Antichains for the Automata-Based Approach to Model-Checking

We propose and evaluate antichain algorithms to solve the universality and language inclusion problems for nondeterministic Buechi automata, and the emptiness problem for alternating Buechi automata. To obtain those algorithms, we establish the existence of simulation pre-orders that can be exploited to efficiently evaluate fixed points on the automata defined during the complementation step (that we keep implicit in our approach). We evaluate the performance of the algorithm to check the universality of Buechi automata using the random automaton model recently proposed by Tabakov and Vardi. We show that on the difficult instances of this probabilistic model, our algorithm outperforms the standard ones by several orders of magnitude.


Introduction
In the automata-based approach to model-checking [VW86,VW94], programs and properties are modeled by finite automata.Let A be a finite automaton that models a program and let B be a finite automaton that models a specification that the program should satisfy.Correctness is defined by the language inclusion L(A) ⊆ L(B), that is all traces of the program (executions) should be traces of the specification.To solve the inclusion problem, the classical automata-theoretic solution constructs an automaton for L c (B) the complement of the language of the automaton B and then checks that L(A) ∩ L c (B) is empty (the later intersection being computed as a synchronised product).
In the finite case, the program and the specification are automata over finite words (NFA) and the construction for the complementation is conceptually simple: it is achieved by a classical subset construction.In the case of infinite words, the program and (or at least) the specification are nondeterministic Büchi automata (NBW).The NBW are also complementable; this was first proved by Büchi [Büc62].However, the result is much harder to obtain than in the case of NFA.The original construction of Büchi has a 2 O(2 n ) worst case complexity (where n is the size of the automaton to complement) which is not optimal.In the late eighties Safra in [Saf88], and later Kupferman and Vardi in [KV01], have given optimal complementation procedures that have 2 O(n log n) complexity (see [Mic88] for the lower bound).While for finite words, the classical algorithm has been implemented and shown practically usable, for infinite words, the theoretically optimal solution is difficult to implement and very few results are known about their practical behavior.Recent implementations have shown that applying these algorithms for automata with more than around ten states is hard [TV07,GKSV03].Such sizes are clearly not sufficient in practice.As a consequence, tools like Spin [RH04] that implement the automata-theoretic approach to model-checking ask either that the complement of the specification is explicitly given or they limit the specification to properties that are expressible in LTL.
In this paper, we propose a new approach to check L(A) ⊆ L(B) that can handle much larger Büchi automata.In a recent paper, we have shown that the classical subset construction can be avoided and kept implicit for checking language inclusion and language universality for NFA and their alternating extensions [DDHR06].Here, we adapt and extend that technique to the more intricate case of automata on infinite words.
To present the intuition behind our new techniques, let us consider a simpler setting of the problem.Assume that we are given a NBW B and we want to check if Σ ω ⊆ L(B), that is to check if L(B) is universal.First, remember that L(B) is universal when its complement L c (B) is empty.The classical algorithm first complements B and then checks for emptiness.The language of a NBW is nonempty if there exists an infinite run of the automaton that visits accepting locations infinitely often.The existence of such a run can be established in polynomial time by computing the following fixed point F ≡ νy • µx • (Pre(x) ∪ (Pre(y) ∩ α)) where Pre is the predecessor operator of the automaton (given a set L of locations it returns the set of locations that can reach L in one step) and α is the set of accepting locations of the automaton.The automaton is non-empty if and only if its initial location is a member of the fixed point F.This well-known algorithm is quadratic in the size of the automaton.Unfortunately, the automaton that accepts the language L c (B) is usually huge and the evaluation of the fixed point is unfeasible for all but the smallest specifications B. To overcome this difficulty, we make the following observation: if is a simulation pre-order on the locations of B c (ℓ 1 ℓ 2 means ℓ 1 can simulate ℓ 2 ) which is compatible with the accepting condition (if ℓ 1 ℓ 2 and ℓ 2 ∈ α then ℓ 1 ∈ α), then the sets that are computed during the evaluation of F are all -downward-closed (if an element ℓ is in the set then all ℓ ′ ℓ are also in the set).Then -downward-closed sets can be represented by their -maximal elements and if operations on such sets can be computed directly on their representation, we have the ingredients to evaluate the fixed point in a more efficient way.For an automaton B over finite words, set inclusion would be a typical example of a simulation relation for B c [DDHR06].The same technique can be applied to avoid subset constructions in games of imperfect information [DDR06,CDHR07].We generically call antichain algorithms the techniques that are based on compact representation of downward-closed because when the simulation is a partial order (and it usually is), the maximal elements form an antichain, i.e., a set of incomparable elements.
We show that the classical constructions for Büchi automata that are used in the automata-theoretic approach to model-checking are all equipped with a simulation preorder that exists by construction and does not need to be computed.On that basis we propose antichain algorithms to check universality of NBW, language inclusion for NBW, and emptiness of alternating Büchi automata (ABW).Each of these problems reduces to emptiness checking of NBW, via classcial constructions.
The novelty of our antichain algorithms is to realize that only downward-closed sets can be computed by the fixed point for emptiness, and therefore to use more succinct representations of those downward-closed sets, by storing maximal elements only.Moreover, such compact representations do not come at the price of an increase in the time complexity for the basic operations that are necessary to check emptiness (such as ∩, ∪, and Pre), i.e., we show that they are computable in time polynomial in the size of the compact representation, while this size can be exponentially smaller than the actual downward-closed set.Note that, while a compact representation exists in general (i.e., for any simulation pre-order), we have no generic result that would show that efficient computations can be done symbolically in all cases.Therefore, we have to instantiate the approach for each class of problem, and find efficient algorithms for the basic operations.
We evaluate an implementation of our algorithm for the universality problem of NBW and on a randomized model recently proposed by Tabakov and Vardi.We show that the performance of the antichain algorithm on this randomized model outperforms by several order of magnitude the existing implementations of the Kupferman-Vardi algorithm [TV07,GKSV03].While the classical solution is limited to automata of size 8 for some parameter values of the randomized model, we are able to handle automata with more than one hundred locations for the same parameter values.We have identified the hardest instances of the randomized model for our algorithms and show that we can still handle problems with several dozens of locations for those instances.
Structure of the paper.In Section 2, we give all necessary definitions related to Büchi automata, and we recall the Kupferman-Vardi and Miyano-Hayashi constructions that are used for complementation of NBW.The reader interested in the general theory behind our technique can read Section 3 without going into the details of those constructions (only the definitions of NBW and emptiness are useful to understand Section 3).The notion of simulation pre-order for a Büchi automaton is presented and we prove that the fixed point needed to establish emptiness of nondeterministic Büchi automata handles only downward closed sets for such pre-orders.We use this observation in Section 4 to define an antichain algorithm to decide emptiness of ABW.In Section 5, we adapt the technique for the universality problem of NBW.In Section 6, we report on the performances of the algorithm for universality, and in Section 7, we extend those ideas to obtain an antichain algorithm for language inclusion of NBW.We say that a set X ⊆ Loc satisfies a formula ϕ ∈ B + (Loc) (noted X |= ϕ) iff the truth assignment that assigns true to the members of X and assigns false to the members of Loc\X satisfies ϕ.A run of A on an infinite word w = σ 0 • σ 1 . . . is a dag T w = V, v ι , → where:

