Model-Checking Games: from CTL to ATL

Transcription

1 Model-Checking Games: from CTL to ATL Sophie Pinchinat May 4, 2007

2

3 Introduction - Outline Model checking of CTL is PSPACE-complete Presentation of Martin Lange and Colin Stirling Model Checking Games for Branching Time Logics Int. Conf. on Temporal Logic, ICTL 2000 Journal of Logic and Computation, Oxford Univ Press Martin Lange s PhD thesis Model checking games for ATL Recall the Model checking of ATL is 2EXPTIME-complete

4 Preliminaries Prop = {true,false,q,q,...}, where q = q and true = false

5 Preliminaries Prop = {true,false,q,q,...} A transition system T is a triple (S,T,L) with: (S, T) a directed graph (and each vertex has a successor) L : S 2 Prop is such that for all s S: false / L(s), true L(s), and q L(s) iff q / L(s).

6 Preliminaries Prop = {true,false,q,q,...} A transition system T is a triple (S,T,L) with: (S, T) a directed graph (and each vertex has a successor) L : S 2 Prop is such that for all s S: false / L(s), true L(s), and q L(s) iff q / L(s). s t {q} {q}

7 Preliminaries Prop = {true,false,q,q,...} A transition system T is a triple (S,T,L)

8 Preliminaries Prop = {true,false,q,q,...} A transition system T is a triple (S,T,L) Formulas are built up from elements of Prop, Boolean connectives et, the temporal next (X), until (U), the dual release (R), and the path quantifiers A and E

9 Preliminaries Prop = {true,false,q,q,...} A transition system T is a triple (S,T,L) Formulas are built up from elements of Prop, Boolean connectives et, the temporal next (X), until (U), the dual release (R), and the path quantifiers A and E The set of subformulas defined as usual, except that: Sub(ϕUψ) = {ϕuψ,x(ϕuψ),ϕ X(ϕUψ)} {ψ ϕ X(ϕUψ)} Subϕ Subψ Sub(ϕRψ) = {ϕrψ,x(ϕrψ),ϕ X(ϕRψ)} {ψ (ϕ X(ϕRψ))} Subϕ Subψ

10 Preliminaries Prop = {true,false,q,q,...} A transition system T is a triple (S,T,L) Formulas are built up from elements of Prop, Boolean connectives et, the temporal next (X), until (U), the dual release (R), and the path quantifiers A and E The set of subformulas defined as usual, except that: Sub(ϕUψ) = {ϕuψ,x(ϕuψ),ϕ X(ϕUψ)} {ψ ϕ X(ϕUψ)} Subϕ Subψ Sub(ϕRψ) = {ϕrψ,x(ϕrψ),ϕ X(ϕRψ)} {ψ (ϕ X(ϕRψ))} Subϕ Subψ Fϕ := trueuϕ and Gϕ := falserϕ

11 Preliminaries Prop = {true,false,q,q,...} A transition system T is a triple (S,T,L) Formulas are built up from elements of Prop, Boolean connectives et, the temporal next (X), until (U), the dual release (R), and the path quantifiers A and E The set of subformulas defined as usual, except that: Sub(ϕUψ) = {ϕuψ,x(ϕuψ),ϕ X(ϕUψ)} {ψ ϕ X(ϕUψ)} Subϕ Subψ Sub(ϕRψ) = {ϕrψ,x(ϕrψ),ϕ X(ϕRψ)} {ψ (ϕ X(ϕRψ))} Subϕ Subψ Fϕ := trueuϕ and Gϕ := falserϕ Sub(Φ) := ϕ Φ Sub(ϕ)

12 Semantics (Full) Paths in T : π = s 0 s 1 s 2... π =q iff q L(s 0 ) π =ϕ ψ iff T,π = ϕ and T,π = ψ π =ϕ ψ iff T,π = ϕ or T,π = ψ π =Aϕ iff for all paths σ = s 0 σ : σ = ϕ π =Eϕ iff there exists a path σ = s 0 σ and σ = ϕ π =Xϕ iff T,π (1) = ϕ π =ϕuψ iff... π =ϕrψ iff...

