Synthesis weakness of standard approach. Rational Synthesis

Similar documents
Complexity Bounds for Muller Games 1

Reasoning about Strategies: From module checking to strategy logic

Solution Concepts and Algorithms for Infinite Multiplayer Games

Synthesis with Rational Environments

Proofs, Strings, and Finite Automata. CS154 Chris Pollett Feb 5, 2007.

Revisiting Synthesis of GR(1) Specifications

Learning Regular ω-languages

Synthesis from Probabilistic Components

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

A Survey of Partial-Observation Stochastic Parity Games

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Synthesis of Designs from Property Specifications

Alan Bundy. Automated Reasoning LTL Model Checking

Timo Latvala. March 7, 2004

Selecting Efficient Correlated Equilibria Through Distributed Learning. Jason R. Marden

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8

Admissible Strategies for Synthesizing Systems

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

Nondeterministic finite automata

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Strategy Logic. 1 Introduction. Krishnendu Chatterjee 1, Thomas A. Henzinger 1,2, and Nir Piterman 2

Lecture 7 Synthesis of Reactive Control Protocols

Automata-based Verification - III

Optimal Bounds in Parametric LTL Games

From Liveness to Promptness

Semi-Automatic Distributed Synthesis

Price of Stability in Survivable Network Design

Compositional Reasoning

Automata, Logic and Games: Theory and Application

Some Remarks on Alternating Temporal Epistemic Logic

Integrating Induction and Deduction for Verification and Synthesis

The State Explosion Problem

Automatic Synthesis of Distributed Protocols

SVEN SCHEWE Universität des Saarlandes, Fachrichtung Informatik, Saarbrücken, Germany

Robust Controller Synthesis in Timed Automata

Chapter 4: Computation tree logic

Reasoning about Equilibria in Game-like Concurrent Systems

Automata-based Verification - III

Lecture 9 Synthesis of Reactive Control Protocols

Assume-admissible synthesis

On the coinductive nature of centralizers

Infinite Games. Sumit Nain. 28 January Slides Credit: Barbara Jobstmann (CNRS/Verimag) Department of Computer Science Rice University

Finitary Winning in \omega-regular Games

Automata-Theoretic Model Checking of Reactive Systems

T Reactive Systems: Temporal Logic LTL

Multiple Equilibria in the Citizen-Candidate Model of Representative Democracy.

Solving Partial-Information Stochastic Parity Games

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

A Survey of Stochastic ω-regular Games

Computer-Aided Program Design

Reactive Synthesis. Swen Jacobs VTSA 2013 Nancy, France u

The priority promotion approach to parity games

Robust Knowledge and Rationality

Theoretical Computer Science

Equilibrium Computation

Further discussion of Turing machines

Realization Plans for Extensive Form Games without Perfect Recall

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

CSci 311, Models of Computation Chapter 4 Properties of Regular Languages

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Automata Theory for Presburger Arithmetic Logic

The Planning Spectrum One, Two, Three, Infinity

Language Stability and Stabilizability of Discrete Event Dynamical Systems 1

Synthesis of Asynchronous Systems

On Promptness in Parity Games (preprint version)

An Introduction to Hybrid Systems Modeling

Multiagent Systems and Games

Alternating Time Temporal Logics*

Representing Arithmetic Constraints with Finite Automata: An Overview

Alternating nonzero automata

Theory of computation: initial remarks (Chapter 11)

Timo Latvala. February 4, 2004

PURE NASH EQUILIBRIA IN CONCURRENT DETERMINISTIC GAMES

Introduction to Game Theory

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Introduction to the Theory of Computing

Abstractions and Decision Procedures for Effective Software Model Checking

Evolutionary Dynamics and Extensive Form Games by Ross Cressman. Reviewed by William H. Sandholm *

Sanjit A. Seshia EECS, UC Berkeley

Scenario Graphs and Attack Graphs

Advanced Automata Theory 11 Regular Languages and Learning Theory

Social Network Games

Bounded Synthesis. Sven Schewe and Bernd Finkbeiner. Universität des Saarlandes, Saarbrücken, Germany

