From Emerson-Lei automata to deterministic, limit-deterministic or good-for-MDP automata

The topic of this paper is the determinization problem of ω\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\omega $$\end{document}-automata under the transition-based Emerson-Lei acceptance (called TELA), which generalizes all standard acceptance conditions and is defined using positive Boolean formulas. Such automata can be determinized by first constructing an equivalent generalized Büchi automaton (GBA), which is later determinized. The problem of constructing an equivalent GBA is considered in detail, and three new approaches of solving it are proposed. Furthermore, a new determinization construction is introduced which determinizes several GBA separately and combines them using a product construction. An experimental evaluation shows that the product approach is competitive when compared with state-of-the-art determinization procedures. The second part of the paper studies limit-determinization of TELA and we show that this can be done with a single-exponential blow-up, in contrast to the known double-exponential lower-bound for determinization. Finally, one version of the limit-determinization procedure yields good-for-MDP automata which can be used for quantitative probabilistic model checking.


Introduction
Many standard algorithms in the fields of verification and synthesis of reactive systems [15,37,41,44] are based on the theory of ω-automata, which are automata accepting infinite words. For logical specification languages such as linear temporal logic (LTL), many verification systems, including  Spin [5] or Prism [30], use logic-to-automata translations internally to verify a given system against the specification.
As classical automata-based solutions to reactive synthesis and probabilistic verification use deterministic automata [37,44], the question of whether and how ω-automata can be determinized efficiently is a major research area [31,36,38,40,42]. The first single-exponential and asymptotically optimal determinization for Büchi automata was presented in [40]. It produces Rabin automata, whose acceptance condition is a generalization of the Büchi condition.
The high state-complexity of determinization and most logic-to-automata translations have raised the question of more succinct representations of ω-automata. Using generalized acceptance conditions (e.g. generalized Büchi [16] or generalized Rabin [10,12]) and transition-based [22], rather than state-based, conditions are common techniques in this direction. An even more general approach has led to the HOA-format [1], which represents the acceptance condition as a positive Boolean formula over standard Büchi (Inf) and co-Büchi (Fin) conditions, also called Emerson-Lei conditions [20,41]. This standardized format has proven to be very useful: together with a vast body of work on heuristics and dedicated procedures it has led to practically usable and mature tools and libraries such as Spot [18] and Owl [29] which support a wide range of operations on ω-automata.
While determinization algorithms have made large steps towards practical feasibility, another line of work has considered automata with restricted forms of nondeterminism, which, while being nondeterministic, nevertheless share some of the desired properties of deterministic automata. In this spirit, the classes of good-for-MDP [24] and good-forgames [28] automata can be used for quantitative probabilistic model checking of Markov decision processes [23,43], while limit-deterministic Büchi automata can be used for qualitative model-checking [15]. Another important class in this context are unambiguous automata, which also share some good algorithmic properties of deterministic automata [13], and are useful for probabilistic verification of Markov chains [4]. Dedicated translations from LTL directly to (limit-) deterministic [21] and unambiguous [25] automata have been studied.
This paper considers the problems of determinizing and limit-determinizing transition based Emerson-Lei automata (TELA). In contrast to limit-determinization, the theoretical complexity of determinization is well understood (a tight, double-exponential, bound was given in [40,41]). However, it has not been studied yet from a practical point of view, which is the aim of this paper. All presented algorithms have been implemented, and are openly accessible together with the experimental evaluation [27].

Contribution
Three new translations from TELA to GBA are proposed, and an example is given in which they perform exponentially better than state-of-the-art implementations. We demonstrate how they can be used to build novel determinization approaches for TELA. The determinization procedures are based on a product construction which combines multiple GBA. Our experiments show that this approach often outperforms approaches based on determinizing a single GBA. A simple adaptation of the product construction produces limit-deterministic TELA of singleexponential size (in contrast to the double-exponential worst-case complexity of full determinization). We show that deciding whether Pr max M (L(A)) > 0 holds is NPcomplete if the TELA A is limit-deterministic, and in P if the acceptance of A is fin-less (Proposition 5.3). Finally, a limit-determinization construction for TELA based on the breakpoint-construction is presented. We show that a version of this procedure yields good-for-MDP Büchi automata (Definition 5.4). Thereby Pr max M (L(A)) is computable in single-exponential time for any MDP M and TELA A (Theorem 5.3). The experimental evaluation compares the perfor-mance of the different constructions using three benchmark sets.
This article is an extended version of the conference paper [26] which provides full proofs (including some technical lemmas which were omitted in the conference version) and further examples. The experiments are also extended to an additional benchmark set.

Related work
The upper-bound for determinization of TELA [40,41] relies on a translation to GBA which first transforms the acceptance formula into disjunctive normal form (DNF). We refine this idea by discussing and comparing several ways of performing this transformation. In particular, we present different strategies to remove Fin-atoms from the acceptance formula, which is a necessary ingredient of the approach. The removal of Fin-atoms is also discussed in [17,Sect. 4.5], together with a transformation into Büchi automata which relies on computing the conjunctive normal form of the acceptance formula after removing Fin-atoms. Our fin-removal strategies build on the ideas of [17], but our transformation to GBA avoids the CNF conversion and therefore sometimes produces exponentially smaller automata. Furthermore, we extend it to produce limit-deterministic automata. Translations from LTL to TELA have been proposed in [9,32,35], and all of them use product constructions to combine automata for subformulas.
The emptiness-check for ω-automata under different types of acceptance conditions has been studied in [2,10,12,19], where [2] covers the general case of Emerson-Lei conditions and also considers qualitative probabilistic model checking using deterministic TELA. The generalized Rabin condition from [10,12] is equivalent to the DNF that we use and it is a special case of the hyper-Rabin condition for which the emptiness problem is in P [11,20]. Probabilistic model checking for deterministic automata under this condition is considered in [12], while [10] is concerned with standard emptiness while allowing nondeterminism. In contrast to the above works, we consider probabilistic model checking for nondeterministic automata under general Emerson-Lei conditions. A procedure to transform TELA into parity automata is presented in [39], but it does not guarantee the output to be deterministic.
The first limit-determinization procedure for nondeterministic Büchi automata was presented in [14,15], and it relies on the idea of combining a copy of the automaton with its breakpoint automaton. This idea was also used in [7,23]. We lift it to Emerson-Lei automata by using multiple different breakpoint automata, corresponding to different parts of the Emerson-Lei condition.

