We consider the synthesis of distributed implementations for specifications in parameterized temporal logics such as PROMPT-LTL, which extends LTL by temporal operators equipped with parameters that bound their scope. For single process synthesis it is well-established that such parametric extensions do not increase worst-case complexities. For synchronous distributed systems we show that, despite being more powerful, the realizability problem for PROMPT-LTL is not harder than its LTL counterpart. For asynchronous systems we have to express scheduling assumptions and therefore consider an assume-guarantee synthesis problem. As asynchronous distributed synthesis is already undecidable for LTL, we give a semi-decision procedure for the PROMPT-LTL assume-guarantee synthesis problem based on bounded synthesis. Finally, we show that our results extend to the stronger logics PLTL and PLDL.
Introduction
Linear Temporal Logic [1] (LTL) is the most prominent specification language for reactive systems and the basis for industrial languages like For-Spec [2] and PSL [3] . Its advantages include a compact variable-free syntax and intuitive semantics as well as the exponential compilation property, which explains its attractive algorithmic properties: every LTL formula can be translated into an equivalent Büchi automaton of exponential size. This yields a polynomial space model checking algorithm and a doubly-exponential time algorithm for solving two-player games. Such games solve the monolithic LTL synthesis problem: given a specification, construct a correct-by-design implementation.
However, LTL lacks the ability to express timing constraints. For example, the request-response property G(req → F resp) requires that every request req is eventually responded to by a resp. It is satisfied even if the waiting times between requests and responses diverge, i.e., it is impossible to require that requests are granted within a fixed, but arbitrary, amount of time. While it is possible to encode an a-priori fixed bound for an eventually into LTL, this requires prior knowledge of the system's granularity and incurs a blow-up when translated to automata, and is thus considered impractical.
To overcome this shortcoming of LTL, Alur et al. introduced parametric LTL (PLTL) [4] , which extends LTL with parameterized operators of the form F ≤x and G ≤y , where x and y are variables. The formula G(req → F ≤x resp) expresses that every request is answered within an arbitrary, but fixed, number of steps α(x). Here, α is a variable valuation, a mapping of variables to natural numbers. Typically, one is interested in whether a PLTL formula is satisfied with respect to some variable valuation, e.g., model checking a transition system S against a PLTL specification ϕ amounts to determining whether there is an α such that every trace of S satisfies ϕ with respect to α. Alur et al. showed that the PLTL model checking problem is PSpace-complete. Due to monotonicity of the parameterized operators, one can assume that all variables y in parameterized always operators G ≤y are mapped to zero, as variable valuations are quantified existentially in the problem statements. Dually, again due to monotonicity, one can assume that all variables x in parameterized eventually operators F ≤x are mapped to the same value, namely the maximum of the bounds. Thus, in many cases the parameterized always operators and different variables for parameterized eventually operators are not necessary.
Motivated by this, Kupferman et al. introduced PROMPT-LTL [5] , which can be seen as the fragment of PLTL without the parameterized always operator and with a single bound k for the parameterized eventually operators. They proved that PROMPT-LTL model checking is PSpace-complete and solving PROMPT-LTL games is 2ExpTime-complete, i.e., not harder than LTL games. While the results of Alur et al. rely on involved pumping arguments, the results of Kupferman et al. are all based on the so-called alternating color technique, which basically allows to reduce PROMPT-LTL to LTL. Furthermore, the result on PROMPT-LTL games was extended to PLTL games [6] , again using the alternating color technique. These results show that adding parameters to LTL does not increase the asymptotic complexity of the model checking and the game-solving problem, which is still true for even more expressive logics [7, 8] .
The synthesis problems mentioned above assume a setting of complete information, i.e., every part of the system has a complete view on the system as a whole. However, this setting is highly unrealistic in virtually any system. Distributed synthesis on the other hand, is the problem of synthesizing multiple components with incomplete information. Since there are specifications that are not implementable, one differentiates synthesis from the corresponding decision problem, i.e., the realizability problem of a formal specification. We focus on the latter, but note that from the methods presented here, implementations are efficiently extractable from a proof of realizability.
The realizability problem for distributed systems dates back to work of Pnueli and Rosner in the early nineties [9] . They showed that the realizability problem for LTL becomes undecidable already for the simple architecture of two processes with pairwise different inputs. In subsequent work, it was shown that certain classes of architectures, like pipelines and rings, can still be synthesized automatically [10, 11] . Later, a complete characterization of the architectures for which the realizability problem is decidable was given by Finkbeiner and Schewe by the information fork criterion [12] . Intuitively, an architecture contains an information fork, if there is an information flow from the environment to two different processes where the information to one process is hidden from the other and vice versa. The distributed realizability problem is decidable for all architectures without information fork. Beyond decidability results, semi-algorithms like bounded synthesis [13] give an architecture-independent synthesis method that is particularly well-suited for finding small-sized implementations.
Our Contributions. As mentioned above, one can add parameters to LTL for free: the complexity of the model checking problem and of solving infinite games does not increase. This raises the question whether this observation also holds for the distributed realizability of parametric temporal logics. For synchronous systems, we can answer this question affirmatively. For every class of architectures with decidable LTL realizability, the PROMPT-LTL realizability problem is decidable, too. To show this, we apply the alternating color technique [5] to reduce the distributed realizability problem of PROMPT-LTL to the one of LTL: one can again add parameterized operators to LTL for free.
For asynchronous systems, the environment is typically assumed to take over the responsibility for the scheduling decision [14] . Consequently, the resulting schedules may be unrealistic, e.g., one process may not be scheduled at all. While fairness assumptions such as "every process is scheduled infinitely often" solve this problem for LTL specifications, they are insufficient for PROMPT-LTL: a fair scheduler can still delay process activations arbitrarily long and thereby prevent the system from satisfying its PROMPT-LTL specification for any bound k. Bounded fair scheduling, where every process is guaranteed to be scheduled in bounded intervals, overcomes this problem. Since bounded fairness can be expressed in PROMPT-LTL, the realizability problem in asynchronous architectures can be formulated more generally as an assume-guarantee realizability problem that consists of two PROMPT-LTL specifications. We give a semi-decision procedure for this problem based on a new method for checking emptiness of two-colored Büchi graphs [5] and an extension of bounded synthesis [13] . As asynchronous LTL realizability for architectures with more than one process is undecidable [14] , the same result holds for PROMPT-LTL realizability. Decidability in the one process case, which holds for LTL [14] , is left open.
Finally, we show that all these results also hold for PLTL and for parametric linear dynamic logic (PLDL) [7] , an even stronger logic to which the alternating color technique is still applicable. This is a revised and extended version of a paper that appeared at Gan-dALF 2016 [15] .
Related Work. There is a rich literature regarding the synthesis of distributed systems from global ω-regular specifications [9, 10, 11, 12, 16, 17] . We are not aware of work that is concerned with the realizability of parameterized logics in this setting. For local specifications, i.e., specifications that only relate the inputs and outputs of single processes, the realizabil-ity problem becomes decidable for a larger class of architectures [18] . An extension of these results to context-free languages was given by Fridman and Puchala [19] . The realizability problem for asynchronous systems and LTL specifications is undecidable for architectures with more than one process to be synthesized [14] . Later, Gastin et al. showed decidability of a restricted specification language and certain types of architectures, i.e., wellconnected [20] and acyclic [21] ones. Bounded synthesis [13] provides a flexible synthesis framework that can be used in both the asynchronous and the synchronous setting, based on a semi-decision procedure.
