Abstract. We consider the synthesis of distributed implementations for specifications in Parametric Linear Temporal Logic (PLTL). PLTL extends LTL by temporal operators equipped with parameters that bound their scope. For single process synthesis it is well-established that such parametric extensions do not increase worst-case complexities. For synchronous systems, we show that, despite being more powerful, the distributed realizability problem for PLTL is not harder than its LTL counterpart. The case of asynchronous systems requires assumptions on the scheduler beyond fairness to ensure that bounds can be met at all, i.e., even fair schedulers can delay processes arbitrarily long and thereby prevent the system from satisfying its PLTL specification. Thus, we employ the concept of bounded fair scheduling, where every process is guaranteed to be scheduled in bounded intervals, and give a semi-decision procedure for the resulting distributed assume-guarantee realizability problem.
Introduction
The task of synthesis is to construct a correct-by-design implementation from a given formal specification, e.g., in linear temporal logic (LTL), that characterizes the allowed behaviors of the system. Many synthesis problems assume a setting of complete information, i.e., every part of the system has a complete view of the system as a whole. However, this setting is highly unrealistic in virtually any system. Distributed synthesis, on the other hand, is the problem of synthesizing multiple components with incomplete information. Since there are specifications that are not implementable, one differentiates synthesis from the corresponding decision problem, i.e., the realizability problem of a formal specification. We focus on the latter, but note that with the methods presented here, implementations are efficiently extractable from realizable specifications.
Distributed Synthesis. The realizability problem for distributed systems dates back to work of Pnueli and Rosner in the early nineties [15]. They showed that the realizability problem for LTL becomes undecidable already for the simple architecture of two processes with pairwise different inputs. In subsequent work, it was shown that certain classes of architectures, like pipelines and rings, can still be synthesized automatically [11, 14]. Later, a complete characterization of the architectures for which the realizability problem is decidable was given by Finkbeiner and Schewe [5] by the information fork criterion. Intuitively, an architecture contains an information fork if there is an information flow from the environment to two different processes where the information to one process is hidden from the other and vice versa. The distributed realizability problem is decidable for all architectures without information fork [5]. Such an architecture is also called weakly ordered.
Beyond decidability results, semi-algorithms like bounded synthesis [6] give an architecture-independent synthesis method that is particularly well-suited for finding small-sized implementations.
Parametric LTL. All those prior works have in common that they either use linear temporal logic (LTL) directly or alternatively some ω-regular specification format like nondeterministic Büchi automata. A drawback of this approach is the inability to express timing constraints. For example, the request-response property G(req → F resp) requiring that every request req is eventually responded to by a resp is satisfied even if the waiting times between requests and responses diverge: it is impossible to require that requests are granted within a fixed, but arbitrary, amount of time. While it is possible to encode an a-priori fixed bound for an eventuality into LTL, this requires prior knowledge of the system's granularity and incurs a blow-up when translated to automata, and is thus considered impractical.
To overcome this shortcoming of LTL, Alur et al. introduced parameterized LTL (PLTL) [1], which extends LTL with parameterized operators of the form F≤x and G≤y, where x and y are variables. The formula G(req → F≤x resp) expresses that every request is answered within an arbitrary, but fixed number of steps α(x). Here, α is a variable valuation, a mapping of variables to natural numbers. Typically, one is interested in whether a PLTL formula is satisfied with respect to some variable valuation. For example, solving infinite games with PLTL winning conditions amounts to determining whether there is an α such that Player 0 has a strategy such that every play that is consistent with the strategy satisfies the winning condition with respect to α. Alur et al. showed that the PLTL model checking problem is PSpace-complete. Kupferman et al. later considered PROMPT-LTL [10], which can be seen as the fragment of PLTL without the parameterized always operator, and showed that PROMPT-LTL model checking is still PSpace-complete and that PROMPT-LTL games are 2ExpTime-complete, i.e., not harder than LTL games. While the results of Alur et al. relied on involved pumping arguments, the results of Kupferman et al. were all based on the so-called alternating-color technique, which essentially allows one to reduce PROMPT-LTL to LTL. To this end, one adds a new proposition to the system, which is thought of as coloring the executions of the system, and replaces a parameterized eventually F≤x ϕ by an LTL formula expressing that ϕ holds within one color change. If the distance between color changes is bounded, then F≤x ϕ holds for some α as well. Furthermore, the result on PROMPT-LTL games was extended to infinite games on graphs [18], again using the alternating-color technique. Here, one player is in charge of coloring the executions, and the existence of finite-state winning strategies for LTL games guarantees that the distance between color changes is indeed bounded.
These results show that adding parameters to LTL does not increase the asymptotic complexity of the model-checking and the game-solving problem (i.e., single process realizability), which is still true for even more expressive logics [4, 19] .
Our Contributions. This raises the question whether this observation also holds for the realizability of parametric temporal logics within the setting of distributed systems. For synchronous systems, we can answer this question positively. For every class of architectures with decidable LTL realizability, the PLTL realizability problem is decidable, too. To show this, we apply the alternating color technique [10] to reduce the distributed realizability problem of PLTL to the realizability problem of LTL. To this end, we add another process that controls the color and require that this color changes infinitely often. Due to finite-state determinacy of the realizability problem in architectures without information fork, such color changes are bounded and the alternating color technique yields the desired result: one can again add parameterized operators to LTL for free.
For asynchronous systems, the environment is typically assumed to take over the responsibility for the scheduling decisions [17]. Consequently, the resulting schedules may be unrealistic, e.g., one process may not be scheduled at all. While fairness assumptions such as "every process is scheduled infinitely often" solve this problem for LTL specifications, they are insufficient for PLTL: a fair scheduler can still delay process activations arbitrarily long and thereby prevent the system from satisfying its PLTL specification for any variable valuation α. Thus, we employ the concept of bounded fair scheduling, where every process is guaranteed to be scheduled in bounded intervals. Since the bounded fairness property can be expressed as a PLTL formula as well, the realizability problem in asynchronous architectures can be formulated more generally as an assume-guarantee realizability problem for PLTL specifications. As asynchronous LTL realizability for architectures with more than one process is undecidable [17], the same holds for PLTL realizability. On the positive side, we give a semi-decision procedure for this problem based on a new method for checking emptiness of two-colored Büchi graphs [10] and an extension of bounded synthesis [6]. The case of a single process, which is decidable for LTL specifications [17], is left as an open problem.
Related Work. There is a rich literature regarding the synthesis of distributed systems from global ω-regular specifications [3, 5, 11, 14, 15, 16]. We are not aware of work that is concerned with the realizability of parameterized logics in this setting. For local specifications, i.e., specifications that only relate input and output of single processes, the realizability problem becomes decidable for a larger class of architectures [13]. An extension of these results to context-free languages was given by Fridman and Puchala [7]. The realizability problem for asynchronous systems and LTL specifications is undecidable for architectures with more than one process to be synthesized [17]. Later, Gastin et al. showed decidability for a restricted specification language and certain types of architectures, namely well-connected [9] and acyclic [8] ones. Bounded synthesis [6] provides a flexible synthesis framework that can be used for synthesizing implementations in both the asynchronous and the synchronous setting.
Preliminaries
Let X, Y, Z be finite disjoint sets of variables. A valuation of X is a subset of X; thus, the set of all valuations of X is 2^X.
A Y-labeled 2^X-transition system S is a tuple (S, s_0, ∆, l), where S is a finite set of states, s_0 ∈ S is the designated initial state, ∆ : S × 2^X → S is the transition function, and l : S → 2^Y is the state labeling. We generalize the transition function to sequences over 2^X by defining
A strategy f is called finite-state if there exists a transition system that generates f .
The
For finite sets A and B, and a strategy g : (2^A)^* → 2^B, the distributed product f ⊗ g is defined as the product wide_{2^{A\X}}(f) × wide_{2^{X\A}}(g).
The behavior of a strategy f : (2^X)^* → 2^Y is characterized by an infinite tree that branches by the valuation of X and whose nodes n ∈ (2^X)^* are labeled with the strategic choice f(n). For an infinite word w = w_0 w_1 ⋯ ∈ (2^X)^ω, the corresponding labeled path is defined as (f(ε)
We lift the set containment operator ∈ to the containment of a labeled path w in a strategy tree, i.e., w ∈ f if, and only if,
Distributed Systems. We characterize distributed systems as a set of processes with a fixed communication topology, called an architecture in the following. Let AP be a finite set of atomic propositions. An architecture A is a tuple (P, p_env, {I_p}_{p∈P}, {O_p}_{p∈P}), where P is the finite set of processes and p_env ∈ P is the distinguished environment process. Given a process p ∈ P, the inputs and outputs of this process are I_p ⊆ V and O_p ⊆ V, respectively, where we require I_{p_env} = ∅. We use the notation I_{P′} and O_{P′} for some P′ ⊆ P for ⋃_{p∈P′} I_p and ⋃_{p∈P′} O_p, respectively. We denote by P^- = P \ {p_env} the set of system processes. While processes may share the same inputs (in case of broadcasting), the outputs of the processes must be pairwise disjoint, i.e., for all p ≠ p′
O_p mapping finite input sequences to a valuation of the output variables. Figure 1 shows example architectures. The architecture in Fig. 1(a) contains two system processes, p_1 and p_2, and the environment process p_env. The processes p_1 and p_2 receive the inputs a and b, respectively, from the environment and output c and d, respectively. Hence, the environment can provide process p_1 with information that is hidden from p_2 and vice versa. In contrast, Fig. 1(b) shows a pipeline architecture where information from the environment can only propagate through the pipeline processes p_1 and p_2.
PLTL. Let V be an infinite set of variables and let AP be the set of atomic propositions as above, which we use to build our formulas. The formulas of PLTL are given by the grammar
where p ∈ AP and z ∈ V. We use the derived operators tt := p ∨ ¬p and ff := p ∧ ¬p for some fixed p ∈ AP, F ϕ := tt U ϕ, and G ϕ := ff R ϕ. Furthermore, we use ϕ → ψ as shorthand for ¬ϕ ∨ ψ, where we require the antecedent ϕ to be a (negated) atomic proposition and identify ¬¬p with p. We assume negation to bind stronger than every other connective and operator, which allows us to omit some parentheses. In the original work on PLTL [1], the operators U≤x, R≤y, F>y, G>x, U>y, and R>x are also allowed. However, since they do not add expressiveness (see Lemma 2.2 of [1]), we treat them as derived operators instead of adding them as primitive operators.
The set of subformulas of a PLTL formula ϕ is denoted by cl(ϕ) and we define the size |ϕ| of ϕ to be the cardinality of cl(ϕ). Furthermore, we define var_F(ϕ) = {z ∈ V | F≤z ψ ∈ cl(ϕ)} to be the set of variables parameterizing eventually operators in ϕ, var_G(ϕ) = {z ∈ V | G≤z ψ ∈ cl(ϕ)} to be the set of variables parameterizing always operators in ϕ, and set var(ϕ) = var_F(ϕ) ∪ var_G(ϕ). From now on, we denote variables in var_F(ϕ) by x and variables in var_G(ϕ) by y, if ϕ is clear from context. A formula ϕ is variable-free if var(ϕ) = ∅.
To evaluate PLTL formulas, we define a variable valuation to be a mapping α : V → N. Now, we can define the model relation ⊨ between an ω-word w ∈ (2^{AP})^ω, a position n of w, a variable valuation α, and a PLTL formula as follows:
- (w, n, α) ⊨ p if and only if p ∈ w_n,
- (w, n, α) ⊨ ¬p if and only if p ∉ w_n,
- (w, n, α) ⊨ ϕ ∧ ψ if and only if (w, n, α) ⊨ ϕ and (w, n, α) ⊨ ψ,
- (w, n, α) ⊨ ϕ ∨ ψ if and only if (w, n, α) ⊨ ϕ or (w, n, α) ⊨ ψ,
- (w, n, α) ⊨ X ϕ if and only if (w, n + 1, α) ⊨ ϕ,
- (w, n, α) ⊨ ϕ U ψ if and only if there exists a k ≥ 0 such that (w, n + k, α) ⊨ ψ and (w, n + j, α) ⊨ ϕ for every j in the range 0 ≤ j < k,
- (w, n, α) ⊨ ϕ R ψ if and only if for every k ≥ 0: either (w, n + k, α) ⊨ ψ or there exists a j in the range 0 ≤ j < k such that (w, n + j, α) ⊨ ϕ,
- (w, n, α) ⊨ F≤x ϕ if and only if there exists a j in the range 0 ≤ j ≤ α(x) such that (w, n + j, α) ⊨ ϕ, and
- (w, n, α) ⊨ G≤y ϕ if and only if for every j in the range 0 ≤ j ≤ α(y): (w, n + j, α) ⊨ ϕ.
For the sake of brevity, we write (w, α) ⊨ ϕ instead of (w, 0, α) ⊨ ϕ and say that w is a model of ϕ with respect to α. Furthermore, we define (f, α) ⊨ ϕ for some strategy f to denote the satisfaction (w, α) ⊨ ϕ for all paths w ∈ f.
As usual for parameterized temporal logics, the use of variables has to be restricted: bounding eventually and always operators by the same variable leads to an undecidable satisfiability problem [1]. Hence, we call a formula ϕ well-formed if var_F(ϕ) ∩ var_G(ϕ) = ∅.
In the following, we only consider well-formed formulas and drop the qualifier "well-formed" for the sake of brevity. We consider the following fragments of PLTL. Let ϕ be a PLTL formula:
-ϕ is an LTL formula, if ϕ is variable-free.
- ϕ is a PROMPT-LTL formula [10], if var_G(ϕ) = ∅ and |var_F(ϕ)| = 1.
- ϕ is a PLTL_F formula, if var_G(ϕ) = ∅.
- ϕ is a PLTL_G formula, if var_F(ϕ) = ∅.
Every LTL, PROMPT-LTL, PLTL_F, and every PLTL_G formula is well-formed.
Note that we defined PLTL formulas to be in negation normal form. Nevertheless, a negation can be pushed to the atomic propositions using the duality of the pairs (p, ¬p), (∧, ∨), (X, X), (U, R), and (F≤z, G≤z). Thus, we can define the negation of a PLTL formula.
Lemma 2. For every PLTL formula ϕ there exists an efficiently constructible PLTL formula ¬ϕ such that
1. (w, n, α) ⊨ ϕ if and only if (w, n, α) ⊭ ¬ϕ,
2. |¬ϕ| = |ϕ|,
3. if ϕ is well-formed, then so is ¬ϕ,
4. if ϕ is an LTL formula, then so is ¬ϕ, and
5. if ϕ is a PLTL_F formula, then ¬ϕ is a PLTL_G formula and vice versa.
The bounded temporal operators F≤x and G≤y satisfy the following monotonicity conditions: if (w, α) ⊨ ϕ, then for all α′ with α
Hence, when we ask for the existence of a variable valuation, we can assume w.l.o.g. that α(y) = 0 for all y ∈ var G (ϕ), which is equivalent to replacing subformulas G≤y ψ by ψ. Consequently, it is enough to consider specifications in the PLTL F fragment. Dually, when we ask for universality, we can assume w.l.o.g. that α(x) = 0 for all x ∈ var F (ϕ), i.e., replace F≤x ψ by ψ.
The Alternating Color Technique
Kupferman et al. introduced PROMPT-LTL and solved several of its decision problems, including model checking, assume-guarantee model checking, and the realizability problem [10]. The most important technique for obtaining these results is the alternating color technique. Intuitively, it allows one to replace formulas with parameterized eventually operators by standard LTL formulas. To this end, the positions of an infinite word are colored, either red or green, and a parameterized eventually F≤x ψ is replaced by the requirement that ψ holds within one color change (which is expressible in LTL if we use an additional atomic proposition for the color). If there is an upper bound on the distance between adjacent color changes, then the waiting time for the parameterized eventually is also bounded. In games, the bound on the distance is implied by finite-state determinacy: if a finite-state strategy changes the color infinitely often, then the distance between color changes is bounded by the size of the strategy.
Although the alternating color technique in its original formulation is only applicable to PROMPT-LTL formulas, it is easy to see that the restriction to a single variable is not essential. Hence, we state the technique here in a slightly more general version than the one presented in the original work on PROMPT-LTL.
Let r ∉ AP be a fixed fresh proposition. An ω-word w′ ∈ (2^{AP∪{r}})^ω is an r-coloring of w ∈ (2^{AP})^ω if w′_n ∩ AP = w_n for all n, i.e., w_n and w′_n coincide on all propositions in AP. The additional proposition r can be thought of as the color of w′_n: we say that a position n is red if r ∈ w′_n, and that it is green if r ∉ w′_n. Furthermore, we say that the color changes at position n if n = 0 or if the colors of w′_{n−1} and w′_n differ. In this situation, we say that n is a change point. An r-block is a maximal monochromatic infix w′_m ⋯ w′_n, i.e., the color changes at m and at n + 1, but not in between. Let k ≥ 1: we say that w′ is k-spaced if the color changes infinitely often and each r-block has length at least k; we say that w′ is k-bounded if each r-block has length at most k. Note that k-boundedness implies that the color changes infinitely often.
Given a PLTL_F formula ϕ, let rel_r(ϕ) denote the formula obtained by inductively replacing every subformula F≤x ψ by
(r → (r U (¬r U rel_r(ψ)))) ∧ (¬r → (¬r U (r U rel_r(ψ)))).
We have var(rel_r(ϕ)) = ∅ and |rel_r(ϕ)| ∈ O(|ϕ|). Furthermore, the formula alt_r = G F r ∧ G F ¬r is satisfied if the colors change infinitely often. Finally, consider the LTL formula c_r(ϕ) = rel_r(ϕ) ∧ alt_r, which is satisfied by an ω-word w if the following holds:
-The color changes infinitely often.
-For every subformula F≤x ψ in ϕ, rel r (ψ) is satisfied within one color change.
Next, we show that ϕ and rel r (ϕ) are in some sense equivalent on ω-words which are bounded and spaced. Our correctness lemma (slightly) differs from the original one presented in [10] , since we may have multiple variables, whereas a PROMPT-LTL formula only has a single one. However, the proof itself is similar to the original one.
Lemma 3 (cf. Lemma 2.1 of [10]). Let ϕ be a PLTL_F formula, and let w ∈ (2^{AP})^ω.
If
Whenever possible, we drop the subscripts r for the sake of readability, if r is clear from context. However, when we consider asynchronous systems in Section 4, we need to relativize two formulas with different colors, which necessitates the introduction of the subscripts.
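To make the semantics of Section 2 and the relativization above concrete, here is an added worked example in Python; it is not code from the paper. It evaluates PLTL formulas on lasso-shaped ω-words (a finite prefix followed by a loop repeated forever) under a variable valuation, implements rel_r, alt_r and c_r(ϕ) exactly as defined above, and exercises both directions of Lemma 3 on a constructed request/response word. The tuple encoding of formulas, the class and function names (Lasso, sat, rel, block_coloring, lemma3_witness) and the sample word W are our own choices.

```python
"""Added worked example, not code from the paper: PLTL semantics on lasso-shaped
omega-words (Section 2) and the alternating-color relativization rel_r, alt_r, c_r
(Section 3), exercised on a constructed request/response word.  The tuple encoding
of formulas and all names (Lasso, sat, rel, block_coloring, SPEC, W, ...) are ours."""
from functools import lru_cache
from math import gcd

# Formula constructors; formulas are nested tuples in negation normal form.
def ap(p):         return ('ap', p)
def nap(p):        return ('nap', p)           # negated atomic proposition
def and_(a, b):    return ('and', a, b)
def or_(a, b):     return ('or', a, b)
def until(a, b):   return ('U', a, b)
def release(a, b): return ('R', a, b)
def F_le(x, a):    return ('F<=', x, a)        # parameterized eventually F<=x
def G_le(y, a):    return ('G<=', y, a)        # parameterized always G<=y
TT = or_(ap('tt'), nap('tt'))                  # tt := p or not p for a fixed p
FF = and_(ap('tt'), nap('tt'))                 # ff := p and not p
def F(a):          return until(TT, a)         # F phi := tt U phi
def G(a):          return release(FF, a)       # G phi := ff R phi
def implies(lit, a):                           # lit -> a; antecedent is a (negated) atom
    return or_(nap(lit[1]) if lit[0] == 'ap' else ap(lit[1]), a)

class Lasso:
    """Omega-word w = prefix . loop^omega; each letter is a set of propositions."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty"
        self.prefix, self.loop = [frozenset(s) for s in prefix], [frozenset(s) for s in loop]
        self.n = len(self.prefix) + len(self.loop)   # number of distinct suffixes
    def letter(self, i):
        P = len(self.prefix)
        return self.prefix[i] if i < P else self.loop[(i - P) % len(self.loop)]
    def norm(self, i):   # smallest position with the same suffix as position i
        P = len(self.prefix)
        return i if i < self.n else P + (i - P) % len(self.loop)

def sat(w, alpha, phi, pos=0):
    """(w, pos, alpha) |= phi, following the semantics of Section 2."""
    @lru_cache(maxsize=None)
    def ev(f, i):
        i = w.norm(i)
        kind = f[0]
        if kind == 'ap':   return f[1] in w.letter(i)
        if kind == 'nap':  return f[1] not in w.letter(i)
        if kind == 'and':  return ev(f[1], i) and ev(f[2], i)
        if kind == 'or':   return ev(f[1], i) or ev(f[2], i)
        if kind == 'X':    return ev(f[1], i + 1)
        if kind == 'F<=':  return any(ev(f[2], i + j) for j in range(alpha[f[1]] + 1))
        if kind == 'G<=':  return all(ev(f[2], i + j) for j in range(alpha[f[1]] + 1))
        # Positions i .. i+n visit every distinct suffix of w, so the unbounded
        # operators are decided by inspecting at most n+1 positions.
        if kind == 'U':
            for k in range(w.n + 1):
                if ev(f[2], i + k):     return True
                if not ev(f[1], i + k): return False
            return False
        if kind == 'R':
            for k in range(w.n + 1):
                if not ev(f[2], i + k): return False  # psi must hold until released
                if ev(f[1], i + k):     return True   # phi at k releases all later positions
            return True                               # psi holds on every suffix
        raise ValueError(kind)
    return ev(phi, pos)

def rel(phi, r='r'):
    """rel_r(phi) for a PLTL_F formula: F<=x psi becomes 'psi within one color change'."""
    kind = phi[0]
    if kind in ('ap', 'nap'):
        return phi
    if kind == 'G<=':
        raise ValueError("rel_r is only defined for PLTL_F formulas")
    if kind == 'F<=':
        psi, red, green = rel(phi[2], r), ap(r), nap(r)
        return and_(or_(green, until(red, until(green, psi))),   # r -> r U (not r U psi)
                    or_(red, until(green, until(red, psi))))     # not r -> not r U (r U psi)
    if kind == 'X':
        return ('X', rel(phi[1], r))
    return (kind, rel(phi[1], r), rel(phi[2], r))

def alt(r='r'): return and_(G(F(ap(r))), G(F(nap(r))))   # alt_r: colors change infinitely often
def c(phi, r='r'): return and_(rel(phi, r), alt(r))       # c_r(phi) = rel_r(phi) and alt_r

def block_coloring(w, k, r='r'):
    """The r-coloring of w whose r-blocks all have length exactly k, hence both
    k-spaced and k-bounded: position i is red iff i // k is odd."""
    P, L = len(w.prefix), len(w.loop)
    M = L * 2 * k // gcd(L, 2 * k)                # loop length at which the coloring repeats
    paint = lambda i: set(w.letter(i)) | ({r} if (i // k) % 2 else set())
    return Lasso([paint(i) for i in range(P)], [paint(i) for i in range(P, P + M)])

def lemma3_witness(w, phi, x, k):
    """Lemma 3 on a concrete word: returns ((w, x->k) |= phi, k-block coloring |= c(phi),
    (w, x->2k) |= phi); the lemma asserts first => second (k-spaced) and second => third
    (k-bounded)."""
    return (sat(w, {x: k}, phi), sat(block_coloring(w, k), {}, c(phi)),
            sat(w, {x: 2 * k}, phi))

# Constructed sample word: requests at positions 0, 4, 7, 9, 12, ... are each
# answered after at most 3 steps (position 0 waits the full 3 steps).
SPEC = G(implies(ap('req'), F_le('x', ap('resp'))))          # G(req -> F<=x resp)
W = Lasso(prefix=[{'req'}, set(), set(), {'resp'}],
          loop=[{'req'}, {'resp'}, set(), {'req', 'resp'}, set()])
```

block_coloring(w, k) is the coloring (∅^k {r}^k)^ω that the proof for the synchronous case below lets the extra process emit; since its blocks have length exactly k it is simultaneously k-spaced and k-bounded, so one word exercises both halves of Lemma 3. On W, lemma3_witness returns (False, False, False) for k = 1, (False, True, True) for k = 2 and (True, True, True) for k ≥ 3: the first component implies the second and the second the third, as the lemma predicts, while the converses fail at k = 2, where the 2-block coloring satisfies c(ϕ) although α(x) = 2 is too small and only the bound 2k = 4 is guaranteed.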
Synchronous Distributed Synthesis
PLTL specifications can give guarantees that LTL cannot. E.g., in the setting of a system that answers requests, we can not only assert that requests are answered eventually, but also that there is an upper bound on the reaction time. This is especially important in distributed systems, since such timing constraints become inherently more difficult to implement because of complex information flows between the various parts of the system.
Consider for example a (very simplified) distributed computation system. We have a central master that receives important and unimportant tasks, and the clients have two modes of operation: either a task is enqueued, which means that it will be processed eventually, or the client-side queue is cleared and a single task is processed immediately. The latter operation is very costly (we have to remember the open tasks as they still need to be completed), but guarantees an upper bound on the completion time. In contrast to LTL, where we can only specify that all incoming tasks are processed eventually, in PLTL we can specify that the response time for important tasks is bounded, by the formula G(important-task → F≤x finished-task). A similar constraint could be simulated in LTL by requiring that on every important incoming task the worker queues are cleared. This, however, removes implementation freedom.
Let A = (P, p_env, {I_p}_{p∈P}, {O_p}_{p∈P}) be an architecture. The distributed realizability problem is to decide, given a PLTL formula ϕ, whether there exist a variable valuation α and a finite-state implementation f_p for every process p ∈ P^- such that the distributed product ⊗_{p∈P^-} f_p satisfies ϕ, i.e., (⊗_{p∈P^-} f_p, α) ⊨ ϕ. The LTL realizability problem is a special case, as LTL is a fragment of PLTL. Also note that we are only interested in finite-state strategies.
Let r ∉ AP be the fresh proposition introduced for the alternating color technique and let A = (P, p_env, I, O) be as above. We define the architecture A
Proof. Let A be an architecture and ϕ be a PLTL_F formula.

(⇒) Assume that the PLTL_F formula ϕ is realizable in A. Then, there exist strategies f_p for p ∈ P^- and a variable valuation α satisfying the PLTL_F distributed realizability problem (A, ϕ). For every w ∈ ⊗_{p∈P^-} f_p, it holds that (w, α) ⊨ ϕ. By Lemma 3.1 and for k = max_{x∈var(ϕ)} α(x), it holds that every k-spaced r-coloring w

be a (finite-state) strategy that produces the k-spaced sequence (∅^k {r}^k)^ω. Then, the process implementations {f_p}_{p∈P^-} together with f_r are a solution to the distributed realizability problem (A_r, c(ϕ)).

(⇐) Assume that the LTL formula c(ϕ) is realizable in the architecture A_r. Thus, there exist strategies f_p for p ∈ P^- and a strategy f_r for process p_r. As f_r is finite-state, the unique output w_r produced by f_r is k-bounded, where k is the size of the strategy f_r. Hence, for every w ∈ ⊗_{p∈P^-} f_p, the path w′ = w_r ∪ w is a k-bounded r-coloring of w with w′ ⊨ rel(ϕ). By Lemma 3.2, there exists a variable valuation α such that for all such w it holds that (w, α) ⊨ ϕ. Hence, {f_p}_{p∈P^-} together with α is a solution to the PLTL_F distributed realizability problem. □
To conclude, we show that the newly introduced process p_r preserves the information fork criterion [5]. Formally, consider tuples (P′, V′, p, p′), where P′ is a subset of the processes, V′ is a subset of the variables disjoint from I_p ∪ I_{p′}, and p, p′ ∈ P^- \ P′ are two different processes. Such a tuple is an information fork if P′ together with the edges that are labeled with at least one variable from V′ forms a sub-graph rooted in the environment and there exist two nodes q, q′ ∈ P′ that have edges to p and p′, respectively, such that O_{{q,p}} I_{p′} and O_{{q′,p′}} I_p. For example, the architecture in Fig. 1(a) contains the information fork ({p_env}, ∅, p_1, p_2), while the pipeline architecture depicted in Fig. 1(b) does not contain an information fork.
Lemma 5. A_r contains an information fork if, and only if, A contains an information fork.
Proof. The only-if direction follows immediately by construction: if (P′, V′, p, p′) is an information fork in A, then it is an information fork in A_r as well. Hence, assume (P′, V′, p, p′) is an information fork in A_r. It holds that neither p_r = p nor p_r = p′, since p_r has no incoming edges. As I_{p_r} = ∅, p_r cannot be in a subgraph that is rooted in the environment; hence, p_r ∉ P′ and r ∉ V′. It follows that (P′, V′, p, p′) is an information fork in A. □

Thus, we can use well-known results for the decidability of distributed realizability for LTL and weakly ordered architectures [5], i.e., those without an information fork.
Corollary 6. Let A be an architecture. The distributed realizability problem for PLTL specifications is decidable if, and only if, A is weakly ordered.
Furthermore, we can directly apply semi-algorithms for the distributed realizability problem, such as bounded synthesis [6] (see also Section 4.2), to effectively construct small-sized solutions.
Asynchronous Distributed Synthesis
The asynchronous system model is a generalization of the synchronous model discussed in the last section. In an asynchronous system, not all processes are scheduled at the same time. We model the scheduler as part of the environment, i.e., the environment additionally signals whether a process is enabled. The resulting distributed realizability problem for asynchronous systems is undecidable for systems with more than one process [17].
We have to adapt the definition of the PLTL_F realizability problem for the asynchronous setting. Using the definition from Section 3, the system can never satisfy a PLTL_F formula, even if the scheduler is assumed to be fair: the scheduler can insert ever longer delays between the activations of a process, so that it is impossible for the system to guarantee any bound n ∈ N. Hence, we employ the concept of bounded fair schedulers and allow the variable valuation of the system to depend on the bound of the scheduler. More generally, this is a typical instance of an assume-guarantee specification: under the assumption that the scheduler is bounded fair, the system satisfies its specification. In the following, we formally introduce the distributed realizability problem for asynchronous systems and assume-guarantee specifications.
Given a (synchronous) architecture A, we define the asynchronous architecture A^* as the architecture with the environment output O^*_{p_env} = O_{p_env} × 2^P. Here we use P as a set of atomic propositions whose valuation indicates whether a process is scheduled or not. Furthermore, we extend the input I_p of a process by its scheduling variable, i.e., I^*_p = I_p ∪ {p} for every p ∈ P^-. The environment can decide in every step which processes (including itself) to schedule. When the environment itself is not scheduled, the environment input does not change; when a process is not scheduled, its state, and thereby its outputs, stay the same [6]. Formally, let f_p be a finite-state implementation for a process p ∈ P^- and S_p = (S, s_0, ∆, l) a transition system that generates f_p. For every path π ∈ (2
, where π[j] denotes the prefix π_0 π_1 ⋯ π_j of π. Fix an asynchronous architecture A^*. The realizability problem for A^* asks, given an assume-guarantee specification (ϕ, ψ), whether there exists a finite-state implementation f_p for every process p ∈ P^- such that for every valuation α there is a valuation β with (⊗_{p∈P^-} f_p, β) ⊨ ψ whenever (⊗_{p∈P^-} f_p, α) ⊨ ϕ. In this case, we say that ⊗_{p∈P^-} f_p satisfies (ϕ, ψ). Both formulas ϕ and ψ can w.l.o.g. be assumed to be PLTL_F formulas (cf. the last paragraph of Section 2): for ψ, we use the monotonicity for the existentially quantified valuation β to remove parameterized always operators; for ϕ, note that α is universally quantified and that, due to the implication, the negation of ϕ enters the problem definition, so we can remove the parameterized eventualities in ¬ϕ, which correspond to parameterized always operators in ϕ.
Consider the bounded fairness specification introduced earlier. The PLTL_F formula for this specification is ϕ = ⋀_{p∈P^-} G F≤x p, i.e., at every point in time, every process p is scheduled within α(x) steps. We use ϕ as an assumption on the environment, so the guarantee ψ only has to be satisfied if ϕ holds. Consider for example the asynchronous architecture corresponding to Fig. 1(a) and the
Even when we assume a fair scheduler that always schedules at least one process, i.e., ϕ = G F p_1 ∧ G F p_2 ∧ (⋁_{i∈{1,2}} p_i), the environment can prevent one process from satisfying the specification for any bound on x. This problem is fixed by assuming the scheduler to be bounded fair, i.e., ϕ = G F≤x p_1 ∧ G F≤x p_2 ∧ (⋁_{i∈{1,2}} p_i). Then, there exists an implementation for the processes p_1 and p_2 (which alternates between enabling and disabling the output), and the bound on the guarantee is β(x) = 2 · α(x) for every valuation α.
We present a semi-algorithm for the asynchronous distributed realizability problem for assume-guarantee PLTL specifications based on bounded synthesis [6]. In bounded synthesis, a transition system of a fixed size is "guessed" and model-checked within a constraint solver. Model checking for PROMPT-LTL can be solved by checking pumpable non-emptiness of colored Büchi graphs [10]; however, the pumpability condition cannot be expressed in the bounded synthesis constraint system. Hence, in Section 4.1, we give an alternative solution to the non-emptiness problem of colored Büchi graphs by a reduction to Büchi graphs that have access to the state space of the transition system. In Section 4.2, we recap bounded synthesis and adapt the method so that the specification format accommodates this extended automaton model. Lastly, we combine these results into the semi-algorithm presented in Section 4.3.
Nonemptiness of Colored Büchi Graphs
In the case of LTL specifications, the nonemptiness problem for Büchi graphs gives a classical solution to the model checking problem for a given system S. Let ϕ be the LTL formula that S should satisfy. In a preprocessing step, the negation of ϕ is translated to a nondeterministic Büchi word automaton A_¬ϕ [2]. Then ϕ is violated by S if the Büchi graph G representing the product of S and A_¬ϕ is nonempty: an accepting path π in G witnesses a computation of S that violates ϕ. Colored Büchi graphs are an extension of those graphs in the context of model checking PROMPT-LTL [10].
A colored Büchi graph of degree two is a tuple G = ({r, r′}, V, E, v_0, L, B), where r and r′ are propositions, V is a set of vertices, E ⊆ V × V is a set of edges, v_0 ∈ V is the designated initial vertex, L : V → 2^{{r,r′}} describes the color of a vertex, and B = {B_1, B_2} is a generalized Büchi condition of index 2. A Büchi graph is the special case where we omit the labeling function and are interested in finding an accepting path. A path π = v_0 v_1 v_2 ⋯ ∈ V^ω is pumpable if we can pump all its r′-blocks without pumping its r-blocks. Formally, a path is pumpable if for all adjacent r′-change points i and i′, there are positions j, j′, and
A path π is accepting, if it visits both B 1 and B 2 infinitely often. The pumpable nonemptiness problem for G is to decide whether G has a pumpable accepting path. It is NLogSpace-complete and solvable in linear time [10] .
We give an alternative solution to this problem based on a reduction to the nonemptiness problem of Büchi graphs. To this end, we construct a nondeterministic safety automaton A_pump that characterizes the pumpability condition. Note that an infinite word is accepted by a safety automaton if, and only if, there exists an infinite run on this word.

Proof. We define a nondeterministic automaton A_pump = (V × 2^{{r,r′}}, S, s_0, δ, ∅) over the alphabet V × 2^{{r,r′}} that checks the pumpability condition. This automaton operates in three phases between every pair of adjacent r′-change points: first, it nondeterministically remembers a vertex v and the corresponding truth value of r. Then, it checks that this value changes, and thereafter it remains to show that the vertex v repeats before the next r′-change point. The state space of A_pump is
and the initial state is s_0. The transition function δ is defined as follows:

Fig. 2. Visualization of A_pump. The rectangular boxes represent the set of states that "remember" the vertex v of the Büchi graph G. In the inner four boxes, the vertex is chosen nondeterministically, while in the outer four boxes the vertex cannot be changed, as the automaton waits for a vertex repetition (edges to s″_∅ and s″_{{q}}).

We define the product G′ of the colored Büchi graph G and the automaton A_pump as the Büchi graph (V × S, E′, (v_0, s_0), B′), where
and where
2 ) is a generalized Büchi condition such that for i ∈ {1, 2}:
Consider a pumpable accepting path $\pi$ in $G$. We show that there is a corresponding accepting path $\pi'$ in $G'$. Let $i$ and $i'$ be adjacent $q$-change points. Then there are positions $j$, $j'$, and $j''$ such that $i \leq j < j$
Now, consider an accepting path $w$ in $G'$. We show that there is a pumpable accepting path in $G$. Let $w'$ be the projection of every position of $w$ to the first component. By construction, $w'$ is an accepting path in $G$. Let $w_i w_{i+1} \cdots w_{i'}$ be an $r'$-block of $w$. As $w$ has a run on the automaton $A_{\mathrm{pump}}$, we know that there exists a state repetition between $i$ and $i'$ where the truth value of $r$ changes in between. Hence, the path $w'$ is pumpable. $\square$
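The three-phase automaton of the proof in executable form, as an added example that is not the paper's code: a subset simulation of $A_{\mathrm{pump}}$ over a finite path given as letters (vertex, r, r'), next to a direct check of the pumpability condition for cross-validation. It assumes the condition as stated in the proof (a vertex repetition inside every $r'$-block with the value of $r$ changing in between, all positions strictly before the next change point) and precomputes the $r'$-change points instead of keeping the previous letter in the automaton state.

```python
WAIT, DONE = ("wait",), ("done",)          # phase markers of the A_pump simulation

def change_points(path):
    """Positions i with i == 0 or an r'-change between positions i-1 and i."""
    return {i for i, (_, _, rp) in enumerate(path) if i == 0 or rp != path[i - 1][2]}

def step(states, letter, at_change_point):
    """One nondeterministic step of A_pump on the letter (vertex, r, r')."""
    v, r, _ = letter
    succ = set()
    for s in states:
        if at_change_point:  # new r'-block: survive only if the last block was closed
            if s == DONE:    # (position i may itself be the remembered position j)
                succ |= {WAIT, ("rem", v, r)}
        elif s == WAIT:      # phase 1: remember (v, r) at j, or keep waiting
            succ |= {WAIT, ("rem", v, r)}
        elif s[0] == "rem":  # phase 2: wait for the value of r to change at j'
            succ.add(("chg", s[1]) if r != s[2] else s)
        elif s[0] == "chg":  # phase 3: wait for the vertex v to repeat at j''
            succ.add(DONE if v == s[1] else s)
        else:                # DONE: idle until the next change point
            succ.add(DONE)
    return succ

def has_run(path):
    """True iff A_pump has a run on the finite path: every completed r'-block has
    j < j' < j'' with v_j = v_j'' and r(j) != r(j'). The open last block is not judged."""
    cps = change_points(path)
    states = {DONE}          # s_0: position 0 always opens the first block
    for i, letter in enumerate(path):
        states = step(states, letter, i in cps)
        if not states:
            return False
    return True

def pumpable_direct(path):
    """The same condition checked directly from the definition (cross-check)."""
    cps = sorted(change_points(path))
    for i, i2 in zip(cps, cps[1:]):
        block = path[i:i2]
        if not any(block[j][0] == block[k][0]
                   and any(block[m][1] != block[j][1] for m in range(j + 1, k))
                   for j in range(len(block)) for k in range(j + 2, len(block))):
            return False
    return True

# Constructed sample paths: letters are (vertex, r, r') with the colors as 0/1.
PUMPABLE = [("a", 0, 0), ("b", 1, 0), ("a", 0, 0), ("c", 0, 1), ("c", 1, 1), ("a", 0, 1)]
NOT_PUMPABLE = [("a", 0, 0), ("b", 1, 0), ("b", 0, 0), ("a", 0, 1)]
```

In NOT_PUMPABLE the first block repeats the vertex b only at adjacent positions, so no position with a different value of r lies in between and the run dies at the change point.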
Bounded Synthesis
In this section, we show a modification to the bounded synthesis method [6] that gives the specification automaton access to the states of the system to be synthesized. This extension is needed for automata that can express the pumpability condition, in particular the one we constructed in the proof of Lemma 7.
Extended Automata. We define a universal co-Büchi tree automaton to be a tuple $U = \langle \Sigma, \Upsilon, Q, q_0, \delta, B \rangle$, where $\Sigma$ is an input alphabet, $\Upsilon$ is a set of directions, $Q$ is a set of states, $\delta : Q \times \Sigma \to 2^{Q \times \Upsilon}$, and $B \subseteq Q$ is the set of rejecting states. We extend this automaton by changing the input alphabet to $\Sigma \times S$, for a given transition system $\mathcal{S} = \langle S, s_0, \Delta, l \rangle$, i.e., the extended automaton has access to the current state of $\mathcal{S}$. We are interested in the acceptance of a transition system $\mathcal{S}$ by our extended automaton. Acceptance is defined in terms of run graphs: the run graph of an automaton $U_S = \langle 2^\Sigma \times S, 2^\Upsilon, Q, q_0, \delta, B \rangle$ on $\mathcal{S}$ is the minimal directed graph $\mathcal{G} = (G, E)$ that satisfies the constraints
The co-Büchi condition requires that, for an infinite path $g_0 g_1 g_2 \cdots \in G^\omega$ of the run graph, $g_i \in B \times S$ for only finitely many $i \in \mathbb{N}$. A run graph is accepting if every infinite path $g_0 g_1 g_2 \cdots \in G^\omega$ satisfies the co-Büchi condition. A transition system is accepted by $U$ if its unique run graph is accepting.
Annotated transition systems. We introduce an annotation function for transition systems that witnesses acceptance by a universal co-Büchi tree automaton.
The annotation assigns to each pair (q, s) ∈ Q × S a natural number or a special symbol ⊥. Natural numbers indicate the maximal number of rejecting states that occur on any path to (q, s) in the run graph. Thus, transition systems for which there is an annotation that assigns natural numbers to all vertices of the run graph have an upper bound on the number of visits to rejecting states. Such annotations are called valid, and transition systems with valid annotations are exactly those that are accepted by the automaton.
An annotation of a transition system $\mathcal{S} = \langle S, s_0, \Delta, l \rangle$ on a universal co-Büchi tree automaton $U = \langle 2^\Sigma \times S, 2^\Upsilon, Q, q_0, \delta, B \rangle$ is a function $\lambda : Q \times S \to \{\bot\} \cup \mathbb{N}$. An annotation is valid if it satisfies the following conditions:
, where $\triangleright$ is interpreted as $>$ if $q' \in B$, and as $\geq$ otherwise.
An annotation is $c$-bounded if its codomain is contained in $\{\bot, 1, \ldots, c\}$.
Theorem 9 (cf. Finkbeiner and Schewe [6]). A finite-state $\Sigma$-labeled $\Upsilon$-transition system $\mathcal{S} = \langle S, s_0, \Delta, l \rangle$ is accepted by a universal co-Büchi tree automaton $U = \langle \Sigma \times S, \Upsilon, Q, q_0, \delta, B \rangle$ if, and only if, it has a valid $(|S| \cdot |B|)$-bounded annotation.
Proof. The original proof by Finkbeiner and Schewe [6] works without modifications for our slightly generalized form of universal co-Büchi tree automata. $\square$
Based on Theorem 9, we obtain a semi-decision procedure for the existence of a finite-state implementation that is accepted by a universal co-Büchi tree automaton. In particular, the existence of a transition system of bounded size with a valid annotation can be encoded into a set of decidable SMT constraints. Essentially, this is done by directly encoding the conditions for a valid annotation into SMT, for a transition system with uninterpreted transition function and labeling. Like the proof of Theorem 9, the original encoding directly supports our extended notion of universal co-Büchi tree automata. For details of the encoding, we refer to Finkbeiner and Schewe [6].
Furthermore, note that the translation of LTL specifications into universal co-Büchi tree automata (see Kupferman and Vardi [12] ) can also be used with our definition, and simply results in an automaton that ignores the concrete state of the transition system in its input.
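Theorem 9 in executable form, as an added example that is neither the paper's nor the bounded synthesis tool's code: it builds the run graph of a finite transition system on an extended universal co-Büchi automaton (whose transition function receives the label and the current state $s$), computes the least annotation by relaxation, and gives up as soon as a value exceeds $|S| \cdot |B|$, which can only happen on a reachable rejecting cycle. The validity conditions are assumed as in Finkbeiner and Schewe (initial vertex not $\bot$, and $\lambda(q', s') \triangleright \lambda(q, s)$ on every run-graph edge), counting starts at 0 rather than 1, and the request/grant automaton and the transition system are constructed for this example; the automaton ignores $s$, as an automaton built from LTL would.

```python
from collections import deque

NO_REQ, REQ = frozenset(), frozenset({"req"})   # directions Υ = 2^{req}

def _delta(q, sigma, s):
    """Constructed universal co-Büchi automaton for 'every req is eventually granted (g)'."""
    if q == "q0":
        return {("q0", NO_REQ), ("q0", REQ), ("q1", REQ)}  # spawn a pending copy on req
    return set() if "g" in sigma else {("q1", NO_REQ), ("q1", REQ)}

AUT = {"q0": "q0", "B": {"q1"}, "delta": _delta}          # q1 is the rejecting state
TS_OK = {"s0": 0, "label": {0: frozenset(), 1: frozenset({"g"})},   # grants after req
         "delta": {(0, NO_REQ): 0, (0, REQ): 1, (1, NO_REQ): 0, (1, REQ): 1}}

def run_graph(ts, aut):
    """Reachable run-graph edges (q,s) -> (q',∆(s,υ)) for (q',υ) ∈ δ(q,(l(s),s))."""
    start, edges, todo = (aut["q0"], ts["s0"]), {}, deque([(aut["q0"], ts["s0"])])
    while todo:
        q, s = todo.popleft()
        if (q, s) not in edges:
            edges[(q, s)] = {(q2, ts["delta"][(s, d)])
                             for q2, d in aut["delta"](q, ts["label"][s], s)}
            todo.extend(edges[(q, s)])
    return start, edges

def annotation(ts, aut):
    """Least valid annotation (None is ⊥), or None if a rejecting cycle is reachable."""
    start, edges = run_graph(ts, aut)
    bound = len(ts["label"]) * len(aut["B"])   # |S|·|B| from Theorem 9
    lam = {**dict.fromkeys(edges), start: 0}  # counting starts at 0 in this example
    changed = True
    while changed:
        changed = False
        for v, succs in edges.items():
            for q2, s2 in (succs if lam[v] is not None else ()):
                need = lam[v] + (q2 in aut["B"])           # one more rejecting visit?
                if lam[(q2, s2)] is None or lam[(q2, s2)] < need:
                    if need > bound:      # more rejecting visits than vertices in B×S
                        return None
                    lam[(q2, s2)], changed = need, True
    return lam

def is_valid(ts, aut, lam):
    """Check λ(q0,s0) ≠ ⊥ and λ(q',s') ⊲ λ(q,s) on every run-graph edge."""
    start, edges = run_graph(ts, aut)
    return lam.get(start) is not None and all(
        lam.get(v) is None or (lam.get(w) is not None and
        (lam[w] > lam[v] if w[0] in aut["B"] else lam[w] >= lam[v]))
        for v, succs in edges.items() for w in succs)
```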
To close the gap to the asynchronous distributed realizability problem, we use the SMT constraint system developed in [6]. Compared to single process synthesis, there are additional constraints that (1) assert that the state of a process does not change if it is not scheduled and (2) that the transition of a process depends only on its current state and the visible inputs.
This method gives us a semi-decision procedure for the asynchronous distributed realizability problem with extended automata as specification.
Theorem 10. Let $A^*$ be an asynchronous architecture, let $\{b_p \mid p \in P^-\}$ be a family of bounds, and let $U_S$ be an extended universal automaton, where $S$ is the product of the state spaces of the process implementations $\mathcal{S}_p$ with $|S_p| = b_p$ for $p \in P^-$. There exist implementations $\mathcal{S}_p$ for $p \in P^-$ (with state space $S_p$) such that the product $\mathcal{S}$ is accepted by $U_S$ if, and only if, the constraint system for the asynchronous realizability problem as introduced above is satisfiable.
A Semi-Algorithm for Assume-Guarantee PLTL Realizability
We use the techniques developed in the last subsections to give a semi-decision procedure for the assume-guarantee realizability problem for asynchronous architectures. For simplicity, we partition the set of atomic propositions into sets $O$ and $I$, controllable by the system and the environment, respectively. Furthermore, let $X = \prod_{p \in P^-} S_p$ be a finite set of states that represents the product of the state spaces of the transition systems implementing the strategies to be synthesized. Given a PLTL$_F$ assume-guarantee specification $\langle \psi, \varphi \rangle$, we construct the non-
The language of $A_{c_{r'}(\psi) \wedge c_r(\varphi)}$ is exactly the set of those paths that satisfy $c_{r'}(\psi) \wedge c_r(\varphi)$.
Lemma 11 (cf. Theorem 6.2 of [10]). Let $f_p$ be finite-state implementations for processes $p \in P^-$. The product system $\prod_{p \in P^-} f_p$ does not satisfy $\langle \psi, \varphi \rangle$ if, and only if, the product of $\prod_{p \in P^-} f_p$ and $A_{c_{r'}(\psi) \wedge c_r(\varphi)}$ is pumpable non-empty.
We use the non-deterministic automaton $A_{\mathrm{pump}} = \langle X \times Q \times 2^{\{r, r'\}}, S, s_0, \delta', \emptyset \rangle$ from the proof of Lemma 7 to construct an automaton $A$ that accepts pumpable error paths. Note that $X \times Q$ is exactly the state space of the colored Büchi graph that is used to model-check implementations (cf. Lemma 11).
We then construct an automaton $A$ that operates on the inputs $I$, outputs $O$, propositions $\{r, r'\}$, and the state space $X$ and accepts all those paths that are pumpable and violate the assume-guarantee specification. $A$ is defined as $\langle 2^I \times 2^O \times 2^{\{r, r'\}} \times X, Q \times S, (q_0, s_0), \delta^*, B^* \rangle$, where $\delta^* : Q \times S \times 2^{I \cup O \cup \{r, r'\}} \times X \to 2^{Q \times S}$ is defined as $(q', s') \in \delta^*((q, s), (\sigma, x))$ if, and only if, $q' \in \delta(q, \sigma)$ and $s' \in \delta'(s, \{q, x\} \cup (\sigma \cap \{r, r'\}))$. Furthermore, $B^*$ is the Büchi condition $\{(q, s) \mid q \in B, s \in S\}$.
Next, we interpret $A$ as a universal co-Büchi tree automaton $U$, i.e., the language of $U$ is the complement of the language of $A$. From $U$, we construct the universal co-Büchi tree automaton $U_T = (2^O \times X, 2^I \times 2^{\{r, r'\}}, Q, q_0, \delta, B)$ by spanning a copy of $U$ for every direction in $2^I \times 2^{\{r, r'\}}$. Furthermore, from the automaton $U_T$ we can build a constraint system [6] to solve the assume-guarantee realizability problem for asynchronous architectures, cf. Theorem 10.
Theorem 12. Let $\langle A^*, \varphi, \psi \rangle$ be an assume-guarantee specification with an asynchronous architecture $A^*$. For a family of bounds $\{b_p \mid p \in P^-\}$, there is a constraint system that is satisfiable if, and only if, the assume-guarantee specification is realizable in $A^*$ with bounds $\{b_p \mid p \in P^-\}$.
Proof. Given a set of bounds $\{b_p \mid p \in P^-\}$, we construct the state space $S_p$ of the implementations $\mathcal{S}_p$ with $|S_p| = b_p$. Next, we construct the automaton $U_T$ as described before. $U_T$ accepts all those transition systems where every path satisfies the assume-guarantee specification. Using Theorem 10, we build a constraint system that is satisfiable if, and only if, there exist implementations $\mathcal{S}_p$ for $p \in P^-$ with the given bounds that are accepted by $U_T$. $\square$
Theorem 12 immediately gives us a semi-decision procedure: starting with the bounds $b_p = 1$ for every $p \in P^-$, we increase the bounds whenever the constraint system is unsatisfiable. The same algorithm can easily be adapted to the assume-guarantee realizability problem in the synchronous distributed or even the single-process setting. Whether the latter problem is decidable is an open question.
Conclusion
In this paper, we have investigated distributed synthesis problems for specifications in PLTL. This logic subsumes LTL, but additionally allows expressing bounded satisfaction of system properties, instead of only eventual satisfaction. To the best of our knowledge, this is the first treatment of PLTL specifications in distributed synthesis.
We have shown that for the case of synchronous distributed systems, we can reduce the PLTL synthesis problem to an LTL synthesis problem. Thus, the complexity of PLTL synthesis corresponds to the complexity of LTL synthesis, and the PLTL realizability problem is decidable if, and only if, the LTL realizability problem is decidable. For the case of asynchronous distributed systems with multiple components, the PLTL realizability problem is undecidable, again corresponding to the result for LTL. For this case, we give a semi-decision procedure based on a novel method for checking emptiness of two-colored Büchi graphs.
Among the problems that remain open is realizability of PLTL specifications in asynchronous distributed systems with a single component. This problem can be reduced to the (single-process) assume-guarantee realizability problem for PLTL, which also remains open.
