An AutomataTheoretic Approach to Linear Temporal Logic Moshe Y - PDF document

AnAutomata-TheoreticApproachtoLinearTemporalLogicMosheY.VardiRiceUniversityDepartmentofComputerScienceP.O.Box1892Houston,TX77251-1892,U.S.A.Email:vardi@cs.rice.eduURL:http://www.cs.rice.edu/vardiAbstract.Theautomata-theoreticapproachtolineartemporallogicusesthetheoryofautomataasaunifyingparadigmforprogramspeci®cation,veri®cation,andsynthesis.Bothprogramsandspeci®cationsareinessencedescriptionsofcomputations.Thesecomputationscanbeviewedaswordsoversomealphabet.Thus,programsandspeci®cationscanbeviewedasdescriptionsoflanguagesoversomealphabet.Theautomata-theoreticperspectiveconsiderstherelationshipsbetweenprogramsandtheirspeci®cationsasrelationshipsbetweenlanguages.Bytranslatingprogramsandspeci®cationstoautomata,questionsaboutprogramsandtheirspeci®cationscanbereducedtoquestionsaboutautomata.Morespeci®cally,questionssuchassatis®abilityofspeci®cationsandcorrectnessofprogramswithrespecttotheirspeci®cationscanbereducedtoquestionssuchasnonemptinessandcontainmentofautomata.Unlikeclassicalautomatatheory,whichfocusedonautomataon®nitewords,theapplicationstoprogramspeci®cation,veri®cation,andsynthesis,useautomataonin®nitewords,sincethecomputationsinwhichweareinterestedaretypicallyin®nite.Thispaperprovidesanintroductiontothetheoryofautomataonin®nitewordsanddemonstratesitsapplicationstoprogramspeci®cation,veri®cation,andsynthesis.1IntroductionWhileprogramveri®cationwasalwaysadesirable,butneveraneasytask,theadventofconcurrentprogramminghasmadeitsigni®cantlymorenecessaryanddif®cult.Indeed,theconceptualcomplexityofconcurrencyincreasesthelikelihoodoftheprogramcon-tainingerrors.Toquotefrom[OL82]:ªThereisaratherlargebodyofsadexperiencetoindicatethataconcurrentprogramcanwithstandverycarefulscrutinywithoutrevealingitserrors.ºThe®rststepinprogramveri®cationistocomeupwithaformalspeci®cationoftheprogram.Oneofthemorewidelyusedspeci®cationlanguagesforconcurrentprogramsistemporallogic[Pnu77,MP92].Temporallogiccomesintwovarieties:lineartimeandbranchingtime([EH86,Lam80]);weconcentratehereonlineartime.Alineartemporal PartofthisworkwasdoneattheIBMAlmadenResearchCenter. speci®cationdescribesthecomputationsoftheprogram,soaprogramsatis®esthespeci®cation(iscorrect)ifallitscomputationssatisfythespeci®cation.Ofcourse,aspeci®cationisofinterestonlyifitissatis®able.Anunsatis®ablespeci®cationcannotbesatis®edbyanyprogram.Anoftenadvocatedapproachtoprogramdevelopmentistoavoidtheveri®cationstepaltogetherbyusingthespeci®cationtosynthesizeaprogramthatisguaranteedtobecorrect.Ourapproachtospeci®cation,veri®cation,andsynthesisisbasedonanintimateconnectionbetweenlineartemporallogicandautomatatheory,whichwasdiscussedexplicitly®rstin[WVS83](seealso[LPZ85,Pei85,Sis83,SVW87,VW94]).Thisconnectionisbasedonthefactthatacomputationisessentiallyanin®nitesequenceofstates.Intheapplicationsthatweconsiderhere,everystateisdescribedbya®nitesetofatomicpropositions,soacomputationcanbeviewedasanin®nitewordoverthealphabetoftruthassignmentstotheatomicpropositions.Thebasicresultinthisareaisthefactthattemporallogicformulascanbeviewedas®nite-stateacceptors.Moreprecisely,givenanypropositionaltemporalformula,onecanconstructa®niteautomatononin®nitewordsthatacceptspreciselythecomputationssatis®edbytheformula[VW94].Wewilldescribetheapplicationsofthisbasicresulttosatis®abilitytesting,veri®cation,andsynthesis.(Foranextensivetreatmentoftheautomata-theoreticapproachtoveri®cationsee[Kur94]).Unlikeclassicalautomatatheory,whichfocusedonautomataon®nitewords,theapplicationstospeci®cation,veri®cation,andsynthesis,useautomataonin®nitewords,sincethecomputationsinwhichweareinterestedaretypicallyin®nite.Beforegoingintotheapplications,wegiveabasicintroductiontothetheoryofautomataonin®nitewords.Tohelpthereadersbuildtheirintuition,wereviewthetheoryofautomataon®nitewordsandcontrastitwiththetheoryofautomataonin®nitewords.Foramoreadvancedintroductiontothetheoryofautomataonin®niteobjects,thereadersarereferredto[Tho90].2AutomataTheoryWearegivena®nitenonemptyalphabet.A®nitewordisanelementof,i.e.,a®nitesequence0;:::;aofsymbolsfrom.Anin®nitewordisanelementof,i.e.,an-sequence20;a1;:::ofsymbolsfrom.Automataon®nitewordsde®ne(®nitary)languages,i.e.,setsof®nitewords,whileautomataonin®nitewordsde®nein®nitarylanguages,i.e.,setsofin®nitewords.2.1AutomataonFiniteWords±ClosureA(nondeterministic®nite)automatonisatuple;S;S0;;F,whereisa®nitenonemptyalphabet,isa®nitenonemptysetofstates,0isanonemptysetofinitialstates,isthesetofacceptingstates,and:2isatransitionfunction.Intuitively,s;aisthesetofstatesthatcanmoveintowhenitisinstateanditreadsthesymbol.Notethattheautomatonmaybenondeterministic,sinceitmayhavemanyinitialstatesandthetransitionfunctionmayspecifymanypossible 2denotesthe®rstin®niteordinal. transitionsforeachstateandsymbol.Theautomatonisdeterministicif01ands;aj1forallstatesandsymbols.Anautomatonisessentiallyanedge-labeleddirectedgraph:thestatesoftheautomatonarethenodes,theedgesarelabeledbysymbolsin,acertainsetofnodesisdesignatedasinitial,andacertainsetofnodesisdesignatedasaccepting.Thus,s;ameansthatthatthereisedgefromtolabeledwith.Whenisdeterministic,thetransitionfunctioncanbeviewedasapartialmappingfromto,andcanthenbeextendedtoapartialmappingfromtoasfollows:s;")=ands;xw)=s;x;wforand.Arunofona®niteword0;:::;a1isasequence0;:::;sof1statesinsuchthat00,and1;afor0in.Notethatanondeterministicautomatoncanhavemanyrunsonagiveninputword.Incontrast,adeterministicautomatoncanhaveatmostonerunonagiveninputword.Therunisacceptingif.Onecouldpicturetheautomatonashavingagreenlightthatisswitchedonwhenevertheautomatonisinanacceptingstateandswitchedoffwhenevertheautomatonisinanon-acceptingstate.Thus,therunisacceptingifthegreenlightisonattheendoftherun.Thewordisacceptedbyifhasanacceptingrunon.Whenisdeterministic,ifandonlyif0;w,where00.The(®nitary)languageof,denoted,isthesetof®nitewordsacceptedby.AnimportantpropertyofautomataistheirclosureunderBooleanoperations.Westartbyconsideringclosureunderunionandintersection.Proposition1.[RS59]Let1;A2beautomata.Thenthereisanautomatonsuchthat)=11L(A2.Proof:Let1;S1;S01;1;F1and2;S2;S02;2;F2.Withoutlossofgenerality,weassumethat1and2aredisjoint.Intuitively,theautomatonnonde-terministicallychooses1or2andrunsitontheinputword.Let=(;S;S0;;F,where11S2,0011S02,11F2,ands;a)=1s;aif12s;aif2Itiseasytoseethat)=11L(A2. Wecallintheproofabovetheunionof1and2,denoted11A2.Proposition2.[RS59]Let1;A2beautomata.Thenthereisanautomatonsuchthat)=12.Proof:Let1;S1;S01;1;F1and2;S2;S02;2;F2.Intuitively,theautomatonrunsboth1and2ontheinputword.Let=(;S;S0;;F,where12,00102,12,ands;t;a)=1s;a2t;a.Itiseasytoseethat)=12. Wecallintheproofabovetheproductof1and2,denoted12.Notethatboththeunionandtheproductconstructionsareeffectiveandpolynomialinthesizeoftheconstituentautomata. Letusconsidernowtheissueofcomplementation.Consider®rstdeterministicautomata.Proposition3.[RS59]Let=(;S;S0;;Fbeadeterministicautomaton,andlet =(;S;S0;;S,then )=.Thatis,itiseasytocomplementdeterministicautomata;wejusthavetocomplementtheacceptancecondition.Thiswillnotworkfornondeterministicautomata,sinceanondeterministicautomatoncanhavemanyrunsonagiveninputword;itisnotenoughthatsomeoftheserunsreject(i.e.,notaccept)theinputword,allrunsshouldrejecttheinputword.Thus,itseemsthattocomplementnondeterministicautomatonwe®rsthavetodeterminizeit.Proposition4.