GR(1)*: GR(1) specifications extended with existential guarantees

Reactive synthesis is an automated procedure to obtain a correct-by-construction reactive system from its temporal logic specification. GR(1) is an expressive assume-guarantee fragment of LTL that enables efficient synthesis and has been recently used in different contexts and application domains. A common form of providing system's requirements is through use cases, which are existential in nature. However, GR(1), as a fragment of LTL, is limited to universal properties. In this paper we introduce GR(1)*, which extends GR(1) with existential guarantees. We show that GR(1)* is strictly more expressive than GR(1) as it enables the expression of guarantees that are inexpressible in LTL. We solve the realizability problem for GR(1)* and present a symbolic strategy construction algorithm for GR(1)* specifications. Importantly, in comparison to GR(1), GR(1)* remains efficient: the time complexity of our realizability checking and synthesis procedures for GR(1)* is identical to the time complexity of the known corresponding procedures for GR(1).


Introduction
Reactive synthesis is an automated procedure to obtain a correct-by-construction reactive system from its temporal logic specification [PR89]. Rather than manually constructing an implementation and using model checking to verify it against a specification, synthesis offers an approach where a correct implementation of the system is automatically obtained for a given specification, if such an implementation exists.
GR(1) is a fragment of linear temporal logic (LTL) [Pnu77], which has an efficient symbolic synthesis algorithm [BJP + 12, PPS06] and whose expressive power covers most of the well-known LTL specification patterns of Dwyer et al. [DAC99,MR15a]. GR(1) specifications include assumptions and guarantees about what needs to hold on all initial states, on all states and transitions (safety), and infinitely often on every run (justice). GR(1) synthesis has been used and extended in different contexts and for different application domains, including robotics [KFP09, MSP + 16, MR15b], scenario-based specifications [MS12], aspect languages [MS11], event-based behavior models [DBPU13], hybrid systems [FDL + 16], and device drivers [WR14], to name a few.
A common form of providing system's requirements is through use cases [AM04,Jac04,Poh10]. In contrast to universal behaviors, i.e., which must hold on all possible system runs, use cases describe possible, existential behaviors. Use cases are commonly used in the early stages of requirements analysis and specification, as they are natural to define from a user's perspective and as in these stages, invariants may be too strong to be specified correctly. Use cases are useful also in specifying alternative and exceptional behaviors, which, by nature, do not appear in every run, and in specifying examples of behaviors that should not be possible. They are further commonly used again in later stages of development, to prescribe test cases. Despite all the above, to the best of our knowledge, no previous work has proposed efficient reactive synthesis for specifications that include not only universal but also existential properties.
In this work we present GR(1)*, which extends GR(1) specifications and synthesis with existential guarantees. GR(1)* allows engineers to naturally describe use cases as part of the specification and to efficiently synthesize a correct-by-construction controller that guarantees to make them possible.
We formally define GR(1)* and show that it is strictly more expressive than GR(1) (as it can express properties that are in CTL* [EH86] and outside LTL). We show how to solve GR(1)* games using a symbolic fixed-point algorithm, and present a corresponding controller construction.
Importantly, in comparison to GR(1) [BJP + 12], GR(1)* induces the same cost in terms of time complexity. Specifically, in [BJP + 12], GR(1) games are solved in time O(nmN 2 ) where n is the number of justice guarantees, m is the number of justice assumptions, and N is the size of the state space, 2 X ∪Y . The time complexity of our solution for GR(1)* games is O((nm + k 1 | reg k |)N 2 ), where reg 1 , . . . reg are the regular expressions that appear in the existential guarantees. Hence, both games are solved in time O((| ϕ | N ) 2 ) where ϕ is the GR(1) or GR(1)* formula.
A preliminary version of the present work has appeared in [AMP19]. In this journal paper we extend it as follows. First, we present a complete definition of GR(1)*, which uses regular expressions. This complete definition generalizes the original restricted definition and makes it flexible and strictly more expressive. Second, we present another existential operator GE + (Sect. 7), a discussion and extensions for the case where the specification is well-separated (Sect. 8), and a discussion and results on unrealizability in GR(1)* games (Sect. 9). Third, we present an extended empirical evaluation, including an implementation of the proposed extended technique, and experiments performed over the well-known AMBA specification benchmark [ARM, BGJ + 07], extended with existential guarantees (Sects. 2 and 10). Finally, we include proofs, which were not included in [AMP19].
The paper is organized as follows. Section 2 presents a motivating example, the well-known AMBA specification extended with existential guarantees. Section 3 presents required background definitions. In Sect. 4 we introduce GR(1)* formulas, and show that they extend the expressive power of the GR(1) fragment of LTL. In Sect. 5 we show how to solve GR(1)* games using a symbolic fixed-point algorithm, and in Sect. 6 we present a corresponding controller construction. In Sect. 7 we present additional forms of existential guarantees, and corresponding ways to support them. In particular, we also show how to support past LTL formulas in existential guarantees. In Sect. 8 we prove that with well-separated environment specifications [KP10,MR16], our solution achieves a stronger winning condition, and in Sect. 8.2, we show that a well-separated environment enables support for deterministic Büchi properties in existential guarantees. In Sect. 9 we discuss GR(1)* unrealizability, and show that in contrast to GR(1), some GR(1)* games admit states from which neither the system nor the environment has a winning strategy. Finally, in Sect. 10 we present an empirical evaluation of the proposed synthesis technique. Section 11 discusses related work and Sect. 12 concludes and suggests future research directions. All proofs are provided in Appx. A.

Example: ARM AMBA AHB arbiter 2.1. Background
ARM Advanced Microcontroller Bus Architecture (AMBA) is a widely acceptable industrial standard bus interface [ARM]. The most known bus defined within AMBA, Advanced High-performance Bus (AHB), constitutes a popular GR(1) specification example and benchmark [BGJ + 07, BJK14, CRST08, FMR20, GCH13, KHB13, KMR17, MRS19, MS20a, MS20b,PPS06]. The AHB arbiter handles data transfers from masters to slaves. Each master can raise a request to deliver data. The request can be an ordinary request or a locked-request.
When a locked-request is granted by the arbiter, the master performs a locked-access to the bus, which will not be interrupted until data-transfer is completed. There are three types of data-transfers: a single transfer, a four-length transfer, and an unspecified-length transfer.
We now present the input and output variables, with a description of their intuitive interpretation. For convenience, we also use finite-type variables that are not Boolean. Formally, these variables are to be replaced with several Boolean variables that model the value they store. In our description below, we specify the type of the variable only in case of a non-Boolean variable.
We start with the environment variables: • HBUSREQ i -Master i raises a request to access the bus.
• HLOCK i -Master i raises a request to a locked-access to the bus. HLOCK i is raised together with HBUSREQ i .
• HBURST-Store values from the set {SINGLE, BURST4, INCR}, which indicate if the master requests to deliver a single transfer, a four-length transfer, or an unspecified-length transfer, respectively. When master i gets a permission to a locked-access to the bus, it announces the type of the transfer through variable HBURST. • HREADY-Raised by a slave to indicate that data-processing is completed.
We continue with the system variables: • HGRANT i -The request by master i is granted, and master i can start and transfer data in the next step.
• HMASTER-Store values from {0, . . . , n}. For i > 0, HMASTER=i means that master i currently owns the bus, and can deliver data. HMASTER=0 indicates that no master is currently allowed to use the bus. • HMASTLOCK-Raised when the master that currently owns the bus is performing a locked-access.
• START-Raised when a master starts to transfer data.
• LOCKED-Raised when some master performs a locked-access.
• DECIDE-Raised when the arbiter decides to grant a request by some master. Raising DECIDE enables changing the value of LOCKED, if the arbiter grants a locked-access, and the value of HGRANT i , when master i 's request is to be granted.
We refer the reader to [BGJ + 07] for the complete specification of AMBA AHB. The specification ensures that the following hold: • The bus cannot be accessed by two masters simultaneously.
• Every request to access the bus will be granted eventually.
• A granted locked-access will not be interrupted.
The above can be written as a GR(1) specification.

Adding examples of existential guarantees
We now describe example existential guarantees one can add to the AMBA specification using GR(1)*. An existential guarantee is an expression of the form GEF (reg) where reg is a regular expression. The meaning of this expression is discussed and formally defined in Sect. 4.
First, assume that the requirements document describes a typical use case: master i requests a locked-access, and after a while its request is granted; while master i uses the bus, master j raises a request and is forced to wait at least until data-transfer by master i is completed. Thus, in our example, the engineer formalizes the following guarantees and adds them to the specification: Use case A i,j . Master j i waits while master i performs a locked-access. GEF (reg) where reg Amram et al. Second, the engineer is aware that sometimes a synthesized controller may achieve its goals by preventing certain events from happening, and she wishes to avoid such vacuous solutions and problematic situations. As an example, she considers the allegedly possible situation, in which the arbiter always prevents unlocked-accesses from being completed. She thus formalizes and adds the following guarantees to the specification: Use case B i . Master i successfully completes an unlocked transfer. GEF (reg) where reg (HMASTER i ∧ ¬HMASTLOCK) + HREADY.
Finally, an example of using a negative scenario as a 'test'. The engineer believes that the specified arbiter satisfies a strong fairness property: it is impossible that a master's request remains pending while another master gets access to the bus twice.
To test this hypothesis, she checks whether the specification with the following additional existential guarantees is unrealizable: Master i raises a request, and master j gets to access the bus twice before granting master i 's request. GEF (reg) where reg

Preliminaries
In this section we present notations and definitions we use throughout the paper. We further survey some fundamental facts in the field that are important to establish our results. Our notations are standard and mostly based on [BJP + 12].