Büchi Automata and Classical Algorithms
is the set of nodes.A node (ℓ, i) represents the state ℓ after the first i letters of the word w have been read by A. Nodes of the form (ℓ, i) with ℓ ∈ α are called α-nodes; We say that (ℓ ′ , i + 1) is a successor of (ℓ, i) if (ℓ, i) → (ℓ ′ , i + 1), and we say that (ℓ an infinite word w is accepting iff all its infinite paths π rooted at v ι visit α-nodes infinitely often.An infinite word w ∈ Σ ω is accepted by A if there exists an accepting run on it.We denote by L(A) the set of infinite words accepted by A, and by L c (A) the set of infinite words that are not accepted by A.
Definition 2.2.A nondeterministic Büchi automaton (NBW) is an ABW whose transition function is restricted to disjunctions over Loc.
Runs of NBW reduce to (linear) traces.The transition function of NBW is often seen as a function [Q × Σ → 2 Q ] and we write δ(ℓ, σ) = {ℓ 1 , . . ., ℓ n } instead of δ(ℓ, σ) = ℓ 1 ∨ ℓ 2 ∨ • • • ∨ ℓ n .We note by Pre A σ (L) the set of predecessors by σ of the set L: Problems.The emptiness problem for NBW is to decide, given an NBW A, whether L(A) = ∅.This problem is solvable in polynomial time.The symbolic approach through fixed point computation is quadratic in the size of A [EL86].Other symbolic approaches have been proposed with better complexity bounds [BGS00, GPP03], but the fixed point computation shows better performances in practice [RBS00].
The universality problem for NBW is to decide, given an NBW A over the alphabet Σ whether L(A) = Σ ω where Σ ω is the set of all infinite words on Σ.This problem is PSpacecomplete [SVW87].The classical algorithm to decide universality is to first complement the NBW and then to check emptiness of the complement.The difficult step is the complementation as it may cause an exponential blow-up in the size of the automaton.There exist two types of construction, one is based on a determinization of the automaton [Saf88] and the other uses ABW as an intermediate step [KV01].We review the second construction below.
The language inclusion problem for NBW is to decide, given two NBW A and B, whether L(A) ⊆ L(B).This problem is central in model-checking and it is PSpace-complete in the size of B. The classical solution consists in checking the emptiness of L(A) ∩ L c (B), which again requires the expensive complementation of B.
The emptiness problem for ABW is to decide, given an ABW A, whether L(A) = ∅.This problem is also PSpace-complete and it can be solved using a translation from ABW to NBW that preserves the language of the automaton [MH84].Again, this construction involves an exponential blow-up that makes explicit implementations feasible only for automata limited to around ten states.However, the emptiness problem for ABW is very important in practice for LTL model-checking as there exist efficient polynomial translations from LTL formulas to ABW [GO01].The classical construction is presented below.
Kupferman-Vardi construction.Complementation of ABW is straightforward by dualizing the transition function (by swapping ∧ and ∨, and swapping true and false in each formulas) and interpreting the accepting condition α as a co-Büchi condition, i.e. a run T w is accepted if all its infinite paths have a suffix that contains no α-nodes.
The result is an alternating co-Büchi automaton (ACW).The accepting runs of ACW have a layered structure that has been studied in [KV01], where the notion of rank is defined.The rank is a nonnegative integer associated to each node of an accepting run T w of an ACW on a word w.Let G 0 = T w .Nodes of rank 0 are those nodes from which only finitely many nodes are reachable in G 0 .Let G 1 be the run T w from which all nodes of rank 0 have been removed.Then, nodes of rank 1 are those nodes of G 1 from which no α-node is reachable in G 1 .For all i ≥ 2, let G i be the run T w from which all nodes of rank 0, . . ., i − 1 have been removed.Then, nodes of rank 2i are those nodes of G 2i from which only finitely many nodes are reachable in G 2i , and nodes of rank 2i + 1 are those nodes of G 2i+1 from which no α-node is reachable in G 2i+1 .Intuitively, the rank of a node (ℓ, i) hints how difficult it is to prove that all the paths of T w that start in (ℓ, i) visit α-nodes only finitely many times.It can be shown that every node has a rank between 0 and 2(|Loc| − |α|), and all α-nodes have an even rank [GKSV03].The layered structure of the runs of ACW induces a construction to complement ABW [KV01].We present this construction directly for NBW.

