From LTL to deterministic automata

Abstract

We present a new algorithm to construct a (generalized) deterministic Rabin automaton for an LTL formula \(\varphi \). The automaton is the product of a co-Büchi automaton for \(\varphi \) and an array of Rabin automata, one for each \({\mathbf {G}}\)-subformula of \(\varphi \). The Rabin automaton for \({\mathbf {G}}\psi \) is in charge of recognizing whether \({\mathbf {F}}{\mathbf {G}}\psi \) holds. This information is passed to the co-Büchi automaton that decides on acceptance. As opposed to standard procedures based on Safra’s determinization, the states of all our automata have a clear logical structure, which allows for various optimizations. Experimental results show improvement in the sizes of the resulting automata compared to existing methods.

Appendix: Technical proofs

Lemma

1 For every formula \(\varphi \) and every finite word \(w \in (2^{Ap})^*\):

1. (1)

   \({ af}(\varphi , w)\) is a boolean combination of proper subformulae of \(\varphi \).

2. (2)

   If \({ af}(\varphi , w) = {\mathbf {tt}}\), then \({ af}(\varphi , ww') = {\mathbf {tt}}\) for every \(w' \in (2^{Ap})^*\), and analogously for \({\mathbf {ff}}\).

3. (3)

   If \(\varphi _1 \equiv _P \varphi _2\), then \({ af}(\varphi _1, w) \equiv _P { af}(\varphi _2, w)\).

4. (4)

   If \(\varphi \) has n proper subformulae, then the set of formulae reachable from \(\varphi \) has at most \(2^{2^n}\) equivalence classes of formulae with respect to propositional equivalence.

Proof

1. (1)

   By structural induction on \(\varphi \).

2. (2)

   Follows immediately from \({ af}({\mathbf {tt}},\nu ) = {\mathbf {tt}}\) and \({ af}({\mathbf {ff}},\nu ) = {\mathbf {ff}}\).

3. (3)

   By (1) every formula \(\varphi \) is a positive boolean combination of proper formulae. Since \({ af}\) distributes over \(\wedge \) and \(\vee \), the formula \({ af}(\varphi , \nu )\) is obtained by applying a simultaneous substitution to the proper formulae. (For example, a proper formula \({\mathbf {G}}\psi \) is substituted by \({ af}(\psi ,\nu ) \wedge {\mathbf {G}}\psi \).) Let \(\varphi [S]\) be the result of the substitution. Consider two equivalent formulae \(\varphi _1 \equiv _P \varphi _2\). Since we apply the same substitution to both sides, the substitution lemma of propositional logic guarantees \(\varphi _1[S] \equiv _P \varphi _2[S]\). So \({ af}(\varphi _1, \nu ) \equiv _P { af}(\varphi _2, \nu )\) for a letter \(\nu \). The general case \({ af}(\varphi _1, w) \equiv _P { af}(\varphi _2, w)\) follows by induction on the length of w.

4. (4)

   Follows from (1) and the fact that there are \(2^{2^n}\) equivalence classes of boolean formulae with n variables.

\(\square \)

Proposition

2 Let \(\varphi \) be a formula, and let \(ww' \in (2^{Ap})^\omega \) be an arbitrary word. Then \(ww' \models \varphi \) iff \(w' \models { af}(\varphi ,w)\).

Proof

First we prove the property when w is a single letter \(\nu \):

$$\begin{aligned} \nu w' \models \varphi \quad \text { if{}f } \quad w' \models { af}(\varphi , \nu ) \end{aligned}$$

(2)

We prove (2) by structural induction on \(\varphi \). We only consider two representative cases.

