From linear temporal logic and limit-deterministic Büchi automata to deterministic parity automata

Controller synthesis for general linear temporal logic (LTL) objectives is a challenging task. The standard approach involves translating the LTL objective into a deterministic parity automaton (DPA) by means of the Safra-Piterman construction. One of the challenges is the size of the DPA, which often grows very fast in practice, and can reach double exponential size in the length of the LTL formula. In this paper, we describe a single exponential translation from limit-deterministic Büchi automata (LDBA) to DPA and show that it can be concatenated with a recent efficient translations from LTL to LDBA to yield a double exponential, ‘Safraless’ LTL-to-DPA construction. We also report on an implementation and a comparison with other LTL-to-DPA translations on several sets of formulas from the literature.


Introduction
Limit-deterministic Büchi automata (LDBA, also known as semi-deterministic Büchi automata) were introduced by Courcoubetis and Yannakakis (based on previous work by Vardi) to solve the qualitative probabilistic model-checking problem: Decide if the executions of a Markov chain or Markov decision process satisfy a given LTL formula with probability 1 [4,39,40].The problem faced by these authors was that fully nondeterministic Büchi automata (NBAs), which can capture all LTL-recognisable languages, cannot be used for probabilistic model checking, and deterministic Büchi automata (DBA), which could be used for probabilistic model checking, cannot capture all LTL-recognisable languages.The solution was to introduce LDBAs as a model in-between: as expressive as NBAs, but deterministic enough.
After these papers, LDBAs received little attention.The alternative path of translating the LTL formula into an equivalent fully deterministic Rabin automaton using Safra's construction [32] was considered a better option, mostly because it also solves the quantitative probabilistic model-checking problem (computing the probability of the executions that satisfy a formula).However, recent papers have shown that LDBAs were unjustly forgotten.Blahoudek et al. have shown that LDBAs are easy to complement [2].Kini and Viswanathan have given a single exponential translation of LTL \GU to LDBA [18].Finally, Sickert et al. describe in [9,34,36] two double exponential translations for full LTL that can also be applied to the quantitative case, and tend to behave better than Safra's construction in practice.
In this paper, we add to this trend by showing that LDBAs are also attractive for synthesis.The classical approach to the synthesis problem with LTL objectives 1 involves a translation of NBAs to DPAs with the help of the Safra-Piterman construction [30] or other recent determinisation constructions, such as [13,17,25].While limit-determinism is not 'deterministic enough' for the synthesis problem, we introduce a conceptually simple and worst-case optimal translation LDBA→DPA.
The presented translation bears some similarities with that of [12] where, however, a Muller acceptance condition is used.This condition can also be phrased as a Rabin condition, but not as a parity condition.Moreover, the way of tracking all possible states and finite runs differs.Furthermore, readers familiar with [13,17] might notice that our construction tries to identify an (infinite) left-path, which is by definition accepting, in the reduced split-tree.If we restrict ourselves to LDBAs, identifying these becomes considerably simpler compared to the cited approaches.Hence our approach uses similar ideas, but is stream-lined and simpler.
Together with the translation LTL→LDBA of [9,34,36], our construction provides a 'Safraless' procedure to obtain a DPA from an LTL formula.However, the direct concatenation of the two constructions does not yield an algorithm of optimal complexity: the LTL → LDBA translation is double exponential (and there is a double exponential lower bound), and so for the LTL→DPA translation we only obtain a triple exponential bound.We solve this problem by showing that these LDBAs derived from LTL formulas possess semantic state annotations that can be used to reduce the amount of tracked information in the constructed DPA.We then prove that in this setting the concatenation of the two constructions remains double exponential.
With the availability of efficient translations from LTL formulas into DPAs several tools emerged following the classical approach to synthesis with LTL objectives.First, there is ltlsynt which is part of Spot [5] that uses a NBA→DPA translation.Second, there is Strix [27,28] that relies on the translation presented in this paper and which recently won all LTL tracks of the synthesis competition SyntComp [16].Besides, the preserved semantic labelling of the states of the automata allows for heuristics guiding the exploration of the on-the-fly generated automaton [27], but also for efficient deployment of learning-based algorithms and lifelong learning paradigms in LTL synthesis [19].Such efforts have a great impact on the practical performance of solutions to this 2-EXPTIME-complete problem.For a detailed description of the exact implementation details of Strix we refer the reader to [27].
In the third and final part, we report on an experimental evaluation of our LTL→LDBA→DPA construction, and compare it with other constructions that translate LTL to DPAs.
Structure of the Paper.Section 2 introduces the necessary preliminaries about automata.Section 3 defines the translation LDBA→DPA.Section 4 shows how to compose this translation with a translation from LTL to LDBAs in such a way that the resulting DPA is at most doubly exponential in the size of the LTL formula.Section 5 reports on the experimental evaluation of this worst-case optimal translation, and Sect.6 contains our conclusions.
Editorial Note.This is an extended journal version of our previously published conference paper [8], including full proofs, more examples, and an extensive evaluation on classical and new, parametrised benchmarks.

Preliminaries
Büchi automata.A (nondeterministic) word automaton A with Büchi acceptance condition (NBA) is a tuple (Q, q 0 , , δ, α) where Q is a finite set of states, q 0 ∈ Q is the initial state, is a finite alphabet, δ ⊆ Q × × Q is the transition relation, and α ⊆ δ is the set of accepting transitions 2 .A is deterministic if for all q ∈ Q, for all σ ∈ , there exists a unique q ∈ Q such that (q, σ, q ) ∈ δ or there exists no such state.Given S ⊆ Q and σ ∈ , let post σ δ (S) = {q | ∃q ∈ S • (q, σ, q ) ∈ δ}.Further, we use q → σ p as a shorthand for (q, σ, p) ∈ δ if δ is clear from the context.
A run of A on a ω-word w : N → is a ω-sequence of states ρ : N → Q such that ρ(0) = q 0 and for all positions i ∈ N, we have that (ρ(i), w(i), ρ(i + 1)) ∈ δ.A run ρ is accepting if there are infinitely many positions i ∈ N such that (ρ(i), w(i), ρ(i + 1)) ∈ α.The language defined by A, denoted by L(A), is the set of ω-words w for which A has an accepting run.
A limit-deterministic Büchi automaton (LDBA) is a Büchi automaton A = (Q, q 0 , , δ, α) such that there exists a subset Q d ⊆ Q satisfying the three following properties: Fig. 1 An LDBA for the LTL language FGa ∨ FGb.The behaviour of A is deterministic within the subset of states Q d = {2, 3, 4} which is a trap, the set of accepting transitions are depicted in bold face and they are defined only between states of Q d .We simplify figure, by using the alphabet Ap = a, b instead of 2 Ap

