Content uploaded by Aniello Murano
Author content
All content in this area was uploaded by Aniello Murano on Nov 09, 2018
Content may be subject to copyright.
Quantifying Bounds in Strategy Logic
Nathanaël Fijalkow1
CNRS, LaBRI, Bordeaux, France
Alan Turing Institute of data science, London, United Kingdom
nﬁjalkow@turing.ac.uk
0000000265764680
Bastien Maubert2
University of Naples “Federico II”, Naples, Italy
bastien.maubert@gmail.com
0000000290812920
Aniello Murano
University of Naples “Federico II”, Naples, Italy
murano@na.infn.it
Sasha Rubin
University of Naples “Federico II”, Naples, Italy
sasha.rubin@unina.it
Abstract
Program synthesis constructs programs from speciﬁcations in an automated way. Strategy Logic
(SL) is a powerful and versatile speciﬁcation language whose goal is to give theoretical foundations
for program synthesis in a multiagent setting. One limitation of Strategy Logic is that it is purely
qualitative. For instance it cannot specify quantitative properties of executions such as “every
request is quickly granted”, or quantitative properties of trees such as “most executions of the
system terminate”. In this work, we extend Strategy Logic to include quantitative aspects in a way
that can express bounds on “how quickly” and “how many”. We deﬁne Prompt Strategy Logic,
which encompasses Prompt LTL (itself an extension of LTL with a prompt eventuality temporal
operator), and we deﬁne BoundedOutcome Strategy Logic which has a bounded quantiﬁer on
paths. We supply a general technique, based on the study of automata with counters, that solves
the modelchecking problems for both these logics.
2012 ACM Subject Classiﬁcation Logic and Veriﬁcation
Keywords and phrases Prompt LTL, Strategy Logic, Model checking, Automata with counters
Digital Object Identiﬁer 10.4230/LIPIcs.CVIT.2016.23
1 Introduction
In order to reason about strategic aspects in distributed systems, temporal logics of programs
(such as LTL [
35
], CTL [
5
] and
CTL∗
[
19
]) have been extended with operators expressing the
existence of strategies for coalitions of components. Among the most successful proposals are
Alternatingtime Temporal Logic (ATL) [
3
] and, more recently, the more expressive Strategy
Logic (SL) [
13
,
33
]. Both logics can express the existence of strategies for coalitions that
1
This project has received funding from the Alan Turing Institute under EPSRC grant EP/N510129/1
and the DeLTA project (ANR16CE400007).
2
This project has received funding from the European Union’s Horizon 2020 research and innovation
programme under the Marie SklodowskaCurie grant agreement No 709188.
©Nathanaël Fijalkow, Bastien Maubert, Aniello Murano and Sasha Rubin;
licensed under Creative Commons License CCBY
42nd Conference on Very Important Topics (CVIT 2016).
Editors: John Q. Open and Joan R. Access; Article No. 23; pp. 23:1–23:23
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – LeibnizZentrum für Informatik, Dagstuhl Publishing, Germany
23:2 Quantifying Bounds in Strategy Logic
ensure some temporal properties against all possible behaviours of the remaining components.
Moreover, if such strategies exist, one can also obtain witnessing ﬁnitestate strategies. As a
result, synthesizing reactive systems from temporal speciﬁcations [
36
,
28
,
29
] can be reduced
to model checking such strategic logics.
Although quite expressive, for instance Strategy Logic can express important game
theoretic concepts such as the existence of Nash equilibria, such logics can only express
qualitative properties. On the other hand important properties of distributed systems, such
as bounding the maximal number of steps between an event and its reaction, are quantitative.
Parametric extensions of temporal logics have been introduced to capture such properties.
A simple way to extend temporal operators is to annotate them with constant bounds,
e.g.,
F≤kϕ
says that
ϕ
holds within
k
steps where
k∈N
is a constant. However, one may
not know such bounds or care for their exact value when writing the speciﬁcation (or it may
not be practical to compute the bound). Instead, one may replace the constants by variables
N
and ask about the possible valuations of the variables that make the formula true. For
instance, PromptLTL [
2
,
30
] is an extension of LTL with the operator
F≤N
where
N
is a
(unique) variable. The modelchecking problem asks if there exists a valuation of the variable
N
such that the formula holds. In order to reason about and synthesize strategies that ensure
such parametric properties, we introduce “Prompt Strategy Logic”, an extension of SL with
the
F≤N
operator. For instance, the formula
∃s1
(
a1, s1
)
∀s2
(
a2, s2
)
∃NAGF≤Np
expresses
that there exists a strategy for agent
a1
such that for all strategies of agent
a2
there is a
bound
N
(that can depend on the strategy for
a2
) such that in all outcomes (generated by
the remaining agents) the atom pholds at least once every Nsteps.
Another way to parameterise temporal logics is to bound the path quantiﬁers, expressing,
for instance, that at least
k
diﬀerent paths satisfy
ψ
, or all but
k
paths satisfy
ψ
[
8
]. Such
operators can bound, for instance, how well a lineartime temporal property holds, thus giving
a measure of “coverage”. We introduce “BoundingOutcome Strategy Logic” which extends
Strategy Logic with a bounded outcome quantiﬁer
A≤N
which allows one to express that
all but
N
outcomes satisfy some property. For instance, the formula
∃s
(
a, s
)
∃NA≤NGFp
expresses that there exists a strategy for agent
a
such that for all but ﬁnitely many outcomes,
the atom
p
holds inﬁnitely often. The algorithmic contribution of this paper is a solution
to the modelchecking problem for both these logics (and their combination). We do this
by applying the theory of regular cost functions. A cost function is an equivalence class of
mappings from the domain (e.g., inﬁnite words) to
N∪ {∞}
with an equivalence relation
that, intuitively speaking, forgets the precise values and focuses on boundedness [14, 16].
Our results allow us to solve a problem left open in [
10
] that considers games with two
players and a third player called “nature” (indicating that it is uncontrollable), and asks
whether there is a strategy for player 1(having very general lineartime objectives) such
that for all strategies of player 2, in the resulting tree (i.e., where nature’s strategy is not
ﬁxed), the number of plays in which player 1does not achieve her objective is “small”. In
particular, in case the lineartime objective is the LTL formula
ψ
and “small” is instantiated
to mean “ﬁnite”, our main result allows one to solve this problem by reducing to model
checking Boundingoutcome Strategy Logic formula
∃s1
(
a1, s1
)
∀s2
(
a2, s2
)
∃NA≤N¬ψ
. In
fact our automata construction can be adapted to deal with all omegaregular objectives.
Related work.
ParametricLTL [
2
] extends LTL with operators of the form
F≤x
and
G≤x
,
where
x
is a variable. The interpretation of
F≤xψ
is that
ψ
holds within
x
steps, and the
interpretation of
G≤x
is that
ψ
holds for at least the next
x
steps. That paper studies
variations on the classic decision problems, e.g., model checking asks to decide if there is a
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:3
valuation of the variables
x1,· · · , xk
such that the formula
ϕ
(
x1,· · · , xk
)holds in the given
structure. Note that for this problem, the formula is equivalent to one in which all variables
are replaced by a single variable. The complexity of these problems is no worse than for
ordinary LTL, i.e., PSPACE. The technique used in this paper to prove these upperbounds
is a pumping lemma that allows one to reduce/enlarge the parameters.
ParametricLTL has been studied in the context of open systems and games. For in
stance, [
37
] studies the problem of synthesizing a strategy for an agent with a parametricLTL
objective in a turnbased graphgame against an adversarial environment. A number of
variations are studied, e.g., decide whether there exists a valuation (resp. for all valuations) of
the variables such that there exists a strategy for the agent that enforces the given parametric
LTL formula. The complexity of these problems is, again, no worse than that of solving
ordinary LTL games, i.e., 2
EXPTIME
. The technique used to prove these upper bounds is
the alternatingcolour technique of [
30
] that allows one to replace a prompt formula by an
LTL formula, and was originally introduced to reason about PromptLTL, the fragment of
parametricLTL without
G≤x
. We remark that Church’s synthesis for PromptLTL formulas
was shown in [30] to have complexity no worse than that of LTL, i.e., 2EXPTIME.
Promptness was ﬁrst studied in the context of multiagent systems in [
4
]. They study
the modelchecking problem for the logic
PromptATL∗
and its fragments, for memoryless
and memoryful strategies. Again, one ﬁnds that the complexity of model checking prompt
variations is no worse than the nonprompt ones. That paper also studies the case of systems
with imperfect information. We remark that the formula of Prompt Strategy Logic mentioned
above is not a formula of
PromptATL∗
because the bound
N
can depend on the strategy
of agent a2, which is not possible in PromptATL∗.
Promptness has also been studied in relation with classic inﬁnitary winning conditions
in games on graphs. In bounded parity games, the even colors represent requests and odd
colors represent grants, and the objective of the player is to ensure that every request is
promptly followed by a larger grant [
12
,
34
]. We discuss this in Example 6. Such winning
conditions have been generalised to games with costs in [
21
,
22
], leading to the construction
of eﬃcient algorithms for synthesizing controllers with prompt speciﬁcations.
Promptness in automata can be studied using various notions of automata with counters
that only aﬀect the acceptance condition. For instance, a run in a prompt Büchiautomaton
is successful if there is a bound on the time between visits to the Büchi set. The expressive
power, the cost of translating between such automata, and complexity of decision problems
(such as containment) have been studied in [1, 12].
The theory of regular cost functions [
14
,
16
] deﬁnes automata and logics able to express
boundedness properties in various settings. For instance, the logics PromptLTL,PLTL and
kTL are in some precise sense subsumed by the
LTL≤
logic from [
26
], which extends LTL with
a bounded until
ϕU≤Nϕ0
allowing
ϕ
not to hold in at most
N
(possibly nonconsecutive)
places before
ϕ0
holds. A decision procedure for this logic has been given through the
compilation into cost automata on words. In this paper, we rely on several results from
the theory of regular cost functions, and develop some new ones for the study of Prompt
Strategy Logic and Boundingoutcome Strategy Logic. A major open problem in the theory
of regular cost functions over inﬁnite trees is the equivalence between general cost automata.
To handle the bounded until operator in branchingtime logics one would need to ﬁrst prove
this equivalence, which has been proved to be beyond our reach today [
20
]. In this work we
rely on a weaker version of this equivalence for distance automata.