Definition 2.3 ([KV01]). Given a NBW
after the first i letters of the input word w have been read if it guesses that the rank of the node (ℓ, i) in a run of A on w is at most n; The ABW specified by the Kupferman-Vardi construction accepts the complement language of L(A) and its size is quadratic in the size of the original automaton A.

Theorem 2.4 ([KV01]). For all NBW
Miyano-Hayashi construction.Classically, to check emptiness of ABW, a variant of the subset construction is applied that transforms the ABW into a NBW that accepts the same language [MH84].Intuitively, the NBW maintains a set s of states of the ABW that corresponds to a whole level of a guessed run dag of the ABW.In addition, the NBW maintains a set o of states that "owe" a visit to an accepting state.Whenever the set o gets empty, meaning that every path of the guessed run has visited at least one accepting state, the set o is initiated with the current level of the guessed run.It is asked that o gets empty infinitely often in order to ensure that every path of the run dag visits accepting states infinitely often.The construction is as follows.

Definition 2.5 ([MH84]). Given an ABW
The size of the Miyano-Hayashi construction is exponential in the size of the original automaton.

Theorem 2.6 ([MH84]). For all ABW A, we have L(MH(A)) = L(A).
The size of the automaton obtained after the Kupferman-Vardi and the Miyano-Hayashi construction is an obstacle to the direct implementation of the method.
Direct complementation.In our solution, we implicitly use the two constructions to complement Büchi automata but, as we will see, we do not construct the automata.For the sake of clarity, we give below the specification of the automaton that would result from the composition of the two constructions.In the definition of the state space, we omit the states (ℓ, i) for ℓ ∈ α and i odd, as those states have no successor in the Kupferman-Vardi construction.

Simulation Pre-Orders and Fixed Points
Let A = Loc, ι, Σ, δ, α be a NBW.Let 2 Loc , ⊆, ∪, ∩, ∅, Loc be the powerset lattice of locations.The fixed point formula Intuitively, the greatest fixed point νy in F A computes in the n-th iteration the set of states from which n accepting states can be visited with some word.When this set stabilizes, infinitely many visits to an accepting state are possible.
We show in this section that a certain structural property of the NBW is tightly correlated to the structure of the sets that are computed by the fixed point F A .The key property is the notion of simulation relation for finite automata.Let ⊆ Loc × Loc be a pre-order and let ℓ 1 ≺ ℓ 2 iff ℓ 1 ℓ 2 and ℓ 2 ℓ 1 .Definition 3.1.A pre-order is a simulation for A iff the following properties hold: • for all ℓ 1 , ℓ 2 , ℓ 3 ∈ Loc, for all σ ∈ Σ, if ℓ 3 ℓ 1 and ℓ 2 ∈ δ(ℓ 1 , σ) then there exists ℓ 4 ∈ Loc such that ℓ 4 ℓ 2 and ℓ 4 ∈ δ(ℓ 3 , σ) (see illustration in Figure 1); For any -closed set L ⊆ Loc, we have L =↓Max(L).Furthermore, if is a partial order, then Max(L) is an antichain of elements and it can serve as a canonical representation of L.
Our goal is to show that the operators involved in the fixed point formula F A preserve -closedness.This is true for union and intersection, for all relations .
Lemma 3.2.For all relations , for all -closed sets L 1 , L 2 , the sets The next lemma shows that simulation relations are necessary (and also sufficient) to guarantee preservation of -closedness under the Pre operator.Note that many other notions of simulation pre-orders have been defined for Büchi automata, see [EWS05].1 Lemma 3.3.Let A = Loc, ι, Σ, δ, α be a NBW.A pre-order ⊆ Loc × Loc is a simulation for A if and only if the following two properties hold: First, assume that is a simulation for A. Then, the set α is -closed by Definition 3.1, which establishes (a).To prove (b), let L ⊆ Loc be a -closed set and let σ ∈ Σ.For all ℓ 1 ∈ Pre A σ (L) there exists ℓ 2 ∈ L such that ℓ 2 ∈ δ(ℓ 1 , σ).By Definition 3.1, for all ℓ 3 ℓ 1 there exists ℓ 4 ∈ Loc such that ℓ 4 ℓ 2 and ℓ 4 ∈ δ(ℓ 3 , σ) (see Figure 1).So ℓ 4 ∈ L since L is -closed and ℓ 2 ∈ L, and thus Second, assume that (a) and (b) hold, and show that satisfies Definition 3.1.By (a), for all ℓ ∈ α and for all ℓ ′ ℓ, we have ℓ Lemmas 3.2 and 3.3 entail that all sets computed in the iterations of the fixed point formula F A are -closed for any simulation for A. We can take advantage of this fact to use a compact representation of those sets, namely their maximal elements.This would indeed reduce the size of the sets to manipulate by the fixed point algorithms (possibly exponentially as we will see later).Notice that in general, this compact representation can make more difficult the computation of the Pre operator.To illustrate this, consider the example in Figure 2 where we want to compute Pre σ (↓{ℓ}).More precisely, given ℓ we need to compute the maximal elements of the -closed set Pre σ (↓{ℓ}).The set ↓{ℓ} is delimited by the dashed curve in the figure.First, note that applying Pre σ to {ℓ} would give the empty set from which the correct result can obviously not be extracted.Second, if we assume that the states ℓ 1 , . . ., ℓ k are -incomparable, then the result is Max(Pre σ (↓{ℓ})) = {ℓ 1 , . . ., ℓ k }, which shows that essentially any set can be obtained, including sets of maximal elements that are huge or difficult to manipulate symbolically.Third, even if the result is compact (e.g., if ℓ i ℓ 1 for all 1 ≤ i ≤ k, then the result is the singleton {ℓ 1 }), the computation may somehow require to enumerate all the ℓ i for i = 1, 2, . . ., k where k may be for instance exponential in the size of the problem.
The above remarks show that for each particular application (i.e., for each class of automata, and each particular simulation that we use), we need (1) to define a predecessor operator Pre abs that applies to maximal elements, such that Pre abs (Max(L)) = Max(Pre(L)) for all -closed sets L, (2) to present an algorithm to compute this operator, and establish its correctness, and (3) to study the complexity of such an algorithm.
Finally, note that the way to compute Max(L 1 ∩ L 2 ) given Max(L 1 ) and Max(L 2 ) should also be defined for each application, while for union, the following general rule applies: In the next sections, we show that the NBW that we have to analyze in the automatabased approach to model-checking are all equipped with a simulation pre-order that can be exploited to compute efficiently the intersection and the predecessor operators.Hence, we show that the expected efficiency in terms of space consumption of the antichain representation does not come at the price of a blow-up in the computation times of these operators.We do so for the emptiness problem of ABW, and for the universality and language inclusion problems for NBW.All these problems can be reduced to the emptiness problem of NBW that are obtained by specific constructions (analogous of the powerset construction), for which simulation relations need not to be computed for each instance of the problems, but can be defined generically (like set inclusion is such a relation for the classical powerset construction).