PROMPT-LTL
Throughout this work, we fix a set AP of atomic propositions. The formulas of PROMPT-LTL are given by the grammar
where a ∈ AP is an atomic proposition, ¬, ∧, ∨ are the usual boolean operators, and X, U, R are the LTL operators next, until, and release. We use the derived operators tt := a ∨ ¬a and ff := a ∧ ¬a for some fixed a ∈ AP, and F ϕ := tt U ϕ and G ϕ := ff R ϕ as usual. Furthermore, we use ϕ → ψ as shorthand for ¬ϕ ∨ ψ, if the antecedent ϕ is a (possibly negated) atomic proposition (where we identify ¬¬a with a). We define the size of ϕ to be the number of subfomulas of ϕ. The satisfaction relation for PROMPT-LTL is defined between an ω-word w = w 0 w 1 w 2 · · · ∈ 2 AP ω , a position n ∈ N, a bound k for the prompt-eventually operators, and a PROMPT-LTL formula.
• (w, n, k) a if, and only if, a ∈ w n .
• (w, n, k) ¬a if, and only if, a / ∈ w n .
• (w, n, k) ϕ 0 ∧ ϕ 1 if, and only if, (w, n, k) ϕ 0 and (w, n, k) ϕ 1 .
• (w, n, k) ϕ 0 ∨ ϕ 1 if, and only if, (w, n, k) ϕ 0 or (w, n, k) ϕ 1 .
• (w, n, k) X ϕ if, and only if, (w, n + 1, k) ϕ.
• (w, n, k) ϕ 0 U ϕ 1 if, and only if, there exists a j ≥ 0 such that (w, n + j, k) ϕ 1 and (w, n + j ′ , k) ϕ 0 for every j ′ in the range 0 ≤ j ′ < j.
• (w, n, k) ϕ 0 R ϕ 1 if, and only if, for all j ≥ 0: (w, n + j, k) ϕ 1 or (w, n + j ′ , k) ϕ 0 for some j ′ in the range 0 ≤ j ′ < j.
• (w, n, k) F P ϕ if, and only if, there exists a j in the range 0 ≤ j ≤ k such that (w, n + j, k) ϕ.
For the sake of brevity, we write (w, k) ϕ instead of (w, 0, k) ϕ and say that w is a model of ϕ with respect to k. Note that (w, n, k) ϕ implies (w, n, k ′ ) ϕ for every k ′ ≥ k, i.e., satisfaction with respect to k is an upwards-closed property.
The Alternating Color Technique. In this subsection, we recall the alternating color technique, which Kupferman et al. introduced to solve model checking, assume-guarantee model checking, and the realizability problem for PROMPT-LTL specifications [5] .
Let r / ∈ AP be a fixed fresh proposition. An ω-word w ′ ∈ 2 AP∪{r} ω is an r-coloring of w ∈ 2 AP ω if w ′ n ∩ AP = w n , i.e., w n and w ′ n coincide on all propositions in AP. The additional proposition r can be thought of as the color of w ′ n : we say that the color changes at position n, if n = 0 or if the truth values of r in w ′ n−1 and in w ′ n are not equal. In this situation, we say that n is a change point. An r-block is a maximal infix w ′ m · · · w ′ n of w ′ such that the color changes at m and n + 1, but not in between.
Let k ≥ 1: we say that w ′ is k-spaced if the color changes infinitely often and each r-block has length at least k; we say that w ′ is k-bounded, if each r-block has length at most k. Note that k-boundedness implies that the color changes infinitely often.
Given a PROMPT-LTL formula ϕ, let rel r (ϕ) denote the formula obtained by inductively replacing every subformula F P ψ by (r → (r U (¬r U rel r (ψ)))) ∧ (¬r → (¬r U (r U rel r (ψ)))) , which is only linearly larger than ϕ and requires every prompt eventually to be satisfied within at most one color change (not counting the position where ψ holds). Furthermore, the formula alt r = GF r ∧ GF ¬r is satisfied if the colors change infinitely often. Finally, we define the LTL formula c r (ϕ) = rel r (ϕ) ∧ alt r . Kupferman et al. showed that ϕ and c r (ϕ) are in some sense equivalent on ω-words which are bounded and spaced.
Lemma 1 (Lemma 2.1 of [5] ). Let ϕ be a PROMPT-LTL formula, and let w ∈ 2 AP ω .
Whenever possible, we drop the subscript r for the sake of readability, if r is clear from context. However, when we consider asynchronous systems in Section 4, we need to relativize two formulas with different colors, which necessitates the introduction of the subscripts.
Synchronous Distributed Synthesis
PROMPT-LTL specifications can give guarantees that LTL cannot, for example by asserting not only that requests to a system are answered eventually, but also that there is an upper bound on the reaction time. This is especially important in distributed systems, since such timing constraints become more difficult to implement because of information flows between the various parts of the system.
Consider for example a distributed computation system, where a central server gets important and unimportant tasks, and can forward tasks to a number of clients. A client can either enqueue the task, which means that it will be processed eventually, or clear the client-side queue and process the task immediately. The latter operation is very costly (we have to remember the open tasks as they still need to be completed), but guarantees an upper bound on the completion time. While in LTL we can only specify that all incoming tasks are processed eventually, in PROMPT-LTL we can specify that the answer time to important tasks is bounded by the formula G(important-task → F P finished -task ). 1 We continue by formalizing the distributed realizability problem. Let X and Y be finite and pairwise disjoint sets of variables. A valuation of X is a subset of X; thus, the set of all valuations of X is 2 X . For w = w 0 w 1 w 2 · · · ∈ (2 X ) ω and
where S is a finite set of states, s 0 ∈ S is the designated initial state, ∆ : S × 2 X → S is the transition function, and l : S → 2 Y is the statelabeling. We generalize the transition function to sequences over 2 X by defining ∆ * : (2 X ) * → S recursively as ∆ * (ε) = s 0 and ∆ * (w 0 · · · w n−1 w n ) = ∆(∆ * (w 0 · · · w n−1 ), w n ) for w 0 · · · w n−1 w n ∈ (2 X ) + . A transition system S generates the strategy f if f (w) = l(∆ * (w)) for every w ∈ (2 X ) * . A strategy f is called finite-state if there exists a transition system that generates f .
Let X ′ and Y ′ be finite sets such that X, X ′ , Y , and Y ′ are pairwise disjoint. Further, let f :
Analogously, for transition systems S = S, s 0 , ∆, l and S ′ = S ′ , s ′ 0 , ∆ ′ , l ′ the distributed product, written S ⊗ S ′ , is defined as the transition system S × S ′ , (s 0 , s ′ 0 ), ∆ * , l * , where ∆ * ((s, s ′ ), w) = (s ′′ , s ′′′ ) if and only if ∆(s, w) = s ′′ and ∆ ′ (s ′ , w) = s ′′′ , and l * (s, s ′ ) = l(s) ∪ l ′ (s ′ ). The strategy generated by S ⊗ S ′ is equal to the distributed product of the strategies generated by S and S ′ .
The behavior of a strategy f : (2 X ) * → 2 Y is characterized by an infinite tree that branches by the valuations of X and whose nodes w ∈ (2 X ) * are labeled with the strategic choice f (w). For an infinite word w = w 0 w 1 w 2 · · · ∈ (2 X ) ω , the corresponding labeled path is defined as (f (ε) ∪ w 0 )(f (w 0 ) ∪ w 1 )(f (w 0 w 1 ) ∪ w 2 ) · · · ∈ (2 X∪Y ) ω . We lift the set containment operator ∈ to the containment of a labeled path w = w 0 w 1 w 2 · · · ∈ (2 X∪Y ) ω in a strategy tree induced by f :
We define the satisfaction of a PROMPT-LTL formula ϕ (over propositions X ∪ Y ) on strategy f with respect to the bound k, written (f, k) ϕ for short, as (w, k) ϕ for all paths w ∈ f . Distributed Systems. We characterize a distributed system as a set of processes with a fixed communication topology, called an architecture in the following. Recall that AP is the set of atomic propositions used to build formulas. An architecture A is a tuple P, p env , is the finite set of processes and p env ∈ P is the distinct environment process. We denote by P − = P \ {p env } the set of system processes. Given a process p ∈ P , the input and output signals of this process are I p ⊆ AP and O p ⊆ AP, respectively, where we assume
While processes may share the same inputs (in case of broadcasting), the outputs of processes must be pairwise disjoint, i.e., for all p
An implementation of a process p ∈ P − is a strategy f p : (2 Ip ) * → 2 Op mapping finite input sequences to a valuation of the output variables.