[RS59]Letbeanondeterministicautomaton.Thenthereisadeter-ministicautomatonsuchthat)=.Proof:Let;S;S0;;F.Then;20;;F.Thestatesetofconsistsofallsetsofstatesinandithasasingleinitialstate.Thesetisthecollectionofsetsofstatesthatintersectnontrivially.Finally,T;a)=s;aforsome. Intuitively,collapsesallpossiblerunsofonagiveninputwordintoonerunoveralargerstateset.Thisconstructioniscalledthesubsetconstruction.BycombiningPropositions4and3wecancomplementanondeterministicautomata.Theconstructioniseffective,butitinvolvesanexponentialblow-up,sincedeterminizationinvolvesanexponentialblow-up(i.e.,ifhasstates,thenhas2states).Asshownin[MF71],thisexponentialblow-upfordeterminizationandcomplementationisunavoidable.Forexample,®xsome1.Thesetofall®nitewordsoverthealphabeta;bthathaveanatthethpositionfromtherightisacceptedbytheautomaton;012;:::;n0;;,where0;a01,0;b0,andi;a)=i;b)=1for0in.Intuitively,guessesapositionintheinputword,checksthatitcontains,andthenchecksthatitisatdistancefromtherightendoftheinput.Supposethatwehaveadeterministicautomaton;S;0;;Fwithfewerthan2statesthatacceptsthissamelanguage.Recallthatcanbeviewedasapartialmappingfromto.Since2,theremustbetwowords1and2oflengthforwhich0;uav1)=0;ubv2.Butthenwewouldhavethat0;uav1)=0;ubv2;thatis,eitherboth1and2aremembersoforneitherare,contradictingtheassumptionthatconsistsofexactlythewordswithanatthethpositionfromtheright,since12.2.2AutomataonIn®niteWords±ClosureSupposenowthatanautomaton=(;S;S0;;Fisgivenasinputanin®niteword0;a1;:::over.Arunofonisasequence0;s1;:::,where00and1;a,forall0.Sincetherunisin®nite,wecannotde®neacceptancebythetypeofthe®nalstateoftherun.Insteadwehavetoconsiderthelimitbehaviorof therun.Wede®nelimtobethesetforin®nitelymany's,i.e.,thesetofstatesthatoccurinin®nitelyoften.Sinceis®nite,limisnecessarilynonempty.Therunisacceptingifthereissomeacceptingstatethatrepeatsinin®nitelyoften,i.e.,lim.Ifwepicturetheautomatonashavingagreenlightthatisswitchedonpreciselywhentheautomatonisinanacceptingstate,thentherunisacceptingifthegreenlightisswitchedonin®nitelymanytimes.Thein®nitewordisacceptedbyifthereisanacceptingrunofon.Thein®nitarylanguageof,denoted,isthesetofin®nitewordsacceptedby.Thus,canbeviewedbothasanautomatonon®nitewordsandasanautomatononin®nitewords.Whenviewedasanautomatononin®nitewordsitiscalledaBÈuchiautomaton[BÈuc62].Doautomataonin®nitewordshaveclosurepropertiessimilartothoseofautomataon®nitewords?Inmostcasestheanswerispositive,buttheproofsmaybemoreinvolved.Westartbyconsideringclosureunderunion.Heretheunionconstructiondoestherightthing.Proposition5.[Cho74]Let1;A2beBÈuchiautomata.Then11A2)=11L!(A2.Onemightbetemptedtothinkthatsimilarlywehavethat12)=12,butthisisnotthecase.Theacceptingsetof12istheproductoftheacceptingsetsof1and2.Thus,12acceptsanin®nitewordifthereareacceptingruns1and2of1and2,respectively,on,wherebothrunsgoin®nitelyoftenandsimultaneouslythroughacceptingstates.Thisrequirementistoostrong.Asaresult,12couldbeastrictsubsetof12.Forexample,de®nethetwoBÈuchiautomata1=(s;t;;and2=(s;t;;withs;a)=andt;a)=.Clearlywehavethat1)=2)=,but12)=.Nevertheless,closureunderintersectiondoeshold.Proposition6.[Cho74]Let1;A2beBÈuchiautomata.ThenthereisaBÈuchiautomatonsuchthat)=12.Proof:Let1=(;S1;S01;1;F1and2=(;S2;S02;2;F2.Let=(;S;S0;;F,where12f12,00102f1,12f1,and;t;js;t;i;aif1s;a,2t;a,and,unless1and1,inwhichcase2,or2and2,inwhichcase1.Intuitively,theautomatonrunsboth1and2ontheinputword.Thus,theautomatoncanbeviewedhashavingtwoªtracksº,oneforeachof1and2.Inadditiontorememberingthestateofeachtrack,alsohasapointerthatpointstooneofthetracks(1or2).Wheneveratrackgoesthroughanacceptingstate,thepointermovestotheothertrack.Theacceptanceconditionguaranteesthatbothtracksvisitacceptingstatesin®nitelyoften,sincearunacceptsiffitgoesin®nitelyoftenthrough12f1.Thismeansthatthe®rsttrackvisitsin®nitelyoftenanacceptingstatewiththepointerpointingtothe®rsttrack.Whenever,however,the®rsttrackvisitsanacceptingstatewiththepointerpointingtothe®rsttrack,thepointerischangedtopointtothesecondtrack.Thepointerreturnstopointtothe®rsttrackonlyifthesecond trackvisitsanacceptingstate.Thus,thesecondtrackmustalsovisitanacceptingstatein®nitelyoften. Thus,BÈuchiautomataareclosedunderbothunionandintersection,thoughthecon-structionforintersectionissomewhatmoreinvolvedthanasimpleproduct.Thesituationisconsiderablymoreinvolvedwithrespecttoclosureundercomplementation.First,asweshallshortlysee,BÈuchiautomataarenotclosedunderdeterminization,i.e.,non-deterministicBÈuchiautomataaremoreexpressivethandeterministicBÈuchiautomata.Second,itisnotevenobvioushowtocomplementdeterministicBÈuchiautomata.Con-siderthedeterministicBÈuchiautomaton;S;S0;;F.Onemaythinkthatitsuf®cestocomplementtheacceptancecondition,i.e.,toreplacebyandde®ne ;S;S0;;S.Notgoingin®nitelyoftenthrough,however,isnotthesameasgoingin®nitelyoftenthrough.Arunmightgothroughbothandin®nitelyoften.Thus, maybeastrictsupersetof.Forexample,ConsidertheBÈuchiautomaton=(s;t;;withs;aandt;a)=.Wehavethat)= )=.Nevertheless,BÈuchiautomata(deterministicaswellasnondeterministic)areclosedundercomplementation.Proposition7.[BÈuc62]LetbeaBÈuchiautomatonoveranalphabet.Thenthereisa(possiblynondeterministic)BÈuchiautomaton suchthat )=.Theconstructionin[BÈuc62]isdoublyexponential.Thisisimprovedin[SVW87]toasinglyexponentialconstructionwithaquadraticexponent(i.e.,ifhasstatesthen has2states,forsomeconstantc�1).Incontrast,theexponentintheconstructionofProposition4islinear.Wewillcomebacklatertothecomplexityofcomplementation.Letusreturntotheissueofdeterminization.WenowshowthatnondeterministicBÈuchiautomataaremoreexpressivethandeterministicBÈuchiautomata.Considerthein®nitarylanguage=(011,i.e.,consistsofallin®nitewordsinwhich0occursonly®nitelymanytimes.Itiseasytoseethatcanbede®nedbyanondeterministicBÈuchiautomaton.Let001s;t;;,where01s;t,1)=and0)=.Thatis,thestatesareandwiththeinitialstateandtheacceptingstate,Aslongasitisinthestate,theautomaton0canreadbothinputs0and1.Atsomepoint,however,0makesanondeterministictransitiontothestate,andfromthatpointonitcanreadonlytheinput1.Itiseasytoseethat0.Incontrast,cannotbede®nedbyanydeterministicBÈuchiautomaton.Proposition8.Let=(011.ThenthereisnodeterministicBÈuchiautomatonsuchthat.Proof:Assumebywayofcontradictionthat,where=(;S;0;;Ffor01,andisdeterministic.Recallthatcanbeviewedasapartialmappingfromto.Considerthein®niteword01.Clearly,0isacceptedby,sohasanacceptingrunon0.Thus,0hasa®nitepre®x0suchthat0;u0.Considernowthein®niteword1001.Clearly,1isalsoacceptedby,sohasanacceptingrunon1.Thus,1hasa®nitepre®x001suchthat0;u001.Ina similarfashionwecancontinueto®nd®nitewordssuchthat0;u0010:::0.Sinceis®nite,therearei;j,where0ij,suchthat0;u0010:::0)=0;u0010:::00:::0.Itfollowsthathasanacceptingrunon0010:::00:::0Butthelatterwordhasin®nitelymanyoccurrencesof0,soitisnotin. Notethatthecomplementarylanguage=((010(thesetofin®nitewordsinwhich0occursin®nitelyoften)isacceptablebythedeterministicBÈuchiautomaton=(01s;t;;,where0)=0)=and1)=1)=.Thatis,theautomatonstartsatthestatesandthenitsimplyremembersthelastsymbolitread(correspondsto0andcorrespondsto1).Thus,theuseofnondeterminisminProposition7isessential.TounderstandwhythesubsetconstructiondoesnotworkforBÈuchiautomata,con-siderthefollowingtwoautomataoverasingletonalphabet:1=(s;t;1and2=(s;t;2,where1s;a)=s;t,1t;a)=,2s;a)=s;t,and2t;a)=.Itiseasytoseethat1doesnotacceptanyin®niteword,sincenoin®niteruncanvisitthestate.Incontrast,2acceptsthein®niteword,sincetherunisaccepting.Ifweapplythesubsetconstructiontobothautomata,theninbothcasestheinitialstateis,;a)=s;t,ands;t;a)=s;t.Thus,thesubsetconstructioncannotdistinguishbetween1and2.Tobeabletodeterminizeautomataon®nitewords,wehavetoconsideramoregeneralacceptancecondition.Letbea®nitenonemptysetofstates.ARabincondi-tionisasubsetof22,i.e.,itisacollectionofpairsofsetsofstates,writtenn(L1;U1;:::;;U(wedroptheexternalbracketswhentheconditionconsistsofasinglepair).ARabinautomatonisanautomatononin®nitewordswheretheaccep-tanceconditionisspeci®edbyaRabincondition,i.e.,itisoftheform;S;S0;;G.Arunofisacceptingifforsomewehavethatlimandlim,thatis,thereisapairinwheretheleftsetisvisitedin®nitelyoftenbywhiletherightsetisvisitedonly®nitelyoftenby.RabinautomataarenotmoreexpressivethanBÈuchiautomata.Proposition9.[Cho74]LetbeaRabinautomaton,thenthereisaBÈuchiautomatonsuchthat)=.Proof:Let;S;S0;;G,wheree(L1;U1;:::;;U.Itiseasytoseethat)==ki=1,where=(;S;S0;;;U.SinceBÈuchiau-tomataareclosedunderunion,byProposition5,itsuf®cestoprovetheclaimforRabinconditionsthatconsistsofasinglepair,sayL;U.Theideaoftheconstructionistotaketwocopiesof,say1and2.TheBÈuchiautomatonstartsin1andstaysthereaslongasitªwantsº.Atsomepointitnondeterministicallymakesatransitioninto2anditstaysthereavoidingandvisitingin®nitelyoften.Formally,=(;S;S0;;L,wheref0g[,00f0,s;a)=s;afor,and0;a)=s;a0g[s;a. Notethattheconstructioninthepropositionaboveiseffectiveandpolynomialinthesizeofthegivenautomaton. Ifwerestrictattention,however,todeterministicautomata,thenRabinautomataaremoreexpressivethanBÈuchiautomata.Recallthein®nitarylanguage=(011.Weshowedearlierthatitisnotde®nablebyadeterministicBÈuchiautomaton.Itiseasilyde®nable,however,byaRabinautomaton.Let=(01s;t;;,where0)=0)=,1)=1)=.Thatis,theautomatonstartsatthestatesandthenitsimplyremembersthelastsymbolitread(correspondsto0andcorrespondsto1).Itiseasytoseethat.TheadditionalexpressivepowerofRabinautomataissuf®cienttoprovideclosureunderdeterminization.Proposition10.