Emptiness of ABW
We now show how to apply Lemmas 3.2 and 3.3 to check more efficiently the emptiness of ABW.Let A 1 = Loc 1 , ι 1 , Σ, δ 1 , α 1 be an ABW for which we want to decide whether L(A 1 ) = ∅.We know that the (exponential) Miyano-Hayashi construction gives a NBW A 2 = MH(A 1 ) such that L(A 2 ) = L(A 1 ).The emptiness of A 1 (or equivalently of A 2 ) can be decided more efficiently by computing the fixed point F A 2 and without constructing explicitly A 2 .To do so, we establish the existence of a simulation for A 2 for which we can compute ∪, ∩ and Pre by manipulating only maximal elements of closed sets of locations.
Note that the pre-order alt is a partial order.As a consequence, given a set of pairs L = { s 1 , o 1 , s 2 , o 2 , . . ., s n , o n }, the set Max(L) is an antichain and identifies L.
Lemma 4.2.For all ABW A 1 , the partial order alt is a simulation for MH(A 1 ).According to Lemmas 3.2 and 3.3, all the sets that we compute to evaluate F A 2 are alt -closed.We need to compute intersection and Pre by only manipulating maximal elements.Given s 1 , o 1 , s 2 , o 2 , we take s, o such that ↓ s, o =↓ s 1 , o 1 ∩ ↓ s 2 , o 2 as follows: and otherwise the intersection is empty.Algorithm 1 computes the maximal elements of the set of σ-predecessors of the alt -closure of a pair s ′ , o ′ .This allows to compute the maximal elements of the set of predecessors of any alt -closed set by just manipulating its maximal elements, since Pre ).Note that our algorithm runs in polynomial time, more precisely in O(|Loc 1 | • δ 1 ) where δ 1 is the size of the transition relation, defined as the maximal number of boolean connectives in a formula δ 1 (ℓ, σ).

Universality of NBW
We present a new algorithm to check universality of NBW, based the existence of a simple simulation relation for the complement automaton of NBW given by Definition 2.7.