13 Semantics (Full) Paths in T : π = s 0 s 1 s 2... π =q iff q L(s 0 ) π =ϕ ψ iff T,π = ϕ and T,π = ψ π =ϕ ψ iff T,π = ϕ or T,π = ψ π =Aϕ iff for all paths σ = s 0 σ : σ = ϕ π =Eϕ iff there exists a path σ = s 0 σ and σ = ϕ π =Xϕ iff T,π (1) = ϕ π =ϕuψ iff... π =ϕrψ iff... CTL formulas are of the form ϕ ::= ψ ::= Aψ q ψ ψ ψ ψ Xψ ψ Uψ ψ Rψ Aψ Eψ

14 Games Two players I and II. If x is one of them, then x denotes is the other one. Player II (she) has to show that the formula is satisfied whereas Player I (he) tries to show the converse Configurations Conf(T,ϕ) := {I,II} S Sub(ϕ) 2 Sub(ϕ)

15 Games Two players I and II. If x is one of them, then x denotes is the other one. Player II (she) has to show that the formula is satisfied whereas Player I (he) tries to show the converse Configurations A configuration C is written x, s [ϕ], Φ x is the path player, x is the focus player, and ϕ is the focus

16 Games Two players I and II. If x is one of them, then x denotes is the other one. Player II (she) has to show that the formula is satisfied whereas Player I (he) tries to show the converse Configurations x,s [ϕ],φ The path player x constructs a path π in T starting with s in a state-by-state manner; the focus player x tries to highlight a particular formula ϕ from the set of all formulas in the configuration such that π = ϕ if x = I and π = ϕ if x = II

17 Games Two players I and II. If x is one of them, then x denotes is the other one. Player II (she) has to show that the formula is satisfied whereas Player I (he) tries to show the converse Configurations x,s [ϕ],φ If x = II, then she wants to show that there is a path π = s... s.t. π = ϕ ψ ψ Φ although Player I believes π = ϕ If x = I, then he wants to show that there is a path π = s... s.t. π = ϕ ψ Φ ψ although Player II believes π = ϕ

18 Games Two players I and II. If x is one of them, then x denotes is the other one. Player II (she) has to show that the formula is satisfied whereas Player I (he) tries to show the converse Configurations x,s [ϕ],φ The initial configuration is I,s 0 [ϕ] Rules x,s, [ϕ],φ x,s, [ϕ ],Φ x If the actual configuration is x,s, [ϕ],φ then player x has to perform a choice and the next configuration is x,s, [ϕ ],Φ

19 The Rules x,s [Aϕ],Φ I,s [ϕ] (1) x,s [E ϕ],φ II,s [ϕ] (2)

20 The Rules x,s [Aϕ],Φ I,s [ϕ] (1) x,s [E ϕ],φ II,s [ϕ] (2) x,s [ϕ],qϕ,φ x,s [ϕ],φ x (3) x,s [ϕ],q,φ x,s [ϕ],φ x (4)

21 The Rules x,s [Aϕ],Φ I,s [ϕ] (1) x,s [E ϕ],φ II,s [ϕ] (2) x,s [ϕ],qϕ,φ x,s [ϕ],φ x (3) x,s [ϕ],q,φ x,s [ϕ],φ x (4) I,s [ϕ 0 ϕ 1 ],Φ I,s [ϕ i ],Φ I (5) I,s [ϕ 0 ϕ 1 ],Φ I,s [ϕ i ],ϕ 1 i,φ II (6)