[McN66]LetbeaBÈuchiautomaton.ThereisadeterministicRabinautomatonsuchthat)=.Proposition10was®rstprovenin[McN66],whereadoublyexponentialconstruc-tionwasprovided.Thiswasimprovedin[Saf88],whereasinglyexponential,withanal-mostlinearexponent,constructionwasprovided(ifhasstates,thenhas2logstatesandpairs).Furthermore,itwasshownin[Saf88,EJ89])howthedeterminiza-tionconstructioncanbemodi®edtoyieldaco-determinizationconstruction,i.e.,acon-structionofadeterministicRabinautomatonsuchthat)=,whereistheunderlyingalphabet.Theco-determinizationconstructionisalsosinglyexponentialwithanalmostlinearexponent(again,ifhasstates,thenhas2logstatesandpairs).Thus,combiningtheco-determinizationconstructionwiththepolynomialtranslationofRabinautomatatoBÈuchiautomata(Proposition9),wegetacomplementationconstructionwhosecomplexityissinglyexponentialwithanalmostlinearexponent.Thisimprovesthepreviouslymentionedboundoncomplemen-tation(singlyexponentialwithaquadraticexponent)andisessentiallyoptimal[Mic88].Incontrast,complementationforautomataon®nitewordsinvolvesanexponentialblow-upwithalinearexponent(Section2.1).Thus,complementationforautomataonin®nitewordsisprovablyharderthancomplementationforautomataon®nitewords.Bothconstructionsareexponential,butinthe®nitecasetheexponentislinear,whileinthein®nitecasetheexponentisnonlinear.2.3AutomataonFiniteWords±AlgorithmsAnautomatonisªinterestingºifitde®nesanªinterestingºlanguage,i.e.,alanguagethatisneitheremptynorcontainsallpossiblewords.Anautomatonisnonemptyif;itisnonuniversalif.Oneofthemostfundamentalalgorithmicissuesinautomatatheoryistestingwhetheragivenautomatonisªinterestingº,i.e.,nonemptyandnonuniversal.Thenonemptinessproblemforautomataistodecide,givenanautomaton,whetherisnonempty.Thenonuniversalityproblemforautomataistodecide,givenanautomaton,whetherisnonuniversal.Itturnsoutthattestingnonemptinessiseasy,whiletestingnonuniversalityishard.Proposition11.[RS59,Jon75]1.Thenonemptinessproblemforautomataisdecidableinlineartime.2.ThenonemptinessproblemforautomataisNLOGSPACE-complete. Proof:Let=(;S;S0;;Fbethegivenautomaton.Lets;tbestatesof.Wesaythatisdirectlyconnectedtoifthereisasymbolsuchthats;a.Wesaythatisconnectedtoifthereisasequence1;:::;s,1,ofstatessuchthat1,,and1isdirectlyconnectedtofor1im.Essentially,isconnectedtoifthereisapathinfromto,whereisviewedasanedge-labeleddirectedgraph.Notethattheedgelabelsareignoredinthisde®nition.Itiseasytoseethatisnonemptyifftherearestates0andsuchthatisconnectedto.Thus,automatanonemptinessisequivalenttographreachability.Theclaimsnowfollowfromthefollowingobservations:1.Abreadth-®rst-searchalgorithmcanconstructinlineartimethesetofallstatesconncectedtoastatein0[CLR90].isnonemptyiffthissetintersectsnontrivially.2.Graphreachabilitycanbetestedinnondeterministiclogarithmicspace.Theal-gorithmsimplyguessesastate00,thenguessesastate1thatisdirectlyconnectedto0,thenguessesastate2thatisdirectlyconnectedto1,etc.,untilitreachesastate.(Recallthatanondeterministicalgorithmacceptsifthereisasequenceofguessesthatleadstoacceptance.Wedonotcarehereaboutsequencesofguessesthatdonotleadtoacceptance[GJ79].)Ateachstepthealgorithmneedstorememberonlythecurrentstateandthenextstate;thus,iftherearestatesthealgorithmneedstokeepinmemorylogbits,sincelogbitssuf®cetodescribeonestate.Ontheotherhand,graphreachabilityisalsoNLOGSPACE-hard[Jon75]. Proposition12.[MS72]1.Thenonuniversalityproblemforautomataisdecidableinexponentialtime.2.ThenonuniversalityproblemforautomataisPSPACE-complete.Proof:Notethatiffiff ,where isthecomplementaryautomatonof(seeSection2.1).Thus,totestfornonuniversality,itsuf®cestotest fornonemptiness.Recallthat isexponentiallybiggerthan.Sincenonemptinesscanbetestedinlineartime,itfollowsthatnonuniversalitycanbetestedinexponentialtime.Also,sincenonemptinesscanbetestedinnondeterministiclogarithmicspace,nonuniversalitycanbetestedinpolynomialspace.Thelatterargumentrequiressomecare.Wecannotsimplyconstruct andthentestitfornonemptiness,since isexponentiallybig.Instead,weconstruct ªon-the-¯yº;wheneverthenonemptinessalgorithmwantstomovefromastate1of toastate2,thealgorithmguesses2andchecksthatitisdirectlyconnectedto1.Oncethishasbeenveri®ed,thealgorithmcandiscard1.Thus,ateachstepthealgorithmneedstokeepinmemoryatmosttwostatesof andthereisnoneedtogenerateallof atanysinglestepofthealgorithm.Thisyieldsanondeterministicpolynomialspacealgorithm.Toeliminatenonde-terminism,weappealtoawell-knowntheoremofSavitch[Sav70]whichstatesthat NSPACEDSPACE2,forlog;thatis,anynondetermin-isticalgorithmthatusesatleastlogarithmicspacecanbesimulatedbyadetermin-isticalgorithmthatusesatmostquadraticallylargeramountofspace.Inparticular,anynondeterministicpolynomial-spacealgorithmcanbesimulatedbyadeterministicpolynomial-spacealgorithm.ToprovePSPACE-hardness,itcanbeshownthatanyPSPACE-hardproblemcanbereducedtothenonuniversalityproblem.Thatis,thereisalogarithmic-spacealgorithmthatgivenapolynomial-space-boundedTuringmachineandawordoutputsanautomatonM;wsuchthatacceptsiffM;wisnon-universal[MS72,HU79]. 2.4AutomataonIn®niteWords±AlgorithmsTheresultsforBÈuchiautomataareanalogoustotheresultsinSection2.3.Proposition13.1.[EL85b,EL85a]ThenonemptinessproblemforBÈuchiautomataisdecidableinlineartime.2.[VW94]ThenonemptinessproblemforBÈuchiautomataisNLOGSPACE-complete.Proof:Let;S;S0;;Fbethegivenautomaton.Weclaimthatisnonemptyifftherearestates00andsuchthatisconnectedto0andisconnectedtoitself.Suppose®rstthatisnonempty.Thenthereisanacceptingrun0;s1;:::ofonsomeinputword.Clearly,1isdirectlyconnectedtoforall0.Thus,isconnectedtowheneverij.Sinceisaccepting,someoccursinin®nitelyoften;inparticular,therearei;j,where0ij,suchthat.Thus,isconnectedto00andisalsoconnectedtoitself.Conversely,supposethattherearestates00andsuchthatisconnectedto0andisconnectedtoitself.Sinceisconnectedto0,thereareasequenceofstates1;:::;sandasequenceofsymbols1;:::;asuchthatand1;afor1.Similarly,sinceisconnectedtoitself,thereareasequenceofstates0;t1;:::;tandasequenceofsymbols1;:::;bsuchthat0and1;bfor1.Thus,0;s1;:::;s10;t1;:::;t1isanacceptingrunofon1;:::;a1;:::;b,soisnonempty.Thus,BÈuchiautomatanonemptinessisalsoreducibletographreachability.1.Adepth-®rst-searchalgorithmcanconstructadecompositionofthegraphintostronglyconnectedcomponents[CLR90].isnonemptyifffromacomponentthatintersects0nontriviallyitispossibletoreachanontrivialcomponentthatintersectsnontrivially.(Astronglyconnectedcomponentisnontrivialifitcontainsanedge,whichmeans,sinceitisstronglyconnected,thatitcontainsacycle).2.Thealgorithmsimplyguessesastate00,thenguessesastate1thatisdirectlyconnectedto0,thenguessesastate2thatisdirectlyconnectedto1,etc.,untilitreachesastate.Atthatpointthealgorithmremembersanditcontinuestomovenondeterministicallyfromastatetoastatethatisdirectlyconnectedtountilitreachesagain.Clearly,thealgorithmneedsonlyalogarithmicmemory,sinceitneedstorememberatmostadescriptionofthreestatesateachstep. NLOGSPACE-hardnessfollowsfromNLOGSPACE-hardnessofnonemptinessforautomataon®nitewords. Proposition14.[SVW87]1.ThenonuniversalityproblemforBÈuchiautomataisdecidableinexponentialtime.2.ThenonuniversalityproblemforBÈuchiautomataisPSPACE-complete.Proof:Againiffiff ,where isthecomplementaryautomatonof(seeSection2.2).Thus,totestfornonuniversality,itsuf®cestotest fornonemptiness.Since isexponentiallybiggerthanandnonemptinesscanbetestedinlineartime,itfollowsthatnonuniversalitycanbetestedinexponentialtime.Also,sincenonemptinesscanbetestedinnondeterministiclogarithmicspace,nonuniversalitycanbetestedinpolynomialspace.Again,thepolynomial-spacealgorithmconstructs ªon-the-¯yº.PSPACE-hardnessfollowseasilyfromthePSPACE-hardnessoftheuniversalityproblemforautomataon®nitewords[Wol82]. 2.5AutomataonFiniteWords±AlternationNondeterminismgivesacomputingdevicethepowerofexistentialchoice.Itsdualgivesacomputingdevicethepowerofuniversalchoice.