∀q ∈ Q d • ∀σ ∈
• ∀q 1 , q 2 ∈ Q • (q, σ, q 1 ) ∈ δ ∧ (q, σ, q 2 ) ∈ δ → q 1 = q 2 , i.e. the transition relation δ is deterministic within Without loss of generality, we assume that q 0 ∈ Q \ Q d , and we denote Q\ Q d by Q d .Courcoubetis and Yannakakis show that for every ω-regular language L, there exists an LDBA A such that L(A) = L [4].That is, LDBAs are as expressive as NBAs.An example of LDBA is given in Fig. 1.Note that the language accepted by this LDBA cannot be recognised by a deterministic Büchi automaton.
Parity automata.A deterministic word automaton A with parity acceptance condition (DPA) is a tuple (Q, q 0 , , δ, p), defined as for deterministic Büchi automata with the exception of the acceptance condition p, which is now a function assigning an integer in {1, 2, . . ., d}, called a colour, to each transition in the automaton.Colours are naturally ordered by the order on integers.Given a run ρ over a word w, the infinite sequence of colours traversed by the run ρ is noted p(ρ) and is equal to p(ρ(0), w(0), ρ(1)) . . .p(ρ(n), w(n), ρ(n + 1)) . . . .A run ρ is accepting if the minimal colour that appears infinitely often along p(ρ) is even.The language defined by A, denoted by L(A), is the set of ω-words w for which A has an accepting run.
While deterministic Büchi automata are not expressively complete for the class of ω-regular languages, DPAs are complete for ω-regular languages: for every ω-regular language L there exists a DPA A such that L(A) = L, see e.g.[30].
Linear Temporal Logic.We introduce linear temporal logic (LTL) as most authors with the following reduced syntax: Let w be a word over the alphabet 2 Ap and let ϕ be a formula.Let w i = w(i)w(i + 1) . . .denote the suffix of w at position i.The satisfaction relation w | ϕ is inductively defined as follows: We denote by L(ϕ):={w ∈ (2 Ap ) ω | w | ϕ} the language of ϕ.Left-out, but often used LTL operators are then added as abbreviations.Fϕ:=ttUϕ (eventually) and Gϕ:=¬F¬ϕ.
3 From LDBA to DPA

Run DAGs and their colouring
Run DAG.A nondeterministic automaton A may have several (even an infinite number of) runs on a given ω-word w.As in [23], we represent this set of runs by means of a directed acyclic graph structure called the run DAG of A on w.
where the sets V i are defined inductively: -V 0 = {(q 0 , 0)}, and for all i ≥ 1, - We denote by V d i the set V i ∩ (Q d × {i}) that contains the subset of vertices of layer i that are associated with states in Observe that all the infinite paths of G w that start from (q 0 , 0) are runs of A on w, and, conversely, each run ρ of A on w corresponds exactly to one path in G w that starts from (q 0 , 0).So, we call runs the infinite paths in the run DAG G w .In particular, we say that an infinite path v 0 v 1 . . .v n . . . of G w is an accepting run if there are infinitely many positions i ∈ N such that v i = (q, i), v i+1 = (q , i + 1), and (q, w(i), q ) ∈ α.Clearly, w is accepted by A if and only if there is an accepting run in G w .We denote by ρ(0..n) = v 0 v 1 . . .v n the prefix of length n + 1 of the run ρ.

Ordering of runs. A function
Ord defines a strict total order on the state from Q d , and maps each state q ∈ Q d to +∞, i.e.: -for all q ∈ Q d , Ord(q) = +∞, -for all q ∈ Q d , Ord(q) = +∞, and -for all q, q ∈ Q d , Ord(q) = Ord(q ) implies q = q .
We extend Ord to vertices in G w as follows: Ord((q, i)) = Ord(q).

Remark 1
If A accepts a word w, then A has a -smallest accepting run for w.
We use the -relation on run prefixes to order the vertices of V i that belong to there is a run prefix of G w that ends up in v which is -smaller than all the run prefixes that ends up in v , which induces a total order among the vertices of V d i because the states in Q d are totally ordered by the function Ord.

Lemma 1 For all
Indexing vertices.The index of a vertex v = (q, i) ∈ V i such that q ∈ Q d , denoted by Ind i (v), is a value in {1, 2, . . ., |Q d |} that denotes its order in V d i according to i (the i -smallest element has index 1).For i ≥ 0, we identify two important sets of vertices: i+1 meaning that the sequence of states monitored so far aborts and does not lead to an infinite run; -or there exists a vertex ) ∈ E and (q, w(i), q ) ∈ α, i.e. the set of vertices in V d i that are the source of an accepting transition on w(i).
Remark 2 Along a (infinite) run, the index of vertices can only decrease.As the function Ind(•) has a finite range, the index along a run has to eventually stabilise.
Assigning colours.The set of colours that are used for colouring the levels of the run DAG G w is {1, 2, . . ., 2 • |Q d | + 1}.We associate a colour with each transition from level i to level i + 1 according to the following set of cases: The intuition behind this colouring is as follows: the colouring tracks (potentially infinite) runs in and tries to produce an even colour that corresponds to the smallest index of an accepting run.If in level i the run DAG has an outgoing transition that is accepting, then this is a positive event, as a consequence the colour emitted is even and it is a function of the smallest index of a vertex associated with an accepting transition from V i to V i+1 .Runs in Q d are deterministic but they can merge with smaller runs or they may abort.When this happens, this is considered as a negative event because the even colours that have been emitted by the run that merges with the smaller run or aborts should not be taken into account anymore.As a consequence an odd colour is emitted in order to cancel all the (good) even colours that were generated by the run that merges or aborts.In that case the odd colour is function of the smallest index of a run vertex in V i whose run merges or aborts.Those two first cases are handled by cases 1 and 2 of the case study above.When both situations happen at the same time, then the colour is determined by the minimum of the two colours assigned to the positive and the negative events.This is handled by case 3 above.And finally, when there is no accepting transition from V i to V i+1 and no merging or abort, the largest odd colour is emitted as indicated by case 4 above.
According to this intuition, we define the colour summary of the run DAG G w as the minimal colour that appears infinitely often along the transitions between its levels.Because of the deterministic behaviour of the automaton in Q d , each run can only merge at most |Q d | − 1 times with a smaller one (the size of the range of the function Ind(•) minus one), and as a consequence of the definition of the above Fig. 2 The run DAGs automaton of Fig. 1 on the word w = (ab) ω given on the left, and on the word w = aab ω given on the right, together with their colourings colouring, we know that, on word accepted by A, the smallest accepting run will eventually generate infinitely many (good) even colours that are never trumped by smaller odd colours.

