From logic to games Igor Walukiewicz CNRS, Bordeaux . p.1/ ?? The - - PowerPoint PPT Presentation

From logic to games Igor Walukiewicz CNRS, Bordeaux

. – p.1/??

The big picture

• α

⇓

. . . . . . . . . Model Formula Game

. – p.2/??

The big picture

• α

⇓

. . . . . . . . . Model Formula Game Strategy

. – p.2/??

Plan

Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games.

. – p.3/??

Logic at the birth of Computer Science

• A. Turing, ‘‘On computable numbers, with an

application to the Entscheidungsproblem’’, Proc of London Mathematical Society, 1936 Shows that the famous “Hilbert’s Entscheidungsproblem” is algorithmically unsolvable. Proposes a precise definition of the fundamental notion of algorithm. Shows limitations of this notions. Introduces the concept of universal machine.

. – p.4/??

Beginnings of logic

Frege proposes an universal formal language in which one can express all ordinary mathematics. Problem: Cantor’s paradox Hilbert’s program. Get rid of the worries about foundations of mathematics by: simulating ordinary mathematics in a sufficiently strong formal system; showing with elementary means (“finitist methods”, which are not subject to doubt) that in this formal system a contradiction like 0 = 1 could not be derived. The second point demands a procedure which can decide if a given formula is derivable in the calculus. This was shown impossible by Turing (and Church at the same time). But the first part of Hilbert’s program was realized (ZFC).

. – p.5/??

The need of formal language

Leibniz in XVII th century formulated a far-reaching vision of characteristica universalis: It should be possible to set up a kind of alphabet of human thoughts, and to invent and to decide everything by a combination of its letters and by analysis of the words composed from them. In a sense ZFC satisfies this requirement. But it is arguably practical. In CS we want formal systems so computers can understand it. We prefer decidable systems: computer can decide if something is true. We are looking for something lighter (more specific) than ZFC.

. – p.6/??

Modeling computer systems

A computer system can be anything: processor, communication protocol, airbag controller. A simple way of modelling such a system is by labelled graphs: S, {Ra}a∈Act, where Act = {a, b, . . . } is some set of actions. a b c c

. – p.7/??

Modelling computer systems, cont.

a b c c We need a decidable formal language. Where it is possible/easy to write interesting properties. Which has relatively low complexity of verification.

. – p.8/??

Plan

Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games.

. – p.9/??

MSOL on labelled graphs

MSOL (monadic second order logic) is an extension of FOL with set quantification. Ra(x, y) | ϕ ∨ ψ | ¬ϕ | ∃x. ϕ | y ∈ X | ∃X. ϕ Models M = S, {Ra}a∈Act. Semantics: M, V ϕ: – M, V y ∈ X if V (y) ∈ V (X); – M, V ∃X.ϕ if there is S ⊆ {0, 1}∗, s.t., M, V [S/X] ϕ. Set quantification allows to express many new properties: connectivity, reachability, 3-colorability. Problem: FOL theory of graphs is undecidable.

. – p.10/??

MSOL over trees

A tree is graph where each node is reachable by a unique path from a distinguished node called the root. 1 1 1 Thm [Rabin’69]: The MSOL theory of trees is decidable. Thm [Mayer’74]: The complexity of the MSOL theory of trees is not elementary.

. – p.11/??

The µ-calculus

Formulas of the µ-calculus: tt | ff | α ∨ β | α ∧ β| aα | [a]α | X | µX.α(X) | νX.α(X) Models M = S, {Ra}a∈Act. Semantics α M

V ,

(V : Var → P(S)) tt M

V =S

ff M

V = ∅

α ∨ β M

V = α M V ∪ β M V

aα M

V ={s : ∃s′. Ra(s, s′) ∧ s′ ∈ α M V )}

a b ∈ abtt ∈ btt ∈ tt

. – p.12/??

The µ-calculus

Formulas of the µ-calculus: tt | ff | α ∨ β | α ∧ β| aα | [a]α | X | µX.α(X) | νX.α(X) Models M = S, {Ra}a∈Act. Semantics α M

V ,

(V : Var → P(S)) tt M

V =S

ff M

V = ∅

α ∨ β M

V = α M V ∪ β M V

aα M

V ={s : ∃s′. Ra(s, s′) ∧ s′ ∈ α M V )}

X M

V =V (X)

µX.α(X) M

V =

• {S′ ⊆ S : α M

V [S′/X] ⊆ S′}

. – p.12/??