Outline
After the preliminaries in Section 2, we present the new translation approaches to construct GBA in Sect. 3. In Sect. 4, we show how to use them to determinize TELA and introduce the determinization based on a product construction. The translations to limit-deterministic TELA and good-for-MDP automata are contained in Sect. 5. Finally, we compare the different approaches in our experimental evaluation in Sect. 6 before we conclude the paper in Sect. 7.

Preliminaries
The infinite words over a finite alphabet are denoted by ω .

Automata on infinite words
A transition-based Emerson-Lei automaton (TELA) A is a tuple (Q, , δ, I , α), where Q is a finite set of states, is a finite alphabet, δ ⊆ Q × × Q is the transition relation, I ⊆ Q is the set of initial states and α is a symbolic acceptance condition over δ, defined by: If α is tt, ff , Inf(T ) or Fin(T ), then it is called atomic. We denote by |α| the number of atomic conditions contained in α, where multiple occurrences of the same atomic condition are counted multiple times. Symbolic acceptance conditions describe sets of transitions T ⊆ δ. Their semantics is defined recursively as follows: Two acceptance conditions α and β are δ-equivalent . . . ∈ δ ω that starts with an initial state q 0 ∈ I . The set of transitions that appear infinitely often in ρ are denoted by inf(ρ). A run ρ is accepting (ρ | α) iff inf(ρ) | α. The language of A, denoted by L(A), is the set of all words for which there exists an accepting run of A. The sets of infinite words which are the language of some TELA are called ω-regular. A TELA A is deterministic if the set of initial states contains exactly one state and the transition relation is a function δ : Q × → Q. It is complete, if for all (q, a) ∈ Q × : δ ∩ {(q, a, q ) |q ∈ Q} = ∅. A Büchi condition is an acceptance condition of the form Inf(T ) and a generalized Büchi condition is a condition of the form 1≤i≤k Inf(T i ). We call the sets T i appearing in a generalized Büchi condition its acceptance sets. Rabin (resp. Street) conditions are of the

Probabilistic systems
A labeled Markov decision process (MDP) M is a tuple (S, s 0 , Act, P, , L) where S is a finite set of states, s 0 ∈ S is the initial state, Act is a finite set of actions, P : S × Act ×S → [0, 1] defines the transition probabilities with s ∈S P(s, α, s ) ∈ {0, 1} for all (s, α) ∈ S × Act and L : S → is a labeling function of the states into a finite alphabet . Action α ∈ Act is enabled in s if The set of all paths of M is denoted by Paths(M) and Paths fin (M) denotes the finite paths. Given a path π = s 0 α 0 A Markov chain is an MDP with | Act(s)| ≤ 1 for all states s. A scheduler of M is a function S : (S × Act) * × S → Act such that S(s 0 α 0 . . . s n ) ∈ Act(s n ). It induces a Markov chain M S and thereby a probability measure over Paths(M). The probability of a set of paths starting in s 0 under this measure is Pr S M ( ). For an ω-regular property ⊆ ω we define Pr max M ( ) = sup S Pr S M ({π | π ∈ Paths(M) and L(π ) ∈ }). We denote by Pr S M,s ( ) and Pr max M,s ( ) the corresponding values in the MDP one gets by setting the initial state in M to s ∈ S, and omit the M in the subscript if it is clear from the context. In a Markov chain, which has a unique scheduler, we omit the superscripts. We refer to [3, Chapter 10] for more details.

From TELA to generalized Büchi automata
We present four different constructions to transform TELA into equivalent GBA. One of them is the construction that is implemented by Spot, the other ones are new. First, we define some operations on TELA, which we combine later to define our constructions.

Operations on Emerson-Lei automata
The first operator splits a TELA along the top-level disjuncts of its acceptance condition. Let A = (Q, , δ, I , α) be a TELA where α = 1≤i≤m α i and the α i are arbitrary acceptance conditions. We define split(A) :

Lemma 3.1 If A is a TELA, then
Proof "⊆": Let ρ be a run of A for w such that ρ | α. Then, it follows that ρ | α i for some 1 ≤ i ≤ m. But then ρ is also an accepting run of split(A)[i] and hence w ∈ L(split(A)[i]).
"⊇": Let ρ be an accepting run of split(A)[i] for some 1 ≤ i ≤ m. Then ρ | α i , and hence ρ | α. It follows that ρ is an accepting run of A.
The analogous statement does not hold for conjunction and intersection (see Example 3.1). In other words, the intersection of languages of automata one gets by splitting along a top-level conjunction is not necessarily the language of the original automaton. This is because a conjunctive acceptance formula requires the existence of a run satisfying all conjuncts.

Example 3.1
Consider the automaton A with acceptance condition α as shown in Fig. 1, and observe that we have L(A) = ∅. Splitting the acceptance condition of A leads to the acceptance conditions α 1 and α 2 . We call the corresponding automata that use these two acceptance conditions A 1 and A 2 . Note, that A 1 and A 2 use the same transition system as A. The automata A 1 and A 2 both accept the word a ω , i.e. L( We also need constructions to realize the union of a sequence of automata. This can either be done using the sum (i.e. disjoint union) or the disjunctive product of the state spaces. We define a general sum (simply called sum) operation and one that preserves GBA acceptance (called GBA-specific sum). The disjunctive product construction for TELA is mentioned in [17] and similar constructions are used in [32,35]. While the sum operations yield smaller automata in general, only the product construction preserves determinism.