Example 1
The left part of Fig. 2 depicts the run DAG of the limit-deterministic automaton of Fig. 1 on the word w = abb(ab) ω .Each path in this graph represents a run of the automaton on this word.The colouring of the run DAG follows the colouring rules defined above.Between level 0 and level 1, the colour is equal to 7 = 2|Q d |+1, as no accepting edge is taken from level 0 to level 1 and no run merges (within Q d ).The colour 7 is also emitted from level 1 to level 2 for the same reason.The colour 4 is emitted from level 2 to level 3 because the accepting edge (3, b, 3) is taken and the index of state 3 in level 2 is equal to 2 (state 4 has index 1 as it is the end point of the smallest run prefix within Q d ).The colour 3 is emitted from level 3 to level 4 because the run that goes from 3 to 4 merges with the smaller run that goes from 4 to 4. In order to cancel the even colours emitted by the run that goes from 3 to 4, colour 3 is emitted.It cancels the even colour 4 emitted before by this run.Afterwards, colours 3 is emitted forever.The colour summary is 3 showing that there is no accepting run in the run DAG.
The right part of Fig. 2 depicts the run DAG of the limit deterministic automaton of Fig. 1 on the word w = aab ω .The colouring of the run DAG follows the colouring rules defined above.Between levels 0 and 1, colour 7 is emitted because no accepting edge is crossed.To the next level, we see the accepting edge (2, a, 2) and colour 2 • 1 = 2 is emitted.Upon reading the first b, we see again 7 since there is neither any accepting edge seen nor any merging takes place.Afterwards, each b causes an accepting edge (3, b, 3) to be taken.While the smallest run, which visits 4 forever, is not accepting, the second smallest run that visits 3 forever is accepting.As 3 has index 2 in all the levels below level 3, the colour is forever equal to 4. The colour summary of the run is thus equal to 2 • 2 = 4 and this shows that word w = aab ω is accepted by our limit-deterministic automaton of Fig. 1.
The following theorem tells us that the colour summary (the minimal colour that appears infinitely often) can be used to identify run DAGs that contain accepting runs.

Theorem 1
The colour summary of the run DAG G w is even if and only if there is an accepting run in G w .Proof (⇒): Assume that the colour summary of G w is even and equal to c. Then it must be the case that there exists a level i ≥ 0 such the colour after level i is always larger than or equal to c, and infinitely many times equal to c. W.l.o.g.assume that in level i, there exists a vertex v = (q, i) ∈ Acc(V d i ) and c = 2 • Ind(v).Take the smallest run prefix that ends up in v, this run prefix will never merge with a smaller run prefix, and all smaller run prefixes that are active in level i will not merge or abort, as otherwise, there would exist a position j ≥ i where the index of the run that passes by (q, i) would decrease and this would contradict the fact that for all j ≥ i, all the colours that are emitted are larger than or equal to c.Let us now consider the suffix of the run that pass by v = (q, i).As the even colour c is emitted infinitely many times after level i, we know that this run suffix crosses infinitely many times α.So this run is accepting and this is the smallest such run.
(⇐): (Step 1): Now, let us consider the other direction.Assume that there exists an accepting run of A on a word w.We first establish the existence of a run ρ which is accepting and for which there exists a position k ≥ 0 from which ρ does not merge with any smaller run, and all smaller runs are non accepting.We identify ρ and k as follows.Among the accepting runs, we select one that enters first in the set of states Q d say at level i ≥ 0. They can be several of them, but we take one that enters Q d via a state q of minimal index for Ord.Let V d i be the active states at level i that are in Q d .The way we have chosen q make sure that all the states in V d i with a smaller index than q are the origin of non accepting runs and clearly as ρ is accepting it cannot merge with one of those smaller runs.Now, some of those smaller runs may merge or abort in the future, and each time they merge or abort, the index of ρ will decrease.But this will happen a number of times which is bounded by Q d .
(Step 2): Let k be the position when the last merge or abort of a smaller run prefix happens.
(Step 3): Let us now show that the existence of ρ and this position k allow us to prove that the colour summary is even.After position k, there are only odd colours with values larger than or equal to 2 • Ind(ρ(k)) + 1 because we know that nor ρ neither smaller runs merge or abort in the future.Also as ρ is accepting, there will be an infinite number of positions l ≥ k where the even colour is equal to 2 • Ind(ρ(k))), and only finitely many positions after k may have an even colour which is less than this value as all runs that are smaller than ρ are not accepting.So the summary colour is even and equal to 2 • Ind(ρ(k))).

Construction of the DPA
From an LDBA A = (Q, Q d , q 0 , , δ, α) and an ordering function Ord : Q → {1, 2, . . ., |Q d |, +∞} compatible with Q d , we construct a deterministic parity automaton B = (Q B , q B 0 , , δ B , p) that, on a word w, constructs the levels of the run DAG G w and the colouring of previous section.Theorem 1 tells us that such an automaton accepts the same language as A.
First, we need some notations.Given a finite set S, we note P(S) the set of its subsets, and OP(S) the set of its totally ordered subsets.So if (s, <) ∈ OP(S) then s ⊆ S and < ⊆ s × s is a total strict order on s.For e ∈ s, we denote by Ind (s,<) (e) the position of e ∈ s among the elements in s for the total strict order <, with the convention that the index of the <-minimum element is equal to 1.The deterministic parity automaton B = (Q B , q B 0 , , δ B , p) is defined as follows.
States and initial state.The set of states is e. a state of B is a pair (s, (t, <)) where s is a set of states outside Q d , and t is an ordered subset of Q d .The ordering reflects the relative index of each state within t.The initial state is q B 0 = ({q 0 }, ({}, {})).
Fig. 3 Upper: DPA that accepts the LTL language FGa ∨ FGb, edges are decorated with a natural number that specifies its colour.Lower: a reduced DPA Colouring.To define the colouring of edges in the deterministic automaton, we need to identify the states whose indices decrease when going from t 1 to t 2 or that abort because they have no δ-successor for σ .Those are defined as follows: Additionally, let Acc(t 1 ) = {q | ∃q ∈ t 2 : (q, σ, q ) ∈ α} denote the subset of states in t 1 that are the source of an accepting transition.We assign a colour to each transition (s 1 , (t 1 , < 1 )) → σ (s 2 , (t 2 , < 2 )) as follows:

Example 2
The DPA of Fig. 3 is the automaton that is obtained by applying the construction LDBA→DPA defined above to the LDBA of Fig. 1 that recognises the LTL language FGa∨FGb.The figure only shows the reachable states of this construction.As specified in the construction above, states of DPA are labelled with a subset of Q d and an ordered subset of Q d of the original NBA.As an illustration of the definitions above, let us explain the colour of edges from state ({1}, [4,3]) to itself on letter b.When the NBA is in state 1, 3 or 4 and letter b is read, then the next state of the automaton is again 1, 3 or 4. Note also that there are no runs that are merging in that case.As a consequence, the colour that is emitted is even and equal to the index of the smallest state that is the target of an accepting transition.In this case, this is state 3 and its index is 2.This is the justification for the colour 4 on the edge.On the other hand, if letter a is read from state ({1}, [4,3]), then the automaton moves to states ({1}, [4,2]).The state 3 is mapped to state 4 and there is a run merging which induces that the colour emitted is odd and equal to 3.This 3 trumps all the 4's that were possibly emitted from state ({1}, [4,3]) before.

Theorem 2
The language defined by the deterministic parity automaton B is equal to the language defined by the limit deterministic automaton A, i.e.L(A) = L(B).
Proof Let w ∈ ω and G w be the run DAG of A on w.It is easy to show by induction that the sequence of colours that occur along G w is equal to the sequence of colours defined by the run of the automaton B on w.By Theorem 1, the language of automaton B is thus equal to the language of automaton A.

