Fast LTL to B

uchi Automata Translation

Paul Gastin and Denis Oddoux
LIAFA, Universite Paris 7, Paris, France
{Paul.Gastin,Denis.Oddoux}@liafa.jussieu.fr

Abstract. We present an algorithm to generate B

uchi automata from
LTL formulae. This algorithm generates a very weak alternating co-B
uchi
automaton and then transforms it into a B
uchi automaton, using a generalized B
uchi automaton as an intermediate step. Each automaton is
simplified on-the-fly in order to save memory and time. As usual we
simplify the LTL formula before any treatment. We implemented this
algorithm and compared it with Spin: the experiments show that our
algorithm is much more efficient than Spin. The criteria of comparison
are the size of the resulting automaton, the time of the computation and
the memory used. Our implementation is available on the web at the
following address: http://verif.liafa.jussieu.fr/ltl2ba

Introduction

To prove that a program satisfies some property, a standard method is to use

Linear Time Logic (LTL) model checking. When the property is expressed with
an LTL formula, the model checker usually transforms the negation of this formula into a B
uchi automaton, builds the product of that automaton with the
program, and checks this product for emptiness. In this paper we focus on the
generation of a B
uchi automaton from an LTL formula, trying to improve the
time and space of the computation and the size of the resulting automaton.
Spin [4] is a very popular LTL model checker. However, the algorithm it
uses to generate a B
uchi automaton from an LTL formula, presented in [3],
may be quite slow and may need a large amount of memory, even for some
usual LTL formulae. In particular, this algorithm has a very bad behaviour on
formulae with fairness conditions: it is almost impossible to use Spin to generate
a B
uchi automaton from a formula containing 5 or more fairness conditions,
both because of the computation time and of the memory needed. For example,
consider a simple response formula G(q F r) with n fairness conditions:
n = ((G F p1 . . . G F pn ) G(q F r)) .

(1)

A formula of this type is very often encountered in LTL model checking. Moreover, the fairness conditions and the right-hand side property are usually more
complex. The value of n is very often greater than 5. Alas, in this case, Spin
fails to produce the B
uchi automaton within a reasonable amount of time and
memory (see Table 1).

1
2
3
4
5
6
7
8
9
10

Spin
time
space
0.18
460
4.6
4,200
170
52,000
9,600 970,000

Wring
EQLTL
time
space
time
0.56
4,100
16
2.6
4,100
16
16
4,200
18
110
4,700
25
1,000
6,500
135
8,400 13,000
N/A
72,000 43,000

LTL2BA
time
space
0.01
9
0.01
19
0.01
86
0.07
336
0.70
1,600
12
8,300
220
44,000
4,200
260,000
97,000 1,600,000

LTL2BA
time space
0.01
9
0.01
11
0.01
19
0.06
38
0.37
48
4.0
88
32 175
360 250
3,000 490
36,000 970

Table 1. Comparison on the formulae n for 1 n 10. Time is in sec, space in kB.
(N/A) : no answer from the server within 24 h. () : the program died, giving no result

Spins algorithm was improved by [1] (LTL2AUT), [2] (EQLTL), [10] (Wring):
these papers did not modify the basis of the algorithm, but improved it using
the same core algorithm, rewriting LTL formulae, and simplifying the resulting
B
uchi automaton. These improvements are quite efficient but the actual transformation of the LTL formula to a B
uchi automaton, which is similar to the
tableau construction explained in [3], may still perform badly on some natural
formulae such as n . Some experiments are presented in Table 1. Note that Wring
is written in Perl while Spin and LTL2BA are written in C and that EQLTL is
used through a web server. Hence the figures are still relevant but should not be
compared litterally. See Sect. 7 for more details.
In this paper, we present a new algorithm to generate a B
uchi automaton
from an LTL formula. Our algorithm is not based on the tableau construction
presented in [3]. Instead, using the classical construction (see e.g. [12]), we first
produce an alternating automaton from the LTL formula, with n states where
n is less than the size of the formula. This alternating automaton turns out to
be very weak as shown by Rohde [9]. Thanks to that property, instead of generating directly a B
uchi automaton with 2n 2n states, we are able to build first
a generalized B
uchi automaton, that is a B
uchi automaton with labels and accepting conditions on transitions instead of states, with at most 2n states. Using
a generalized B
uchi automaton is one of the most important improvements of
our algorithm. The best solution would be to design a model-checking algorithm
using directly this generalized B
uchi automaton, but in order to compare our
work with other ones and to use existing model-checking algorithms, we transform this automaton into a classical B
uchi automaton. The method we use is
very classical, and we obtain a B
uchi automaton with at most n 2n states.
The second main improvement stems from our simplifications of the automata. Since our construction goes in several steps, we are able to simplify
the automata at each step, improving the efficiency of the following steps. The
simplifications dramatically reduce the number of states and transitions of the
automata, especially of the generalized B
uchi automaton. Moreover, each simpli-

