# ltl_realizability_via_safety_and_reachability_games__af6c2cee.pdf

LTL Realizability via Safety and Reachability Games

Alberto Camacho , Christian Muise , Jorge A. Baier , Sheila A. Mc Ilraith

Department of Computer Science, University of Toronto IBM Research, Cambridge Research Center, USA Pontificia Universidad Cat olica de Chile Chilean Center for Semantic Web Research {acamacho,sheila}@cs.toronto.edu, christian.muise@ibm.com jabaier@ing.puc.cl

In this paper, we address the problem of LTL realizability and synthesis. State of the art techniques rely on so-called bounded synthesis methods, which reduce the problem to a safety game. Realizability is determined by solving synthesis in a dual game. We provide a unified view of duality, and introduce novel bounded realizability methods via reductions to reachability games. Further, we introduce algorithms, based on AI automated planning, to solve these safety and reachability games. This is the the first complete approach to LTL realizability and synthesis via automated planning. Experiments illustrate that reductions to reachability games are an alternative to reductions to safety games, and show that planning can be a competitive approach to LTL realizability and synthesis.

1 Introduction

LTL synthesis aims to compute a strategy that satisfies a Linear Temporal Logic (LTL) specification. The problem was first proposed in the context of reactive synthesis, and is central to the automated construction of controllers and certain classes of programs [Pnueli and Rosner, 1989]. LTL realizability and synthesis are commonly addressed as a two-player game between an agent and the environment, played over automata transformations of the LTL specification (so-called automata games). Each player has a disjoint set of variables, and the objective is to synthesize a strategy for setting the agent s ( controllable ) variables such that the LTL specification is guaranteed to be satisfied, no matter how the environment sets its ( uncontrollable ) variables. Traditional approaches to LTL realizability and synthesis assume that the agent plays first. Interestingly, in recent years there has been a surge in the development of modern LTL synthesis tools based on automata games, and whereas LTL synthesis tool Lily [Jobstmann and Bloem, 2006] adopts an agent-first play protocol, many of the most successful

This work was conducted while the author was affiliated with CSAIL, Massachusetts Institute of Technology.

LTL synthesis tools such as Unbeast [Ehlers, 2010], Acacia, and Acacia+ [Filiot et al., 2009; Bohy et al., 2012] adopt an inverted turn protocol, where the environment plays first. Indeed, this inverted turn-taking has become the standard used in different incarnations of SYNTCOMP, the annual reactive synthesis competition (e.g. [Jacobs et al., 2017]). SYNTCOMP has promoted standardization and facilitated tool comparison with the introduction of the high-level LTL input language TLSF [Jacobs et al., 2016]. Participating tools (including Acacia+) are compliant with TLSF. To describe the different semantics associated with turntaking protocols, the notions of Mealyand Moore-type semantics has been introduced (e.g. [Ehlers, 2011; Khalimov et al., 2013]), where intuitively Mealy-type semantics correspond to settings where the environment plays first, and Moore-type semantics correspond to settings where the agent plays first. The names originate from Mealy and Moore machines. When a winning strategy exists for one of these semantics, the strategy has a finite representation and is typically conveyed in terms of Mealy (resp. Moore) machines. Inverting the order of agent-environment turn-taking corresponds to playing a dual game. We aim to provide a unified view of duality results for LTL realizability and synthesis, and automata games. To this end, we review the connection between LTL synthesis and automata games, and formalize a duality result for existence of winning strategies in automata games that replicates the duality results for synthesis. We further investigate different reductions to automata games that exploit duality to determine realizability, and introduce novel techniques that exploit these correspondences. We exploit mappings from LTL synthesis to games, together with duality results, to chronicle different techniques to solve LTL realizability and synthesis (Table 1). These techniques extend well-known approaches, and establish the connection between Mealy and Moore semantics for LTL realizability and synthesis, and games over Universal k-co B uchi Word (Uk CW) automata and Non-deterministic k-B uchi Word (Nk BW) automata. From an algorithmic perspective, our approaches to LTL realizability via reduction to Nk BW games provide an alternative to existing techniques based on Uk CW. Whereas the latter are safety games, the former are reachability games. Finally, we address the realizability problem in

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)

safe and co-safe specifications, and show how these can be solved more efficiently. We further present the first complete approach to LTL synthesis via Fully Observable Non-Deterministic (FOND) planning. Our approach constructs a planning problem that simulates an automata game, and that can be solved using state-ofthe-art planners. While our contributions are intended to be largely theoretical, we conducted preliminary experiments to assess the practicality of the different techniques for LTL realizability and synthesis that we present. Preliminary results show that techniques employing Nk BW automata can complement existing techniques based on Uk CW automata, addressing realizability and synthesis problems that otherwise cannot be solved by existing tools. Moreover, they show that automated planning technology (and, in particular, FOND) can be an efficient approach to LTL realizability and synthesis. Finally, we believe that the Nk BW game reductions presented here open the door to novel bounded realizability methods for LTL realizability and synthesis as reachability games, providing an alternative to bounded synthesis [Kupferman and Vardi, 2005; Schewe and Finkbeiner, 2007].

2 Background

2.1 Automata on Infinite Words A non-deterministic automaton is a tuple A = Q, Σ, q0, δ, α , where Q is a finite set of automaton states, Σ is a finite alphabet of input letters, q0 Q is the initial state of the automaton, δ Q Σ Q is a transition relation, and α Q is an accepting condition. We sometimes write δ(q, σ) to denote the set Q Q such that (q, σ, q ) δ for every q Q . Intuitively, an automaton A in state q can transition into any state in δ(q, σ) when it reads an input letter σ. When |δ(q, σ)| = 1 for every q Q and σ Σ, the automaton is deterministic. Σω denotes the set of all infinite words over Σ. A run of A on word w = σ1, σ2, . . . Σω is an infinite sequence of states ρ = q0, q1, . . . Qω where (qi 1, σi, qi) δ for every i > 0. It is useful to define operators occρ : Q N {0, }, indexed by runs ρ, that return for each q Q the number of occurrences of q in ρ. In what follows, we review three types of acceptance conditions. A run ρ is accepting with the B uchi condition if occρ(q) = for some q α that is, when some state in α occurs infinitely often in ρ. Conversely, a run ρ is accepting with the co B uchi condition if occρ(q) < for every q α. Finally, ρ is accepting with the k-B uchi (resp. k-co B uchi) condition for k N {0} if occρ(q) k for some q α (resp. occρ(q) k for every q α). The language of an automaton A, L(A), is the set of infinite words accepted by A. We say a non-deterministic automaton A accepts a word w when some run of A on w is accepting that is, A has non-deterministic branching factor. In contrast, when A is a universal automaton all runs of A on w must be accepting that is, A has universal branching factor. Following the naming conventions described above, Nondeterministic B uchi Word (NBW) automata and Nondeterministic k-B uchi Word (Nk BW) automata have nondeterministic branching factor and B uchi and k-B uchi acceptance condition, respectively. Similarly, Universal Co B uchi Word (UCW) automata and Universal k-co B uchi