Game structures and strategies
For a set of Boolean variables V, a state is an element s ∈ 2 V , an assertion is a Boolean formula over V, and | is the satisfaction relation between a state and an assertion. true and false are the assertions satisfied by every state and by no state, resp. As an assertion naturally corresponds to the set of states by which it is satisfied, we refer to sets of states as assertions and we may write s | A instead of s ∈ A. For Z ⊆ V and s ∈ 2 V , s | Z denotes the state s ∩ Z ∈ 2 Z . For a set of variables V, V is the set of variables obtained by replacing each v ∈ V with v . Likewise, for s ∈ 2 V and an assertion a over V, s ∈ 2 V and a are the state and assertion obtained by replacing each variable v with v . If V 1 , . . . , V k are pairwise disjoint sets of variables and s i ∈ 2 V i , we write (s 1 , . . . , s k ) as an abbreviation for s 1 ∪ · · · ∪ s k . Thus, (s 1 , . . . , s k ) is a state over V V 1 ∪ · · · ∪ V k . A game structure is a tuple G S (X , Y, θ e , θ s , ρ e , ρ s ), where X , Y are disjoint sets of variables, θ e is an assertion over X , θ s is a assertion over X ∪ Y, ρ e is an assertion over X ∪ Y ∪ X , and ρ s is an assertion over X ∪ Y ∪ X ∪ Y . Intuitively, a game structure defines how two players, the environment and the system, choose inputs and outputs repeatedly. θ e and θ s set rules for the beginning of the play; the environment chooses an initial input s x | θ e and, in response, the system chooses an output s y such that (s x , s y ) | θ s . Afterwards, the players take turns choosing inputs and outputs in compliance with the safety assumptions and guarantees, ρ e and ρ s , resp. Specifically, from a state s ∈ 2 X ∪Y , the environment can choose an input s x ∈ 2 X , such that (s, s x ) | ρ e , and the system may respond with an output A state s is said to be a deadlock for the system if there exists s x ∈ 2 X such that (s, s x ) | ρ e and for all s y ∈ 2 Y , (s, s x , s y ) | ρ s . Analogously, a deadlock for the environment is a state s for which there is no s x such that (s, s x ) | ρ e . A play is a sequence of states, s 0 , s 1 , s 2 , . . . , such that (1) for two consecutive states s i , s i+1 , (s i , s i+1 ) | ρ e ∧ ρ s , and (2) either it is infinite or it ends in a deadlock.
A strategy for the system from S ⊆ 2 X ∪Y is a partial function f s : (2 X ∪Y ) + × 2 X → 2 Y such that (1) for s 0 ∈ S , (s 0 ) is consistent with f s ; (2) if (s 0 , . . . , s k ) is consistent with f s , s k is not a deadlock for the system, and (s k , s x ) | ρ e for s x ∈ 2 X , then f s (s 0 , . . . , s k , s x ) is defined, and for s y f s (s 0 , . . . , s k , s x ), (s k , s x , s y ) | ρ s , and the sequence (s 0 , . . . , s k , (s x , s y )) is consistent with f s . We say that an infinite sequence of states is consistent with f s if any of its finite prefixes is consistent with f s . A strategy for the environment player is a partial function f e : (2 X ∪Y ) + → 2 X that satisfies the analogous requirements. Consistency of a sequence with f e is also defined analogously.
A controller determines a strategy from S ⊆ 2 X ∪Y for the system using a finite memory. Formally, a controller C is a partial function with a set of memory values M . The controller has an initial value m 0 , and for some tuples A controller C , from S , can also be viewed as a partial function over (2 X ∪Y ) + × 2 X . C (s 0 , . . . , s k , s x ) (s y , m) if, from state s 0 , by receiving inputs s 1 | X , . . . , s k | X , s x , the controller replies with s 1 | Y , . . . , s k | Y , s y , and the final value of its memory is m. Formally, we require that the following holds: • For s 0 ∈ S , (s 0 ) is consistent with C and for every s x ∈ 2 X such that (s 0 , s x ) | ρ e , we require that C (s 0 , s x , m 0 ) is defined, and if C (s 0 , s x , m 0 ) (s y , m 1 ), we write C (s 0 , s x ) (s y , m 1 ); • Assume that (s 0 , . . . , s k ) is consistent with C where s 0 ∈ S , and for s x ∈ 2 X , C (s 0 , . . . , s k , s x ) (s y , m k +1 ).
Then, (s 0 , . . . , s k , (s x , s y )) is consistent with C , and we require that for every Clearly, a controller C defines a strategy for the system f s

Linear temporal logic and the GR(1) fragment
Linear temporal logic (LTL) [Pnu77] is a language to specify properties over infinite words. Given a set of variables, V, LTL formulas are generated by the grammar where p is an assertion over V and parenthesis may be used to determine the order of operator activations. Given an infinite sequence of states π ∈ (2 V ) ω , π i denotes the suffix of π that starts from the i -th state in π (counting from zero). The term π | ϕ is defined inductively on the structure of ϕ: (6) Boolean operators are treated standardly.
Given a game structure G S (X , Y, θ e , θ s , ρ e , ρ s ), an LTL formula ϕ, and a play π , π wins for the system w.r.t. ϕ in G S if either it ends in a deadlock for the environment, or it is infinite and π | ϕ. Otherwise, it wins for the environment w.r.t. ϕ in G S. A strategy for the system (resp. environment) f s (resp. f e ) wins from s ∈ 2 X ∪Y w.r.t. ϕ in G S if every play from s, consistent with f s (resp. f e ), wins for the system (resp. environment) w.r.t. ϕ in G S. A strategy for the system (resp. environment) f s (resp. f e ) wins from S ⊆ 2 X ∪Y w.r.t. ϕ in G S if it wins from every s ∈ S . The winning region of the system (resp. environment) is the maximal set of states from which the system (resp. environment) wins. A strategy for the system f s is a winning strategy w.r.t. ϕ in G S if for every s x | θ e there exists s y ∈ 2 Y such that (s x , s y ) | θ s and f s wins from (s x , s y ) w.r.t. ϕ in G S. Analogously, a strategy for the environment f e is a counter-strategy w.r.t. ϕ in G S if there exists s x | θ e such that for every Among LTL formulas, of special interest to us is the GR(1) fragment [BJP + 12]. A GR(1) formula is an LTL formula of the form m j 1 GF (a j ) → n i 1 GF (g i ), where a 1 , . . . , a m , g 1 , . . . , g n are assertions. The assertions a 1 , . . . , a m are called justice assumptions, and g 1 , . . . , g n are called justice guarantees.

m-calculus over game structures
Modal μ-calculus [Koz82] is a modal logic enriched by least and greatest fixed-point (l.f.p. and g.f.p.) operators. Since we are interested in games that model reactive systems, we adopt the form of [BJP + 12], which uses the controllable predecessor operators and .
where p is an assertion over V. A μ-calculus formula defines a subset of 2 V . In words, φ defines the set of states from which the system can enforce reaching next a state in the set that φ defines, and φ defines the set of states from which the environment can enforce reaching next a state in the set that φ defines. μ and ν denote the l.f.p. and g.f.p. operators, resp. For a game structure, G S (X , Y, θ e , θ s , ρ e , ρ s ), and a valuation E : V ar → 2 (2 X ∪Y ) , the semantics of a μ-calculus formula over X ∪ Y is defined by: • For an assertion p, p E G S {s ∈ 2 V : s | p}; • For X ∈ V ar, X E If all relational variables in φ are bound by fixed-point operators, we omit the notation E, and just write φ G S . We remark that by Knaster-Tarski theorem [Tar55], μ X φ E G S and νX φ E G S indeed return the l.f.p. and g.f.p. of the function S → φ . This theorem can be applied since the positive form ensures that the function is monotone, so l.f.p. and g.f.p. exist.