(ComparethistothecomplexityclassesNPandco-NP[GJ79]).Itisthereforenaturaltoconsidercomputingdevicesthathavethepowerofbothexistentialchoiceanduniversalchoice.Suchdevicesarecalledalternating.Alternationwasstudiedin[CKS81]inthecontextofTuringmachinesandin[BL80,CKS81]for®niteautomata.Thealternationformalismsin[BL80]and[CKS81]aredifferent,thoughequivalent.Wefollowheretheformalismof[BL80].Foragivenset,letbethesetofpositiveBooleanformulasover(i.e.,Booleanformulasbuiltfromelementsinusingand),wherewealsoallowtheformulastrueandfalse.Let.Wesaythatsatis®esaformula2Bifthetruthassignmentthatassignstruetothemembersofandassignsfalsetothemembersofsatisfes.Forexample,thesets1;s3and1;s4bothsatisfytheformula1234,whiletheset1;s2doesnotsatisfythisformula.Consideranondeterministicautomaton=(;S;S0;;F.Thetransitionfunc-tionmapsastateandaninputsymboltoasetofstates.Eachelementinthissetisapossiblenondeterministicchoicefortheautomaton'snextstate.Wecanrepresentusing;forexample,s;a1;s2;s3canbewrittenass;a)=123.Inalternatingautomata,s;acanbeanarbitraryformulafrom.Wecanhave,forinstance,atransitions;a)=(1234meaningthattheautomatonacceptstheword,whereisasymbolandisaword,whenitisinthestate,ifitacceptsthewordfromboth1and2orfromboth3and 4.Thus,suchatransitioncombinesthefeaturesofexistentialchoice(thedisjunctionintheformula)anduniversalchoice(theconjunctionsintheformula).Formally,analternatingautomatonisatuple;S;s0;;F,whereisa®nitenonemptyalphabet,isa®nitenonemptysetofstates,0istheinitialstate(noticethatwehaveauniqueinitialstate),isasetofacceptingstates,and:!Bisatransitionfunction.Becauseoftheuniversalchoiceinalternatingtransitions,arunofanalternatingautomatonisatreeratherthanasequence.Atreeisa(®niteorin®nite)connecteddirectedgraph,withonenodedesignatedastherootanddenotedby,andinwhicheverynon-rootnodehasauniqueparent(istheparentofandisachildofifthereisanedgefromto)andtheroothasnoparent.Thelevelofanode,denoted,isitsdistancefromtheroot;inparticular,0.Abranch0;x1;:::ofatreeisamaximalsequenceofnodessuchthat0istherootandistheparentof1foralli�0.Notethatcanbe®niteorin®nite.A-labeledtree,fora®nitealphabet,isapair;,whereisatreeandisamappingfromtothatassignstoeverynodeofalabelin.Weoftenrefertoasthelabeledtree.Abranch0;x1;:::ofde®nesanin®niteword)=01;:::consistingofthesequenceoflabelsalongthebranch.Formally,arunofona®niteword0;a1;:::;a1isa®nite-labeledtreesuchthat)=0andthefollowingholds:ifin,)=,ands;a)=,thenhaschildren1;:::;x,forsomej,and1;:::;rsatis®es.Forexample,if0;a0is1234,thenthenodesoftheruntreeatlevel1includethelabel1orthelabel2andalsoincludethelabel3orthelabel4.Notethatthedepthof(i.e.,themaximallevelofanodein)isatmost,butnotallbranchesneedtoreachsuchdepth,sinceif;atrue,thendoesnotneedtohaveanychildren.Ontheotherhand,ifnand,thenwecannothaves;a)=false,sincefalseisnotsatis®able.Theruntreeisacceptingifallnodesatdeptharelabeledbystatesin.Thus,abranchinanacceptingrunhastohitthetruetransitionorhitanacceptingstateafterreadingalltheinputword.Whatistherelationshipbetweenalternatingautomataandnondeterministicau-tomata?Itturnsoutthatjustasnondeterministicautomatahavethesameexpressivepowerasdeterministicautomatabuttheyareexponentiallymoresuccinct,alternatingautomatahavethesameexpressivepowerasnondeterministicautomatabuttheyareexponentiallymoresuccinct.We®rstshowthatalternatingautomataareatleastasexpressiveandassuccinctasnondeterministicautomata.Proposition15.[BL80,CKS81,Lei81]Letbeanondeterministicautomaton.Thenthereisanalternatingautomatonsuchthat)=.Proof:Let=(;S;S0;;F.Then=(;S[f0;s0;;F,where0isanewstate,andisde®nedasfollows,forand:±0;b)=0, ±s;b)=.(Wetakeanemptydisjunctioninthede®nitionoftobeequivalenttofalse.)Es-sentially,thetransitionsofareviewedasdisjunctionsin.Aspecialtreatmentisneededfortheinitialstate,sinceweallowasetofinitialstatesinnondeterministicautomata,butonlyasingleinitialstateinalternatingautomata. Notethathasessentiallythesamesizeas;thatis,thedescriptionsofandhavethesamelength.Wenowshowthatalternatingautomataarenotmoreexpressivethannondetermin-isticautomata.Proposition16.[BL80,CKS81,Lei81]Letbeanalternatingautomaton.Thenthereisanondeterministicautomatonsuchthat)=.Proof:Let=(;S;s0;;F.Then=(;S0;;F,where2,2,andT;a)=satis®est;a(Wetakeanemptyconjunctioninthede®nitionoftobeequivalenttotrue;thus,;2;a.)Intuitively,guessesaruntreeof.Atagivenpointofarunof,itkeepsinitsmemoryawholeleveloftheruntreeof.Asitreadsthenextinputsymbol,itguessesthenextleveloftheruntreeof. Thetranslationfromalternatingautomatatonondeterministicautomatainvolvesanexponentialblow-up.Asshownin[BL80,CKS81,Lei81],thisblow-upisunavoidable.Forexample,®xsome1,andleta;b.Letbethesetofallwordsthathavetwodifferentsymbolsatdistancefromeachother.Thatis,uavbwu;wand1g[fubvawu;wand1Itiseasytoseethatisacceptedbythenondeterministicautomaton=(;p;qg[1;:::;n;;;,wherep;a)=1;a,p;b)=1;b,a;i;x)=a;i1andb;i;x)=b;i1forand0in,a;n;a)=,a;n;b)=,b;n;b)=,b;n;a)=,andq;x)=for.Intuitively,guessesapositionintheinputword,readstheinputsymbolatthatposition,movespositionstotheright,andchecksthatitcontainsadifferentsymbol.Notethathas22states.ByPropositions15and17(below),thereisanalternatingautomatonwith23statesthatacceptsthecomplementarylanguage .Supposethatwehaveanondeterministicautomaton=(;S;S0;;Fwithfewerthan2statesthataccepts .Thus,acceptsallwordsww,where.Let0;:::;s2anacceptingrunofonww.Since2,therearetwodistinctwordu;vsuchthat.Thus,0;:::;s;s1;:::;s2isanacceptingrunofon,but sinceitmusthavetwodifferentsymbolsatdistancefromeachother.Oneadvantageofalternatingautomataisthatitiseasytocomplementthem.We®rstneedtode®nethedualoperationonformulasin.Intuitively,thedual ofa formulaisobtainedfrombyswitchingand,andbyswitchingtrueandfalse.Forexample, )=.(Notethatweareconsideringformulasin,sowecannotsimplyapplynegationtotheseformulas.)Formally,wede®nethedualoperationasfollows:± ,for,± truefalse,± falsetrue,± )=( _ ,and± )=( ^ .Supposenowthatwearegivenanalternatingautomaton;S;s0;;F.De®ne =(;S;s0 ;S,where s;a)= s;aforalland.Thatis, isthedualizedtransitionfunction.Proposition17.[BL80,CKS81,Lei81]Letbeanalternatingautomaton.Then )=.BycombiningPropositions11and16,wecanobtainanonemptinesstestforalter-natingautomata.Proposition18.[CKS81]1.Thenonemptinessproblemforalternatingautomataisdecidableinexponentialtime.2.ThenonemptinessproblemforalternatingautomataisPSPACE-complete.Proof:AllthatremainstobeshownisthePSPACE-hardnessofnonemptiness.RecallthatPSPACE-hardnessofnonuniversalitywasshowninProposition12byagenericreduction.Thatis,thereisalogarithmic-spacealgorithmthatgivenapolynomial-space-boundedTuringmachineandawordoutputsanautomatonM;wsuchthatacceptsiffM;wisnonuniversal.ByProposition15,thereisanalternatingautomatonsuchthat)=M;wandhasthesamesizeasM;w.ByProposition17, )=.Thus,M;wisnonuniversaliff isnonempty. 2.6AutomataonIn®niteWords-AlternationWesawearlierthatanondeterministicautomatoncanbeviewedbothasanautomatonon®nitewordsandasanautomatononin®nitewords.Similarly,analternatingautomatoncanalsobeviewedasanautomatononin®nitewords,inwhichcaseitiscalledanalternatingBÈuchiautomaton[MS87].Let;S;s0;;FbeanalternatingBÈuchiautomaton.Arunofonanin®niteword0;a1;:::isa(possiblyin®nite)-labeledtreesuchthat)=0andthefollowingholds:if,)=,ands;a)=,thenhaschildren1;:::;x,forsomej,and1;:::;rsatis®es. Therunisacceptingifeveryin®nitebranchinincludesin®nitelymanylabelsin.Notethattheruncanalsohave®nitebranches;if,)=,ands;a)=,thendoesnotneedtohaveanychildren.Wewithalternatingautomata,alternatingBÈuchiautomataareasexpressiveasnon-deterministicBÈuchiautomata.We®rstshowthatalternatingautomataareatleastasexpressiveandassuccinctasnondeterministicautomata.TheproofofthefollowingpropositionisidenticaltotheproofofProposition19.Proposition19.[MS87]LetbeanondeterministicBÈuchiautomaton.ThenthereisanalternatingBÈuchiautomatonsuchthat)=.Asthereadermayexpectbynow,alternatingBÈuchiautomataarenotmoreexpressivethannondeterministicBÈuchiautomata.Theproofofthisfact,however,ismoreinvolvedthantheproofinthe®nite-wordcase.Proposition20.