The meaning of the fixpoint

In µX.α(X) variable X appears only positively in α(X). The formula α(X) defines a function: λX. α(X) M

V

: P(S) → P(S) The function is monotonic: α(B1) M

V ⊆ α(B2) M V

if B1 ⊆ B2. There are the least and the greatest fixpoints of this function: µX.α(X) V

M = {B ⊆ S : α(B) V M ⊆ B}

νX.α(X) V

M = {B ⊆ S : B ⊆ α(B) V M}

. – p.13/??

Examples

a ∈ [ [att] ] µX.aX = ∅ a ∈ νX.aX

. – p.14/??

Examples

Reachability: ·∗P ≡ µX. P ∨ ·X.

. – p.15/??

Examples

Reachability: ·∗P ≡ µX. P ∨ ·X. s0 s1 s2 α ≡µX.P ∨ ·X

. – p.15/??

Examples

Reachability: ·∗P ≡ µX. P ∨ ·X. s0 s1 s2 α ≡µX.P ∨ ·X P∨·α

. – p.15/??

Examples

Reachability: ·∗P ≡ µX. P ∨ ·X. s0 s1 s2 α ≡µX.P ∨ ·X P∨·α α P∨·α

. – p.15/??

Examples

Reachability: ·∗P ≡ µX. P ∨ ·X. s0 s1 s2 α ≡µX.P ∨ ·X P∨·α α P∨·α α P∨·α

. – p.15/??

More examples

Reachability: ·∗P ≡ µX. P ∨ ·X. Existential until: ∃(QUP) ≡ µX. P ∨ (Q ∧ ·X). Universal until: ∀(QUP) ≡ µX. P ∨ (Q ∧ [ ]X). Alternating reachability µX. P ∨ (Q∃ ∧ ·X) ∨ (Q∀ ∧ [ ]X) ∃ ∀ ∃

P

∀

P

∀ ∃ ∀

. – p.16/??

Examples (µ vs. ν)

µX. P ∨ ·X holds in s whenever from s one can reach a state where P holds. s0 s1 s2 α ≡µX.P ∨ ·X P∨·α α P∨·α α P∨·α

. – p.17/??

Examples (µ vs. ν)

µX. P ∨ ·X holds in s whenever from s one can reach a state where P holds. s0 s1 s2 α ≡µX.P ∨ ·X P∨·α α P∨·α α P∨·α νX. P ∨ ·X holds in s also if there is an infinite path from s. s0 s1 s2 α ≡νX.P ∨ ·X P∨·α α P∨·α α P∨·α

. – p.17/??

Examples (alternating fixpoints)

Almost always P on some path µY.νX. (P ∧ ·X) ∨ ·Y Infinitely often P on some path νX.µY. (P ∧ ·X) ∨ ·Y

. – p.18/??

Plan

Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games.

. – p.19/??

Comparing MSOL and the µ-calculus

We can compare the two formalisms for defining graph properties. A µ-calculus sentence α defines a property: class of pairs (M, s) such that s ∈ α M. An MSOL formula with one free variable ϕ(x) defines a property: class of pairs (M, s) such that M ϕ(s). We can compare which properties are definable in MSOL and which in the µ-calculus.

. – p.20/??

Why the µ-calculus?

Thm: The µ-calculus theory of labeled graphs is

EXPTIME-complete.(not decidable for MSOL)

. – p.21/??

Why the µ-calculus?

Thm: The µ-calculus theory of labeled graphs is

EXPTIME-complete.(not decidable for MSOL)

Racall : Two nodes of a (deterministic) transition system are in bisimulation iff unwindings from these two nodes are isomorphic. a a a a

. – p.21/??

Why the µ-calculus?

Thm: The µ-calculus theory of labeled graphs is

EXPTIME-complete.(not decidable for MSOL)

Racall : Two nodes of a (deterministic) transition system are in bisimulation iff unwindings from these two nodes are isomorphic. Fact: µ-calculus properties are bisimulation invariant (if s α and s ≈ s′ then s′ α.) Thm [Janin & W.]: A property is expressible in the µ-calculus iff it is expressible in MSOL and bisimulation invariant. It is not decidable if an MSOL formula is bisimulation invariant.

. – p.21/??

