From logic to games Igor Walukiewicz CNRS, Bordeaux . p.1/ ?? The - PowerPoint PPT Presentation

Propositional logic (model checking) P | ¬ P | ϕ ∨ ψ | ϕ ∧ ψ Valuation: V : Prop → { 0 , 1 } Model checking rules Eve Adam V � ϕ ∨ ψ V � ϕ ∧ ψ chooses chooses V � ϕ V � ψ V � ϕ V � ψ V � P Eve wins if V ( P ) = 1 . V � ¬ P Eve wins if V ( P ) = 0 . Eve has a winning strategy from V � ϕ iff ϕ is true in V . . – p.24/ ??

Example V ≡ ( P = 0 , Q = 1) V � P ∨ ( ¬ P ∧ Q ) V � ¬ P ∧ Q V � P V � Q V � ¬ P . – p.25/ ??

Model-checking We are given a transition system M and a formula α 0 . Model checking rules s � α ∨ β s � α ∧ β s � � a � α s � [ a ] α s � β s � β s � α s � α t � α t � α ( s, t ) ∈ E a Eve wins if s ∈ P M ; Eve wins if s �∈ P M . s � P s � ¬ P s � µX.α ( X ) s � νX.α ( X ) s � α ( µX.α ( X )) s � α ( νX.α ( X )) The last two rules may be a source of infinite plays. . – p.26/ ??

Plan Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games. . – p.27/ ??

Path forming games G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � c b a a c b . – p.28/ ??

Path forming games G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � c b a a c b . – p.28/ ??

Path forming games G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � c b a a c b . – p.28/ ??

Path forming games G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � c b a a c b . – p.28/ ??

Path forming games G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � c b a a c b . – p.28/ ??

Path forming games G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � c b a a c b Eve wins if the labeling of the path is in Acc . (There is an edge from every node.) V � P ∨ ( ¬ P ∧ Q ) V � ¬ P ∧ Q V � P V � Q V � ¬ P . – p.28/ ??

Winning conditions 3 2 0 2 1 3 G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � Inf( � v ) : the set of colours appearing infinitely often on a path � v . Muller condition: given by a partition of P ( C ) into ( F E , F A ) . � v ∈ Acc iff { � v : Inf( � v ) ∈ F E } Parity condition is given by a function Ω : V → { 0 , . . . , d } . � v ∈ Acc min(Inf Ω ( � v )) is even. iff . – p.29/ ??

Model-checking We are given a transition system M and a formula α 0 . Model checking rules s � α ∨ β s � α ∧ β s � � a � α s � [ a ] α s � β s � β s � α s � α t � α t � α ( s, t ) ∈ E a Eve wins if s ∈ P M ; Eve wins if s �∈ P M . s � P s � ¬ P s � µX.α ( X ) s � νX.α ( X ) s � α ( µX.α ( X )) s � α ( νX.α ( X )) The last two rules may be a source of infinite plays. . – p.30/ ??

Infinite plays s a s � µX. � a � X s � νX. � a � X s � � a � µX. � a � X s � � a � ( νX. � a � X ) s � µX. � a � X s � νX. � a � X . . . . . . Eve should win in the second game but not in the first. . – p.31/ ??

Approximations τ ∈ Ord µ τ X.β ( X ) µX.β ( X ) = � M [ µ 0 X.β ( X )] [ ] Val = ∅ ] M [ µ τ +1 X.β ( X )] [ ] =[ [ β ( X )] ] M [ µ τ X.β ( X )] Val [[ Val /X ] M � [ µ τ ′ X.β ( X )] ] M [ µ τ X.β ( X )] [ Val = [ ] if τ is a limit ordinal Val τ ′ <τ τ ∈ Ord ν τ X.β ( X ) νX.β ( X ) = � M [ ν 0 X.β ( X )] [ ] Val = V ] M [ ν τ +1 X.β ( X )] [ ] =[ [ β ( X )] ] M [ ν τ X.β ( X )] Val [[ Val /X ] M � [ ν τ ′ X.β ( X )] ] M [ ν τ X.β ( X )] [ Val = [ ] if τ is a limit ordinal Val τ ′ <τ . – p.32/ ??