Word (Uk CW) automata have universal branching factor and co B uchi and k-co B uchi acceptance condition, respectively. For clarity, throughout the paper we use a pairwise notation to denote the acceptance condition of automata. For example, Uk = (A, Uk CW) and Nk = (A, Nk BW) denote automaton A with, respectively, Uk CW and Nk BW acceptance conditions. This notation makes it easy to write automata that differ in their accepting conditions. In particular, it facilitates notation in complementation rules (cf. Proposition 1). The complementation of an automaton A is the task of constructing an automaton that accepts the words that are not in L(A).

Proposition 1. The complementation of Uk is Nk+1.

2.2 Linear Temporal Logic Linear Temporal Logic (LTL) extends propositional logic with the unary temporal operator next and the binary temporal operator until . As such, ϕ stands for next ϕ and ϕUψ stands for ϕ until ψ . LTL formulae over a set of propositions AP are evaluated over infinite sequences s0s1 , where each si is a subset of AP. If σ = s0s1 , then, for every i 0:

σ, i |= ϕ if ϕ is a propositional formula and si |= ϕ. σ, i |= ϕ iffσ, i + 1 |= ϕ. σ, i |= ϕUψ iffthere exists a j i such that sj |= ψ and for every k {i, . . . , j 1}, sk |= ϕ.

Finally we say that σ is a model of ϕ, denoted σ |= ϕ, iff σ, 0 |= ϕ. Three other common temporal operators, eventually ϕ ( ϕ), always ϕ ( ϕ), and ψ releases ϕ (ψRϕ), can be defined as follows: ϕ Uϕ, ϕ ϕ, and ψRϕ ( ψU ϕ).

2.3 LTL and Automata It is well-known that for an LTL formula ϕ one can construct an automaton Nϕ = (Aϕ, NBW) that accepts all and only the infinite words that satisfy ϕ. The construction is worst-case exponential in the size of the formula. An UCW automaton Uϕ that accepts the models of ϕ can be obtained from the construction of an NBW automaton that accepts the models of ϕ. Formally, Uϕ = (A, UCW) accepts the models of ϕ iff N ϕ = (A, NBW) accepts the models of ϕ (cf. [Kupferman and Vardi, 2005]). Lemma 1 summarizes these results.

Lemma 1. Given an LTL formula ϕ, it is possible to build an NBW automaton Nϕ, and a UCW automaton Uϕ, such that L(Nϕ) = L(Uϕ) = {w Σω | w |= ϕ}. The constructions are worst-case exponential in the size of ϕ.

2.4 Fully Observable Non-Deterministic Planning Here we briefly describe the Fully Observable Non Deterministic (FOND) setting, and refer the interested reader to Geffner and Bonet [2013] for a more thorough description. A FOND problem is a tuple F, O, I,G , where F is a set of fluents (atomic propositions whose truth value can change over time); I F are the fluents true in the initial state; G F, are the fluents that must hold in a goal state; and O is the set of (possibly non-deterministic) operators or action schemas. Each o O is made up of Preo (the fluents that must hold for o to be executable) and Effo (the set of possible effects for o, one of which will update the state).

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)

States are represented by a set of fluents (all those not in the set are presumed false) and partial states are represented by a set of literals (i.e., fluents or their negation). An action is a ground operator. The outcome of action a in state s is another state s that results from updating s with one of the effects of the ground operator o corresponding to a. A distinguishing property of FOND planning is that the action outcome is not known until run time, and so all contingencies must be planned for. For this reason, solutions to a FOND problem take the form of a policy π that maps the state of the world to the action that should be executed. An execution of a policy π from state s0 is a sequence of states s0, s1, . . . such that each si+1 is an outcome of π(si) in si. Cimatti et al. [2003] defined different classes of solutions to a FOND problem. Here, we examine two of them. A strong solution is a policy that is guaranteed to achieve the goal regardless of non-determinism. Strong cyclic solutions are less restrictive and guarantee goal reachability in the presence of fairness, which presumes that all the action outcomes in a given state would manifest infinitely often. As the name suggests, a strong cyclic solution may revisit states. Strong cyclic solutions have the property stated in Proposition 2.

Proposition 2 (Strong Cyclic Solution). A policy π is a strong cyclic solution ifffor every state s reachable by π there exists an execution that achieves the goal from s.

Automated planning technology is highly optimized, and typically used for computation of plans or policies that achieve a prescribed goal after execution of a finite number of actions that can be unbounded in strong cyclic plans. Patrizi et al. [2013] proposed a means of synthesizing infinite plans for planning domains with LTL goal formulae and fair non-deterministic actions. Their technique compiles the original domain into a new domain in a way that executions of a strong cyclic solution to the modified domain produce infinite plans in the original domain. The approach is limited to the class of LTL formulae that can be compiled into deterministic B uchi automata.

3 LTL Realizability and Synthesis

The realizability and synthesis problems for an LTL specification were first posed by Pnueli and Rosner in 1989. Since then, the scholarly literature has explored two slightly different interpretations of an LTL specification in the context of synthesis. In this paper, we study both interpretations, which differ in their semantics, distinguishing them via the subscript s Mealy, Moore notation (cf. Definition 1). We adopt the terms Mealy and Moore semantics, which have been used previously in the synthesis literature (e.g. [Ehlers, 2011; Khalimov et al., 2013]). A strategy for an LTL specification X, Y, ϕ s is a function f : (2X) 2Y that maps histories, or finite sequences of subsets of X, into subsets of Y. A strategy f is winning when, for every infinite sequence X1X2 of subsets of X, either: (i) s = Mealy and {(Xi f(X1 Xi))}i 1 satisfies ϕ; or (ii) s = Moore and {(Xi f(X0 Xi 1))}i 1 satisfies ϕ for some constant X0, typically set to the empty trace ϵ. Winning strategies for an LTL specification X, Y, ϕ Moore are also winning strategies for X, Y, ϕ Mealy, but the opposite

does not hold in general (see example below). The realizability problem consists of determining existence of a winning strategy, and the synthesis problem consists of computing one (Definition 2). For unrealizable specifications, a certificate of unrealizablity is a strategy g : (2Y) 2X that prevents the agent from realizing ϕ. Lemma 2 formulates a well-known duality between the two semantics in LTL realizability.

