LTL Translation Improvements in Spot

Spot is a library of model-checking algorithms. This paper focuses on the module translating LTL formulae into automata. We discuss improvements that have been implemented in the last four years, we show how Spot's translation competes on various benchmarks, and we give some insight into its implementation.


INTRODUCTION
One of the first steps of the automata-theoretic approach to model checking of linear-time properties (Vardi 1996(Vardi , 2007) ) is to translate the property to verify into an automaton.This automaton is then synchronized with a model of the system in order to find executions that invalidate the property.
The Spot library (Duret-Lutz and Poitrenaud 2004) offers algorithms to realize the above automatatheoretic approach.A salient feature of Spot is its preference for using Transition-based Generalized Büchi Automata instead of the more commonly used Büchi Automata.Section 2 explains the difference.
This paper contains experience feedback on the implementation of a translator of linear-time temporal logic (LTL) formulae into Büchi automata.Spot actually offers four translation procedures, and we shall only discuss the most efficient one, based on an algorithm by Couvreur (1999).We will often delve into technical details, because it is the various adjustments done before, inside, and after the translation algorithm that contribute to the quality of its output and to its efficiency.This paper accounts for 4 years of such development.Along the way, we report some errors that we have made and point some steps (like the degeneralization) that could probably be improved.We believe the insight we provide into the implementation of Spot should be helpful to anyone devising a translator.
We assume the reader is familiar with LTL (Clarke et al. 2000) and Binary Decision Diagrams (Bryant 1986), abbreviated as BDDs in the sequel.This paper is organized as follows.Section 2 defines Transition-based Generalized Büchi Automata as opposed to Büchi Automata.Section 3 presents the core of the translation algorithm, with an emphasis on the optimizations that are enabled by the use of BDDs.Finally section 4 starts by explaining how bad the version of Spot praised by Rozier and Vardi (2007) was, and continues with a potpourri of improvements that have been achieved since.
Throughout the paper, the reader is invited to play with the on-line version of the translator available at http://spot.lip6.fr/ltl2tgba.html.It has options for many optimizations discussed herein.

TWO KINDS OF BÜCHI AUTOMATA
AP is a set of atomic propositions, i.e., propositional variables that may be true or false in the system. 2 AP denotes the set of minterms (or assignments) over AP , and 2 2 AP interpreted as the set of sums of minterms denotes the Boolean formulae over AP .
Definition 1 A Büchi automaton is a tuple B = AP , Q, q 0 , F, δ where AP is a set of atomic propositions, Q is a finite set of states, q 0 ∈ Q is the initial state, F ⊆ Q is a set of acceptance states, and δ ⊆ Q × 2 2 AP × Q is a transition relation in which each transition is labeled by a Boolean formula.An infinite word c 0 c 1 c 2 . . .∈ (2 AP ) ω of assignments is accepted by B if there exists a run of A, say (q 0 , l 0 , q 1 )(q 1 , l 1 , q 2 )(q 2 , l 2 , q 3 ) . . .∈ δ ω , that recognizes the word (∀i, c i ∈ l i ) and that visits infinitely many acceptance states (∀i ≥ 0, ∃j ≥ i, q j ∈ F).Definition 2 A Transition-based Generalized Büchi Automaton (TGBA) is a Büchi automaton in which multiple acceptance conditions are carried by the transitions.It can be defined as a tuple T = AP , Q, q 0 , F, δ where AP is a set of atomic propositions, Q is a finite set of states, q 0 ∈ Q is the initial state, F = {f 1 , f 2 , . . ., f n } is a finite set of elements called acceptance conditions, δ ⊆ Q × 2 2 AP × 2 F × Q is a transition relation in which each transition is labeled by a Boolean formula and a set of acceptance conditions.An infinite word c 0 c 1 c 2 . . .∈ (2 AP ) ω of assignments is accepted by T if there exists a run of A, say (q 0 , l 0 , F 0 , q 1 )(q 1 , l 1 , F 1 , q 2 )(q 2 , l 2 , F 2 , q 3 ) . . .∈ δ ω , that recognizes the word (∀i, c i ∈ l i ) and that visits each acceptance condition infinitely often (∀f ∈ F, ∀i ≥ 0, ∃j ≥ i, f ∈ F j ).
Fig. 1 illustrates these definitions with two automata that recognize the LTL property: G F a ∧ G F b.The infinite sequence a:1 0 0 1 0 0 1 0 0 ... b: 0 0 1 0 0 1 0 0 1 ... will be accepted by T 1 because it visits the top and right loops infinitely often, therefore all acceptance conditions are seen infinitely often.Similarly this sequence visits the only acceptance state of B 1 infinitely often.
Spot is built around the concept of TGBA, and is able to perform the entire model-checking approach with these automata.However most other modelchecking tools use Büchi automata.Spot can therefore degeneralize TGBAs into Büchi automata using an operation discussed in Section 4.2.2.
In the rest of the paper, we will often name the states of automata with the LTL formula they recognize.These extra annotations have no influence on the behavior of the automata.

