Conference PaperPDF Available

Quantifying bounds in strategy logic

Authors:

Abstract

Program synthesis constructs programs from specifications in an automated way. Strategy Logic (SL) is a powerful and versatile specification language whose goal is to give theoretical foundations for program synthesis in a multi-agent setting. One limitation of Strategy Logic is that it is purely qualitative. For instance it cannot specify quantitative properties of executions such as "every request is quickly granted", or quantitative properties of trees such as "most executions of the system terminate". In this work, we extend Strategy Logic to include quantitative aspects in a way that can express bounds on "how quickly" and "how many". We define Prompt Strategy Logic, which encompasses Prompt LTL (itself an extension of LTL with a prompt eventuality temporal operator), and we define Bounded-Outcome Strategy Logic which has a bounded quantifier on paths. We supply a general technique, based on the study of automata with counters, that solves the model-checking problems for both these logics.
Quantifying Bounds in Strategy Logic
Nathanaël Fijalkow1
CNRS, LaBRI, Bordeaux, France
Alan Turing Institute of data science, London, United Kingdom
nfijalkow@turing.ac.uk
0000-0002-6576-4680
Bastien Maubert2
University of Naples “Federico II”, Naples, Italy
bastien.maubert@gmail.com
0000-0002-9081-2920
Aniello Murano
University of Naples “Federico II”, Naples, Italy
murano@na.infn.it
Sasha Rubin
University of Naples “Federico II”, Naples, Italy
sasha.rubin@unina.it
Abstract
Program synthesis constructs programs from specifications in an automated way. Strategy Logic
(SL) is a powerful and versatile specification language whose goal is to give theoretical foundations
for program synthesis in a multi-agent setting. One limitation of Strategy Logic is that it is purely
qualitative. For instance it cannot specify quantitative properties of executions such as “every
request is quickly granted”, or quantitative properties of trees such as “most executions of the
system terminate”. In this work, we extend Strategy Logic to include quantitative aspects in a way
that can express bounds on “how quickly” and “how many”. We define Prompt Strategy Logic,
which encompasses Prompt LTL (itself an extension of LTL with a prompt eventuality temporal
operator), and we define Bounded-Outcome Strategy Logic which has a bounded quantifier on
paths. We supply a general technique, based on the study of automata with counters, that solves
the model-checking problems for both these logics.
2012 ACM Subject Classification Logic and Verification
Keywords and phrases Prompt LTL, Strategy Logic, Model checking, Automata with counters
Digital Object Identifier 10.4230/LIPIcs.CVIT.2016.23
1 Introduction
In order to reason about strategic aspects in distributed systems, temporal logics of programs
(such as LTL [
35
], CTL [
5
] and
CTL
[
19
]) have been extended with operators expressing the
existence of strategies for coalitions of components. Among the most successful proposals are
Alternating-time Temporal Logic (ATL) [
3
] and, more recently, the more expressive Strategy
Logic (SL) [
13
,
33
]. Both logics can express the existence of strategies for coalitions that
1
This project has received funding from the Alan Turing Institute under EPSRC grant EP/N510129/1
and the DeLTA project (ANR-16-CE40-0007).
2
This project has received funding from the European Union’s Horizon 2020 research and innovation
programme under the Marie Sklodowska-Curie grant agreement No 709188.
©Nathanaël Fijalkow, Bastien Maubert, Aniello Murano and Sasha Rubin;
licensed under Creative Commons License CC-BY
42nd Conference on Very Important Topics (CVIT 2016).
Editors: John Q. Open and Joan R. Access; Article No. 23; pp. 23:1–23:23
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
23:2 Quantifying Bounds in Strategy Logic
ensure some temporal properties against all possible behaviours of the remaining components.
Moreover, if such strategies exist, one can also obtain witnessing finite-state strategies. As a
result, synthesizing reactive systems from temporal specifications [
36
,
28
,
29
] can be reduced
to model checking such strategic logics.
Although quite expressive, for instance Strategy Logic can express important game-
theoretic concepts such as the existence of Nash equilibria, such logics can only express
qualitative properties. On the other hand important properties of distributed systems, such
as bounding the maximal number of steps between an event and its reaction, are quantitative.
Parametric extensions of temporal logics have been introduced to capture such properties.
A simple way to extend temporal operators is to annotate them with constant bounds,
e.g.,
Fkϕ
says that
ϕ
holds within
k
steps where
kN
is a constant. However, one may
not know such bounds or care for their exact value when writing the specification (or it may
not be practical to compute the bound). Instead, one may replace the constants by variables
N
and ask about the possible valuations of the variables that make the formula true. For
instance, Prompt-LTL [
2
,
30
] is an extension of LTL with the operator
FN
where
N
is a
(unique) variable. The model-checking problem asks if there exists a valuation of the variable
N
such that the formula holds. In order to reason about and synthesize strategies that ensure
such parametric properties, we introduce “Prompt Strategy Logic”, an extension of SL with
the
FN
operator. For instance, the formula
s1
(
a1, s1
)
s2
(
a2, s2
)
NAGFNp
expresses
that there exists a strategy for agent
a1
such that for all strategies of agent
a2
there is a
bound
N
(that can depend on the strategy for
a2
) such that in all outcomes (generated by
the remaining agents) the atom pholds at least once every Nsteps.
Another way to parameterise temporal logics is to bound the path quantifiers, expressing,
for instance, that at least
k
different paths satisfy
ψ
, or all but
k
paths satisfy
ψ
[
8
]. Such
operators can bound, for instance, how well a linear-time temporal property holds, thus giving
a measure of “coverage”. We introduce “Bounding-Outcome Strategy Logic” which extends
Strategy Logic with a bounded outcome quantifier
AN
which allows one to express that
all but
N
outcomes satisfy some property. For instance, the formula
s
(
a, s
)
NANGFp
expresses that there exists a strategy for agent
a
such that for all but finitely many outcomes,
the atom
p
holds infinitely often. The algorithmic contribution of this paper is a solution
to the model-checking problem for both these logics (and their combination). We do this
by applying the theory of regular cost functions. A cost function is an equivalence class of
mappings from the domain (e.g., infinite words) to
N∪ {∞}
with an equivalence relation
that, intuitively speaking, forgets the precise values and focuses on boundedness [14, 16].
Our results allow us to solve a problem left open in [
10
] that considers games with two
players and a third player called “nature” (indicating that it is uncontrollable), and asks
whether there is a strategy for player 1(having very general linear-time objectives) such
that for all strategies of player 2, in the resulting tree (i.e., where nature’s strategy is not
fixed), the number of plays in which player 1does not achieve her objective is “small”. In
particular, in case the linear-time objective is the LTL formula
ψ
and “small” is instantiated
to mean “finite”, our main result allows one to solve this problem by reducing to model
checking Bounding-outcome Strategy Logic formula
s1
(
a1, s1
)
s2
(
a2, s2
)
NAN¬ψ
. In
fact our automata construction can be adapted to deal with all omega-regular objectives.
Related work.
Parametric-LTL [
2
] extends LTL with operators of the form
Fx
and
Gx
,
where
x
is a variable. The interpretation of
Fxψ
is that
ψ
holds within
x
steps, and the
interpretation of
Gx
is that
ψ
holds for at least the next
x
steps. That paper studies
variations on the classic decision problems, e.g., model checking asks to decide if there is a
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:3
valuation of the variables
x1,· · · , xk
such that the formula
ϕ
(
x1,· · · , xk
)holds in the given
structure. Note that for this problem, the formula is equivalent to one in which all variables
are replaced by a single variable. The complexity of these problems is no worse than for
ordinary LTL, i.e., PSPACE. The technique used in this paper to prove these upper-bounds
is a pumping lemma that allows one to reduce/enlarge the parameters.
Parametric-LTL has been studied in the context of open systems and games. For in-
stance, [
37
] studies the problem of synthesizing a strategy for an agent with a parametric-LTL
objective in a turn-based graph-game against an adversarial environment. A number of
variations are studied, e.g., decide whether there exists a valuation (resp. for all valuations) of
the variables such that there exists a strategy for the agent that enforces the given parametric-
LTL formula. The complexity of these problems is, again, no worse than that of solving
ordinary LTL games, i.e., 2
EXPTIME
. The technique used to prove these upper bounds is
the alternating-colour technique of [
30
] that allows one to replace a prompt formula by an
LTL formula, and was originally introduced to reason about Prompt-LTL, the fragment of
parametric-LTL without
Gx
. We remark that Church’s synthesis for Prompt-LTL formulas
was shown in [30] to have complexity no worse than that of LTL, i.e., 2EXPTIME.
Promptness was first studied in the context of multi-agent systems in [
4
]. They study
the model-checking problem for the logic
Prompt-ATL
and its fragments, for memoryless
and memoryful strategies. Again, one finds that the complexity of model checking prompt
variations is no worse than the non-prompt ones. That paper also studies the case of systems
with imperfect information. We remark that the formula of Prompt Strategy Logic mentioned
above is not a formula of
Prompt-ATL
because the bound
N
can depend on the strategy
of agent a2, which is not possible in Prompt-ATL.
Promptness has also been studied in relation with classic infinitary winning conditions
in games on graphs. In bounded parity games, the even colors represent requests and odd
colors represent grants, and the objective of the player is to ensure that every request is
promptly followed by a larger grant [
12
,
34
]. We discuss this in Example 6. Such winning
conditions have been generalised to games with costs in [
21
,
22
], leading to the construction
of efficient algorithms for synthesizing controllers with prompt specifications.
Promptness in automata can be studied using various notions of automata with counters
that only affect the acceptance condition. For instance, a run in a prompt Büchi-automaton
is successful if there is a bound on the time between visits to the Büchi set. The expressive
power, the cost of translating between such automata, and complexity of decision problems
(such as containment) have been studied in [1, 12].
The theory of regular cost functions [
14
,
16
] defines automata and logics able to express
boundedness properties in various settings. For instance, the logics Prompt-LTL,PLTL and
kTL are in some precise sense subsumed by the
LTL
logic from [
26
], which extends LTL with
a bounded until
ϕUNϕ0
allowing
ϕ
not to hold in at most
N
(possibly non-consecutive)
places before
ϕ0
holds. A decision procedure for this logic has been given through the
compilation into cost automata on words. In this paper, we rely on several results from
the theory of regular cost functions, and develop some new ones for the study of Prompt
Strategy Logic and Bounding-outcome Strategy Logic. A major open problem in the theory
of regular cost functions over infinite trees is the equivalence between general cost automata.
To handle the bounded until operator in branching-time logics one would need to first prove
this equivalence, which has been proved to be beyond our reach today [
20
]. In this work we
rely on a weaker version of this equivalence for distance automata.
To the best of our knowledge, the only previous works on quantitative extensions of
Strategy Logic consider games with counters and allow for the expression of constraints on
CVIT 2016
23:4 Quantifying Bounds in Strategy Logic
their values in formulas. The model-checking problem for these logics is undecidable, even
when restricted to the case of energy constraints, which can only state that the counters
remain above certain thresholds [
23
]. For the Boolean Goal fragment of Strategy Logic in
the case of one counter, the problem is still open [
9
,
23
]. The present work thus provides the
first decidable quantitative extension of Strategy Logic.
