Reactive Synthesis from Extended Bounded Response LTL Specifications
Alessandro Cimatti, Luca Geatti, Nicola Gigante, Angelo Montanari, Stefano Tonetta
* Fondazione Bruno Kessler, Trento, Italy. Email: [cimatti,lgeatti,tonettas]@fbk.eu (Cimatti, Geatti, Tonetta)
† University of Udine, Udine, Italy. Email: [name.surname]@uniud.it (Geatti, Gigante, Montanari)
Abstract. Reactive synthesis is a key technique for the design of correct-by-construction systems and has been thoroughly investigated in the last decades. It consists in synthesizing a controller that reacts to the environment's inputs while satisfying a given temporal logic specification. Common approaches are based on the explicit construction of automata and on their determinization, which limit their scalability. In this paper, we introduce a new fragment of Linear Temporal Logic, called Extended Bounded Response LTL (LTL_EBR), that allows one to combine bounded and universal unbounded temporal operators (thus covering a large set of practical cases), and we show that reactive synthesis from LTL_EBR specifications can be reduced to solving a safety game over a deterministic symbolic automaton built directly from the specification. We prove the correctness of the proposed approach and we successfully evaluate it on various benchmarks.
I. INTRODUCTION
Since the dawn of computer science, synthesizing correct-by-construction systems starting from a specification has been an important and difficult task. A practical algorithm for this task would be a big improvement for declarative programming, since it would allow the programmer to write only the specification of the program, freeing her from possible design or implementation errors that, in many cases, are due to an imperative style of programming. In the context of formal verification and model-based design, the possibility of synthesizing a controller able to comply with the specification for all possible behaviors of the environment would be of great importance as well: all the effort could be directed to improving the quality of the specification of the controller.

Reactive synthesis was first proposed by Church [7] and solved by Büchi and Landweber [5] for S1S specifications with an algorithm of nonelementary complexity. For Linear Temporal Logic (LTL) specifications, the problem has been shown to be 2EXPTIME-complete [20], [21]. In the attempt of making reactive synthesis a practical task, in spite of its very high complexity, research mainly focused on two lines: (i) finding good algorithms for the average case; (ii) restricting the expressiveness of the specification language. Important examples of the first line of research are the contribution by Kupferman and Vardi [14], where the authors devise a procedure to avoid Safra's determinization of Büchi automata (a known bottleneck in all the problems requiring the determinization of a Büchi automaton), and the work by Finkbeiner and Schewe [10], where the problem is reduced to a sequence of smaller problems on safety automata, obtained by bounding the number of visits to a rejecting state of a co-Büchi automaton. A meaningful example of restrictions to the specification language is the definition of the Generalized Reactivity(1) logic [19], whose synthesis problem can be solved in a number of symbolic steps polynomial in the size $N$ of the arena. Finally, in [24] Zhu et al. consider reactive synthesis from Safety LTL specifications. Although the complexity remains doubly exponential, the proposed restriction allows one to reason on finite words and thus to exploit efficient tools for finite-state automata, like, for instance, MONA [11].

In this paper, we propose a new fragment of LTL, called Extended Bounded Response LTL (LTL_EBR for short), which supports bounded operators [17], such as $G_{[a,b]}$ and $F_{[a,b]}$, along with universal unbounded temporal operators like $G$ and $R$. We show that formulas of LTL_EBR can be turned into deterministic symbolic automata over infinite words, with a translation carried out in a completely symbolic way. Such a result is achieved in two steps: (i) a pastification of the subformulas containing only bounded operators, by making use of techniques similar to those exploited for MTL [16], [17], and (ii) the construction of deterministic monitors for the unbounded temporal operators. These two steps allow the entire procedure to be carried out without ever producing any explicit automaton. Then, we use existing algorithms for safety synthesis to solve the game on the deterministic symbolic automaton. We implemented the proposed solution in a tool, called ebr-ltl-synth, and compared its performance against state-of-the-art synthesizers for full LTL over a set of LTL_EBR formulas. The outcomes of the experimental evaluation are encouraging. For lack of space, some of the proofs are reported in the appendix.

This paper has been accepted for publication in the Proceedings of the 2020 Formal Methods in Computer Aided Design conference, FMCAD 2020, https://fmcad.forsyte.at/

II. PRELIMINARIES
Linear Temporal Logic with Past (LTL+P) is a modal logic interpreted over infinite state sequences. Let $\Sigma$ be a set of propositions. LTL+P formulas are inductively defined as follows:

$$\phi := p \mid \neg\phi \mid \phi \vee \phi \mid X\phi \mid \phi\, U\, \phi \mid Y\phi \mid \phi\, S\, \phi$$

where $p \in \Sigma$. Temporal operators can be subdivided into the future operators, next ($X$) and until ($U$), and the past operators, yesterday ($Y$) and since ($S$). We define the following common abbreviations (where $\top$ stands for true): (i) $X^i\phi$ is $X(X^{i-1}\phi)$ if $i > 0$, and $X^0\phi$ is $\phi$; (ii) release: $\phi_1\, R\, \phi_2 \equiv \neg(\neg\phi_1\, U\, \neg\phi_2)$; (iii) eventually: $F\phi \equiv \top\, U\, \phi$; (iv) globally: $G\phi \equiv \neg F \neg\phi$; (v) trigger: $\phi_1\, T\, \phi_2 \equiv \neg(\neg\phi_1\, S\, \neg\phi_2)$; (vi) once: $O\phi \equiv \top\, S\, \phi$; (vii) historically: $H\phi \equiv \neg O \neg\phi$. LTL is obtained from LTL+P by allowing only the next and the until operators. Conversely, Full Past LTL (LTL_FP) is the fragment of LTL+P that only admits past operators. LTL can also be enriched with bounded temporal operators, such as the bounded until ($\phi_1\, U_{[a,b]}\, \phi_2$) and the bounded eventually ($F_{[a,b]}\phi \equiv \top\, U_{[a,b]}\, \phi$). Full Bounded LTL (LTL_FB) is the fragment of LTL that includes only the next, bounded until, and bounded eventually operators.

Let us now give the semantics of the above logics. A state sequence is an infinite sequence $\sigma = \langle\sigma_0, \sigma_1, \ldots\rangle \in (2^\Sigma)^\omega$ of sets of propositions $\sigma_i \subseteq \Sigma$, called states. Given a sequence $\sigma$, a position $i \ge 0$, and a formula $\phi$, the satisfaction of $\phi$ by $\sigma$ at $i$, written $\sigma, i \models \phi$, is inductively defined as follows:
• $\sigma, i \models p$ iff $p \in \sigma_i$
• $\sigma, i \models \neg\phi$ iff $\sigma, i \not\models \phi$
• $\sigma, i \models \phi_1 \vee \phi_2$ iff either $\sigma, i \models \phi_1$ or $\sigma, i \models \phi_2$
• $\sigma, i \models \phi_1 \wedge \phi_2$ iff $\sigma, i \models \phi_1$ and $\sigma, i \models \phi_2$
• $\sigma, i \models X\phi$ iff $\sigma, i+1 \models \phi$
• $\sigma, i \models Y\phi$ iff $i > 0$ and $\sigma, i-1 \models \phi$
• $\sigma, i \models \phi_1\, U\, \phi_2$ iff there exists $j \ge i$ such that $\sigma, j \models \phi_2$ and $\sigma, k \models \phi_1$ for all $i \le k < j$
• $\sigma, i \models \phi_1\, S\, \phi_2$ iff there exists $j \le i$ such that $\sigma, j \models \phi_2$ and $\sigma, k \models \phi_1$ for all $j < k \le i$
• $\sigma, i \models \phi_1\, U_{[a,b]}\, \phi_2$ iff there exists $j \in [i+a, i+b]$ such that $\sigma, j \models \phi_2$ and $\sigma, k \models \phi_1$ for all $i \le k < j$

We say that $\sigma$ satisfies $\phi$, written $\sigma \models \phi$, if and only if $\sigma, 0 \models \phi$. We define the language $\mathcal{L}(\phi)$ of a temporal formula $\phi$ as $\mathcal{L}(\phi) = \{\sigma \in (2^\Sigma)^\omega \mid \sigma \models \phi\}$.

Symbolic safety automata and safety games
To begin with, we formally define the problems of realizability and reactive synthesis for temporal formulas. As for realizability, it is convenient to view it as a two-player game between Controller, whose aim is to satisfy the specification, and Environment, who tries to violate it.

Definition 1 (Strategy): Let $\Sigma = \mathcal{C} \cup \mathcal{U}$ be an alphabet partitioned into the set of controllable variables $\mathcal{C}$ and the set of uncontrollable ones $\mathcal{U}$, such that $\mathcal{C} \cap \mathcal{U} = \emptyset$. A strategy for Controller is a function $g : (2^{\mathcal{U}})^+ \to 2^{\mathcal{C}}$ that, given the sequence $\overline{U} = \langle U_0, \ldots, U_n\rangle$ of choices made by Environment so far, determines the current choices $C_n = g(\overline{U})$ of Controller. Given a strategy $g : (2^{\mathcal{U}})^+ \to 2^{\mathcal{C}}$ and an infinite sequence of uncontrollable choices $\overline{U} = \langle U_0, U_1, \ldots\rangle \in (2^{\mathcal{U}})^\omega$, let $g(\overline{U}) = \langle U_0 \cup g(\langle U_0\rangle),\ U_1 \cup g(\langle U_0, U_1\rangle),\ \ldots\rangle$ be the state sequence resulting from reacting to $\overline{U}$ according to $g$.

Definition 2 (Realizability and Synthesis): Let $\phi$ be a temporal formula over the alphabet $\Sigma = \mathcal{C} \cup \mathcal{U}$. We say that $\phi$ is realizable if and only if there exists a strategy $g : (2^{\mathcal{U}})^+ \to 2^{\mathcal{C}}$ such that, for any infinite sequence $\overline{U} = \langle U_0, U_1, \ldots\rangle \in (2^{\mathcal{U}})^\omega$, it holds that $g(\overline{U}) \models \phi$. If $\phi$ is realizable, the synthesis problem is the problem of computing such a strategy $g$.

Temporal logic has an intimate relationship with automata on infinite words [23], where different acceptance conditions give rise to different classes of automata. For instance, the acceptance condition of (non-deterministic) Büchi automata allows them to recognize the class of $\omega$-regular languages [4], including all languages definable by LTL+P formulas. Here, we focus on a restricted type of acceptance condition, called safety condition, and we represent automata in a symbolic way, as opposed to their common explicit representation.

Definition 3 (Symbolic Safety Automata): A symbolic safety automaton (SSA) is a tuple $\mathcal{A} = (V, I, T, S)$, where (i) $V = X \cup \Sigma$, where $X$ is a set of state variables and $\Sigma$ is a set of input variables, and (ii) $I(X)$, $T(X, \Sigma, X')$, and $S(X)$, with $X' = \{x' \mid x \in X\}$, are Boolean formulae which define the set of initial states, the transition relation, and the set of safe states, respectively.

In symbolic automata, states are identified by the values of the state variables, and both initial/final states and the transition relation are represented as Boolean formulas. This allows them to be, in many cases, exponentially more succinct than equivalent explicitly represented automata. In particular, the transition relation $T(X, \Sigma, X')$ is built over state variables, input variables, and a primed version of the state variables that represents their values at the next state. As an example, if a variable $x$ has to flip at every transition, the transition relation would contain a clause of the form $x \Leftrightarrow \neg x'$.

Definition 4 (Acceptance of SSA): Let $\mathcal{A}$ be an SSA. A trace is a sequence $\tau = \langle\tau_0, \tau_1, \ldots\rangle \in (2^V)^\omega$ of subsets $\tau_i$ of $V$ that satisfies the transition relation of $\mathcal{A}$, that is, such that for all $i \ge 0$, $T(X, \Sigma, X')$ is satisfied when $\tau_i$ is used to interpret the variables from $X$ and $\Sigma$, and $\tau_{i+1}$ is used to interpret the variables from $X'$. We say that a trace $\tau$ is induced by a word $\sigma = \langle\sigma_0, \sigma_1, \ldots\rangle \in (2^\Sigma)^\omega$ iff $\sigma_i = \tau_i \cap \Sigma$ for all $i \ge 0$. A trace $\tau$ is accepting (or safe) iff $\tau_i$ satisfies $S(X)$ for all $i \ge 0$. The language of $\mathcal{A}$, denoted as $\mathcal{L}(\mathcal{A})$, is the set of all $\sigma \in (2^\Sigma)^\omega$ such that there exists an accepting trace induced by $\sigma$ in $\mathcal{A}$.

For reactive synthesis, a crucial property of an automaton $\mathcal{A}$ is determinism, since then, in order to check whether $\sigma \in \mathcal{L}(\mathcal{A})$, it suffices to check whether the (unique) trace induced by $\sigma$ in $\mathcal{A}$ is accepting.

Definition 5 (Deterministic SSA): An SSA $\mathcal{A} = (V, I, T, S)$ is deterministic if: 1) the formula $I$ has exactly one satisfying assignment; 2) the transition relation is of the form
$$T(X, \Sigma, X') := \bigwedge_{x \in X} \big(x' \Leftrightarrow \beta_x(X \cup \Sigma)\big)$$
where each $\beta_x(X \cup \Sigma)$ is a Boolean formula over $X$ and $\Sigma$.

Note that Def. 5 implies that, for each $\sigma \in (2^\Sigma)^\omega$, there exists exactly one trace induced by $\sigma$ in any given deterministic SSA. The realizability and the synthesis problems can be defined over a deterministic automaton as well; this gives rise to a safety game, which is defined as follows.

Definition 6 (Safety Game): Let $\mathcal{A}$ be a deterministic SSA over the alphabet $\Sigma = \mathcal{C} \cup \mathcal{U}$. A safety game is a tuple $\mathcal{G} = \langle\mathcal{A}, \mathcal{C}, \mathcal{U}\rangle$, where $\mathcal{C}$ and $\mathcal{U}$ are the sets of controllable and uncontrollable variables, respectively. We say that Controller wins the game if and only if there is a strategy $g : (2^{\mathcal{U}})^+ \to 2^{\mathcal{C}}$ such that, for all sequences $\overline{U} = \langle U_0, U_1, \ldots\rangle \in (2^{\mathcal{U}})^\omega$, the trace $\tau$ induced by $g(\overline{U})$ in $\mathcal{A}$ is accepting.

III. EXTENDED BOUNDED RESPONSE LTL
In this section, we define Extended Bounded Response LTL, abbreviated LTL_EBR. LTL_EBR extends LTL_FB (which only features bounded operators) by admitting Boolean combinations of the universal unbounded temporal operators release ($R$) and globally ($G$).

Definition 7 (The logic LTL_EBR): Let $a, b \in \mathbb{N}$. An LTL_EBR formula $\chi$ is inductively defined as follows:
$\psi := p \mid \neg\psi \mid \psi \vee \psi \mid X\psi \mid \psi\, U_{[a,b]}\, \psi$ (Full Bounded Layer)
$\phi := \psi \mid \phi \wedge \phi \mid X\phi \mid G\phi \mid \psi\, R\, \phi$ (Future Layer)
$\chi := \phi \mid \chi \vee \chi \mid \chi \wedge \chi$ (Boolean Layer)

We refer to Sec. II for the semantics of the LTL_EBR operators. In the next sections, we will show how to build, given an LTL_EBR formula $\phi$, a deterministic symbolic safety automaton $\mathcal{A}(\phi)$ such that $\mathcal{L}(\mathcal{A}(\phi)) = \mathcal{L}(\phi)$.

A. Examples

We now give some simple examples of requirements that can be expressed in the LTL_EBR logic. The first one is a typical bounded response requirement: Controller has to answer with a grant $g$ at most $k$ time units after the request $r$ of Environment is issued. It can be expressed by the following LTL_EBR formula: $G(r \to F_{[0,k]}\, g)$. Another quite common requirement is mutual exclusion. As an example, the case of an arbiter that has to grant a resource to at most one client at once can be captured as follows (for each $i$, $g_i$ means that the resource has been granted to client $i$): $G\big(\bigwedge_{\le i}$ … LTL_EBR by the following formula: $(\neg prog \wedge G(on)) \vee (prog \wedge G_{[h,h]}(on) \wedge X^{h} G(off))$.

B. Comparison with other temporal logics

Zhu et al. [24] studied the synthesis problem for Safety LTL, which can be viewed as the until-free fragment of LTL in negation normal form (NNF). Every formula $\phi$ of LTL_EBR can be turned into a Safety LTL one by (i) transforming $\phi$ into NNF and (ii) expanding each bounded operator in terms of conjunctions or disjunctions. As an example, the LTL_EBR formula $\phi := G(p \to F_{[0,k]}\, q)$ is equivalent to the Safety LTL formula $\phi' := G(p \to \bigvee_{i=0}^{k} X^i q)$. However, since constants in LTL_EBR are represented using a logarithmic (binary) encoding, LTL_EBR formulas can be exponentially more succinct than Safety LTL ones. Whether the converse holds as well, i.e., whether any formula of Safety LTL can be translated into an equivalent LTL_EBR one, is still an open question. As an example, $G(p \vee Gq)$ is a Safety LTL formula but, syntactically, is not an LTL_EBR one.

Maler et al. [17] introduced Metric Temporal Logic with a Bounded Horizon (MTL-B for short) as the metric temporal logic with only bounded operators, interpreted over dense time. They addressed the problem of reactive synthesis from MTL-B specifications by showing that each MTL-B formula can be transformed into a deterministic timed automaton. With respect to this fragment, and ignoring the differences in the underlying temporal structures (in our setting, time is discrete), LTL_EBR extends MTL-B with Boolean combinations of unbounded universal temporal operators.
IV. FROM LTL_EBR TO DETERMINISTIC SYMBOLIC SAFETY AUTOMATA

This section focuses on the procedure to turn every LTL_EBR formula into a deterministic symbolic safety automaton on infinite words (see Def. 5) that recognizes the same language. In doing that, we apply a few transformation steps to the formula, summarized in Fig. 1, to simplify its syntactic structure and turn it into a form amenable to direct transformation into a deterministic SSA. We define two syntactic restrictions of LTL_EBR that are the targets of the transformation steps.

Definition 8 (PastLTL_EBR): A PastLTL_EBR formula $\chi$ is inductively defined as follows:
$\psi := p \mid \neg\psi \mid \psi \vee \psi \mid Y\psi \mid \psi\, S\, \psi$
$\phi := \psi \mid \phi \wedge \phi \mid X\phi \mid G\phi \mid (X^i\psi)\, R\, \phi$
$\chi := \phi \mid \chi \vee \chi \mid \chi \wedge \chi$

Definition 9 (Canonical PastLTL_EBR): The canonical form of PastLTL_EBR formulas is inductively defined as follows:
$\psi := p \mid \neg\psi \mid \psi \vee \psi \mid Y\psi \mid \psi\, S\, \psi$
$\phi := \psi \mid G\psi \mid \psi\, R\, \psi$
$\lambda := \phi \mid X\lambda$
$\chi := \lambda \mid \chi \vee \chi \mid \chi \wedge \chi$

Canonical PastLTL_EBR formulas do not contain nested occurrences of unbounded temporal operators, whose operands can only be full-past formulas, and each of these is prefixed by an arbitrary number of next operators.

The transformation of LTL_EBR formulas into deterministic SSAs consists of three steps: (i) a translation from LTL_EBR to PastLTL_EBR; (ii) a translation from PastLTL_EBR to its canonical form; (iii) a transformation of canonical PastLTL_EBR formulas into deterministic SSAs. Once a deterministic SSA $\mathcal{A}(\phi)$ for the original LTL_EBR formula $\phi$ over $\mathcal{C} \cup \mathcal{U}$ has been obtained, to solve the safety game $\langle\mathcal{A}(\phi), \mathcal{C}, \mathcal{U}\rangle$, i.e., to decide the existence of a strategy for Controller in the automaton, we apply an existing safety synthesis algorithm (see Def. 6).

Figure 1. The overall procedure: LTL_EBR formula $\phi$ → (toPastLtlEbr) → PastLTL_EBR → (canonize) → Canonical PastLTL_EBR → (ltl2smv) → deterministic SSA $\mathcal{A}(\phi)$ → (fsmv2aig) → AIGER → (call to a safety synthesizer) → result (realizable/unrealizable).

A. From LTL_EBR to PastLTL_EBR

Let $\phi$ be an LTL_EBR formula.
The first step consists in translating each LTL_FB subformula of $\phi$ into an equivalent one of the form $X^d\psi$, with $\psi \in$ LTL_FP and $d \in \mathbb{N}$. We refer to this process as pastification [16], [17]. As we will see, since "the past has already happened", full-past formulas can be represented by deterministic monitors.

In order to pastify each LTL_FB subformula of $\phi$, we adapt to LTL_EBR a technique developed by Maler et al. for MTL-B [16], [17]. Intuitively, for each model of a full-bounded formula $\phi$, there exists a furthermost time point $d$ (the temporal depth of $\phi$) such that the subsequent states cannot be constrained by $\phi$ in any way. The pastification of $\phi$ is a formula that uses only past operators and that is equivalent to $\phi$ when interpreted at time point $d$ instead of at the origin.

Definition 10 (Temporal Depth [17]): Let $\phi$ be an LTL_FB formula. The temporal depth of $\phi$, denoted as $D(\phi)$, is inductively defined as follows:
• $D(p) = 0$, for all $p \in \Sigma$
• $D(\neg\phi) = D(\phi)$
• $D(\phi_1 \wedge \phi_2) = \max\{D(\phi_1), D(\phi_2)\}$
• $D(X\phi) = 1 + D(\phi)$
• $D(\phi_1\, U_{[a,b]}\, \phi_2) = b + \max\{D(\phi_1), D(\phi_2)\}$

Let $M_\phi$ (only $M$ if unambiguous) be the greatest constant in $\phi$, with $M_\phi = 1$ if $\phi$ has no constants. It can be observed that $D(\phi) \le M \cdot n$, where $n = |\phi|$.

Definition 11 (Pastification [17]): Let $\phi$ be an LTL_FB formula and $d \ge D(\phi)$. The pastification of $\phi$ is the formula $\Pi(\phi, d)$ inductively defined as follows:
• $\Pi(p, d) = Y^d p$
• $\Pi(\neg\phi, d) = \neg\Pi(\phi, d)$
• $\Pi(\phi_1 \wedge \phi_2, d) = \Pi(\phi_1, d) \wedge \Pi(\phi_2, d)$
• $\Pi(X\phi, d) = \Pi(\phi, d-1)$
• $\Pi(\phi_1\, U_{[a,b]}\, \phi_2, d) = \bigvee_{t=0}^{b-a} Y^t\big(\Pi(\phi_2, d-b) \wedge H_{[0,\,b-t-1]}\, Y\, \Pi(\phi_1, d-b)\big)$

Note that from Def. 11 we can derive that $\Pi(F_{[a,b]}\phi, d) \equiv \Pi(\top\, U_{[a,b]}\, \phi, d) \equiv \bigvee_{t=0}^{b-a} Y^t\, \Pi(\phi, d-b)$, which can be succinctly written using the (bounded) once operator; hence we can define $\Pi(F_{[a,b]}\phi, d) = O_{[0,\,b-a]}\, \Pi(\phi, d-b)$.

Proposition 1 (Soundness of pastification): Let $\phi$ be an LTL_FB formula. For all state sequences $\sigma \in (2^\Sigma)^\omega$, all $i \in \mathbb{N}$, and all $d \ge D(\phi)$, it holds that:
$$\sigma, i \models \phi \quad\Leftrightarrow\quad \sigma, i \models X^d\, \Pi(\phi, d)$$

From now on, let pastify($\phi$) be the formula $X^{D(\phi)}\, \Pi(\phi, D(\phi))$. As an example, if $\phi := F_{[0,k]}(q \wedge F_{[0,k]}\, p)$, then pastify($\phi$) $:= X^{2k}\, O_{[0,k]}(Y^k q \wedge O_{[0,k]}\, p)$. We state the following complexity result about pastification.

Proposition 2: Let $\phi$ be an LTL_FB formula. Then, pastify($\phi$) is a formula of size $O(n \cdot M^{\log n + 1})$, where $n = |\phi|$ and $M$ is the greatest constant in $\phi$. Proof: See the appendix.

Note that if $\phi$ has no constants, that is, $M = 1$, the size of pastify($\phi$) is $O(n)$. Given an LTL_EBR formula $\phi$, we pastify each of its LTL_FB subformulas with the pastify operator: we call this step toPastLtlEbr. Once it has been completed, the resulting formula belongs to PastLTL_EBR.

The toPastLtlEbr algorithm can be improved by observing that there are LTL_FB formulas that already belong to PastLTL_EBR. One example is the formula $p \wedge XXXq$. Obviously, for this kind of formulas there is no need for the algorithm to pastify them. Consider the previous example. Without the proposed trick, the algorithm would have produced the formula $XXX(YYYp \wedge q)$, while, by simply noticing that the formula already belongs to PastLTL_EBR, it does not need to pastify anything, returning $p \wedge XXXq$.

Proposition 3: For each LTL_EBR formula $\phi$, there is an equivalent PastLTL_EBR formula $\phi'$ of size $O(n \cdot M^{\log n + 1})$, where $n = |\phi|$ and $M$ is the greatest constant in $\phi$. Proof: Let $\phi$ be an LTL_EBR formula and let $\phi' :=$ toPastLtlEbr($\phi$). By Prop. 1, the toPastLtlEbr algorithm replaces each LTL_FB subformula of $\phi$ with an equivalent formula, hence $\phi \equiv \phi'$. The maximal LTL_FB subformulas $\phi_1, \ldots, \phi_m$ of $\phi$ are pairwise disjoint, so their sizes $n_j = |\phi_j|$ sum to at most $n$; by Prop. 2, $|\phi'| = \sum_{j} O(n_j \cdot M^{\log n_j + 1}) = O(n \cdot M^{\log n + 1})$. Note that if there are no constants in $\phi$, that is, $M = 1$, then, by Prop. 2, |toPastLtlEbr($\phi$)| $= O(n)$.

B. From PastLTL_EBR to Canonical PastLTL_EBR

The second step is the canonization of the PastLTL_EBR formula obtained from the previous step, in order to obtain an equivalent formula in canonical form (Def. 9). Canonical PastLTL_EBR formulas are Boolean combinations of formulas of the form $X^i\psi$, $X^iG\psi$, and $X^i(\psi_1\, R\, \psi_2)$, where $\psi$, $\psi_1$ and $\psi_2$ are full-past formulas. Compared to general PastLTL_EBR formulas, formulas in canonical form admit neither nested unbounded operators nor next operators in front of the left-hand argument of a release. The canonization of a PastLTL_EBR formula is obtained by applying a set of rewriting rules.

Definition 12 (Canonization): Given a PastLTL_EBR formula $\phi$, canonize($\phi$) is the formula obtained by recursively applying rules R1–R7 to the subformulas of $\phi$ in a bottom-up fashion, followed by the application of rule R_flat:
R1: $X(\psi_1 \wedge \psi_2) \leadsto X\psi_1 \wedge X\psi_2$
R2: $\psi\, R\, (\psi_1 \wedge \psi_2) \leadsto \psi\, R\, \psi_1 \wedge \psi\, R\, \psi_2$
R3: $(X^i\psi_1)\, R\, (X^j\psi_2) \leadsto X^i(\psi_1\, R\, (Y^{i-j}\psi_2))$ if $i > j$, and $X^j((Y^{j-i}\psi_1)\, R\, \psi_2)$ otherwise
R4: $(X^i\psi_1)\, R\, (X^j(\psi_2\, R\, \psi_3)) \leadsto X^i(\psi_1\, R\, ((Y^{i-j}\psi_2)\, R\, (Y^{i-j}\psi_3)))$ if $i > j$, and $X^j((Y^{j-i}\psi_1)\, R\, (\psi_2\, R\, \psi_3))$ otherwise
R5: $G X^i G\psi \leadsto X^i G\psi$
R6: $G X^i(\psi_1\, R\, \psi_2) \leadsto X^i G\psi_2$
R7: $(X^i\psi_1)\, R\, (X^j G\psi_2) \leadsto X^i G Y^{i-j}\psi_2$ if $i > j$, and $X^j G\psi_2$ otherwise
R_flat: $X^i(\psi_1\, R\, (\psi_2\, R\, (\ldots(\psi_{n-1}\, R\, \psi_n)\ldots))) \leadsto X^i\big((\psi_{n-1} \wedge O(\psi_{n-2} \wedge \ldots O(\psi_1 \wedge Y^i\top)\ldots))\, R\, \psi_n\big)$ for any $n \ge 2$
where $\psi$, $\psi_1$, $\psi_2$ and $\psi_3$ are full-past formulae.

It is worth noticing that, as of now, we do not have equivalence-preserving rules to deal with the following cases: (i) $(\phi_1 \wedge \phi_2)\, R\, \phi_3$, (ii) $(G\phi_1)\, R\, \phi_2$, or (iii) $(\phi_1\, R\, \phi_2)\, R\, \phi_3$. This is why in Def. 7 we restricted the left-hand argument of each release operator to be a full-bounded formula.
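As an added example, not part of the paper or of the ebr-ltl-synth tool, the following Python code implements the satisfaction relation of Sec. II on finite prefixes together with the temporal depth of Def. 10 and the pastification of Def. 11, and checks Prop. 1 exhaustively on short constructed prefixes. The tuple encoding of formulas, the functions `depth`, `pastify`, `holds` and `sound_on_all_traces`, and the bounded past operators $O_{[a,b]}$ / $H_{[a,b]}$ (with their window clipped at the origin) are this example's own conventions; the constant $\top$ is pastified to itself, which agrees with the $O$-shortcut for $F_{[a,b]}$ given above.

```python
from itertools import combinations, product

# Formula encoding used by this example (constructed, not the paper's tool):
#   LTL_FB : ('true',) | ('p', name) | ('not', f) | ('and', f, g) | ('or', f, g)
#            | ('X', f) | ('U', a, b, f, g)                 # f U_[a,b] g
#   LTL_FP : ('Y', f) | ('O', a, b, f) | ('H', a, b, f)     # bounded once / historically
TRUE = ('true',)

def F(a, b, f):
    """F_[a,b] f  ==  true U_[a,b] f."""
    return ('U', a, b, TRUE, f)

def Yn(n, f):
    """Y^n f."""
    for _ in range(n):
        f = ('Y', f)
    return f

def depth(f):
    """Temporal depth D(f) of Def. 10 (LTL_FB operators only)."""
    op = f[0]
    if op in ('true', 'p'): return 0
    if op == 'not': return depth(f[1])
    if op in ('and', 'or'): return max(depth(f[1]), depth(f[2]))
    if op == 'X': return 1 + depth(f[1])
    if op == 'U': return f[2] + max(depth(f[3]), depth(f[4]))
    raise ValueError(op)

def pastify(f, d):
    """Pastification Pi(f, d) of Def. 11; requires d >= D(f)."""
    op = f[0]
    if op == 'true': return TRUE            # true is time-independent (our simplification)
    if op == 'p': return Yn(d, f)           # Pi(p, d) = Y^d p
    if op == 'not': return ('not', pastify(f[1], d))
    if op in ('and', 'or'): return (op, pastify(f[1], d), pastify(f[2], d))
    if op == 'X': return pastify(f[1], d - 1)
    if op != 'U': raise ValueError(op)
    a, b, g, h = f[1:]
    if g == TRUE:                           # F_[a,b] h  ->  O_[0,b-a] Pi(h, d-b)
        return ('O', 0, b - a, pastify(h, d - b))
    # g U_[a,b] h  ->  OR_t Y^t ( Pi(h, d-b) and H_[0,b-t-1] Y Pi(g, d-b) )
    out = None
    for t in range(b - a + 1):
        disjunct = Yn(t, ('and', pastify(h, d - b),
                          ('H', 0, b - t - 1, ('Y', pastify(g, d - b)))))
        out = disjunct if out is None else ('or', out, disjunct)
    return out

def holds(f, sigma, i):
    """sigma, i |= f on a finite prefix sigma (list of sets of atoms). Bounded past
    operators clip their window at the origin; the caller keeps sigma long enough
    that no future operator reads past its end."""
    op = f[0]
    if op == 'true': return True
    if op == 'p': return f[1] in sigma[i]
    if op == 'not': return not holds(f[1], sigma, i)
    if op == 'and': return holds(f[1], sigma, i) and holds(f[2], sigma, i)
    if op == 'or': return holds(f[1], sigma, i) or holds(f[2], sigma, i)
    if op == 'X': return holds(f[1], sigma, i + 1)
    if op == 'Y': return i > 0 and holds(f[1], sigma, i - 1)
    a, b, g = f[1], f[2], f[3]
    if op == 'U':
        return any(holds(f[4], sigma, j) and all(holds(g, sigma, k) for k in range(i, j))
                   for j in range(i + a, i + b + 1))
    window = range(max(0, i - b), i - a + 1)   # positions i-b .. i-a, clipped at 0
    if op == 'O': return any(holds(g, sigma, j) for j in window)
    if op == 'H': return all(holds(g, sigma, j) for j in window)
    raise ValueError(op)

def check_soundness(f, sigma):
    """Prop. 1 on one prefix: sigma,i |= f  iff  sigma,i+d |= Pi(f,d) with d = D(f),
    for every i at which the future side of f still fits into the prefix."""
    d = depth(f)
    pi = pastify(f, d)
    return all(holds(f, sigma, i) == holds(pi, sigma, i + d) for i in range(len(sigma) - d))

def sound_on_all_traces(f, atoms, length):
    """Exhaustive check of Prop. 1 over every prefix of the given length (constructed input)."""
    states = [set(s) for r in range(len(atoms) + 1) for s in combinations(atoms, r)]
    return all(check_soundness(f, list(sigma)) for sigma in product(states, repeat=length))

if __name__ == '__main__':
    p, q = ('p', 'p'), ('p', 'q')
    phi = F(0, 2, ('and', q, F(0, 2, p)))         # the paper's example with k = 2
    print(depth(phi), pastify(phi, depth(phi)))   # 4, O_[0,2](YY q and O_[0,2] p)
    print(sound_on_all_traces(phi, ['p', 'q'], 6))
```

Running the exhaustive check over every prefix of length 6 confirms that, with $k = 2$, the paper's example $F_{[0,k]}(q \wedge F_{[0,k]}\,p)$ has depth $2k = 4$ and pastifies to $O_{[0,k]}(Y^k q \wedge O_{[0,k]}\,p)$, and that the general until rule is sound as well, e.g. for $p\,U_{[1,2]}\,q$.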
Lemma 1 (Soundness of canonize($\cdot$)): For any PastLTL_EBR formula $\phi$, it holds that $\phi$ and canonize($\phi$) are equivalent, and canonize($\phi$) is a canonical PastLTL_EBR formula. Proof: See the appendix.

Proposition 4 (Complexity of canonize($\cdot$)): For any PastLTL_EBR formula $\phi$, canonize($\phi$) can be built in $O(n)$ time, and the size of canonize($\phi$) is $O(n)$, where $n = |\phi|$. Proof: See the appendix.

C. From Canonical PastLTL_EBR to deterministic SSA

The particular shape of canonical PastLTL_EBR formulas makes it possible to encode the specification into deterministic SSAs. The key observation is that LTL_FP formulas can be encoded into deterministic automata: since these formulas talk exclusively about the past, their truth can be evaluated at any single step depending only on previous steps, without making any guess about the future ("the past has already happened").

But LTL_FP formulae are not the only ones that can be encoded deterministically. Consider, for instance, the formula $\phi \equiv Xp \vee Xq$. At first glance, it may seem that $\phi$ needs a non-deterministic automaton to be encoded, one that at the first state makes a choice about whether $p$ or $q$ will hold in the next state. Nevertheless, this formula is equivalent to $X(p \vee q)$, and it corresponds to the deterministic automaton that, once arrived in its second state by reading any proposition symbol, proceeds to an accepting state by reading either $p$ or $q$, or goes to a sink (error) state otherwise. PastLTL_EBR in its canonical form combines full-past formulas into a broader language that can still be turned into symbolic deterministic automata, extending the above intuition and exploiting the monitorability of universal temporal operators.

Monitoring is a technique coming from runtime verification [15]. Consider the formula $G\alpha$.
By observing a state sequence, at each step we can decide whether a violation has occurred; indeed, if $\alpha$ is false at the current step, then the value of $G\alpha$ is certainly false at each of the previous steps. More generally, universal temporal formulas, such as $G\phi$ and $\phi_1\, R\, \phi_2$, are monitorable, meaning that a violation of them can be decided on the basis of the observation of a finite number of steps. In particular, reporting an error in the next state can be done by considering only the current values. This means that any universal temporal operator can be monitored by adding a Boolean error variable with a deterministic transition relation. Therefore, despite not being able to evaluate the truth of a formula such as $G\alpha$, as can be done in the case of past operators, we can nevertheless state in the acceptance condition that an error state can never be reached. In this way, if the trace is accepting, that is, an error state is never reached, then we know that there are no violations, e.g., for $G\alpha$, we have forced $\alpha$ to be true in every state. Otherwise, if the trace is not accepting, that is, an error state is reached, we know that there is a (finite) violation and that the temporal formula was falsified at some step. We therefore introduce an error bit for each $X^i\psi$, $X^iG\psi$, and $X^i(\psi_1\, R\, \psi_2)$ of a canonical PastLTL_EBR formula.

Let $\phi$ be a canonical PastLTL_EBR formula over the alphabet $\Sigma = \mathcal{C} \cup \mathcal{U}$. We define the deterministic SSA $\mathcal{A}(\phi) = (V, I, T, S)$ as follows:
• Variables. The set of state variables of the automaton is defined as $X = X_P \cup X_F \cup X_C$, where:
  $X_P = \{ v_\alpha \mid \alpha \text{ is an LTL\_FP subformula of } \phi \}$
  $X_F = \{ error_\varphi \mid \varphi \text{ is a subformula of } \phi \text{ of the form } X^i\psi,\ X^iG\psi,\ \text{or } X^i(\psi_1\, R\, \psi_2) \}$
  $X_C = \{ counter_i \mid i \in \{0, \ldots, \log d\} \}$, where $d$ is the maximum among all $X^d\psi$ in $\phi$.
  Intuitively, variables in $X_P$ track the truth value of all the full-past subformulas, variables in $X_F$ implement the above-described monitoring mechanism, and variables in $X_C$ encode a binary counter used to monitor nested tomorrow operators. In particular, for $n$ nested tomorrow operators, a counter with $\log(n)$ bits is needed.
• Initial state. All the state variables, including the counter bits, are initially false, that is, $I(X) = \bigwedge_{x \in X} \neg x$.
• Transition relation. $T(X, \Sigma, X')$ is the conjunction of the transition functions of the binary counter and of the monitors of each subformula of $\phi$, defined below. Notice that each conjunct is of the form $x' \Leftrightarrow \beta(X \cup \Sigma)$, and thus the transition relation is deterministic.
• Safety condition. $S(X)$ is the Boolean formula obtained from $\phi$ by replacing each subformula $\varphi$ with an error bit in $X_F$ by $\neg error_\varphi$, i.e., $S(X) = \phi[\varphi / \neg error_\varphi]$.

We now define the monitors for the binary counter, used to handle nested tomorrow operators, for any formula $\psi \in$ LTL_FP, and for any canonical PastLTL_EBR formula of one of the forms $X^i\psi$, $X^iG\psi$, and $X^i(\psi_1\, R\, \psi_2)$. We give the definition of the monitors using the SMV language [6], as it provides useful shorthands (like the switch-case primitive). Each of the following SMV statements corresponds to the Boolean formula that defines the transition function of the corresponding monitor.

The monitor for the counter is defined as follows (the lowest bit flips at every step, and each higher bit $counter_i$ is toggled by the carry coming from the lower bits, so that the bits hold the number of elapsed steps in binary):

  next(counter_0) := ¬counter_0

If $\psi := \alpha\, S\, \beta$ or $\psi := Y\alpha$, its monitor is defined as follows:

  next(v_{Yα}) := v_α
  DEFINE v_{αSβ} := v_β ∨ (v_α ∧ v_{Y(αSβ)})

If $\psi$ is a propositional atom, a negation, or a disjunction of full-past formulas, we define its monitor as follows:

  DEFINE v_p := p
  DEFINE v_{¬α} := ¬v_α
  DEFINE v_{α∨β} := v_α ∨ v_β

For each formula $\varphi$ of type $X^i\psi$, where $\psi$ is a full-past formula, we introduce a new error bit $error_\varphi$. Its monitor is defined as follows (the check is performed exactly once, at the step in which the counter equals $i$, and the error is sticky):

  next(error_{X^iψ}) := case
      error_{X^iψ} : TRUE;
      counter = i ∧ ¬v_ψ : TRUE;
      TRUE : FALSE;
    esac

If $\varphi := X^iG\psi$, where $\psi$ is a full-past formula, we introduce a new error bit $error_\varphi$, and we define its monitor as follows:

  next(error_{X^iGψ}) := case
      counter < i : FALSE;
      ¬error_{X^iGψ} ∧ v_ψ : FALSE;
      TRUE : TRUE;
    esac

The same for $\varphi := X^i(\psi_1\, R\, \psi_2)$, with an auxiliary bit $v^{i}_{\psi_1}$ that records that $\psi_1$ has already held at some step after the counter reached $i$ (i.e., that the release has taken place):

  next(error_{X^i(ψ_1 R ψ_2)}) := case
      counter < i : FALSE;
      ¬error_{X^i(ψ_1 R ψ_2)} ∧ v^i_{ψ_1} : FALSE;
      ¬error_{X^i(ψ_1 R ψ_2)} ∧ v_{ψ_2} ∧ v_{ψ_1} : FALSE;
      ¬error_{X^i(ψ_1 R ψ_2)} ∧ v_{ψ_2} : FALSE;
      TRUE : TRUE;
    esac
  next(v^i_{ψ_1}) := case
      counter < i : FALSE;
      v_{ψ_1} : TRUE;
      v^i_{ψ_1} : TRUE;
      TRUE : FALSE;
    esac

In Fig. 2, we describe the execution of all the steps described so far on a simple formula.

Figure 2. The execution of the sequence of steps on a simple example: $G(u \to XXc) \wedge G(u \to Xc)$ → (pastify) → $GXX(YYu \to c) \wedge GX(Yu \to c)$ → (canonize) → $XXG(YYu \to c) \wedge XG(Yu \to c)$ → (to SSA) → SMV module with ASSIGN init(error_1) := ⊥; next(error_1) := …; ASSIGN init(error_2) := ⊥; next(error_2) := …; INVARSPEC ¬error_1 ∧ ¬error_2.

Proposition 5: Let $\phi$ be a canonical PastLTL_EBR formula, with $|\phi| = n$. Then, there exists a deterministic SSA of size $O(n)$ that accepts the same language.

Theorem 1: Let $\phi$ be an LTL_EBR formula, with $|\phi| = n$, and let $M$ be the greatest constant in $\phi$. Then, there exists a deterministic SSA of size $O(n \cdot M^{\log n + 1})$ that accepts the same language.

Corollary 1: Let $\phi$ be an LTL_EBR formula with no constants, with $|\phi| = n$. Then, there exists a deterministic SSA of size $O(n)$ that accepts the same language.

Proofs of the above statements can be found in the appendix.
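As an added example, not the paper's nuXmv/SMV encoding, the following Python code simulates the deterministic SSA $\mathcal{A}(\phi)$ defined above for a canonical PastLTL_EBR formula, runs its monitors over a constructed prefix, and then solves the safety game of Def. 6 by the standard backward fixpoint over the explicit reachable state space (the paper instead hands an AIGER model to an off-the-shelf safety synthesizer). Assumptions specific to this example: formulas are tuples with every item of the Boolean layer written as `('X', i, body)` (with `i = 0` when there is no next operator), the counter is an integer that saturates at $d+1$ rather than the $\log d$ bits of the paper (so that "counter = i" fires exactly once), and Controller sees Environment's choice before answering, as in Def. 1.

```python
from itertools import combinations

# Constructed encoding of canonical PastLTL_EBR (not the paper's tool):
#   full-past operands : ('p', name) | ('not', f) | ('or', f, g) | ('and', f, g)
#                        | ('Y', f) | ('S', f, g)
#   items              : ('X', i, body), body a full-past formula, ('G', psi)
#                        or ('R', psi1, psi2)
#   Boolean layer      : items combined with ('or', chi1, chi2) / ('and', chi1, chi2)

def y_vars(f, acc):
    """State variables of the past monitors: v_{Y alpha} for every Y-subformula,
    plus v_{Y(alpha S beta)} for every since-subformula."""
    if f[0] == 'Y': acc.add(f)
    elif f[0] == 'S': acc.add(('Y', f))
    if f[0] != 'p':
        for sub in f[1:]: y_vars(sub, acc)
    return acc

def past_value(f, inp, yv):
    """DEFINE-style value of a full-past formula at the current step, computed from
    the current input and the stored Y-values only (no look-ahead)."""
    op = f[0]
    if op == 'p': return f[1] in inp
    if op == 'not': return not past_value(f[1], inp, yv)
    if op == 'or': return past_value(f[1], inp, yv) or past_value(f[2], inp, yv)
    if op == 'and': return past_value(f[1], inp, yv) and past_value(f[2], inp, yv)
    if op == 'Y': return yv[f]
    if op == 'S':   # alpha S beta  ==  beta or (alpha and Y(alpha S beta))
        return past_value(f[2], inp, yv) or (past_value(f[1], inp, yv) and yv[('Y', f)])
    raise ValueError(op)

def items(chi, acc):
    """The X^i items of the Boolean layer; each one gets its own error bit."""
    if chi[0] == 'X': acc.append(chi)
    else: items(chi[1], acc); items(chi[2], acc)
    return acc

class MonitorSSA:
    """Explicit-state simulation of the deterministic SSA A(phi) of Sec. IV.C.
    A state is (counter, Y-values, (error, released) per item)."""
    def __init__(self, chi):
        self.chi, self.items = chi, items(chi, [])
        self.dmax = max(i for _, i, _ in self.items)
        operands = []
        for _, _, body in self.items:
            operands += list(body[1:]) if body[0] in ('G', 'R') else [body]
        self.yvars = sorted(set().union(*(y_vars(f, set()) for f in operands)), key=repr)

    def initial(self):          # I(X): every state variable false
        return (0, tuple(False for _ in self.yvars), tuple((False, False) for _ in self.items))

    def step(self, state, inp):
        counter, yvals, flags = state
        yv = dict(zip(self.yvars, yvals))
        val = lambda f: past_value(f, inp, yv)
        new_y = tuple(val(k[1]) for k in self.yvars)          # next(v_{Y a}) := v_a
        new_flags = []
        for (_, i, body), (error, released) in zip(self.items, flags):
            if body[0] == 'G':        # X^i G psi: violated once counter >= i and psi fails
                error = error or (counter >= i and not val(body[1]))
            elif body[0] == 'R':      # X^i (psi1 R psi2): psi2 must hold until released
                error = error or (counter >= i and not released and not val(body[2]))
                released = released or (counter >= i and val(body[1]))
            else:                     # X^i psi: checked exactly once, when counter == i
                error = error or (counter == i and not val(body))
            new_flags.append((error, released))
        # Saturating integer counter (our choice, instead of log d bits): it stops at
        # dmax+1, so "counter == i" fires once and "counter >= i" stays true afterwards.
        return (min(counter + 1, self.dmax + 1), new_y, tuple(new_flags))

    def safe(self, state):
        """S(X): the Boolean layer with each item replaced by (not error_item)."""
        errs = dict(zip(self.items, (fl[0] for fl in state[2])))
        def ev(chi):
            if chi[0] == 'X': return not errs[chi]
            l, r = ev(chi[1]), ev(chi[2])
            return (l or r) if chi[0] == 'or' else (l and r)
        return ev(self.chi)

def run(aut, trace):
    """Feed a constructed finite prefix to the monitors; one verdict per state visited."""
    s, verdicts = aut.initial(), []
    for inp in trace:
        verdicts.append(aut.safe(s))
        s = aut.step(s, frozenset(inp))
    return verdicts + [aut.safe(s)]

def subsets(xs):
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def solve_safety_game(aut, controllable, uncontrollable):
    """Backward fixpoint on the reachable arena (Def. 6): a state is losing if it is
    unsafe or Environment has a move U such that every answer C leads to a losing
    state. Returns (realizable, Mealy strategy {(state, U): C})."""
    env, ctl = subsets(uncontrollable), subsets(controllable)
    init = aut.initial()
    states, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for u in env:
            for c in ctl:
                t = aut.step(s, u | c)
                if t not in states:
                    states.add(t); todo.append(t)
    losing = {s for s in states if not aut.safe(s)}
    while True:
        new = {s for s in states - losing
               if any(all(aut.step(s, u | c) in losing for c in ctl) for u in env)}
        if not new: break
        losing |= new
    strategy = {(s, u): next(c for c in ctl if aut.step(s, u | c) not in losing)
                for s in states - losing for u in env}
    return init not in losing, strategy

def implies(a, b): return ('or', ('not', a), b)
def iff(a, b): return ('or', ('and', a, b), ('and', ('not', a), ('not', b)))

if __name__ == '__main__':
    u, c = ('p', 'u'), ('p', 'c')
    # Fig. 2: G(u -> XXc) ^ G(u -> Xc), canonical XXG(YYu -> c) ^ XG(Yu -> c)
    fig2 = ('and', ('X', 2, ('G', implies(('Y', ('Y', u)), c))),
                   ('X', 1, ('G', implies(('Y', u), c))))
    print(run(MonitorSSA(fig2), [{'u'}, {'c'}, set(), {'c'}]))  # error after the 3rd step
    print(solve_safety_game(MonitorSSA(fig2), ['c'], ['u'])[0])  # True: realizable
    # G(c <-> Xu), canonical XG(Yc <-> u): Controller would have to guess the next u
    guess = ('X', 1, ('G', iff(('Y', c), u)))
    print(solve_safety_game(MonitorSSA(guess), ['c'], ['u'])[0]) # False: unrealizable
```

On the prefix $\{u\}, \{c\}, \emptyset, \{c\}$ the Fig. 2 monitors report a violation in the fourth state, since $u$ held two steps before the state in which $c$ was low; the game solver finds the specification realizable (Controller keeps $c$ high whenever $Yu$ or $YYu$ holds), whereas $G(c \leftrightarrow Xu)$, canonical $XG(Yc \leftrightarrow u)$, is unrealizable because every state reached after the first step is losing for Controller: Environment can always pick the $u$ that contradicts the $c$ chosen one step earlier.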
S OLVING THE GAME ON THESYMBOLIC DETERMINISTIC AUTOMATON Once we have obtained the deterministic SSA A ( φ ) for an LTL EBR formula φ with the steps described in the previoussections, we can use A ( φ ) as the arena of a two-player gamebetween Controller and Environment in order to solve therealizability (and synthesis) problem for φ .Let us focus on the safety game G = (cid:104)A ( φ ) , C , U(cid:105) (recallDef. 6). Safety games have been extensively studied, astheir reachability objective makes the problem simpler thanconsidering ω -regular objectives, such as, for instance, B¨uchiand Rabin conditions.The aim of Controller is to choose an infinite sequence of controllable variables in such a way that, no matter what valuesfor the uncontrollable variables are chosen by Environment, the trace induced by the play in A ( φ ) is safe , that is, it visits onlystates s such that s | = S ( X ) (see Def. 6). Since in our case A ( φ ) recognizes exactly the language of φ , the play satisfies φ , and thus Controller has a winning strategy for φ .Since the organization of the SYNTCOMP [13], manyoptimized tools have been proposed in the literature to solvesafety games. For this reason, we chose to use a safetysynthesizer as a black box. The majority of these tools acceptas input a symbolic arena described in terms of and-invertergraphs (or AIGER format [1]), so we provide a simple utility toobtain the AIGER representation of functional SMV modules,that is, SMV modules with the transition relation expressedonly in terms of ASSIGN statements, such as the ones resulting from our encoding. The AIGER model is then given as input tothe chosen safety synthesizer, completing the process outlinedin Fig. 1.The next theorem states the complexity of the procedure. Theorem 2: The realizability problem for LTL EBR belongsto . If no constant is admitted, it belongs to EXPTIME . Proof: We first show that the proposed algorithm, asdescribed in Fig. 
1, belongs to for generic LTL EBR formulas. It is easy to see that the time complexity of all thesteps matches their space complexity. Therefore, we have analgorithm to turn an LTL EBR formula φ into an equivalentdeterministic SSA A ( φ ) whose time complexity is O ( n · M log n +1 ) , where n = | φ | and M is the greatest constant in φ . Since A ( φ ) is symbolically represented, it can be turnedinto an explicit automaton A (cid:48) ( φ ) of size at most exponential inthe size of A ( φ ) , that is, | A (cid:48) ( φ ) | ∈ O (2 n · M log2 n +1 ) . Finally,the time complexity of reachability games is linear in the sizeof the arena [8], and thus the overall time complexity of therealizability problem for LTL EBR is . If no constantis admitted, then, by Corollary 2, | A (cid:48) ( φ ) | ∈ O (2 n ) , and thecomplexity becomes EXPTIME . Comparison with Safety LTL It is interesting to briefly compare the proposed procedurefor realizability to the one used by the Ssyft tool for Safety LTL specifications [24]. In that tool, the negation of the initialformula is first translated into first-order logic over finite wordsand then transformed into deterministic automata using thetool MONA [11], which uses the classical subset constructionto determinize automata over finite words. Finally, Ssyft usesthe classical backward fixpoint iteration to compute the setof winning states over the DFA . It is worth to notice thatthe way MONA represents automata is not fully symbolic: theset of states is explicitly represented, while it uses a BDDfor each pair of states in order to represent symbolically thetransitions between the two corresponding states. In contrast ofsubset construction, our solution performs the pastification offull-bounded formulas. Most importantly, our construction ofdeterministic monitors is carried out in a fully symbolic way.VI. E XPERIMENTAL E VALUATION We implemented the proposed procedure (see Fig. 1) in atool called ebr-ltl-synth . 
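The monitors of Sec. IV and the safety game of Sec. V can be exercised on the Fig. 2 formula with a small explicit-state solver. The following Python is an added example, not code from the paper or from ebr-ltl-synth: it encodes the counter, the history bits and the error bits of the SSA as explicit tuples, solves the safety game by the classical backward fixpoint, and plays the extracted strategy against a constructed input sequence. It assumes a Mealy reading of the game (Controller reads the current uncontrollable input before fixing its output) and a single Boolean input u and output c; the second arena, for G(c ↔ Xu), is added to show an unrealizable case.

```python
"""Explicit-state version of the Sec. IV monitors and the Sec. V safety game.

Added example, not code from the paper or from ebr-ltl-synth.  A state of the
arena is a state of the symbolic safety automaton A(phi): the step counter
(saturating at the largest constant of the formula), the history bits needed
by the Y operators of the pastified subformulas, and one error bit per
canonical conjunct.  At each step Environment picks the uncontrollable input
u, Controller answers with the controllable output c (a Mealy reading of the
game, assumed here), and raising an error bit loses the play.  The two arenas
below are constructed for this example."""
from itertools import product

B = (False, True)      # the single input u and the single output c are Boolean


def solve_safety_game(arena):
    """Backward fixpoint  W = nu W. safe ∩ {s | ∀u ∃c. δ(s,u,c) ∈ W}.
    Returns (init ∈ W, strategy) with strategy[(s, u)] = a c that stays in W."""
    states, init, delta, safe = arena
    win = {s for s in states if safe(s)}
    while True:
        keep = {s for s in win
                if all(any(delta(s, u, c) in win for c in B) for u in B)}
        if keep == win:
            break
        win = keep
    strategy = {(s, u): next(c for c in B if delta(s, u, c) in win)
                for s in win for u in B}
    return init in win, strategy


def next_error(error, counter, i, v_psi):
    """next(error_{X^i G psi}) of Sec. IV: before step i nothing is checked;
    afterwards the bit is raised, and stays raised, once the full-past
    formula psi (current value v_psi) is violated."""
    if counter < i:
        return False
    return error or not v_psi


def arena_fig2():
    """XG(Yu -> c) ∧ XXG(YYu -> c), the canonical form of the Fig. 2 formula
    G(u -> Xc) ∧ G(u -> XXc).  State = (counter, y1, y2, err1, err2), where
    y1 is u one step ago and y2 is u two steps ago."""
    max_i = 2
    states = {(k,) + bits for k in range(max_i + 1)
              for bits in product(B, repeat=4)}
    init = (0, False, False, False, False)

    def delta(s, u, c):
        k, y1, y2, e1, e2 = s
        e1n = next_error(e1, k, 1, (not y1) or c)   # monitor of XG(Yu -> c)
        e2n = next_error(e2, k, 2, (not y2) or c)   # monitor of XXG(YYu -> c)
        return (min(k + 1, max_i), u, y1, e1n, e2n)

    return states, init, delta, lambda s: not (s[3] or s[4])


def arena_guess_next_input():
    """XG(Yc <-> u), the canonical form of G(c <-> Xu): Controller would have
    to predict Environment's next input, so no strategy exists.
    State = (counter, yc, err) with yc the previous output."""
    states = {(k, yc, e) for k in range(2) for yc in B for e in B}
    init = (0, False, False)

    def delta(s, u, c):
        k, yc, e = s
        return (min(k + 1, 1), c, next_error(e, k, 1, yc == u))

    return states, init, delta, lambda s: not s[2]


def play(arena, strategy, inputs):
    """Run the synthesized controller against a constructed input sequence.
    Returns the outputs and whether every visited state was safe."""
    _, s, delta, safe = arena
    outputs, all_safe = [], True
    for u in inputs:
        c = strategy[(s, u)]
        outputs.append(c)
        s = delta(s, u, c)
        all_safe = all_safe and safe(s)
    return outputs, all_safe


if __name__ == "__main__":
    ok, strat = solve_safety_game(arena_fig2())
    print("Fig. 2 formula realizable:", ok)
    print("controller outputs:", play(arena_fig2(), strat, [True, False, False]))
    print("G(c <-> Xu) realizable:", solve_safety_game(arena_guess_next_input())[0])
```

Running the file reports the Fig. 2 formula as realizable, shows the controller emitting c in the two steps after each u, and reports G(c ↔ Xu) as unrealizable: after the first step every state carries a stale guess yc that Environment can refute by choosing u ≠ yc, so the fixpoint empties out and the initial state is not winning. A symbolic engine such as demiurge performs the same fixpoint over AIGER circuits rather than over explicit tuples.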
The transformation from LTL_EBR to deterministic SSA, together with the translation to AIGER, has been implemented inside the nuXmv model checker [6]. As the backend for solving the safety game, we have chosen the SAT-based tool demiurge [2]. The tool is available at http://users.dimi.uniud.it/~luca.geatti/tools/ebrltlsynth.html.

We tested our tool on a set of scalable benchmarks divided in four categories (propositional atoms starting with the letter c are controllable, while those starting with the letter u are uncontrollable):
1) the first category is generated by the realizable formula $G(c_1 \wedge XG(c_2 \wedge \dots \wedge X^nG(c_n \wedge u)\dots))$;
2) the second category is generated by the realizable formula $G((c_1 \vee u_1) \wedge XG((c_2 \vee u_2) \wedge \dots \wedge X^nG(c_n \vee u_n)\dots))$;
3) the third category is generated by the unrealizable formula $G(c) \wedge \bigvee_{i=1}^{n} G\big(\bigwedge_{j=0}^{i} u_i\big)$;
4) the fourth category is generated by the unrealizable formula $c \wedge \bigwedge_{i=1}^{n} X^i(u_i \vee u_{i+1})$.

Each category contains the respective scalable formula for n ranging from 1 up to a fixed bound, so that half of the benchmarks are realizable and the other half unrealizable. We set a timeout of 180 seconds for each benchmark. We compared ebr-ltl-synth with ltlsynt [12], Strix [18] and Ssyft [24]. The first two tools solve the realizability and synthesis problems for full LTL and are based on a translation to parity games. ltlsynt uses SPOT [9] for efficient translation and manipulation of automata. Strix implements several optimizations, like specification splitting, which splits the initial formula into safety, co-safety, Büchi and co-Büchi subformulas and speeds up the solving of the game. Ssyft, instead, solves the realizability problem for specifications written in Safety LTL (see Sec. V for a brief description of the Ssyft tool).

For realizability, we tested all the tools in their sequential configurations. ltlsynt has two sequential configurations, which differ on whether the split of actions into Controller's and Environment's ones is performed before or after the determinization. Strix has two sequential modes as well, depending on the kind of search on the arena (depth-first for the first configuration, and with a priority queue for the second). Ssyft and ebr-ltl-synth have only one configuration.

Fig. 3 shows the outcome of the comparison between ebr-ltl-synth and the best configuration of ltlsynt: it can be clearly seen that, for both realizable and unrealizable formulas, ltlsynt presents an exponential blow-up in the solving time that is avoided by ebr-ltl-synth. Fig. 4 compares ebr-ltl-synth with the best configuration of Strix: while for realizable formulas Strix shows an exponential blow-up that ebr-ltl-synth avoids, it is interesting to note that on the unrealizable benchmarks the difference between the solving times of the two tools is linear, mostly a 10x improvement in favor of ebr-ltl-synth. The survival plots for the sets of realizable and unrealizable scalable benchmarks are shown in Figs. 5 and 6, respectively.

Figure 3. ebr-ltl-synth vs ltlsynt (first conf.) on all scalable benchmarks.
Figure 4. ebr-ltl-synth vs Strix on all scalable benchmarks.
Figure 5. Survival plot for realizable scalable benchmarks.
Figure 6. Survival plot for unrealizable scalable benchmarks.

The outcomes of the comparison between ebr-ltl-synth and Ssyft are shown in Fig. 7. Here the three lines near the sides of the figure correspond to timeouts (the solid black line), memouts for unrealizable benchmarks and memouts for realizable benchmarks (the dotted lines). It can be noticed that Ssyft reaches a memory out for the vast majority of benchmarks. For instance, on both realizable categories, Ssyft reaches the first memout at n = 7. As for the unrealizable benchmarks, on the third category Ssyft reaches the first memout at n = 36, while on the fourth category at n = 59. This is due to MONA, which is not able to build the (explicit) DFA for the (negation of the) initial specification. (We point out that in some cases, like in the fourth category for large values of n, MONA's memouts are due to its parser.) This is an important hint about the use of fully symbolic techniques for the representation of automata, like the one of ebr-ltl-synth, as in many cases they avoid an exponential blow-up of the automata's state space. The survival plot between ebr-ltl-synth and Ssyft is shown in Fig. 8. (The reason why we do not have a single survival plot comparing all four tools is that Ssyft could not be compiled for the same platform as the others, due to issues with its source code.) The rest of the plots for realizability of scalable benchmarks can be found in the appendix.

Figure 7. ebr-ltl-synth vs Ssyft on scalable benchmarks.
Figure 8. Survival plot for ebr-ltl-synth and Ssyft on scalable benchmarks.

In addition to these scalable formulas, from the benchmarks of SYNTCOMP [13] we filtered the formulas that belong to LTL_EBR: this resulted in a set of 29 formulas. The survival plot showing the comparison with ltlsynt and Strix is shown in Fig. 9, while the comparison with Ssyft is shown in Fig. 10. It is interesting to see that, on the SYNTCOMP benchmarks, the results of ebr-ltl-synth and Ssyft are comparable.

As for the synthesis problem, once a specification is found to be realizable, all three tools produce a strategy as a witness: this strategy is in the form of an and-inverter graph whose input bits are only the uncontrollable variables. Often, a strategy of this kind can be minimized by using logic synthesis tools (like ABC [3]) as a black box. In the particular case of the tools considered in this section, they all use a separate logic synthesizer as a black box, with different configurations to minimize the strategy. Therefore, we do not compare the size of the strategies found by the three tools, since such a comparison would say nothing about the methods implemented by the tools but would rather compare their backends.

VII. CONCLUSIONS

In this paper, we introduce the logic LTL_EBR, a fragment of LTL that combines formulas with only bounded operators and a particular combination of universal unbounded temporal operators. We focus on the realizability and reactive synthesis problems for this logic. The main contribution is a fully symbolic translation from any LTL_EBR formula to a deterministic symbolic safety automaton on infinite words. The process applies a pastification step and a set of rules to reach a canonical form for LTL_EBR formulas. Realizability is then decided by solving a safety game on the arena represented by the automaton. We first showed that realizability for LTL_EBR belongs to , but drops to EXPTIME if no constant is used. Then, we implemented the proposed procedure in a tool, whose experimental evaluation revealed very good performance against tools for realizability and synthesis of full LTL and Safety LTL specifications.

As a future development of this line of work, we believe that the translation from LTL_EBR to deterministic SSA may provide many benefits in the context of symbolic model checking as well, since the search of the state space could benefit from a deterministic representation of the automaton for the formula [22]. On the automata construction side, an interesting development would be to keep the bounds symbolic during pastification and monitor construction, without, for instance, expanding $X^i\alpha$ into $i$ nested next operators. On the expressiveness side, we want to study in which ways assumptions can be integrated into LTL_EBR. Last but not least, we aim at checking whether the synthesis problem for more expressive logics, like, for instance, LTL, can be reduced to the synthesis problem for LTL_EBR, for example by checking whether LTL_EBR can be used to solve the safety problems originating from bounded synthesis techniques.
Figure 9. Survival plot for SYNTCOMP benchmarks.
Figure 10. Survival plot for ebr-ltl-synth and Ssyft on SYNTCOMP benchmarks.

Acknowledgments: The authors want to thank all the anonymous reviewers of FMCAD 2020 for the insightful comments on a preliminary version of this paper.

REFERENCES
[1] Biere, A., Heljanko, K., Wieringa, S.: AIGER 1.9 and beyond. Available at fmv.jku.at/hwmcc11/beyond1.pdf (2011)
[2] Bloem, R., Könighofer, R., Seidl, M.: SAT-based synthesis methods for safety specs. In: International Conference on Verification, Model Checking, and Abstract Interpretation, pp. 1–20. Springer (2014)
[3] Brayton, R., Mishchenko, A.: ABC: An academic industrial-strength verification tool. In: International Conference on Computer Aided Verification, pp. 24–40. Springer (2010)
[4] Büchi, J.R.: On a decision method in restricted second order arithmetic. In: The Collected Works of J. Richard Büchi, pp. 425–435. Springer (1990)
[5] Büchi, J.R., Landweber, L.H.: Solving sequential conditions by finite-state strategies. In: The Collected Works of J. Richard Büchi, pp. 525–541. Springer (1990)
[6] Cavada, R., Cimatti, A., Dorigatti, M., Griggio, A., Mariotti, A., Micheli, A., Mover, S., Roveri, M., Tonetta, S.: The nuXmv symbolic model checker. In: International Conference on Computer Aided Verification, pp. 334–342. Springer (2014)
[7] Church, A.: Logic, arithmetic, and automata. In: Proceedings of the International Congress of Mathematicians, vol. 1962, pp. 23–35 (1962)
[8] De Alfaro, L., Henzinger, T.A., Kupferman, O.: Concurrent reachability games. Theoretical Computer Science (3), 188–217 (2007)
[9] Duret-Lutz, A., Lewkowicz, A., Fauchille, A., Michaud, T., Renault, E., Xu, L.: Spot 2.0: a framework for LTL and ω-automata manipulation. In: International Symposium on Automated Technology for Verification and Analysis, pp. 122–129. Springer (2016)
[10] Finkbeiner, B., Schewe, S.: Bounded synthesis. International Journal on Software Tools for Technology Transfer (5-6), 519–539 (2013)
[11] Henriksen, J.G., Jensen, J., Jørgensen, M., Klarlund, N., Paige, R., Rauhe, T., Sandholm, A.: Mona: Monadic second-order logic in practice. In: International Workshop on Tools and Algorithms for the Construction and Analysis of Systems, pp. 89–110. Springer (1995)
[12] Jacobs, S., Bloem, R.: The 5th reactive synthesis competition (SYNTCOMP 2018)
[13] Jacobs, S., Bloem, R., Brenguier, R., Ehlers, R., Hell, T., Könighofer, R., Pérez, G.A., Raskin, J.F., Ryzhyk, L., Sankur, O., et al.: The first reactive synthesis competition (SYNTCOMP 2014). International Journal on Software Tools for Technology Transfer (3), 367–390 (2017)
[14] Kupferman, O., Vardi, M.Y.: Safraless decision procedures. In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05), pp. 531–540. IEEE (2005)
[15] Leucker, M., Schallhart, C.: A brief account of runtime verification. The Journal of Logic and Algebraic Programming (5), 293–303 (2009)
[16] Maler, O., Nickovic, D., Pnueli, A.: Real time temporal logic: Past, present, future. In: International Conference on Formal Modeling and Analysis of Timed Systems, pp. 2–16. Springer (2005)
[17] Maler, O., Nickovic, D., Pnueli, A.: On synthesizing controllers from bounded-response properties. In: International Conference on Computer Aided Verification, pp. 95–107. Springer (2007)
[18] Meyer, P.J., Sickert, S., Luttenberger, M.: Strix: Explicit reactive synthesis strikes back! In: International Conference on Computer Aided Verification, pp. 578–586. Springer (2018)
[19] Piterman, N., Pnueli, A., Sa'ar, Y.: Synthesis of reactive(1) designs. In: International Workshop on Verification, Model Checking, and Abstract Interpretation, pp. 364–380. Springer (2006)
[20] Pnueli, A., Rosner, R.: On the synthesis of an asynchronous reactive module. In: International Colloquium on Automata, Languages, and Programming, pp. 652–671. Springer (1989)
[21] Rosner, R.: Modular synthesis of reactive systems. Ph.D. thesis, Weizmann Institute of Science (1992)
[22] Sebastiani, R., Tonetta, S.: "More deterministic" vs. "smaller" Büchi automata for efficient LTL model checking. In: Geist, D., Tronci, E. (eds.) CHARME, Lecture Notes in Computer Science, vol. 2860, pp. 126–140. Springer (2003). https://doi.org/10.1007/978-3-540-39724-3_12
[23] Vardi, M.Y., Wolper, P.: Reasoning about infinite computations. Information and Computation (1), 1–37 (1994)
[24] Zhu, S., Tabajara, L.M., Li, J., Pu, G., Vardi, M.Y.: A symbolic approach to safety LTL synthesis. In: Haifa Verification Conference, pp. 147–162. Springer (2017)

APPENDIX A: PROOFS

Proposition 6 (Soundness of pastification): Let $\varphi$ be an LTL_FB formula. For all state sequences $\sigma \in (2^\Sigma)^\omega$, all $i \in \mathbb{N}$, and all $d \ge D(\varphi)$, it holds that
$$\sigma, i \models \varphi \quad\Leftrightarrow\quad \sigma, i \models X^d\,\Pi(\varphi, d).$$

Proof: The proof goes by structural induction over $\varphi$. As the base case, consider a proposition $p \in \Sigma$; since $D(p) = 0$, consider any $d \ge 0$. It holds that $\sigma, i \models p$ if and only if $\sigma, i \models X^d Y^d p$, which is equivalent to saying that $\sigma, i+d \models Y^d p$, hence $\sigma, i+d \models \Pi(p, d)$. For the inductive step, we consider multiple cases:

1) if $\varphi \equiv X\varphi_1$, consider any $d \ge D(X\varphi_1)$. By the semantics of the tomorrow operator, $\sigma, i \models X\varphi_1$ is equivalent to $\sigma, i+1 \models \varphi_1$, which, by the inductive hypothesis, is equivalent to $\sigma, i+1+t \models \Pi(\varphi_1, t)$ for all $t \ge D(\varphi_1)$. Since $D(X\varphi_1) = D(\varphi_1) + 1$, taking $t = d-1$ the above is equivalent to $\sigma, i+d \models \Pi(\varphi_1, d-1)$, hence $\sigma, i+d \models \Pi(X\varphi_1, d)$, for all $d \ge D(X\varphi_1)$.

2) if $\varphi \equiv \varphi_1\,U_{[a,b]}\,\varphi_2$, consider any $d \ge D(\varphi)$. The following equivalences hold:
$$\begin{aligned}
&\sigma, i \models \varphi_1\,U_{[a,b]}\,\varphi_2 \\
\Leftrightarrow\;& \exists j \in [a,b].\ \big(\sigma, i+j \models \varphi_2 \wedge \forall w \in [0,j).\ \sigma, i+w \models \varphi_1\big) && \text{semantics of until} \\
\Leftrightarrow\;& \exists j \in [a,b].\ \big(\sigma, i+j+d-b \models \Pi(\varphi_2, d-b) \wedge \forall w \in [0,j).\ \sigma, i+w+d-b \models \Pi(\varphi_1, d-b)\big) && \text{inductive hypothesis, since } d-b \ge D(\varphi_1),\, D(\varphi_2) \\
\Leftrightarrow\;& \exists t \in [0,b-a].\ \big(\sigma, i-t+d \models \Pi(\varphi_2, d-b) \wedge \forall w' \in [0,b-t-1].\ \sigma, i-t-w'+d-1 \models \Pi(\varphi_1, d-b)\big) && \text{with } t = b-j \text{ and } w' = b-t-w-1 \\
\Leftrightarrow\;& \exists t \in [0,b-a].\ \big(\sigma, i+d \models Y^t\,\Pi(\varphi_2, d-b) \wedge \sigma, i+d \models Y^t H^{\le b-t-1}\,Y\,\Pi(\varphi_1, d-b)\big) && \text{semantics of yesterday and historically} \\
\Leftrightarrow\;& \sigma, i+d \models \bigvee_{t=0}^{b-a} Y^t\big(\Pi(\varphi_2, d-b) \wedge H^{\le b-t-1}\,Y\,\Pi(\varphi_1, d-b)\big) && \text{conjunction and disjunction} \\
\Leftrightarrow\;& \sigma, i+d \models \Pi(\varphi_1\,U_{[a,b]}\,\varphi_2,\, d)
\end{aligned}$$
This concludes the proof.

Proposition 7: Let $\varphi$ be an LTL_FB formula. Then $\mathrm{pastify}(\varphi)$ is a formula of size $O(n \cdot M^{\log n + 1})$, where $n = |\varphi|$ and $M$ is the greatest constant in $\varphi$.

Proof: We first give a bound for the $\Pi(\cdot)$ operator. It holds that:
• $|\Pi(p, d)| = O(d)$ for each $p \in \Sigma$;
• $|\Pi(\neg\varphi, d)| = |\Pi(\varphi, d)| + 1$;
• $|\Pi(\varphi_1 \wedge \varphi_2, d)| = |\Pi(\varphi_1, d)| + |\Pi(\varphi_2, d)| + 1$;
• $|\Pi(X\varphi_1, d)| \le |\Pi(\varphi_1, d)| + 1$;
and
$$\begin{aligned}
|\Pi(\varphi_1\,U_{[a,b]}\,\varphi_2,\, d)| &\le \sum_{i=0}^{M}\big(i + |\Pi(\varphi_2, d-i)| + (M-i) + |\Pi(\varphi_1, d-i)|\big) \\
&\le \sum_{i=0}^{M}\big(M + |\Pi(\varphi_2, d-i)| + |\Pi(\varphi_1, d-i)|\big) \\
&\le M + M\,|\Pi(\varphi_1, d)| + M\,|\Pi(\varphi_2, d)|
\end{aligned}$$
Since the case of the bounded until operator dominates all the others, we have that $|\Pi(\varphi, d)| \le M + M\,|\Pi(\varphi_1, d)| + M\,|\Pi(\varphi_2, d)|$, where $|\varphi| = 1 + |\varphi_1| + |\varphi_2|$. Without loss of generality, we can assume that $|\varphi_1| = |\varphi_2| = (|\varphi| - 1)/2$; in this way, the recurrence $S(n)$ describing the space required for $|\Pi(\varphi, d)|$, with $n = |\varphi|$, is the following:
$$S(n) = \begin{cases} O(d) & \text{if } n = 1 \\ 2M \cdot S(n/2) + O(M) & \text{otherwise} \end{cases}$$
By unrolling the equation for $i$ steps, we have that $S(n) = (2M)^i \cdot S(n/2^i) + O(M^i)$.
For $i = \log n$, the equation amounts to:
$$S(n) = (2M)^{\log n} \cdot S(1) + O(M^{\log n}) = d \cdot (2M)^{\log n} + O(M^{\log n})$$
Since $\mathrm{pastify}(\varphi)$ is defined as $X^d\,\Pi(\varphi, d)$ with $d = D(\varphi)$, it holds that:
$$\begin{aligned}
|\mathrm{pastify}(\varphi)| &\le d + d \cdot (2M)^{\log n} + O(M^{\log n}) \\
&\le Mn + Mn \cdot (2M)^{\log n} + O(M^{\log n}) && \text{since } d \le Mn \\
&\in O(M \cdot n \cdot (2M)^{\log n}) \\
&\in O(M \cdot n \cdot \log n \cdot M^{\log n}) \\
&\in O(n \cdot M^{\log n + 1})
\end{aligned}$$

Lemma 2 (Strong equivalence for the rules): Let $\psi_1, \psi_2, \psi_3$ (and, for $R_{flat}$, $\psi_1, \dots, \psi_n$) be LTL_FP formulas. For all state sequences $\sigma$ and for all positions $s \in \mathbb{N}$, it holds that:
$$\begin{aligned}
R_1:\;& \sigma, s \models X(\psi_1 \wedge \psi_2) \Leftrightarrow \sigma, s \models X\psi_1 \wedge X\psi_2 \\
R_2:\;& \sigma, s \models \psi_1\,R\,(\psi_2 \wedge \psi_3) \Leftrightarrow \sigma, s \models \psi_1\,R\,\psi_2 \wedge \psi_1\,R\,\psi_3 \\
R_3:\;& \sigma, s \models (X^i\psi_1)\,R\,(X^j\psi_2) \Leftrightarrow \sigma, s \models \begin{cases} X^i(\psi_1\,R\,(Y^{i-j}\psi_2)) & \text{if } i > j \\ X^j((Y^{j-i}\psi_1)\,R\,\psi_2) & \text{otherwise} \end{cases} \\
R_4:\;& \sigma, s \models (X^i\psi_1)\,R\,(X^j(\psi_2\,R\,\psi_3)) \Leftrightarrow \sigma, s \models \begin{cases} X^i(\psi_1\,R\,((Y^{i-j}\psi_2)\,R\,(Y^{i-j}\psi_3))) & \text{if } i > j \\ X^j((Y^{j-i}(\psi_1 \wedge \top))\,R\,(\psi_2\,R\,\psi_3)) & \text{otherwise} \end{cases} \\
R_5:\;& \sigma, s \models G X^i G\psi_1 \Leftrightarrow \sigma, s \models X^i G\psi_1 \\
R_6:\;& \sigma, s \models G X^i(\psi_1\,R\,\psi_2) \Leftrightarrow \sigma, s \models X^i G\psi_2 \\
R_7:\;& \sigma, s \models (X^i\psi_1)\,R\,(X^j G\psi_2) \Leftrightarrow \sigma, s \models \begin{cases} X^i G Y^{i-j}\psi_2 & \text{if } i > j \\ X^j G\psi_2 & \text{otherwise} \end{cases} \\
R_{flat}:\;& \sigma, 0 \models X^i(\psi_1\,R\,(\psi_2\,R\,(\dots(\psi_{n-1}\,R\,\psi_n)\dots))) \Leftrightarrow \sigma, 0 \models X^i\big((\psi_{n-1} \wedge O(\psi_{n-2} \wedge \dots O(\psi_1 \wedge Y^i\top)\dots))\,R\,\psi_n\big) \quad \text{for all } n \ge 2
\end{aligned}$$

Proof: Before starting the proof, we remark that the claim of this lemma does not only ask for the equivalence between the left- and right-hand sides of the rules, but requires their strong equivalence, i.e., that for all state sequences $\sigma$ and all positions $s$, $\sigma$ is a model from position $s$ of the left-hand formula iff $\sigma$ is a model from position $s$ of the right-hand formula. Equivalence is the special case of strong equivalence obtained by considering only $s = 0$.
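Propositions 6 and 7 above can be exercised directly. The Python below is an added example, not the paper's implementation: it implements $D(\varphi)$ and $\Pi(\varphi, d)$ for the LTL_FB operators handled in the proof of Proposition 6 (atoms, ¬, ∧, ∨, X and $U_{[a,b]}$), evaluates both future and past formulas on finite traces, and checks Proposition 6 exhaustively over all traces of a given length for a constructed formula. The tuple encoding of formulas and the finite-trace evaluator (a future operator looking past the end of the trace is false) are choices of this example.

```python
"""Pastification Pi(phi, d) of Sec. IV for the full-bounded fragment LTL_FB
(atoms, not, and, or, X, bounded until U_[a,b]) with a brute-force check of
Proposition 6:  sigma, i |= phi  iff  sigma, i+d |= Pi(phi, d)  for d >= D(phi).
Added example, not the paper's implementation.  Formulas are nested tuples
(a representation chosen here); a trace is a list of sets of true atoms."""
from itertools import product


def depth(f):
    """D(phi): the temporal depth (maximal look-ahead) of phi."""
    k = f[0]
    if k == 'p':
        return 0
    if k == 'X':
        return depth(f[1]) + 1
    if k == 'U':                             # ('U', a, b, g, h) is g U_[a,b] h
        return f[2] + max(depth(f[3]), depth(f[4]))
    return max(depth(x) for x in f[1:])      # 'not', 'and', 'or'


def yesterdays(f, n):
    """Y^n f."""
    for _ in range(n):
        f = ('Y', f)
    return f


def pi(f, d):
    """Pi(phi, d): a pure-past formula that, read at position i+d, states what
    phi states at position i (requires d >= D(phi))."""
    k = f[0]
    if k == 'p':
        return yesterdays(f, d)
    if k == 'X':
        return pi(f[1], d - 1)
    if k != 'U':                             # 'not', 'and', 'or': map over children
        return (k,) + tuple(pi(x, d) for x in f[1:])
    _, a, b, g, h = f
    pg, ph = pi(g, d - b), pi(h, d - b)
    # OR_{t=0}^{b-a} Y^t ( Pi(h, d-b) and H^{<= b-t-1} Y Pi(g, d-b) )
    terms = [yesterdays(('and', ph, ('Hle', b - t - 1, ('Y', pg))), t)
             for t in range(b - a + 1)]
    out = terms[0]
    for term in terms[1:]:
        out = ('or', out, term)
    return out


def pastify(f):
    """pastify(phi) = X^d Pi(phi, d) with d = D(phi); returned as (d, Pi(phi, d))."""
    d = depth(f)
    return d, pi(f, d)


def sat(trace, i, f):
    """sigma, i |= f on a finite trace.  A future operator that would look past
    the end is false; Y is false at position 0."""
    k = f[0]
    if k == 'p':
        return f[1] in trace[i]
    if k == 'not':
        return not sat(trace, i, f[1])
    if k == 'and':
        return sat(trace, i, f[1]) and sat(trace, i, f[2])
    if k == 'or':
        return sat(trace, i, f[1]) or sat(trace, i, f[2])
    if k == 'X':
        return i + 1 < len(trace) and sat(trace, i + 1, f[1])
    if k == 'Y':
        return i >= 1 and sat(trace, i - 1, f[1])
    if k == 'Hle':                           # H^{<=n} g: g at i-w for every 0 <= w <= n
        _, n, g = f
        return all(sat(trace, i - w, g) for w in range(min(n, i) + 1))
    _, a, b, g, h = f                        # g U_[a,b] h
    return any(i + j < len(trace) and sat(trace, i + j, h)
               and all(sat(trace, i + w, g) for w in range(j))
               for j in range(a, b + 1))


def pastify_sound(f, atoms, length):
    """Exhaustive check of Proposition 6 on every trace over `atoms` of the given
    length, at every position i such that i + D(phi) still lies in the trace."""
    d, past = pastify(f)
    for vals in product((False, True), repeat=length * len(atoms)):
        trace = [{a for j, a in enumerate(atoms) if vals[t * len(atoms) + j]}
                 for t in range(length)]
        if any(sat(trace, i, f) != sat(trace, i + d, past)
               for i in range(length - d)):
            return False
    return True


P, Q = ('p', 'p'), ('p', 'q')
# constructed example: (p U_[1,3] X q) and not (q U_[0,2] p), with D(phi) = 4
PHI = ('and', ('U', 1, 3, P, ('X', Q)), ('not', ('U', 0, 2, Q, P)))

if __name__ == "__main__":
    print("D(phi) =", depth(PHI))
    print("Proposition 6 on all length-6 traces:", pastify_sound(PHI, ('p', 'q'), 6))
```

The check ranges over every position $i$ with $i + D(\varphi)$ inside the trace, so the finite cut-off never truncates a bounded look-ahead; on the constructed formula $(p\,U_{[1,3]}\,Xq) \wedge \neg(q\,U_{[0,2]}\,p)$ we have $D(\varphi) = 4$ and the equivalence holds on all 4096 traces of length 6 over $\{p, q\}$. The blow-up of Proposition 7 is visible in the size of the returned formula: each bounded until expands into $b-a+1$ disjuncts, each containing the pastified operands.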
In our case, the necessity of considering strong equivalence is due to the fact that the left-hand sides of the rules (except for $R_{flat}$, for which we require only equivalence) can appear as subformulas of the original $\varphi$ on which the canonize algorithm is applied, and thus they can be interpreted at any position $s$. Since we want to maintain the equivalence between $\varphi$ and $\mathrm{canonize}(\varphi)$, we have to make sure that each subformula is strongly equivalent to the one by which it is replaced during the application of the rules. The only exception is the $R_{flat}$ rule, which is applied only to top-level conjuncts or disjuncts, and thus we can require for it only equivalence.

We first prove the first two points (i.e., $R_1$ and $R_2$). For the $R_1$ rule, the following steps hold:
$$\begin{aligned}
\sigma, s \models X(\psi_1 \wedge \psi_2) &\Leftrightarrow \sigma, s+1 \models \psi_1 \wedge \psi_2 \\
&\Leftrightarrow \sigma, s+1 \models \psi_1 \text{ and } \sigma, s+1 \models \psi_2 \\
&\Leftrightarrow \sigma, s \models X\psi_1 \text{ and } \sigma, s \models X\psi_2 \\
&\Leftrightarrow \sigma, s \models X\psi_1 \wedge X\psi_2
\end{aligned}$$

Consider rule $R_2$. We first prove that $\sigma, s \models \psi_1\,R\,(\psi_2 \wedge \psi_3)$ implies $\sigma, s \models \psi_1\,R\,\psi_2 \wedge \psi_1\,R\,\psi_3$, for all state sequences $\sigma$ and all positions $s$. Let $\sigma$ be a state sequence and $s \in \mathbb{N}$ a position such that $\sigma, s \models \psi_1\,R\,(\psi_2 \wedge \psi_3)$. We divide in cases:
1) if $\forall i \ge s.\ \sigma, i \models \psi_2 \wedge \psi_3$, then $\forall i \ge s.\ \sigma, i \models \psi_2$ and $\forall i \ge s.\ \sigma, i \models \psi_3$. Thus $\sigma, s \models \psi_1\,R\,\psi_2$ and $\sigma, s \models \psi_1\,R\,\psi_3$, that is, $\sigma, s \models \psi_1\,R\,\psi_2 \wedge \psi_1\,R\,\psi_3$.
2) otherwise,
$$\begin{aligned}
&\exists i \ge s.\ \big(\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models \psi_2 \wedge \psi_3\big) \\
\Leftrightarrow\;& \exists i \ge s.\ \big(\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models \psi_2 \wedge \forall s \le k \le i.\ \sigma, k \models \psi_3\big) \\
\Rightarrow\;& \exists i \ge s.\ \big(\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models \psi_2\big) \wedge \exists i \ge s.\ \big(\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models \psi_3\big) \\
\Leftrightarrow\;& \sigma, s \models \psi_1\,R\,\psi_2 \wedge \psi_1\,R\,\psi_3
\end{aligned}$$

We now prove the opposite direction, that is, $\sigma, s \models \psi_1\,R\,\psi_2 \wedge \psi_1\,R\,\psi_3$ implies $\sigma, s \models \psi_1\,R\,(\psi_2 \wedge \psi_3)$, for all state sequences $\sigma$ and all positions $s$. Let $\sigma$ be a state sequence and $s \in \mathbb{N}$ such that $\sigma, s \models \psi_1\,R\,\psi_2 \wedge \psi_1\,R\,\psi_3$. We divide again in cases:
1) if $\forall i \ge s.\ \sigma, i \models \psi_2$ and $\forall i \ge s.\ \sigma, i \models \psi_3$, then $\forall i \ge s.\ \sigma, i \models \psi_2 \wedge \psi_3$, and thus $\sigma, s \models \psi_1\,R\,(\psi_2 \wedge \psi_3)$.
2) if $\forall i \ge s.\ \sigma, i \models \psi_2$ and $\exists i \ge s.\ (\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models \psi_3)$, then $\exists i \ge s.\ (\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models \psi_2 \wedge \psi_3)$, that is, $\sigma, s \models \psi_1\,R\,(\psi_2 \wedge \psi_3)$.
3) if $\exists i \ge s.\ (\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models \psi_2)$ and $\forall i \ge s.\ \sigma, i \models \psi_3$, then $\exists i \ge s.\ (\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models \psi_2 \wedge \psi_3)$, that is, $\sigma, s \models \psi_1\,R\,(\psi_2 \wedge \psi_3)$.
4) finally, consider the case $\exists l \ge s.\ (\sigma, l \models \psi_1 \wedge \forall s \le j \le l.\ \sigma, j \models \psi_2)$ and $\exists k \ge s.\ (\sigma, k \models \psi_1 \wedge \forall s \le j \le k.\ \sigma, j \models \psi_3)$. Let $i = \min(l, k)$: then $\sigma, i \models \psi_1$ and $\forall s \le j \le i.\ \sigma, j \models \psi_2 \wedge \psi_3$, that is, $\sigma, s \models \psi_1\,R\,(\psi_2 \wedge \psi_3)$.
This concludes the proof for the $R_2$ rule.

Before proving the cases of the remaining rules, we define and prove the following auxiliary strong equivalences. For all state sequences $\sigma$ and for all positions $s$, it holds that:
$$\begin{aligned}
R_8:\;& \sigma, s \models \psi_1\,R\,(X^i\psi_2) \Leftrightarrow \sigma, s \models X^i((Y^i\psi_1)\,R\,\psi_2) \\
R_9:\;& \sigma, s \models (X^i\psi_1)\,R\,\psi_2 \Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^i\psi_2)) \\
R_{10}:\;& \sigma, s \models Y^iX^i\psi_1 \Leftrightarrow \sigma, s \models \psi_1 \wedge Y^i\top \\
R_{11}:\;& \sigma, s \models Y^i(\psi_1\,R\,\psi_2) \Leftrightarrow \sigma, s \models (Y^i\psi_1)\,R\,(Y^i\psi_2) \\
R_{12}:\;& \sigma, s \models GG\psi_1 \Leftrightarrow \sigma, s \models G\psi_1 \\
R_{13}:\;& \sigma, s \models G(\psi_1\,R\,\psi_2) \Leftrightarrow \sigma, s \models G\psi_2 \\
R_{14}:\;& \sigma, s \models \psi_1\,R\,(G\psi_2) \Leftrightarrow \sigma, s \models G\psi_2
\end{aligned}$$
These will help in proving the cases for $R_3$ to $R_7$.

Consider the case for rule $R_8$. We first prove that $\sigma, s \models \psi_1\,R\,(X^i\psi_2)$ implies $\sigma, s \models X^i((Y^i\psi_1)\,R\,\psi_2)$, for all state sequences $\sigma$ and all positions $s$. Let $\sigma$ be a state sequence and $s \in \mathbb{N}$ such that $\sigma, s \models \psi_1\,R\,(X^i\psi_2)$. We divide in cases:
1) if $\forall j \ge s.\ \sigma, j \models X^i\psi_2$, then
$$\begin{aligned}
&\forall j \ge s.\ \sigma, j \models X^i\psi_2 \\
\Leftrightarrow\;& \forall j \ge s+i.\ \sigma, j \models \psi_2 \\
\Rightarrow\;& \sigma, s+i \models (Y^i\psi_1)\,R\,\psi_2 \\
\Leftrightarrow\;& \sigma, s \models X^i((Y^i\psi_1)\,R\,\psi_2)
\end{aligned}$$
2) if $\exists j \ge s.\ (\sigma, j \models \psi_1 \wedge \forall s \le k \le j.\ \sigma, k \models X^i\psi_2)$, then $\exists j \ge s.\ (\sigma, j+i \models Y^i\psi_1 \wedge \forall s+i \le k \le j+i.\ \sigma, k \models \psi_2)$, which in turn means that $\sigma, s+i \models (Y^i\psi_1)\,R\,\psi_2$, that is, $\sigma, s \models X^i((Y^i\psi_1)\,R\,\psi_2)$.
We now prove the opposite direction, that is, $\sigma, s \models X^i((Y^i\psi_1)\,R\,\psi_2)$ implies $\sigma, s \models \psi_1\,R\,(X^i\psi_2)$, for all state sequences $\sigma$ and all positions $s$. Let $\sigma$ be a state sequence and $s \in \mathbb{N}$ such that $\sigma, s \models X^i((Y^i\psi_1)\,R\,\psi_2)$. We divide again in cases:
1) if $\forall j \ge s+i.\ \sigma, j \models \psi_2$, then $\forall j \ge s.\ \sigma, j \models X^i\psi_2$, and thus $\sigma, s \models \psi_1\,R\,(X^i\psi_2)$.
2) if $\exists j \ge s+i.\ (\sigma, j \models Y^i\psi_1 \wedge \forall s+i \le k \le j.\ \sigma, k \models \psi_2)$, then:
$$\begin{aligned}
&\exists j \ge s+i.\ \big(\sigma, j \models Y^i\psi_1 \wedge \forall s+i \le k \le j.\ \sigma, k \models \psi_2\big) \\
\Leftrightarrow\;& \exists j \ge s+i.\ \big(\sigma, j-i \models X^iY^i\psi_1 \wedge \forall s \le k \le j-i.\ \sigma, k \models X^i\psi_2\big) \\
\Leftrightarrow\;& \exists j \ge s+i.\ \big(\sigma, j-i \models \psi_1 \wedge \forall s \le k \le j-i.\ \sigma, k \models X^i\psi_2\big) \\
\Leftrightarrow\;& \sigma, s+i \models Y^i(\psi_1\,R\,(X^i\psi_2)) \\
\Leftrightarrow\;& \sigma, s \models \psi_1\,R\,(X^i\psi_2)
\end{aligned}$$
This concludes the proof for rule $R_8$. The proof for rule $R_9$ is specular.

Consider the $R_{10}$ case. We first prove that $\sigma, s \models Y^iX^i\psi_1$ implies $\sigma, s \models \psi_1 \wedge Y^i\top$, for all state sequences $\sigma$ and all positions $s$. Let $\sigma$ be a state sequence such that $\sigma, s \models Y^iX^i\psi_1$ for a given $s \in \mathbb{N}$. We divide in cases:
(i) if $s < i$, then $\sigma, s \not\models Y^iX^i\psi_1$, which contradicts our hypothesis;
(ii) hence it must be the case that $s \ge i$, and it holds that:
$$\begin{aligned}
\sigma, s \models Y^iX^i\psi_1 &\Leftrightarrow \sigma, s-i \models X^i\psi_1 \\
&\Leftrightarrow \sigma, s-i+i \models \psi_1 \\
&\Leftrightarrow \sigma, s \models \psi_1 \wedge Y^i\top && \text{since } s \ge i
\end{aligned}$$
We prove the opposite direction, that is, $\sigma, s \models \psi_1 \wedge Y^i\top$ implies $\sigma, s \models Y^iX^i\psi_1$, for all state sequences $\sigma$ and all positions $s$. Let $\sigma$ be a state sequence such that $\sigma, s \models \psi_1 \wedge Y^i\top$ for a given $s \in \mathbb{N}$. We divide in cases:
(i) if $s < i$, then $\sigma, s \not\models Y^i\top$, which contradicts our hypothesis;
(ii) hence it must be the case that $s \ge i$, and it holds that:
$$\begin{aligned}
\sigma, s \models \psi_1 \wedge Y^i\top &\Leftrightarrow \sigma, s-i \models X^i\psi_1 && \text{since } s \ge i \\
&\Leftrightarrow \sigma, s-i+i \models Y^iX^i\psi_1 \\
&\Leftrightarrow \sigma, s \models Y^iX^i\psi_1
\end{aligned}$$
This concludes the proof for $R_{10}$.

Consider now the $R_{11}$ case. We first prove the left-to-right direction, that is, $\sigma, s \models Y^i(\psi_1\,R\,\psi_2)$ implies $\sigma, s \models (Y^i\psi_1)\,R\,(Y^i\psi_2)$, for all state sequences $\sigma$ and all positions $s$.
Let $\sigma$ be a state sequence such that $\sigma, s \models Y^i(\psi_1\,R\,\psi_2)$; necessarily $s \ge i$ (for $s < i$ the formula is false). It holds that $\sigma, s-i \models \psi_1\,R\,\psi_2$. Now, we divide in cases:
1) if $\forall k \ge s-i.\ \sigma, k \models \psi_2$, then $\forall k \ge s.\ \sigma, k \models Y^i\psi_2$, and thus $\sigma, s \models (Y^i\psi_1)\,R\,(Y^i\psi_2)$.
2) if $\exists k \ge s-i.\ (\sigma, k \models \psi_1 \wedge \forall s-i \le l \le k.\ \sigma, l \models \psi_2)$, then $\exists k \ge s.\ (\sigma, k \models Y^i\psi_1 \wedge \forall s \le l \le k.\ \sigma, l \models Y^i\psi_2)$, and thus $\sigma, s \models (Y^i\psi_1)\,R\,(Y^i\psi_2)$.
Now we prove the opposite direction. Suppose that $\sigma, s \models (Y^i\psi_1)\,R\,(Y^i\psi_2)$; again $s \ge i$, since for $s < i$ the formula $Y^i\psi_2$ is false at $s$. We divide in cases:
1) if $\forall k \ge s.\ \sigma, k \models Y^i\psi_2$, then:
$$\begin{aligned}
&\forall k \ge s-i.\ \sigma, k \models \psi_2 \\
\Rightarrow\;& \sigma, s-i \models \psi_1\,R\,\psi_2 \\
\Leftrightarrow\;& \sigma, s \models Y^i(\psi_1\,R\,\psi_2)
\end{aligned}$$
2) if $\exists k \ge s.\ (\sigma, k \models Y^i\psi_1 \wedge \forall s \le l \le k.\ \sigma, l \models Y^i\psi_2)$, then:
$$\begin{aligned}
&\exists k \ge s-i.\ \big(\sigma, k \models \psi_1 \wedge \forall s-i \le l \le k.\ \sigma, l \models \psi_2\big) \\
\Rightarrow\;& \sigma, s-i \models \psi_1\,R\,\psi_2 \\
\Leftrightarrow\;& \sigma, s \models Y^i(\psi_1\,R\,\psi_2)
\end{aligned}$$
This concludes the proof for the $R_{11}$ case.

The case for $R_{12}$ is simple, and it consists of the following steps. For all state sequences $\sigma$ and for all positions $s$, it holds that:
$$\begin{aligned}
\sigma, s \models GG\psi_1 &\Leftrightarrow \forall i \ge s.\ \sigma, i \models G\psi_1 \\
&\Leftrightarrow \forall i \ge s.\ \forall j \ge i.\ \sigma, j \models \psi_1 \\
&\Leftrightarrow \forall i \ge s.\ \sigma, i \models \psi_1 \\
&\Leftrightarrow \sigma, s \models G\psi_1
\end{aligned}$$

Consider the $R_{13}$ strong equivalence. We first prove the left-to-right direction. Suppose that $\sigma, s \models G(\psi_1\,R\,\psi_2)$, for a given state sequence $\sigma$ and a given position $s$. It holds that $\forall i \ge s.\ \sigma, i \models \psi_1\,R\,\psi_2$. For each such $i$, by the semantics of the release operator, one of two cases applies:
1) $\forall j \ge i.\ \sigma, j \models \psi_2$; in particular, $\sigma, i \models \psi_2$;
2) otherwise, $\exists j \ge i.\ (\sigma, j \models \psi_1 \wedge \forall i \le k \le j.\ \sigma, k \models \psi_2)$; in particular, for $k = i$, $\sigma, i \models \psi_2$.
In both cases $\sigma, i \models \psi_2$ for every $i \ge s$, that is, $\sigma, s \models G\psi_2$.
We prove the right-to-left direction of the $R_{13}$ case. Suppose that $\sigma, s \models G\psi_2$, for a given state sequence $\sigma$ and position $s$. It holds that:
$$\begin{aligned}
\sigma, s \models G\psi_2 &\Leftrightarrow \forall i \ge s.\ \sigma, i \models \psi_2 \\
&\Leftrightarrow \forall i \ge s.\ \forall j \ge i.\ \sigma, j \models \psi_2 \\
&\Rightarrow \forall i \ge s.\ \sigma, i \models \psi_1\,R\,\psi_2 \\
&\Leftrightarrow \sigma, s \models G(\psi_1\,R\,\psi_2)
\end{aligned}$$

Finally, consider the case for the $R_{14}$ strong equivalence. We first prove the left-to-right direction.
Suppose that $\sigma, s \models \psi_1\,R\,(G\psi_2)$ for a given state sequence $\sigma$ and position $s$. We divide in cases, depending on the semantics of the release operator:
1) if $\forall i \ge s.\ \sigma, i \models G\psi_2$, then for $i = s$ we have that $\sigma, s \models G\psi_2$.
2) otherwise, $\exists i \ge s.\ (\sigma, i \models \psi_1 \wedge \forall s \le j \le i.\ \sigma, j \models G\psi_2)$. In particular, for $j = s$, $\sigma, s \models G\psi_2$.
Therefore, in both cases we have that $\sigma, s \models G\psi_2$. For the right-to-left direction, suppose that $\sigma, s \models G\psi_2$. Then $\forall i \ge s.\ \sigma, i \models G\psi_2$, which implies that $\sigma, s \models \psi_1\,R\,(G\psi_2)$. This concludes the proof of all the auxiliary strong equivalences.

We can now prove the remaining rules $R_3$ to $R_7$. Consider first $R_3$ in the case $i > j$: we have to prove that $\sigma, s \models (X^i\psi_1)\,R\,(X^j\psi_2) \Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}\psi_2))$, for all state sequences $\sigma$ and all positions $s$. This can be done by means of the auxiliary rules $R_9$ and $R_{10}$:
$$\begin{aligned}
\sigma, s \models (X^i\psi_1)\,R\,(X^j\psi_2) &\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^iX^j\psi_2)) && \text{by rule } R_9 \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}(Y^jX^j\psi_2))) \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}(\psi_2 \wedge Y^j\top))) && \text{by rule } R_{10} \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}\psi_2 \wedge Y^{i-j+j}\top)) \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}\psi_2 \wedge Y^i\top)) \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}\psi_2)) && \text{since } Y^i\top \text{ holds at every position} \ge i
\end{aligned}$$
Consider now the rule $R_3$ in the case $i \le j$. We have to prove that $\sigma, s \models (X^i\psi_1)\,R\,(X^j\psi_2) \Leftrightarrow \sigma, s \models X^j((Y^{j-i}\psi_1)\,R\,\psi_2)$. This can be done using the auxiliary equivalences $R_8$ and $R_{10}$:
$$\begin{aligned}
\sigma, s \models (X^i\psi_1)\,R\,(X^j\psi_2) &\Leftrightarrow \sigma, s \models X^j((Y^jX^i\psi_1)\,R\,\psi_2) && \text{by rule } R_8 \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}(Y^iX^i\psi_1))\,R\,\psi_2) \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}(\psi_1 \wedge Y^i\top))\,R\,\psi_2) && \text{by rule } R_{10} \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}\psi_1 \wedge Y^{j-i+i}\top)\,R\,\psi_2) \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}\psi_1 \wedge Y^j\top)\,R\,\psi_2) \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}\psi_1)\,R\,\psi_2)
\end{aligned}$$
Consider the $R_4$ rule in the case $i > j$.
It holds that:
$$\begin{aligned}
\sigma, s \models (X^i\psi_1)\,R\,(X^j(\psi_2\,R\,\psi_3)) &\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^iX^j(\psi_2\,R\,\psi_3))) && \text{by rule } R_9 \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}Y^jX^j(\psi_2\,R\,\psi_3))) \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}((\psi_2\,R\,\psi_3) \wedge Y^j\top))) && \text{by rule } R_{10} \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}(\psi_2\,R\,\psi_3) \wedge Y^i\top)) \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}(\psi_2\,R\,\psi_3))) \wedge X^i(\psi_1\,R\,Y^i\top) && \text{by rules } R_2 \text{ and } R_1 \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(Y^{i-j}(\psi_2\,R\,\psi_3))) && \text{since } X^i(\psi_1\,R\,Y^i\top) \text{ is valid} \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,((Y^{i-j}\psi_2)\,R\,(Y^{i-j}\psi_3))) && \text{by rule } R_{11}
\end{aligned}$$
Finally, consider the $R_4$ rule in the case $i \le j$. It holds that:
$$\begin{aligned}
\sigma, s \models (X^i\psi_1)\,R\,(X^j(\psi_2\,R\,\psi_3)) &\Leftrightarrow \sigma, s \models X^j((Y^jX^i\psi_1)\,R\,(\psi_2\,R\,\psi_3)) && \text{by rule } R_8 \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}Y^iX^i\psi_1)\,R\,(\psi_2\,R\,\psi_3)) \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}(\psi_1 \wedge Y^i\top))\,R\,(\psi_2\,R\,\psi_3)) && \text{by rule } R_{10} \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}\psi_1 \wedge Y^j\top)\,R\,(\psi_2\,R\,\psi_3)) \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}\psi_1)\,R\,(\psi_2\,R\,\psi_3))
\end{aligned}$$

Consider the $R_5$ rule. It can be proved by means of the rules $R_4$ and $R_{12}$ as follows. For all state sequences $\sigma$ and all positions $s$, it holds that:
$$\begin{aligned}
\sigma, s \models GX^iG\psi_1 &\Leftrightarrow \sigma, s \models (X^0\bot)\,R\,(X^i(\bot\,R\,\psi_1)) && \text{by definition of the globally operator} \\
&\Leftrightarrow \sigma, s \models X^i((Y^i\bot)\,R\,(\bot\,R\,\psi_1)) && \text{by rule } R_4 \\
&\Leftrightarrow \sigma, s \models X^i(\bot\,R\,(\bot\,R\,\psi_1)) \\
&\Leftrightarrow \sigma, s \models X^i(GG\psi_1) \\
&\Leftrightarrow \sigma, s \models X^iG\psi_1 && \text{by rule } R_{12}
\end{aligned}$$

Consider the $R_6$ rule. It can be proved by means of the rules $R_4$ and $R_{13}$ as follows. For all state sequences $\sigma$ and positions $s$, it holds that:
$$\begin{aligned}
\sigma, s \models GX^i(\psi_1\,R\,\psi_2) &\Leftrightarrow \sigma, s \models (X^0\bot)\,R\,(X^i(\psi_1\,R\,\psi_2)) && \text{by definition of the globally operator} \\
&\Leftrightarrow \sigma, s \models X^i((Y^i\bot)\,R\,(\psi_1\,R\,\psi_2)) && \text{by rule } R_4 \\
&\Leftrightarrow \sigma, s \models X^i(\bot\,R\,(\psi_1\,R\,\psi_2)) \\
&\Leftrightarrow \sigma, s \models X^i(G(\psi_1\,R\,\psi_2)) \\
&\Leftrightarrow \sigma, s \models X^i(G\psi_2) && \text{by rule } R_{13}
\end{aligned}$$

Consider the $R_7$ rule. It can be proved by means of the rules $R_4$ and $R_{14}$ as follows. Let $\sigma$ be a state sequence and let $s$ be a position. We divide in cases.
If $i > j$, then:
$$\begin{aligned}
\sigma, s \models (X^i\psi_1)\,R\,(X^jG\psi_2) &\Leftrightarrow \sigma, s \models (X^i\psi_1)\,R\,(X^j(\bot\,R\,\psi_2)) \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,((Y^{i-j}\bot)\,R\,(Y^{i-j}\psi_2))) && \text{by rule } R_4 \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,(\bot\,R\,(Y^{i-j}\psi_2))) \\
&\Leftrightarrow \sigma, s \models X^i(\psi_1\,R\,G(Y^{i-j}\psi_2)) \\
&\Leftrightarrow \sigma, s \models X^iGY^{i-j}\psi_2 && \text{by rule } R_{14}
\end{aligned}$$
Otherwise, it holds that $i \le j$ and:
$$\begin{aligned}
\sigma, s \models (X^i\psi_1)\,R\,(X^jG\psi_2) &\Leftrightarrow \sigma, s \models (X^i\psi_1)\,R\,(X^j(\bot\,R\,\psi_2)) \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}\psi_1)\,R\,(\bot\,R\,\psi_2)) && \text{by rule } R_4 \\
&\Leftrightarrow \sigma, s \models X^j((Y^{j-i}\psi_1)\,R\,G\psi_2) \\
&\Leftrightarrow \sigma, s \models X^jG\psi_2 && \text{by rule } R_{14}
\end{aligned}$$
This concludes the cases for the rules $R_3$ to $R_7$.

It remains the case of the $R_{flat}$ rule, for which we have to prove only equivalence. We first prove the left-to-right direction, for all $n \ge 2$. Suppose that $\sigma, 0 \models X^i(\psi_1\,R\,(\psi_2\,R\,(\dots(\psi_{n-1}\,R\,\psi_n)\dots)))$, that is, $\sigma, i \models \psi_1\,R\,(\psi_2\,R\,(\dots(\psi_{n-1}\,R\,\psi_n)\dots))$. This formula contains $n-1$ release operators. Each of them can be satisfied in two ways: (i) universally, if the right-hand side formula holds at all future positions, or (ii) existentially, if there exists a future position where the left-hand side formula holds and the right-hand side formula holds until then. Therefore, we have a total of $2^{n-1}$ cases.

We consider first the cases in which at least one release operator is universally satisfied (these are $2^{n-1}-1$ cases). Let $m$ be the index of the outermost such operator, and let $k_0 = i$. We have that:
$$\exists j_1 \ge k_0.\ \Big(\sigma, j_1 \models \psi_1 \wedge \forall k_0 \le k_1 \le j_1.\ \exists j_2 \ge k_1.\ \big(\sigma, j_2 \models \psi_2 \wedge \dots \wedge \forall k_{m-2} \le k_{m-1} \le j_{m-1}.\ \forall k_m \ge k_{m-1}.\ (\sigma, k_m \models \psi_m\,R\,(\dots(\psi_{n-1}\,R\,\psi_n)\dots))\dots\big)\Big)$$
which is equivalent to:
$$\exists j_1 \ge k_0.\ \Big(\sigma, j_1 \models \psi_1 \wedge \forall k_0 \le k_1 \le j_1.\ \exists j_2 \ge k_1.\ \big(\sigma, j_2 \models \psi_2 \wedge \dots \wedge \forall k_{m-2} \le k_{m-1} \le j_{m-1}.\ (\sigma, k_{m-1} \models G(\psi_m\,R\,(\dots(\psi_{n-1}\,R\,\psi_n)\dots)))\dots\big)\Big)$$
By $n-m$ repeated applications of the auxiliary rule $R_{13}$, we have that:
$$\exists j_1 \ge k_0.\ \Big(\sigma, j_1 \models \psi_1 \wedge \forall k_0 \le k_1 \le j_1.\ \exists j_2 \ge k_1.\ \big(\sigma, j_2 \models \psi_2 \wedge \dots \wedge \forall k_{m-2} \le k_{m-1} \le j_{m-1}.\ (\sigma, k_{m-1} \models G\psi_n)\dots\big)\Big)$$
that is:
$$\exists j_1 \ge k_0.\ \Big(\sigma, j_1 \models \psi_1 \wedge \forall k_0 \le k_1 \le j_1.\ \exists j_2 \ge k_1.\ \big(\sigma, j_2 \models \psi_2 \wedge \dots \wedge \forall k_{m-2} \le k_{m-1} \le j_{m-1}.\ \forall k \ge k_{m-1}.\ (\sigma, k \models \psi_n)\dots\big)\Big)$$
In particular, choosing $k_0 = k_1 = \dots = k_{m-1}$, we have that $\forall k \ge k_0.\ \sigma, k \models \psi_n$. Since by definition $k_0 = i$, we have that $\forall k \ge i.\ \sigma, k \models \psi_n$, and thus $\sigma, 0 \models X^i\big((\psi_{n-1} \wedge O(\psi_{n-2} \wedge \dots O(\psi_1 \wedge Y^i\top)\dots))\,R\,\psi_n\big)$, the release being universally satisfied.

The remaining case is the one in which all the release operators are existentially satisfied. Suppose that:
$$\exists j_1 \ge k_0.\ \Big(\sigma, j_1 \models \psi_1 \wedge \forall k_0 \le k_1 \le j_1.\ \exists j_2 \ge k_1.\ \big(\sigma, j_2 \models \psi_2 \wedge \dots \wedge \forall k_{n-3} \le k_{n-2} \le j_{n-2}.\ \exists j_{n-1} \ge k_{n-2}.\ (\sigma, j_{n-1} \models \psi_{n-1} \wedge \forall k_{n-2} \le k_n \le j_{n-1}.\ \sigma, k_n \models \psi_n)\dots\big)\Big)$$
where $k_0 = i$. This implies that:
$$\exists j_1 \ge i.\ \Big(\sigma, j_1 \models \psi_1 \wedge \exists j_2 \ge j_1.\ \big(\sigma, j_2 \models \psi_2 \wedge \dots \wedge \exists j_{n-1} \ge j_{n-2}.\ (\sigma, j_{n-1} \models \psi_{n-1} \wedge \forall i \le k \le j_{n-1}.\ \sigma, k \models \psi_n)\dots\big)\Big)$$
This is equivalent to:
$$\exists j_{n-1} \ge i.\ \Big(\sigma, j_{n-1} \models \psi_{n-1} \wedge \exists i \le j_{n-2} \le j_{n-1}.\ \big(\sigma, j_{n-2} \models \psi_{n-2} \wedge \dots \wedge \exists i \le j_1 \le j_2.\ (\sigma, j_1 \models \psi_1)\dots\big) \wedge \forall i \le k \le j_{n-1}.\ \sigma, k \models \psi_n\Big)$$
This in turn is equivalent to:
$$\exists j_{n-1} \ge i.\ \Big(\sigma, j_{n-1} \models \psi_{n-1} \wedge \exists 0 \le j_{n-2} \le j_{n-1}.\ \big(\sigma, j_{n-2} \models \psi_{n-2} \wedge \dots \wedge \exists 0 \le j_1 \le j_2.\ (\sigma, j_1 \models \psi_1 \wedge Y^i\top)\dots\big) \wedge \forall i \le k \le j_{n-1}.\ \sigma, k \models \psi_n\Big)$$
since $Y^i\top$ holds exactly at the positions $\ge i$. This is the definition of the existential semantics of the formula $(\psi_{n-1} \wedge O(\psi_{n-2} \wedge \dots O(\psi_1 \wedge Y^i\top)\dots))\,R\,\psi_n$, starting from position $i$. Therefore, $\sigma, 0 \models X^i\big((\psi_{n-1} \wedge O(\psi_{n-2} \wedge \dots O(\psi_1 \wedge Y^i\top)\dots))\,R\,\psi_n\big)$.

We now prove the right-to-left direction for $R_{flat}$. Suppose that $\sigma, 0 \models X^i\big((\psi_{n-1} \wedge O(\psi_{n-2} \wedge \dots O(\psi_1 \wedge Y^i\top)\dots))\,R\,\psi_n\big)$, that is, $\sigma, i \models (\psi_{n-1} \wedge O(\psi_{n-2} \wedge \dots O(\psi_1 \wedge Y^i\top)\dots))\,R\,\psi_n$. We divide in cases:
1) if $\forall j \ge i.\ \sigma, j \models \psi_n$, then every release operator in $\psi_1\,R\,(\psi_2\,R\,(\dots(\psi_{n-1}\,R\,\psi_n)\dots))$ is universally satisfied at $i$, hence $\sigma, 0 \models X^i(\psi_1\,R\,(\psi_2\,R\,(\dots(\psi_{n-1}\,R\,\psi_n)\dots)))$;
2) otherwise, $\exists j \ge i.\ \big(\sigma, j \models \psi_{n-1} \wedge O(\psi_{n-2} \wedge \dots O(\psi_1 \wedge Y^i\top)\dots) \wedge \forall i \le k \le j.\ \sigma, k \models \psi_n\big)$.
With the former case, we are done.
Instead, the latter is equivalent to:

$\exists j_{n-1} \ge i.\,(\sigma, j_{n-1} \models \psi_{n-1} \wedge \exists\,0 \le j_{n-2} \le j_{n-1}.\,(\sigma, j_{n-2} \models \psi_{n-2} \wedge \cdots \wedge \exists\,0 \le j_1 \le j_2.\,(\sigma, j_1 \models \psi_1 \wedge Y^i\top)\ldots) \wedge \forall\,i \le k \le j_{n-1}.\,\sigma, k \models \psi_n)$

In turn, since $\sigma, j_1 \models Y^i\top$ iff $j_1 \ge i$, this is equivalent to:

$\exists j_{n-1} \ge i.\,(\sigma, j_{n-1} \models \psi_{n-1} \wedge \exists\,i \le j_{n-2} \le j_{n-1}.\,(\sigma, j_{n-2} \models \psi_{n-2} \wedge \cdots \wedge \exists\,i \le j_1 \le j_2.\,(\sigma, j_1 \models \psi_1)\ldots) \wedge \forall\,i \le k \le j_{n-1}.\,\sigma, k \models \psi_n)$

Reordering the existential quantifiers (the constraints $i \le j_1 \le j_2 \le \cdots \le j_{n-1}$ are unchanged), this is equivalent to:

$\exists j_1 \ge i.\,(\sigma, j_1 \models \psi_1 \wedge \exists j_2 \ge j_1.\,(\sigma, j_2 \models \psi_2 \wedge \cdots \wedge \exists j_{n-1} \ge j_{n-2}.\,(\sigma, j_{n-1} \models \psi_{n-1})\ldots) \wedge \forall\,i \le k \le j_{n-1}.\,\sigma, k \models \psi_n)$

which implies that:

$\exists j_1 \ge i.\,(\sigma, j_1 \models \psi_1 \wedge \forall\,i \le k_1 \le j_1.\,\exists j_2 \ge j_1.\,(\sigma, j_2 \models \psi_2 \wedge \cdots \wedge \forall\,k_{n-3} \le k_{n-2} \le j_{n-2}.\,\exists j_{n-1} \ge j_{n-2}.\,(\sigma, j_{n-1} \models \psi_{n-1} \wedge \forall\,k_{n-2} \le k_{n-1} \le j_{n-1}.\,\sigma, k_{n-1} \models \psi_n)\ldots))$

because each witness satisfies $j_t \ge j_{t-1} \ge k_{t-1}$ and $[k_{n-2}, j_{n-1}] \subseteq [i, j_{n-1}]$. This is the definition of the existential semantics of the formula $\psi_1\,R\,(\psi_2\,R\,(\ldots(\psi_{n-1}\,R\,\psi_n)\ldots))$, starting from position $i$. Therefore, $\sigma, 0 \models X^i(\psi_1\,R\,(\psi_2\,R\,(\ldots(\psi_{n-1}\,R\,\psi_n)\ldots)))$. This concludes the proof of Lemma 2.

Lemma 3: Let $\psi_1$, $\psi_2$ and $\psi_3$ be LTL_FP formulas. Let $\phi$ be a formula of type $X^j\psi_2$, $X^j G\psi_2$ or $X^j(\psi_2\,R\,\psi_3)$. For each state sequence $\sigma$ and position $s$, it holds that:
1) $\sigma, s \models G\phi \ \Leftrightarrow\ \sigma, s \models$ resolve_globally$(\phi)$;
2) $\sigma, s \models (X^i\psi_1)\,R\,\phi \ \Leftrightarrow\ \sigma, s \models$ resolve_release$(X^i\psi_1, \phi)$.

Proof: We prove the second point, for the release operator. The subroutine resolve_release divides in cases, depending on the structure of $\phi$:
• if $\phi = X^j\psi_2$ and $i > j$, then resolve_release$(X^i\psi_1, X^j\psi_2) := X^i(\psi_1\,R\,(Y^{i-j}\psi_2))$. By rule R of Lemma 2, we have that $\sigma, s \models (X^i\psi_1)\,R\,\phi \Leftrightarrow \sigma, s \models$ resolve_release$(X^i\psi_1, \phi)$.
• if $\phi = X^j\psi_2$ and $i \le j$, then resolve_release$(X^i\psi_1, X^j\psi_2) := X^j((Y^{j-i}\psi_1)\,R\,\psi_2)$. By rule R of Lemma 2, we have that $\sigma, s \models (X^i\psi_1)\,R\,\phi \Leftrightarrow \sigma, s \models$ resolve_release$(X^i\psi_1, \phi)$.
• if $\phi = X^j(\psi_2\,R\,\psi_3)$ and $i > j$, then resolve_release$(X^i\psi_1, X^j(\psi_2\,R\,\psi_3)) := X^i(\psi_1\,R\,((Y^{i-j}\psi_2)\,R\,(Y^{i-j}\psi_3)))$. By rule R of Lemma 2, we have that $\sigma, s \models (X^i\psi_1)\,R\,\phi \Leftrightarrow \sigma, s \models$ resolve_release$(X^i\psi_1, \phi)$.
• if $\phi = X^j(\psi_2\,R\,\psi_3)$ and $i \le j$, then resolve_release$(X^i\psi_1, X^j(\psi_2\,R\,\psi_3)) := X^j((Y^{j-i}\psi_1)\,R\,(\psi_2\,R\,\psi_3))$. By rule R of Lemma 2, we have that $\sigma, s \models (X^i\psi_1)\,R\,\phi \Leftrightarrow \sigma, s \models$ resolve_release$(X^i\psi_1, \phi)$.
• if $\phi = X^j G\psi_2$ and $i > j$, then resolve_release$(X^i\psi_1, X^j G\psi_2) := X^i G(Y^{i-j}\psi_2)$. By rule R of Lemma 2, we have that $\sigma, s \models (X^i\psi_1)\,R\,\phi \Leftrightarrow \sigma, s \models$ resolve_release$(X^i\psi_1, \phi)$.
• if $\phi = X^j G\psi_2$ and $i \le j$, then resolve_release$(X^i\psi_1, X^j G\psi_2) := X^j G\psi_2$. By rule R of Lemma 2, we have that $\sigma, s \models (X^i\psi_1)\,R\,\phi \Leftrightarrow \sigma, s \models$ resolve_release$(X^i\psi_1, \phi)$.
The case for resolve_globally$(\phi)$ is analogous.

Lemma 4 (Soundness of applyR1R7$(\cdot)$): For any PastLTL_EBR formula $\phi$, for any state sequence $\sigma$ and for any position $s$, it holds that $\sigma, s \models \phi$ iff $\sigma, s \models$ applyR1R7$(\phi)$.

Proof: Consider the pseudo-code of applyR1R7$(\cdot)$ as described in Fig. 19. We prove the claim by induction on the structure of $\phi$.

The base case is when $\phi$ is an LTL_FP formula. In this case the applyR1R7$(\cdot)$ algorithm returns $\phi$ itself, and obviously $\phi$ is strongly equivalent to applyR1R7$(\phi)$.

For the inductive step, we divide in cases. If $\phi := X\phi_1$, then $\sigma, s \models X\phi_1$ iff $\sigma, s+1 \models \phi_1$. By inductive hypothesis $\sigma', s' \models \phi_1$ iff $\sigma', s' \models$ applyR1R7$(\phi_1)$, for all state sequences $\sigma'$ and positions $s'$.
Therefore:

$\sigma, s \models X\phi_1 \ \Leftrightarrow\ \sigma, s+1 \models \phi_1 \ \Leftrightarrow\ \sigma, s+1 \models$ applyR1R7$(\phi_1)$ (by inductive hypothesis) $\ \Leftrightarrow\ \sigma, s \models X($applyR1R7$(\phi_1))$

In general, applyR1R7$(\phi_1)$ is a conjunction of formulas of type $X^j\psi$, $X^j G\psi$, $X^j((X^k\psi_1)\,R\,\psi_2)$, that is applyR1R7$(\phi_1) := \phi_{c_1} \wedge \cdots \wedge \phi_{c_n}$, and thus $\sigma, s \models X\phi_1 \Leftrightarrow \sigma, s \models X(\phi_{c_1} \wedge \cdots \wedge \phi_{c_n})$. Using rule R of Lemma 2, we have that:

$\sigma, s \models X\phi_1 \ \Leftrightarrow\ \sigma, s \models X(\phi_{c_1} \wedge \cdots \wedge \phi_{c_n}) \ \Leftrightarrow\ \sigma, s \models X\phi_{c_1} \wedge \cdots \wedge X\phi_{c_n}$ (by rule R of Lemma 2) $\ \Leftrightarrow\ \sigma, s \models$ applyR1R7$(\phi)$ (by definition of applyR1R7)

that is, $\sigma, s \models \phi \Leftrightarrow \sigma, s \models$ applyR1R7$(\phi)$. This concludes the case $\phi := X\phi_1$.

Consider the case $\phi := (X^i\psi)\,R\,\phi_1$. Since by inductive hypothesis $\sigma', s' \models \phi_1$ iff $\sigma', s' \models$ applyR1R7$(\phi_1)$, for all state sequences $\sigma'$ and positions $s'$, we have that $\sigma, s \models (X^i\psi)\,R\,\phi_1 \Leftrightarrow \sigma, s \models (X^i\psi)\,R\,$applyR1R7$(\phi_1) \Leftrightarrow \sigma, s \models (X^i\psi)\,R\,(\phi_{c_1} \wedge \cdots \wedge \phi_{c_n})$, where each $\phi_{c_t}$, for $1 \le t \le n$, is a formula of type $X^j\psi$, $X^j G\psi$ or $X^j((X^k\psi_1)\,R\,\psi_2)$. By rule R of Lemma 2, we have that:

$\sigma, s \models (X^i\psi)\,R\,\phi_1 \ \Leftrightarrow\ \sigma, s \models (X^i\psi)\,R\,(\phi_{c_1} \wedge \cdots \wedge \phi_{c_n}) \ \Leftrightarrow\ \sigma, s \models ((X^i\psi)\,R\,\phi_{c_1}) \wedge \cdots \wedge ((X^i\psi)\,R\,\phi_{c_n})$

Let $\phi_{r_t} :=$ resolve_release$(X^i\psi, \phi_{c_t})$, for all $1 \le t \le n$. By Lemma 3:

$\sigma, s \models (X^i\psi)\,R\,\phi_1 \ \Leftrightarrow\ \sigma, s \models ((X^i\psi)\,R\,\phi_{c_1}) \wedge \cdots \wedge ((X^i\psi)\,R\,\phi_{c_n}) \ \Leftrightarrow\ \sigma, s \models \phi_{r_1} \wedge \cdots \wedge \phi_{r_n}$ (by Lemma 3) $\ \Leftrightarrow\ \sigma, s \models$ applyR1R7$(\phi)$ (by definition of applyR1R7)

This concludes the case $\phi := (X^i\psi)\,R\,\phi_1$. The case for the globally operator is analogous to the one for release.

Lemma 5 (Soundness of flatten$(\cdot)$): For any PastLTL_EBR formula $\phi$, it holds that $\phi \equiv$ flatten$(\phi)$.

Proof: We prove this lemma by induction on the number of top-level conjunctions and disjunctions of $\phi$. The base case is when there are none. We divide in cases:
• if $\phi := X^i(\psi_1\,R\,(\psi_2\,R\,(\ldots(\psi_{n-1}\,R\,\psi_n)\ldots)))$, then flatten$(\phi) := X^i((\psi_{n-1} \wedge O(\psi_{n-2} \wedge \ldots O(\psi_1 \wedge Y^i\top)\ldots))\,R\,\psi_n)$. By the $R_{flat}$ rule of Lemma 2, $\phi \equiv$ flatten$(\phi)$.
• otherwise, the flatten algorithm falls in the default case. In this case flatten$(\phi) := \phi$, and obviously $\phi \equiv$ flatten$(\phi)$.
For the inductive step, we divide in cases as well.
• if $\phi := \phi_1 \wedge \phi_2$, then by inductive hypothesis $\phi_1 \equiv$ flatten$(\phi_1)$ and $\phi_2 \equiv$ flatten$(\phi_2)$. Thus $\phi \equiv$ flatten$(\phi_1) \wedge$ flatten$(\phi_2)$, that is $\phi \equiv$ flatten$(\phi)$.
• if $\phi := \phi_1 \vee \phi_2$, then by inductive hypothesis $\phi_1 \equiv$ flatten$(\phi_1)$ and $\phi_2 \equiv$ flatten$(\phi_2)$. Thus $\phi \equiv$ flatten$(\phi_1) \vee$ flatten$(\phi_2)$, that is $\phi \equiv$ flatten$(\phi)$.

Lemma 6 (Soundness of canonize$(\cdot)$): For any PastLTL_EBR formula $\phi$, it holds that $\phi$ and canonize$(\phi)$ are equivalent and canonize$(\phi)$ is a canonical PastLTL_EBR formula.

Proof: We define canonize$(\phi)$ as the formula flatten$($applyR1R7$(\phi))$, where applyR1R7 is the algorithm in Fig. 19 and flatten is the algorithm in Fig. 21. By Lemma 4, for each state sequence $\sigma$ and position $s$, we have that $\sigma, s \models \phi$ iff $\sigma, s \models$ applyR1R7$(\phi)$. In particular, for $s = 0$, this means that $\phi \equiv$ applyR1R7$(\phi)$. By Lemma 5, we have that flatten$($applyR1R7$(\phi)) \equiv$ applyR1R7$(\phi)$, and thus $\phi \equiv$ flatten$($applyR1R7$(\phi))$, which by definition is $\phi \equiv$ canonize$(\phi)$.

Finally, it is easy to see that all the rules of Lemma 2, except for the release rule that introduces nested release operators, replace a formula with one in canonical PastLTL_EBR. Thus canonize$(\phi)$ would already be a canonical PastLTL_EBR formula if nested release operators never arose. Since nested release operators are exactly the case solved by the $R_{flat}$ rule, and thus by the flatten algorithm (which produces a formula in canonical form), we have that flatten$($applyR1R7$(\phi))$, which by definition is canonize$(\phi)$, is in canonical PastLTL_EBR.

Proposition 8 (Complexity of canonize$(\cdot)$): For any PastLTL_EBR formula $\phi$, canonize$(\phi)$ can be built in $O(n)$ time, and the size of canonize$(\phi)$ is $O(n)$, where $n = |\phi|$.

Proof: Since canonize$(\phi) :=$ flatten$($applyR1R7$(\phi))$, we study the complexity of both applyR1R7 and flatten.
At each step, applyR1R7$(\phi)$ recurs only on proper subformulas $\phi'$ of $\phi$, with $|\phi'| < |\phi|$, and thus the recursion stops after at most $O(n)$ calls. The same holds for flatten. Moreover, each call of applyR1R7 and of flatten produces a formula whose size exceeds by a constant the size of the formula produced by the recursive call; therefore the recurrence describing the size of the formula produced by canonize$(\phi)$ is:

$S(n) = O(1)$ if $n = 1$, and $S(n) = S(n-1) + O(1)$ otherwise.

Therefore:

$S(n) = S(n-1-i) + (i+1) \cdot O(1) = S(1) + O(n)$ for $i = n-2$,

hence $S(n) \in O(n)$.

Lemma 7: For each canonical PastLTL_EBR formula $\phi$, for each LTL_FP formula $\alpha$ and for each $i \ge 0$, $\sigma(i) \models \alpha$ iff $\tau(i) \models v_\alpha$, where $\tau$ is the trace of $\mathcal{A}(\phi)$ induced by $\sigma$.

Proof: We prove the lemma by induction on the structure of $\alpha$. For the base case, $\sigma(i) \models p$, with $p \in \Sigma$, iff $\tau(i) \models v_p$: since by definition of its monitor $v_p \Leftrightarrow p$, this amounts to $\sigma(i) \models p$ iff $\tau(i) \models p$, which always holds because $\tau$ is induced by $\sigma$.

For the inductive step, consider first $\alpha \vee \beta$. If $\sigma(i) \models \alpha \vee \beta$, then either $\sigma(i) \models \alpha$ or $\sigma(i) \models \beta$; by inductive hypothesis, either $\tau(i) \models v_\alpha$ or $\tau(i) \models v_\beta$; finally, by the definition of the monitor for disjunction, we have that $\tau(i) \models v_{\alpha \vee \beta}$. The opposite direction and the case for $\neg\alpha$ can be proved similarly.

Consider the case for $Y\alpha$. If $\sigma(i) \models Y\alpha$, then $i > 0$ and $\sigma(i-1) \models \alpha$. By inductive hypothesis $\tau(i-1) \models v_\alpha$ and $i > 0$; by definition of the monitor for $Y\alpha$, $\tau(i) \models v_{Y\alpha}$.

Finally, we prove the case for $\alpha\,S\,\beta$. If $\sigma(i) \models \alpha\,S\,\beta$, then either $\sigma(i) \models \beta$ or $\sigma(i) \models \alpha \wedge Y(\alpha\,S\,\beta)$; by inductive hypothesis (on the structure of the formula and on the position $i$), either $\tau(i) \models v_\beta$ or $\tau(i) \models v_\alpha \wedge v_{Y(\alpha S \beta)}$; by definition of the monitor for $\alpha\,S\,\beta$, we have that $\tau(i) \models v_{\alpha S \beta}$. The opposite direction can be proved in the specular way.

Proposition 9: Let $\phi$ be a canonical PastLTL_EBR formula, with $|\phi| = n$. Then, there exists a deterministic SSA of size $O(n)$ that accepts the same language.

Proof: Let $\phi$ be a canonical PastLTL_EBR formula over the alphabet $\Sigma$ and let $\mathcal{A}(\phi) = (X \cup \Sigma, I(X), T(X, \Sigma, X'), S(X))$ be the deterministic symbolic safety automaton defined above.

Soundness. We first prove that $L(\phi) = L(\mathcal{A}(\phi))$. In particular we prove that, for every state sequence $\sigma$, $\sigma \models \phi$ iff $\tau(i) \models S(X)$ for all $i \ge 0$, where $\tau$ is the trace induced by $\sigma$ in $\mathcal{A}(\phi)$. Recall that $S(X) = \phi[\varphi / \neg error_\varphi]$, i.e. $\phi$ with each future-part subformula $\varphi$ replaced by the negation of its error variable. We proceed by induction on the structure of $\phi$.

For the base case we consider $\phi = X^i G\alpha$ where $\alpha \in$ LTL_FP (the cases for $X^i\alpha$ and $X^i(\alpha\,R\,\beta)$ are similar). If $\sigma \models X^i G\alpha$ then $\sigma(i) \models G\alpha$, that is $\sigma(j) \models \alpha$ for all $j \ge i$. By Lemma 7, $\tau(j) \models v_\alpha$ for all $j \ge i$. The following points hold:
1) by the first condition in the monitor for $X^i G\alpha$, we have that $\tau(j) \models \neg error_\phi$ for all $0 \le j < i$;
2) by the previous point and the fact that $\tau(j) \models v_\alpha$ for all $j \ge i$, the second condition of the monitor gives $\tau(j) \models \neg error_\phi$ for all $j \ge i$.
By these two points, it follows that $\tau(j) \models \neg error_\phi$ for all $j \ge 0$. Vice versa, if $\tau(j) \models \neg error_\phi$ for all $j \ge 0$, then by definition of the monitor we have that $\tau(j) \models v_\alpha$ for all $j \ge i$. By Lemma 7, $\sigma(j) \models \alpha$ for all $j \ge i$, that is $\sigma \models X^i G\alpha$.

For the inductive step, consider first $\phi = \phi_1 \wedge \phi_2$. If $\sigma \models \phi$, then $\sigma \models \phi_1$ and $\sigma \models \phi_2$. By inductive hypothesis, $\tau(i) \models \phi_1[\varphi / \neg error_\varphi]$ for all $i \ge 0$ and $\tau(i) \models \phi_2[\varphi / \neg error_\varphi]$ for all $i \ge 0$, that is $\tau(i) \models (\phi_1 \wedge \phi_2)[\varphi / \neg error_\varphi]$ for all $i \ge 0$. The opposite direction can be proved in the same way.

Finally, consider the case $\phi = \phi_1 \vee \phi_2$. If $\sigma \models \phi$, then by inductive hypothesis either $\tau(i) \models \phi_1[\varphi / \neg error_\varphi]$ for all $i \ge 0$ or $\tau(i) \models \phi_2[\varphi / \neg error_\varphi]$ for all $i \ge 0$; thus $\tau(i) \models (\phi_1 \vee \phi_2)[\varphi / \neg error_\varphi]$ for all $i \ge 0$.
For the opposite direction, assume that $\tau(i) \models (\phi_1 \vee \phi_2)[\varphi / \neg error_\varphi]$ for all $i \ge 0$. Since each $error_\varphi$ is monotone (once set to true, it remains true forever), if both disjuncts were falsified at some positions they would both remain false from the later of those positions on; hence either $\tau(i) \models \phi_1[\varphi / \neg error_\varphi]$ for all $i \ge 0$ or $\tau(i) \models \phi_2[\varphi / \neg error_\varphi]$ for all $i \ge 0$. By inductive hypothesis, either $\sigma \models \phi_1$ or $\sigma \models \phi_2$, that is $\sigma \models \phi_1 \vee \phi_2$.

Complexity. Let $n = |\phi|$; it holds that:
• $|X| = |M_P| + |M_F| \in O(n)$, since $|M_P| + |M_F| \le n$;
• $|I(X)|, |T(X, \Sigma, X')| \in O(n)$, since they are both conjunctions of one constraint per variable in $X$;
• $|S(X)| \in O(n)$, since $S(X)$ is obtained from $\phi$ by replacing each subformula in $M_F$ with a variable.
Overall, we have that the size of $\mathcal{A}(\phi)$ is $O(n)$.

Proof of Theorem 1: Let $\phi$ be an LTL_EBR formula of size $n$. By Prop. 3, we can build an equivalent PastLTL_EBR formula $\phi'$ of size $O(n \cdot M^{\log n + 1})$; by Prop. 4, from $\phi'$ we can obtain an equivalent canonical PastLTL_EBR formula $\phi''$ of size linear in $|\phi'|$. Finally, by Prop. 9, the size of the deterministic symbolic safety automaton $\mathcal{A}(\phi'')$ is linear in $|\phi''|$, hence $|\mathcal{A}(\phi'')| \in O(n \cdot M^{\log n + 1})$.

Corollary 2: Let $\phi$ be an LTL_EBR formula with no constants, with $|\phi| = n$. Then, there exists a deterministic SSA of size $O(n)$ that accepts the same language.

Proof: Let $\phi$ be an LTL_EBR formula with no constants; then $M = 1$. By Theorem 1, the size of the deterministic symbolic safety automaton recognizing the language of $\phi$ is $O(n)$.

APPENDIX B
PLOTS

(The plots themselves are not reproduced here; only the figure captions survive.)
Figure 11. ebr-ltl-synth vs ltlsynt (second conf.) on all scalable benchmarks.
Figure 12. ebr-ltl-synth vs Strix (second conf.) on all scalable benchmarks.
Figure 13. ebr-ltl-synth vs ltlsynt (first conf.) on SYNTCOMP benchmarks.
Figure 14. ebr-ltl-synth vs ltlsynt (second conf.) on SYNTCOMP benchmarks.
Figure 15. ebr-ltl-synth vs Strix (first conf.) on SYNTCOMP benchmarks.
Figure 16. ebr-ltl-synth vs Strix (second conf.) on SYNTCOMP benchmarks.
Figure 17. ebr-ltl-synth vs Ssyft on SYNTCOMP benchmarks.

APPENDIX C
PSEUDOCODES

// Input: φ ∈ LTL_EBR, in_future = false
// Output: φ ∈ PastLTL_EBR
toPastLtlEbr(φ, in_future) {
  switch (φ) {
    case p:
      return p
    case ¬φ₁:
    case ψ₁ U[0,k] ψ₂:
      return pastify(φ)
    case φ₁ ∧ φ₂:
      return toPastLtlEbr(φ₁, in_future) ∧ toPastLtlEbr(φ₂, in_future)
    case φ₁ ∨ φ₂:
      if (in_future)
        return pastify(φ)
      else
        return toPastLtlEbr(φ₁, in_future) ∨ toPastLtlEbr(φ₂, in_future)
    case X φ₁:
      switch (φ₁) {
        case φ₂ ∧ φ₃:
        case X φ₂:
        case G φ₂:
        case ψ R φ₂:
          return X(toPastLtlEbr(φ₁, true))
        default:
          return X(pastify(φ₁))
      }
    case G φ₁:
      switch (φ₁) {
        case φ₂ ∧ φ₃:
        case X φ₂:
        case G φ₂:
        case ψ R φ₂:
          return G(toPastLtlEbr(φ₁, true))
        default:
          return G(pastify(φ₁))
      }
    case ψ R φ₁:
      switch (φ₁) {
        case φ₂ ∧ φ₃:
        case X φ₂:
        case G φ₂:
        case ψ′ R φ₂:
          return ψ R (toPastLtlEbr(φ₁, true))
        default:
          return ψ R (pastify(φ₁))
      }
  }
}
Figure 18. The toPastLtlEbr algorithm.

// Input: φ ∈ PastLTL_EBR
// Output: φ ∈ canonical PastLTL_EBR
// Notation: φ, φ₁, …, φ_n ∈ PastLTL_EBR; ψ, ψ₁, ψ₂, ψ₃ ∈ LTL_FP; p ∈ Σ
applyR1R7(φ) {
  switch (φ) {
    // Base case: LTL_FP formulae
    case p:
    case ¬ψ:
    case Y ψ:
    case ψ₁ S ψ₂:
      return φ
    // And / Or operators
    case φ₁ ∧ φ₂:
      return applyR1R7(φ₁) ∧ applyR1R7(φ₂)
    case φ₁ ∨ φ₂:
      return applyR1R7(φ₁) ∨ applyR1R7(φ₂)
    // Next rewriting rules
    case X φ₁:
      φ₁ ← applyR1R7(φ₁)
      switch (φ₁) {
        case φ₂ ∧ ··· ∧ φ_n:          // rule R
          return X φ₂ ∧ ··· ∧ X φ_n
        default:
          return X φ₁
      }
    // Globally rewriting rules
    case G φ₁:
      φ₁ ← applyR1R7(φ₁)
      switch (φ₁) {
        case φ₂ ∧ ··· ∧ φ_n:          // rule R
          φ₂ ← resolve_globally(φ₂)
          ...
          φ_n ← resolve_globally(φ_n)
          return φ₂ ∧ ··· ∧ φ_n
        default:
          return resolve_globally(φ₁)
      }
    // Release rewriting rules
    case (X^i ψ) R φ₁:
      φ₁ ← applyR1R7(φ₁)
      switch (φ₁) {
        case φ₂ ∧ ··· ∧ φ_n:          // rule R
          φ₂ ← resolve_release(X^i ψ, φ₂)
          ...
          φ_n ← resolve_release(X^i ψ, φ_n)
          return φ₂ ∧ ··· ∧ φ_n
        default:
          return resolve_release(X^i ψ, φ₁)
      }
    default:
      unreachable_code()
  }
}
Figure 19. The applyR1R7 algorithm (part I).

resolve_globally(φ) {
  switch (φ) {
    case X^i ψ:                        // rule R (2nd case)
      return X^i G ψ
    case X^i G ψ:                      // rule R
      return X^i G ψ
    case X^i (ψ₁ R ψ₂):                // rule R
      return X^i G ψ₂
    default:
      return G φ
  }
}

resolve_release(X^i ψ, φ) {
  switch (φ) {
    case X^j ψ₁:                       // rule R
      if (i > j) return X^i (ψ R (Y^{i−j} ψ₁))
      else       return X^j ((Y^{j−i} ψ) R ψ₁)
    case X^j G ψ₁:                     // rule R
      if (i > j) return X^i G (Y^{i−j} ψ₁)
      else       return X^j G ψ₁
    case X^j (ψ₁ R ψ₂):                // rule R
      if (i > j) return X^i (ψ R ((Y^{i−j} ψ₁) R (Y^{i−j} ψ₂)))
      else       return X^j ((Y^{j−i} ψ) R (ψ₁ R ψ₂))
    default:
      return (X^i ψ) R φ
  }
}
Figure 20. The applyR1R7 algorithm (part II).

flatten(φ) {
  switch (φ) {
    case φ₁ ∧ φ₂:
      return flatten(φ₁) ∧ flatten(φ₂)
    case φ₁ ∨ φ₂:
      return flatten(φ₁) ∨ flatten(φ₂)
    case X^i (ψ₁ R (ψ₂ R (… (ψ_{n−1} R ψ_n) …))):      // rule R_flat
      return X^i ((ψ_{n−1} ∧ O(ψ_{n−2} ∧ … O(ψ₁ ∧ Y^i ⊤) …)) R ψ_n)
    default:
      return φ
  }
}
Figure 21. The flatten algorithm.
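The canonization procedure of Figures 19–21 carried out in runnable form. This is an added example and not code from the paper or from the ebr-ltl-synth tool: it assumes a nested-tuple encoding of formulas (the encoding and all function names are assumptions of this example), merges consecutive X and Y operators into single X^i / Y^i nodes so that the exponents of the rules can be compared directly, and implements resolve_release, resolve_globally, the X/G/release rewriting cases of applyR1R7 and the R_flat rule of flatten. The first assertion in the usage reproduces the i > j derivation of Lemma 2 followed by flattening; the second the distribution of G over a conjunction.

```python
"""Canonization of PastLTL_EBR formulas, after Figures 19-21 (added example).
Tuple AST (an assumption of this example): ('true',), ('p', name), ('not', f),
('and', f, g), ('or', f, g), ('X', i, f) for X^i f, ('Y', i, f) for Y^i f,
('G', f), ('R', f, g) for f R g, ('O', f) for once, ('S', f, g) for f S g."""

TRUE = ('true',)
FP_OPS = ('true', 'p', 'not', 'and', 'or', 'Y', 'O', 'S')   # operators allowed in LTL_FP

def X(i, f):
    """X^i f, with X^0 f = f and X^i X^k g merged into X^(i+k) g."""
    if i == 0:
        return f
    return ('X', i + f[1], f[2]) if f[0] == 'X' else ('X', i, f)

def Y(i, f):
    """Y^i f, merging nested Yesterdays in the same way."""
    if i == 0:
        return f
    return ('Y', i + f[1], f[2]) if f[0] == 'Y' else ('Y', i, f)

def split_next(f):
    """Return (i, g) with f = X^i g and g not a Next."""
    return (f[1], f[2]) if f[0] == 'X' else (0, f)

def is_fp(f):
    """True iff f is a pure-past (LTL_FP) formula."""
    return f[0] in FP_OPS and all(is_fp(c) for c in f[1:] if isinstance(c, tuple))

def conjuncts(f):
    """Top-level conjuncts of f, left to right."""
    return conjuncts(f[1]) + conjuncts(f[2]) if f[0] == 'and' else [f]

def conj(fs):
    """Left-nested conjunction of a non-empty list of formulas."""
    out = fs[0]
    for g in fs[1:]:
        out = ('and', out, g)
    return out

def resolve_release(i, psi, phi):
    """(X^i psi) R phi, for phi of type X^j psi1, X^j G psi1 or X^j (psi1 R psi2) (Fig. 20)."""
    j, body = split_next(phi)
    if body[0] == 'G':                                    # (X^i psi) R (X^j G psi1)
        return X(i, ('G', Y(i - j, body[1]))) if i > j else X(j, body)
    if body[0] == 'R' and is_fp(body[1]) and is_fp(body[2]):   # (X^i psi) R (X^j (psi1 R psi2))
        if i > j:
            return X(i, ('R', psi, ('R', Y(i - j, body[1]), Y(i - j, body[2]))))
        return X(j, ('R', Y(j - i, psi), body))
    if is_fp(body):                                       # (X^i psi) R (X^j psi1)
        return X(i, ('R', psi, Y(i - j, body))) if i > j else X(j, ('R', Y(j - i, psi), body))
    return ('R', X(i, psi), phi)                          # default case: left unchanged

def resolve_globally(phi):
    """G phi, for phi of type X^j psi, X^j G psi or X^j (psi1 R psi2) (Fig. 20)."""
    j, body = split_next(phi)
    if body[0] == 'G':
        return X(j, body)                                 # G X^j G psi         == X^j G psi
    if body[0] == 'R' and is_fp(body[1]) and is_fp(body[2]):
        return X(j, ('G', body[2]))                       # G X^j (psi1 R psi2) == X^j G psi2
    if is_fp(body):
        return X(j, ('G', body))                          # G X^j psi           == X^j G psi
    return ('G', phi)                                     # default case: left unchanged

def apply_r1r7(f):
    """The rewriting pass of Fig. 19: distribute X, G and release over conjunctions."""
    if is_fp(f):                                          # base case: LTL_FP formula
        return f
    op = f[0]
    if op in ('and', 'or'):
        return (op, apply_r1r7(f[1]), apply_r1r7(f[2]))
    if op == 'X':                                         # X^i (c1 ∧ .. ∧ cn) == X^i c1 ∧ .. ∧ X^i cn
        return conj([X(f[1], c) for c in conjuncts(apply_r1r7(f[2]))])
    if op == 'G':                                         # G (c1 ∧ .. ∧ cn) == G c1 ∧ .. ∧ G cn
        return conj([resolve_globally(c) for c in conjuncts(apply_r1r7(f[1]))])
    if op == 'R':                                         # (X^i psi) R (c1 ∧ .. ∧ cn)
        i, psi = split_next(f[1])
        return conj([resolve_release(i, psi, c) for c in conjuncts(apply_r1r7(f[2]))])
    raise ValueError(f"not a PastLTL_EBR formula: {f!r}")

def flatten(f):
    """Rule R_flat (Fig. 21): X^i (psi1 R (.. (psi_{n-1} R psi_n))) becomes
    X^i ((psi_{n-1} ∧ O(psi_{n-2} ∧ .. O(psi1 ∧ Y^i ⊤))) R psi_n)."""
    if f[0] in ('and', 'or'):
        return (f[0], flatten(f[1]), flatten(f[2]))
    i, body = split_next(f)
    chain = []                                            # psi_1 .. psi_{n-1}
    while body[0] == 'R' and is_fp(body[1]):
        chain.append(body[1])
        body = body[2]
    if len(chain) < 2 or not is_fp(body):
        return f                                          # default case: nothing to flatten
    left = ('and', chain[0], Y(i, TRUE))                  # psi_1 ∧ Y^i ⊤
    for psi in chain[1:]:
        left = ('and', psi, ('O', left))                  # psi_t ∧ O(..)
    return X(i, ('R', left, body))

def canonize(f):
    """canonize(f) = flatten(applyR1R7(f)), as in Lemma 6."""
    return flatten(apply_r1r7(f))

if __name__ == '__main__':
    p, q, r = ('p', 'p'), ('p', 'q'), ('p', 'r')
    print(canonize(('R', X(3, p), X(1, ('R', q, r)))))
```

canonize((X^3 p) R (X^1 (q R r))) returns X^3(((Y^2 q) ∧ O(p ∧ Y^3 ⊤)) R (Y^2 r)): the i > j release rule of Lemma 2 produces the nested release X^3(p R ((Y^2 q) R (Y^2 r))), which R_flat then collapses. canonize(G(X^2 (q R r) ∧ X^1 p)) returns X^2 G r ∧ X^1 G p. As in Figure 20, the default branches of resolve_release and resolve_globally leave their input unchanged; they cover the shapes the rules of Lemma 2 do not apply to.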
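The monitors of Lemma 7 and of the proof of Proposition 9, run step by step over a concrete trace. This is an added example, not code from the paper or from ebr-ltl-synth: the tuple encoding of formulas, the arbiter specification and the two traces are constructed for illustration. Every LTL_FP subformula α gets a state variable v_α updated with the recurrences used in Lemma 7 (v_{Yα} from the previous value of v_α; v_{αSβ} = v_β ∨ (v_α ∧ Y v_{αSβ})), every future part X^i G α gets a monotone error flag that is set at the first position j ≥ i where v_α is false and never reset, and the safety condition S(X) = φ[ϕ / ¬error_ϕ] is evaluated after each step. The direct finite-prefix semantics sat is included as the reference the monitor is checked against.

```python
"""Symbolic safety monitor for canonical PastLTL_EBR formulas (added example).
Formulas are 'and'/'or' combinations of future parts ('XG', i, alpha), i.e. X^i G alpha,
where alpha is an LTL_FP formula over ('p', name), ('not', a), ('and', a, b),
('or', a, b), ('Y', a) and ('S', a, b). The tuple encoding is an assumption of this example."""

def postorder(f, out):
    """Append the distinct subformulas of f to `out`, children before parents."""
    for child in f[1:]:
        if isinstance(child, tuple):
            postorder(child, out)
    if f not in out:
        out.append(f)
    return out

def future_parts(phi):
    """The X^i G alpha subformulas of phi, i.e. the future monitors M_F."""
    if phi[0] == 'XG':
        return [phi]
    return future_parts(phi[1]) + future_parts(phi[2])

def safety_condition(phi, error):
    """S(X) = phi[X^i G alpha / ¬error], evaluated on the current error flags."""
    if phi[0] == 'XG':
        return not error[phi]
    left, right = safety_condition(phi[1], error), safety_condition(phi[2], error)
    return (left and right) if phi[0] == 'and' else (left or right)

def monitor_run(phi, trace):
    """Feed `trace` (a list of sets of true propositions) to the monitor of phi and
    return the value of S(X) after every position. The automaton state is (v, error):
    one v_alpha per LTL_FP subformula (M_P) and one monotone error flag per X^i G alpha (M_F)."""
    xg = future_parts(phi)
    past = []
    for node in xg:
        postorder(node[2], past)                      # evaluation order: children first
    error = {node: False for node in xg}
    v_prev, accepted = {}, []
    for t, state in enumerate(trace):
        v = {}
        for g in past:                                # v_alpha for the current position
            op = g[0]
            if op == 'p':
                v[g] = g[1] in state
            elif op == 'not':
                v[g] = not v[g[1]]
            elif op == 'and':
                v[g] = v[g[1]] and v[g[2]]
            elif op == 'or':
                v[g] = v[g[1]] or v[g[2]]
            elif op == 'Y':                           # Y a: a held at the previous position
                v[g] = t > 0 and v_prev[g[1]]
            elif op == 'S':                           # a S b == b ∨ (a ∧ Y(a S b))
                v[g] = v[g[2]] or (v[g[1]] and t > 0 and v_prev[g])
        for node in xg:                               # error is raised once alpha fails at j >= i
            i, alpha = node[1], node[2]
            if t >= i and not v[alpha]:
                error[node] = True                    # and is never reset (monotone)
        accepted.append(safety_condition(phi, error))
        v_prev = v
    return accepted

def sat(f, trace, j):
    """Direct semantics on the finite prefix, used as the reference for the monitor."""
    op = f[0]
    if op == 'p':
        return f[1] in trace[j]
    if op == 'not':
        return not sat(f[1], trace, j)
    if op == 'and':
        return sat(f[1], trace, j) and sat(f[2], trace, j)
    if op == 'or':
        return sat(f[1], trace, j) or sat(f[2], trace, j)
    if op == 'Y':
        return j > 0 and sat(f[1], trace, j - 1)
    if op == 'S':
        return sat(f[2], trace, j) or (sat(f[1], trace, j) and j > 0 and sat(f, trace, j - 1))
    if op == 'XG':                                    # alpha at every position >= i of the prefix
        return all(sat(f[2], trace, k) for k in range(f[1], len(trace)))
    raise ValueError(f"unknown operator {op!r}")

# Constructed specification: from position 2 on, a grant needs a request in the previous
# step, and from position 1 on, no grant may be issued twice for the same request.
GRANT, REQ = ('p', 'grant'), ('p', 'req')
PHI = ('and',
       ('XG', 2, ('or', ('not', GRANT), ('Y', REQ))),
       ('XG', 1, ('or', ('not', GRANT), ('Y', ('S', ('not', GRANT), REQ)))))
TRACE_OK = [{'req'}, {'grant'}, {'req'}, {'grant'}, set()]     # constructed: accepted
TRACE_BAD = [{'req'}, {'grant'}, set(), {'grant'}, set()]      # constructed: unrequested grant at 3

if __name__ == '__main__':
    print(monitor_run(PHI, TRACE_OK))
    print(monitor_run(PHI, TRACE_BAD))
```

On TRACE_OK the safety condition holds at every position. On TRACE_BAD the grant at position 3 has no request at position 2, so both error flags are raised at that step and, being monotone, stay raised afterwards; this monotonicity is exactly what the disjunction case of Proposition 9 relies on, and the monitor's verdict at the last position agrees with sat on both traces.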