tu clausthal · about this course in part i of this lecture we introduce modal logic and show how...

Model Checking Temporaland Strategic Logics

Nils Bulling and Jürgen Dix

EASSS 2010École Nationale Supérieure des Mines

Saint-Étienne, France

23–27 August 2010

Nils Bulling and Jürgen Dix ·Model Checking Temporal and Strategic Logics EASSS, 2010 1

TimeDuration: 6 hoursThursday, 26. August: 16:30–18:30,Friday, 27. August: 11:00–13:00 ,16:30–18:30

Course typeLevel: advancedPrerequisites: knowledge of propositional logic, basics ofautomata and complexity theory

Course websitehttp://cig.in.tu-clausthal.de/easss2010


http://cig.in.tu-clausthal.de/easss2010

About this courseIn Part I of this lecture we introduce modal logic and showhow it can be used to reason about knowledge of agents.We also discuss the correspondence of axioms withsemantic properties of the models.In Part II we consider the temporal logics LTL, CTL andCTL?. We discuss in Part III the model checking problemand elaborates on the complexity needed to solve it for theconsidered temporal logics. We follow an automatatheoretic approach.In Part IV we introduce strategic logics which are used tomodel the abilities of agents. We discuss the effect ofperfect and imperfect information and perfect andimperfect recall. Finally, in Part V, we consider the modelchecking problems of these logics.


Course OverviewPart I: Modal Logics and Agents

90 minutesPart II: Temporal Logics

60 minutesPart III: Model Checking I: Temporal Logics

90 minutesPart IV: Strategic Logics

60 minutesPart V: Model Checking II: Strategic Logics

60 minutes


Reading Material I

Alur, R., Henzinger, T. A., and Kupferman, O. (2002).Alternating-time Temporal Logic.Journal of the ACM, 49:672–713.

Baier, C. and Katoen, J.-P. (2008).Principles of Model Checking.The MIT Press.

Blackburn, P., de Rijke, M., and Venema, Y. (2001).Modal Logic.Number 53 in Cambridge Tracts in Theoretical ComputerScience. Cambridge University Press, Cambridge, UK.


Reading Material II

Blackburn, P., Benthem, J. F. A. K. v., and Wolter, F. (2006a).Handbook of Modal Logic, Volume 3 (Studies in Logic andPractical Reasoning).Elsevier Science Inc., New York, NY, USA.

Bulling, N., Dix, J., and Jamroga, W. (2010).Model checking logics of strategic ability: Complexity.In Dastani, M., Hindriks, K. V., and Meyer, J.-J. C., editors,Specification and Verification of Multi-Agent Systems. Springer.


Reading Material III

Clarke, E., Grumberg, O., and Peled, D. (1999).Model Checking.MIT Press.

Fagin, R., Halpern, J. Y., Moses, Y., and Vardi, M. Y. (1995).Reasoning about Knowledge.MIT Press: Cambridge, MA.

Schnoebelen, P. (2003).The complexity of temporal model checking.In Advances in Modal Logics, Proceedings of AiML 2002. WorldScientific.


Outline

1 Modal Logics and Agents

2 Temporal Logics

3 Model Checking Temporal Logics

4 Reasoning about Strategies

5 Model Checking Strategic Logics


1 Modal Logics and Agents

1. Modal Logics and Agents1 Modal Logics and Agents

Propositional LogicBasic Modal LogicCorrespondence TheoryEpistemic Logic


1 Modal Logics and Agents1.1 Propositional Logic

1.1 Propositional Logic



SyntaxThe propositional language is built uponPropositional symbols: p, q, r, . . . , p1, p2, p3, . . .Logical connectives: ¬ and ∨Grouping symbols: (, )

Often we consider only a finite, nonempty set ofpropositional symbols and refer to it as Prop.Propositional language LPL(Prop):ϕ ::= p | ¬ϕ | ϕ ∨ ϕMacros:

⊥ := p ∧ ¬p> := ¬⊥

ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)

ϕ→ ψ := ¬ϕ ∨ ψϕ↔ ψ := (ϕ→ ψ) ∧ (ψ → ϕ)



SemanticsA valuation (or truth assignment) v : Prop → {t, f} fora language LPL(Prop) is a mapping from the set ofpropositional constants defined by Prop into the set{t, f}.Inductively, we define the notion of a formula ϕ beingtrue or satisfied by v (denoted by v |= ϕ):v |= p iff v(p) = t and p ∈ Prop,v |= ¬ϕ iff not v |= ϕ,v |= ϕ ∨ ψ iff v |= ϕ or v |= ψ

For a set Σ ⊆ LPL we write v |= Σ iff v |= ϕ for all ϕ ∈ Σ.We use v 6|= ϕ instead of not v |= ϕ.



Truth Tables

Truth tables are a conceptually simple way of working withPL (invented by Wittgenstein in 1918).

p q ¬p p ∨ q p ∧ q p→ q p↔ qt t f t t t tf t t t f t ft f f t f f ff f t f f t t



Fundamental Semantical ConceptsIf it is possible to find some valuation v that makes ϕtrue, then we say ϕ is satisfiable.If v |= ϕ for all valuations v then we say that ϕ is validand write |= ϕ . ϕ is also called tautology.A theory is a set of formulae: T ⊆ LPL.A theory T is called consistent if there is a valuation vwith v |= T .A theory T is called complete if for each formula ϕ inthe language, ϕ ∈ T or ¬ϕ ∈ T .

Two simple examplesIs p ∧ ¬b satisfiable?Is a ∨ ¬a valid?



ConsequencesGiven a theory T we are interested in the followingquestion: Which facts can be derived from T? We candistinguish two approaches:

1 semantical consequences, and2 syntactical inference.

Let T be a theory and ϕ be a formula. We say that ϕ is asemantical consequence of T if for all valuations v:

v |= T implies v |= ϕ.

If new facts can be derived from old ones in analgorithmic fashion, we say that such a fact issyntactically derivable.Inference rules allow to derive new facts:

(MP )ϕ ϕ→ψ

ψ


1 Modal Logics and Agents1.2 Basic Modal Logic

1.2 Basic Modal Logic



What is a Logic?We present a framework for thinking about logics as:

languages for describing a problem,ways of talking about relational structures andmodels.

These are the two key components in the way we willapproach logic:

1 Language:fairly simple, precisely defined, formal languages.

2 Model (or relational structure):simple “world” that the logic talks about.



Various modal logics

knowledge→ epistemic logic,beliefs→ doxastic logic,obligations→ deontic logic,actions→ dynamic logic,time→ temporal logic,and combinations of the above.

Most famous multimodal logics:BDI logics of beliefs, desires, intentions (and time).



Relational StructuresA relational structure is given by (W, {R1, . . . ,Rn}) andconsists of:

A non-empty set W , the elements of which are ourobjects of interest. They are called points, states,nodes, worlds, times, instants or situations.A non-empty set {R1, . . . ,Rn} of relations on W .

Example 1.1 (Finite State Automaton for anbm)

Given the formal language anbm with n,m > 0. Therelational structure is:

r s ta

a

b

b

Here, r is the start state and t is the only final state.Nils Bulling and Jürgen Dix ·Model Checking Temporal and Strategic Logics EASSS, 2010 19


The Basic Modal LanguageStandard propositional logic can be seen as aone-point relational structure.But relational structures can describe much more. Wecan talk about points, lines etc.Therefore, we introduce the basic modal language.

We build the basic modal language on top of thepropositional language by extending LPL(Prop) with twonew operators:

Possibility and necessity♦ϕ: ϕ is possible

(We see one or more states where ϕ holds.)

� ϕ: ϕ is necessary(In all reachable states ϕ holds.)



A Language for Relational Structures

Definition 1.2 (Basic Modal Language LBML)Let Prop be a set of propositions. The basic modallanguage LBML(Prop) consists of all formulae defined by thefollowing grammar:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ♦ϕ

where p ∈ Prop.

Boolean macros are defined in the standard way.Additionally, we have the dual � (called “box”) of ♦:

�ϕ:=¬♦¬ϕ



We can talk about attributes by adding labels to nodes(e.g. painting them in a particular color).

Example 1.3 (Colored Graph I)Imagine standing in a node of a colored graph. What canwe see?

♦ blue

♦ blue

♦black♦blue♦red



Example 1.4 (Colored Graph II)We imagine standing in a node of a colored graph. Whatcan we see?

♦(black ∧ red) ∧ ♦♦green



Colored Graph II

Example 1.5

blue→ �blackgreen→ �black yellow → ♦yellow



Definition 1.6 (Kripke Frame)A Kripke frame is given by F = (W,R) where

W is a non-empty set, called set of domains or worlds,R ⊆ W ×W is a binary relation.

Frames are mainly used to talk about validities: They standfor a whole set of models.

Definition 1.7 (Kripke Model)A Kripke model is given by M = (W,R, V ) where

(W,R) is a Kripke frame,V : Prop → P(W ) is called labeling function orvaluation. We also use V : W → P(Prop).

Kripke frames (resp. models) are simply relationalstructures (resp. with labels)!



Example 1.8Consider the frame F = ({w1, w2, w3, w4, w5},R) whereRwiwj iff j = i+ 1 and V (p) = {w2, w3},V (q) = {w1, w2, w3, w4, w5}, V (r) = ∅.

w1

q

w2

q, pw3

q, pw4

q

w5

q



Frames vs. Models?FramesMathematical pictures of ontologies that we findinteresting. That is, frames define the fundamentalstructure of the domain of interest.

For example, we model time as a collection of pointsordered by a strict partial order.

ModelsFrames are extended by contingent information. That is,models extend the mathematical structure provided byframes by additional information.

Can Kripke models be used to interpret thepropositional language?



Internal and Local

Satisfaction of formulae is internal and local!

Internal: Formulae are evaluated inside models at somegiven world.

Local: Given a world it is only possible to refer to directsucessors of this world.

How does first-order logic compare to that?



Some Examples

Example 1.10F = ({w1, w2, w3, w4, w5},R) where Rwiwj iff j = i+ 1 andV (p) = {w2, w3}, V (q) = {w1, w2, w3, w4, w5}, V (r) = ∅.

w1

q

w2

q, pw3

q, pw4

q

w5

q

1 M, w1 |= ♦�p2 M, w1 6|= ♦�p→ p

3 M, w2 |= ♦(p ∧ ¬r)4 M, w1 |= q ∧ ♦(q ∧ ♦(q ∧ ♦(q ∧ ♦q))))5 M |= �q



Validity and (Global) SatisfactionWe take on a global point of view.

Given a specification like ϕ := �¬crash. In which statesshould it be true?

Definition 1.11 (Validity)

A formula ϕ is called valid or globally true in a model M iffM, w |= ϕ for all w ∈ WM. We write M |= ϕ.

ϕ is satisfiable in M if M, w |= ϕ for some w ∈ WM.

Analogously, we say that a set Σ of formulae is valid (resp.satisfiable) in M iff all formulae in Σ are valid (resp.satisfiable) in M.

Validity and satisfiability are dual concepts!



Modal Consequence RelationUp to now we verified formulae in a given model and state.Often, it is interesting to know whether a property followsfrom a given set of formulae.

Definition 1.13 (Local Consequence Relation)LetM be a class of models, Σ be a set of formulae and ϕbe a formula.

ϕ is a (local) semantic consequence of Σ over M,written Σ |=M ϕ , if for all M ∈M and all w ∈ WM itholds that M, w |= Σ implies M, w |= ϕ .IfM is the class of all models we just say that ϕ is a(local) consequence of Σ and write Σ |= ϕ .



Frames and ValidityIn Example 1.12 we have seen that a formula can betrue/false for all valuations. We can speak about structuralproperties ignoring contingent information.

Definition 1.14 (Frame Validity: F |= ϕ)Let F be a frame and ϕ ∈ LBML.

1 ϕ is valid in F and w ∈ WF, written F, w |= ϕ , ifM, w |= ϕ for all models M = (F, π) based on F.

2 ϕ is valid in F , written F |= ϕ, if F, w |= ϕ for all w ∈ WF.3 Let F be class of frames. ϕ is said to be valid in F , if ϕ

is valid in each frame F ∈ F .



Lemma 1.15 (Distribution Axioms)

The two formulae

♦(p ∨ q)→ (♦p ∨ ♦q)�(p→ q)→ (�p→ �q)

are both valid in all Kripke frames F. The last formula is alsocalled axiom K.

Proof. Exercise and Example 1.12.



Example 1.16Is ♦> valid in all frames? In which class is the formula valid?

w1 w2 w1 w2

What about �>? blackboard

Example 1.17Is ♦♦p→ ♦p true in w1?

w1 w2

p

w3

p

w1 w2 w3

p

In which class of frames is the formula valid? blackboard



Example 1.18Let M be the class of transitive models. Then:

1 ♦♦p |=M ♦p,2 �p |=M ��p, but3 ��p |=M �p does not hold.

Is there a class of modelsM for which ♦♦p |=M ♦p holds,but no model inM is transitive?


1 Modal Logics and Agents1.3 Correspondence Theory

1.3 Correspondence Theory



Correspondence TheoryWe have learnt that some formulae are valid in particularframes. E.g. ♦♦ϕ→ ♦ϕ is valid in all transitive frames.Here, we consider such correspondences systematically.

Definition 1.19 (KDT45)We assume that we have available one modal operator �.

K �(p→ q)→ (�p→ �q)D ¬�(p ∧ ¬p)T �p→ p

4 �p→ ��p5 ¬�p→ �¬�p

In epistemic logic, e.g., these formulae will have intuitiveepistemic properties.