To the best of our knowledge, the only previous works on quantitative extensions of
Strategy Logic consider games with counters and allow for the expression of constraints on
CVIT 2016
23:4 Quantifying Bounds in Strategy Logic
their values in formulas. The modelchecking problem for these logics is undecidable, even
when restricted to the case of energy constraints, which can only state that the counters
remain above certain thresholds [
23
]. For the Boolean Goal fragment of Strategy Logic in
the case of one counter, the problem is still open [
9
,
23
]. The present work thus provides the
ﬁrst decidable quantitative extension of Strategy Logic.
Plan.
In Section 2 we recall Branchingtime Strategy Logic. We introduce and motivate our
two quantitative extensions, PromptSL and BOSL, in Section 3 and Section 4 respectively.
In Section 5 we solve their modelchecking problem by introducing the intermediary logic
BoundQCTL∗
and developing an automata construction based on automata with counters.
2 Branchingtime Strategy Logic
In this section we recall Branchingtime Strategy Logic [
25
], a variant of Strategy Logic [
33
].
For the rest of the paper we ﬁx a number of parameters:
AP
is a ﬁnite set of atomic
propositions,
Ag
is a ﬁnite set of agents or players,
Act
is a ﬁnite set of actions, and
Var
is a
ﬁnite set of strategy variables. The alphabet is Σ=2AP.
Notations.
Aﬁnite (resp. inﬁnite)word over Σis an element of Σ
∗
(resp. Σ
ω
). The length
of a ﬁnite word
w
=
w0w1. . . wn
is
w
=
n
+ 1, and
last
(
w
) =
wn
is its last letter. Given a
ﬁnite (resp. inﬁnite) word
w
and 0
≤i < w
(resp.
i∈N
), we let
wi
be the letter at position
i
in
w
,
w≤i
is the preﬁx of
w
that ends at position
i
and
w≥i
is the suﬃx of
w
that starts at
position
i
. We write
w4w0
if
w
is a preﬁx of
w0
. The cardinal of a set
S
is written
Card
(
S
).
2.1 Games
We start with classic notions related to concurrent games on graphs.
IDeﬁnition 1
(Game)
.
Aconcurrent game structure (or game for short) is a structure
G
= (
V, v0,
∆
, `
)where
V
is the set of vertices,
v0∈V
is the initial vertex,∆ :
V×ActAg →V
is the transition function, and `:V→Σis the labelling function.
Joint actions.
In a vertex
v∈V
, each player
a∈Ag
chooses an action
c
(
a
)
∈Act
, and the
game proceeds to the vertex ∆(
v, c
), where
c∈ActAg
stands for the joint action (
c
(
a
))
a∈Ag
.
Given a joint action c= (c(a))a∈Ag and a∈Ag, we let c(a)denote c(a).
Plays and strategies.
Aﬁnite (resp. inﬁnite)play is a ﬁnite (resp. inﬁnite) word
ρ
=
v0. . . vn
(resp.
π
=
v0v1. . .
) such that for every
i
such that 0
≤i < ρ −
1(resp.
i≥
0),
there exists a joint action
c
such that ∆(
vi,c
) =
vi+1
. A strategy is a partial function
σ:V+*Act mapping each ﬁnite play to an action, and Strat is the set of all strategies.
Assignments.
An assignment is a partial function
χ
:
Ag ∪Var *Strat
, assigning to each
player and variable in its domain a strategy. For an assignment
χ
, a player
a
and a strategy
σ
,
χ
[
a7→ σ
]is the assignment of domain
dom
(
χ
)
∪ {a}
that maps
a
to
σ
and is equal to
χ
on
the rest of its domain, and
χ
[
s7→ σ
]is deﬁned similarly, where
s
is a variable; also,
χ
[
a7→
?]
is the assignment of domain dom(χ)\ {a}, on which it is equal to χ.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:5
Outcomes.
For assignment
χ
and ﬁnite play
ρ
,
Out
(
χ, ρ
)is the set of inﬁnite plays that
start with
ρ
and are then extended by letting players follow the strategies assigned by
χ
.
Formally,
Out
(
χ, ρ
)is the set of plays
ρ·v1v2. . .
such that for all
i≥
0, there exists
c
such
that for all a∈dom(χ)∩Ag, ca∈χ(a)(ρ·v1. . . vi)and vi+1 = ∆(vi,c), with v0=last(ρ).
2.2 BSL syntax
The core of Branchingtime Strategy Logic, on which we build Prompt Strategy Logic and
Boundingoutcome Strategy Logic, is the full branchingtime temporal logic
CTL∗
. This
diﬀers from usual variants of Strategy Logic which are based on the lineartime temporal
logic LTL. The main diﬀerence is the introduction of an outcome quantiﬁer which quantiﬁes
on outcomes of the currently ﬁxed strategies. While in SL temporal operators could only be
evaluated in contexts where all agents were assigned a strategy, this outcome quantiﬁer allows
for evaluation of (branchingtime) temporal properties on partial assignments of strategies to
agents. We recall Branchingtime Strategy Logic, introduced in [
25
], which has the same
expressive power as SL but allows to express branchingtime properties without resorting to
computationally expensive strategy quantiﬁcations.
At the syntax level, in addition to usual boolean connectives and temporal operators, we
have four constructs:
strategy quantiﬁcation:
∃sϕ
, which means “there exists a strategy
s
such that
ϕ
holds”,
assigning a strategy to a player: (
a, s
)
ϕ
, which is interpreted as “when the agent
a
plays
according to s,ϕholds”,
unbinding a player: (
a,
?)
ϕ
, which is interpreted as “
ϕ
holds after agent
a
has been
unbound from her strategy, if any”, and
quantifying over outcomes:
Aψ
, which reads as “
ψ
holds in all outcomes of the strategies
currently assigned to agents”.
The diﬀerence between BSL and SL lies in the last two constructs. Note that unbinding
agents was irrelevant in lineartime SL, where assignments need to be total to evaluate
temporal properties.
IDeﬁnition 2
(BSL syntax)
.
The set of BSL formulas is the set of state formulas given by
the following grammar:
State formulas: ϕ::= p ¬ϕϕ∨ϕ ∃sϕ (a, s)ϕ(a, ?)ϕAψ
Path formulas: ψ::= ϕ ¬ψψ∨ψXψψUψ,
where p∈AP, a ∈Ag and s∈Var.
We use classic abbreviations >=p∨ ¬p,Fψ=>Uψ,Gψ=¬F¬ψand ∀sϕ =¬∃s¬ϕ.
A variable
s
appears free in a formula
ϕ
if it appears in a binding operator (
a, s
)that is
not in the scope of any strategy quantiﬁer hhsii.
2.3 BSL semantics
Given a formula
ϕ∈BSL
, an assignment is variablecomplete for
ϕ
if its domain contains all
free strategy variables of ϕ.
IDeﬁnition 3
(BSL semantics)
.
The semantics of a state formula is deﬁned on a game
G
,
an assignment
χ
that is variablecomplete for
ϕ
, and a ﬁnite play
ρ
. For a path formula
CVIT 2016
23:6 Quantifying Bounds in Strategy Logic
ψ
, the ﬁnite play is replaced with an inﬁnite play
π
and an index
i∈N
. The deﬁnition by
mutual induction is as follows:
G, χ, ρ =pif p∈`(last(ρ))
G, χ, ρ =¬ϕif G, χ, ρ 6=ϕ
G, χ, ρ =ϕ∨ϕ0if G, χ, ρ =ϕor G, χ, ρ =ϕ0
G, χ, ρ =∃sϕ if there exists σ∈Strat s.t. G, χ[s7→ σ], ρ =ϕ
G, χ, ρ = (a, s)ϕif G, χ[a7→ χ(s)], ρ =ϕ
G, χ, ρ = (a, ?)ϕif G, χ[a7→?], ρ =ϕ
G, χ, ρ =Aψif for all π∈Out(χ, ρ),G, χ, π, ρ − 1=ψ
G, χ, π, i =ϕif G, χ, π≤i=ϕ
G, χ, π, i =¬ψif G, χ, π , i 6=ψ
G, χ, π, i =ψ∨ψ0if G, χ, π , i =ψor G, χ, π , i =ψ0
G, χ, π, i =Xψif G, χ, π , i + 1 =ψ
G, χ, π, i =ψUψ0if ∃j≥is.t. G, χ, π , j =ψ0and ∀ks.t. i≤k < j, G, χ, π, k =ψ
BSL has the same expressivity as SL, and there are linear translations in both directions [
25
].
More precisely, the translation from BSL to SL is linear in the size of the formula times
the number of players; indeed, the outcome quantiﬁer is simulated in SL by a strategy
quantiﬁcation and a binding for each player who is not currently bound to a strategy. This
translation may thus increase the nesting and alternation depth of strategy quantiﬁers in the
formula, which is known to increase the complexity of the modelchecking problem [13, 33].
3 Prompt Strategy Logic
In this section we introduce PromptSL, an extension of both BSL and PromptLTL.
3.1 PromptSL syntax
The syntax of PromptSL extends that of branchingtime strategy logic BSL with two
additional constructs, where Nis a variable over natural numbers:
a bounded version of the classical “eventually” operator written F≤N, and
an existential quantiﬁcation on the values of variable N, written ∃N.
As in PromptLTL, the formula
F≤Nψ
states that
ψ
will hold at the latest within
N
steps from the present. For a formula
ϕ
of PromptSL there is a unique bound variable
N
: indeed, in the spirit of PromptLTL where a unique bound must exist for all prompt
eventualities, formulas of our logic cannot use more than one bound variable. However, in
PromptSL, existential quantiﬁcation on
N
is part of the syntax, which allows to freely
combine quantiﬁcation on the (unique) bound variable
N
with other operators of the logic. In
particular one can express the existence of a unique bound that should work for all strategies,
or instead that the bound may depend on the strategy (see Example 6).
IDeﬁnition 4
(PromptSL syntax)
.
