quantified ntl
Post on 30-Jun-2015
128 Views
Preview:
DESCRIPTION
TRANSCRIPT
Quantified CTL
Nicolas MarkeyLSV – ENS Cachan
(joint work with Francois Laroussinie)
Nord-Pas-de-Calais – Belgium congress of mathematics
Valenciennes, 28 October 2013
Verification of computerised systems
Computers are everywhere
Verification of computerised systems
Computers are everywhere
Bugs are everywhere...
Verification of computerised systems
Computers are everywhere
Bugs are everywhere...
Verification should be everywhere!
Model checking and synthesis
system:
[http://www.embedded.com]
8 8property:
a!b?
a?b!
A G(¬ B.overfull∧ ¬ B.dried up)
model-checking
algorithm
yes/no
a?b!
Model checking and synthesis
system:
[http://www.embedded.com]
8 8property:
a!b?
a?b! ? A G(¬ B.overfull
∧ ¬ B.dried up)
synthesis
algorithm
yes/no
a?b!
Outline of the presentation
1 Basics about CTLexpressing properties of reactive systemsefficient verification algorithms
2 Quantified CTLCTL with quantification over atomic propositionsmodel checking and satisfiability are mostly decidable
3 Temporal logics for games: ATL and extensionsexpressing properties of complex interacting systemsQCTL-based decision procedures for ATLsc
Computation-Tree Logic (CTL)
atomic propositions: , , ...
boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...
path quantifiers:
Eϕϕ
Aϕ
ϕϕϕϕϕϕ
temporal modalities:
X ϕ ϕ “next ϕ”
ϕ U ψ ϕ ϕ ψ “ϕ until ψ”
ϕ “eventually ϕ”true U ϕ ≡ F ϕ
¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”
Computation-Tree Logic (CTL)
atomic propositions: , , ...
boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...
path quantifiers:
Eϕϕ
Aϕ
ϕϕϕϕϕϕ
temporal modalities:
X ϕ ϕ “next ϕ”
ϕ U ψ ϕ ϕ ψ “ϕ until ψ”
ϕ “eventually ϕ”true U ϕ ≡ F ϕ
¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”
Computation-Tree Logic (CTL)
atomic propositions: , , ...
boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...
path quantifiers:
Eϕϕ
Aϕ
ϕϕϕϕϕϕ
temporal modalities:
X ϕ ϕ “next ϕ”
ϕ U ψ ϕ ϕ ψ “ϕ until ψ”
ϕ “eventually ϕ”true U ϕ ≡ F ϕ
¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”
Computation-Tree Logic (CTL)
atomic propositions: , , ...
boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...
path quantifiers:
Eϕϕ
Aϕ
ϕϕϕϕϕϕ
temporal modalities:
X ϕ ϕ “next ϕ”
ϕ U ψ ϕ ϕ ψ “ϕ until ψ”
ϕ “eventually ϕ”true U ϕ ≡ F ϕ
¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”
Computation-Tree Logic (CTL)
atomic propositions: , , ...
boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...
path quantifiers:
Eϕϕ
Aϕ
ϕϕϕϕϕϕ
temporal modalities:
X ϕ ϕ “next ϕ”
ϕ U ψ ϕ ϕ ψ “ϕ until ψ”
ϕ “eventually ϕ”true U ϕ ≡ F ϕ
¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”
Examples of CTL formulas
In CTL, each temporal modality is in the immediate scope of apath quantifier.
p p
p
Examples of CTL formulas
In CTL, each temporal modality is in the immediate scope of apath quantifier.
E F is reachable
p p
p
Examples of CTL formulas
In CTL, each temporal modality is in the immediate scope of apath quantifier.
E F is reachable
3
p
3
p
3
p
Examples of CTL formulas
In CTL, each temporal modality is in the immediate scope of apath quantifier.
E G(E F ) there is a path along which is always reachable
p p
p
Examples of CTL formulas
In CTL, each temporal modality is in the immediate scope of apath quantifier.