Properties of Frame (1)We consider properties of the accessibility relations R offrames:

Serial: For all w there is a w′ with wRw′.Reflexive: For all w: wRw.Transitive: For all w,w′, w′′: wRw′ and w′Rw′′ implies

wRw′′.Euclidean: For all w,w′, w′′: wRw′ and wRw′′ implies

w′Rw′′.Symmetric: For all w,w′: wRw′ implies w′Rw.

Definition 1.20 (Frame property)We say a frame F = (W,R) has property X if its relation Rhas property X.

Remember Slide 37 where we discussed transitive frames .Nils Bulling and Jürgen Dix ·Model Checking Temporal and Strategic Logics EASSS, 2010 40


Example 1.21We have

F |= �p→ p iff F is reflexive.

Let F be a frame satisfying �p→ p. That is,

for all w ∈ W , F, w |= �p→ p.

This is the case, if for all models M over F and

for all w ∈ W , M, w |= �p→ p.

Which properties must R satisfy? Suppose R is notreflexive. Then, there is a state w′ with not w′Rw′. Make p

true at all states of W\{w′}. Then, M, w′ 6|= �p→ p andhence F 6|= �p→ p. Contradiction! blackboard



Now suppose we are given a reflexive frame F andsuppose F 6|= �p→ p.

Then, there is a model M = (F, π) and a state w,M, w 6|= �p→ p.That is, M, w |= �p and M, w 6|= p.By reflexivity we have wRw.But then, from M, w |= �p it follows that M, w |= p.Contradiction!We must have F |= �p→ p.

In other words, axiom T characterises reflexive frames.



Validity in Several Frames (3)

Lemma 1.22 (Appropriate Frames)

Let (W,R) be a Kripke frame. Then the following holds:K: (W,R) |= �(p→ q)→ (�p→ �q).D: (W,R) |= ¬�(p ∧ ¬p) iff R is serial.T: (W,R) |= �p→ p iff R is reflexive.4: (W,R) |= �p→ ��p iff R is transitive.5: (W,R) |= ¬�p→ �¬�p iff R is Euclidean.B: (W,R) |= p→ �♦p iff R is symmetric.

Proof. : Exercise.



Axiomatic SystemsAs in classical logic, one can ask about a complete axiomsystem. Is there a calculus that allows to derive all sentencestrue in all Kripke models?

Definition 1.23 (System K)The system K is an extension of the propositional calculusby the axiom

K (�ϕ ∧�(ϕ→ ψ))→ �ψ

and the inference ruleϕ�ϕ (Necessitation).

We also need the duality axiom �ϕ↔ ¬♦¬ϕ (as weintroduced � as macro).

Note, ϕ and ψ can be substituted by any formula.Nils Bulling and Jürgen Dix ·Model Checking Temporal and Strategic Logics EASSS, 2010 44


Proposition 1.24Axiom K is equivalent to �(ϕ→ ψ)→ (�ϕ→ �ψ).

Example 1.25Proof that `K (�p ∧�q)→ �(p ∧ q). blackboard



Theorem 1.26 (Sound-/Completeness of K)System K is sound and complete with respect to arbitraryKripke models.

Note that we have not assumed any properties of theaccessibility relation R: It is just any binary relation.

Assuming that R is an equivalence relation, whatadditional statements (axioms) are true in all suchKripke models?



Theorem 1.27 (Sound/complete Subsystems)Let X be any subset of {D,T,4,5} and let X be the subsetof {serial, reflexive, transitive, euclidean} corresponding toX.Then system K extended with axioms X is sound andcomplete with respect to Kripke frames which satisfyproperties X .

For example, we have the following important instance:

Corollary 1.28 (KT45)System KT45 is sound and complete with respect to Kripkeframes with an accessibility relation which is an equivalencerelation.



Example 1.29KT45 and KTD45 are both sound and complete withrespect to Kripke frames in which the accessibility relation isan equivalence relation.

What does that mean for the properties corresponding tothese axioms?

Any reflexive, transitive and euclidean relation is alsoserial!



Some ExercisesShow that

1 The axiom D follows from KT45.2 Show that KD45 is not equivalent to K45: axiom D

does not follow from K45.

One can argue semantically:Each Kripke model satisfying the axioms KT45, alsosatisfies the axiom D.There is a Kripke model satisfying K45 in which D doesnot hold.


1 Modal Logics and Agents1.4 Epistemic Logic

1.4 Epistemic Logic



Interpreting �i as knowledgeLet us now assume we have several agents i and weinterpret �iϕ as agent i knows that ϕ. In that case oneoften writes

Kiϕ instead of �iϕ.

Accessibility relationWhat does the equivalence relation encode? Incompleteinformation:

wRw′ The agent cannot distinguish w and w′. Bothstates provide the same information.

Knowledge = Truth in all indistinguishable states



What other properties should hold when interpreting �as knowledge?

K K(p→ q)→ (Kp→ Kq)D ¬K⊥ consistencyT Kp→ p truth4 Kp→ KKp positive introspection5 ¬Kp→ K¬Kp negative introspection



Muddy Children

Example 1.30 (Muddy Children)A group of playing children is called back by theirfather. They gather around him.Some of them have become dirty:

1 they may have mud on their forehead,2 children can only see whether others are muddy,3 and not if there is any mud on their own forehead.

All this is commonly known, and the children areperfect logicians.



Now the father announces the following:Father: “At least one of you has mud on his or herforehead.”Father: “Will those who know whether they aremuddy please step forward.”If nobody steps forward, father keeps repeating therequest.

QuestionWhat happens?



3

1

2

mm

c

mm

c

cm

c

cm

c

cc

c

cc

c

mc

c

mc

c1

2

mm

m

mm

m1

2

cm

m

cm

m

cc

m

cc

m

mc

m1

2

3

33

m1 ∈ V (w) iff w = qmxxm2 ∈ V (w) iff w = qxmxm3 ∈ V (w) iff w = qxxm



mm

c

mm

c

M, qmmc |= m1 ∧m2 ∧ ¬m3



3

1

2

mm

c

mm

c

cm

c

cm

c

mc

c

mc

c

mm

m

mm

m

M, qmmc |= m1 ∧m2 ∧ ¬m3

M, qmmc |= ¬K1m1 ∧K1m2



3

1

2

mm

c

mm

c

cm

c

cm

c

cc

c

cc

c

mc

c

mc

c1

2

mm

m

mm

m1

2

cm

m

cm

m

mc

m

3

3

M, qmmc |= m1 ∧m2 ∧ ¬m3


M, qmmc |= K1K3m2 ∧K1¬K2m2



3

1

2

mm

c

mm

c

cm

c

cm

c

cc

c

cc

c

mc

c

mc

c1

2

mm

m

mm

m1

2

cm

m

cm

m

cc

m

cc

m

mc

m1

2

3

33

M, qmmc |= m1 ∧m2 ∧ ¬m3


M, qmmc |= K1K3m2 ∧K1¬K2m2

. . .



3

1

2

mm

c

mm

c

cm

c

cm

c

cc

c

cc

c

mc

c

mc

c1

2

mm

m

mm

m1

2

cm

m

cm

m

cc

m

cc

m

mc

m1

2

3

33

Father: “At least one is muddy.”¬K1m1 ∧ ¬K2m2 ∧ ¬K3m3



3

1

2

mm

c

mm

c

cm

c

cm

c

mc

c

mc

c1

2

mm

m

mm

m1

2

cm

m

cm

m

cc

m

cc

m

mc

m1

2

3

33

Father: “At least one is muddy.”¬K1m1 ∧ ¬K2m2 ∧ ¬K3m3



3

1

2

mm

c

mm

c

cm

c

cm

c

mc

c

mc

c

mm

m

mm

m1

2

cm

m

cm

m

cc

m

cc

m

mc

m1

2

3

3

Father (1): “If you know thatyou’re muddy, raise your hand.”

Nothing happens.



3

1

2

mm

c

mm

c

cm

c

cm

c

mc

c

mc

c

mm

m

mm

m1

2

cm

m

cm

m

cc

m

cc

m

mc

m1

2

3

3

Father (2): “If you knowthat you’re muddy, raiseyour hand.”The kids see that nobodyhas raised their handsafter (1)!Children with mud caneliminate worlds. . .



3

1

2

mm

c

mm

c

cm

c

cm

c

mc

c

mc

c

mm

m

mm

m1

2

cm

m

cm

m

cc

m

cc

m

mc

m1

2

3

3

Father (2): “If you knowthat you’re muddy, raiseyour hand.”The kids see that nobodyhas raised their handsafter. (1)!Children with mud caneliminate worlds. . .



3

mm

c

mm

c

mm

m

mm

m1

2

cm

m

cm

m

mc

m

Father (2): “If you knowthat you’re muddy, raiseyour hand.”The kids see that nobodyhas raised their handsafter (1)!Children with mud caneliminate worlds. . .What happens? Kids 1 and 2 raisetheir hands:K1m1 ∧K2m2 ∧ ¬K3m3



Interpreting � as beliefUp to now we were thinking of �i as agent i knows that ϕ.What if we interpret the operator as belief?

Under such an interpretation axiom T is usually notassumed to hold. But all other axioms make sense.

Definition 1.31 (System KD45)Axiom system KD45 is called the standard logic of beliefs.Axiom K is called logical omniscience, axiom D is calledconsistency, axiom 4 (resp. axiom 5) is called positive(resp. negative) introspection.


2 Temporal Logics

2. Temporal Logics2 Temporal Logics

Linear-Time LogicBranching-Time LogicsReferences


2 Temporal Logics2.1 Linear-Time Logic

2.1 Linear-Time Logic



Reasoning about Time

The accessibility relation represents time.Time: linear vs. branching.

start

start



Temporal logic was originally developed in order torepresent tense in natural language.

Within Computer Science, it has achieved a significant rolein the formal specification and verification of concurrentand distributed systems.

Much of this popularity has been achieved because anumber of useful concepts can be formally, and concisely,specified using temporal logics, e.g.

safety propertiesliveness propertiesfairness properties



Typical temporal operators

©©©ϕ ϕ is true in the next moment in time��ϕ ϕ is true in all future moments♦♦♦ϕ ϕ is true in some future momentϕU ψ ϕ is true until the moment when ψ becomes

true

��((¬passport ∨ ¬ticket) → ©©©¬board_flight)

send(msg, rcvr) → ♦♦♦receive(msg, rcvr)



Safety Properties

“something bad will not happen”“something good will always hold”

Typical examples:

��¬bankrupt��fuelOKand so on . . .

Usually: ��¬....



Liveness Properties

“something good will happen”

Typical examples:

♦♦♦richpower_on→ ♦♦♦onlineand so on . . .

Usually: ♦♦♦....



Fairness PropertiesCombinations of safety and liveness possible:♦♦♦��dead��(request_taxi→ ♦♦♦arrive_taxi) fairness

Strong fairness“If something is requested then it will be allocated”:

��(attempt → ♦♦♦success),��♦♦♦attempt → ��♦♦♦success.

Scheduling processes, responding to messages, etc.No process is blocked forever, etc.



Linear-Time Temporal Logic

Reasoning about a particular computation of asystem.

Time is linear: just one possible future moment!

Models: paths (e.g. obtained from Kripke structures)

λ : N0 → Q.



Definition 2.1 (Language LLTL [Pnueli, 1977])

The language LLTL(Prop) is given by all formulae generatedby the following grammar, where p ∈ Prop is a proposition:

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | ϕU ϕ | jϕ.The additional operators♦ (now or sometime from now on) and� (always from now on)

can be defined as macros :

♦ϕ ≡ >U ϕ and �ϕ ≡ ¬♦¬ϕThe standard Boolean connectives >,⊥,∨,→, and↔ aredefined in their usual way.



Models of LTLThe semantics is given over paths, which are infinitesequences of states from Q, and a standard labellingfunction π : Q→ P(Prop) that determines whichpropositions are true at which states.

Definition 2.2 (Path λ)

A path λ over a set of states Q is an infinite sequencefrom Qω. We also identify it with a mapping N0 → Q.

We useλ[i] to denote the ith position on path λ (starting fromi = 0) andλ[i,∞] to denote the subpath of λ starting from i(λ[i,∞] = λ[i]λ[i+ 1] . . . ).



Other temporal operators

λ, π |= ♦ϕ iff λ[i,∞], π |= ϕ for some i ∈ N0 ;λ, π |= �ϕ iff λ[i,∞], π |= ϕ for all i ∈ N0 ;

ExerciseProve that the semantics does indeed match the definitions♦ϕ ≡ >U ϕ and �ϕ ≡ ¬♦¬ϕ.



q2q1q0 q2q1q0

pos1 pos1pos0 pos0pos2 pos2

λ, π |= ♦pos1

λ′ = λ[1,∞], π |= pos1

pos1 ∈ π(λ′[0])



q2q1q0 q2q1q0

pos1 pos1pos0 pos0pos2 pos2

λ, π |= �♦pos1 iff

λ[0,∞], π |= ♦pos1 andλ[1,∞], π |= ♦pos1 andλ[2,∞], π |= ♦pos1 and

. . .



Representation of paths

Paths are infinite entities.

They are theoretical constructs.

We need a finite representation!

We consider paths in a Kripke structure.

We use a (pointed) Kripke model M, q and consider theproblem whether an LLTL-formula holds on all paths of M

starting in q.



Definition 2.4 (M-path, ΛM(q))

An M-path (or computation) is given by λ ∈ QωM such that

subsequent states are connected by transitions from RM.We use the same notation for these paths as introducedabove.For q ∈ Q we use ΛM(q) to denote the set of all M-pathsstarting in q and we define ΛM as

⋃q∈Q ΛM(q).