• \(\varphi = a\). Then

  $$\begin{aligned} \begin{array}{ll} &{} \nu w' \models a \\ \text{ hence } &{} a \in \nu \\ \text{ hence } &{} { af}(a, \nu ) = {\mathbf {tt}}\\ \text{ hence } &{} w' \models { af}(a, \nu ) \\ \end{array} \quad \begin{array}{llr} &{} \nu w' \not \models a \\ \text{ hence } &{} a \notin \nu &{} \text {(semantics of LTL)} \\ \text{ hence } &{} { af}(a, \nu ) = {\mathbf {ff}}&{} \text {(def. of }{ af}) \\ \text{ hence } &{} w' \not \models { af}(a, \nu ) \\ \end{array} \end{aligned}$$

• \(\varphi = {\mathbf {F}}\varphi '\). Then

  $$\begin{aligned} \begin{array}{llr} &{} \nu w' \models {\mathbf {F}}\varphi ' \\ \text{ iff } &{} \nu w' \models ({\mathbf {X}}{\mathbf {F}}\varphi ') \vee \varphi ' &{} ({\mathbf {F}}\varphi ' \equiv {\mathbf {X}}{\mathbf {F}}\varphi ' \vee \varphi ')\\ \text{ iff } &{} \big (w' \models {\mathbf {F}}\varphi '\big ) \vee \big (\nu w' \models \varphi '\big ) &{} \text {(semantics of LTL)}\\ \text{ iff } &{} \big (w' \models {\mathbf {F}}\varphi '\big ) \vee \big ( w' \models { af}(\varphi ',\nu )\big ) &{} \text {(ind. hyp.)}\\ \text{ iff } &{} w' \models {\mathbf {F}}\varphi ' \vee { af}(\varphi ',\nu ) &{} \text {(def. of }{ af})\\ \text{ iff } &{} w' \models { af}({\mathbf {F}}\varphi ',\nu ) &{} \text {(def. of } { af}) \end{array} \end{aligned}$$

Now we prove the property for every word w by induction on the length of w. If \(w = \epsilon \) then \({ af}(\varphi ,w)=\varphi \), and so \(ww' \models \varphi \) iff \(w' \models \varphi \) iff \(w' \models { af}(\varphi ,w)\). If \(w = \nu w''\) for some \(\nu \in 2^{Ap}\), then we have

$$\begin{aligned} \begin{array}{llr} &{} w' \models { af}(\varphi , w) \\ \text{ iff } &{} w' \models { af}(\varphi , \nu w'') \\ \text{ iff } &{} w' \models { af}({ af}(\varphi , \nu ), w'') &{} \text {(def. of } { af})\\ \text{ iff } &{} w'' w' \models { af}(\varphi , \nu ) &{} \text {(ind. hyp.)} \\ \text{ iff } &{} \nu w'' w' \models \varphi &{} (2) \\ \text{ iff } &{} w w' \models \varphi \end{array} \end{aligned}$$

\(\square \)

Lemma

5 Let \(\mathbf {i}\) be the rank of condition (2) in Theorem 5. If the rank of \(\tau \) stabilizes, then \({ strk}_w(\tau ) < \mathbf {i}\).

Proof

We first prove the following two claims, where \(\mathbf {i}\) is the rank of condition (2):

1. (a)

   If \(\tau \) succeeds at rank \(\mathbf {i}\), then \({ strk}_w(\tau ) < \mathbf {i}\).

   Since \(\tau \) has rank \(\mathbf {i}\) when it reaches the accepting states, we clearly have \({ strk}_w(\tau ) \le \mathbf {i}\). We show \({ strk}_w(\tau ) < \mathbf {i}\). Assume the contrary. With the previous observation, we have \({ strk}_w(\tau ) = \mathbf {i}\). Let t be some time at which \(\tau \) has already entered the accepting states, and its rank has stabilized. By (2.1), some token \(\tau '\) born after time t (i.e., \(\tau ' > t\)) also succeeds at rank \(\mathbf {i}\). Let \(t' \ge t\) be the time immediately before \(\tau '\) enters the accepting states. Then we have \({ rk}_w(\tau , t') = \mathbf {i}\), because at time \(t'\) token \(\tau \) has already stabilized, and \({ rk}_w(\tau ', t') = \mathbf {i}\) by definition. But at time \(t'\) token \(\tau \) is in some accepting state, while \(\tau '\) is not. So we have two tokens in different states with the same rank, contradicting the definition of rank.