Upper bound
Let n = |Q| be the size of the LDBA and let n d = |Q d | be the size of the accepting component.We can bound the number of different orderings using the series of reciprocals of factorials (with e being Euler's number):

We obtain a matching lower bound by strengthening Theorem 8 from [24]:
Lemma 2 There exists a family (L n ) n≥2 of languages (L n over an alphabet of n letters) such that for every n the language L n can be recognised by a limit-deterministic Büchi automaton with 3n + 2 states but cannot be recognised by a deterministic Parity automaton with less than n! states.
Proof The proof of Theorem 8 from [24] constructs a nondeterministic Büchi automaton of exactly this size and which is in fact limit-deterministic.
Assume there exists a deterministic Parity automata for L n with m < n! states.Since parity automata are closed under complementation, we can obtain a parity automaton and hence also a Rabin automaton of size m for L n and thus a Streett automaton of size m for L n , a contradiction to Theorem 8 of [24].Corollary 1 Every translation from limit-deterministic Büchi automata of size n to deterministic parity yields automata with 2 (n log n) states in the worst case.
In [34,36], we present two different LTL→LDBA translations.Given a formula ϕ of size n, both translations produce an asymptotically optimal LDBA with 2 2 O(n) states.The straightforward composition of these translations with the single exponential LDBA→DPA translation of the previous section is only guaranteed to be triple exponential, while the Safra-Piterman and Muller-Schupp constructions produce DPAs of at most doubly exponential size, if applied to NBAs constructed from LTL formulas.
In this section, we describe two modifications of our simple approach relying on additional semantic information that yield DPAs with 2 2 O(n) states.The approach taken by both modifications is the following: We can view the second component of the states produced by our construction as a sequence of states of the LDBA, ordered by their indices.Since there are 2 2 O(n) states in the LDBA for an LTL formula of length n, the number of such sequences is: If only the length of the sequences (the maximum index) were bounded by 2 n , the number of such sequences would be bounded by the number of functions 2 n → 2 2 O(n) which is: Both modifications prune these state sequences and guarantee that their length stay below a suitable threshold such that the resulting DPAs are asymptotically optimal.

Pruning by language decomposition
We introduce the main ideas of this approach using the LDBA3 depicted in Fig. 4 and the corresponding DPA Fig. 4 An LDBA A for the LTL language aWb ∧ GFc. 3 The behaviour of A is deterministic within the subset of states Q d = {3, 4} which is a trap and contains all accepting transitions which are depicted in bold face depicted in Fig. 5 (upper part) obtained by the construction from the previous section.First, let us examine the LDBA: the state q 4 accepts a superset of the language accepted by q 3 and state q 2 allows to 'restart' failed runs in q 4 .Second, let us examine the DPA: the state {2}, [3 < 4] encodes that in the corresponding run DAG the run in q 3 has entered first Q d before the run in q 4 .One also immediately sees that the states {2}, [3] and {2}, [3 < 4] are bi-similar and that they can be collapsed to a single state (lower part).However, inspecting this example closer we can find a different explanation for this phenomenon.One sees that the states q 3 and q 4 in the original LDBA accept if c appears infinitely often and only differ in the treatment of a.In fact this can be captured by two classic notions about languages: -A language S ⊆ ω is a safety language if there exists a set of bad prefixes B ⊆ * such that S = ω − B ω .Thus for all words outside the language there exists a finite witness that the word does not belong to the language.We then denote the set of all safety languages by S.
Thus all suffixes of a word in the language are also in the language.We then denote the set of all suffix-closed languages by C.
The languages of q 3 and q 4 are in fact an intersection of languages from S and C. To be more concrete, we have L(q 3 ) = C ∩ S 1 and L(q 4 ) = C ∩ S 2 with C = L(GFc), S 1 = L(Ga), S 2 = ω .We now make use of this to remove nodes from the run-DAG and thus also explain the removal of {2}, [3 < 4] .
Assume we have the situation V i = {q 2 , q 3 }, V d i = {q 3 }, and V d i+1 = {q 3 , q 4 }.We argue that we can keep only q 3 , redefine V d i+1 :={q 3 }, and still capture all relevant information to decide acceptance.We focus on the difficult case where the subtree of q 3 ∈ V d i+1 is rejecting and the subtree of q 4 ∈ V d i+1 Fig. 5 Upper: DPA constructed for the LDBA from Fig. 4, edges are decorated with a natural number that specifies its colour.Lower: A reduced DPA obtained through the construction relying on Proposition 1 is accepting.Then since q 4 is accepting the suffix w i+1 is in C and thus w i+1 cannot be in S 1 , which is the safety condition for q 3 .Since S 1 is a safety language, we will detect this after a finite prefix and can discard that particular branch of the run-DAG.Thus for some j > i we have V d j = {}.Since we have V j = {q 2 } due the self-loop on q 2 , we get V d j+1 = {q 4 } and this subtree is going to be accepting, since w i ∈ C and thus also w j ∈ C due to the suffix-closure of C.
Let us now generalise these insights: We call an LDBA and there exists a partition of the states e., all states in the component Q i d can be represented by an intersection of a safety language and a suffix-closed language, 2. ∀q ∈ d and letters σ, σ ∈ , then there exists p ∈ Q d and r ∈ Q i d such that q → σ p → σ r and L(r ) ⊆ L(r ), i.e. moving to the partition Q i d can be delayed, and for each state q ∈ Q d and letter σ we have at most one transition to Q i d .In fact, we can obtain by repetitive application of assumption (3) a generalisation to arbitrary finite words: Proof We proceed by induction on w.In the case w = we can immediately apply assumption (3).
Case w = w σ : Consider Fig. 6.In terms of this picture we need to prove that there exists some t ∈ Q i d such that L(t) ⊆ L(t ).We obtain the first part (the solid lines) by applying the induction hypothesis and have is deterministic we also obtain L(t) ⊆ L(t ) (the dotted lines).Now we apply, assumption (3) on r , s , and t (the dashed lines) to obtain s and t such that L(t ) ⊆ L(t ).Then by transitivity we get L(t) ⊆ L(t ).
We claim that for each block of the partition Q i d at most one state needs to be tracked by a run DAG in order to decide acceptance.Without loss of generality let us assume that LDBAs only contain states that are reachable from the initial state and that can reach an accepting transition.Thus for any state q ∈ Q we have L(q) = ∅.Given a decomposable LDBA with a set of states Q and a suitable partition , where V i,0 contains the nodes representing runs that are at level i in Q d and V i, j contains the nodes that correspond to Q j d .Formally, the sets V i, j are defined inductively as: otherwise.
for all i ≥ 1 and all 1 ≤ j ≤ n and where we use to denote the successors of a level in the underlying automaton.
Let us now reconsider the LDBA from Fig. 4.This LDBA is decomposable with Property (1) follows from our previous analysis and ( 2) is a direct consequence of the LDBA definition, since we only have single partition, and (4) follows from the fact that we have at most one transition from q 1 and q 2 to Q d under each letter.For (3) observe that L(q 3 ) ⊆ L(q 4 ) and we have the 'restarting' loop in q 2 .Let us now see why this pruning is correct: There is an accepting run in the reduced run DAG G * w if and only if there is an accepting run in the run DAG G w .