The subscript “M” is often omitted and we refer to anM-path simply as path when clear from context.



Computational vs. behaviouralstructure

System Computational str.

1 2

1

2

1

2

pos0

pos1pos2

q0

q2 q1

pos0

pos1pos2



Computational str. Behavioural str.

q0

q2 q1

pos0

pos1pos2

q0

q0

q0

q1

q1 q1 q2

Important!The behavioural structure is usually infinite! Here, it is aninfinite tree. We say it is the q0-unraveling of the model.



Some Exercises

Example 2.5Formalise the following as LTL formulae:

1 r should never occur.2 r should occur exactly once.3 At least once r should directly be followed by s.

blackboard


2 Temporal Logics2.2 Branching-Time Logics

2.2 Branching-Time Logics



Branching Time

CTL, CTL?: Computation Tree Logics.

Reasoning about possible computations of a system.

Time is branching: We want all alternativecomputations included!

Models: states (time points, situations), transitions(changes). ( Kripke models).

Paths: courses of action, computations. ( LTL)



Path quantifiers: A (for all paths), E (there is a path);

Temporal operators: j(nexttime), ♦ (sometime), �(always) and U (until);

CTL: each temporal operator must be immediatelypreceded by exactly one path quantifier;

CTL*: no syntactic restrictions.



Definition 2.6 (LCTL∗ [Emerson and Halpern, 1986])

The language LCTL∗(Prop) is given by all formulae generatedby the following grammar:

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | Eγ

where

γ ::= ϕ | ¬γ | γ ∧ γ | γ U γ | jγand p ∈ Prop. Formulae ϕ (resp. γ) are called state (resp.path) formulae.

We use the same abbreviations as for LLTL.



The LCTL∗-formula E♦ϕ, for instance, ensures that thereis at least one path on which ϕ holds at some (future)time moment.

The formula A♦�ϕ states that ϕ holds almosteverywhere . More precisely, on all paths it alwaysholds from some future time moment.

LCTL∗-formulae do not only talk about temporal patternson a given path, they also quantify (existentially oruniversally) over such paths.

The logic is complex! For practical purposes, afragment with better computational properties isoften sufficient.



Definition 2.7 (LCTL [Clarke and Emerson, 1981])

The language LCTL(Prop) is given by all formulae generatedby the following grammar, where p ∈ Prop is a proposition:

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | E(ϕU ϕ) | E jϕ | E�ϕ.

For example, A�E jp is a LCTL-formula whereas A�♦p is not.



We define the Boolean connectives as usual.It remains to define the other temporal operators. Whatabout ♦ϕ ≡ ¬�¬ϕ?

We introduce the following macros:

♦ϕ ≡ >U ϕ,A jϕ ≡ ¬E j¬ϕ,A�ϕ ≡ ¬E♦¬ϕ, andAϕU ψ ≡ . . . Exercise!



ExampleAre the following CTL? or CTL formulae? What do theformulae express?

1 E♦A jshutdown2 E♦ jshutdown3 A�♦rain4 A�A♦rain (Is it different from (3)?)5 E♦�broken



The semantics is given over Kripke models with a serialtransition relation (time flows forever!).

Definition 2.8 (Semantics |=CTL?

)

Let M be a Kripke model, q ∈ Q and λ ∈ Λ. The semanticsof LCTL∗- and LCTL-formulae is given by the satisfactionrelation |=CTL? for state formulae by

M, q |=CTL?p iff λ[0] ∈ π(p) and p ∈ Prop;

M, q |=CTL? ¬ϕ iff M, q 6|=CTL?ϕ;

M, q |=CTL?ϕ ∧ ψ iff M, q |=CTL?

ϕ and M, q |=CTL?ψ;

M, q |=CTL?Eϕ iff there is a path λ ∈ Λ(q) such that

M, λ |=CTL?ϕ;



Example 2.9 (Robots and Carriage)

1 2

1

2

1

2

pos0

pos1pos2

Figure 1: Tworobots and acarriage.

Two robots push a carriage fromopposite sides.Carriage can move clockwise oranticlockwise, or it can remain inthe same place.3 positions of the carriage.We label the states withpropositions pos0, pos1, pos2,respectively, to allow for referring tothe current position of the carriagein the object language.



1 2

1

2

1

2

pos0

pos1pos2

q0

q2 q1

pos0

pos1pos2

Figure 2: Two robots and a carriage: A schematic view (left) and atransition system M0 that models the scenario (right).



q0

q2 q1

pos0

pos1pos2

M0, q0 |=CTL E♦pos1: In state q0,there is a path such that thecarriage will reach position 1sometime in the future.The same is not true for allpaths, so we also have:M0, q0 6|=CTL A♦pos1.

It becomes more interesting if abilities of agents areconsidered ATL.



Example: Rocket and Cargo

A rocket and a cargo.The rocket can be moved between London (propositionroL) and Paris (proposition roP ).The cargo can be in London (caL), Paris (caP ), or insidethe rocket (caR).The rocket can be moved only if it has its fuel tank full(fuelOK).When it moves, it consumes fuel, and nofuel holds aftereach flight.




nofuelroL

caR

fuelOK nofuel fuelOK

nofuel fuelOK nofuel fuelOK


1

5 6

2

3 4

87

9 10 1211

roL roP

roL roL

roLroL

roP

roP roP

roP

roP

caL caL caLcaL

caR caR caR

caP caP caP caP

roL→ E♦roP

A�(roL ∨ roP )

roL→ A j(roP → nofuel)




nofuelroL

caR

fuelOK nofuel fuelOK



1

5 6

2

4

87

9 10 1211

roL roP

roL roL

roLroL

roP

roP roP

roP

roP

caL caL caLcaL

caR caR caR

caP caP caP caP

3

E♦caP


2 Temporal Logics2.3 References

2.3 References



R. Alur, T. A. Henzinger, and O. Kupferman (2002).Alternating-time Temporal Logic.Journal of the ACM, 49:672–713.

E. A. Emerson (1990).Temporal and modal logic.Handbook of Theoretical Computer Science, volume B, 995–1072. Elsevier.

Fagin, R., Halpern, J. Y., Moses, Y. & Vardi, M. Y. (1995).Reasoning about Knowledge.MIT Press.

Wojtek Jamroga and Jürgen Dix (2008).Model Checking Abilities of Agents: A Closer Look.Theory of Computing Systems, 42(3), 366–410.



Wojtek Jamroga and Jürgen Dix (2005).Do Agents Make Model Checking Explode (Computationally)?M. Pechoucek and P. Petta and L.Z. Varga (Eds.), Proceedings of the 4th International Central and EasternEuropean Conference on Multi-Agent Systems (CEEMAS ’05), pages 398-407. LNCS 3690. Springer, 2005.

Kripke, S. (1963a).Semantical analysis of modal logic I. Normal propositional calculi.Zeitschrift für math. Logik und Grundlagen der Mathematik, 9, 67–96.

Kripke, S. (1963b).Semantical considerations on modal logic.Acta Philosophica Fennica, 16, 83–94.



3. Model Checking TemporalLogics

3 Model Checking Temporal LogicsMotivationThe Model Checking Problem and CTLBüchi AutomataModel Checking LTLModel Checking CTL∗

References


3 Model Checking Temporal Logics3.1 Motivation

3.1 Motivation



Why do we need verification methods?

AT&T Telephone Network Outage (1990)Problem in New York City: 9 hour outage of large partsof US telephone network.Costs: several 100 million $.Source: wrong interpretation of a break statement inC.

Acknowledgment: The following presentation is partly basedon the book “Principles of Model Checking” by Christel Baier andJoost-Pieter Katoen.




Pentium FDIV BUG (1994)(FDIV: Floating point division unit)

Incorrect results.Costs: 500 million $ and image loss.Source: flaw in realisation of floating-point division.




Ariane 5 Desaster (1996)Crash of Ariane 5-missle.Costs: > 500 million $.Source: flaw in data conversion from a 64-bit floatingpoint to a 16-bit signed integer.

What are the lessons learned?

Verification may pay off!

In such cases the extra costs and efforts put into properverification techniques may be cheaper as the results of anerror.




Software becomes larger.Use in safety-critical systems, important domains.Increasing need for reliable software.

Why?

Errors can be costly and fatal (Ariane-5 launch, stockmarket systems,...).Mass production of products (errors are expensive,computer chips,...).



Formal Verification Techniques

Testing and reviewing ( non-formal methods)

Deductive methods (Hoare Calculus), code integration( undecidable, expertise during programmingnecessary)

Model checking ( how is the correct modelobtained?)



What is Model Checking

system requirement

formal model formal specification

model checker

true

false

counterexample

flaw in system


3 Model Checking Temporal Logics3.2 The Model Checking Problem and CTL

3.2 The Model CheckingProblem and CTL



What is Model Checking

1 2

1

2

1

2

pos0

pos1pos2

1 2

halt

Figure 1: Two robots and a carriage: a schematicview

set of agents. Alternating-time temporal logic comes in sev-eral variants, of which ATL∗ is the broadest. Formally, thelanguage of ATL∗ is given by formulae ϕ generated by thegrammar below, where A ⊆ Agt is a set of agents, and p ∈ Πis an atomic proposition:

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | ��A��γ,γ ::= ϕ | ¬γ | γ ∧ γ | ❢γ | γ U γ.

Formulae ϕ are called state formulae, and γ path formulaeof ATL∗.

The best known variant of the alternating time tempo-ral logics is ATL (sometimes called “ATL without star” or“vanilla” ATL) in which every occurrence of a cooperationmodality is immediately followed by exactly one temporaloperator. In this paper, however, we study the model check-ing problem for ATL+, a variant that sits between ATL∗

and ATL. The language of ATL+ includes only formulaewhere each temporal operator is followed by a state for-mula, and allows cooperation modalities to be followed by aBoolean combination of path subformulae; i.e. path formu-lae are defined by γ ::= ¬γ | γ ∧ γ | ❢ϕ | ϕU ϕ.

Example 1. The ATL formula ��jamesbond��✸win saysthat James Bond can eventually win, no matter how theother agents act. On the other hand, ��jamesbond��✷(assigned→ ✸accomplished) is an ATL∗ formula which clearly be-longs to neither ATL nor ATL+ and deems agent 007 to beable to accomplish all his future missions. Finally,��jamesbond��(✷¬crash ∧ ✸land) (James Bond can preventthe space ship from crashing and make it eventually land) isa formula of ATL+ but not of ATL.

2.2 SemanticsThe semantics of ATL∗ is defined over a variant of transi-

tion systems where transitions are labeled with combinationsof actions, one per agent. Formally, a concurrent game struc-ture (CGS) is a tuple M = �Agt, St, Π, π, Act, d, o� whichincludes a nonempty finite set of all agents Agt = {1, . . . , k},a nonempty set of states St, a set of atomic propositions Πand their valuation π : Π → 2St, and a nonempty finite set of(atomic) actions Act. Function d : Agt× St → 2Act definesnonempty sets of actions available to agents at each state,and o is a (deterministic) transition function that assigns theoutcome state q� = o(q, α1, . . . , αk) to state q and a tuple ofactions �α1, . . . , αk� for αi ∈ d(i, q) and 1 ≤ i ≤ k, thatcan be executed by Agt in q. Thus, we assume that all the

q0

q2 q1

pos0

pos1

wait,wait

wait,wait

halt,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

wait,push

push,wait

wait,push

wai

t,pus

h

pos2

halt,push qh

halt

Figure 2: Two robots and a carriage: concurrentgame structure M1 that models the scenario

agents execute their actions synchronously; the combinationof the actions, together with the current state, determinesthe next transition of the system.

A path λ = q0q1q2 . . . is an infinite sequence of states suchthat there is a transition between each qi, qi+1. We use λ[i]to denote the ith position on path λ (starting from i = 0)and λ[i,∞] to denote the subpath of λ starting from i.

Example 2 (Robots and Carriage). Consider thescenario depicted in Figures 1 and 2. Two robots push acarriage from opposite sides. As a result, the carriage canmove clockwise or anticlockwise, or it can remain in thesame place. We assume that each robot can either push(action push) or refrain from pushing (action wait). More-over, they both use the same force when pushing. Thus, ifthe robots push simultaneously or wait simultaneously, thecarriage does not move. When only one of the robots ispushing, the carriage moves accordingly. Finally, when thecarriage is in position 0, robot 1 may try to retire it to ahalting position.

To make our model of the domain discrete, we identify 4different positions of the carriage, and associate them withstates q0, q1, q2, and qh. We label the states with proposi-tions pos0, pos1, pos2, halt, respectively, to allow for referringto the current position of the carriage in the object language.

A strategy of agent a is a plan that specifies what a is goingto do in each situation. It makes sense, from a conceptualand computational point of view, to distinguish between twotypes of strategies: an agent may base his decision on thecurrent state or on the whole history of events that havehappened. Also, the agent may have complete or incompleteknowledge about the current global state of the system. Todistinguish between those cases, we use the taxonomy andnotation introduced in [15]: ATLxy where x = i (resp. I )stands for imperfect (resp. perfect) information and y = r(resp. R) for imperfect (resp. perfect) recall. Here we aremainly interested in the IR-setting.

A perfect information perfect recall strategy (IR-strategy)for agent a is a function sa : St+ → Act such thatsa(q0q1 . . . qn) ∈ da(qn) for any finite history q0q1 . . . qn. Aperfect information memoryless strategy (Ir-strategy) is afunction sa : St → Act such that sa(q) ∈ da(q) for eachq. We do not consider the model checking problem for im-perfect information games in this paper, so we will omitdefinitions of ir - and iR-strategies here.