fication is performed on-the-fly during the construction of each automaton. This

is a major improvement on a posteriori simplifications. The amount of memory
used is about the size of the simplified automaton, instead of being the size
of the unsimplified automaton which may be quite huge. The time needed is
also reduced dramatically because we are exploring a much smaller part of the
automaton during the construction.
Using our new algorithm, we built a tool which is available on the web at
http://verif.liafa.jussieu.fr/ltl2ba. Our tool is much more efficient than
any other tool we have tried, in computation time and especially in memory.
The results of our algorithm on the formulae n with on-the-fly simplifications
(LTL2BA) and with a posteriori simplifications (LTL2BA) are detailed in Table 1. More experimental results are presented in Sect. 7. There we also discuss
the size of the generated automaton. From this point of view also our algorithm is
usually better than Spin though occasionally it may produce a bigger automaton. Note that Spin, LTL2BA and LTL2BA give exactly the same resulting
automaton on the formulae n . Wring and EQLTL give bigger automata.
The paper is organized as follows. Section 2 begins with some preliminaries
defining linear temporal logic and its semantics. Sections 3 to 5 describe our
algorithm and some proofs of its correctness. Section 6 presents our simplification
methods and Sect. 7 describes some experimental results.

Preliminaries: Linear Temporal Logic (LTL)

LTL was introduced to specify the properties of the executions of a system.

A finite set Prop contains all atomic properties of states. With the standard
Boolean operators (, , ) we can only express static properties. For dynamical
properties, we use temporal operators such as X (next), U (until), R (release),
F (eventually) and G (always).
Definition 1 (syntax). The set of LTL formulae on the set Prop is defined by
the grammar ::= p | | | X | U , where p ranges over Prop.
The semantics of LTL usually defines whether an execution of a given
system satisfies a formula. Actually the semantics only depends on the atomic
propositions that stand in each state of . Then for our purpose we consider
only sequences of sets of atomic propositions.
Definition 2 (semantics). Let u = u0 u1 . . . be a word in with = 2Prop .
Let be an LTL formula. The relation u |= (u models ) is defined as follows:

u |= p if p u0 ,
u |= 1 if u 6|= 1 ,
u |= 1 2 if u |= 1 or u |= 2 ,
u |= X 1 if u1 u2 . . . |= 1 ,
u |= 1 U 2 if k 0, uk uk+1 . . . |= 2 and 0 i < k, ui ui+1 . . . |= 1 .

Only basic operators have been defined above. We will of course also use the
derived operators defined by:
def

def

def

tt = p p , ff = tt , 1 2 = ( 1 2 ) , (2)
def

def

def

1 R 2 = ( 1 U 2 ) , F = tt U and G = ff R = F .(3)
An LTL formula that is neither a disjunction () nor a conjunction () is
called a temporal formula.
An LTL formula can be written in negative normal form, using only the
predicates in Prop, their negations, and the operators , , X, U, and R. Notice
that this operation does not change the number of temporal operators of the
formula. From now on, we suppose that every LTL formula is in negative normal
form.
Example 1. Let = (G F p G(q F r)) be our running example along the
paper. The negative normal form of is (ff R (tt U p)) (tt U (q (ff R r))).
Before any construction our algorithm simplifies the formula, using a set of
rewriting rules that reduce the number of temporal operators. This is relevant
since the complexity of our algorithm is based on this number. Some of these
rules are presented in [2],[10]. We will not discuss them in this paper.