Proof (⇒) Observe that G *
w is a subgraph of G w , since we obtain G * w from G w by removing nodes and edges.Thus every accepting run on G * w is also an accepting run on G w .(⇐) Assume that G w = (V , E) has an accepting run.Then an accepting run eventually transitions from some q ∈ Q d by reading the letter w(i − 1) to some p ∈ Q Assume V i, j = {p}.Then by definition of G * w we also have a (deterministic) run starting in ( p, i) that is identical to the one in G w starting in ( p, i) which is accepting.
Assume V i, j = ∅ and let r = δ( p, w(i)).Then by assumption (3) and (4) there exists unique p ∈ Q d and r ∈ Q j d such that q → w(i−1) p → w(i) r and L(r ) ⊆ L(r ).Since the (deterministic) run (r , i + 1) (in G w ) is accepting, the (deterministic) run starting (r , i + 1) (in G * w ) is also accepting.
It remains to consider the case where V i, j is neither empty nor simply { p}.By the definition of G * w there exists a unique state p ∈ V j,i .If w i ∈ L( p ), then we are also done since then G * w has then an accepting run.Thus assume w i / ∈ L( p ). From w i ∈ L( p) we derive that w i ∈ C for the suffix-closed language C associated with Q j d .This follows from assumption (1).Moreover, assumption (1) tells us that w i / ∈ S for all S ∈ S with L(q ) = C ∩ S. Finally, since the LDBA does not contain states q with L(q) = ∅, there must be a level i > i such that V i , j is empty.We then proceed analogous to the case V i, j = ∅, but make use of Lemma 3 to bridge the longer distance.To be more precise, let q → w(i−1) p → w(i) • • • → w(i −2) r → w(i −1) s be the sequence of states in the original run-DAG.We then apply We now can apply the construction from Sect.3.2 to obtain a DPA tracking the reduced run DAG G * w .Assume that the LDBA has m states and n partitions.Then each V i has at most cardinality n + 1 and thus the resulting DPA has at most (m + 1) n+1 states.
A suitable LTL → LDBA translation.We now show that decomposable LDBAs exist and these are in fact produced by the recent LTL→LDBA translation defined in [34][Theorem 6.2].
Proposition 2 For all LTL formulas ϕ, the procedure of [34] [Theorem 6.2] produces a LDBA which is decomposable and has at most 2 n partitions, where n is the the length of ϕ.
Proof Let us first sketch the structure of the resulting LDBA.A schema of the structure can be found Fig. 7.The states of the LDBA are a disjoint union of the set Reach(ϕ), forming the states for the initial component, and Q X i ,Y i , forming the states for the accepting component.Further, the latter is parametrised by sets X i and Y i which depend on the formula ϕ.Within the initial component, we have a deterministic transition relation, named af , and states that can be identified by LTL formulas.The accepting component is constructed as follows: for fixed sets X and Y , let X ,Y , , δ X ,Y , α) be the intersection of the following deterministic Büchi automata (DBA): -A 1 ϕ,X accepts the language of a syntactic safe formula obtained from ϕ and X .-A 2 X ,Y accepts the language of i GFψ i , where ψ i is derived from X and Y .-A 3 X ,Y accepts the language of j Gψ j , where ψ j is a syntactic safe formula derived from X and Y .
The overall transition relation δ for the LDBA A is the union of af , δ X ,Y , and the yet-to-be-defined δ .δ connects the initial component with the accepting component.
It contains exactly one edge for each state in Reach(ϕ) to a state in Q X ,Y .
We now claim that the partition Y m is a suitable partition to show that the LDBA A is decomposable.For this observe, that af , δ X ,Y are deterministic transition relations.Lastly, we need to verify that for each Q X ,Y the assumptions (1-4) hold: 1.By construction, A X ,Y is derived by an intersection, every state in q ∈ Q X ,Y recognises the intersection L( i GFψ i ) ∈ C and a safety language.2. By construction Q is a disjoint union and no transitions leaving Q X ,Y have been added, thus Q X ,Y is a trap.3.This assumption is proven by the technical [34][ Lemma 4.20] relating af and •[•] ν , which is the essential component of δ .4. Finally, it can be easily verified by looking at the definition δ in [34][Theorem 6.2], that there exists at most one transition from the initial component to each of the partitions.
Lastly we claimed that there are at most 2 n , where n is the size of the formula, partitions.For this observe that X i and Y j are according to [34][Theorem 6.2] subsets of two disjoint sets containing only subformulas of ϕ and thus there exist at most 2 n possible choices for X i and Y j .

Pruning by language subsumption
Fix an LDBA with a set of states Q. Assume the existence of an oracle: a list of statements of the form L(q) ⊆ q ∈Q q L(q ) where q ∈ Q and Q q ⊆ Q.We use the oracle to define a mapping that associates to each run DAG G w a 'reduced DAG' G * w , defined as the result of iteratively performing the following four-step operation: -Find the first V i in the current DAG such that the sequence We call (v k , i) a redundant vertex.-Remove (v k , i) from the sequence, and otherwise keep the ordering i unchanged (thus decreasing the index of vertices (v, ) with > k).-Remove any vertices (if any) that are no longer reachable from vertices of V 1 .
We define the colour summary of G * w in exactly the same way as the colour summary of G w .The DAG G * w satisfies the following crucial property:

Proposition 3 The colour summary of the run DAG G *
w is even if and only if there is an accepting run in G w .
Proof "⇒": The 'only-if' direction can be proven as in Theorem 1 verbatim, only replacing G w by G * w .The reason why the argumentation is still correct, is that the discussed "smallest run prefix that ends up in v" (now in G * w ) is actually a real run prefix (in G w ) since it never secondarily merged.Indeed, runs only merge into smaller ones.
"⇐": (Step 1): For the 'if' direction, we first use the proof Theorem 1, Step 1, verbatim, obtaining the smallest accepting run in G w .
Additionally, we prove that this (smallest) constructed run ρ is actually a run in G * w .For a contradiction, assume that this is not the case and ρ = ρ 1 (v k , i)ρ 2 where (v k , i) is the first vertex on ρ that secondarily merged.Then there is The states are the pairs (s, (t, <)) such that (t, <) does not contain redundant vertices.There is a transition (s 1 , (t 1 , < )) a → (s 2 , (t 2 , <)) with colour c iff there is a word w and an index i such that (s 1 , (t 1 , <)) and (s 2 , (t 2 , <)) correspond to the i-th and (i + 1)-th levels of G * w , and a and c are the letter and colour of the step between these levels in G * w .Observe that the set of transitions is independent of the words chosen to define them.
The equivalence between the initial DPA A and the reduced DPA A r follows immediately from Proposition 3: A accepts w iff G w contains an accepting run iff the colour summary of G * w is even iff A r accepts w.
Example 3 Consider the LDBA of Fig. 1 and an oracle given by L(4) = ∅, ensuring L(4) ⊆ i∈I L(i) for any I ⊆ Q.Then 4 is always redundant and merged, removing the two rightmost states of the DPA of Fig. 3 (left), resulting in the DPA of Fig. 3 (right).However, for the sake of technical convenience, we shall refrain from removing a redundant vertex when it is the smallest one (with index 1).
Since the construction of the reduced DPA is parametrised by an oracle, the obvious question is how to obtain an oracle that does not involve applying an expensive language inclusion test.Let us give a first example in which an oracle can be easily obtained: Example 4 Consider an LDBA where each state v = {s 1 , . . ., s k } arose from some powerset construction on an NBA in such a way that L({s 1 , . . ., An oracle can, for instance, allow us to merge whenever v k ⊆ j<k v j , which is a sound syntactic approximation of language inclusion.This motivates the following formal generalisation. Let L B = {L i | i ∈ B} be a finite set of languages, called base languages.We call L C := { L | L ⊆ L B } the join-semilattice of composed languages.We shall assume an LDBA with some L B such that L(q) ∈ L C for every state q.We say that such an LDBA has a base L B .In other words, every state recognises a union of some base languages.(Note that every automaton has a base of at most linear size.)Whenever we have states v j recognising i∈I j L i with I j ⊆ B for every j, the oracle allows us to merge vertices v k satisfying I k ⊆ j<k I j .Intuitively, the oracle declares a vertex redundant whenever the simple syntactic check on the indices allows for that. Let be a sequence of languages of L C where the reduction has been applied and there are no more redundant vertices.The maximum length of such a sequence is given already by the base L B and we denote it width(L B ).