Infinite plays s a s � µ τ X. � a � X s � ν τ X. � a � X s � � a � ( µ τ − 1 X. � a � X ) s � � a � ( ν τ X. � a � X ) s � ν τ X. � a � X s � µ τ − 1 X. � a � X . . . . . . Eve should win in the second game but not in the first. . – p.33/ ??

Infinite plays s a s � 3 µ τ X. � a � X s � 3 ν τ X. � a � X s � 1 � a � ( µ τ − 1 X. � a � X ) s � 2 � a � ( ν τ X. � a � X ) s � 3 ν τ X. � a � X s � 3 µ τ − 1 X. � a � X . . . . . . Eve should win in the second game but not in the first. Assign rank 1 to µ -regeneration and rank 2 to ν -regeneration. . – p.33/ ??

Defining winning conditions µX 1 . νX 2 . µX 3 . νX 4 . . . ϕ ( X 1 , X 2 , . . . ) 4 · · · 1 2 3 µ ’s have odd ranks, ν ’s have even ranks, if β is a subformula of α then β has bigger rank than α . . – p.34/ ??

Tableau Model checking rules s � α ∨ β s � α ∧ β s � � a � α s � [ a ] α s � β s � β s � α s � α t � α t � α ( s, t ) ∈ E a s � µX.α ( X ) s � νX.α ( X ) s � α ( µX.α ( X )) s � α ( νX.α ( X )) Eve wins if s ∈ P M ; Eve wins if s �∈ P M . s � ¬ P s � P . – p.35/ ??

Tableau Tableaux rules α ∨ β α ∧ β � a � α [ a ] α a a ϕ α β ψ α α µX.α ( X ) νX.α ( X ) α ( µX.α ( X )) α ( νX.α ( X )) These rules define a tableau T α for a formula α . Operation M ⊗ T α of “synchronized product” of a transition system and a tableau that gives the MC game. Obs: M , s 0 � α iff Eve wins from ( s 0 , α ) in M ⊗ T α . . – p.36/ ??

Example νY.µX. ( P ∧ � a � Y ) ∨ � b � X β 2 a s Y b a β 3 X M P ∧ � a � Y � b � X � a � Y P T β Y . – p.37/ ??

Example νY.µX. ( P ∧ � a � Y ) ∨ � b � X s � β 2 a s Y a s � β 3 X M s � P ∧ � b � Y s � � b � X s � � a � Y s � P M ⊗ T β Y . – p.38/ ??

From MC to games Given a structure M and a formula α we construct the game G ( M , α ) such that: M , s � α Eve wins from ( s � α ) in G ( M , α ) iff The winning condition in G ( M , α ) is a parity condition which size is the depth of alternation of fixpoints in α . One can define a tableau T α and a synchronized product M ⊗ T a so that G ( M , α ) = M ⊗ T α . In particular the size of |M| ⊗ |T α | is |M| · | α | . This works also for infinite transition systems. . – p.39/ ??

From games to MC A game can be represented as a transition system where propositions P E designates Eve’s positions, propostions P 0 , . . . , P d define Ω : V → { 0 , . . . , d } . Thm [Emerson & Jutla]: There is a formula of the mu-calculus ε d such that M G , v � ε d Eve wins from v in G . iff γ ( Z 0 , . . . , Z d ) = � � � � � � P E ∧ ( P i ⇒ �·� Z i ) ∨ ¬ P E ∧ ( P i ⇒ [ ] Z i ) i =0 ,...,d i =0 ,...,d ε d = νZ 0 .µZ 1 . . . . σZ d . γ ( Z 0 , . . . , Z d ) . – p.40/ ??