The syntax of PromptSL formulas is deﬁned by the
following grammar:
State formulas: ϕ::= p ¬ϕϕ∨ϕ ∃sϕ (a, s)ϕ(a, ?)ϕAψ ∃Nϕ
Path formulas: ψ::= ϕ ¬ψψ∨ψXψψUψF≤Nψ
where
p∈AP
,
s∈Var
,
a∈Ag
and
N
is a ﬁxed bounding variable. A PromptSL sentence
is a state formula with no free strategy variable, in which every
F≤N
is in the scope of some
∃N, and F≤Nand ∃Nalways appear positively, i.e. under an even number of negations.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:7
3.2 PromptSL semantics
We now deﬁne the semantics of PromptSL.
IDeﬁnition 5
(PromptSL semantics)
.
The semantics is deﬁned inductively as follows,
where
ϕ
(resp.
ψ
) is a costSL state (resp. path) formula,
G
is a game,
χ
is an assignment
variablecomplete for
ϕ
(resp.
ψ
),
ρ
is a ﬁnite play,
π
an inﬁnite one,
i∈N
is a point in time
and n∈Nis a bound.
G, χ, ρ, n =pif p∈`(last(ρ))
G, χ, ρ, n =¬ϕif G, χ, ρ, n 6=ϕ
G, χ, ρ, n =ϕ∨ϕ0if G, χ, ρ, n =ϕor G, χ, ρ, n =ϕ0
G, χ, ρ, n =∃sϕ if there exists σ∈Strat s.t. G, χ[s7→ σ], ρ, n =ϕ
G, χ, ρ, n = (a, s)ϕif G, χ[a7→ χ(s)], ρ, n =ϕ
G, χ, ρ, n = (a, ?)ϕif G, χ[a7→?], ρ, n =ϕ
G, χ, ρ, n =Aψif for all π∈Out(χ, ρ),G, χ, π, ρ − 1=ϕ
G, χ, ρ, n =∃N ϕ if there exists n0∈Nsuch that G, χ, ρ, n0=ϕ
G, χ, π, i, n =ϕif G, χ, π≤i=ϕ
G, χ, π, i, n =¬ψif G, χ, π , i, n 6=ψ
G, χ, π, i, n =ψ∨ψ0if G, χ, π , i, n =ψor G, χ, π, i, n =ψ0
G, χ, π, i, n =Xψif G, χ, π , i + 1, n =ψ
G, χ, π, i, n =ψUψ0if ∃j≥is.t. G, χ, π , j =ψ0
and ∀ks.t. i≤k < j, G, χ, π, k =ψ
G, χ, π, i, n =F≤Nψif there exists j∈[i, n]such that G, χ, π, j, n =ψ.
The semantics of a sentence Φdoes not depend on the bound
n
, and we may write
G, χ, ρ 
= Φ if
G, χ, ρ, n 
= Φ for some
n
. In addition a sentence does not require an
assignment for its evaluation. Given a game
G
with initial vertex
v0
and a sentence Φ, we
write G = Φ if G,∅, v0= Φ, where ∅is the empty assignment.
IExample 6.
In bounded parity games [
12
,
34
] the odd colours represent requests and even
colours represent grants, and the objective of the player
a1
is to ensure against player
a2
that every request is promptly followed by a larger grant. Solving such games can be cast as
a modelchecking problem of the PromptSL formula
∃s1(a1, s1)∀s2(a2, s2)∃NAG "^
codd
c→F≤N_
d>c even
d#
on the structure in which every vertex is labelled by its color. The ﬁnitary parity condition
relaxes the constraint by only requiring requests that appear inﬁnitely often to be promptly
granted, and solving such games can be reduced to model checking the PromptSL formula
∃s1(a1, s1)∀s2(a2, s2)∃NAG "^
codd
(c∧GFc)→F≤N_
d>c even
d#.
Observe that in both these deﬁnitions, the bound on the delay between requests and grants
can depend on the outcome, i.e. on the opponent’s strategy. We can also express uniform
variants of these objectives by moving the quantiﬁcation on the bound
∃N
before the
quantiﬁcation on opponent’s strategies
∀s2
. Such games are studied in the context of the
theory of regular cost functions [
14
,
16
,
15
], and their relationship to the nonuniform variants
has been investigated in [
11
]. The solution to the modelchecking problem for PromptSL
that we present here allows us to solve both types of games, uniform and nonuniform.
CVIT 2016
23:8 Quantifying Bounds in Strategy Logic
4 Boundingoutcomes Strategy Logic
We now deﬁne our second quantitative extension of Strategy Logic, which we call Bounding
outcomes Strategy Logic, or BOSL.
4.1 BOSL syntax
The syntax of BOSL extends that of strategy logic BSL with two additional constructs:
a bounded version of the outcome quantiﬁer written A≤N,
an existential quantiﬁcation on the values of variable N, written ∃N.
BOSL can also be seen as PromptSL without the bounded eventually
F≤N
but with
the novel bounded outcome quantiﬁer
A≤N
. While formula
Aψ
states that
ψ
holds in all
outcomes of the current assignment,
A≤Nψ
states that
ψ
holds in all of these outcomes
except for at most Nof them.
IDeﬁnition 7
(BOSL syntax)
.
The syntax of BOSL formulas is given by the following
grammar:
State formulas: ϕ::= p ¬ϕϕ∨ϕ ∃sϕ (a, s)ϕ(a, ?)ϕAψA≤Nψ ∃Nϕ
Path formulas: ψ::= ϕ ¬ψψ∨ψXψψUψ
where
p∈AP
,
s∈Var
,
a∈Ag
and
N
is a ﬁxed bounding variable. A BOSL sentence is a
state formula with no free strategy variable, in which every
A≤N
is in the scope of some
∃N
,
and where A≤Nand ∃Nalways appear positively, i.e. under an even number of negations.
4.2 BOSL semantics
IDeﬁnition 8
(BOSL semantics)
.
We only give the deﬁnition for the new operator
A≤N
,
the others are as in Deﬁnition 5.
G, χ, ρ, n =A≤Nψif Card({π∈Out(ρ, χ) : G, χ, π, ρ − 1, n 6=ψ})≤n
The full semantics can be found in Appendix A.1. Once again, for a sentence Φwe write
G = Φ if G,∅, v0, n = Φ for some n∈N, where ∅is the empty assignment.
IExample 9.
As an example we consider the framework of Carayol and Serre [
10
] that
considers games with two players and a third player called “nature”. The usual semantics
is for nature to be a random player, in which case we are interested in whether player 1
has a strategy ensuring to win almost all paths. The paper [
10
] suggests other formalisa
tions for the third player, of topological, measuretheoretic, and combinatorial nature, and
provides general reductions. For instance, one may ﬁx a constant
N
and write the following
formula
∃s1
(
a1, s1
)
∀s2
(
a2, s2
)
A≤N¬ψ
, stating that player
a1
has a strategy ensuring to win
all but
N
paths. If
N
is a constant the above question is solved in [
10
]. However the
latter work leaves open the question of ensuring that player
a1
wins all but a bounded
number of paths, which is expressible in the Boundingoutcome Strategy Logic formula
∃s1
(
a1, s1
)
∀s2
(
a2, s2
)
∃NA≤N¬ψ
. Note that the subtlety here is that the value of
N
is
not ﬁxed and may depend on the opponent’s strategy. In this paper we show that the
modelchecking problem for Boundingoutcome Strategy Logic is decidable, thereby giving a
solution to this question.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:9
5 Model checking
In this section we solve the modelchecking problem for both PromptSL and BOSL with a
uniform approach which, in fact, works also for the combination of the two logics. As done
in [
32
] for ATL with strategy context, in [
6
] for an extension of it with imperfect information
and in [
7
] for Strategy Logic with imperfect information, we go through an adequate extension
of
QCTL∗
, which itself extends
CTL∗
with secondorder quantiﬁcation. This approach makes
automata constructions and their proof of correctness easier and clearer. In our case we deﬁne
an extension of
QCTL∗
called
BoundQCTL∗
, which contains the bounded eventually
F≤N
from PromptLTL and PromptSL, a bounded path quantiﬁer
A≤N
similar to the bounded
outcome quantiﬁer from BOSL, and the quantiﬁer on bounds
∃N
present in both PromptSL
and BOSL. We then recall deﬁnitions and results about cost automata, that we use to solve
the modelchecking problem for
BoundQCTL∗
. We ﬁnally solve the modelchecking problem
for both PromptSL and BOSL by reducing them to model checking BoundQCTL∗.
5.1 Bound Quantiﬁed QCTL∗
In this section we deﬁne Bound Quantiﬁed
CTL∗
, or
BoundQCTL∗
, which extends Prompt
LTL to the branchingtime setting and adds quantiﬁcation on atomic propositions. One can
also see it as an extension of Quantiﬁed
CTL∗
[
32
] with the bounded eventually operator
and a bounded version of the universal path quantiﬁer. Unlike PromptLTL, but similarly
to our PromptSL and BOSL, an existential quantiﬁcation on the bound for the bounded
eventually and bounded outcome quantiﬁer is also part of the syntax.
5.1.1 BoundQCTL∗syntax
IDeﬁnition 10. The syntax of BoundQCTL∗is deﬁned by the following grammar:
ϕ=p ¬ϕϕ∨ϕAψA≤Nψ ∃p ϕ  ∃Nϕ
ψ=ϕ ¬ψψ∨ψXψψUψF≤Nψ
where p∈AP, and Nis a ﬁxed bounding variable.
As usual, formulas of type
ϕ
are called state formulas, those of type
ψ
are called
path formulas, and
QCTL∗
consists of all the state formulas deﬁned by the grammar. We
further distinguish between positive formulas, in which operators
F≤N
,
A≤N
and
∃N
appear
only positively (under an even number of negations), and negative formulas, in which
operators
F≤N
,
A≤N
and
∃N
appear only negatively (under an odd number of negations).
A
BoundQCTL∗
sentence is a positive formula such that all operators
F≤N
and
A≤N
in
the formula are in the scope of some
∃N
. Note that we will be interested in model checking
sentences, and every subformula of a sentence is either positive or negative.
5.1.2 BoundQCTL∗semantics
BoundQCTL∗formulas are evaluated on (unfoldings of) Kripke structures.
IDeﬁnition 11.
A (ﬁnite) Kripke structure is a tuple
S
= (
S, s0, R, `
), where
S
is a ﬁnite
set of states,
s0∈S
is an initial state,
R⊆S×S
is a lefttotal transition relation
3
, and
`:S→Σis a labelling function.