Lemma 4 For any L B , we have width(L B ) ≤ |L
Proof We provide an injective mapping of languages in the sequence (except for V 1 ) into B. Since I 2 I 1 , there is some i ∈ I 2 \ I 1 and we map V 2 to this i.In general, since I k k−1 j=1 I j , we also have i ∈ I k \ k−1 j=1 I j and we map V k to this i.
On the one hand, the transformation of LDBA to DPA without the reduction yields 2 O(|Q|•log |Q|) states.On the other hand, we can now show that the second component of reduced LDBA with a base can be exponentially smaller.Further, let us assume the LDBA is initial-deterministic, meaning that δ ∩ (Q d × × Q d ) is deterministic, thus not resulting in blowup in the first component.

Corollary 2
For every initial-deterministic LDBA with base of size m, there is an equivalent DPA with 2 O(m 2 ) states.
Proof The number of composed languages is L C = 2 m .Therefore, the LDBA has at most 2 m (nonequivalent) states.Hence the construction produces at most states since the LDBA is initial-deterministic, causing no blowup in the first component.

Bases for LDBAs obtained from LTL formulas
We prove that the width for LDBA arising from the LTL transformation is only singly exponential in the formula size.To this end, we need to recall a property of the LTL→LDBA translation of [36].Since partial evaluation of formulas plays a major role in the translation, we introduce the following definition.Given an LTL formula ϕ and sets T and F of LTL formulas, let ϕ[T , F] denote the result of substituting tt (true) for each occurrence of a formula of T in ϕ, and similarly ff (false) for formulas of F. The following property of the translation is proven in "Appendix A".

Proposition 4
For every LTL formula ϕ, every state s of the LDBA of [36] is labelled by an LTL formula label(s) such that (i) L(s) = L(label(s)) and (ii) label(s) is a Boolean combination of subformulas of ϕ[T s , F s ] for some T s and F s .Moreover, the LDBA is initial-deterministic.
As a consequence, we can bound the corresponding base: Corollary 3 For every LTL formula ϕ, the LDBA of [36] for ϕ has a base of size 2 O(|ϕ|) .
Proof Firstly, we focus on states using the same ϕ[T s , F s ].The language of each state can be defined by a Boolean formula over O(|ϕ|) atoms.Since every Boolean formula can be expressed in the disjunctive normal form, its language is a union of the conjuncts.The conjunctions thus form a base for these states.There are exponentially many different conjunction in the number of atoms.Hence the base is of singly exponential size 2 O(|ϕ|) as well.
Secondly, observe that there are only 2 O(|ϕ|) different formulas ϕ[T s , F s ] and thus only 2 O(|ϕ|) different sets of atoms.Altogether, the size is bounded by 2 Theorem 3 For every LTL formula ϕ, there is a DPA with 2 2 O(|ϕ|) states.

Proof
The LDBA for ϕ has base of singly exponential size 2 O(|ϕ|) by Corollary 3 and is initial-deterministic by Proposition 4. Therefore, by Corollary 2, the size of the DPA is doubly exponential, in fact 2 (2 This matches the lower bound 2 2 (n) by [22] as well as the upper bound by the Safra-Piterman approach.Finally, note that while the breakpoint constructions in [36] is analogous to Safra's vertical merging, the merging introduced here is analogous to Safra's horizontal merging.

Comparing the two pruning methods
We presented two different pruning techniques to achieve an asymptotically optimal LTL→DPA translation.The question is how to they compare on conceptual level, is one stronger than the other?No, in fact they are incomparable.Consider Fig. 5. Here, the first construction removes the ranking [3 < 4] but this cannot be achieved by the second construction.On the other hand, is is clear that languagebased pruning technique can be applied to any LDBA (by using a language inclusions checks) and thus is applicable to larger set of LDBAs.

Experimental evaluation
We showed that our determinisation construction, which is considerably simpler compared to other constructions, can be combined with semantic pruning of tracked states.This then yields an asymptotical optimal construction.This simplicity is achieved by a detour over LDBAs and one would expect that this incurs inefficiencies in practice.In this section, we provide experimental evidence that this not the case.

