The interest for games naturally arises in many contexts. In the formal analysis of systems, games are closely related to the controller synthesis problem and to the veri cation of open systems, and are useful tools for solving decision problems such as, for example, the model-checking of the -calculus formulas (see [ 6, 9 ]).

In controller synthesis, given a description of the system where some of the choices depend upon the input and some represent uncontrollable internal nondeterminism, the goal is to design a controller that supplies inputs to the system ? This work was partially funded by the MIUR grants FARB 2009-2010 Universita degli Studi di Salerno (Italy). so that the product of the controller and the system satis es the correctness speci cation, that clearly corresponds to computing winning strategies in twoplayer games. See [ 10 ] for a survey.

In the open systems setting, for instance, the Alternating Temporal Logic allows speci cation of requirements such as \module A can ensure delivery of the message no matter how module B behaves" [ 2 ]; module checking deals with the problem of checking whether a module behaves correctly no matter in which environment it is placed [ 8 ].

In this paper, we focus on pushdown systems. Pushdown systems accurately model the control ow in programs of sequential imperative programming languages with recursive procedure calls. A large number of hardware and software systems can be captured by this model, such as programs of object oriented languages, systems with distributed architectures and communication protocols. The study of games on such systems has traditionally focused on determining the existence of a winning strategy, that is a mapping that speci es for each play ending into a controlled state the next move such that each resulting play satis es the winning conditions [ 5, 12 ].

Here, we consider modular strategies [ 4 ], that are strategies where the next move is determined only looking at the local memory of the current activation of the current module. It is known that modular reachability games are NPcomplete [ 4 ]. Also, modular strategies have been considered for winning conditions expressed as an !-regular language, using Buchi, Co-Buchi automata or linear temporal logic formulas, and in particular, modular LTL games are known to be 2ExpTime-complete [ 3 ].

We extend the results on modular strategies to a more general class of winning conditions. We allow winning conditions expressed as formulas of the temporal logic CaRet [ 1 ]. The logic CaRet combines the temporal modalities of LTL with di erent kinds of successor (global, abstract and caller ) and can express both regular requirements and a variety of non-regular properties such as partial and total correctness of program blocks or inspection of the stack. By using an automaton theoretic approach, we show that solving the modular CaRet games is decidible within double exponential time. Since modular LTL games are already 2ExpTime-hard and CaRet sintactically includes LTL, we get that also modular CaRet games are 2ExpTime-complete. 2

Recursive game graph. A recursive game graph (RGG) is composed of game modules that are essentially two-player graphs (i.e., graphs whose vertices are partitioned into two sets depending on the player who controls the outgoing moves) with entry and exit nodes and two di erent kinds of vertices: the nodes and the boxes. A node is a standard graph vertex and a box corresponds to invocations of other game modules in a potentially recursive manner (in particular, entering into a box corresponds to a module call and exiting from a box corresponds to a return from a module). Each RGG has a distinct game module which is called the start module. A state of an RGG is composed by a call stack and a node. The notion of run can be de ned analogously to the computation of a standard procedural program (the modules corresponding to the procedures). A play of an RGG is a run starting from an entry node of the start module.

For a formal de nition of an RGG we refer the reader to [ 4 ].

Strategies. Given a player P , a strategy is a function that associates a move to every run that ends in a node controlled by P . A modular strategy consists of a set of local strategies, one for each game module, that are used together as a global strategy for a player . A local strategy for a module can only refer to the local memory of the module, i.e. the sequence of vertices that correspond to internal nodes, call or returns of the module. This sequence corresponds to the portion of the play concerning to the current invocation of the module.

For detailed comments and formal de nitions on recursive game graphs, strategies and modular strategies we refer the reader to [ 4 ].

Syntax Semantics ' := p j ' _ ' j : ' j g' j a' j ' j ' Ug' j ' Ua' j ' U ' (where p 2 AP [ fcall, ret, intg ) for a word = 1; 2; 3; :::; n; ::: 2 ^! and n 2 N : { ( ; n) j= p i n = (X; d) and p 2 X or p = d { ( ; n) j= '1 _ '2 i ( ; n) j= '1 or ( ; n) j= '2 { ( ; n) j= :'g 'i i( (; n;)s2uc'cg (n)) j= ', i.e., i ( ; n + 1) j= ' { ( ; n) j= { ( ; n) j= a' i succa (n)) 6= ? and ( ; succa (n)) j= ' { ( ; n) j= ' i succ (n)) 6= ? and ( ; succ (n)) j= ' { ( ; n) j= '1 Ub'2 (for any b 2 fg; a; g) i there is a sequence of position i0; i1; :::; ik; where i0 = n; ( ; ik) j= '2 and for every 0 j k 1; ij + 1 = succb (ij)) and ( ; ij) j= '1

CaRet. Let = 2AP where AP is a nite set of atomic propositions. We consider the augmented alphabet of that is ^ = fcall; ret; intg.

The syntax and the semantics of CaRet are reported in Fig. 1. We refer the reader to [ 1 ] for a detailed de nition of CaRet.

In this logic, three di erent notions of successor are used: { the global-successor (succg) which is the usual successor function. It points to next node, whatever module it belongs; { the abstract-successor (succa) which, for internal moves, corresponds to the global successor and for calls corresponds to the matching returns; { the caller successor (succ ) which is a "past" modality that points to the innermost unmatched call.

Typical properties that can be expressed by the logic CaRet are pre and post conditions. An example is the formula 2[(call ^ p ^ pA) ! aq]. If we assume that all calls to procedure A are characterized by the proposition pA, the formula expresses that if the pre-condition p holds when the procedure A is invoked, then the procedure terminates and the post-condition q is satis ed upon the return. This is the requirement of total correctness. Observe the use of the abstract next operator to refer to the return associated with the call. Modular CaRet games. A modular CaRet game is a pair hG; 'i where G is a RGG whose vertices (nodes, calls and returns) are labeled with a set of propositions and ' is a CaRet formula. Given a modular CaRet game hG; 'i we want solve the problem of deciding whether there exists a modular strategy such that the resulting plays are guaranteed to satisfy '.

Detailed comments and formal de nitions for modular CaRet games can be found in [ 13 ]. 3

In this section, we brie y sketch our solution to CaRet games. For the omitted details, we refer the interested reader to [ 13 ].

Our solution consists of three main steps.

Let hG; 'i be a modular CaRet game.

The rst step consists of constructing from hG; 'i an equivalent game hG0; colori with parity winning conditions such that jG0j = O(2j'j) . We build on the top of the construction given in [ 1 ] for model checking CaRet formulas. The main di erences are that we apply the construction to the negation of the formula ' instead of to the formula ' directly, and introduce fresh nodes to ensure the correct semantics of the interaction of the two players. Negating the formula is needed to use correctly the construction from [ 1 ]. We recall that this construction, such as all the constructions which are tableau based, are nondeterministic and therefore cannot be directly combined with a game graph in a cross product. Starting from the negated formula, we can apply the same tableau construction but now interpreting the nondeterminism as universality, and thus dualizing also the winning conditions we obtain a game graph which is equivalent to the starting one with respect to the considered decision problem. The resulting winning condition is the conjunction of a Buchi condition with a generalized co-Buchi one, that can be simpli ed to a single pair Rabin condition and thus to an equivalent parity condition.

Also, notice that both G and ' can de ne context-free languages, and problems such as inclusion and emptiness of intersection are undecidable for contextfree languages [ 7 ]. Therefore, translating ' into an automaton and then intersecting it with the recursive game graph does not seem feasible.

The second step consists of constructing from the parity game hG0; colori a two-way alternating parity tree automaton Awin similarly to what is done in [ 3 ]. The resulting automaton accepts a strategy tree i it corresponds to a winning modular strategy.

For the last step of our solution, we observe that by using [ 11 ] we can convert Awin to a one-way nondeterministic tree automaton and take its intersection with the Astrat that is a tree automaton accepting strategy trees. Thus, we get a one-way nondeterministic automaton A0 which accepts a tree i it corresponds to a winning strategy tree. Checking the emptiness of this automaton takes polynomial time in the number of states and exponential in the number of colors in the parity condition [ 10 ].

Since the constructed recursive game graph G0 is doubly exponential in the formula ' and linear in the recursive game graph G, color is constant and LTL games are already 2ExpTime-hard, we get: Theorem 1. Deciding modular CaRet games is 2ExpTime-complete.