Definition 5.1. Given an NBW
s, o univ s ′ , o ′ iff the following conditions hold: • for all (ℓ, n) ∈ s, there exists This relation formalizes the intuition that it is easier to accept a word in KVMH(A) from a given location with a high rank than with a small rank.This is because the rank is always decreasing along every path of the runs of KV(A), and so a small rank is always simulated by a greater rank.Hence, essentially the minimal rank of each location of s and o is relevant to define the pre-order univ .The third condition requires that only accepting states simulate accepting states.
Lemma 5.2.For all NBW A, the pre-order univ is a simulation for the NBW KVMH(A).
, and combining (ii) and (ii Second, for all s, o ∈ α ′ we have o = ∅, and thus for all Hence univ is a simulation for KVMH(A).
According to Lemmas 3.2 and 3.3, all intermediate sets that are computed by the fixed point F A c to check emptiness of A c = KVMH(A) (and thus universality of A) are univ -closed.Since univ is not a partial order, the set Max(L) for a univ -closed set L may contain several univ -equivalent elements (x and y are univ -equivalent if x univ y and y univ x).For example, the set { {(ℓ, 3), (ℓ ′ , 4)}, ∅ } is univ -equivalent to the set { {(ℓ, 3), (ℓ, 4), (ℓ ′ , 4)}, ∅ }.In fact Max(L) is a union of univ -equivalent classes.Hence, the size of Max(L) can be reduced by keeping only one canonical element for each univequivalent class.Given a set s ∈ Q, define its characteristic function Notice that ≤ is partial order over characteristic functions, and that if s ⊆ s ′ , then f s ′ ≤ f s for all s, s ′ ∈ Q.The following lemma is a corollary of Definition 5.1.