Plan.
In Section 2 we recall Branching-time Strategy Logic. We introduce and motivate our
two quantitative extensions, Prompt-SL and BOSL, in Section 3 and Section 4 respectively.
In Section 5 we solve their model-checking problem by introducing the intermediary logic
Bound-QCTL
and developing an automata construction based on automata with counters.
2 Branching-time Strategy Logic
In this section we recall Branching-time Strategy Logic [
25
], a variant of Strategy Logic [
33
].
For the rest of the paper we fix a number of parameters:
AP
is a finite set of atomic
propositions,
Ag
is a finite set of agents or players,
Act
is a finite set of actions, and
Var
is a
finite set of strategy variables. The alphabet is Σ=2AP.
Notations.
Afinite (resp. infinite)word over Σis an element of Σ
(resp. Σ
ω
). The length
of a finite word
w
=
w0w1. . . wn
is
|w|
=
n
+ 1, and
last
(
w
) =
wn
is its last letter. Given a
finite (resp. infinite) word
w
and 0
i < |w|
(resp.
iN
), we let
wi
be the letter at position
i
in
w
,
wi
is the prefix of
w
that ends at position
i
and
wi
is the suffix of
w
that starts at
position
i
. We write
w4w0
if
w
is a prefix of
w0
. The cardinal of a set
S
is written
Card
(
S
).
2.1 Games
We start with classic notions related to concurrent games on graphs.
IDefinition 1
(Game)
.
Aconcurrent game structure (or game for short) is a structure
G
= (
V, v0,
, `
)where
V
is the set of vertices,
v0V
is the initial vertex,∆ :
V×ActAg V
is the transition function, and `:VΣis the labelling function.
Joint actions.
In a vertex
vV
, each player
aAg
chooses an action
c
(
a
)
Act
, and the
game proceeds to the vertex ∆(
v, c
), where
cActAg
stands for the joint action (
c
(
a
))
aAg
.
Given a joint action c= (c(a))aAg and aAg, we let c(a)denote c(a).
Plays and strategies.
Afinite (resp. infinite)play is a finite (resp. infinite) word
ρ
=
v0. . . vn
(resp.
π
=
v0v1. . .
) such that for every
i
such that 0
i < |ρ| −
1(resp.
i
0),
there exists a joint action
c
such that ∆(
vi,c
) =
vi+1
. A strategy is a partial function
σ:V+*Act mapping each finite play to an action, and Strat is the set of all strategies.
Assignments.
An assignment is a partial function
χ
:
Ag Var *Strat
, assigning to each
player and variable in its domain a strategy. For an assignment
χ
, a player
a
and a strategy
σ
,
χ
[
a7→ σ
]is the assignment of domain
dom
(
χ
)
∪ {a}
that maps
a
to
σ
and is equal to
χ
on
the rest of its domain, and
χ
[
s7→ σ
]is defined similarly, where
s
is a variable; also,
χ
[
a7→
?]
is the assignment of domain dom(χ)\ {a}, on which it is equal to χ.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:5
Outcomes.
For assignment
χ
and finite play
ρ
,
Out
(
χ, ρ
)is the set of infinite plays that
start with
ρ
and are then extended by letting players follow the strategies assigned by
χ
.
Formally,
Out
(
χ, ρ
)is the set of plays
ρ·v1v2. . .
such that for all
i
0, there exists
c
such
that for all adom(χ)Ag, caχ(a)(ρ·v1. . . vi)and vi+1 = ∆(vi,c), with v0=last(ρ).
2.2 BSL syntax
The core of Branching-time Strategy Logic, on which we build Prompt Strategy Logic and
Bounding-outcome Strategy Logic, is the full branching-time temporal logic
CTL
. This
differs from usual variants of Strategy Logic which are based on the linear-time temporal
logic LTL. The main difference is the introduction of an outcome quantifier which quantifies
on outcomes of the currently fixed strategies. While in SL temporal operators could only be
evaluated in contexts where all agents were assigned a strategy, this outcome quantifier allows
for evaluation of (branching-time) temporal properties on partial assignments of strategies to
agents. We recall Branching-time Strategy Logic, introduced in [
25
], which has the same
expressive power as SL but allows to express branching-time properties without resorting to
computationally expensive strategy quantifications.
At the syntax level, in addition to usual boolean connectives and temporal operators, we
have four constructs:
strategy quantification:
, which means “there exists a strategy
s
such that
ϕ
holds”,
assigning a strategy to a player: (
a, s
)
ϕ
, which is interpreted as “when the agent
a
plays
according to s,ϕholds”,
unbinding a player: (
a,
?)
ϕ
, which is interpreted as “
ϕ
holds after agent
a
has been
unbound from her strategy, if any”, and
quantifying over outcomes:
Aψ
, which reads as “
ψ
holds in all outcomes of the strategies
currently assigned to agents”.
The difference between BSL and SL lies in the last two constructs. Note that unbinding
agents was irrelevant in linear-time SL, where assignments need to be total to evaluate
temporal properties.
IDefinition 2
(BSL syntax)
.
The set of BSL formulas is the set of state formulas given by
the following grammar:
State formulas: ϕ::= p| ¬ϕ|ϕϕ| ∃|(a, s)ϕ|(a, ?)ϕ|Aψ
Path formulas: ψ::= ϕ| ¬ψ|ψψ|Xψ|ψUψ,
where pAP, a Ag and sVar.
We use classic abbreviations >=p∨ ¬p,Fψ=>Uψ,Gψ=¬F¬ψand =¬∃s¬ϕ.
A variable
s
appears free in a formula
ϕ
if it appears in a binding operator (
a, s
)that is
not in the scope of any strategy quantifier hhsii.
2.3 BSL semantics
Given a formula
ϕBSL
, an assignment is variable-complete for
ϕ
if its domain contains all
free strategy variables of ϕ.
IDefinition 3
(BSL semantics)
.
The semantics of a state formula is defined on a game
G
,
an assignment
χ
that is variable-complete for
ϕ
, and a finite play
ρ
. For a path formula
CVIT 2016
23:6 Quantifying Bounds in Strategy Logic
ψ
, the finite play is replaced with an infinite play
π
and an index
iN
. The definition by
mutual induction is as follows:
G, χ, ρ |=pif p`(last(ρ))
G, χ, ρ |=¬ϕif G, χ, ρ 6|=ϕ
G, χ, ρ |=ϕϕ0if G, χ, ρ |=ϕor G, χ, ρ |=ϕ0
G, χ, ρ |=if there exists σStrat s.t. G, χ[s7→ σ], ρ |=ϕ
G, χ, ρ |= (a, s)ϕif G, χ[a7→ χ(s)], ρ |=ϕ
G, χ, ρ |= (a, ?)ϕif G, χ[a7→?], ρ |=ϕ
G, χ, ρ |=Aψif for all πOut(χ, ρ),G, χ, π, |ρ| − 1|=ψ
G, χ, π, i |=ϕif G, χ, πi|=ϕ
G, χ, π, i |=¬ψif G, χ, π , i 6|=ψ
G, χ, π, i |=ψψ0if G, χ, π , i |=ψor G, χ, π , i |=ψ0
G, χ, π, i |=Xψif G, χ, π , i + 1 |=ψ
G, χ, π, i |=ψUψ0if jis.t. G, χ, π , j |=ψ0and ks.t. ik < j, G, χ, π, k |=ψ
BSL has the same expressivity as SL, and there are linear translations in both directions [
25
].
More precisely, the translation from BSL to SL is linear in the size of the formula times
the number of players; indeed, the outcome quantifier is simulated in SL by a strategy
quantification and a binding for each player who is not currently bound to a strategy. This
translation may thus increase the nesting and alternation depth of strategy quantifiers in the
formula, which is known to increase the complexity of the model-checking problem [13, 33].
3 Prompt Strategy Logic
In this section we introduce Prompt-SL, an extension of both BSL and Prompt-LTL.
3.1 Prompt-SL syntax
The syntax of Prompt-SL extends that of branching-time strategy logic BSL with two
additional constructs, where Nis a variable over natural numbers:
a bounded version of the classical “eventually” operator written FN, and
an existential quantification on the values of variable N, written N.
As in Prompt-LTL, the formula
FNψ
states that
ψ
will hold at the latest within
N
steps from the present. For a formula
ϕ
of Prompt-SL there is a unique bound variable
N
: indeed, in the spirit of Prompt-LTL where a unique bound must exist for all prompt-
eventualities, formulas of our logic cannot use more than one bound variable. However, in
Prompt-SL, existential quantification on
N
is part of the syntax, which allows to freely
combine quantification on the (unique) bound variable
N
with other operators of the logic. In
particular one can express the existence of a unique bound that should work for all strategies,
or instead that the bound may depend on the strategy (see Example 6).
IDefinition 4
(Prompt-SL syntax)
.
The syntax of Prompt-SL formulas is defined by the
following grammar:
State formulas: ϕ::= p| ¬ϕ|ϕϕ| ∃|(a, s)ϕ|(a, ?)ϕ|Aψ| ∃Nϕ
Path formulas: ψ::= ϕ| ¬ψ|ψψ|Xψ|ψUψ|FNψ
where
pAP
,
sVar
,
aAg
and
N
is a fixed bounding variable. A Prompt-SL sentence
is a state formula with no free strategy variable, in which every
FN
is in the scope of some
N, and FNand Nalways appear positively, i.e. under an even number of negations.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:7
3.2 Prompt-SL semantics
We now define the semantics of Prompt-SL.
IDefinition 5
(Prompt-SL semantics)
.
The semantics is defined inductively as follows,
where
ϕ
(resp.
ψ
) is a cost-SL state (resp. path) formula,
G
is a game,
χ
is an assignment
variable-complete for
ϕ
(resp.
ψ
),
ρ
is a finite play,
π
an infinite one,
iN
is a point in time
and nNis a bound.
G, χ, ρ, n |=pif p`(last(ρ))
G, χ, ρ, n |=¬ϕif G, χ, ρ, n 6|=ϕ
G, χ, ρ, n |=ϕϕ0if G, χ, ρ, n |=ϕor G, χ, ρ, n |=ϕ0
G, χ, ρ, n |=if there exists σStrat s.t. G, χ[s7→ σ], ρ, n |=ϕ
G, χ, ρ, n |= (a, s)ϕif G, χ[a7→ χ(s)], ρ, n |=ϕ
G, χ, ρ, n |= (a, ?)ϕif G, χ[a7→?], ρ, n |=ϕ
G, χ, ρ, n |=Aψif for all πOut(χ, ρ),G, χ, π, |ρ| − 1|=ϕ
G, χ, ρ, n |=N ϕ if there exists n0Nsuch that G, χ, ρ, n0|=ϕ
G, χ, π, i, n |=ϕif G, χ, πi|=ϕ
G, χ, π, i, n |=¬ψif G, χ, π , i, n 6|=ψ
G, χ, π, i, n |=ψψ0if G, χ, π , i, n |=ψor G, χ, π, i, n |=ψ0
G, χ, π, i, n |=Xψif G, χ, π , i + 1, n |=ψ
G, χ, π, i, n |=ψUψ0if jis.t. G, χ, π , j |=ψ0
and ks.t. ik < j, G, χ, π, k |=ψ
G, χ, π, i, n |=FNψif there exists j[i, n]such that G, χ, π, j, n |=ψ.
