Results 1-10 of 54
Alternating-time Temporal Logic
Journal of the ACM, 1997
Cited by 616 (55 self)
Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternating-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas.
Synthesizing Distributed Systems
2001
Cited by 64 (1 self)
In system synthesis, we transform a specification into a system that is guaranteed to satisfy the specification. When the system is distributed, the goal is to construct the system's underlying processes. Results on multi-player games imply that the synthesis problem for linear specifications is undecidable for general architectures, and is nonelementary decidable for hierarchical architectures, where the processes are linearly ordered and information among them flows in one direction. In this paper we present a significant extension of this result. We handle both linear and branching specifications, and we show that a sufficient condition for decidability of the synthesis problem is a linear or cyclic order among the processes, in which information flows in either one or both directions. We also allow the processes to have internal hidden variables, and we consider communications with and without delay. Many practical applications fall into this class.
Optimizations for LTL synthesis
In 6th Conference on Formal Methods in Computer Aided Design (FMCAD'06), 2006
Cited by 56 (10 self)
We present an approach to automatic synthesis of specifications given in Linear Time Logic. The approach is based on a translation through universal co-Büchi tree automata and alternating weak tree automata [1]. By careful optimization of all intermediate automata, we achieve a major improvement in performance. We present several optimization techniques for alternating tree automata, including a game-based approximation to language emptiness and a simulation-based optimization. Furthermore, we use an incremental algorithm to compute the emptiness of nondeterministic Büchi tree automata. All our optimizations are computed in time polynomial in the size of the automaton on which they are computed. We have applied our implementation to several examples and show a significant improvement over the straightforward implementation. Although our examples are still small, this work constitutes the first implementation of a synthesis algorithm for full LTL. We believe that the optimizations discussed here form an important step towards making LTL synthesis practical.
Deterministic Generators and Games for LTL Fragments
ACM Trans. Comput. Log., 2001
Cited by 42 (2 self)
Deciding infinite two-player games on finite graphs with the winning condition specified by a linear temporal logic (LTL) formula is known to be 2EXPTIME-complete. In this paper, we identify LTL fragments of lower complexity. Solving LTL games typically involves a doubly-exponential translation from LTL formulas to deterministic ω-automata. First, we show that the longest distance (length of the longest simple path) of the generator is also an important parameter, by giving an O(d log n)-space procedure to solve a Büchi game on a graph with n vertices and longest distance d. Then, for the LTL fragment with only eventualities and conjunctions, we provide a translation to deterministic generators of exponential size and linear longest distance, show both of these bounds to be optimal, and prove the corresponding games to be PSPACE-complete. Introducing next modalities in this fragment, we provide a translation to deterministic generators still of exponential size but also with exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be EXPTIME-complete. For the fragment resulting by further adding disjunctions, we provide a translation to deterministic generators of doubly-exponential size and exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be EXPSPACE. Finally, we show tightness of the double-exponential bound on the size as well as the longest distance for deterministic generators for LTL even in the absence of next and until modalities.
This research was partially supported by NSF Career award CCR9734115, NSF award CCR9970925, SRC award 99TJ688, and an Alfred P. Sloan Faculty Fellowship. † Partially supported by the M.U.R.S.T. in the framework of project TO...
Bounded synthesis
2007
Cited by 41 (9 self)
The bounded synthesis problem is to construct an implementation that satisfies a given temporal specification and a given bound on the number of states. We present a solution to the bounded synthesis problem for linear-time temporal logic (LTL), based on a novel emptiness-preserving translation from LTL to safety tree automata. For distributed architectures, where standard unbounded synthesis is in general undecidable, we show that bounded synthesis can be reduced to a SAT problem. As a result, we obtain an effective algorithm for bounded synthesis from LTL specifications in arbitrary architectures. By iteratively increasing the bound, our construction can also be used as a semi-decision procedure for the unbounded synthesis problem.
Rectangular Hybrid Games
In CONCUR 99, LNCS 1664, 1999
Cited by 40 (4 self)
In order to study control problems for hybrid systems, we generalize hybrid automata to hybrid games, say, controller vs. plant. If we specify the continuous dynamics by constant lower and upper bounds, we obtain rectangular games. We show that for rectangular games with objectives expressed in LTL (linear temporal logic), the winning states for each player can be computed, and winning strategies can be synthesized. Our result is sharp, as already reachability is undecidable for generalizations of rectangular systems, and optimal: singly exponential in the size of the game structure and doubly exponential in the size of the LTL objective. Our proof systematically generalizes the theory of hybrid systems from automata (single-player structures) [9] to games (multi-player structures): we show that the successively more general infinite-state classes of timed, 2D rectangular, and rectangular games induce successively weaker, but still finite, quotient structures called game bisimilarity, game similarity, and game trace equivalence. These quotients can be used, in particular, to solve the LTL control problem.
