Generalised Rabin(1) synthesis

We present a novel method for the synthesis of finite state systems that is a generalisation of the generalised reactivity(1) synthesis approach by Piterman, Pnueli and Sa'ar. In particular, we describe an efficient method to synthesize systems from …

Authors: Ruediger Ehlers

Generalised Rabin(1) synthesis∗†

Rüdiger Ehlers
Saarland University

October 29, 2018

We present a novel method for the synthesis of finite state systems that is a generalisation of the generalised reactivity(1) synthesis approach by Piterman et al. (2006). In particular, we describe an efficient method to synthesize systems from linear-time temporal logic specifications of the form $(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$ for which each of the assumptions $a_i$ and guarantees $g_i$ has a Rabin index of one. We show how to build a parity game with at most five colours that captures all solutions to the synthesis problem from such a specification. This parity game has a structure that is amenable to symbolic implementations. We furthermore show that the results obtained are in some sense tight, i.e., that there does not exist a similar synthesis method for assumptions and specifications of higher Rabin index, provided that P ≠ NP.

1 Introduction

Synthesis of finite state systems (Kupferman and Vardi, 1999) has been proven to be a valuable concept for the development of open systems that are correct by construction. In contrast to verification, it frees the designer of a computation system from the task to actually build the system in addition to stating its specification. Therefore, this technique can significantly reduce the time for developing a correct system, making it attractive in practice. The first works in this area were concerned with closed synthesis, where everything that can be reasoned about is under the control of the system to be synthesized. More recent works are concerned with open synthesis. Here, there exists some input to the system which is not under its control. This model is more suitable for synthesis of reactive systems, as almost all such systems of practical relevance have some uncontrollable input.
In this context, linear-time temporal logic (LTL, see, e.g., Vardi, 1996) is the predominant specification language used. One drawback of synthesis is that its time complexity for LTL specifications is doubly-exponential in the length of the specification (Pnueli and Rosner, 1989), making the problem intractable in general. One of the reasons for this high complexity is the fact that it is possible to formulate specifications for which the smallest implementation satisfying it is of size doubly-exponential in the length of the specification. More recently, it has been argued that such high size bounds rarely occur for specifications used in practice (Jobstmann and Bloem, 2006; Schewe and Finkbeiner, 2007), so this does not necessarily affect the efficiency of synthesis for practical applications.

∗ This work was supported by the German Research Foundation (DFG) within the program “Performance Guarantees for Computer Systems” and the Transregional Collaborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS).
† This is the second revision of this paper. In comparison to the first version, the main construction in Section 4 has been simplified and some changes in style of writing have been performed.

Apart from approaches for synthesis from arbitrary LTL formulas, there also exist specialised procedures for specifications of certain forms. In particular, it has been observed that many specifications found in practice are of the form $\psi \rightarrow \phi$ for some conjunctions of safety and basic liveness properties $\psi$ and $\phi$. We call $\psi$ the assumption part of such a specification and $\phi$ the guarantee part. A basic liveness property is a conjunct that can be represented by the LTL formula $\mathsf{G}\mathsf{F}\,p$ for some atomic proposition $p$. Piterman et al.
(2006) were able to show that the synthesis problem for such generalised reactivity(1) formulas can be solved in time cubic in the state space of the design. Subsequent works (Bloem et al., 2007b,a) showed that indeed this approach can be used successfully in practice.

Recently, it has been observed (Sohail et al., 2008) that the low complexity of the synthesis problem for generalised reactivity(1) specifications is not surprising as the problem can be reduced to solving a parity game with precisely 3 colours. Furthermore, the state space of this parity game is (almost) the product state space of the deterministic Büchi automata representing the individual conjuncts of the assumption and guarantee parts, making this approach amenable to the symbolic solution of the game, for example using the algorithm by McNaughton/Zielonka (see Grädel et al., 2002 or Schewe, 2008 for comprehensive descriptions) with binary decision diagrams (see, e.g., Baier and Katoen, 2008).

As the set of properties representable by generalised reactivity(1) formulas is still relatively limited (for example, it cannot be specified that the system to be constructed should have some finite initialisation period after which it must output “ready” forever), a natural question to ask is if this approach can be extended in order to include more representable properties without losing the possibility to encode the overall specification of the system as a parity automaton with a constant number of colours.
More precisely, we ask the question what type the assumption and guarantee conjuncts may be of such that we can build a deterministic parity automaton of size polynomial in the product of the automata representing the individual assumptions and guarantees and its induced parity game is won if and only if the overall specification is realisable and the number of colours is constant (and independent of the number of assumption and specification conjuncts).

In this paper, we present an answer to this question. In fact, the constant number of colours can be retained if the assumption and guarantee conjuncts have a Rabin index of 1, leading to five colours in total. We call this approach generalised Rabin(1) synthesis. This result is strict, i.e., for every Rabin index $\geq 2$, a constant number of colours does not suffice (for only a polynomial blow-up in the state space of the automaton), unless P = NP. The added expressivity is shown to be of value for practical cases, making this approach a practically suitable trade-off between the approaches allowing full LTL for the specification and the faster frameworks.

We start by giving the basic definitions in Section 2. Then, we discuss how to convert the individual conjuncts in the specification to Rabin automata with a Rabin index of 1. Section 4 discusses how a parity game that captures the synthesis problem for such specifications can be built. Section 5 then discusses the possibility for similar approaches to specifications with conjuncts of higher Rabin index and contains the corresponding negative result. Section 6 sketches an application domain that benefits from the extended applicability of generalised Rabin(1) synthesis in comparison to generalised reactivity(1) synthesis. Section 7 finally concludes and gives an outlook.

2 Preliminaries

Words, Languages and natural numbers

Let $\Sigma$ be a finite set.
By $\Sigma^*$/$\Sigma^\omega$ we denote the set of all finite/infinite sequences, respectively. Such sequences are also called words over $\Sigma$. Sets of words are also called languages. For the scope of this paper, we denote the set of natural numbers including 0 by $\mathbb{N}_0$. For simplicity, if 0 is excluded, we simply write $\mathbb{N}$. For some sequence $w = w_0 w_1 \ldots$, we denote by $w^j$ the suffix of $w$ starting with the $j$th symbol, i.e., $w^j = w_j w_{j+1} \ldots$ for all $j \in \mathbb{N}_0$.

Mealy automata

Reactive systems are usually described using a finite state machine description. Formally, we define Mealy automata as five-tuples $M = (S, \Sigma_I, \Sigma_O, \delta, s_0)$ where $S$ is some finite set of states, $\Sigma_I$ and $\Sigma_O$ are input/output alphabets, respectively, $s_0 \in S$ is the initial state and $\delta : S \times \Sigma_I \rightarrow S \times \Sigma_O$ is the transition function of $M$. The computation steps of a Mealy automaton are called cycles. For the scope of this paper, we usually set $\Sigma_I = 2^{AP_I}$ and $\Sigma_O = 2^{AP_O}$ for some sets of input/output atomic propositions $AP_I$ and $AP_O$. This is a typical choice in literature on synthesis and verification (Kupferman and Vardi, 1999, 1997; Vardi, 1996; Schewe and Finkbeiner, 2007; Bloem et al., 2009; Filiot et al., 2009) as specification logics such as LTL are usually used to describe behaviour of the system with respect to the individual atomic propositions and Mealy automata implemented in hardware usually have such an input/output structure (in which the individual atomic propositions represent the values of the input/output signals of the system).

The language induced by Mealy automata

Given a Mealy automaton $M = (S, \Sigma_I, \Sigma_O, \delta, s_0)$ and some input word $i = i_0 i_1 \ldots \in \Sigma_I^\omega$, $M$ induces a run $\pi = \pi_0 \pi_1 \ldots$ and some output word $o = o_0 o_1 \ldots$ over $i$ such that $\pi_0 = s_0$ and for all $j \in \mathbb{N}_0$: $\delta(\pi_j, i_j) = (\pi_{j+1}, o_j)$.
Formally, we define the language of $M$, written as $L(M)$, to be the set of words $w = w_0 w_1 \ldots \in \Sigma^\omega$ with $\Sigma = 2^{AP_I \uplus AP_O}$ such that $M$ induces a run $\pi$ over the input word $i = w|_{\Sigma_I} = (w_0 \cap \Sigma_I)(w_1 \cap \Sigma_I) \ldots$ such that $w|_{\Sigma_O} = (w_0 \cap \Sigma_O)(w_1 \cap \Sigma_O) \ldots$ is the output word corresponding to $\pi$.

Linear-time temporal logic

Before a system that is correct with respect to its specification can be synthesized, the specification has to be formally stated. For such a task, linear-time temporal logic (LTL) is a commonly used logic. Syntactically, LTL formulas are defined inductively as follows (over some set of atomic propositions $AP$):

• For all atomic propositions $x \in AP$, $x$ is an LTL formula.
• Let $\phi_1$ and $\phi_2$ be LTL formulas. Then $\neg\phi_1$, $(\phi_1 \vee \phi_2)$, $(\phi_1 \wedge \phi_2)$, $\mathsf{X}\phi_1$, $\mathsf{F}\phi_1$, $\mathsf{G}\phi_1$, and $(\phi_1\,\mathsf{U}\,\phi_2)$ are also valid LTL formulas.

The validity of an LTL formula $\phi$ over $AP$ is defined inductively with respect to an infinite trace $w = w_0 w_1 \ldots \in (2^{AP})^\omega$. Let $\phi_1$ and $\phi_2$ be LTL formulas. We set:

• $w \models p$ if and only if (iff) $p \in w_0$ for $p \in AP$
• $w \models \neg\psi$ iff not $w \models \psi$
• $w \models (\phi_1 \vee \phi_2)$ iff $w \models \phi_1$ or $w \models \phi_2$
• $w \models (\phi_1 \wedge \phi_2)$ iff $w \models \phi_1$ and $w \models \phi_2$
• $w \models \mathsf{X}\phi_1$ iff $w^1 \models \phi_1$
• $w \models \mathsf{G}\phi_1$ iff for all $i \in \mathbb{N}_0$, $w^i \models \phi_1$
• $w \models \mathsf{F}\phi_1$ iff there exists some $i \in \mathbb{N}_0$ such that $w^i \models \phi_1$
• $w \models (\phi_1\,\mathsf{U}\,\phi_2)$ iff there exists some $i \in \mathbb{N}_0$ such that for all $0 \leq j < i$, $w^j \models \phi_1$ and $w^i \models \phi_2$

We use the usual precedence rules for LTL formulas in order to be able to omit unnecessary braces and also allow the abbreviations typically used for Boolean logic, e.g., that $a \rightarrow b$ is equivalent to $\neg a \vee b$ for all formulas $a$, $b$.

As an example, consider the specification $\phi = \mathsf{G}(\mathit{request} \rightarrow \mathit{grant})$ over $AP = \{\mathit{request}, \mathit{grant}\}$.
Intuitively, such a specification would be satisfied by all runs of a Mealy automaton $M = (S, \Sigma_I, \Sigma_O, \delta, s_0)$ with $\Sigma_I = 2^{\{\mathit{request}\}}$ and $\Sigma_O = 2^{\{\mathit{grant}\}}$ if all requests given to $M$ are answered by a grant immediately. In other papers (e.g., Filiot et al., 2009; Jobstmann and Bloem, 2006), in which the order of input and output is inverted, the specification would have to be changed to $\phi = \mathsf{G}(\mathit{request} \rightarrow \mathsf{X}\,\mathit{grant})$ in order to be semantically equivalent to our model here. We however prefer our model as it typically shortens the LTL formulas to be considered in the synthesis procedure.

Labelled parity games

A labelled parity game is a tuple $G = (V_0, V_1, \Sigma_0, \Sigma_1, E_0, E_1, v_0, c)$ with $E_0 : V_0 \times \Sigma_0 \rightarrow V_1$ and $E_1 : V_1 \times \Sigma_1 \rightarrow V_0$. We abbreviate $V = V_0 \uplus V_1$. We only consider finite games here, for which $V_0$, $V_1$, $\Sigma_0$ and $\Sigma_1$ are finite. The initial vertex $v_0$ is always a member of $V_0$. The colouring function $c : V_0 \rightarrow \mathbb{N}_0$ assigns to each vertex in $V_0$ a colour. For the scope of this paper, we only assign colours to vertices of player 0.

A decision sequence in $G$ is a sequence $\rho = \rho^0_0 \rho^1_0 \rho^0_1 \rho^1_1 \ldots$ such that for all $i \in \mathbb{N}_0$, $\rho^0_i \in \Sigma_0$ and $\rho^1_i \in \Sigma_1$. A decision sequence $\rho$ induces an infinite play $\pi = \pi^0_0 \pi^1_0 \pi^0_1 \pi^1_1 \ldots$ if $\pi^0_0 = v_0$ and for all $i \in \mathbb{N}_0$, $p \in \{0, 1\}$, $E_p(\pi^p_i, \rho^p_i) = \pi^{1-p}_{i+p}$.

Given a play $\pi = \pi^0_0 \pi^1_0 \pi^0_1 \pi^1_1 \ldots$, we say that $\pi$ is winning for player 0 if $\max\{c(v) \mid v \in V_0, v \in \inf(\pi^0_0 \pi^0_1 \ldots)\}$ is even for the function $\inf$ mapping a sequence onto the set of elements that appear infinitely often in the sequence. If a play is not winning for player 0, it is winning for player 1.

Given some parity game $G = (V_0, V_1, \Sigma_0, \Sigma_1, E_0, E_1, v_0, \mathcal{F})$, a strategy for player 0 is a function $f : (\Sigma_0 \times \Sigma_1)^* \rightarrow \Sigma_0$.
Likewise, a strategy for player 1 is a function $f : (\Sigma_0 \times \Sigma_1)^* \times \Sigma_0 \rightarrow \Sigma_1$. In both cases, a strategy maps prefix decision sequences to an action to be chosen next. A decision sequence $\rho = \rho^0_0 \rho^1_0 \rho^0_1 \rho^1_1 \ldots$ is said to be in correspondence with $f$ if for every $i \in \mathbb{N}_0$, we have $\rho^p_n = f(\rho^0_0 \rho^1_0 \ldots \rho^{1-p}_{n+p-1})$. A strategy is winning for player $p$ if all plays in the game that are induced by some decision sequence that is in correspondence to $f$ are winning for player $p$. It is a well-known fact that for parity games, there exists a winning strategy for precisely one of the players (see, e.g., Grädel et al., 2002).

We call a state $v \in V_0$ winning for player $p$ if changing the initial state to $v$ makes or leaves the game winning for player $p$. Likewise, a state $v' \in V_1$ is called winning for player $p$ if a modified version of the game, that results from introducing a new initial state with only one transition to $v'$ is (still) winning for player $p$.

If a strategy $f$ for player $p$ is a positional strategy, then $f(\rho^0_0 \rho^1_0 \ldots \rho^p_n) = f'(E_{1-p}(\ldots E_1(E_0(v_0, \rho^0_0), \rho^1_0), \ldots, \rho^{1-p}_{n+p-1}))$ for some function $f' : V_p \rightarrow \Sigma_p$. By abuse of notation, we call both $f'$ and $f$ positional strategies. Note that such a function $f'$ is finitely representable as both domain and co-domain are finite. For parity games, it is known that there exists a winning positional strategy for a player if and only if there exists some winning strategy for the same player.

Note that a translation between this model and an alternative model where the colouring function is defined for both players is easily possible with only a slight alteration of the game structure.
ω-automata

An ω-automaton $A = (Q, \Sigma, q_0, \delta, \mathcal{F})$ is a five-tuple consisting of some finite state set $Q$, some finite alphabet $\Sigma$, some initial state $q_0 \in Q$, some transition function $\delta : Q \times \Sigma \rightarrow 2^Q$ and some acceptance component $\mathcal{F}$ (to be defined later). We say that an automaton is deterministic if for every $q \in Q$ and $x \in \Sigma$, $|\delta(q, x)| \leq 1$.

Given an ω-automaton $A = (Q, \Sigma, q_0, \delta, \mathcal{F})$, we also call $(Q, \Sigma, q_0, \delta)$ the transition structure of $A$. Given an infinite word $w = w_1 w_2 \ldots \in \Sigma^\omega$ and an ω-automaton $A = (Q, \Sigma, q_0, \delta, \mathcal{F})$, we say that some sequence $\pi = \pi_0 \pi_1 \ldots$ is a run for $w$ if $\pi_0 = q_0$ and for all $i \in \{1, 2, \ldots\}$, $\pi_i \in \delta(\pi_{i-1}, w_i)$. We say that $\pi$ is accepting if for $\inf(\pi) = \{q \in Q \mid \exists^\infty j \in \mathbb{N} : \pi_j = q\}$, $\inf(\pi)$ is accepted by $\mathcal{F}$. The acceptance of $\pi$ by $\mathcal{F}$ is defined with respect to the type of $\mathcal{F}$, for which many have been proposed in the literature (Grädel et al., 2002).

• For a safety winning condition, all infinite runs are accepting. In this case, the $\mathcal{F}$-symbol can also be omitted from the automaton definition.
• For a Büchi acceptance condition $\mathcal{F} \subseteq Q$, $\pi$ is accepting if $\inf(\pi) \cap \mathcal{F} \neq \emptyset$. Here, $\mathcal{F}$ is also called the set of accepting states.
• For a co-Büchi acceptance condition $\mathcal{F} \subseteq Q$, $\pi$ is accepting if $\inf(\pi) \cap \mathcal{F} = \emptyset$. Here, $\mathcal{F}$ is also called the set of rejecting states.
• For a generalised Büchi acceptance condition $\mathcal{F} \subseteq 2^Q$, $\pi$ is accepting if for all $F \in \mathcal{F}$, $\inf(\pi) \cap F \neq \emptyset$.
• For a parity acceptance condition, $\mathcal{F} : Q \rightarrow \mathbb{N}_0$ and $\pi$ is accepting in the case that $\max\{\mathcal{F}(v) \mid v \in \inf(\pi)\}$ is even.
• For a Rabin acceptance condition $\mathcal{F} \subseteq 2^Q \times 2^Q$, $\pi$ is accepting if for $\mathcal{F} = \{(F_1, G_1), \ldots, (F_n, G_n)\}$, there exists some $1 \leq i \leq n$ such that $\inf(\pi) \subseteq F_i$ and $\inf(\pi) \cap G_i \neq \emptyset$.
• For a Streett acceptance condition $\mathcal{F} \subseteq 2^Q \times 2^Q$, $\pi$ is accepting if for $\mathcal{F} = \{(F_1, G_1), \ldots, (F_n, G_n)\}$ and for all $1 \leq i \leq n$, we have $\inf(\pi) \not\subseteq F_i$ or $\inf(\pi) \cap G_i = \emptyset$.
• For a Muller acceptance condition $\mathcal{F} \subseteq 2^Q$, $\pi$ is accepting if $\inf(\pi) \in \mathcal{F}$.

The language of $A$ is defined as the set of words for which there exists a run that is accepting with respect to the type of the acceptance condition. We also call automata with a $t$-type acceptance condition $t$-automata (for $t \in \{$safety, Büchi, co-Büchi, generalised Büchi, parity, Rabin, Streett, Muller$\}$). For Rabin automata, $|\mathcal{F}|$ is also called the Rabin index of the automaton. For the scope of this paper and without loss of generality, we assume that all deterministic non-safety automata have no dead-ends, i.e., for all $q \in Q$ and $x \in \Sigma$, we have $|\delta(q, x)| = 1$.

The Rabin hierarchy

It has been proven that the set of languages representable by the following automaton types is the same (see, e.g., Grädel et al., 2002):

• deterministic Muller, non-deterministic Muller
• deterministic Streett, non-deterministic Streett
• deterministic Rabin, non-deterministic Rabin
• deterministic parity, non-deterministic parity
• non-deterministic Büchi

This set is called the ω-regular languages. Given an alphabet $\Sigma$ and some ω-regular language $L \subseteq \Sigma^\omega$, there exists some number $n$ such that some deterministic Rabin automaton with $n$ acceptance pairs accepts $L$ and there does not exist a deterministic Rabin automaton with less than $n$ acceptance pairs that accepts precisely $L$. We call this number $n$ the Rabin index of $L$. It has been proven that the so-called Rabin hierarchy is strict, i.e., for every Rabin index value $n \in \mathbb{N}$, there exists some language with a Rabin index of $n$ (Kaminski, 1985). In this paper, we pay special attention to languages with a Rabin index of 1.
These strictly contain the set of languages representable by safety and deterministic Büchi or co-Büchi automata.

Parity automata and parity games

Given a deterministic parity automaton $A = (Q, \Sigma, q_0, \delta, \mathcal{F})$ with $\Sigma = 2^{(AP_I \uplus AP_O)}$, it is well-known that $A$ can be converted to a parity game $G$ such that $G$ admits a winning strategy for player 1 (the so-called system player) if and only if there exists a Mealy automaton $M$ reading $\Sigma_I = 2^{AP_I}$ and outputting $\Sigma_O = 2^{AP_O}$ such that the language induced by $M$ is a subset of the language of $A$ (see, e.g., Thomas, 2008). Furthermore, from a winning positional strategy in $G$, such a Mealy automaton $M$ can easily be extracted.

3 Obtaining deterministic automata from parts of the specification

Many specifications found in practice are of the form

$$(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g}) \qquad (1)$$

for some set of assumptions $a_1, \ldots, a_{n_a}$ and guarantees $g_1, \ldots, g_{n_g}$ (see, e.g., Piterman et al., 2006; Bloem et al., 2007a,b; Könighofer et al., 2009). Such a specification is typical for a case in which a single component of a bigger system is to be synthesized as some assumptions about the environment (i.e., the behaviour of the other components) can be given and the part to be synthesized in turn has to satisfy some guarantees.

Piterman et al. (2006) presented the generalised reactivity(1) synthesis approach for performing synthesis for specifications of the form stated in Formula 1. Although not explicitly stated (see, e.g., Könighofer et al., 2009), the approach can be used whenever all assumptions and guarantees are representable and given as deterministic Büchi automata. The question of how to obtain these automata from guarantees and assumptions given in some logic like LTL has been left open.
In this section, we address this problem for both the generalised reactivity(1) and the generalised Rabin(1) synthesis approaches, of which the latter will be introduced in the following section. We carefully treat the two cases and point out similarities and differences in the process of obtaining deterministic automata for the two approaches.

In the following, we abbreviate the terms “generalised reactivity(1)” by GR(1) and “generalised Rabin(1)” by GRabin(1).

3.1 The classical construction

The classical way of obtaining a deterministic automaton $A$ from an LTL formula $\psi$ is to perform the following steps:

• Convert $\psi$ to an equivalent non-deterministic Büchi automaton $A'$ (Entry points to the literature are Vardi, 1996 and Gastin and Oddoux, 2001).
• Convert $A'$ to a deterministic Rabin or parity automaton using (something similar to) Safra's construction (Henzinger and Piterman, 2006; Safra, 1989).

As a result, we obtain automata with possibly high Rabin indices. For generalised reactivity(1) synthesis, we need to convert them to deterministic Büchi automata afterwards. For generalised Rabin(1) synthesis, a conversion to deterministic Rabin automata with a single acceptance pair is necessary. Furthermore, whenever this is not possible, the specification has to be discarded as unusable for GR(1)/GRabin(1) synthesis, respectively. So in both cases, additional steps have to be performed.

For the generalised reactivity(1) case, this is simple. As deterministic Rabin automata are Büchi-type (Kupferman et al., 2006), they can easily be converted to Büchi automata whenever possible in polynomial time (Krishnan et al., 1994). Additionally, these Büchi automata can then be minimised (Ehlers, 2010).

For the generalised Rabin case, we can apply some algorithm for obtaining a Rabin automaton with the same language but a minimal Rabin index.
Krishnan et al. (1995) describe a suitable algorithm running in time polynomial in the source automaton size.

3.2 Using a general LTL synthesis procedure

An alternative method for obtaining deterministic Büchi or one-pair Rabin automata equivalent to a given LTL formula $\psi$ has been given by Kupferman and Vardi (2005). Let $\psi$ range over a set of variables $I$. The problem of obtaining an equivalent deterministic Büchi automaton can be solved by reduction to the finite-state system synthesis problem of the specification $\phi = \psi \leftrightarrow (\mathsf{G}\mathsf{F}\,\mathit{out})$ with the input variable set $I$ and the output variable set $\{\mathit{out}\}$. Any finite-state machine satisfying the specification can be converted to a suitable Büchi automaton by duplicating all states, making one copy of each state accepting, and routing the transitions to the respective accepting states if and only if $\mathit{out}$ is set to true. Equivalently, obtaining a one-pair Rabin automaton from a specification $\psi$ over some variable set $I$ can be reduced to finite-state system synthesis with the specification $\phi = \psi \leftrightarrow (\mathsf{F}\mathsf{G}\,\mathit{out}_1 \wedge \mathsf{G}\mathsf{F}\,\mathit{out}_2)$, the input variable set $I$, and the output variable set $\{\mathit{out}_1, \mathit{out}_2\}$. For performing the synthesis step in practice, any of the known algorithms can be used (see, e.g., Kupferman and Vardi, 1999, 2005; Schewe and Finkbeiner, 2007; Henzinger and Piterman, 2006; Vardi, 1996).

4 Performing generalised Rabin(1) synthesis by reduction to parity games

In this section, we present the core construction of the generalised Rabin(1) synthesis approach, i.e., how we transform a specification of the form

$$\psi = (a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$$

for some set of assumptions $a_1, \ldots, a_{n_a}$ and some set of guarantees $g_1, \ldots, g_{n_g}$ given in form of deterministic one-pair Rabin automata to a deterministic parity automaton with at most 5 colours that accepts precisely the words that satisfy $\psi$. The number of states of the generated automaton is polynomial in the product of the state numbers of the individual Rabin automata $a_1, \ldots, a_{n_a}, g_1, \ldots, g_{n_g}$. The generated parity automaton can then be transformed into a parity game (taking into account the partitioning of the atomic propositions into input and output bits) that is winning for player 1 if and only if there exists a Mealy automaton over the given sets of inputs and outputs such that all of its runs satisfy the specification.

Note that by the definition of Rabin acceptance, a word is accepted by a deterministic one-pair Rabin automaton $A = (Q, \Sigma, q_0, \delta, \{(F, G)\})$ if and only if it is accepted by the co-Büchi automaton $A_C = (Q, \Sigma, q_0, \delta, Q \setminus F)$ and the Büchi automaton $A_B = (Q, \Sigma, q_0, \delta, G)$. Therefore, we can decompose a specification of the form stated above into four sets of automata:

• A set $\mathcal{A} = \{A_1, \ldots, A_{n_1}\}$ containing the automata of the assumption conjuncts with Büchi acceptance condition
• A set $\mathcal{B} = \{B_1, \ldots, B_{n_2}\}$ containing the automata of the assumption conjuncts with co-Büchi acceptance condition
• A set $\mathcal{C} = \{C_1, \ldots, C_{n_3}\}$ containing the automata of the guarantee conjuncts with Büchi acceptance condition
• A set $\mathcal{D} = \{D_1, \ldots, D_{n_4}\}$ containing the automata of the guarantee conjuncts with co-Büchi acceptance condition

For improved readability of the following description of the algorithm, by abuse of notation, we introduce $\delta$, $Q$, $q_0$, $\Sigma$, and $\mathcal{F}$ as functions mapping automata onto their components. For example, given some automaton $A = (\tilde{Q}, \tilde{\Sigma}, \tilde{q}_0, \tilde{\delta}, \tilde{\mathcal{F}})$, we have $\delta(A) = \tilde{\delta}$.
We furthermore assume that for all $a, a' \in \mathcal{A} \uplus \mathcal{B} \uplus \mathcal{C} \uplus \mathcal{D}$, $\Sigma(a) = \Sigma(a')$, i.e., all automata share the same alphabet. We construct the parity automaton $A' = (Q', \Sigma', \delta', q'_0, \mathcal{F}')$ as follows:

• $\Sigma'$ is chosen such that for all $a \in \mathcal{A} \uplus \mathcal{B} \uplus \mathcal{C} \uplus \mathcal{D}$: $\Sigma' = \Sigma(a)$
• $Q' = Q(A_1) \times \ldots \times Q(D_{n_4}) \times \{0, 1, \ldots, n_1\} \times \{0, 1, \ldots, n_3\} \times \mathbb{B}$
• For all $q = (q_{A_1}, \ldots, q_{D_{n_4}}, q_W, q_R, q_V) \in Q'$ and $x \in \Sigma$, we define $\delta'(q, x) = (q'_{A_1}, \ldots, q'_{D_{n_4}}, q'_W, q'_R, q'_V)$ such that:
  – For all $1 \leq i \leq n_1$: $\delta(A_i)(q_{A_i}, x) = q'_{A_i}$
  – For all $1 \leq i \leq n_2$: $\delta(B_i)(q_{B_i}, x) = q'_{B_i}$
  – For all $1 \leq i \leq n_3$: $\delta(C_i)(q_{C_i}, x) = q'_{C_i}$
  – For all $1 \leq i \leq n_4$: $\delta(D_i)(q_{D_i}, x) = q'_{D_i}$
  – $q'_W = (q_W + 1) \bmod (n_1 + 1)$ if $q'_{A_{q_W}} \in \mathcal{F}(A_{q_W})$ or $q_W = 0$, otherwise $q'_W = q_W$.
  – $q'_R = (q_R + 1) \bmod (n_3 + 1)$ if $q'_{C_{q_R}} \in \mathcal{F}(C_{q_R})$ or $q_R = 0$, otherwise $q'_R = q_R$.
  – $q'_V = \mathbf{true}$ if and only if (at least) one of the following two conditions hold:
    ∗ $q_W = 0$
    ∗ for all $1 \leq i \leq n_4$, $q'_{D_i} \notin \mathcal{F}(D_i)$ and $q_V = \mathbf{true}$
• For all $q = (q_{A_1}, \ldots, q_{D_{n_4}}, q_W, q_R, q_V) \in Q'$, we have that $\mathcal{F}'$ maps $q$ to the least value $c \in \{0, 1, 2, 3, 4\}$ such that:
  – $c = 4$ if for some $1 \leq i \leq n_2$: $q_{B_i} \in \mathcal{F}(B_i)$
  – $c \geq 3$ if $q_V = \mathbf{true}$ and for some $1 \leq i \leq n_4$, $q_{D_i} \in \mathcal{F}(D_i)$
  – $c \geq 2$ if $q_R = 0$.
  – $c \geq 1$ if $q_W = 0$
• $q'_0 = (q_0(A_1), \ldots, q_0(D_{n_4}), 0, 0, \mathbf{false})$

4.1 Explanation of the construction

In this sub-section, we discuss the construction of the automaton $A' = (Q', \Sigma', \delta', q'_0, \mathcal{F}')$ as described above and give a correctness proof.

The states $q = (q_{A_1}, \ldots, q_{D_{n_4}}, q_W, q_R, q_V) \in Q'$ in the automaton have some components $q_{A_1}, \ldots, q_{D_{n_4}}$ that basically represent the automata of $\mathcal{A} \uplus \mathcal{B} \uplus \mathcal{C} \uplus \mathcal{D}$ running in parallel.
The remaining part of the state tuples corresponds to some additional control structure for checking if the specification $(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$ is satisfied. Note that adding the control structure only results in a polynomial blow-up. The parts of the control structure have the following purposes:

• The counter $q_W$ keeps track of the Büchi assumption for which an accepting state is to be visited next. The construction of this part of the parity game is essentially the same as for de-generalising generalised Büchi automata (see, e.g., Thomas, 1994, Lemma 1.2).
• The counter $q_R$ does the same for the guarantees.
• The bit $q_V$ tracks if recently accepting states for all automata in $\mathcal{A}$ have been visited.

These counters and bits suffice for assigning colours to the states in $A'$ such that the highest number occurring infinitely often along a run is even if and only if the corresponding word satisfies $(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$. Understanding the idea behind the construction is most simple by considering the five reasons for rejecting/accepting a word individually:

1. A word should be accepted by $A'$ if it is not accepted by some automaton $b \in \mathcal{B}$ (violation of a co-Büchi assumption).
2. A word should be accepted by $A'$ if it is not accepted by some automaton $a \in \mathcal{A}$ (violation of a Büchi assumption).
3. If the assumptions are satisfied, a word should be rejected if it is not accepted by some automaton $d \in \mathcal{D}$ (violation of a co-Büchi guarantee).
4. If the assumptions are satisfied, a word should be rejected if it is not accepted by some automaton $c \in \mathcal{C}$ (violation of a Büchi guarantee).
5. In the remaining cases (i.e., all the assumptions and guarantees are satisfied), a word should be accepted.
It is clear from the definition of the specification that an automaton satisfying these constraints is suitable for the synthesis task. The automaton $A'$ fulfils these criteria, as the following lines of thought show:

1. Assume that some automaton $b \in \mathcal{B}$ does not accept the input/output word. In this case, rejecting states of $b$ are visited infinitely often, resulting in the colour 4 occurring infinitely often along the run. As this is the highest possible colour, the word is accepted.
2. Assume that some automaton $a \in \mathcal{A}$ does not accept the input/output word. Without loss of generality, we can assume that all automata in $\mathcal{B}$ accept the word, as otherwise the previous item already covers this case. So, colour 4 is not visited infinitely often. Since some automaton $a \in \mathcal{A}$ does not accept the input/output word, the counter $q_W$ stalls at some point as it cycles through all automata of $\mathcal{A}$, waiting for visits to their respective accepting states. Consequently, the value of $q_V$ can only be set from false to true finitely often. As every occurrence of colour 3 resets $q_V$ to false after $q_W$ has stalled and requires $q_V$ to be equal to true beforehand, states with colour 3 can only be visited finitely often. Finally, colour 1 cannot be visited infinitely often as the counter $q_W$ eventually stalls. Thus, only the colours 2 or 0 can be visited infinitely often, leading to acceptance of the word.
3. Assume that the assumptions are satisfied, but some co-Büchi-automaton $d \in \mathcal{D}$ of the guarantee part of the specification does not accept the input word. In this case, as the Büchi assumptions are fulfilled, $q_W$ is set to 0 infinitely often and thus $q_V$ will be equal to true infinitely often. As for some $c \in \mathcal{C}$, its rejecting state is visited infinitely often, and $q_V$ stays equal to true until a state with colour 3 has been visited, this implies that colour 3 occurs infinitely often.
As colour 4 do es not o ccur infi nitely often (the co-B ¨ uc hi assu mptions are f u lfilled), the input/output w ord is rejected. 4. Assume that th e assump tions are satisfied, but some B ¨ uc hi-automaton c ∈ C of the guaran tee part of the sp ecification d o es not accept the input w ord. In th is case, at some p oin t during the r u n, th e q R -part of the states o ccur ring stalls at a n um b er 6 = 0, i.e., the count er will not b e increased or reset an y longer, leading to only finitely many visits to co lour 2. Since the co-B¨ uc hi assump tions and guarante es are s atisfied, states with the colour 4 are only visited fin itely often (see ab ov e). W e can also assume that th e co-B¨ uc hi guaran tees are fulfilled as otherw ise the previous item co ve rs this case, so states with colour 3 are visited only finitely often. Th us, as the B ¨ uc h i assu mptions hold, the counter q W is reset infinitely often and colour 1 is the highest one o ccurring infinitely often, the wo rd is rejected. 5. Assume that all guarantee s and assump tions are satisfied. In this case, from some p oint onw ards, colour 3 and 4 are nev er visited (as the co-B¨ uc hi assumptions and guarantee s are fulfilled). Th e coun ter q R is ho w ev er reset to 0 infinitely often (as the B ¨ uc hi gu arantees are fulfilled), wh ich leads to infinitely man y occurr ences of colo ur 2, r esulting in acc eptance. By taking these facts toge ther, we obtain the follo wing result: Theorem 1. The p arity automato n given ab ove ac c epts pr e cisely the wor ds w ∈ Σ ω that satisfy the over al l sp e cific ation, i.e., either ther e e xi sts some automaton in A ⊎ B that r eje cts w or al l automata in C ⊎ D ac c ept w . 5 On extending the app roach to gener alised Rabi n( k )-sp ecifications with k > 1 The construction given in the previous section do es only work for sp ecifications with assumptions and guaran tees ha ving Rabin in dices of one. 
A natural question to ask is: Do es a sim ilar construction also exist for guaran tees and assumptions whose Rabin indices are greater th an one? In th is section, w e sh o w that this is not the case . I n p articular, we prov e the follo wing theorem: Theorem 2. F or al l k > 1 and c ∈ N , the fol lowing holds: In p olynomial time, it is not p ossible to c ompute a c ontr ol structur e of size p olynomial in n a + n g for r e ducing the synthesis pr oblem for sp e cific ations of the form ( a 1 ∧ a 2 ∧ . . . ∧ a n a ) → ( g 1 ∧ g 2 ∧ . . . ∧ g n g ) 10 with al l assumptions a 1 , a 2 , . . . , a n a and guar ante es g 1 , g 2 , . . . , g n g given as R abin automata of index at most k to the non-emptiness pr oblem of a p arity automaton with c c olours such that its tr ansition structur e is the p ar al lel c omp osition of the tr ansition structur es of the R abin automata and the c ontr ol structur e (unless P = N P). Th us, the approac h p resen ted in this pap er is in some sense as far as we can get without losing its go o d p rop erties. These are: • the fact that the transition structur e of A ′ is the p arallel comp osition of th e tr ansition structures of the automata f or the ind ividual assu m ptions and guarantee s and some con trol str ucture – this allo ws the efficient representa tion of the transition fun ction in a sym b olic wa y (e.g., by u sing binary decisio n diagrams, see, e.g., Drec hsler and S ieling, 2001); • the co nstant num b ers of colo urs. In th e remainder of this section, we show why Theorem 2 holds. F or this, we use a theorem pro v en by Chatterjee et al. (2007). Let ( ⊗ , k , [ n ]) r epresen t th e set of g ener alise d p arity games with an acceptance condition t yp e ⊗ ∈ {∨ , ∧} and a n umb er k ∈ N of colouring functions, w ith eac h colouring function ha ving a co-domain of { 0 , . . . , n } . Like wise, [ n ] + represent s colouring fun ctions h a v in g a co-domain of { 1 , . . . , n } . 
A play in a generalised parity game with ⊗ = ∨ / ⊗ = ∧ is accepting for pla yer zero if for an y/all of the colo uring functions, th e h ighest colour occurr in g infinitely often is ev en , r esp ectiv ely . Theorem 3 (Ch atterjee et al., 2007, pp. 159) . Given a game gr aph G , for obje ctives Ψ in ( ∨ , k, [3] + ) and Φ in ( ∧ , k , [2]) , and a vertex v in G : • che cking whether v is a vertex winning for player 1 for Ψ is NP-har d; • che cking whether v is a vertex winning for player 0 for Φ is c o-NP- har d. W e are no w ready to p ro v e Theorem 2. Pr o of. Ass u me that Th eorem 2 do es not h old and that we ha ve a sp ecification of th e form g 1 ∧ . . . ∧ g n g suc h that all Rabin automata for g 1 , . . . , g n g ha v e the same transition structure. Sin ce we assume that the parity automaton is the p arallel comp osition of th e transition structures of g 1 , . . . , g n g and some p olynomial con trol structur e, w e obtai n some parit y automaton with a size p olynomial in n g and th e n umber of states in the automato n of g 1 with a constant num b er of colours. Emptiness of suc h an automaton ca n consequen tly b e d ecided in time p olynomial in the size of the automat on of g 1 . This is ho w ev er a con tr adiction to T heorem 3. T o see th is, note that Rabin automata w ith index 1 are essential ly parit y automata with a parit y fu n ction with co-domain { 1 , 2 , 3 } . L ik ewise, a Str eett automaton with a single acceptance pair is essen tially a parity automaton with a parity fu n ction with co-domain { 0 , 1 , 2 } . All suc h Streett automata hav e a Rabin index of at most 2. Assume that we ha ve n g Streett automata with s ingle acceptance pairs give n as sp ecification. If they all share th e s ame transition function, w e only hav e to consider it once in the combined parity game. This essen tially leads to a game of size p olynomial in n g and the size of th e tr an s ition structure of the Str eett automata. 
Since solving this game can b e done in p olynomial time and the result is alw a ys a correct answe r to the problem p osed in Theorem 3, this w ould imply co-NP=P as w ell as NP=P . So, pr o vid ed that NP 6 =P , the only wa y to ha v e a similar construction with a constan t n umb er of colours w ould b e to ha v e an appr oac h that do es not allo w the tec hnical tric k to join equ iv alen t transition structures of the ind ividual automata, whic h would b e a strong in dicator for un suitabilit y for sy mb olic implemen tations, essen tially ruling out its u sage for syn thesis. 11 6 On applicati o n domai ns fo r the techniques describ ed here F rom a theoretical p ersp ectiv e, ge neralised Rabin(1) syn thesis is a strict generalisat ion of generalised reactivit y(1) synthesis and exte nds its scop e by allo win g co-B¨ uc hi assumptions and guaran tees. F rom a practical p ersp ectiv e, the qu estion if the added expressivit y in comparison to the approac h b y P iterman et al. (2006) is of p ractical v alue is natural to ask. Indeed, the b enefit of the added p ossibilit y to wo rk with co-B ¨ uc h i guaran tees and assu mptions is not ob vious. T o shed ligh t on this issue, we ment ion t wo p ossible app lication areas her e: • During the initialisatio n p hase of a larger system implemente d in hard w are, the status of the system can b e partly unsp ecified. In suc h a case, some comp onen ts of s uc h a system can deviate from their regular b eha viour. Co-B ¨ uc hi assumptions can b e u sed to mo d el th e fact that at some p oint in time, suc h an initialisa tion phase is o v er. Add itionally , co-B¨ uc hi guarant ees can b e used to allo w deviations in the b eh a viour of a comp onent of a larger system to b e synthesize d for a limited p erio d of time (i.e., during the comp onen t’s o wn initialisat ion ph ase). • Blo em et al. (2009) discussed the b en efit of adding robustness criteria to the syn thesis pro cess. 
In this setting, a pr o cess to b e synthesize d is exp ected to d egrade gracefully on the violation of the assumptions used dur in g synthesis. F or examp le, consider a t wo-process m utex that is required to grant all requests in th e s ame computation cycle. F ormally , suc h a system h as inpu ts AP I = { r 1 , r 2 } and outp u ts AP O = { g 1 , g 2 } . Cons ider the sp ecification G ( ¬ r 1 ∨ ¬ r 2 ) → G ( r 1 → g 1 ∧ r 2 → g 2 ). It only constrains the b eha viour of the system if the t wo pr o cesses n ev er request a grant at the same time. In case of a violation of this constrain t, ho we ve r, no restriction on the b ehavio ur of the mutex is made. Blo em et al. (2009) argue that in p ractice, most systems are somewh at r ob u st against su c h assu m ption violations. F or example, the comp onen t to b e syn thesized could con tin ue to resp ond to requests in the correct wa y after a violation of th e assumption, i.e., whenever only one request is given at the same time, the resp ectiv e gran t is giv en. F or the qualitative version of robust syn thesis, co-B ¨ uc hi sp ecifications are a natural w ay to express suc h degradable parts of the assumption or gu arantee. F or example, a finite-state system satisfying F G ( ¬ r 1 ∨ ¬ r 2 ) → F G ( r 1 → g 1 ∧ r 2 → g 2 ) ∧ G ( ¬ g 1 ∧ ¬ g 2 ) can on ly violate the resp onsiveness guaran tee infinitely often if the assump tion ¬ r 1 ∨ ¬ r 2 is violated infinitely often. Since it only has a finite num b er of states, it is th u s forced to return to n ormal beh aviour after a limited amoun t of time after some compu tation cycle in which ¬ r 1 ∨ ¬ r 2 is violat ed, w hic h mak es it a v alid s olution. Bloem et al. (200 9 ) present ed algorithmic solutions for th e robust syn thesis problem for safet y sp ecifications. They lea v e an extension of their tec hniqu es to the liv en ess case as an op en pr oblem. 
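The difference between the two mutex specifications can be checked on ultimately periodic words. The following is an added example, not code from the paper: it evaluates the strict specification and the co-Büchi implication of the robust one (the final $G(\ldots)$ conjunct is left out), and the two controllers, the sample input and the reading of $r_1 \rightarrow g_1 \wedge r_2 \rightarrow g_2$ as $(r_1 \rightarrow g_1) \wedge (r_2 \rightarrow g_2)$ are assumptions.

```python
from itertools import chain

# A word is prefix . loop^omega; each letter maps r1, r2, g1, g2 to booleans.
def G(pred, prefix, loop):
    """G pred: pred holds at every position of the word."""
    return all(pred(x) for x in chain(prefix, loop))

def FG(pred, prefix, loop):
    """F G pred: pred holds from some point on, i.e. on the whole loop."""
    return all(pred(x) for x in loop)

def assumption(x):   # not r1 or not r2
    return not (x["r1"] and x["r2"])

def response(x):     # (r1 -> g1) and (r2 -> g2): the reading assumed here
    return (not x["r1"] or x["g1"]) and (not x["r2"] or x["g2"])

def strict_spec(prefix, loop):   # G(assumption) -> G(response)
    return not G(assumption, prefix, loop) or G(response, prefix, loop)

def robust_spec(prefix, loop):   # FG(assumption) -> FG(response)
    return not FG(assumption, prefix, loop) or FG(response, prefix, loop)

def run(step, state, in_prefix, in_loop):
    """Drive a finite-state controller with an input lasso; return the output lasso."""
    letters, seen, i, n = [], {}, 0, len(in_prefix)
    while True:
        k = None if i < n else (i - n) % len(in_loop)
        if k is not None:
            if (k, state) in seen:      # same loop position and state: cycle closed
                start = seen[(k, state)]
                return letters[:start], letters[start:]
            seen[(k, state)] = i
        inp = in_prefix[i] if k is None else in_loop[k]
        state, out = step(state, inp)
        letters.append({**inp, **out})
        i += 1

def fragile(state, inp):
    """Hypothetical controller that stops granting after the first collision."""
    if state == "dead" or (inp["r1"] and inp["r2"]):
        return "dead", {"g1": False, "g2": False}
    return "ok", {"g1": inp["r1"], "g2": inp["r2"]}

def recovering(state, inp):
    """Hypothetical controller that refuses collisions but serves single requests."""
    if inp["r1"] and inp["r2"]:
        return "ok", {"g1": False, "g2": False}
    return "ok", {"g1": inp["r1"], "g2": inp["r2"]}

def req(r1, r2): return {"r1": r1, "r2": r2}

# Constructed input: one collision, then alternating single requests forever.
ONE_COLLISION = ([req(True, True)], [req(True, False), req(False, True)])

if __name__ == "__main__":
    for ctrl in (fragile, recovering):
        word = run(ctrl, "ok", *ONE_COLLISION)
        print(ctrl.__name__, strict_spec(*word), robust_spec(*word))
```

Both controllers pass the strict specification because the single collision voids its assumption; only the co-Büchi form rejects the controller that never recovers.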
As with generalised Rabin(1) synthesis, we are able to handle such specifications, the technique presented here is a suitable solution to this open problem.

7 Conclusion

In this paper, we have presented generalised Rabin(1) synthesis as a strict generalisation of generalised reactivity(1) synthesis and showed that it shares its good algorithmic properties. This increases the practical applicability of the approach and is thus a big step forwards towards synthesis from large specifications. We also showed that the concept cannot be extended further without losing its good algorithmic properties.

References

Baier, C. and Katoen, J.-P. (2008). Principles of Model Checking. MIT Press.

Biere, A. and Pixley, C., editors (2009). Proceedings of 9th International Conference on Formal Methods in Computer-Aided Design, FMCAD 2009, 15-18 November 2009, Austin, Texas, USA. IEEE.

Bloem, R., Galler, S., Jobstmann, B., Piterman, N., Pnueli, A., and Weiglhofer, M. (2007a). Interactive presentation: Automatic hardware synthesis from specifications: A case study. In Lauwereins, R. and Madsen, J., editors, Proc. DATE, pages 1188–1193. ACM.

Bloem, R., Galler, S., Jobstmann, B., Piterman, N., Pnueli, A., and Weiglhofer, M. (2007b). Specify, compile, run: Hardware from PSL. Electr. Notes Theor. Comput. Sci., 190(4):3–16.

Bloem, R., Greimel, K., Henzinger, T. A., and Jobstmann, B. (2009). Synthesizing robust systems. In Biere and Pixley (2009), pages 85–92.

Chatterjee, K., Henzinger, T. A., and Piterman, N. (2007). Generalized parity games. In Seidl, H., editor, FoSSaCS, volume 4423 of Lecture Notes in Computer Science, pages 153–167. Springer.

Drechsler, R. and Sieling, D. (2001). Binary decision diagrams in theory and practice. STTT, 3(2):112–136.

Ehlers, R. (2010). Minimising deterministic Büchi automata precisely using SAT solving. In Strichman, O. and Szeider, S., editors, SAT, volume 6175 of Lecture Notes in Computer Science, pages 326–332. Springer-Verlag.

Filiot, E., Jin, N., and Raskin, J.-F. (2009). An antichain algorithm for LTL realizability. In Bouajjani, A. and Maler, O., editors, CAV, volume 5643 of Lecture Notes in Computer Science, pages 263–277. Springer.

Gastin, P. and Oddoux, D. (2001). Fast LTL to Büchi automata translation. In Berry, G., Comon, H., and Finkel, A., editors, CAV, volume 2102 of Lecture Notes in Computer Science, pages 53–65. Springer.

Grädel, E., Thomas, W., and Wilke, T., editors (2002). Automata, Logics, and Infinite Games: A Guide to Current Research, volume 2500 of Lecture Notes in Computer Science. Springer.

Henzinger, T. A. and Piterman, N. (2006). Solving games without determinization. In Ésik, Z., editor, CSL, volume 4207 of Lecture Notes in Computer Science, pages 395–410. Springer.

Jobstmann, B. and Bloem, R. (2006). Optimizations for LTL synthesis. In FMCAD, pages 117–124. IEEE Computer Society.

Kaminski, M. (1985). A classification of omega-regular languages. Theor. Comput. Sci., 36:217–229.

Könighofer, R., Hofferek, G., and Bloem, R. (2009). Debugging formal specifications using simple counterstrategies. In Biere and Pixley (2009), pages 152–159.

Krishnan, S. C., Puri, A., and Brayton, R. K. (1994). Deterministic ω-automata vis-a-vis deterministic Buchi automata. In Du, D.-Z. and Zhang, X.-S., editors, ISAAC, volume 834 of Lecture Notes in Computer Science, pages 378–386. Springer.

Krishnan, S. C., Puri, A., Brayton, R. K., and Varaiya, P. (1995). The Rabin index and chain automata, with applications to automatas and games. In Wolper, P., editor, CAV, volume 939 of Lecture Notes in Computer Science, pages 253–266. Springer.

Kupferman, O., Morgenstern, G., and Murano, A. (2006). Typeness for omega-regular automata. Int. J. Found. Comput. Sci., 17(4):869–884.

Kupferman, O. and Vardi, M. Y. (1997). Synthesis with incomplete information. In ICTL.

Kupferman, O. and Vardi, M. Y. (1999). Church's problem revisited. Bulletin of Symbolic Logic, 5(2):245–263.

Kupferman, O. and Vardi, M. Y. (2005). Safraless decision procedures. In FOCS, pages 531–542. IEEE.

Piterman, N., Pnueli, A., and Sa'ar, Y. (2006). Synthesis of reactive(1) designs. In Emerson, E. A. and Namjoshi, K. S., editors, VMCAI, volume 3855 of Lecture Notes in Computer Science, pages 364–380. Springer.

Pnueli, A. and Rosner, R. (1989). On the synthesis of an asynchronous reactive module. In Ausiello, G., Dezani-Ciancaglini, M., and Rocca, S. R. D., editors, ICALP, volume 372 of Lecture Notes in Computer Science, pages 652–671. Springer.

Safra, S. (1989). Complexity of Automata on Infinite Objects. PhD thesis, Weizmann Institute of Science, Rehovot, Israel.

Schewe, S. (2008). Synthesis of Distributed Systems. PhD thesis, Saarland University.

Schewe, S. and Finkbeiner, B. (2007). Bounded synthesis. In Namjoshi, K. S., Yoneda, T., Higashino, T., and Okamura, Y., editors, ATVA, volume 4762 of Lecture Notes in Computer Science, pages 474–488. Springer.

Sohail, S., Somenzi, F., and Ravi, K. (2008). A hybrid algorithm for LTL games. In Logozzo, F., Peled, D., and Zuck, L. D., editors, VMCAI, volume 4905 of Lecture Notes in Computer Science, pages 309–323. Springer.

Thomas, W. (1994). Handbook of Theoretical Computer Science – Vol. B: Formal Models and Semantics, chapter Automata on Infinite Objects, pages 133–191. MIT Press.

Thomas, W. (2008). Church's problem and a tour through automata theory. In Avron, A., Dershowitz, N., and Rabinovich, A., editors, Pillars of Computer Science, volume 4800 of Lecture Notes in Computer Science, pages 635–655. Springer.

Vardi, M. Y. (1996). An automata-theoretic approach to linear temporal logic. In Proceedings of the VIII Banff Higher order workshop conference on Logics for concurrency : structure versus automata, pages 238–266, Secaucus, NJ, USA. Springer-Verlag New York, Inc.