Plan

Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games.

. – p.22/??

The model checking problem ?

• α

Given a finite labelled graph M, its vertex s and a sentence α, decide if s ∈ α M. This problem reduces to a problem of solving games.

. – p.23/??

Propositional logic (model checking)

P | ¬P | ϕ ∨ ψ | ϕ ∧ ψ Valuation: V : Prop → {0, 1} Model checking rules V ϕ ∨ ψ V ϕ V ψ Eve chooses V ϕ ∧ ψ V ϕ V ψ Adam chooses V P Eve wins if V (P) = 1. V ¬P Eve wins if V (P) = 0. Eve has a winning strategy from V ϕ iff ϕ is true in V .

. – p.24/??

Example

V ≡ (P = 0, Q = 1) V P ∨ (¬P ∧ Q) V P V ¬P ∧ Q V ¬P V Q

. – p.25/??

Model-checking

We are given a transition system M and a formula α0. Model checking rules s α ∨ β s α s β s α ∧ β s α s β s aα t α s [a]α t α (s, t) ∈ Ea s P Eve wins if s ∈ P M; s ¬P Eve wins if s ∈ P M. s µX.α(X) s α(µX.α(X)) s νX.α(X) s α(νX.α(X)) The last two rules may be a source of infinite plays.

. – p.26/??

Plan

Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games.

. – p.27/??

Path forming games

G = VE, VA, R, λ : V → C, Acc ⊆ Cω a b c a b c

. – p.28/??

Path forming games

G = VE, VA, R, λ : V → C, Acc ⊆ Cω a b c a b c

. – p.28/??

Path forming games

G = VE, VA, R, λ : V → C, Acc ⊆ Cω a b c a b c

. – p.28/??

Path forming games

G = VE, VA, R, λ : V → C, Acc ⊆ Cω a b c a b c

. – p.28/??

Path forming games

G = VE, VA, R, λ : V → C, Acc ⊆ Cω a b c a b c

. – p.28/??

Path forming games

G = VE, VA, R, λ : V → C, Acc ⊆ Cω a b c a b c Eve wins if the labeling of the path is in Acc.

(There is an edge from every node.)

V P ∨ (¬P ∧ Q) V P V ¬P ∧ Q V ¬P V Q

. – p.28/??

Winning conditions

2 3 1 2 3 G = VE, VA, R, λ : V → C, Acc ⊆ Cω Inf( v): the set of colours appearing infinitely often on a path v. Muller condition: given by a partition of P(C) into (FE, FA).

• v ∈ Acc

iff { v : Inf( v) ∈ FE} Parity condition is given by a function Ω : V → {0, . . . , d}.

• v ∈ Acc

iff min(InfΩ( v)) is even.

. – p.29/??

Model-checking

We are given a transition system M and a formula α0. Model checking rules s α ∨ β s α s β s α ∧ β s α s β s aα t α s [a]α t α (s, t) ∈ Ea s P Eve wins if s ∈ P M; s ¬P Eve wins if s ∈ P M. s µX.α(X) s α(µX.α(X)) s νX.α(X) s α(νX.α(X)) The last two rules may be a source of infinite plays.

. – p.30/??

Infinite plays

s a . . . . . . s µX.aX s νX.aX s aµX.aX s a(νX.aX) s µX.aX s νX.aX Eve should win in the second game but not in the first.

. – p.31/??

Approximations

µX.β(X) =

τ∈Ord µτX.β(X)

[ [µ0X.β(X)] ]

M Val =∅

[ [µτ+1X.β(X)] ] =[ [β(X)] ]M

Val[[ [µτX.β(X)] ]M

Val/X]

[ [µτX.β(X)] ]M

Val =

• τ ′<τ

[ [µτ ′X.β(X)] ]

M Val

if τ is a limit ordinal νX.β(X) =

τ∈Ord ντX.β(X)

[ [ν0X.β(X)] ]

M Val =V

[ [ντ+1X.β(X)] ] =[ [β(X)] ]M

Val[[ [ντX.β(X)] ]M

Val/X]

[ [ντX.β(X)] ]M

Val =

• τ ′<τ

[ [ντ ′X.β(X)] ]

M Val

if τ is a limit ordinal

. – p.32/??

Infinite plays

s a . . . . . . s µτ−1X.aX s ντX.aX s a(µτ−1X.aX) s a(ντX.aX) s µτX.aX s ντX.aX Eve should win in the second game but not in the first.