Finite automata
We survey few fundamental definitions and results from the field of automata theory. A non-deterministic finite automaton (NFA) is a tuple A (Q, 2 V , , q 0 , F) where Q is a finite set of states, V is a set of variables, : Q × 2 V → 2 Q is the transition function, q 0 ∈ Q is the initial state, and F ⊆ Q is the set of accepting states. For q i , q j ∈ Q and s ∈ 2 V , we write q i s −→ q j as a shorthand for q j ∈ (q i , s). We extend the notation q i −→ q j over words, inductively: (1) for every q ∈ Q, q ε −→ q; (2) for q i , q j ∈ Q, and w ∈ ( The language of the automaton, L(A) ⊆ (2 V ) * , is the set of all words accepted by the automaton A.
An NFA A (Q, 2 V , , q 0 , F) is a deterministic finite automaton (DFA) if for every q ∈ Q and s ∈ 2 V | (q, s) | 1. Standardly, from this point on, we shall prefer the notation δ to denote the transition function of a DFA, and we prefer to denote the transition function of an NFA which is not deterministic. Moreover, for a DFA A (Q, 2 V , δ, q 0 , F), q i , q j ∈ Q, and s ∈ 2 V , we write δ(q, s) q j instead of δ(q i , s) {q j }.
Let V be a set of states. A regular expression is generated by the grammar where p is an assertion. The semantics of a regular expression reg is a language, L(reg) ⊆ (2 V ) * , defined by: • For reg ∅, L(reg) ∅.
A fundamental result states that a language L ⊆ (2 V ) * is accepted by some NFA iff it is accepted by some DFA iff it is the language of some regular expression [Hop08].
A non-deterministic Büchi automaton (NBW) accepts infinite words. It is defined in the same way as an NFA, and differs from a NFA in its acceptance condition. An NBW A (Q, 2 V , , q 0 , F) accepts a word w ∈ (2 V ) ω if w can be written as a concatenation of non-empty finite words w w 1 w 2 · · · such that there exists a sequence of accepting states q 1 , q 2 , · · · ∈ F ω that satisfies: Thus, the language of an NBW is an ω-language i.e. a language of infinite words. An NBW is a deterministic Büchi automaton (DBW) if for every q ∈ Q and s ∈ 2 V , | (q, s) | 1. As for finite automata, we shall use the notation δ to denote the transition function of a DBW, and write δ( An ω-regular expression is an expression of the form reg 1 reg 1 ω + · · · + reg n reg n ω where reg 1 , reg 1 , . . . , reg n , reg n are regular expressions, and for each i ∈ {1, . . . , n}, ε ∈ L( reg i ). The language of the ω-regular expression reg 1 reg 1 ω + · · · + reg n reg n ω is an ω-language defined by L(reg) if w can be written as w w 0 w 1 · · · such that w 0 ∈ L(reg i ), and ∀ j > 0(w j ∈ L( reg i )). Such a language is said to be an ω-regular language. An ω-language is an ω-regular language iff it is the language of some NBW. But, some ω-regular languages are not recognized by any DBW [GTW02].

GR(1)*: going beyond LTL
We are now ready to define GR(1)* formulas and winning conditions. Following the definition, we first show that GR(1)* formulas capture properties that are inexpressible in LTL. In fact, already the restricted form of GR(1)* that we presented in the preliminary version of this paper [AMP19], allows one to express properties that are expressible neither in LTL nor in CTL [CE81]. We then show that the more general GR(1)* we define here captures properties that are inexpressible in CTL*.
We further prove that in the context of game-structures, a GR(1)* winning condition cannot be expressed via an LTL formula. Consequently, in particular, this implies that GR(1)* winning conditions are more expressive than GR(1) winning conditions.

GR(1)* formulas
GR(1)* extends the GR(1) fragment of LTL with existential guarantees of the form GEF (reg), where reg is a regular expression over a set of variables V. As in the case of justice guarantees, these existential guarantees should hold if all justice assumptions are satisfied infinitely often. Therefore, since this formula prescribes a possible behavior, the synthesized controller should either make it possible to satisfy reg infinitely often, or enforce the violation of at least one of the assumptions.

Definition 4.1 (GR(1)*) A GR(1)* formula over a set of variables V is a formula of the form
where a 1 , . . . , a m , g 1 , . . . , g n are assertions over V, and reg 1 , . . . , reg are regular expressions over V.
GR(1)* uses CTL* operators, together with regular expressions. We treat regular expressions as atomic path formulas, with the natural semantics: π ). Note that our definition includes existential guarantees but no existential assumptions. Adding such assumptions would only make it easier for the system to win by enforcing violation of the assumptions, which is undesirable. Still, importantly, note that the existential guarantees in GR(1)* may use not only system variables but also environment variables. , we presented a restricted form of GR(1)*, in which the existential guarantees are of the form GEF (e 1 ∧ F (e 2 ∧ F (e 3 · · · F (e r ) · · · ))), where e 1 , . . . , e r are assertions. This is, effectively, a restricted form of GR(1)* since such an existential guarantee can be replaced with GEF (reg) where reg is a regular expression whose language is that of the following NFA: In words, for i < j , q i e i+1 ∧···∧e j −→ q j , and for i > 0, q i true → q i . For the scope of this section, we denote this restricted fragment of GR(1)* from [AMP19] by GR(1)*[rest].
In [AMP19], we showed that both syntactically and semantically, GR(1)*[rest] is a fragment of CTL* that is neither a subset of LTL nor a subset of CTL. For instance, the GR(1)*[rest] formula A GF (a) → (GF (g) ∧ GEF (e)) is expressible neither in LTL nor in CTL (this can be proved using arguments similar to [EH86]). Moreover, the GR(1)* formula A(GF (true) → (GF (true)∧GEF ((ab) * c))) is inexpressible in CTL* [MMDdJ11]. All the above establish the relationships depicted in Fig. 1.

GR(1)* winning condition
We now define when a strategy is winning w.r.t. a GR(1)* winning condition. As GR(1)* uses CTL* operators, we essentially apply the definition of winning strategies for reactive systems with CTL* winning conditions [KV00] (while treating regular expressions as path formulas, as explained above). That is, roughly, we wish to say that a strategy is winning if it induces a computation tree that satisfies the GR(1)* formula. However, since, in contrast to [KV00], we consider game structures that restrict the steps that the players can perform, we cannot directly apply the definition of [KV00], and some technical changes are necessary. Specifically, a strategy may induce a tree that has a branch that is finite (rather than infinite) and ends in a deadlock. Thus, this tree is not a computation tree in the sense of [KV00], and our formal definition takes this fact into consideration.
Consider a game structure G S (X , Y, θ e , θ s , ρ e , ρ s ), and a GR(1)* formula ψ Definition 4.2 Let f s be a strategy for the system, and π π (0), π(1), . . . a play in G S, consistent with f s . The pair (f s , π) wins for the system w.r.t. ψ in G S if one of the following holds: 1. π is finite and it reaches a deadlock for the environment. 2. π is infinite and π | FG(¬a j ) for some justice assumption a j . 3. π is infinite, and the following hold: k 1 GEF (reg k ): For every i ≥ 0, and an existential guarantee GEF (reg k ), the i th prefix of π , π (0), . . . , π(i ), can be extended to a playπ , consistent with f s , such that for some r 0 and r 1 , with i ≤ r 0 ≤ r 1 , it holds thatπ(r 0 ) · · ·π (r 1 ) ∈ L(reg k ).

Definition 4.3 (GR(1)* winning condition)
A strategy for the system f s wins from a state s w.r.t. ψ in G S, if for every play π from s, consistent with f s , the pair (f s , π) wins for the system w.
Throughout the paper, when the GR(1)* formula or the game structure we discuss are clear from the context, we omit their name and write, for example, "f s is a winning strategy" instead of "f s is a winning strategy w.r.t. ψ in G S".

Inexpressibility of GR(1)* winning conditions in LTL
The fact that GR(1)* is inexpressible in LTL (see Sect. 4.1), does not imply that a GR(1)* winning condition cannot always be replaced with an LTL winning condition. To conclude this form of inexpressibility, we show that the arguments of [EH86] apply in the context of synthesized reactive systems.
We say that an LTL winning condition ϕ is equivalent to a GR(1)* winning condition ψ, if for any game structure G S, and for any strategy Unsurprisingly, the example of [EH86] works in our context as well, and proves that GR(1)* winning conditions are inexpressible in LTL.

Proposition 4.4 GR(1)* winning conditions are inexpressible in LTL.
The proof of Prop. 4.4 reveals that even a winning condition as simple as A(GEF (y)) is inexpressible in LTL. Using similar arguments one can show that every existential guarantee from our motivating example (Sect. 2) is inexpressible in LTL.
Remark 4.5 Note that we consider equivalence only in terms of the winning condition. This does not mean that GR(1)* winning conditions cannot be expressed by other formulas, while imposing more radical changes in the game structure. In the context of reactive synthesis, such seemingly unexpected reductions exist. For example, CTL* formulas can be expressed by LTL winning conditions, but the encoding is involved with the addition of an exponential number of variables [BSK17]. Similarly, using the technique of [MR15a] (which we also use in Sect. 7), GR(1)* can be expressed by GR(1)*[rest] where each regular expression reg adds log | reg | variables to the game structure. We do not know if GR(1)* can be reduced to LTL or GR(1) while changing also the game structure, or what is the expected cost of such a reduction, if one exists.