In summary Parity games and model-checking for the mu-calculus are very close to each other (inter-reducible in linear time). The tableau construction gives an alternating automaton accepting models of the formula. The M ⊗ T α operation defines the space of runs of the automaton T α on the structure M . As T α accepts all models of α the satisfiabiality problem reduces to the emptiness test of T α . Indeed the satisfiability game is obtained from converting T α into a nondeterministic automaton. Because of this translation it is enough to consider the games solving problem instead of MC problem. . – p.41/ ??

Plan Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games. . – p.42/ ??

Open problem: Solving parity games Given a finite parity game G = � V E , V a , R, Ω : ( V E ∪ V a ) → N � decide if Eve has a winning strategy from a given position. This problem is in NP and its complement is also in NP . We do not know if the problem is in P TIME . This is one of the very few problems that have this status . – p.43/ ??

Strategies G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � Strategy for Eve is σ : V ∗ × V E → V such that σ ( � vv E ) ∈ R ( v E ) A strategy σ for Eve is winning from v if all plays from v respecting the strategy are winning for Eve. 3 2 0 2 1 3 Positional/memoryless strategy for Eve is a function σ : V E → V such that σ ( v ) ∈ R ( v ) . . – p.44/ ??

Strategy with memory: example a c b Muller condition: F E = {{ a, b, c }} . (Both a and b appear infinitely often.) Eve has a winning strategy in this game but no positional winning strategy. . – p.45/ ??

Basic results Thm [Martin]: Every game with a Muller winning condition is determined, i.e., from every vertex one of the players has a winning strategy. Thm [Mostowski, Emerson & Jutla]: In a parity game a player has a memoryless winning strategy from each of his winning vertices. Def: To solve a game is to determine for each position who has a winning strategy from this position. Fact : There is an algorithm for solving finite Muller games. . – p.46/ ??

A funny game a 1 b 2 • c 3 4 d The biggest number seen infinitely often = the number of letters seen infinitely often. Examples: a 1 a 1 a 1 . . . , a 1 c 1 c 1 c 1 . . . , a 1 c 2 a 1 c 1 a 2 c 2 . . . . Eve has a winning strategy with finite memory in this game. . – p.47/ ??

LAR example a 1 b 2 • c 3 4 d → 1 a b c d . – p.48/ ??

LAR example a 1 b 2 • c 3 4 d → 1 a b c d b . – p.48/ ??

LAR example a 1 b 2 • c 3 4 d → 1 a b c d b → 3 a c d b . – p.48/ ??

LAR example a 1 b 2 • c 3 4 d → 1 a b c d b a c d b → 3 d . – p.48/ ??

LAR example a 1 b 2 • c 3 a b c d → 1 4 d b → 3 a c d b d → 2 a c b d . – p.48/ ??

LAR example a 1 b 2 • c 3 → 1 a b c d 4 d b → 3 a c d b d → 2 a c b d a . – p.48/ ??

LAR example a 1 b 2 • c 3 → 1 a b c d b 4 d → 3 a c d b d → 2 a c b d a → 4 c b d a . – p.48/ ??

LAR example a 1 b 2 • c 3 → 1 a b c d b 4 d → 3 a c d b d a c b d → 2 a → 4 c b d a d . – p.48/ ??

LAR example a 1 b 2 • → 1 a b c d c 3 b a c d b → 3 4 d d → 2 a c b d a → 4 c b d a d c b a d → 2 . – p.48/ ??

LAR example a 1 b 2 • a b c d → 1 c 3 b → 3 a c d b 4 d d → 2 a c b d a → 4 c b d a d → 2 c b a d d . – p.48/ ??

LAR example a 1 b 2 → 1 • a b c d b c 3 → 3 a c d b d 4 d → 2 a c b d a → 4 c b d a d → 2 c b a d d → 1 c b a d . – p.48/ ??

