recalls the background definitions and results; Section 4 defines the optimal model checking problem;

must reach a goal position avoiding an opponent, for example a fox that must reach a chicken and it is hindered by a dog, as shown in Figure 1.

The fox and the dog move in a grid, while the chicken stays in the upper right corner. The possible movements are: move up, down, left, right, or stop. Suppose that the fox moves faster than the dog (i.e. the fox can move at each step while the dog moves every other step) and that the dog is not standing still. The strategy of the fox can be to go towards the chicken unless the dog is on the way and in that case, it just stops until the dog moves and then it goes ahead. However, such a strategy does Figure 1: The fox-dog-chicken example. not reach the goal as soon as possible. Since the fox is quicker than the dog, a better strategy is to pass around the dog.

Given a set of propositional variables Σ , an STS over Σ is a tuple ⟨, Σ , , ⟩, where is a set of state variables disjoint from Σ , is a formula over , and is a formula over ∪ Σ ∪ ′. We assume the reader to be familiar with the standard notions of paths, traces, and products of STSs.

In order to specify properties, we consider Linear Temporal Logic with future and past operators, denoted by LTL and interpreted over infinite sequences of states. Two notable classes of properties that can be expressed in LTL are safety and co-safety properties. Safety properties are those properties which can be refuted by a bad-prefix, i.e., a finite computation than cannot be extended to an infinite computation that satisfies the formula. Conversely, co-safety properties are those properties which can be verified by identifying a good-prefix, i.e., a finite computation such that all infinite extensions satisfy the formula. In this paper we use the syntactic fragment LTLEBR [ 1 ] to express safety properties, and the dual fragment co-LTLEBR for co-safety ones.

Definition 3.1 (The logic co-LTLEBR). Let , ∈ N, a LTLEBR formula is inductively defined as follows: := | ¬ | 1 ∨ 2 | Y | 1S 2 := | ¬ | 1 ∨ 2 | X | 1U[,] 2 := | 1 ∧ 2 | X | F | U := | 1 ∨ 2 | 1 ∧ 2 (Pure Past Layer) (Bounded Future Layer)

(Future Layer) (Boolean Layer)

In the rest of the paper, we assume that Σ = ∪ is divided into two disjoint sets and of, respectively, controllable and uncontrollable variables.

Definition 3.2. An arena for a reachability game is given by a deterministic STS = ⟨, Σ , , ⟩ and a formula over , called winning condition. We say that a strategy for controller : (2 )+ → 2 wins the reachability game with arena and winning condition if for all sequences of choices made by environment = 1, 2, · · · ∈ (2 ), there exists such that the -th state of the unique path over the trace 1 · (1), 2 · (12), . . . satisfies .

Definition 3.3 (Reactive Synthesis problem). Let be a temporal formula over the alphabet Σ = ∪ . We say that is realizable if and only if there exists a strategy : (2 )+ → 2 such that for all = (1, 2, . . .) ∈ (2 ), it holds that the sequence satisfies 1 · (1), 2 · (12), . . . |= . The synthesis problem is the decision problem to say whether is realizable or not. If is realizable, the corresponding strategy is computed.

For co-safety properties, reactive synthesis can be reduced to finding a winning strategy in a reachability game defined from the formula. In [ 1 ] is shown how reactive synthesis from LTLEBR formulas can be reduced to solving a safety game over a monitor built directly from the specifications. Such monitor accepts only those traces satisfying the formula from which is built, while it goes into error state whenever a trace not satisfying the formula is met. Thanks to the duality between safety and reachability games, it is possible to synthesize a co-LTLEBR formula exploiting the monitor built from the corresponding LTLEBR formula, i.e. the negation.

LTL[ℱ ] and LTLdisc[ ]. In general, quantitative semantics assign a real value , K ∈ [ 0, 1 ] to J a formula over a sequence . As in [ 3 ], we extend the evaluation of a formula to a system as J, K := inf {J, K | ∈ ℒ ()}, and thus to a strategy as J, K := inf {J(), K | ∈ (2 )}.

to completely diferent runs. Thus, it is not possible to compare the semantics of × and ′ × on single runs. This is why in Def. 4.1, we use J × , K, which takes the minimum value of over all if and only if there exists a controller such that J × , K ≥ .

alphabet Σ =

∪ and is a plant model. We say that is realizable under assumption with value Suppose we can compute the value =

J

K × , , then we can reduce the optimal model checking problem to quantitative realizability of under the assumption with a value ′ > . In the next sections, we will show how this reduction can rely on qualitative realizability in the particular case of the ASAP quantitative semantics.

N ∪ {∞}. We then cast the semantics to [ 0, 1 ] ⊂ R that accepts exactly all informative prefixes of to be aligned with the standard definitions of quantitative semantics. Moreover, we introduce an alternative recursive definition of the ASAP semantics and show that the two definitions are equivalent.

The ASAP semantics is related to the notion of informative prefix introduced in [ 5 ] as the syntactical counterpart of the notion of “good prefix” for a co-safety formula: a finite computation that witnesses the satisfaction of the formula. While liveness, persistence, and reactivity LTL formulas do not necessarily have an informative prefix, if is a safety LTL formula then it is possible to build an automaton ¬ ¬ [ 5 ]. This “tightness” results on the monitor for a formula can be extended to LTLEBR by redefining the definition of informative prefix to include past operators as follows. and only if there exists a mapping : {0, . . . , } ↦→ 2() that respects the following conditions: We say that a finite computation = 0 1 . . . − 1 is an informative prefix for an LTL formula if 1. ∈ (0) 2. () is empty. 3. For all 0 ≤ ≤ − 1 and ∈ (): • if is ⊤, , or ¬, then it is satisfied by ; • if = 1 ∧ 2, then 1 ∈ () and 2 ∈ (); • if = 1 ∨ 2, then 1 ∈ () or 2 ∈ (); • if = X 1, then 1 ∈ ( + 1); • if = Y 1, then > 0 and 1 ∈ ( − 1); • if = Z 1, then = 0 or 1 ∈ ( − 1); • if = 1 U 2, then 2 ∈ () or [ 1 ∈ () and 1 U 2 ∈ ( + 1) ]; • if = 1R 2, then 2 ∈ () and [ 1 ∈ () or 1R 2 ∈ ( + 1) ]; • if = 1S 2, then 2 ∈ () or [ 1 ∈ () and 1S 2 ∈ ( − 1) ]; • if = 1T 2, then 2 ∈ () and [ 1 ∈ () or 1T 2 ∈ ( − 1) ].

recursively as follows: Definition 5.2

(ASAP recursive semantics). Let be an LTL formula and be a trace. The ASAP semantics of evaluated on at position is a natural number , denoted by , , KASAP and defined J {︃1 {︃1 +∞ +∞ +∞ 1 ≥ 0 ≥ 0 ︂{ ︂{ J , , 1 U 2KASAP = min J , , 1R2KASAP = max J , , 1S2KASAP = min 0≤ ≤ , , 1T2KASAP = max 0≤ ≤ max min ︂{ ︂{ ︂{ ︂{ max min ︂{ ︂{ J , + , 2KASAP + , max {︀ , + , 1KASAP + }︀

J 0≤ < J , + , 2KASAP + , min {︀ , + , 1KASAP + }︀

J 0≤ < J , − , 2KASAP − , max {︀ , − , 1KASAP −

︀}

J 0<≤ J , − , 2KASAP − , min {︀ , − , 1KASAP −

︀}

J 0≤ < ︂} ︂} ︂} ︂} if and only if , 0, KASAP = .

J ∞ − = ∞, if ∈ N, 0 − = 0, if ∈ N ∪ {∞}, and − ∞

where , , +, and − are defined on the extended natural numbers N ∪ {∞}. We recall that = 0, if ∈ N. We say that J, KASAP = the prefix of of length . If is a minimal informative prefix for , then , KASAP = , KASAP. J J Theorem 5.1. Let be an LTL formula, = 0 1 . . . be an infinite trace, and = 0 1 . . . − 1 be

LTL semantics can be reduced to a reachability game. The key step is to build an arena with a parametrized winning condition () so that there exists a winning strategy if there exists a controller such that J × , KASAP < . With such a construction, we can reduce the optimal model checking problem to a qualitative synthesis problem. This is achieved by 1) computing = J × , KASAP and 2) checking if there exists a winning strategy for the game with winning condition ().

We first define an STS counting the transitions from the initial state. It has a new state variable steps so that initially steps has value 0 and at each step it is increased by 1. Formally, we define the STS steps as follows: steps := ⟨{steps}, ∅, steps = 0, steps′ ↔ ite(steps < max , steps + 1, steps)⟩, where ite is the Boolean encoding of an if-then-else term and max is a suficiently large constant. Let be a deterministic STS with a boolean condition on the STS variables that is reached by any informative prefix of and built starting from an LTLEBR formula, as given by [ 1 ]. Recall that a boolean condition is reached by a STS if there exists a finite path 0 . . . in such that |= . Step 1, i.e. computing , can be solved by looking for a minimal such that × × × steps |= F( ∧ steps ≤ ).

Theorem 6.2. The ASAP LTL model checking problem for co-LTLEBR is 2EXPTIME-complete. Remark. It is not possible to synthesize a controller winning the game enforcing the monitor plant into error state, since the plant is assumed to be input-enabled and so the built monitor accepts any possible combination of controllable variables. Therefore, it is up to the environment to choose whether it goes into error state or not.

addressed optimization of the memory size of the controller (i.e., number of states of the automaton) [ 7 ] and minimization of waiting times for request-response conditions [ 8 ]. In this paper, we relate the problem of model checking open systems, also studied in [ 9 ], to the problem of optimal synthesis, using a quantitative semantics for LTL to define the problem of optimal model checking in terms of synthesis of a better strategy.

Several formalisms for quantitative semantics for temporal logic exist in the literature [10, 11, 12, 13, 14, 15, 16]. While these formalisms can be used to define optimality criteria, most of the current works concentrate on the model checking problem and do not consider the synthesis problem. Notable exceptions are the logics LTL[ℱ ] and LTLdisc[ ], introduced in [ 4 ], which extend LTL, the first, with propositional quality operators to prioritize and weight diferent satisfaction possibilities and, the second, with discounting operators, to take into account the delay incurred in the satisfaction of eventualities. The logic LTL[ℱ ] has been subsequently used to develop algorithms for quantitative assume-guarantee synthesis of GR(1) properties [ 3 ], for compositional assume-guarantee synthesis [17], and for the synthesis of finite-memory controllers of discrete event systems [ 18]. In particular, the ASAP quantitative semantics is very related to the logic LTLdisc[ ], which extends LTL with a “discounted until” U operator that takes into consideration the length of the prefix needed to satisfy the eventualities. It is parametrized by a function over the natural numbers. Indeed, with discounting function () = +11 , if and are propositional, the semantics of U is the same as the ASAP semantics of U . In [ 4 ], it is also remarked that a discounted next can be expressed using the normal X and the discounted until: one has to define () such that () = ( + 1) and then define the discounted next X ( ) as X(⊥ U ). However, in this case, the semantics of the discounted next and the discounted until use diferent discount functions. Moreover, the recursive definition of the temporal operators are not valid for LTLdisc[ ]. Thus, although the motivations are the same, the quantitative semantics that we propose difer from LTL disc[ ] and is more natural to express ASAP requirements in the sense that it is directly connected to the length of informative prefixes that satisfy the formula.

A line of research related to this paper is the study of “good enough/best efort synthesis”, a variant of synthesis in which the system is required to satisfy the specification only as long and as much as allowed by the environment, and it is allowed to fail when a satisfying computation does not exist [19, 20, 21, 22, 23]. While the formalisms and the algorithms are related to our work, the setting is quite diferent, as they aim to synthesize a controller that is “good enough” to at least partially respect the desired properties when they cannot be enforced, and not to synthesize the “best controller” under some optimality criteria.

have proved that the given controller is not optimal, since it enforces the specification in 15 steps, while the toolchain synthesized a controller which satisfies the specification in 7 steps.

To test the tool, we considered scalable formulas of increasing size. Since there are no other tools solving the optimal model checking problems for ASAP LTL, there are no comparisons with other software. The first formula considers a scenario where a car moves on a × square grid. The initial controller can only move the car up, down, left and right. The optimal controller synthesized by the tool is allowed also to move diagonally. We require the controller to reach points along the diagonal of the grid, avoiding a set of bad states, as formalized by: ¬ U (− 1 ∧ O(− 2 ∧ O(− 3 ∧ O(. . . ∧ O0)))), (1) where is the set of bad states defined as follows: = ⋁︀⌊− 1⌋( = ∧ = + 1). =0

The other 6 categories consist of synthetic formulas which are conjunctions and disjunctions of next, bounded finally, bounded globally, and unbounded finally and until operators. The plant consists of controllable variables , uncontrollable variables and is defined to flip the values of uncontrollable variables at each step, forcing mutual exclusion between odd and even uncontrollable variable. The formulas 1https://drive.google.com/file/d/1qbs6FvfcFeUQitwFWGImfuQcjgOkzQ7I/view?usp=sharing are aimed to test the toolchain by increasing the number of variables and the nesting of next operators: ⋀︁− 1 X(F[ 0,6 ]( = )) (2)

=0 ⋀︁− 1(XG[ 0,3 ]F[ 0,3 ]( = )) (3) =0

for a controller assuming some constraints on the environment. In order to do that, we formalized the optimal model checking problem w.r.t. LTL with a quantitative semantics able to capture the time needed to fulfill a property and so that its optimal model checking problem corresponds to check the

evaluation shows that the approach is indeed feasible. The paper opens various problems left for future work, e.g., how to solve the optimal model checking with other semantics, how to generalize the reduction to synthesis to support larger fragments of ASAP LTL, and how to scale up the verification for example exploiting incremental approaches.

the insightful comments on a preliminary version of this paper. [10] T. Anevlavis, M. Philippe, D. Neider, P. Tabuada, Being correct is not enough: Eficient verification using robust linear temporal logic, ACM Trans. Comput. Logic 23 (2022). doi:10.1145/3491216. [11] P. Bouyer, N. Markey, R. M. Matteplackel, Averaging in LTL, in: CONCUR, volume 8704 of LNCS,

Springer, 2014, pp. 266–280. [12] K. Chatterjee, L. Doyen, T. A. Henzinger, Quantitative languages, ACM Trans. Comput. Log. 11 (2010) 23:1–23:38. doi:10.1145/1805950.1805953. [13] M. Droste, G. Grabolle, G. Rahonis, Weighted Linear Dynamic Logic, Int. J. Found. Comput. Sci.

35 (2024) 145–177. doi:10.1142/S0129054123480088. [14] M. Faella, A. Legay, M. Stoelinga, Model Checking Quantitative Linear Time Logic, in: QAPL, number 3 in Electronic Notes in Theoretical Computer Science, Elsevier, 2008, pp. 61–77. [15] P. Gastin, B. Monmege, A unifying survey on weighted logics and weighted automata, Soft

Comput. 22 (2018) 1047–1065. doi:10.1007/S00500-015-1952-6. [16] Y. Li, M. Droste, L. Lei, Model checking of linear-time properties in multi-valued systems, Inf. Sci.

377 (2017) 51–74. doi:10.1016/J.INS.2016.10.030. [17] R. Dewes, R. Dimitrova, Compositional high-quality synthesis, in: Automated Technology for

[18] A. Sakakibara, N. Urabe, T. Ushio, Finite-Memory Supervisory Control of Discrete Event Systems for LTL[ℱ ] Specifications, IEEE Transactions on Automatic Control 67 (2022) 6896–6903. doi: 10. 1109/TAC.2021.3139221. [19] S. Almagor, O. Kupferman, Good-enough synthesis, in: CAV, 2020, pp. 541–563. [20] B. Aminof, G. D. Giacomo, S. Rubin, Best-Efort Synthesis: Doing Your Best Is Not Harder Than

Giving Up, in: IJCAI, 2021, pp. 1766–1772. doi:10.24963/IJCAI.2021/243. [21] B. Aminof, G. D. Giacomo, S. Rubin, Reactive Synthesis of Dominant Strategies, in: AAAI, 2023, pp. 6228–6235. doi:10.1609/AAAI.V37I5.25767. [22] B. Aminof, G. D. Giacomo, A. Lomuscio, A. Murano, S. Rubin, Synthesizing Best-efort Strategies under Multiple Environment Specifications, in: KR, 2021, pp. 42–51. doi: 10.24963/KR.2021/5. [23] M. Lahijanian, S. Almagor, D. Fried, L. E. Kavraki, M. Y. Vardi, This Time the Robot Settles for a

2015, pp. 3664–3671. doi:10.1609/AAAI.V29I1.9670. [24] A. Biere, K. Heljanko, S. Wieringa, AIGER 1.9 And Beyond, Technical Report 11/2, Institute for