Exact and Approximate Equilibria for Optimal Group Network Formation

Industrial Organization Lecture 3: Game Theory

Nash Equilibria in Concurrent Games with Büchi Objectives

Undecidable Problems. Z. Sawa (TU Ostrava) Introd. to Theoretical Computer Science May 12, / 65

Microeconomics. 2. Game Theory

Extensive games (with perfect information)

Automata-Theoretic LTL Model-Checking

Lecture December 2009 Fall 2009 Scribe: R. Ring In this lecture we will talk about

arxiv: v2 [cs.lo] 9 Apr 2012

Chapter 9. PSPACE: A Class of Problems Beyond NP. Slides by Kevin Wayne Pearson-Addison Wesley. All rights reserved.

A Semantics of Evidence for Classical Arithmetic

Basic Game Theory. Kate Larson. January 7, University of Waterloo. Kate Larson. What is Game Theory? Normal Form Games. Computing Equilibria

Alternating-Time Temporal Logic

Boundedness Games. Séminaire du LIGM, April 16th, Nathanaël Fijalkow. Institute of Informatics, Warsaw University Poland

9. PSPACE 9. PSPACE. PSPACE complexity class quantified satisfiability planning problem PSPACE-complete

FINITE MEMORY DETERMINACY

Transcription:

1 Synthesis weakness of standard approach Rational Synthesis

3 Overview Introduction to formal verification Reactive systems Verification Synthesis Introduction to Formal Verification of Reactive Systems Rational Synthesis Rational Synthesis What we want (roughly) Some concepts from game theory Some Concepts from Rational Synthesis formal definition Game Theory How to solve the rational synthesis problem

4 What are reactive systems? Lets start with what they are not Processing Input Output Arithmetic problems: Input: x, y. Output: x+y. Decision problems: Input: Graph G, two vertices s and t. Output: Is vertex t reachable from s?. Compilers: Input: source code. Output: machine code.

What are reactive systems? Transformational Systems Processing Reactive Systems Processing Input Output Input Output Elevator System Outer world/ Environment 5

6 A Simple Reactive System: An Elevator The elevator moves among the floors, stops at certain floors and open/closes doors in response to the buttons pressed within the elevator and at the different floors outputs inputs

What are reactive systems? Reactive Systems Web browser Mail client Input Processing Output Operating system Elevator ATM machine Cellular phone System Outer world/ Environment 7

8 A Simple Reactive System: An Elevator The elevator moves among the floors, stops at certain floors and open/closes doors in response to the buttons pressed within the elevator and at the different floors outputs inputs

9 A Simple Reactive System: An Elevator The elevator moves among the floors, stops at certain floors and open/closes doors How do we reason about such systems? in response to the buttons pressed within the elevator and at the different floors outputs There is no point in time where inputs we can stop and ask whether the system behaved correctly

10 A Simple Reactive System: An Elevator Specification: If the button i was pressed then the elevator eventually stops at the i th floor. always (pressed j! eventually (at j Æ door_open)) If button j was pressed before button k and the elevator is now at floor i and i < j < k then the elevator will stop at the j th floor before it stops at the k th floor. k j i

11 A Simple Reactive System: An Elevator Specification: If the button i was pressed then the elevator Such eventually specifications stops at the i th floor. are conveniently phrased using Temporal Logic always (pressed j! eventually (at j Æ door_open)) If button j was pressed before button k and the elevator is now at floor i and i < j < k then the elevator will stop at the j th floor before it stops at the k th floor. k j i

12 Verification system specification Finite state machine (transducer) Temporal logic Both are defined over the corresponding inputs and outputs

13 Model Checking S specification A computation of S defines an infinite word i 0 o 0 i 1 o 1 i 2 o 2 i 3 o 3 The system S defines a set of infinite words L(S) A formula holds/does not hold on such an infinite wor i 0 o 0 i 1 o 1 i 2 o 2 i 3 o 3 The formula defines the set of infinite words L( )

14 Model Checking S specification L(S) The computations of S µ L( ) specification The models of

15 Model Checking The automata theoretic approach [WVS83,VW94]: S A S Å A: = Complexity (LTL): time polynomial in the size of the system, exponential in the size of the formula.