Definition 3.1 Let
be two complete TELA with disjoint state-spaces. The sum of A 0 and A 1 is defined as follows: 1}, (i.e. both automata are GBA), then we can use the GBA-specific sum: The disjunctive product is defined as follows: and ↑(α i ) is constructed by replacing every occurring set of transitions T in α i by be two complete TELA with disjoint state-spaces. The following statements hold: ) This is clear as any accepting run of A i (for i ∈ {0, 1}) can be mapped directly to an accepting run of A 0 ⊕A 1 , and an accepting run A 0 ⊕ A 1 corresponds to an accepting run of one of the automata A 0 , A 1 .
Note, that the acceptance α G B A contains the same number of atomic acceptance conditions as A 0 and A 1 , i.e. the acceptance condition does not increase when ⊕ G B A is used to combine two GBA.
The additional Inf(δ 0 ) and Inf(δ 1 ) atoms in the acceptance condition of A 0 ⊕ A 1 are essential (see Example 3.2).

Example 3.2
Consider the TELA A 0 and A 1 in Fig. 2 and Fig. 2, which both accept the empty language. If we unify the state spaces and disjunct the acceptance conditions we get the TELA in Fig. 2. However, this automaton accepts the language a ω = L(A 0 ) ∪ L(A 1 ).
We can apply the GBA-specific sum to any two GBA by adding Inf(δ i ) atoms until the acceptance conditions are of equal length. Many of our constructions will require the acceptance condition of the TELA to be in DNF. We will use the following normal form throughout the paper (also called generalized Rabin in [10,12]).

Definition 3.2 (DNF for TELA) Let
and such that all k i ≥ 1.
A single Fin atom in each disjunct is enough because Fin(T 1 ) ∧ Fin(T 2 ) ≡ δ Fin(T 1 ∪ T 2 ) holds for all T 1 , T 2 , δ. Taking k i ≥ 1 is also no restriction, as we can add "∧ Inf(δ)" to any disjunct. Using standard Boolean operations one can transform a TELA with acceptance β into DNF by just translating the acceptance formula into a formula α of the above form, with |α| ≤ 2 |β| and each disjunct contains at most |β| atomic acceptance conditions.

Fin-less acceptance
To transform a TELA in DNF (see Definition 3.2) into an equivalent one without Fin-atoms we use the idea of [10,17]: a main copy of A is connected to one additional copy for each disjunct α i of the acceptance condition, in which transitions from T i 0 are removed. The acceptance condition ensures that every accepting run leaves the main copy eventually. Figure 3 shows an example.
The construction removeFin(A) already appears in [10,17]. The automaton removeFin GBA (A) uses the same transition system but a different acceptance condition.
Proof We first prove that L(A) = L(removeFin(A)). "⊆": Let ρ be an accepting run of A for u, and assume It follows that there exists a position K after which ρ sees no transitions in T i 0 . We construct an accepting run ρ of removeFin(A) for u: for the first K positions, it copies ρ in the main copy Q. Then, it moves to Q i , and continues to simulate the moves of ρ. From that fact that ρ sees infinitely many transitions in each set T i j , it follows that ρ models φ i and hence is accepting. "⊇": Let ρ be an accepting run of removeFin(A) for u, i.e. ρ | φ i for some 1 ≤ i ≤ m. It follows that ρ eventually moves to Q i , because φ i contains at least one Inf-atom whose all transitions are fully included in Q i . As no other copy is reachable from Q i , ρ stays in Q i thereafter. Recall that copy Q i does not contain any transition in T i 0 . Projecting the part of ρ which is in Q i onto the corresponding transitions in Q yields a run ρ for u in A. From the definition of φ i and the fact that ρ models φ i it follows directly that ρ models α i , and hence ρ is accepting.
We show L(removeFin(A)) = L(removeFin GBA (A)) by proving that for all runs ρ in (δ ) ω we have First, assume that ρ | α , which implies that there exists Observe that, in contrast to removeFin, removeFin GBA always produces GBA. Both constructions consist of m + 1 copies of A (with Fin-transitions removed). Each disjunct of the acceptance condition of removeFin(A) contains at most as many atomic conditions than the corresponding disjunct of the acceptance condition of A.

Construction of spot
The transformation from TELA to GBA from [17] is implemented in Spot [18]. It transforms the automaton into DNF and then applies (an optimized version of) removeFin. The resulting fin-less acceptance condition is translated into conjunctive normal form (CNF). As Inf( holds for all δ, one can rewrite any fin-less condition in CNF into a conjunction of Inf-atoms, which is a generalized Büchi condition. When starting with a TELA B with acceptance β and N states, one gets a GBA with N 2 O(|β|) states and 2 O(|β|) acceptance sets, as the finremoval may introduce exponentially (in |β|) many copies, and the CNF may also be exponential in |β|.
Transforming a fin-less automaton into a GBA by computing the CNF has the advantage of only changing the acceptance condition, and in some cases it produces simple conditions directly. For example, Spot's TELA to GBA construction transforms a Rabin into a Büchi automaton, and a Streett automaton with m acceptance pairs into a GBA with m accepting sets. However, computing the CNF may also incur an exponential blow-up ( Fig. 4 shows such an example).