E G(E F︸ ︷︷ ︸p
) there is a path along which is always reachable
p p
p
Examples of CTL formulas
In CTL, each temporal modality is in the immediate scope of apath quantifier.
E G(E F︸ ︷︷ ︸p
) there is a path along which is always reachable
3p
3p
p
Examples of CTL formulas
In CTL, each temporal modality is in the immediate scope of apath quantifier.
Theorem ([CE81,QS82])
CTL model checking is PTIME-complete.
p p
p
[CE81] Clarke, Emerson. Design and Synthesis of Synchronization Skeletons using Branching-TimeTemporal Logic. LOP’81.[QS82] Queille, Sifakis. Specification and verification of concurrent systems in CESAR. SOP’82.
Examples of CTL formulas
In CTL∗, we have no restriction on modalities and quantifiers.
p p
p
Examples of CTL formulas
In CTL∗, we have no restriction on modalities and quantifiers.
E G F there is a path visiting infinitely many times
3
p
3
p
3
p
Examples of CTL formulas
In CTL∗, we have no restriction on modalities and quantifiers.
A(G F ⇒ G F ) any path that visits infinitely many times,
also visits infinitely many times
p p
p
Examples of CTL formulas
In CTL∗, we have no restriction on modalities and quantifiers.
Theorem ([EH86])
CTL∗ model checking is PSPACE-complete.
[EH86] Emerson, Halpern. ”Sometimes” and ”Not Never” Revisited: On Branching versus LinearTime Temporal Logic. J.ACM, 1986.
Outline of the presentation
1 Basics about CTLexpressing properties of reactive systemsefficient verification algorithms
2 Quantified CTLCTL with quantification over atomic propositionsmodel checking and satisfiability are mostly decidable
3 Temporal logics for games: ATL and extensionsexpressing properties of complex interacting systemsQCTL-based decision procedures for ATLsc
Quantified CTL [Kup95,Fre01]
QCTL extends CTL with propositional quantifiers
∃p. ϕ means that there exists a labelling of the modelwith p under which ϕ holds.
E F ∧ ∀p.[E F(p ∧ ) ⇒ A G( ⇒ p)
]
≡ uniq( )
; true if we label the Kripke structure;
; false if we label the computation tree;
[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification overAtomic Propositions. CAV, 1995.[Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.
Quantified CTL [Kup95,Fre01]
QCTL extends CTL with propositional quantifiers
∃p. ϕ means that there exists a labelling of the modelwith p under which ϕ holds.
E F ∧ ∀p.[E F(p ∧ ) ⇒ A G( ⇒ p)
]
≡ uniq( )
; true if we label the Kripke structure;
; false if we label the computation tree;
[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification overAtomic Propositions. CAV, 1995.[Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.
Quantified CTL [Kup95,Fre01]
QCTL extends CTL with propositional quantifiers
∃p. ϕ means that there exists a labelling of the modelwith p under which ϕ holds.
E F ∧ ∀p.[E F(p ∧ ) ⇒ A G( ⇒ p)
]≡ uniq( )
; true if we label the Kripke structure;
; false if we label the computation tree;
[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification overAtomic Propositions. CAV, 1995.[Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.
Quantified CTL [Kup95,Fre01]
QCTL extends CTL with propositional quantifiers
∃p. ϕ means that there exists a labelling of the modelwith p under which ϕ holds.
E F ∧ ∀p.[E F(p ∧ ) ⇒ A G( ⇒ p)
]≡ uniq( )
; true if we label the Kripke structure;
; false if we label the computation tree;
[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification overAtomic Propositions. CAV, 1995.[Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.