. – p.33/??

Infinite plays

s a . . . . . . s 3µτ−1X.aX s 3ντX.aX s 1a(µτ−1X.aX) s 2a(ντX.aX) s 3µτX.aX s 3ντX.aX Eve should win in the second game but not in the first. Assign rank 1 to µ-regeneration and rank 2 to ν-regeneration.

. – p.33/??

Defining winning conditions

µX1. νX2. µX3. νX4 . . . ϕ(X1, X2, . . . ) 1 2 3 4 · · · µ’s have odd ranks, ν’s have even ranks, if β is a subformula of α then β has bigger rank than α.

. – p.34/??

Tableau

Model checking rules s α ∨ β s α s β s α ∧ β s α s β s aα t α s [a]α t α (s, t) ∈ Ea s µX.α(X) s α(µX.α(X)) s νX.α(X) s α(νX.α(X)) s P Eve wins if s ∈ P M; s ¬P Eve wins if s ∈ P M.

. – p.35/??

Tableau

Tableaux rules α ∨ β ϕ α α ∧ β β ψ aα α a [a]α α a µX.α(X) α(µX.α(X)) νX.α(X) α(νX.α(X)) These rules define a tableau Tα for a formula α. Operation M ⊗ Tα of “synchronized product” of a transition system and a tableau that gives the MC game. Obs: M, s0 α iff Eve wins from (s0, α) in M ⊗ Tα.

. – p.36/??

Example

νY.µX. (P ∧ aY ) ∨ bX aY P ∧ aY P β3

X

β2

Y

bX b a s a

M TβY

. – p.37/??

Example

νY.µX. (P ∧ aY ) ∨ bX s aY s P ∧ bY s P s β3

X

s β2

Y

s bX a s a

M M ⊗ TβY

. – p.38/??

From MC to games

Given a structure M and a formula α we construct the game G(M, α) such that: M, s α iff Eve wins from (s α) in G(M, α) The winning condition in G(M, α) is a parity condition which size is the depth of alternation of fixpoints in α. One can define a tableau Tα and a synchronized product M ⊗ Ta so that G(M, α) = M ⊗ Tα. In particular the size of |M| ⊗ |Tα| is |M| · |α|. This works also for infinite transition systems.

. – p.39/??

From games to MC

A game can be represented as a transition system where propositions PE designates Eve’s positions, propostions P0, . . . , Pd define Ω : V → {0, . . . , d}. Thm [Emerson & Jutla]: There is a formula of the mu-calculus εd such that MG, v εd iff Eve wins from v in G. γ(Z0, . . . , Zd) =

• PE ∧
• i=0,...,d

(Pi ⇒ ·Zi)

• ∨
• ¬PE ∧
• i=0,...,d

(Pi ⇒ [ ]Zi)

• εd = νZ0.µZ1. . . . σZd. γ(Z0, . . . , Zd)

. – p.40/??

In summary

Parity games and model-checking for the mu-calculus are very close to each other (inter-reducible in linear time). The tableau construction gives an alternating automaton accepting models of the formula. The M ⊗ Tα operation defines the space of runs of the automaton Tα on the structure M. As Tα accepts all models of α the satisfiabiality problem reduces to the emptiness test of Tα. Indeed the satisfiability game is obtained from converting Tα into a nondeterministic automaton. Because of this translation it is enough to consider the games solving problem instead of MC problem.

. – p.41/??

Plan

Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games.

. – p.42/??

Open problem: Solving parity games

Given a finite parity game G = VE, Va, R, Ω : (VE ∪ Va) → N decide if Eve has a winning strategy from a given position. This problem is in NP and its complement is also in NP. We do not know if the problem is in PTIME. This is one of the very few problems that have this status

. – p.43/??

Strategies

G = VE, VA, R, λ : V → C, Acc ⊆ Cω Strategy for Eve is σ : V ∗ × VE → V such that σ( vvE) ∈ R(vE) A strategy σ for Eve is winning from v if all plays from v respecting the strategy are winning for Eve. 2 3 1 2 3 Positional/memoryless strategy for Eve is a function σ : VE → V such that σ(v) ∈ R(v).

. – p.44/??

Strategy with memory: example

c a b Muller condition: FE = {{a, b, c}}.

(Both a and b appear infinitely often.)

