the model in the masked choices.
In our example, we would prune all models that satisfy ¬w 3 if q is valid (because the resulting quasi-reactions will be inevitably valid).-If quasi-reaction q is invalid, then we prune in the inner search all quasireactions that mask less than q, because these will be inevitably invalid.In our example, we would prune all models satisfying ¬(w 0 ∧ w 1 ∧ w 2 ).Note that toTheory inn(u, m, C) = mi∧uj c p i ∧ ¬mi∧uj c a i is not the same function as the toTheory() used in Alg. 2 and Alg. 3, since the inner loops needs both model m and mask u (which makes no sense to be negated) to translate a Boolean formula into a T -formula.Also, note that there is again a trade-off in the inner loop because an exhaustive search is not necessary.Thus, in practice, we also used some basic heuristics: (1) entering the inner loop only when (∅, A) is invalid; (2) fixing a maximum number of inner model queries per outer model with the possibility to decrement this amount dynamically with a decay; and (3) reducing the number of times the inner loop is exercised (e.g., enter the inner loop only if the number of invalid outer models so far is even).
Example 7. We explore the results of Alg. 3. A possible execution for 2 literals can be as follows: ({c 1 }, {c 0 }) and ({c 2 }, {c 3 }).The addition of the negation of these cores leads to an unsatisfiable outer SAT formula, and the algorithm terminates.The execution in this example has performed 4 SAT+SMT queries in the outer loop, and 3+2 SAT+SMT queries in the inner loops.The brute-force Alg. 1 would have performed 16 queries.Note that the difference between the exhaustive version and the optimisations soon increases exponentially when we consider specifications with more literals.
For the implementation, we used used Python 3.8.8 with Z3 4.11.
It is easy to see that "clusters" of literals that do not share variables can be Booleanized independently, so we split into clusters each of the examples.We report our results in Fig. 2. Each row contains the result for a cluster of an experiment (each one for the fastest heuristic).Each benchmark is split into clusters, where we show the number of variables (vr.) and literals (lt.) per cluster.We also show running times of each algorithm against each cluster; concretely, we test Alg. 1 (BF ), Alg. 2 (SAT ) and Alg. 3 (Doub.).For Alg. 2 and Alg. 3, we show the number of queries performed; in the case of Alg. 3, we also show both outer and inner queries.Alg. 1 and Alg. 2 require no heuristics.For Alg. 3, we report, left to right: maximum number of inner loops (MxI.), the modulo division criteria (Md.) 4 , the number of queries after which we perform a decay of 1 in the maximum number of inner loops (Dc.), and if we apply the invalidity of (∅, A) as a criteria to enter the inner loop (A.), where ✓ means that we do and × means the contrary.Also, ⊥ means timeout (or no data).The brute-force (BF) Alg. 1 performs well with 3 or fewer literals, but the performance dramatically decreases with 4 literals.Alg. 2 (single SAT) performs well up to 4 literals, and it can hardly handle cases with 6 or more literals.An exception is Lift (1,7) which is simpler since it has only one variable (and this implies that there is only one player).The performance improvement of SAT with respect to BF is due to the decreasing of queries.For example, Train (3,6) performs 13706 queries, whereas BF would need 2 2 6 = 1.844 • 10 18 queries.
All examples are Booleanizable when using Alg. 3 (two SAT loops), particularly when using a combination of concrete heuristics.For instance, in small cases (2 to 5 literals) it seems that heuristic-setups like 3/3/3/0/✓ 5   We conjecture that a non-zero decay is required to handle large inputs, since inner loop exploration becomes less useful after some time.However, adding a decay is not always faster than fixing a number of inner loops (see Syn (2,7)), but it always yields better results in balancing the number of queries between the two nested SAT layers.Thus, since balancing the number of queries typically leads to faster execution times, we recommend to use decays.Note that we performed all the experiments reported in this section running all cases several times and computing averages, because Z3 exhibited a big volatility in the models it produces, which in turn influenced the running time of our algorithms.This significantly affects the precise reproducibility of the running times.For instance, for Syn(2,5) the worst case execution was almost three times worst than the average execution reported in Fig. 2. Studying this phenomena more closely is work in progress.Note that there are cases in which the number of queries of SAT and Doub.are the same (e.g., Usb(3,5)), which happened when the A. heuristic had the effect of making the search not to enter the inner loop.
In Fig. 2 we also analyzed the constructed φ B , measuring the number of valid reactions from which it is made (Val.) and the time (Tme.)that a realizability checker takes to verify whether φ B (hence, φ T ) is realizable or not (expressed with dark and light gray colours, respectively).We used Strix [31] as the realizability checker.As we can see, there is a correspondence between the expected realizability in φ T and the realizability result that Strix returns in φ B .Indeed, we can see all instances can be solved in less than 7 seconds, and the length of the Boolean formula (characterized by the number of valid reactions) hardly affects performance.This suggests that future work should be focused on reducing time necessary to produce Boolean abstraction to scale even further.
Also, note that Fig. 2 shows remarkable results as for ratios of queries required with respect to the (doubly exponential) brute-force algorithm: e.g., 4792 + 9941 (outer + inner loops) out of the 1.844•10 19 queries that the brute-force algorithm would need, which is less than its 1•10 −13 % (see Fig. 3 for more details).We also compared the performance and number of queries for two different theories T Z and T R for Syn (2,3) to Syn (2,6).Note, again, that the realizability result may vary if a specification is interpreted in different theories, but this is not relevant for the experiment in Fig. 4, which suggests that time results are not dominated by the SMT solver; but, again, from the enclosing abstraction algorithms.