Model Checking The automata theoretic approach [WVS83,VW94]: S A word (computation) witnessing the nonemptiness provides a counter example A S Å A: = Complexity (LTL): time polynomial in the size of the system, exponential in the size of the formula. 16

17 Model Checking The automata theoretic approach [WVS83,VW94]: Use automata over infinite words c a b A S b Åa c a A:

18 Synthesis The automatic construction of a system out of its specification. The system should produces correct outputs in response to every possible sequence of inputs!!! specification system If such a system exists we say that it realizes the specification. If no such system exists the specification is unrealizable.

19 Synthesis The automatic construction of a system out of its specification. Why bother to build a system and only then The system should verify produces it? correct outputs in response to Can t one automatically every possible sequence of built a system that is inputs!!! correct by construction? specification system If such a system exists we say that it realizes the specification. If no such system exists the specification is unrealizable.

Representing the realizing system We can represent a system by full tree whose directions are the inputs nodes are labeled by outputs O 0 i 0 i 0 i 0 Each path of the tree corresponds to a possible sequence of inputs, and the respective output responses If there exists such a tree where the formula holds on all paths then the formula is realizable. O 1 i 1 i 1 i 1 O 2 O 2 O 2 O 1 O 1 i 1 i 1 i 1 i 1 i 1 i 1 20

21 Synthesis Suppose we have an infinite tree satisfying the specification Who says there is a finite transducer implementing this tree?

22 Synthesis Synthesis can also be seen as a game between the system and the environment O 0 i 0 i 0 i 0 The system makes a move then the environment and so on The system s objective is to satisfy the specification. The environment s objective is the opposite O 1 O 1 O 1 i 1 i 1 i 1 i 1 i 1 i 1 i 1 i 1 i 1 O 2 O 2 O 2

23 Synthesis The specification is realizable if there is a winning strategy for the system As it means the system can cope with any input sequence Results in the theory of ω-regular games guarantee that if there is a winning strategy there is one with finite memory A strategy with finite memory is a transducer

24 Synthesis The automata theoretic approach: A 8 accepts all trees all of whose (infinite) paths satisfy A tree T witnessing the non-emptiness of A 8 defines a transducer implementing. A 8 = Complexity (LTL): doubly-exponential time in the size of the formula.

25 Synthesis Limitations What do you do when the specification is unrealizable? Either refine the specification. Or pose limitations/requirements on the environment.

26 Rational Synthesis

27 Synthesis weakness of standard approach Modern systems often interact with other systems System Environment The standard approach abstracts the way in which the environment is composed of its underlying agents. The actions of the agents fall into the universally quantified input signals, and there is an implicit assumption that the system should satisfy its specification no matter how the agents behave. As if the agents conspire to fail the system - (hostile env.)

28 Synthesis weakness of standard approach Win the casino In real life, however, with the many system? times agents have goals of their own, other than to fail the system. The approach taken in the field of algorithmic game theory is to assume that agents interacting with a computational system are rational, i.e., agents act to achieve their own goals. Find a date Read a paper System Our question Environment is: Can system synthesizers capitalize on the rationality and goals of other agents interacting

29 Synthesis weakness of standard approach Win the casino Find a date Read a paper System Environment In real life, however, many times agents have goals of their own, other than to fail the system. The approach taken in the field of algorithmic game theory is to assume that agents interacting with a computational system are rational, i.e., agents act to achieve their own goals.

30 Rational Synthesis - Example Peer-to-peer network (2 agents) Alice upload upload Bob download download Each agent is interested in downloading, but has no incentive to upload. An agent can download only if the other agent uploads.

31 Rational Synthesis - Example Peer-to-peer network (2 agents) Formally, for each i 2 {Alice,Bob}, Agent i controls the bits u i - Agent i tries to upload d i - Agent i tries to download. The objective of Alice is Property is not realizable since it poses requirements on the inputs always eventually (d Alice Æ u Bob ).