3i.e., for all s∈S, there exists s0such that (s, s0)∈R.
CVIT 2016
23:10 Quantifying Bounds in Strategy Logic
Apath in
S
is a ﬁnite word
λ
over
S
such that for all
i
,(
λi, λi+1
)
∈R
. For
s∈S
, we let
Paths(s)⊆S+be the set of all paths that start in s.
Trees.
Let
S
be a ﬁnite set of directions and Σa set of labels. A (Σ
, S
)tree (or simply tree)
is a pair t= (τ, `)where `:τ→Σis a labelling and τ⊆S+is the domain such that:
there exists r∈S+, called the root of τ, such that each u∈τstarts with r,i.e. r4u,
if u·s∈τand u·s6=r, then u∈τ,
if u∈τthen there exists s∈Ssuch that u·s∈τ.
The elements of
τ
are called nodes. If
u·s∈τ
, we say that
u·s
is a child of
u
. A branch
λ
in
t
is an inﬁnite sequence of nodes such that
λ0∈τ
and for all
i
,
λi+1
is a child of
λi
, and
Branches
(
t, u
)is the set of branches that start in node
u
. We let
Branches
(
t
)denote the set
of branches that start in the root. If Sis a singleton, a tree becomes an inﬁnite word.
IDeﬁnition 12.
The tree unfolding of a Kripke structure
S
from state
s
is the tree
tS
(
s
) =
(
Paths
(
s
)
, `0
), where for every
u∈Paths
(
s
), we have
`0
(
u
) =
`
(
last
(
u
)). We may write
tS
for
tS(s0), the unfolding from the initial state.
Projection, subtrees and regular trees.
Given two trees
t, t0
and a proposition
p
, we write
t≡pt0
if they have same domain
τ
and for all
p0
in
AP
such that
p06
=
p
, for all
u
in
τ
, we
have
p0∈`
(
u
)if, and only if,
p0∈`0
(
u
). Given a tree
t
= (
τ, `
)and a node
u∈τ
, we deﬁne
the subtree of
t
rooted in
u
as the tree
tu
= (
τu, `0
)where
τu
=
{v∈S+:u4v}
and
`0
is
`
restricted to τu. A tree tis said regular if it is the unfolding of a ﬁnite Kripke structure.
IDeﬁnition 13.
The semantics
t, u, n 
=
ϕ
and
t, λ, n 
=
ψ
are deﬁned inductively, where
ϕ
is a
BoundQCTL∗
state formula,
ψ
is a
BoundQCTL∗
path formula,
t
= (
τ, `
)is a tree,
u
is a node,
λ
is a branch in
t
, and
n
in
N
a bound (the inductive cases for classic
CTL∗
operators can be found in Appendix A.2):
t, u, n =A≤Nψif Card({λ∈Branches(t, u) : t, λ, n 6=ψ})≤n
t, u, n =∃p ϕ if ∃t0≡ptsuch that t0, u, n =ϕ
t, u, n =∃N ϕ if ∃n0∈Nsuch that t, u, n0=ϕ,
t, λ, n =F≤Nψif ∃jsuch that 0≤j≤nand t, λ≥j, n =ψ
The value
JϕKinf
(
t
)(resp.
JϕKsup
(
t
)) of a positive (resp. negative) state formula
ϕ
on a tree
twith root ris deﬁned as
JϕKinf(t) = inf {n∈N:t, r, n =ϕ}and JϕKsup(t) = sup {n∈N:t, r, n =ϕ},
with the usual convention that
inf ∅
=
∞
and
sup ∅
= 0. In case it is not a positive or negative
formula, its value is undeﬁned. We remark that
{n∈N:t, r, n =ϕ}
is downward (resp.
upward) closed if
ϕ
is negative (resp. positive). The value of a sentence Φis always either 0
or
∞
(recall that sentences are necessarily positive formulas and
N
is always quantiﬁed),
and given a Kripke structure S, we write S = Φ if JΦKinf(tS)=0.
5.2 Regular cost functions
In this section we develop the theory of regular cost functions over trees for distance automata.
To this end we deﬁne and study the two dual models of
distance
and
distance
automata
for recognising cost functions [14], referred to as cost automata.
Let
E
be a set of structures (such as inﬁnite words or trees). We deﬁne an equivalence
relation
≈
on functions
E→N∪ {∞}
by
f≈g
if for all
X⊆E
,
f
(
X
)is bounded if, and
only if, g(X)is bounded. A cost function over Eis an equivalence class of the relation ≈.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:11
In Section 5.2.1 we deﬁne cost games whose objectives may refer to a single counter that,
in each step, can be incremented or left unchanged. In Section 5.2.2 we deﬁne automata
whose semantics are given using cost games. We introduce
distance
automata and their
duals distanceautomata that compute functions E→N∪ {∞}. In Section 5.2.3 we focus
on automata over inﬁnite words and the notion of historydeterministic automata.
The novel technical contribution of this section is an extension of the classical property
of historydeterministic automata: the original result says that given a historydeterministic
automaton over inﬁnite words, one can simulate it along every branch of a tree. This is
the key argument to handle the
A
operator in PromptSL. In Section 5.2.4 we extend this
result by allowing the automaton to skip a bounded number of paths, which will allow us to
capture the boundedoutcome operator A≤Nin BOSL.
5.2.1 Cost games
The semantics of cost automata are given by turnbased twoplayer games, which are
essentially a special case of the general notion of games given in Section 3.2. We give here a
slightly modiﬁed deﬁnition better ﬁtting the technical developments.
IDeﬁnition 14.
Agame is given by
G
= (
V, VE, VA, v0, E , c
), where
V
=
VE]VA
is a set
of vertices divided into the vertices
VE
controlled by Eve and the vertices
VA
controlled by
Adam,
v0∈V
is an initial vertex,
E⊆V×V
is a lefttotal transition relation,
c
:
V→
Ωis
a labelling function.
Aﬁnite (resp. inﬁnite)play is a ﬁnite (resp. inﬁnite) word
ρ
=
v0. . . vn
(resp.
π
=
v0v1. . .
)
such that for every
i
such that 0
≤i < ρ −
1(resp.
i≥
0), (
vi, vi+1
)
∈E
. A strategy for
Eve (resp. for Adam) is a function
σ
:
V∗·VE→V
(resp.
σ
:
V∗·VA→V
)such that for all
ﬁnite play
ρ∈V∗·VE
(resp.
ρ∈V∗·VA
), we have (
last
(
ρ
)
, σ
(
ρ
))
∈E
. Given a strategy
σ
for Eve and
σ0
for Adam, we let
Outcome
(
σ, σ0
)be the unique inﬁnite play that starts in
v0
and is consistent with σand σ0.
An objective is a set
W⊆
Ω
ω
. To make the objective explicit we speak of
W
games, which
are games with objective
W
. A strategy
σ
for Eve ensures
W⊆
Ω
ω
if for all strategy
σ0
of
Adam, the inﬁnite word obtained by applying
c
to each position of the play
Outcome
(
σ, σ0
)
is in
W
. Eve wins the
W
game
G
if there exists a strategy for her that ensures
W
. The
same notions apply to Adam. We now introduce the objectives we will be using.
Given
d∈N∗
, the parity objective
parity ⊆ {1, . . . , d}ω
is the set of inﬁnite words in
which the maximum label appearing inﬁnitely many times is even.
The distance objective uses the set of labels
{, i}
acting on a counter taking values in
the natural numbers and initialised to 0. The labels
and
i
are seen as actions on the
counter: the action
leaves the counter unchanged and
i
increments the counter by 1.
For
n∈N
, the distance objective
distance
(
n
)
⊆ {, i}ω
is the set of inﬁnite words such
that the counter is bounded by n.
The regular distance objective
ﬁninc ⊆ {, i}ω
is the set of inﬁnite words such that the
counter is incremented ﬁnitely many times.
The codistance objective uses set of labels
{, i}
, where
and
i
have the same interpret
ation as in
distance
(
n
). For
n∈N
, the objective
distance
(
n
)
⊆ {, i}ω
is the set of
inﬁnite words such that the counter eventually reaches value n.
The objectives can be combined:
parity ∩distance
(
n
)
⊆({1, . . . , d}×{, i})ω
is the
Cartesian product of the parity and the distance objective (where a pair of inﬁnite words
is assimilated with the inﬁnite word formed of the pairs of letters at same position).
CVIT 2016
23:12 Quantifying Bounds in Strategy Logic
The following result, proven in [
11
], relates
distance
and
ﬁninc
in the context of games.
ILemma 15.
Let
G
be a ﬁnite game. There exists
n∈N
such that Eve wins for
parity ∩
distance(n)iﬀ Eve wins for parity ∩ﬁninc.
5.2.2 Cost automata
We now deﬁne automata over (Σ, S)trees.
IDeﬁnition 16.
A (nondeterministic) automaton is a tuple
A
= (
Q, q0, δ, c
)where
Q
is a
ﬁnite set of states,
q0∈Q
is an initial state,
δ⊆Q×
Σ
×QS
is a transition relation, and
c:Q→Ωis a labelling function.
When an automaton is equipped with an objective
W⊆
Ω
ω
we speak of an
W
automaton.
To deﬁne the semantics of
W
automata, we deﬁne acceptance games. Given an
W
automaton
Aand a (Σ, S)tree t= (τ , `), we deﬁne the acceptance Wgame GA,t as follows.
The set of vertices is (
Q×τ
)
∪
(
Q×τ×QS
). The vertices of the form
Q×τ
are controlled
by Eve, the others by Adam.
The initial vertex is (q0, r), where ris the root of t.
The transition relation relates the vertex (
q, u
)to (
q, u, h
)if (
q, `
(
u
)
, h
)
∈δ
, and (
q, u, h
)
is related to (h(s), u ·s)for every s∈S.
The label of a vertex (q, u)is c(q), and the other vertices are not labelled.
We say that tis accepted by Aif Eve wins the acceptance Wgame GA,t.
An equivalent point of view is to say that
t
is accepted by
A
if there exists a (
Q, S
)tree
with same domain as
t
respecting the transition relation
δ
with respect to
t
, such that all
branches satisfy W.