Method
Metric.We compare the size (number of states, number of colours) of produced automata since this is a good indicator of the size of the arena in the automata-theoretic approach to synthesis.In contrast, we do not include any resource consumption analysis, i.e. measurements of computation time or allocated memory.Not only are these values highly dependent on implementation details but, foremost, as shown by [27] on-the-fly computation of the state-space and additional compositional constructions are highly relevant for the overall computation time in the context of synthesis.For each input formula ϕ i , we compare sizes a i and b i achieved by different methods and are interested in the achieved improvement factor, which is their ratio a i /b i .In order to aggregate the factors into an average one, given that the involved numbers can be hugely different, it is appropriate to use the geometric average of the ratios: Consequently, for each approach and a set of inputs, we display the the geometric average of the sizes since, for each pair of approaches, the respective ratio immediately yields the desired comparison.
Competing Translations.We compare seven configurations from three different groups of translations that yield DPAs (with the acceptance condition defined on transitions): -via NBAs: N ltl2tgba4 ( [5], 2.8.5):The tool implements a portfolio approach for constructing small automata, in our configuration DPAs.If the formula is not covered by one of the specialised constructions, a version of the Safra determinisation procedure [31] with several optimisations is used.Thus one can argue that it is the state-of-the-art portfolio translator.N 2 nbadet5 ( [26]6 ): The tool implements the construction presented [25] with additional optimisations [26].
We use ltl2tgba -B to translate LTL formulas into NBAs with the acceptance condition defined on states, since in the tested version of the tool acceptance conditions on transitions are not supported.Note that such a detour causes a blowup in the intermediate NBA.
-via DRAs (deterministic Rabin automata): D 1 ltl2dgra (asymmetric), dgra2dra, dra 2dpa7 : This approach uses the direct translation to deterministic generalised Rabin automata (DGRA) that has been described in [7] and revised and corrected in [10].This configuration uses all available optimisations, including the usual reduction rules for Rabin pairs, e.g.[10].This approach treats the least-(F, U, M) and greatest-fixed-point operators (G, W, R) 'asymmetrically', and has only a proven triple exponential upper bound.We combine it with the IAR (index-appearance record) construction as improved in [21].D 2 ltl2dra (symmetric), dra2dpa 7 : This approach uses the direct translation to DRAs based on the 'Master-Theorem' [9,34] and uses optimisations described in detail in [34].As in the previous case, we combine it with the IAR construction of [21].
-via LDBAs: LD 1 ltl2dpa (asymmetric) 7 : This translation combines the construction presented here with the 'asymmetric' translation LTL→LDBA presented in [36], which treats least-(F, U, M) and greatest-fixed-point operators (G, W, R) differently.LD 2 ltl2dpa (symmetric) 7 : This translation combines the construction presented here with the 'symmetric' translation LTL→LDBA based on the 'Master-Theorem' presented in [9,34], which treats least-(F, U, M) and greatest-fixed-point operators (G, W, R) symmetrically.LD p ltl2dpa (portfolio) 7 : Here, we combine the previous translations with a portfolio of translations for fragments that directly yield DPAs [9,34,35].This portfolio approach is important in comparison to the configuration N 1 where similar steps are taken.Moreover, since complementation of DPAs is trivial, this configuration translates both the formula and its negation to DPAs A ϕ , A ¬ϕ , constructs the complement A ¬ϕ , and picks the smaller of A ϕ and A ¬ϕ .
Input Formula Sets.We base the evaluation on two sets of formulas: the first set consists of the well-known 'Dwyer'patterns [6] that collects 55 LTL formulas specifying common properties; the second set is obtained by instantiating the 11 parametrised formulas from Table 1.These families are partly taken from [14, 29,38] or are simple combinations of U, GF, and FG formulas 8 .The second set of formulas is useful to isolate and analyse strong-and weak points of the compared translations.Furthermore, we abstained from using randomly generated formulas, because in our experience it is unclear what this implies for practice, since formulas from real-world examples usually have a high degree of structure compared to randomly generated formulas.
The formula sets are obtained by executing genltl9 with the corresponding parameters.Each formula and its negation is then added to the set of formulas.We take the following steps to reduce the influence of specific simplification rules and to remove (close to) duplicate entries: first, we bring formulas into negation normal form; second, we apply a standard set of LTL simplification rules [1,11,29,33,37] with the goal to neutralise the effect LTL simplifier in the evaluation; third, we normalise the atomic propositions and remove formulas that are equal modulo renaming of atomic propositions.
As a consequence, the number of formulas consider is less than the number of formulas of the corresponding original publication.For example, [6] lists 55 formulas, but we remove six entries: e.g., only one of Ga, G¬a, and Fa is added to the formula set.Note that we always evaluate the translation also on the negation of each formula.However, we do not remove duplicates across the two formula sets.

Results
The measured automata sizes for the LTL formulas are listed in Tables 2 and 4. We refer by ϕ to formulas of the pattern set, and by χ to formulas of the parametrised set.Further, we write ϕ instead of ¬ϕ.We sort the rows of the table by the difference in the orders of magnitude of sizes yielded by the considered configurations.More precisely, we compute max min for each row, where min refers to the number of states of the smallest automaton and max refers to the number of states of the largest automaton, and sort in descending order.In the main body of the paper, we list only the top 10 rows according to this order to highlight the most interesting differences.The remaining results are located in Appendix B.

Discussion
Table 2 and Table 4, which contain the formulas with the largest differences in size, suggest the following conclusions.

Variants of the LDBA approach.
There are several cases where LD 1 produces dramatically smaller automata than LD 2 , e.g., the first four rows of Table 2. Nevertheless, there are also many cases where LD 2 is slightly smaller LD 1 , e.g., the following rows in that table and most of the formulas of Table 4. Thus both techniques have their merit, with their ratio close to 1 and the asymmetric being 'safer' if only one is to be used.
Observe that the same behaviour occurs with the pair D 1 and D 2 , reflecting the fact that this difference stems from the difference between the asymmetric and symmetric approaches.This pattern is already noticeable for the intermediate constructions, i.e, the sizes of the constructed LDBAs and DRAs, respectively.The geometric averages for this intermediate step are 6.16, 5.68, 4.75, and 4.80 on the patterns set for LD 1 , LD 2 , D 1 , and D 2 , respectively, and 7.47, 7.94, 4.85, and 5.51 on the parametrised set.The complete results are located in "Appendix B".

Safra versus IAR versus LDBA determinisation
Our LDBA determinisation in a portfolio configuration (LD p ) is on-par with N 1 on the pattern set, the average ratio being 103%, and takes the lead in the parametrised setting, the average ratio being 70% there.
For LD 1 and LD 2 , without post-processing and portfolio techniques, the difference to N 1 grows (with the ratios 124% and 133%, respectively).Yet, on the parametrised set they are still better than the the portfolio N 1 (with 90% and 87%, respectively).
One of the reasons for the discrepancy between comparisons on the pattern set and on the parametrised set is that the parametrised set contains several 'simpler' formulas that are recognisable by a deterministic Büchi or deterministic co-Büchi automaton, as indicated by N 1 only needing a single colour.In these 'simple' cases, several techniques are known, and implemented in N 1 , to reduce the number of states in the automata.
The other Safra-based approach N 2 tends to yield larger automata than N 1 .
Comparing the IAR and LDBA-determinisation approaches, interestingly, there are significant differences in both directions on many formulas; yet the ratios are close to 1 on the pattern set, showing they are quite incomparable.However, the latter takes the lead on the parametrised set.
Summary The portfolio approaches are the clear winners.While N 1 may produce slightly smaller automata in many cases, LD p produces in several cases significantly smaller automata.Both approaches are practically used in the LTL synthesis: N 1 is used in ltlsynt [15] and a variant of LD p is used in Strix [27].We leave open the question, whether implementing a portfolio for the IAR approach would also yield a competitive configuration.
Finally, having pointed out the differences, it is important to keep in mind that, for a substantial part of the formulas, all participating tools yield small automata, not differing dramatically, as one can see by inspecting "Appendix B".