Solving GR(1)* games
In this section we present a μ-calculus formula that computes the winning region of the system player in GR(1)* games. Consider a game structure G S (X , Y, θ e , θ s , ρ e , ρ s ), together with a GR(1) ) . To compute the system's winning region, we present a μ-calculus formula that consists of three components: V , g(Z ), and {h k (Z ) : k 1, . . . , }, each of which we define next. First, note that enforcing a violation of the assumptions, if possible, ensures winning. The states from which the system can violate the assumptions are those from which it can win the game whose winning condition is the LTL formula m j 1 FG(¬a j ). By [KPP05,Lem. 9], these states are characterized by the μ-calculus formula: ) G S , the set of states computed by the μ-calculus formula in Eq. 1.
The second component we consider is the formula from [BJP + 12] for solving GR(1) games. The justice assumptions and guarantees part of our GR(1)* formula, m j 1 GF (a j ) → n i 1 GF (g i ), is solved by the formula in Eq. 2: For the third component, we turn to look at the regular expressions that appear in the existential guarantees of the GR(1)* formula, {reg k : 1 ≤ k ≤ }. For a regular expression reg k and a set of states Z , we are interested in the set of states from which there exists a path in Z that satisfies F (reg k ). Equivalently, we consider the set of all states s 0 ∈ Z for which there exists a path of states in Z , (s 0 , . . . , s r ) ∈ L(true * reg k ), such that (s i , s i+1 ) | ρ s ∧ ρ e for each two consecutive states in that sequence.
To compute this set of states we look at the graph obtained by the product of the game structure with an automaton for L(true * reg k ), and identify the states from which there is a path that leads to an accepting state of the automaton. For the construction, for each regular expression reg k that appears in the formula, we fix an The vertices of the graph we define next are of the form (q, s) where q ∈ Q k and s is a state. Intuitively, the state (q, s) indicates that the automaton has reached state q, after reading the symbol s.
Thus, the third component we consider is: Note that this time complexity is achieved as we construct an NFA A k from reg k , a construction performed in linear time. The fact that we do not need to determinize A k enables the efficiency of our synthesis technique.
Finally, combining the three components from Eq.1-3, we obtain the formula in Eq. 4, which computes the winning region of the system in the GR(1)* game: ) G S is the winning region of the system player in the GR(1)* game.
In the next section, we show how to construct a winning strategy from the set νZ (V ∨(g(Z )∧ k 1 h k (Z ))) G S . Hence, to conclude the correctness of Thm. 5.2, we need to show that the system cannot win from every state in the complementary set of νZ (V ∨ (g(Z ) ∧ k 1 h k (Z ))) G S .
)) G S , then no strategy for the system wins from s. By Thm. 5.2, a naive approach provides a realizability check for GR(1)* games in O(nmN 3 + ( k 1 | reg k | )N 2 ) symbolic steps. As in the case of GR(1), with the technique proposed in [BCJ + 97], this can be improved to O((nm + k 1 | reg k |)N 2 ) steps. We see that the time complexity of the realizability check for GR(1)* formulas is the same as the time complexity of the realizability check for GR(1) formulas. Specifically, both are solved in time O((| ϕ | N ) 2 ), where ϕ is the GR(1) or GR(1)* formula.

Strategy construction
In this section we present a construction for a GR(1)* controller, which wins the GR(1)* game from the system's winning region W , computed by the formula in Eq. 4. The basic idea behind the construction is simple, and we start by describing it along with an informal description of a GR(1)* controller construction. Then, we point out that this simple construction has a significant disadvantage. We therefore suggest a way to improve the construction and present a detailed construction for an improved GR(1)* controller.

Construction discussion and overview
The basic idea of the construction is to alternate between two phases. Phase I is the well-known GR(1) strategy from [BJP + 12]. The GR(1) controller satisfies the justice guarantees g 1 , . . . , g n , one by one, provided that it will fail to satisfy g i only in case the justice assumptions are violated forever. We add to this phase the requirement that if the controller reaches a state in V , it forces violation of the justice assumptions for the remainder of the play. After satisfying the justice guarantees, the GR(1)* controller proceeds to phase II in which it chooses a regular expression reg k , and tries, cooperatively, to satisfy F (reg k ).
Although correct, the strategy outlined above suffers from a significant drawback: it forces the violation of the assumptions whenever possible, although in some cases the system can win the game while giving the environment an opportunity to satisfy its assumptions. In the context of GR(1) games, some works suggested to settle this issue by allowing the satisfaction of the assumptions in cases where the justice guarantees can be satisfied as well [BEK15,EKB15,MPS19]. In our context of GR(1)*, this approach should be taken carefully, since it is possible that such a strategy will not allow the satisfaction of the existential guarantees. Specifically, by taking this approach, a play can be led into a state from which there is no path that satisfies F (reg k ) for some regular expression reg k .
To improve the described GR(1)* controller by avoiding unnecessary coercion of justice assumption violation, we note that the existential guarantees can be satisfied from the set k 1 h k (W ). Hence, we refer to V W \ k 1 h k (W ) as the "unsafe" region, from which we must force violation of the assumptions. The following Lemma claims that, indeed, the system can force violation of the assumptions from V .
Therefore, we improve the GR(1)* construction described above as follows: in phase I we satisfy the justice guarantees one by one, and in phase II we try to satisfy, cooperatively, an existential guarantee. Further, if the play reaches V while in phase I, we turn to force violation of the justice assumptions for the remainder of the play.
C V . C V is a memoryless controller that forces from V the violation of the assumptions, i.e., it wins from V the game whose winning condition is m j 1 FG(¬a j ). Clearly, m j 1 FG(¬a j ) ≡ ( m j 1 FG(¬a j )) ∨ F (false ∧ V ). Hence, we apply the results of [KPP05,Lem. 9] and construct C V using the technique proposed in [BJP + 12]. C (GR(1),i) . For each 1 ≤ i ≤ n, C (GR(1),i) is a memoryless controller that forces from g(W ) G S (see Eq. 2) the satisfaction of the formula ( m j 1 FG(¬a j )) ∨ F (g i ∧ W ). The construction of these controllers is described in [BJP + 12]. We construct C (GR(1),i) so that it keeps taking steps also after reaching its goal. That is, if s ∈ g(W ) G S , s | g i ∧ W , and (s, s x ) | ρ e , then C (GR(1),i) (s, s x ) s y such that (s, s x , s y ) | ρ s and (s x , s y ) ∈ W .
C k . C k is a | Q k |-memory controller (see Def. 5.1 and the discussion that precedes it) that, from each s ∈ h k (W ), tries to walk on a path in W that satisfies F (reg k ). Roughly speaking, the controller's memory variable mem stores the current state of the automaton. Hence, if C k (s, s x , i ) (s y , j ), then q k j ∈ k (q k i , (s x , s y )) (or, equivalently, Possibly, for some states (s, s x ) ∈ W × 2 X , the controller has no defined response. We assume that in those cases the controller returns a designated "undefined" value. We present the construction in Alg. 1. The operator is used in Alg. 1 to denote the set of all predecessors of a set of vertices. That is, for a set of vertices X of graph choose (q k i , s y ) as above 7: end for 10: X ← X ∪ X 11: X ← X \ X 12: end while Algorithm 2 presents the GR(1)* controller's construction. For clarity of presentation, we present the GR(1)* controller via a simple pseudocode. The translation of the code into a construction of a symbolic controller using BDD [Bry86] operations is straightforward.
The GR(1)* controller's memory consists of several variables. next jus specifies the number of the next justice guarantee the controller strives to fulfill, and thus stores values from {1, . . . , n}. next ex specifies the number of the ensuing existential guarantee that we aim to satisfy, and thus stores values from {1, . . . , }. mem is a variable used by the controllers C 1 , . . . , C . Hence, it stores values from {0, . . . , | Q k | −1}, where | Q k | max{| Q k | : 1 ≤ k ≤ }. phase indicates which phase we now aim to. When phase 1, we want to satisfy the justice guarantee g next jus (phase I), and when phase 2, we are trying, cooperatively, to satisfy the existential guarantee reg next ex (phase II). In line 19, ⊕1 means that we write the next value to next ex. That is, for k < , k ⊕ 1 k + 1, and ⊕ 1 1.
In phase I, first, the GR(1)* controller checks if the play reached a V -state, and if so, the GR(1)* controller activates C V for the remainder of the play and thus forces violation of the justice assumptions (line 2). Otherwise, the GR(1)* controller activates C (GR(1),next jus) . The controller C (GR(1),next jus) either violates the justice assumptions, or reaches a stateŝ | g next jus ∧ W . When the latter occurs, the GR(1)* controller increases next jus by 1 (line 5), unless next jus stores n. In the case where next jus stores n (line 7), the GR(1)* controller checks if the existential guarantee next ex can be satisfied (line 8). If the condition in line 8 holds, the GR(1)* controller initializes mem and switches to phase II: the next state in that play is (s x , s y ). Thus, the GR(1)* controller writes a value i to mem, such that q next ex 0 (s x ,s y ) −→ q next ex i (line 9), and itwrites 2 to phase (line 10). Note that if the GR(1)*: GR(1) specifications extended with existential guarantees 741 condition in line 8 does not hold, then the ensuing state (s x , s y ) ∈ h next ex (W ) and thus (s x , s y ) ∈ V . In this case, the GR(1)* controller does not perform a phase-switch, and it will activate C V for the remainder of the play.
Finally, if phase stores 2 (line 15), the GR(1)* controller activates C next ex . This controller tries, with the cooperation of the environment, to satisfy the existential guarantee F (reg next ex ). Once F (reg next ex ) has been satisfied, or once the GR(1)* controller receives an input that is not in correspondence with the path that the controller C next ex is trying to walk on, the GR(1)* controller switches back to phase I (line 19). In addition, it writes 1 to next jus to satisfy, again, all of the justice guarantees one by one, and replaces next ex with next ex ⊕ 1.