We instantiate this deﬁnition for cost automata: the objective
parity ∩distance
gives
rise to the notion of
distance
automata. A
distance
automaton
A
computes the function
JAKdover trees deﬁned by
JAKd(t) = inf {n∈N:tis accepted by Awith objective parity ∩distance(n)},
and it recognises the ≈equivalence class of the function JAKd.
Dually, the objective
parity∩distance
(
n
)gives rise to
distance
automata. A
distance

automaton Acomputes the function JAKdover trees deﬁned by
JAKd(t) = sup n∈N:tis accepted by Awith objective parity ∩distance(n)
and recognises the ≈equivalence class of the function JAKd.
If
A
recognises the
≈
equivalence class of the function
f
:
E→
(
N∪ {∞}
)we abuse
notation and say that Arecognises the function f.
To illustrate the deﬁnition of
distance
automata, we now give an example that will be
useful later on to capture the bounded path quantiﬁer A≤N.
ILemma 17.
Let
p∈AP
. There exists a
distance
automaton recognising the function that
counts the number of paths with inﬁnitely many p’s.
Proof.
Let us say that a path is bad if it contains inﬁnitely many
p
. The
distance
automaton
Ahas four states:
q0,, whose intuitive semantics is “the tree contains one bad path”,
q0,i, meaning “the tree contains at least two bad paths”,
q1,p and q1,¬p, which mean “the tree does not contain any bad path”.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:13
All states are initial (note that this is an inconsequential abuse because we deﬁned automata
with a single initial state). We use the set of labels Ω = {2,3} × {, i}. The transitions are
as follows, where q0={q0,, q0,i}and q1={q1,p, q1,¬p}.
δ=
(q0,, a, h)if hcontains at most one q0
(q0,i, a, h)if hcontains at least two q0
(q1,¬p, a, h)if p /∈aand hcontains only q1
(q1,p, a, h)if p∈aand hcontains only q1
The labelling function is
c
(
q0,
) = (2
,
)
, c
(
q0,i
) = (2
,i
)
, c
(
q1,¬p
) = (2
,
), and
c
(
q1,p
) = (3
,
).
We claim that the following two properties hold, which implies Lemma 17.
if tcontains nbad paths, then JAKd(t)≤n−1,
if JAKd(t)≤n, then tcontains at most Card(S)nbad paths.
Assume that
t
contains
n
bad paths, we construct a run for
A
(i.e., a labelling of
t
with
states of A) as follows. A node uof the tree is labelled by:
q0, if exactly one tu·scontains a bad path for some direction s∈S,
q0,iif tu·scontain a bad path for at least two diﬀerent directions s∈S,
q1,¬pif tudoes not contain a bad path and p /∈`(u),
q1,p if tudoes not contain a bad path and p∈`(u).
This yields a valid run whose branches all satisfy the parity condition. Along a branch the
counter is incremented each time there are at least two subtrees with a bad path, which can
happen at most
n−
1times because there are
n
bad paths. Hence the maximal value of the
counter on a branch is n−1, implying that JAKd(t)≤n−1.
We show the second point by induction on
n
. If
JAKd
(
t
) = 0, then
t
contains at most
one bad path. If
JAKd
(
t
) =
n
+ 1, consider a (
Q, S
)tree representing a run of value
n
+ 1.
Because
JAKd
(
t
)
≥
1, there is at least one node labelled
q0,i
. By deﬁnition of the transition
relation, if there are two nodes on the same level labelled
q0,i
, then they must descend from
another node
q0,i
higher in the tree. Thus there is a unique node
u
labelled
q0,i
that is
closest to the root (it may be the root itself). Except for
u
’s ancestors, which are labelled
with
q0,
, all nodes outside of the subtree rooted in
u
are necessarily labelled with
q1
. The
subtrees rooted in
u
’s children have a run with value at most
n
. By induction hypothesis
each of these subtrees contains at most
Card
(
S
)
n
bad paths, so the tree rooted in
u
contains
at most
Card
(
S
)
n+1
bad paths. Since nodes labelled by
q1
cannot contain a bad path, this
means that tcontains at most Card(S)n+1 bad paths. J
The objective
parity
gives rise to parity automata. The following lemma follows from
the observation that ﬁninc is an ωregular objective.
ILemma 18.
For every automaton with objective
parity ∩ﬁninc
one can construct an
equivalent parity automaton.
5.2.3 Regular cost functions over words
The deﬁnitions of costautomata can be applied to inﬁnite words, which is the particular
case where
S
is a singleton. A central notion in the theory of regular cost functions is that of
historydeterministic automata over inﬁnite words. Informally, a nondeterministic automaton
is historydeterministic if its nondeterminism can be resolved by a function considering only
the input read so far. This notion has been introduced for studying
ω
automata in [
24
]. We
specialise it here to the case of cost functions, involving a relaxation on the values allowing
for a good interplay with the deﬁnition of equivalence for cost functions.
CVIT 2016
23:14 Quantifying Bounds in Strategy Logic
To give a formal deﬁnition we introduce the notation
Aσ
for
A
a
W
automaton and a
strategy
σ
: Σ
∗→δ
, where
δ
is the transition relation of
A
:
Aσ
is a (potentially inﬁnite) de
terministic
W
automaton (
Q×
Σ
∗,
(
q0, ε
)
, δσ, cσ
)where ((
q, w
)
, a,
(
q0, wa
))
∈δσjust if σ
(
w
) =
(
q, a, q0
)
,
and
cσ
(
q, w
) =
c
(
q
). The automaton
Aσ
is inﬁnite but deterministic, as for each
situation the strategy σchooses the transition to follow.
IDeﬁnition 19
([
14
,
17
])
.
We say that a
distance
automaton
A
over inﬁnite words is
historydeterministic if there exists a function
α
:
N→N
such that for every
n
there exists a
strategy σsuch that for all words wwe have JAKd(w)≤n=⇒JAσKd(w)≤α(n).
We now explain the usefulness of the notion of historydeterministic automata. The
situation is the following: we consider a language
L
over inﬁnite words, and we want to
construct an automaton for the language of trees “all branches are in
L
”. Given a deterministic
automaton for
L
one can easily solve this problem by constructing an automaton running
the deterministic automaton on all branches.
In the quantitative setting we consider here, we have a function
f
: Σ
ω→N∪ {∞}
instead of
L
, and we wish to construct an automaton computing the function over trees
t7→ sup {f(λ) : λ∈Branches(t)}.
Unfortunately,
distance
automata do not determinise,
so the previous approach needs to be reﬁned. The construction fails for nondeterministic
automata, because two branches may have very diﬀerent accepting runs even on their shared
preﬁx. The notion of historydeterministic automata yields a solution to this problem, as
stated in the following theorem.
ITheorem 20
([
18
])
.
Let
A
be a historydeterministic
distance
automaton over inﬁnite
words. One can construct a distanceautomaton recognising the function over trees
t7→ sup {JAKd(λ) : λ∈Branches(t)}
We present an extension of this result where the function can remove a bounded number
of paths in the computation. The proof is in Appendix A.3.
ITheorem 21.
Let
A
be a historydeterministic
distance
automaton over inﬁnite words.
One can construct a distanceautomaton recognising the function over trees
t7→ inf {max(Card(B),sup {JAKd(λ) : λ /∈B}) : B⊆Branches(t)}.
The idea is to combine Awith the automaton deﬁned in the proof of Lemma 17.
5.2.4 Regular cost functions over trees
We introduce the notion of nested automata, which is parameterised by an objective
W⊆
Ω
ω
.
Nested automata can be seen as a special form of alternating automata which will be
convenient to work with in the technical developments.
IDeﬁnition 22. Anested Wautomaton with kslaves over (Σ, S)trees is given by
amaster automaton A, which is a Wautomaton over (2k, S)trees, and
kslave automata (Ai)i∈[k], which are Wautomata over (Σ, S)trees.
The transition relation of the master is
δ⊆Q×
2
k×QS
. We describe the modus operandi
of a nested automaton informally. Let
t
be a tree and
u
a node in
t
, labelled with state
q
. To take the next transition the master automaton interrogates its slaves: the transition
(
q, v, h
)
∈δ
is allowed if for all
i∈v
, the subtree
tu
is accepted by
Ai
. The formal semantics
of nested Wautomata can be found in Appendix A.4.
The following theorem shows the equivalence between
distance
and
distance
automata
over regular trees.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:15
ITheorem 23
([
15
])
.
Let
f
be a cost function over regular trees. The fol lowing statements
are eﬀectively equivalent:
there exists a distanceautomaton recognising f,
there exists a nested distanceautomaton recognising f,
there exists a distanceautomaton recognising f,
there exists a nested distanceautomaton recognising f.
5.3 Model checking BoundQCTL∗
The modelchecking problem for BoundQCTL∗is the following decision problem: given an
instance (Φ
,S
)where Φis a sentence of
BoundQCTL∗
and
S
is a Kripke structure, return
‘Yes’ if
S 
= Φ and ‘No’ otherwise. In this section we prove that this problem is decidable by
reducing it to the emptiness problem of parity automata.
We will use the following result about distanceautomata over inﬁnite words.
ITheorem 24
([
26
,
27
])
.
For every PromptLTL formula
ψ
, we can construct a history
deterministic distanceautomaton Asuch that JAKd≈JψKinf.
ITheorem 25.
Let Φbe a sentence of
BoundQCTL∗
. We construct a nondeterministic
parity automaton
AΦ
over (Σ
, S
)trees such that for every Kripke structure
S
over the set of
states S, we have S = Φ if, and only if, AΦaccepts the unfolding tS.
Proof.
Let Φbe a sentence and
S
a ﬁnite set of states. Throughout this proof, by trees we
mean regular trees, so in particular ≈is understood over such trees.
For each subformula ϕof Φ, we construct by induction on ϕthe following automata:
1. if ϕis positive, a distanceautomaton Aϕsuch that JAϕKd≈JϕKinf,
2. if ϕis negative, a distanceautomaton Aϕsuch that JAϕKd≈JϕKsup.
We give the most interesting inductive cases, the remaining ones can be found in Appendix A.5.