Eve has a winning strategy in this game but no positional winning strategy.

. – p.45/??

Basic results

Thm [Martin]: Every game with a Muller winning condition is determined, i.e., from every vertex one of the players has a winning strategy. Thm [Mostowski, Emerson & Jutla]: In a parity game a player has a memoryless winning strategy from each of his winning vertices. Def: To solve a game is to determine for each position who has a winning strategy from this position. Fact : There is an algorithm for solving finite Muller games.

. – p.46/??

A funny game

d c b a 4 3 2 1

• The biggest number seen infinitely often =

the number of letters seen infinitely often. Examples: a1a1a1 . . . , a1c1c1c1 . . . , a1c2a1c1a2c2 . . . . Eve has a winning strategy with finite memory in this game.

. – p.47/??

LAR example

a b c d → 1 d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d c b a d → 2 d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d c b a d → 2 d d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d c b a d → 2 d c b a d → 1 d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d c b a d → 2 d c b a d → 1 a d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d c b a d → 2 d c b a d → 1 a c b d a → 2 d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d c b a d → 2 d c b a d → 1 a c b d a → 2 d d c b a 4 3 2 1

• . – p.48/??

LAR example

a b c d → 1 b a c d b → 3 d a c b d → 2 a c b d a → 4 d c b a d → 2 d c b a d → 1 a c b d a → 2 d c b a d → 2 d c b a 4 3 2 1

• If from now on only a and d will appear

then we will see 2 infinitely often and never 3 or 4.

. – p.48/??

Parity games admit memoryless strategies

Thm [Mostowski, Emerson & Jutla]: In a finite parity game Eve has a memoryless strategy winning from each of her winning vertices. Proof by induction on the number of edges from Eve’s positions If each position has one outgoing edge then this is the strategy for Eve. 2 3 1 2 3

. – p.49/??

Memoryless strategies: induction step

a

G

s

G σ1 Eve ρ1 Adam

s

G σ2 Eve ρ2 Adam If σ1 or σ2 is winning in G then we can use it. Suppose not. Then Adam can win from s in G. s s s s

ρ1 ρ2 ρ1 ρ2

s s

ρ2 ρ2

max inf odd s s

ρ1 ρ1

max inf odd

. – p.50/??

Complexity classes

A problem L ⊆ {0, 1}∗ is in PTIME iff there is a machine M and a polynomial p(n) such that on every input w ∈ {0, 1}∗ machine M does at most p(|w|) steps and answers yes/no correctly. A problem L ⊆ {0, 1}∗ is in NP iff there is a polynomial p′(n) such that for every w ∈ L there is w′ ∈ {0, 1}∗ of size < p′(|w|) such that {w$w′ : w ∈ L} is in PTIME. Example: Satisfiability of a propositional formula: (x1 ∨ x2 ∨ ¬x3) ∧ (¬x1 ∨ ¬x2 ∨ x3) Guess a valuation and check. Example: Parity games Guess a memoryless strategy and check.

. – p.51/??

Digression: Primes

COMPOSITE: Is a given number a composite number. In NP: guess a decomposition. PRIMES: Is a given number a prime. In NP: Lucas-Lehmer test. Number n is a prime iff ∃a s.t.: an ≡ 1 (mod n) and ax ≡ 1 (mod n) for all x = 1, . . . , n − 2. In 2002 PRIMES were shown to be in PTIME [M. Agarwal, N. Saxena, N. Kayal]

. – p.52/??

Model checking ?

• α

⇓ G = VE, VA, R, λ : V → {0, . . . , d}

Current algorithms work in time |G|O(d) where d is the size of the range of λ. The size of d is related with the nesting depth of fixpoints in α.

. – p.53/??

Discounted pay-off games

G = VE, VA, R, w : (VE ∪ VA) → R Outcome of v0, v1, . . . is (1 − δ) ∞

i=0 δiw(vi); here 0 < δ < 1 is a

discount factor. Value of the game in a vertex v is a number Vv such that: Eve has a strategy from v to have an outcome ≥ Vv, and Adam has a strategy from v to have an outcome ≤ Vv. Thm [Zwick and Paterson]: For every finite discounted pay-off game the value exists in every vertex and is given as a unique solution of the set of equations: xv = (1 − δ)w(v) + max(v,u)∈R δxu if v ∈ VE min(v,u)∈R δxu if v ∈ VA

. – p.54/??

