- Rajeev Alur, Thomas A. Henzinger, Orna Kupferman
- COMPOS
- 1997

Temporal logic comes in two varieties: <i>linear-time temporal logic</i> assumes implicit universal quantification over all paths that are generated by the execution of a system; <i>branching-time temporal logic</i> allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic:… (More)

- Orna Kupferman, Moshe Y. Vardi, Pierre Wolper
- J. ACM
- 2000

Translating linear temporal logic formulas to automata has proven to be an effective approach for implementing linear-time model-checking, and for obtaining many extensions and improvements to this verification method. On the other hand, for branching temporal logic, automata-theoretic techniques have long been thought to introduce an exponential penalty,… (More)

- Orna Kupferman, Moshe Y. Vardi
- Formal Methods in System Design
- 1999

Of special interest in formal verification are safety properties, which assert that the system always stays within some allowed region. Proof rules for the verification of safety properties have been developed in the proof-based approach to verification, making verification of safety properties simpler than verification of general properties. In this paper… (More)

- Rajeev Alur, Thomas A. Henzinger, Orna Kupferman, Moshe Y. Vardi
- CONCUR
- 1998

Alternating transition systems are a general model for composite systems which allow the study of collaborative as well as adversarial relationships between individual system components. Unlike in labeled transition systems, where each transition corresponds to a possible step of the system (which may involve some or all components), in alternating… (More)

- Orna Kupferman, Moshe Y. Vardi
- ACM Trans. Comput. Log.
- 1997

Automata on infinite words are used for specification and verification of nonterminating programs. Different types of automata induce different levels of expressive power, of succinctness, and of complexity. <italic>Alternating automata</italic> have both existential and universal branching modes and are particularly suitable for specification of programs.… (More)

- Orna Kupferman, Moshe Y. Vardi
- International Journal on Software Tools for…
- 1999

One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the… (More)

- Luca de Alfaro, Thomas A. Henzinger, Orna Kupferman
- Theor. Comput. Sci.
- 1998

An open system can be modeled as a two-player game between the system and its environment. At each round of the game, player 1 (the system) and player 2 (the environment) independently and simultaneously choose moves, and the two choices determine the next state of the game. Properties of open systems can be modeled as objectives of these two-player games.… (More)

- Orna Kupferman, Moshe Y. Vardi
- LICS
- 2001

In system synthesis, we transform a spe i ation into a system that is guaranteed to satisfy the spe i ation. When the system is distributed, the goal is to onstru t the system's underlying pro esses. Results on multi-player games imply that the synthesis problem for linear spe i ations is unde idable for general ar hite tures, and is nonelementary de idable… (More)

We continue the study of combinatorial property testing. For a property ψ, an ε-test for ψ, for 0 < ε ≤ 1, is a randomized algorithm that given an input x, returns “yes” if x satisfies ψ, and returns “no” with high probability if x is ε-far from satisfying ψ, where ε-far essentially means that an ε-fraction of x needs to be changed in order for it to… (More)

- Orna Kupferman, Moshe Y. Vardi
- 46th Annual IEEE Symposium on Foundations of…
- 2005

The automata-theoretic approach is one of the most fundamental approaches to developing decision procedures in mathematical logics. To decide whether a formula in a logic with the tree-model property is satisfiable, one constructs an automaton that accepts all (or enough) tree models of the formula and then checks that the language of this automaton is… (More)