Copy-based approaches
We now describe three approaches (remFin→splitα, splitα→remFin and remFin→rewriteα), which construct GBA with at most |β| acceptance sets. On the other hand, they generally produce automata with more states than the approach that is implemented in Spot. They are based on [41] which first translates copies of A (corresponding to the disjuncts of the acceptance condition) to GBA, and then takes their sum. However, it is not specified in [41] how exactly Finatoms should be removed (they were concerned only with the theoretical complexity). We define: where the acceptance condition α of A is the DNF of β.
With removeFin as defined in Definition 3.3, the approaches remFin→splitα and splitα→remFin produce the same automata (after removing non-accepting SCC's), and all three approaches create O(m) copies of A.
We now analyze the number of acceptance sets of the resulting GBA conditions of the different approaches. The acceptance condition of removeFin(A) is in DNF and each disjunct contains at most |β| atomic acceptance conditions. Therefore, the sum of the first approach combines m GBA, which each have at most |β| acceptance sets. The acceptance condition of split(A)[i] contains at most |β| atomic acceptance conditions for each i. As removeFin does not increase the length of the acceptance condition, the sum of the second approach combines m GBA, which each have at most |β| acceptance sets. It follows directly from the definition of removeFin GBA (see Definition 3.3) that the acceptance condition of removeFin GBA (A) contains as many acceptance sets as the largest disjunct of the acceptance condition of A, which is bounded by |β|. Therefore, the number of acceptance sets in the acceptance conditions is bounded by O(|β|) for all three approaches.
Our implementation uses an optimized variant of the function removeFin, as provided by Spot, which leads to different results for all three approaches.

Determinization via single GBA
The standard way of determinizing TELA is to first construct a GBA, which is then determinized. Dedicated determinization procedures for GBA with N states and K acceptance sets produce deterministic Rabin automata with 2 O(N (log N +log K )) states [42]. For a TELA B with n states and acceptance β, the above translations yield GBA with N = n 2 O(|β|) and K = 2 O(|β|) (Spot's construction) or N = n 2 O(|β|) and K = O(|β|) (copy-based approaches). We evaluate the effect of the translations to GBA introduced in the previous chapter in the context of determinization in Sect. 6.

Determinization via a product construction
Another way to determinize a TELA A in DNF is to determinize the automata split(A)[i] one by one and then combining them with the disjunctive product construction of Definition 3.1: where "det" is any GBA-determinization procedure. Let B be a TELA with acceptance β and n states, and let α be an equivalent condition in DNF with m disjuncts. Then, for all the automata removeFin(split(A)[i]), the number of states is bounded by O(n) and the number of acceptance sets of the GBA conditions is bounded by O(β). Assuming an optimal GBA-determinization procedure, the product combines m automata with 2 O(n(log n+log |β|)) states and hence the result has 2 O(n (log n+log |β|)) m = 2 O(2 |β| ·n(log n+log |β|)) states.

Limit-deterministic TELA
Limit-determinism has been studied mainly for Büchi automata [15,43,44], and we define it here for general TELA.
This is a semantic definition and as checking emptiness of deterministic TELA is already coNP-complete, checking whether a TELA is limit-deterministic is as well. To establish this result, we first show that a canonical partition into nondeterministic and deterministic parts of the state space exists. Let A = (Q, I , , δ, α) be a fixed TELA. We say that a state q ∈ Q is deterministic if it has at most one successor in δ for each symbol, and define: The sets Q * D and Q * N can be computed in polynomial time using an SCC analysis of the underlying graph of A.
Proof The direction from right to left is immediate. We now show that if there exists a partition Q D , Q N which satisfies 1-3, then so does Q * D , Q * N . By construction, Q * D , Q * N satisfy conditions 1. and 2. As every state in Q D is only allowed to reach deterministic states, it follows that Q D ⊆ Q * D and hence Q * N ⊆ Q N . But then it follows from the fact that every accepting run of A eventually leaves Q N forever, that it also eventually leaves Q * N forever. This shows that the partition Q * D , Q * N satisfies condition 3. Proposition 5.1 Checking limit-determinism for TELA is coNP-complete.
Proof As we have seen above, checking whether A is limitdeterministic amounts to checking whether Q * D , Q * N satisfies conditions 1-3 of Definition 5.1. Conditions 1-2 hold by construction. To check condition 3 one can construct an automaton N which contains all states and transitions of Q * N and replaces all transitions out of Q * N by a transition to a rejecting trap state (this may need a simple rewrite of the acceptance condition). Then, condition 3 holds if and only if N accepts the empty language, which can be checked in coNP for TELA (this follows from NP-completeness of the non-emptiness problem [20,Thm. 4.7]).
For coNP-hardness, we reduce from the emptiness problem of TELA, which is coNP-hard. First observe that an automaton A in which Q * D is empty is limit-deterministic if and only if L(A) = ∅. So it suffices to translate an arbitrary TELA B into a TELA A in which Q * D is empty, and such that L(B) = ∅ iff L(A) = ∅. To do this we add a nondeterministic SCC to B, a transition from each original state in B to that SCC, and make sure using the acceptance condition that no run which gets trapped in the new SCC is accepting.
A syntactic definition for TELA in DNF, which implies limit-determinism, is provided in Definition 5.2.

Definition 5.2 A TELA
This property implies limit-determinism because each disjunct of the acceptance formula contains at least one atomic inf(T

Limit-determinization
Replacing the product by a sum in the product-based determinization of the last section yields single exponential limitdeterministic automata (in contrast to the double-exponential lower-bound for determinization).