A collective strategy for a group of agents A = {a1, . . . , ar} ⊆Agt is simply a tuple of individual strategies sA = �sa1 , . . . , sar �.

1 2

1

2

1

2

pos0

pos1pos2

1 2

halt

Figure 1: Two robots and a carriage: a schematicview

set of agents. Alternating-time temporal logic comes in sev-eral variants, of which ATL∗ is the broadest. Formally, thelanguage of ATL∗ is given by formulae ϕ generated by thegrammar below, where A ⊆ Agt is a set of agents, and p ∈ Πis an atomic proposition:

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | ��A��γ,γ ::= ϕ | ¬γ | γ ∧ γ | ❢γ | γ U γ.

Formulae ϕ are called state formulae, and γ path formulaeof ATL∗.

The best known variant of the alternating time tempo-ral logics is ATL (sometimes called “ATL without star” or“vanilla” ATL) in which every occurrence of a cooperationmodality is immediately followed by exactly one temporaloperator. In this paper, however, we study the model check-ing problem for ATL+, a variant that sits between ATL∗

and ATL. The language of ATL+ includes only formulaewhere each temporal operator is followed by a state for-mula, and allows cooperation modalities to be followed by aBoolean combination of path subformulae; i.e. path formu-lae are defined by γ ::= ¬γ | γ ∧ γ | ❢ϕ | ϕU ϕ.

Example 1. The ATL formula ��jamesbond��✸win saysthat James Bond can eventually win, no matter how theother agents act. On the other hand, ��jamesbond��✷(assigned→ ✸accomplished) is an ATL∗ formula which clearly be-longs to neither ATL nor ATL+ and deems agent 007 to beable to accomplish all his future missions. Finally,��jamesbond��(✷¬crash ∧ ✸land) (James Bond can preventthe space ship from crashing and make it eventually land) isa formula of ATL+ but not of ATL.

2.2 SemanticsThe semantics of ATL∗ is defined over a variant of transi-

tion systems where transitions are labeled with combinationsof actions, one per agent. Formally, a concurrent game struc-ture (CGS) is a tuple M = �Agt, St, Π, π, Act, d, o� whichincludes a nonempty finite set of all agents Agt = {1, . . . , k},a nonempty set of states St, a set of atomic propositions Πand their valuation π : Π → 2St, and a nonempty finite set of(atomic) actions Act. Function d : Agt× St → 2Act definesnonempty sets of actions available to agents at each state,and o is a (deterministic) transition function that assigns theoutcome state q� = o(q, α1, . . . , αk) to state q and a tuple ofactions �α1, . . . , αk� for αi ∈ d(i, q) and 1 ≤ i ≤ k, thatcan be executed by Agt in q. Thus, we assume that all the

q0

q2 q1

pos0

pos1

wait,wait

wait,wait

halt,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

wait,push

push,wait

wait,push

wai

t,pus

h

pos2

halt,push qh

halt

Figure 2: Two robots and a carriage: concurrentgame structure M1 that models the scenario

agents execute their actions synchronously; the combinationof the actions, together with the current state, determinesthe next transition of the system.

A path λ = q0q1q2 . . . is an infinite sequence of states suchthat there is a transition between each qi, qi+1. We use λ[i]to denote the ith position on path λ (starting from i = 0)and λ[i,∞] to denote the subpath of λ starting from i.

Example 2 (Robots and Carriage). Consider thescenario depicted in Figures 1 and 2. Two robots push acarriage from opposite sides. As a result, the carriage canmove clockwise or anticlockwise, or it can remain in thesame place. We assume that each robot can either push(action push) or refrain from pushing (action wait). More-over, they both use the same force when pushing. Thus, ifthe robots push simultaneously or wait simultaneously, thecarriage does not move. When only one of the robots ispushing, the carriage moves accordingly. Finally, when thecarriage is in position 0, robot 1 may try to retire it to ahalting position.

To make our model of the domain discrete, we identify 4different positions of the carriage, and associate them withstates q0, q1, q2, and qh. We label the states with proposi-tions pos0, pos1, pos2, halt, respectively, to allow for referringto the current position of the carriage in the object language.

A strategy of agent a is a plan that specifies what a is goingto do in each situation. It makes sense, from a conceptualand computational point of view, to distinguish between twotypes of strategies: an agent may base his decision on thecurrent state or on the whole history of events that havehappened. Also, the agent may have complete or incompleteknowledge about the current global state of the system. Todistinguish between those cases, we use the taxonomy andnotation introduced in [15]: ATLxy where x = i (resp. I )stands for imperfect (resp. perfect) information and y = r(resp. R) for imperfect (resp. perfect) recall. Here we aremainly interested in the IR-setting.

A perfect information perfect recall strategy (IR-strategy)for agent a is a function sa : St+ → Act such thatsa(q0q1 . . . qn) ∈ da(qn) for any finite history q0q1 . . . qn. Aperfect information memoryless strategy (Ir-strategy) is afunction sa : St → Act such that sa(q) ∈ da(q) for eachq. We do not consider the model checking problem for im-perfect information games in this paper, so we will omitdefinitions of ir - and iR-strategies here.

A collective strategy for a group of agents A = {a1, . . . , ar} ⊆Agt is simply a tuple of individual strategies sA = �sa1 , . . . , sar �.

... problem

Formal model

... a property to be verified

Logical (formal) specification

Let's MODEL CHECK....

M, q0 |= ��1, 2��♦ haltϕ = ��1, 2��♦ halt

COMPLEXITY?

I have a ....

?



What is Model Checking? (1)Model checking refers to the problem to determinewhether a given formula ϕ is satisfied in a state q ofmodel M .

Local model checking is the decision problem thatdetermines membership in the setMC(L, Struc, |=) := {(M, q, ϕ) ∈ Struc×L | M, q |= ϕ} ,where

L is a logical language,Struc is a class of (pointed) models for L (i.e. a tupleconsisting of a model and a state), and|= is a semantic satisfaction relation compatible withL and Struc.



What is Model Checking? (2)

It is often useful to compute the set of states in M thatsatisfy formula ϕ instead of checking if ϕ holds in aparticular state. This variant of the problem is known asglobal model checking.Here: The complexities of local and global modelchecking coincide.We are interested in the decidability and thecomputational complexity of determining whether aninput instance (M, q, ϕ) belongs to MC(. . . ).



Input sizeImportantThe complexity is always relative to the size of the input!

That is, the size of the representation of the modeland the representation of the formula that we use.In order to establish the complexity, it is necessary to fixhow we represent the input and how we measure itssize.

Remark 3.1Sometimes it makes sense to only consider the size of themodel or of the formula.

In this course, we always consider the size of the modeland of the formula .



Input sizeThe size of the model (|M|) is given by the number oftransitions in M, and the size of the formula (|ϕ|) isgiven by its length (i.e., the number of elements it iscomposed of, apart from parentheses).

Why do we not consider the number of states in amodel?

For example, the formula A j(pos0 ∨ pos1) has length 5.

Be careful......if numbers are involved!



Model Checking LTL/CTLLet M be a Kripke model and q be a state in the model.

Model checking a LCTL/LCTL∗-formula ϕ in M, q meansto determine whether M, q |= ϕ, i.e., whether ϕ holds inM, q.

For LTL, checking M, q |= ϕ means that we check thevalidity of ϕ in the pointed model M, q, i.e., whether ϕholds on all the paths in M that start from q.

That is, it is equivalent to CTL? model checking of aformula Aϕ in M, q.



Model Checking CTL

Let the function pre(Q′) return all states such that thereis a transition leading to a state in Q′ .

The following algorithm is based on the followingfixed-point characterisations:

E�ϕ ↔ ϕ ∧ E jE�ϕ,Eϕ1 U ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ E jEϕ1 U ϕ2).



Model Checking CTLfunction mcheck(M, ϕ).case ϕ ≡ p : return {q ∈ Q | p ∈ π(q)}case ϕ ≡ ¬ψ : return Q \mcheck(M, ψ)case ϕ ≡ ψ1 ∧ ψ2 : return mcheck(M, ψ1) ∩mcheck(M, ψ2)case ϕ ≡ E jψ : return pre(mcheck(M, ψ))case ϕ ≡ E�ψ :Q1 := Q; Q2 := Q3 := mcheck(M, ψ);while Q1 6⊆ Q2 do Q1 := Q1 ∩Q2; Q2 := pre(Q1) ∩Q3 od;return Q1

case ϕ ≡ Eψ1 U ψ2 :Q1 := ∅; Q2 := mcheck(M, ψ2); Q3 := mcheck(M, ψ1);while Q2 6⊆ Q1 do Q1 := Q1 ∪Q2; Q2 := pre(Q1) ∩Q3 od;return Q1

end case

Figure 3: CTL-model checking algorithm



Model Checking CTL

Theorem 3.2(CTL [Clarke et al., 1986, Schnoebelen, 2003])

Model checking CTL is P-complete, and can be done in timeO(|M| · |ϕ|), where |M| is given by the number oftransitions.

ProofThe algorithm determining the states in a model at which agiven formula holds is presented in Figure 3 on Slide 124.The lower bound (P-hardness) can be for instance provenby a reduction of the Circuit-Value-Problem[Schnoebelen, 2003].



Model Checking LTL and CTLOften, one is only interested in the complexity class ofmodel checking and not in a specific algorithm and itsdetailed complexity. Is there a more convenient way todetermine the complexity without working out thealgorithm?

Automata-theory to build algorithms.Unified approach.Automata are well studied.Simplifies complexity analysis.Usually, one is only interested in a complexity class. Itis very time-demanding to come up with a goodalgorithm.


3 Model Checking Temporal Logics3.3 Büchi Automata

3.3 Büchi Automata



Büchi Automata

We would like to use finite automata to solve themodel checking problem.

Finite automata (on finite words) accept only finitewords but paths are infinite.

We need to extend the model to finite automata thataccept infinite words.

How can we accept infinite words?



Definition 3.3 (ω-automaton)

An ω-automaton is a quintuple

A = (Q,Σ,∆, qI , C)

where1 Q is a finite set of states;2 Σ is a finite alphabet;3 ∆ ⊆ Q× Σ×Q a transition relation ;4 qI is the initial state; and5 C an acceptance component (which is specialised in

the following).

The crucial point is the acceptance condition!



Depending on the acceptance condition various types ofautomata arise (e.g., Büchi, Rabin, Muller automata).

Definition 3.4 (Run)

A run ρ = ρ(0)ρ(1) · · · ∈ Qω of A on a wordw = w1w2 · · · ∈ Σω is an infinite sequence of states of Asuch that:

1 ρ(0) = qI

2 ρ(i) ∈ ∆(ρ(i− 1), wi) for i ≥ 1.

We define Inf (ρ) as the set of all states that occur infinitelyoften on ρ; that is,

Inf (ρ) = {q ∈ Q | ∀i∃j(j > i ∧ ρ(j) = q)}



Definition 3.5 (Büchi automaton)

A Büchi automaton is a ω-automaton

A = (Q,Σ,∆, qI , F )

where F ⊆ Q with the following acceptance condition: Aaccepts w ∈ Σω if, and only if, there is a run ρ of A such that

Inf (ρ) ∩ F 6= ∅Thus, such an automaton accepts all words such that somestate from F is visited infinitely often on a correspondingrun.



Definition 3.6 (Acceptable language)

The language accepted by A, L(A), consists of all wordsaccepted by A. That is,

L(A) = {w ∈ Σω | A accepts w}.

A language is said to be (Büchi) acceptable if there is aBüchi automaton that accepts it.

Remark 3.7 (Other automata types)Other acceptance conditions yield different automata types:Rabin automata, Muller automata.



Example 3.8

Is there a Büchi Automaton that accepts the followinglanguage L over Σ = {a, b, c}?

L = {w ∈ Σω | w contains infinitely many a or b and onlyfinitely many c }

blackboard



Example 3.9

Is there a Büchi Automaton that accepts the followinglanguage L over Σ = {a, b}?

L = {w ∈ Σω | w ends with aω or (ab)ω}



Proposition 3.10 (Closure propeties)

1 Büchi acceptable languages are closed under union,intersection, and negation.

2 If A is a regular language with ε 6∈ A, then, Aω is Büchiacceptable.

3 If A is a regular language and B is Büchi recognizable,then AB is Büchi acceptable.



Proof sketch1 Union: Nondeterministically guess which automata

should be executed. ExerciseIntersection: Product automaton yields a generalizedBüchi automaton. The acceptance set is given by{F1 × S2, S1 × F2}. ExerciseComplementation: This part is non-trivial and cannotbe done in the scope of this lecture.

2 Idea: Connect transitions to final states also with theinitial state Exercise

3 Idea: Connect transitions to final states of the finiteautomaton with the initial state of the Büchiautomaton. Exercise



Theorem 3.11 (Characterization Theorem)

A language L is Büchi acceptable if, and only if, there arefinitely many regular languages U1, . . . , Un and V1, . . . , Vnsuch that

L =⋃

i=1,...,n

Ui(Vi)ω

This shows that any language L 6= ∅ acceptable by a Büchiautomaton contains an ultimately periodic word.

Example 3.12For the language L = {w ∈ Σω | w ends with aω or (ab)ω}from Example 3.9 we have that L = Σ∗{a}ω ∪ Σ∗{ab}ω.