OVERVIEW OF THE TRANSLATION
The algorithm of Couvreur (1999) for the translation of LTL automata into TGBA is based on a tableau method.Although the following explanations are selfcontained, we refer the reader to Duret-Lutz and Poitrenaud (2004) for an illustration of this algorithm as a tableau that can be used to build generalized Büchi automata with state-based or transition-based acceptance conditions.Here we shall present the algorithm at a lower level to explain how the use of BDDs helps the translation.
To put this algorithm in context, the complete translation procedure to go from LTL to a Büchi Automaton can be presented as four steps: 1. Simplify the LTL formula syntactically (we shall discuss this Section 4.2).E.g., rewrite F F a (a 3-state automaton) into F a (2 states).
2. Translate the simplified formula into a TGBA using the algorithm presented in this section.3. Simplify the TGBA, e.g., by removing redundant acceptance conditions and terminal strongly connected components that are not accepting.4. Degeneralize the TGBA into a Büchi automaton, if desired, as discussed in section 4.2.2.
An final step could be to simplify the Büchi automaton, e.g., with simulation-based reductions (Etessami et al. 2001).We do not discuss this option because its implementation in Spot is a work in progress and the results are already good without it.

Basic Translation
If you omit BDDs, the procedure is simple enough to be performed by hand on a paper or blackboard 1 .The algorithm generates an automaton whose states corresponds to LTL formulae.The initial state is the formula to translate.This formula is then rewritten as a sum of products where the only temporal operator allowed at the top level is X.
For instance if we were to translate Reading this formula, it is clear that if your are in a state that must recognize Ψ 1 , then you should either accept an assignment compatible with ¬a and verify a at the next step, or accept an assignment compatible with b and then verify a ∧ (b U ¬a) at the next step.
The start of the automaton is thus as follows: The procedure should then be applied similarly on the new states.There is little subtlety that has to be taken into account when translating the ϕ U ψ operator: the formula ψ must occur eventually, it cannot be postponed infinitely.This is solved in the translation by expliciting a promise to fulfil ψ while rewriting the formula.The actual rewriting rule used  for U is: ϕ U ψ = ψ ∨ (ϕ ∧ X(ϕ U ψ) ∧ P ψ), with the operator P denoting an explicit promise.
All these formulae can be simplified using classical Boolean rules like (α ∧ β) ∨ α = α to kill some terms (even X ϕ or P ϕ).This is where using BDD really helps.The core of the translation is the rewriting function r(f ) defined recursively as in Fig. 2. Var[p], Nxt[f ], P[f ], are BDD variables created as needed to represent respectively atomic propositions, X f formulae, and promises.Applying r on our example, we obtain: This BDD is then massaged into a sum of products: Which corresponds to: There are several ways to turn a BDD into a sum of products, but because each term of the sum corresponds to a transition in the automaton, redundant terms should be avoided.We use an algorithm from Minato (1992) to that effect.(1999) to translate an LTL formula f into a TGBA.The function r(here) is defined on Fig. 2.
The complete translation is shown on Fig. 3.This automaton is still not a TGBA because it uses promises instead of Büchi acceptance conditions.To guarantee that a promise holds, the accepted runs of the automaton should never make promises continuously: in other words for each promise P ϕ, accepted runs should visit infinitely many transitions that do not make such a promise.2This can be encoded as a TGBA by labelling all transitions that do not make promise P ϕ by an acceptance condition associated to ϕ.3There will be as many acceptance conditions as promises.Fig. 4 shows the final TGBA.
The pseudo-code for the complete translation algorithm is shown on Fig. 5.
At this point it should be clear that the use of BDDs simplifies every Boolean formulae that label transitions.For instance we cannot have a transition labelled by b∧a∧¬b because such a conjunction would be simplified by the BDD representation. 4Similarly the conversion of the BDD into an irredundant sum with some obvious redundancy.On the other hand the corresponding BDD rewriting will be simplified ing only the two successors (¬a) ∧ (¬b) ∧ (¬c) and