LTL to Very Weak Alternating Automata (VWAA)

This section explains a classical construction: building a VWAA from an LTL

formula. Alternating automata have been introduced by Muller and Schupp in
[6],[7],[8]. Then in [9], Rohde defined VWAA as he needed them for a work on
transfinite words. VWAA were also described in [5]. However, our definition is
somewhat different from the classical one.
Definition 3. A co-B
uchi very weak alternating co-B
uchi automaton is a fivetuple A = (Q, , , I, F ) where:
Q is the set of states,
Let Q be the set of conjunctions of elements of Q. The empty conjunction
is denoted by tt. We identify Q with 2Q in the following,
is the alphabet, and we let = 2 ,

: Q 2 Q is the transition function,

I Q is the set of initial states,
F Q is the set of final states (co-B
uchi),
there exists a partial order on Q such that q Q, all the states appearing
in (q) are lower or equal to q.
The definition of a classical alternating automaton would be the same except
for the last condition on the partial order.

tt

G F p tt

tt

Fp

F(q G r)

tt
p

q r

q
p

tt

ff

q
r

Gr

Fig. 1. Automaton A . Some states (right) are unaccessible, they will be removed

Remark 1. The transition function looks different from the usual definition ( :
Q B + (Q)). We made those changes for implementation reasons, in order
to ease the manipulation of the data structures and to save time and space
during the computation. The classical representation of our transition function
is given by:
_
e .
(4)
(q, a) =
(,e)(q)
a

Conversely we may obtain our definition from the classical one, essentially
by taking the disjunctive normal form. Hence the two definitions are equivalent.
Notice that in the transition function we use instead of : so that transitions that differ only by the action can be gathered. In practice, this usually
reduces a lot the number of transitions. However the automaton still reads words
in .
Example 2. You can see the representation of a VWAA on Fig. 1. States in F are
circled twice. Notice that arrows with the same origin represent one transition
to a conjunction of states. In this example, we have:
I = {G F p F(q G r)},
(p) = {(p , tt)} where p = {a | p a},
(G F p) = {(p , G F p), (, G F p F p)}.
A run of A on a word u0 u1 . . . is a labeled DAG (V, E, ) such that :
V is partitioned in

i=0

Vi with E

Vi Vi+1 ,

i=0

: V Q is the labeling function,

(V0 ) I and x Vi , (, e) ((x)), ui and e = (E(x)).
A run is accepting if any (infinite) branch in has only a finite number of
nodes labeled in F (co-B
uchi acceptance condition). L(A) is the set of words
on which there exists an accepting run of A. Note that, B
uchi and co-B
uchi
acceptance conditions are equivalent for VWAA; one only has to replace F by
Q \ F.

Example 3. Here is an example of an accepting run of the automaton A :

{q, r}

{p, q}

GFp

GFp
Fp

GFp
Fp

F(q G r)

F(q G r)

F(q G r)

{p}

{p}

GFp

GFp

Gr

Gr

In the definition of the VWAA associated with an LTL formula, we use two
new operators. helps treating conjunctions, and gives roughly the DNF of ,
allowing us to restrict the states of the automaton to the temporal subformulae
of .

Definition 4. For J1 , J2 2 Q we define

J1 J2 = {(1 2 , e1 e2 ) | (1 , e1 ) J1 and (2 , e2 ) J2 },
For an LTL formula we define by: = {} if is a temporal formula,
1 2 = {e1 e2 | e1 1 and e2 2 } and 1 2 = 1 2 .
Here is the first step of our algorithm, building a VWAA from an LTL formula. Notice that the number of states of this automaton is at most the size of
the formula.
Step 1. Let be an LTL formula on a set Prop. We define the VWAA A by:

Q is the set of temporal subformulae of ,

= 2Prop ,
I = ,
F is the set of until subformulae of , that is formulae of type 1 U 2 ,
is defined as follows ( extends to all subformulae of ):

(tt) = {(, tt)}

(p) = {(p , tt)} where p = {a | p a}

( p) = {( p , tt)} where p = \p
(X ) = {(, e) | e }

1 U 2 ) = (2 ) ((1 ) {(, 1 U 2 )})

(
1 R 2 ) = (2 ) ((1 ) {(, 1 R 2 )})

() = () if is a temporal formula

(1 2 ) = (1 ) (2 )