Proof of Theorem 3.11“⇒”: Let W (q, q′) = {w ∈ Σ∗ | q →w q′}. Each languageW (q, q′) is regular. Then,

L(A) =⋃q∈Qf

W (qI , q)(W (q, q))ω.

“⇐”: Let L =⋃i=1,...,n Ui(Vi)

ω where each Ui, Vi is regular. ByProposition 3.10 we have that (Vi)

ω and Ui(Vi)ω are Büchirecognizable. Thus also their finite union.



Definition 3.13 (Generalized Büchi automaton)

A generalized Büchi automaton is an ω-automaton

A = (Q,Σ,∆, qI , F )

where F ⊆ P(Q) with the following acceptance condition:A accepts w ∈ Σω if, and only if, there is a run ρ of A suchthat for each Fi ∈ F

Inf (ρ) ∩ Fi 6= ∅.Thus, such an automaton accepts all words such that somestate from each Fi is visited infinitely often on acorresponding run.



We will use generalized Büchi automata for model checkingLTL. How is the relation between Büchi and generalizedBüchi automata?

Proposition 3.14 (Generalized Büchi Büchi)

For each generalized Büchi automaton one can constructan equivalent Büchi automaton.

Proof.Idea: Consider state-tuples: S × {1, . . . , k}. If the GBA movesto the next acceptance set a counter is incremented(modulo k). Then, a run visits states from each Fi infinitelyoften iff states from F1 × {1} appear infinitely often.



Proof ctd.Let A = (Σ, S,∆, S0, {F1, . . . , Fn}) be a generalized Büchiautomaton. We construct the Büchi AutomatonA′ = (Σ, S ′,∆′, S ′0, F

′):S ′ = S × {1, . . . , n};S ′0 = S0 × {1};((s, j), a, (t, i)) ∈ ∆′ iff

(s, a, t) ∈ ∆ and

{i = j , if s 6∈ Fj;i = (j + 1) mod k , if s ∈ Fj;

F ′ = F1 × {1}.



Proof ctd.It remains to prove that both automata accept the samelanguages. We present the main ideas.“⇒“: Let A be a GBA that accepts the word w. Then, there isa run ρ such that states from each Fi, i = 1, . . . , k, occurinfinitely often on ρ. That is, there is an infinitesubsequence (q1 . . . qk)

ω of ρ such that qi ∈ Fi. Hence, thestate (q1, 1) is visited infinitely often in the automaton A′.

“⇐“: Let A′ accept the word w. Then, some state (q1, 1) withq1 ∈ F1 is visited infinitely often.After it has been visitedonce the automaton is in a state (q, 2) and can only returnto (q′, 1) if some state q ∈ F2 is visited, some from F3 and soon is visited.



Example 3.15

q1

a

a

bb

q0

F1 F2

q0, 1 q1, 1

q1, 2q0, 2

aa

a

a

b

b

b

b



Checking EmptinessFor the model checking algorithms we need to checkwhether the language of a Büchi automaton is empty.

Definition 3.16 (Graph reachability)

Let G = (V,E) be graph. Given two vertices u, v ∈ V thegraph-reachability problem is the question whether v isreachable from u.

Theorem 3.17 ([Jones, 1977, Jones, 1975])The graph-reachability problem isNLOGSPACE-complete under logspace-reductions.



Theorem 3.18 ([Emerson and Lei, 1987])

The emptiness problem for Büchi automata is solvable inlinear time and in nondeterministic logarithmic space .

ProofWe check whether there is some ultimately periodic wordby finding an accepting state reachable from the initial stateand form itself. The following algorithm runs innon-deterministic logarithmic space:

1 Guess an accepting state r, and2 check whether reach(r, r).



How does reach(x , y) work?1 Chose some x-successor x′ (non-determinism!).2 Return “yes”, if x′ = y else reach(x ′, y).

Hardness is shown by a reduction of theNLOGSPACE-complete problem of graph reachabilityfrom Definition 3.16. Given G, u, v, transform G to a Büchiautomaton with initial state u and final state v and add aloop to v.

v reachable from u in G iff automaton non-empty.


3 Model Checking Temporal Logics3.4 Model Checking LTL

3.4 Model Checking LTL



Automata and Model CheckingHow can we use automata for the model checkingproblem?

The basic idea is the following:

1 We build an automaton AM,q0 accepting the paths ofmodel M, q0.

2 We build an automaton Aϕ accepting all pathssatisfying ϕ.

3 Then, we have:M |= ϕ iff L(AM,q0) ⊆ L(Aϕ).



Büchi Automata and Kripke ModelsWe can relate a Kripke model M = (Q,R, π) and a stateq0 ∈ Q to a Büchi automaton AM,q0 = (Σ, Q, q0,∆, Q) where

Σ = P(Prop): Each input symbol is a set ofpropositions,q′ ∈ ∆(q, w) iff ((q, q′) ∈ R and w = π(q)),all states being accepting states (i.e. each infinite runof the automaton is accepting).

ImportantThe automaton accepts words over P(Prop) but paths aresequences of states! What now?



LTL Semantics RevisitedThe truth of λ, π |= ϕ does only depend on thepropositions true at states.

Clearly, for path λ, λ′ we have the following:

If for all i ∈ N0

π(λ[i]) = π(λ′[i]) then λ, π |= ϕ iff λ′, π |= ϕ.

Hence, we can also use the infinite word

λπ := π(λ[0])π(λ[1])π(λ[2]) · · · ∈ P(Prop)ω

to give truth to LTL-formulae.

How do the semantic clauses change?



Alternative LTL SemanticsThe original clauses had the following form:

λ, π |=LTL p iff λ[0] ∈ π(p);λ, π |=LTL ¬ϕ iff λ, π 6|=LTL ϕ;λ, π |=LTL ϕ ∧ ψ iff λ, π |=LTL ϕ and λ, π |=LTL ψ.

What happens if we use λπ instead of λ, π?

We simply replace “λ, π” by “λπ” everywhere and modifythe clause for propositions as follows:

λπ |=LTL p iff p ∈ λπ[0].

Note, we use the same notations for λπ as for paths!



We can state the relation between ΛM, M, q and AM,q

precisely.

Proposition 3.19Let M = (Q,R, π) and q0 ∈ Q. The automaton AM,q0 acceptsthe language

{λπ | λ ∈ ΛM(q0)}.

Proof.Exercise!



In the following we define the automaton Aϕ acceptingexactly those infinite words w over P(Prop) such thatw |= ϕ. Then, we have:

M,q |= ϕ iff L(AM,q) ⊆ L(Aϕ) iff L(AM,q) ∩ L(Aϕ) = ∅.

How can we avoid the complementation of the Büchiautomaton (this operation is expensive)? We have:

L(AM,q) ∩ L(Aϕ) = ∅ iff L(AM,q) ∩ L(A¬ϕ) = ∅.



The Automaton Aϕ

In the following we are concerned with construction theautomaton Aϕ.

Theorem 3.20 ([Sistla and Clarke, 1985,Lichtenstein and Pnueli, 1985, Vardi and Wolper, 1986])

For a given LLTL-formula ϕ a Büchi AutomatonAϕ = (S,Σ,∆, S0, F ) accepting exactly the words satisfying ϕcan be constructed where Σ = P(Prop) and |S| ≤ 2(O(|ϕ|)).

In the following we introduce additional notation andconstruct the automaton.



How does the automaton look like?

States will consist of subformulae of ϕ (or theirnegations).A run ρ = S1S2 . . . of the automaton is an infinitesequence of such subformulae sets.

Note that we showed how to interpret LTL formulae overwords of P(Prop).

Given such a word λπ = w1w2 . . . we would like to extendeach wi with subformulae to Si such that

λπ[i,∞] |= ψ iff ψ ∈ Si



Definition 3.21 (Closure cl(ϕ))The closure cl(ϕ) is defined as follows:

1 ϕ ∈ cl(ϕ),2 φ ∧ ψ ∈ cl(ϕ) implies φ, ψ ∈ cl(ϕ),3 ¬ψ ∈ cl(ϕ) implies ψ ∈ cl(ϕ),4 ψ ∈ cl(ϕ) and ψ 6= ¬φ implies ¬ψ ∈ cl(ϕ),5 jψ ∈ cl(ϕ) implies ψ ∈ cl(ϕ),6 ψ U φ ∈ cl(ϕ) implies ψ, φ ∈ cl(ϕ).

Note, that it holds that |cl(ϕ)| ≤ 2|ϕ|.



Example 3.22 (Closure)

How does the closure for ϕ = r U (s ∨ t) look like?The closure cl(ϕ) consists of the following formulae:

1 ϕ

2 s ∨ t3 r

4 s

5 t

and their negations!

What other properties should such sets fulfill? Note, that weare interested in a correspondence to runs.



Definition 3.23 (Logically consistent)We call B ⊆ cl(ϕ) logically consistent iff for allϕ1 ∧ ϕ2, ψ ∈ cl(ϕ):

1 ϕ1 ∧ ϕ2 ∈ B iff ϕ1 ∈ B and ϕ2 ∈ B,2 ψ ∈ B implies ¬ψ 6∈ B,3 > ∈ cl(ϕ) implies > ∈ B.

We identify ¬¬ϕ with ϕ.

Definition 3.24 (Locally consistent)We call B ⊆ cl(ϕ) locally consistent iff for allϕ1 U ϕ2 ∈ cl(ϕ):

1 ϕ2 ∈ B implies ϕ1 U ϕ2 ∈ B.2 ϕ1 U ϕ2 ∈ B and ϕ2 6∈ B implies ϕ1 ∈ B.



Definition 3.25 (Maximal consistent)We call B ⊆ cl(ϕ) maximal iff for all ψ ∈ cl(ϕ)

ψ 6∈ B implies ¬ψ ∈ B.We identify ¬¬ϕ with ϕ.

Definition 3.26 (Elementary, EL(ϕ))We call B ⊆ cl(ϕ) elementary iff B is logically and locallyconsistent and maximal.We define EL(ϕ) as the set of all elementary subsets ofcl(ϕ).

In the following we construct infinite words over EL(ϕ) thatcorresponds to accepting paths.



The closure of ϕ = r U s is given by {ϕ,¬ϕ, r, s,¬r,¬s}.Which of the following sets are elementary?

1 ∅2 {r U s, r, s}3 {r U s, r}4 {r U s,¬r,¬s}5 {r U s,¬r, s}6 {r U s, r,¬s}7 {r U s, r,¬r,¬s}8 {¬r U s, r,¬s}9 {¬r U s,¬r,¬s}



Example 3.27 (Elementary sets)

The closure of ϕ = r U s is given by

cl(ϕ) = {ϕ,¬ϕ, r, s,¬r,¬s}

The following list contains all elementary sets of ϕ:

1 E1 = {r U s, r, s}2 E2 = {r U s,¬r, s}3 E3 = {r U s, r,¬s}4 E4 = {¬r U s, r,¬s}5 E5 = {¬r U s,¬r,¬s}



It is easily seen that we have the following fixed-pointequivalence

ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ jϕ1 U ϕ2).

We construct a path over EL(ϕ):

Definition 3.28 (ϕ-closure-labelling)A ϕ-closure-labelling is a function

τ : N0 → EL(ϕ)

such that:(C1) jϕ ∈ τ(i) iff ϕ ∈ τ(i+ 1),(C2) ϕ1 U ϕ2 ∈ τ(i) iff

ϕ2 ∈ τ(i) or (ϕ1 ∈ τ(i) and ϕ1 U ϕ2 ∈ τ(i+ 1)),(C3) ϕ1 U ϕ2 ∈ τ(i) implies ∃j(j ≥ i and ϕ2 ∈ τ(j)).

(C1) – (C3) mirror the semantics of path formulae of LTL.Nils Bulling and Jürgen Dix ·Model Checking Temporal and Strategic Logics EASSS, 2010 162


Remark 3.29The fixed-point equivalence is modelled by (C2). Still, the“valid” closure labelling has to ensure that sometimes ϕ2

becomes eventually the case. This is captured by (C3).

Given a word λπ a closure labelling corresponding to λπ

should agree with the propositional symbols.

Definition 3.30 (λπ-valid)A ϕ-closure-labelling τ is said to be λπ-valid iff for allp ∈ Prop it holds that

1 p ∈ τ(i) implies p ∈ λπ[i], and2 ¬p ∈ τ(i) implies p 6∈ λπ[i].



Lemma 3.31 (Soundness Lemma)

Let ϕ ∈ LLTL(Prop) and τ be a λπ-valid closure labelling.Then, for all ϕ′ ∈ cl(ϕ) and all i ≥ 0 it holds that

ϕ′ ∈ τ(i) iff λπ[i,∞] |= ϕ′.

Lemma 3.32 (Existence Lemma)

Let ϕ ∈ LLTL(Prop). If λπ |= ϕ. Then, there is a λπ-validϕ-closure labelling τ such that ϕ ∈ τ(0).



Proof of Lemma 3.31.The proof is done by structural induction on ϕ′. Exercise!

Proof of Lemma 3.32.The labelling is constructed from λπ and by the subformulaetrue at each point. Exercise!

From these lemmata we obtain the following theorem.

Theorem 3.33

Let ϕ ∈ LLTL(Prop). Then, λπ |= ϕ iff there is a λπ-validϕ-closure labelling τ such that ϕ ∈ τ(0).

Now we proceed with the proof of Theorem 3.20.



Proof Idea

λ = q0q1q2 . . .

τ = B0B1B2 . . .

λπ = π(q0)π(q1)π(q2) . . .