Using r to Identify States
A powerful BDD-based optimization is to use the r function to identify some equivalent formulae.
Because BDDs have a unique representation, we have that r(ϕ) = r(ψ) =⇒ ϕ = ψ.The converse does not hold because two equivalent subformulae prefixed with X might be represented by different Nxt[] variables.Graphically, r(ϕ) encodes the outgoing transitions (labels, promises, and destinations) of the state ψ, so r(ϕ) = r(ψ) means that the states ϕ and ψ have the same successors and can be merged.

Such a reduction occurs when translating
The result of r(G F a) implies that G F a should have two successors G F a and (F a)∧G F a as shown in the first automaton of Fig. 6.However r((F a) ∧ G F a) = r(G F a) so these states can be merged.
One way to implement this reduction automatically is to index the states of the automata by the BDD r(ϕ) instead of by the LTL formula ϕ (the pseudo-code from Fig. 5 does not perform this reduction).

Better Determinism
The determinism of the automata from Fig. 6 can be improved using a trick based on the BDD representation of states.Instead of converting the equation into a sum of products to discover the labels and destination, we can instead fix one label to discover its destination(s).
Where shall we go if we read a?
Where shall we go if we read ¬a?
These equations show that all instances of in Fig. 6 can be replaced by ¬a, yielding two deterministic automata.
In an automaton over n atomic propositions (Var[a], Var[b],. . .), there are 2 n labels to consider.However the structure of the BDD encoding the formula helps to ignore useless labels; and in real-world formulae n is usually small enough so that the slowdown incurred by this enumeration is not perceptible.
An automaton constructed this way is usually more deterministic, but it is not necessarily a deterministic automaton.The result of r(ϕ)∧A for some A could have a disjunction, i.e., multiple destinations.
In an experiment we translated 96 LTL formulae taken from the literature with and without this optimization.The resulting automata were then synchronized with random state spaces to measure the effect of the improved determinism.With this technique the number of transitions in the product was reduced by 40%, and the number of states by only 0.33%.

FROM SPOT-0.4 TO SPOT-0.7.1
We now review how this translation has been improved over the last four years.

Better Data Structures
Rozier and Vardi (2007) compared 9 LTL translators, on various families of LTL formulae.
From this description it should be clear that the smallest automaton that can recognize C n is a deterministic loop with n2 n states and as many transitions.Fig. 7 shows this automaton for C 3 .Any translator that constructs such an automaton explicitly will have a runtime that is worse than exponential in n.Rozier and Vardi (2007) show graphs comparing how fast the runtime of each translator grows: few tools passed n = 8.Although the Spot runtime was low compared to other tools (even symbolic) they stopped using Spot after n = 9 because it generated an incorrect automaton for C 10 .
Investigating this bug 6 and playing with C n revealed that Spot's implementation of LTL formulae and its implementation of automata were suboptimal.The effect of the subsequent fixes can been seen on figure 8: spot-0.4 is the version used by Rozier and Vardi, while spot-0.5 is an improved version that is 5 times faster: only the formulae and automata implementation were changed, the translation algorithm is the same.ltl2ba-1.1 (Gastin and Oddoux 2001) is shown for comparison, and other tools are usually off the scale: for instance spin-6.1.0will take more that 11 hours to translate the formula C 1 describing a 2-state automaton 7 .
6 It was a typo in the comparison function used to distinguish two LTL formulae that have the same hash value: a constant '1' (one) was used instead of the variable 'l' (lowercase L), but the two characters were indistinguishable on screen!C 10 was the first formula with enough sub-formulae to trigger a hash conflict. 7The automaton built by spin-6.1.0for C 1 actually has 33 states and 447 transitions, many of them using unsatisfiable guards such as "((!b) && (a) && (b))".
In Spot, LTL formulae are represented as "abstract syntax DAGs", i.e., identical subformulae are represented only once, as in Fig. 9.For commutative operators, the operands are systematically reordered8 so that we can easily detect that a ∧ X(b) is equal to X(b) ∧ a. Sharing of subformulae also work across multiple formulae.The uniqueness of each subformula helps to speed up algorithms that may use a cache as they traverse formulae.However this setup requires that each subformula in the pool be reference counted.The first issue in spot-0.4 was how this reference counting worked: the counter of each node recorded the number of each subformula using this node.This meant that every time a formula was cloned or destroyed, we had to recurse its entire DAG to increment or decrement the counters of each node... "27%" of the time of the translation of C 8 was spent dealing with counters.The obvious fix was to count only the number of direct parents of a node, and this code ran no more than "0.01%" of the time.
The second problem was in the interface used to construct Büchi automata as explicit graphs.The definition of a Büchi automaton does not specify how to represent the elements of Q, i.e., what is the identity of a state.Is it an integer?Is it a name?When reading an automaton from a file written by hand, we want to allow any string.When implementing an LTL translation such as the one described in section 3, it is tempting to label states with the LTL formula they represent: it helps reading the automaton.The states of explicit graphs in spot-0.4were referenced by strings to accommodate all these needs.The translation algorithm was therefore wasting a lot of time just converting LTL formulae into strings to designate states.A new kind of graph with states labeled by pointers to LTL formula objects yielded the most part of the improvement shown on Fig. 8.