Example 1. Figure 1 shows example architectures A 1 and A 2 , where
The architecture A 1 in Fig. 1 (a) contains two system processes, p 1 and p 2 , and the environment process p env . The processes p 1 and p 2 receive the inputs a, respectively b, from the environment and output c and d, respectively. Hence, the environment can provide process p 1 with information that is hidden from p 2 and vice versa. In contrast, architecture A 2 , depicted in Fig. 1(b) , is a pipeline architecture where information from the environment can only propagate through the pipeline processes p 1 and p 2 .
Distributed Realizability. Let A = P, p env , {I p } p∈P , {O p } p∈P be an architecture. The synchronous PROMPT-LTL realizability problem for A is to decide, given a PROMPT-LTL formula ϕ, whether there exist a bound k and a finite-state implementation f p for every process p ∈ P − , such that the distributed product p∈P − f p satisfies ϕ with respect to k, i.e.,
( p∈P − f p , k) ϕ. In this case, we say that ϕ is realizable in A. The synchronous LTL realizability problem is a special case, as LTL is a fragment of PROMPT-LTL. Let r / ∈ AP be the fresh proposition introduced for the alternating color technique to relativize formulas and let A = P, p env , {I p } p∈P , {O p } p∈P be an architecture as above. We define the architecture A r as
where I r = ∅ and O r = {r}. Intuitively, this describes an architecture where one additional process p r is responsible for providing sequences in (2 {r} ) ω , i.e., a coloring by r. We show that ϕ in A and c r (ϕ) in A r are equi-realizable by applying the alternating color technique. As the processes are synchronized, the proof is similar to the one for the single-process case by Kupferman et al. [5] .
Assume that the PROMPT-LTL formula ϕ is realizable in A. Then, there exist finite-state strategies f p for p ∈ P − and a bound k satisfying the synchronous PROMPT-LTL realizability problem A, ϕ . For every w ∈ p∈P − f p , it holds that (w, k) ϕ. By Lemma 1.1 it holds that every k-spaced r-coloring w ′ of w satisfies c r (ϕ). Let f r : (2 ∅ ) * → 2 {r} be a (finitestate) strategy that produces the k-spaced sequence (∅ k {r} k ) ω . Then, the process implementations {f p } p∈P − together with f r are a solution to the synchronous LTL realizability problem A r , c r (ϕ) . Now, assume that the LTL formula c r (ϕ) is realizable in the architecture A r . Thus, there exist finite-state strategies f p for p ∈ P − and a finitestate strategy f r for process p r . Note that the strategy f r : (2 ∅ ) * → 2 {r} has a unique output w r ∈ (2 {r} ) ω , as it has no inputs. We claim that w r is k-bounded, where k is the number of states of the transition system S = S, s 0 , ∆, l generating f r . To see this, note that f r has no inputs, i.e., every state of S has a unique successor in ∆, and the unique run of S on ∅ ω ends up in a loop which is traversed ad infinitum. As the output w r has infinitely many change points, the loop contains at least one state s labeled by l(s) = ∅ and at last one state s ′ with l(s ′ ) = {r}. Thus, the maximal length of a block of w r is bounded by the length of the loop, which in turn is bounded by the size of S.
Hence, for every w ∈ p∈P − f p , the word w r ∪ w is a k-bounded rcoloring of w with w r ∪ w rel r (ϕ). By Lemma 1.2, for all such w it holds that (w, 2k) ϕ. Hence, {f p } p∈P − together with the bound 2k is a solution to the synchronous PROMPT-LTL realizability problem.
In particular, this allows us to directly apply semi-algorithms for the distributed realizability problem, such as bounded synthesis [13] , to effectively construct small-sized solutions.
To conclude, we show that the newly introduced process p r also preserves the information fork criterion [12] . Formally, consider tuples P ′ , V ′ , p, p ′ , where P ′ is a subset of the processes, V ′ is a subset of the variables disjoint from I p ∪I p ′ , and p, p ′ ∈ P − \P ′ are two different processes. Such a tuple is an information fork in A if P ′ together with the edges that are labeled with at least one variable from V ′ forms a sub-graph of A rooted in the environment and there exist two nodes q, q ′ ∈ P ′ that have edges to p, p ′ , respectively, such that O {q,p}
For example, the architecture in Fig. 1 (a) contains the information fork ({p env }, ∅, p 1 , p 2 ), while the pipeline architecture depicted in Fig. 1 (b) has no information forks. Proof. The if direction follows immediately by construction: if P ′ , V ′ , p, p ′ is an information fork in A then it is an information fork in A r as well. Hence, assume P ′ , V ′ , p, p ′ is an information fork in A r . It holds that neither p r = p nor p r = p ′ since p r has no incoming edges. As I pr = ∅, p r cannot be in a sub-graph that is rooted in the environment, hence, p r /
Thus, we can use well-known results for the decidability of distributed realizability for LTL and weakly ordered architectures [12] , i.e., those without an information fork. 
Asynchronous Distributed Synthesis
The asynchronous system model is a generalization of the synchronous model discussed in the last section. In an asynchronous system, not all processes are scheduled at the same time. We model the scheduler as part of the environment, i.e., at any given time the environment additionally signals whether a process is enabled. The resulting distributed realizability problem is already undecidable for LTL specifications and systems with more than one process [14] .
We have to adapt the definition of the synchronous PROMPT-LTL realizability problem for the asynchronous setting. Using the definition from Section 3, the system can never satisfy a PROMPT-LTL formula if the scheduler is part of the environment, since it may delay scheduling indefinitely. Moreover, even if the scheduler is assumed to be fair, it can still build increasing delay blocks between process activation times, such that it is impossible for the system to guarantee any bound k ∈ N. Hence, we employ the concept of bounded fair schedulers and allow the system bound to depend on the scheduler bound. More generally, this is a typical instance of an assume-guarantee specification: under the assumption that the scheduler is bounded fair, the system satisfies its specification. In the following, we formally introduce the distributed realizability problem for asynchronous systems and assume-guarantee specifications. Scheduling. To model scheduling, we introduce an additional set Sched = {sched p | p ∈ P − } of atomic propositions. The valuation of sched p indicates whether system process p is currently scheduled or not. Given a (synchronous) architecture A = P, p env , {I p } p∈P , {O p } p∈P , we define the asynchronous architecture A * as the architecture with the environment output O * penv = O penv ∪Sched . Furthermore, we extend the input I p of a process by its scheduling variable sched p , i.e., I * p = I p ∪ {sched p } for every p ∈ P − . The environment can decide in every step which processes to schedule. When a process is not scheduled, its state-and thereby its outputs-do not change [13] .
Formally, let f p for p ∈ P − be a finite-state strategy for a process p and S p = S, s 0 , ∆, l a transition system that generates f p . For every path
Assume-Guarantee Realizability. A PROMPT-LTL assume-guarantee specification ϕ, ψ consists of a pair of PROMPT-LTL formulas. The asyn-chronous PROMPT-LTL assume-guarantee realizability problem asks, given an asynchronous architecture A * and ϕ, ψ as above, whether there exists a finite-state strategy f p for every process p ∈ P − such that for every bound k there is a bound l such that for every w ∈ p∈P − f p , we have that (w, k) ϕ implies (w, l) ψ. In this case, we say that p∈P − f p satisfies ϕ, ψ .