We extend the operator [[•]
] to sets of pairs of characteristic functions as expected.Notice Now, we show how to compute efficiently ∪, ∩ and Pre for univ -closed sets that are represented by characteristic functions.Let L 1 , L 2 be two sets of pairs of characteristic functions, let L ∪ be the set of ≤-minimal elements of L 1 ∪ L 2 , and let L ∩ be the ≤-minimal elements of the union of: By Equation (4.1) and by the previous remarks, we have: To compute Pre σ (•) of a single pair of characteristic functions, we propose Algorithm 2 whose correctness is established by Theorem 5.4.Computing the predecessors of a set of characteristic functions is then straightforward using the algorithm for union of sets of pairs of characteristic functions since In Algorithm 2, we represent ∞ by any number strictly greater than k = 2(|Loc| − |α|), and we adapt the definition of ≤ as follows: In the algorithm, we use the notations ⌈n⌉ odd for the least odd number n ′ such that n ′ ≥ n, and ⌈n⌉ even for the least even number n ′ such that n ′ ≥ n.The structure of Algorithm 2 is similar to Algorithm 1, but the computations are expressed in terms of characteristic functions, thus in terms of ranks.For example, lines 4-5 compute the equivalent of line 2 in Algorithm 1, where α 1 corresponds here to the set of odd-ranked locations, and thus contains no α-nodes.Details are given in the proof of Theorem 5.4.Theorem 5.4.Let A = Loc, ι, Σ, δ, α be a NBW, σ ∈ Σ, and ) and for all f s , f o ∈ L Pre , we have f s ≤ f o and f s (ℓ) and f o (ℓ) are even for all ℓ ∈ α.
By the test of line 9, we have f o = f ∅ and therefore o = ∅.According to Definition 2.7 of KVMH(A), we have to check that there exists a set o ′′ ⊆ s ′ such that o ′ = o ′′ \ odd (we take o ′′ = o ′ ∪ (s ′ ∩ odd)), and the following conditions hold: Observe that for all ℓ ∈ Loc, for all ℓ ′ ∈ δ(ℓ, σ), we have f s ′ (ℓ ′ ) ≤ f s (ℓ) (lines 11,12 of Algorithm 2).Since f s (ℓ) ≤ n (by definition of characteristic functions), we take This is enforced by line 12 and line 6 of the algorithm.Second, consider a pair f o , f ∅ added to L Pre at line 7, and let s, is even for all ℓ ∈ α by (iv).We show that there exists To prove (b), assume that there exist s 1 , o 1 and s , where f s is computed by line 11 of Algorithm 2) for ℓ ∈ α.We also have f s 1 (ℓ) ≥ f s (ℓ) (see line 12 of Algorithm 2) for ℓ ∈ α, as f s 1 (ℓ) is even in that case.Thus, (iii) By our assumption that o 1 = ∅, we have f o 1 = f ∅ , and so f o = f ∅ by (ii).
Hence, the pair f s , f o added to L Pre by Algorithm 2 at line 13 satisfies f s By (1) and (2), we get easily f s ′ 1 ≥ f s ′′ .Now, by the fact that automata [TV07].In the model, the input alphabet is fixed to Σ = {0, 1}, and for each letter σ ∈ Σ, a number k σ of different state pairs (ℓ, ℓ ′ ) ∈ Loc × Loc are chosen uniformly at random before the corresponding transitions (ℓ, σ, ℓ ′ ) are added to the automaton.The ratio r σ = kσ |Loc| is called the transition density for σ.This ratio represents the average outdegree of each state for σ.In all experiments, we choose r 0 = r 1 , and denote the transition density by r.The model contains a second parameter: the density f of accepting states.There is only one initial state, and the number m of accepting states is linear in the total number of states, as determined by f = m |Loc| .The accepting states themselves are chosen uniformly at random.Observe that since the transition relation is not always total, automata with f = 1 are not necessarily universal.
Tabakov and Vardi have studied the space of parameter values for this model and argue that "interesting" automata are generated by the model as the two parameters r and f vary.They also study the density of universal automata.
Performance comparison.We have implemented our algorithm to check the universality of randomly generated NBW.The code is written in C with an explicit representation for characteristic functions, as arrays of integers.All the experiments are conducted on a biprocessor Linux station (two 3.06Ghz Intel Xeons with 4GB of RAM).