(1 2 ) = (1 ) (2 )
Using the partial order subformula of it is easy to prove that A is very weak.
Remark 2. One can notice that the elements of used in our definition are
intersections of the sets , p and p . Hence, they can be denoted by conjunctions of literals, as in the following examples : p q r for p q r ,
tt for . Note that intersection and test for inclusion can be easily performed
with this representation.
Example 4. Figure 1 shows the result of Step 1 on the formula defined in Ex. 1.

p r

p
G F p F(q G r)

p q r

GFp Gr

p q r

p q r
q r
p

p r

tt

G F p F p F(q G r)

p r

p
A

q r

tt
q r

B
r

GFp Fp Gr

r
tt
Fig. 2. Automaton GA , before (left) and after (right) simplification

Theorem 1. L(A ) = {u | u |= }.
Proof. The idea of the proof is to show recursively that for any subformula of
, the language accepted by A with I = is equal to {u | u |= }. The
main difficulties are encountered for = 1 U 2 (this is where the acceptance
condition comes into play) and = 1 R 2 .

VWAA to Generalized B
uchi Automata (GBA)

At that point we have obtained a VWAA for our LTL formula . The problem
is that the usual method to transform an alternating automaton into a B
uchi
automaton produces an automaton that is much too big. This is why we generate
first a GBA, which is a B
uchi automaton with several acceptance conditions on
transitions instead of states.
Definition 5. A generalized B
uchi automaton is a five-tuple G = (Q, , , I, T )
where :

Q is the set of states,

is the alphabet, and we let 2 ,

: Q 2 Q is the transition function,

I Q is the set of initial states,
T = {T1 , . . . , Tr } where Tj Q Q are the accepting transitions.

Example 5. The automata on Fig. 2 are examples of GBAs. In these examples,

r = 2: dashed transitions are in T1 and bold transitions are in T2 . An accepting run has to use infinitely many dashed transitions and infinitely many bold
transitions.
A run of G on a word u0 u1 . . . is a sequence q0 , q1 , . . . of elements of
Q such that q0 I and i 0, i such that ui i and (i , qi+1 ) (qi ).
A run is accepting if for each 1 j r it uses infinitely many transitions from
Tj . L(G) is the set of words on which there exists an accepting run of G.

Here is the second step of our algorithm, building a GBA from a co-B
uchi
VWAA. It can be of course applied to any VWAA, and not only to an automaton
issued from Step 1. GA has at most 2|Q| states and |F | acceptance sets.
Step 2. Let A = (Q, , , I, F ) be a VWAA with co-B
uchi acceptance conditions. We define the GBA GA = (Q , , , I, T ) where:
Q = 2Q is identified with conjunctions of states as explained in Definition 3,
n
N
(qi ),
(q1 . . . qn ) =
i=1

is the set of 4-minimal transitions of where the relation 4 is defined

by t 4 t if t = (e, , e ), t = (e, , e ), , e e , and T T ,
t T t T ,
T = {Tf | f F } where
Tf = {(e, , e ) | f
/ e or (, e ) (f ), and f
/ e e }.

Remark 3. One may notice that using f

/ e instead of f
/ e in the definition
of Tf would have been more intuitive, since it corresponds to the case where in
the run of A there is no edge with both ends labeled by f . But our definition is
also correct. The proof of the following main theorem is more complicated with
this definition but the experimental results are much better with it, especially
regarding the simplifications.
Example 6. Figure 2 shows the result of Step 2 on the automaton A of Fig. 1.
Theorem 2. L(GA ) = L(A).
Remark 4. This is the point where we need the alternating automaton to be
very weak (this theorem is false for classical alternating automata). Consider
an infinite branch in a run of A on a given word : since A is very weak, the
sequence of the labels on this branch is decreasing, and has to be ultimately
constant since Q is finite. Then having only a finite number of nodes labelled in
F is equivalent to having an infinite number of nodes labelled in Q\F . This
is crucial in the proof.
Proof.SLet = (V,
S E, ) be an accepting run of A on a word u = u0 u1 . . .
Ei , with Ei Vi Vi+1 . We are first going to build a new
Vi , E =
V =
i0

i0

run of A on u, redefining gradually the sets Vi and Ei to Vi Vi and Ei , i 0.