Consider the bounded fairness specification discussed above, which is expressed by the formula ϕ = p∈P − GF P sched p , i.e., for every point in time, every p is scheduled within a bounded number of steps. That is, we use ϕ as an assumption on the environment which implies that the guarantee ψ only has to be satisfied if ϕ holds. Consider for example the asynchronous architecture corresponding to Fig. 1 (a) and the PROMPT-LTL specification ψ = G(F P c ∧ F P ¬c ∧ F P d ∧ F P ¬d). Even when we assume a fair scheduler, i.e., ϕ = GF sched p 1 ∧ GF sched p 2 , the environment can prevent one process from satisfying the specification for any bound l. This problem is fixed by assuming the scheduler to be bounded fair, i.e., ϕ = GF P sched p 1 ∧ GF P sched p 2 . Then, there exist realizing implementations for processes p 1 and p 2 (that alternate between enabling and disabling the output), and the bound on the guarantee is l = 2 · k for every bound k on the assumption.
Unlike LTL, where the assume-guarantee problem ϕ, ψ can be reduced to the LTL realizability problem for the implication ϕ → ψ, this is not possible in PROMPT-LTL due to the quantifier alternation on the bounds. Indeed, it is still open whether the PROMPT-LTL assume-guarantee realizability problem in the single-process case is decidable. We show that even if the problem turns out to be decidable, an implementation that realizes the specification in general may need infinite memory. Lemma 3. There exists a PROMPT-LTL assume-guarantee specification that can be realized with an infinite-state strategy, but not with a finite-state strategy.
Proof. Consider the assume-guarantee specification ϕ, ψ with ϕ = GF P o∨ FG ¬o and ψ = ff and a single process architecture with I = ∅ and O = {o}. As the guarantee ψ is false, the implementation has to falsify the assumption ϕ for every bound k on the prompt-eventually operator to realize ϕ, ψ . To falsify ϕ with respect to k, the implementation has to produce a sequence w ∈ (2 {o} ) ω where o is repeatedly true and where ∅ k is an infix of w. Thus, the size of the implementation depends on k and an implementation that falsifies ϕ for every k must have infinite memory.
Moreover, already the LTL realizability problem is undecidable in the asynchronous case. Thus, the PROMPT-LTL assume-guarantee realizability problem for asynchronous architectures may be at best solvable by a semi-decision procedure. We present such a semi-algorithm for the asynchronous PROMPT-LTL assume-guarantee realizability problem based on bounded synthesis [13] . In bounded synthesis, a transition system of a fixed size is "guessed" and model checked by a constraint solver. Model checking for PROMPT-LTL can be solved by checking pumpable non-emptiness of colored Büchi graphs [5] . However, the pumpability condition cannot directly be expressed in the bounded synthesis constraint system. Hence, in Section 4.1, we give an alternative solution to the non-emptiness of colored Büchi graphs by a reduction to Büchi graphs that have access to the state space of the transition system. We show how to extend bounded synthesis to such Büchi graphs in Section 4.2, and present a semi-algorithm for PROMPT-LTL assume-guarantee synthesis based on this extension in Section 4.3.
Since the algorithm developed in this section needs access to the syntactic representation of strategies, we use in the following transition systems as representation for finite-state strategies.
Nonemptiness of Colored Büchi Graphs
In the case of LTL specifications, the nonemptiness problem for Büchi graphs gives a classical solution to the model checking problem for a given system S. Let ϕ be the LTL formula that S should satisfy. In a preprocessing step, the negation of ϕ is translated to a nondeterministic Büchi word automaton N ¬ϕ [22] . Then ϕ is violated by S if, and only if, the Büchi graph G representing the product of S and N ¬ϕ is nonempty. An accepting path π in G witnesses a computation of S that violates ϕ. Colored Büchi graphs are an extension to those graphs in the context of model checking PROMPT-LTL [5] .
A colored Büchi graph of degree two is a tuple G = {r, r ′ }, V, E, v 0 , L, B where r and r ′ are propositions, V is a set of vertices, E ⊆ V × V is a set of edges, v 0 ∈ V is the designated initial vertex, L : V → 2 {r,r ′ } describes the color of a vertex, and B = {B 1 , B 2 } is a generalized Büchi condition of index two, i.e., B 1 , B 2 ⊆ V . A Büchi graph is a special case where we omit the labeling function and are interested in finding an accepting path. A path π = v 0 v 1 v 2 · · · ∈ V ω is pumpable if we can pump all its r ′ -blocks without pumping its r-blocks. Formally, a path is pumpable if for all adjacent r ′ -change points i and i ′ , there are positions j, j ′ , and j ′′ such that i ≤ j < j ′ < j ′′ < i ′ , v j = v j ′′ and r ∈ L(v j ) if, and only if, r / ∈ L(v j ′ ). A path π is accepting, if it visits both B 1 and B 2 infinitely often. The pumpable nonemptiness problem for G is to decide whether G has a pumpable accepting path. It is NLogSpace-complete and solvable in linear time [5] .
We give an alternative solution to this problem based on a reduction to the nonemptiness problem of Büchi graphs. To this end, we construct a nondeterministic safety automaton N pump that characterizes the pumpability condition. Note that an infinite word is accepted by a safety automaton if, and only if, there exists an infinite run on this word. Proof. We define a non-deterministic safety automaton N pump = V × 2 {r,r ′ } , S, s 0 , δ, S over the alphabet V ×2 {r,r ′ } that checks the pumpability condition. The product of G and N pump (defined later) represents the Büchi graph G ′ where every accepting path is pumpable.
The language L ⊆ (V × 2 {r,r ′ } ) ω of pumpable paths (with respect to a fixed set of vertices V ) is an ω-regular language that can be recognized by a small non-deterministic safety automaton. This automaton N pump operates in 3 phases between every pair of adjacent r ′ -change points: first, it nondeterministically remembers a vertex v and the corresponding truth value of r. Then, it checks that this value changes and thereafter it remains to show that the vertex v repeats before the next r ′ -change point. Thus, the state space S of N pump is
and the initial state is s 0 . The state space corresponds to the 3 phases: In the states s v,x a vertex v and a truth value of r are remembered, before state s ′ v,y the value of r changes, and s ′′ z is the state after the vertex repetition. The transition function δ : (S × (V × 2 {r,r ′ } )) → 2 S is defined as follows: Figure 2 gives a visualization of this automaton. Remark 1. Note that in the context of this proof, it would be enough to remember a vertex v without the valuation of {r, r ′ }, as the vertex determines the valuation by the labeling function L : v → 2 {r,r ′ } of G. However, we will later use N pump in a more general setting (cf. Section 4.3).
We define the product G ′ of the colored Büchi graph G = {r, r ′ }, V, E, v 0 , L, B and the automaton N pump as the Büchi graph (
. It remains to show that G has a pumpable accepting path if, and only if, G ′ has an accepting path.
Consider a pumpable accepting path π in G. We show that there is a corresponding accepting path π ′ in G ′ . Let i and i ′ be adjacent r ′ -change points. Then there are positions j, j ′ , and j ′′ such that i ≤ j < j ′ < j ′′ < i ′ , v j = v j ′′ and r ∈ L(v j ) if, and only if, r / ∈ L(v j ′ ). By construction, at position i, automaton N pump is some state from the set {s 0 , s ′′ ∅ , s ′′ {r ′ } }. We follow the automaton and remember vertex v and the truth value of r at position j ≥ i (some state s v,x ). Next, we take the transition to s ′ v,y where the truth value of r changes (at position j ′ ). Lastly, we check that there is a vertex repetition (at position j ′′ ) and go to state s ′′ z . At the next r ′ -change point i ′ , the argument repeats. This path is accepting, as the original one is accepting. Now, consider an accepting path π in G ′ . We show that there is a pumpable accepting path in G. Let π ′ be the projection of every position of π to the first component. By construction, π ′ is an accepting path in G. Let π i π i+1 · · · π i ′ be an r ′ -block of π. As π has a run on automaton N pump , we know that there exists a state repetition between i and i ′ where the truth value of r changes in between. Hence, the path π ′ is pumpable.