Algorithm 2
The GR(1)* controller /* Initialization */ input: s x | θ e 1: (next jus, next ex, mem, phase) ← (1, 1, 1, 1  The reader may notice few seemingly problematic issues concerning the construction that require clarification: (1) once the play reaches V , it must not leave V ; (2) the controllers C (GR(1),1) , . . . , C (GR(1),n) operate from g(W ) G S , but the initialization in Alg. 2 returns a state in W ; (3) similarly, after reaching a state s | g i ∧ W , we want to activate C (GR(1),i+1) , which operate from g(W ) G S ; (4) phase I ends by reaching a state s | g n ∧ W , from which we want to activate some C k , which operates from h k (W ). The correctness proof we provide in the appendix settles these issues as follows: (1) we show that if s ∈ V and (s, s x ) | ρ e , then (s x , C V (s, s x )) ∈ V ; (2,3) we show that W ∪ W ⊆ g(W ) G S ; (4) we show that W ⊆ W and thus, 1 if s | W , then either s ∈ V and C V can be activated, or s ∈ k 1 h k (W ), and each C k can be activated.
Theorem 6.2 (Controller construction) The controller C as constructed according to Alg. 2 implements a winning strategy for the system from W with a memory of size 2 · n · · (max 1≤k ≤ | Q k |).
As a final remark, note that in lines 5 and 7, the condition (s x , s y ) | g next jus ∧ W can be replaced with (s x , s y ) | g next jus , for optimization purposes. We now explain the correctness of this replacement. In the proof of Thm. 6.2, we show that W ⊆ W . Moreover, Thm. 6.2 and Lem. 5.3 ensure that a play that is consistent with the GR(1) controller, as constructed in Alg. 2, never reaches a deadlock for the system, and never leaves W . Hence, for every state s that is reachable by the GR(1) controller, s | W and there is no reason to check this condition.

The GE + operator
In this section we motivate and define another existential operator for GR(1)*, GE + , which relates to satisfaction from every prefix rather than from every reachable state. We then show that the new operator is useful in expressing several different kinds of existential requirements, including, e.g., ones involving past LTL operators.

Motivating and defining the GE + operator
Consider again the example in Sect. 2, together with another use case: Use case D i,j . Master i raises a request and, although master j raises a request afterwards and master i does not lower its request, master j gets to access the bus before master i .
One may suggest to use the GR(1)* GEF (reg) operator in order to express use case D. However, as we show next, this suggestion may not reflect the engineer's intention. The existential guarantee GEF (reg) expresses the requirement that from every reachable state, the described scenario can be eventually satisfied. But, the engineer's intention was to express the requirement that every prefix of a play can be completed into a play that, eventually, satisfies the scenario.
Note that these two requirements are indeed different. For illustration, consider a prefix of a play, π (0), . . . , π(i ), such that π (i − 1) | (HBUSREQ i ∧ ¬HBUSREQ j ∧ HMASTER i ∧ HMASTER j ), and π (i ) | (HBUSREQ i ∧ HMASTER i ). Extending this prefix with a continuation of the form (HBUSREQ i ∧ HMASTER i ) t (HMASTER j ) meets the engineer's intention, since the concatenation of the play's prefix with such a continuation satisfies reg. However, this intention is not captured by GEF (reg). GEF (reg) expresses the requirement that there exists a way to satisfy reg, starting from a future state. In contrast, the operator we shall shortly define, GE + (reg), means that the states traversed so far can be concatenated to a possible future behavior that satisfies reg (and hence we choose the notation '+' to denote this concatenation).
Definition 7.1 Consider a game structure G S (X , Y, θ e , θ s , ρ e , ρ s ), and a formula ψ Let f s be a strategy for the system, and π π (0), π(1), . . . a play in G S, consistent with f s . The pair (f s , π) wins for the system w.r.t. ψ in G S if one of the following holds: 1. π is finite and it reaches a deadlock for the environment. 2. π is infinite and π | FG(¬a j ) for some justice assumption a j . 3. π is infinite, and the following hold: k 1 GEF (reg k ): For every i ≥ 0, and an existential guarantee GEF (reg k ), the i -th prefix of π , π (0), . . . , π(i ), can be extended to a playπ , consistent with f s , such that there exist i ≤ i 0 ≤ j , withπ (i 0 ) · · ·π (j ) ∈ L(reg k ). r t 1 GE + ( reg t ): For every i ≥ 0, and an existential guarantee GE + ( reg t ), the i -th prefix of π , π (0), . . . , π(i ), can be extended to a playπ , consistent with f s , such that there exists j ≥ i , withπ (0) · · ·π (j ) ∈ L( reg t ).
We support existential guarantees of the form GE + ( reg) via a reduction to GR(1)* formulas, as were defined in Sect. 4. Specifically, we show that GE + ( reg) can be expressed by the GEF operator. Our reduction involves the addition of a new (non-Boolean) auxiliary variable, along with a corresponding modification of the transition relation ρ s . We modify ρ s to update the value of the newly added variable in each step, so that a certain assertion assrt holds exactly when the play's prefix, traversed so far, satisfies the regular expression reg. This allows us to replace GE + ( reg) with the existential guarantee GEF (assrt).
The reduction is formally defined as follows. Take a DFA, A reg (Q, 2 X ∪Y , δ, q 0 , F) with L(A reg ) L( reg). We add a new variable y, controlled by the system, that stores the current state of the automaton, 2 and we replace θ s and ρ s withθ s andρ s , respectively. Let vals(y) {0, . . . | Q | −1} be the set of values that y may store. For s ∈ 2 X ∪Y and u ∈ vals(y), (s, u) | θ s if s | θ s , and δ(q 0 , s) q u . In words, (s, u) | θ s if s | θ s , and by reading s from the initial state q 0 , the automaton traverses to state q u . Now, for every transition δ(q u , t) q v , let T rans (u,t) be the assertion T rans (u,t) : (y u) ∧ t ∧ (y v ), and letρ s : ρ s ∧ ( (u,t)∈vals(y)×2 X ∪Y T rans (u,t) ). In words, ((s, u), (t , v )) | ρ s if (s, t ) | ρ s , and when the automaton reads t from state q u , it traverses to q v .
Remark 7.2 Note that unlike in the case of an existential guarantee GEF (reg), a DFA that recognizes reg is crucial for the construction, and it cannot be replaced with an NFA. The reason is that with an NFA, the system can mistakenly track an "incorrect" path, and thus incorrectly conclude that reg has not been satisfied. In particular, it is possible that at runtime, the system will not be able to choose the "correct path", because it depends on the future behavior of the environment. We therefore follow [MR15a] here, and use DFAs to track the satisfaction of the regular expressions.

A special case: past LTL
An important special case of the GE + (reg) extension is the support for past LTL formulas. The authors of [BJP + 12] noted that atomic past LTL formulas can be tested by Boolean auxiliary variables, and described how the GR(1) scheme can be extended to support past LTL assumptions and guarantees.
In [KPR98] it was shown how to construct testers for the operators Y and S . We repeat that construction and extend it to O and H as well. Consider a game structure, G S (X , Y, θ e , θ s , ρ e , ρ s ), and assertions, a and  b. For each formula Y (a), O(a), H (a), and aSb, we show how to replace it with an auxiliary variable y that indicates when the original formula holds. This is done by modifying the game structure as follows: Y (a). θ s is replaced with θ s ∧ ¬y. ρ s is replaced with ρ s ∧ (y ↔ a). O(a). θ s is replaced with θ s ∧ (y ↔ a). ρ s is replaced with ρ s ∧ (y ↔ (y ∨ a )). H (a). θ s is replaced with θ s ∧ (y ↔ a). ρ s is replaced with ρ s ∧ (y ↔ (y ∧ a )). aSb. θ s is replaced with θ s ∧ (y ↔ b). ρ s is replaced with ρ s ∧ (y ↔ (b ∨ (y ∧ a ))).
By this construction, nested formulas can be unfolded to be tested by auxiliary variables. As an example, we consider again our regular expression, reg true * (HBUSREQ i ∧ ¬HBUSREQ j ∧ HMASTER i ∧ HMASTER j )(HBUSREQ i ∧ HMASTER i ) * (HMASTER j ). This regular expression is equivalent to the past LTL formula: The tester for (HBUSREQ i ∧HMASTER i )S (HBUSREQ i ∧¬HBUSREQ j ∧HMASTER i ∧HMASTER j ) is y 1 , and Y (y 1 ) is tested by y 2 . Therefore: This way, the engineer integrates the existential guarantee GE + (reg) into the specification, with the cost of adding two Boolean variables, by replacing GE + (reg) with the existential guarantee GEF (HMASTER j ∧ y 2 ). In general, this construction enables supporting existential guarantees of the form GE + (ϕ) where ϕ is a past LTL formula, and each past LTL sub-formula of ϕ adds a new single variable to the game structure.