LAR example a 1 b 2 → 1 a b c d • b c 3 → 3 a c d b d 4 d → 2 a c b d a c b d a → 4 d → 2 c b a d d → 1 c b a d a . – p.48/ ??

LAR example a 1 → 1 a b c d b 2 • b → 3 a c d b c 3 d a c b d → 2 4 d a → 4 c b d a d → 2 c b a d d c b a d → 1 a → 2 c b d a . – p.48/ ??

LAR example a 1 → 1 a b c d b 2 b • a c d b → 3 c 3 d → 2 a c b d 4 d a → 4 c b d a d → 2 c b a d d → 1 c b a d a c b d a → 2 d . – p.48/ ??

LAR example a 1 b 2 • a b c d → 1 c 3 b → 3 a c d b 4 d d → 2 a c b d a If from now on only a and d will appear c b d a → 4 d then we will see 2 infinitely often and → 2 c b a d never 3 or 4 . d → 1 c b a d a → 2 c b d a d → 2 c b a d . – p.48/ ??

Parity games admit memoryless strategies Thm [Mostowski, Emerson & Jutla]: In a finite parity game Eve has a memoryless strategy winning from each of her winning vertices. Proof by induction on the number of edges from Eve’s positions If each position has one outgoing edge then this is the strategy for Eve. 3 2 0 2 1 3 . – p.49/ ??

Memoryless strategies: induction step G a G G s s σ 1 Eve σ 2 Eve ρ 1 Adam ρ 2 Adam If σ 1 or σ 2 is winning in G then we can use it. Suppose not. Then Adam can win from s in G . ρ 1 ρ 2 ρ 1 ρ 2 s s s s ρ 1 ρ 1 s s max inf odd ρ 2 ρ 2 s s max inf odd . – p.50/ ??

Complexity classes A problem L ⊆ { 0 , 1 } ∗ is in P TIME iff there is a machine M and a polynomial p ( n ) such that on every input w ∈ { 0 , 1 } ∗ machine M does at most p ( | w | ) steps and answers yes/no correctly. A problem L ⊆ { 0 , 1 } ∗ is in NP iff there is a polynomial p ′ ( n ) such that for every w ∈ L there is w ′ ∈ { 0 , 1 } ∗ of size < p ′ ( | w | ) such that { w $ w ′ : w ∈ L } is in P TIME . Example: Satisfiability of a propositional formula: ( x 1 ∨ x 2 ∨ ¬ x 3 ) ∧ ( ¬ x 1 ∨ ¬ x 2 ∨ x 3 ) Guess a valuation and check. Example: Parity games Guess a memoryless strategy and check. . – p.51/ ??

Digression: Primes COMPOSITE: Is a given number a composite number. In NP : guess a decomposition. PRIMES: Is a given number a prime. In NP : Lucas-Lehmer test. Number n is a prime iff ∃ a s.t.: a n ≡ 1 (mod n ) and a x �≡ 1 (mod n ) for all x = 1 , . . . , n − 2 . In 2002 PRIMES were shown to be in P TIME [M. Agarwal, N. Saxena, N. Kayal] . – p.52/ ??

Model checking ? α � ⇓ G = � V E , V A , R, λ : V → { 0 , . . . , d }� Current algorithms work in time | G | O ( d ) where d is the size of the range of λ . The size of d is related with the nesting depth of fixpoints in α . . – p.53/ ??

Discounted pay-off games G = � V E , V A , R, w : ( V E ∪ V A ) → R � Outcome of v 0 , v 1 , . . . is (1 − δ ) � ∞ i =0 δ i w ( v i ) ; here 0 < δ < 1 is a discount factor. Value of the game in a vertex v is a number V v such that: Eve has a strategy from v to have an outcome ≥ V v , and Adam has a strategy from v to have an outcome ≤ V v . Thm [Zwick and Paterson]: For every finite discounted pay-off game the value exists in every vertex and is given as a unique solution of the set of equations: � max ( v,u ) ∈ R δx u if v ∈ V E x v = (1 − δ ) w ( v ) + if v ∈ V A min ( v,u ) ∈ R δx u . – p.54/ ??