Semantics of QCTL
structure semantics:
|=s ∃p.ϕ ⇔p
|= ϕ
tree semantics:
|=t ∃p.ϕ ⇔ p
p p
p
|= ϕ
Semantics of QCTL
structure semantics:
|=s ∃p.ϕ ⇔p
|= ϕ
tree semantics:
|=t ∃p.ϕ ⇔ p
p p
p
|= ϕ
Expressiveness of QCTL
QCTL can “count”:
E X1 ϕ ≡ E X ϕ ∧ ∀p. [E X(p ∧ ϕ) ⇒ A X(ϕ ⇒ p)]
E X2 ϕ ≡ ∃q. [E X1(ϕ ∧ q) ∧ E X1(ϕ ∧ ¬ q)]
QCTL can express (least or greatest) fixpoints:
µT .ϕ(T ) ≡ ∃t. [A G(t ⇐⇒ ϕ(t))∧(∀t.′(A G(t ′ ⇐⇒ ϕ(t ′)) ⇒ A G(t ⇒ t ′)))]
Theorem
QCTL, QCTL∗ and MSO are equally expressive (under bothsemantics).
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.
Expressiveness of QCTL
QCTL can “count”:
E X1 ϕ ≡ E X ϕ ∧ ∀p. [E X(p ∧ ϕ) ⇒ A X(ϕ ⇒ p)]
E X2 ϕ ≡ ∃q. [E X1(ϕ ∧ q) ∧ E X1(ϕ ∧ ¬ q)]
QCTL can express (least or greatest) fixpoints:
µT .ϕ(T ) ≡ ∃t. [A G(t ⇐⇒ ϕ(t))∧(∀t.′(A G(t ′ ⇐⇒ ϕ(t ′)) ⇒ A G(t ⇒ t ′)))]
Theorem
QCTL, QCTL∗ and MSO are equally expressive (under bothsemantics).
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.
Expressiveness of QCTL
QCTL can “count”:
E X1 ϕ ≡ E X ϕ ∧ ∀p. [E X(p ∧ ϕ) ⇒ A X(ϕ ⇒ p)]
E X2 ϕ ≡ ∃q. [E X1(ϕ ∧ q) ∧ E X1(ϕ ∧ ¬ q)]
QCTL can express (least or greatest) fixpoints:
µT .ϕ(T ) ≡ ∃t. [A G(t ⇐⇒ ϕ(t))∧(∀t.′(A G(t ′ ⇐⇒ ϕ(t ′)) ⇒ A G(t ⇒ t ′)))]
Theorem
QCTL, QCTL∗ and MSO are equally expressive (under bothsemantics).
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.
QCTL with structure semantics
Theorem
Model checking QCTL for the structure semantics isPSPACE-complete.
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.
QCTL with structure semantics
Theorem
Model checking QCTL for the structure semantics isPSPACE-complete.
Proof
Membership:
Iteratively(nondeterministically) pick a labelling,
check the subformula.
Hardness:QBF is a special case (without even using temporal modalities).
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Encode the problem of tiling finite square grids.
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Reduction: is there a finite Kripke structure such that
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Reduction: is there a finite Kripke structure such that
?
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Reduction: is there a finite Kripke structure such that
?
each state has one or two successors
A G(E X1 true ∨ E X2 true)
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Reduction: is there a finite Kripke structure such that
?
two successors of the same state have a common successor:
A G(∀z .(E X E X z ⇒ A X E X z))
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Reduction: is there a finite Kripke structure such that
?
h
h
h
h
h
h
[... many more conditions ...]
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with structure semantics
Theorem
QCTL satisfiability for the structure semantics is undecidable.
Proof
Reduction: is there a finite Kripke structure such that
?
h
h
h
h
h
h
for any tiling, there is a position where the neighbouring tilesdo not match
Given a set of tiles, whether all finite square grids can be tiled isundecidable.
[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0
q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1
q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1
q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
Using alternating tree automata:
q0
q1q0
q1 q0 q1 q1
q1 q1 q1 q1q1 q1 q1 q1
This automaton corresponds to E U
δ(q0, ) = (q0, q1) ∨ (q1, q0)
δ(q0, ) = (q1, q1)
δ(q0, ) = (q2, q2)
δ(q1, ? ) = (q1, q1)
δ(q2, ? ) = (q2, q2)
QCTL with tree semantics
Theorem
Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.
Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.
Proof
polynomial-size automata for CTL;
quantification is handled by projection, which first requiresremoving alternation (exponential blowup);
an automaton equivalent to a QCTL formula can be builtinductively;
emptiness of an alternating parity tree automaton can bedecided in exponential time.