Conclusion
We have presented a simple, 'Safraless', and asymptotically optimal translation from LTL and LDBA to DPA.Furthermore, the translation is suitable for an on-the-fly implementation and deployment in the LTL synthesis, which has been successfully demonstrated Strix [27], the winner of the LTL-synthesis track of SyntComp 2018 [16] and 2019. 10

A Proof of Proposition 4
We start by recalling the LTL→LDBA translation of [36].
Preliminaries.The translation assumes that formulas are in negation normal form, given by the syntax where a belongs to a finite set of atomic propositions.Every formula over the usual syntax of LTL (with negation and the X and U operators) can be normalised with linear blowup if formulas are represented by their syntax DAGs, where two occurrences of the same subformula are represented by the same node.
The states of the LDBA for an LTL formula are equivalence classes of formulas (or tuples thereof) with respect to propositional equivalence.However, we abuse language and write that the states are formulas or tuples of formulas.
The LDBA A ϕ consists of two deterministic components, called the initial and accepting components, and denoted A in and A ac , respectively-in Fig. 8 they are shown above and below the dashed line.The accepting component A ac is the union (defined componentwise for states, transitions, and accepting states) of subcomponents A G , one for each set G of G-subformulas of ϕ-that is, if ϕ has n different Gsubformulas, then A ac is the union of 2 n subcomponents).Transitions of A ϕ labeled by an alphabet letter connect either two states of A in , or two states of the same subcomponent of A ac .Further, for each state q of A in and each set G there is an -transition leading from q to a state of A G .Initial component A in : Define the set of formulas reachable from ϕ as Reach(ϕ) = {ψ | ∃w.ψ = af (ϕ, w)}.The set of states of A in is Reach(ϕ).The initial state is ϕ.The transition function δ in is given by δ in (ψ, a) = af (ψ, a).Intuitively, A in monitors the formula that has to hold at the current moment for ϕ to hold at the beginning.Accepting component A ac : The accepting component A ac is the union of subcomponents A G , one for each G ⊆ G(ϕ).
Let G(ϕ) denote the set of all G-subformulas of ϕ.Given a set G ⊆ G(ϕ) and a formula ψ, we write ψ[G] as an abbreviation for ψ[G, G(ϕ) \ G], i.e., for the result of substituting tt for each maximal occurrence of a formula of G in ψ, and ff for each maximal occurrence of a formula of  The only final state is tt.The initial state is left unspecified.Lemma 2 of [36] shows that the ϕ[G]-monitor accepts a word w from a state q iff w satisfies the formula q.
This concludes the description of A ϕ .
We can now proceed to prove Proposition 4. Proposition 4 For every LTL formula ϕ, every state s of the LDBA of [36] for ϕ can be labelled by an LTL formula label(s) such that (i) L(s) = L(label(s)) and (ii) label(s) is a Boolean combination of subformulas of ϕ[T s , F s ] for some T s and F s .Moreover, the LDBA is initial-deterministic.
Further, label(s) can be computed in linear time from the descriptor of s.
Proof Recall the two properties of the af function.For every formula ϕ, finite word v, and ω-word w: Therefore, every formula of Reach(ϕ) is a boolean combination of subformulas of ϕ.
Let s be a state of A in , and let v be any finite word leading from s 0 to s.By Theorem 1 of [36], we have L(s 0 ) = L(ϕ).(ϕ, v)).So we can take label(s) = s.
We consider now the case that s belongs to A ac .Then there is a set G = (Gψ

B Additional experimental results
We list in Table 5 the complete and normalised 'Dwyer'pattern formula set.Tables 6 and 7 contain missing entries from Tables 2, and 8 contains entries missing from Table 4, respectively.Moreover, we list the sizes of the intermediate automata in Tables 9 and 10. aW(aW(aW(aW(Ga)))) Table 7 This table is a continuation of Table 6 LTL

Fig. 6
Fig. 6 Structure of the induction step in Lemma 3 j d .Then p ∈ V d i and the (deterministic) run starting in ( p, i) is accepting.Let us now see what happens in G * w = (V , E ).We proceed by a case distinction.

Fig. 7
Fig.7 Schematic overview of an LDBA obtained in[34, Theorem 6.2]   for a formula ϕ.Q d is on the left and Q d is on the right hand-side Lemma 3 to obtain s ∈ Q j d with L(s) ⊆ L(s ) and that is in V i +1, j .Due to the language inclusion, this run is then accepting.
a contradiction with minimality of ρ. (Step 2): Let k be the position when the last merge of a smaller run prefix happens in G * w (not G w ).(Step 3): We use the proof Theorem 1, Step 3, verbatim, proving the colour summary is even.The mapping on DAGs induces a reduced DPA as follows.
a product of DBAs: One for the formula ϕ[G], and one for each formula of the form G(ψ[G]), where Gψ ∈ G. Observe that ϕ[G] is a G-free formula, and G(ψ[G]) does not have nested Gs.For example, if G = {G(a ∨ Gb)}, then A G is the product of three DBAs, one for ϕ[G], one for G(b[G]) = Gb, and a third one for G((a ∨ Gb)[G]) = G(a ∨ ff) ≡ P Ga.We call the DBAs for ϕ[G] and G(ψ[G]) the monitors.

Fig. 8
Fig. 8 Automaton A for ϕ = c ∨ XG(a ∨ Fb).The initial component is the dashed line, the accepting component below 1 , . . ., Gψ n ) such that s belongs to A G .By the definition of A G as product of DBAs, s is of the form (ϕ [G], (ξ 11 , ξ 21 ), . . ., (ξ 1n , ξ 2n )), where ϕ [G] is a state of the monitor for ϕ[G], and (ξ 1i , ξ 2i ) is a state of the monitor for G(ψ i [G]).Further, the words recognised from s are those simultaneously recognized from ϕ [G], (ξ 11 , ξ 21 ), . . ., (ξ 1n , ξ 2n ) in their respective automata.By Lemma 5, the words recognised from s are those satisfying ϕ [G] ∧ ξ 11 ∧ ξ 21 ∧ . . .∧ ξ 1n ∧ ξ 2n .We choose label(s) as this formula.It remains to show that each conjunct of label(s) is a boolean combination of formulas of sf(ϕ)[G].-By the definition of the monitor for ϕ[G], the formula ϕ [G] belongs to Reach(ϕ[G]), and by (ii) we are done.-By the definition of the monitor for G(ψ i [G]), the formulas ξ 1i and ξ 2i belong to Reach(ψ i [G]).By (ii), they are boolean combinations of subformulas of ψ i [G].Since ψ i is a subformula of ϕ, they are also boolean combinations of subformulas of ϕ[G], and so a boolean combination of formulas of sf(ϕ)[G].

Table 3
Excerpt ofTable highlighting the effect of negation and complementation used in the portfolio approach

Table 5
Complete and normalised 'Dwyer'-pattern formula set

Table 8
This table is a continuation of Table4

Table 9
This table displays the sizes of the intermediate automata for the 'Dwyer'-patterns set.The table list number of states, followed by the number of acceptance sets (if larger than 1) and is sorted descending in regards to the largest difference in order of magnitude differences, as explained in the text.We write1n , σ , , and med., for the average, the standard deviation, the geometric average, and the median, respectively, for the number of states.For D 1 and D 2 we list the sizes of the intermediate DRAs and for LD 1 and LD 2 the sizes of the intermediate LDBAs n √

Table 10
This table displays the sizes of the intermediate automata for the parametrised set (Table1).The table is structured as Table9Acknowledgements The authors want to thank Michael Luttenberger for helpful discussions and the anonymous reviewers for constructive feedback.Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material.If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.