22 The Rules x,s [Aϕ],Φ I,s [ϕ] (1) x,s [E ϕ],φ II,s [ϕ] (2) x,s [ϕ],qϕ,φ x,s [ϕ],φ x (3) x,s [ϕ],q,φ x,s [ϕ],φ x (4) I,s [ϕ 0 ϕ 1 ],Φ I,s [ϕ i ],Φ I (5) I,s [ϕ 0 ϕ 1 ],Φ I,s [ϕ i ],ϕ 1 i,φ II (6) II,s [ϕ 0 ϕ 1 ],Φ II,s [ϕ i ],Φ II (7) II,s [ϕ 0 ϕ 1 ],Φ II,s [ϕ i ],ϕ 1 i,φ I (8)

23 The Rules x,s [Aϕ],Φ I,s [ϕ] (1) x,s [E ϕ],φ II,s [ϕ] (2) x,s [ϕ],qϕ,φ x,s [ϕ],φ x (3) x,s [ϕ],q,φ x,s [ϕ],φ x (4) I,s [ϕ 0 ϕ 1 ],Φ I,s [ϕ i ],Φ I (5) I,s [ϕ 0 ϕ 1 ],Φ I,s [ϕ i ],ϕ 1 i,φ II (6) II,s [ϕ 0 ϕ 1 ],Φ II,s [ϕ i ],Φ II (7) II,s [ϕ 0 ϕ 1 ],Φ II,s [ϕ i ],ϕ 1 i,φ I (8) x,s [ϕuψ],φ x,s [ψ ϕ X(ϕUψ)],Φ (9) x,s [ϕrψ],φ x,s [ψ (ϕ X(ϕUψ))],Φ (10)

24 The Rules for X -formulas I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0 I (11) I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0,ϕ 1 (12)

25 The Rules for X -formulas I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0 I (11) I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0,ϕ 1 (12) II,s [Xϕ],ϕ 0 ϕ 1 II,s [Xϕ],ϕ 0 II (13) II,s [Xϕ],ϕ 0 ϕ 1 II,s [Xϕ],ϕ 0,ϕ 1 (14)

26 The Rules for X -formulas I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0 I (11) I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0,ϕ 1 (12) II,s [Xϕ],ϕ 0 ϕ 1 II,s [Xϕ],ϕ 0 II (13) II,s [Xϕ],ϕ 0 ϕ 1 II,s [Xϕ],ϕ 0,ϕ 1 (14) x,s [Xχ],ϕUψ,Φ x,s [Xχ],ψ ϕ X(ϕUψ),Φ (15)

27 The Rules for X -formulas I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0 I (11) I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0,ϕ 1 (12) II,s [Xϕ],ϕ 0 ϕ 1 II,s [Xϕ],ϕ 0 II (13) II,s [Xϕ],ϕ 0 ϕ 1 II,s [Xϕ],ϕ 0,ϕ 1 (14) x,s [Xχ],ϕUψ,Φ x,s [Xχ],ψ ϕ X(ϕUψ),Φ x,s [Xχ],ϕRψ,Φ x,s [Xχ],ψ (ϕ X(ϕUψ)),Φ (15) (16)

28 The Rules for X -formulas I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0 I (11) I,s [Xϕ],ϕ 0 ϕ 1 I,s [Xϕ],ϕ 0,ϕ 1 (12) II,s [Xϕ],ϕ 0 ϕ 1 II,s [Xϕ],ϕ 0 II (13) II,s [Xϕ],ϕ 0 ϕ 1 II,s [Xϕ],ϕ 0,ϕ 1 (14) x,s [Xχ],ϕUψ,Φ x,s [Xχ],ψ ϕ X(ϕUψ),Φ x,s [Xχ],ϕRψ,Φ x,s [Xχ],ψ (ϕ X(ϕUψ)),Φ (15) (16) x,s, [Xϕ 0 ],Xϕ 1,...,Xϕ k x,t [ϕ 0 ],ϕ 1,...,ϕ k x, s t (17)

29 The Focus Change Rule x,s, [ϕ],ψ,φ x,s, ϕ,[ψ],φ x (18)

30 The Focus Change Rule x,s, [ϕ],ψ,φ x,s, ϕ,[ψ],φ x (18) How do we play?

31 The Focus Change Rule x,s, [ϕ],ψ,φ x,s, ϕ,[ψ],φ x (18) How do we play? In two steps: First, by the path player and the focus, we know which rule from (1)-(17) to apply. Second, path player s opponent can apply the Focus Change Rule.