Proof

Define F : Rn → Rn by: Fi( x) = (1 − δ)w(i) + max(i,j)∈R δxj if i ∈ VE min(i,j)∈R δxj if i ∈ VA Consider the max norm || x|| = max |xi|. We have: ∀ x,

• y. ||F(

x) − F( y)|| ≤ δ|| x − y|| As 0 < δ < 1, mapping F is contracting with respect to the

• norm. So there is the unique fixed point

z = F( z). It is easy to see that Eve has a strategy to be not below z and Adam has a strategy to be not above z.

. – p.55/??

Mean pay-off games

G = VE, VA, R, w : (VE ∪ VA) → N Outcome for Eve of a play v0, v1, . . . is lim infn→inf

1 n

n

i=1 w(vi).

For Adam it is lim supn→inf

1 n

n

i=1 w(vi).

Thm [Ehrenfeucht & Mycielski]: Every vertex has a value v such that Eve has a strategy to be not below v and Adam a strategy to be not above v. Moreover the two players have memoryless strategies to achieve this. Thm [Zwick & Paterson]: When δ → 1 then VZP

δ

(v) → VEM(v). Recall pay-off in ZP: (1 − δ) ∞

i=0 δiw(vi)

. – p.56/??

Relation to parity games

Loop games. G = VE, VA, R, w : (VE ∪ VA) → N. Players play until a cycle is closed. The outcome is the mean of the weights

• n the cycle.

Thm [Ehrenfeucht & Mycielski]: For all vertices Vloop(v) = VEM(v). Reduction of parity games to loop games: G = VE, VA, R, Ω : (VE ∪ VA) → {0, . . . , d}. Define w(v) = (−n)Ω(v), where n is the number of vertices. Obs: Eve has a winning strategy in a parity game with λ iff she has a strategy to obtain a positive value in the loop game with w.

. – p.57/??

Plan

Why logical formalisms. Two formalisms for model-checking. Advantages of formal systems. Model-checking as a game. Two player infinite games. Solving games. Special strategies in games.

. – p.58/??

Strategies: remainder

G = VE, VA, R, λ : V → C, Acc ⊆ Cω Strategy for Eve is σ : V ∗ × VE → V such that σ( vvE) ∈ R(vE) A strategy σ for Eve is winning from v if all plays from v respecting the strategy are winning for Eve. c a b Positional/memoryless strategy for Eve is a function σ : VE → V such that σ(v) ∈ R(v).

. – p.59/??

Conditions admitting positional strategies

Memoryless strategies are interesting as: they are much easier to handle technically, the algorithms for finding them are simpler (of lower complexity), strategies are simple to describe (and use). A game is positionally determined iff both players have memoryless winning strategies from their winning positions. A winning condition admits positional determinacy iff all the games with this condition are positionally determined. Thm [McNaughton]: Parity conditions are the only Muller conditions admitting positional determinacy.

. – p.60/??

Infinite number of colours?

Colouring function is now λ : V → ω Min-parity condition: min(Inf(p)) is even or does not exist Max-parity condition: max(Inf(p)) is even or does not exist 1 3 · · · 2k + 1 · · · What if all the vertices need to be colored?

. – p.61/??

Infinite number of colours?

Colouring function is now λ : V → ω Min-parity condition: min(Inf(p)) is even or does not exist Max-parity condition: max(Inf(p)) is even or does not exist 1 3 · · · 2k + 1 · · · What if all the vertices need to be colored?

. – p.61/??

Infinite number of colours?

Colouring function is now λ : V → ω Min-parity condition: min(Inf(p)) is even or does not exist Max-parity condition: max(Inf(p)) is even or does not exist n 1 3 · · · 2k + 1 · · · What if all the vertices need to be colored?

. – p.61/??

Characterization of winning conditions

Muller conditions with infinite number of colours. G = {VE, VA, E, λ : V → ω} Infinite parity condition: Eve wins iff min(Inf(p)) is even or Inf(p) = ∅. Thm[Graedel & W.]: Games with infinite parity condition admit memoryless determinacy. All other conditions need infinite memory. Thm[Graedel & W.]: The conditions given by λ : V → (ω + 1) admit positional determinacy over graphs of bounded out-degree. Thm [Colcombet & Niwi´ nski]: If partial colouring functions are allowed then only finite parity conditions admit positional determinacy.