τ is λπ-valid ϕ-closure labelling iff

run of the automaton given λπ

λπ |= ϕ iff

λ,π |= ϕ iff λπ |= ϕ

τ accepted by the automaton



Proof of Theorem 3.20Using Theorem 3.33 we build a generalised Büchiautomaton accepting all the in finite words λπ thatcorrespond to a λπ-valid ϕ-closure-labelling.

Idea:1 The automaton reads λπ.2 Each symbol causes a state change, states are

elementary sets.3 Runs ρ of the automaton correspond to ϕ-closure

labellings.4 ρ is accepted iff it is λπ-valid and satisfies ϕ.



The automaton is defined as A = (Σ, S,∆, S0, F ) where1 Σ = P(Prop)

2 S = EL(ϕ)

3 S0 = {s ∈ S | ϕ ∈ s}4 F see below5 (s, a, t) ∈ ∆ iff

1 s ∩ Prop = a2 ∀ iψ ∈ cl(ϕ) : iψ ∈ s iff ψ ∈ t3 ∀ϕ1 U ϕ2 ∈ cl(ϕ) :

ϕ1 U ϕ2 ∈ s iff (ϕ2 ∈ s or (ϕ1 ∈ s and ϕ1 U ϕ2 ∈ t))



Proof of Theorem 3.20 ctd.How to define the set of accepting states?We need to ensure that condition (C3) of aϕ-closure-labelling is satisfied; that is, that eventualitiesbecome actually satisfied.

So, once a state containing an eventuality ϕ1 U ϕ2 is visitedsometime in the future a state containing ϕ2 must be visited.

We require that states containing

(ϕ2 and ϕ1 U ϕ2) or not ϕ1 U ϕ2

occur infinitely often.



Proof of Theorem 3.20 ctd.So, let ϕ1 U ψ1, . . . , ϕn U ψn be all eventualities occuring incl(ϕ). Then, we define F = {F1, . . . , Fn} with

Fi = {s ∈ S | {ϕi U ψi, ψi} ⊆ s or ϕi U ψi 6∈ s}.

That is,

F = {{s ∈ Q | ϕ1 U ϕ2 6∈ s or ϕ2 ∈ s} | ϕ1 U ϕ2 ∈ cl(ϕ)}.



Proof of Theorem 3.20 ctd.In line with Theorem 3.33 we have to show that A acceptsλπ iff there is an accepting run ρ with ϕ ∈ ρ(0) and whichis an λπ-valid ϕ-closure labelling. This is immediate byconstruction.

Finally, we convert the generalised Büchi automaton to aBüchi automaton (cf. Proposition 3.14).The number of states of the automaton is exponential in thelength of the formula.



Encoding as Generalised BüchiAutomaton

How did we encode the logical elements?

Semantics of propositional logic? statesj-operator? transition relationU -operator? states plus transition relation plusacceptance condition

ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ jϕ1 U ϕ2)



Example 3.34We consider the formula ϕ = r U s. Elementary sets of ϕ:

1 E1 = {r U s, r, s}2 E2 = {r U s,¬r, s}3 E3 = {r U s, r,¬s}4 E4 = {¬r U s, r,¬s}5 E5 = {¬r U s,¬r,¬s}



Constructing the Automaton for rU s

rU sr, s

rU s¬r, s

rU sr,¬s

¬(rU s)r,¬s

¬(rU s)¬r,¬s

Initial states?{s ∈ S | ϕ ∈ s}

Accepting states?If ϕ1 U ϕ2 ∈ cl(ϕ)thenϕ1 U ϕ2 6∈ s orϕ2 ∈ s



rU sr, s

rU s¬r, s

rU sr,¬s

¬(rU s)r,¬s

¬(rU s)¬r,¬s

Initial states?{s ∈ S | ϕ ∈ s}Accepting states?If ϕ1 U ϕ2 ∈ cl(ϕ)thenϕ1 U ϕ2 6∈ s orϕ2 ∈ s

A reads {r}

∀r U s ∈ cl(ϕ) : r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t))



rU sr, s

rU s¬r, s

rU sr,¬s

¬(rU s)r,¬s

¬(rU s)¬r,¬s

{r}

{r}

{r}

{r}

{r}A reads {r}

A reads {s}




rU sr, s

rU s¬r, s

rU sr,¬s

¬(rU s)r,¬s

¬(rU s)¬r,¬s

{s}

{s}{s}

{s}

{s}

A reads {s}

A reads {r, s}




rU sr, s

rU s¬r, s

rU sr,¬s

¬(rU s)r,¬s

¬(rU s)¬r,¬s

{r, s}

{r, s} {r, s}

{r, s}

{r, s}

A reads {r, s}

A reads ∅




rU sr, s

rU s¬r, s

rU sr,¬s

¬(rU s)r,¬s

¬(rU s)¬r,¬s

∅

∅

∅

∅

∅

A reads ∅




rU sr, s

rU s¬r, s

rU sr,¬s

¬(rU s)r,¬s

¬(rU s)¬r,¬s

{r, s}

{r}

{r}

{r}

{r}

{s}

{s}{s}

{s}

{s}

{r, s} {r, s}

{r, s}

{r, s}

{r}

∅

∅

∅

∅

∅

The completeautomaton




Theorem 3.35 (LTL [Sistla and Clarke, 1985,

Lichtenstein and Pnueli, 1985, Vardi and Wolper, 1986])

Model checking LTL is PSPACE-complete, and can bedone in time 2O(|ϕ|)O(|M|), where |M| is given by the numberof transitions.



Proof: Upper BoundGiven an LLTL-formula ϕ.

1 Construct Büchi automaton A¬ϕ of size 2O(|ϕ|)

accepting exactly the words satisfying ¬ϕ.2 Kripke model M, q can directly be interpreted as a

Büchi automaton AM,q of size O(|M|) accepting allpossible words in the Kripke model starting in q.

3 The model checking problem reduces to thenon-emptiness check of L(AM,q) ∩ L(A¬ϕ) which canbe done in time O(|M|) · 2O(|ϕ|) by constructing theproduct automaton.



Proof: Lower BoundSimulate nk-space bounded deterministic Turingmachine A = (S,Σ, δ, s0, Sf ).

Tape Cell 1 Tape Cell 2 Tape Cell n^k

Content of one cell

A configuration (Instant Description)ID-Start

ID-End

Prop = (S × Σ) ∪ Σ ∪ {ID − Start, ID − End}



Proof: Lower BoundA path will be related to a sequence of instantaneousdescriptions.

1 Use nk j-operators to describe an ID.2 ψw: Encodes the input w.3 ψvalid: Checks whether an ID is valid.4 ψnext: Ensures that each successive ID follows from the

current one.5 ψaccept: Describes the halting configurations.

Let ψ := ψw ∧ ψvalid ∧ ψnext ∧ ψaccept. Then, we have

M, q0 6|= ¬ψ iff ∃λ ∈ Λ(q0) : λ, π |= ψ iff A accepts w.


3 Model Checking Temporal Logics3.5 Model Checking CTL∗

3.5 Model Checking CTL∗



Theorem 3.36(CTL? [Clarke et al., 1986, Emerson and Lei, 1987])

Model checking CTL? is PSPACE-complete, and can bedone in time 2O(|ϕ|)O(|M|), where |M| is given by the numberof transitions.

Proof.The hardness of CTL? model checking is immediate fromTheorem 3.35 as LLTL “can be seen” as a fragment ofLCTL∗.



Upper bound: Combine CTL and LTL model checking.

Consider LCTL∗-formula ϕ containing Eψ where ψ is apure LLTL-formula.Determine all states which satisfy Eψ (these are allstates q with M, q 6|=LTL ¬ψ), Complexity: PSPACE.Label them by a fresh proposition, say p, and replace

Eψ in ϕ by p: E j(

p2︷︸︸︷r ∧ E♦s︸︷︷︸

p1

) E j(p2 ∧ p1)

Applying this procedure recursively yields a pureLCTL-formula which can be verified in polynomial time.Complexity: PPSPACE = PSPACE

This is a standard approach often used!



Summary

Model checking CTL is P-complete.

Model checking LTL is PSPACE-complete. Thealgorithm has been constructed from Büchi automata.

Model checking CTL? is also PSPACE-complete. Thealgorithm is obtained by the ones for CTL and LTL.


3 Model Checking Temporal Logics3.6 References

3.6 References



Alur, R., Henzinger, T. A., and Kupferman, O. (1997).Alternating-time Temporal Logic.In Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS), pages 100–109. IEEEComputer Society Press.


Baier, C. and Katoen, J.-P. (2008).Principles of Model Checking.The MIT Press.

Beeri, C. (1980).On the menbership problem for functional and multivalued dependencies in relational databases.ACM Trans. Database Syst., 5(3):241–259.

Clarke, E. and Emerson, E. (1981).Design and synthesis of synchronization skeletons using branching time temporal logic.In Proceedings of Logics of Programs Workshop, volume 131 of Lecture Notes in Computer Science, pages 52–71.

Clarke, E., Emerson, E., and Sistla, A. (1986).Automatic verification of finite-state concurrent systems using temporal logic specifications.ACM Transactions on Programming Languages and Systems, 8(2):244–263.



Emerson, E. and Halpern, J. (1986).Sometimes and not never revisited: On branching versus linear time temporal logic.Journal of the ACM, 33(1):151–178.

Emerson, E. A. and Lei, C.-L. (1987).Modalities for model checking: Branching time logic strikes back.Science of Computer Programming, 8(3):275–306.

Immerman, N. (1981).Number of quantifiers is better than number of tape cells.Journal of Computer and System Sciences, 22(3):384 – 406.

Jones, N. D. (1975).Space-bounded reducibility among combinatorial problems.Journal of Computer and System Sciences, 11(1):68 – 85.

Jones, N. D. (1977).Corrigendum: Space-bounded reducibility among combinatorial problems.J. Comput. Syst. Sci., 15(2):241.

Lichtenstein, O. and Pnueli, A. (1985).Checking that finite state concurrent programs satisfy their linear specification.In POPL ’85: Proceedings of the 12th ACM SIGACT-SIGPLAN symposium on Principles of programming languages,pages 97–107, New York, NY, USA. ACM.



Pnueli, A. (1977).The temporal logic of programs.In Proceedings of FOCS, pages 46–57.

Schnoebelen, P. (2003).The complexity of temporal model checking.In Advances in Modal Logics, Proceedings of AiML 2002. World Scientific.

Schobbens, P. Y. (2004).Alternating-time logic with imperfect recall.Electronic Notes in Theoretical Computer Science, 85(2).

Sistla, A. P. and Clarke, E. M. (1985).The complexity of propositional linear temporal logics.J. ACM, 32(3):733–749.

Vardi, M. Y. and Wolper, P. (1986).An automata-theoretic approach to automatic program verification (preliminary report).In Proceedings of the First Annual IEEE Symposium on Logic in Computer Science (LICS 1986), pages 332–344. IEEEComputer Society Press.


4 Reasoning about Strategies

4. Reasoning aboutStrategies

4 Reasoning about StrategiesAlternating-Time Temporal LogicsImperfect InformationReferences


4 Reasoning about Strategies4.1 Alternating-Time Temporal Logics

4.1 Alternating-TimeTemporal Logics



The picture so far...What kind of logics did we introduce so far?

Basic Modal Logics: modelling what is possible andnecessary

Instantiations: epistemic logics, dynamic logics, . . .Linear-time temporal logic (LTL)Branching-time logics (CTL and CTL?)

In the temporal case each transition modelled a time step.We considered only “actor”.

Now: Modelling abilities of multiple agents.

Agents can execute actions and cooperate. Actionprofiles determine the behaviour of the system.



Alternating-time Temporal Logics

ATL, ATL∗ [Alur et al. 1997]Temporal logic meets game theoryModeling abilities of multiple agentsMain idea: cooperation modalities

〈〈A〉〉ϕ: coalition A has a collective strategy toenforce ϕ

Enforcement is understood in the game-theoretical sense:There is a winning strategy.



The syntax is given as for the computation-tree logics.

Definition 4.1 (Language LATL∗[Alur et al., 1997])The language LATL∗ is given by all formulae generated bythe following grammar:

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | 〈〈A〉〉γ whereγ ::= ϕ | ¬γ | γ ∧ γ | γ U γ | jγ,

A ⊆ Agt, and p ∈ Prop. Formulae ϕ (resp. γ) are called state(resp. path) formulae.



The language LATLrestricts LATL∗ in the same way as LCTLrestricts LCTL∗: Each temporal operator must be directlypreceded by a cooperation modality.

Definition 4.2 (Language LATL[Alur et al., 1997])

The language LATL is given by all formulae generated by thefollowing grammar:

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | 〈〈A〉〉 jϕ | 〈〈A〉〉�ϕ | 〈〈A〉〉ϕU ϕwhere A ⊆ Agt and p ∈ Prop.



The language LATL+restricts LATL∗ but extends LATL. It allowsfor Boolean combinations of path formulae.

Definition 4.3 (Language LATL+)

The language LATL+ is given by all formulae generated bythe following grammar:

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | 〈〈A〉〉γ,γ ::= ¬γ | γ ∧ γ | jϕ | ϕU ϕ.

where A ⊆ Agt and p ∈ Prop.



ATL Models: Concurrent GameStructures

Agents, actions, transitions, atomic propositionsAtomic propositions + interpretationActions are abstract

1 2

1

2

1

2

pos0

pos1pos2

q0

q2 q1

pos0

pos1

wait,wait

wait,wait wait,wait

push,push

push,push push,pushpu

sh,w

ait

push,wait

push,wait

wait,push

pos2

wait,pushw

ait,p

ush



Definition 4.4 (Concurrent Game Structure)A concurrent game structure is a tupleM = 〈Agt, Q, π, Act, d, o〉, where:

Agt: a finite set of all agents;Q: a set of states;π : Q→ P(Prop): a valuation of propositions;Act: a finite set of (atomic) actions;d : Agt×Q→ P(Act) defines actions available to anagent in a state;o: a deterministic transition function that assignsoutcome states q′ = o(q, α1, . . . , αk) to states and tuplesof actions.