Definition 1. An LTL specification is a tuple X, Y, ϕ s, where X and Y are two finite and disjoint sets of variables, ϕ is an LTL formula over variables in X Y, and s {Mealy, Moore}.

Definition 2. The realizability problem for an LTL specification X, Y, ϕ s is to determine whether there exists a winning strategy. The synthesis problem for a realizable LTL specification consists of computing a winning strategy. We say that an LTL specification is unrealizable when it is not realizable.

Lemma 2 (Duality). An LTL specification X, Y, ϕ Mealy is realizable iff Y, X, ϕ Moore is unrealizable.

Example LTL specification {x} , {y} , (x y) Mealy is realizable, and has a winning strategy f that maps each sequence X1 Xn (2X) to {y} if Xn = {x}, and to otherwise. On the other hand, {x} , {y} , (x y) Moore is unrealizable. An unrealizability certificate g : (2Y) 2X can be constructed by assigning g({y}) = and g( ) = {x}. Clearly, plays that start with a prefix (g(f(X0)) f(X0)) cannot satisfy (x y).

3.1 Automata Games Following Thomas [1995], in this paper a two-player game is defined with respect to two finite sets of variables, X and Y, and an automaton A with alphabet Σ = 2X Y whose language describes which plays are winning in the game. In this paper we exploit the correspondence between LTL synthesis and games in various forms. To facilitate readability, in this paper we opt to represent games with a tuple X, Y, A s, where s Moore, Mealy . In the following, we formalize automata games, and present duality results that are analogous to those for LTL synthesis. We first describe the dynamics of a game X, Y, A Moore, which corresponds to the definition of automata games commonly used in the literature. A game X, Y, A Moore has two players, P1 and P2. In each round of the game, P1 selects a subset of variables Yi Y, followed by P2, which selects a subset of variables Xi X. The game is played an infinite number of rounds, and so a play consists of an infinite word w = {(Xi Yi) | Xi X, Yi Y}i 1. The play is winning (for P1) if A accepts w, and the game is winning (for P1) if P1 has a strategy that only yields winning plays, regardless of the moves of P2. Formally, X, Y, A Moore is winning if there exists an strategy f : (2X) 2Y such that, for any sequence {Xi}i 1 of moves of P2, A accepts the infinite word w = {(Xi f(X0 Xi 1))}i 1 for some constant X0. In this paper we are also interested in examining the conditions under which player P2 has a winning strategy. We write X, Y, A Mealy to denote a game with inverted turns with respect to X, Y, A Moore. In each round, player P1 selects a subset of variables of X, followed by player P2, which selects a subset of variables of Y. The difference now is

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)

that the game is P2-centric. We say that the game is winning (for P2) if there exists an strategy g : (2X) 2Y such that, for any sequence {Xi}i 1 of moves of P1, the play w = {(Xi f(X1 Xi))}i 1 is accepted by A. Proposition 3 below is analogous to Lemma 2, and formalizes the well-known zero-sum property of automata games. That is, player P1 has a strategy to win a game X, Y, A Moore iffplayer P2 has no strategy to win the dual game Y, X, A Mealy, where A is an automaton that accepts the complement language of A. Note that duality inverts the set of controllable variables. Throughout this paper we exploit a particular case of Proposition 3 with two classes of automata that recognize complement languages: Uk CW and Nk BW automata. We formalize the result in Lemma 3. Proposition 3 (Duality). A game X, Y, A Moore is winning (for P1) iffthe game Y, X, A Mealy is not winning (for P2). Lemma 3 (Duality). Let Uk = (A, Uk CW) and Nk = (A, Nk BW). A game X, Y, Uk Moore is winning iff Y, X, Nk+1 Mealy is not winning. Likewise, X, Y, Uk Mealy is winning iff Y, X, Nk+1 Moore is not winning.

3.2 LTL Realizability and Automata Games The correspondence between LTL realizability and automata games has been commonly exploited to approach LTL realizability and synthesis (e.g. [Jobstmann and Bloem, 2006; Filiot et al., 2009; Ehlers, 2010]). Theorem 1 formalizes the mapping, which preserves winning strategies. Typically, automata-based approaches to LTL synthesis rely on deterministic automata. NBW automata can be determinized (into Rabin automata) with the Safra construction. This construction, unfortunately, is very involved and not amenable to symbolic methods. Reportedly, the best tools cannot even handle relatively simple automata with more than 6 states. Theorem 1. Let ϕ be an LTL formula over X Y, and let Aϕ be an automaton that accepts the models of ϕ. σ is a winning strategy for X, Y, ϕ Moore (resp. X, Y, ϕ Mealy) iffσ is a winning strategy for X, Y, Aϕ Moore (resp. X, Y, Aϕ Mealy).

Safety Games As an alternative to avoid Safra s construction, so-called safraless methods reduce the synthesis problem to a series of safety games over Uk CW automata [Kupferman and Vardi, 2005]. In a safety game, all plays that violate the LTL specification formula ϕ have a bad prefix. A bad prefix is a finite trace π from which it is no longer possible to satisfy ϕ. That is, any infinite trace π with prefix π is such that π |= ϕ. The challenge in a safety game is for the agent to avoid bad prefixes. The advantage of using Uk CW automata is that these can be determinized efficiently, using well-known methods derived from the powerset construction commonly used to determinize finite-state automata. Reachability Games In a reachability game, winning plays have a good prefix, that is, a finite trace π such that any infinite trace π with prefix π satisfies the specification. In particular, games over Nk BW automata are reachability games.