. – p.62/??

Conclusions

Formal languages are necessary for verification (if only due to the number of cases to check). The important issues are those of expessivity and complexity of a language. MSOL/bisimulation ≡ µ-calculus. Verification process can usually be reduced to the problem of solving games. M

?

α → finding a winner in G(M, α) Games with memoryless strategies are easier to work with. Classes of games admitting positional determinacy

. – p.63/??

Modelchecking infnite graphs From pushdown to regular graphs

. – p.64/??

Graphs of pushdown machines

Pushdown machine (deterministic): Q, Σ, Γ, q0 ∈ Q, δ : Q×Σ×Γ → Q×{pop, push(z) : z ∈ Γ}, F ⊆ Q. Configuration: (q, w) ∈ Q × Γ∗. Configuration graph nodes: configurations transitions: (q, zw) → (q′, w) if there is a ∈ Σ and δ(q, a, z) = (q′, pop) (q, zw) → (q′, z′zw) if there is a ∈ Σ and δ(q, a, z) = (q′, push(z′)) Rem: The input alphabet and accepting states do not play any role. Determinism is also not important.

. – p.65/??

Rewriting rules

Pushdown system: P = (Q, Γ, ∆) Rewrite rules: ∆ ⊆ Q × Γ × Q × ({ε} ∪ Γ2) qz ֌ q′ qz ֌ q′z′z Pushdown graph: G(P) Vertices: Q × Γ∗ Edges: qw → q′w′ according to the rules applied to prefixes. q0 is always the initial state and ⊥ is the initial stack symbol. TM graph: rules of the form aqb ֌ q′a′b or aqb ֌ ab′q′ without restrictions on the place of application.

. – p.66/??

Pushdown graph: an example

q0⊥ q0a⊥ q0aa⊥ q0aaa⊥ · · · q0ak⊥ · · · q1⊥ q1a⊥ q1aa⊥ · · · q1ak−1⊥ · · · This is (a part of) the graph of the system: q0⊥ ֌q0a⊥ q1⊥ ֌q0a⊥ q0a ֌q0aa q0a ֌q1 q1a ֌q1

. – p.67/??

Prefix-recognizable graphs

Pushdown system: P = (Γ, ∆) Rewrite rules: ∆ ⊆ P(Q∗) × P(Q∗) L ֌ L′ for L and L′ regular languages. Prefix-recognizable graph: G(P) Vertices: Γ∗ Edges: wu → w′u if w ∈ L and w′ ∈ L′ for some L ֌ L′. Rem: Prefix-recognizable graph of finite degree is a pushdown graph. Thm [Carayol & Wöhrle]: Prefix-recognizable graphs are ε-closures of pushdown graphs.

. – p.68/??

Example of a prefix recognizable graph

. . .

. – p.69/??

Synchronized rational and rational graphs

A relation R ⊆ Γ∗ × Γ∗ is rational if it is recognizable by a finite automaton with two heads moving asynchronously from left to right. A relation R ⊆ Γ∗ × Γ∗ is synchronous rational if the heads of the automaton always move together. A graph is rational if it is (Γ∗, R) where R is a rational relation. Rem: TM graphs are synchronous rational. Rem: Synchronous rational are also called automatic.

. – p.70/??

Examples of automatic and rational graphs

Synchrnous rational graph: grid Ru = {(0n1n, 0n+11n) : n ∈ N} Rr = {(0n1n, 0n1n+1) : n ∈ N} ε 1 11 00 01 011 001 0011 Rational graph: Given (u1, . . . , un), (v1, . . . , vn) of a Post correspondence problem define: R = {(ui1 . . . uik, vi1 . . . vik) : i1, . . . , ik ∈ {1, . . . , n}} In general this is not a synchronous rational graph.

. – p.71/??

MSOL over trees

The Σ-tree is Σ∗ with the root ε and wb the b son of w. MSOL over Σ-trees: succb(x, y) | Z(x) | ¬ϕ | ϕ ∧ ψ | ∃x.ϕ | ∃Z.ϕ Semantics in the Σ-tree. + G, V succb(x, y) iff V (x)b = V (y) + G, V ∃Z.α iff G, V [A/Z] α for some A ⊆ E. Thm[Rabin]: The MSO theory of the Σ-tree is decidable. Thm[Caucal]: A pushdown tree can be defined inside the Σ-tree using MSOL formulas. Cor[Muller, Schupp]: The MSO theory of a pushdown tree is decidable

. – p.72/??