Recall and informationA strategy of agent a is a conditional plan that specifieswhat a is going to do in each situation.

Two types of “situations”: Decisions are based onthe current state only ( memoryless strategies)

sa : Q→ Act.

on the whole history of events that have happened( prefect recall strategies)

sa : Q+ → Act.

We also distinguish between agents withperfect information (all states are distinguishable).

imperfect information (some state areindistinguishable).



Perfect Information Strategies

Definition 4.5 (IR- and Ir-strategies)A perfect information perfect recall strategy foragent a (IR-strategy for short) is a function

sa : Q+ → Act such that sa(q0q1 . . . qn) ∈ da(qn).The set of such strategies is denoted by ΣIR

a .

A perfect information memoryless strategy for agenta (Ir-strategy for short) is given by a function

sa : Q→ Act where sa(q) ∈ da(q).The set of such strategies is denoted by ΣIr

a .

i (resp. I) stands for imperfect (resp. perfect) information and r(resp. R) for imperfect (resp. perfect) recall. [Schobbens, 2004]



Some NotationThe following holds for all kind of strategies:

A collective strategy for a group of agentsA = {a1, . . . , ar} ⊆ Agt is a set

sA = {sa | a ∈ A}of strategies, one per agent from A.sA|a, we denote agent a’s part of the collectivestrategy sA, sA|a = sA ∩ Σa.s∅ = ∅ denotes the strategy of the empty coalition.ΣA denotes the set of all collective strategies of A.Σ = ΣAgt



Outcome of a strategyout(q, sA)= set of all paths that may occurwhen agents A execute sA from state q onward.

Definition 4.6 (Outcome)λ = q0q1 . . . ∈ Q ∈ out(q, sA) ⊆ Qω iff

1 q0 = q

2 for each i = 1, . . . there is a tuple (αi−11 , . . . , αi−1

k ) ∈ Actksuch that

αi−1a ∈ da(qi−1) for each a ∈ Agtαi−1a = sA|a(q0q1 . . . qi−1) for each a ∈ Ao(qi−1, α

i−11 , . . . , αi−1

k ) = qi }

For an Ir-strategy replace “sA|a(q0q1 . . . qi−1)” by“sA|a(qi−1)”.



Example: Robots and Carriage

q0

q2 q1

pos0

pos1

wait,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

wait,push

push,wait

wait,push

wai

t,pus

h

pos2

pos0 → 〈〈1〉〉�¬pos1



Definition 4.8 (ATLIx, ATL+Ix, ATL∗Ix, ATL, ATL∗)

We define ATLIx, ATL+Ix, and ATL∗Ix as the logics (LATL, |=Ix),

(LATL+ , |=Ix) and (LATL∗ , |=Ix) where x ∈ {r, R}, respectively.Moreover, we use ATL (resp. ATL∗) as an abbreviation forATLIR (resp. ATL∗IR).

Intuitively, a logic is given by the set of all valid formulae.

Example 4.9 (A simple scenario) blackboard



Theorem 4.10

For LATL, the perfect recall semantics is equivalent to thememoryless semantics under perfect information , i.e.,M, q |=IR ϕ iff M, q |=Ir ϕ. Both semantics are different forLATL∗. That is

ATL = ATLIr = ATLIR.

Proof idea.The first “non-looping part” of each path has to satisfy aformula. Exercise

The property has been first observed in [Schobbens, 2004]but it follows from [Alur et al., 2002] in a straightforwardway.



Example: Robots and Carriage (2)

1 2

1

2

1

2

pos0

pos1pos2

1 2

halt q0

q2 q1

pos0

pos1

wait,wait

wait,wait

halt,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

wait,push

push,wait

wait,push

wai

t,pus

h

pos2

halt,push qh

halt

What about 〈〈1, 2〉〉(♦pos1 ∧ ♦halt)?M, q0 |= IR〈〈1, 2〉〉(♦pos1 ∧ ♦halt)M, q0 6|= Ir〈〈1, 2〉〉(♦pos1 ∧ ♦halt)


4 Reasoning about Strategies4.2 Imperfect Information

4.2 Imperfect Information



Imperfect informationHow can we reason about agents/extensive games withimperfect information?

We combine ATL∗ and epistemic logic.We extend CGSS with indistinguishability relations∼a⊆ Q×Q, one per agent. The relations are assumedto be equivalence relations.

We interpret 〈〈A〉〉 epistemically ( |=iR and |=ir)

Problems!

Strategic ability and knowledge are not independent.



Definition 4.11 (CEGS)A concurrent epistemic game structure (CEGS) is a tuple

M = (Agt, Q,Π, π, Act, d, o, {∼a | a ∈ Agt}) with

(Agt, Q,Π, π, Act, d, o) a CGS and∼a⊆ Q×Q equivalence relations (indistinguishabilityrelations).



Example: Robots and Carriage

1 2

1

2

1

2

pos0

pos1pos2

q0

q2 q1

pos0

pos1

wait,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

wait,push

push,wait

wait,push

wai

t,pus

h

pos2

1

2

What about 〈〈Agt〉〉 jpos1 in q0?M, q0 |= Ir〈〈Agt〉〉 jpos1

M, q0 6|= ir〈〈Agt〉〉 jpos1



Problem:Strategic and epistemic abilities are not independent!

〈〈A〉〉Φ = A can enforce Φ

It should at least mean that A are able to identify andexecute the right strategy!

Executable strategies = uniform strategies



Definition 4.12 (Uniform strategy)Strategy sa is uniform iff it specifies the same choices forindistinguishable situations :

Memoryless strategies:if q ∼a q′ then sa(q) = sa(q

′).Perfect recall:

if λ ≈a λ′ then⇒ sa(λ) = sa(λ′),

where λ ≈a λ′ iff λ[i] ∼a λ′[i] for every i.

A collective strategy is uniform iff it consists only ofuniform individual strategies.



Imperfect Information Strategies

Definition 4.13 (IR- and Ir-strategies)A imperfect information perfect recall strategy foragent a (iR-strategy for short) is a uniform IR-strategy.A imperfect information memoryless strategy foragent a (ir-strategy for short) is a uniform Ir-strategy.

The outcome is defined as before.



Imperfect Information SemanticsThe imperfect information semantics is defined as before,only the clause for

M, q |=Ix 〈〈A〉〉ϕ iff there is a collective Ix-strategy sA suchthat, for each path λ ∈ out(q, sA), we have M, λ |=Ix ϕ.

is replaced by

M, q |=ix 〈〈A〉〉ϕ iff there is a collective ix-strategysA such that, for each path λ ∈ ⋃q′:q∼Aq′ out(q′, sA), wehave M, λ |=ix ϕ

where x ∈ {r, R} and ∼A:= ∪a∈A ∼a.Remark 4.14This definition models that “everybody in A knows that ϕ”.



The fixed-point characterisation do not hold anymore!

Theorem 4.15The following formulae are not valid for ATLir:〈〈A〉〉�ϕ ↔ ϕ ∧ 〈〈A〉〉 j〈〈A〉〉�ϕ〈〈A〉〉ϕ1 U ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ 〈〈A〉〉 j〈〈A〉〉ϕ1 U ϕ2).

Proof. : Exercise.

blackboard


4 Reasoning about Strategies4.3 References

4.3 References



Åqvist, L. (1984).Deontic logic.In D. M. Gabbay and F. Guenther (Eds.), Handbook of Philosophical Logic, Vol II, pp. 605–714. Reidel.

R. Alur, T. A. Henzinger, and O. Kupferman (2002).Alternating-time Temporal Logic.Journal of the ACM, 49:672–713.

Broersen, J., Dastani, M., Huang, Z., and van der Torre, L. (2001a).The BOID architecture: conflicts between beliefs, obligations, intentions and desires.In Müller, J., Andre, E., Sen, S., and Frasson, C., editors, Proceedings of the Fifth International Conference onAutonomous Agents, pages 9–16. ACM Press.

Bulling, N., Dix, J., and Jamroga, W. (2010).Model checking logics of strategic ability: Complexity.In Dastani, M., Hindriks, K. V., and Meyer, J.-J. C., editors, Specification and Verification of Multi-Agent Systems.Springer.

Cohen, P. and Levesque, H. (1990).Intention is choice with commitment.Artificial Intelligence, 42:213–261.



E. A. Emerson (1990).Temporal and modal logic.Handbook of Theoretical Computer Science, volume B, 995–1072. Elsevier.

Fagin, R., Halpern, J. Y., Moses, Y. & Vardi, M. Y. (1995).Reasoning about Knowledge.MIT Press: Cambridge, MA.

Fausto Giunchiglia and Paolo Traverso (2000).In Susanne Biundo and Maria Fox (Eds.) Recent Advances in AI Planning, 5th European Conference on Planning,ECP’99, Durham, UK, September 8-10, 1999, Proceedings, 1–20, LNCS 1809, Springer 2000.

Hindriks, K. V., F. S. de Boer, H. Hoek, and J.-J. C. Meyer (1998).Formal semantics of the core of AGENT-0.In ECAI’98 Workshop on Practical Reasoning and Rationality, pp. 20–29.

Huth, M. & Ryan, M. (2000).Logic in Computer Science: Modeling and reasoning about systems.Cambridge University Press.

Jamroga, W. (2004).Strategic planning through model checking of ATL formulae.In L. R. et al., editors, Artificial Intelligence and Soft Computing: Proceedings of ICAISC’04, volume 3070 of LectureNotes in Computer Science, pages 879–884. Springer Verlag.



Wojtek Jamroga and Jürgen Dix (2005).Model Checking Strategic Abilities of Agents under Incomplete Information.In Mario Coppo, Elena Lodi and G. Michele Pinna (Eds.), Proceedings of the Italian Conference on TheoreticalComputer Science (ICTCS ’05), pages 295–308. LNCS 3701. Springer, 2005.

Wojtek Jamroga and Jürgen Dix (2005).Do Agents Make Model Checking Explode (Computationally)?M. Pechoucek and P. Petta and L.Z. Varga (Eds.), Proceedings of the 4th International Central and EasternEuropean Conference on Multi-Agent Systems (CEEMAS ’05), pages 398-407. LNCS 3690. Springer, 2005.

Wojtek Jamroga and Jürgen Dix. (2008)Model Checking Abilities of Agents: A closer look.Journal of Computing Systems, 42(3), 366–410.

Kripke, S. (1963a).Semantical analysis of modal logic I. Normal propositional calculi.Zeitschrift fur math. Logik und Grundlagen der Mathematik 9, 67–96.

Kripke, S. (1963b).Semantical considerations on modal logic.Acta Philosophica Fennica 16, 83–94.



Kripke, S. (1965).Semantical analysis of modal logic II. Non-normal modal propositional calculi.In Addison, Henkin, and Tarski (Eds.), The theory of models, Amsterdam, North-Holland, pp. 206–220.

Pistore, M. and Traverso, P. (2001).Planning as model checking for extended goals in non-deterministic domains.In Proceedings of IJCAI, pages 479–486.

Rao, A. S. and M. Georgeff (1991).Modeling Rational Agents within a BDI-Architecture.In J. F. Allen, R. Fikes, and E. Sandewall (Eds.), Proceedings of the International Conference on KnowledgeRepresentation and Reasoning, Cambridge, MA, pp. 473–484. Morgan Kaufmann.

von Wright, G. H. (1951).Deontic logic.Mind 60, 1–15.Reprinted in G. H. von Wright, Logical Studies, pp. 58–74. Routledge and Kegan Paul, 1957.

Wooldridge, M. (2000).Reasoning about Rational Agents.MIT Press : Cambridge, Mass.



5. Model Checking StrategicLogics

5 Model Checking Strategic LogicsComplexity TheoryTypes of StategiesATLATL∗

ATL+

Imperfect Information and Perfect RecallSummaryReferences



Overview

In this section we turn to model checking strategiclogics (more precisely, alternating-time temporallogics).

The results make use of techniques introduced forLTL and CTL?.

We assume familiarity with basic concepts ofcomplexity theory.


5 Model Checking Strategic Logics5.1 Complexity Theory

5.1 Complexity Theory



Complexity ClassesDeterministic Turing machine (DTM)

infinite (readable and writable) tapefinitely many statesdeterministic moves

Non-deterministic Turing machine (NTM)Like a DTM but non-deterministic moves are allowed.

Orcale Machine (OTM)Let A be a language . An A-oracle machine is a DTMor NTM with a subroutine which allows to decide inone step whether w ∈ A for some word w.For a complexity class C a C-oracle machine is aA-oracle machine for any A ∈ C.



Complexity Classes ΣP2 , ∆P

2 , ∆P3

ΣPi : problems solvable in polynomial time by a

non-deterministic Turing machine making adaptivequeries to a ΣP

i−1 oracle; i.e. by ΣPi−1-oracle polynomial

time NTMs.ΣP

2 = NPNP: problems solvable in polynomial time bya non-deterministic Turing machine making adaptivequeries to an NP oracle.∆P

2 = PNP: A problem is in ∆P2 = PNP if it can be solved

in deterministic polynomial time with subcalls to anNP-oracle. We also have ∆P

3 := P[NPNP] and ∆P1 = P.