4 Reductions to Automata Games In this section we introduce a collection of techniques to reduce LTL realizability into a series of games defined over

Uk CW and Nk BW automata. The reductions rely on Theorems 2, 3, 4, and 5, and are summarized in Table 1. Theorem 2. Let A = (A, UCW) be an automaton that accepts the models of ϕ. The following are equivalent: X, Y, ϕ Mealy is unrealizable Y, X, (A, Uk CW) Moore is winning for some k in 2O(|A|)

X, Y, (A, Nk BW) Mealy not winning for some k in 2O(|A|)

Proof sketch. By Lemma 2, X, Y, ϕ Mealy is unrealizable iff Y, X, ϕ Moore is realizable. By well-known results on bounded synthesis (e.g. [Kupferman, 2006]), this occurs iff Y, X, (A, Uk CW) Moore is winning for some k in 2O(|A|). By Lemma 3, this occurs iff X, Y, (A, Nk BW) Mealy is not winning for some k worst-case exponential in the size of A. Theorem 3. Let A = (A, NBW) be an automaton that accepts the models of ϕ. The following is equivalent: X, Y, ϕ Mealy is realizable Y, X, (A, Nk BW) Moore is not winning for some k in 2O(|A|)

X, Y, (A, Uk CW) Mealy is winning for some k in 2O(|A|)

Proof sketch. By Lemma 2, X, Y, ϕ Mealy is realizable iff Y, X, ϕ Moore is unrealizable. This occurs iff Y, X, (A, Nk BW) Moore is not winning for some k < . By Lemma 3, this occurs iff X, Y, (A, Uk CW) Mealy is winning for some k < . The results for bounded synthesis (e.g. [Kupferman, 2006]) set the exponential bound on k. Theorem 4. Let A = (A, UCW) be an automaton that accepts the models of ϕ The following is equivalent: X, Y, ϕ Moore is realizable X, Y, (A, Uk CW) Moore is winning for some k in 2O(|A|)

Y, X, (A, Nk BW) Mealy is not winning for some k in 2O(|A|)

Proof sketch. It follows from negating Theorem 2 and applying the duality results in Lemmas 2 and 3. Theorem 5. Let A = (A, NBW) be an automaton that accepts the models of ϕ. The following is equivalent: X, Y, ϕ Moore is unrealizable X, Y, (A, Nk BW) Moore is not winning for some k in 2O(|A|)

Y, X, (A, Uk CW) Mealy is winning for some k in 2O(|A|)

Proof sketch. It follows frin negating Theorem 3 and applying the duality results in Lemmas 2 and 3. Bounded Realizability and Synthesis Table 1 summarizes the results of the theorems above into a series of tests to determine realizability and unrealizability of an LTL specification. The tests based on reductions to Uk CW games (i.e. safety games) are well known, and commonly referred to as bounded synthesis methods [Schewe and Finkbeiner, 2007], which build upon safraless methods [Kupferman and Vardi, 2005]. These tests are constructive, meaning that a winning strategy for the reduced game is a winning strategy for the original specification in case it is realizable , or a certificate of unrealizability in case it is unrealizable. Bounded synthesis has been a successful approach to synthesis, and nowadays many modern tools exploit reductions to Uk CW games in some way (e.g. Lily [Jobstmann and Bloem, 2006], Unbeast [Ehlers, 2010], and Acacia/Acacia+ [Filiot et al., 2009;

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)

Specification Construction of A Test Good for Constructive Thm

X, Y, ϕ Mealy L(A, NBW) = L(ϕ) k. Y, X, (A, Uk CW) Moore winning for P1 unrealizable co-safe yes 2 X, Y, ϕ Mealy L(A, NBW) = L(ϕ) k. X, Y, (A, Nk BW) Mealy not winning for P2 unrealizable co-safe no 2 X, Y, ϕ Mealy L(A, UCW) = L(ϕ) k. Y, X, (A, Nk BW) Moore not winning for P1 realizable safe no 3 X, Y, ϕ Mealy L(A, UCW) = L(ϕ) k. X, Y, (A, Uk CW) Mealy winning for P2 realizable safe yes 3

X, Y, ϕ Moore L(A, UCW) = L(ϕ) k. X, Y, (A, Uk CW) Moore winning for P1 realizable safe yes 4 X, Y, ϕ Moore L(A, UCW) = L(ϕ) k. Y, X, (A, Nk BW) Mealy not winning for P2 realizable safe no 4 X, Y, ϕ Moore L(A, NBW) = L(ϕ) k. X, Y, (A, Nk BW) Moore not winning for P1 unrealizable co-safe no 5 X, Y, ϕ Moore L(A, NBW) = L(ϕ) k. Y, X, (A, Uk CW) Mealy winning for P2 unrealizable co-safe yes 5

Table 1: Strategies to determine realizability and unrealizability of an LTL specification via reduction to automata games. When ϕ is a safe (resp. co-safe) LTL formula, strategies that are good for safe (resp. good for co-safe) formulae only require tests with k = 0 in Uk CW games; and k = 1 in Nk BW games. Constructive tests yield a winning strategy or certificate, as appropriate.

Bohy et al., 2012]). The tests based on reductions to Nk BW games (i.e. reachability games) are novel. These tests determine realizability and unrealizability. By way of analogy to bounded synthesis, we refer to them as bounded realizability methods. Note that a complete approach for LTL realizability and synthesis would combine at least two of these approaches in parallel or with interleaved search. Safe and Co-Safe LTL Specifications Different syntactic characterizations of LTL formulas have been studied (e.g. [Sistla, 1994]). Here, we examine the safe and co-safe fragment of LTL [Kupferman and Vardi, 2001]. Safe properties assert that something bad never happens. Co-safe properties are dual, and assert that something good eventually happens. The following syntactic fragments of LTL express safe, and co-safe properties: Safe: ϕ = | | p | p | ϕ ϕ | ϕ | ϕRϕ Co-safe: ϕ = | | p | p | ϕ ϕ | ϕ | ϕUϕ Safe and co-safe LTL formulae can be transformed into automata with absorbing rejecting and accepting states, respectively [Kupferman and Vardi, 2001]. We observe that with these automata constructions, realizability of safe and co-safe formulae can be determined by performing only one test (Theorem 6). Theorem 6. LTL realizability for safe (resp. co-safe) specifications can be determined with strategies that are good for safe (resp. good for co-safe) formulae (cf. Table 1) by performing a single test with k = 0, in the case of reductions to Uk CW games, and k = 1, in the case of reductions to Nk BW games. Proof sketch. The proof follows from applying Lemma 3 in Theorems 2, 3, 4, and 5, with a construction of an NBW with absorbing accepting states. Here, we sketch the proof of one case. Let ϕ be a co-safe LTL formula, and let A = (A, NBW) be an automaton that accepts the models of ϕ. X, Y, ϕ Moore is realizable iff X, Y, (A, Nk BW) Moore is winning for all k, but this happens iff X, Y, (A, Nk BW) Moore is winning for k = 1 (because A has absorbing accepting states). Lemma 3 derives that this only happens iff Y, X, (A, Uk CW) Mealy is not winning for k = 0.