2. (b)

   If \({ rk}_w(\tau , t) \le { rk}_w(\tau ', t) ={ strk}_w(\tau ') \in {\mathbb {N}}\), then \({ rk}_w(\tau , t) ={ strk}_w(\tau )\).

   (If a token has reached its stable rank at some time t, then so have all tokens of older rank.)

   Assume \({ rk}_w(\tau , t) \ne { strk}_w(\tau )\). Then at some time \(t' > t\) the rank of \(\tau \) either becomes \(\bot \) (because \(\tau \) reaches a sink) or improves (because \(\tau \)’s firm merges with a firm of older rank). In both cases, the rank of \({ rk}_w(\tau ', t)\) also improves (because the rank of \(\tau \) becomes vacant), contradicting the assumption that at time t token \(\tau \) has already reached its stable rank.

Assume now that the rank of \(\tau \) stabilizes but \({ strk}_w(\tau ) \ge \mathbf {i}\). By (2.1), some token \(\tau '\) born after the rank of \(\tau \) stabilizes succeeds at rank \(\mathbf {i}\). Since \(q_0 \notin F\), this token eventually enters the accepting states. Let t be the time immediately before \(\tau '\) enters the accepting states. We have \({ rk}_w(\tau ', t) = \mathbf {i}\). Since \({ strk}_w(\tau ) \ge \mathbf {i}\), we have \({ rk}_w(\tau , t) \ge \mathbf {i} = { rk}_w(\tau ', t)\). By (b) (with the roles of \(\tau \) and \(\tau \) reversed), we get \({ rk}_w(\tau ', t) ={ strk}_w(\tau ')\), and so \({ strk}_w(\tau ')=\mathbf {i}\). But, since \(\tau '\) succeeds at rank \(\mathbf {i}\), this contradicts (a). \(\square \)

Proposition

5 Let \(\mathcal {M}_1=(Q_1,\varSigma ,q_{01},\delta _1, F_1)\) and \(\mathcal {M}_2=(Q_2,\varSigma ,q_{02},\delta _2, F_2)\). Let \(Q=Q_1 \times Q_2\), let \(q_0 = (q_{01},q_{02})\), and let \(\delta :Q \times \varSigma \rightarrow Q\) be the function given by \(\delta (q_1,q_2, \nu ) = (\delta _1(q_1, \nu ), \delta _2(q_2, \nu ))\) Then the tuples

$$\begin{aligned} \mathcal {M}_1 \cap \mathcal {M}_2= & {} \big (Q,\varSigma ,q_0,\delta , F_1 \times F_2 \big ) \\ \mathcal {M}_1 \cup \mathcal {M}_2= & {} \big (Q,\varSigma ,q_0,\delta , (F_1 \times Q_2) \cup (Q_1 \times F_2) \big ) \end{aligned}$$

are also Mojmir automata, and moreover \(\mathsf {L}(\mathcal {M}_1 \cap \mathcal {M}_2) = \mathsf {L}(K_1) \cap \mathsf {L}(K_2)\) and \(\mathsf {L}(\mathcal {M}_1 \cup \mathcal {M}_2) = \mathsf {L}(K_1) \cup \mathsf {L}(K_2)\).

Proof

We have to show that states reachable from an accepting state of \(\mathcal {M}_1 \cap \mathcal {M}_2\) or \(\mathcal {M}_1 \cup \mathcal {M}_2\) are again accepting. If \((q_1, q_2)\) is an accepting state of \(\mathcal {M}_1 \cap \mathcal {M}_2\) or \(\mathcal {M}_1 \cup \mathcal {M}_2\), then by definition \(\delta ((q_1,q_2),\nu ) = (\delta _1(q_1, \nu ), \delta _2(q_2, \nu ))\).

• If \((q_1, q_2) \in F_1 \times F_2\), then, since \(\mathcal {M}_1\) and \(\mathcal {M}_2\) are \(\mathcal {M}\) automata, we have \(\delta _1(q_1, \nu ) \in F_1\) and \(\delta _2(q_2, \nu ) \in F_2\), and so \(\delta ((q_1,q_2),\nu ) \in F_1 \times F_2\).