Proof
The resulting automaton is limit-deterministic as the only nondeterminism in the transition system consists in the choice of the initial component. Its state space is of size log n+log k)) , as GBA can be determinized with a blow up of 2 O(n (log n+log k)) states [42].
If "det" is instantiated by a GBA-determinization that produces Rabin automata, then the result is in DNF and syntactically limit-deterministic. Indeed, in this case the only nondeterminism is the choice of the initial state. But "det" can, in principle, also be replaced by any limitdeterminization procedure for GBA.
We now extend the limit-determinization constructions of [15] (for Büchi automata) and [6,7,23] (for GBA) to Emerson-Lei conditions in DNF. These constructions use an initial component and an accepting breakpoint component [33] for A, which is deterministic. The following construction differs in two ways: there is one accepting component per disjunct of the acceptance condition, and the accepting components are constructed from A without considering the Fin-transitions of that disjunct. We will use the subset transition function θ associated with δ, defined by: θ(P, a) = q∈P {q | (q, a, q ) ∈ δ} for (P, a) ∈ 2 Q × , and additionally we define θ | T (P, a) = q∈P {q | (q, a, q ) ∈ δ ∩ T }. These functions are extended to finite words in the standard way. The following definitions refer to the fixed automaton A as defined in the beginning of the section. a), R 1 , B 1 , l), a, (R 2 , B 2 , l)

Definition 5.3 Let
In a state (R, B, l) of the above construction, intuitively R is the set of states reachable for the word seen so far in A without using transitions from T i 0 , while B are the states in R which have seen a transition in T i l since the last "breakpoint". The breakpoint-transitions are δ break i , which occur when all states in R have seen an accepting transition since the last breakpoint (namely if R = B). The standard breakpoint construction underapproximates the language of a given GBA, in general.
We define two limit-deterministic Büchi automata (LDBA) is additionally good-for-MDP (GFM) [24]. This means that G GFM A can be used to solve certain quantitative probabilistic model checking problems (see Sect. 5.2). Both use the accepting breakpoint components defined above. While G LD A simply uses a copy of A as initial component, G GFM A uses the deterministic subset-automaton of A (it resembles the cut-deterministic automata of [6]). Furthermore, to ensure the GFM property, there are more transitions between initial and accepting copies in G GFM A . The construction of G GFM A extends the approach for GBA in [23] (also used for probabilistic model checking) to TELA. We will distinguish elements from sets Q i for different i from Definition 5.3 by using subscripts (e.g. (R, P, l) i ) and assume that these sets are pairwise disjoint.

Definition 5.4 Let
Before giving a proof of Theorem 5.1 we prove two lemmas related to the breakpoint construction, which will be necessary for the correctness part of Theorem 5.1. The functions θ and θ i are defined as in Definition 5.3.
The proofs of the lemmas follow known arguments for the correctness of limit-determinization for Büchi and generalized Büchi automata (see [15,Sect. 4.2] and [6, Sects. 7.4 and 7.6]). Still, the extension to Emerson-Lei requires additional arguments and hence we give the proofs here in our notation for completeness. The first lemma extends [6, Lemma 7.1].

Lemma 5.2
For every accepting run ρ = q 0 q 1 . . . of A for w = w 0 w 1 . . . ∈ ω there exists an 1 ≤ i ≤ m such that ρ | α i , and a K ≥ 0 such that: Proof As ρ is accepting there must exist an 1 ≤ i ≤ m such that ρ | α i , which implies ρ | Fin(T i 0 ). Fix such an i. Then, the existence of a K (let us call it K 1 ) satisfying the first condition follows directly. Fix such a K 1 .
Next, we claim that a K 2 ≥ K 1 exists which satisfies both conditions. The first condition is satisfied by all K 2 ≥ K 1 , so we turn to the second condition. Suppose, for contradiction, that for all K 2 ≥ K 1 there exists l 1 ≥ K 2 such that for all u > l 1 we have Applying the same argument lets us find l 2 ≥ l 1 such that for all u > l 2 we have . Iterating this argument yields an infinitely descending chain, which is impossible as all considered sets are finite. It follows that there exists a K 2 ≥ K 1 satisfying both conditions, which concludes the proof.
The following lemma shows one direction of the correctness part of Theorem 5.1.

Lemma 5.3 L(G GFM A ) ⊆ L(A) and L(G LD A ) ⊆ L(A).
Proof We give the argument only for G GFM A , as it is the same for G LD A with simple modifications. Any accepting run of G GFM A for any w 0 w 1 . . . ∈ ω has the form where the first part from I to Q k is a path through the initial component of G GFM A , and the subsequent part is a path through some accepting breakpoint component B i , with 1 ≤ i ≤ m. As B i is the standard breakpoint automaton for A under acceptance α i and after removing transitions in T i 0 , it follows from the soundness of the known construction [6, Lemma 7.3] that there exists a run ρ through A from some state q ∈ P 0 for the word w[k+1..] such that ρ | α i and ρ sees no transition in T i 0 . Furthermore, clearly any state in P 0 is reachable from I with a path labeled by w[0..k]. Concatenating such a path with the run ρ yields an accepting run of A for w 0 w 1 . . ..
We define a run of G GFM A for w as follows. For the first K −1 steps, it remains inside the initial component. It will reach a state P ⊆ Q with q K −1 ∈ P. Then it takes the transition P, w[K −1], ({q K }, ∅, 0) i , and continues deterministically thereafter in component B i . This transition is in δ GFM bridge as (q K −1 , w[K −1], q K ) ∈ δ, and hence {q K } ⊆ θ(P, w[K −1]). We claim that the remaining run of B i sees infinitely many transitions in δ break i . 1 For contradiction, suppose that this is not the case. Then, there exists N > K such that for all j ≥ N we have B j ⊂ R j and h j = h j+1 . As ρ | α i holds, there must exist N 1 > N sat- i . It follows that q N 1 +1 ∈ B N 1 +1 . By the third property above, however, there exists u > N 1 +1 ≥ K such that This contradicts B u ⊂ R u . Hence, the constructed run is an accepting run of G GFM A for w, which finishes the proof of L(A) = L(G GFM A ).

