Metric Temporal Logic (MTL) is a prominent specification formalism for real-time systems. In this paper, we show that the satisfiability problem for MTL over finite timed words is decidable, with non-primitive recursive complexity. We also consider the model-checking problem for MTL: whether all words accepted by a given Alur-Dill timed automaton satisfy a given MTL formula. We show that this problem is decidable over finite words. Over infinite words, we show that model checking the safety fragment of MTL, which includes invariance and time-bounded response properties, is also decidable. These results are quite surprising in that they contradict various claims to the contrary that have appeared in the literature.
Introduction
In the linear-temporal-logic approach to verification, an execution of a system is modelled by a sequence of states or events. This representation abstracts away from the precise times of observations, retaining only their relative order. Such an approach is inadequate to express specifications of systems whose correct behaviour depends on quantitative timing requirements. To address this deficiency, much work has gone into adapting linear temporal logic to the real-time setting; see, e.g., [6, 7, 9, 10, 24, 27, 32, 35].
Real-time logics feature explicit time references, typically by recording timestamps throughout computations. In this paper, we concentrate exclusively on the dense-time, or real-time, semantics, in which the timestamps are drawn from the set of real numbers.
Timed Words and Timed Automata
A time sequence $\tau = \tau_1 \tau_2 \tau_3 \ldots$ is a non-empty finite or infinite sequence of time values $\tau_i \in \mathbb{R}_{\geq 0}$ satisfying the following constraints (where $|\tau|$ denotes the length of $\tau$):
• monotonicity: $\tau_i \leq \tau_{i+1}$ for all $i$ such that $1 \leq i < |\tau|$
• progress: if $\tau$ is infinite, then $\{\tau_i : i \geq 1\}$ is unbounded.
A timed word over a finite alphabet $\Sigma$ is a pair $\rho = (\sigma, \tau)$, where $\sigma = \sigma_1 \sigma_2 \sigma_3 \ldots$ is a non-empty finite or infinite word over $\Sigma$ and $\tau$ is a time sequence of the same length as $\sigma$. We also represent a timed word as a sequence of timed events by writing $\rho = (\sigma_1, \tau_1)(\sigma_2, \tau_2)(\sigma_3, \tau_3) \ldots$. Given a timed word $\rho = (\sigma, \tau)$ and $n \leq |\rho|$, let $\rho[1 \ldots n]$ denote the prefix $(\sigma_1, \tau_1) \ldots (\sigma_n, \tau_n)$. Finally, write $T\Sigma^*$ for the set of finite timed words over alphabet $\Sigma$, and $T\Sigma^\omega$ for the set of infinite timed words over $\Sigma$.
The requirement that infinite timed words be progressive is sometimes called non-Zenoness or finite variability. It is equivalent to the requirement that an infinite number of events not occur in a finite amount of time. Note however that, unlike [35], we place no a priori bound on the number of events that can occur in a time interval of unit duration.
2.1. Timed Automata. Definition 2.1 recalls the standard notion of a timed automaton [5]. Elsewhere in this paper we refer to the timed automata defined below as Alur-Dill automata. This is to distinguish them from the more general class of timed alternating automata, which we introduce in Section 3 and which is our primary focus.
Let $X = \{x_1, \ldots, x_n\}$ be a finite set of clock variables. Define the set $\Phi_X$ of clock constraints over $X$ by the grammar $\varphi ::= \mathrm{true} \mid x \bowtie c \mid \varphi_1 \wedge \varphi_2$, where $c \in \mathbb{N}$ is a non-negative integer, $x \in X$, and $\bowtie \in \{<, \leq, \geq, >\}$.
Definition 2.1. A timed automaton is a tuple $A = (\Sigma, S, s_0, F, X, \Delta)$, where
• $\Sigma$ is a finite alphabet of events
• $S$ is a finite set of locations
• $s_0 \in S$ is an initial location
• $F \subseteq S$ is a set of accepting locations
• $X$ is a finite set of clock variables
• $\Delta \subseteq S \times \Sigma \times S \times \Phi_X \times 2^X$ is a finite set of edges.
An edge $(s, a, s', \varphi, R)$ denotes an $a$-labelled transition from $s$ to $s'$, with precondition $\varphi$, and with the postcondition that all clocks in $R$ are reset to zero while all other clocks remain unchanged.
Given a timed automaton $A$, let $c_{\max}$ be the maximum constant appearing in a clock constraint in $A$. The set of clock values appropriate to $A$ is defined to be $\mathrm{Val} = [0, c_{\max}] \cup \{\top\}$, where $\top$ represents any clock value strictly greater than $c_{\max}$. $\top$ satisfies the expected arithmetic and order-theoretic properties: if $v \in [0, c_{\max}]$ and $t \in \mathbb{R}_+$ are such that $v + t > c_{\max}$ then we write $v + t = \top$; we also define $\top + t = \top$ for all $t \in \mathbb{R}_{\geq 0}$; finally, we define $\top > v$ for all $v \in \mathrm{Val}$. A clock valuation of $A$ is a vector $v = (v_1, \ldots, v_n)$, where $v_i \in \mathrm{Val}$ gives the value of clock $x_i$. If $t \in \mathbb{R}_{\geq 0}$, we let $v + t$ be the clock valuation whose $i$-th component is $v_i + t$. A state of $A$ is a pair $(s, v)$, where $s \in S$ is a location and $v$ is a clock valuation. Write $Q = S \times \mathrm{Val}^n$ for the set of states of $A$.
4 Identifying all clock values strictly greater than $c_{\max}$ is harmless since such values are indistinguishable by clock constraints. Moreover this identification will later turn out to be technically advantageous.
ON THE DECIDABILITY AND COMPLEXITY OF METRIC TEMPORAL LOGIC 5
Automaton $A$ induces a labelled transition system $T_A$ on the set of states $Q$, equipped with two transition relations: the delay-step relation $\subseteq Q \times \mathbb{R}_{\geq 0} \times Q$ and the discrete-step relation $\longrightarrow \subseteq Q \times \Sigma \times Q$. Delay steps model the evolution of time while the automaton remains in a given location, while discrete steps correspond to instantaneous transitions between locations. The delay-step relation is deterministic: it relates $(s, v)$ to $(s, v + t)$ under the label $t$, for every $t \in \mathbb{R}_{\geq 0}$. The discrete-step relation is defined by $(s, v) \xrightarrow{a} (s', v')$ iff there is an edge $(s, a, s', \varphi, R) \in \Delta$ such that $v$ satisfies $\varphi$, $v'_i = 0$ for all $x_i \in R$ and $v'_i = v_i$ for all $x_i \notin R$. Let $\rho = (\sigma, \tau)$ be a timed word, and write $d_i = \tau_i - \tau_{i-1}$ for the time delay between the $(i-1)$th and $i$th events of $\rho$, where $1 \leq i \leq |\rho|$, and, by convention, $\tau_0 = 0$. Define a run of $A$ on $\rho$ to be an alternating sequence of time delays and discrete steps in $T_A$:
where $s_0$ is the initial location and $v_0$ maps every clock variable to 0. A finite run is accepting if the last location in the run is accepting. An infinite run is accepting if infinitely many control states in the run are accepting. We write $L_f(A)$ for the set of finite timed words over which $A$ has an accepting run, and we write $L_\omega(A)$ for the set of infinite timed words over which $A$ has an accepting run.
Timed Alternating Automata
In this section we define timed alternating automata. These arise by extending alternating automata [11, 13, 34] with clock variables, in much the same way that Alur-Dill timed automata extend nondeterministic finite automata. A similar notion has independently been investigated by Lasota and Walukiewicz in a recent paper [25]. It will soon become apparent that timed alternating automata strictly generalise Alur-Dill automata. However we chose to introduce Alur-Dill automata separately, in Section 2, since by so doing we can avoid considering timed alternating automata with Büchi acceptance conditions. (This greatly simplifies the definition of a run of an alternating automaton because we can elide the tree structure; see below.)
Timed alternating automata can in general be defined to have any number of clocks. Our goal, however, is to use them to represent metric temporal logic formulas, for which one clock suffices. Accordingly, we shall exclusively focus on one-clock timed alternating automata in this paper. In this section we only consider timed alternating automata over finite timed words.
3.1. One-clock Timed Alternating Automata. Let $S$ be a finite set of locations and let $x$ be a distinguished clock variable. We define a set of formulas $\Phi(S)$ by the grammar:
where $c \in \mathbb{N}$, $\bowtie \in \{<, \leq, \geq, >\}$, and $s \in S$. A term of the form $x \bowtie c$ is called a clock constraint, whereas the expression $x.\varphi$ is a binding construct corresponding to the operation of resetting the clock $x$ to 0.
In the definition of a timed alternating automaton, below, the transition function maps each location $s \in S$ and event $a \in \Sigma$ to an expression in $\Phi(S)$. Thus alternating automata allow two modes of branching: existential branching, represented by disjunction, and universal branching, represented by conjunction.
Definition 3.1. A timed alternating automaton is a tuple $A = (\Sigma, S, s_0, F, \delta)$, where
• $\Sigma$ is a finite alphabet
• $S$ is a finite set of locations
• $s_0 \in S$ is the initial location
• $F \subseteq S$ is a set of accepting locations
The notion of a run of a timed alternating automaton, defined below, is somewhat involved, so we first give an example.
Example 3.2. We define an automaton $A$ over the singleton alphabet $\Sigma = \{a\}$ that accepts all those finite timed words in which no two events are separated by exactly one time unit. This language is known not to be expressible as the language of an Alur-Dill timed automaton [22]. The required timed alternating automaton has the set of locations $\{s_0, s_1\}$, with $s_0$ initial, and both $s_0$ and $s_1$ accepting. The transition function is defined by:
A run of $A$ starts in location $s_0$. Every time an $a$-event occurs, the automaton makes a conjunctive transition to both $s_0$ and $s_1$, thus opening up a new thread of computation. The automaton resets a fresh copy of clock $x$ whenever it transitions from location $s_0$ to $s_1$, and the transition rule for $s_1$ ensures that no event can happen when the value of this clock equals one. Every run of this automaton is accepting, since every location is accepting, but there is no run over any word in which two events are separated by exactly one time unit.
We now proceed to the formal definitions. Let $c_{\max}$ be the maximum constant mentioned in the definition of the transition function of $A$, and, as with Alur-Dill automata, define the set of clock values relevant to $A$ to be $\mathrm{Val} = [0, c_{\max}] \cup \{\top\}$. A state of $A$ is a pair $(s, v)$, where $s \in S$ is a location and $v \in \mathrm{Val}$ is a clock valuation. Write $Q = S \times \mathrm{Val}$ for the set of all states of $A$.
A set of states $M \subseteq Q$ and a clock valuation $v \in \mathrm{Val}$ together define a Boolean valuation on $\Phi(S)$ as follows:
We say that a set of states $M$ is a minimal model of a formula $\varphi \in \Phi(S)$ with respect to clock value $v \in \mathrm{Val}$ if $M \models_v \varphi$ and there is no proper subset $M' \subset M$ with $M' \models_v \varphi$. A configuration of $A$ is a finite set of states; thus the set of configurations is the finite powerset of the set $Q$ of states, and is denoted $\wp(Q)$. The initial configuration is $\{(s_0, 0)\}$ and a configuration is accepting if every location that it contains is accepting. Note in particular that the empty configuration is accepting. Given a configuration $C$ and a time delay $t \geq 0$, denote by $C + t$ the configuration $\{(s, v + t) : (s, v) \in C\}$.
6 Our use of minimal models here is a technical convenience, since, as we will see later, the minimal models of formula $\varphi$ can be directly related to the syntactic structure of $\varphi$ when the latter is given in disjunctive normal form.
The language accepted by a timed alternating automaton over finite words can be described in terms of a transition system of configurations, defined below.
Definition 3.4. Given a timed alternating automaton $A$, we define the labelled transition system $T_A$ over the set of configurations $\wp(Q)$ as follows. The $\mathbb{R}_{\geq 0}$-labelled delay-step relation $\subseteq \wp(Q) \times \mathbb{R}_{\geq 0} \times \wp(Q)$ captures time evolutions, and is defined by
We include a transition $C \xrightarrow{a} C'$ iff, writing $C = \{(s_i, v_i)\}_{i \in I}$, one can write $C' = \bigcup_{i \in I} M_i$, where, for each $i \in I$, $M_i$ is a minimal model of $\delta(s_i, a)$ with respect to $v_i$.
Let $\rho = (\sigma, \tau)$ be a finite timed word with $|\rho| = n$, and write
where, by convention, $\tau_0 = 0$. Define a run of $A$ on $\rho$ to be a finite alternating sequence of time delays and discrete steps in $T_A$:
where $C_0$ is the initial configuration. We say that the run is accepting if the last configuration $C_{2n}$ is accepting, and we say that the timed word $\rho$ is accepted by $A$ if there is some accepting run of $A$ on $\rho$. We write $L_f(A) \subseteq T\Sigma^*$ for the language of finite timed words accepted by $A$.
Example 3.5. A time-bounded response property such as 'for every $a$-event there is a $b$-event exactly one time unit later' can be expressed by the following automaton. Let $A$ have two locations $\{s_0, s_1\}$ with $s_0$ the initial and only accepting location, and transition function $\delta$ given by the following table:
Location $s_0$ represents an invariant, and is present in every configuration in any run of $A$.
When an $a$-event occurs, the conjunction in the definition of $\delta(s_0, a)$ results in the creation of a new thread of computation, starting in location $s_1$. Since this location is not accepting, the automaton must eventually leave it. This is only possible if a $b$-event happens exactly one time unit after the new thread was spawned.
7 It is usual to define a run of an alternating automaton to be a tree of states. However, over finite words the branching structure plays no role in the definition of acceptance, and we simply define a run to be a sequence of configurations, where each configuration represents a given level of the run tree.
Duality and Complementation.
The following derivation shows that the class of languages definable by timed alternating automata is closed under complement. Since it is straightforward to show that this class is also closed under union, timed alternating automata are closed under all Boolean operations. The arguments presented here are similar to the untimed case [11, 13]. Given $\varphi \in \Phi(S)$, we define the dual formula $\overline{\varphi} \in \Phi(S)$ as follows. The dual of a clock constraint is its negation (e.g., $\overline{x < k} = x \geq k$), whereas each location is self-dual: $\overline{s} = s$ for $s \in S$. For the propositional connectives we have the usual de Morgan dualities: $\overline{\mathrm{true}} = \mathrm{false}$, $\overline{\mathrm{false}} = \mathrm{true}$, $\overline{\varphi_1 \vee \varphi_2} = \overline{\varphi_1} \wedge \overline{\varphi_2}$ and $\overline{\varphi_1 \wedge \varphi_2} = \overline{\varphi_1} \vee \overline{\varphi_2}$. Finally, clock resets distribute through the duality operator: $\overline{x.\varphi} = x.\overline{\varphi}$.
Let $A = (\Sigma, S, s_0, F, \delta)$ be an alternating timed automaton, and denote by $Q$ its set of states. The complement automaton $A^c$ is defined by $A^c = (\Sigma, S, s_0, S \setminus F, \overline{\delta})$, where $\overline{\delta}(s, a) = \overline{\delta(s, a)}$ for each $s \in S$ and $a \in \Sigma$. Thus we take the dual transition function and the complement of the set of accepting locations.
Proposition 3.6. Let $\varphi \in \Phi(S)$ be a formula over the set of locations $S$ and let $v \in \mathrm{Val}$ be a clock valuation. Given a set of states $P \subseteq Q$ we have
Proof. The proof is by structural induction on $\varphi$, and is straightforward from the definition of $\overline{\varphi}$.
Proof. Suppose that both $A$ and $A^c$ have runs on the same timed word $\rho = (\sigma, \tau)$, with $|\rho| = n$. Denote the run of $A$ by
and denote the run of $A^c$ by
We show by induction on $i \leq 2n$ that $C_i \cap D_i$ is non-empty. In particular, we deduce that $C_{2n}$ and $D_{2n}$ meet, so the two runs cannot both be accepting since $A$ and $A^c$ have disjoint sets of accepting states. The base case of the induction is just the observation that
In case $i = 2j + 1$ is odd, that is, the next transition is a discrete step, pick a common state $(s, v) \in C_i \cap D_i$; then $C_{i+1} \models_v \delta(s, \sigma_{j+1})$ and $D_{i+1} \models_v \overline{\delta(s, \sigma_{j+1})}$. It follows from Proposition 3.6 that $C_{i+1}$ and $D_{i+1}$ are not disjoint. This completes the induction step.
Proof. We claim that, given a finite timed word $\rho = (\sigma, \tau)$ and a set of states $P \subseteq Q$, either $A$ has a run on $\rho$ whose last configuration is a subset of $P$, or $A^c$ has a run on $\rho$ whose last configuration is a subset of $Q \setminus P$. The proposition follows from the claim by taking $P$ to be the set of states in $A$ whose underlying location is accepting.
We prove the claim by induction on $|\rho|$ as follows. Let $\rho = (\sigma, \tau)$ and $P \subseteq Q$ be given as in the claim, with $|\rho| = n + 1$. Also, let $d_{n+1} = \tau_{n+1} - \tau_n$ and write
Observe also that by Proposition 3.6
By induction, either $A$ has a run on $\rho[1 \ldots n]$ whose last configuration $C$ is a subset of $\mathrm{pred}(P)$, or $A^c$ has a run on $\rho[1 \ldots n]$ whose last configuration $D$ is a subset of $Q \setminus \mathrm{pred}(P)$. In the former case, it is immediate that we can extend the given run of $A$ into a run on $\rho$. Indeed, since $C \subseteq \mathrm{pred}(P)$, for each $(s, v) \in C$ we can choose a finite subset of $P$ that is a minimal model of $\delta(s, \sigma_{n+1})$ with respect to clock value $v + d_{n+1}$. In the latter case, in similar fashion, it follows from (3.1) that $A^c$ has a run on $\rho$ whose last configuration is a subset of $Q \setminus P$.
Decidability of Language Emptiness
It is well known that the universality problem for Alur-Dill timed automata is undecidable [5]. In fact the proof in [5] shows undecidability for the subclass of Alur-Dill automata with at most two clocks. Since the class of timed alternating automata is closed under complement and includes the class of Alur-Dill automata, it immediately follows that the language-emptiness problem for two-clock timed alternating automata is undecidable. However we show in this section that if we restrict to alternating automata with a single clock, then language emptiness is decidable. The decision procedure that we present is a generalisation of the algorithm for deciding universality for one-clock Alur-Dill automata that appeared in the extended abstract [28].
In the remainder of this section we assume that $A = (\Sigma, S, s_0, \delta, F)$ is a one-clock alternating automaton, and we denote by $Q$ the set of states of this automaton. The language-emptiness problem for $A$ is equivalent to the following reachability question on the derived transition system $T_A$: 'Is there a path from the initial configuration to an accepting configuration?'. However it is not immediate how to decide this question since $T_A$ has uncountably many states: indeed each state has uncountably many successors under the delay-step relation.
4.1. The Bisimulation Lemma. In this section we isolate a sub-transition-system of $T_A$, denoted $W_A$, that is effective and is, in a certain sense, bisimilar to $T_A$. In particular, $W_A$ has only countably many states and is finitely branching. Moreover the state space of $W_A$ possesses an effective well-quasi-order, which we use to prove termination of our reachability algorithm.
Recall The intuition behind the transition system $W_A$ is that we can ignore those time delays in $T_A$ that leave unchanged the regions of the clock values in a configuration. We only consider time delays that take a configuration to its time successor:
Definition 4.2. Let $C \subseteq Q$ be an $A$-configuration. If $C$ is non-empty then define $\mu = \max\{\mathrm{frac}(v) : (s, v) \in C\}$ to be the maximum fractional part of the clock values appearing in $C$. Now define the time successor of $C$ to be the configuration $\mathrm{next}(C)$ given by the following clauses:
• if neither of the above cases hold then $\mathrm{next}(C) = C + (1 - \mu)$.
• Alphabet. The alphabet of $W_A$ is $\Sigma \cup \{\varepsilon\}$.
• States. The states of $W_A$ are those $A$-configurations $C \subseteq Q$ in which all clock values are rational (henceforth we call such configurations rational).
• Transitions. Each state $C$ has a unique $\varepsilon$-transition to its time successor $\mathrm{next}(C)$.
For a ∈ Σ, we postulate that
Thus $W_A$ differs from $T_A$ in containing only rational configurations and retaining only those delay steps between a configuration and its time successor (renaming these as $\varepsilon$-transitions). Next we show that $W_A$ and $T_A$ are bisimilar in a certain sense. To this end, we first reexamine the notion of the minimal model of a formula $\varphi \in \Phi(S)$ over the set of locations $S$ of $A$ (cf. Section 3).
Any formula $\varphi \in \Phi(S)$ can be written in disjunctive normal form $\varphi \equiv \bigvee_{j \in J} \bigwedge A_j$, where each $A_j$ is a set of terms of the form $s$, $x.s$, and $x \bowtie c$ (which we call atoms). The minimal models of $\varphi$ can be read off from the disjunctive normal form as follows.
Matching $\Sigma$-labelled transitions. Suppose $C$ makes a transition $C \xrightarrow{a} C'$ for some $a \in \Sigma$. By the above considerations on minimal models, we know that
where, for each $i \in I$, the set of atoms $A_i$ is a clause in the disjunctive normal form expression for $\delta(s_i, a)$.
(Here we rely on the fact that $u_i \sim v_i$, so that $u_i$ and $v_i$ satisfy the same clock constraints.) Now the set of clock values appearing in $C'$ is a subset of $\{u_i : i \in I\} \cup \{0\}$ since $\Sigma$-labelled transitions either leave clocks unchanged or reset them to 0. Thus $C' \equiv D'$ since we can define a bijection
Matching $\varepsilon$-transitions. Since each configuration makes a unique $\varepsilon$-transition to its time successor, we need only show that $\mathrm{next}(C) \equiv \mathrm{next}(D)$. Now $\mathrm{next}(C)$ has the form $\{(s_i, u'_i)\}_{i \in I}$, where, for some time delay $t > 0$,
The effect of the time delay $t$ on $C$ is either to leave the order of the fractional parts of the clocks unchanged or to cyclically permute the order by one place so that the clock with greatest fractional part in $C$ has zero fractional part in $\mathrm{next}(C)$. A similar statement holds for $D$. In any case, we have
for each $i \in I$, and the bijection
Proof. Observe that a delay step from $C$ to $C'$ labelled $t$ implies that $C' \equiv \mathrm{next}^n(C)$ for some $n \geq 0$. From the Bisimulation Lemma we get that $\mathrm{next}^n(C) \equiv \mathrm{next}^n(D)$. The proposition follows by taking
Proof. Given a path $C_0$
We have now reduced the language-emptiness problem for $A$ to the following reachability question for $W_A$: 'Is there a path from the initial configuration to an accepting configuration?'. Although $W_A$ is simpler than $T_A$, it still has infinitely many states (indeed, even the quotient of $W_A$ by $\equiv$ is infinite-state, since $\equiv$ only relates configurations of the same cardinality). We circumvent this problem by exhibiting a well-quasi-order on the state space of $W_A$. This serves in lieu of finiteness to guarantee the termination of a state-exploration algorithm that computes a conservative over-approximation of the set of reachable states. This is described in the next subsection in terms of the theory of well-structured transition systems [15].
4.2. Well-quasi-orders. Recall that a quasi-order $(W, \sqsubseteq)$ consists of a set $W$ together with a reflexive, transitive relation $\sqsubseteq$. An infinite sequence $w_1, w_2, w_3, \ldots$ in $(W, \sqsubseteq)$ is said to be saturating if there exist indices $i < j$ such that
We can extend a quasi-order $(W, \sqsubseteq)$ to a quasi-order $(W^*, \sqsubseteq)$ on the set of finite words over alphabet $W$ as follows. Define $w_1 \ldots w_m \sqsubseteq v_1 \ldots v_n$ if there exists a strictly increasing function $f : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that $w_i \sqsubseteq v_{f(i)}$ for all $i \in \{1, \ldots, m\}$. The induced order on $W^*$ is known as the monotone domination order. Next we use Higman's Lemma to construct a well-quasi-order on the state space of the transition system $W_A$. The first step is to define a class of abstract configurations, which are intended as canonical representatives of $\equiv$-equivalence classes of configurations.
Definition 4.11. An abstract configuration of the automaton $A$ is a finite word over the alphabet $\Lambda$ of finite non-empty subsets of $S \times \mathrm{REG}$, where $S$ is the set of locations of $A$ and $\mathrm{REG}$ is the set of regions.
Roughly speaking, each (concrete) $A$-configuration $C$ gives rise to an abstract configuration as follows. First, $C$ is converted from a set to a list by ordering its elements according to the fractional part of their clock values. Then each clock value is replaced by the region it lies in. Formally, define an abstraction function $H : \wp(Q) \to \Lambda^*$, yielding an abstract configuration $H(C)$ for each configuration $C$ as follows. First, lift the function $\mathrm{reg}$ to configurations by $\mathrm{reg}(C) = \{(s, \mathrm{reg}(v)) : (s, v) \in C\}$. Now given a configuration $C$, partition $C$ into a sequence of non-empty subsets $C_1, \ldots, C_n$, such that for all $(s, v) \in C_i$ and
Example 4.12. Consider the automaton $A$ from Example 3.2. The maximum clock constant appearing in $A$ is 1, thus the corresponding regions are $r_0 = \{0\}$, $r_1 = (0, 1)$, $r_2 = \{1\}$ and $r_3 = \{\top\}$. Given a concrete configuration $C = \{(s, 1), (t, 0.4), (s, 1.4), (t, 0.8)\}$, the corresponding abstract configuration $H(C)$ is the word $\{(s, r_2), (s, r_3)\}\,\{(t, r_1)\}\,\{(t, r_1)\}$.
The key fact about the abstraction function $H$, which is immediate from its definition, is that its kernel is the equivalence on configurations described in Definition 4.6:
Returning to Definition 4.11, notice that $\Lambda$, being finite, is trivially a wqo under the subset order. It follows from Lemma 4.10 that the set of abstract configurations is a wqo under the monotone domination order. Taking stock, we have defined a class of abstract configurations that is the quotient of the set of $A$-configurations with respect to $\equiv$, and which carries a natural well-quasi-order. Next we show how to exploit this structure.
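The abstraction $H$ of Definition 4.11, the time successor of Definition 4.2 and the monotone domination order of Section 4.2, worked through on the configuration of Example 4.12. This is an added example, not code from the paper; it represents clock values as exact rationals (the states of $W_A$ are rational configurations), and the two clauses of $\mathrm{next}(C)$ that the text above does not show (empty configuration, all clocks integral) are filled in as labelled assumptions.

```python
"""Abstract configurations H(C), the time successor next(C) and the monotone
domination order on abstract configurations.  Added example, not the paper's code."""
from fractions import Fraction

TOP = "top"   # the clock value ⊤: every value strictly greater than c_max


def clip(v, cmax):
    """Identify every value strictly above cmax with ⊤ (Section 2.1)."""
    return TOP if v == TOP or v > cmax else v


def add(v, t, cmax):
    """v + t in Val = [0, cmax] ∪ {⊤}: ⊤ + t = ⊤ and anything above cmax is ⊤."""
    return TOP if v == TOP else clip(v + t, cmax)


def frac(v):
    """Fractional part of a clock value; ⊤ is grouped with the integral clocks
    (it lies in its own singleton region, as Example 4.12 shows)."""
    return Fraction(0) if v == TOP else v - (v.numerator // v.denominator)


def region(v, cmax):
    """Index of v's region: r_0 = {0}, r_1 = (0,1), r_2 = {1}, ...,
    r_{2cmax} = {cmax}, r_{2cmax+1} = {⊤}, the numbering of Example 4.12."""
    if v == TOP:
        return 2 * cmax + 1
    k = v.numerator // v.denominator
    return 2 * k if v == k else 2 * k + 1


def H(C, cmax):
    """Abstraction H : configurations -> words over Λ.  States are ordered by
    the fractional part of their clock, states with equal fractional part form
    one letter, and each clock value is replaced by its region."""
    groups = {}
    for s, v in C:
        v = clip(v, cmax)
        groups.setdefault(frac(v), set()).add((s, region(v, cmax)))
    return tuple(frozenset(groups[f]) for f in sorted(groups))


def next_conf(C, cmax):
    """Time successor next(C).  The page states the general clause
    next(C) = C + (1 - mu); the other two clauses are assumptions:
    next(∅) = ∅, and when every fractional part is 0 we delay by 1/2."""
    if not C:
        return frozenset()
    mu = max(frac(clip(v, cmax)) for _, v in C)
    t = Fraction(1, 2) if mu == 0 else 1 - mu
    return frozenset((s, add(clip(v, cmax), t, cmax)) for s, v in C)


def dominated(w, v):
    """w ⊑ v in the monotone domination order: a strictly increasing f with
    w[i] ⊆ v[f(i)] (subset order on the letters).  Greedy leftmost matching is
    complete for this kind of embedding order, so a single pass decides it."""
    j = 0
    for letter in w:
        while j < len(v) and not letter <= v[j]:
            j += 1
        if j == len(v):
            return False
        j += 1
    return True


def example_4_12():
    """H(C) for the concrete configuration of Example 4.12 (c_max = 1)."""
    F = Fraction
    C = frozenset({("s", F(1)), ("t", F(2, 5)), ("s", F(7, 5)), ("t", F(4, 5))})
    return H(C, 1)


def example_4_12_next():
    """H(next(C)) for the same C: mu = 0.8, so the delay is 0.2 and the clock
    of (t, 0.8) reaches the integer 1 while (s, 1) moves past c_max to ⊤."""
    F = Fraction
    C = frozenset({("s", F(1)), ("t", F(2, 5)), ("s", F(7, 5)), ("t", F(4, 5))})
    return H(next_conf(C, 1), 1)


if __name__ == "__main__":
    print(example_4_12())
    print(example_4_12_next())
    print(dominated(example_4_12_next(), example_4_12()))
```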
4.3. Well-Structured Transition Systems. The notion of well-structured transition system (wsts) provides a uniform framework for expressing decidability results about a variety of infinite-state systems, including Petri nets, broadcast protocols and lossy channel systems [1, 15]. Definition 4.14 presents a particular variant, called a downward wsts in [15].
Definition 4.14. A well-structured transition system is a triple $\mathcal{W} = (W, \sqsubseteq, \longrightarrow)$, where $(W, \longrightarrow)$ is a finitely-branching (unlabelled) transition system equipped with a wqo $\sqsubseteq$ such that:
• $\sqsubseteq$ is a decidable relation
We now seek to apply Theorem 4.15 to the case at hand.
Proof. Define a quasi-order on the set of $A$-configurations by declaring $C$ to lie below $D$ iff $H(C) \sqsubseteq H(D)$, i.e., the word $H(C)$ corresponding to $C$ is dominated by the word $H(D)$ corresponding to $D$. It is straightforward to see that this quasi-order inherits the property of being a well-quasi-order from $\sqsubseteq$. Moreover it is a decidable relation on rational configurations, since $H$ is computable on rational configurations and $\sqsubseteq$ is decidable.
It remains to prove that this quasi-order is downward compatible. Now suppose that $C$ lies below $D$ and that there is a transition $D \longrightarrow D'$. We show how to produce a matching sequence of transitions for $C$. To this end, it is helpful to first observe that $C$ lying below $D$ implies that there is a configuration
We are now ready to state one of our main results.
Proof. Since a configuration of $W_A$ is accepting if it only mentions accepting locations of $A$, the set of accepting configurations of $W_A$ is downward-closed with respect to this quasi-order. By Proposition 4.15 it is decidable whether an accepting configuration of $W_A$ is reachable from the initial configuration. In turn this entails, by Proposition 4.9, that it is decidable whether an accepting configuration of $T_A$ is reachable from the initial configuration. But this question is equivalent to language emptiness for $A$. This proves the first assertion of Theorem 4.17. The proof of the second assertion relies on the construction of a wsts representing the execution of $B$ and $A$ in parallel. We omit the details since we treat at length essentially the same construction in Section 8, where we consider a closely related language inclusion problem over infinite timed words.
As noted earlier, these results have recently and independently been obtained by Lasota and Walukiewicz [25], also building on our earlier paper [28].
Metric Temporal Logic
In this section we define the syntax and semantics of Metric Temporal Logic (MTL). As discussed in the introduction, there are two different dense-time semantics for MTL: event-based and state-based, and for our concerns the difference is crucial. Following [16, 9, 10, 18, 19, 35], among others, we adopt an event-based semantics using timed words. A key observation about this semantics is that the temporal connectives quantify over a countable set of positions in a timed word. In contrast, the state-based semantics, adopted in, e.g., [7, 21, 32], associates a state to each point in real time, and the temporal connectives quantify over the whole time domain. In the state-based semantics one can use a formula of the type $(p \leftrightarrow \Diamond_{=1} q)$ to specify a perfect channel, whereas in the event-based semantics the same formula only specifies a channel with insertion errors (see Section 7). This observation helps understand why MTL is undecidable under the state-based semantics, whereas, at least over finite words, it is decidable in the event-based semantics (Theorem 6.5).
9 The state-based semantics views MTL as a subset of the monadic first-order theory of the non-negative reals, while the event-based semantics views MTL as a subset of a monadic first-order theory of the naturals with timestamps [9].
In the event-based semantics the atomic propositions in MTL refer to particular events, and the temporal connectives quantify over future events. This offers a natural idiom for reasoning about real-time behaviours, as we demonstrate in Example 5.4.
Definition 5.1. Given an alphabet $\Sigma$ of events, the formulas of MTL are built up from $\Sigma$ by Boolean connectives and time-constrained versions of the next operator $\bigcirc$ and the until operator $U$ as follows:
where $a \in \Sigma$, and $I \subseteq \mathbb{R}_{\geq 0}$ is an open, closed, or half-open interval with endpoints in $\mathbb{N} \cup \{\infty\}$. If $I = [0, \infty)$, then we omit the annotation $I$ in $\bigcirc_I$ and $U_I$. We also use pseudoarithmetic expressions to denote intervals. For example, the expression '$\geq 1$' denotes $[1, \infty)$ and '$= 1$' denotes the singleton $\{1\}$.
Additional temporal operators are defined following the usual conventions. We have the constrained eventually operator $\Diamond_I \varphi \equiv \mathrm{true}\, U_I\, \varphi$, and the constrained always operator $\Box_I \varphi \equiv \neg \Diamond_I \neg\varphi$. We define a dual until operator via the standard duality: $\varphi_1\, \widetilde{U}_I\, \varphi_2 \equiv \neg(\neg\varphi_1\, U_I\, \neg\varphi_2)$. We also define the dual of the time-constrained next operator by $\widetilde{\bigcirc}_I \varphi \equiv \neg \bigcirc_I \neg\varphi$.
Definition 5.2. Given a (finite or infinite) timed word $\rho = (\sigma, \tau)$ over alphabet $\Sigma$, a word position $i \leq |\rho|$, and an MTL formula $\varphi$, the satisfaction relation $(\rho, i) \models \varphi$ (read $\rho$ satisfies $\varphi$ at position $i$) is defined as follows:
and $(\rho, k) \models \varphi_1$ for all $k$ with $i \leq k < j$. For future reference it is also helpful to detail the semantics of the derived operators dual until and dual next:
• $(\rho, i) \models \widetilde{\bigcirc}_I \varphi$ iff $i = |\rho|$ or $\tau_{i+1} - \tau_i \notin I$ or $(\rho, i + 1) \models \varphi$
• $(\rho, i) \models \varphi_1\, \widetilde{U}_I\, \varphi_2$ iff for all $j$ such that $i \leq j \leq |\rho|$ and $\tau_j - \tau_i \in I$, either $(\rho, j) \models \varphi_2$ or there exists $k$ with $i \leq k < j$ and $(\rho, k) \models \varphi_1$.
We say that $\rho$ satisfies $\varphi$, denoted $\rho \models \varphi$, if $(\rho, 1) \models \varphi$. The set of finite models of an MTL formula $\varphi$ is given by $L_f(\varphi) = \{\rho \in T\Sigma^* : \rho \models \varphi\}$. The set of infinite models of $\varphi$ is given by $L_\omega(\varphi) = \{\rho \in T\Sigma^\omega : \rho \models \varphi\}$.
Remark 5.3. Note that in the semantics of MTL, time is measured relative to the occurrence of the first event of a timed word. In particular, the semantics is translation invariant: adding a fixed delay d to each timestamp in a timed word does not change whether that word satisfies a formula or not. For this reason Wilke [35] restricts attention to timed words in which the first event has timestamp 0. In this case one can think of the first event as an initialisation event.
Example 5.4. The following example illustrates the convenience of event-based reasoning in the real-time setting. Consider a set of events $\Sigma = \{\mathrm{req}_i, \mathrm{acq}_i, \mathrm{rel}_i : i = X, Y\}$ denoting the actions of two processes $X$ and $Y$ that request, acquire, and release a lock.
• $\Box(\mathrm{acq}_X \to \Box_{<3} \neg\mathrm{acq}_Y)$ says that $Y$ cannot acquire the lock less than 3 seconds after $X$ acquires the lock.
• $\Box(\mathrm{acq}_X \to \mathrm{rel}_X\, \widetilde{U}_{<3}\, \neg\mathrm{acq}_Y)$ says that $Y$ cannot acquire the lock less than 3 seconds after $X$ acquires the lock, unless $X$ first releases it.
• $\Box(\mathrm{req}_X \to \Diamond_{<2}(\mathrm{acq}_X \wedge \Diamond_{=1} \mathrm{rel}_X))$ says that whenever $X$ requests the lock, it acquires the lock within 2 seconds and releases it exactly one second later.
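The event-based semantics of Definition 5.2, as an added example that is not code from the paper: a Python checker for MTL over finite timed words, run on the three lock properties of Example 5.4 against constructed timed words. The interval helpers `lt`, `eq`, `ge` and the tuple encoding of formulas are conventions of this example; positions are numbered from 1 as in the definition.

```python
"""Event-based MTL over finite timed words (Definitions 5.1 and 5.2), checked
on the lock-access formulas of Example 5.4.  Added example; not the paper's code."""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Interval:
    """An interval I ⊆ R>=0 with endpoints in N ∪ {∞}, open or closed at each end."""
    lo: float
    hi: float
    lo_closed: bool = True
    hi_closed: bool = True

    def __contains__(self, t):
        if t < self.lo or (t == self.lo and not self.lo_closed):
            return False
        if t > self.hi or (t == self.hi and not self.hi_closed):
            return False
        return True


ANY = Interval(0, inf, True, False)                  # [0, ∞): unconstrained operator
def eq(c): return Interval(c, c)                     # '= c'
def lt(c): return Interval(0, c, True, False)        # '< c'
def ge(c): return Interval(c, inf, True, False)      # '>= c'

# Formulas are nested tuples; derived operators expand exactly as in Section 5.
TRUE = ('true',)
def Ev(a):              return ('ev', a)
def Not(f):             return ('not', f)
def And(f, g):          return ('and', f, g)
def Or(f, g):           return ('or', f, g)
def Implies(f, g):      return Or(Not(f), g)
def Next(I, f):         return ('next', I, f)
def Until(I, f, g):     return ('until', I, f, g)
def Eventually(I, f):   return Until(I, TRUE, f)                 # ◇_I f ≡ true U_I f
def Always(I, f):       return Not(Eventually(I, Not(f)))        # □_I f ≡ ¬◇_I ¬f
def DualUntil(I, f, g): return Not(Until(I, Not(f), Not(g)))     # f Ũ_I g
def DualNext(I, f):     return Not(Next(I, Not(f)))              # dual next


def sat(rho, i, phi):
    """(rho, i) |= phi for a timed word rho = [(event, timestamp), ...],
    with positions numbered 1..|rho| as in Definition 5.2."""
    n, op = len(rho), phi[0]
    if op == 'true': return True
    if op == 'ev':   return rho[i - 1][0] == phi[1]
    if op == 'not':  return not sat(rho, i, phi[1])
    if op == 'and':  return sat(rho, i, phi[1]) and sat(rho, i, phi[2])
    if op == 'or':   return sat(rho, i, phi[1]) or sat(rho, i, phi[2])
    if op == 'next':  # a next event exists, its delay lies in I, and it satisfies phi
        return i < n and (rho[i][1] - rho[i - 1][1]) in phi[1] and sat(rho, i + 1, phi[2])
    if op == 'until':  # non-strict: j may equal i, in which case 0 ∈ I is required
        I, f, g = phi[1:]
        for j in range(i, n + 1):
            if (rho[j - 1][1] - rho[i - 1][1]) in I and sat(rho, j, g):
                return True
            if not sat(rho, j, f):   # phi1 must hold at every k with i <= k < j
                return False
        return False
    raise ValueError(op)


def models(rho, phi):
    """rho |= phi, i.e. satisfaction at the first position (Definition 5.2)."""
    return sat(rho, 1, phi)


def shift(rho, d):
    """Add a fixed delay d to every timestamp (Remark 5.3: satisfaction is invariant)."""
    return [(a, t + d) for a, t in rho]


# The three properties of Example 5.4 over Σ = {req_i, acq_i, rel_i : i = X, Y}.
PHI1 = Always(ANY, Implies(Ev('acq_X'), Always(lt(3), Not(Ev('acq_Y')))))
PHI2 = Always(ANY, Implies(Ev('acq_X'), DualUntil(lt(3), Ev('rel_X'), Not(Ev('acq_Y')))))
PHI3 = Always(ANY, Implies(Ev('req_X'),
                           Eventually(lt(2), And(Ev('acq_X'), Eventually(eq(1), Ev('rel_X'))))))

# Constructed timed words (not from the paper).  In RHO_A, Y acquires the lock
# 1.5 time units after X did, but only after X released it; in RHO_B, Y waits.
RHO_A = [('req_X', 0.0), ('acq_X', 0.5), ('rel_X', 1.5), ('acq_Y', 2.0), ('rel_Y', 3.0)]
RHO_B = [('req_X', 0.0), ('acq_X', 0.5), ('rel_X', 1.5), ('acq_Y', 4.0)]

if __name__ == '__main__':
    for name, phi in (('PHI1', PHI1), ('PHI2', PHI2), ('PHI3', PHI3)):
        print(name, 'RHO_A:', models(RHO_A, phi), 'RHO_B:', models(RHO_B, phi))
```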
MTL over Finite Words
In this section we consider the satisfiability problem for MTL over finite words: 'Given an MTL formula ϕ, is L f (ϕ) nonempty?'. We also consider the following model-checking problem: 'Given an MTL formula ϕ and an Alur-Dill timed automaton B, is it the case that L f (B) ⊆ L f (ϕ)?'. In both cases we show decidability by translating the MTL formulas into equivalent one-clock timed alternating automata and invoking Theorem 4.17. We also show that both problems have non-primitive recursive complexity.
6.1. Translation to Automata. By using disjunction, falsity, dual until and dual next, in addition to the standard MTL connectives, every formula can be put into a negation normal form, in which negation is only applied to events a ∈ Σ. Given an MTL formula ϕ in negation normal form, we define a one-clock alternating automaton A ϕ such that The closure cl (ϕ) forms the set of locations of A ϕ ; thus states of A ϕ are pairs (ψ, v), where ψ ∈ cl (ϕ) and v is a clock value. We define the transition function δ so that the presence of state (ψ, 0) in a configuration during a run of A ϕ ensures that the input word satisfies ψ at the current position. To enforce this requirement, when ψ is encountered the automaton starts a fresh clock and thereafter propagates ψ from configuration to configuration in the run until all the obligations that it stipulates are discharged. Definition 6.2. Let ϕ be an MTL formula in negation normal form. The automaton A ϕ has set of locations cl (ϕ). The initial location is ϕ init and the accepting locations are those elements of cl (ϕ) of the form ϕ 1 U I ϕ 2 or ( I ψ) r . In order to give a smooth recursive definition of the transition function δ, we define δ(ψ, a) for all subformulas ψ of ϕ, not just those in cl(ϕ). The definition is given by the following clauses, where a, b ∈ Σ:
Remark 6.3. Notice the connection between the notion of duality for MTL formulas and the notion of duality for transition functions (described in Subsection 3.2). In particular, the dual of $\delta(\psi_1 U_I \psi_2, a)$ is $\delta(\psi_1 \widetilde{U}_I \psi_2, a)$, and the dual of $\delta((\bigcirc_I \psi)^r, a)$ is $\delta((\widetilde{\bigcirc}_I \psi)^r, a)$.
To this end, let $\rho = (\sigma, \tau)$ be a timed word in $L_f(A_\varphi)$, with $|\rho| = n$. As usual, write $d_i = \tau_i - \tau_{i-1}$ for $1 \le i \le n$. Suppose that $A_\varphi$ has an accepting run on $\rho$:
We claim that for each subformula $\psi$ of $\varphi$ and each $i$ such that $1 \le i \le n$, $(\rho, i) \models \psi$ whenever $C_{2i} \models_0 \delta(\psi, \sigma_i)$. We prove this claim by structural induction on $\psi$. The base case, in which $\psi \equiv a$ or $\psi \equiv \neg a$ for an atomic formula $a \in \Sigma$, is immediate. The only non-trivial cases in the induction step are when the outermost connective of $\psi$ is a temporal modality. We consider the cases $\psi \equiv \bigcirc_I \psi_1$ and $\psi \equiv \psi_1 U_I \psi_2$; the cases for the dual temporal connectives are similar.
Case $\psi \equiv \bigcirc_I \psi_1$.
In turn, this entails that $C_{2i+2} \models_0 \delta(\psi_1, \sigma_{i+1})$ and $\tau_{i+1} - \tau_i \in I$. By the induction hypothesis we have $(\rho, i+1) \models \psi_1$, whence $(\rho, i) \models \bigcirc_I \psi_1$.
Case $\psi \equiv \psi_1 U_I \psi_2$. Suppose $C_{2i} \models_0 \delta(\psi, \sigma_i)$. We consider two possibilities, corresponding to the two disjuncts in the definition of $\delta(\psi, \sigma_i)$. One possibility is that $C_{2i} \models_0 \delta(\psi_2, \sigma_i)$ and $0 \in I$. In this case, by the induction hypothesis, we have $(\rho, i) \models \psi_2$, whence $(\rho, i) \models \psi_1 U_I \psi_2$. On the other hand, we may have $C_{2i} \models_0 \delta(\psi_1, \sigma_i)$ and $(\psi, 0) \in C_{2i}$. Then the definition of the transition function $\delta$ ensures that for each successive value of $j \ge i$ we have that $C_{2j} \models \delta(\psi_1, \sigma_j)$ and $(\psi, \tau_j - \tau_i) \in C_{2j}$ until at some point $C_{2j} \models \delta(\psi_2, \sigma_j)$ and $\tau_j - \tau_i \in I$. (Note that the latter must eventually occur since $\psi$ is not an accepting location.) From the induction hypothesis it is clear that this implies that $(\rho, i) \models \psi$. This completes the proof of the claim.
Having proved the claim, we observe that $(\varphi_{init}, 0) \in C_0$, and, since $\delta(\varphi_{init}, \sigma_1) = x.\delta(\varphi, \sigma_1)$, we have $C_2 \models_0 \delta(\varphi, \sigma_1)$. Thus, applying the claim in case $i = 1$ and $\psi \equiv \varphi$, we immediately get that $\rho \models \varphi$. This completes the proof that
It remains to show the converse inclusion:
To this end, we show that, up to renaming of locations, $A_{\neg\varphi} = (A_\varphi)^c$, that is, the automaton representing $\neg\varphi$ is the complement of the automaton representing $\varphi$. Indeed the set of locations of $(A_\varphi)^c$ is the same as the set of locations of $A_\varphi$: it is just $cl(\varphi)$. On the other hand, the set of locations of $A_{\neg\varphi}$ is $cl(\neg\varphi)$, which consists of the duals of the formulas in $cl(\varphi)$. Thus the map sending a formula to its dual is a bijection between the locations of $A_{\neg\varphi}$ and $(A_\varphi)^c$. But now Remark 6.3 shows that the respective transition functions of $A_{\neg\varphi}$ and $(A_\varphi)^c$ are identical (modulo the bijection between the respective sets of locations). Now, using the inclusion that we have just proved, we have
But this directly gives
, which completes the proof.
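The converse inclusion, written out here as an added derivation in the notation of this proof (the displayed formulas of the original are not reproduced on this page): apply the inclusion already proved to the negation normal form of $\neg\varphi$, use $A_{\neg\varphi} = (A_\varphi)^c$, and use the fact that the complement automaton accepts exactly the finite timed words that $A_\varphi$ rejects. Then

$$
L_f(\varphi) \;=\; T\Sigma^* \setminus L_f(\neg\varphi) \;\subseteq\; T\Sigma^* \setminus L_f(A_{\neg\varphi}) \;=\; T\Sigma^* \setminus L_f((A_\varphi)^c) \;=\; L_f(A_\varphi),
$$

where the inclusion in the middle is the complement of $L_f(A_{\neg\varphi}) \subseteq L_f(\neg\varphi)$. Together with $L_f(A_\varphi) \subseteq L_f(\varphi)$ this gives $L_f(A_\varphi) = L_f(\varphi)$.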
In conjunction with Theorem 4.17, Proposition 6.4 immediately yields:
Theorem 6.5. The satisfiability and the model-checking problems for MTL over finite words are both decidable.
Complexity
In this section, using a result of Schnoebelen [33] about lossy channel systems, we prove that the satisfiability and model-checking problems for MTL have non-primitive recursive complexity.
A channel machine consists of a finite-state automaton acting on an unbounded FIFO channel, or queue. More precisely, a channel machine is a tuple $C = (S, M, \Delta)$, where $S$ is a finite set of control states, $M$ is a finite set of messages, and $\Delta \subseteq S \times \Sigma \times S$ is the transition relation over label set $\Sigma = \{m!, m? : m \in M\}$. A transition labelled $m!$ writes message $m$ to the tail of the channel, and a transition labelled $m?$ reads message $m$ from the head of the channel.
We define an operational semantics for channel machines as follows. A global state of $C$ is a pair $\gamma = (s, x)$, where $s \in S$ is the control state and $x \in M^*$ represents the contents of the channel. The rules in $\Delta$ induce a $\Sigma$-labelled transition relation on the set of global states thus: $(s, m!, t) \in \Delta$ yields a transition $(s, x) \xrightarrow{m!} (t, x \cdot m)$ that writes $m \in M$ to the tail of the channel, and $(s, m?, t) \in \Delta$ yields a transition $(s, m \cdot x) \xrightarrow{m?} (t, x)$ that reads $m \in M$ from the head of the channel. If we only allow the transitions indicated above, then we call $C$ an error-free channel machine. A computation of such a machine is a finite sequence of transitions between global states
We also consider channel machines that are subject to insertion errors. Given $x, y \in M^*$, write $x \sqsubseteq y$ if $x$ is a subword of $y$, i.e., $x$ can be obtained from $y$ by deleting any number of letters; for example, $sub \sqsubseteq stubborn$ (keep the s, the u and the b of stubborn). (This is a special instance of the monotone domination order introduced earlier.) Following [33] we model insertion errors by extending the transition relation on global states with the following clause: if $(s, x) \xrightarrow{\alpha} (t, y)$, $x' \sqsubseteq x$ and $y \sqsubseteq y'$, then $(s, x') \xrightarrow{\alpha} (t, y')$. Dually, we define lossy channel machines by adding a clause: if $(s, x)$
The notion of a computation of a channel machine with insertion errors or lossiness errors is defined analogously to the error-free case, but with the extended transition relations.
The control-state reachability problem asks, given a channel machine $C = (S, M, \Delta)$ and two distinct control states $s_{init}, s_{fin} \in S$, whether there is a finite computation of $C$ starting in global state $(s_{init}, \varepsilon)$ and ending in global state $(s_{fin}, x)$ for some $x \in M^*$. This problem was proved to be decidable for lossy channel machines by Abdulla and Jonsson [4]. Later Schnoebelen [33] showed that it has non-primitive recursive complexity.
The dual control-state reachability problem asks, given a channel machine $C = (S, M, \Delta)$ and two distinct control states $s_{init}, s_{fin} \in S$, whether there is a finite computation of $C$ starting in global state $(s_{init}, x)$ and ending in global state $(s_{fin}, \varepsilon)$, for some initial channel contents $x \in M^*$.
Note that the difference between the control-state reachability problem and the dual control-state reachability problem lies in whether the initial or the final channel is required to be empty. This difference is significant. For instance, the control-state reachability problem is trivial for channel machines with insertion errors. In this case there is a computation from $(s_{init}, \varepsilon)$ to $(s_{fin}, x)$ for some $x \in M^*$ iff there is a path from $s_{init}$ to $s_{fin}$ in the underlying control automaton. Indeed, given such a path we can always construct a matching computation of the channel machine by using insertion errors to ensure that every read-transition along the path is enabled. In contrast, for the dual control-state reachability problem we have the following result.
Proposition 7.1. The dual control-state reachability problem for channel machines with insertion errors has non-primitive recursive complexity.
Proof. Given a channel machine $C = (S, M, \Delta)$, the opposite channel machine is defined by $C^{op} = (S, M, \Delta^{op})$ where
Note that $C$ has a computation from $(s, x)$ to $(t, y)$ with lossiness errors iff $C^{op}$ has a computation from $(t, y^{op})$ to $(s, x^{op})$ with insertion errors, where $(-)^{op} : M^* \to M^*$ reverses the order of a word. Thus the dual control-state reachability problem for $C$ with insertion errors is equivalent to the control-state reachability problem for $C^{op}$ with lossiness errors. But, as we mentioned above, this last problem is known to be decidable with non-primitive recursive complexity.
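The direction of the subword relation in the two error models, and the reversal in the opposite-machine construction, are easy to get backwards, so here is an added worked example written for this page (it is not code from the paper): a bounded explicit-state explorer for channel machines under error-free, lossy and insertion-error semantics. The example machine, its message set, the channel-length bound and all function names are constructed for the illustration. On that machine it checks that control-state reachability with insertion errors collapses to a path in the control graph, and that a lossy computation of $C$ from $(s, x)$ to $(t, y)$ corresponds exactly to an insertion-error computation of $C^{op}$ from $(t, y^{op})$ to $(s, x^{op})$ within the same channel-length bound.

```python
"""Channel machines with error-free, lossy and insertion-error semantics.

Added worked example (not code from the paper).  Channel contents are tuples
of messages; a global state is (control_state, contents).  The exploration is
bounded by a maximum channel length so that it terminates; that bound is an
assumption of this illustration, not part of any decision procedure.
"""
from collections import deque
from itertools import combinations, product


def is_subword(x, y):
    """x ⊑ y: x is obtained from y by deleting zero or more letters."""
    i = 0
    for c in y:
        if i < len(x) and x[i] == c:
            i += 1
    return i == len(x)


def subwords(x):
    """Every x' with x' ⊑ x (what a lossy channel may shrink x to)."""
    return {tuple(x[i] for i in idx)
            for r in range(len(x) + 1) for idx in combinations(range(len(x)), r)}


def superwords(x, msgs, maxlen):
    """Every y with x ⊑ y and |y| <= maxlen (what insertion errors may grow x to)."""
    return {w for n in range(len(x), maxlen + 1)
            for w in product(sorted(msgs), repeat=n) if is_subword(x, w)}


def step_exact(delta, s, x):
    """Error-free steps from (s, x): m! appends m at the tail, m? pops m from the head."""
    for p, label, t in delta:
        if p != s:
            continue
        m, kind = label[:-1], label[-1]
        if kind == "!":
            yield t, x + (m,)
        elif kind == "?" and x[:1] == (m,):
            yield t, x[1:]


def successors(delta, msgs, state, mode, maxlen):
    """Successor global states under 'exact', 'lossy' or 'insertion' semantics."""
    s, x = state
    if mode == "exact":
        before, after = {x}, (lambda y: {y})
    elif mode == "lossy":       # letters may be lost before and after the exact step
        before, after = subwords(x), subwords
    elif mode == "insertion":   # letters may be inserted before and after the exact step
        before, after = superwords(x, msgs, maxlen + 1), (lambda y: superwords(y, msgs, maxlen))
    else:
        raise ValueError(f"unknown semantics {mode!r}")
    return {(t, y1) for x1 in before for t, y in step_exact(delta, s, x1)
            for y1 in after(y) if len(y1) <= maxlen}


def reachable(delta, msgs, start, mode, maxlen):
    """All global states reachable from start with channels of length <= maxlen."""
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in successors(delta, msgs, todo.popleft(), mode, maxlen):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def control_path_exists(delta, s_init, s_fin):
    """Reachability in the control graph alone, ignoring the channel."""
    seen, todo = {s_init}, [s_init]
    while todo:
        s = todo.pop()
        for p, _label, t in delta:
            if p == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return s_fin in seen


def control_state_reachable(delta, msgs, s_init, s_fin, mode, maxlen):
    """Is some (s_fin, x) reachable from (s_init, ε)?  (bounded search)"""
    return any(s == s_fin for s, _ in reachable(delta, msgs, (s_init, ()), mode, maxlen))


def dual_control_state_reachable(delta, msgs, s_init, s_fin, mode, maxlen):
    """Is (s_fin, ε) reachable from (s_init, x) for some x with |x| <= maxlen?"""
    return any((s_fin, ()) in reachable(delta, msgs, (s_init, x), mode, maxlen)
               for x in superwords((), msgs, maxlen))


def opposite(delta):
    """C^op: reverse each transition and swap writes with reads."""
    swap = {"!": "?", "?": "!"}
    return {(t, label[:-1] + swap[label[-1]], s) for s, label, t in delta}


def reachability_relation(delta, msgs, states, mode, maxlen):
    """All pairs (start, end) with end reachable from start, channels bounded by maxlen."""
    return {((s, x), end) for s in states for x in superwords((), msgs, maxlen)
            for end in reachable(delta, msgs, (s, x), mode, maxlen)}


# Constructed example machine (an assumption for the illustration, not from the paper).
STATES = {"s0", "s1", "s2"}
MSGS = {"a", "b"}
DELTA = {("s0", "a!", "s1"), ("s1", "b?", "s2"), ("s2", "a?", "s2")}

if __name__ == "__main__":
    for mode in ("exact", "lossy", "insertion"):
        print(mode, control_state_reachable(DELTA, MSGS, "s0", "s2", mode, 2),
              dual_control_state_reachable(DELTA, MSGS, "s0", "s2", mode, 2))
```

On the example machine the error-free and lossy searches never reach $s_2$ from $(s_0, \varepsilon)$ (the only transition out of $s_1$ reads a $b$ that was never written), while the insertion-error search does, exactly as the control-graph path predicts. The bound on channel length is what makes this search finite; the actual decision procedure for lossy channel machines rests on the well-quasi-order (Higman's Lemma) and needs no such bound.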
Theorem 7.2. The satisfiability and model-checking problems for MTL over finite words have non-primitive recursive complexity.
Proof. We give a reduction of the dual control-state reachability problem for channel machines with insertion errors to the satisfiability problem for MTL. Let $C = (S, M, \Delta)$ and $s_{init}, s_{fin} \in S$ be an instance of the dual control-state reachability problem. The idea is to encode computations of $C$ as timed words over the alphabet $\Sigma = S \cup \{m!, m? : m \in M\}$. For instance, the computation (7.1) is represented by a timed word whose sequence of events is $s_0\, \alpha_0\, s_1 \ldots \alpha_{n-1}\, s_n$. In this encoding the key idea is to choose timestamps that mirror the FIFO discipline of the channel. This is done by requiring that every write-event $m!$ be followed one time unit later by a matching read-event $m?$. In the following we describe an MTL formula $\varphi_{REACH}$ that describes all timed words that encode computations of $C$ starting in $s_{init}$ and ending in state $s_{fin}$ with empty channel. Thus $\varphi_{REACH}$ is satisfiable iff $C$ is a positive instance of the dual control-state reachability problem.
We use the formula $\varphi_{CHAN}$, below, to capture the behaviour of a channel: every write-event is followed one time unit later by a matching read-event. However, there is no guarantee that every read-event is preceded one time unit earlier by a write-event, so the channel may have insertion errors.
In order that there be no confusion in matching write-events with their corresponding subsequent read-events, we require that time be strongly monotonic (no two events can occur at the same time). This is captured by the formula ϕ SM :
We encode the finite control of C using the formula ϕ CONT :
We then use ϕ RUN to assert that a run must start in control state s init and obey the discrete controller until it terminates in control state s fin with empty channel:
Finally, we combine all these requirements into ϕ REACH :
Suppose we are given a timed word ρ satisfying ϕ REACH ; then we can construct a computation of C as follows. First, observe that ρ consists of an alternating sequence of events from S and events from {m!, m? : m ∈ M }. This gives the sequence of control states and transitions in the desired computation; it remains to construct the contents of the channel at each control state. Suppose event s ∈ S occurs at some point along ρ with timestamp t. Then the channel contents associated to this occurrence of s is the sequence of read-events occurring in ρ in the time interval (t, t + 1). Observe how this definition ensures that a message can only be read from the head of the channel, and how each write-event adds a message to the tail of the channel. Finally, observe that any timed word satisfying ϕ REACH must have s fin as its last event; this ensures that the channel is empty at that point.
Conversely, suppose we are given a computation of C,
with $s_0 = s_{init}$, $s_n = s_{fin}$ and $x_n = \varepsilon$. We then derive a timed word $\rho = (\sigma, \tau)$ that satisfies $\varphi_{REACH}$. We define $\sigma = s_0\, \alpha_0\, s_1\, \alpha_1 \ldots s_n$; this guarantees that $\rho$ satisfies $\varphi_{RUN}$. It remains to choose a sequence of timestamps $\tau$ such that $\varphi_{CHAN} \wedge \varphi_{SM}$ is also satisfied. Since the given computation of $C$ ends with the empty channel, every message that is written to the channel is eventually read from the channel. Thus for each write-event $m!$ in $\sigma$ there is a 'matching' read-event $m?$ later on. We choose the sequence of timestamps $\tau$ so that each such matching pair is separated by one time unit. This captures the FIFO discipline of the channel: messages are read from the channel in the same order that they were written to the channel. Formally we choose the $\tau_i$ sequentially, starting with $\tau_1 = 0$ and maintaining the following invariant: $\tau_i$ is chosen such that for each matching pair $\sigma_j = m!$ and $\sigma_k = m?$, if $j < k = i$ then $\tau_i - \tau_j = 1$, and if $j < i < k$ then $\tau_i - \tau_j < 1$. It is clearly possible to do this using the density of time.
Thus a channel machine $C = (S, M, \Delta)$ and pair of control states $s_{init}, s_{fin} \in S$ is a positive instance of the dual control-state reachability problem iff the formula $\varphi_{REACH}$ is satisfiable. This shows that the satisfiability problem for MTL has non-primitive recursive complexity.
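As an added example of the encoding used in this reduction (written for this page, not taken from the paper), the following Python takes an error-free computation of a channel machine that ends with an empty channel, chooses timestamps by the invariant stated above (each matching write/read pair exactly one time unit apart, every intervening event strictly less than one unit after the write, time strictly increasing), and then decodes an arbitrary timed word the way the first half of the proof does: the channel contents at a control-state event at time $t$ are the read-events in $(t, t+1)$. The formulas $\varphi_{CHAN}$, $\varphi_{SM}$ and $\varphi_{RUN}$ are not displayed on this page, so the decoder checks the three conditions the text attributes to them directly rather than evaluating MTL; the event sequence and the function names are constructed for the example.

```python
"""Encoding channel-machine computations as timed words (added example).

Not the paper's own code.  An event sequence  s0 α0 s1 α1 ... sn  alternates
control states and channel actions (m! writes, m? reads).  encode() picks
timestamps realising the FIFO discipline by the invariant in the proof of
Theorem 7.2; decode() reads the channel contents back off any timed word the
way the first half of that proof does and counts the read-events that no
write precedes by exactly one time unit (the insertion errors).
"""
from fractions import Fraction


def is_action(event):
    return event.endswith("!") or event.endswith("?")


def encode(events):
    """Timestamps for an error-free computation that ends with an empty channel."""
    if not events or is_action(events[0]):
        raise ValueError("an encoding starts with a control state")
    pending = []          # (index, timestamp) of writes not yet read, in FIFO order
    times = []
    for i, e in enumerate(events):
        if i == 0:
            t = Fraction(0)                         # τ_1 = 0
        elif e.endswith("?"):
            if not pending or events[pending[0][0]][:-1] != e[:-1]:
                raise ValueError(f"read {e} at position {i} is not error-free")
            _j, tj = pending.pop(0)
            t = tj + 1                              # matching read exactly one unit later
        else:
            prev = times[-1]
            # Strictly after the previous event and strictly less than one unit
            # after the oldest unmatched write (the tightest of the pending bounds).
            bound = pending[0][1] + 1 if pending else prev + 1
            t = (prev + bound) / 2                  # density of time: always possible
        times.append(t)
        if e.endswith("!"):
            pending.append((i, t))
    if pending:
        raise ValueError("computation does not end with an empty channel")
    return list(zip(events, times))


def decode(word, s_init, s_fin):
    """Check the three conditions the proof imposes and rebuild the channel contents.

    Returns (configurations, inserted): configurations lists (state, channel) for
    every control-state event; inserted counts reads with no write one unit earlier.
    """
    events = [e for e, _ in word]
    times = [t for _, t in word]
    if any(times[i] >= times[i + 1] for i in range(len(times) - 1)):
        raise ValueError("time is not strongly monotonic")              # ϕ_SM
    if (len(events) % 2 == 0 or events[0] != s_init or events[-1] != s_fin
            or any(is_action(e) != (i % 2 == 1) for i, e in enumerate(events))):
        raise ValueError("not an alternating run from s_init to s_fin")  # ϕ_RUN
    reads = [(t, e[:-1]) for e, t in word if e.endswith("?")]
    writes = {(t, e[:-1]) for e, t in word if e.endswith("!")}
    for t, m in writes:
        if (t + 1, m) not in reads:
            raise ValueError(f"write {m}! at {t} has no read {m}? at {t + 1}")  # ϕ_CHAN
    inserted = sum(1 for t, m in reads if (t - 1, m) not in writes)
    # Channel contents at a control state at time t: the reads falling in (t, t+1).
    configurations = [(e, tuple(m for tr, m in reads if t < tr < t + 1))
                      for e, t in word if not is_action(e)]
    return configurations, inserted


def satisfies_reach(word, s_init, s_fin):
    """True iff the timed word encodes a computation from s_init to (s_fin, ε)."""
    try:
        decode(word, s_init, s_fin)
        return True
    except ValueError:
        return False


# Constructed computation (an assumption for the illustration): writes a then b,
# reads a then b, so the channel ends empty.
COMPUTATION = ["p", "a!", "q", "b!", "q", "a?", "r", "b?", "r"]

if __name__ == "__main__":
    word = encode(COMPUTATION)
    print(word)
    print(decode(word, "p", "r"))
```

Decoding the encoded word recovers the channel contents $\varepsilon, a, ab, b, \varepsilon$ at the five control-state events, and a word whose only read has no write one unit earlier decodes with that message counted as an insertion error, while a word with a write and no read one unit later is rejected, which is the asymmetry the text describes.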
Finally, consider a universal Alur-Dill timed automaton, i.e., one that accepts all finite timed words. Model checking this automaton against a given MTL formula is equivalent to asking whether the formula is valid, i.e., whether its negation is unsatisfiable. The complexity of model checking MTL is therefore also non-primitive recursive.
Infinite Words: Safety MTL
In this section we adapt constructions from Section 4 to prove the decidability of the model-checking problem over infinite words for a subset of MTL, called Safety MTL. Safety MTL consists of those MTL formulas whose negation normal form only includes instances of the constrained until operator $U_I$ in which interval $I$ has bounded length. Note that no restrictions are placed on the dual-until operator $\widetilde{U}_I$.
Safety MTL can express time-bounded response properties, but not arbitrary response formulas. For instance, the formulas $\varphi_1 \equiv \Box(a \to \Diamond_{=1} b)$ and $\varphi_2 \equiv \Box(a \to \Diamond_{\le 5}(b \wedge \Diamond_{=1} c))$ are in Safety MTL, but $\varphi_3 \equiv \Diamond a$ is not. Note in passing that, intuitively, $\varphi_2$ is much harder to model check than $\varphi_1$. To find a counterexample to $\varphi_1$, one need only guess an $a$-event and check that there is no $b$-event one time unit later, a task requiring only one clock. On the other hand, to find a counterexample to $\varphi_2$ one must not only guess an $a$-event, but also check that every $b$-event in the ensuing five time units fails to have a matching $c$-event one time unit later, a task requiring a potentially unbounded number of clocks.
To explain the name Safety MTL, recall from [17] that a language $L \subseteq T\Sigma^\omega$ defines a safety property relative to the divergence of time if for every $\rho \notin L$ there exists $n \in \mathbb{N}$ such that no infinite timed word in $T\Sigma^\omega$ extending $\rho[1 \ldots n]$ is contained in $L$. In this case we say that $\rho[1 \ldots n]$ is a bad prefix of $\rho$.
Proof. It is straightforward to prove this result by structural induction on $\varphi$. However, we do not give details since we do not use this result in the sequel and since, in any case, it follows directly from Proposition 8.2 and Proposition 8.3.
To model check a Safety MTL formula $\varphi$ on an Alur-Dill automaton $B$ we need only check whether any of the bad prefixes of $\varphi$ are prefixes of words accepted by $B$. We can do this by invoking a variant of the idea used in the proof of Theorem 4.17. To set up this model-checking procedure we first define a translation of $\varphi$ into a one-clock alternating automaton $A^{safe}_\varphi$ in which every location is accepting. $A^{safe}_\varphi$ is a modification of the automaton $A_\varphi$ from Section 6.1. $A^{safe}_\varphi$ has the same alphabet, locations and initial location as $A_\varphi$, but we declare every location of $A^{safe}_\varphi$ to be accepting. To compensate for this last change, we modify a single clause in the definition of the transition function $\delta$, the clause for $\varphi_1 U_I \varphi_2$, as indicated below.
Intuitively, the above definition uses a 'timeout' rather than an acceptance condition to ensure that the second argument of $U_I$ eventually becomes true. In a non-Zeno run, the automaton cannot get stuck forever in location $\varphi_1 U_I \varphi_2$ since the clock constraints in the definition of $\delta(\varphi_1 U_I \varphi_2, a)$ only allow transitions when the value of clock $x$ is no greater than $\sup(I)$.
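To make the bad-prefix notion and the timeout concrete, here is an added example, written for this page rather than taken from the paper: a three-valued evaluator for Safety MTL formulas over a finite prefix of a timed word. It is a direct semantic evaluation, not the alternating automaton $A^{safe}_\varphi$, but it uses the same timeout idea: a bounded $\Diamond_I$ obligation is declared failed once the prefix has advanced strictly beyond $\sup(I)$ past the position where the obligation arose, because time is monotone and no later event can still fall inside the interval. The formula encoding, interval representation and sample words are constructed for the example; $\varphi_1$ and $\varphi_2$ are the formulas discussed above. Running it on them shows why a counterexample to $\varphi_2$ needs one obligation per $b$-event.

```python
"""Three-valued evaluation of Safety MTL formulas over a finite prefix.

Added example for this page; not the paper's automaton construction.  A formula
is a nested tuple in negation normal form:
  ("atom", e) / ("natom", e)      the current event is / is not e
  ("and", f, g) / ("or", f, g)
  ("ev", lo, hi, f)               ◇_[lo,hi] f with hi finite (Safety MTL)
  ("alw", lo, hi, f)              □_[lo,hi] f, hi may be math.inf
A prefix is a list of (event, timestamp) pairs with non-decreasing timestamps.
"""
import math

T, F, U = "T", "F", "U"   # true, false, not yet determined by the prefix


def k_and(p, q):
    if F in (p, q):
        return F
    return T if p == q == T else U


def k_or(p, q):
    if T in (p, q):
        return T
    return F if p == q == F else U


def evaluate(f, prefix, i):
    """Value of f at position i: T or F only if every extension of the prefix agrees."""
    kind = f[0]
    event, t = prefix[i]
    if kind == "atom":
        return T if event == f[1] else F
    if kind == "natom":
        return F if event == f[1] else T
    if kind == "and":
        return k_and(evaluate(f[1], prefix, i), evaluate(f[2], prefix, i))
    if kind == "or":
        return k_or(evaluate(f[1], prefix, i), evaluate(f[2], prefix, i))
    lo, hi, g = f[1], f[2], f[3]
    # Values of g at the positions seen so far whose delay from i lies in [lo, hi].
    vals = [evaluate(g, prefix, j) for j in range(i, len(prefix))
            if lo <= prefix[j][1] - t <= hi]
    # Timeout: once the prefix has advanced strictly beyond t + hi, no later event
    # can fall inside the interval, so the obligation is settled one way or the other.
    timed_out = prefix[-1][1] - t > hi
    if kind == "ev":
        if T in vals:
            return T
        return F if timed_out and U not in vals else U
    if kind == "alw":
        if F in vals:
            return F
        return T if timed_out and U not in vals else U
    raise ValueError(f"unknown connective {kind!r}")


def is_bad_prefix(f, prefix):
    """True only if no extension of the prefix can satisfy f (sound, not complete)."""
    return evaluate(f, prefix, 0) == F


def implies(a, f):
    """a → f in negation normal form."""
    return ("or", ("natom", a), f)


# The two Safety MTL formulas discussed in the text.
PHI1 = ("alw", 0, math.inf, implies("a", ("ev", 1, 1, ("atom", "b"))))
PHI2 = ("alw", 0, math.inf,
        implies("a", ("ev", 0, 5, ("and", ("atom", "b"), ("ev", 1, 1, ("atom", "c"))))))

# Constructed sample prefixes (assumptions for the illustration).
SAMPLES = {
    "phi1 ok so far": (PHI1, [("a", 0), ("b", 1)]),
    "phi1 bad prefix": (PHI1, [("a", 0), ("b", 2)]),
    "phi2 ok so far": (PHI2, [("a", 0), ("b", 1), ("b", 2), ("c", 3), ("x", 7)]),
    "phi2 bad prefix": (PHI2, [("a", 0), ("b", 1), ("b", 2), ("c", 2.5), ("x", 7.5)]),
    "phi2 still open": (PHI2, [("a", 0), ("b", 1), ("b", 2), ("c", 2.5)]),
}

if __name__ == "__main__":
    for name, (f, prefix) in SAMPLES.items():
        print(f"{name}: value {evaluate(f, prefix, 0)}, bad prefix {is_bad_prefix(f, prefix)}")
```

The evaluator only ever answers T or F when every extension of the prefix would agree, so a verdict of F is a genuine bad prefix; it may answer U for prefixes that a complete procedure would already classify. For $\varphi_2$ the recursive call on each $b$-event in the five-unit window is exactly the per-event obligation that the automaton has to carry with its own clock.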
Recall that so far we have only considered alternating automata on finite words. In order to state the correctness of the definition of $A^{safe}_\varphi$ we consider runs of timed alternating automata on infinite words. Our task is simplified by the fact that we only consider automata in which every location is accepting. (Technically this means that, as with automata over finite words, we can elide the tree structure that is usually associated with runs of alternating automata.) Suppose then that $A$ is a timed alternating automaton in which every location is accepting. A run of $A$ on an infinite timed word $\rho = (\sigma, \tau)$ is an infinite alternating sequence of time delays and discrete steps in $T_A$:
where $C_0$ is the initial configuration and $d_i = \tau_i - \tau_{i-1}$. We define $L_\omega(A)$ to be the set of non-Zeno timed words $\rho \in T\Sigma^\omega$ over which $A$ has a run. (Since every location of $A$ is accepting, there is no need to consider an acceptance condition here.)
The proof of Proposition 6.4 carries over almost verbatim to the present setting. Referring to the details of that proof, the only change is to observe that it is the 'timeout' in the definition of $\delta(\varphi_1 U_I \varphi_2, a)$, rather than the fact that $\varphi_1 U_I \varphi_2$ is non-accepting, that ensures that whenever $(\varphi_1 U_I \varphi_2, 0)$ lies in some configuration $C_{2i}$ in a run, then there exists $j \ge i$ such that $C_{2j} \models \delta(\varphi_2, \sigma_j)$.
$\xrightarrow{t} (\gamma + t, C + t)$ for $t \ge 0$, and a $\Sigma$-labelled discrete-step transition relation by $(\gamma, C)$
A configuration $(\gamma, C)$ of $T_{B,A^c}$ is said to be initial if $\gamma$ is the initial state of $B$ and $C$ is the initial configuration of $A^c$. Recall that $A^c$ can only accept a word by moving to the empty configuration. Thus a timed word $\rho \in L_\omega(B)$ fails to lie in $L_\omega(A)$ iff there is a computation of $A^c$ on a finite prefix of $\rho$ that reaches $\emptyset$. Motivated by this observation, we say that a $B$-$A^c$-configuration $(\gamma, C)$ is doomed if $C = \emptyset$ (i.e., $A^c$ has reached an accepting configuration) and $B$ can accept some infinite non-Zeno word starting in state $\gamma$. Then $L_\omega(B) \subseteq L_\omega(A)$ iff no doomed configuration $(\gamma, \emptyset)$ is reachable from the initial configuration of $T_{B,A^c}$. Below we sketch how we can use Theorem 4.15 to prove that this reachability problem is decidable.
To set up the application of Theorem 4.15 we reuse constructions from Section 4 to show that $T_{B,A^c}$ contains a sub-transition-system $W_{B,A^c}$ that is a wsts. The first step is to adapt the notion of the time successor of a configuration to the present setting.
• Alphabet. The alphabet of $W_{B,A^c}$ is $\Sigma \cup \{\varepsilon\}$.
• States. The states of $W_{B,A^c}$ are those configurations $(\gamma, C)$ in which all clock values are rational (henceforth we call such configurations rational).
• Transitions. Each configuration $(\gamma, C)$ makes a unique $\varepsilon$-transition to its time successor $\mathit{next}(\gamma, C)$. For $a \in \Sigma$, we declare that $(\gamma, C)$
Continuing to shadow the development in Section 4, we adapt the Bisimulation Lemma, Lemma 4.7, to the present setting. We define an equivalence relation $\equiv$ on $B$-$A^c$-configurations that abstracts away from precise clock values, recording only their integer parts and the relative order of their fractional parts.
(In particular, we require that $C$ and $C'$ have the same cardinality.) Then we define $(\gamma, C) \equiv (\gamma', C')$ if the following hold, where $\bowtie \in \{<, =, >\}$:
$\ldots, n\}$. The first four clauses of this definition ensure that $(\gamma, C) \equiv (\gamma', C')$ implies that $\gamma$ and $\gamma'$ are region equivalent in the sense of [5] and that $C \equiv C'$ in the sense of Definition 4.6. However Definition 8.7 does not just involve comparing fractional parts among the clock values in $C$, and separately among the clock values in $\gamma$: the fifth clause compares values in $\gamma$ with values in $C$. This is essential for $\equiv$ to be a congruence with respect to the time-successor operation, as the following example shows.
Proof. The proof is almost identical to that of Proposition 4.9.
To complete the correspondence with Section 4, it remains to show that W B,A c is a wsts. As we now explain, this requires a slight variation of the construction used in Proposition 4.16.
Suppose that $A$ has set of locations $S$ and that $B$ has set of locations $T$, where $S$ and $T$ are disjoint. Define a finite alphabet $\Lambda$ to be the set of non-empty subsets of $((T \times \{1, \ldots, n\}) \cup S) \times REG$, where $REG$ is the set of clock regions as defined in Subsection 4.1. Following Definition 4.11, an abstract $B$-$A^c$-configuration is a finite word over $\Lambda$.
We reuse the abstraction function $H$ from Section 4 to map $B$-$A^c$-configurations to abstract configurations as follows: map a configuration $((s, v), C)$ of $T_{B,A^c}$ to the word $H(\{((s, 1), v_1), \ldots, ((s, n), v_n)\} \cup C) \in \Lambda^*$. From this word we can reconstruct all clock values in $((s, v), C)$ up to the nearest integer and also the relative order of the fractional parts of the clocks. As in Proposition 4.13 this observation implies that the kernel of $H$ agrees with the notion of equivalence of $B$-$A^c$-configurations, that is, $H(\gamma, C) = H(\gamma', C')$ implies $(\gamma, C) \equiv (\gamma', C')$.
Proof. The inclusion $L_\omega(B) \subseteq L_\omega(A)$ holds iff it is not possible to reach a doomed state from the initial state in $W_{B,A^c}$. Now the set of doomed states in $W_{B,A^c}$ is trivially downward-closed with respect to the monotone domination order (recall that $(\gamma, C)$ is doomed only if $C = \emptyset$). The set of doomed states is also decidable: to decide whether $(\gamma, \emptyset)$ is doomed we have to check whether $B$ can accept a non-Zeno timed word starting from $\gamma$. This last problem is essentially the language-emptiness problem for Alur-Dill automata over infinite timed words, which is well known to be decidable; see [5].
Conclusion
In this paper, we have shown that Metric Temporal Logic is decidable over finite timed words in its standard dense-time, point-based semantics, with non-primitive recursive complexity. Over infinite words, we have shown that the important safety fragment of Metric Temporal Logic can be model checked.
To prove the decidability results above, we introduced the class of timed alternating automata, and showed that the language-emptiness problem for one-clock timed alternating automata over finite words is decidable. In the words of [21], one-clock timed alternating automata constitute a fully decidable specification formalism for timed languages in that they are closed under all Boolean operations and language emptiness is decidable. In contrast to Alur-Dill timed automata, one-clock timed alternating automata do not admit finite untimed quotients. In fact, it is straightforward to define a one-clock timed alternating automaton $A$ such that the untimed language obtained from $L_f(A)$ (by forgetting all timestamps) is the classic non-regular language $\{a^n b^m : 0 \le n \le m\}$. Reflecting this fact, the termination proof for our language-emptiness algorithm used a well-quasi-order derived from Higman's Lemma.
The focus of this paper has largely been on MTL over finite words. Recently we have obtained both positive and negative decidability results for MTL over infinite words. In particular, we have shown that the satisfiability problem for Safety MTL is decidable [31], whereas the satisfiability problem for MTL is undecidable [30]. Thus restricting to safety properties is crucial to obtaining decidability.