Figure 3 shows as a function of r (transition density) and f (density of accepting states) the median execution times for testing universality of 100 random automata with |Loc| = 30.It shows that the universality test was the most difficult for r = 1.8 and f = 0.1 with a median time of 11 seconds.The times for r ≤ 1 and r ≥ 2.8 are not plotted because they were always less than 250ms.A similar shape and maximal median time is reported by Tabakov for automata of size 6, that is for automata that are five times smaller [TV07].Another previous work reports prohibitive execution times for complementing NBW of size 6, showing that explicitly constructing the complement is not a reasonable approach [GKSV03].The density of universal automata in the samples is shown in Figure 4.The density increases when states have more transitions, while it seems less sensitive to the density of accepting states.The difficult instances correspond to the values of the densities of transitions and accepting states for which the probability to be universal is close to a half.Analogous results have been observed in [TV07].
To evaluate the scalability of our algorithm, we have run the following experiment.For a set of parameter values, we have evaluated the maximal size of automata (measured in term of number of locations) for which our algorithm could analyze 50 over 100 instances in less than 20 seconds.We have tried automata sizes from 10 to 1500, with a fine granularity for small sizes (from 10 to 100 with an increment of 10, from 100 to 200 with an increment of 20, and from 200 to 500 with an increment of 30) and a rougher granularity for large sizes (from 500 to 1000 with an increment of 50, and from 1000 to 1500 with an increment of 100).
The results are shown in Fig. 5, and the corresponding values are given in Table 1.The vertical scale is logarithmic.For example, for r = 2 and f = 0.5, our algorithm was able to handle at least 50 automata of size 120 in less than 20 seconds and was not able to do so for automata of size 140.In comparison, Tabakov and Vardi have studied the behavior of Kupferman-Vardi and Miyano-Hayashi constructions for different implementation schemes.We compare with the performances of their symbolic approach which is the most efficient.For the same parameter values (r = 2 and f = 0.5), they report that their implementation can handle NBW with at most 8 states in less than 20 seconds [TV07].Figure 5: Automata size for which the median execution time to check universality is less than 20 seconds (log scale).See also Table 1.
Table 1: Automata size (NBW) for which the median execution time for checking universality is less than 20 seconds.The symbol ∝ means more than 1500.In Figure 6, we show the median execution time to check universality for relatively difficult instances (r = 2 and f vary from 0.3 to 0.7).The vertical scale is logarithmic, so the behavior is roughly exponential in the size of the automata.Similar analyzes are reported in [TV07] but for sizes below 10.
Finally, we give in Figure 7 the distribution of execution times for 100 automata of size 50 with r = 2.2 and f = 0.5, so that roughly half of the instances are universal.Each point represents one automaton, and one point lies outside the figure with an execution   time of 675s for a non universal automaton.The existence of very few instances that are very hard was often encountered in the experiments, and this is why we use the median for the execution times.If we except this hard instance, Figure 7 shows that universal automata (average time 350ms) are slightly easier to analyze than non-universal automata (average time 490ms).This probably comes from the fact that we stop the computation of the (greatest) fixed point whenever the initial state is not in the univ -closure of the current approximation.Indeed, in such case, since the approximations are univ -decreasing, we know that the initial state would also not lie in the fixed point.Of course, this optimization applies only for universal automata.