A run for G LD
A can be constructed in the same way, with the only exception that the initial part of the run is set to 1 Here we let the indices for R, B and h start with K +1 so that they are in line with the position of the input word. be q 0 . . . q K −1 (rather than the unique path in the subsetconstruction for prefix w[0..K −2]).
As a direct corollary of Theorem 5.1 we get that TELA can be transformed into LDBA of single-exponential size.

Probabilistic model checking
This section discusses how the above constructions can be used for probabilistic model checking. We will use a product between an MDP M and a nondeterministic automaton A which was introduced in [28]. The construction is such that schedulers of the MDP are forced to resolve the nondeterminism of A by choosing the next state of the automaton. We assume that the automaton used to build the product has a single initial state, which holds for G GFM A . We define the accepting paths acc of M × G to be: As a first application, consider the qualitative model checking problem which asks to decide Pr max M (L(A)) > 0, under the assumption that A is a limit-deterministic TELA. While NP-hardness follows from the fact that the problem is already hard for deterministic TELA [34, Thm. 5.13], we now show that it is also in NP. Furthermore, it is in P for automata with a fin-less acceptance condition. This was already known for LDBA [15], and our proof uses similar arguments.

Proposition 5.3 Deciding Pr max M (L(A)) > 0, given MDP M and a limit-deterministic TELA A, is NP-complete. If A has a fin-less acceptance condition, then the problem is in P.
Proof NP-hardness for general limit-deterministic TELA follows directly from NP-hardness for deterministic TELA (see [34,Thm. 5.13]). For the upper-bounds we use the fact discussed above that if A is limit-deterministic, then we can compute a partition Q D , Q N satisfying conditions 1-3 of Definition 5.1 in polynomial time.
In NP for limit-det. TELA. We now show that the prob- Combining schedulers S 1 and S 2 yields a scheduler witnessing Pr max M (L(A)) > 0. " ⇒ ": Every path π from s in M induces a unique path p q (π ) from (s, q) in M × A, if q ∈ Q D (assuming that A is complete). We let Limit(π ) be the pair (A, T ) where A is the set of states appearing infinitely often in path π and T : A → 2 Act is the set of actions appearing infinitely often for each of the states in A. Given a state q ∈ Q D and an end-component E of M × A, we let X q,E = {π ∈ Paths(M) | there exist π 1 π 2 s.t. π = π 1 π 2 , where I L(π 1 ) − −− → A q means that a path in A exists which starts in some state in I , ends in q and is labeled by L(π 1 ). Let S be a scheduler on M satisfying Pr S M (L(A)) > 0. The S-paths π in M satisfying both L(π ) ∈ L(A) and π / ∈ q∈Q D {X q,E | atrans(E) | α} have probability zero. This is because a path π satisfies the following property with probability one under S: for all i ≥ 0 and q ∈ Q D : Limit( p q (π [i..])) forms an end-component in M × A. It follows that there exists q ∈ Q D and an end- But then E must also be reachable in M×A, which concludes the proof of the claim.
It is a direct consequence now that the problem is in NP, as we can guess the end-component E and then check in polynomial time whether atrans(E) | α holds.
In P for fin-less limit-det. TELA. If α is fin-less, then the existence of an end-component E with atrans(E) | α is equivalent to the existence of a maximal end-component satisfying the same property. This is because fin-less properties are preserved when adding additional transitions. As all maximal end-components can be enumerated in polynomial time (see Algorithm 47 in [3]), it follows by the above claim that Pr max M (L(A)) > 0 can be decided in polynomial time in this case.
Our next aim is to show that the maximal probability in an MDP to satisfy a property specified as a TELA can be computed in single-exponential time. As a means to this end we will show that the automaton G GFM A , as defined in Definition 5.4, is good-for-MDP (GFM) [24]. As before, we start with a TELA A = (Q, , δ, I , 1≤i≤m α i ) in DNF, with The GFM-property is defined using the product construction introduced above (Definition 5.5). A Büchi automaton G is called good-for-MDP (GFM) iff Pr max M (L(G)) = Pr max M×G ( acc ) holds for all MDP M [24]. The inequality "≥" holds for all automata [28,Thm. 1], but the other direction requires, intuitively, that a scheduler on M × G is able to safely resolve the nondeterminism of the automaton based on the prefix of the run. This is trivially satisfied by deterministic automata, but good-for-games automata also have this property [28]. Limit-deterministic Büchi automata are not GFM in general, for example, G LD To show this, we first prove a sufficient condition for a word to be accepted by B i .
be the sequence of the run between (Q , B l+1 , h l ). Take an arbitrary element q ∈ Q \ B l+1 and let P be the source states of the incoming transitions of q labeled by w[ j l +M−1] wrt. δ\T i 0 . As a consequence we have that P ∩ A M−1 is empty and no p ∈ Q M−1 satisfies ( p, w[ j l +M−1], q ) ∈ T i h l . This is because otherwise we would either have q ∈ B l+1 or see a breakpoint transition. In particular, there is no path from any p ∈ Q M−1 to q labeled by w[ j l +M−1] that sees T i h l . We can continue this argument inductively until reaching (Q 0 , A 0 , h l ) and conclude that there is no q ∈ Q such that there exists a θ i -path from q to q labeled by w[ j l .. j l+1 −1] which sees some transition in T i h l . This is in contradiction with the second property above.
Hence, the run sees a transition in δ break i infinitely often, which implies that it is accepting.

