Temporal logics for multi-agent systems
Nicolas Markey
LSV – ENS Cachan
(based on joint works with Thomas Brihaye, Arnaud Da Costa-Lopes, François Laroussinie, Patricia Bouyer, Patrick Gardy)
Centre Fédéré en Vérification
Brussels, January 29, 2016
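[Figure: model checking. A system (picture from http://www.embedded.com), modelled with actions a! b? a? b!, and a property A G(¬B.overfull ∧ ¬B.dried_up) are given to a model-checking algorithm, which answers yes/no.]
[Figure: synthesis. The same system with an unknown part "?" and the same property are given to a synthesis algorithm, which outputs a? b!.]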
1 Introduction
2 Basics of CTL and ATL
    expressing properties of reactive systems
    efficient verification algorithms
3 ATL with strategy contexts
    specifying properties of complex interacting systems
    expressive power of ATLsc
    translation into Quantified CTL (QCTL)
    algorithms for ATLsc
4 Strategy Logic
5 Conclusions and future works
atomic propositions: , , ...
boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...
temporal modalities:
    X ϕ: “next ϕ”
    ϕ U ψ: “ϕ until ψ”
    true U ϕ ≡ F ϕ: “eventually ϕ”
    ¬F¬ϕ ≡ G ϕ: “always ϕ”
path quantifiers: E ϕ, A ϕ
In CTL, each temporal modality is in the immediate scope of a path quantifier.
    E F : is reachable
    E G(¬ ∧ E F ): there is a path along which is always reachable, but never reached
Theorem ([CE81,QS82])
CTL model checking is PTIME-complete.
Theorem ([KVW94])
CTL model checking on product structures is PSPACE-complete.
[CE81] Clarke, Emerson. Design and Synthesis of Synchronization Skeletons... LOP, 1981.
[QS82] Queille, Sifakis. Specification and verification of concurrent systems in CESAR. SOP, 1982.
[KVW94] Kupferman, Vardi, Wolper. An automata-theoretic approach to branching-time... CAV, 1994.
Concurrent games
A concurrent game is made of
    a transition system (states q0, q1, q2);
    a set of agents (or players);
    a table indicating the transition to be taken given the actions:
        q0 q2 q1
        q1 q0 q2
        q2 q1 q0
      (table indexed by the actions of player 1 and player 2)
Turn-based games
A turn-based game is a game where only one agent plays at a time.
Strategies
A (pure) strategy for a given player is a function telling which action to play depending on what has happened previously.
Example
Strategy for player
alternately go to and (starting with ).
Example
Memoryless strategy for player
always go to .
ATL extends CTL with strategy quantifiers
⟨⟨A⟩⟩ ϕ expresses that A has a strategy to enforce ϕ.
Semantics of ⟨⟨A⟩⟩ ϕ
Existential quantification (over strategies) implicitly includes a universal quantification (over outcomes):
    G, ⊨ ⟨⟨A⟩⟩ ϕ ⇔ ∃σ_A. ∀π ∈ Out( , σ_A). π ⊨ ϕ.
Theorem ([AHK02])
Model checking ATL is PTIME-complete.
Theorem ([LMO08])
In PTIME only if the transition table is given explicitly (size |Moves|^|Agt|).
Memoryless strategies are sufficient for ATL.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
[LMO08] Laroussinie, Markey, Oreiby. On the Expressiveness and Complexity of ATL. LMCS, 2008.
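The polynomial-time procedure behind these two theorems, as an added example that is not part of the original slides: with an explicit transition table, ⟨⟨A⟩⟩ F goal is a least fixpoint and ⟨⟨A⟩⟩ G safe a greatest fixpoint of a one-step "coalition can force" test, and the least fixpoint yields a memoryless strategy as a by-product. The game GAME, its agents ctrl and env, and all function names are constructed for illustration.

```python
from itertools import product

# Constructed two-agent concurrent game (not from the slides). In s0 the
# successor depends on both choices: matching moves lead to s1, others to bad.
GAME = {
    "agents": ("ctrl", "env"),
    "states": ("s0", "s1", "ok", "bad"),
    "moves": {
        "s0": {"ctrl": ("a", "b"), "env": ("a", "b")},
        "s1": {"ctrl": ("go", "stay"), "env": ("-",)},
        "ok": {"ctrl": ("-",), "env": ("-",)},
        "bad": {"ctrl": ("-",), "env": ("-",)},
    },
    # Explicit transition table: (ctrl move, env move) -> successor state.
    "table": {
        "s0": {("a", "a"): "s1", ("b", "b"): "s1",
               ("a", "b"): "bad", ("b", "a"): "bad"},
        "s1": {("go", "-"): "ok", ("stay", "-"): "s1"},
        "ok": {("-", "-"): "ok"},
        "bad": {("-", "-"): "bad"},
    },
}


def coalition_moves(game, state, coalition):
    """Every joint move of the coalition in `state`, as a dict agent -> move."""
    members = [a for a in game["agents"] if a in coalition]
    choices = product(*(game["moves"][state][a] for a in members))
    return [dict(zip(members, c)) for c in choices]


def outcomes(game, state, fixed):
    """Successors of `state` when the agents in `fixed` play as given
    and every other agent plays arbitrarily."""
    others = [a for a in game["agents"] if a not in fixed]
    result = set()
    for c in product(*(game["moves"][state][a] for a in others)):
        joint = {**fixed, **dict(zip(others, c))}
        key = tuple(joint[a] for a in game["agents"])
        result.add(game["table"][state][key])
    return result


def force_eventually(game, coalition, goal):
    """Least fixpoint for <<coalition>> F goal.
    Returns (winning states, memoryless strategy on the added states)."""
    win, strategy = set(goal), {}
    changed = True
    while changed:
        changed = False
        for s in game["states"]:
            if s in win:
                continue
            for mv in coalition_moves(game, s, coalition):
                # The coalition wins from s if one joint move forces the
                # next state into the already-winning set.
                if outcomes(game, s, mv) <= win:
                    win.add(s)
                    strategy[s] = mv
                    changed = True
                    break
    return win, strategy


def force_always(game, coalition, safe):
    """Greatest fixpoint for <<coalition>> G safe."""
    win = set(safe)
    while True:
        keep = {s for s in win
                if any(outcomes(game, s, mv) <= win
                       for mv in coalition_moves(game, s, coalition))}
        if keep == win:
            return win
        win = keep


if __name__ == "__main__":
    print(force_eventually(GAME, {"ctrl"}, {"ok"}))
    print(force_eventually(GAME, {"ctrl", "env"}, {"ok"}))
    print(force_always(GAME, {"ctrl"}, {"s0", "s1", "ok"}))
```

Each pass enumerates the rows of the transition table, which is why the polynomial bound is stated relative to the explicit table of size |Moves|^|Agt|.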
Example
F )
Player in always plays to ; Player in then plays to .
Brihaye, Da Costa, Laroussinie, Markey. ATL with strategy contexts and bounded memory. LFCS, 2009.
Da Costa, Laroussinie, Markey. ATL with strategy contexts: expressiveness and ... FSTTCS, 2010.
Definition
ATLsc has new strategy quantifiers:
    ⟨·A·⟩ ϕ is similar to ⟨⟨A⟩⟩ ϕ but assigns the corresponding strategy to A for evaluating ϕ;
    ϕ ≡ ⟨·Agt \ A·⟩ ϕ (useful for getting formulas that do not depend on Agt);
    0 ϕ is similar to ⟨·A·⟩ ϕ but quantifies over memoryless strategies;
    A ϕ drops the assigned strategies for A.
    [·A·] ϕ is dual to ⟨·A·⟩ ϕ: [·A·] ϕ ≡ ¬⟨·A·⟩ ¬ϕ
Definition
Semantics of ATL strategy quantifier:
    G, ⊨ ⟨⟨A⟩⟩ ϕ ⇔ ∃σ_A. ∀π ∈ Out( , σ_A). π ⊨ ϕ
Semantics of ATLsc strategy quantifier:
    G, ⊨_σB ⟨·A·⟩ ϕ ⇔ ∃σ_A. ∀π ∈ Out( , σ_A ∘ σ_B). π ⊨_(σ_A ∘ σ_B) ϕ
newly selected strategies added to the context:
    σ_A ∘ σ_B : a → σ_A(a) if a ∈ A \ B
                b → σ_B(b) if b ∈ B \ A
                c → σ_A(c) if c ∈ B ∩ A
Client-server interactions for accessing a shared resource:
G
F access_c ∧ ¬
access_c ∧ access_c′
Existence of Nash equilibria:
( ⟨·Ai·⟩ ϕ_Ai ⇒ ϕ_Ai)
Existence of dominating strategy:
[·B·] (¬ϕ ⇒ [·A·] ¬ϕ)
Theorem
ATLsc is strictly more expressive than ATL
Proof
ϕ ≡ ∅ ⟨·A·⟩ ϕ̂
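( ⟨·2·⟩ X a ∧ ⟨·2·⟩ X b) is only true in the second game. But ATL cannot distinguish between these two games.
[Figure: two games, one from state s and one from state s′, each with successors labelled a and b; edges labelled with move pairs 1.1,2.2 / 1.2 / 2.1 in the first game and 1.1,2.2,3.3 / 1.2,1.3,3.2 / 2.1,2.3,3.1 in the second.]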
QCTL extends CTL with propositional quantifiers
∃p. ϕ means that there exists a labelling of the model with p under which ϕ holds.
E F ∧ ∀p. ) ⇒ A G( ⇒ p) )
    true if we label the Kripke structure;
    false if we label the computation tree;
[ES84] Emerson and Sistla. Deciding Full Branching Time Logic. Information & Control, 1984.
[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification... CAV, 1995.
[Fre01] French. Decidability of Quantified Propositional Branching Time Logics. AJCAI, 2001.
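structure semantics (⊨s): ∃p. ϕ holds if ϕ holds for some labelling of the Kripke structure with p;
tree semantics (⊨t): ∃p. ϕ holds if ϕ holds for some labelling of the computation tree with p.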
QCTL can “count”:
    E X₁ ϕ ≡ E X ϕ ∧ ∀p. [E X(p ∧ ϕ) ⇒ A X(ϕ ⇒ p)]
    E X₂ ϕ ≡ ∃q. [E X₁(ϕ ∧ q) ∧ E X₁(ϕ ∧ ¬q)]
QCTL can express (least or greatest) fixpoints:
    µT.ϕ(T) ≡ ∃t. [A G(t ⇔ ϕ(t)) ∧ (∀t′. (A G(t′ ⇔ ϕ(t′)) ⇒ A G(t ⇒ t′)))]
Theorem
QCTL, QCTL∗ and MSO are equally expressive (under both semantics).
[DLM12] Da Costa, Laroussinie, Markey. Quantified CTL: ... CONCUR, 2012.
Theorem
Model checking QCTL for the structure semantics is PSPACE-complete.
Proof
Membership: labelling algorithm. Iteratively (nondeterministically) pick a labelling, check the subformula.
Hardness: QBF is a special case (without even using temporal modalities).
Theorem
QCTL satisfiability for the structure semantics is undecidable.
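The labelling algorithm and the counting formulas E X₁ and E X₂ under the structure semantics, as an added example that is not part of the original slides: a deterministic evaluator for a QCTL fragment that handles ∃p and ∀p by enumerating every labelling of the states with p. The Kripke structure K, the labelling LAB, the tuple encoding of formulas and all function names are constructed for illustration.

```python
from itertools import combinations

# Constructed Kripke structure (not from the slides): state -> successor set.
K = {
    "s0": {"s1", "s2", "s3"},
    "s1": {"s1"},
    "s2": {"s4"},
    "s3": {"s3"},
    "s4": {"s0", "s4"},
}
LAB = {"a": {"s1", "s2", "s4"}}  # constructed labelling for proposition a


def labellings(states):
    """All subsets of the state set, i.e. all ways to label states with p."""
    ordered = sorted(states)
    for size in range(len(ordered) + 1):
        for subset in combinations(ordered, size):
            yield set(subset)


def sat(k, f, lab):
    """States of k satisfying formula f (nested tuples) under labelling lab."""
    states = set(k)
    op = f[0]
    if op == "ap":
        return set(lab.get(f[1], ()))
    if op == "not":
        return states - sat(k, f[1], lab)
    if op == "and":
        return sat(k, f[1], lab) & sat(k, f[2], lab)
    if op == "imp":
        return (states - sat(k, f[1], lab)) | sat(k, f[2], lab)
    if op == "EX":
        target = sat(k, f[1], lab)
        return {s for s in states if k[s] & target}
    if op == "AX":
        target = sat(k, f[1], lab)
        return {s for s in states if k[s] <= target}
    if op == "EU":
        left, reach = sat(k, f[1], lab), sat(k, f[2], lab)
        while True:  # least fixpoint of the usual CTL labelling algorithm
            grown = reach | {s for s in left if k[s] & reach}
            if grown == reach:
                return reach
            reach = grown
    if op in ("exists", "forall"):
        # Structure semantics: the quantified proposition labels the states
        # of the Kripke structure itself, so there are 2^|states| candidates.
        results = [sat(k, f[2], {**lab, f[1]: choice})
                   for choice in labellings(states)]
        if op == "exists":
            return set.union(*results)
        return set.intersection(*results)
    raise ValueError("unknown operator: %r" % (op,))


def ex1(phi):
    """E X1 phi: exactly one successor satisfies phi (phi must not use p)."""
    p = ("ap", "p")
    unique = ("imp", ("EX", ("and", p, phi)), ("AX", ("imp", phi, p)))
    return ("and", ("EX", phi), ("forall", "p", unique))


def ex2(phi):
    """E X2 phi: exactly two successors satisfy phi (phi must not use p, q)."""
    q = ("ap", "q")
    return ("exists", "q", ("and", ex1(("and", phi, q)),
                            ex1(("and", phi, ("not", q)))))


def count_successors(k, lab, state, prop):
    """Direct count, used only to cross-check the quantified formulas."""
    return len(k[state] & lab[prop])


if __name__ == "__main__":
    print(sorted(sat(K, ex1(("ap", "a")), LAB)))
    print(sorted(sat(K, ex2(("ap", "a")), LAB)))
```

The enumeration reuses the same state set for each candidate labelling, which mirrors the PSPACE membership argument; the running time is exponential in the number of nested quantifiers.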
Theorem
Model checking QCTL with k quantifiers in the tree semantics is k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semantics is (k+1)-EXPTIME-complete.
Proof
Using (alternating) parity tree automata:
    δ(q0, ) = (q0, q1) ∨ (q1, q0)
    δ(q0, ) = (q1, q1)
    δ(q0, ) = (q2, q2)
    δ(q1, ⋆) = (q1, q1)
    δ(q2, ⋆) = (q2, q2)
This automaton corresponds to E U
    polynomial-size tree automata for CTL;
    quantification is handled by projection, which first requires removing alternation (exponential blowup);
    an automaton equivalent to a QCTL formula can be built inductively;
    emptiness of an alternating parity tree automaton can be decided in exponential time.
player A has moves m^A_1, ..., m^A_n;
from the transition table, we can compute the set Next( , A, m^A_i) of states that can be reached from when player A plays m^A_i.
⟨·A·⟩ ϕ can be encoded as follows:
    ∃m^A_1. ∃m^A_2. ... ∃m^A_n.
    this corresponds to a strategy: A G(m^A_i ⇔ ¬ m^A_j);
    the outcomes all satisfy ϕ: A i ⇒ X Next(q, A, m^A_i)) ⇒ ϕ
Corollary
ATLsc model checking is decidable, with non-elementary complexity.
Corollary
ATL⁰sc (quantification restricted to memoryless strategies) model checking is PSPACE-complete.
Encode QLTL satisfiability
Example: Φ = ∀p1. ∃p2. G(p2 ⇔ X p1).
[Figure: game with nodes labelled s, a1, a2, p1, ¬p1, ¬p2, p2]
[ · · ] · · · · G( s ) ∧ G · · X X p2 ) ⇔ (X · · X X p1 )
Theorem
QCTL satisfiability is decidable (for the tree semantics). But
Theorem ([TW12])
ATLsc satisfiability is undecidable.
Why?
The translation from ATLsc to QCTL assumes that the game structure is given!
[TW12] Troquard, Walther. On Satisfiability in ATL with Strategy Contexts. JELIA, 2012.
Theorem ([LM13])
When restricted to turn-based games, ATLsc satisfiability is decidable.
    player has moves , and .
    a strategy can be encoded by marking some of the nodes of the tree with proposition mov_A.
⟨·A·⟩ ϕ can be encoded as follows:
    ∃mov_A.
    it corresponds to a strategy: A G(turn_A ⇒ E X₁ mov_A);
    the outcomes all satisfy ϕ: A
[LM13] Laroussinie, Markey. Satisfiability of ATL with strategy contexts. Gandalf, 2013.
Strategy logic
Explicit quantification and binding of strategies
Definition
Strategy Logic (SL) formulas are built using:
    strategy quantifications: ∃σ. ψ;
    strategy bindings: bind(A → σ). ϕ;
    LTL to express properties of paths (outcomes);
Example
    ∃σ. bind(A → σ). ϕ
    ∃σ. ∀σ′. bind(A → σ). bind(B → σ′). ϕ ≡ ⟨·A·⟩ ϕ
    ∃σ. bind(A → σ). bind(B → σ). ϕ
    ∃σ. A G(bind(A → σ). ϕ)
[CHP07] Chatterjee, Henzinger, Piterman. Strategy Logic. CONCUR, 2007.
[MMV10] Mogavero, Murano, Vardi. Reasoning about strategies. FSTTCS, 2010.
What does ∃σ. A G(bind(A → σ). ϕ) mean?
    σ is selected here...
    ... but is applied there
What is the history of σ when a player starts applying it?
[BGM16] Bouyer, Gardy, Markey. On the semantics of Strategy Logic. IPL, 2016.
Theorem
Strategy logic can be translated into QCTL.
    players have moves m_1, ..., m_n;
    from the transition table, we can compute the set Next( , A, m_i) of states that can be reached from when player A plays m_i.
SL can be translated as follows:
    encoding of ∃σ. ψ: ∃m^σ_1 ∃m^σ_2 ... ∃m^σ_k. A G(m^σ_i ⇔ j )
    encoding of ϕ ∈ LTL (under full binding α: Agt → Strat): A i ⇒ X Next(q, A, m^α(A)_i)) ⇒ ϕ
Theorem ([CHP07,MMV10,DLM12,LM13])
Strategy-logic model-checking is decidable.
Strategy-logic satisfiability is decidable when restricted to turn-based games.
[CHP07] Chatterjee, Henzinger, Piterman. Strategy Logic. CONCUR, 2007.
[MMV10] Mogavero, Murano, Vardi. Reasoning about strategies. FSTTCS, 2010.
[DLM12] Da Costa, Laroussinie, Markey. Quantified CTL: ... CONCUR, 2012.
[LM13] Laroussinie, Markey. Satisfiability of ATL with strategy contexts. Gandalf, 2013.
... then strategies cannot easily be stored on the execution tree
Theorem
SL model checking is undecidable in floating semantics.
[Figure: game with states labelled a, a and ⊥]
Strategies for and characterized by the integer representing the first time they play to ⊥.
Checking that two strategies σ and σ represent the same integer:
    G( a ⇒ X a ) ∧ F · · ] X X ⊥
[Figure: main states s, s′, s′′, with further states labelled a, a, ⊥ and b, b, ⊥]
Encode run of a deterministic 2-counter machine M:
    Player plays a strategy that mimics the run of M;
    Player checks validity of simulation.
    s: if c==0 then goto s′ else goto s′′
        [ · · ] G δ(s)=(c,s′,s′′) s ⇒ (X c ∧ X X ⊥ ) X X s′
    s: c++; goto s′
        [ · · ] G ⇒ ∃σcount. · · X( c ∧ bind( → σcount). ϕ=) ∧ X X( s′ ∧ X( c ∧ bind( → σcount). ϕ+1))
Conclusions
    ATLsc is a very expressive, yet decidable extension of ATL;
    QCTL is a powerful extension of CTL;
    it is a nice tool to understand temporal logics for games (ATLsc, Strategy Logic, ...);
Future directions
    Defining and studying symmetric automata for QCTL;
    Defining interesting fragments of those logics;
    Considering partial observation;
    Considering randomised strategies.
MOVEP 2016
12th Summer School MOVEP Genoa, Italy 27 June - 1 July
FORMATS 2016
14th Int. Conference FORMATS colocated with CONCUR and QEST Quebec City, Canada 24-26 August