Language Inclusion for Büchi automata
Let A 1 = Loc 1 , ι 1 , Σ, δ 1 , α 1 and A 2 be two NBW defined on the same alphabet Σ for which we want to check language inclusion: L(A 1 ) ⊆ ?L(A 2 ).To solve this problem, we check emptiness of L(A 1 ) ∩ L c (A 2 ).As we have seen, we can use the Kupferman-Vardi and Miyano-Hayashi construction to specify a NBW A c 2 = Loc 2 , ι 2 , Σ, δ 2 , α 2 that accepts the complement of the language of A 2 .
Lemma 7.1.The relation inc is a simulation for B.
Proof.First, observe that equality is a simulation relation for A 1 .Then, the first condition of Definition 3.1 is a direct consequence of the fact that equality (resp.univ ) is a simulation relation for A 1 (resp.for A c 2 ), and that B = A 1 × A c 2 is the product of these automata.Second, it is easy to see that the sets β 1 and β 2 are inc -closed.
As a consequence of the last lemma, we know that all sets that we have to manipulate to solve the language inclusion problem using the fixed point F ′ B are inc -closed.The operators ∪, ∩ and Pre can be thus computed efficiently, using the same algorithms and data structures as for universality.In particular, let Pre inc σ (ℓ ′ 1 , ℓ ′ 2 ) = Pre A 1 σ (ℓ ′ 1 ) × Pre univ σ (ℓ ′ 2 ) where Pre univ σ is computed by Algorithm 2 (with input A 2 ).It is easy to show as a corollary of Theorem 5.4 that ↓Pre inc σ (ℓ ′ 1 , ℓ ′ 2 ) = Pre B σ (↓{(ℓ ′ 1 , ℓ ′ 2 )}).

Conclusion
We have shown that the prohibitive complementation constructions for nondeterministic Büchi automata can be avoided for solving classical problems like universality and language inclusion.Our approach is based on fixed points computation and the existence of simulation relations for the (exponential) constructions used in complementation of Büchi automata.Those simulations are used to dramatically reduce the amount of computations needed to decide classical problems.Their definition relies on the structure of the original automaton and do not require explicit complementation.
The resulting algorithms evaluate a fixed point formula and avoid redundant computations by maintaining sets of maximal elements according to the simulation relation.In practice, the computation of the predecessor operator, which is the key of the approach, is efficient because it is done on antichains of elements only.Even though the classical approaches (as well as ours) have the same worst case complexity, our prototype implementation outperforms those approaches where the structural properties of the complement automaton (witnessed by the existence of simulation relations) is not exploited.The huge gap of performances holds over the entire parameter space of the randomized model proposed by Tabakov and Vardi.Applications of this paper go beyond universality and language inclusion for NBW, as we have shown that the methodology applies to alternating Büchi automata for which efficient translations from LTL formula are known [GO01].Significant improvements in the modelchecking and satisfiability problem of LTL can be achieved with the same ideas [DDMR08b,DDMR08a].
Definition 2.1.An alternating Büchi automaton (ABW) is a tuple A = Loc, ι, Σ, δ, α where: • Loc is a finite set of states (or locations).The size of A is |A| = |Loc|; • ι ∈ Loc is the initial state; • Σ is a finite alphabet; • δ : Loc × Σ → B + (Loc) is the transition function where B + (Loc) is the set of positive boolean formulas over Loc, i.e. formulas built from elements in Loc ∪ {true, false} using the boolean connectives ∧ and ∨; • α ⊆ Loc is the set of accepting states.

Figure 2 :
Figure 2: Computing the predecessors of a -closed set.
4 and s 4 , o 4 alt s 2 , o 2 .Let us consider the case where o 1 = ∅.Then we have o 3 = ∅ by definition of alt and δ σ)} as s 3 puts less constraints than s 1 since s 3 ⊆ s 1 .A similar reasoning holds if o 1 = ∅.Second, let s 1 , o 1 ∈ α 2 and let s 2 , o 2 alt s 1 , o 1 .By definition of α 2 , we know that o 1 = ∅, and by definition of alt we have o 2 = ∅ and so s 2 , o 2 ∈ α 2 .

Figure 3 :
Figure 3: Median time to check universality of 100 automata of size 30 for each sample point.

Figure 6 :
Figure 6: Median time to check universality (of 100 automata for each sample point).

Figure 7 :
Figure 7: Execution time to check universality of 100 automata, 57 of which were universal.