Let V0 = V0 . Now suppose that Vi has been defined. By definition of a run,
x Vi ,
T x such that uiS x , and (x , ex ) ((x)) where ex = (Ei (x)).
Let =
x and e =
ex .
xVi

xVi

By definition of , t = ((Vi ), , e) is in : there exists a transition t =

((Vi ), , e ) in such that t 4 t and t is minimal. Note that t is a transition

of GA , and that T
ui . Since
S t , x Vi , (x , ex ) ((x))

such that =
x and ex =
e.
xVi

xVi

Moreover x Vi such that (x) = f F and t Tf , there exists (x , ex )

(f ) such that f
/ ex e and x . For all other elements x of Vi , let ex = ex
and x = x .

Let Vi+1
= {y Vi+1 | (y) e } and Ei = {(x, y) Vi Vi+1
| (y) ex }.
Note that (Ei (x)) = ex since ex e = (Vi ) and that Ei (Vi ) may be strictly

contained in Vi+1
.
Claim. i 0, f F , the following property holds:
if (x, y) Ei , (x) = (y) = f then (x, y) Ei , (x) = (y) = f .
Proof. If x Vi , (x) 6= f then the claim is true. Otherwise x Vi
Vi , (x) = f . Assume that y Ei (x) with (y) = f . Then we have
f ex , and by definition of ex we deduce that t
/ Tf . Since t 4 t we
have t
/ Tf and we deduce easily that f ex , which proves the claim.
Let V =

i0

Vi , E =

i0

Ei and be the restriction of to V . From the

construction, one can easily see that = (V , E , ) is a new run of A on u. We

show first that is an accepting run. Suppose that is not accepting: since A
is very weak, the labels on an infinite branch of a run are ultimately constant.
Hence if is not accepting, then there exists an infinite branch of ultimately
labeled by some f F . Using the claim, there exists in an infinite branch
which is ultimately labeled by f . This is impossible since is accepting.
Let ei = (Vi ), i 0. We have e0 = (V0 ) I and from our construction
we get i 0, i such that ui i and (ei , i , ei+1 ) is a transition of GA :
= e0 , e1 , . . . is a run of GA on u. Now let us prove that is accepting. Let
i 0 and f F . We intend to prove that at some depth j i the transition
(ej , j , ej+1 ) is in Tf .
If f
/ ei+1 then j = i will do. Otherwise let j > i be the smallest depth
where (f, f )
/ (Ej ). Note that j exists, otherwise there would be an infinite

branch in ultimately labeled by f and would not be accepting. Since we

know that f ej , let x be the node of Vj labeled by f . From our construction
we know that (ex , x ) (f ), f
/ ex ej+1 and j x . We can conclude
that (ej , j , ej+1 ) is in Tf .
Therefore, from any accepting run of A, we have built an accepting run
of GA on the same word and we get the first inclusion L(A) L(GA ).
Conversely let = e0 , e1 , . . . be an accepting run of GA on a word u =
u0 u1 .S
. . Hence e0 I and i 0, i , ui i and (i , ei+1 ) (ei ). Let
Vi where Vi = {(p, i) | p ei } and let (p, i) = p so that (Vi ) = ei .
V =
i0

By definition of , x Vi , (x , ex ) ((x)) such that ex ei+1 and

i x . Moreover f F , if (ei , i , ei+1 ) Tf then either f
/ ei , or (x) = f
for some x in Vi and in that case we can choose x and ex such that f
/ ex . Let
E be defined by (x, y) E if i 0, x Vi , y Vi+1 and (y) ex .
We can easily see that = (V, E, ) is a run of A on u. Now suppose that
is not accepting: as we proved before, there would exist in an infinite branch
with all nodes ultimately labeled by some f F . But is accepting so it has

p q r
A,0

p r

B,2

p r

q r
r
B,1
tt
Fig. 3. Automaton BGA after simplification

infinitely many transitions in Tf , and for each such transition there is no edge
in E with both ends labeled by f at the corresponding depth. Hence this is
impossible.
Therefore from any accepting run of GA , we have built an accepting run
of A on the same word, proving the converse inclusion L(GA ) L(A).