Proof Define F : R n → R n by: � max ( i,j ) ∈ R δx j if i ∈ V E F i ( � x ) = (1 − δ ) w ( i ) + if i ∈ V A min ( i,j ) ∈ R δx j Consider the max norm || � x || = max | x i | . We have: ∀ � x, � y. ||F ( � x ) − F ( � y ) || ≤ δ || � x − � y || As 0 < δ < 1 , mapping F is contracting with respect to the z = F ( � norm. So there is the unique fixed point � z ) . It is easy to see that Eve has a strategy to be not below � z and Adam has a strategy to be not above � z . . – p.55/ ??

Mean pay-off games G = � V E , V A , R, w : ( V E ∪ V A ) → N � � n 1 Outcome for Eve of a play v 0 , v 1 , . . . is lim inf n → inf i =1 w ( v i ) . n � n 1 For Adam it is lim sup n → inf i =1 w ( v i ) . n Thm [Ehrenfeucht & Mycielski]: Every vertex has a value v such that Eve has a strategy to be not below v and Adam a strategy to be not above v . Moreover the two players have memoryless strategies to achieve this. When δ → 1 then V ZP ( v ) → V EM ( v ) . Thm [Zwick & Paterson]: δ Recall pay-off in ZP: (1 − δ ) � ∞ i =0 δ i w ( v i ) . – p.56/ ??

Relation to parity games Loop games. G = � V E , V A , R, w : ( V E ∪ V A ) → N � . Players play until a cycle is closed. The outcome is the mean of the weights on the cycle. Thm [Ehrenfeucht & Mycielski]: For all vertices V loop ( v ) = V EM ( v ) . Reduction of parity games to loop games: G = � V E , V A , R, Ω : ( V E ∪ V A ) → { 0 , . . . , d }� . Define w ( v ) = ( − n ) Ω( v ) , where n is the number of vertices. Obs: Eve has a winning strategy in a parity game with λ iff she has a strategy to obtain a positive value in the loop game with w . . – p.57/ ??

Plan Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games. . – p.58/ ??

Strategies: remainder G = � V E , V A , R, λ : V → C, Acc ⊆ C ω � Strategy for Eve is σ : V ∗ × V E → V such that σ ( � vv E ) ∈ R ( v E ) A strategy σ for Eve is winning from v if all plays from v respecting the strategy are winning for Eve. a c b Positional/memoryless strategy for Eve is a function σ : V E → V such that σ ( v ) ∈ R ( v ) . . – p.59/ ??

Conditions admitting positional strategies Memoryless strategies are interesting as: they are much easier to handle technically, the algorithms for finding them are simpler (of lower complexity), strategies are simple to describe (and use). A game is positionally determined iff both players have memoryless winning strategies from their winning positions. A winning condition admits positional determinacy iff all the games with this condition are positionally determined. Thm [McNaughton]: Parity conditions are the only Muller conditions admitting positional determinacy. . – p.60/ ??

Infinite number of colours? Colouring function is now λ : V → ω Min-parity condition: min (Inf( p )) is even or does not exist Max-parity condition: max (Inf( p )) is even or does not exist · · · · · · 2 k + 1 1 3 What if all the vertices need to be colored? . – p.61/ ??

Infinite number of colours? Colouring function is now λ : V → ω Min-parity condition: min (Inf( p )) is even or does not exist Max-parity condition: max (Inf( p )) is even or does not exist 0 · · · · · · 2 k + 1 1 3 What if all the vertices need to be colored? . – p.61/ ??

