Behavioral QLTL

Giuseppe De Giacomo, Giuseppe Perelli
Sapienza University of Rome
{degiacomo, perelli}@diag.uniroma1.it
arXiv [cs.LO], Feb

Abstract

In this paper we introduce Behavioral QLTL, which is a “behavioral” variant of linear-time temporal logic on infinite traces with second-order quantifiers. Behavioral QLTL is characterized by the fact that the functions that assign the truth value of the quantified propositions along the trace can only depend on the past. In other words, such functions must be “processes”. This gives the logic a strategic flavor that we usually associate with planning. Indeed, we show that temporally extended planning in nondeterministic domains, as well as LTL synthesis, are expressed in Behavioral QLTL through formulas with a simple quantification alternation, while, as this alternation increases, we get to forms of planning/synthesis in which conditional and conformant planning aspects get mixed. We study this logic from the computational point of view and compare it to the original QLTL (with non-behavioral semantics) and to simpler forms of behavioral semantics.
Since the very early times of AI, researchers have tried to reduce planning to logical reasoning, i.e., satisfiability, validity, logical implication [23]. However, as we consider more and more sophisticated forms of planning, this becomes more and more challenging, because the logical reasoning we need to do is intrinsically second-order. One prominent case is when we want to express the model of the world (aka the environment) and the goal of the agent directly in Linear-time Temporal Logic, which is the logic used most in formal methods to specify dynamic systems. Examples are the pioneering work on using temporal logic as a sort of programming language through the MetateM framework [6], the work on temporally extended goals and declarative control constraints [4, 5], the work on planning via model checking [15, 16, 17, 7], and the work on adopting LTL logical reasoning (plus some meta-theoretic manipulation) for certain forms of planning [11, 9]. More recently, the connection between planning in nondeterministic domains and (reactive) synthesis [32] has been investigated, and in fact it has been shown that planning in nondeterministic domains can be seen in general terms as a form of synthesis in the presence of a model of the environment [10, 3], also related to synthesis under assumptions [12, 13].

However, the connection between planning and synthesis also clarifies formally that we cannot directly use the standard forms of reasoning in LTL, such as satisfiability, validity, or logical implication, to do planning. Indeed, the logical reasoning task we have to adopt is a nonstandard one, called “realizability” [14, 32], which is inherently a second-order form of reasoning on LTL specifications. So one question comes naturally: can we use the second-order version of LTL, called QLTL (or QPTL) [37], and thereby avoid nonstandard forms of reasoning?

In [9] a positive answer was given, limited to conformant planning, in which we cannot observe the response of the environment to the agent's actions. Indeed, it was shown that conformant planning could be captured through standard logical reasoning in QLTL. But the results there do not extend to conditional planning (with or without full observability) in nondeterministic environment models. The reason for this is very profound. Any plan must be a “process”, i.e., observe what has happened so far (the history), observe the current state and take a decision on the next action to do [1]. QLTL instead interprets quantified propositions (i.e., in the case of planning, the actions to be chosen) through functions that have access to the whole trace, i.e., also the future instants; hence they cannot be considered processes. This is a clear mismatch that makes standard QLTL unsuitable to capture planning through standard reasoning tasks.

This mismatch is not only a characteristic of QLTL but, interestingly, even of logics that have been introduced specifically for strategic reasoning. This has led to investigating the “behavioral” semantics in these logics. In their seminal work [28], Mogavero et al. introduce and analyze the behavioral aspects of quantification in Strategy Logic (SL): a logic for reasoning about the strategic behavior of agents in a context where the properties of executions are expressed in LTL. They show that restricting to behavioral quantification of strategies is a way of both making the semantics more realistic and computationally easier. In addition, they proved that behavioral and non-behavioral semantics coincide for certain fragments, including the well-known ATL⋆ [2], but diverge for more interesting classes of formulas, e.g., the ones that can express game-theoretic properties such as Nash Equilibria and the like. This has started a new line of research that aims at identifying new notions of behavioral and non-behavioral quantification, as well as characterizing the syntactic fragments that are invariant to these semantic variations [20, 21].

In this paper we introduce a behavioral semantics for QLTL. The resulting logic, called Behavioral-QLTL (QLTL_B), is characterized by the fact that the functions that assign the truth value of the quantified propositions along the trace can only depend on the past. In other words, such functions must be “processes”. This makes QLTL_B perfectly suitable to capture extended forms of planning through standard reasoning tasks (satisfiability in particular).

Indeed, temporally extended planning in nondeterministic domains, as well as LTL synthesis, are expressed in QLTL_B through formulas with a simple quantification alternation, while, as this alternation increases, we get to forms of planning/synthesis in which conditional and conformant planning aspects get mixed. For example, the QLTL_B formula of the form ∃Y ∀X ψ represents conformant planning over the LTL specification (of both environment model and goal) ψ, as it is intended in [34] (note that this could be done also with standard QLTL, since ∃Y is put upfront as it cannot depend on the nondeterministic evolution of the fluents in the planning domain). Instead, the QLTL_B formula ∀X ∃Y ψ represents contingent planning, i.e., Planning in Fully Observable Nondeterministic Domains (FOND), as well as LTL synthesis (which, instead, could not be captured in standard QLTL). By taking QLTL_B formulas with increased alternation, one can describe more complex forms of planning and synthesis. The QLTL_B formula ∀X ∃Y ∀X ϕ represents the problem of Planning in Partially Observable Nondeterministic Domains (POND), where X and X are the visible and hidden parts of the domain, respectively. By going even further in alternation, we get a generalized form of POND where a number of actuators with hierarchically reduced visibility are coordinated to execute a plan that fulfills a temporally extended goal in an environment model. Interestingly, this instantiates problems of distributed synthesis with hierarchical information studied in formal methods [33, 25, 18].

We study QLTL_B by introducing a formal semantics that is Skolem-based, meaning that we make use of different notions of Skolem functions and Skolemization to define the truth value of formulas. The advantage of this approach is in the correspondence between Skolem functions and strategies/plans in synthesis and planning problems. As a matter of fact, they can all be represented as suitable labeled trees, describing all the possible executions of a given process that receives inputs from the environment. We show that the complexity of satisfiability in QLTL_B is (n + 1)-EXPTIME-complete, with n being the number of quantification blocks of the form ∀X_i ∃Y_i in the formula. This improves the complexity of the satisfiability problem for classic QLTL, which depends on the overall quantifier alternation in the formula, and in particular is n − -EXPSPACE-complete. Moreover, it also shows that the corresponding synthesis and planning problems can be optimally solved in QLTL_B, as the matching lower bound is provided by a reduction of these problems.

We also consider a weak variant of QLTL_B, called Weak Behavioral-QLTL (QLTL_WB), where the history is always visible while we have restricted visibility on the current instant only. We show that the complexity of satisfiability in QLTL_WB is -EXPTIME-complete, regardless of the number and alternation of quantifiers. The reason for this is that processes are modeled in a way that they have full visibility on the past computation. This allows them to find the right plan by means of local reasoning, and so without employing computationally expensive automata projections. As for the case of QLTL_B, such a procedure is optimal to solve the corresponding synthesis problems, as the matching lower bound is again provided by a reduction of them.

We introduce
Quantified Linear-Temporal Logic as an extension of Linear-Time Temporal Logic.

Linear-Time Temporal Logic

Linear Temporal Logic (LTL) over infinite traces was originally proposed in Computer Science as a specification language for concurrent programs [31]. Formulas of LTL are built from a set Var of propositional variables (or simply variables), together with Boolean and temporal operators. Its syntax can be described as follows:

ϕ ::= x | ¬ϕ | ϕ ∨ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ

where x ∈ Var is a propositional variable.

Intuitively, the formula X ϕ says that ϕ holds at the next instant. Moreover, the formula ϕ U ϕ says that at some future instant ϕ holds and until that point, ϕ holds. We also use the standard Boolean abbreviations true := x ∨ ¬x (true), false := ¬true (false), and ϕ → ϕ := ¬ϕ ∨ ϕ (implies). In addition, we also use the binary operator ϕ R ϕ ≐ ¬(¬ϕ U ¬ϕ) (release) and the unary operators F ϕ := true U ϕ (eventually) and G ϕ := ¬F ¬ϕ (globally).

The classic semantics of LTL is given in terms of infinite traces, i.e., truth values over the natural numbers. More precisely, an interpretation π : N → Var is a function that maps each natural number i to a truth assignment π(i) ∈ Var over the set of variables Var. Along the paper, we might refer to finite segments of a computation π. More precisely, for two indexes i, j ∈ N, by π(i, j) ≐ π(i), ..., π(j) ∈ (2^Var)* we denote the finite segment of π from its i-th to its j-th position. A segment π(0, j) starting from 0 is also called a prefix and is sometimes denoted π_≤j.

We say that an LTL formula ϕ is true on an assignment π at instant i, written π, i ⊨_C ϕ, if:

- π, i ⊨_C x, for x ∈ Var, iff x ∈ π(i);
- π, i ⊨_C ¬ϕ iff π, i ⊭_C ϕ;
- π, i ⊨_C ϕ ∨ ϕ iff either π, i ⊨_C ϕ or π, i ⊨_C ϕ;
- π, i ⊨_C ϕ ∧ ϕ iff both π, i ⊨_C ϕ and π, i ⊨_C ϕ;
- π, i ⊨_C X ϕ iff π, i + 1 ⊨_C ϕ;
- π, i ⊨_C ϕ U ϕ iff for some j ≥ i, we have that π, j ⊨_C ϕ and for all k ∈ {i, ..., j − }, we have that π, k ⊨_C ϕ.

A formula ϕ is true over π, written π ⊨_C ϕ, iff π, ⊨_C ϕ. A formula ϕ is satisfiable if it is true on some interpretation and valid if it is true in every interpretation.

Quantified Linear-Time Temporal Logic
Quantified Linear-Temporal Logic (QLTL) is an extension of LTL with two second-order quantifiers [36]. Its formulas are built using the classic LTL Boolean and temporal operators, on top of which existential and universal quantification over variables is applied. Formally, the syntax is given as follows:

ϕ ::= ∃xϕ | ∀xϕ | x | ¬ϕ | ϕ ∨ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ | ϕ R ϕ,

where x ∈ Var is a propositional variable.

Note that this is a proper extension of LTL, as QLTL has the same expressive power as MSO [36], whereas LTL is equivalent to FOL [19].

In order to define the semantics of QLTL, we introduce some notation. For an interpretation π and a set of variables X ⊆ Var, by π↾X we denote the projection interpretation over X defined as π↾X(i) ≐ π(i) ∩ X at any time point i ∈ N. Moreover, by π↾−X ≐ π↾(Var \ X) we denote the projection interpretation over the complement of X. For a single variable x, we simplify the notation as π↾x ≐ π↾{x} and π↾−x ≐ π↾(Var \ {x}). Finally, we say that π and π′ agree over X if π↾X = π′↾X.

Observe that we can reverse the projection operation by combining interpretations over disjoint sets of variables. More formally, for two disjoint sets X, X′ ⊆ Var and two interpretations π_X and π_X′ over X and X′, respectively, π_X ⋒ π_X′ is defined as the (unique) interpretation over X ∪ X′ such that its projections on X and X′ correspond to π_X and π_X′, respectively.

The classic semantics of the quantifiers in a QLTL formula ϕ over an interpretation π, at instant i, denoted π, i ⊨_C ϕ, is defined as follows:

- π, i ⊨_C ∃xϕ iff there exists an interpretation π′ such that π↾−x = π′↾−x and π′, i ⊨_C ϕ;
- π, i ⊨_C ∀xϕ iff for every interpretation π′ such that π↾−x = π′↾−x, it holds that π′, i ⊨_C ϕ.

A variable x is free in ϕ if it occurs at least once out of the scope of either ∃x or ∀x in ϕ. By free(ϕ) we denote the set of free variables in ϕ.

As for LTL, we say that ϕ is true on π, and write π ⊨_C ϕ, iff π, ⊨_C ϕ. Analogously, a formula ϕ is satisfiable if it is true on some interpretation π, whereas it is valid if it is true on every possible interpretation π. Note that, as quantifications in the formula replace the interpretation over the variables in their scope, we can assume that π are interpretations over the set free(ϕ) of free variables in ϕ.

A QLTL formula is in prenex normal form if it is of the form ℘ψ, where ℘ = Qn x ... Qn_n x_n is a prefix quantification with Qn_i ∈ {∃, ∀} and x_i being a variable occurring on a quantifier-free subformula ψ, which can be regarded as LTL. Every QLTL formula can be rewritten in prenex normal form, meaning that it is true on the same set of interpretations. Consider for instance the formula G(∃y(y ∧ X ¬y)). This is equivalent to ∀x ∃y (singleton(x) → (G(x → (y ∧ X ¬y)))), with singleton(x) ≐ F x ∧ G(x → X G ¬x) expressing the fact that x is true exactly once on the trace. A full proof of the reduction to prenex normal form can be derived from [38, Section 2.3]. For convenience and without loss of generality, from now on we will assume that QLTL formulas are always in prenex normal form. Recall that for a formula ϕ = ℘ψ it is easy to obtain the prenex normal form of its negation ¬ϕ as ℘¬ψ, where ℘ is obtained from ℘ by swapping every quantification from existential to universal and vice versa. From now on, by ¬ϕ we denote its prenex normal form transformation.

An alternation in a quantification prefix ℘ is either a sequence ∃x∀y or a sequence ∀x∃y occurring in ℘. A formula of the form ℘ψ is of alternation-depth k if ℘ contains exactly k alternations. By k-QLTL we denote the QLTL fragment of formulas with alternation k. Moreover, Σ^QLTL_k and Π^QLTL_k denote the fragments of k-QLTL of formulas starting with an existential and a universal quantification, respectively.

It is convenient to make use of the syntactic shortcuts ∃Xϕ ≐ ∃x ... ∃x_k ϕ and ∀Xϕ ≐ ∀x ... ∀x_k ϕ with X = {x, ..., x_k}. Formulas can then be written in the form Qn X ... Qn_n X_n ψ such that every two consecutive occurrences of quantifiers are in alternation, that is, Qn_i = ∃ iff Qn_{i+1} = ∀, for every i ≤ n.

Footnote: The reader might observe that pushing the quantification over y outside the temporal operator does not work. Indeed, the formula ∃y G(y ∧ X ¬y) is unsatisfiable.

QLTL formula ϕ, determine whether it is satisfiable or not. Note that every formula ϕ is satisfiable if, and only if, ∃free(ϕ)ϕ is satisfiable. This means that we can study the satisfiability problem in QLTL for closed formulas, i.e., formulas where every variable is quantified.

Such a problem is decidable, though computationally highly intractable in general [36]. For a given natural number k, by k-EXPSPACE we denote the language of problems solved by a Turing machine with space bounded by ... n, where the height of the tower is k and n is the size of the input. By convention -EXPSPACE denotes PSPACE.

Theorem 1 ([37]). The satisfiability problem for k-QLTL formulas is k-EXPSPACE-complete.

We now give an alternative way to capture the semantics of
QLTL, which is in terms of (second-order) Skolem functions. This will allow us later to suitably restrict such Skolem functions to capture behavioral semantics, by forcing them to depend only on the past history and the current situation.

Let ℘ be a quantification prefix. By ∃(℘) and ∀(℘) we denote the sets of variables that are quantified existentially and universally, respectively. Moreover, by X <_℘ Y we denote the fact that X occurs before Y in ℘. For a given set of consecutive variables Y ∈ ∃(℘) that are existentially quantified, by Dep_℘(Y) = {X ∈ ∀(℘) | X <_℘ Y} we denote the set of variables on which Y depends in ℘. Moreover, for a given set F ⊆ Var of variables, by Dep^F_℘(Y) = F ∪ Dep_℘(Y) we denote the augmented dependency, taking into account an additional set of variables for dependency. Whenever clear from the context, we omit the subscript and simply write Dep(Y) and Dep^F(Y).

The relation defined above captures the concept of functional dependence generated by quantifiers and free variables in a QLTL formula. Intuitively, whenever a dependence occurs between two variables X and Y, this means that the existential choices in Y are determined by a function whose domain is given by all possible choices available in X, be it universally quantified or free in the corresponding formula. This dependence is known in first-order logic as a Skolem function and can be described in QLTL as follows.
Definition 1 (Skolem function). For a given quantification prefix ℘ defined over a set Var(℘) ⊆ Var of variables, and a set F of variables, a function θ : (2^(F ∪ ∀(℘)))^ω → (2^∃(℘))^ω is called a Skolem function over (℘, F) if, for all π, π ∈ (2^∀(℘))^ω and Y ∈ ∃(℘), it holds that

π↾Dep^F(Y) = π↾Dep^F(Y) ⇒ θ(π)↾Y = θ(π)↾Y.

Informally, a Skolem function takes interpretations of the variables in F ∪ ∀(℘) to return interpretations of the existentially quantified ones in a functional way. Sometimes, to simplify the notation, we identify θ(π) with π ⋒ θ(π), that is, θ extends the interpretation π to the existentially quantified variables of ℘.

Skolem functions can be used to define another semantics in QLTL formulas in prenex normal form.
Definition 2 (Skolem semantics). A QLTL formula in prenex normal form ϕ = ℘ψ is Skolem true over an interpretation π at an instant i, written π, i ⊨_S ϕ, if there exists a Skolem function θ over (℘, free(ϕ)) such that θ(π ⋒ π ∀(℘)), i ⊨_C ψ.

Intuitively, the Skolem semantics characterizes the truth of a QLTL formula with the existence of a Skolem function that returns the interpretations of the existential quantifications as a function of the variables on which they depend.

In principle, there might be formulas ϕ and interpretations π such that π ⊨_S ϕ and π ⊨_S ¬ϕ, as the Skolem semantics requires the existence of two Skolem functions that are defined over different domains, and so not necessarily inconsistent with each other. However, as the following theorem shows, the Skolem semantics is equivalent to the classic one. Therefore, for every formula ϕ and an interpretation π, it holds that π ⊨_S ϕ iff π ⊭_S ¬ϕ.

Theorem 2. For every QLTL formula in prenex normal form ϕ = ℘ψ and an interpretation π ∈ (2^F)^ω over the free variables F = free(ϕ) of ϕ, it holds that π ⊨_C ϕ if, and only if, π ⊨_S ϕ.

Proof. Recall that π ⊨_S ϕ iff there exists a Skolem function θ over (℘, F) such that, for each interpretation π′ ∈ (2^∀(℘))^ω, it holds that θ(π ⋒ π′) ⊨_C ψ.

The proof proceeds by induction on the length of ℘. For the case |℘| = 0, we have ℘ = ε, and so ϕ = ψ. Moreover, the only Skolem function possible is the identity function over the free variables of ϕ, which means that π = θ(π) and implies π ⊨_C ϕ iff π ⊨_C ψ iff θ(π) ⊨_C ψ iff π ⊨_S ϕ, and so the statement holds in both directions. For the inductive case, we prove the two directions separately.

For the left to right direction, assume that π ⊨_C ℘ψ. We distinguish two cases.

• ℘ = ∃X℘′. Thus, there exists an interpretation π_X ∈ (2^X)^ω such that π ⋒ π_X ⊨_C ℘′ψ. By induction hypothesis, it holds that π ⋒ π_X ⊨_S ℘′ψ and so there exists a Skolem function θ over (℘′, F ∪ {X}) such that θ(π ⋒ π_X ⋒ π′) ⊨_C ψ for each π′ ∈ (2^∀(℘′))^ω. Now, observe that ∀(℘) = ∀(℘′) and so the function θ is also a Skolem function over (℘, F). Hence θ(π ⋒ π_X ⋒ π′) ⊨_C ψ for every π′, which implies that π ⊨_S ϕ and proves the statement.

• ℘ = ∀X℘′. Then, for every π_X, it holds that π ⋒ π_X ⊨_C ℘′ψ. By induction hypothesis, we have that π ⋒ π_X ⊨_S ℘′ψ and so there exists a Skolem function θ_{π_X} over (℘′, F ∪ {X}) such that θ_{π_X}(π ⋒ π_X ⋒ π′) ⊨_C ψ for every π′ ∈ (2^∀(℘′))^ω. Now, consider the function θ : (2^(F ∪ ∀(℘)))^ω → (2^Var(℘))^ω such that θ(π ⋒ π′) = θ_{π_X}(π ⋒ π′) for each π′ ∈ (2^∀(℘))^ω. Clearly, θ is a Skolem function over (℘, F). Moreover, by its definition, it holds that θ(π ⋒ π′) ⊨_C ψ for every π′, which means that π ⊨_S ϕ and proves the statement.

For the right to left direction, we assume that π ⊨_S ϕ and so that there exists a Skolem function θ over (℘, F) such that θ(π ⋒ π′) ⊨_C ψ for each π′ ∈ (2^∀(℘))^ω. We distinguish two cases.

• ℘ = ∃X℘′. Observe that, since Dep^F(X) = F, it holds that θ(π ⋒ π′)(X) = θ(π ⋒ π′′)(X) for every π′, π′′, and call such interpretation π_X. Now, define the Skolem function θ′ over (℘′, F ∪ {X}) as θ′(π ∪ π′) = θ(π ⋒ π′)↾−X, that is, the restriction of θ with the interpretation over X being projected out. It holds that θ′(π ⋒ π_X ⋒ π′) = θ(π ⋒ π′) and so that θ′(π ⋒ π_X ⋒ π′) ⊨_C ψ. By induction hypothesis, we have that π ⋒ π_X ⊨_S ℘′ψ, which in turn implies that π ⊨_C ∃X℘′ψ and so that π ⊨_C ℘ψ, which proves the statement.

• ℘ = ∀X℘′. Note that ∀(℘) = ∀(℘′) ∪ {X}, and so that θ is also a Skolem function over (℘′, F ∪ {X}). By induction hypothesis, we obtain that, for every π_X, it holds that θ(π ⋒ π_X ∪ π′) ⊨_C ψ implies that π ⋒ π_X ⊨_C ℘′ψ for every π_X, which means that π ⊨_C ∀X℘′ψ, and so that π ⊨_C ℘ψ, and then the statement is proved.

The classic semantics of
QLTL requires considering at once the evaluation of the variables on the whole trace. This gives rise to counter-intuitive phenomena. Consider the formula ∀x ∃y (G x ↔ y). Such a formula is satisfiable. Indeed, on the one hand, for the interpretation assigning always true to x, the interpretation that makes y true at the beginning satisfies the temporal part. On the other hand, for every other interpretation making x false sometimes, the interpretation that makes y false at the beginning satisfies the temporal part. However, in order to correctly interpret y on the first instant, one needs to know in advance the entire interpretation of x. Such a requirement is practically impossible to fulfill and does not reflect the notion of reactive systems, where the output of system variables at the k-th instant of the computation depends only on the past assignments of the environment variables. Such a principle is often referred to as the behavioral principle in the context of strategic reasoning, see e.g., [28, 21].

Here, we propose two alternative semantics for QLTL, which are of interest when QLTL is used in the context of strategic reasoning and planning. Indeed, there we require strategies to be processes in the sense of [1], i.e., the next move depends only on the past history and the current situation. The two semantics are inspired by two different contexts of planning and distributed synthesis. The first regards partial controllability with partial observability, in which a process in a distributed architecture controls part of the system variables and assigns their value according to the past and present values of the environment variables that are made visible to it. The second regards partial controllability with full observability, in which the process can base its choices on the past evaluation of all variables and the present evaluation of the depending ones.

To formally define the two semantics we exploit two different forms of Skolem functions, each of them producing different effects on the notion of formula satisfaction. These definitions take into account the reactive feature of dependency discussed above. In addition, we prove their connection with the classic notion of strategy as intended in synthesis and distributed synthesis [32, 25, 18]. In the next subsections, we introduce these two semantics and discuss their relationship with the classic semantics of QLTL. Subsequently, we show their connection with the synthesis problem of the corresponding contexts.
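The look-ahead problem with ∀x ∃y (G x ↔ y) described above can be checked mechanically. The following Python sketch is an added example, not code from the paper: it evaluates LTL on ultimately periodic traces (an assumption made so that traces are finitely representable) and compares a choice of y at instant 0 that inspects the whole x-trace with every choice that reads only x at instant 0. All function and variable names are illustrative.

```python
# Added example, not code from the paper. Traces are restricted to ultimately
# periodic ones (a prefix followed by a loop repeated forever); each position
# is the set of variables that are true there.

def var(name): return ("var", name)
def neg(f): return ("not", f)
def disj(f, g): return ("or", f, g)
def conj(f, g): return ("and", f, g)
def nxt(f): return ("X", f)
def until(f, g): return ("U", f, g)
def eventually(f): return until(disj(f, neg(f)), f)   # F f := true U f
def globally(f): return neg(eventually(neg(f)))       # G f := not F not f
def iff(f, g): return disj(conj(f, g), conj(neg(f), neg(g)))

def holds(formula, prefix, loop):
    """True iff formula holds at instant 0 of the trace prefix . loop^omega."""
    if not loop:
        raise ValueError("loop must be non-empty")
    states = [set(s) for s in prefix] + [set(s) for s in loop]
    n, back = len(states), len(prefix)

    def succ(i):                      # the last position loops back
        return i + 1 if i + 1 < n else back

    def sat(f):
        """Set of positions at which f holds."""
        op = f[0]
        if op == "var":
            return {i for i in range(n) if f[1] in states[i]}
        if op == "not":
            return set(range(n)) - sat(f[1])
        if op == "or":
            return sat(f[1]) | sat(f[2])
        if op == "and":
            return sat(f[1]) & sat(f[2])
        if op == "X":
            inner = sat(f[1])
            return {i for i in range(n) if succ(i) in inner}
        if op == "U":                 # least fixpoint of g or (f and X(f U g))
            left, result = sat(f[1]), set(sat(f[2]))
            while True:
                grown = result | {i for i in left if succ(i) in result}
                if grown == result:
                    return result
                result = grown
        raise ValueError("unknown operator: %r" % (op,))

    return 0 in sat(formula)

PSI = iff(globally(var("x")), var("y"))   # temporal part of the formula

# Constructed x-traces, each with a prefix of length 1 so instant 0 is explicit:
TRACES = [
    ([{"x"}], [{"x"}]),    # x always true
    ([{"x"}], [set()]),    # x true at instant 0, then always false
    ([set()], [set()]),    # x always false
]

def with_y0(trace, y0):
    """Add the chosen value of y at instant 0 (PSI reads y only there)."""
    prefix, loop = trace
    first = set(prefix[0]) | ({"y"} if y0 else set())
    return ([first] + list(prefix[1:]), loop)

def clairvoyant(trace):
    """Choice of y(0) that looks at the entire x-trace, future included."""
    return holds(globally(var("x")), *trace)

def satisfied_on_all(choose_y0):
    return all(holds(PSI, *with_y0(t, choose_y0(t))) for t in TRACES)

def behavioral_winners():
    """All maps from x(0) to y(0) that satisfy PSI on every trace in TRACES."""
    tables = [{True: a, False: b} for a in (False, True) for b in (False, True)]
    return [tab for tab in tables
            if satisfied_on_all(lambda t, tab=tab: tab["x" in t[0][0]])]

if __name__ == "__main__":
    print("whole-trace choice works:", satisfied_on_all(clairvoyant))
    print("choices reading only x(0) that work:", behavioral_winners())
```

The first two traces agree on x at instant 0, so any choice that reads only that instant gives y the same value on both, and one of them then violates G x ↔ y.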
We now introduce behavioral QLTL, denoted QLTL_B, a logic with the same syntax as prenex normal form QLTL but where the semantics is defined in terms of behavioral Skolem functions: a modified version of the Skolem functions introduced in the previous section.
Definition 3 (Behavioral Skolem function). For a given quantification prefix ℘ defined over a set Var(℘) ⊆ Var of propositional variables and a set F of variables not occurring in ℘, a Skolem function θ over (℘, F) is behavioral if, for all π, π ∈ (2^(F ∪ ∀(℘)))^ω, k ∈ N, and X ∈ ∃(℘), it holds that

π(0, k)↾Dep^F(X) = π(0, k)↾Dep^F(X) implies θ(π)↾X = θ(π)↾X.

The behavioral Skolem functions capture the fact that the interpretation of existentially quantified variables depends only on the past and present values of free and universally quantified variables. This offers a way to formalize the semantics of QLTL_B as follows.

Definition 4. A QLTL_B formula ϕ = ℘ψ is true over an interpretation π in an instant i, written π, i ⊨_B ℘ψ, if there exists a behavioral Skolem function θ over (℘, free(ϕ)) such that θ(π ⋒ π′), i ⊨_C ψ for every π′ ∈ (2^(F ∪ ∀(℘)))^ω.

A QLTL_B formula ϕ is true on an interpretation π, written π ⊨_B ϕ, if π, ⊨_B ϕ. A formula ϕ is satisfiable if it is true on some interpretation and valid if it is true in every interpretation.

Clearly, since QLTL_B shares the syntax with QLTL, all the definitions that involve syntactic elements, such as free variables and alternation, apply to this variant the same way.

As for QLTL, the satisfiability of a QLTL_B formula ϕ is equivalent to the one of ∃free(ϕ)ϕ, and the validity is equivalent to the one of ∀free(ϕ)ϕ. However, the proof of this is not as straightforward as for the classic semantics case.

Theorem 3. For every QLTL_B formula ϕ = ℘ψ, it holds that ϕ is satisfiable if, and only if, ∃free(ϕ)ϕ is satisfiable. Moreover, ϕ is valid if, and only if, ∀free(ϕ)ϕ is valid.

Proof. We show the proof only for satisfiability, as the one for validity is similar. The proof proceeds by double implication. From left to right, assume that ϕ is satisfiable; therefore there exists an interpretation π over F = free(ϕ) such that π ⊨_B ϕ, which in turn implies that there exists a behavioral Skolem function θ over (℘, F) such that θ(π ⋒ π′) ⊨_C ψ for every interpretation π′ ∈ (2^∀(℘))^ω. Consider the function θ′ : (2^∀(℘))^ω → (2^(∃(℘) ∪ F))^ω defined as θ′(π′) = θ(π ⋒ π′) ⋒ π, for every π′ ∈ (2^∀(℘))^ω. Clearly, it is a behavioral Skolem function over (∃F℘, ∅) such that θ′(π′) ⊨ ψ for every π′ ∈ (2^∀(℘))^ω, which implies that ∃Fϕ is satisfiable. From right to left, the reasoning is similar and left to the reader.

Note that every behavioral Skolem function is also a Skolem function. This means that if a formula ϕ interpreted as QLTL_B is true on π, then the same formula is true on π also when it is interpreted as QLTL. The reverse, however, is not true. Consider again the formula ϕ = ∀x ∃y (G x ↔ y). We have already shown that this is satisfiable when interpreted as QLTL. However, it is not satisfiable as a QLTL_B formula.

Lemma 1.
For every QLTL_B formula ϕ and an interpretation π over the set free(ϕ) of free variables, if π ⊨_B ϕ then π ⊨_C ϕ. On the other hand, there exists a formula ϕ and an interpretation π such that π ⊨_C ϕ but not π ⊨_B ϕ.

Proof. The first part of the theorem follows from the fact that every behavioral Skolem function is also a Skolem function and so, if π ⊨_B ϕ, clearly also π ⊨_S ϕ and so, from Theorem 2, that π ⊨_C ϕ.

For the second part, consider the formula ϕ = ∀x ∃y (G x ↔ y). We have already shown that such a formula is satisfiable. However, it is not behavioral satisfiable. Indeed, assume by contradiction that it is behavioral satisfiable and let θ be the behavioral Skolem function such that θ ⊨_C (G x ↔ y). Now consider two interpretations π over x that always assigns true, and π that assigns true on x at the first iteration and then always false. It holds that π(0) = π(0) and therefore, since x ∈ Dep(y) and θ is behavioral, it must be the case that θ(π)(0)↾y = θ(π)(0)↾y. Now, if such value is θ(π)(0)↾y = false, then it holds that θ(π) ⊭_C (G x ↔ y). On the other hand, if θ(π)(0)↾y = true, then it holds that θ(π) ⊭_C (G x ↔ y), which means that θ ⊭_C (G x ↔ y), a contradiction.

Lemma 1 has implications also on the meaning of negation in QLTL_B. Indeed, both the formula ϕ = ∀x ∃y (G x ↔ y) and its negation are not satisfiable, that is, ⊭_B ϕ and ⊭_B ¬ϕ. This is a common phenomenon, as it also happens when considering the behavioral semantics of logics for strategic reasoning [28, 21]. It is important, however, to notice that there are three syntactic fragments for which QLTL and QLTL_B are equivalent. Precisely, the fragments Π^{QLTL_B}, Σ^{QLTL_B}, and Σ^{QLTL_B}. The reason is that the sets of Skolem and behavioral Skolem functions for these formulas coincide, and so the existence of one implies the existence of the other.

Theorem 4.
For every QLTL_B formula ϕ = ℘ψ in the fragments Π^{QLTL_B}, Σ^{QLTL_B}, and Σ^{QLTL_B} and an interpretation π, it holds that π ⊨_B ϕ if, and only if, π ⊨_S ϕ.

Proof. The proof proceeds by double implication. From left to right, it follows from Lemma 1. From right to left, consider first the case that ϕ ∈ Π^QLTL. Observe that ∃(℘) = ∅ and so the only possible Skolem function θ returns the empty interpretation on every possible interpretation π ⋒ π′ ∈ (2^(free(ϕ) ∪ ∀(℘)))^ω. Such a Skolem function is trivially behavioral and so we have that π ⊨_S ϕ implies π ⊨_B ϕ.

For the case of ϕ ∈ Σ^QLTL ∪ Σ^QLTL, assume that π, ⊨_S ϕ and let θ be a Skolem function such that θ(π ∪ π′) ⊨_C ϕ for every π′ ∈ (2^∀(℘))^ω. Observe that, for every Y ∈ ∃(℘), it holds that Dep_℘ = ∅ and so the values of Y depend only on the free variables in ϕ. Now, consider the Skolem function θ′ over (℘, free(ϕ)) defined as θ′(π′) ≐ θ(π′↾∀(℘) ⋒ π). As θ is a Skolem function and Dep_℘ = ∅, it holds that θ′(π′)(Y) = θ′(π′′)(Y) for every π′, π′′ ∈ (2^∀(℘))^ω and so θ′ is trivially behavioral. Moreover, from its definition, it holds that θ′(π ⋒ π′) ⊨_C ψ for every π′ ∈ (2^∀(℘))^ω, which implies π ⊨_B ϕ.

Footnote: Note that, ϕ having no free variables, we can omit the interpretation π, as the only possible one is the empty one.

Theorem 4 shows that for these three fragments of QLTL_B, the satisfiability problem can be solved by employing QLTL satisfiability. This also comes with the same complexity, as we just interpret the QLTL_B formula directly as a QLTL one.

Corollary 1. The satisfiability problem for the fragments Π QLTL_B and Σ QLTL_B is PSPACE-complete. Moreover, the satisfiability problem for the fragment Σ QLTL_B is EXPSPACE-complete.

We now turn to solving the satisfiability problem for QLTL_B formulas that are not in the fragments Π QLTL_B, Σ QLTL_B, and Σ QLTL_B. Analogously to the case of QLTL, note that Theorem 3 allows us to restrict our attention to closed formulas. We use an automata-theoretic approach inspired by the one employed in the synthesis of distributed systems [25, 18, 35]. This requires some definitions and results, presented below.

For a given set Υ of directions, the Υ-tree is the set Υ* of finite words. The elements of Υ* are called nodes, and the empty word ε is called the root. For every x ∈ Υ*, the nodes x·c ∈ Υ* are called children. We say that c = dir(x·c) is the direction of the node x·c, and we fix some dir(ε) = c ∈ Υ to be the direction of the root. Given two finite sets Υ and Σ, a Σ-labeled Υ-tree is a pair ⟨Υ*, l⟩ where l : Υ* → Σ maps/labels every node of Υ* into a letter in Σ.

For a set Θ × Υ of directions and a node x ∈ (Θ × Υ)*, hide_Υ(x) denotes the node in Θ* obtained from x by replacing (ϑ, υ) with ϑ in each letter of x. The function xray_Ξ maps a Σ-labeled (Ξ × Υ)-tree ⟨(Ξ × Υ)*, l⟩ into a Ξ × Σ-labeled (Ξ × Υ)-tree ⟨(Ξ × Υ)*, l′⟩ where l′(x) = (pr(dir(x)), l(x)) adds the Ξ-direction of x to its labeling.

An alternating automaton A = (Σ, Q, q, δ, α) runs over Σ-labeled Υ-trees (for a predefined set of directions Υ). The set of states Q is finite with q being a designated initial state, while δ : Q × Σ → B⁺(Q × Υ) denotes a transition function, returning a positive Boolean formula over pairs of states and directions, and α is an acceptance condition.

We say that A is nondeterministic, and denote it with the symbol N, if every transition returns a positive Boolean formula with only disjunctions.
Moreover, we say that it is deterministic, and denote it with the symbol D, if every transition returns a single state.

A run tree of A on a Σ-labeled Υ-tree ⟨Υ*, l⟩ is a Q × Υ-labeled tree where the root is labeled with (q, l(ε)) and where, for a node x with a label (q, x), and a set of children child(x), the labels of these children have the following properties:

• for all y ∈ child(x), the label of y is of the form (q_y, x·c_y) such that (q_y, c_y) is an atom of the formula δ(q, l(x)) and
• the set of atoms defined by the children of x satisfies δ(q, l(x)).

We say that α is a parity condition if it is a function α : Q → C (⊂ ℕ) mapping every state to a natural number, sometimes referred to as a color. Alternatively, it is a Streett condition if it is a set of pairs {(G_i, R_i)}_{i∈I}, where each G_i, R_i is a subset of Q. An infinite path ρ over Q fulfills a parity condition α if the highest color mapped by α over ρ that appears infinitely often is even. The path ρ fulfills a Streett condition if, for every i ∈ I, either an element of G_i or no element of R_i occurs infinitely often on ρ. A run tree is accepting if all its paths fulfill the acceptance condition α. A tree is accepted by A if there is an accepting run tree over it. By L(A) we denote the set of trees accepted by A. An automaton A is empty if L(A) = ∅.

For a Σ-labeled Υ-tree ⟨Υ*, l_Σ⟩ and a Ξ-labeled Υ × Θ-tree ⟨(Υ × Θ)*, l_Ξ⟩, their composition, denoted ⟨Υ*, l_Σ⟩ ⊕ ⟨(Υ × Θ)*, l_Ξ⟩, is the Ξ × Σ-labeled Υ × Θ-tree ⟨(Υ × Θ)*, l⟩ such that, for every x ∈ (Υ × Θ)*, it holds that l(x) = l_Ξ(x) ∪ l_Σ(hide_Θ(x)). Observe that the Υ-component appears in both the trees. Their composition, indeed, can be seen as an extension of the labeling l_Ξ with the labeling l_Σ in a way that the choices for it are oblivious to the Θ-component of the direction.
A more general definition of tree composition is given in [18] where the Σ-labeling is included as a direction and made consistent with it by means of an xray operation.

For a set T of Ξ × Σ-labeled Υ × Θ-trees, shape_{Ξ,Υ}(T) is the set of Σ-labeled Υ-trees ⟨Υ*, l_Σ⟩ for which there exists a Ξ-labeled Υ × Θ-tree ⟨(Υ × Θ)*, l_Ξ⟩ such that ⟨Υ*, l_Σ⟩ ⊕ ⟨(Υ × Θ)*, l_Ξ⟩ ∈ T. Intuitively, the shape operation performs a nondeterministic guess on the Σ-component of the trees by taking into account only the Υ-component of the directions. This allows us to refine the set of trees into those for which a decomposition consistent with this limited dependence is possible. Interestingly, since this nondeterministic guess is similar to an existential projection, we can also refine a (nondeterministic) parity tree automaton N in order to recognize the shape operation of its language. Indeed, given a nondeterministic parity tree automaton N = (Ξ × Σ, Q, q, δ, α) recognizing Ξ × Σ-labeled Υ-trees, the automaton change_{Ξ,Υ}(N) = (Σ, Q, q, δ′, α) recognizes Σ-labeled Υ-trees, where

δ′(q, σ) = ⋁_{ξ∈Ξ, f∈δ(q,(ξ,σ))} ⋀_{υ∈Υ, ϑ∈Θ} (f(υ, ϑ), (ξ, σ)).

Intuitively, the automaton change_{Ξ,Υ}(N) encapsulates and then nondeterministically guesses Ξ-labeled Υ × Θ-trees in a way that their composition with the read Σ-labeled Υ-tree is accepted by N. The following holds.

Theorem 5. [18, Theorem 4.11] For every nondeterministic parity tree automaton N over Ξ × Σ-labeled Υ × Θ-trees, it holds that L(change_{Ξ,Υ}(N)) = shape_{Ξ,Υ}(L(N)).

We can apply the change operation only on nondeterministic automata. This means that, in order to recognize the shape language of a parity alternating automaton A, we first need to turn it into a nondeterministic one.
This can be done by means of two steps: we first turn A into a nondeterministic Streett automaton N_S that recognizes the same language L(N_S) = L(A), and then turn it into a nondeterministic parity automaton N such that L(N) = L(N_S) = L(A). If A has n = |Q| states and c = |C| colors, then the automaton N_S has n^{O(c·n)} states and O(c·n) pairs such that L(A) = L(N_S) [29]. In addition, if the nondeterministic Streett automaton N_S has m states and p pairs, we can build a nondeterministic parity automaton N with p^{O(p)}·m states and O(p) colors [18]. By applying these two constructions, we then transform an alternating parity automaton A into a nondeterministic one N accepting the same tree language. Note that N is of size single exponential with respect to A. Indeed, we obtain it with n′ = O(c·n)^{O(c·n)} = n^{O(c·n)} states and c′ = O(c·n) colors. By ndet(A) = N we denote the transformation of an alternating parity automaton into a nondeterministic parity one.

From now on, we consider closed QLTL_B formulas being of the form ℘ψ = ∃Y ∀X … ∃Y_n ∀X_n ψ with Y and X_n being possibly empty. Therefore, we refer to θ as a behavioral Skolem function over ℘, as the set F = ∅ is always empty. Moreover, we define X̂_i = ⋃_{j≤i} X_i and Ŷ_i = ⋃_{j≤i} Y_i, with X = X̂ and Y = Ŷ, respectively. Finally, we define X̌_i = ⋃_{j>i} X_i and Y̌_i = ⋃_{j>i} Y_i, respectively.

A behavioral Skolem function θ over ℘ can be regarded as the labeling function of a Y-labeled X-tree. In addition, such labeling fulfills a compositional property, as expressed in the following lemma.

Lemma 2. Let ℘ = ∃Y ∀X … ∃Y_n ∀X_n be a prefix quantifier. A Y-labeled X-tree θ is a behavioral Skolem function over ℘ iff there exists a tuple θ, …, θ_n, where θ_i is a Y_i-labeled X̂_i-tree, such that θ = θ ⊕ … ⊕ θ_n.

Proof. The proof proceeds by double implication. From left to right, consider a behavioral Skolem function θ and, for every i ≤ n, consider the Y_i-labeled X̂_i-tree θ_i, defined as θ_i(x) = θ(x × x′)↾Y_i where x ∈ (2^{X̂_i})* and x′ ∈ (2^{X∖X̂_i})*. Note that Dep_℘(Y_i) = X̂_i and so the definition of θ_i over x does not really depend on the values in x′; therefore it is well-defined. By applying the definition of tree composition, it easily follows that θ = θ ⊕ … ⊕ θ_n.

For the right-to-left direction, let θ, …, θ_n be labeled trees and consider the composition θ = θ ⊕ … ⊕ θ_n. From the definition of tree composition, it follows that for every i, θ(x)↾Y_i = θ_i(x_{X̂_i}), which fulfills the requirement for θ of being a behavioral Skolem function over ℘.

We now show how to solve the satisfiability problem for QLTL_B with an automata-theoretic approach. To do this, we first introduce some notation. For a list of variables (Y_i, X_i), consider the quantification prefix ℘̌_i ≐ ∀X̌_i ∃Y̌_i and then the quantification prefix ℘_i ≐ ∃Y ∀X … ∃Y_i ∀X_i ℘̌_i. Intuitively, every quantification prefix ℘_{i+1} is obtained from ℘_i by pulling the existential quantification of Y_{i+1} up before the universal quantification of X_{i+1}. Clearly, we obtain that ℘ = ∀X∃Y and ℘_n = ℘. The automata construction builds on top of this quantifier transformation. First, recall that the satisfiability of ℘ψ amounts to solving the synthesis problem for ψ with X and Y being the set of variables controlled by the environment and the system, respectively.
Let A be an alternating parity automaton that solves the synthesis problem, Y-labeled X-trees representing the models of ψ. Now, for every i < n, define A_{i+1} ≐ change_{Y_i, X̂_i}(ndet(A_i)). We have the following.

[Footnote: The last equivalence holds because the number c of colors is bounded by the number n of states.]

Theorem 6. For every i ≤ n, the formula ℘_i ψ is satisfiable iff L(A_i) ≠ ∅, where

• A is the alternating parity automaton that solves the synthesis problem for ψ with system variables Y and environment variables X, and
• A_{i+1} ≐ change_{Y_i, X̂_i}(ndet(A_i)), for every i < n.

Proof. We prove the theorem by induction through a stronger statement. We show that the automaton A_i accepts Y̌_i-labeled X-trees θ_i for which there exists a sequence θ, …, θ_{i−1} such that θ ⊕ … ⊕ θ_i is a behavioral Skolem function over ℘_i that satisfies ℘_i ψ.

For the base case, the statement boils down to the fact that the automaton A accepts the Y-labeled X-trees that solve the synthesis problem for ψ.

For the induction case, assume that the statement is true for some i. Thus, the automaton A_i, and then its nondeterministic version ndet(A_i), accept Y̌_i-labeled X-trees θ_i for which there exists a sequence θ, …, θ_{i−1} such that θ ⊕ … ⊕ θ_i is a behavioral Skolem function that satisfies ℘_i ψ. Now, consider the automaton A_{i+1} = change_{Y_i, X̂_i}(ndet(A_i)). From Theorem 5, it holds that it accepts Y̌_{i+1}-labeled X-trees θ_{i+1} that are in shape_{Y_{i+1}, X̂_{i+1}}(L(A_i)) and so for which there exists a Y_i-labeled X̂_{i+1}-tree θ′_i such that θ′_i ⊕ θ_{i+1} ∈ L(A_i). Observe that now the variables Y_i are handled over a X̂_i-tree and so they do not depend on variables in X̌_i anymore. This implies that the composition θ ⊕ θ_{i−1} ⊕ θ′_i ⊕ θ_{i+1} is a behavioral Skolem function over ℘_{i+1} that satisfies ℘_{i+1} ψ, and the statement is proved.

Theorem 6 shows that the automata construction is correct. The complexity of solving the satisfiability of QLTL_B is stated below.

Theorem 7.
The satisfiability problem of a QLTL_B formula of the form ϕ = ∃Y ∀X … ∃Y_n ∀X_n ψ is (n + 1)-EXPTIME-complete.

Proof. From Theorem 6, we reduce the problem to the emptiness of the automaton A_n, whose size is n-times exponential in the size of ψ, as we apply n times the nondeterminisation, starting from the automaton A_ψ that solves the synthesis problem for ψ. As the emptiness of the alternating parity automaton A_n involves another exponential blow-up, we obtain that the overall procedure is (n + 1)-EXPTIME.

A matching lower bound is obtained from distributed synthesis for hierarchically ordered architecture processes with LTL objectives, presented in [33], which is (n + 1)-EXPTIME-complete with n being the number of processes. Indeed, every process p_i in such an architecture synthesizes a strategy represented by an O_i-labeled I_i-tree, with O_i being the output variables and I_i the input variables. An architecture A is hierarchically ordered if I_i ⊆ I_{i+1}, for every process p_i. Thus, for an ordered architecture A and an LTL formula ψ, consider the variables Y_i = O_i and X_i = I_i ∖ I_{i−1} and the QLTL_B formula ϕ = ∃Y ∀X … ∃Y_n ∀X_n ψ. A behavioral Skolem function θ that makes ϕ true corresponds to an implementation for the architecture that realizes (A, ψ). Moreover, the satisfiability of ϕ is (n + 1)-EXPTIME, matching the lower-bound complexity of the realizability instance.

Weak-Behavioral QLTL

We now introduce weak-behavioral QLTL, denoted QLTL_WB, that can be used to model systems with full observability over the execution history. In such systems every action is public, meaning that it is visible to the entire system once it has occurred. In order to model this, we introduce an alternative definition of Skolem function, which we call here weak-behavioral. We study the satisfiability problem of QLTL_WB and show that its complexity is 2-EXPTIME-complete via a reduction to a Multi-Player Parity Game [26] with a double exponential number of states and a (single) exponential number of colors.

Analogously to the case of QLTL_B, the logic QLTL_WB is defined in a Skolem-based approach.

Definition 5. For a given quantification prefix ℘ defined over a set Var(℘) ⊆ Var of propositional variables and a set F of variables not occurring in ℘, a function θ : (2^{F ∪ ∀(℘)})^ω → (2^{∃(℘)})^ω is a weak-behavioral Skolem function over (℘, free(ϕ)) if, for all π_1, π_2 ∈ (2^{F ∪ ∀(℘)})^ω, k ∈ ℕ, and Y ∈ ∃(℘), it holds that θ(π_1)(0, k) = θ(π_2)(0, k) and π_1(k + 1)↾Dep_F(Y) = π_2(k + 1)↾Dep_F(Y) implies θ(π_1)↾Y = θ(π_2)↾Y.

In weak-behavioral Skolem functions, the evaluation of existential variables Y at every instant depends not only on the current evaluation of Dep_F(Y) but also on the evaluation history of each variable. The semantics of QLTL_WB is given below.

Definition 6. A QLTL_WB formula ϕ = ℘ψ is true over an interpretation π at an instant i, written π, i ⊨_WB ϕ, if there exists a weak-behavioral Skolem function θ over (℘, free(ϕ)) such that θ(π ⋒ π′), i ⊨_C ψ, for every π′ ∈ (2^{F ∪ ∀(℘)})^ω.

Differently from behavioral,
QLTL_WB is not a special case of QLTL. As a matter of fact, they are incomparable. This is due to the fact that the existentially quantified variables depend, for standard Skolem functions, on the future of their dependencies, whereas, for weak-behavioral functions, on the whole past of the computation, including the non-dependencies.

Consider again the formula ϕ = ∀x∃y(G x ↔ y). This is not satisfiable as a QLTL_WB formula, as this semantics still does not allow existential variables to depend on the future interpretation of the universally quantified ones. On the other hand, the formula ϕ = ∃y∀x(F x ↔ F y) is satisfiable as a QLTL_WB formula. Indeed, the existentially quantified variable y can determine its value at an instant i by looking at the entire history of assignments, including those for x, although only on the past but not the present instant i itself. However, the semantics of both QLTL and QLTL_B does not allow such dependence, which makes ϕ not satisfiable as both QLTL and QLTL_B.

Lemma 3. There exists a satisfiable QLTL_B formula that is not satisfiable as QLTL_WB. Moreover, there exists a satisfiable QLTL_WB formula that is not satisfiable as QLTL_B.

Weak-Behavioral QLTL Satisfiability

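Before turning to the decision procedure, the two formulas contrasted before Lemma 3, ∀x∃y(G x ↔ y) and ∃y∀x(F x ↔ F y), can be checked mechanically on ultimately periodic traces. The Python code below is an added example, not code from the paper; it assumes traces are encoded as lassos (prefix, loop), reads weak-behavioral dependence for the prefix ∃y∀x as "y(k) sees x(0..k−1)" following the prose above, and all function names are hypothetical.

```python
from itertools import product

# A lasso (prefix, loop) is a finite description of the infinite trace
# prefix · loop^ω over one propositional variable; loop is never empty.
def lassos(max_prefix, max_loop):
    """Enumerate every lasso with |prefix| <= max_prefix and 1 <= |loop| <= max_loop."""
    for p in range(max_prefix + 1):
        for l in range(1, max_loop + 1):
            for bits in product((False, True), repeat=p + l):
                yield bits[:p], bits[p:]

def at(trace, k):
    """Value of the trace at instant k."""
    prefix, loop = trace
    return prefix[k] if k < len(prefix) else loop[(k - len(prefix)) % len(loop)]

def always(trace):       # G evaluated at instant 0
    return all(trace[0]) and all(trace[1])

def eventually(trace):   # F evaluated at instant 0
    return any(trace[0]) or any(trace[1])

def is_causal(strategy, traces, horizon, strict):
    """Check on the sample that y(k) is a function of x(0..k) (strict=False,
    behavioral with x in Dep(y)) or of x(0..k-1) (strict=True, the
    weak-behavioral reading assumed here for the prefix 'exists y forall x')."""
    for k in range(horizon):
        seen = {}
        for x in traces:
            history = tuple(at(x, j) for j in range(k if strict else k + 1))
            y_k = at(strategy(x), k)
            if seen.setdefault(history, y_k) != y_k:
                return False  # same visible history, different output
    return True

# --- forall x exists y (G x <-> y) ------------------------------------------
def clairvoyant(x):
    """Non-behavioral Skolem function: y(0) = G x, which needs all of x."""
    return (always(x),), (False,)

def refute_behavioral(traces):
    """Each behavioral candidate fixes y(0) = f(x(0)). Return, for every such
    f, an x-trace on which (G x <-> y) fails at instant 0."""
    out = {}
    for f_false, f_true in product((False, True), repeat=2):
        f = {False: f_false, True: f_true}
        out[(f_false, f_true)] = next(
            (x for x in traces if always(x) != f[at(x, 0)]), None)
    return out

# --- exists y forall x (F x <-> F y) ----------------------------------------
def delayed_copy(x):
    """Weak-behavioral strategy: y(0) = false and y(k+1) = x(k)."""
    prefix, loop = x
    return (False,) + tuple(prefix), tuple(loop)

def satisfies_F_iff_F(strategy, traces):
    return all(eventually(x) == eventually(strategy(x)) for x in traces)

def refute_blind(y_traces, x_traces):
    """With Dep(y) empty, y is one fixed trace; find an x that defeats it."""
    return {y: next((x for x in x_traces if eventually(x) != eventually(y)), None)
            for y in y_traces}

SAMPLE = list(lassos(2, 2))   # constructed sample of ultimately periodic traces

if __name__ == "__main__":
    print(refute_behavioral(SAMPLE))
    print(is_causal(clairvoyant, SAMPLE, 1, strict=False))
    print(is_causal(delayed_copy, SAMPLE, 4, strict=True),
          satisfies_F_iff_F(delayed_copy, SAMPLE))
```

Every behavioral candidate for y(0) has a refuting input, while the function that does satisfy G x ↔ y fails the causality check; the one-step-delayed copy of x passes the strict check and satisfies F x ↔ F y on the whole sample.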
We now address the satisfiability problem for QLTL_WB by showing a reduction to multi-agent parity games [26]. Intuitively, a QLTL_WB formula of the form ϕ = ℘ψ, with ψ being an LTL formula, establishes a multi-player parity game with ψ determining the parity acceptance condition and ℘ setting up the players' controllability and team side. In order to present this result, we need some additional definitions.

An ω-word over an alphabet Σ is a special case of a Σ-labeled Υ-tree where the set of directions is a singleton. Since the set Υ is irrelevant, an ω-word is also represented as an infinite sequence over Σ. The tree automata accepting ω-words are also called word automata. Word automata are a very useful way to (finitely) represent all the models of an LTL formula ψ. As a matter of fact, for every LTL formula ψ, there exists a deterministic parity word automaton D_ψ whose language is the set of interpretations on which ψ is true. The size of such automaton is double-exponential in the length of ψ. The following lemma gives precise bounds.

Lemma 4 ([30]). For every LTL formula ψ over a set Var of variables, there exists a deterministic parity automaton D_ψ = ⟨Var, Q, q, δ, α⟩ of size double-exponential w.r.t. ψ and a (single) exponential number of priorities such that L(D_ψ) = {π ∈ (2^Var)^ω | π ⊨_C ψ}.

A multi-player parity game is a tuple G = ⟨Pl, (Ac_i)_{i∈Pl}, St, s, λ, tr⟩ where (i) Pl = { , …, n} is a set of players; (ii) Ac_i is a set of actions that player i can play; (iii) St is a set of states with s being a designated initial state; (iv) λ : St → C is a coloring function, assigning a natural number in C to each state of the game; (v) tr : St × (Ac × … × Ac_n) → St is a transition function that prescribes how the game evolves in accordance with the actions taken by the players.

Players identified with an even index are the Even team, whereas the others are the Odd team. The objective of the Even team is to generate an infinite play over the set of states whose coloring fulfills the parity condition established by λ. A strategy for Player i of the Even team is a function s_i : St* × (Ac × Ac_{i−1}) → Ac_i, that determines the action to perform in a given instant according to the past history and the current actions of players that perform their choices before i.

A tuple of strategies ⟨s, s, …⟩ for the Even team is winning if every play that is generated by it, no matter what the Odd team responds, fulfills the parity condition.

Now, consider a QLTL_WB formula of the form ϕ = ∃X ∀X … ∃X_{n−1} ∀X_n ψ, with X, X_n being possibly empty, and D_ψ = ⟨Var, Q, q, δ, α⟩ being the DPW that recognizes the interpretations satisfying ψ, with α = ⟨F, F, …, F_k⟩. Then, consider the multi-player parity game G_ϕ = ⟨Pl, (Ac_i)_{i∈Pl}, St, s, λ, tr⟩ where (i) Pl = { , …, n}; (ii) Ac_i = 2^{X_i} for each i ∈ Pl; (iii) St = Q with s = q; (iv) λ : St → ℕ such that λ(s) = arg_j {q ∈ F_j}; (v) tr = δ. The next theorem provides the correctness of this construction.

Theorem 8. A QLTL_WB formula ϕ is satisfiable iff there exists a winning strategy for the Even team in the multi-player parity game G_ϕ.

Proof. Observe that every player i is associated to the set of actions Ac_i corresponding to the evaluation of variables in X_i. In addition, every set of existentially quantified variables is associated to a player whose index is even and so playing for the Even team in G_ϕ. Also, the ordering of players reflects the order in the quantification prefix ℘.

In addition to this, note that the strategy tuples for the Even team correspond to the weak-behavioral Skolem functions over ℘ and so they generate the same set of outcomes over (2^X)^ω.

Since the automaton D_ψ accepts all and only those ω-words on which ψ is true, it follows straightforwardly that every weak-behavioral Skolem function θ over ℘ is such that θ(π) ⊨_C ψ iff θ is a winning strategy for the Even team in G_ϕ. Hence, the QLTL_WB formula ϕ is satisfiable iff G_ϕ admits a winning strategy for the Even team.

Regarding the computational complexity of QLTL_WB, consider that solving a multi-player parity game amounts to deciding whether the Even team has a winning strategy in G. A precise complexity result is provided below.

Lemma 5. [26] The complexity of solving a multi-player parity game G is polynomial in the number of states and exponential in the number of colors and players.

Therefore, we can conclude that the complexity of QLTL_WB satisfiability is as stated below.

Theorem 9. The complexity of QLTL_WB satisfiability is 2EXPTIME-complete.

Proof. The procedure described in Theorem 8 is 2EXPTIME. Indeed, the automata construction of Lemma 4 produces a game whose set of states St is doubly exponential in ψ and a number of colors C singly exponential in the size of ψ. Moreover, the number n of players in G_ϕ is bounded by the length of ϕ itself, as it corresponds to the number of quantifiers in the formula.

Now, from Lemma 5, we obtain that solving G_ϕ is polynomial in St, and exponential in both C and n. This amounts to a procedure that is double-exponential in the size of ϕ.

Regarding the lower bound, observe that the formula ∀X∃Y ψ represents the synthesis problem for the
LTL formula ψ with X and Y being the uncontrollable and controllable variables, which is already 2EXPTIME-complete [32].

The interaction of second-order quantified variables is of interest in the logic and formal methods community. For instance, Independence-Friendly logic considers dependence atoms as a syntactic extension [27, 22]. Another approach generalizes quantification by means of partially ordered quantifiers [8, 24] in which existential variables may depend on disjoint sets of universal quantification.

The notion of behavioral has recently drawn the attention of many researchers in the area of logic for strategic reasoning. Strategy Logic [28] (SL) has been introduced as a formalism for expressing complex strategic and game-theoretic properties. Strategies in SL are first-class citizens. Unfortunately, and similarly to QLTL, quantification over them sets up a kind of dependence that cannot be realized through actual processes, as it involves future and counter-factual possible computations that are not accessible by reactive programs. To overcome this, and also mitigate the computational complexities of the main decision problems, the authors introduced a behavioral semantics as a way to restrict the dependence among strategies to a realistic one. They also showed that for a small although significant fragment of SL, which includes ATL*, behavioral semantics has the same expressive power as the standard one. This means that “behavioral strategies” are able to solve the same set of problems that can be expressed in such fragment. Further investigations around this notion have been carried out in the community. In [20, 21], the authors characterize different notions of behavioral, ruling out future and counter-factual dependence one by one, providing a classification of syntactic fragments for which the behavioral and non-behavioral semantics are equivalent.

We introduced a behavioral semantics for QLTL, getting a new logic, Behavioral QLTL (QLTL_B). This logic is characterized by the fact that the (second-order) existential quantification of variables is restricted to depend, at every instant, only on the past interpretations of the variables that are universally quantified upfront in the formula, and not on their entire trace, as it is for classic QLTL. This makes such dependence a function readily implementable by processes, thus making QLTL_B suitable for capturing advanced forms of planning and synthesis through standard reasoning, as envisioned since the early days of AI [23]. We studied satisfiability for QLTL_B, providing tight complexity bounds. For the simplest syntactic fragments, which do not include quantification blocks of the form ∀X_i∃Y_i, the complexity is the same as QLTL, given that the two semantics are equivalent. For the rest of QLTL_B, where the characteristics of behavioral semantics become apparent, we present an automata-based technique that is (n + 1)-EXPTIME, with n being the number of quantification blocks ∀X_i∃Y_i. The matching lower bound comes from a reduction of the corresponding (distributed) synthesis problems.

We also consider a weaker version of Behavioral QLTL, denoted QLTL_WB, where the history of quantification is completely visible to every existentially quantified variable, except for the current instant in which only the upfront quantification is available. We give a technique for satisfiability that is 2-EXPTIME, regardless of the number of quantifications in the formula. This is due to the fact that full visibility of variables allows for solving the problem with a simple local reasoning that avoids computationally expensive automata constructions. Also in this case, the matching lower bound comes from a reduction of the corresponding synthesis problem, again proving that our technique is optimal.

Acknowledgments

This work is partially supported by ERC Advanced Grant White-Mech (No. 834228) and the EU ICT-48 2020 project TAILOR (No. 952215).

References

[1] Martín Abadi, Leslie Lamport, and Pierre Wolper. Realizable and unrealizable specifications of reactive systems. In ICALP'89, volume 372 of LNCS, pages 1–17. Springer, 1989.
[2] R. Alur, T.A. Henzinger, and O. Kupferman. Alternating-Time Temporal Logic. JACM, 49(5):672–713, 2002.
[3] Benjamin Aminof, Giuseppe De Giacomo, Aniello Murano, and Sasha Rubin. Planning under LTL environment specifications. In ICAPS, pages 31–39. AAAI Press, 2019.
[4] Fahiem Bacchus and Froduald Kabanza. Planning for Temporally Extended Goals. Ann. Math. Artif. Intell., 22(1-2):5–27, 1998.
[5] Fahiem Bacchus and Froduald Kabanza. Using Temporal Logics to Express Search Control Knowledge for Planning. Artif. Intell., 116(1-2):123–191, 2000.
[6] Howard Barringer, Michael Fisher, Dov M. Gabbay, Graham Gough, and Richard Owens. METATEM: an introduction. Formal Aspects Comput., 7(5):533–549, 1995.
[7] Piergiorgio Bertoli, Alessandro Cimatti, and Marco Roveri. Heuristic search + symbolic model checking = efficient conformant planning. In IJCAI'01, pages 467–472, 2001.
[8] Andreas Blass and Yuri Gurevich. Henkin quantifiers and complete problems. Ann. Pure Appl. Log., 32:1–16, 1986.
[9] Diego Calvanese, Giuseppe De Giacomo, and Moshe Y. Vardi. Reasoning about Actions and Planning in LTL Action Theories. In KR'02, pages 593–602, 2002.
[10] Alberto Camacho, Meghyn Bienvenu, and Sheila A. McIlraith. Towards a Unified View of AI Planning and Reactive Synthesis. In ICAPS'19, pages 58–67, 2019.
[11] Serenella Cerrito and Marta Cialdea Mayer. Bounded Model Search in Linear Temporal Logic and Its Application to Planning. In TABLEAUX'98, volume 1397 of LNCS, pages 124–140. Springer, 1998.
[12] Krishnendu Chatterjee and Thomas A Henzinger. Assume-Guarantee Synthesis. In TACAS'07, volume 4424 of LNCS, pages 261–275, 2007.
[13] Krishnendu Chatterjee, Thomas A. Henzinger, and Barbara Jobstmann. Environment Assumptions for Synthesis. In CONCUR'08, pages 147–161, 2008.
[14] Alonzo Church. Logic, arithmetics, and automata. In Proc. Int. Congress of Mathematicians, 1962, pages 23–35, 1963.
[15] Alessandro Cimatti, Fausto Giunchiglia, Enrico Giunchiglia, and Paolo Traverso. Planning via model checking: A decision procedure for AR. In ECP'97, volume 1348 of LNCS, pages 130–142, 1997.
[16] Alessandro Cimatti and Marco Roveri. Conformant Planning via Symbolic Model Checking. J. Artif. Intell. Res., 13:305–338, 2000.
[17] Marco Daniele, Paolo Traverso, and Moshe Y. Vardi. Strong cyclic planning revisited. In ECP'99, volume 1809 of LNCS, pages 35–48. Springer, 1999.
[18] Bernd Finkbeiner and Sven Schewe. Uniform distributed synthesis. In LICS'05, pages 321–330, 2005.
[19] Dov M. Gabbay, Amir Pnueli, Saharon Shelah, and Jonathan Stavi. On the temporal basis of fairness. In Paul W. Abrahams, Richard J. Lipton, and Stephen R. Bourne, editors, POPL'80, pages 163–173, 1980.
[20] Patrick Gardy, Patricia Bouyer, and Nicolas Markey. Dependences in Strategy Logic. In STACS'18, volume 96 of LIPIcs, pages 34:1–34:15, 2018.
[21] Patrick Gardy, Patricia Bouyer, and Nicolas Markey. Dependences in strategy logic. Theory Comput. Syst., 64(3):467–507, 2020.
[22] Erich Grädel and Jouko A. Väänänen. Dependence and independence. Stud Logica, 101(2):399–410, 2013.
[23] C. Cordell Green. Application of theorem proving to problem solving. In IJCAI'69, pages 219–240, 1969.
[24] Michal Krynicki and Marcin Mostowski. Decidability problems in languages with henkin quantifiers. Ann. Pure Appl. Log., 58(2):149–172, 1992.
[25] Orna Kupferman and Moshe Y. Vardi. Synthesizing distributed systems. In LICS'01, pages 389–398, 2001.
[26] Vadim Malvone, Aniello Murano, and Loredana Sorrentino. Concurrent Multi-Player Parity Games. In AAMAS'16, pages 689–697, 2016.
[27] Allen L. Mann, Gabriel Sandu, and Merlijn Sevenster. Independence-Friendly Logic - a Game-Theoretic Approach, volume 386 of London Mathematical Society lecture note series. Cambridge University Press, 2011.
[28] Fabio Mogavero, Aniello Murano, Giuseppe Perelli, and Moshe Y. Vardi. Reasoning about strategies: On the model-checking problem. ACM TOCL, 15(4):34:1–34:47, 2014.
[29] David E. Muller and Paul E. Schupp. Alternating Automata on Infinite Objects, Determinacy and Rabin's Theorem. In Automata on Infinite Words, volume 192 of LNCS, pages 100–107. Springer, 1984.
[30] Nir Piterman. From nondeterministic Büchi and Streett automata to deterministic parity automata. LMCS, 3(3), 2007.
[31] A. Pnueli. The temporal logic of programs. In FOCS-77, pages 46–57, 1977.
[32] A. Pnueli and R. Rosner. On the Synthesis of a Reactive Module. In POPL, pages 179–190. ACM, 1989.
[33] A. Pnueli and R. Rosner. Distributed reactive systems are hard to synthesize. In FOCS'90, pages 746–757, 1990.
[34] Jussi Rintanen. Complexity of Planning with Partial Observability. In ICAPS'04, pages 345–354, 2004.
[35] Sven Schewe. Synthesis of distributed systems. PhD thesis, Saarland University, Saarbrücken, Germany, 2008.
[36] A.P. Sistla, M.Y. Vardi, and P. Wolper. The Complementation Problem for Büchi Automata with Applications to Temporal Logic. TCS, 49:217–237, 1987.
[37] Aravinda Prasad Sistla. Theoretical Issues in the Design and Verification of Distributed Systems. PhD thesis, 1985.
[38] Wolfgang Thomas. Languages, automata, and logic. In