[MH84]LetbeanalternatingBÈuchiautomaton.ThenthereisanondeterministicBÈuchiautomatonsuchthat)=.Proof:Asinthe®nite-wordcase,guessesarunof.Atagivenpointofarunof,itkeepsinitsmemoryawholeleveloftherunof(whichisatree).Asitreadsthenextinputsymbol,itguessesthenextleveloftheruntreeof.Thenondeterministicautomaton,however,alsohastokeepinformationaboutoccurrencesofacceptingstatesinordertomakesurethateveryin®nitebranchhitsacceptingstatesin®nitelyoften.Tothatend,partitionseveryleveloftherunofintotwosetstodistinguishbetweenbranchesthathitrecentlyandbranchesthatdidnothitrecently.Let=(;S;s0;;F.Then=(;S;S0;;F,where22(i.e.,eachstateisapairofsetsofstatesof),00(i.e.,thesingleinitialstateispairconsistingofthesingletonset0andtheemptyset),f;g2,and±for,U;V;a)=;VthereexistX;Ysuchthatsatis®est;asatis®est;aF;andd(X\F)g;±;V;a)=;Vthereexistssuchthatsatis®est;aF;andTheproofthatthisconstructioniscorrectrequiresacarefulanalysisofacceptingrunsof. Animportantfeatureofthisconstructionisthattheblowupisexponential.Whilecomplementationofalternatingautomataiseasy(Proposition17),thisisnotthecaseforalternatingBÈuchiautomata.Herewerunintothesamedif®cultythatweranintoinSection2.2:notgoingin®nitelyoftenthroughacceptingstatesisnotthesameasgoingin®nitelyoftenthroughnon-acceptingstates.�FromPropositions7,19and20. itfollowsthatalternatingBÈuchiautomataareclosedundercomplement,buttheprecisecomplexityofcomplementationinthiscaseisnotknown.Finally,bycombiningPropositions13and20,wecanobtainanonemptinesstestforalternatingBÈuchiautomata.Proposition21.1.ThenonemptinessproblemforalternatingBÈuchiautomataisdecidableinexponen-tialtime.2.ThenonemptinessproblemforalternatingBÈuchiautomataisPSPACE-complete.Proof:AllthatremainstobeshownisthePSPACE-hardnessofnonemptiness.WeshowthatthenonemptinessproblemforalternatingautomataisreducibletothenonemptinessproblemforalternatingBÈuchiautomata.Let;S;s0;;Fbeanalternatingautomaton.ConsiderthealternatingBÈuchiautomaton;S;s0;,wheres;a)=s;aforand,ands;a)=trueforand.Weclaimthatiff.Suppose®rstthatforsome.Thenthereisanacceptingrunofon.Butthenisalsoanacceptingrunofonwuforall,becauses;a)=trueforand,sowu.Suppose,ontheotherhand,thatforsome.Thenthereisanacceptingrunofon.Sincehasnoacceptingstate,cannothavein®nitebranches,sobyKÈonig'sLemmaitmustbe®nite.Thus,thereisa®nitepre®xofsuchthatisanacceptingrunofon,so. 3LinearTemporalLogicandAutomataonIn®niteWordsFormulasoflinear-timepropositionaltemporallogic(LTL)arebuiltfromasetPropofatomicpropositionsandareclosedundertheapplicationofBooleanconnectives,theunarytemporalconnective(next),andthebinarytemporalconnective(until)[Pnu77,GPSS80].LTLisinterpretedovercomputations.Acomputationisafunction:2Prop,whichassignstruthvaluestotheelementsofPropateachtimeinstant(naturalnumber).Foracomputationandapoint,wehavethat:±;iforPropiff.±;iiff;iand;i.±;iiffnot;i±;iX'iff;i1.±;iU iffforsome,wehave;jandforallk,kj,wehave;k.Thus,theformulaU',abbreviatedasF',saysthatholdseventually,andtheformula,abbreviated,saysthatholdshenceforth.Forexample,theformulasaysthatwheneverarequestismadeitholdscontinuouslyuntilitiseventuallygranted.Wewillsaythatsatis®esaformula,denoted,iff;0.Computationscanalsobeviewedasin®nitewordsoverthealphabet2Prop.Weshallseethatthesetofcomputationssatisfyingagivenformulaareexactlythoseaccepted bysome®niteautomatononin®nitewords.Thisfactwasproven®rstin[SPH84].Theproofthereisbyinductiononstructureofformulas.Unfortunately,certaininductivestepsinvolveanexponentialblow-up(e.g.,negationcorrespondstocomplementation,whichwehaveseentobeexponential).Asaresult,thecomplexityofthattranslationisnonelementary,i.e.,itmayinvolveanunboundedstackofexponentials(thatis,thecomplexityboundisoftheform22wheretheheightofthestackis.)ThefollowingtheoremestablishesaverysimpletranslationbetweenLTLandalter-natingBÈuchiautomata.Theorem22.[MSS88,Var94]GivenanLTLformula,onecanbuildanalternatingBÈuchiautomaton=(;S;s0;;F,where2Propandisin,suchthatisexactlythesetofcomputationssatisfyingtheformula.Proof:Thesetofstatesconsistsofallsubformulasofandtheirnegation(weidentifytheformulawith).Theinitialstate0isitself.ThesetofacceptingstatesconsistsofallformulasinoftheformU .Itremainstode®nethetransitionfunction.Inthisconstruction,weuseavariationofthenotionofdualthatweusedinSec-tion2.5.Here,thedual ofaformulaisobtainedfrombyswitchingand,byswitchingtrueandfalse,and,inaddition,bynegatingsubformulasin,e.g., Xqis_:Xq.Moreformally,± ,for,± truefalse,± falsetrue,± )=( _ ,and± )=( ^ .Wecannowde®ne:±p;a)=trueif,±p;a)=falseif,± ;a)=;a ;a,± ;a)= ;a,±X ;a)=,±U ;a)= ;a;aU .Notethat ;aisde®nedbyinductiononthestructureof.Considernowarunof.Itiseasytoseethatcanhavetwotypesofin®nitebranches.Eachin®nitebranchislabeledfromsomepointonbyaformulaoftheformU orbyaformulaoftheformU .SinceU ;a)= ;a ;aU ,anin®nitebranchlabeledfromsomepointbyU ensuresthatU indeedfailsatthatpoint,sincefailsfromthatpointon.Ontheotherhand,anin®nitebranchlabeledfromsomepointbyU doesnotensurethatU holdsatthatpoint,sinceitdoesnotensurethateventuallyholds.Thus,whileweshouldallowin®nite brancheslabeledbyU ,weshouldnotallowin®nitebrancheslabeledbyU .Thisiswhywede®nedtoconsistsofallformulasinoftheformU . Example1.ConsidertheformulaUq.ThealternatingBÈuchiautomatonassociatedwithis2';Xp;p;q;;';;,whereisdescribedinthefollowingtable. p;q (s;fpg) (s;fqg) (s;;) ' true :p^' true :p^' :' false _: false _: X:p :p :p :p :p :X:p p p p p :p false false true true p true true false false q true false true false :q false true false true Inthestate,ifdoesnotholdinthepresentstate,thenrequiresbothtobesatis®edinthepresentstate(thatis,hastobesatis®edinnextstate),andtobesatis®edinthenextstate.As,shouldeventuallyreachastatethatsatis®es.Notethatmanyofthestates,e.g.,thesubformulasand,arenotreachable;i.e.,theydonotappearinanyrunof. ByapplyingProposition20,wenowget:Corollary23.[VW94]GivenanLTLformula,onecanbuildaBÈuchiautomaton=(;S;S0;;F,where2Propandisin2,suchthatisexactlythesetofcomputationssatisfyingtheformula.TheproofofCorollary23in[VW94]isdirectanddoesnotgothroughalternatingBÈuchiautomata.Theadvantageoftheproofhereisthatitseparatesthelogicfromthecombinatorics.Theorem22handlesthelogic,whileProposition20handlesthecombinatorics.Example2.ConsidertheformulaFGp,whichrequirestoholdfromsomepointon.TheBÈuchiautomatonassociatedwithis=(2010;;1,whereisdescribedinthefollowingtable. (s;fpg) (s;;) 0 0,1 0 1 1 ; Theautomatoncanstayforeverinthestate0.Uponreading,however,canchoosetogotothestate1.Oncehasmadethattransition,ithastokeepreading,otherwiseitrejects.Notethathastomakethetransitiontothestate1atsomepoint,sincethestate0isnotaccepting.Thus,acceptspreciselywhenholdsfromsomepointon. 4Applications4.1Satis®abilityAnLTLformulaissatis®ableifthereissomecomputationsuchthat.Anunsatis®ableformulaisuninterestingasaspeci®cation,sounsatis®abilitymostlikelyindicatesanerroneousspeci®cation.Thesatis®abilityproblemforLTListodecide,givenanLTLformula,whetherissatis®able.Theorem24.[SC85]Thesatis®abilityproblemforLTLisPSPACE-complete.Proof:ByCorollary23,givenanLTLformula,wecanconstructaBÈuchiautomaton,whosesizeisexponentialinthelengthof,thatacceptspreciselythecomputationsthatsatisfy.Thus,issatis®ableiffisnonempty.Thisreducesthesatis®abilityproblemtothenonemptinessproblem.SincenonemptinessofBÈuchiautomatacanbetestedinnondeterministiclogarithmicspace(Proposition13)andsinceisofexponentialsize,wegetapolynomial-spacealgorithm(again,thealgorithmconstructsªon-the-¯yº).ToprovePSPACE-hardness,itcanbeshownthatanyPSPACE-hardproblemcanbereducedtothesatis®abilityproblem.Thatis,thereisalogarithmic-spacealgorithmthatgivenapolynomial-space-boundedTuringmachineandawordoutputsanLTLformulaM;wsuchthatacceptsiffM;wissatis®able. AnLTLformulaisvalidifforeverycomputationwehavethat.Avalidformulaisalsouninterestingasaspeci®cation.ThevalidityproblemforLTListodecide,givenanLTLformula,whetherisvalid.Itiseasytoseethatisvalidiffisnotsatis®able.Thus,thevalidityproblemforLTLisalsoPSPACE-complete.4.2Veri®cationWefocushereon®nite-stateprograms,i.e.,programsinwhichthevariablesrangeover®nitedomains.Thesigni®canceofthisclassfollowsfromthefactthatasigni®cantnumberofthecommunicationandsynchronizationprotocolsstudiedintheliteratureareinessence®nite-stateprograms[Liu89,Rud87].Sinceeachstateischaracterizedbya®niteamountofinformation,thisinformationcanbedescribedbycertainatomicpropositions.Thismeansthata®nite-stateprogramcanbespeci®edusingpropositionaltemporallogic.Thus,weassumethatwearegivena®nite-stateprogramandanLTLformulathatspeci®esthelegalcomputationsoftheprogram.Theproblemistocheckwhetherallcomputationsoftheprogramarelegal.Beforegoingfurther,letusde®nethesenotionsmoreprecisely.A®nite-stateprogramoverasetPropofatomicpropositionsisastructureoftheform=(;w0;R;V,whereisa®nitesetofstates,0istheinitialstate,2isatotalaccessibilityrelation,and:2PropassignstruthvaluestopropositionsinPropforeachstatein.Theintuitionisthatdescribesallthestatesthattheprogramcouldbein(whereastateincludesthecontentofthememory,registers,buffers,locationcounter,etc.),describesallthepossibletransitionsbetweenstates(allowingfornondeterminism),andrelatesthestatestothepropositions(e.g.,ittellsusinwhatstatesthepropositionistrue).Theassumptionthatistotal (i.e.,thateverystatehasachild)isfortechnicalconvenience.Wecanviewaterminatedexecutionasrepeatingforeveritslaststate.Letbeanin®nitesequence0;u1:::ofstatesinsuchthat00,and1forall0.Thenthesequence0;V1:::isacomputationof.Wesaythatsatis®esanLTLformulaifallcomputationsofsatisfy.Theveri®cationproblemistocheckwhethersatis®es.Thecomplexityoftheveri®cationproblemcanbemeasuredinthreedifferentways.First,onecan®xthespeci®cationandmeasurethecomplexitywithrespecttothesizeoftheprogram.Wecallthismeasuretheprogram-complexitymeasure.Moreprecisely,theprogramcomplexityoftheveri®cationproblemisthecomplexityofthesetssatis®esfora®xed.Secondly,onecan®xtheprogramandmeasurethecomplexitywithrespecttothesizeofthespeci®cation.Wecallthismeasurethespeci®cation-complexitymeasure.Moreprecisely,thespeci®cationcomplexityoftheveri®cationproblemisthecomplexityofthesetssatis®esfora®xed.Finally,thecomplexityinthecombinedsizeoftheprogramandthespeci®cationisthecombinedcomplexity.Letbeacomplexityclass.Wesaythattheprogramcomplexityoftheveri®cationproblemisinifsatis®esg2foranyformula.Wesaythattheprogramcomplexityoftheveri®cationproblemishardforifsatis®esishardforforsomeformula.Wesaythattheprogramcomplexityoftheveri®cationproblemiscompleteforifitisinandishardfor.Similarly,wesaythatthespeci®cationcomplexityoftheveri®cationproblemisinifsatis®esg2foranyprogram,wesaythatthespeci®cationcomplexityoftheveri®cationproblemishardforifsatis®esishardforforsomeprogram,andwesaythatthespeci®cationcomplexityoftheveri®cationproblemiscompleteforifitisinandishardfor.Wenowdescribetheautomata-theoreticapproachtotheveri®cationproblem.A®nite-stateprogram;w0;R;VcanbeviewedasaBÈuchiautomaton;W0;;W,where2Propands;aiffs;sand.Asthisautomatonhasasetofacceptingstatesequaltothewholesetofstates,anyin®niterunoftheautomatonisaccepting.Thus,isthesetofcomputationsof.Hence,fora®nite-stateprogramandanLTLformula,theveri®cationproblemistoverifythatallin®nitewordsacceptedbytheautomatonsatisfytheformula.ByCorollary23,weknowthatwecanbuildaBÈuchiautomatonthatacceptsexactlythecomputationssatisfyingtheformula.Theveri®cationproblemthusreducestotheautomata-theoreticproblemofcheckingthatallcomputationsacceptedbytheautomatonarealsoacceptedbytheautomaton,thatis.Equivalently,weneedtocheckthattheautomatonthataccepts isempty,where )= )=First,notethat,byCorollary23, )=andtheautomatonhas2states.(Astraightforwardapproach,startingwiththeautomatonandthenusingProposition7tocomplementit,wouldresultinadoublyexponentialblow-up.)Togettheintersectionofthetwoautomata,weuseProposition6.Consequently,wecanbuildanautomatonforhavingj
2states.Weneedtocheckthisautomatonforemptiness.UsingProposition13,wegetthefollowingresults. Theorem25.[LP85,SC85,VW86]1.Theprogramcomplexityoftheveri®cationproblemiscompleteforNLOGSPACE.2.Thespeci®cationcomplexityoftheveri®cationproblemiscompleteforPSPACE.3.Checkingwhethera®nite-stateprogramsatis®esanLTLformulacanbedoneintimej
2orinspacelog2.Wenotethatatimeupperboundthatispolynomialinthesizeoftheprogramandexponentialinthesizeofthespeci®cationisconsideredheretobereasonable,sincethespeci®cationisusuallyrathershort[LP85].Forapracticalveri®cationalgorithmthatisbasedontheautomata-theoreticapproachsee[CVWY92].4.3SynthesisIntheprevioussectionwedealtwithveri®cation:wearegivena®nite-stateprogramandanLTLspeci®cationandwehavetoverifythattheprogrammeetsthespeci®cation.Afrequentcriticismagainstthisapproach,however,isthatveri®cationisdoneaftersig-ni®cantresourceshavealreadybeeninvestedinthedevelopmentoftheprogram.Sinceprogramsinvariablycontainerrors,veri®cationsimplybecomespartofthedebuggingprocess.Thecriticsarguethatthedesiredgoalistousethespeci®cationintheprogramdevelopmentprocessinordertoguaranteethedesignofcorrectprograms.Thisiscalledprogramsynthesis.Itturnsoutthattosolvetheprogram-synthesisproblemweneedtouseautomataonin®nitetrees.RabinTreeAutomataRabintreeautomatarunonin®nitelabeledtreeswithauniformbranchingdegree(recallthede®nitionoflabeledtreesinSection2.5).The(in®nite)-arytreeistheset1;:::;k,i.e.,thesetofall®nitesequencesover1;:::;k.Theelementsofarethenodesofthetree.Ifandarenodesof,thenthereisanedgefromto,i.e.,istheparentofandisthechildof.Theemptysequenceistherootof.Abranch0;x1;:::ofisanin®nitesequenceofnodessuchthat0,andistheparentof1forall0.A-labeled-arytree,fora®nitealphabet,isamapping:thatassignstoeverynodealabel.Weoftenrefertolabeledtreesastrees;theintentionwillbeclearfromthecontext.Abranch0;x1;:::ofde®nesanin®niteword)=01;:::consistingofthesequenceoflabelsalongthebranch.A-aryRabintreeautomatonisatuple;S;S0;;G,whereisa®nitealphabet,isa®nitesetofstates,0isasetofinitialstates,22isaRabincondition,and:2isatransitionfunction.Theautomatontakesasinput-labeled-arytrees.Notethats;aisasetof-tuplesforeachstateandsymbol.Intuitively,whentheautomatonisinstateanditisreadinganode,itnondeterministicallychoosesa-tuple1;:::;sinandthenmakescopiesofitselfandmovestothenodeinthestatefor1;:::;k.Arun:ofona-labeled-arytreeisan-labeled-arytreesuchthattherootislabeledbyaninitialstateandthetransitionsobeythetransitionfunction;thatis,0,andforeachnodewehave1;:::;ri2.Therunisacceptingifsatis®esforeverybranch0;x1;:::of.Thatis, foreverybranch0;x1;:::,thereissomepairL;Usuchthatforin®nitelymany's,butforonly®nitelymany's.Notethatdifferentbranchesmightbesatis®edbydifferentpairsin.Thelanguageof,denoted,isthesetoftreesacceptedby.ItiseasytoseethatRabinautomataonin®nitewordsareessentially1-aryRabintreeautomata.ThenonemptinessproblemforRabintreeautomataistodecide,givenaRabintreeautomaton,whetherisnonempty.Unlikethenonemptinessproblemforautomataon®niteandin®nitewords,thenonemptinessproblemfortreeautomataishighlynontrivial.Itwasshowntobedecidablein[Rab69],butthealgorithmtherehadnonelementarytimecomplexity;i.e.,itstimecomplexitycouldnotbeboundedbyany®xedstackofexponentialfunctions.Lateron,elementaryalgorithmsweredescribedin[HR72,Rab72].Thealgorithmin[HR72]runsindoublyexponentialtimeandthealgorithmin[Rab72]runsinexponentialtime.Severalyearslater,in[Eme85,VS85],itwasshownthatthenonemptinessproblemforRabintreeautomataisinNP.Finally,in[EJ88],itwasshownthattheproblemisNP-complete.TherearetworelevantsizeparametersforRabintreeautomata.The®rstisthetransitionsize,whichissizeofthetransitionfunction(i.e.,thesumofthesizesofthesetss;aforand);thetransitionsizeclearlytakesintoaccountthethenumberofstatesin.Thesecondisthenumberofpairsintheacceptancecondition.Forourapplicationhereweneedacomplexityanalysisofthenonemptinessproblemthattakesintoaccountseparatelythetwoparameters.Proposition26.[EJ88,PR89]ForRabintreeautomatawithtransitionsizeandpairs,thenonemptinessproblemcanbesolvedintime.Inotherwords,thenonemptinessproblemforRabintreeautomatacanbesolvedintimethatisexponentialinthenumberofpairsbutpolynomialinthetransitionsize.Aswewillsee,thisdistinctionisquitesigni®cant.RealizabilityTheclassicalapproachtoprogramsynthesisistoextractaprogramfromaproofthatthespeci®cationissatis®able.In[EC82,MW84],itisshownhowtoextractprogramsfrom(®niterepresentationsof)modelsofthespeci®cation.Inthelate1980s,severalresearchersrealizedthattheclassicalapproachiswellsuitedtoclosedsystems,butnottoopensystems[Dil89,PR89,ALW89].Inopensystemstheprograminteractswiththeenvironment;suchprogramsarecalledreactiveprograms[HP85].Acorrectreactiveprogramshouldbeabletohandlearbitraryactionsoftheenvironment.Ifoneappliesthetechniquesof[EC82,MW84]toreactiveprograms,oneobtainsprogramsthatcanhandleonlycertainactionsoftheenvironment.In[PR89,ALW89,Dil89],itisarguedthattherightwaytoapproachsynthesisofreactiveprogramsistoconsiderthesituationasanin®nitegamebetweentheenvironmentandtheprogram.Wearegivena®nitesetofstatesandavaluation:2Prop.Theintuitionisthatdescribesalltheobservablestatesthatthesystemcanbein.