ϕ=Aψ:
The idea is similar to the automata construction for branchingtime logic [
31
]:
intuitively, treat
ψ
as an LTL formula over maximal state subformulas, run a deterministic
automaton for
ψ
on all branches of the tree, and launch automata for the maximal state
subformulas of
ψ
when needed. In our case, we will construct a nested automaton to do this,
and in place of a deterministic parity automaton for
ψ
we will use a historydeterministic
distance
automaton. Finally, we will convert the nested
distance
automaton into a
distanceautomaton.
Suppose that
ϕ
is positive (the case that
ϕ
is negative is treated dually). Then also
ψ
is
positive. We will construct a nested distanceautomaton Bsuch that JBKd≈JϕKinf.
Let
ϕ1, . . . , ϕk
be the maximal state subformulas of the path formula
ψ
. We see these
formulas as atomic propositions, so that the formula
ψ
can be seen as a PromptLTL
formula on inﬁnite words over the alphabet 2
k
. Apply Theorem 24 to
ψ
to get a history
deterministic
distance
automaton
Aψ
over inﬁnite words such that
JAψKd≈JψKinf
.
Then, apply Theorem 20 to
Aψ
to get a
distance
automaton
A
such that
JAKd
(
t
) =
sup {JAψKd(λ) : λ∈Branches(t)}. The master of Bis A.
Since
ψ
is positive, the formulas
ϕ1, . . . , ϕk
are either positive or negative. By the
induction hypothesis, for every
i
, if
ϕi
is positive we construct a
distance
automaton
Ai
such that
JAiKd≈JϕiKinf
; and if
ϕi
is negative, we construct a
distance
automaton
A0
i
such that
JA0
iKd≈JϕiKsup
. In the latter case, thanks to Theorem 23 we construct a
distanceautomaton Aisuch that JAiKd≈JϕiKsup. The slaves of Bare A1,...,Ak.
This completes the construction of B, see Appendix A.5 for its correctness.
CVIT 2016
23:16 Quantifying Bounds in Strategy Logic
ϕ=A≤Nψ:
The construction is the same as for
Aψ
, except for the construction of the
master
A
, in which we replace Theorem 20 by Theorem 21 to account for the possibility
of removing a bounded number of paths.
ϕ=∃Nϕ0:
Note that
ϕ
cannot be negative. Since
ϕ
is positive, also
ϕ0
is positive. By the
induction hypothesis, there exists a
distance
automaton
Aϕ0
such that
JAϕ0Kd≈Jϕ0Kinf
.
Since ϕis a positive sentence, we have JϕKinf(t)∈ {0, ω}for every t. Now,
JϕKinf(t)=0⇐⇒ ∃n∈N,Jϕ0Kinf(t)≤n
⇐⇒ ∃n∈N,Eve wins GAϕ0,t for the objective parity ∩distance(n)
⇐⇒ Eve wins GAϕ0,t for the objective parity ∩ﬁninc
The third equivalence follows from Lemma 15. We can now apply Lemma 18 to the
parity ∩ﬁninc
automaton
Aϕ0
to get an equivalent parity automaton
Aϕ
. Then the
last item is equivalent to Eve winning the parity game
GAϕ,t
, which is equivalent to
JAϕKd(t) = 0 (since JAϕKd(t)∈ {0, ω }because Aϕhas no counter).
This completes the proof of the inductive hypothesis. Finally, since Φis a sentence,
AΦ
is a
parity automaton. Indeed, in the inductive steps, the boundedness operators introduces a
counter (if there was not one already), the
∃N
step removes the counter, and other operators
applied to arguments that do not have a counter produce automata with no counters. J
5.4 Model checking PromptSL and BOSL
The modelchecking problem for PromptSL (resp. BOSL) is the following: given a game
G
and a sentence Φof PromptSL (resp. BOSL), decide whether G = Φ.
As for
ATL∗
with strategy context [
32
] and Strategy Logic with imperfect information [
7
],
the modelchecking problems for both PromptSL and BOSL (as well as their combination)
can be easily reduced to that of
BoundQCTL∗
(see Appendix A.6). As a consequence of
these reductions and of Theorem 25, we get:
ITheorem 26. The modelchecking problem is decidable for PromptSL and BOSL.
The modelchecking procedure is nonelementary, but because PromptSL and BOSL
subsume SL we know from [
33
] that no elementary procedure exists. We leave precise
complexity analysis for future work.
6 Conclusion
We introduced two quantitative extensions of Branchingtime Strategy Logic (BSL), i.e.,
PromptSL that extends BSL with
F≤N
that limits the range of the eventuality, and BOSL
that extends BSL with
A≤N
that limits the range of the outcome quantiﬁer. We proved that
model checking both these logics is decidable. To the best of our knowledge these are the
ﬁrst quantitative extensions of SL with decidable modelchecking problem.
In order to prove our results we used notions from the theory of regular cost functions
to develop new technical insights necessary to address PromptSL and BOSL. Moreover,
as an intermediate formalism between cost automata and logics for strategic reasoning we
introduced
BoundQCTL∗
, a quantitative extension of
QCTL∗
, and proved its model checking
decidable. Using this, it is easy to see that also the extension of BSL with
∃N
and both
F≤Nand A≤Nhas a decidable modelchecking problem.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:17
References
1Shaull Almagor, Yoram Hirshfeld, and Orna Kupferman. Promptness in ωregular auto
mata. In ATVA, LNCS 6252, pages 22–36. Springer, 2010.
2Rajeev Alur, Kousha Etessami, Salvatore La Torre, and Doron Peled. Parametric temporal
logic for “model measuring”. ACM Transactions on Computational Logic, 2(3):388–407,
2001.
3Rajeev Alur, Thomas A. Henzinger, and Orna Kupferman. Alternatingtime temporal logic.
Journal of the ACM, 49(5):672–713, 2002.
4Benjamin Aminof, Aniello Murano, Sasha Rubin, and Florian Zuleger. Prompt alternating
time epistemic logics. In KR, pages 258–267. AAAI Press, 2016. URL: http://www.aaai.
org/ocs/index.php/KR/KR16/paper/view/12890.
5Mordechai BenAri, Zohar Manna, and Amir Pnueli. The temporal logic of branching time.
In POPL, pages 164–176, 1981.
6Raphaël Berthon, Bastien Maubert, and Aniello Murano. Decidability results for ATL*
with imperfect information and perfect recall. In AAMAS, 2017.
7Raphaël Berthon, Bastien Maubert, Aniello Murano, Sasha Rubin, and Moshe Y. Vardi.
Strategy logic with imperfect information. In LICS, 2017.
8Alessandro Bianco, Fabio Mogavero, and Aniello Murano. Graded computation tree logic.
ACM Transactions on Computational Logic, 13(3):25:1–25:53, 2012. URL: http://doi.
acm.org/10.1145/2287718.2287725,doi:10.1145/2287718.2287725.
9Patricia Bouyer, Patrick Gardy, and Nicolas Markey. Weighted strategy logic with boolean
goals over onecounter games. In FSTTCS 2015, pages 69–83, 2015. URL: https://doi.
org/10.4230/LIPIcs.FSTTCS.2015.69,doi:10.4230/LIPIcs.FSTTCS.2015.69.
10 Arnaud Carayol and Olivier Serre. How good is a strategy in a game with nature? In
LICS, pages 609–620. IEEE Computer Society, 2015.
11 Krishnendu Chatterjee and Nathanaël Fijalkow. Inﬁnitestate games with ﬁnitary condi
tions. In CSL, pages 181–196, 2013. URL: https://doi.org/10.4230/LIPIcs.CSL.2013.
181,doi:10.4230/LIPIcs.CSL.2013.181.
12 Krishnendu Chatterjee, Thomas A Henzinger, and Florian Horn. Finitary winning in ω
regular games. ACM Transactions on Computational Logic, 11(1):1, 2009.
13 Krishnendu Chatterjee, Thomas A. Henzinger, and Nir Piterman. Strategy Logic. Inform
ation and Computation, 208(6):677–693, 2010. URL: http://dx.doi.org/10.1016/j.ic.
2009.07.004,doi:10.1016/j.ic.2009.07.004.
14 Thomas Colcombet. The theory of stabilisation monoids and regular cost functions. In
ICALP, 2009.
15 Thomas Colcombet. Fonctions régulières de coût. Habilitation Thesis, 2013.
16 Thomas Colcombet. Regular cost functions, part I: logic and algebra over words. Logical
Methods in Computer Science, 9(3), 2013.
17 Thomas Colcombet and Nathanaël Fijalkow. The bridge between regular cost functions
and ωregular languages. In ICALP, pages 126:1–126:13, 2016. URL: https://doi.org/
10.4230/LIPIcs.ICALP.2016.126,doi:10.4230/LIPIcs.ICALP.2016.126.
18 Thomas Colcombet and Christof Löding. Regular cost functions over ﬁnite trees. In LICS,
pages 70–79, 2010. URL: https://doi.org/10.1109/LICS.2010.36,doi:10.1109/LICS.
2010.36.
19 E. Allen Emerson and Joseph Y. Halpern. “Sometimes” and “Not Never” revisited: On
branching versus linear time. In POPL, pages 127–140, 1983.
20 Nathanaël Fijalkow, Florian Horn, Denis Kuperberg, and Michał Skrzypczak. Trading
bounds for memory in games with counters. In ICALP, pages 197–208, 2015. URL: https:
//doi.org/10.1007/9783662476666_16,doi:10.1007/978366247666 6_16.
CVIT 2016
23:18 Quantifying Bounds in Strategy Logic
21 Nathanaël Fijalkow and Martin Zimmermann. CostParity and CostStreet Games. In
FSTTCS, volume LIPIcs 18, pages 124–135, 2012.
22 Nathanaël Fijalkow and Martin Zimmermann. Parity and Streett games with costs. Logical
Methods in Computer Science, 10(2), 2014. URL: https://doi.org/10.2168/LMCS10(2:
14)2014,doi:10.2168/LMCS10(2:14)2014.
23 Patrick Gardy. Semantics of Strategy Logic. Thèse de doctorat, Laboratoire Spéciﬁcation
et Vériﬁcation, ENS Cachan, France, June 2017. URL: https://tel.archives ouvertes.
fr/tel01561802.
24 Thomas A. Henzinger and Nir Piterman. Solving games without determinization. In CSL,
pages 395–410, 2006.
25 Sophia Knight and Bastien Maubert. Dealing with imperfect information in strategy logic.
In SR, 2015.