• If \((q_1, q_2) \in (F_1 \times Q_2) \cup (Q_1 \times F_2)\), then, since \(\mathcal {M}_1\) and \(\mathcal {M}_2\) are \(\mathcal {M}\) automata, we have \(\delta (q_1, \nu ) \in F_1\) or \(\delta (q_2, \nu ) \in F_2\), and so \(\delta ((q_1,q_2),\nu ) \in (F_1 \times Q_2) \cup (Q_1 \times F_2)\).

We now prove \(\mathsf {L}(\mathcal {M}_1 \cap \mathcal {M}_2) = \mathsf {L}(K_1) \cap \mathsf {L}(K_2)\) and \(\mathsf {L}(\mathcal {M}_1 \cup \mathcal {M}_2) = \mathsf {L}(K_1) \cup \mathsf {L}(K_2)\). Since \(\mathcal {M}_1 \cap \mathcal {M}_2\) and \(\mathcal {M}_1 \cup \mathcal {M}_2\) only differ in their accepting states, they have the same function \( run_w(\tau , t)\) describing the position of token \(\tau \) at time t. Moreover, by the definition of \(q_0\) and \(\delta \) we easily get

$$\begin{aligned} run_w(\tau , t) = \big ( run1_w(\tau , t), run2_w(\tau , t)\big ) \end{aligned}$$

where run1 and run2 are the corresponding functions for \(\mathcal {M}_1\) and \(\mathcal {M}_2\). So we have

1. (a)

   Token \(\tau \) of \(\mathcal {M}_1 \cap \mathcal {M}_2\) eventually reaches \(F_1 \times F_2\) iff the token \(\tau \) of \(\mathcal {M}_1\) eventually reaches \(F_1\) and the token \(\tau \) of \(\mathcal {M}_2\) eventually reaches \(F_2\).

2. (b)

   Token \(\tau \) of \(\mathcal {M}_1 \cup \mathcal {M}_2\) eventually reaches \((F_1 \times Q_2) \cup (Q_1 \times F_2)\) iff the token \(\tau \) of \(\mathcal {M}_1\) eventually reaches \(F_1\), or the token \(\tau \) of \(\mathcal {M}_2\) eventually reach \(F_2\).

By (a), almost every token of \(\mathcal {M}_1 \cap \mathcal {M}_2\) eventually reaches \(F_1 \times F_2\) iff almost every token of \(\mathcal {M}_1\) eventually reaches \(F_1\), and almost every token of \(\mathcal {M}_2\) eventually reaches \(F_2\). So \(\mathsf {L}(\mathcal {M}_1 \cap \mathcal {M}_2) = \mathsf {L}(K_1) \cap \mathsf {L}(K_2)\). By (b), almost every token of \(\mathcal {M}_1 \cap \mathcal {M}_2\) eventually reaches \((F_1 \times Q_2) \cup (Q_1 \times F_2)\) iff almost every token of \(\mathcal {M}_1\) eventually reaches \(F_1\), or almost every token of \(\mathcal {M}_2\) eventually reaches \(F_2\). So \(\mathsf {L}(\mathcal {M}_1 \cup \mathcal {M}_2) = \mathsf {L}(K_1) \cup \mathsf {L}(K_2)\) \(\square \)

Lemma

7 Let \(\varphi \) be a formula and let w be a word.

1. (a)

   Every set \(\mathcal {G}\subseteq {\mathbb {G}}{\varphi }\) closed for w is included in \(\mathcal {G}_{w}(\varphi )\).

2. (b)

   \(\mathcal {G}_{w}(\varphi )\) is closed for w.

Proof

1. (a)

   Given \(\mathcal {G}\subseteq {\mathbb {G}}{\varphi }\), we inductively assign to every \({\mathbf {G}}\psi \in \mathcal {G}\) an index as follows. If \(\psi \) has no \({\mathbf {G}}\)-subformulae, then \({\mathbf {G}}\psi \) has index 0; if \(\psi \) has \({\mathbf {G}}\)-subformulae, then its index is the maximum of the indices of its subformulae plus 1. Assume \(\mathcal {G}\subseteq {\mathbb {G}}(\varphi )\) is closed for w, and let \({\mathbf {G}}\psi \in \mathcal {G}\). We prove \(w \models {\mathbf {F}}{\mathbf {G}}\psi \) by induction on the index n of \({\mathbf {G}}\psi \).