32 The Focus Change Rule x,s, [ϕ],ψ,φ x,s, ϕ,[ψ],φ x (18) How do we play? In two steps: First, by the path player and the focus, we know which rule from (1)-(17) to apply. Second, path player s opponent can apply the Focus Change Rule. When do we stop?

33 The Focus Change Rule x,s, [ϕ],ψ,φ x,s, ϕ,[ψ],φ x (18) How do we play? In two steps: First, by the path player and the focus, we know which rule from (1)-(17) to apply. Second, path player s opponent can apply the Focus Change Rule. When do we stop? When we reach a situation like: 1. x, s [q], Φ (terminal configuration), or 2. C = II, s [ϕuψ], Φ (resp. C = I, s [ϕrψ], Φ) after the play already went through C and x has never applied the Focus Change Rule in between, or 3. x, s [ϕ], Φ for the second time possibly using the Focus Change Rule in between.

34 The Focus Change Rule x,s, [ϕ],ψ,φ x,s, ϕ,[ψ],φ x (18) How do we play? In two steps: First, by the path player and the focus, we know which rule from (1)-(17) to apply. Second, path player s opponent can apply the Focus Change Rule. When do we stop? When we reach a situation like: 1. x, s [q], Φ Player II wins if q L(s), otherwise Player I wins 2. C = II, s [ϕuψ], Φ (resp. C = I, s [ϕrψ], Φ) after the play already went through C and x has never applied the Focus Change Rule in between, 3. x, s [ϕ], Φ for the second time possibly using the Focus Change Rule in between.

35 The Focus Change Rule x,s, [ϕ],ψ,φ x,s, ϕ,[ψ],φ x (18) How do we play? In two steps: First, by the path player and the focus, we know which rule from (1)-(17) to apply. Second, path player s opponent can apply the Focus Change Rule. When do we stop? When we reach a situation like: 1. x, s [q], Φ Player II wins if q L(s), otherwise Player I wins 2. C = II, s [ϕuψ], Φ (resp. C = I, s [ϕrψ], Φ) after the play already went through C and x has never applied the Focus Change Rule in between, Player I wins if the formula in focus is ϕuψ, and Player II wins if it is ϕrψ 3. x, s [ϕ], Φ for the second time possibly using the Focus Change Rule in between.

36 The Focus Change Rule x,s, [ϕ],ψ,φ x,s, ϕ,[ψ],φ x (18) How do we play? In two steps: First, by the path player and the focus, we know which rule from (1)-(17) to apply. Second, path player s opponent can apply the Focus Change Rule. When do we stop? When we reach a situation like: 1. x, s [q], Φ Player II wins if q L(s), otherwise Player I wins 2. C = II, s [ϕuψ], Φ (resp. C = I, s [ϕrψ], Φ) after the play already went through C and x has never applied the Focus Change Rule in between, Player I wins if the formula in focus is ϕuψ, and Player II wins if it is ϕrψ 3. x, s [ϕ], Φ for the second time possibly using the Focus Change Rule in between. Player x wins

37 Game and Correctness The game G(T,s,ϕ) Player x wins G(T,s,ϕ) if she can force every play into a configuration that makes her win the play. The successful game tree for a winner x of the game G(T,s,ϕ)

38 Game and Correctness The game G(T,s,ϕ) Player x wins G(T,s,ϕ) if she can force every play into a configuration that makes her win the play. The successful game tree for a winner x of the game G(T,s,ϕ) Theorem Player II wins G(T,s,ϕ) iff T,s = ϕ

39 Why the Focus Change Rule? Configuration with one formulas does not work: Consider the tautology A(X q X q). Player I should not win any game on any transition system. s t 0 t 1 {q} {q} Player II has to choose a disjunct before Player I choose the transition from s.