Supporting additional forms of existential guarantees
GEF (reg) means that from every state we can satisfy reg, starting from a future state, while GE + (reg) means that from every state, we are able to satisfy reg, starting from the first state of the play.
Another natural form of an existential guarantee that the engineer may wish to express is to require that reg can be satisfied by concatenating a suffix of the sequence of states traversed so far, to some future behavior. That is, the engineer may require that for any play π and i ≥ 0, there exists a playπ such that (π (0), . . . , π(i )) (π(0), . . . ,π (i )), and for which there exist i 0 , j , such that i 0 ≤ j , i ≤ j , andπ (i 0 ) · · ·π (j ) ∈ L(reg). Note that this requirement differs from GEF (reg) since we include the possibility i 0 < i . Thanks to the GE + (reg) defined above, GR(1)* supports such form of an existential guarantee by writing GE + (true * reg).
Another possible requirement the engineer may wish to express is that every play-prefix can be extended to a play that includes a subword that satisfies reg. That is, to require that for every play π and i ≥ 0, π (0), . . . , π(i ) can be extended to a playπ , for which there exist i 0 , j , such that i 0 ≤ j , andπ (i 0 ) · · ·π (j ) ∈ L(reg). This requirement differs from previous forms of existential guarantees by including the possibility j < i . Again, thanks to the GE + (reg) defined above, GR(1)* supports such form of an existential guarantee by writing GE + (true * reg true * ).

The well-separated case
In some cases, the system can win a GR(1)* game from a certain state by forcing a violation of the assumptions. Specifications that allow this possibility, termed non-well-separated [KP10], are considered to be problematic. Maoz and Ringert [MR16] showed a technique to detect non-well-separation in GR(1) specifications. As nonwell-separation is a property of the assumptions in the specification, the technique works for GR(1)* as well.
In this section we show that when the specification is well-separated, the GR(1)* controller achieves more than required. First, the existential guarantees hold regardless of the satisfaction or dissatisfaction of the environment's justice assumptions. Second, any existential guarantee GEF (reg) is satisfied iff a stronger existential guarantee GEF ((reg true * ) ω ) is satisfied. Finally, we show that when the specification is well-separted, GR(1)* can support existential guarantees with deterministic Büchi properties, which enable the specification of patterns [MR15a].

Achieving more than required in a well-separated environment
Inspired by the definition of well-separation for GR(1) games [KP10], we define: Y, θ e , θ s , ρ e , ρ s ) be a game structure and let a 1 , . . . , a m be assertions over X ∪ Y. The pair (G S, {a 1 , . . . , a m }) has a well-separated environment if from every s ∈ 2 X ∪Y , the environment has a strategy to force satisfaction of the formula m j 1 GF (a j ).

Consider a GR(1)* formula
) . We argue that in case of a well-separated environment, a winning strategy achieves more than required and the winning condition is satisfied. This formula differs from the GR(1)* formula in two ways: (1) the modified existential guarantees appear after the conjunction operator ∧, and not as an implication of the → operator; (2) each existential guarantee GEF (reg) is replaced with the stronger GEF ((reg true * ) ω ). This means that (1) any of the existential guarantees should hold from any reachable state, and not just along plays that satisfy the justice assumptions; (2) the controller and the environment can satisfy, cooperatively, the stronger existential guarantee GEF (reg true * ) ω .

Lemma 8.3
Let G S (X , Y, θ e , θ s , ρ e , ρ s ) be a game structure, φ A m j 1 GF (a j ) → ( n i 1 GF (g i ) ∧ k 1 GEF (reg k )) a GR(1)* formula, and f s a strategy for the system player. If the pair (G S, {a 1 , . . . , a m }) has a well-separated environment, then f s is a winning strategy w.r.t. φ in G S iff it is a winning strategy w.r.t. ψ A ( m j 1 GF (a j ) → n i 1 GF (g i )) ∧ k 1 GEF ((reg k true * ) ω ) in G S. Therefore, in case of a well-separated environment, the controller we construct is robust against assumption violations: it ensures that the regular expressions of the existential guarantees can be satisfied infinitely many times from any reachable state, in all plays, and not only in plays that satisfy the justice assumptions. In particular, this means that the system must avoid any kind of deadlock.
To illustrate this robustness, consider our running example from Sect. 2, with additional assumptions that make it non-well-separated. First, consider the following safety assumption: where n is the number of masters. This means that when some master asks for a locked-access, no master is allowed to raise a new request. Second, consider the following justice assumptions: for i ∈ {1, . . . , n}, which assumes that at any point in time, each master will eventually ask to access the bus. Now, assume that at some point, master 1 uses the bus, and master 2 asks for a locked-access. In this case, a synthesized controller may decide to act as follows: it waits until master 1 finishes to transfer its data, and then it grants no requests for the rest of the play. By doing that, this controller forces violation of the justice assumptions: since master 2 asks for a locked-access, master 1 is not allowed to raise a request, due to the added safety assumption. As a result, the added justice assumption GF (HBUSREQ 1 ) is violated. Note that the behavior of this synthesized controller is undesirable not only because it does not satisfy its justice guarantees, but also because, from some point on, its existential guarantees cannot be realized anymore.
Using the technique proposed in [MR16], the engineer can identify that the added assumptions caused nonwell-separation. She can decide to remove the problematic justice assumptions, and the environment is again well-separated. This time, the controller cannot force violation of the assumptions from any state and thus it will be obligated to satisfy each existential guarantee GEF (reg k ) from any reachable state. Therefore, the engineer now knows that the synthesized controller will satisfy the stronger existential guarantees GEF ((reg k true * ) ω ).

Deterministic Büchi properties and patterns as existential guarantees
Maoz and Ringert [MR15a] showed how to extend the GR(1) fragment to support deterministic Büchi properties as justice guarantees. That is, to support ω-regular properties that can be accepted by a DBW. This includes 52 out of the 55 patterns suggested by Dwyer et al. [DAC99], e.g., the well-known and useful response pattern G(req → F (ack)), accepted by a 2-state DBW. We will now show that the construction of [MR15a] (outlined in Sect. 7) and the result of Sect. 8.1 enable, in case the specification is well-separated, to integrate such properties as existential guarantees, with the semantics of the GE + operator from Sect. 7. The cost of this extension is only logarithmic in the number of states of the DBW that recognizes the property: we add log | Q | variables to the game structure. Since according to [MR15a], any of these patterns is accepted by a DBW with at most 8-states, any of the 52 patterns mentioned above induces a cost of adding, at most, three Boolean variables to the game structure.
For illustration, consider our example from Sect. 2. Suppose that the engineer wants to add to the specification the use case in which master 1 accesses the bus exactly once. Note that this property is accepted by a DBW with 3 states.
Use case F. Whenever a request by master 1 is granted, a request by master n will eventually be granted afterwards.
More generally, we wish to support formulas of the form: GR(1)*: GR(1) specifications extended with existential guarantees 747 where each ψ t is a deterministic Büchi property. GE + (ψ t ) means that for each play π and i ≥ 0, the prefix of the play π (0) . . . π(i ) can be extended into a play π , consistent with the system's strategy, such that π | ψ t (see Sect.7 and Def. 7.1 for a discussion about the GE + operator).
To support this extension, we use the technique outlined in Sect. 7. Consider a game structure G S (X , Y, θ e , θ s , ρ e , ρ s ), and assume that the pair (G S, {a 1 , . . . , a m }) has a well-separated environment. For each t ∈ {1, . . . , r }, let A t (Q t , 2 X ∪Y , δ t , q t 0 , F t ) be a DBW that recognizes the property ψ t . We extend the game structure intoG S (X , Y ∪ {y 1 , . . . , y r }, θ e ,θ s , ρ e ,ρ s ) as in Sect. 7. Thus, plays in G S and inG S correspond to each other: • Ifπ is a play inGS , then the play π , defined by π (i ) π (i ) | X ∪Y , is a play in G S. • If π is a play in G S, then there is a unique playπ inG S such thatπ (i ) | X ∪Y π (i ). Further, for each Therefore, a strategy f s for the system inG S also constitutes a strategy for the system in the game structure G S .  For f s (s 0 , . . . , s k , s x ) s y , we naturally define f s (s 0 | X ∪Y , . . . , The following lemma is implied by the construction elaborated in Sect. 7 and by Lem. 8.3.

Lemma 8.4
Let f s be a strategy for the system inG S. If the pair (G S, {a 1 , . . . , a m }) has a well-separated environment, then f s is a winning strategy w.
Roughly, the lemma is proved using the following arguments. First, relying on Lem. 8.3, the well-separation property implies that a winning strategy for the system inG S satisfies the stronger existential guarantees GEF (((y t ∈ F t )true * ) ω ). Moreover, as explained in Sect. 7, the assertion y t ∈ F t holds inG S iff the play-prefix traversed leads the automaton to an F t -state. Hence, GEF (((y t ∈ F t )true * ) ω ) holds iff GE + (ψ t ) holds. A detailed proof is given in Appx. A.