LTL Simplification Improvements and Better Degeneralization
After the release of Spot 0.5, we were contacted by Rüdiger Ehlers who was trying to use ltl2ba and Spot with various options to translate an LTL formulae and keep only the smallest automata (in term of states) produced by any tool.His goal was to later minimize these automata even more using a technique that could easily take hours (Ehlers and Finkbeiner 2010), so it made sense to try a few tools to find the smallest candidate first.
The benchmark consists in 92 LTL formulae: • 55 formulae from Dwyer et al. (1998), • 25 formulae from Somenzi and Bloem (2000) -their paper shows 27 formulae but two of them were ignored because they are already the negations of other formulae in the list, • 12 formulae from Etessami and Holzmann (2000).
With their negations this makes a total of 184 formulae.Table 1 shows how much time each translator was better than the other on these 184 formulae.For instance comparing "spot-0.5 (1)" with "ltl2ba-1.1"we can see ltl2ba-1.1 produced automata strictly smaller than spot-0.5 for 80 formulae, while spot-0.5 was strictly better in 23 cases.
The numbers (1) and (2) refer to different reductions performed on the LTL formulae before translation.
implications 9 like "if ϕ ⇒ ψ then ϕ U ψ = ψ", and rewritings based on the concept pure eventualities and purely universal formulae like "if ψ is a pure eventuality then ϕ U ψ = ψ"10 .ltl2ba-1.1 includes similar rules, except that pure eventualities and purely universal formulae are handled with a less general set of rewritings.11 In case (2), a stronger set of rules based on language containment are used to replace the syntactic implications checks.In this setup, checking that ϕ ⇒ ψ involves translating ϕ and ¬ψ into automata, and checking whether their product is empty: 12 These operations have to be performed on many subformulae of the formula to simplify so this is a costly simplification.
But have found that the runtime is usually acceptable as the automata involved when translating formulae used in verification are usually small.The initial set of rewriting rules based on language containment comes from Tauriainen (2006, section 5.3), but we extended these as in Table 2 so they would catch more patterns to reduce.The simplification described for (1) are still performed, but languagecontainment rules are able to catch a few more simplifications that were not detected syntactically.
A typical formula that rules (1) are not able to simplify The extended language containment rules from Table 2 reduces The reduction this entails on the automaton is welcome: ϕ 1 is translated by Spot into a Büchi automaton with 25 states, while ϕ 2 needs only 5 states.
Simplification rules based on language containment.
After translating the simplified formula into a generalized Büchi automaton, both Spot and ltl2ba perform a pass of automaton simplification based on the elimination of maximal strongly connected components that are terminal and non-accepting.The degeneralization of this automaton into a Büchi automaton follows.
Looking at the formulae for which Spot fared worse than ltl2ba in Table 1 we were able to make three improvements, included in spot-0.6.The first two changes were enough to bring Spot up to the point were only one formula was translated worse than ltl2ba.The third change improved the number of case where Spot was producing smaller automata.