   • \(n = 0\). Since \(\mathcal {G}\) is closed for w, we have \(\mathcal {G}\models _P { af}_{\mathbf {G}}(\psi , w_{ij})\) for almost every \(i \in \mathbb {N}\) and almost every \(j \ge i\). Let \(j > i\) be such that \(\mathcal {G}\models _P { af}_{\mathbf {G}}(\psi , w_{ij})\) holds. Since \(\psi \) has no \({\mathbf {G}}\)-subformulae (because \(n=0\)), the formulae of \(\mathcal {G}\) occur neither in \(\psi \) nor, by the definition of \({ af}_{\mathbf {G}}\), in \({ af}_{\mathbf {G}}(\psi , w_{ij})\). So we get \(\emptyset \models _P { af}_{\mathbf {G}}(\psi , w_{ij})\), which implies \({ af}_{\mathbf {G}}(\psi , w_{ij}) \equiv _P {\mathbf {tt}}\). Moreover, since \(\psi \) has no subformulae and \({ af}_{\mathbf {G}}\) and \({ af}\) only differ on \({\mathbf {G}}\)-formulae, we have \({ af}_{\mathbf {G}}(\psi , w_{ij}) = { af}(\psi , w_{ij})\). So we finally obtain \({ af}(\psi , w_{ij})\equiv _P {\mathbf {tt}}\) for almost every \(i \in \mathbb {N}\) and almost every \(j \ge i\). Apply now Theorem 3.

   • \(n > 0\). Let \(\mathcal {G}'\) be the set of formulae of \(\mathcal {G}\) that are subformulae of \(\psi \). For every \({\mathbf {G}}\psi ' \in \mathcal {G}'\) the index of \({\mathbf {G}}\psi '\) is at most \(n-1\) and so, by induction hypothesis, we have \(w \models {\mathbf {F}}{\mathbf {G}}\psi '\). So there exists \(k_1\) such that \(w_i \models \mathcal {G}'\) for every \(i \ge k_1\). Moreover, since \(\mathcal {G}\) is closed for w, we have \(\mathcal {G}\models _P { af}_{\mathbf {G}}(\psi , w_{ij})\) for almost every \(i \in \mathbb {N}\) and almost every \(j \ge i\). Further, since the formulae of \(\mathcal {G}\setminus \mathcal {G}'\) do not appear in any \({ af}_{\mathbf {G}}(\psi , w_{ij})\), there exists \(k_2\) such that \(\mathcal {G}' \models _P { af}_{\mathbf {G}}(\psi , w_{i j})\) for every \(i \ge k_2\) and almost every \(j \ge i\). Taking \(k = \max \{k_1, k_2\}\), we obtain:

     1. (i)

        \(w_i \models \mathcal {G}'\) for every \(i \ge k\), and

     2. (ii)

        \(\mathcal {G}' \models _P { af}_{\mathbf {G}}(\psi , w_{i j})\) for every \(i \ge k\) and almost every \(j \ge i\).

     We show that (i) and (ii) imply \(w_i \models \psi \) for almost every \(i \ge k\). We proceed by an structural induction on \(\psi \), very similar to the one in the proof of Proposition 2, except for the case \(\psi = {\mathbf {G}}\psi '\). We omit some cases, and only sketch the proof of others.

     • \(\psi = a\). Let \(i \ge k\) such that (i) holds. By (ii) we have \(\mathcal {G}' \models _P { af}_{\mathbf {G}}(a, w_{i j})\) for almost every \(j \ge i\), and so \({ af}_{\mathbf {G}}(a, w_{ij}) = {\mathbf {tt}}\) for almost every \(j \ge i\). But \({ af}_{\mathbf {G}}(a, w_{ij}) = {\mathbf {tt}}\) implies \(w_{i(i+1)}=a\), and so \(w_i \models a\).