Unrealizability of GR(1)* games
It is well known that ω-regular games (and thus LTL games and in particular GR(1) games) are determined [GTW02]; the winning regions of the system and the environment form a partition of the state space. Previous work on GR(1) has relied on its determinacy in the context of dealing with unrealizability. Specifically, to analyze and understand reasons for unrealizability, researchers suggested to construct a counter-strategy-a winning strategy for the environment from the complement of the system's winning region [KHB13,KMR17].
GR(1)* is not a fragment of LTL. Do unrealizable GR(1)* games always admit counter-strategies? In this section we prove a crucial result about the difficulty of tackling unrealizability of GR(1)* specifications. We show the existence of GR(1)* games for which both players have no winning strategy from certain states, i.e., GR(1)* games for which the winning regions of the system and the environment do not form a partition of the state space.
In Sect. 5 we characterized the exact set of states from which the system has a winning strategy in a GR(1)* game via a μ-calculus formula (Eq. 4), and in Sect. 6 we provided a controller construction from the system's winning region. However, as stems from what we prove below, the negation of the formula in Eq. 4 does not compute the set of states from which the environment has a winning strategy. In other words, in some GR(1)* games, some states belong neither to the winning region of the system player nor to the winning region of the environment player. From these states, for any strategy for the system f s , the environment has a strategy f e that yields a play π such that (f s , π) does not win for the system, and vice-versa, for any strategy for the environment f e , the system has a strategy f s that yields a play π such that (f s , π) wins for the system.
To clarify, one should not confuse the result we outlined above with the soundness and completeness of the solution we presented in Sect. 5. Given a GR(1)* specification, we are always able to compute the states from which the system can win: the formula in Eq. 4 fully computes the winning region for the system. The possible absence of a counter-strategy means that, in some cases, some states in the complement of this winning region are not winning for the environment.
Before we provide the relevant definitions and our result, we note a fundamental difference between GR(1)* games and general CTL* games. Previous works that study CTL* games define a winning strategy as one whose computation tree satisfies the winning condition, given as a CTL* formula [BSK17,KV99,KV00]. Hence, the system cannot win from a state s w.r.t. a CTL* winning condition ϕ, if for any strategy f s for the system from s, the computation tree induced by f s , T f s , satisfies: T f s | ϕ. This definition does not take into account the choices made by the environment during a specific play. Therefore, in this context, the notion of a counter-strategy is meaningless. In contrast, Def. 4.2 distinguishes between winning and losing plays that are consistent with the same strategy. This allows us to define a counter-strategy for GR(1)* games in a standard manner, i.e., as one that wins in every play, regardless of the strategy chosen by the system. Definition 9.1 (GR(1)* counter-strategy) Let G S (X , Y, θ e , θ s , ρ e , ρ s ) be a game structure, ψ a GR(1)* formula, and f e a strategy for the environment. f e wins for the environment from state s, if for every strategy for the system f s from s, for the unique play π , consistent with f e and f s , it holds that (f s , π) does not win for the system w.r.t. ψ.
We show through the next example that unlike GR(1) games, a GR(1)* game may admit states that do not belong to the winning region of any of the players.
Example 9.2 Let G S (X , Y, θ e , θ s , ρ e , ρ s ) be a game structure, and ψ A GF (true) → (GF (g) ∧ GEF (q)) a GR(1)* formula, where In Ex. 9.2, in each step the system assigns true to exactly one of the variables among {g, q}. Further, once the system assigns true to q, it must assign true to q in all ensuing states. Lemma 9.3 In Ex. 9.2, for every s ∈ 2 X ∪Y , the system has no winning strategy from s.
Clearly, the environment has a winning strategy from the set {s ∈ 2 X ∪Y : s | q}. This holds since if s | q, then any play π from s that is consistent with ρ e ∧ ρ s , satisfies π | ¬(GF (g)). Hence, in fact, any strategy for the environment is a winning strategy from {s ∈ 2 X ∪Y : s | q}. It is left to prove that the GR(1)* game of Ex. 9.2 admits states from which the environment does not win. Specifically, we show that the environment has no winning strategy from every state s such that s | ¬q.
Lemma 9.4 In Ex. 9.2, take s ∈ 2 X ∪Y and a strategy for the environment f e . If s | ¬q, then the system has a strategy f s , such that for the unique play π that is consistent with f s and f e , it holds that (f s , π) wins for the system. Lemmas 9.3 and 9.4 imply the main result of this section, which may be viewed as a form of indeterminacy.
Theorem 9.5 There exist a GR(1)* game and a state s, such that each of the two players, the system and the environment, has no winning strategy from s.
As a consequence, when dealing with GR(1)* games, existing techniques related to unrealizability, e.g., the examination of a counter-strategy, cannot be used directly. Thus, Thm. 9.5 induces future research directions. First, it is important to compute the set of states from which the environment has a winning strategy, and the set of states from which neither players has a winning strategy. Second, as the construction of a counter-strategy from the environment's winning region may help in understanding unrealizability, unrealizable GR(1)* specifications for which the environment's winning region is empty may pose a special challenge that requires further investigation.

Implementation and evaluation
We have implemented realizability checking for GR(1)* from Sect. 5, and integrated it in the Spectra language and synthesis environment [MR21,Spe], which already includes a GR(1) synthesizer and implementations of several additional analyses. Our implementation uses BDDs [Bry86] via the CUDD 3.0 [Som15] package. The implementation includes the heuristics for GR(1) realizability checking detailed in [FMR20].

Validation
We validated the correctness of our implementation as follows. First, to validate the correctness of the translation of regular expressions to NFAs, we implemented two separate translation schemes. The first is a pure BDD-based approach that constructs a symbolic Epsilon-NFA and then eliminates all of the epsilon transitions to obtain a symbolic NFA [VdHT10]. The second is an approach that uses the well-known Brics package. 3 While the second approach suffers from an inferior running time performance (as the translation to Brics regular expressions entails an exponential blowup of the alphabet), we used it as an oracle for validating our first translation scheme, which we used in our evaluation. Specifically, we randomly generated thousands of regular expressions and checked that the NFAs constructed by both approaches accept the same languages.
Second, to validate the correctness of the GR(1)* realizability checking implementation we tested it on many small synthetic specifications for which we were able to check that the realizability results reported by the implementation matched the ones we expected.
We make the implementation and all the specifications used in our experiments below available for inspection and reproduction. 4

Research questions
To evaluate the efficiency of our proposed technique of supporting existential guarantees and its implementation, we consider the following research questions:

RQ1.
What is the cost, in terms of realizability checking running time, of supporting existential guarantees as part of GR(1) specifications? Does the technique scale well? RQ2. Are some existential guarantees more costly than others?

Corpus and experiment setup
As the corpus for our experiments, we took the family of AMBA specifications used in our running example, where the number of masters ranges from 2 to 5. We denote by AMBAn the AMBA specification with n masters. Note that in addition to the variables listed in Sect. 2, each specification includes auxiliary variables that are used to express pattern properties, i.e., requirements that are neither safety nor justice properties (specifically, requirements A1, G2, G3, and G10 in [BGJ + 07]). Table 1 presents the state space, number of justice assumptions, and number of justice guarantees, for AMBA2 to AMBA5. It further shows the realizability checking running time for each of the four specifications. We used these as a baseline for our evaluation.
On top of the baseline specifications AMBA2 to AMBA5, we created new specifications with existential guarantees. Considering the use cases A, B, and C from Sect. 2, we added to the baseline specifications existential guarantees of the form GEF (reg), where reg is a regular expression of type A, B, or C. We divide all specifications into sets as follows.  Then, we wanted to create larger specifications with more existential guarantees. Note that we cannot add to AMBAn more than n existential guarantees of type B, but we can add up to n 2 − n existential guarantees of type A and C, as this is the exact number of ordered pairs of different masters. We therefore created another set as follows.
SET3. For each n ∈ {2, 3, 4, 5} and k ∈ {n + 1, . . . , n 2 − n}, we created a configuration by adding to AMBAn n + 2k existential guarantees: n different existential guarantees of type B , k different existential guarantees of type A, and k different existential guarantees of type C. Hence, SET3 includes 26 specifications.
Overall, excluding the baseline specifications, we considered 82 different configurations with up to 45 existential guarantees. The lengths of the formulas representing the use cases A, B, and C are 9, 3, and 10 respectively. 5 Hence, we added existential guarantees of total length up to 395 symbols, i.e., the total length of the added existential guarantees' regular expressions.
For each configuration, including the baseline specifications, we repeated realizability checking 10 times. 6 Each time, we randomly chose master indexes as values, to turn a parameterized configuration into a concrete specification. We measured realizability checking running times. We report median values of the 10 executions. We performed all the experiments on a rather ordinary desktop computer with an Intel Xeon W-2133 processor, 32 GB RAM, running Windows 10. Table 1 presents the median running times for the baseline specifications AMBA2 to AMBA5.