Outline of the presentation
1 Basics about CTLexpressing properties of reactive systemsefficient verification algorithms
2 Quantified CTLCTL with quantification over atomic propositionsmodel checking and satisfiability are mostly decidable
3 Temporal logics for games: ATL and extensionsexpressing properties of complex interacting systemsQCTL-based decision procedures for ATLsc
Reasoning about multi-agent systems
Concurrent games
A concurrent game is made of
a transition system;
a set of agents (or players);
a table indicating the transition to be taken given the actionsof the players.
q0
q1
q2
q0 q2 q1
q1 q0 q2
q2 q1 q0
player 1
pla
yer
2
Reasoning about multi-agent systems
Concurrent games
A concurrent game is made of
a transition system;
a set of agents (or players);
a table indicating the transition to be taken given the actionsof the players.
q0
q1
q2
q0 q2 q1
q1 q0 q2
q2 q1 q0
player 1
pla
yer
2
Reasoning about multi-agent systems
Concurrent games
A concurrent game is made of
a transition system;
a set of agents (or players);
a table indicating the transition to be taken given the actionsof the players.
q0
q1
q2
q0 q2 q1
q1 q0 q2
q2 q1 q0
player 1
pla
yer
2
Reasoning about multi-agent systems
Concurrent games
A concurrent game is made of
a transition system;
a set of agents (or players);
a table indicating the transition to be taken given the actionsof the players.
Turn-based games
A turn-based game is a gamewhere only one agent plays ata time.
Reasoning about open systems
Strategies
A strategy for a given player is a function telling what to playdepending on what has happened previously.
Strategy for player :alternately go to and .
...
...
......
Reasoning about open systems
Strategies
A strategy for a given player is a function telling what to playdepending on what has happened previously.
Strategy for player :alternately go to and .
...
...
......
Reasoning about open systems
Strategies
A strategy for a given player is a function telling what to playdepending on what has happened previously.
Strategy for player :alternately go to and .
...
...
......
Temporal logics for games: ATL
ATL extends CTL with strategy quantifiers
〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.
Theorem
Model checking ATL is PTIME-complete.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
Temporal logics for games: ATL
ATL extends CTL with strategy quantifiers
〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.
p
p
〈〈 〉〉 F
〈〈 〉〉 F
〈〈 〉〉 G( 〈〈 〉〉 F )
p
Theorem
Model checking ATL is PTIME-complete.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
Temporal logics for games: ATL
ATL extends CTL with strategy quantifiers
〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.
33
p
33
p
〈〈 〉〉 F
〈〈 〉〉 F
〈〈 〉〉 G( 〈〈 〉〉 F )
p
Theorem
Model checking ATL is PTIME-complete.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
Temporal logics for games: ATL
ATL extends CTL with strategy quantifiers
〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.
p
p
〈〈 〉〉 F
〈〈 〉〉 F
〈〈 〉〉 G( 〈〈 〉〉 F )
p
Theorem
Model checking ATL is PTIME-complete.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
Temporal logics for games: ATL
ATL extends CTL with strategy quantifiers
〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.
3
p
3
p
〈〈 〉〉 F
〈〈 〉〉 F
〈〈 〉〉 G( 〈〈 〉〉 F )
p
Theorem
Model checking ATL is PTIME-complete.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
Temporal logics for games: ATL
ATL extends CTL with strategy quantifiers
〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.
p
p
〈〈 〉〉 F
〈〈 〉〉 F
〈〈 〉〉 G( 〈〈 〉〉 F )
p
Theorem
Model checking ATL is PTIME-complete.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
Temporal logics for games: ATL
ATL extends CTL with strategy quantifiers
〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.
p
p
〈〈 〉〉 F
〈〈 〉〉 F
〈〈 〉〉 G( 〈〈 〉〉 F ) ≡ 〈〈 〉〉 G p
p
Theorem
Model checking ATL is PTIME-complete.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
Temporal logics for games: ATL
ATL extends CTL with strategy quantifiers
〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.
p
p
〈〈 〉〉 F
〈〈 〉〉 F
〈〈 〉〉 G( 〈〈 〉〉 F ) ≡ 〈〈 〉〉 G p
p
Theorem
Model checking ATL is PTIME-complete.