Infinite number of colours? Colouring function is now λ : V → ω Min-parity condition: min (Inf( p )) is even or does not exist Max-parity condition: max (Inf( p )) is even or does not exist n · · · · · · 2 k + 1 1 3 What if all the vertices need to be colored? . – p.61/ ??

Characterization of winning conditions Muller conditions with infinite number of colours. G = { V E , V A , E, λ : V → ω } Infinite parity condition: min(Inf( p )) is even or Inf( p ) = ∅ . Eve wins iff Thm[Graedel & W.]: Games with infinite parity condition admit memoryless determinacy. All other conditions need infinite memory. Thm[Graedel & W.]: The conditions given by λ : V → ( ω + 1) admit positional determinacy over graphs of bounded out-degree. Thm [Colcombet & Niwi´ nski]: If partial colouring functions are allowed then only finite parity conditions admit positional determinacy. . – p.62/ ??

Conclusions Formal languages are necessary for verification (if only due to the number of cases to check). The important issues are those of expessivity and complexity of a language. MSOL/bisimulation ≡ µ -calculus. Verification process can usually be reduced to the problem of solving games. ? �→ M � α finding a winner in G ( M, α ) Games with memoryless strategies are easier to work with. Classes of games admitting positional determinacy . – p.63/ ??

Modelchecking infnite graphs From pushdown to regular graphs . – p.64/ ??

Graphs of pushdown machines Pushdown machine (deterministic): � Q, Σ , Γ , q 0 ∈ Q, δ : Q × Σ × Γ → Q ×{ pop , push ( z ) : z ∈ Γ } , F ⊆ Q � . Configuration: ( q, w ) ∈ Q × Γ ∗ . Configuration graph nodes: configurations transitions: ( q, zw ) → ( q ′ , w ) if there is a ∈ Σ and δ ( q, a, z ) = ( q ′ , pop ) ( q, zw ) → ( q ′ , z ′ zw ) if there is a ∈ Σ and δ ( q, a, z ) = ( q ′ , push ( z ′ )) Rem: The input alphabet and accepting states do not play any role. Determinism is also not important. . – p.65/ ??

Rewriting rules Pushdown system: P = ( Q, Γ , ∆) ∆ ⊆ Q × Γ × Q × ( { ε } ∪ Γ 2 ) Rewrite rules: qz ֌ q ′ qz ֌ q ′ z ′ z Pushdown graph: G ( P ) Vertices: Q × Γ ∗ Edges: qw → q ′ w ′ according to the rules applied to prefixes. q 0 is always the initial state and ⊥ is the initial stack symbol. rules of the form aqb ֌ q ′ a ′ b or aqb ֌ ab ′ q ′ without TM graph: restrictions on the place of application. . – p.66/ ??

Pushdown graph: an example q 0 ⊥ q 0 a ⊥ q 0 aa ⊥ q 0 aaa ⊥ · · · q 0 a k ⊥ · · · · · · q 1 a k − 1 ⊥ · · · q 1 ⊥ q 1 a ⊥ q 1 aa ⊥ This is (a part of) the graph of the system: q 0 ⊥ ֌ q 0 a ⊥ q 1 ⊥ ֌ q 0 a ⊥ q 0 a ֌ q 0 aa q 0 a ֌ q 1 q 1 a ֌ q 1 . – p.67/ ??

Prefix-recognizable graphs Pushdown system: P = (Γ , ∆) ∆ ⊆ P ( Q ∗ ) × P ( Q ∗ ) Rewrite rules: for L and L ′ regular languages. L ֌ L ′ Prefix-recognizable graph: G ( P ) Vertices: Γ ∗ Edges: wu → w ′ u if w ∈ L and w ′ ∈ L ′ for some L ֌ L ′ . Rem: Prefix-recognizable graph of finite degree is a pushdown graph. Thm [Carayol & Wöhrle]: Prefix-recognizable graphs are ε -closures of pushdown graphs. . – p.68/ ??

Example of a prefix recognizable graph . . . . – p.69/ ??