A Harmful Rewriting Rule
The first correction is quite simple.In the set of rewriting rules chosen to reduce the size of the automaton produced by the Wring tool, Somenzi and Bloem (2000) give this one (applied from left to right): It might be true that Wring performs better on the right formula, but this is generally wrong for Spot.This rule had to be disabled.Intuitively, this rule is dubious because F(ϕ ∧ G F(ψ)) appears less complex to translate.Translating F Φ is just a matter of creating an initial state that accepts any letter for a finite number of step, and non-deterministically jumps into a state that will recognize Φ when a letter matching the beginning of Φ is found.Translating a formula such as (F ϕ) ∧ G F ψ is harder because in the initial state you have four choices to consider: either the input can be the start of ϕ, or it is the start of ψ, or it is both, or it is none.When ϕ and ψ are atomic propositions as in Fig. 10, these four cases can be reduced to three.It turns out that on the automaton A 2 from Fig. 10 the states (F a)∧G F b and This rewriting rule also prevented other useful rules to apply.E.g., spot-0.5 would rewrite the formula is easier to translate for similar reasons.
In spot-0.6 (and also the current spot-0.7.1) this harmful rewriting rule is simply disabled, but from the above discussion it sounds like it would be better to apply it in the opposite direction, trying to gather as much terms as possible after the F. We are currently overhauling the entire rewriting module in order to improve it, and plan to make a more systematic study of each rule we apply.Applying a rewriting rule because it has been used in another tool is not a good justification: the rule might be favorable to the other tool but not yours.

Better Degeneralization
A degeneralization algorithm takes a generalized automaton with n states and m acceptance conditions, and produces a Büchi automaton with a single acceptance condition and at most n(m + 1) states.The classical algorithm used to transform Generalized Büchi Automata into Büchi automata (Clarke et al. 2000, section 9.2.2) can be adapted to transform TGBA into Büchi automata (Giannakopoulou and Lerda 2002;Gastin and Oddoux 2001) as follows.
If T = AP , Q, q 0 , F, δ is a TGBA with m acceptance conditions F = {f 1 , f 2 , . . ., f m }, then an equivalent Büchi automaton T = AP , Q , q 0 , F , δ can be constructed as follows: , for each level j < m the outgoing transitions that carry f j+1 are redirected to the next level and all outgoing transitions from the last level are redirected to the first one.
• q 0 = q 0 × {0} the initial state is on the first level (but any other level would also be correct).
This setup guarantees that any accepting path in the degeneralized automaton will correspond to an infinite path that sees all acceptance conditions infinitely often in the original automaton.The classical optimization is to "jump levels", i.e., when a transition from level i < m carries acceptance conditions f i+1 , f i+2 , and f i+3 , it can be redirected to the level i + 3.This corresponds to the following redefinition of The automaton B 1 from Fig. 1 was degeneralized from T 1 with this definition, in the order f 1 = , f 2 = , and setting the initial state in the last level.
This degeneralization procedure offers m! possible ways to order the acceptance conditions, and there are m+1 possible levels on which the initial state can be located.Changing these parameter might make states from Q × {0, . . ., m} unreachable, and can thus reduce the automaton.For one TGBA, we therefore have m!(m + 1) possible degeneralizations using only this definition.
In Spot, the acceptance conditions labeling each transitions are stored as BDDs13 and the order used by the degeneralization algorithm is related to the order in which the corresponding BDD variables were declared.This order is in turn related to the order in which the LTL formula was recursively traversed by the translation algorithm.In ltl2ba, this order is that of the states of the alternating automaton is that constructed recursively from the LTL formula.So in both cases, the order used is tied to the syntax tree/DAG of the LTL formula.It so turns out that the order used in spot-0.5 was usually the reverse of the order used in ltl2ba, and was unfavorable.Simply reversing that order, is responsible the largest part of the improvements observed between spot-0.5 and spot-0.6 on Table 1.This reversed order corresponds to expecting the acceptance conditions associated to a formula φ before expecting the acceptance condition associated to subformulae of φ.For instance when translating the formula G F(a∧G F(b∧G F c)) there will be acceptance conditions associated to a ∧ G F(b ∧ G F c), b ∧ G F c and c and they should be expected in this order during the degeneralization.
We are currently investigating how choosing different orders may improve the degeneralization and it seems that the above heuristic is usually better.The choice of the level for the initial state is another parameter that we have yet to explore.Oddoux (2003, section 6.1.2) mentions another kind of degeralization in which the acceptance conditions can be taken in any order and where each state of degeneralized automaton has to retain the set of all acceptance conditions that are waited for.This can potentially multiply the size of the original automaton with 2 m if m acceptance conditions are used.But this might be worth a try when m is very small.Another optimization that was included in spot-0.6 to improve its degeneralization is the "pulling of acceptance conditions".When all the outgoing transition of a state s have a set Y of acceptance conditions in common, this set can be added to the acceptance conditions of all the incoming transitions.This is correct because if a run of traverses s it will necessarily see all acceptance conditions from Y ; it makes no difference if its sees them twice.
Finally the only formula of this benchmark for which ltl2ba-1.1 produces an automata with less states than spot-0.6 in Table 1 ). ltl2ba-1.1 gives a Büchi automaton with 10 states and 336 transitions, while spot-0.6produces 11 states and 260 transitions. 14In this extraordinary case, disabling the SCC-based simplifications will actually help the degeneralization algorithm, and Spot will produce an automaton with 10 states and 244 transitions.