[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.
ATL with strategy contexts [BDLM09]
〈〈 〉〉 G( 〈〈 〉〉 F )
consider the following strategyof Player : “always go to ”;
in the remaining tree, Playercan always enforce a visit to .
[BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.
ATL with strategy contexts [BDLM09]
〈〈 〉〉 G( 〈〈 〉〉 F )
consider the following strategyof Player : “always go to ”;
in the remaining tree, Playercan always enforce a visit to .
[BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.
ATL with strategy contexts [BDLM09]
〈〈 〉〉 G( 〈〈 〉〉 F )
consider the following strategyof Player : “always go to ”;
in the remaining tree, Playercan always enforce a visit to .
[BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.
ATL with strategy contexts [BDLM09]
〈〈 〉〉 G( 〈〈 〉〉 F )
consider the following strategyof Player : “always go to ”;
in the remaining tree, Playercan always enforce a visit to .
[BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.
What ATLsc can express
Client-server interactions for accessing a shared resource:
〈·Server·〉 G
∧
c∈Clients
〈·c ·〉 F accessc
∧¬∧c 6=c ′
accessc ∧ accessc ′
Existence of Nash equilibria:
〈·A1, ...,An·〉∧i
( 〈·Ai ·〉ϕAi⇒ ϕAi
)
Existence of dominating strategy:
〈·A·〉 [·B·] (¬ϕ ⇒ [·A·] ¬ϕ)
What ATLsc can express
Client-server interactions for accessing a shared resource:
〈·Server·〉 G
∧
c∈Clients
〈·c ·〉 F accessc
∧¬∧c 6=c ′
accessc ∧ accessc ′
Existence of Nash equilibria:
〈·A1, ...,An·〉∧i
( 〈·Ai ·〉ϕAi⇒ ϕAi
)
Existence of dominating strategy:
〈·A·〉 [·B·] (¬ϕ ⇒ [·A·] ¬ϕ)
What ATLsc can express
Client-server interactions for accessing a shared resource:
〈·Server·〉 G
∧
c∈Clients
〈·c ·〉 F accessc
∧¬∧c 6=c ′
accessc ∧ accessc ′
Existence of Nash equilibria:
〈·A1, ...,An·〉∧i
( 〈·Ai ·〉ϕAi⇒ ϕAi
)
Existence of dominating strategy:
〈·A·〉 [·B·] (¬ϕ ⇒ [·A·] ¬ϕ)
Translating ATLsc into QCTL
player A has moves mA1 , ..., mA
n ;
from the transition table, we can compute theset Next( ),A,mA
i ) of states that can be
reached from when player A plays mAi .
〈·A·〉ϕ can be encoded as follows:
∃mA1 . ∃mA
2 . . . ∃mAn .
this corresponds to a strategy: A G(mAi ⇔
∧¬mA
j );
the outcomes all satisfy ϕ:
A[G(q ∧ mA
i ⇒ X Next(q,A,mAi )) ⇒ ϕ
].
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.
Translating ATLsc into QCTL
player A has moves mA1 , ..., mA
n ;
from the transition table, we can compute theset Next( ),A,mA
i ) of states that can be
reached from when player A plays mAi .
〈·A·〉ϕ can be encoded as follows:
∃mA1 . ∃mA
2 . . . ∃mAn .
this corresponds to a strategy: A G(mAi ⇔
∧¬mA
j );
the outcomes all satisfy ϕ:
A[G(q ∧ mA
i ⇒ X Next(q,A,mAi )) ⇒ ϕ
].
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.
Translating ATLsc into QCTL
player A has moves mA1 , ..., mA
n ;
from the transition table, we can compute theset Next( ),A,mA
i ) of states that can be
reached from when player A plays mAi .
Corollary
ATLsc model checking is decidable.