Lits Heuristic
T Z T R setup Time (s) Queries (ou/in) Time (s) Queries (ou/in) 3

Related Work and Conclusions
Related work.Constraint LTL [13] extends LTL with the possibility of expressing constraints between variables at bounded distance (of time).The theories considered are a restricted form of T Z with only comparisons with additional restrictions to overcome undecidability.In comparison, we do not allow predicates to compare variables at different timesteps, but we prove decidability for all theories with an ∃ * ∀ * decidable fragment.LTL modulo theories is studied in [22,14] for finite traces and they allow temporal operators within predicates, leading the logic to undecidability.As for works closest to ours, [9] proposes numerical LTL synthesis using an interplay between an LTL synthesizer and a non-linear real arithmetic checker.However, [9] overapproximates the power of the system and hence it is not precise for realizability.Linear arithmetic games are studied in [15] introducing algorithms for synthesizing winning strategies for non-reactive specifications.Also, [25] considers infinite theories (like us), but it does not guarantee success or termination, whereas our Boolean abstraction is complete.They only consider safety, while our approach considers all LTL.The follow-up [26] has still similar limitations: only liveness properties that can be reduced to safety are accepted, and guarantees termination only for the unrealizability case.Similarly, [21] is incomplete, and requires a powerful solver for many quantifier alternations, which can be reduced to 1-alternation, but at the expense of the algorithm being no longer sound for the unrealizable case (e.g., depends on Z3 not answering "unknown").As for [38], it (1) only considers safety/liveness GR(1) specifications, (2) is limited to the theory of fixed-size vectors and requires (3) quantifier elimination (4) and guidance.We only require ∃ * ∀ * -satisfiability (for Boolean abstraction) and we consider multiple infinite theories.The usual main difference is that Boolean abstraction generates a (Boolean) LTL specification so that existing tools can be used with any of their internal techniques and algorithms (bounded synthesis, for example) and will automatically benefit from further optimizations.Moreover, it preserves fragments like safety and GR(1) so specialized solvers can be used.On the contrary, all approaches above adapt one specific technique and implement it in a monolithic way.
Temporal Stream Logic (TSL) [18] extends LTL with complex data that can be related accross time, making use of a new update operator y ← f x , to indicate that y receives the result of applying function f to variable x.TSL is later extended to theories in [17,28].In all these works, realizability is undecidable.Also, in [10] reactive synthesis and syntax guided synthesis (SyGuS) [1] collaborate in the synthesis process, and generate executable code that guarantees reactive and data-level properties.It also suffers from undecidability: both due to the undecidability of TSL [18] and of SyGus [8].In comparison, we cannot relate values accross time but we provide a decidable realizability procedure.
Comparing TSL with LTL T , TSL is undecidable already for safety, the theory of equality and Presburger arithmetic.More precisely, TSL is only known to be decidable for three fragments (see Thm. 7 in [17]).TSL is (1) semi-decidable for the reachability fragment of TSL (i.e., the fragment of TSL that only permits the next operator and the eventually operator as temporal operators); (2) decidable for formulae consisting of only logical operators, predicates, updates, next operators, and at most one top-level eventually operator; and (3) semi-decidable for formulae with one cell (i.e., controllable outputs).All the specifications considered for empirical evaluation in Section 5 are not within the considered decidable or semi-decidable fragments.Also, TSL allows (finite) uninterpreted predicates, whereas we need to have predicates well defined within the semantics of theories of specifications for which we perform Boolean abstraction.