5 Automata Games via Planning In recent years there has been increased interest in the development of algorithms that exploit automated planning tech-

niques to synthesize programs of varying sorts including so-called generalized planning (e.g., [Aguas et al., 2016; Bonet et al., 2017]) and LTL synthesis. Camacho et al. [2018b] studied the correspondence between LTL synthesis and planning, and presented an algorithm to synthesize strategies, via planning, that is complete when the formula is transformed into deterministic B uchi automata, but not in general. Together with this work, it constitutes the first approach to LTL synthesis via planning. Also related to this work is [Camacho et al., 2018a], where planning technology is used to solve LTL synthesis for LTL interpreted over finite words [De Giacomo and Vardi, 2015]. Approaching LTL synthesis as planning enables the use of highly optimized search techniques and heuristics. Planning algorithms can reason about action costs, stochasticity, plan quality, and preferences. Our work opens the door to using planning technology for richer notions of LTL synthesis, including those that optimize for high-quality strategies [Almagor and Kupferman, 2016]. In this section we present reductions of Uk CW and Nk BW games to FOND planning. These reductions comprise the first complete approach to LTL realizability and synthesis via planning. For an LTL specification X, Y, ϕ , and a test strategy from Table 1, our approach consists of three steps:

(1) construct an automaton A (2) solve a sequence of automata games via FOND planning (3) determine realizability or unrealizability

In addition, and if the test is constructive, a fourth step can be performed to synthesize a winning strategy if realizable or a certificate of unrealizability if unrealizable. Step 1: LTL to automata In the first step we construct an automaton (A, NBW) that accepts the models of ϕ or ϕ, according to the strategy selected from Table 1. Our FOND compilation requires post-processing of the set of automaton transitions. Each transition t = (q, guard(t), q ) in A with guard guard(t) = W i ci in DNF is decomposed into a set of transitions ti = (q, ci, q ). Each ti has guard ci, that is a conjunctive formula over variables in X Y. For each ti, we denote by macro(ti) the set of transitions derived from t. It can be proved that the decomposition of the transitions does not affect the language accepted by the automaton. Step 2: Construction of a FOND Problem The second step takes as input the automaton generated in Step 1, and constructs a series of FOND problems Pk, for k 0. Each Pk

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)

simulates a game over a Uk CW or Nk BW automaton in accordance with the strategy selected from Table 1. We detail the FOND compilations for Uk CW and Nk BW automata games in Sections 5.1 and 5.2. Step 3: Determine Realizability or Unrealizability The compiled FOND problems Pk have the following property: Pk has a solution iffthe simulated automata game is winning. This property is exploited in the following manner: our technique searches for existence of solutions to the FOND problems Pk for k = 0, 1, . . . until the test in Table 1 is passed. Note that the tests are not guaranteed to terminate if, for instance, LTL realizability for an unrealizable specification is checked. However, termination can be achieved by combining two strategies in parallel: one that checks realizability, and another that checks unrealizability. Step 4: Construction of a strategy A finite state controller that implements a strategy that solves the synthesis p roblem for specification ϕ can be constructed from a policy for Pk. See [Patrizi et al., 2013; Camacho et al., 2017] for details.

5.1 Uk CW Games via Planning

Figure 1 describes the details of the compilation of a game with automaton A = Q, Σ, q0, δ, α into a FOND planning problem Pk. For illustration purposes, we assume the game is in the form X, Y, (A, Uk CW) Mealy, that is, we are searching for winning strategies for P2. At the end of the section we show how the dynamics of Pk can be modified to compile games in the form X, Y, (A, Uk CW) Moore. The dynamics of Pk simulates an infinite sequence of rounds in the two-player game. Each round is divided into three sequential stages. The first stage simulates the move of the environment and agent players. The move of P1 is simulated with a cascade of actions that non-deterministically assign a value to the variables in X. In turn, the moves of P2 are simulated with a cascade of deterministic actions that assign a value to the variables in Y. As a consequence of the player moves, some automaton transitions are deemed unfeasible. The second stage performs all automaton transitions. Fluents F(q) are true in a planning state if there exists a run of A on the play being simulated that ends in q. The third stage sets the value of the counters associated to each automaton state q. A fluent new Cnt(q, m) is true if there exists a run of A on the simulated play that ends in q and hits m accepting states. The fluent old Cnt(q, m) keeps track of the maximum number of hits for a fluent q. At the end of the third stage, the first stage is reestablished to simulate the next round. There are two important things to notice about the dynamics of Pk. First, when an input word being simulated is not accepted by (A, Uk CW) (that is, a run visits more than k accepting states), a deadend in Pk is incurred. This is because a fluent new Cnt(q, k + 1) prevents sync F actions to disable the fluent F(q), action continue is no longer applicable, and the first stage can no longer be reestablished. Second, the non-determinism of action continue ensures that execution of strong-cyclic solutions yield an infinite number of rounds in the game being simulated (cf. [Patrizi et al., 2013]). Finally, the turn-taking of player moves mandated by the semantics of the specification (Moore vs. Mealy) is forced by

Components of the Safe2FOND compilation:

F B {turn(vi)}0 i |X Y| {sync, goal} {poss(t)}t T {old Cnt(q, m), new Cnt(q, m)}q Q,0 m k I B {sync, old Cnt(q0, 0)} {safe(t)}t Safe(T) {poss(t)}t.orig=q0 Safe(T) B {(q, σ, q ) T | q < α} O B {move X(v)}v X {move Pos Y(v), move Neg Y(v)}v Y {trans Acc(t, m), trans Rej(t, m)}t T,0 m k {start Sync, continue} {sync F(q, m)}q Q,0 m k G B {goal} Stage 1: Actions that simulate X and Y moves:

Premove X(vi) = {turn(vi)} Effmove X(vi) = {turn(vi+1), turn(vi)} oneof(e1, e2) Premove Pos Y(vi) = {turn(vi)} Effmove Pos Y(vi) = {turn(vi+1), turn(vi)} e1 Premove Neg Y(vi) = {turn(vi)} Effmove Neg Y(vi) = {turn(vi+1), turn(vi)} e2 e1 = { poss(t)}t T, vi Lits(guard(t)) e2 = { poss(t)}t T,vi Lits(guard(t)) Stage2: Actions that simulate transitions, t T, 0 m k:

Pretrans Rej(t,m) = turn(v|X Y|), poss(t), safe(t), old Cnt(q, m)

Efftrans Rej(t,m) = {F(q ), new Cnt(q , m)} { poss(t )}t macro(t) Pretrans Acc(t,m) = turn(v|X Y|), poss(t), safe(t), old Cnt(q, m)

Efftrans Acc(t,m) = {F(q ), new Cnt(q , m + 1)} { poss(t )}t macro(t) Stage 3: Actions that synchronize the automaton, q Q, 0 m k:

Prestart Sync = turn(v|X Y|) { poss(t)}t T Effstart Sync = sync, turn(v|X Y|) { old Cnt(q, m)}q Q,0 m k Presync F(q,m) = {sync, F(q), new Cnt(q, m)} { new Cnt(q, n)}m<n k Effsync F(q,m) = {poss(t)}t.orig=q {old Cnt(q, m)} { F(q)} new Cnt(q, n)0 n k

Action that reestablishes the dynamics of the problem:

Precontinue = {sync} { F(q)}q Q Effcontinue = oneof(e3, e4) e3 = {goal} e4 = {turn(v0), sync}

Figure 1: Details of the Safe2FOND compilation for a game S = X, Y, (A, Uk CW) s with automaton A = Q, Σ, q0, δ, α .

establishing a fixed order in the variables v X Y. E.g. with the Moore semantics, the order must guarantee that the fluents turn(vi) first iterate over all variables in Y. Safe2FOND(S) denotes the FOND problem constructed from specification S = X, Y, (A, Uk CW) s, where s Moore, Mealy . The construction of Safe2FOND(S) is polynomial, and thus existence of a winning strategy for S can be determined in time that is exponential in the size of A. Recall that FOND planning is EXPTIME-complete in the size of succinct representations of the problem [Rintanen, 2004].

Theorem 7. The construction Safe2FOND(S) is a polynomial reduction of Uk CW games S into FOND planning. If π is a strong cyclic solution to Safe2FOND(S) then a winning strategy for S can be constructed from π.

Proof sketch. The proof of correctness for Uk CW-based

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)

automata compilations follows the intuition explained below. The dynamics of the automaton are captured by planning actions. Each planning state s simulates an automaton macrostate (as in the powerset construction), and has the property that F(q) s iffthere exists a run on the automaton in the simulated play that ends in q. In addition, planning states count the maximum number of times automaton runs hit accepting states. Given the properties above, and a fixed k, the Uk CW game has a winning strategy iffthere exists a policy that (1) only visits planning states with associated counter that is not greater than k, and (2) runs in perpetuity. Property (1) is achieved by forcing planning states with associated counter equal to k to be deadends and this is actually done in the current compilation. Property (2) is achieved by strong-cyclic solutions, with the trick of introducing the artificial non-deterministic action continue and dummy goals (cf. [Patrizi et al., 2013]). The construction of Safe2FOND(S) is polynomial. A transducer that implements a winning strategy can be constructed by unfolding a strong cyclic solution, collapsing states that belong to the same simulated turn.

5.2 Nk BW Games via Planning

The construction Safe2FOND presented in Section 5.1 can be modified into an algorithm, Reach2FOND, that solves Nk BW games via reduction to strong FOND planning. The main modifications follow. In contrast to safety games, solutions to a reachability game have to yield good prefixes. Recall that the compiled FOND problem has fluents new Cnt(q, m) that keep track of whether there exists a run of A on the play being simulated that hits m accepting states. In a Nk BW reachability game, a good prefix is achieved when a state in which new Cnt(q, k) holds is visited. As such, in Reach2FOND(S) the goal is no longer the dummy fluent goal, but to reach one of the fluents new Cnt(q, k) for q Q. The action continue is now deterministic, and its unique effect reestablishes the first stage. This time, not all runs of the automaton need to be carried over. To this end, action continue does not require all F(q) to be false, and instead falsifies all of them. Finally, strong solutions to Reach2FOND(S) yield winning strategies for S. The correctness and complexity results obtained in Section 5.1 extend to FOND compilations of Nk BW games.

Theorem 8. The construction Reach2FOND(S) is a polynomial reduction of Nk BW games S into FOND planning. If π is a strong solution to Reach2FOND(S) then a winning strategy for S can be constructed from π.

Proof sketch. Similar to the proof of correctness of Theorem 7, the dynamics of Reach2FOND(S) simulate plays of the game. This time, the dynamics simulate transitions in a NBW automaton. Planning states can do bookkeeping of some runs of the NBW (not necessarily all), and count the maximum number of times that these runs hit accepting states. In other words, a fixed play can be simulated by carrying over some runs of the NBW, or all, at the discretion of the planner. As such, strong solutions to Reach2FOND(S) yield winning strategies to S. A transducer that implements a winning strategy can be constructed by unfolding a strong

solution, collapsing states that belong to the same simulated turn. In the other direction, winning strategies can be simulated with the dynamics of Reach2FOND(S). The construction of Reach2FOND(S) is polynomial.

6 Multiple Automata Decompositions

Our automata-based approaches to LTL synthesis rely on worst-case exponential transformations of the LTL formula into NBW and UCW automata. In practice, this complexity can be reduced by systematically decomposing LTL formula ϕ into smaller subformulae and transforming them into multiple automata that together capture the models of ϕ. Such transformations have been exploited in some previous approaches to LTL synthesis (e.g., [Camacho et al., 2017; Bohy et al., 2012; Camacho et al., 2018a]) and in approaches to planning with LTL goals and preferences (e.g. [Baier and Mc Ilraith, 2006]). In Acacia+, specification ϕ is systematically decomposed into the conjunction of a set of subformulae ϕi, each of which is transformed into a UCW Ai. The resulting game is the composition of potentially smaller safety subgames, each one with associated Uk CW Ai, which run in parallel. Winning strategies have to avoid bad prefixes in all of the subgames. In [Camacho et al., 2018a], we presented a reduction of LTLf synthesis that is, synthesis of LTL specifications interpreted over finite words into FOND planning. The construction of a FOND problem is similar to the Nk BW-based compilation presented in this paper, with the major exception that the target was non-deterministic finite-state automata (NFA). Automata decompositions take a specification ϕ in NNF, decompose it into a conjunction of subformulae ϕi, and transform each ϕi into an NFA Ai. The resulting game is the composition of potentially smaller subgames, each one with associated NFA Ai, that run in parallel. The dynamics of all subgames are integrated within a single FOND problem, and the goal is achieved whenever all subgames are winning. The FOND compilations that we presented in Section 5 are also amenable to automata decompositions. FOND compilations of Uk CW games can use multiple automata decompositions following Acacia+, whereas Nk BW games can use automata decompositions following Camacho et al. [2018a].

