Results 1-10 of 109
Alternating-time Temporal Logic
Journal of the ACM, 1997
Abstract

Cited by 608 (53 self)
Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternating-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas.
Verifying aspect advice modularly
 In FSE ’04
Abstract

Cited by 63 (1 self)
Aspect-oriented programming has become an increasingly important means of expressing crosscutting program abstractions. Despite this, aspects lack support for computer-aided verification. We present a technique for verifying aspect-oriented programs (expressed as state machines). Our technique assumes that the set of pointcut designators is known statically, but that the actual advice can vary. This calls for a modular technique that does not require repeated analysis of the entire system every time a developer changes advice. We present such an analysis, addressing several subtleties that arise. We also present an important optimization for handling multiple pointcut designators. We have implemented a prototype verifier and applied it to some simple but interesting cases.
Strategy Logic
2007
Abstract

Cited by 48 (2 self)
We introduce strategy logic, a logic that treats strategies in two-player games as explicit first-order objects. The explicit treatment of strategies allows us to handle non-zero-sum games in a convenient and simple way. We show that the one-alternation fragment of strategy logic is strong enough to express Nash equilibrium, secure equilibria, as well as other logics that were introduced to reason about games, such as ATL, ATL*, and game logic. We show that strategy logic is decidable, by constructing tree automata that recognize sets of strategies. While for the general logic, our decision procedure is non-elementary, for the simple fragment that is used above we show that complexity is polynomial in the size of the game graph and optimal in the formula (ranging between 2EXPTIME and polynomial depending on the exact formulas).
The Common Fragment of CTL and LTL
In IEEE Symposium on Foundations of Computer Science, 2000
Abstract

Cited by 46 (1 self)
It is well-known that CTL and LTL have incomparable expressive power. In this paper, we give an inductive definition of those ACTL formulas that can be expressed in LTL. In addition, we obtain a procedure to decide whether an ACTL formula lies in LTL, and show that this problem is PSPACE-complete. By omitting path quantifiers, we get an inductive definition of the LTL formulas expressible in ACTL. We can show that the fragment defined by our logic represents exactly those LTL formulas the negation of which can be represented by a 1-weak Büchi automaton and that for this fragment, the representing automaton can be chosen to be of size linear in the size of the formula.
Module checking revisited
In Proc. 9th CAV, LNCS 1254, 1997
Abstract

Cited by 44 (6 self)
When we verify the correctness of an open system with respect to a desired requirement, we should take into consideration the different environments with which the system may interact. Each environment induces a different behavior of the system, and we want all these behaviors to satisfy the requirement. Module checking is an algorithmic method that checks, given an open system (modeled as a finite structure) and a desired requirement (specified by a temporal-logic formula), whether the open system satisfies the requirement with respect to all environments. In this paper we extend the module-checking method with respect to two orthogonal issues. Both issues concern the fact that often we are not interested in satisfaction of the requirement with respect to all environments, but only with respect to those that meet some restriction. We consider the case where the environment has incomplete information about the system; i.e., when the system has internal variables, which are not readable by its environment, and the case where some assumptions are known about the environment; i.e., when the system is guaranteed to satisfy the requirement only when its environment satisfies certain assumptions. We study the complexities of the extended module-checking problems. In particular, we show that for universal temporal logics (e.g., LTL, ∀CTL, and ∀CTL*), module checking with incomplete information coincides with module checking, which by itself coincides with model checking. On the other hand, for non-universal temporal logics (e.g., CTL and CTL*), module checking with incomplete information is harder than module checking, which is by itself harder than model checking.
Distributed Controller Synthesis for Local Specifications
2001
Abstract

Cited by 42 (3 self)
We consider the problem of synthesizing distributed controllers for reactive systems against local specifications. We show that a larger class of architectures becomes decidable in comparison to the analogous problem for global specifications. We identify the exact class of architectures for which the problem is decidable. Our results also show the decidability of a related realizability problem for local specifications.
Concurrent Omega-Regular Games
2000
Abstract

Cited by 41 (12 self)
We consider two-player games which are played on a finite state space for an infinite number of rounds. The games are concurrent, that is, in each round, the two players choose their moves independently and simultaneously; the current state and the two moves determine a successor state. We consider omega-regular winning conditions on the resulting infinite state sequence. To model the independent choice of moves, both players are allowed to use randomization for selecting their moves. This gives rise to the following qualitative modes of winning, which can be studied without numerical considerations concerning probabilities: sure-win (player 1 can ensure winning with certainty), almost-sure-win (player 1 can ensure winning with probability 1), limit-win (player 1 can ensure winning with probability arbitrarily close to 1), bounded-win (player 1 can ensure winning with probability bounded away from 0), positive-win (player 1 can ensure winning with positive probability), and exist-win (player 1 can ensure that at least one possible outcome of the game satisfies the winning condition). We provide algorithms for computing the sets of winning states for each of these winning modes. In particular, we solve concurrent Rabin-chain games in n^O(m) time, where n is the size of the game structure and m is the number of pairs in the Rabin-chain condition. While this complexity is in line with traditional turn-based games, where in each state only one of the two players has a choice of moves, our algorithms are considerably more involved than those for turn-based games. This is because concurrent games violate two of the most fundamental properties of turn-based games. First, concurrent games are not determined, but rather exhibit a more general duality property which involves multiple modes of winning. Second, winning strategies for concurrent games may require infinite memory.
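Both the alternating-time entry above (a selective path quantifier stating that the system has a strategy to reach a state) and the sure-win mode of this entry come down to the same fixpoint over a game structure. The following is an added example, not code from either paper: it computes the sure-win states of a reachability objective by iterating the controllable predecessor on a concurrent game structure, which covers the turn-based ATL case as the special case where one player has a single move per state. The class and function names, the two sample games (an access-control component against its environment, and a matching-pennies state) and the move labels are constructed for illustration.

```python
"""Sure-win reachability on concurrent game structures.

Added example, not code from any paper in this listing. The solver is the
standard controllable-predecessor fixpoint; the game structures, state and
move names below are constructed for illustration.
"""
from typing import Dict, Hashable, Set, Tuple

State = Hashable
Move = Hashable
IDLE = "-"  # the only move of a player who has no choice at a state


class ConcurrentGame:
    """Two-player concurrent game on a finite state space.

    moves[p][s] is the set of moves of player p (1 or 2) at state s;
    delta[(s, a, b)] is the successor when player 1 plays a and player 2
    plays b at s.  A turn-based game is the special case where, at every
    state, one of the two players has exactly one move (IDLE here)."""

    def __init__(self, moves: Dict[int, Dict[State, Set[Move]]],
                 delta: Dict[Tuple[State, Move, Move], State]) -> None:
        self.moves = moves
        self.delta = delta
        self.states = set(moves[1]) | set(moves[2])

    def successor(self, s: State, player: int, mine: Move, theirs: Move) -> State:
        if player == 1:
            return self.delta[(s, mine, theirs)]
        return self.delta[(s, theirs, mine)]

    def cpre(self, target: Set[State], player: int) -> Dict[State, Move]:
        """Controllable predecessor: every state where `player` has a move
        that enters `target` against every opponent move, with one such move."""
        opponent = 3 - player
        found: Dict[State, Move] = {}
        for s in self.states:
            for a in self.moves[player][s]:
                if all(self.successor(s, player, a, b) in target
                       for b in self.moves[opponent][s]):
                    found[s] = a
                    break
        return found

    def sure_win_reach(self, goal: Set[State], player: int
                       ) -> Tuple[Set[State], Dict[State, Move]]:
        """Least fixpoint W = goal union cpre(W): the states from which
        `player` can force a visit to `goal` whatever the opponent does,
        i.e. the ATL formula <<player>> F goal.  Also returns a memoryless
        strategy (state -> move) for the won states outside `goal`."""
        win = set(goal)
        strategy: Dict[State, Move] = {}
        while True:
            frontier = {s: a for s, a in self.cpre(win, player).items()
                        if s not in win}
            if not frontier:
                return win, strategy
            strategy.update(frontier)
            win.update(frontier)


SYS, ENV = 1, 2

# Constructed turn-based game: the environment moves in s0 and s2, the
# system moves in s1.  The system's objective is to reach "locked".
LOCKDOWN = ConcurrentGame(
    moves={
        SYS: {"s0": {IDLE}, "s1": {"lock", "ignore"}, "s2": {IDLE},
              "locked": {IDLE}, "open": {IDLE}},
        ENV: {"s0": {"attack", "wait"}, "s1": {IDLE}, "s2": {"escalate", "retry"},
              "locked": {IDLE}, "open": {IDLE}},
    },
    delta={
        ("s0", IDLE, "attack"): "s1", ("s0", IDLE, "wait"): "s0",
        ("s1", "lock", IDLE): "locked", ("s1", "ignore", IDLE): "s2",
        ("s2", IDLE, "escalate"): "open", ("s2", IDLE, "retry"): "s1",
        ("locked", IDLE, IDLE): "locked", ("open", IDLE, IDLE): "open",
    },
)

# Constructed concurrent game: matching pennies at state "p"; equal moves
# send the play to win1, different moves to win2.
PENNIES = ConcurrentGame(
    moves={
        1: {"p": {"h", "t"}, "win1": {IDLE}, "win2": {IDLE}},
        2: {"p": {"h", "t"}, "win1": {IDLE}, "win2": {IDLE}},
    },
    delta={
        ("p", "h", "h"): "win1", ("p", "t", "t"): "win1",
        ("p", "h", "t"): "win2", ("p", "t", "h"): "win2",
        ("win1", IDLE, IDLE): "win1", ("win2", IDLE, IDLE): "win2",
    },
)


def lockdown_result() -> Tuple[Set[State], Dict[State, Move]]:
    """<<SYS>> F locked on the turn-based game, with the system's strategy."""
    return LOCKDOWN.sure_win_reach({"locked"}, SYS)


def pennies_result() -> Tuple[Set[State], Set[State]]:
    """Sure-win sets of player 1 for F win1 and of player 2 for F win2."""
    w1, _ = PENNIES.sure_win_reach({"win1"}, 1)
    w2, _ = PENNIES.sure_win_reach({"win2"}, 2)
    return w1, w2


if __name__ == "__main__":
    print("lockdown:", lockdown_result())
    print("pennies:", pennies_result())
```

On the constructed lockdown game the system sure-wins F locked only from s1 (and from locked itself): in s0 the environment can wait forever and in s2 it can escalate to open, so neither state is in the winning set even though a winning play exists from each. On the pennies state neither player has a sure-winning strategy, which is the non-determinacy the abstract refers to; a player who randomizes uniformly still reaches its target with probability 1/2 against any opponent move, so the state is positive-win for both players but sure-win for neither.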
Verifying Cross-Cutting Features as Open Systems
2002
Abstract

Cited by 41 (1 self)
Feature-oriented software designs capture many interesting notions of crosscutting, and offer a powerful method for building product-line architectures. Each crosscutting feature is an independent module that fundamentally yields an open system from a verification perspective. We describe desiderata for verifying such modules through model checking and find that existing work on the verification of open systems fails to address most of the concerns that arise from feature-oriented systems. We therefore provide a new methodology for verifying such systems. To validate this new methodology, we have implemented it and applied it to a suite of modules that exhibit feature interaction problems. Our model checker was able to automatically locate ten problems previously found through a laborious simulation-based effort.
Deterministic Generators and Games for LTL Fragments
ACM Trans. Comput. Log., 2001
Abstract

Cited by 41 (2 self)
Deciding infinite two-player games on finite graphs with the winning condition specified by a linear temporal logic (LTL) formula is known to be 2EXPTIME-complete. In this paper, we identify LTL fragments of lower complexity. Solving LTL games typically involves a doubly-exponential translation from LTL formulas to deterministic ω-automata. First, we show that the longest distance (length of the longest simple path) of the generator is also an important parameter, by giving an O(d log n)-space procedure to solve a Büchi game on a graph with n vertices and longest distance d. Then, for the LTL fragment with only eventualities and conjunctions, we provide a translation to deterministic generators of exponential size and linear longest distance, show both of these bounds to be optimal, and prove the corresponding games to be PSPACE-complete. Introducing next modalities in this fragment, we provide a translation to deterministic generators still of exponential size but also with exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be EXPTIME-complete. For the fragment resulting by further adding disjunctions, we provide a translation to deterministic generators of doubly-exponential size and exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be in EXPSPACE. Finally, we show tightness of the doubly-exponential bound on the size as well as the longest distance for deterministic generators for LTL even in the absence of next and until modalities.