Alternating-time Temporal Logic
- Journal of the ACM, 1997
- Cited by 348 (42 self)
Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternating-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas.
On the Completeness of Compositional Reasoning
- In CAV, volume 1855 of LNCS, 2000
- Cited by 23 (4 self)
Several proof rules based on the assume-guarantee paradigm have been proposed for compositional reasoning about concurrent systems.
Open Systems in Reactive Environments: Control and Synthesis
- 2000
- Cited by 20 (5 self)
We study the problems of synthesizing open systems as well as controllers for open systems. We deal with specifications given as formulas of the branching temporal logic CTL* and its sub-logic CTL. A key aspect of our work is that we deal with reactive environments. These are environments that can disable some of their responses along the interaction with the system.
Deterministic Generators and Games for LTL Fragments
- ACM Trans. Comput. Log, 2001
- Cited by 17 (1 self)
Deciding infinite two-player games on finite graphs with the winning condition specified by a linear temporal logic (Ltl) formula, is known to be 2Exptime-complete. In this paper, we identify Ltl fragments of lower complexity. Solving Ltl games typically involves a doubly-exponential translation from Ltl formulas to deterministic ω-automata. First, we show that the longest distance (length of the longest simple path) of the generator is also an important parameter, by giving an O(d log n)-space procedure to solve a Büchi game on a graph with n vertices and longest distance d. Then, for the Ltl fragment with only eventualities and conjunctions, we provide a translation to deterministic generators of exponential size and linear longest distance, show both of these bounds to be optimal, and prove the corresponding games to be Pspace-complete. Introducing next modalities in this fragment, we provide a translation to deterministic generators still of exponential size but also with exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be Exptime-complete. For the fragment resulting by further adding disjunctions, we provide a translation to deterministic generators of doubly-exponential size and exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be Expspace. Finally, we show tightness of the double-exponential bound on the size as well as the longest distance for deterministic generators for Ltl even in the absence of next and until modalities. This research was partially supported by NSF Career award CCR97-34115, NSF award CCR99-70925, SRC award 99-TJ688, and Alfred P. Sloan Faculty Fellowship. y Partially supported by the M.U.R.S.T. in the framework of project TO...
Relating Linear and Branching Model Checking
- In IFIP Working Conference on Programming Concepts and Methods, 1996
- Cited by 16 (7 self)
The difference in the complexity of branching and linear model checking has been viewed as an argument in favor of the branching paradigm. In particular, the computational advantage of CTL model checking over LTL model checking makes CTL a popular choice, leading to efficient model-checking tools for this logic. Can we use these tools in order to verify linear properties? In this paper we relate branching and linear model checking. With each LTL formula /, we associate a CTL formula /A that is obtained from / by preceding each temporal operator by the universal path quantifier A. We first describe a number of attempts to utilize the tight syntactic relation between / and /A in order to use CTL model-checking tools in the process of checking the formula /. Neither attempt, however, suggests a method that is guaranteed to perform better than usual LTL model checkers. We then claim that, in practice, LTL model checkers perform nicely on formulas with equivalences of CTL. In fact, they oft...
Automata-theoretic Decision of Timed Games
- 2002
- Cited by 9 (3 self)
The solution of games is a key decision problem in the context of verification of open systems and program synthesis. We present an automata-theoretic approach to solve timed games. Our solution gives a general framework to solve many classes of timed games via a translation to tree automata, extending to timed games a successful approach to solve discrete games. Our approach relies on translating a timed automaton into a tree automaton that accepts all the trees corresponding to a given strategy of the protagonist. This construction exploits the region automaton introduced by Alur and Dill. We use our framework to solve timed Büchi games in exponential time, timed Rabin games in exponential time, Ctl games in exponential time and Ltl games in doubly exponential time. All these results are tight in the sense that they match the known lower bounds on these decision problems.
Closing open SDL-systems for model checking with DTSpin
- In FME'2002, 2002
- Cited by 6 (2 self)
Model checkers like Spin can handle closed reactive systems only. Thus to handle open systems, in particular when using assume-guarantee reasoning, we need to be able to close (sub-)systems, which is commonly done by adding an environment process. For models with asynchronous message-passing communication, however, modelling the environment as a separate process will lead to a combinatorial explosion caused by all combinations of messages in the input queues. In this
Robust Satisfaction
- 1999
- Cited by 5 (3 self)
In order to check whether an open system satisfies a desired property, we need to check the behavior of the system with respect to an arbitrary environment. In the most general setting, the environment is another open system. Given an open system and a property, we say that the system robustly satisfies the property iff for every open system which serves as an environment to it, the composition of the two satisfies the property. The problem of robust model checking is then to decide, given a system and a property, whether the system robustly satisfies the property. In this paper we study the robust-model-checking problem. We consider systems modeled by nondeterministic Moore machines, and properties specified by branching temporal logic (for linear temporal logic, robust satisfaction coincides with usual satisfaction). We show that the complexity of the problem is EXPTIME-complete for CTL and the μ-calculus, and is 2EXPTIME-complete for CTL*. We partition branching temporal logic formulas into three classes: universal, existential, and mixed formulas. We show that each class has different sensitivity to the robustness requirement. In particular, unless the formula is mixed, robust model checking can ignore nondeterministic environments. In addition, we show that the problem of classifying a CTL formula into these classes is EXPTIME-complete.