The semantics of a sentence Φdoes not depend on the bound
n
, and we may write
G, χ, ρ |
= Φ if
G, χ, ρ, n |
= Φ for some
n
. In addition a sentence does not require an
assignment for its evaluation. Given a game
G
with initial vertex
v0
and a sentence Φ, we
write G |= Φ if G,, v0|= Φ, where is the empty assignment.
IExample 6.
In bounded parity games [
12
,
34
] the odd colours represent requests and even
colours represent grants, and the objective of the player
a1
is to ensure against player
a2
that every request is promptly followed by a larger grant. Solving such games can be cast as
a model-checking problem of the Prompt-SL formula
s1(a1, s1)s2(a2, s2)NAG "^
codd
cFN_
d>c even
d#
on the structure in which every vertex is labelled by its color. The finitary parity condition
relaxes the constraint by only requiring requests that appear infinitely often to be promptly
granted, and solving such games can be reduced to model checking the Prompt-SL formula
s1(a1, s1)s2(a2, s2)NAG "^
codd
(cGFc)FN_
d>c even
d#.
Observe that in both these definitions, the bound on the delay between requests and grants
can depend on the outcome, i.e. on the opponent’s strategy. We can also express uniform
variants of these objectives by moving the quantification on the bound
N
before the
quantification on opponent’s strategies
s2
. Such games are studied in the context of the
theory of regular cost functions [
14
,
16
,
15
], and their relationship to the non-uniform variants
has been investigated in [
11
]. The solution to the model-checking problem for Prompt-SL
that we present here allows us to solve both types of games, uniform and non-uniform.
CVIT 2016
23:8 Quantifying Bounds in Strategy Logic
4 Bounding-outcomes Strategy Logic
We now define our second quantitative extension of Strategy Logic, which we call Bounding-
outcomes Strategy Logic, or BOSL.
4.1 BOSL syntax
The syntax of BOSL extends that of strategy logic BSL with two additional constructs:
a bounded version of the outcome quantifier written AN,
an existential quantification on the values of variable N, written N.
BOSL can also be seen as Prompt-SL without the bounded eventually
FN
but with
the novel bounded outcome quantifier
AN
. While formula
Aψ
states that
ψ
holds in all
outcomes of the current assignment,
ANψ
states that
ψ
holds in all of these outcomes
except for at most Nof them.
IDefinition 7
(BOSL syntax)
.
The syntax of BOSL formulas is given by the following
grammar:
State formulas: ϕ::= p| ¬ϕ|ϕϕ| ∃|(a, s)ϕ|(a, ?)ϕ|Aψ|ANψ| ∃Nϕ
Path formulas: ψ::= ϕ| ¬ψ|ψψ|Xψ|ψUψ
where
pAP
,
sVar
,
aAg
and
N
is a fixed bounding variable. A BOSL sentence is a
state formula with no free strategy variable, in which every
AN
is in the scope of some
N
,
and where ANand Nalways appear positively, i.e. under an even number of negations.
4.2 BOSL semantics
IDefinition 8
(BOSL semantics)
.
We only give the definition for the new operator
AN
,
the others are as in Definition 5.
G, χ, ρ, n |=ANψif Card({πOut(ρ, χ) : G, χ, π, |ρ| − 1, n 6|=ψ})n
The full semantics can be found in Appendix A.1. Once again, for a sentence Φwe write
G |= Φ if G,, v0, n |= Φ for some nN, where is the empty assignment.
IExample 9.
As an example we consider the framework of Carayol and Serre [
10
] that
considers games with two players and a third player called “nature”. The usual semantics
is for nature to be a random player, in which case we are interested in whether player 1
has a strategy ensuring to win almost all paths. The paper [
10
] suggests other formalisa-
tions for the third player, of topological, measure-theoretic, and combinatorial nature, and
provides general reductions. For instance, one may fix a constant
N
and write the following
formula
s1
(
a1, s1
)
s2
(
a2, s2
)
AN¬ψ
, stating that player
a1
has a strategy ensuring to win
all but
N
paths. If
N
is a constant the above question is solved in [
10
]. However the
latter work leaves open the question of ensuring that player
a1
wins all but a bounded
number of paths, which is expressible in the Bounding-outcome Strategy Logic formula
s1
(
a1, s1
)
s2
(
a2, s2
)
NAN¬ψ
. Note that the subtlety here is that the value of
N
is
not fixed and may depend on the opponent’s strategy. In this paper we show that the
model-checking problem for Bounding-outcome Strategy Logic is decidable, thereby giving a
solution to this question.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:9
5 Model checking
In this section we solve the model-checking problem for both Prompt-SL and BOSL with a
uniform approach which, in fact, works also for the combination of the two logics. As done
in [
32
] for ATL with strategy context, in [
6
] for an extension of it with imperfect information
and in [
7
] for Strategy Logic with imperfect information, we go through an adequate extension
of
QCTL
, which itself extends
CTL
with second-order quantification. This approach makes
automata constructions and their proof of correctness easier and clearer. In our case we define
an extension of
QCTL
called
Bound-QCTL
, which contains the bounded eventually
FN
from Prompt-LTL and Prompt-SL, a bounded path quantifier
AN
similar to the bounded
outcome quantifier from BOSL, and the quantifier on bounds
N
present in both Prompt-SL
and BOSL. We then recall definitions and results about cost automata, that we use to solve
the model-checking problem for
Bound-QCTL
. We finally solve the model-checking problem
for both Prompt-SL and BOSL by reducing them to model checking Bound-QCTL.
5.1 Bound Quantified QCTL
In this section we define Bound Quantified
CTL
, or
Bound-QCTL
, which extends Prompt-
LTL to the branching-time setting and adds quantification on atomic propositions. One can
also see it as an extension of Quantified
CTL
[
32
] with the bounded eventually operator
and a bounded version of the universal path quantifier. Unlike Prompt-LTL, but similarly
to our Prompt-SL and BOSL, an existential quantification on the bound for the bounded
eventually and bounded outcome quantifier is also part of the syntax.
5.1.1 Bound-QCTLsyntax
IDefinition 10. The syntax of Bound-QCTLis defined by the following grammar:
ϕ=p| ¬ϕ|ϕϕ|Aψ|ANψ| ∃p ϕ | ∃Nϕ
ψ=ϕ| ¬ψ|ψψ|Xψ|ψUψ|FNψ
where pAP, and Nis a fixed bounding variable.
As usual, formulas of type
ϕ
are called state formulas, those of type
ψ
are called
path formulas, and
QCTL
consists of all the state formulas defined by the grammar. We
further distinguish between positive formulas, in which operators
FN
,
AN
and
N
appear
only positively (under an even number of negations), and negative formulas, in which
operators
FN
,
AN
and
N
appear only negatively (under an odd number of negations).
A
Bound-QCTL
sentence is a positive formula such that all operators
FN
and
AN
in
the formula are in the scope of some
N
. Note that we will be interested in model checking
sentences, and every subformula of a sentence is either positive or negative.
5.1.2 Bound-QCTLsemantics
Bound-QCTLformulas are evaluated on (unfoldings of) Kripke structures.
IDefinition 11.
A (finite) Kripke structure is a tuple
S
= (
S, s0, R, `
), where
S
is a finite
set of states,
s0S
is an initial state,
RS×S
is a left-total transition relation
3
, and
`:SΣis a labelling function.
3i.e., for all sS, there exists s0such that (s, s0)R.
CVIT 2016
23:10 Quantifying Bounds in Strategy Logic
Apath in
S
is a finite word
λ
over
S
such that for all
i
,(
λi, λi+1
)
R
. For
sS
, we let
Paths(s)S+be the set of all paths that start in s.
Trees.
Let
S
be a finite set of directions and Σa set of labels. A
, S
)-tree (or simply tree)
is a pair t= (τ, `)where `:τΣis a labelling and τS+is the domain such that:
there exists rS+, called the root of τ, such that each uτstarts with r,i.e. r4u,
if u·sτand u·s6=r, then uτ,
if uτthen there exists sSsuch that u·sτ.
The elements of
τ
are called nodes. If
u·sτ
, we say that
u·s
is a child of
u
. A branch
λ
in
t
is an infinite sequence of nodes such that
λ0τ
and for all
i
,
λi+1
is a child of
λi
, and
Branches
(
t, u
)is the set of branches that start in node
u
. We let
Branches
(
t
)denote the set
of branches that start in the root. If Sis a singleton, a tree becomes an infinite word.
IDefinition 12.
The tree unfolding of a Kripke structure
S
from state
s
is the tree
tS
(
s
) =
(
Paths
(
s
)
, `0
), where for every
uPaths
(
s
), we have
`0
(
u
) =
`
(
last
(
u
)). We may write
tS
for
tS(s0), the unfolding from the initial state.
Projection, subtrees and regular trees.
Given two trees
t, t0
and a proposition
p
, we write
tpt0
if they have same domain
τ
and for all
p0
in
AP
such that
p06
=
p
, for all
u
in
τ
, we
have
p0`
(
u
)if, and only if,
p0`0
(
u
). Given a tree
t
= (
τ, `
)and a node
uτ
, we define
the subtree of
t
rooted in
u
as the tree
tu
= (
τu, `0
)where
τu
=
{vS+:u4v}
and
`0
is
`
restricted to τu. A tree tis said regular if it is the unfolding of a finite Kripke structure.
IDefinition 13.
The semantics
t, u, n |
=
ϕ
and
t, λ, n |
=
ψ
are defined inductively, where
ϕ
is a
Bound-QCTL
state formula,
ψ
is a
Bound-QCTL
path formula,
t
= (
τ, `
)is a tree,
u
is a node,
λ
is a branch in
t
, and
n
in
N
a bound (the inductive cases for classic
CTL
operators can be found in Appendix A.2):
t, u, n |=ANψif Card({λBranches(t, u) : t, λ, n 6|=ψ})n
t, u, n |=p ϕ if t0ptsuch that t0, u, n |=ϕ
t, u, n |=N ϕ if n0Nsuch that t, u, n0|=ϕ,
t, λ, n |=FNψif jsuch that 0jnand t, λj, n |=ψ
The value
JϕKinf
(
t
)(resp.
JϕKsup
(
t
)) of a positive (resp. negative) state formula
ϕ
on a tree
twith root ris defined as
JϕKinf(t) = inf {nN:t, r, n |=ϕ}and JϕKsup(t) = sup {nN:t, r, n |=ϕ},
with the usual convention that
inf
=
and
sup
= 0. In case it is not a positive or negative
formula, its value is undefined. We remark that
{nN:t, r, n |=ϕ}
is downward (resp.
upward) closed if
ϕ
is negative (resp. positive). The value of a sentence Φis always either 0
or
(recall that sentences are necessarily positive formulas and
N
is always quantified),
and given a Kripke structure S, we write S |= Φ if JΦKinf(tS)=0.
5.2 Regular cost functions
In this section we develop the theory of regular cost functions over trees for distance automata.