26 Denis Kuperberg. Linear temporal logic for regular cost functions. Logical Methods in
Computer Science, 10(1), 2014.
27 Denis Kuperberg and Michael Vanden Boom. On the expressive power of cost logics over
inﬁnite words. In ICALP, pages 287–298, 2012.
28 O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi. Open systems in
reactive environments: Control and synthesis. In CONCUR, LNCS 1877, pages 92–107.
Springer, 2000.
29 Orna Kupferman, Giuseppe Perelli, and Moshe Y. Vardi. Synthesis with rational en
vironments. Annals of Mathematics and Artiﬁcial Intelligence, 78(1):3–20, 2016. URL:
https://doi.org/10.1007/s1047201695088,doi:10.1007/s1047201695088.
30 Orna Kupferman, Nir Piterman, and Moshe Y Vardi. From liveness to promptness. Formal
Methods in System Design, 34(2):83–103, 2009.
31 Orna Kupferman, Moshe Y. Vardi, and Pierre Wolper. An automatatheoretic approach
to branchingtime model checking. Journal of the ACM, 47(2):312–360, 2000. URL: http:
//doi.acm.org/10.1145/333979.333987,doi:10.1145/333979.333987.
32 François Laroussinie and Nicolas Markey. Augmenting ATL with strategy contexts. In
formation and Computation, 245:98–123, 2015.
33 Fabio Mogavero, Aniello Murano, Giuseppe Perelli, and Moshe Y. Vardi. Reasoning
about strategies: On the modelchecking problem. ACM Transactions on Computa
tional Logic, 15(4):34:1–34:47, 2014. URL: http://doi.acm.org/10.1145/2631917,doi:
10.1145/2631917.
34 Fabio Mogavero, Aniello Murano, and Loredana Sorrentino. On promptness in parity games.
Fundamenta Informaticae, 139(3):277–305, 2015.
35 Amir Pnueli. The temporal logic of programs. In FOCS, pages 46–57, 1977.
36 Amir Pnueli and Roni Rosner. On the synthesis of a reactive module. In POPL, pages
179–190, 1989.
37 Martin Zimmermann. Optimal bounds in parametric LTL games. Theoretical Computer
Science, 493:30–45, 2013. URL: http://dx.doi.org/10.1016/j.tcs.2012.07.039,doi:
10.1016/j.tcs.2012.07.039.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:19
A Appendix
A.1 BOSL semantics
IDeﬁnition 4.
The semantics is deﬁned inductively as follows, where
ϕ
(resp.
ψ
) is a
costSL state (resp. path) formula,
G
is a game,
χ
is an assignment variablecomplete for
ϕ
(resp.
ψ
),
ρ
is a ﬁnite play,
π
an inﬁnite one,
i∈N
is a point in time and
n∈N
is a bound.
G, χ, ρ, n =pif p∈`(last(ρ))
G, χ, ρ, n =¬ϕif G, χ, ρ, n 6=ϕ
G, χ, ρ, n =ϕ∨ϕ0if G, χ, ρ, n =ϕor G, χ, ρ, n =ϕ0
G, χ, ρ, n =∃sϕ if there exists σ∈Strat s.t. G, χ[s7→ σ], ρ, n =ϕ
G, χ, ρ, n = (a, s)ϕif G, χ[a7→ χ(s)], ρ, n =ϕ
G, χ, ρ, n = (a, ?)ϕif G, χ[a7→?], ρ, n =ϕ
G, χ, ρ, n =Aψif for all π∈Out(χ, ρ),G, χ, π, ρ − 1=ϕ
G, χ, ρ, n =A≤Nψif {π∈Out(ρ, χ) G, χ, π, ρ − 1, n 6=ψ} ≤ n
G, χ, ρ, n =∃N ϕ if there exists n0∈Nsuch that G, χ, ρ, n0=ϕ
G, χ, π, i, n =ϕif G, χ, π≤i=ϕ
G, χ, π, i, n =¬ψif G, χ, π , i, n 6=ψ
G, χ, π, i, n =ψ∨ψ0if G, χ, π , i, n =ψor G, χ, π, i, n =ψ0
G, χ, π, i, n =Xψif G, χ, π , i + 1, n =ψ
G, χ, π, i, n =ψUψ0if ∃j≥is.t. G, χ, π , j =ψ0
and ∀ks.t. i≤k < j, G, χ, π, k =ψ
A.2 BoundQCTL∗semantics
Given two trees
t, t0
and an atomic proposition
p
, we write
t≡pt0
if they have the same
domain
τ
and for all
p0
in
AP
such that
p06
=
p
, for all
u
in
τ
, we have
p0∈`
(
u
)iﬀ
p0∈`0
(
u
);
IDeﬁnition 7.
The semantics
t, u, n 
=
ϕ
and
t, λ, n 
=
ψ
are deﬁned inductively, where
ϕ
is a
BoundQCTL∗
state formula,
ψ
is a
BoundQCTL∗
path formula,
t
= (
τ, `
)is a tree,
u
is a node, λis a branch in t, and nin Na bound:
t, u, n =pif p∈`(u)
t, u, n =¬ϕif t, u, n 6=ϕ
t, u, n =ϕ∨ϕ0if t, u, n =ϕor t, u, n =ϕ0
t, u, n =Aψif ∀λ∈Branches(t, u)we have t, λ, n =ψ
t, u, n =A≤Nψif Card({λ∈Branches(t, u) : t, λ, n 6=ψ})≤n
t, u, n =∃p ϕ if ∃t0≡ptsuch that t0, u, n =ϕ
t, u, n =∃N ϕ if ∃n0∈Nsuch that t, u, n0=ϕ,
t, λ, n =ϕif t, λ0, n =ϕ
t, λ, n =¬ψif t, λ, n 6=ψ
t, λ, n =ψ∨ψ0if t, λ, n =ψor t, λ, n =ψ0
t, λ, n =Xψif t, λ≥1, n =ψ
t, λ, n =ψUψ0if ∃j≥0such that t, λ≥j, n =ψ0
and ∀ksuch that 0≤k < j, t, λ≥k, n =ψ
t, λ, n =F≤Nψif ∃jsuch that 0≤j≤nand t, λ≥j, n =ψ
CVIT 2016
23:20 Quantifying Bounds in Strategy Logic
A.3 Proof of Theorem 21
ITheorem 21.
Let
A
be a historydeterministic
distance
automaton over inﬁnite words.
One can construct a distanceautomaton recognising the function over trees
f:t7→ inf {max(n, sup {JAKd(λ) : λ /∈B}) : n∈N, B ⊆Branches(t),Card(B)≤n}.
To prove Theorem 21 we combine
A
with the automaton deﬁned in the proof of Lemma 17.
Proof.
We write
A
= (
Q, q0, δ, c
)for the historydeterministic
distance
automaton over
inﬁnite words, and let us say that the set of labels is {1, . . . , d}×{, i}with deven.
We construct a
distance
automaton
B
for
f
as follows. The set of states is
Q×
{p0,, p0,i, p1}
, where the semantics of
p0,
and
p0,i
is “some path will be skipped” and
p1
means “no path will be skipped”. The initial state is (
q0, p0,
). The ﬁrst component simulates
the automaton Aon all branches, while the second acts as follows, with p0={p0,, p0,i}.
δ=
(p0,, a, h)if hcontains at most one p0
(p0,i, a, h)if hcontains at least two p0
(p1, a, h)if hcontains only p1
The labelling function c0is
c0(q, p0, ) = (d, a)where c(q)=(o, a)
c0(q, p0,i)=(d, i)where c(q)=(o, a)
c0(q, p1) = c(q)
The proof of correctness is the same as for Lemma 17, substantiating the following claims:
if f(t)≤n, then JBKd(t)≤n,
if JBKd(t)≤n, then f(t)≤Card(S)n.
J
A.4 Semantics of nested Wautomata
IDeﬁnition 22. Anested Wautomaton with kslaves over (Σ, S)trees is given by
amaster automaton A, which is a Wautomaton over (2k, S)trees, and
kslave automata (Ai)i∈[k], which are Wautomata over (Σ, S)trees.
The transition relation of the master is
δ⊆Q×
2
k×QS
. We describe the modus operandi
of a nested automaton informally. Let
t
be a tree and
u
a node in
t
, labelled with state
q
. To take the next transition the master automaton interrogates its slaves: the transition
(q, v, h)∈δis allowed if for all i∈v, the subtree tuis accepted by Ai.
To deﬁne the semantics of nested
W
automata, we deﬁne the corresponding acceptance
games. Given a nested
W
automaton
B
= (
A,
(
Ai
)
i∈[k]
)and a tree
t
, we deﬁne the acceptance
Wgame GB,t as follows. Let A= (Q, q0, δ, c).
The set of vertices is (
Q×t
)
∪
(
Q×t×QS
). The vertices of the form (
q, u
)are controlled
by Eve, those of the form (q, u, h)by Adam.
The initial vertex is (q0, r), where ris the root of t.
The transition relation Eis deﬁned as follows
((q, u)E(q, u, h)if (q , `(u), h)∈δand ∀i∈v, tuis accepted by Ai,
(q, u, h)E(h(s), u ·s)..
The labelling function maps (q, u)to c(q), the other vertices are not labelled.
We say that tis accepted by Bif Eve wins the acceptance Wgame GB,t.
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:21
A.5 Proof of Theorem 25
ITheorem 25.
Let Φbe a sentence of
BoundQCTL∗
. We construct a nondeterministic
parity automaton
AΦ
over (Σ
, S
)trees such that for every Kripke structure
S
over the set of
states S, we have S = Φ if, and only if, AΦaccepts the unfolding tS.
Proof.
Let Φbe a sentence and
S
a ﬁnite set of states. Throughout this proof, by trees we
mean regular trees, so in particular ≈is understood over such trees.
For each subformula ϕof Φ, we construct by induction on ϕthe following automata:
1. if ϕis positive, a distanceautomaton Aϕsuch that JAϕKd≈JϕKinf,
2. if ϕis negative, a distanceautomaton Aϕsuch that JAϕKd≈JϕKsup.
Here are the constructions or proofs of correctness not present in the body of the paper.
ϕ=p:
The formula
ϕ
is both positive and negative. Seeing it a positive formula, we deﬁne a
distanceautomaton Apwith one state q0and transition function deﬁned as follows:
δ(q0, a) = (>if p∈a
⊥otherwise.