GBA to B
uchi Automata (BA)

At that point we have obtained a GBA for our LTL formula . We simply have
to transform it into a BA to complete our algorithm. This construction is quite
easy and well-known, but for the sake of completeness we explain it briefly. We
will begin by defining a BA, using once more the same modifications concerning
the alphabet and the transition function.
Definition 6. A B
uchi automaton is a five-tuple B = (Q, , , I, F ) where :

Q is the set of states,

is the alphabet, and we let 2 ,

: Q 2 Q is the transition function,

I Q is the set of initial states,
F Q is the set of repeated states (B
uchi condition).

A run of B on a word u0 u1 . . . is a sequence q0 , q1 , . . . of elements of

Q such that q0 I and i 0, i such that ui i and (i , qi+1 ) (qi ).
A run is accepting if there exists infinitely many states in F . L(B) is the set
of words on which there exists an accepting run of B.
Here is the third step of our algorithm, building a BA from a GBA. If B has
n states and r acceptance conditions, then BG has at most (r + 1) n states.
Step 3. Let G = (Q, , , I, T ) be a GBA with T = {T1 , . . . , Tr }. We define the
BA BG = (Q {0, . . . , r}, , , I {0}, Q {r}) where:
((q, j)) = {(, (q , j )) | (, q ) (q) and j = next(j, (q, , q ))}.

max{j i r | j < k i, t Tk } if j 6= r
with next(j, t) =
max{0 i r | 0 < k i, t Tk } if j = r
Example 7. Figure 3 shows the result of Step 3 on the automaton GA of Fig. 2.
Theorem 3. L(BG ) = L(B).

Remark 5. There exist many similar algorithms transform a GBA into a BA.
They often consist in building the synchronous product of the GBA with some
automaton verifying that every acceptance condition is verified infinitely often.
This automaton differs from one algorithm to another. We chose one that gives
good results for the size of the resulting BA after simplification.

Simplification

Simplification is really important in our algorithm. Since each step produces a

new automaton from the result of the previous step, the more we simplify each
result, the faster our algorithm is and the least memory it uses.
After each step, we simplify the automaton obtained, using iteeratively three
rules until no more simplification occurs:
A state that is not accessible can be removed,
If a transition t1 implies a transition t2 , then t2 can be removed,
t1 = (q, 1 , q1 ) implies t2 = (q, 2 , q2 ) if
In a VWAA,
2 1 and q1 q2
In a GBA, 2 1 , q1 = q2 and t T , t2 T t1 T
In a BA,
2 1 and q1 = q2

If two states q1 and q2 are equivalent, then they can be merged.

q1 and q2 are equivalent if
In a VWAA, (q1 ) = (q2 ) and q1 F q2 F
In a GBA, (q1 ) = (q2 ) and (, q ) (q1 ), T T ,
(q1 , , q ) T (q2 , , q ) T
In a BA,
(q1 ) = (q2 ) and q1 F q2 F

Note that for a GBA issued from Step 2, the condition (q1 , , q ) Tj does
not depend on q1 so that the condition simply becomes (q1 ) = (q2 ).
This simplification procedure is really efficient to reduce the size of the automata. But the strength of our algorithm is that the last two simplification rules
are also used on-the-fly: after a transition has been created, it is compared with
the other transitions already calculated from the same state, and the ones that
become useless are immediately deleted; after all the transitions of a state have
been created, that state is compared with the other states that have already
been created, and is merged to one of those states if possible. This method is
important since usually many states and transitions are to be simplified, and
simplifying them on-the-fly saves a lot of time and space.
In Table 1, the results of the algorithm with or without on-the-fly simplification are compared (LTL2BA is our algorithm with a posteriori simplification
only). For the formula n defined in (1), the unsimplified GBA has 2n+1 states,
whereas the simplified GBA has only 2 states. Using on-the-fly simplification
avoids the intermediary exponential automaton which explains the great improvement, even if the time and memory used by LTL2BA are still exponential.