To this end we define and study the two dual models of
distance
and
distance
-automata
for recognising cost functions [14], referred to as cost automata.
Let
E
be a set of structures (such as infinite words or trees). We define an equivalence
relation
on functions
EN∪ {∞}
by
fg
if for all
XE
,
f
(
X
)is bounded if, and
only if, g(X)is bounded. A cost function over Eis an equivalence class of the relation .
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:11
In Section 5.2.1 we define cost games whose objectives may refer to a single counter that,
in each step, can be incremented or left unchanged. In Section 5.2.2 we define automata
whose semantics are given using cost games. We introduce
distance
-automata and their
duals distance-automata that compute functions EN∪ {∞}. In Section 5.2.3 we focus
on automata over infinite words and the notion of history-deterministic automata.
The novel technical contribution of this section is an extension of the classical property
of history-deterministic automata: the original result says that given a history-deterministic
automaton over infinite words, one can simulate it along every branch of a tree. This is
the key argument to handle the
A
operator in Prompt-SL. In Section 5.2.4 we extend this
result by allowing the automaton to skip a bounded number of paths, which will allow us to
capture the bounded-outcome operator ANin BOSL.
5.2.1 Cost games
The semantics of cost automata are given by turn-based two-player games, which are
essentially a special case of the general notion of games given in Section 3.2. We give here a
slightly modified definition better fitting the technical developments.
IDefinition 14.
Agame is given by
G
= (
V, VE, VA, v0, E , c
), where
V
=
VE]VA
is a set
of vertices divided into the vertices
VE
controlled by Eve and the vertices
VA
controlled by
Adam,
v0V
is an initial vertex,
EV×V
is a left-total transition relation,
c
:
V
is
a labelling function.
Afinite (resp. infinite)play is a finite (resp. infinite) word
ρ
=
v0. . . vn
(resp.
π
=
v0v1. . .
)
such that for every
i
such that 0
i < |ρ| −
1(resp.
i
0), (
vi, vi+1
)
E
. A strategy for
Eve (resp. for Adam) is a function
σ
:
V·VEV
(resp.
σ
:
V·VAV
)such that for all
finite play
ρV·VE
(resp.
ρV·VA
), we have (
last
(
ρ
)
, σ
(
ρ
))
E
. Given a strategy
σ
for Eve and
σ0
for Adam, we let
Outcome
(
σ, σ0
)be the unique infinite play that starts in
v0
and is consistent with σand σ0.
An objective is a set
W
ω
. To make the objective explicit we speak of
W
-games, which
are games with objective
W
. A strategy
σ
for Eve ensures
W
ω
if for all strategy
σ0
of
Adam, the infinite word obtained by applying
c
to each position of the play
Outcome
(
σ, σ0
)
is in
W
. Eve wins the
W
-game
G
if there exists a strategy for her that ensures
W
. The
same notions apply to Adam. We now introduce the objectives we will be using.
Given
dN
, the parity objective
parity ⊆ {1, . . . , d}ω
is the set of infinite words in
which the maximum label appearing infinitely many times is even.
The distance objective uses the set of labels
{, i}
acting on a counter taking values in
the natural numbers and initialised to 0. The labels
and
i
are seen as actions on the
counter: the action
leaves the counter unchanged and
i
increments the counter by 1.
For
nN
, the distance objective
distance
(
n
)
⊆ {, i}ω
is the set of infinite words such
that the counter is bounded by n.
The regular distance objective
fininc ⊆ {, i}ω
is the set of infinite words such that the
counter is incremented finitely many times.
The co-distance objective uses set of labels
{, i}
, where
and
i
have the same interpret-
ation as in
distance
(
n
). For
nN
, the objective
distance
(
n
)
⊆ {, i}ω
is the set of
infinite words such that the counter eventually reaches value n.
The objectives can be combined:
parity distance
(
n
)
({1, . . . , d}×{, i})ω
is the
Cartesian product of the parity and the distance objective (where a pair of infinite words
is assimilated with the infinite word formed of the pairs of letters at same position).
CVIT 2016
23:12 Quantifying Bounds in Strategy Logic
The following result, proven in [
11
], relates
distance
and
fininc
in the context of games.
ILemma 15.
Let
G
be a finite game. There exists
nN
such that Eve wins for
parity
distance(n)iff Eve wins for parity fininc.
5.2.2 Cost automata
We now define automata over , S)-trees.
IDefinition 16.
A (non-deterministic) automaton is a tuple
A
= (
Q, q0, δ, c
)where
Q
is a
finite set of states,
q0Q
is an initial state,
δQ×
Σ
×QS
is a transition relation, and
c:Qis a labelling function.
When an automaton is equipped with an objective
W
ω
we speak of an
W
-automaton.
To define the semantics of
W
-automata, we define acceptance games. Given an
W
-automaton
Aand a , S)-tree t= (τ , `), we define the acceptance W-game GA,t as follows.
The set of vertices is (
Q×τ
)
(
Q×τ×QS
). The vertices of the form
Q×τ
are controlled
by Eve, the others by Adam.
The initial vertex is (q0, r), where ris the root of t.
The transition relation relates the vertex (
q, u
)to (
q, u, h
)if (
q, `
(
u
)
, h
)
δ
, and (
q, u, h
)
is related to (h(s), u ·s)for every sS.
The label of a vertex (q, u)is c(q), and the other vertices are not labelled.
We say that tis accepted by Aif Eve wins the acceptance W-game GA,t.
An equivalent point of view is to say that
t
is accepted by
A
if there exists a (
Q, S
)-tree
with same domain as
t
respecting the transition relation
δ
with respect to
t
, such that all
branches satisfy W.
We instantiate this definition for cost automata: the objective
parity distance
gives
rise to the notion of
distance
-automata. A
distance
-automaton
A
computes the function
JAKdover trees defined by
JAKd(t) = inf {nN:tis accepted by Awith objective parity distance(n)},
and it recognises the -equivalence class of the function JAKd.
Dually, the objective
paritydistance
(
n
)gives rise to
distance
-automata. A
distance
-
automaton Acomputes the function JAKdover trees defined by
JAKd(t) = sup nN:tis accepted by Awith objective parity distance(n)
and recognises the -equivalence class of the function JAKd.
If
A
recognises the
-equivalence class of the function
f
:
E
(
N∪ {∞}
)we abuse
notation and say that Arecognises the function f.
To illustrate the definition of
distance
-automata, we now give an example that will be
useful later on to capture the bounded path quantifier AN.
ILemma 17.
Let
pAP
. There exists a
distance
-automaton recognising the function that
counts the number of paths with infinitely many p’s.
Proof.
Let us say that a path is bad if it contains infinitely many
p
. The
distance
-automaton
Ahas four states:
q0,, whose intuitive semantics is “the tree contains one bad path”,
q0,i, meaning “the tree contains at least two bad paths”,
q1,p and q1,¬p, which mean “the tree does not contain any bad path”.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:13
All states are initial (note that this is an inconsequential abuse because we defined automata
with a single initial state). We use the set of labels Ω = {2,3} × {, i}. The transitions are
as follows, where q0={q0,, q0,i}and q1={q1,p, q1,¬p}.
δ=
(q0,, a, h)if hcontains at most one q0
(q0,i, a, h)if hcontains at least two q0
(q1,¬p, a, h)if p /aand hcontains only q1
(q1,p, a, h)if paand hcontains only q1
The labelling function is
c
(
q0,
) = (2
, 
)
, c
(
q0,i
) = (2
,i
)
, c
(
q1,¬p
) = (2
, 
), and
c
(
q1,p
) = (3
, 
).
We claim that the following two properties hold, which implies Lemma 17.
if tcontains nbad paths, then JAKd(t)n1,
if JAKd(t)n, then tcontains at most Card(S)nbad paths.
Assume that
t
contains
n
bad paths, we construct a run for
A
(i.e., a labelling of
t
with
states of A) as follows. A node uof the tree is labelled by:
q0, if exactly one tu·scontains a bad path for some direction sS,
q0,iif tu·scontain a bad path for at least two different directions sS,
q1,¬pif tudoes not contain a bad path and p /`(u),
q1,p if tudoes not contain a bad path and p`(u).
This yields a valid run whose branches all satisfy the parity condition. Along a branch the
counter is incremented each time there are at least two subtrees with a bad path, which can
happen at most
n
1times because there are
n
bad paths. Hence the maximal value of the
counter on a branch is n1, implying that JAKd(t)n1.
We show the second point by induction on
n
. If
JAKd
(
t
) = 0, then
t
contains at most
one bad path. If
JAKd
(
t
) =
n
+ 1, consider a (
Q, S
)-tree representing a run of value
n
+ 1.
Because
JAKd
(
t
)
1, there is at least one node labelled
q0,i
. By definition of the transition
relation, if there are two nodes on the same level labelled
q0,i
, then they must descend from
another node
q0,i
higher in the tree. Thus there is a unique node
u
labelled
q0,i
that is
closest to the root (it may be the root itself). Except for
u
’s ancestors, which are labelled
with
q0,
, all nodes outside of the subtree rooted in
u
are necessarily labelled with
q1
. The
subtrees rooted in
u
’s children have a run with value at most
n
. By induction hypothesis
each of these subtrees contains at most
Card
(
S
)
n
bad paths, so the tree rooted in
u
contains
at most
Card
(
S
)
n+1
bad paths. Since nodes labelled by
q1
cannot contain a bad path, this
means that tcontains at most Card(S)n+1 bad paths. J
The objective
parity
gives rise to parity automata. The following lemma follows from
the observation that fininc is an ω-regular objective.
ILemma 18.
For every automaton with objective
parity fininc
one can construct an
equivalent parity automaton.
5.2.3 Regular cost functions over words
The definitions of cost-automata can be applied to infinite words, which is the particular
case where
S
is a singleton. A central notion in the theory of regular cost functions is that of
history-deterministic automata over infinite words. Informally, a non-deterministic automaton
is history-deterministic if its non-determinism can be resolved by a function considering only
the input read so far. This notion has been introduced for studying
ω
-automata in [
24
]. We
specialise it here to the case of cost functions, involving a relaxation on the values allowing
for a good interplay with the definition of equivalence for cost functions.
CVIT 2016
23:14 Quantifying Bounds in Strategy Logic
To give a formal definition we introduce the notation
Aσ
for
A
a
W
-automaton and a
strategy
σ
: Σ
δ
, where
δ
is the transition relation of
A
:
Aσ
is a (potentially infinite) de-
terministic
W
-automaton (
Q×
Σ
,
(
q0, ε
)
, δσ, cσ
)where ((
q, w
)
, a,
(
q0, wa
))
δσjust if σ
(
w
) =
(
q, a, q0
)
,
and
cσ
(
q, w
) =
c
(
q
). The automaton
Aσ
is infinite but deterministic, as for each
situation the strategy σchooses the transition to follow.
IDefinition 19
([
14
,
17
])
.
We say that a
distance
-automaton
A
over infinite words is
history-deterministic if there exists a function
α
:
NN
such that for every
n
there exists a
strategy σsuch that for all words wwe have JAKd(w)n=JAσKd(w)α(n).