Anzu: A tool for property synthesis
In CAV, 2007
Cited by 33 (4 self)
We present the tool ANZU. ANZU takes a formal specification of a design and generates a functionally correct system if one exists. The specification is given as a set of linear temporal logic (LTL) formulas belonging to the class of generalized reactivity of rank 1. Such formulas cover the majority of the formulas used in practice. ANZU is an implementation of the symbolic reactive(1) approach to synthesis by Piterman, Pnueli, and Sa'ar. If the specification is realizable, ANZU provides the user with a Verilog module that represents a correct finite-state system.
From Verification to Control: Dynamic Programs for Omega-regular Objectives
2001
Cited by 31 (4 self)
Dynamic programs, or fixpoint iteration schemes, are useful for solving many problems on state spaces, including model checking on Kripke structures ("verification"), computing shortest paths on weighted graphs ("optimization"), and computing the value of games played on game graphs ("control"). For Kripke structures, a rich fixpoint theory is available in the form of the μ-calculus. Yet few connections have been made between different interpretations of fixpoint algorithms. We study the question of when a particular fixpoint iteration scheme φ for verifying an ω-regular property on a Kripke structure can be used also for solving a two-player game on a game graph with winning objective. We provide a sufficient and necessary criterion for the answer to be affirmative in the form of an extremal-model theorem for games: under a game interpretation, the dynamic program φ solves the game with objective if and only if both (1) under an existential interpretation on Kripke structures, φ is equivalent to ∃, and (2) under a universal interpretation on Kripke structures, φ is equivalent to ∀. In other words, φ is correct on all two-player game graphs iff it is correct on all extremal game graphs, where one or the other player has no choice of moves. The theorem generalizes to quantitative interpretations, where it connects two-player games with costs to weighted graphs. While the standard translations from ω-regular properties to the μ-calculus violate (1) or (2), we give a translation that satisfies both conditions. Our construction, therefore, yields fixpoint iteration schemes that can be uniformly applied on Kripke structures, weighted graphs, game graphs, and game graphs with costs, in order to meet or optimize a given ω-regular objective.
Synthesis with incomplete information
In Advances in Temporal Logic, 2000
Cited by 31 (7 self)
In program synthesis, we transform a specification into a system that is guaranteed to satisfy the specification. When the system is open, then at each moment it reads input signals and writes output signals, which depend on the input signals and the history of the computation so far. The specification considers all possible input sequences. Thus, if the specification is linear, it should hold in every computation generated by the interaction, and if the specification is branching, it should hold in the tree that embodies all possible input sequences. Often, the system cannot read all the input signals generated by its environment. For example, in a distributed setting, it might be that each process can read input signals of only part of the underlying processes. Then, we should transform a specification into a system whose output depends only on the readable parts of the input signals and the history of the computation. This is called synthesis with incomplete information. In this work we solve the problem of synthesis with incomplete information in its full generality. We consider linear and branching settings with complete and incomplete information. We claim that alternation is a suitable and helpful mechanism for coping with incomplete information. Using alternating tree automata, we show that incomplete information does not make the synthesis problem more complex, in both the linear and the branching paradigm. In particular, we prove that independently of the presence of incomplete information, the synthesis problems for CTL and CTL* are complete for EXPTIME and 2EXPTIME, respectively.
Synthesis from Component Libraries
Cited by 29 (4 self)
Synthesis is the automated construction of a system from its specification. In the classical temporal synthesis algorithms, it is always assumed the system is "constructed from scratch" rather than "composed" from reusable components. This, of course, rarely happens in real life. In real life, almost every non-trivial commercial system, whether hardware or software, relies heavily on using libraries of reusable components. Furthermore, other contexts, such as web-service orchestration, can be modeled as synthesis of a system from a library of components. In this work we define and study the problem of LTL synthesis from libraries of reusable components. We define two notions of composition: data-flow composition, for which we prove the problem is undecidable, and control-flow composition, for which we prove the problem is 2EXPTIME-complete. As a side benefit we derive an explicit characterization of the information needed by the synthesizer on the underlying components. This characterization can be used as a specification formalism between component providers and integrators.