32 peer-to-peer example Assume Alice declares and follows the following strategy (known as tit-for-tat) I will upload at the first time step u Alice (0) := True And from that point onward I will reciprocate the actions of Bob. u Alice (k) := u Bob (k-1) Against this strategy, Bob can only ensure his objective by satisfying Alice s objective as well. Thus, assuming Bob acts rationally, Alice can ensure her objective.

33 peer-to-peer example Assume Alice declares and follows the following strategy (known as tit-for-tat) I will upload at the first time step Thus, a synthesizer can capitalize on the rationality of agents involved! u Alice (0) := True And from that point onward I will reciprocate the actions of Bob. u Alice (k) := u Bob (k-1) Against this strategy, Bob can only ensure his objective by satisfying Alice s objective as well. Thus, assuming Bob acts rationally, Alice can ensure her objective.

34 Rational Synthesis We would like to generate a protocol for the system and each of the agents such that If all follow the protocol, the system s speciation is met. and The agents have no incentive to deviate from the protocol (assuming they are rational) agent 1 agent 3 system agent 2 agent 4

35 Rationality How can one formally define rationality? What does it mean that an agent has no incentive to deviate from the protocol? Such questions are studied in game theory, and algorithmic mechanism design.

36 Overview Introduction to formal verification Reactive systems Verification Synthesis Rational Synthesis What we want (roughly) Some concepts from game theory Rational Synthesis formal definition How to solve the rational synthesis problem

Games A game arena is a tuple G = V, v 0, I, ( i ) i2i, ( i ) i2i,, set of nodes 37

Games A game arena is a tuple G = V, v 0, I, ( i ) i2i, ( i ) i2i,, set of initial nodes node 38

Games A game arena is a tuple G = V, v 0, I, ( i ) i2i, ( i ) i2i,, set of initial Set nodes node of players White, Black 39

Games A game arena is a tuple G = V, v 0, I, ( i ) i2i, ( i ) i2i,, set of initial Set nodes node of players White = Set of actions for player i White, Black White pawn moves, White knight moves, White queen moves, 40

Games A game arena is a tuple G = V, v 0, I, ( i ) i2i, ( i ) i2i,, set of initial Set nodes node of players White = Set of actions Transition Relation : V for player i 1 n! V White, Black White pawn moves, White knight moves, White queen moves, Let I = {1,,n}. c2 Pawn: 2 steps 41

Games A game arena is a tuple G = V, v 0, I, ( i ) i2i, ( i ) i2i,, set of initial Set nodes node of players White = Set of actions Transition Relation : V for player i 1 n! V for Player i at each node White, Black White pawn moves, Pawn a can move White knight moves, White queen moves, Let I = {1,,n}. i : V! 2 i specifies the allowed actions c2 Pawn: 2 steps Pawn b can move Knight b can move Knight g can move 42

Games A game arena is a tuple G = V, v 0, I, ( i ) i2i, ( i ) i2i,, set of initial Set nodes node of players White = Set of actions Transition Relation : V for player i 1 n! V for Player i at each node White, Black White pawn moves, Pawn a can move White knight moves, White queen moves, Let I = {1,,n}. i : V! 2 i specifies the allowed actions c2 Pawn: 2 steps Pawn b can move Knight b can move Knight g can move 43

44 Strategies and related notions

45 Strategies and related notions With each outcome there is an associated payoff for each of the agents. The payoff is usually a real number which the player aims to maximize. In our setting the goals are temporal specifications, so the payoff is 1 if the specification is met and 0 otherwise. A strategy profile = ( 1,, n ) is termed a solution concept, if the players have no incentive to deviate from. Roughly speaking, they will not deviate if a deviating does not increase their payoff. Let see some specifics.