We now explain the usefulness of the notion of history-deterministic automata. The
situation is the following: we consider a language
L
over infinite words, and we want to
construct an automaton for the language of trees “all branches are in
L
. Given a deterministic
automaton for
L
one can easily solve this problem by constructing an automaton running
the deterministic automaton on all branches.
In the quantitative setting we consider here, we have a function
f
: Σ
ωN∪ {∞}
instead of
L
, and we wish to construct an automaton computing the function over trees
t7→ sup {f(λ) : λBranches(t)}.
Unfortunately,
distance
-automata do not determinise,
so the previous approach needs to be refined. The construction fails for non-deterministic
automata, because two branches may have very different accepting runs even on their shared
prefix. The notion of history-deterministic automata yields a solution to this problem, as
stated in the following theorem.
ITheorem 20
([
18
])
.
Let
A
be a history-deterministic
distance
-automaton over infinite
words. One can construct a distance-automaton recognising the function over trees
t7→ sup {JAKd(λ) : λBranches(t)}
We present an extension of this result where the function can remove a bounded number
of paths in the computation. The proof is in Appendix A.3.
ITheorem 21.
Let
A
be a history-deterministic
distance
-automaton over infinite words.
One can construct a distance-automaton recognising the function over trees
t7→ inf {max(Card(B),sup {JAKd(λ) : λ /B}) : BBranches(t)}.
The idea is to combine Awith the automaton defined in the proof of Lemma 17.
5.2.4 Regular cost functions over trees
We introduce the notion of nested automata, which is parameterised by an objective
W
ω
.
Nested automata can be seen as a special form of alternating automata which will be
convenient to work with in the technical developments.
IDefinition 22. Anested W-automaton with kslaves over , S)-trees is given by
amaster automaton A, which is a W-automaton over (2k, S)-trees, and
kslave automata (Ai)i[k], which are W-automata over , S)-trees.
The transition relation of the master is
δQ×
2
k×QS
. We describe the modus operandi
of a nested automaton informally. Let
t
be a tree and
u
a node in
t
, labelled with state
q
. To take the next transition the master automaton interrogates its slaves: the transition
(
q, v, h
)
δ
is allowed if for all
iv
, the subtree
tu
is accepted by
Ai
. The formal semantics
of nested W-automata can be found in Appendix A.4.
The following theorem shows the equivalence between
distance
and
distance
-automata
over regular trees.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:15
ITheorem 23
([
15
])
.
Let
f
be a cost function over regular trees. The fol lowing statements
are effectively equivalent:
there exists a distance-automaton recognising f,
there exists a nested distance-automaton recognising f,
there exists a distance-automaton recognising f,
there exists a nested distance-automaton recognising f.
5.3 Model checking Bound-QCTL
The model-checking problem for Bound-QCTLis the following decision problem: given an
instance
,S
)where Φis a sentence of
Bound-QCTL
and
S
is a Kripke structure, return
‘Yes’ if
S |
= Φ and ‘No’ otherwise. In this section we prove that this problem is decidable by
reducing it to the emptiness problem of parity automata.
We will use the following result about distance-automata over infinite words.
ITheorem 24
([
26
,
27
])
.
For every Prompt-LTL formula
ψ
, we can construct a history-
deterministic distance-automaton Asuch that JAKdJψKinf.
ITheorem 25.
Let Φbe a sentence of
Bound-QCTL
. We construct a non-deterministic
parity automaton
AΦ
over
, S
)-trees such that for every Kripke structure
S
over the set of
states S, we have S |= Φ if, and only if, AΦaccepts the unfolding tS.
Proof.
Let Φbe a sentence and
S
a finite set of states. Throughout this proof, by trees we
mean regular trees, so in particular is understood over such trees.
For each subformula ϕof Φ, we construct by induction on ϕthe following automata:
1. if ϕis positive, a distance-automaton Aϕsuch that JAϕKdJϕKinf,
2. if ϕis negative, a distance-automaton Aϕsuch that JAϕKdJϕKsup.
We give the most interesting inductive cases, the remaining ones can be found in Appendix A.5.
ϕ=Aψ:
The idea is similar to the automata construction for branching-time logic [
31
]:
intuitively, treat
ψ
as an LTL formula over maximal state subformulas, run a deterministic
automaton for
ψ
on all branches of the tree, and launch automata for the maximal state
subformulas of
ψ
when needed. In our case, we will construct a nested automaton to do this,
and in place of a deterministic parity automaton for
ψ
we will use a history-deterministic
distance
-automaton. Finally, we will convert the nested
distance
-automaton into a
distance-automaton.
Suppose that
ϕ
is positive (the case that
ϕ
is negative is treated dually). Then also
ψ
is
positive. We will construct a nested distance-automaton Bsuch that JBKdJϕKinf.
Let
ϕ1, . . . , ϕk
be the maximal state subformulas of the path formula
ψ
. We see these
formulas as atomic propositions, so that the formula
ψ
can be seen as a Prompt-LTL
formula on infinite words over the alphabet 2
k
. Apply Theorem 24 to
ψ
to get a history-
deterministic
distance
-automaton
Aψ
over infinite words such that
JAψKdJψKinf
.
Then, apply Theorem 20 to
Aψ
to get a
distance
-automaton
A
such that
JAKd
(
t
) =
sup {JAψKd(λ) : λBranches(t)}. The master of Bis A.
Since
ψ
is positive, the formulas
ϕ1, . . . , ϕk
are either positive or negative. By the
induction hypothesis, for every
i
, if
ϕi
is positive we construct a
distance
-automaton
Ai
such that
JAiKdJϕiKinf
; and if
ϕi
is negative, we construct a
distance
-automaton
A0
i
such that
JA0
iKdJϕiKsup
. In the latter case, thanks to Theorem 23 we construct a
distance-automaton Aisuch that JAiKdJϕiKsup. The slaves of Bare A1,...,Ak.
This completes the construction of B, see Appendix A.5 for its correctness.
CVIT 2016
23:16 Quantifying Bounds in Strategy Logic
ϕ=ANψ:
The construction is the same as for
Aψ
, except for the construction of the
master
A
, in which we replace Theorem 20 by Theorem 21 to account for the possibility
of removing a bounded number of paths.
ϕ=Nϕ0:
Note that
ϕ
cannot be negative. Since
ϕ
is positive, also
ϕ0
is positive. By the
induction hypothesis, there exists a
distance
-automaton
Aϕ0
such that
JAϕ0KdJϕ0Kinf
.
Since ϕis a positive sentence, we have JϕKinf(t)∈ {0, ω}for every t. Now,
JϕKinf(t)=0⇒ ∃nN,Jϕ0Kinf(t)n
⇒ ∃nN,Eve wins GAϕ0,t for the objective parity distance(n)
Eve wins GAϕ0,t for the objective parity fininc
The third equivalence follows from Lemma 15. We can now apply Lemma 18 to the
parity fininc
-automaton
Aϕ0
to get an equivalent parity automaton
Aϕ
. Then the
last item is equivalent to Eve winning the parity game
GAϕ,t
, which is equivalent to
JAϕKd(t) = 0 (since JAϕKd(t)∈ {0, ω }because Aϕhas no counter).
This completes the proof of the inductive hypothesis. Finally, since Φis a sentence,
AΦ
is a
parity automaton. Indeed, in the inductive steps, the boundedness operators introduces a
counter (if there was not one already), the
N
step removes the counter, and other operators
applied to arguments that do not have a counter produce automata with no counters. J
5.4 Model checking Prompt-SL and BOSL
The model-checking problem for Prompt-SL (resp. BOSL) is the following: given a game
G
and a sentence Φof Prompt-SL (resp. BOSL), decide whether G |= Φ.
As for
ATL
with strategy context [
32
] and Strategy Logic with imperfect information [
7
],
the model-checking problems for both Prompt-SL and BOSL (as well as their combination)
can be easily reduced to that of
Bound-QCTL
(see Appendix A.6). As a consequence of
these reductions and of Theorem 25, we get:
ITheorem 26. The model-checking problem is decidable for Prompt-SL and BOSL.
The model-checking procedure is nonelementary, but because Prompt-SL and BOSL
subsume SL we know from [
33
] that no elementary procedure exists. We leave precise
complexity analysis for future work.
6 Conclusion
We introduced two quantitative extensions of Branching-time Strategy Logic (BSL), i.e.,
Prompt-SL that extends BSL with
FN
that limits the range of the eventuality, and BOSL
that extends BSL with
AN
that limits the range of the outcome quantifier. We proved that
model checking both these logics is decidable. To the best of our knowledge these are the
first quantitative extensions of SL with decidable model-checking problem.
In order to prove our results we used notions from the theory of regular cost functions
to develop new technical insights necessary to address Prompt-SL and BOSL. Moreover,
as an intermediate formalism between cost automata and logics for strategic reasoning we
introduced
Bound-QCTL
, a quantitative extension of
QCTL
, and proved its model checking
decidable. Using this, it is easy to see that also the extension of BSL with
N
and both
FNand ANhas a decidable model-checking problem.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:17
References
1Shaull Almagor, Yoram Hirshfeld, and Orna Kupferman. Promptness in ω-regular auto-
mata. In ATVA, LNCS 6252, pages 22–36. Springer, 2010.
2Rajeev Alur, Kousha Etessami, Salvatore La Torre, and Doron Peled. Parametric temporal
logic for “model measuring”. ACM Transactions on Computational Logic, 2(3):388–407,
2001.
3Rajeev Alur, Thomas A. Henzinger, and Orna Kupferman. Alternating-time temporal logic.
Journal of the ACM, 49(5):672–713, 2002.
4Benjamin Aminof, Aniello Murano, Sasha Rubin, and Florian Zuleger. Prompt alternating-
time epistemic logics. In KR, pages 258–267. AAAI Press, 2016. URL: http://www.aaai.
org/ocs/index.php/KR/KR16/paper/view/12890.
5Mordechai Ben-Ari, Zohar Manna, and Amir Pnueli. The temporal logic of branching time.
In POPL, pages 164–176, 1981.
6Raphaël Berthon, Bastien Maubert, and Aniello Murano. Decidability results for ATL*
with imperfect information and perfect recall. In AAMAS, 2017.
7Raphaël Berthon, Bastien Maubert, Aniello Murano, Sasha Rubin, and Moshe Y. Vardi.
Strategy logic with imperfect information. In LICS, 2017.
8Alessandro Bianco, Fabio Mogavero, and Aniello Murano. Graded computation tree logic.
ACM Transactions on Computational Logic, 13(3):25:1–25:53, 2012. URL: http://doi.
acm.org/10.1145/2287718.2287725,doi:10.1145/2287718.2287725.
9Patricia Bouyer, Patrick Gardy, and Nicolas Markey. Weighted strategy logic with boolean
goals over one-counter games. In FSTTCS 2015, pages 69–83, 2015. URL: https://doi.
org/10.4230/LIPIcs.FSTTCS.2015.69,doi:10.4230/LIPIcs.FSTTCS.2015.69.
10 Arnaud Carayol and Olivier Serre. How good is a strategy in a game with nature? In
LICS, pages 609–620. IEEE Computer Society, 2015.