Recall that removeFin(split(A)[i]) is a GBA with two components: the initial component Q 1 is a copy of A where no transition is accepting, and component Q 2 is a copy of
and for all q 2 ∈ P l+1 there exists a q 1 ∈ P l and a γ -path from q 1 to q 2 labeled by w[ j l .. j l+1 −1] which hits all transition sets U i 1 , . . . , U i k i . Furthermore, the sequence is such that if d j l = d j p , then P l = P p .
Clearly a sequence j 0 < j 1 < . . . exists satisfying the above assumption (as ρ is accepting) and which additionally has the property that d j l = d j 0 for all l ≥ 0 (by taking j 0 = i 0 and the fact that infinitely many positions see d i 0 ). We may conclude that the sequence P 0 , P 1 . . . exists as above and as d j l = d j 0 for all l ≥ 0, indeed P 0 = P l for all l. So we may take Q = P 0 , and the only thing left to show is that Q ⊆ Q 2 holds. This, however, follows from the fact that Q is reachable from some accepting transition and hence must be included in the accepting part Q 2 of removeFin(split(A)[i]).
The above lemmas give a sufficient condition for a word to be accepted by B i (Lemma 5.4), and show that words labeling a loop in the deterministic automaton D i induce a path through the powerset automaton of removeFin(split(A)[i]) (Lemma 5.5). Now, we show how these facts can be used to construct the scheduler S .
Recall that we are given a finite memory scheduler S of M and to prove the GFM-property we have to provide a scheduler S such that Pr Hence for every path π 2 through B starting in s which sees all transitions in B infinitely often we find an accepting run d 0 d 1 . . . of D i for L(π 1 π 2 ) and a sequence j 0 < j 1 < . . . where j 0 = |π 1 | and such that: • for all l ≥ 0: d j l = d j 0 and the run d 0 d 1 . . . sees an accepting transition in between position j l and j l+1 for all l ≥ 0.
By Lemma 5.5 there exists a Q ⊆ γ (I , L(π 1 )) ∩ Q 2 such that for all l ≥ 0: Q = γ (Q , w[ j l .. j l+1 −1]) and for all q 1 ∈ Q there exists a q 2 ∈ Q and a finite γ -path for w[ j l .. j l+1 −1] hitting all transition-sets U i 1 , . . . , U i k i . Let Q be the corresponding set of states of A, which implies Q ⊆ θ(I , L(π 1 )). As Q ⊆ Q 2 we have: for all q 1 ∈ Q there exists a q 2 ∈ Q and a finite θ i -path for w[ j l .. j l+1 −1] hitting all transition-sets T i 1 , . . . , T i k i . It follows that the conditions of Lemma 5.4 are satisfied and hence that L(π 2 ) is accepted from (Q , ∅, 0) in B i .
The lemma does not hold if we restrict ourselves to singleton {q} ⊆ θ I , L(π 1 ) (see Example 5.1). Hence, restricting δ GFM bridge to such transitions (as for δ LD bridge , see Definition 5.4) would not guarantee the GFM property.

Example 5.1 Consider the automaton
Proof Let S be a finite-memory scheduler on M and M S × D be as above. As S uses only finite memory, the Markov chain M S ×D has finitely many states. This, in turn, implies that a BSCC will be reached with probability one. We construct the scheduler S as follows. For every finite path π 1 of M × G GFM  does reach a BSCC B we make a distinction on whether B is accepting or not. If B is not accepting, then S can be defined arbitrarily for all prefixes that extend π 1 . If B is accepting, then let us assume that the last state visited by π 1 is (s, P). Then P is exactly the set of states reachable in A from I on a path labeled by L × (π 1 ). By Lemma 5.6 there exists 1 ≤ i ≤ m and Q ⊆ P such that the probability of generating a suffix π 2 from state s in M under scheduler S whose label is accepted in

Experimental evaluation
The product approach combines a sequence of deterministic automata using the disjunctive product. We introduce the langcover heuristic: the automata are "added" to the product one by one, but only if their language is not already subsumed by the automaton constructed so far. This leads to substantially smaller automata in many cases, but is only efficient if checking inclusion for the considered automata types is efficient. In our case this holds because we can reduce the needed checks to inclusion checks on Street automata, which are in P [2, Table 2]. Note, that this is not the case for arbitrary deterministic TELA, or nondeterministic automata.

Implementation
We compare the following implementations of the constructions discussed above. 2 Spot uses the TELA to GBA translator of Spot, simplifies (using Spot's postprocessor with preference Small) and degeneralizes the result and [: : :] then determinizes using a version of Safra's algorithm [18,38]. The removeFin function that is used is an optimized version of Definition 3.3. If the input is a weak, Rabin or Street automaton, Spot uses dedicated algorithms instead of removeFin to construct the GBA. In the constructions remFin→splitα, splitα→remFin and remFin→rewriteα, the first step is replaced by the corresponding TELA to GBA construction (using Spot's function removeFin). The product approach (also implemented using the Spot-library) is called product and product (no langcover) (without the langcover heuristic). The intermediate GBA are also simplified. The construction G LD A is implemented in limit-det., using the Spot-library and parts of Seminator [8]. We compare it to limit-det. via GBA, which concatenates the TELA to GBA construction of Spot with the limit-determinization of Seminator. Similarly, good-for-MDP and good-for-MDP via GBA are the construction G GFM A applied to A directly, or to the GBA as constructed by Spot. Both constructions via GBA are in the worst case double-exponential. No post-processing, e.g. Spot's postprocessor, is applied to any output automaton.