Infinite Multiplayer Games - Example Player Actions Alice, Bob, Charlie, Objective of each player is to visit infinitely often a node label by his initial. 46

47 Solution Concepts - DS A dominant strategy i * is a strategy that a player can never lose by adhering to, regardless of the strategies of the other players. A strategy profile = ( 1,, n ) is in dominant strategies equilibrium if each strategy i is a dominant strategy.

48 Dominant strategies - Example Player Bob Dominant strategy Charlie both and Alice none Indeed, in many games not all agents have a dominant strategy, and so a dominant strategy equilibrium may not exists.

49 Solution Concepts - Nash Profile =( 1,..., n ) is a Nash equilibrium if for every player i strategy i is the best response of player i to the strategies ( j ) j i of the other player. In other words, =( 1,..., n ) is a Nash equilibrium if a player gains nothings by unilaterally deviating from.

50 Nash equilibrium - Example Player Alice Bob Charlie Strategy Strategy Profile Nash equilibrium exists in almost every game.

Nash equilibrium Another Example Player Alice Bob Charlie Strategy Strategy Profile It is irrational for Bob to stick to his strategy if Alice has deviated from hers! Nash propels nothing on the case where agents deviate from their strategy! 51

52 Solution Concepts - SPE =( 1,..., n ) is in subgame-perfect equilibrium (SPE) if it forms a Nash equilibrium from every possible history (including those non-reachable by ).

53 SPE equilibrium - Example Player Alice Bob Charlie Strategy Strategy Profile

54 Overview Introduction to formal verification Reactive systems Verification Synthesis Rational Synthesis What we want (roughly) Some concepts from game theory Rational Synthesis formal definition How to solve the rational synthesis problem

55 Rational Synthesis Problem Given LTL formulas, 1, 2,, n (specifying the objectives of the system and the other agents) and a solution concept (DS, Nash, SPE, or other) Return a strategy profile =( 0, 1,, n ) in the induced game G such that both 1 2 n 0 1 2 n outcome( ) = the strategy profile ( 1,, n ) is a solution with respect to the solution concept, in the game G 0 induced by the system adhering to 0. If such exists

56 Rational Synthesis Problem If exists such a profile we say that the specification 1 2 n, 1, 2,, n 0 1 2 n is rationally-realizable with respect to solution concept Otherwise we say it is rationally-irrealizable (with respect to solution concept )

57 Solution Idea We can represent a profile of strategies by strategyprofile trees (next slides) We can check that the profile of strategies meets the requirements imposed by rational synthesis using tree automata 1 2 n A 8 A, 1, 2,, n, = =

58 Strategy Tree Standard Approach O 0 i 0 i 0 i 0 O 1 O 1 O 1 i 1 i 1 i 1 i 1 i 1 i 1 i 1 i 1 i 1 O 2 O 2 O 2

Strategy-Profile Tree For Alice: and Bob: ab a Labeling: Strategies advice a b a B A b A B Ab A AB A ab a Ab A ab ab Ab AB ab ab Ab AB ab ab Ab AB ab ab Ab AB A single obedient path Player Alice Bob Actions a, A b, B 59

60 Starting to Solve Using tree automata we can check for example that holds on the single obedient path. Ã i holds on every path in which only player i deviated from his strategy and all other players adhere to this strategy. and so on Given a tree automaton (TA) A 1 and TA A 2 we can build the TA A 1 Å A 2 accepting L(A 1 )Å L(A 2 ) and so on In this way we can obtain a tree automaton accepting only the strategy profiles we seek for An emptiness check will provide us with a desired strategy profile

61 Towards a generic solution Strategy Logic [CHP07] is a logic that treats strategies in games as explicit first-order objects. Can express: DS and Nash Cannot express: SPE. In order to express SPE we enhance it with first order variables that range over arbitrary histories of the game.

62 Extended Strategy Logic (ESL) ESL Syntax: LTL formula z = (z 1,,z n ) is a tuple of strategy variables h is a history variable (z) - the LTL formula holds on the single path where all players follow their strategy in z=(z 1,,z n ). (z,h) - the LTL formula holds on the single path where starting when history h ends all players follow their strategies in z=(z 1,,z n ). 9z i. - there exists a strategy z i such that (,z i, ) holds. 9h. - there exists a history h such that (,h, ) holds.