Pushdown system inside a tree

Pushdown rules: qz ֌ q′ qz ֌ q′z′z Configuration is represented by a word qzkzk−1 . . . z1. Hence we can identify configurations with some nodes of the tree (Q ∪ Γ)∗. q z q′ qz ֌ q′ q z z′ q′ qz ֌ q′z′z

. – p.73/??

Model checking pushdown systems

Let ρ : Q → P(Prop) be a valuation. This extends to ρ : Q × Γ∗ → P(Prop) by ρ(qw) = ρ(q). So we have a model M(P, ρ). Model checking problem: Given a pushdown system P with a valuation ρ and a formula α check if M(P, ρ), q0⊥ α. Example: Alternating reachability Is there a choice of successors in E nodes such that every path from v passes through F.

. – p.74/??

EF, CTL, µ-calculus

EF logic p | ¬α | α ∧ β | ∃a | ∃Fα !No ∃Gα! CTL EF +

• ∃(α1Uα2) | ∃¬(α1Uα2)
• G, v ∃Fα iff there is v′ reachable from v with G, v′ α

G, v ∃Gα iff there is a path from v s.t. for every v′ on it we have G, v′ α. µ-calculus P | ¬P | X | α | α ∨ β | α ∧ β | aα | [a]α | µX.α | νX.α

. – p.75/??

Results

Thm: Model checking problem for the µ-calculus is EXPTIME-complete. Thm: The model checking problem for EF-logic is in PSPACE. It is PSPACE-hard [Bouajjani, Esparza, Maler] Thm: The same problem for CTL formulas is EXPTIME-complete. Rem: The problem is with ∃ αUβ.

. – p.76/??

Alt reachability: EXPTIME-hard

Take ASPACE(n) machine M and input w. Construct Pw: Pw has alt. reach. prop. iff w ∈ L(M).

• configurations

accumulated conifigurations

. . . . . . . . . . . .

How to check that a sequence of accumulated configurations is correct?

. – p.77/??

Checking consecutive configurations

Simpler problem: Given a word w of length n decide if the stack is of the form wk⊥ for some k. qa →q, qa

n

q⊥ →qF qa

nb →qa n−1

qa

0a →qF

qa

n

qa qb q qb

n

q q q w w

. – p.78/??

Summary of pushdown model checking

µ-calc EXPTIME-compl Alt reach EXPTIME-compl CTL EXPTIME-compl LTL EXPTIME-compl EF PSPACE-compl reach PTIME

. – p.79/??

Decidability: synchronized regular graphs

TM graphs are synchronized regular. As reachability is expressible in MSOL, synchronized regular graphs may have undecidable MSO theory. Thm: The FOL theory of a synchronized regular graph is decidable Every FOL definable relation in a synchronized regular graphs is synchronized regular. (Induction on the definition of the relation.)

. – p.80/??

Decidability: Regular graphs

Thm [Thomas]: There is a regular graph that has undecidable FO-theory. Consider a Post correspondence problem (u1, . . . , un), (v1, . . . , vn) and the associated graph: R = {(ui1 . . . uik, vi1 . . . vik) : i1, . . . , ik ∈ {1, . . . , n}} [Morvan] The problem has a solution iff there is a vertex with a self-loop: ui1 . . . uik = vi1 . . . vik We want a fixed graph with undecidable FOL theory. G(U) Post graph associated with an universal Turing machine. For every M and w: w ∈ L(M) iff the Post correspondence problem has a solution starting with w#c(M)# . . . Equivalently: w ∈ L(M) iff in G(U) there is a vertex with a self loop and with prefix w#c(M)#.

. – p.81/??

Decidability:summary

Push-down and prefix-recognizable graphs have decidable MSO theory. Push-down graphs have bounded out degree. Synchronous rational graphs have decidable FO theory. But may have undecidable MSO theory. Rational graphs may have undecidable FO theory. Cor: The strict inclusion of the classes of graphs.

. – p.82/??

Conclusions

Model checking pushdown graphs is almost as easy as finite graphs. For synchronous rational graphs only FOL theory is decidable (reachability is not ). Rational graphs may have undecidable even FOL theory.

. – p.83/??