     • \(\psi = \psi _1 \wedge \psi _2\) and \(\psi =\psi _1 \vee \psi _2\). Both cases follow immediately from the induction hypothesis.

     • \(\psi = {\mathbf {G}}\psi '\). By the definition of \({ af}_{\mathbf {G}}\), we have \({ af}_{\mathbf {G}}(\psi , w_{i j})={\mathbf {G}}\psi '=\psi \) for every \(j \ge i\). So, by (ii), we have \(\mathcal {G}' \models _P \psi \) which, together with (i), implies \(w_i \models \psi \) for every \(i \ge k\).

2. (b)

   We first prove a preliminary result: if \(w \models \varphi \), then \(\mathcal {G}_{w}(\varphi ) \models { af}_{\mathbf {G}}(\varphi , w_{0i})\) for almost every \(i \in \mathbb {N}\). The proof is very similar to that of Theorem 1. It suffices to say that we proceed by structural induction on \(\varphi \), using the same arguments as in Theorem 1, with two minor adjustments:

   • \({ af}_{\mathbf {G}}(\varphi , w_{0i}) \equiv _P {\mathbf {tt}}\) is replaced by \(\mathcal {G}_{w}(\varphi ) \models { af}_{\mathbf {G}}(\varphi , w_{0i})\).

   • The \({\mathbf {G}}\)-case, i.e., \(\varphi = {\mathbf {G}}\varphi '\), is proved differently. It follows immediately from the fact that, since \(w \models {\mathbf {G}}\varphi '\) by assumption, we have \({\mathbf {G}}\varphi ' \in \mathcal {G}_{w}({\mathbf {G}}\varphi ')\).

Now we proceed to prove (b), also by structural induction on \(\varphi \). If \(\varphi \) is not a \({\mathbf {G}}\)-formula, then the result follows either directly from the definitions or directly from the induction hypothesis. So consider the case \(\varphi = {\mathbf {G}}\varphi ^\prime \). By definition we have \(\mathcal {G}_{w}(\varphi ') \subseteq \mathcal {G}_{w}(\varphi )\), and by induction hypothesis \(\mathcal {G}_{w}(\varphi ')\) is closed for w. If \(w \not \models {\mathbf {F}}{\mathbf {G}}\varphi ^\prime \) then \(\mathcal {G}_{w}(\varphi ') = \mathcal {G}_{w}(\varphi )\), and so \(\mathcal {G}_{w}(\varphi )\) is closed for w. If \(w \models {\mathbf {F}}{\mathbf {G}}\varphi ^\prime \) then \(\mathcal {G}_{w}(\varphi ) = \mathcal {G}_{w}(\varphi ') \cup \{{\mathbf {G}}\varphi '\}\). Since \(\mathcal {G}_{w}(\varphi ')\) is closed for w, we have \(\mathcal {G}_{w}(\varphi ') \models _P { af}_{\mathbf {G}}(\psi , w_{ij})\) for almost every \(i\in \mathbb {N}\), almost every \(j \ge i\), and for every \({\mathbf {G}}\psi \in \mathcal {G}_{w}(\varphi ')\). So it suffices to show \(\mathcal {G}_{w}(\varphi ) \models _P { af}_{\mathbf {G}}(\varphi ', w_{ij})\) for almost all every \(i \in \mathbb {N}\) and almost every \(j \ge i\). Since \(w \models {\mathbf {F}}{\mathbf {G}}\varphi ^\prime \), we have \(w_i \models \varphi '\) for almost all \(i\in \mathbb {N}\). Applying the preliminary result above to every \(w_i\), we obtain \(\mathcal {G}_{w}(\varphi ') \models _P { af}_{\mathbf {G}}(\varphi ', w_{ij})\) for almost every \(i \in \mathbb {N}\) and almost every \(j \ge i\), and we are done. \(\square \)

Lemma

8 Let \(\varphi \) be a formula and let \(\mathcal {G}\subseteq {\mathbb {G}}(\varphi )\). For every \(\psi \in { Reach}_{\mathbf {G}}(\varphi )\) and every \(\nu \in 2^{Ap}\), if \(\mathcal {G}\models _P \psi \) then \(\mathcal {G}\models _P { af}_{\mathbf {G}}(\psi ,\nu )\).