11 Krishnendu Chatterjee and Nathanaël Fijalkow. Infinite-state games with finitary condi-
tions. In CSL, pages 181–196, 2013. URL: https://doi.org/10.4230/LIPIcs.CSL.2013.
181,doi:10.4230/LIPIcs.CSL.2013.181.
12 Krishnendu Chatterjee, Thomas A Henzinger, and Florian Horn. Finitary winning in ω-
regular games. ACM Transactions on Computational Logic, 11(1):1, 2009.
13 Krishnendu Chatterjee, Thomas A. Henzinger, and Nir Piterman. Strategy Logic. Inform-
ation and Computation, 208(6):677–693, 2010. URL: http://dx.doi.org/10.1016/j.ic.
2009.07.004,doi:10.1016/j.ic.2009.07.004.
14 Thomas Colcombet. The theory of stabilisation monoids and regular cost functions. In
ICALP, 2009.
15 Thomas Colcombet. Fonctions régulières de coût. Habilitation Thesis, 2013.
16 Thomas Colcombet. Regular cost functions, part I: logic and algebra over words. Logical
Methods in Computer Science, 9(3), 2013.
17 Thomas Colcombet and Nathanaël Fijalkow. The bridge between regular cost functions
and ω-regular languages. In ICALP, pages 126:1–126:13, 2016. URL: https://doi.org/
10.4230/LIPIcs.ICALP.2016.126,doi:10.4230/LIPIcs.ICALP.2016.126.
18 Thomas Colcombet and Christof Löding. Regular cost functions over finite trees. In LICS,
pages 70–79, 2010. URL: https://doi.org/10.1109/LICS.2010.36,doi:10.1109/LICS.
2010.36.
19 E. Allen Emerson and Joseph Y. Halpern. “Sometimes” and “Not Never” revisited: On
branching versus linear time. In POPL, pages 127–140, 1983.
20 Nathanaël Fijalkow, Florian Horn, Denis Kuperberg, and Michał Skrzypczak. Trading
bounds for memory in games with counters. In ICALP, pages 197–208, 2015. URL: https:
//doi.org/10.1007/978-3-662-47666-6_16,doi:10.1007/978-3-662-47666- 6_16.
CVIT 2016
23:18 Quantifying Bounds in Strategy Logic
21 Nathanaël Fijalkow and Martin Zimmermann. Cost-Parity and Cost-Street Games. In
FSTTCS, volume LIPIcs 18, pages 124–135, 2012.
22 Nathanaël Fijalkow and Martin Zimmermann. Parity and Streett games with costs. Logical
Methods in Computer Science, 10(2), 2014. URL: https://doi.org/10.2168/LMCS-10(2:
14)2014,doi:10.2168/LMCS-10(2:14)2014.
23 Patrick Gardy. Semantics of Strategy Logic. Thèse de doctorat, Laboratoire Spécification
et Vérification, ENS Cachan, France, June 2017. URL: https://tel.archives- ouvertes.
fr/tel-01561802.
24 Thomas A. Henzinger and Nir Piterman. Solving games without determinization. In CSL,
pages 395–410, 2006.
25 Sophia Knight and Bastien Maubert. Dealing with imperfect information in strategy logic.
In SR, 2015.
26 Denis Kuperberg. Linear temporal logic for regular cost functions. Logical Methods in
Computer Science, 10(1), 2014.
27 Denis Kuperberg and Michael Vanden Boom. On the expressive power of cost logics over
infinite words. In ICALP, pages 287–298, 2012.
28 O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi. Open systems in
reactive environments: Control and synthesis. In CONCUR, LNCS 1877, pages 92–107.
Springer, 2000.
29 Orna Kupferman, Giuseppe Perelli, and Moshe Y. Vardi. Synthesis with rational en-
vironments. Annals of Mathematics and Artificial Intelligence, 78(1):3–20, 2016. URL:
https://doi.org/10.1007/s10472-016-9508-8,doi:10.1007/s10472-016-9508-8.
30 Orna Kupferman, Nir Piterman, and Moshe Y Vardi. From liveness to promptness. Formal
Methods in System Design, 34(2):83–103, 2009.
31 Orna Kupferman, Moshe Y. Vardi, and Pierre Wolper. An automata-theoretic approach
to branching-time model checking. Journal of the ACM, 47(2):312–360, 2000. URL: http:
//doi.acm.org/10.1145/333979.333987,doi:10.1145/333979.333987.
32 François Laroussinie and Nicolas Markey. Augmenting ATL with strategy contexts. In-
formation and Computation, 245:98–123, 2015.
33 Fabio Mogavero, Aniello Murano, Giuseppe Perelli, and Moshe Y. Vardi. Reasoning
about strategies: On the model-checking problem. ACM Transactions on Computa-
tional Logic, 15(4):34:1–34:47, 2014. URL: http://doi.acm.org/10.1145/2631917,doi:
10.1145/2631917.
34 Fabio Mogavero, Aniello Murano, and Loredana Sorrentino. On promptness in parity games.
Fundamenta Informaticae, 139(3):277–305, 2015.
35 Amir Pnueli. The temporal logic of programs. In FOCS, pages 46–57, 1977.
36 Amir Pnueli and Roni Rosner. On the synthesis of a reactive module. In POPL, pages
179–190, 1989.
37 Martin Zimmermann. Optimal bounds in parametric LTL games. Theoretical Computer
Science, 493:30–45, 2013. URL: http://dx.doi.org/10.1016/j.tcs.2012.07.039,doi:
10.1016/j.tcs.2012.07.039.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:19
A Appendix
A.1 BOSL semantics
IDefinition 4.
The semantics is defined inductively as follows, where
ϕ
(resp.
ψ
) is a
cost-SL state (resp. path) formula,
G
is a game,
χ
is an assignment variable-complete for
ϕ
(resp.
ψ
),
ρ
is a finite play,
π
an infinite one,
iN
is a point in time and
nN
is a bound.
G, χ, ρ, n |=pif p`(last(ρ))
G, χ, ρ, n |=¬ϕif G, χ, ρ, n 6|=ϕ
G, χ, ρ, n |=ϕϕ0if G, χ, ρ, n |=ϕor G, χ, ρ, n |=ϕ0
G, χ, ρ, n |=if there exists σStrat s.t. G, χ[s7→ σ], ρ, n |=ϕ
G, χ, ρ, n |= (a, s)ϕif G, χ[a7→ χ(s)], ρ, n |=ϕ
G, χ, ρ, n |= (a, ?)ϕif G, χ[a7→?], ρ, n |=ϕ
G, χ, ρ, n |=Aψif for all πOut(χ, ρ),G, χ, π, |ρ| − 1|=ϕ
G, χ, ρ, n |=ANψif |{πOut(ρ, χ)| G, χ, π, |ρ| − 1, n 6|=ψ}| ≤ n
G, χ, ρ, n |=N ϕ if there exists n0Nsuch that G, χ, ρ, n0|=ϕ
G, χ, π, i, n |=ϕif G, χ, πi|=ϕ
G, χ, π, i, n |=¬ψif G, χ, π , i, n 6|=ψ
G, χ, π, i, n |=ψψ0if G, χ, π , i, n |=ψor G, χ, π, i, n |=ψ0
G, χ, π, i, n |=Xψif G, χ, π , i + 1, n |=ψ
G, χ, π, i, n |=ψUψ0if jis.t. G, χ, π , j |=ψ0
and ks.t. ik < j, G, χ, π, k |=ψ
A.2 Bound-QCTLsemantics
Given two trees
t, t0
and an atomic proposition
p
, we write
tpt0
if they have the same
domain
τ
and for all
p0
in
AP
such that
p06
=
p
, for all
u
in
τ
, we have
p0`
(
u
)iff
p0`0
(
u
);
IDefinition 7.
The semantics
t, u, n |
=
ϕ
and
t, λ, n |
=
ψ
are defined inductively, where
ϕ
is a
Bound-QCTL
state formula,
ψ
is a
Bound-QCTL
path formula,
t
= (
τ, `
)is a tree,
u
is a node, λis a branch in t, and nin Na bound:
t, u, n |=pif p`(u)
t, u, n |=¬ϕif t, u, n 6|=ϕ
t, u, n |=ϕϕ0if t, u, n |=ϕor t, u, n |=ϕ0
t, u, n |=Aψif λBranches(t, u)we have t, λ, n |=ψ
t, u, n |=ANψif Card({λBranches(t, u) : t, λ, n 6|=ψ})n
t, u, n |=p ϕ if t0ptsuch that t0, u, n |=ϕ
t, u, n |=N ϕ if n0Nsuch that t, u, n0|=ϕ,
t, λ, n |=ϕif t, λ0, n |=ϕ
t, λ, n |=¬ψif t, λ, n 6|=ψ
t, λ, n |=ψψ0if t, λ, n |=ψor t, λ, n |=ψ0
t, λ, n |=Xψif t, λ1, n |=ψ
t, λ, n |=ψUψ0if j0such that t, λj, n |=ψ0
and ksuch that 0k < j, t, λk, n |=ψ
t, λ, n |=FNψif jsuch that 0jnand t, λj, n |=ψ
CVIT 2016
23:20 Quantifying Bounds in Strategy Logic
A.3 Proof of Theorem 21
ITheorem 21.
Let
A
be a history-deterministic
distance
-automaton over infinite words.
One can construct a distance-automaton recognising the function over trees
f:t7→ inf {max(n, sup {JAKd(λ) : λ /B}) : nN, B Branches(t),Card(B)n}.
To prove Theorem 21 we combine
A
with the automaton defined in the proof of Lemma 17.
Proof.
We write
A
= (
Q, q0, δ, c
)for the history-deterministic
distance
-automaton over
infinite words, and let us say that the set of labels is {1, . . . , d}×{, i}with deven.
We construct a
distance
-automaton
B
for
f
as follows. The set of states is
Q×
{p0,, p0,i, p1}
, where the semantics of
p0,
and
p0,i
is “some path will be skipped” and
p1
means “no path will be skipped”. The initial state is (
q0, p0,
). The first component simulates
the automaton Aon all branches, while the second acts as follows, with p0={p0,, p0,i}.
δ=
(p0,, a, h)if hcontains at most one p0
(p0,i, a, h)if hcontains at least two p0
(p1, a, h)if hcontains only p1
The labelling function c0is
c0(q, p0, ) = (d, a)where c(q)=(o, a)
c0(q, p0,i)=(d, i)where c(q)=(o, a)
c0(q, p1) = c(q)
The proof of correctness is the same as for Lemma 17, substantiating the following claims:
if f(t)n, then JBKd(t)n,
if JBKd(t)n, then f(t)Card(S)n.
J
A.4 Semantics of nested W-automata
IDefinition 22. Anested W-automaton with kslaves over , S)-trees is given by
amaster automaton A, which is a W-automaton over (2k, S)-trees, and
kslave automata (Ai)i[k], which are W-automata over , S)-trees.
The transition relation of the master is
δQ×
2
k×QS
. We describe the modus operandi
of a nested automaton informally. Let
t
be a tree and
u
a node in
t
, labelled with state
q
. To take the next transition the master automaton interrogates its slaves: the transition
(q, v, h)δis allowed if for all iv, the subtree tuis accepted by Ai.