Bounded Synthesis
For a specification expressed in a universal co-Büchi automaton U, a (possibly asynchronous) architecture A, and a size bound b (or a family of bounds on the components), the bounded synthesis method [13] decides whether a correct implementation of the given size exists. In this section, we show a modification of bounded synthesis that gives the specification automaton access to the states of the system to be synthesized. This extension is needed for automata that can express the pumpability condition, in particular the one we constructed in the proof of Lemma 4.
For distributed architectures, bounded synthesis separately considers the problems of finding a global transition system that is accepted by U, and of dividing the transition system into local components according to the given architecture. To this end, two sets of constraints are generated: (i) an encoding of the acceptance by U of a global transition system S of size b, and (ii) an encoding of the architectural constraints that divides this global system into local components. If the conjunction of both sets of constraints is satisfiable, then a satisfying assignment of the constraints represents a distributed system that satisfies ϕ in A. Since the architectural constraints we consider are the same as in standard bounded synthesis, we only have to modify the constraints encoding the existence of a global transition system that satisfies the given specification.
Extended Automata. We define a universal co-Büchi tree automaton to be a tuple U = Σ, Υ, Q, q 0 , δ, B , where Σ is an input alphabet, Υ is a set of directions, Q is a set of states, δ : Q × Σ → 2 Q×Υ , and B ⊆ Q is the set of rejecting states.
We are interested in the acceptance of a 2 O -labeled 2 I -transition system S = S, s 0 , ∆, l , and further want to recognize the pumpability condition. Therefore, we consider a state-aware universal co-Büchi tree automaton with Σ = 2 O ×S and Υ = 2 I , i.e., in addition to output valuations, the automaton has access to the current state of S.
Acceptance of S by the automaton is defined in terms of run graphs: the run graph of an automaton U S = 2 O × S, 2 I , Q, q 0 , δ, B on S is the minimal directed graph G = (G, E) that satisfies the constraints
• (q 0 , s 0 ) ∈ G, and
• for every (q, s) ∈ G, it holds (q ′ , υ) ∈ Q × 2 I | ((q, s), (q ′ , ∆(s, υ))) ∈ E ⊇ δ(q, (l(s), s)).
The co-Büchi condition requires that, for an infinite path g 0 g 1 g 2 · · · ∈ G ω of the run graph, g i ∈ B × S for only finitely many i ∈ N. A run graph is accepting if every infinite path g 0 g 1 g 2 · · · ∈ G ω satisfies the co-Büchi condition. A transition system S is accepted by U S if the unique run graph of U S on S is accepting.
Annotated transition systems. We introduce an annotation function for transition systems that witnesses acceptance by a (possibly state-aware) universal co-Büchi tree automaton. The annotation assigns to each pair (q, s) ∈ Q × S a natural number or a special symbol ⊥. Natural numbers indicate the maximal number of occurrences of rejecting states on any path to (q, s) in the run graph. ⊥ indicates that the pair (q, s) is not reachable. Thus, if for a given transition system there exists an annotation that assigns natural numbers to all vertices of the run graph, then the number of visits to rejecting states must be bounded in any run. Such annotations are called valid, and transition systems with valid annotations are exactly those that are accepted by the automaton.
An annotation of a 2 O -labeled 2 I -transition system S = S, s 0 , ∆, l on a state-aware universal co-Büchi tree automaton U S = 2 O × S, 2 I , Q, q 0 , δ, B is a function λ : Q × S → {⊥} ∪ N. An annotation is valid if it satisfies the following conditions:
where ⊲ is interpreted as > if q ′ ∈ B, and ≥ otherwise.
An annotation is c-bounded if its codomain is contained in {⊥, 0, . . . , c}. Proof. The original proof by Finkbeiner and Schewe [13] works without modifications for our extension to state-aware universal co-Büchi tree automata.
For a given state-aware universal co-Büchi tree automaton U S = 2 O × S, 2 I , Q, q 0 , δ, B , Theorem 2 allows us to decide the existence of an O-labeled I-transition system with state space S that is accepted by U S .
SMT encoding of global acceptance. In particular, the existence of a (global) transition system with a valid annotation can be encoded into a set of decidable SMT constraints. Essentially, this is done by directly encoding the conditions for a valid annotation into SMT, for a transition system with uninterpreted transition function and labeling. Like the proof of Theorem 2, the original encoding directly supports our notion of state-aware universal Büchi tree automata. That is, we construct an SMT encoding in the following way:
1. Assume that U S is defined in a suitable way, i.e., the sets Q and B, state q 0 and transition relation δ are defined. 2. Declare uninterpreted sets and functions for the transition system S and the annotation:
• Define the set of states S as {1, . . . , b} for a given bound b ∈ N. 3. Assert the following constraints:
For a detailed explanation of the encoding, we refer to Finkbeiner and Schewe [13] . The only difference is that we allow a state-aware automaton. In particular, note that the translation of LTL specifications into universal co-Büchi tree automata (see Kupferman and Vardi [23] ) can also be used with our definition, and simply results in an automaton that ignores the concrete state of the transition system in its input.
Encoding of architectural constraints. As mentioned above, the encoding of architectural constraints can be adopted from the original approach without changes. For a given asynchronous architecture A * = P, p env , {I * p } p∈P , {O * p } p∈P , the additional constraints (1) assert that the state of a process p ∈ P − does not change if it is not scheduled and (2) that the transitions of a process only depend on its current state and the visible inputs. In addition, it can contain additional bounds on the state space of every single component.
The conjunction of both sets of constraints then asks for the existence of a distributed implementation S = p∈P − S p of size b that is accepted by U, possibly with additional bounds b p for every p ∈ P − on the size of the components.
Theorem 3 (cp. [13] ). Given a state-aware universal co-Büchi tree automaton U S , an asynchronous architecture A * , and a family of bounds b p for every p ∈ P − , there is a constraint system (in a decidable first-order theory) that is satisfiable if, and only if, there exist implementations f p of size b p for every p ∈ P − such that p∈P − f p is accepted by U S and satisfies the architectural constraints of A * .
Proof. Follows immediately from Theorem 2 and the correctness of the architectural constraints from Finkbeiner and Schewe [13] .
A Semi-Algorithm for Assume-Guarantee Realizability
As the assume-guarantee realizability problem for asynchronous architectures is undecidable and infinite-state strategies are required in general, we give a semi-decision procedure for the problem. Our solution is based on the techniques developed in the last subsections.
As the bounded synthesis approach described in the last subsection already accounts for "guessing" transition systems S p for every system process p according to the architectural constraints given by A * , we reduce the problem of model checking individual implementations S p to model checking the product system S = p∈P − S p . A transition system S satisfies an assumeguarantee specification ϕ, ψ if the strategy f generated by S satisfies ϕ, ψ , i.e., if for every bound k there is a bound l such that for every w ∈ f , we have that (w, k) ϕ implies (w, l) ψ.
Given an assume-guarantee specification ϕ, ψ , we first solve the problem of model checking assume-guarantee specifications by building a state-aware universal co-Büchi tree automaton U S that accepts a transition system S if, and only if, S satisfies ϕ, ψ . Given U S and a bound b on the size of the implementation, we can then use the encoding from Section 4.2 to decide realizability modulo this bound, and obtain a semi-decision procedure by solving the problem for increasing bounds.