Experimental Results

In this section we compare the results of some recent algorithms transforming

an LTL formula into a BA.
Spin is a model-checker developed by Bell Labs since 1980. It contains an
algorithm transforming an LTL formula into a BA, presented in [3]. The program
is written in C, and we used version 3.4.1. (released Aug 2000).
Wring is an algorithm presented in [10]. The program is written in Perl,
so the comparison with our work cannot be read litterally, and the amount of
memory used is just an approximation we made using the Unix command top.
EQLTL is an algorithm presented in [2]. The program is not publicly available, but a demo is proposed on the web. All we could do was to measure the
time needed by the web interface to start responding to our request. We do not
even know what type of machine handles the request. Consequently the times
we gave should be taken with caution.
LTL2BA is a program writen in C as Spin, in order to make reliable comparison between the two programs. LTL2BA is the same program, with a
prosteriori simplification only.
Tests were made on a Sun Ultra 10 station with 1 GB of RAM.
As explained in the introduction, we compared the tools on usual LTL formulae, taking the example of the formula n defined in (1). The result of the
comparison is detailed in Table 1.
Another type of usual LTL formulae, often encountered in model-checking,
is formulae like: n = (p1 U (p2 U (. . . U pn ) . . .). We made the same tests on
these fomulae in Table 2. Again our algorithm outperforms the other ones.

2
3
4
5
6
7
8

Spin
time
space
0.01
8
0.03
110
0.75
1,700
43
51,000
1,200 920,000

Wring
EQLTL
LTL2BA
time space
time
time space
0.07 4,100
8
0.01
3.2
0.29 4,100
8
0.01
5.5
1.34 4,200
9
0.01
11
10 4,200
11
0.01
13
92 4,500
15
0.15
25
720 6,000
27
9.2
48
92 1,200
93

Table 2. Comparison on the formulae n for 2 n 8. Time is in sec, space in kB

We also compared the algorithms on random LTL formulae of a fixed size,

using a tool presented in [11]. For compatibility reasons, the only comparison
we could realize was between our alogrithm and Spins. Here the results are
issued from a test on 200 random formulae of size 10, where both algorithms are
compared on the same formulae. See Table 3 for details.

time of computation (seconds)

number of states
number of transitions

avg.
14.23
5.74
14.73

Spin
max.
4521.65
56
223

LTL2BA
avg. max.
0.01 0.04
4.51
39
9.67 112

Table 3. Comparison on random formulae of a fixed size

References
1. M. Daniele, F. Giunchiglia, and M. Vardi. Improved automata generation for
linear temporal logic. In Proc. 11th International Computer Aided Verification
Conference, pages 249260, 1999.
2. K. Etessami and G. Holzmann. Optimizing B
uchi automata. In Proceedings of
11th Int. Conf. on Concurrency Theory (CONCUR), 2000.
3. R. Gerth, D. Peled, M. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Protocol Specification Testing and Verification,
pages 318, Warsaw, Poland, 1995. Chapman & Hall.
4. G. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279295, May 1997.
5. O. Kupferman and M. Vardi. Weak alternating automata are not that weak.
In Proc. 5th Israeli Symposium on Theory of Computing and Systems ISTCS97,
pages 147158. IEEE, 1997.
6. D. Muller and P. Schupp. Alternating automata on infinite objects: Determinacy
and Rabins theorem. In Proceedings of the Ecole de Printemps dInformatique
Theoretique on Automata on Infinite Words, volume 192 of LNCS, pages 100107,
Le Mont Dore, France, May 1984. Springer.
7. D. Muller and P. Schupp. Alternating automata on infinite trees. Theoretical
Computer Science, 54(2-3):267276, October 1987.
8. D. Muller and P. Schupp. Simulating alternating tree automata by nondeterministic automata: New results and new proofs of the theorems of Rabin, McNaughton
and Safra. Theoretical Computer Science, 141(12):69107, April 1995.
9. S. Rohde. Alternating automata and the temporal logic of ordinals. PhD Thesis
in Mathematics, University of Illinois at Urbana-Champaign, 1997.
10. F. Somenzi and R. Bloem. Efficient B
uchi automata from LTL formulae. In CAV:
International Conference on Computer Aided Verification, 2000.
11. H. Tauriainen. A randomized testbench for algorithms translating linear temporal
logic formulae into B
uchi automata. In Workshop Concurrency, Specifications and
Programming, pages 251262, Warsaw, Poland, 1999.
12. M. Vardi. An Automata-Theoretic Approach to Linear Temporal Logic, volume
1043 of Lecture Notes in Computer Science, pages 238266. Springer-Verlag Inc.,
New York, NY, USA, 1996.