Seeing
ϕ
as a negative formula, we deﬁne a
distance
automaton
Ap
in exactly the same
way.
ϕ=¬ϕ0:
If ϕis negative, then ϕ0is positive. By deﬁnition,
JϕKsup(t) = sup {n∈N:t, r, n =ϕ}= inf {n∈N:t, r, n =ϕ0} − 1 = Jϕ0Kinf (t)−1.
In particular,
JϕKsup ≈Jϕ0Kinf
. By induction hypothesis, there exists a
distance

automaton
Aϕ0
such that
JAϕ0Kd≈Jϕ0Kinf
. Thanks to Theorem 23, there exists a
distanceautomaton Aϕsuch that JAϕKd≈JAϕ0Kd. It follows that JAϕKd≈JϕKsup.
If
ϕ
is positive, then
ϕ0
is negative, and a similar reasoning applies, using Theorem 23 to
turn a distanceautomaton into an equivalent distanceautomaton.
ϕ=ϕ1∨ϕ2:
If
ϕ
is positive, then both
ϕ1
and
ϕ2
are positive. By induction hypothesis, there exist
two
distance
automata
Aϕ1
and
Aϕ2
such that
JAϕ1Kd≈Jϕ1Kinf
and
JAϕ2Kd≈Jϕ2Kinf
.
We construct
Aϕ
by taking the disjoint union of
Aϕ1
and
Aϕ2
and adding a new initial
state that nondeterministically chooses which of
Aϕ1
or
Aϕ2
to execute on the input tree,
so that JAϕKd= min {JAϕ1Kd,JAϕ2Kd} ≈ min {Jϕ1Kinf,Jϕ2Kinf }=JϕKinf.
If
ϕ
is negative, both
ϕ1
and
ϕ2
are negative. The same construction yields an automaton
Aϕsuch that JAϕKd= max JAϕ1Kd,JAϕ2Kd≈max {Jϕ1Ksup ,Jϕ2Ksup}=JϕKsup .
ϕ=Aψ:
The idea is similar to the automata construction for branchingtime logic [
31
]:
intuitively, treat
ψ
as an LTL formula over maximal state subformulas, run a deterministic
automaton for
ψ
on all branches of the tree, and launch automata for the maximal state
subformulas of
ψ
when needed. In our case, we will construct a nested automaton to do this,
and in place of a deterministic parity automaton for
ψ
we will use a historydeterministic
distance
automaton. Finally, we will convert the nested
distance
automaton into a
distanceautomaton.
So, suppose that
ϕ
is positive (the case that
ϕ
is negative is treated dually). Then also
ψ
is positive. We will construct a nested distanceautomaton Bsuch that JBKd≈JϕKinf.
Let
ϕ1, . . . , ϕk
be the maximal state subformulas of the path formula
ψ
. We see these
formulas as atomic propositions, so that the formula
ψ
can be seen as a PromptLTL
CVIT 2016
23:22 Quantifying Bounds in Strategy Logic
formula on inﬁnite words over the alphabet 2
k
. Apply Theorem 24 to
ψ
to get a history
deterministic
distance
automaton
Aψ
over inﬁnite words such that
JAψKd≈JψKinf
.
Then, apply Theorem 20 to
Aψ
to get a
distance
automaton
A
such that
JAKd
(
t
) =
sup {JAψKd(λ) : λ∈Branches(t)}. The master of Bis A.
Since
ψ
is positive, the formulas
ϕ1, . . . , ϕk
are either positive or negative. By the
induction hypothesis, for every
i
, if
ϕi
is positive we construct a
distance
automaton
Ai
such that
JAiKd≈JϕiKinf
; and if
ϕi
is negative, we construct a
distance
automaton
A0
i
such that
JA0
iKd≈JϕiKsup
. In the latter case, thanks to Theorem 23 we construct a
distanceautomaton Aisuch that JAiKd≈JϕiKsup. The slaves of Bare A1,...,Ak.
This completes the construction of
B
. We now prove that
JBKd≈JϕKinf
. For the sake of
simplicity, we assume that
JAψKd
=
JψKd
and
JAiKd
=
JϕiK
for every
i
, i.e. we replace
≈
by equality. This simpliﬁcation does not aﬀect the arguments and makes the proof easier
to read.
We prove that
JϕKinf ≤JBKd
. It is suﬃcient to show that
JBKd
(
t
)
≤n
implies
JϕKinf
(
t
)
≤n
. A run of
B
on
t
witnessing that
JBKd
(
t
)
≤n
yields for each branch
λ
a run of
Aψ
such that
JAψKd
(
λ
)
≤n
. The slave automata diligently check that the
atomic propositions
ϕ1, . . . , ϕk
have been correctly used, so indeed
t, λ, n 
=
ψ
, thus
JϕKinf(t)≤n.
We prove that
JBKd≤JϕKinf
. It is suﬃcient to show that
JϕKinf
(
t
)
≤n
implies
JBKd
(
t
)
≤n
. By the semantics of
ϕ
for all branches
λ
of
t
we have
t, λ, n 
=
ψ
. This
yields a run of Bon twitnessing that JBKd(t)≤n.
Finally, applying Theorem 23 to the nested
distance
automaton
B
we get a
distance

automaton Aϕsuch that JAϕKd≈JBKd.
ϕ=∃pϕ0:
If ϕis positive, then ϕ0is positive. In this case unravelling the deﬁnitions we have
JϕKinf(t) = inf {Jϕ0Kinf(t0) : t0≡pt}.
By the induction hypothesis, there exists a
distance
automaton
Aϕ0
such that
JAϕ0Kd≈
Jϕ0Kinf
. We obtain a
distance
automaton
Aϕ
by performing the usual projection oper
ation. Everything remains the same, but the transition relation: (
q, a, h
)is in the new
transition relation if there exists
a0
such that
a0≡pa
and (
q, a0, h
)is in
δ
, where
a0≡pa
if for all p0in AP such that p06=p, we have p0∈a0if, and only if, p∈a.
If
ϕ
is negative, then
ϕ0
is negative. The same reasoning and construction applies in this
case, with
JϕKsup(t) = sup {Jϕ0Ksup(t0) : t0≡pt}.
This completes the proof of the inductive hypothesis. Finally, since Φis a sentence,
AΦ
is a
parity automaton. Indeed, in the inductive steps, the boundedness operators introduces a
counter (if there was not one already), the
∃N
step removes the counter, and every other
operator applied to arguments that do not have a counter produces an automaton with no
counters. J
A.6 Reductions for PromptSL and BOSL
Models transformation.
We ﬁrst deﬁne for every game
G
a Kripke structure
SG
and a
bijection
ρ7→ uρ
between the set of ﬁnite plays starting in the initial vertex and the set of
nodes in
tSG
. We consider propositions
APv
=
{pvv∈V}
, that we assume to be disjoint
from AP. Deﬁne the Kripke structure SG= (S, R, s0, `0)where
N. Fijalkow, B. Maubert, N. Murano and S. Rubin 23:23
S={svv∈V},
R={(sv, sv0) ∃c∈ActAg s.t. ∆(v, c) = v0} ⊆ S2,
s0=sv0, and
`0(sv) = `(v)∪ {pv} ⊆ AP ∪APv.
For every ﬁnite play
ρ
=
v0. . . vk
, deﬁne the node
uρ
=
sv0. . . svk
in
tSG
(which exists, by
deﬁnition of
SG
and of tree unfoldings). Note that the mapping
ρ7→ uρ
deﬁnes a bijection
between the set of paths from v0and the set of nodes in tSG.
Formulas translation.
Given a game
G
and a formula
ϕ
of PromptSL or BOSL, we deﬁne
a
BoundQCTL∗
formula (
ϕ
)such that
G 
=
ϕ
if and only if
SG
= (
ϕ
). More precisely, this
translation is parameterised with a partial function
f
:
Ag *Var
which records bindings of
agents to strategy variables. Suppose that
Act
=
{c1, . . . , cl}
. We deﬁne the two functions
(·)f
sand (·)f
pby mutual induction on, respectively, state formulas ϕand path formulas ψ.
Here is the deﬁnition of (·)f
sfor state formulas:
(p)f
s=p(¬ϕ)f
s=¬(ϕ)f
s
(ϕ1∨ϕ2)f
s= (ϕ1)f
s∨(ϕ2)f
s(∃Nϕ)f
s=∃N(ϕ)f
s
((a, s)ϕ)f
s= (ϕ)f[a7→s]
s((a, ?)ϕ)f
s= (ϕ)f[a7→?]
s
(∃sϕ)f
s=∃ps
c1. . . ∃ps
cl.ϕstr(s)∧(ϕ)f
s,where ϕstr(s) = AG _
c∈Act
(ps
c∧^
c06=c
¬ps
c0)
(Aψ)f
s=A(ψout(f)→(ψ)f
p) (A≤Nψ)f
s=A≤N(ψout(f)→(ψ)f
p)
where
ψout(f) = G^
v∈V
pv→_
c∈ActAg
^
a∈dom(f)
pf(a)
ca∧Xp∆(v,c)
,
and for path formulas:
(ϕ)f
p= (ϕ)f
s(¬ψ)f
p=¬(ψ)f
p
(ϕ1∨ϕ2)f
p= (ϕ1)f
p∨(ϕ2)f
p(Xψ)f
p=X(ψ)f
p
(ψUψ0)f
p= (ψ)f
pU(ψ0)f
p(F≤Nψ)f
p=F≤N(ψ)f
p
One can prove the following lemma, where
ϕ
is either a PromptSL or a BOSL formula.
The translation is essentially the same as in [
32
] and [
7
], and the cases for the new operators
should be clear from their semantics.
ILemma 26.
Suppose that
dom
(
f
) =
dom
(
χ
)
∩Ag
and for all
a∈dom
(
f
),
f
(
a
) =
x
implies
χ(a) = χ(x). Then
G, χ, ρ, n =ϕif and only if tSG, uρ, n = (ϕ)f.
Applying this to a sentence Φ, any assignment
χ
, the initial vertex
v0
of
G
, any bound
n
and the empty function ∅, we get that
G =ϕif and only if tSG= (ϕ)∅.
CVIT 2016