Encoding ϕ, ψ into Büchi automata. Let A * = P, p env , {I * p } p∈P , {O * p } p∈P be an asynchronous architecture and let I = O * penv and O = p∈P − O * p be the set of inputs, respectively outputs, of the composition of the system processes. First, we construct the non-deterministic Büchi automaton N c r ′ (ψ)∧cr(ϕ) = 2 I∪O∪{r,r ′ } , Q, q 0 , δ, B , where c r ′ (ψ) = alt r ′ ∧ ¬rel r ′ (ψ) whose language contains exactly those paths that satisfy c r ′ (ψ) ∧ c r (ϕ) [22] . Then, we use the following lemma to characterize whether a transition system S satisfies an assume-guarantee specification ϕ, ψ by reducing it to finding pumpable error paths in the two-color Büchi graph G = {r, r ′ }, V, E, v 0 , L, B , as introduced in Section 4.1, that is the product of S = S, s 0 , ∆, l and N c r ′ (ψ)∧cr (ϕ) . Formally, the elements of G are defined as V = S × 2 {r,r ′ } × Q, E as ((s, R, q), (s ′ , R ′ , q ′ )) ∈ E if and only if there is an input valuation i ∈ 2 I such that s ′ = ∆(s, i) and (q ′ , i) ∈ δ(q, l(s)), v 0 = (s 0 , ∅, q 0 ), L as L((s, R, q, q * )) = R, and B = {B}.
Lemma 5. Let ϕ, ψ be a PROMPT-LTL assume-guarantee specification, A * be an asynchronous architecture and S p be a finite-state implementation for every system process p ∈ P − . The distributed product S = p∈P − S p does not satisfy ϕ, ψ if, and only if, the product of S and N c r ′ (ψ)∧cr (ϕ) is pumpable non-empty.
Proof. Similar to the proof of Lemma 6.1 and Theorem 6.2 in [5] . The missing proof of Lemma 6.1 is presented in [7] (Lemma 8). See also the discussion below the proof.
To check the existence of pumpable error paths, we use the non-deterministic automaton N pump = V × 2 {r,r ′ } , S, s 0 , δ ′ , S from the proof of Lemma 4. Here, we let V = X × Q, where X is a set with b elements, representing the state space of the desired solution S, and Q is the state space of the automaton N c r ′ (ψ)∧cr (ϕ) defined above. That is, we use as V the state space X × Q of the colored Büchi graph that is used to model check an implementation S against a specification ψ, ϕ .
The product of N c r ′ (ψ)∧cr(ϕ) and N pump is an automaton N that operates on the inputs I, outputs O, propositions {r, r ′ }, and the state space X of the implementation, and accepts all those paths that are pumpable and violate the assume-guarantee specification (cf. Lemma 4) .
N is defined as
and B * is the Büchi condition {(q, s) | q ∈ B, s ∈ S}.
We complement N , resulting in a universal co-Büchi automaton U that accepts a given sequence w ∈ (2 I∪{r,r ′ } ) ω of inputs and the behavior of an implementation S on w if, and only if, the execution of S on w satisfies ψ, ϕ . Finally, we construct a (state-aware) universal co-Büchi tree automaton U S = (2 O × X, 2 I∪{r,r ′ } , Q, q 0 , δ, B) by spanning a copy of U for every direction in 2 I∪{r,r ′ } . Then, an implementation S with set S of states is accepted by U S if, and only if, S satisfies ϕ, ψ (for all possible input sequences). Thus, U S solves the problem of model checking assume-guarantee specifications.
Encoding the automaton into constraints. Now, we can use the modified bounded synthesis algorithm from Section 4.2 to encode U S into a set of constraints that are satisfiable if, and only if, there exists an implementation S that satisfies ϕ, ψ . We obtain the following corollaries.
Corollary 2. Given a PROMPT-LTL assume-guarantee specification ϕ, ψ and a bound b, there is a constraint system (in a decidable first-order theory) that is satisfiable if, and only if, there exist an implementation S of size b such that S satisfies ϕ, ψ .
Corollary 3. Given a PROMPT-LTL assume-guarantee specification ϕ, ψ , an asynchronous architecture A * , and a family of bounds b p for every p ∈ P − , there is a constraint system (in a decidable first-order theory) that is satisfiable if, and only if, there exist implementations S p of size b p for every p ∈ P − such that S∈P − S p satisfies ϕ, ψ in A * .
By exhaustively traversing the space of bounds (b p ) p∈P − and by solving the resulting constraint system, we obtain a semi-algorithm for the asynchronous PROMPT-LTL assume-guarantee realizability problem. Furthermore, this also solves the synthesis problem, as implementations are efficiently obtained from a satisfying assignment of the constraint system. Corollary 4. Let A * be an asynchronous architecture. The asynchronous PROMPT-LTL assume-guarantee realizability problem for A * is semi-decidable.
Beyond PROMPT-LTL
In this section, we consider distributed synthesis for stronger logics than PROMPT-LTL. As already explained in the introduction, PROMPT-LTL is predated by parametric linear temporal logic (PLTL), which was introduced by Alur et al. [4] . This logic is obtained by adding parameterized eventually operators of the form F ≤x ϕ and parameterized always operators of the form G ≤y to LTL. Here, x and y are variables which are instantiated by a variable valuation α mapping variables to natural numbers that serve as bounds: F ≤x ϕ holds with respect to α if ϕ holds within the next α(x) steps, while G ≤y ϕ holds with respect to α, if ϕ holds at least for the next α(y) steps. Thus, intuitively, the variables bound the scope of the operators. In particular, PROMPT-LTL can be seen as the fragment of PLTL without parameterized always operators and where all parameterized eventually operators are parameterized by the same variable.
Alur et al. showed that the model checking problem for PLTL, where the variable valuation α is existentially quantified, is PSpace-complete, and therefore not harder than LTL model checking. Later, a similar result was shown for solving infinite games with PLTL winning conditions, which is still complete for doubly-exponential time [6] . As for PROMPT-LTL, distributed synthesis for PLTL specifications has never been considered before.
The second logic we consider in this section is parametric linear dynamic logic (PLDL) [7] , which has its roots in another shortcoming of LTL: it has not the full expressive power of the ω-regular languages. There is a long line of extensions of LTL addressing this issue [24, 25, 26] . Most recently, Vardi introduced linear dynamic logic (LDL), which adds regular expressions as guards to the temporal operators of LTL: the formula g ϕ holds if there is a position such that the prefix up to it matches the guard g and ϕ holds at this position. Similarly, [g ] ϕ holds, if ϕ holds at all positions where the prefix up to it matches the guard. Thus, the diamond operator is a guarded eventually operator and the box operator is a guarded always operator. Vardi showed that LDL has the exponential compilation property [27] , i.e., formulas can be translated into equivalent Büchi automata of exponential size. Thus, LDL model checking is still PSpace-complete while solving LDL games is 2ExpTime-complete. Now, PLDL is obtained by allowing parameterized diamond and box operators, with the expected semantics. For the first time, this logic addresses both shortcomings of LTL, lack of timing constraints and limited expressiveness, simultaneously. Even in this setting, model checking is just PSpacecomplete and solving games is 2ExpTime-complete [7] . Distributed synthesis for PLDL specifications has never been considered before.
In this section, we address the distributed synthesis problem for both log-ics, starting with the synchronous variant. For PLTL, we rely on a reduction to the PROMPT-LTL synthesis problem. The variable valuation α will be existentially quantified in the problem statement, just as the bound k in the case of PROMPT-LTL synthesis is existentially quantified. Now, consider a parameterized always operator G ≤y ϕ: if ϕ is satisfied for at last α(y) steps, then also for at least zero steps, i.e., at the current position. Thus, when the value for y is existentially quantified, G ≤y ϕ degenerates to the formula ϕ, as y can always be instantiated with 0. Dually, consider a parameterized eventually operator F ≤x ϕ: if ϕ holds at least once within the next α(x) steps, then also at least once within the next k steps, for every k ≥ α(x). Thus, if α is existentially quantified, then one can replace all variables parameterizing parameterized eventually operators by a unique one. By applying these two replacements, one obtains an equivalent PROMPT-LTL formula, provided α is existentially quantified. In fact, these observations were the impetus to introduce PROMPT-LTL. However, the situation is different when one is interested in a fixed variable valuation or for optimization problems. In this case, the replacements are no longer valid.