Experiments
Computations were performed on a computer with two Intel E5-2680 CPUs with 8 cores each at 2.70 GHz running Linux. Each individual experiment was limited to a single core, 15 GB of memory and 1200 seconds. We use versions 2.9.4 of Spot (configured to allow 256 acceptance sets) and 2.0 of Seminator.
Our first benchmark set (called random) consists of 1000 TELA with 4 to 50 states and 8 sets of transitions T 1 , . . . , T 8 used to define the acceptance conditions. They are generated using Spot's procedure random_graph() by specifying probabilities such that: a triple (q, a, q ) ∈ Q × × Q is included in the transition relation (3/|Q|) and such that a transition t is included in a set T j (0.2). We use only transition systems that are nondeterministic. The acceptance condition is generated randomly using Spot's procedure acc_code::random(). We transform the acceptance condition to DNF and keep those acceptance conditions whose lengths range between 2 and 21 and consist of at least two disjuncts. To quantify the amount of nondeterminism, we divide the number of pairs of transitions with 2 The source code and data of all experiments are available at [27]. common starting point and symbol (that is, of the form (q, a, q 1 ), (q, a, q 2 ), with q 1 = q 2 ) of the automaton by its number of states. Table 1 shows that the product produces smallest deterministic automata overall. Spot produces best results among the algorithms that go via a single GBA. One reason for this is that after GBA-simplifications of Spot, the number of acceptance marks of the intermediate GBA are of about the same and Spot constructs GBA with fewer states. This difference in the number of states is expected, given the theoretical analysis in Sect. 3.2. The similarity of the numbers of acceptance marks is not supported by the theoretical analysis and can only be explained by Spot's advanced GBA-simplification algorithms that might suit Spot's GBA better than the GBA constructed by the other approaches.
The limit-deterministic automata are in general much smaller than the deterministic ones, and limit-det via GBA. performs best in this category (see Fig. 6). However, the construction G LD A (limit-det.) resulted in fewer timeand memouts and, as shown in Fig. 6, it still produces for most cases outputs with fewer states than Spot.
For GFM automata we see that computing G GFM A directly, rather than first computing a GBA, yields much better results (good-for-MDP vs. good-for-MDP via GBA). However, the GFM automata suffer from significantly more time-and memouts than the other approaches. The automata sizes are comparable with Spot's determinization (see Fig. 6). Given their similarity to the pure limit-determinization constructions, and the fact that their acceptance condition is much simpler than for the deterministic automata, we believe that future work on optimizing this construction could make it a competitive alternative for probabilistic model checking using TELA.
We compare the two best performing determinization approaches, Spot and product, in more detail. Figure 6 shows that the results are widely spread, i.e. both approaches produce smaller results than the other one for a significant number of inputs. Figure 2 partitions the set of all input automata according to acceptance complexity (measured in the size of their DNF) and amount of nondeterminism. Each subset of input automata is of roughly the same size (159-180). The number of timeouts and memouts increases with the amount of nondeterminism and the size of the input acceptance condition and reaches up to 42%. The values "states", "time" and "acceptance" are the median value of the ratio of these metrics. If only one of the approaches was able to construct a result within the given time and memory bounds we define the ratio as 0 (Spot did not construct a result) or infinity (product did not construct a result). If none of the approaches was able to construct a result, we do not consider this input automaton for the calculation. Values below 1 indicate that product produces smaller results and values above 1 indicate that Spot produces smaller results.  The approach product produces for all subsets of input automata outputs with fewer states than Spot and the ratio of the computation time decreases the larger the amount of nondeterminism and the longer the acceptance condition is. The second benchmark set (called DNF) consists of 500 TELA constructed randomly as above, apart from the acceptance conditions. They are in DNF with 2-3 disjuncts, with 2-3 Inf-atoms and 0-1 Fin-atoms each (all different). Such formulas tend to lead to larger CNF conditions, which benefits the new approaches. Table 1 shows that product produces way smaller results than Spot. Again, Table 2 partitions the set of input automata but we do not consider different lengths of acceptance conditions here because the subsets of input automata are already relatively small . Again, product performs better for automata with more nondeterminism.
The third benchmark set consists of the sequence of automata described in Fig. 4. Figure 7 shows the results for such input automata with 1-25 states. For these automata, Fig. 7 Comparing the approaches for input automata of Fig. 4. The copy-based GBA approaches produce the same results and are collapsed here.
Spot first computes GBA with an exponential number of acceptance sets. As a consequence most input automata lead to a time-or memout and, if the computation finishes, to large output automata. Therefore, our proposed alternative constructions can compute results for far larger input Table 2 Comparison of Spot and product, with input automata grouped by the size of the DNF of their acceptance condition and the amount of nondeterminism. "States", "Time" and "Acceptance" refer to the median of the ratio product / Spot. The number of automata that is denoted in brackets is the number of input automata for which both approaches were able to construct a result within the given time and memory bounds. Benchmark Amount of nondet. automata. The example also highlights the effect of the langcover heuristic: it benefits from the fact that the language of the input automaton under any individual disjunct of the DNF is the same. This is used to prune large parts of the state-space.

Conclusion
In this article, new approaches for determinization and limitdeterminization of transition-based Emerson-Lei automata (TELA) have been suggested. One of these constructions produces limit-deterministic good-for-MDP automata, which can be used for quantitative probabilistic verification. The constructions have all been implemented and evaluated experimentally. The evaluation shows promising results in particular when applying the new product construction for determinization of TELA. Furthermore, we show that the complexity of limit-determinization of TELA is singleexponential rather than double-exponential (as compared to full determinization). The presented work opens the door to numerous research questions and directions. At first, a general study on what properties can be naturally encoded directly into nondeterministic TELA would be of interest. This could be combined with a general evaluation of the developed approaches against real-world examples. It would also be interesting to see, whether and how much the new constructions could be further improved by relying on determinization procedures for GBA that use a general acceptance condition (rather than Rabin or parity) to reduce the number of states. Such an analysis could pave the way to develop a heuristic that selects for every GBA the determinization procedure that leads to the best overall result. Another important direction would be to consider translations from LTL to compact, nondeterministic TELA, which could then be used within (probabilistic) model-checking tools for LTL. A first step in this direction has already been made in [32]. Furthermore, the evaluation of good-for-MDP automata in the context of probabilistic model checking is another future research direction.
Funding Open Access funding enabled and organized by Projekt DEAL.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.