40 Why the Focus Change Rule? Configuration without the focus structure does not work: Consider E (Fq GFq) on T 1 and T 2 s s q q G(T 1,s,E(Fq GFq)) and G(T 2,s,E(Fq GFq)) look like II,s Fq,XGFq II,s Fq,GFq II,s Fq,XGFq II,s Fq,GFq

41 How bout ATL? Models are multi-player arenas (a one-player arena = a Kripke Structure) An example:

42 How bout ATL? Models are multi-player arenas (a one-player arena = a Kripke Structure) An example: States are elements of ZZ 3 0 v 1 v 2 v 3 1 C A s = (s 1,s 2,s 3 ) (s 1,s 2,s 3 ) = s v i is chosen by player i and ranges in {,+} s i = s i 1 if v i =, and s i = s i + 1 if v i = +

43 How bout ATL? However, from (0, 0, 0) only decision vectors + +, +, +, and

44 How bout ATL? However, from (0, 0, 0) only decision vectors + +, +, +, and (1,1, 1) ( 1,1,1) (1,1,1) (0,0,0) ( 1, 1, 1)

45 Refinement of the multi-player arena Coalition: players 1 and 2. Strategy of the coalition: 1 and 2 make their choices, say + and +, and 3 has now the choice between + and. Use? to mean player i has not made his choice yet, and add intermediate states.

46 Refinement of the multi-player arena Coalition: players 1 and 2. Strategy of the coalition: 1 and 2 make their choices, say + and +, and 3 has now the choice between + and. Use? to mean player i has not made his choice yet, and add intermediate states. (0,0,0)

47 Refinement of the multi-player arena Coalition: players 1 and 2. Strategy of the coalition: 1 and 2 make their choices, say + and +, and 3 has now the choice between + and. Use? to mean player i has not made his choice yet, and add intermediate states. ((0,0,0),(,,?))? +? + +? (0,0,0) ((0,0,0),(+,+,?)) ((0,0,0),(,+,?))

48 Refinement of the multi-player arena Coalition: players 1 and 2. Strategy of the coalition: 1 and 2 make their choices, say + and +, and 3 has now the choice between + and. Use? to mean player i has not made his choice yet, and add intermediate states. ((0,0,0),(,,?))? +? + +? (0,0,0) ((0,0,0),(+,+,?)) ((0,0,0),(,+,?))

49 Refinement of the multi-player arena Coalition: players 1 and 2. Strategy of the coalition: 1 and 2 make their choices, say + and +, and 3 has now the choice between + and. Use? to mean player i has not made his choice yet, and add intermediate states.

50 From CTL to ATL Assume a multi-player arena S and an ATL formula ϕ

51 From CTL to ATL Assume a multi-player arena S and an ATL formula ϕ The refined multi-player arena Ŝ: (Concrete) States States Intermediate states IntStates For each coalition P a transition relation P States IntStates for moves a transition relation P IntStates States for co-moves

52 From CTL to ATL Assume a multi-player arena S and an ATL formula ϕ The refined multi-player arena Ŝ: (Concrete) States States Intermediate states IntStates For each coalition P a transition relation P States IntStates for moves a transition relation P IntStates States for co-moves The (multi-modal) CTL formula ϕ such that S = ϕ iff Ŝ = ϕ

53 From CTL to ATL Assume a multi-player arena S and an ATL formula ϕ The refined multi-player arena Ŝ: (Concrete) States States Intermediate states IntStates For each coalition P a transition relation P States IntStates for moves a transition relation P IntStates States for co-moves The (multi-modal) CTL formula ϕ such that S = ϕ iff Ŝ = ϕ ( P Xϕ) would be E (X P )A(X P )( ϕ)