Proof

We proceed by induction on the structure of \(\psi \). Since \(\mathcal {G}\models _P \psi \), by the definition of propositional implication, the formula \(\psi \) must be either \({\mathbf {tt}}\), a conjunction, a disjunction, or a \({\mathbf {G}}\)-formula. If \(\psi ={\mathbf {tt}}\) then \({ af}_{\mathbf {G}}(\psi ,\nu )={\mathbf {tt}}\) and we are done. If \(\psi =\psi _1 \wedge \psi _2\) then \({ af}_{\mathbf {G}}(\psi ,\nu )={ af}_{\mathbf {G}}(\psi _1, \nu ) \wedge { af}_{\mathbf {G}}(\psi _2,\nu )\) and \(\mathcal {G}\models _P { af}_{\mathbf {G}}(\psi ,\nu )\) follows immediately from the induction hypothesis. The case \(\psi =\psi _1 \vee \psi _2\) is analogous. Finally, if \(\psi = {\mathbf {G}}\psi '\) for some formula \(\psi '\) then \({ af}_{\mathbf {G}}({\mathbf {G}}\psi ') = {\mathbf {G}}\psi '\), and we are done. \(\square \)

Lemma

11 Let \(\mathcal {M}(\psi ,\mathcal {G})\) be the Mojmir automaton for a formula \(\psi \). Assume \(\mathcal {M}(\psi , \mathcal {G})\) accepts a word w at the smallest accepting rank \({\mathbf {r}}\). For almost every \(t \in \mathbb {N}\) and for every token \(\tau \) of the run of \(\mathcal {M}(\psi ,\mathcal {G})\) on w, the token succeeds iff

1. 1.

   \(\tau > t\), or

2. 2.

   \({ sr}_w({ run}_w(\tau ,t),t) \ge r\), or

3. 3.

   \({ run}_w(\tau ,t) \in F\).

Proof

Consider the accepting run of \(\mathcal {M}(\psi ,\mathcal {G})\) on w. Let \(k'\) be large enough such that at time \(t' \ge k'\): all tokens \(\tau \) born after \(k'\) eventually succeed; the finitely many tokens that fail have already reached a sink; and the finitely many tokens that succeed with rank smaller than \({\mathbf {r}}\) have already already reached an accepting state. Notice that such a \(k'\) only exists for the smallest accepting rank, since infinitely many tokens enter the accepting states with this rank and for all larger accepting ranks this constant does not exist. Furthermore let \(k \ge k'\) be large enough so that all squatting tokens born before or at time \(k'\) have already reached their stable rank at time k. We show that the lemma holds for every \(t \ge k\).

Let \(\tau \) be an arbitrary token.

• Assume \(\tau \) succeeds. We show that if (1) and (3) do not hold, then (2) holds. By (3), \(\tau \) has not yet reached the accepting states. By our choice of \(k'\), by the time \(\tau \) enters the accepting states it will have rank \({\mathbf {r}}\) or larger. Since the rank of a token can only decrease, its current rank is also equal to the accepting rank r or larger. So \({ sr}_w({ run}_w(\tau ,t),t) \ge r\).

• Assume (1), (2), or (3) hold. If (3) holds, then \(\tau \) succeeds by the definition of success. If (1) holds, then \(\tau \) succeeds by our choice of \(k'\). Assume now that (2) holds. We show that (2) neither fails nor squats outside the accepting states, and so necessarily succeeds. Since \(\tau \) has a rank at time t, it is not in a sink, and so, by our choice of \(k'\), the token does not fail. To show that \(\tau \) does not squat outside the accepting states, we recall part (c) in the proof of Theorem 5: the stable rank of a token is bounded from above by accepting ranks, thus also by the smallest. So, by (2), the rank of \(\tau \) has not stabilized yet, and therefore, by our choice of k, it does not squat outside the accepting states. \(\square \)