Then, we consider the synchronous synthesis problem for PLDL, which we solve along the same lines as for its special case PROMPT-LTL: the alternating color technique has been reformulated for PLDL and the exponential compilation property holds as well. Finally, we also discuss the asynchronous synthesis problem. Here, the approach for PLTL and PLDL is similar. Hence, we restrict our attention to the case of PLDL, as it subsumes PLTL.
Synchronous Distributed Synthesis for Parametric Linear Temporal Logic
Let V be an infinite set of variables and let AP be a set of atomic propositions. The formulas of PLTL are given by the grammar
where a ∈ AP and z ∈ V. Again, we use the derived operators F and G as well as implications, which are defined as for PROMPT-LTL.
The set of subformulas of a PLTL formula ϕ is denoted by cl(ϕ) and we define the size of ϕ to be the cardinality of cl(ϕ). Furthermore, we define var F (ϕ) = {z ∈ V | F ≤z ψ ∈ cl(ϕ)} to be the set of variables parameterizing eventually operators in ϕ, and var G (ϕ) = {z ∈ V | G ≤z ψ ∈ cl(ϕ)} to be the set of variables parameterizing always operators in ϕ. Finally, var(ϕ) = var F (ϕ) ∪ var G (ϕ) denotes the set of all variables appearing in ϕ.
To evaluate formulas we define a variable valuation to be a mapping α : V → N mapping each variable to a value. Now, we can define the model relation between a path w = w 0 w 1 w 2 · · · , a position n of w, a variable valuation α, and a PLTL formula. For the atomic propositions, boolean connectives, and standard temporal operators it is defined as for PROMPT-LTL, and for the parameterized operators as follows:
F ≤z ϕ if, and only if, there exists a j ≤ α(z) such that (w, n + j, α) ϕ.
• (w, n, α) G ≤z ϕ if, and only if, for every j ≤ α(z): (w, n + j, α) ϕ.
For the sake of brevity, we write (w, α) ϕ instead of (w, 0, α) ϕ and say that w is a model of ϕ with respect to α.
As usual for parameterized temporal logics, the use of variables has to be restricted: parameterizing eventually and always operators by the same variable leads to an undecidable satisfiability problem [4] .
In the following, we only consider well-formed formulas and omit the qualifier "well-formed". Also, we will denote variables in var F (ϕ) by x and variables in var G (ϕ) by y, if the formula ϕ is clear from context.
Our solution for the PLTL synthesis problem is based on the monotonicity of the parameterized temporal operators explained earlier, which is formalized in the following lemma. Lemma 6 ([4] ). Let ϕ be a PLTL formula and let α and β be variable valuations satisfying α(x) ≤ β(x) for every x ∈ var F (ϕ) and α(y) ≥ β(y) for every y ∈ var G (ϕ). If (w, α) ϕ, then (w, β) ϕ.
Thus, let ϕ be a PLTL formula and let ϕ ′ be the PROMPT-LTL-formula obtained from ϕ by inductively replacing every subformula F ≤x ψ by F P ψ and every subformula G ≤y ψ by ψ. The following is a straightforward consequence of the previous lemma.
Corollary 5. Let ϕ be a PLTL formula, let ϕ ′ be defined as above.
1. For every w: If there exists a variable valuation α such that (w, α) ϕ, then (w, max x∈var F (ϕ) α(x)) ϕ ′ .
For every w:
If there exists a bound k such that (w, k) ϕ ′ , then (w, α) ϕ, where α maps every x ∈ var F (ϕ) to k and every other variable to 0.
Let A = P, p env , {I p } p∈P , {O p } p∈P be an architecture. Here, the synchronous PLTL realizability problem for A is to decide, given a PLTL formula ϕ, whether there exist a variable valuation α and a finite-state implementation f p for every process p ∈ P − , such that the distributed product p∈P − f p satisfies ϕ with respect to α, i.e., ( p∈P − f p , α) ϕ. In this case, we say that ϕ is realizable in A. Also, bounded synthesis is again applicable, as we can translate the relativized PLTL formulas into universal co-Büchi automata.
Synchronous Distributed Synthesis for Parametric Linear Dynamic Logic
Again, let V be an infinite set of variables and let AP be the set of atomic propositions. The formulas of PLDL are given by the grammar
where a ∈ AP, z ∈ V, and where φ ranges over propositional formulas over AP. Here, expressions of the form ϕ? are tests, which are necessary to nest operators. The sets var ♦ (ϕ), var (ϕ), and var(ϕ) are defined analogously to the sets var F (ϕ), var G (ϕ), and var(ϕ) for PLTL, taking subformulas in tests into account.
The satisfaction relation is again defined between a path w, a position n, a variable valuation α, and a formula φ. First, let the relation R(g, w, α) ⊆ N × N contain all pairs (m, n) ∈ N × N such that w m · · · w n−1 matches g. Formally, it is defined inductively by • R(φ, w, α) = {(n, n + 1) | w n φ} for propositional ϕ,
• R(ϕ?, w, α) = {(n, n) | (w, n, α) ϕ},
• R(g 0 ; g 1 , w, α) = {(n 0 , n 2 ) | ∃n 1 s.t. (n 0 , n 1 ) ∈ R(g 0 , w, α) and (n 1 , n 2 ) ∈ R(g 1 , w, α)}, and
• R(g * , w, α) = {(n, n) | n ∈ N}∪ {(n 0 , n k+1 ) | ∃n 1 , . . . , n k s.t. (n j , n j+1 ) ∈ R(g, w, α) for all j ≤ k}.
Then, for atomic formulas and boolean connectives defined as for PROMPT-LTL and for the four temporal operators, we define • (w, n, α) g ϕ if there exists j ≥ 0 such that (n, n + j) ∈ R(g, w, α) and (w, n + j, α) ϕ,
• (w, n, α) [g ] ϕ if for all j ≥ 0 with (n, n + j) ∈ R(g, w, α) we have (w, n + j, α) ϕ,
• (w, n, α) g ≤z ϕ if there exists j ≤ α(z) such that (n, n + j) ∈ R(g, w, α) and (w, n + j, α) ϕ, and • (w, n, α) [g ] ≤z ϕ if for all j ≤ α(z) and with (n, n + j) ∈ R(g, w, α)
we have (w, n + j, α) ϕ.
Again, we restrict ourselves to well-formed formulas, i.e., those formulas ϕ with var ♦ (ϕ) ∩ var (ϕ) = ∅. With this restriction, Lemma 6 holds for PLDL, too.
Lemma 7. Let ϕ be a PLDL formula and let α and β be variable valuations satisfying α(x) ≤ β(x) for every x ∈ var ♦ (ϕ) and α(y) ≥ β(y) for every y ∈ var (ϕ). If (w, α) ϕ, then (w, β) ϕ.
Recall that the alternating color technique for PROMPT-LTL replaces every prompt-eventually operator F P ψ by a formula that expresses that ψ holds within one color change. In LTL, this is naturally expressed by two nested until operators. However, in PLDL, parameterized diamond operators, the analogues of prompt-eventually operators, are guarded by regular expressions. Thus, one has to express that both the guard hold and at most one color change occurs. The simplest way to do so is to introduce a change point bounded variant of the diamond-operator (cf. [7] ).
Formally, we add the operator · r cp with the following semantics:
• (w, n, α) g r cp ψ if there exists a j ∈ N s.t. (n, n + j) ∈ R(g, w, α), w n · · · w n+j−1 contains at most one r-change point, and (w, n+j, α) ψ.
Let LDL cp be the logic obtained by disallowing parameterized operators but allowing the change point-bounded operator, whose semantics are independent of variable valuations. Hence, we drop them from our notation for the satisfaction relation and the relation R.