7 Evaluation

We implemented the algorithms for LTL realizability and synthesis via FOND in a tool we named Syn Kit [Camacho et al., 2018c]. Syn Kit implements the algorithms presented in this paper, and others (e.g., those in [Camacho et al., 2018a] for finite LTL synthesis). We use Spot to transform LTL formulae into NBW [Duret-Lutz et al., 2016]. Reductions to automata games listed in Table 1 are solved via FOND planning with Safe2FOND and Reach2FOND compilations. We use PRP to generate strong cyclic solutions [Muise et al., 2012], and My ND to generate strong solutions [Mattm uller et al., 2010]. Our experiments were run on an Intel Xeon E5-2430 2.2GHz processor, and each process was limited to 30 minute run times and 4GB memory usage. We configured Syn Kit to perform reductions to Uk CW games with k 2 and Nk BW games with k 3.

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)

Real. Unreal.

Nk BW Uk CW

Nk BW Uk CW

Bowser Bosy ltlsynt Party

Amba Decomposed (23) 15 14 15 14 18 22 22 22 Detector (6) 1 2 2 4 3 4 3 6 Detector Unreal (6) 4 5 5 0 4 6 3 6 Full Arbiter (6) 1 2 2 4 2 2 5 6 Full Arbiter Unreal (12) 9 9 9 0 8 12 12 12 Genbuf (5) 0 0 0 4 0 0 0 3 Generalized Buffer (5) 0 0 0 5 0 0 0 3 Lilydemo (24) 16 16 5 5 21 19 24 24 23 24 Load Balancer (5) 1 2 2 2 2 2 3 4 Load Balancer Unreal (12) 11 11 11 0 7 11 11 11 Loadcomp (4) 1 2 2 4 4 4 4 4 Loadfull (4) 1 2 2 3 4 4 4 4 LTL2DBA (27) 18 23 23 26 24 24 27 27 LTL2DPA (24) 17 23 23 23 24 24 23 24 Prio Arbitrer (6) 1 1 1 5 3 3 4 5 Prio Arbitrer Unreal (4) 1 1 1 0 3 3 3 3 RR Arbiter (6) 1 1 1 3 3 3 5 2 RR Arbiter Unreal (4) 1 2 2 0 3 2 3 3 Simple Arbiter (6) 1 2 2 4 3 4 4 5 Simple Arbiter Unreal (11) 2 2 2 0 6 8 9 8

Table 2: Number of problems solved by Syn Kit on a collection of benchmarks used in SYNTCOMP 2017. Realizability (Real.) and unrealizability (Unreal.) tests were performed via reductions to Nk BW (i.e., safety) and Uk CW (i.e., reachability) games. Safety and reachability games were solved via FOND planning with Safe2FOND and Reach2FOND compilations, respectively. For reference and broad comparison, results for tools that participated at SYNTCOMP 2017 are also reported. Note that these results were run under more favorable computational settings.

Synthesis via Planning One of the main objectives of our experiments was to evaluate whether automated planning is a viable technology to address LTL synthesis. We tested the performance of our planning-based methods over a collection of benchmarks used in the sequential realizability track of the SYNTCOMP 2017 competition. Table 2 summarizes the aggregated coverage results (i.e., number of problems solved) obtained by Syn Kit. For reference, we include coverage results of participants in SYNTCOMP 2017: Party, ltlsynt, Bosy, Bowser, and Acacia+. These results are reported on the competition website. They were run with an Intel XEON E3-1271 3.6GHz processor, 32GB of memory, and a processing time limit of 60 minutes. Rather than giving a precise comparison of run time, our objective was to evaluate whether planning technology, and the algorithms presented in this paper are competitive with more mature synthesis tools. In terms of run time, we observed that most problems can be solved with low time and memory usage. In terms of coverage, while Syn Kit does not outperform any of the tools we compared with, it is very competitive and able to determine realizability for several problems that eluded other solvers. Advantage of Nk BW-based Reductions The second objective of our experiments was to assess the advantage of our novel bounded realizability methods over existing bounded synthesis. Table 2 details the coverage results obtained with the tests for determining realizability and unrealizabil-

ity listed in Table 1. The coverage obtained with reductions to Nk BW and Uk CW games is very similar. We observed that the run times differ significantly in some problems, and no method clearly dominates the other. Thus, bounded realizability can be an alternative to bounded synthesis.

8 Summary and Discussion

LTL synthesis is central to the automated construction of controllers and certain classes of programs. While LTL synthesis is a well-established problem, it has only been in the last decade that efficient tools have started to emerge. Common approaches to LTL synthesis reduce the problem to automata games and many modern tools make use of bounded synthesis techniques based on safety games played over Uk CW. In this paper we established the duality between so-called Mealy and Moore semantics of LTL specifications in the context of LTL synthesis. We exploited this duality to define novel reductions of LTL realizability to reachability games played over Nk BW automata. We also introduced the first complete approach to LTL realizability and synthesis via automated planning. Our approach compiles automata games into instances of FOND planning. Preliminary experimental results show that reductions to Nk BW games can be beneficial and complement other well-known reductions to Uk CW games. Moreover, they show that planning technology can be a competitive technique to approach synthesis.

Acknowledgements The authors gratefully acknowledge funding from the Natural Sciences and Engineering Research Council of Canada (NSERC) and Fondecyt grant numbers 1150328 and 1161526.