More LTL Operators: W and M
The changes described in sections 4.2.1 and 4.2.2 were enough to let Spot-0.6 (2) produce automata that were smaller that ltl2ba's in 50 cases.11 more cases were won by adding support for the W and M operators, even if they are not used in the formulae... 14 When counting transitions in an automaton over the atomic propositions {p, q, r, s} an arc labeled by p is counted for 8 transitions because there are 8 different configurations of the atomic propositions (pqrs, pqrs, pqrs, . ..) that satisfy formula p. a M b is the strong release operator : a has to hold until a ∧ b hold, and the latter is will occur eventually.

LTL Translation Improvements in
These operators do not add expressive power: when is less intuitive, the second rewriting is actually a better choice, because it translates into a smaller automaton (Fig. 11).An even better choise, if the R operator is available, is to write b R(a ∨ b).Similarly, a M b can be rewritten in many ways: The translation rule for W is the same as that for U except that no promise is made (hence no acceptance condition is output), and conversely the rule for a M b is the same as R with the promise of a.
The weak until operator can be used to express properties such as ϕ becomes true before ψ or The 11 formulae for which the translation was improved correspond to formulae of Dwyer et al. (1998) in which the ϕ U(ψ ∨ G ϕ) idiom was used.
Rewriting these using W helped the translation since it did not have to deal with promises associated to U.

Reaching the Minimum
Cicho ń et al. ( 2009) studied several classes of LTL formulae for which they calculated the size (in states) of the minimal Büchi automaton that could represent the property.They compared the output of spot-0.4 and ltl2ba-1.1,neither of which was able translate all formulae efficiently.Sometimes they would take too long, sometimes they would produce automata larger than necessary.
Here are four families of formulae they evaluated on both tools for n ranging from 1 to 20: n occurences of p ∧ F(q ∧ X(q ∧ X(q ∧ . ..)) The minimal Büchi automaton for α n has (n + 1) 2 states.ltlba-1.1 and spot-0.4both manage to produce it, but they take a lot of time.In their experiment ltl2ba-1.1 took 14 hours to translate α 19 (they did not try α 20 ) while spot-0.4took 6 seconds to translate α 20 .But 6 seconds are a lot for such a formula: spot-0.7.1 takes less than 0.01 second.
The minimal Büchi automaton for β n also has (n+1) 2 states, but a lot more transitions.Neither ltl2ba-1.1 nor spot-0.4 were able to produce the smallest automata for n > 1.For β 20 the minimal automaton has 441 states; ltl2ba-1.1 produced an automaton of 1164 states in 21 seconds while spot-0.4produced 1237 states in about 12 minutes.
ϕ n did not cause any problem with either tools.The minimal automaton were produced by both tools instantaneously.
The worse formula was ψ n although both tools manage to build the minimal automaton (with n + 1 states), they have to deal with an exponential number of transitions.ltl2ba took more that 3 hours to translate ψ 11 while spot-0.4took 20 minutes for ψ 18 and subsequently died on ψ 19 (out-of-memory?).
We are happy to report that spot-0.7.1 is able to run this entire benchmark (the four families with n ranging from 1 to 20) in less than 15 minutes and always produces Büchi automata with the minimal number of states.The necessary fixes are those described in section 4.2, but running this benchmark on spot-0.6 revealed that the "pulling of acceptance conditions" could use a cache to avoid a quadratic behavior 16 .This cache was added in spot-0.7.1.