Corollary
ATL0sc (memoryless quantification) model checking is decidable.
[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.
What about satisfiability?
Theorem
QCTL satisfiability is decidable.
But
Theorem (TW12)
ATLsc satisfiability is undecidable.
Why?
The translation from ATLsc to QCTL assumesthat the game structure is fixed!
[TW12] Troquard, Walther. On Satisfiability in ATL with Strategy Contexts. JELIA, 2012.
What about satisfiability?
Theorem
QCTL satisfiability is decidable.
But
Theorem (TW12)
ATLsc satisfiability is undecidable.
Why?
The translation from ATLsc to QCTL assumesthat the game structure is fixed!
[TW12] Troquard, Walther. On Satisfiability in ATL with Strategy Contexts. JELIA, 2012.
What about satisfiability?
Theorem
QCTL satisfiability is decidable.
But
Theorem (TW12)
ATLsc satisfiability is undecidable.
Why?
The translation from ATLsc to QCTL assumesthat the game structure is fixed!
[TW12] Troquard, Walther. On Satisfiability in ATL with Strategy Contexts. JELIA, 2012.
Satisfiability for turn-based games
Theorem (LM13b)
When restricted to turn-based games, ATLsc satisfiability isdecidable.
player has moves , and .
a strategy can be encoded by marking some ofthe nodes of the tree with proposition movA.
〈·A·〉ϕ can be encoded as follows:
∃movA.
it corresponds to a strategy: A G(turnA ⇒ E X1 movA);
the outcomes all satisfy ϕ: A[G(turnA ∧ X movA) ⇒ ϕ
].
[LM13b] Laroussinie, M. Satisfiability of ATL with strategy contexts. Gandalf, 2013.
Satisfiability for turn-based games
Theorem (LM13b)
When restricted to turn-based games, ATLsc satisfiability isdecidable.
player has moves , and .
a strategy can be encoded by marking some ofthe nodes of the tree with proposition movA.
〈·A·〉ϕ can be encoded as follows:
∃movA.
it corresponds to a strategy: A G(turnA ⇒ E X1 movA);
the outcomes all satisfy ϕ: A[G(turnA ∧ X movA) ⇒ ϕ
].
[LM13b] Laroussinie, M. Satisfiability of ATL with strategy contexts. Gandalf, 2013.
Satisfiability for turn-based games
Theorem (LM13b)
When restricted to turn-based games, ATLsc satisfiability isdecidable.
Theorem
Model checking ATLsc with only memoryless quantification isPSPACE-complete.
[LM13b] Laroussinie, M. Satisfiability of ATL with strategy contexts. Gandalf, 2013.
What about Strategy Logic? [CHP07,MMV10]
Strategy logic
Explicit quantification over strategies + strategy assignement
Example
〈·A·〉ϕ ≡ ∃σ1.assign(σ1,A).ϕ
Strategy logic can also be translated into QCTL.
Theorem
Strategy-logic satisfiability is decidable when restricted toturn-based games.
Memoryless strategy-logic satisfiability is undecidable.
[CHP07] Chatterjee, Henzinger, Piterman. Strategy Logic. CONCUR, 2007.[MMV10] Mogavero, Murano, Vardi. Reasoning about strategies. FSTTCS, 2010.
Conclusions and future works
Conclusions
QCTL is a powerful extension of CTL;
it is equivalent to MSO over finite graphs and regular trees;
it is a nice tool to understand temporal logics for games (ATLwith strategy contexts, Strategy Logic, ...);
Future directions
Defining interesting (expressive yet tractable) fragments ofthose logics;
Obtaining practicable algorithms.
Considering randomised strategies.
Conclusions and future works
Conclusions
QCTL is a powerful extension of CTL;
it is equivalent to MSO over finite graphs and regular trees;
it is a nice tool to understand temporal logics for games (ATLwith strategy contexts, Strategy Logic, ...);
Future directions
Defining interesting (expressive yet tractable) fragments ofthose logics;
Obtaining practicable algorithms.
Considering randomised strategies.
top related