Conclusion.
The main contribution of this paper is to show that LTL T is decidable via a Boolean abstraction technique for all theories of data with a decidable ∃ * ∀ * fragment.Our algorithms create, from a given LTL T specification where atomic propositions are literals in such a theory, an equi-realizable specification with Boolean atomic propositions.We also have introduced efficient algorithms using SAT solvers for efficiently traversing the search space.A SAT formula encodes the space of reactions to be explore and our algorithms reduce this space by learning uninteresting areas from each reaction explores.The fastest algorithm uses a two layer SAT nested encoding, in a DPLL(T) fashion.This search yields dramatically more efficient running times and makes Boolean abstraction applicable to larger cases.We have performed an empirical evaluation of implementations of our algorithms.We found empirically that the best performances are obtained when there is a balance in the number of queries made by each layer of the SAT-search.To the best of our knowledge, this is the first method to propose a solution (and efficient) to realizability for general ∃ * ∀ * decidable theories, which include, for instance, the theories of integers and reals.
Future work includes first how to improve scalability further.We plan to leverage quantifier elimination procedures [11] to produce candidates for the sets of valid reactions and then check (and correct) with faster algorithms.Also, optimizations based in quasi-reactions can be enhanced if state-of-the-art tools for satisfiability core search (e.g., [27,3,2]) are used.Another direction is to extend our realizability method into a synthesis procedure by synthesizing functions in T to produces witness values of variables controlled by the system given (1) environment and system moves in the Boolean game, and (2) environment values (consistent with the environment move).Finally, we plan to study how to extend LTL T with controlled transfer of data accross time preserving decidability.

A More about empirical evaluation
In this paper, we only optimized heuristics (of Alg. 3) with respect to time and, even if current evidence suggests that the number of valid reactions is not relevant, it could be the case it is relevant for other kind of formulae to be evaluated.Thus, note that different heuristics yield different φ B that can be more succint (e.g., produce much less valid reactions): for instance, using the 100/20/40/× heuristic-setup for Train(4,5) took 4144 seconds and produced 24 valid reactions; whereas using the 20/2/0/✓ setup took 6328 seconds, but produced 17 valid reactions.This means that the difference between using a set of heuristics or another one is not only performance of Boolean abstraction method, the difference can be as great as the (actual) possibility of performing realizability checking.Studying this phenomena is also reported as a work in progress: it might be the case that it is overall faster to spend more time on the LTL T to LTL encoding if this results in a formula with fewer valid reactions whose realizability result can be obtained faster.
Fig. 3 contains the best ratios of queries required with respect to the (doubly exponential) brute-force algorithm.In Fig. 4, we also compare the performance and number of queries for Syn (2,3) to Syn (2,6) for theories T Z and T R .Note, again, that the realizability result may vary if a specification is interpreted in different theories, but this is not relevant for the experiment in Fig. 4.
Also, we tried to replicate results of Fig. 2 using the AbsSynthe (safety) checker [7], because of the fact that Past LTL [20] is more succint than LTL [30] and because it obtained remarkable results in the Reactive Synthesis Competition editions it participated 6 .Thus, we adapted some of our benchmark for realizability to the AIGER standard7 format [4] using Py-Aiger PLTL 8 .However, even if early results in AbsSynthe are promising (e.g., it lasted 0.06 seconds to solve Syn(2,2) instead of the 4.12 seconds of Strix9 ), the parsing process is too expensive and we got timeouts for φ B containing many valid reactions such as Stages (8,8).Comparing generated φ B with different realizability checkers (including AbsSynthe) is another interesting future research line.

B Benchmarks' literals
We show literals that compose each cluster, together with a minimal description about the specification from which they have been extracted.Note that original names of variables and the rest of the specification (which includes state enumerated variables and Boolean variables) are not shown.Nevertheless, they are all safety specifications.

B.1 Industrial case 1: Lift
Lift is part of a set of specifications that describes the functioning of a freight elevator system.It is divided into 4 clusters, interpreted in T R .
Cluster 1: Lift (1,7).This cluster contains 1 variable (which belongs to the system) and 7 literals.Concretely: Note that the c are just predefined constants and their value may affect the realizability result.Also, note that we can have formulae within literals (e.g., lit 25 ).
Cluster 2: Lift (2,4).This cluster contains 2 variables (both of them belong to the environment) and 4 literals.Concretely: )) Note that, if we would like to enhance speed, lit 21 and lit 23 could be conjuncted in a single literal, since they are assumptions of the environment that will always hold together.
Note that there are literals that use the equality operator, which is more restrictive than the comparison ones.
Note the inequality operator, which is less restrictive than the comparison ones.

B.2 Industrial case 2: Train
Train is part of a set of specifications describing the functioning of an autonomous train driving system.It is divided into 8 clusters, interpreted in T R .

B.3 Industrial case 3: Connect
Connect is part of a set of specifications describing the functioning of an electric vehicle charging and discharging system.It contains a single cluster Connect (2,2), interpreted in T Z .The cluster contains 2 variables (both of them belong to the environment) and 2 literals.Concretely: )) Note that we are performing an integer division.

B.4 Industrial case 4: Cooker
Cooker is part of a set of specifications describing the operation of a food processor with various functions.It contains a single cluster Cooker (3,5), interpreted in both T Z and T R .
The cluster contains 3 variables (the three of them belong to the system) and 5 literals, where b ∈ R. Concretely: Note that, since we are making an (unsound) comparison between an integer value and a real value in lit 5 , Z3 converts the integer typed value into a real typed one.

B.5 Industrial case 5: Usb
Usb is part of a set of specifications describing the operation of a system that prevents the loss of information during the interaction between a USB and a machine.It is divided into 2 clusters, interpreted in in T Z .
Cluster 1: Usb (2,3).This cluster contains 2 variables (both of them belong to the system) and 3 literals.Concretely: Note that, since the power operation is only accepted for reals, Z3 again performs a type conversion from integer to reals.
Cluster 2: Usb (3,5).This cluster contains 3 variables (the three of them belong to the system) and 5 literals.Concretely: Note that this case is a simple stressing from the previous one, adding an integer variable that could be (in this case) interpreted as a Boolean out of the Boolean abstractions, and also as a cluster itself.

B.6 Industrial case 6: Stages
Stages is part of a set of specifications describing the operation of a system that combines the use of different sensors for use in aviation.It is divided into 2 clusters, interpreted in in T Z .
Cluster 1: Stage (8,8).This cluster contains 8 variables (all of them belong to the environment) and 8 literals.Concretely: )) Note that there are several clusters merged in this one (lit 1 to lit 3 , and the rest are a single cluster each predicate).Since only the environment player appears in them, the Boolean abstraction remains fast.

B.7 Synthetic examples
This specification is different from the rest of them.Here, we stress an original specification in order to test the Boolean abstraction tool.Note that we can interpret literals in both T Z and T R .The original specification Syn (2,2) contains 2 variables (where x belongs to the environment and y belongs to the system) and 2 literals.Concretely: Then, we add a new constraint to make Syn (2,3): We add another one to make Syn (2,4): Note that Syn (2,7) has two executions in Fig. 2 in order to illustrate results with different heuristics.Also, note that semantics of original Syn (2,2) may vary with each addition of a constraint, yet they add no new theory-level operators.This may affect realizability results.

C Correctness
The main element of the proof of correctness of our Boolean abstraction technique is to show that every strategy of system in the game that corresponds to φ T can be mimicked by the system in the game of φ B in a way that one is winning if and only if the other is winning.This essentially boils down to proving that a local move for the system can be mimicked in both games.

C.1 Local Simulation
We start by stating properties of the set of valid reactions.The following lemma shows that there is an always valid move of the system (the extra requirement is never blocking).For every movement of the environment, the system can move at least with one of the reactions.Theorem 4. φ VR = ∀x.r∈VR r is a valid formula.
Proof.By contradiction, assume φ VR = ∀x.r∈VR r is not valid.Then, there is an interpretation I such that I ̸ ⊨ φ VR , or equivalently I[x v] ⊭ r∈VR r, for some v.By Lemma 2, we know φ React is valid, so I[x v] ⊨ r∈React r, for some v.That is, there is a reaction r such that r[x v] is valid.Therefore, ∃x.r is valid, so r ∈ VR.This means: I[x v] ⊨ r.
It follows that there is a r ∈ React \ VR such that I[v x] ⊨ r, which implies that I ⊨ ∃x.r.Since I ⊨ ∃x.r is closed, I ⊨ ∃x.r is valid.This is a contradiction.
As an observation, in the extra requirement, the set of potentials in valid reactions cannot be empty.In other words, for every move of the environment the system can always move with a valid reaction, which will result in the alwaysexistence of some outcome.This is stated in Lemma 3. Lemma 3 is crucial, because it ensures that once a Boolean abstraction algorithm is executed, for each fresh e variable in the extra requirement, at least one reaction with one or more potentials can be responded by the system.

C.2 From Local Simulation to Equi-Realizability
Realizability from LTL specifications considers infinite games.The positions in the arena of the game are valuations of the atomic propositions.The two players take turns choosing alternatively the values of their variables, resulting in a new position.Then, an infinite play is winning for the system if the specification is satisfied in the induced trace of the played, when the specification formula is evaluated according to the semantics of the logic.A strategy of the system is a map that assigns a move, given the previous sets of positions and the current move of the environment.A strategy is winning if all plays played according to it are winning for the system, in which case the specification is realizable and a system can be extracted.Note that, for φ B in particular, a winning system strategy always moves to positions where the extra requirement is true (otherwise the φ B would not hold and the strategy would not be winning.
For LTL T realizability, the arena has infinitely many position, since valuations of the variables are now considered.
It is easy to see that the results in the previous sub-section allow to define a simulation between the positions of the games for φ T and φ B such that (1) each literal l i and the corresponding variable s i have the same truth value in related positions, (2) the extra requirement is always satisfied, and (3) moves of the system in each game from related positions in each game can be mimicked in the other game.
Theorem 5. System wins G T if and only if System wins the game G B .Therefore, φ T is realizable if and only if φ B is realizable.
Proof.Since realizability games are memory-less determined, it is sufficient to consider only local strategies.Given a strategy ρ B that is winning in G B we define a strategy ρ T in G T as follows.Assuming related positions, ρ T moves in G T to the successor that is related to the position where ρ B moves in G B .By (3) above, it follows that for every play played in G B according to ρ B there is a play in G T played according to ρ T that results in the same trace, and vice-versa: for every play played in G T according to ρ T there is a play in G B played according to ρ B that results in the same trace.Since ρ B is winning, so is ρ T .
The other direction follows similarly, because again ρ B can be constructed from ρ T not only guaranteeing the same valuation of literals and corresponding variables, but also that the extra requirement holds in the resulting position.⊓ ⊔

Example 5 .
Consider again the specification in Ex. 1, with T Z as theory.Note that the valid reactions are r 1 and r 2 , as shown in Ex.4,where the potentials of r 1 are {c 1 , c 2 , c 3 } and the potentials of r 2 are {c 5 , c 6 }.Now, the creation of φ extra requires two fresh variables d 0 and d 1 for the environment (they correspond to environment decisions (x < 2) and (x ≥ 2), respectively), resulting into:

1 .
Reaction ({c 0 , c 3 }, {c 1 , c 2 }) is obtained in line 34, which is declared invalid by the SMT solver in line 35.The inner loop called in line 42 produces ({c 0 }, {c 1 }), ({c 3 }, {c 2 }) and ({}, {c 1 , c 2 }) as three invalid quasi-reactions, and their negations are added to the SAT formula of the outer loop in line 43.2. A second reaction ({c 0 , c 1 }, {c 3 , c 4 }) is obtained from the SAT solver in line 34, and now the SMT solver query is valid in line 35.Then, ¬(c 0 ∧ c 1 ) is added to the outer SAT formula in line 37. 3. A third reaction ({c 2 , c 3 }, {c 0 , c 1 }) is obtained in line 33 , which is again valid in line 35.Similarly, ¬(c 2 ∧ c 3 ) is added the outer SAT formula in line 37. 4. A fourth reaction ({c 1 , c 2 }, {c 0 , c 3 }) is obtained in line 33, which is now invalid (line 35).The inner loop called in line 42 generates the following cores:

Fig. 2 :
Fig. 2: Empirical evaluation results of the different Boolean abstraction algorithms, where the best results are in bold and φ B only refers to best times.

Lemma 2 .
For every valuation of v of x there is at least one reaction C such that react C [x v] is valid.Therefore, φ React = ∀x.r∈React r is valid.Proof.Let v be an arbitrary valuation of the variables x and let C = {c ∈ C|I[x v] ⊨ ∃y.c(x, y))} where I is an arbitrary interpretation.It follows that I[x v] ⊨ react C , since for every c ∈ C then I[x v] ⊨ c and for any c / ∈ C then I[x v] ⊭ c.

Lemma 3 .
Let C ∈ C be such that react C ∈ VR.Then C ̸ = ∅.Proof.Bear in mind react C ∈ VR is valid.Let v be such that react C [x v] is valid.Let w be an arbitrary valuation of y and let c be a configuration and l a literal.Therefore:l[x v,y w] is true l ∧ l[x v,y w] is false ¬l It follows that I[x ← v]∃y.c,so c ∈ C.