To define the semantics of nested
W
-automata, we define the corresponding acceptance
games. Given a nested
W
-automaton
B
= (
A,
(
Ai
)
i[k]
)and a tree
t
, we define the acceptance
W-game GB,t as follows. Let A= (Q, q0, δ, c).
The set of vertices is (
Q×t
)
(
Q×t×QS
). The vertices of the form (
q, u
)are controlled
by Eve, those of the form (q, u, h)by Adam.
The initial vertex is (q0, r), where ris the root of t.
The transition relation Eis defined as follows
((q, u)E(q, u, h)if (q , `(u), h)δand iv, tuis accepted by Ai,
(q, u, h)E(h(s), u ·s)..
The labelling function maps (q, u)to c(q), the other vertices are not labelled.
We say that tis accepted by Bif Eve wins the acceptance W-game GB,t.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:21
A.5 Proof of Theorem 25
ITheorem 25.
Let Φbe a sentence of
Bound-QCTL
. We construct a non-deterministic
parity automaton
AΦ
over
, S
)-trees such that for every Kripke structure
S
over the set of
states S, we have S |= Φ if, and only if, AΦaccepts the unfolding tS.
Proof.
Let Φbe a sentence and
S
a finite set of states. Throughout this proof, by trees we
mean regular trees, so in particular is understood over such trees.
For each subformula ϕof Φ, we construct by induction on ϕthe following automata:
1. if ϕis positive, a distance-automaton Aϕsuch that JAϕKdJϕKinf,
2. if ϕis negative, a distance-automaton Aϕsuch that JAϕKdJϕKsup.
Here are the constructions or proofs of correctness not present in the body of the paper.
ϕ=p:
The formula
ϕ
is both positive and negative. Seeing it a positive formula, we define a
distance-automaton Apwith one state q0and transition function defined as follows:
δ(q0, a) = (>if pa
otherwise.
Seeing
ϕ
as a negative formula, we define a
distance
-automaton
Ap
in exactly the same
way.
ϕ=¬ϕ0:
If ϕis negative, then ϕ0is positive. By definition,
JϕKsup(t) = sup {nN:t, r, n |=ϕ}= inf {nN:t, r, n |=ϕ0} − 1 = Jϕ0Kinf (t)1.
In particular,
JϕKsup Jϕ0Kinf
. By induction hypothesis, there exists a
distance
-
automaton
Aϕ0
such that
JAϕ0KdJϕ0Kinf
. Thanks to Theorem 23, there exists a
distance-automaton Aϕsuch that JAϕKdJAϕ0Kd. It follows that JAϕKdJϕKsup.
If
ϕ
is positive, then
ϕ0
is negative, and a similar reasoning applies, using Theorem 23 to
turn a distance-automaton into an equivalent distance-automaton.
ϕ=ϕ1ϕ2:
If
ϕ
is positive, then both
ϕ1
and
ϕ2
are positive. By induction hypothesis, there exist
two
distance
-automata
Aϕ1
and
Aϕ2
such that
JAϕ1KdJϕ1Kinf
and
JAϕ2KdJϕ2Kinf
.
We construct
Aϕ
by taking the disjoint union of
Aϕ1
and
Aϕ2
and adding a new initial
state that nondeterministically chooses which of
Aϕ1
or
Aϕ2
to execute on the input tree,
so that JAϕKd= min {JAϕ1Kd,JAϕ2Kd} ≈ min {Jϕ1Kinf,Jϕ2Kinf }=JϕKinf.
If
ϕ
is negative, both
ϕ1
and
ϕ2
are negative. The same construction yields an automaton
Aϕsuch that JAϕKd= max JAϕ1Kd,JAϕ2Kdmax {Jϕ1Ksup ,Jϕ2Ksup}=JϕKsup .
ϕ=Aψ:
The idea is similar to the automata construction for branching-time logic [
31
]:
intuitively, treat
ψ
as an LTL formula over maximal state subformulas, run a deterministic
automaton for
ψ
on all branches of the tree, and launch automata for the maximal state
subformulas of
ψ
when needed. In our case, we will construct a nested automaton to do this,
and in place of a deterministic parity automaton for
ψ
we will use a history-deterministic
distance
-automaton. Finally, we will convert the nested
distance
-automaton into a
distance-automaton.
So, suppose that
ϕ
is positive (the case that
ϕ
is negative is treated dually). Then also
ψ
is positive. We will construct a nested distance-automaton Bsuch that JBKdJϕKinf.
Let
ϕ1, . . . , ϕk
be the maximal state subformulas of the path formula
ψ
. We see these
formulas as atomic propositions, so that the formula
ψ
can be seen as a Prompt-LTL
CVIT 2016
23:22 Quantifying Bounds in Strategy Logic
formula on infinite words over the alphabet 2
k
. Apply Theorem 24 to
ψ
to get a history-
deterministic
distance
-automaton
Aψ
over infinite words such that
JAψKdJψKinf
.
Then, apply Theorem 20 to
Aψ
to get a
distance
-automaton
A
such that
JAKd
(
t
) =
sup {JAψKd(λ) : λBranches(t)}. The master of Bis A.
Since
ψ
is positive, the formulas
ϕ1, . . . , ϕk
are either positive or negative. By the
induction hypothesis, for every
i
, if
ϕi
is positive we construct a
distance
-automaton
Ai
such that
JAiKdJϕiKinf
; and if
ϕi
is negative, we construct a
distance
-automaton
A0
i
such that
JA0
iKdJϕiKsup
. In the latter case, thanks to Theorem 23 we construct a
distance-automaton Aisuch that JAiKdJϕiKsup. The slaves of Bare A1,...,Ak.
This completes the construction of
B
. We now prove that
JBKdJϕKinf
. For the sake of
simplicity, we assume that
JAψKd
=
JψKd
and
JAiKd
=
JϕiK
for every
i
, i.e. we replace
by equality. This simplification does not affect the arguments and makes the proof easier
to read.
We prove that
JϕKinf JBKd
. It is sufficient to show that
JBKd
(
t
)
n
implies
JϕKinf
(
t
)
n
. A run of
B
on
t
witnessing that
JBKd
(
t
)
n
yields for each branch
λ
a run of
Aψ
such that
JAψKd
(
λ
)
n
. The slave automata diligently check that the
atomic propositions
ϕ1, . . . , ϕk
have been correctly used, so indeed
t, λ, n |
=
ψ
, thus
JϕKinf(t)n.
We prove that
JBKdJϕKinf
. It is sufficient to show that
JϕKinf
(
t
)
n
implies
JBKd
(
t
)
n
. By the semantics of
ϕ
for all branches
λ
of
t
we have
t, λ, n |
=
ψ
. This
yields a run of Bon twitnessing that JBKd(t)n.
Finally, applying Theorem 23 to the nested
distance
-automaton
B
we get a
distance
-
automaton Aϕsuch that JAϕKdJBKd.
ϕ=pϕ0:
If ϕis positive, then ϕ0is positive. In this case unravelling the definitions we have
JϕKinf(t) = inf {Jϕ0Kinf(t0) : t0pt}.
By the induction hypothesis, there exists a
distance
-automaton
Aϕ0
such that
JAϕ0Kd
Jϕ0Kinf
. We obtain a
distance
-automaton
Aϕ
by performing the usual projection oper-
ation. Everything remains the same, but the transition relation: (
q, a, h
)is in the new
transition relation if there exists
a0
such that
a0pa
and (
q, a0, h
)is in
δ
, where
a0pa
if for all p0in AP such that p06=p, we have p0a0if, and only if, pa.
If
ϕ
is negative, then
ϕ0
is negative. The same reasoning and construction applies in this
case, with
JϕKsup(t) = sup {Jϕ0Ksup(t0) : t0pt}.
This completes the proof of the inductive hypothesis. Finally, since Φis a sentence,
AΦ
is a
parity automaton. Indeed, in the inductive steps, the boundedness operators introduces a
counter (if there was not one already), the
N
step removes the counter, and every other
operator applied to arguments that do not have a counter produces an automaton with no
counters. J
A.6 Reductions for Prompt-SL and BOSL
Models transformation.
We first define for every game
G
a Kripke structure
SG
and a
bijection
ρ7→ uρ
between the set of finite plays starting in the initial vertex and the set of
nodes in
tSG
. We consider propositions
APv
=
{pv|vV}
, that we assume to be disjoint
from AP. Define the Kripke structure SG= (S, R, s0, `0)where
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:23
S={sv|vV},
R={(sv, sv0)| ∃cActAg s.t. ∆(v, c) = v0} ⊆ S2,
s0=sv0, and
`0(sv) = `(v)∪ {pv} ⊆ AP APv.
For every finite play
ρ
=
v0. . . vk
, define the node
uρ
=
sv0. . . svk
in
tSG
(which exists, by
definition of
SG
and of tree unfoldings). Note that the mapping
ρ7→ uρ
defines a bijection
between the set of paths from v0and the set of nodes in tSG.
Formulas translation.
Given a game
G
and a formula
ϕ
of Prompt-SL or BOSL, we define
a
Bound-QCTL
formula (
ϕ
)such that
G |
=
ϕ
if and only if
SG|
= (
ϕ
). More precisely, this
translation is parameterised with a partial function
f
:
Ag *Var
which records bindings of
agents to strategy variables. Suppose that
Act
=
{c1, . . . , cl}
. We define the two functions
(·)f
sand (·)f
pby mutual induction on, respectively, state formulas ϕand path formulas ψ.
Here is the definition of (·)f
sfor state formulas:
(p)f
s=p(¬ϕ)f
s=¬(ϕ)f
s
(ϕ1ϕ2)f
s= (ϕ1)f
s(ϕ2)f
s(Nϕ)f
s=N(ϕ)f
s
((a, s)ϕ)f
s= (ϕ)f[a7→s]
s((a, ?)ϕ)f
s= (ϕ)f[a7→?]
s
()f
s=ps
c1. . . ps
clstr(s)(ϕ)f
s,where ϕstr(s) = AG _
cAct
(ps
c^
c06=c
¬ps
c0)
(Aψ)f
s=A(ψout(f)(ψ)f
p) (ANψ)f
s=AN(ψout(f)(ψ)f
p)
where
ψout(f) = G^
vV
pv_
cActAg
^
adom(f)
pf(a)
caXp∆(v,c)
,
and for path formulas:
(ϕ)f
p= (ϕ)f
s(¬ψ)f
p=¬(ψ)f
p
(ϕ1ϕ2)f
p= (ϕ1)f
p(ϕ2)f
p(Xψ)f
p=X(ψ)f
p
(ψUψ0)f
p= (ψ)f
pU(ψ0)f
p(FNψ)f
p=FN(ψ)f
p
One can prove the following lemma, where
ϕ
is either a Prompt-SL or a BOSL formula.
The translation is essentially the same as in [
32
] and [
7
], and the cases for the new operators
should be clear from their semantics.
ILemma 26.
Suppose that
dom
(
f
) =
dom
(
χ
)
Ag
and for all
adom
(
f
),
f
(
a
) =
x
implies
χ(a) = χ(x). Then
G, χ, ρ, n |=ϕif and only if tSG, uρ, n |= (ϕ)f.