63 Expressing Solution Concepts Expressing that y =(y 1,,y n ) is a DS, Nash or SPE with respect to I and 1, 2,, n All players adhere to y i except for player i We express the solution which to the adheres rational to z i synthesis problem given 2{DS,Nash,SPE}

64 Expressing Rational Synthesis Expressing the solution to the rational synthesis problem given 2 {DS, Nash, SPE}

65 Generic Solution = Reduction to ESL We have phrased the problem of rational synthesis in ESL. If we can determine ESL that is, given a formula in ESL, answer whether it is satisfiable, and if it is, find a satisfying assignment Then, given a rational synthesis problem we can in this manner answer whether it is rationally-realizable, and if it is, provide a desired strategy profile as an answer. 1 2 n 0 1 2 n

66 Dealing with Arbitrary Histories How do we extend Strategy Logic to deal with arbitrary histories? A formula (z,h) stipulates that should hold along the path that starts at the root of the tree, goes through h and then follows the profile z. Thus, adding history variables to strategy logic results in a memoryful logic [KV06] The construction there involves a satellite implementing the subset construction of this automaton. Here we use instead strategy-history trees, defined next.

Strategy-History Tree ab a a b a B A b A B Ab A AB A ab ab ah Ab A ab ab Ab AB ab ab Ab AB ab ab Ab AB ab ab Ab AB A single path whose prefix follows the history and whose suffix follows the strategy 67

68 ESL Decidability The tree automaton A for [ ] is defined by induction on the structure of. We can build a tree automaton that checks that holds on the respective path

ESL Decidability The tree automaton A for [ ] is defined by induction on the structure of. A We can build a 1 and A 2 tree automaton that checks thata s.t. holds on the respective L(A) path = L(A 1 ) [ L(A 2 ) A = A 1 + A 2 69

ESL Decidability The tree automaton A for [ ] is defined by induction on the structure of. A 1 and AAover an alphabet. We can build a 2 tree automaton that checks that A over alphabet such that A s.t. A s.t. holds on the L(A ) respective L(A) path = L(A ) 1 ) [ = L(A) 2 ) c = L(A) A = A 1 + A 2 A = 2 A k A A = A 70

ESL Decidability The tree automaton A for [ ] is defined by induction on the structure of. A A 1 and A We can build a 2 tree automaton that checks thata s.t. A s.t. holds on the respective L(A) path = L(A 1 ) [ L(A 2 ) A = A 1 + A 2 L(A ) = L(A) c A = A 71

ESL Decidability The tree automaton A for [ ] is defined by induction on the structure of. A 1 and AAover an alphabet. We can build a 2 tree automaton that checks that A over alphabet such that A s.t. A s.t. holds on the L(A ) respective L(A) path = L(A ) 1 ) [ = L(A) 2 ) c = L(A) A = A 1 + A 2 A = 2 A k A A = A 72

74 ESL Decidability Theorem Let be an ESL formula over a game G. Let d be the alternation depth of. We can construct an APT A accepting [ ] G whose emptiness can be checked in time (d+1)-exptime in.

75 Rational Synthesis Theorem The LTL rational-synthesis problem is 2EXPTIME-complete for the solution concepts of dominant strategies, Nash equilibrium, and Same complexity as traditional LTL synthesis subgame-perfect equilibrium.

Conclusion Defined & solved synthesis that considers an environment composed of rational agents. Can salvage non realizable specifications. We do NOT limit the environment. Instead, we capitalize on the environment goals and rationality! Complexity: 2EXPTIME-complete (as standard synthesis). We didn t see: an extension for multi-valued setting.

77 Discussion A limitation of our work is that it assumes a fixed number of players, the specification for each of them is know. It is desirable to extend it to a parameterized setting, where the number of players can vary and the specification is parameterized.

78 Synthesis weakness of standard approach Questions? Thank you for your attention!

80 The End Thank you!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback