Timed Alternating Tree Automata: The Automata-Theoretic Solution to the TCTL Model Checking Problem

We introduce timed alternating tree automata as a natural extension of timed automata for the purpose of solving the model checking problem for timed computation tree logic (TCTL) following the automata-theoretic approach. This settles a problem posed by Hen-zinger, Kupferman, and Vardi. With their pioneering work in the late fties and early sixties, BBchi, Rabin, Trakhtenbrot and others demonstrated that automata theory is a powerful tool for studying mathematical theories. Since then automata theory has been successfully applied to a variety of problems in mathematical logic and to numerous logic-related problems in computer science. A direction that has been particularly successful is the application of automata theory to model checking problems ; for as diierent speciication logics as LTL, CTL, CTL , and the-calculus, model checking algorithms have been obtained using an automata-theoretic approach , see, for instance, 13, 7, 12, 5]. Although the model checking problem for timed computation tree logic (TCTL) has been known to be decidable (to be precise, PSPACE-complete) for almost a decade now, see, for instance, 1, 2], it has withstood a satisfying treatment within an automata-theoretic framework. In fact, as Henzinger, Kupferman, and Vardi point out in the conclusion of 9], an appropriate automata-theoretic framework has not been available. In this paper , we present such a framework for the rst time and show how, within this framework, one can derive a model checking algorithm for TCTL. Moreover, the worst-case complexity of the algorithm thus obtained matches the worst-case complexity of previous algorithms. The automata-theoretic approach to model checking problems can be roughly explained as follows. To check whether or not a given formula ' holds in a system S, one rst constructs an automaton A ' that accepts the unravelings of all systems in which ' holds, then forms an appropriate product automaton A ' S, and nally solves a certain word problem (or the emptiness problem) for A ' S. As pointed out in 9], the particular problem that arises in the timed framework is the following. On the one hand, TCTL satissability is undecidable; on the other hand, TCTL model checking is decidable, see 2]. So the automaton model to be used in the timed setting would have to have an undecidable emptiness problem (for automata of the form A ') but some kind of decidable word problem (for automata of the form A ' S). This is exactly what happens …