Applying this to a sentence Φ, any assignment
χ
, the initial vertex
v0
of
G
, any bound
n
and the empty function , we get that
G |=ϕif and only if tSG|= (ϕ).
CVIT 2016
... We build on the branching-time variant of SL [40], which does not add expressiveness with respect to the classic semantics [57] but presents several benefits (see [40] for more details), one of them being that it makes the connection with Quantified CTL tighter. ...
... We build on the branching-time variant of SL [40], which does not add expressiveness with respect to the classic semantics [57] but presents several benefits (see [40] for more details), one of them being that it makes the connection with Quantified CTL tighter. ...
... This reduction is a rather straightforward adaptation of the usual one for qualitative variants of SL (see e.g. [53,11,40]). We essentially observe that it can be lifted to the quantitative setting. ...
Preprint
Temporal logics are extensively used for the specification of on-going behaviours of reactive systems. Two significant developments in this area are the extension of traditional temporal logics with modalities that enable the specification of on-going strategic behaviours in multi-agent systems, and the transition of temporal logics to a quantitative setting, where different satisfaction values enable the specifier to formalise concepts such as certainty or quality. We introduce and study FSL---a quantitative extension of SL (Strategy Logic), one of the most natural and expressive logics describing strategic behaviours. The satisfaction value of an FSL formula is a real value in [0,1], reflecting `how much' or `how well' the strategic on-going objectives of the underlying agents are satisfied. We demonstrate the applications of FSL in quantitative reasoning about multi-agent systems, by showing how it can express concepts of stability in multi-agent systems, and how it generalises some fuzzy temporal logics. We also provide a model-checking algorithm for our logic, based on a quantitative extension of Quantified CTL*.
... We use a variant of the reductions presented in (Laroussinie and Markey 2015;Fijalkow et al. 2018;Berthon et al. 2017;Maubert and Murano 2018;Bouyer et al. 2019), which transform instances of the model-checking problem for various strategic logics to (extensions of) QCTL * . ...
Conference Paper
Nondeterministic strategies are strategies (or protocols, or plans) that, given a history in a game, assign a set of possible actions, all of which are winning. An important problem is that of refining such strategies. For instance, given a nondeterministic strategy that allows only safe executions, refine it to, additionally, eventually reach a desired state of affairs. We show that strategic problems involving strategy refinement can be solved elegantly in the framework of Strategy Logic (SL), a very expressive logic to reason about strategic abilities. Specifically, we introduce an extension of SL with nondeterministic strategies and an operator expressing strategy refinement. We show that model checking this logic can be done at no additional computational cost with respect to standard SL, and can be used to solve a variety of problems such as synthesis of maximally permissive strategies or refinement of Nash equilibria.
... Similarly, Bounded-Outcome SL adds a bound on the number of outcomes that must satisfy a given path formula. Again, model checking is decidable for those extensions [17]. ...
Article
Full-text available
Strategy Logic (SL) is a very expressive logic for specifying and verifying properties of multi-agent systems: in SL, one can quantify over strategies, assign them to agents, and express properties of the resulting plays. Such a powerful framework has two drawbacks: first, model checking SL has non-elementary complexity; second, the exact semantics of SL is rather intricate, and may not correspond to what is expected. In this paper, we focus on strategy dependences in SL, by tracking how existentially-quantified strategies in a formula may (or may not) depend on other strategies selected in the formula. We study different kinds of dependences, refining the approach of [Mogavero et al., Reasoning about strategies: On the model-checking problem, 2014], and prove that they give rise to different satisfaction relations. In the setting where strategies may only depend on what they have observed, we identify a large fragment of SL for which we prove model checking can be performed in 2EXPTIME.
Article
Full-text available
Synthesis is the automated construction of a system from its specification. The system has to satisfy its specification in all possible environments. The environment often consists of agents that have objectives of their own. Thus, it makes sense to soften the universal quantification on the behavior of the environment and take the objectives of its underlying agents into an account. Fisman et al. introduced rational synthesis: the problem of synthesis in the context of rational agents. The input to the problem consists of temporal logic formulas specifying the objectives of the system and the agents that constitute the environment, and a solution concept (e.g., Nash equilibrium). The output is a profile of strategies, for the system and the agents, such that the objective of the system is satisfied in the computation that is the outcome of the strategies, and the profile is stable according to the solution concept; that is, the agents that constitute the environment have no incentive to deviate from the strategies suggested to them. In this paper we continue to study rational synthesis. First, we suggest an alternative definition to rational synthesis, in which the agents are rational but not cooperative. We call such problem strong rational synthesis. In the strong rational synthesis setting, one cannot assume that the agents that constitute the environment take into account the strategies suggested to them. Accordingly, the output is a strategy for the system only, and the objective of the system has to be satisfied in all the compositions that are the outcome of a stable profile in which the system follows this strategy. We show that strong rational synthesis is 2ExpTime-complete, thus it is not more complex than traditional synthesis or rational synthesis. Second, we study a richer specification formalism, where the objectives of the system and the agents are not Boolean but quantitative. In this setting, the objective of the system and the agents is to maximize their outcome. The quantitative setting significantly extends the scope of rational synthesis, making the game-theoretic approach much more relevant. Finally, we enrich the setting to one that allows coalitions of agents that constitute the system or the environment.
Conference Paper
Full-text available
We study two-player games with counters, where the objective of the first player is that the counter values remain bounded. We investigate the existence of a trade-off between the size of the memory and the bound achieved on the counters, which has been conjectured by Colcombet and Löding. We show that unfortunately this conjecture does not hold: there is no trade-off between bounds and memory, even for finite arenas. On the positive side, we prove the existence of a trade-off for the special case of thin tree arenas.
Conference Paper
Full-text available
In temporal logics, the operator F expresses that at some time in the future something happens, e.g., a request is eventually granted. Unfortunately, there is no bound on the time until the eventuality is satisfied which in many cases does not correspond to the intuitive meaning system designers have, namely, that F abstracts the idea that there is a bound on this time although its magnitude is not known. An elegant way to capture this meaning is through Prompt-LTL, which extends LTL with the operator Fp (“prompt eventually”). We extend this work by studying alternating-time epistemic temporal logics extended with Fp . We study the model-checking problem of the logic Prompt-KATL*, which is ATL* extended with epistemic operators and prompt eventually. We also obtain results for the model-checking problem of some of its fragments. Namely, of Prompt-KATL (ATL with epistemic operators and prompt eventually), Prompt-KCTL* (CTL* with epistemic operators and prompt eventually), and finally the existential fragments of Prompt-KATL* and Prompt-KATL.
Article
Full-text available
Parity games are infinite-duration two-player turn-based games that provide powerful formal-method techniques for the automatic synthesis and verification of distributed and reactive systems. This kind of game emerges as a natural evaluation technique for the solution of the μ -calculus model-checking problem and is closely related to alternating ω -automata. Due to these strict connections, parity games are a well-established environment to describe liveness properties such as “every request that occurs infinitely often is eventually responded”. Unfortunately, the classical form of such a condition suffers from the strong drawback that there is no bound on the effective time that separates a request from its response, i.e., responses are not promptly provided. Recently, to overcome this limitation, several variants of parity game have been proposed, in which quantitative requirements are added to the classic qualitative ones. In this paper, we make a general study of the concept of promptness in parity games that allows to put under a unique theoretical framework several of the cited variants along with new ones. Also, we describe simple polynomial reductions from all these conditions to either Büchi or parity games, which simplify all previous known procedures. In particular, they allow to lower the complexity class of cost and bounded-cost parity games recently introduced. Indeed, we provide solution algorithms showing that determining the winner of these games is in UPTIME ∩ COUPTIME.
Conference Paper
We introduce an extension of Strategy logic for the imperfect-information setting, called SL ii , and study its model-checking problem. As this logic naturally captures multi-player games with imperfect information, the problem turns out to be undecidable. We introduce a syntactical class of " hierarchical instances " for which, intuitively, as one goes down the syntactic tree of the formula, strategy quantifications are concerned with finer observations of the model. We prove that model-checking SL ii restricted to hierarchical instances is decidable. This result, because it allows for complex patterns of existential and universal quantification on strategies, greatly generalises previous ones, such as decidability of multi-player games with imperfect information and hierarchical observations, and decidability of distributed synthesis for hierarchical systems. To establish the decidability result, we introduce and study QCTL * ii , an extension of QCTL (itself an extension of CTL with second-order quantification over atomic propositions) by parameterising its quantifiers with observations. The simple syntax of QCTL * ii allows us to provide a conceptually neat reduction of SL ii to QCTL * ii that separates concerns, allowing one to forget about strategies and players and focus solely on second-order quantification. While the model-checking problem of QCTL * ii is, in general, undecidable, we identify a syntactic fragment of hierarchical formulas and prove, using an automata-theoretic approach, that it is decidable. The decidability result for SL ii follows since the reduction maps hierarchical instances of SL ii to hierarchical formulas of QCTL * ii .
Article
Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternative-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also, the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas. Depending on whether we admit arbitrary nesting of selective path quantifiers and temporal operators, we obtain the two alternating-time temporal logics ATL and ATL*. We interpret the formulas of ATL and ATL* over alternating transition systems. While in ordinary transitory systems, each transition corresponds to a possible step of the system, in alternating transition systems, each transition corresponds to a possible move in the game between the system and the environment. Fair alternating transition systems can capture both synchronous and asynchronous compositions f open systems. For synchronous systems, the expressive power of ATL beyond CTL comes at no cost: the model-checking complexity of synchronous ATL is linear in the size of the system and the length of the formula. The symbolic model-checking algorithm for CTL extends with few modifications to synchronous ATL, and with some work, also to asynchronous to ATL, whose model-checking complexity is quadratic. This makes ATL an obvious candidate for the automatic verification of open systems. In the case of ATL*, the model-checking problem is closely related to the synthesis problem for linear-time formulas, and requires doubly exponential time for both synchronous and asynchronous systems.
Article
We study the extension of the alternating-time temporal logic (ATL) with strategy contexts: contrary to the original semantics, in this semantics the strategy quantifiers do not reset the previously selected strategies.We show that our extension ATLsc is very expressive, but that its decision problems are quite hard: model checking is k-EXPTIME-complete when the formula has k nested strategy quantifiers; satisfiability is undecidable, but we prove that it is decidable when restricting to turn-based games. Our algorithms are obtained through a very convenient translation to QCTL (the computation-tree logic CTL extended with atomic quantification), which we show also applies to Strategy Logic, as well as when strategy quantification ranges over memoryless strategies.
Article
We consider two-player games played on finite graphs equipped with costs on edges and introduce two winning conditions, cost-parity and cost-Streett, which require bounds on the cost between requests and their responses. Both conditions generalize the corresponding classical ω-regular conditions as well as the corresponding finitary conditions. For cost-parity games we show that the first player has positional winning strategies and that determining the winner lies in NP ∩ coNP. For cost-Streett games we show that the first player has finite-state winning strategies and that determining the winner is EXPTIME-complete. This unifies the complexity results for the classical and finitary variants of these games. Both types of cost games can be solved by solving linearly many instances of their classical variants.