We need the following results from [7] which generalizes the replacement of PLTL subformulas G ≤y ψ by ψ with respect to variable valuations mapping y to zero. In PLDL, the situation is different, e.g., the formulas [g ] ≤y ψ and ψ are not necessarily equivalent with respect to variable valuations mapping y to zero, e.g., if r = ϕ? is a test. This test has to be satisfied, even if α(y) = 0. However, one can easily simplify the guard g to a guard g that captures g when restricted to matchings of length zero.
Lemma 8 ([7]
). For every PLDL formula ϕ there is an efficiently constructible PLDL formula ϕ ′ without paramterized box operators whose size is at most the size of ϕ such that Finally, the exponential compilation property holds for LDL cp as well: every LDL cp formula can be translated into an equivalent non-determinstic Büchi automaton of exponential size [7] . Now, the (synchronous) PLDL distributed synthesis problem is defined as its analogue for PLTL. Let A = P, p env , {I p } p∈P , {O p } p∈P be an architecture. Then, the synchronous PLDL realizability problem for A is to decide, given a PLDL formula ϕ, whether there exist a variable valuation α and a finite-state implementation f p for every process p ∈ P − , such that the distributed product p∈P − f p satisfies ϕ with respect to α, i.e., ( p∈P − f p , α) ϕ. In this case, we say that φ is realizable in A.
Theorem 5. Let A be an architecture. The synchronous PLDL realizability problem for A is decidable if, and only if, A is weakly ordered.
Proof. Theorem 1 holds for PLDL as well, using the same proof: A PLDL formula ϕ is realizable in A if, and only if, c r (ϕ) is realizable in A r . Now, the information fork criterion holds for ω-regular conditions as well [12] , which finishes the proof.
Also, bounded synthesis is again applicable, as we can also translate the relativized PLDL formulas into universal co-Büchi automata.
Asynchronous Distributed Synthesis for PLDL
Finally, we consider the asynchronous setting. We focus on PLDL, as PLTL is a fragment of PLDL and the approach for both problems is similar.
As for the asynchronous PROMPT-LTL realizability problem, we require the implementations to only change their state if they are scheduled. Here, a PLDL assume-guarantee specification ϕ, ψ consists of a pair of PLDL formulas. The asynchronous PLDL assume-guarantee realizability problem asks, given an asynchronous architecture A * and ϕ, ψ as above, whether there exists a finite-state implementation f p for every process p ∈ P − such that for every variable valuation α there is a variable valuation β such that for every w ∈ p∈P − f p , we have that (w, α) ϕ implies (w, β) ψ. In this case, we say that p∈P − f p satisfies ϕ, ψ .
To solve the problem, we use the framework of bounded synthesis and emptiness checking for Büchi graphs as presented for PROMPT-LTL in Section 4. In particular, we adapt the notation introduced in Subsection 4.3, e.g., the product system S = p∈P − S p . Our semi-algorithm again guesses implementations and then model checks whether their product S satisfies the assume-guarantee specification, based on a characterization in terms of S being pumpable non-empty. To this end, we have to lift Lemma 11 to PLDL, which again requires to remove parameterized box operators. We again rely on monotonicity, but due to the quantifier alternation and the implication between ϕ and ψ, the application is not completely trivial. Given the assumption ϕ, let ϕ ′ be the formula as described in Lemma 8, which has no parameterized box operators. The formula ψ ′ is defined similarly. Proof. Let f denote the strategy generated by S.
For the implication from left to right, let S satisfy ϕ, ψ , i.e., for every α there is a β such that for all w ∈ f : (w, α) ϕ implies (w, β) ψ. As β depends on α, we write β(α) to make the dependency clear. Now, given some arbitrary α let α 0 denote that variable valuation mapping every x ∈ var ♦ (ϕ) = var ♦ (ϕ ′ ) to α(x) and every other variable to 0. We claim that (w, α) ϕ ′ implies (w, β(α 0 )) ψ ′ for all w ∈ f , which implies that S satisfies ϕ ′ , ψ ′ .
Thus, assume the assumption is satisfied, i.e., (w, α) ϕ ′ . Then, we also have (w, α 0 ) ϕ by Lemma 8. Thus, (w, β(α 0 )) ψ, which implies (w, β(α 0 )) ψ ′ , again by Lemma 8.
For the other implication, let S satisfy ϕ ′ , ψ ′ , i.e., for every α there is a β such that for all w ∈ f : (w, α) ϕ ′ implies (w, β) ψ ′ . Again, as β depends on α, we write β(α) to make the dependency clear.
We claim that (w, α) ϕ implies (w, β(α)) ψ for all w ∈ f , which implies that S satisfies ϕ, ψ .
Thus, assume the assumption is satisfied, i.e., (w, α) ϕ. Then, we also have (w, α) ϕ ′ by Lemma 8. Thus, (w, β(α)) ψ ′ , which implies (w, (β(α)) 0 ) ψ, again by Lemma 8. Here, (β(α)) 0 maps every variable in var ♦ (ψ) = var ♦ (ψ ′ ) to (β(α))(x) and every other variable to 0.
Thus, to simplify our notation we can from now on assume that ϕ and ψ do not contain any parameterized box operators. Thus, the alternating color technique is applicable to them. Also, there is a non-deterministic Büchi automaton N c r ′ (ψ)∧cr (ϕ) = 2 I∪O∪{r,r ′ } , Q, q 0 , δ, B , where c r ′ (ψ) = alt r ′ ∧ ¬rel r ′ (ψ) whose language contains exactly those paths that satisfy c r ′ (ψ) ∧ c r (ϕ) [7] . Then, Lemma 11 holds in this setting as well.
Lemma 11. Let ϕ, ψ be a PLDL assume-guarantee specification, A * be an asynchronous architecture and S p be a finite-state implementation for every system process p ∈ P − . The distributed product S = p∈P − S p does not satisfy ϕ, ψ if, and only if, the product of S and N c r ′ (ψ)∧cr (ϕ) is pumpable non-empty.
From here on the algorithm is similar to that described in Section 4 and we obtain the same semi-decidability result. Corollary 6. Let A * be an asynchronous architecture. The asynchronous PLDL assume-guarantee realizability problem for A * is semi-decidable.
Conclusion
In this paper, we have initiated the investigation of distributed synthesis for parameterized specifications, in particular for PROMPT-LTL, PLTL and PLDL. These logics subsume LTL, but additionally allow to express bounded satisfaction of system properties, instead of only eventual satisfaction. To the best of our knowledge, this is the first treatment of parametrized temporal logic specifications in distributed synthesis.
We have shown that for the case of synchronous distributed systems, we can reduce the PROMPT-LTL synthesis problem to an LTL synthesis problem. Thus, the complexity of PROMPT-LTL synthesis corresponds to the complexity of LTL synthesis, and the PROMPT-LTL realizability problem is decidable if, and only if, the LTL realizability problem is decidable. For the case of asynchronous distributed systems with multiple components, the PROMPT-LTL realizability problem is undecidable, again corresponding to the result for LTL. For this case, we give a semi-decision procedure based on a novel method for checking emptiness of two-colored Büchi graphs. Finally, we have shown that all these results also hold for PLTL and PLDL. Furthermore, the approach is also applicable to PLTL and PLDL in a weighted setting [8] , as even these logics have the exponential compilation property and as the alternating color technique is applicable to them as well. Finally, we conjecture that the approach also extends to assume-guarantee synthesis with mutual assumptions between different processes [28, 29] .
Among the problems that remain open is realizability of PROMPT-LTL specifications in asynchronous distributed systems with a single component. This problem can be reduced to the (single-process) assume-guarantee realizability problem for PROMPT-LTL, which was left open in [5] .
In the future, we also want to look into the synthesis of distributed systems with a parametric number of components [30, 31] from parameterized temporal logics.
