Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternating-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas.

In this paper we further develop the methodology of temporal logic as an executable imperative language, presented by Moszkowski [Mos86] and Gabbay [Gab87, Gab89] and present a concrete framework, called METATEM for executing (modal and) temporal logics. Our approach is illustrated by the development of an execution mechanism for a propositional temporal logic and for a restricted first order temporal logic.

Live sequence charts (LSCs) have been de ned recently as an extension of message sequence charts (MSCs � or their UML variant, sequence diagrams) for rich inter-object speci cation. One of the main additions is the notion of universal charts and hot, mandatory behavior, which, among other things, enables one to specify forbidden scenarios. LSCs are thus essentially as expressive as statecharts. This paper deals with synthesis, which is the problem of deciding, given an LSC speci cation, if there exists a satisfying object system and, if so, to synthesize one automatically. The synthesis problem is crucial in the development of complex systems, since sequence diagrams serve as the manifestation of use cases | whether used formally or informally | and if synthesizable they could lead directly to implementation. Synthesis is considerably harder for LSCs than for MSCs, and we tackle it by de ning consistency, showing that an entire LSC speci cation is consistent i it is satis able by a state-based object system, and then synthesizing a satisfying system as a collection of nite state machines or statecharts. 1

A traditional approach for planning is to evaluate goal statements over state trajectories modeling predicted behaviors of an agent. This paper describes a powerful extension of this approach for handling complex goals for reactive agents. We describe goals by using a modal temporal logic that can express quite complex time, safety, and liveness constraints. Our method is based on an incremental planner algorithm that generates a reactive plan by computing a sequence of partially satisfactory reactive plans converging to a completely satisfactory one. Partial satisfaction means that an agent controlled by the plan accomplishes its goal only for some environment events. Complete satisfaction means that the agent accomplishes its goal whatever environment events occur during the execution of the plan. As such, our planner can be stopped at any time to yield a useful plan. An implemented prototype is used to evaluate our planner on empirical problems. Keywords: Planning, control, reactiv...

We discuss the problem of model checking temporal properties on partial Kripke structures, which were used in [BG99] to represent incomplete state spaces. We first extend the results of [BG99] by showing that the model-checking problem for any 3-valued temporal logic can be reduced to two model-checking problems for the corresponding 2-valued temporal logic. We then introduce a new semantics for 3-valued temporal logics that can give more definite answers than the previous one. With this semantics, the evaluation of a formula OE on a partial Kripke structure M returns the third truth value? (read "unknown") only if there exist Kripke structures M1 and M2 that both complete M and such that M1 satisfies OE while M2 violates OE, hence making the value of OE on M truly unknown. The partial Kripke structure M can thus be viewed as a partial solution to the satisfiability problem which reduces the solution space to complete Kripke structures that are more complete than M wit...

This paper focuses on the realizability problem of a framework for modeling and specifying the global behaviors of reactive electronic services (e-services). In this framework, Web accessible programs (peers) communicate by asynchronous message passing, and a virtual global watcher silently listens to the network. The global behavior is characterized by a "conversation", which is the infinite sequence of messages observed by the watcher. We show that given a Buchi automaton specifying the desired set of conversations, called a "conversation protocol", it is possible to realize the protocol using a set of finite state peers if three realizability conditions are satisfied. In particular, the synthesized peers will conform to the protocol by generating only those conversations specified by the protocol. Our results enable a top-down verification strategy where (1) A conversation protocol is specified by a realizable Buchi automaton, (2) The properties of the protocol are verified on the Buchi automaton specification, and (3) The peer implementations are synthesized from the protocol via projection.

agent or group of agents. In this paper, we address the problem of how plans might be developed for a group of agents to cooperate to bring about such a goal. We present a novel approach to this problem, in which the problem is formulated as one of model checking in Alternating Temporal Epistemic Logic (ATEL). After introducing this logic, we present a model checking algorithm for it, and show that the model checking problem for this logic is tractable. We then show how multiagent planning can be treated as a model checking problem in ATEL, and discuss the related issue of checking knowledge preconditions for multiagent plans. We illustrate the approach with an example. We then describe how this example was implemented using the MOCHA model checking system, and conclude by discussing the relationship of our work with that of others in the planning and speech acts communities.

We propose a novel planning framework for the automated composition of web services. We consider services that are specified and implemented in industrial standard languages for business processes modeling and execution, like BPEL4WS. These languages describe web services whose behavior is intrinsically asynchronous. For this reason, the key aspect of our framework is the modeling of asynchronous planning problems. In the paper we describe the framework and propose a planning approach that is based on state of the art techniques for planning under uncertainty. Our experiments show that this approach can scale up to significant cases, i.e., to cases in which the manual development of BPEL4WS composed services is not trivial and is time consuming.

. There is a growing need for reliable methods of designing correct reactive systems such as computer operating systems and air traffic control systems. It is widely agreed that certain formalisms such as temporal logic, when coupled with automated reasoning support, provide the most effective and reliable means of specifying and ensuring correct behavior of such systems. This paper discusses known complexity and expressiveness results for a number of such logics in common use and describes key technical tools for obtaining essentially optimal mechanical reasoning algorithms. However, the emphasis is on underlying intuitions and broad themes rather than technical intricacies. 1 Introduction There is a growing need for reliable methods of designing correct reactive systems. These systems are characterized by ongoing, typically nonterminating and highly nondeterministic behavior. Examples include operating systems, network protocols, and air traffic control systems. There is w...

Methods for mechanically synthesizing concurrent programs from temporal logic specifications obviate the need to manually construct a program and compose a proof of its correctness. A serious drawback of extant synthesis methods, however, is that they produce concurrent programs for models of computation that are often unrealistic. In particular, these methods assume completely fault-free operation, i.e., the programs they produce are fault-intolerant. In this paper, we show how to mechanically synthesize fault-tolerant concurrent programs for various fault classes. We illustrate our method by synthesizing fault-tolerant solutions to the mutual exclusion and barrier synchronization problems. Categories and Subject Descriptors: F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs—logics of programs, mechanical verification, specification