WDBA Minimization
It is well known that not all Büchi automata are determinizable (Vardi 1996, prop. 8).There is a subclass of properties that can be represented by Weak Deterministic Büchi Automata (WDBA), and for which there exists an algorithm to compute the minimal WDBA recognizing the property in a way that is comparable to the minimization of deterministic finite automata (Löding 2001).This class corresponds to the "obligations" in the temporal hierarchy of Manna and Pnueli (1990)  and third numbers give the number of states and transitions17 of the automaton produced by Spot (with formula simplifications and SCC simplifications turned on), while the fourth and fifth numbers show the number of states and transitions with an additional WDBA minimization step.
We can observe that some minimized automata have more transitions: this is because their structure changed when they were determinized.Even though they have the same number of states as the nonminimized automaton, the states do not accept the same language.There is even one case (formula 36) where the minimized automaton got one more state.
In only two cases (formulae 31 and 35) the minimization actually removed states in addition to making the automata deterministic.

CONCLUSION
We have presented the main improvements realized in the LTL translation module of Spot between versions 0.4 and 0.7.1, both in the size of the produced automata and in the time it takes to generate them.We also gave insight into its implementation and explained why using BDDs during the translation actually allows many reduction.
It has been argued (Cicho ń et al. 2009;Tsay et al. 2011) that rather than optimizing an algorithm to try to produce the best automata always, it would be useful to create a database of optimal automata for commonly used formulae.However different uses may call for different definition of optimal automaton.
In the context of model-checking, one usually wants to reduce the size of product of the property with the system, and translating the property into a small automaton that is the most deterministic possible usually helps (Sebastiani and Tonetta 2003).In the context of synthesis of reactive systems Ehlers and Finkbeiner (2010) prefer to minimize the number of states at the expense of determinism.
Also different kinds of automata can be used for verification: model checking with TGBA is usually better than model checking with Büchi automata when the formula incur a lot of acceptance conditions (Couvreur et al. 2005).Using testing automata also appears promising (Geldenhuys and Hansen 2006;Ben Salem et al. 2011).A database should therefore not be limited to Büchi automata.
While we agree such a database could indeed be useful, we still believe that it is important to have a translation that is efficient and versatile enough to be tuned to the needs of a particular situation.52 ¬((G q) ∨ (q U(q ∧ ((F(s ∧ X F t)) → (s U p))))) 5 320 ¬(G((q ∧ F r) → (p → (r U(s ∧ r ∧ z ∧ X((r ∧ z) U t)))) U r)) Table 3: Size of (degeneralized) Büchi automata produced by spot-0.7.1 before and after WDBA minimization.
For the interested reader, the Büchi Store project (Tsay et al. 2011) is a database of formulae associated to representative Büchi automata, where users can submit better automata.In February 2011, we downloaded their list of formulae and automata for benchmarking purpose.Out of the 322 formulae involving only future-time LTL operators Spot was able to produce smaller automata in 52 cases, and bigger automata in 21 cases (in this comparison, the number of transitions was used to compare automata with equal number of states).We have yet to submit our automata for these 52 cases.

Figure 2 :
Figure 2: Rewriting rules to translate an LTL formula into a BDD.LTL patterns are in blue, BDD variables and operations in red.

Figure 6 :
Figure 6: Two translations of G F a. Since r(G F a) = r((F a) ∧ G F a) the two states of the first automaton can be merged, yielding the second automaton.

Figure 9 :
Figure 9: An abstract syntax DAG for the formula C3.The letters L and R are used to distinguish left and right operands of non-commutative binary operators.

Figure 10 :
Figure 10: Paper-and-pen translations into TGBA of F(a ∧ G F b) and (F a) ∧ G F b.

Figure 11 :
Figure 11: Four formulae equivalent to a W b and their corresponding automata.When the W and R operators are not available, a U(b ∨ G a) is easier to translate.