Results
Tables 2 and 3 present the ratios between the running time for the different configurations and the baseline. Table 2 refers to configurations of SET1, i.e., extensions of the baseline specifications with existential guarantees of a single type. Table 3 presents the results of all experiments in which the specifications are extended by several existential guarantees of each type. Table 3 is divided into two parts, separated by a horizontal line. The upper part refers to experiments with k 1, . . . , n existential guarantees of each type (SET2), and the lower part refers to experiments in which we added n existential guarantees of type B, and k > n existential guarantees of types A and C (SET3).
For illustration, as an example, in Table 3, the value of the cell on the column titled AMBA4 and the row titled 10, n, 10 is 135%. This means that when we augmented AMBA4 with 10 existential guarantees of type A, n 4 existential guarantees of type B, and 10 existential guarantees of type C, the median of 10 runs of realizability checking took 35% longer than the baseline, i.e., about 88 seconds.
Finally, Fig. 2 presents the running times ratios as a function of the number of existential guarantees added to each baseline specification, based on the results with the multi-type configurations (SET2 and SET3), as presented in Table 3.
To answer RQ1, based on the results of our experiments, we observe that adding existential guarantees to a GR(1) specification, as expected, has a cost. Yet, the results reveal that GR(1)* realizability checking is feasible. In 70 out of the 82 configurations, the running time was less than twice the running time of the corresponding baseline configuration. Among the remaining 12 configurations, only for the "heaviest" one, the running time was more than three times than the baseline configuration, specifically 3.29. Note that this specification includes 45 existential guarantees and only 13 justice constraints (assumptions and guarantees) from the corresponding baseline specification AMBA5.  273% 20, n, 20 329% The leftmost column specifies how many existential guarantees were added of each type among A, B, and C, respectively Moreover, interestingly, in 16 of the 82 configurations, the ratio was less than 100%, i.e., GR(1)* realizability checking was faster than that of GR(1). We may explain this phenomenon by observing that with additional existential guarantees, in each fixed-point iteration, a potentially larger set of states is removed from the set computed so far (consider the outer fixed-point operator in Eq. 4). Thus, adding existential guarantees may reduce the total number of fixed-point iterations and thus result in a faster realizability check.
Another notable observation is that GR(1)* realizability checking seems to scale well with the number and length of the added existential guarantees. Our experiments involved up to 45 existential guarantees, reaching a total length of 395 symbols. Figure 2 seems to suggest that the growth in running times is linear in the number of added existential guarantees, with a rather low slope.
Finally, to answer RQ2, the results for SET1, provided in Table 2, suggest no visible difference between the three types of existential guarantees we considered. Note however, that in comparison to RQ1, the data we obtained that is relevant to RQ2 is relatively small. Further experiments are required in order to provide a more reliable answer to RQ2.

Related work
Reactive synthesis for LTL was studied in [PR89] and shown to be 2EXPTIME-complete [Ros92]. The GR(1) fragment of LTL, which can be solved in time quadratic in the size of the state space, is proposed in [BJP + 12]. As GR(1)* extends GR(1) with existential requirements, it is in fact a fragment of an extension of CTL* [EH86] with regular expressions. Thus, GR(1)* can be expressed in CTRL [MMDdJ11]. Kupferman and Vardi showed that the synthesis problem for CTL* formulas is 2EXPTIME-complete [KV99,KV00]. Recently, Bloem et al. suggested a CTL* synthesis technique [BSK17], and a corresponding synthesis tool. As we show, GR(1)*, like GR(1), is solved in time quadratic in the size of the state space.
Synthesis techniques that consider existential requirements, use cases, and scenarios were suggested in the literature. Harel et al. [HK02,KHP + 05] studied synthesis of object systems from live sequence charts (LSCs). An LSC is an extension of a message sequence chart (MSC), which allows to specify universal and existential requirements. [KHP + 05] presents an efficient translation of an LSC into a temporal logic formula, which enables to apply temporal logic based analysis and synthesis tools over LSC specification. [HK02] presents a synthesis technique for (universal and existential) LSCs. Maoz and Sa'ar [MS12] present synthesis from assume-guarantee scenarios in the form of LSC, by reduction to GR(1), and thus support only universal scenarios.
Uchithel et al. [SUB08, SBUK13, UBC07, UBC09] studied synthesis of a modal-transition-system (MTS) from LSCs. [SUB08] proposes an MTS synthesis algorithm from an existential LSC that triggers a universal LSC. The synthesized MTS fulfills two properties: (1) some of its behaviors fulfill the existential requirement; (2) whenever the existential requirement holds, the universal requirement must hold afterwards. [SBUK13] presents extensions and describes an implementation of that technique. [UBC07] and its extended version [UBC09] present an MTS synthesis algorithm from safety properties and scenarios.
Besides these papers, discussions about the value of use cases, scenarios, and examples for their use in the specification and analysis of systems can be found in [AKRU12,ARRU09,SMMM98,ZMT05]. All these motivated us to extend GR(1) with existential guarantees.
In the context of GR(1), Bloem et al. [BEK15] defined levels of cooperation between the system and the environment. Some of these levels of cooperation require that the justice assumptions hold in an existential manner. Ehlers et al. [EKB15] and Majumdar et al. [MPS19] proposed a synthesis technique for a cooperative GR(1) controller, i.e., a controller that never forces violation of the justice assumptions. Thus, while these papers relate to the assertions of the justice assumptions as existential guarantees, our technique allows to add regular expression as existential guarantees. Note that the problem solved in these papers is not a special case of our solution, since [EKB15] and [MPS19] require that the justice assumptions may hold from any reachable state, while we require that the existential guarantees can be satisfied along plays that satisfy the justice assumptions.
To the best of our knowledge, our work is the first to extend GR(1) with existential guarantees.

Conclusion
We introduced GR(1)*, which extends GR(1) with existential guarantees. GR(1)* allows engineers to add example use cases to the specification, so as to ensure that the synthesized controller will make them possible. We proved that the 'exist' operator allows to express properties that are inexpressible in LTL. Moreover, as we use regular expressions, GR(1)* formulas are inexpressible in CTL*. We solved the realizability problem for GR(1)* specifications and presented a symbolic controller construction. Importantly, GR(1)* realizability check consumes O((nm + k 1 | reg k |)N 2 )-time where n is the number of justice guarantees, m is the number of justice assumptions, and reg 1 , . . . , reg are the regular expressions that appear in the existential guarantees. Hence, the time complexity of our realizability check is O((| ϕ | N ) 2 ) where ϕ is the GR(1)* formula to be synthesized. This time complexity is asymptotically identical to the time complexity of the known GR(1) realizability check [BJP + 12].
Intuitively, the existential operator we present, GEF (reg), means that, globally, the play prefix can be extended to a play in which reg is satisfied along a segment that starts from a future state. We presented extensions to support additional forms of existential guaranties: globally, the play prefix can be extended to a play in which reg holds along a segment that (1) starts from the initial state and ends in a future state; (2) starts from some (past or future) state and ends in a future state; and (3) starts from some state and ends in some state. Moreover, we showed that the first form can be expressed using either regular expressions or past LTL formulas.
Further, we proved that if the environment is well-separated, our controller achieves a stronger requirement: from any reachable state there exists a run in which every regular expression that appears in an existential guarantee is satisfied infinitely often. More precisely, in the well-separated case, the existential guarantee GEF (reg) can be replaced with the stronger guarantee GEF ((reg true * ) ω ). As we proved, when the environment is well-separated, this observation allows one to support existential guaranties with DBW properties.
Finally, we discussed unrealizable GR(1)* games. The μ-calculus formula in Eq. 4 computes the winning region of the system player, but the negation of this formula does not necessarily compute the environment's winning region. This holds since GR(1)* games may admit states from which neither players has a winning strategy.
We have implemented our synthesis technique, and integrated it in the Spectra GR(1) synthesizer [MR21,Spe]. To evaluate the efficiency of the suggested synthesis algorithm, we measured realizability checking times of baseline specifications without any existential guarantees and compared them to realizability checking times of the same specifications with different configurations of additional existential guarantees. The experiments revealed that our approach is efficient and scalable. The scalability of our work stems from its unique characteristics. Many proposed extensions of GR(1), e.g., [AKRV17, Ehl11, MPR16, MR15a], Sect. 5.2 in [BJP + 12], and our extensions in Sect. 7, involve the addition of fresh auxiliary variables, which enlarges the state space and limits scalability. In contrast, our solution for GR(1)* does not enlarge the state space. Moreover, we construct NFA's for the regular expressions with no need to determinize them. These two key factors enable the scalability of our work, as demonstrated in Fig. 2.
We consider the following future research directions. First, Firman et al. [FMR20] have recently presented several performance heuristics for GR(1) synthesis. These heuristics are transferred to realizability checking for GR(1)*, and we have used them in our experiments. It is interesting to look for additional heuristics that are tailored specifically for GR(1)* formulas.
Second, unrealizability is a well-known challenge for reactive synthesis in general and for GR(1) specifications in particular. Researchers have suggested to address GR(1) unrealizability using the concepts of unrealizable core, counter-strategy, and repair, see, e.g., [AMT13, CA17, CRST08, KHB13, KMR17, MRS19, MS13, MS21]. Since, as we proved, unrealizable GR(1)* games do not always admit counter-strategies, it is interesting to investigate these concepts in the context of GR(1)*.
Finally, we plan to implement and evaluate the extensions of GR(1)* we suggest in Sect. 7, including the support for past LTL existential guarantees and the operator GE + (reg) with its different suggested semantics.