(Wewillseelaterwhytheemphasishereonobservability.)Abehavioroverisanin®nitewordoverthealphabet.Theintendedmeaningisthatthebehavior0;w1;:::describesasequenceofstatesthatthesystemgoesthrough,wherethetransitionfrom1towascausedbytheenvironmentwhenisoddandbytheprogramwheniseven.Thatis, theprogrammakesthe®rstmove(intothe®rststate),theenvironmentrespondswiththesecondmove,theprogramcounterswiththethirdmove,andsoon.Weassociatewiththecomputation)=0;V1;:::,andsaythatsatis®esanLTLformulaifsatis®es.Thegoaloftheprogramistosatisfythespeci®cationinthefaceofeverypossiblemovebytheenvironment.Theprogramhasnocontrolovertheenvironmentmoves;itonlycontrolsitsownmoves.Thus,thesituationcanbeviewedasanin®nitegamebetweentheenvironmentandtheprogram,wherethegoaloftheprogramistosatisfythespeci®cation.In®nitegameswereintroducedin[GS53]andtheyareoffundamentalimportanceindescriptivesettheory[Mos80].Historiesare®nitewordsin.Thehistoryofarun0;w1;:::attheevenpoint0,denoted;i,isthe®niteword1;w3;:::;w1consistingofallstatesmovedtobytheenvironment;thehistoryistheemptysequencefor0.Aprogramisafunction:fromhistoriestostates.Theideaisthatiftheprogramisscheduledatapointatwhichthehistoryis,thentheprogramwillcauseachangeintothestate.Thiscapturestheintuitionthattheprogramactsinreactiontotheenvironment'sactions.Abehavioroverisarunoftheprogramif;iforalleven.Thatis,allthestatetransitionscausedbytheprogramareconsistentwiththeprogram.Aprogramsatis®esthespeci®cationifeveryrunofoversatis®es.Thus,acorrectprogramcanbethenviewedasawinningstrategyinthegameagainsttheenvironment.Wesaythatisrealizablewithrespecttoandifthereisaprogramthatsatis®es,inwhichcasewesaythatrealizes.(Inthesequel,weoftenomitexplicitmentionofandwhenitisclearfromthecontext.)Itturnsoutthatsatis®abilityofisnotsuf®cienttoguaranteerealizabilityof.Example3.ConsiderthecasewhereProp,01,0,and1.Considertheformula.Thisformularequiresthatalwaysbetrue,anditisclearlysatis®able.Thereisnoway,however,fortheprogramtoenforcethisrequirement,sincetheenvironmentcanalwaysmovestothestate0,makingfalse.Thus,isnotrealizable.Ontheotherhand,theformulaGFp,whichrequirestoholdin®nitelyoften,isrealizable;infact,itisrealizedbythesimpleprogramthatmapseveryhistorytothestate1.Thisshowsthatrealizabilityisastrongerrequirementthansatis®ability. Considernowthespeci®cation.ByCorollary23,wecanbuildaBÈuchiautomaton=(;S;S0;;F,where2Propandisin2,suchthatisexactlythesetofcomputationssatisfyingtheformula.Thus,givenastatesetandavaluation:2Prop,wecanalsoconstructaBÈuchiautomaton;S;S0;;Fsuchthatisexactlythesetofbehaviorssatisfyingtheformula,bysimplytakings;w)=s;V.ItfollowsthatwecanassumewithoutlossofgeneralitythatthewinningconditionforthegamebetweentheenvironmentandtheprogramisexpressedbyaBÈuchiautomaton:theprogramwinsthegameifeveryrunofisacceptedby.WethussaythattheprogramrealizesaBÈuchiautomatonifallitsrunsareacceptedby.Wealsosaythenthatisrealizable.ItturnsoutthattherealizabilityproblemforBÈuchiautomataisessentiallythesolv-abilityproblemdescribedin[Chu63].(Thewinningconditionin[Chu63]isexpressed inS1S,themonadicsecond-ordertheoryofonesuccessorfunction,butitisknown[BÈuc62]thatS1SsentencescanbetranslatedtoBÈuchiautomata.)Thesolvabilityprob-lemwasstudiedin[BL69,Rab72].Itisshownin[Rab72]thatthisproblemcanbesolvedbyusingRabintreeautomata.Consideraprogram:.Supposewithoutlossofgeneralitythat1;:::;k,forsomek�0.Theprogramcanberepresentedbya-labeled-arytree.Consideranode01:::i,where1for0;:::;m.Wenotethatisahistoryin,andde®ne.Conversely,a-labeled-arytreede®nesaprogram.Considerahistory01:::i,where1for0;:::;m.Wenotethatisanodeof,andde®ne.Thus,-labeled-arytreescanbeviewedasprograms.Itisnothardtoseethattherunsofcorrespondtothebranchesof.Let0;x1;:::beabranch,where0and11for0.Then0;i01;i12;:::isarunof,denoted.Conversely,if0;i1;:::isarunof,thencontainsabranch0;x1;:::,where0,121,and)=2for0.Onewaytovisualizethisistothinkoftheedgefromtheparenttoitschildaslabeledby.Thus,therunisthesequenceofedgeandnodelabelsalong.Wethusrefertothebehaviorsforbranchesofa-labeled-arytreeastherunsof,andwesaythatrealizesaBÈuchiautomatonifalltherunsofareacceptedby.Wehavethusobtainedthefollowing:Proposition27.AprogramrealizesaBÈuchiautomatoniffthetreerealizes.WehavethusreducedtherealizabilityproblemforLTLspeci®cationstoanautomata-theoreticproblem:givenaBÈuchiautomaton,decideifthereisatreethatrealizes.OurnextstepistoreducethisproblemtothenonemptinessproblemforRabintreeautomata.WewillconstructaRabinautomatonthatacceptspreciselythetreesthatrealize.Thus,iffthereisatreethatrealizes.Theorem28.GivenaBÈuchiautomatonwithstatesoveranalphabet1;:::;k,wecanconstructa-aryRabintreeautomatonwithtransitionsize2logandpairssuchthatispreciselythesetoftreesthatrealize.Proof:Consideraninputtree.TheRabintreeautomatonneedstoverifythatforeverybranchofwehavethat.Thus,needstoªruninparallelºonallbranchesof.We®rstneedtodealwiththefactthatthelabelsincontaininformationonlyabouttheactionsof(whiletheinformationontheactionsoftheenvironmentisimplicitintheedges).Supposethat=(;S;S0;;F.We®rstde®neaBÈuchiautomatonthatemulatesbyreadingpairsofinputsymbolsatatime.Let=(2;Sf01;S0f0;;Sf1,wherea;b)=0ij;bforsomes;ag[1ij;bforsomes;ag[1ij;bforsomes;a Intuitively,appliestwotransitionsofwhilerememberingwhethereithertransitionvisited.Notethatthisconstructiondoublesthenumberofstates.Itiseasytoprovethefollowingclaim:Claim:acceptsthein®niteword0;w12;w3;:::overthealphabet2iffacceptsthein®niteword0;w1;w2;w3;:::over.Inordertobeabletoruninparallelonallbranches,weapplyProposition10toandobtainadeterministicRabinautomatonsuchthat.AscommentedinSection2.2,has2logstatesandpairs.Let2;Q;0;;G.WecannowconstructaRabintreeautomatonthatªrunsinparallelºonallbranchesof.Let=(;Q;0;;G,whereisde®nedasfollows:q;a)=q;1


q;a;kIntuitively,emulatesbyfeedingitpairsconsistingofanodelabelandanedgelabel.Notethatifq;a;i)=forsome1,thenq;a)=.Claim:ispreciselythesetoftreesthatrealize.Itremainstoanalyzethesizeof.Itisclearthatithas2logstatesandpairs.Sinceitisdeterministic,itstransitionsizeis2log. WecannowapplyProposition26tosolvetherealizabilityproblem.Theorem29.[ALW89,PR89]TherealizabilityproblemforBÈuchiautomatacanbesolvedinexponentialtime.Proof:ByTheorem28,givenaBÈuchiautomatonwithstatesoveranalphabet1;:::;k,wecanconstructa-aryRabintreeautomatonwithtransitionsize2logandandpairssuchthatispreciselythesetoftreesthatrealize.ByProposition26,wecantestthenonemptinessofintime22log. Corollary30.[PR89]TherealizabilityproblemforLTLcanbesolvedindoublyexpo-nentialtime.Proof:ByCorollary23,givenanLTLformula,onecanbuildaBÈuchiautomatonwith2statessuchthatisexactlythesetofcomputationssatisfyingtheformula.BycombiningthiswiththeboundofTheorem29,wegetatimeboundof2. In[PR89],itisshownthatthedoublyexponentialtimeboundofCorollary30isessen-tiallyoptimal.Thus,whiletherealizabilityproblemforLTLisdecidable,intheworstcaseitcanbehighlyintractable.Example4.ConsideragainthesituationwhereProp,01,0)=,and1)=.Letbetheformula.Wehave=(11;;W,where11)=1,andallothertransitionsareempty(e.g.,10)=,etc.).Notethatisdeterministic.Wecanemulatebyanautomatonthatreadspairsofsymbols:2;Wf0110;;Wf1,where101111,andallothertransitionsareempty.Finally,weconstructtheRabintreeautomaton ;Wf0110;L;U,wheres;aisemptyforallstatesandsymbol.Clearly,)=,whichimpliesthatisnotrealizable. WenotethatCorollary30onlytellsushowtodecidewhetheranLTLformulaisrealizableornot.Itisshownin[PR89],however,thatthealgorithmofProposition26canprovidemorethanjustaªyes/noºanswer.WhentheRabinautomatonisnonempty,thealgorithmreturnsa®niterepresentationofanin®nitetreeacceptedby.Itturnsoutthatthisrepresentationcanbeconvertedintoaprogramthatrealizesthespeci®cation.Iteventurnsoutthatthisprogramisa®nite-stateprogram.Thismeansthattherearea®niteset,afunction:,afunction1:,andafunction2:suchthatforallandwehave:±)=2±)=1;wThus,insteadofrememberingthehistory(whichrequiresanunboundedmemory),theprogramneedsonlytoremember.Itperformsitsaction1and,whenitseestheenvironment'saction,itupdatesitsmemoryto2;w.Notethatthisªmemoryºisinternaltotheprogramandisnotpertinenttothespeci®cation.Thisisincontrasttotheobservablestatesinthatarepertinenttothespeci®cation.AcknowledgementsIamgratefultoOysteinHaugen,OrnaKupferman,andFaronMollerfortheirmanycommentsonearlierdraftsofthispaper.References[ALW89]M.Abadi,L.Lamport,andP.Wolper.Realizableandunrealizableconcurrentpro-gramspeci®cations.InProc.16thInt.ColloquiumonAutomata,LanguagesandPro-gramming,volume372,pages1±17.LectureNotesinComputerScience,Springer-Verlag,July1989.