References [Aguas et al., 2016] Javier Segovia Aguas, Sergio Jim enez Celorrio, and Anders Jonsson. Generalized planning with procedural domain control knowledge. In ICAPS, pages 285 293, 2016. [Almagor and Kupferman, 2016] Shaull Almagor and Orna Kupferman. High-quality synthesis against stochastic environments. In CSL, pages 28:1 28:17, 2016. [Baier and Mc Ilraith, 2006] Jorge A. Baier and Sheila A. Mc Ilraith. Planning with temporally extended goals using heuristic search. In ICAPS, pages 342 345, 2006. [Bohy et al., 2012] Aaron Bohy, V eronique Bruy ere, Emmanuel Filiot, Naiyong Jin, and Jean-Franc ois Raskin. Acacia+, a tool for LTL synthesis. In CAV, 2012. [Bonet et al., 2017] Blai Bonet, Giuseppe De Giacomo, Hector Geffner, and Sasha Rubin. Generalized planning: Nondeterministic abstractions and trajectory constraints. In IJCAI, pages 873 879, 2017. [Camacho et al., 2017] Alberto Camacho, Eleni Triantafillou, Christian J. Muise, Jorge A. Baier, and Sheila A. Mc Ilraith. Non-deterministic planning with temporally extended goals: LTL over finite and infinite traces. In AAAI, pages 3716 3724, 2017.

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)

[Camacho et al., 2018a] Alberto Camacho, Jorge A. Baier, Christian J. Muise, and Sheila A. Mc Ilraith. Finite LTL synthesis as planning. In ICAPS, 2018. To appear.

[Camacho et al., 2018b] Alberto Camacho, Jorge A. Baier, Christian J. Muise, and Sheila A. Mc Ilraith. Synthesizing controllers: On the correspondence between LTL synthesis and non-deterministic planning. In Advances in Artificial Intelligence Proceedings of the 31st Canadian Conference on Artificial Intelligence, pages 45 59, 2018.

[Camacho et al., 2018c] Alberto Camacho, Christian J. Muise, Jorge A. Baier, and Sheila A. Mc Ilraith. Syn Kit: LTL synthesis as a service. In IJCAI, 2018. To appear.

[Cimatti et al., 2003] Alessandro Cimatti, Marco Pistore, Marco Roveri, and Paolo Traverso. Weak, strong, and strong cyclic planning via symbolic model checking. Artificial Intelligence, 147(1-2):35 84, 2003.

[De Giacomo and Vardi, 2015] Giuseppe De Giacomo and Moshe Y. Vardi. Synthesis for LTL and LDL on finite traces. In IJCAI, pages 1558 1564, 2015.

[Duret-Lutz et al., 2016] Alexandre Duret-Lutz, Alexandre Lewkowicz, Amaury Fauchille, Thibaud Michaud, Etienne Renault, and Laurent Xu. Spot 2.0 - A framework for LTL ω-automata manipulation. In ATVA, pages 122 129, 2016.

[Ehlers, 2010] R udiger Ehlers. Symbolic bounded synthesis. In CAV, volume 6174, pages 365 379. Springer, 2010.

[Ehlers, 2011] R udiger Ehlers. Experimental aspects of synthesis. In IWIGP, pages 1 16, 2011.

[Filiot et al., 2009] Emmanuel Filiot, Naiyong Jin, and Jean Franc ois Raskin. An antichain algorithm for LTL realizability. In CAV, pages 263 277, 2009.

[Geffner and Bonet, 2013] Hector Geffner and Blai Bonet. A Concise Introduction to Models and Methods for Automated Planning. Synthesis Lectures on Artificial Intelligence and Machine Learning, 7(2):1 141, 2013.

[Jacobs et al., 2016] Swen Jacobs, Felix Klein, and Sebastian Schirmer. A high-level LTL synthesis format: TLSF v1.1. In SYNT, pages 112 132, 2016.

[Jacobs et al., 2017] Swen Jacobs, Nicolas Basset, Roderick Bloem, Romain Brenguier, Maximilien Colange, Peter Faymonville, Bernd Finkbeiner, Ayrat Khalimov, Felix Klein, Thibaud Michaud, Guillermo A. P erez, Jean Franc ois Raskin, Ocan Sankur, and Leander Tentrup. The 4th reactive synthesis competition (SYNTCOMP 2017): Benchmarks, participants & results. In SYNT, pages 116 143, 2017.

[Jobstmann and Bloem, 2006] Barbara Jobstmann and Roderick Bloem. Optimizations for LTL synthesis. In FMCAD, pages 117 124, 2006.

[Khalimov et al., 2013] Ayrat Khalimov, Swen Jacobs, and Roderick Bloem. PARTY parameterized synthesis of token rings. In CAV, pages 928 933. Springer, 2013.

[Kupferman and Vardi, 2001] Orna Kupferman and Moshe Y. Vardi. Model checking of safety properties. Formal Methods in System Design, 19(3):291 314, 2001. [Kupferman and Vardi, 2005] Orna Kupferman and Moshe Y. Vardi. Safraless decision procedures. In FOCS, pages 531 542, 2005. [Kupferman, 2006] Orna Kupferman. Avoiding determinization. In LICS, pages 243 254, 2006. [Mattm uller et al., 2010] Robert Mattm uller, Manuela Ortlieb, Malte Helmert, and Pascal Bercher. Pattern database heuristics for fully observable nondeterministic planning. In ICAPS, pages 105 112, 2010. [Muise et al., 2012] Christian Muise, Sheila A. Mc Ilraith, and J. Christopher Beck. Improved Non-deterministic Planning by Exploiting State Relevance. In ICAPS, 2012. [Patrizi et al., 2013] Fabio Patrizi, Nir Lipovetzky, and Hector Geffner. Fair LTL synthesis for non-deterministic systems using strong cyclic planners. In IJCAI, 2013. [Pnueli and Rosner, 1989] Amir Pnueli and Roni Rosner. On the synthesis of a reactive module. In Conference Record of POPL, pages 179 190, 1989. [Rintanen, 2004] Jussi Rintanen. Complexity of planning with partial observability. In ICAPS, pages 345 354, 2004. [Schewe and Finkbeiner, 2007] Sven Schewe and Bernd Finkbeiner. Bounded synthesis. In ATVA, pages 474 488, 2007. [Sistla, 1994] A Prasad Sistla. Safety, liveness and fairness in temporal logic. Formal Aspects of Computing, 6(5):495 511, 1994. [Thomas, 1995] Wolfgang Thomas. On the synthesis of strategies in infinite games. In STACS, pages 1 13. Springer, 1995.

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence (IJCAI-18)