[BL69]J.R.BÈuchiandL.HG.Landweber.Solvingsequentialconditionsby®nite-statestrate-gies.Trans.AMS,138:295±311,1969.[BL80]J.A.BrzozowskiandE.Leiss.Finiteautomata,andsequentialnetworks.TheoreticalComputerScience,10:19±35,1980.[BÈuc62]J.R.BÈuchi.Onadecisionmethodinrestrictedsecondorderarithmetic.InProc.Internat.Congr.Logic,MethodandPhilos.Sci.1960,pages1±12,Stanford,1962.StanfordUniversityPress.[Cho74]Y.Choueka.Theoriesofautomataon-tapes:Asimpli®edapproach.J.ComputerandSystemSciences,8:117±141,1974.[Chu63]A.Church.Logic,arithmetics,andautomata.InProc.InternationalCongressofMathematicians,1962,pages23±35.institutMittag-Lef¯er,1963.[CKS81]A.K.Chandra,D.C.Kozen,andL.J.Stockmeyer.Alternation.JournaloftheAsso-ciationforComputingMachinery,28(1):114±133,1981.[CLR90]T.H.Cormen,C.E.Leiserson,andR.L.Rivest.IntroductiontoAlgorithms.MITPress,1990. [CVWY92]C.Courcoubetis,M.Y.Vardi,P.Wolper,andM.Yannakakis.Memoryef®cientalgorithmsfortheveri®cationoftemporalproperties.FormalMethodsinSystemDesign,1:275±288,1992.[Dil89]D.L.Dill.Tracetheoryforautomatichierarchicalveri®cationofspeedindependentcircuits.MITPress,1989.[EC82]E.A.EmersonandE.M.Clarke.Usingbranchingtimelogictosynthesizesynchro-nizationskeletons.ScienceofComputerProgramming,2:241±266,1982.[EH86]E.A.EmersonandJ.Y.Halpern.Sometimesandnotneverrevisited:Onbranchingversuslineartime.JournaloftheACM,33(1):151±178,1986.[EJ88]E.A.EmersonandC.Jutla.Thecomplexityoftreeautomataandlogicsofprograms.InProceedingsofthe29thIEEESymposiumonFoundationsofComputerScience,pages328±337,WhitePlains,October1988.[EJ89]E.A.EmersonandC.Jutla.Onsimultaneouslydeterminizingandcomplementing-automata.InProceedingsofthe4thIEEESymposiumonLogicinComputerScience,pages333±342,1989.[EL85a]E.A.EmersonandC.-L.Lei.Modalitiesformodelchecking:Branchingtimelogicstrikesback.InProceedingsoftheTwelfthACMSymposiumonPrinciplesofPro-grammingLanguages,pages84±96,NewOrleans,January1985.[EL85b]E.A.EmersonandC.-L.Lei.Temporalmodelcheckingundergeneralizedfairnessconstraints.InProc.18thHawaiiInternationalConferenceonSystemSciences,pages277±288,Hawaii,1985.[Eme85]E.A.Emerson.Automata,tableaux,andtemporallogics.InLogicofPrograms,volume193ofLectureNotesinComputerScience,pages79±87.Springer-Verlag,Berlin,1985.[GJ79]M.GareyandD.S.Johnson.ComputersandIntractability:AGuidetotheTheoryofNP-completeness.W.FreemanandCo.,SanFrancisco,1979.[GPSS80]D.Gabbay,A.Pnueli,S.Shelah,andJ.Stavi.Onthetemporalanalysisoffairness.InProceedingsofthe7thACMSymposiumonPrinciplesofProgrammingLanguages,pages163±173,January1980.[GS53]D.GaleandF.M.Stewart.In®nitegamesofperfectinformation.Ann.Math.Studies,28:245±266,1953.[HP85]D.HarelandA.Pnueli.Onthedevelopmentofreactivesystems.InK.Apt,editor,LogicsandModelsofConcurrentSystems,volumeF-13ofNATOAdvancedSummerInstitutes,pages477±498.Springer-Verlag,1985.[HR72]R.HossleyandC.W.Rackoff.Theemptinessproblemforautomataonin®nitetrees.InProc.13thIEEESymp.onSwitchingandAutomataTheory,pages121±124,1972.[HU79]J.E.HopcroftandJ.D.Ullman.IntroductiontoAutomataTheory,LanguagesandComputation.Addison-Wesley,NewYork,1979.[Jon75]N.D.Jones.Space-boundedreducibilityamongcombinatorialproblems.JournalofComputerandSystemSciences,11:68±75,1975.[Kur94]RobertP.Kurshan.Computer-AidedVeri®cationofCoordinatingProcesses:TheAutomata-TheoreticApproach.PrincetonUniversityPress,Princeton,NewJersey,1994.[Lam80]L.Lamport.Sometimesissometimesªnotneverº-onthetemporallogicofprograms.InProceedingsofthe7thACMSymposiumonPrinciplesofProgrammingLanguages,pages174±185,January1980.[Lei81]Leiss.Succinctrepresentationofregularlanguagesbybooleanautomata.TheoreticalComputerScience,13:323±330,1981.[Liu89]M.T.Liu.Protocolengineering.AdvancesinComputing,29:79±195,1989. [LP85]O.LichtensteinandA.Pnueli.Checkingthat®nitestateconcurrentprogramssatisfytheirlinearspeci®cation.InProceedingsoftheTwelfthACMSymposiumonPrinciplesofProgrammingLanguages,pages97±107,NewOrleans,January1985.[LPZ85]O.Lichtenstein,A.Pnueli,andL.Zuck.Thegloryofthepast.InLogicsofPro-grams,volume193ofLectureNotesinComputerScience,pages196±218,Brooklyn,1985.Springer-Verlag,Berlin.[McN66]R.McNaughton.Testingandgeneratingin®nitesequencesbya®niteautomaton.InformationandControl,9:521±530,1966.[MF71]A.R.MeyerandM.J.Fischer.Economyofdescriptionbyautomata,grammars,andformalsystems.InProc.12thIEEESymp.onSwitchingandAutomataTheory,pages188±191,1971.[MH84]S.MiyanoandT.Hayashi.Alternating®niteautomataon-words.TheoreticalComputerScience,32:321±330,1984.[Mic88]M.Michel.Complementationismoredif®cultwithautomataonin®nitewords.CNET,Paris,1988.[Mos80]Y.N.Moschovakis.DescriptiveSetTheory.NorthHolland,1980.[MP92]Z.MannaandA.Pnueli.TheTemporalLogicofReactiveandConcurrentSystems:Speci®cation.Springer-Verlag,Berlin,1992.[MS72]A.R.MeyerandL.J.Stockmeyer.Theequivalenceproblemforregularexpressionswithsquaringrequiresexponentialtime.InProc.13thIEEESymp.onSwitchingandAutomataTheory,pages125±129,1972.[MS87]D.E.MullerandP.E.Schupp.Alternatingautomataonin®nitetrees.TheoreticalComputerScience,54,:267±276,1987.[MSS88]D.E.Muller,A.Saoudi,andP.E.Schupp.Weakalternatingautomatagiveasimpleexplanationofwhymosttemporalanddynamiclogicsaredecidableinexponentialtime.InProceedings3rdIEEESymposiumonLogicinComputerScience,pages422±427,Edinburgh,July1988.[MW84]Z.MannaandP.Wolper.Synthesisofcommunicatingprocessesfromtemporallogicspeci®cations.ACMTransactionsonProgrammingLanguagesandSystems,6(1):68±93,January1984.[OL82]S.OwickiandL.Lamport.Provinglivenesspropertiesofconcurrentprograms.ACMTransactionsonProgrammingLanguagesandSystems,4(3):455±495,July1982.[Pei85]R.Peikert.-regularlanguagesandpropositionaltemporallogic.TechnicalReport85-01,ETH,1985.[Pnu77]A.Pnueli.Thetemporallogicofprograms.InProc.18thIEEESymposiumonFoundationofComputerScience,pages46±57,1977.[PR89]A.PnueliandR.Rosner.Onthesynthesisofareactivemodule.InProceedingsoftheSixteenthACMSymposiumonPrinciplesofProgrammingLanguages,Austin,Januery1989.[Rab69]M.O.Rabin.Decidabilityofsecondordertheoriesandautomataonin®nitetrees.TransactionoftheAMS,141:1±35,1969.[Rab72]M.O.Rabin.Automataonin®niteobjectsandChurch'sproblem.InRegionalConf.Ser.Math.,13,Providence,RhodeIsland,1972.AMS.[RS59]M.O.RabinandD.Scott.Finiteautomataandtheirdecisionproblems.IBMJ.ofResearchandDevelopment,3:115±125,1959.[Rud87]H.Rudin.Networkprotocolsandtoolstohelpproducethem.AnnualReviewofComputerScience,2:291±316,1987.[Saf88]S.Safra.Onthecomplexityofomega-automata.InProceedingsofthe29thIEEESymposiumonFoundationsofComputerScience,pages319±327,WhitePlains,October1988. [Sav70]W.J.Savitch.Relationshipbetweennondeterministicanddeterministictapecom-plexities.J.onComputerandSystemSciences,4:177±192,1970.[SC85]A.P.SistlaandE.M.Clarke.Thecomplexityofpropositionallineartemporallogic.JournaloftheAssociationforComputingMachinery,32:733±749,1985.[Sis83]A.P.Sistla.Theoreticalissuesinthedesignandanalysisofdistributedsystems.PhDthesis,HarvardUniversity,1983.[SPH84]R.Sherman,A.Pnueli,andD.Harel.Istheinterestingpartofprocesslogicun-interesting:atranslationfromPLtoPDL.SIAMJ.onComputing,13(4):825±839,1984.[SVW87]A.P.Sistla,M.Y.Vardi,andP.Wolper.ThecomplementationproblemforBÈuchiautomatawithapplicationstotemporallogic.TheoreticalComputerScience,49:217±237,1987.[Tho90]W.Thomas.Automataonin®niteobjects.Handbookoftheoreticalcomputerscience,pages165±191,1990.[Var94]M.Y.Vardi.Nontraditionalapplicationsofautomatatheory.InTheoreticalAspectsofComputerSoftware,Proc.Int.Symposium(TACS'94),volume789ofLectureNotesinComputerScience,pages575±597.Springer-Verlag,Berlin,1994.[VS85]M.Y.VardiandL.Stockmeyer.Improvedupperandlowerboundsformodallogicsofprograms.InProc17thACMSymp.onTheoryofComputing,pages240±251,1985.[VW86]M.Y.VardiandP.Wolper.Anautomata-theoreticapproachtoautomaticprogramveri®cation.InProceedingsoftheFirstSymposiumonLogicinComputerScience,pages322±331,Cambridge,June1986.[VW94]M.Y.VardiandP.Wolper.Reasoningaboutin®nitecomputations.InformationandComputation,115(1):1±37,1994.[Wol82]P.Wolper.SynthesisofCommunicatingProcessesfromTemporalLogicSpeci®ca-tions.PhDthesis,StanfordUniversity,1982.[WVS83]P.Wolper,M.Y.Vardi,andA.P.Sistla.Reasoningaboutin®nitecomputationpaths.InProc.24thIEEESymposiumonFoundationsofComputerScience,pages185±194,Tucson,1983.