We have:

P = ∆P1 ⊆ ΣP

1 = NP ⊆ ∆P2 ⊆ ΣP

2 ⊆ · · · ⊆ PH ⊆ PSPACE.


5 Model Checking Strategic Logics5.2 Types of Stategies

5.2 Types of Stategies



StrategiesWe have introduced four types of strategies:

1 ir-strategies;2 Ir-strategies;3 IR-strategies;4 iR-strategies.

How many strategies are there for each type?1 exponentially many;2 exponentially many;3 infinitely many;4 infinitely many.

Exponentially many wrt the size of the input! ≈ |Act||Q|



Assume we are looking for a “good” Ir-strategy wrt someproperty P . How complex is this task? (Upper bound)

It is in NP, provided P ∈ P!1 Guess sA;2 check whether sA satisfies P .

And the case for “good” ir-strategies?

It is also in NP, provided P ∈ P! Why? What aboutuniformity?

1 Guess Ir-strategy sA;2 check whether it is an ir-strategy, i.e. for uniformity (Q

is finite!);3 check whether sA satisfies P .



What if P is verifiable in C for an arbitrary complexityclass C?

Finding ir- and Ir-strategies is in NPC.

What about perfect recall strategies?

There are infinitely many: So there is no general method!


5 Model Checking Strategic Logics5.3 ATL

5.3 ATL



Perfect InformationRecall Theorem 4.10: ATL = ATLIr = ATLIR

The ATL model checking algorithm employs the well-knownfixpoint characterisations :

〈〈A〉〉�ϕ ↔ ϕ ∧ 〈〈A〉〉 j〈〈A〉〉�ϕ,〈〈A〉〉ϕ1 U ϕ2 ↔ ϕ2 ∨ ϕ1 ∧ 〈〈A〉〉 j〈〈A〉〉ϕ1 U ϕ2.

Do these characterisations also hold for incompleteinformation?

No! A choice of an action at a state q has non-localconsequences: It automatically fixes choices at all states q′

indistinguishable from q for the coalition A.



function mcheck(M,ϕ).Returns states q with M, q |= ϕ.case ϕ ∈ Π : return π(p)case ϕ = ¬ψ : return Q \mcheck(M,ψ)case ϕ = ψ1 ∨ ψ2 : return mcheck(M,ψ1) ∪mcheck(M,ψ2)case ϕ = 〈〈A〉〉 jψ : return pre(M,A,mcheck(M,ψ))case ϕ = 〈〈A〉〉�ψ :Q1 := Q; Q2 := mcheck(M,ψ); Q3 := Q2;while Q1 6⊆ Q2

do Q1 := Q2; Q2 := pre(M,A,Q1) ∩Q3 od;return Q1

case ϕ = 〈〈A〉〉ψ1 U ψ2 :Q1 := ∅; Q2 := mcheck(M,ψ1);Q3 := mcheck(M,ψ2);while Q3 6⊆ Q1

do Q1 := Q1 ∪Q3; Q3 := pre(M,A,Q1) ∩Q2 od;return Q1

end case

Multi-agent extension of CTL model checking.



function pre(M,A,Q).Auxiliary function; returns the exact set of states Q′ suchthat, when the system is in a state q ∈ Q′, agents A cancooperate and enforce the next state to be in Q.return {q | ∃αA∀αAgt\A o(q, αA, αAgt\A) ∈ Q}

The function follows the same idea as the pre-imagefunction of CTL model checking.



Theorem 5.1 (ATLIr and ATLIR [Alur et al., 2002])

Model checking ATLIr and ATLIR is P-complete, and can bedone in time O(|M| · |ϕ|), where |M| is given by the number oftransitions in M.

Note, that the size of M is exponential in the number ofstates and agents!

Proof: Upper BoundEach case of the algorithm is called at most O(|ϕ|) timesand terminates after O(|M|).The latter is shown by translating the model to atwo-player game [Alur et al., 2002], and then solvingthe “invariance game” on it in polynomial time([Beeri, 1980], [Alur et al., 2002]).



And-Or-Graph ReachabilityFor the lower bound, we reduce reachability inand-or-graphs.

An and-or graph [Immerman, 1981]is a tuple (E, V, l) such that G = (E, V ) is a directedacyclic graph and l : V → {∧,∨} a labeling function.

Let x1, . . . , xn denote all successor nodes of u. v is said to bereachable from u iff

1 u = v; or2 l(u) = ∧, n ≥ 1, and v is reachable from all xi’s; or,3 l(u) = ∨, n ≥ 1, and v is reachable from some xi.

Theorem 5.2 ([Immerman, 1981])

The and-or-graph reachability problem is P-complete.Nils Bulling and Jürgen Dix ·Model Checking Temporal and Strategic Logics EASSS, 2010 240


Proof: Lower BoundHardness is shown by a reduction of reachability inAnd-Or-Graphs:

Transform and-or-graph to a CGS;

Player 1 owns or-states;

Player 2 owns and-states;

v reachable from a iff M, a |= 〈〈1〉〉♦lv.



Imperfect InformationAgent’s ability to identify a strategy as winning also variesthroughout the game in an arbitrary way (agents can learnas well as forget). This suggests that winning strategiescannot be synthesized incrementally.

How to model check a formula M, q |= 〈〈A〉〉γ where γincludes no nested cooperation modalities ?

Theorem 5.3 (ATLir)Model checking ATLir is ∆P

2 -complete.

Proof: Lower BoundReduction of SNSAT1.



Recall: ∆P2 = PNP

Proof: Upper BoundLet 〈〈A〉〉γ be given where γ includes no nested cooperationmodalities.

1 Guess a strategy sA of A.2 “ Prune” M to M|sA

; i.e. remove transitions that cannotoccur according to sA.

3 Remove labels from M|sAand interpret it as Kripke

structure M′|sA

4 Then,M, q |= 〈〈A〉〉γ iff M′|sA

, q |=CTL Aγ

The basic idea is to guess a strategy and apply CTL modelchecking.



ATL and CTL: Pruning

(α,α)

(α,α)(α,α)

(α,α)

(α,α)

(α,α)

(α,α)

(β,α)

(β,α)

(α,β) (α,β)

(α,β) (α,α)(α,α)

(β,α)

Guess the strategy s1 in which 1 always plays α .

〈〈1〉〉♦γ guess s1 , check A♦γ in the pruned model


5 Model Checking Strategic Logics5.4 ATL∗

5.4 ATL∗



Tree automataω-automata accept infinite words.LTL formulae are interpreted over infinite words.Fixing a strategy and unraveling a CGS results in aninfinite tree.Tree automata on infinite trees accept infinite treesinstead of infinite words.The transition relation of a tree automata acceptingtrees with maximal branching k is given by

∆ : Q× Σ× {1, . . . , k} → P(∪i=1...kQi)

with ∆(q, a, i) ⊆ Qi.A tree is accepted if each branch of the tree is acceptedin the same way as for ω-automata.



Theorem 5.4 (ATL∗ir and ATL∗Ir [Schobbens, 2004])

Model checking ATL∗ir and ATL∗Ir is PSPACE-complete in thenumber of transitions in the model and the length of theformula.

Proof: Lower BoundLLTL is contained in LATL∗ which renders LATL∗ with theperfect information memoryless semantics to be at leastPSPACE-hard.



Proof: Upper BoundLet 〈〈A〉〉ψ where ψ is an LLTL-formula.

1 Guess an ir-strategy sA of A.2 “Prune” M to M|sA

; i.e. remove transitions that cannotoccur according to sA.

3 Remove labels from M|sAand interpret it as Kripke

structure M′|sA

4 Then,M, q |= 〈〈A〉〉γ iff M′|sA

, q |=CTL?Aγ

This procedure can be performed in NPPSPACE, whichrenders the complexity of the whole language to be inPNPPSPACE

= PSPACE.



Theorem 5.5 (ATL∗IR [Alur et al., 2002])

Model checking ATL∗IR is 2EXPTIME -complete in thenumber of transitions in the model and the length of theformula.

Proof sketchLet M be a CGS and 〈〈A〉〉ψ be an LATL∗-formula (where weassume that ψ is an LLTL-formula).

Given sA of A and a state q. Unfold model into aq-rooted tree representing all possible behaviors withagents A following their strategy sA.(q, A)-execution tree is induced by out(q, sA).



q1 q2

q1

q1 q2

q2q1 q1 q2

q1

q2

q1 q2

(α,α) (β,α) (α,α)

(α,β)Tree unravelling (q1, {1})-execution tree



Proof sketch: Upper Bound1 Construct Büchi tree automaton AM,q,A that accepts

exactly the (q, A)-execution trees2 Construct a Rabin tree automaton which accepts all

trees that satisfy the LCTL∗-formula Aψ[Emerson and Sistla, 1984].

3 product automaton Aψ × AM,q,A, accepting the treesaccepted by both automata, is a Rabin tree automatonwith n := O(|Aψ| · |AM,q,A|) many states and r := 2O(|ψ|)

many Rabin pairs4 Emptiness check can be done in time O(n · r)3r

Lower Bound: realizability of LTL-formulae[Pnueli and Rosner, 1989, Rosner, 1992, Alur et al., 2002].


5 Model Checking Strategic Logics5.5 ATL+

5.5 ATL+



Theorem 5.6 (ATL+ir and ATL+

Ir [Schobbens, 2004])

Model checking ATL+ir and ATL+

Ir is ∆3-complete in thenumber of transitions in the model and the length of theformula.

Proof1 Guess a strategy sA of A.2 “Prune” M to M|sA

.3 Remove labels from M|sA

M′|sA.

4 Then, M, q |= 〈〈A〉〉γ iff M′|sA, q |=CTL+

Aγ.

Complexity: ∆P2

∆P2 = ∆P

3 , Hardness: Reduction of theSNSAT3.



The following result of the upper bound is moresophisticated. The idea is that only a finite segment offixed length of an Ir-strategy is needed. For the lowerbound the QSAT problem is reduced to model checkingATL+

IR.

Theorem 5.7 (ATL+IR [Bulling and Jamroga, 2010])

Model checking ATL+IR is PSPACE-complete wrt the

size of the model andlength of the formula

(Even for turn-based models with two agents and “flat” LATL+

formulae.)



Proof of The Lower BoundWe prove the PSPACE-hardness by a reduction ofQuantified Boolean Satisfiability (QSAT), a canonicalPSPACE-complete problem.

Definition 5.8 (QSAT)Input: A Boolean formula Φ (in negation normal form)a

with n propositional variables x1, . . . , xn.

Output is

{true, if ∃x1∀x2 . . .Qnxn Φ is satisfiable,false, otherwise.

(Where Qn = ∀ if n is even, and Qn = ∃ if n is odd.)aThat is, negations occur only at literals.



Proof of The Lower Bound

Model as a game between verifierv and refuter r.Verifier chooses disjunctions,refuter conjunctions.

(a ∨ b) ∧ c

(a ∨ b) c

a b

r r

v v

The reduction proceeds in three stages:

1 Value-coice-section: v and r assign a value to “their”variables

∃x1︸︷︷︸v

∀x2︸︷︷︸r

. . . ∃/∀xn︸︷︷︸v/r

2 Formula-structure-section: The result of the ”game”determines a literal.

3 Literal-section: Check wether the literal is consistentwith the value of the variable.Nils Bulling and Jürgen Dix ·Model Checking Temporal and Strategic Logics EASSS, 2010 256


q1

q1�

x1

q1⊥

notx1

q2

q2�

x2

q2⊥

notx2

· · · qn

qn�

xn

qn⊥

notxn

qΦ

�

⊥

�

⊥

�

⊥

Figure 3: Construction of the concurrent gamestructure for QSAT: value choice section

formula Aγ in the resulting model. Note that a memory-less strategy can be guessed in polynomially many steps,and the trimming process requires only polynomially manysteps too. For nested cooperation modalities, we repeat theprocedure recursively (bottom-up). Since model checkingof the CTL+ formula Aγ can be done in nondeterministicpolynomial time [11], we get that the overall procedure runs

in time`∆P

2

ŃP= ∆P

3 [15].For agents with perfect recall, a similar argument seems

correct. Every formula of ATL+IR can be translated to an

equivalent formula of ATLIR with weak until [8], and forATL (also with weak until) it does not make a differencewhether the perfect recall or memoryless semantics is used,so memoryless strategies can be used instead. Hence, itis enough to guess a memoryless strategy, trim the modeletc. Unfortunately, this line of reasoning is wrong becausethe result of the translation (the ATLIR formula) may in-clude exponentially many cooperation modalities (instead ofone in the original ATL+

IR formula). For example, formula��A��(✸p ∧ ✸q) is translated to ��A��✸

`(p ∧ ��A��✸q) ∨ (q ∧

��A��✸p)´; for a longer list of achievement goals (✸pi) every

permutation must be explicitly enumerated. Thus, we mayneed to guess exponentially many polynomial-size strategies,which clearly cannot be done in polynomial time.

There seems to be an intuitive way of recovering from theproblem. Note that, in an actual execution, only a poly-nomial number of these strategies will be used. So, we cantry to first guess a sequence of goals (in the right order) forwhom strategies will be needed, then the strategies them-selves, fix those strategies in the model (cloning the modelinto as many copies as we need) and check the correspondingCTL+ formula in it. Unfortunately, this is also wrong: fordifferent execution paths, we may need different ordering ofthe goals (and hence strategies). And we have to considerexponentially many paths in the worst case.

So, what is the complexity of model checking ATL+IR in

the end? The problem turns out to be harder than ∆P3 ,

namely PSPACE-complete.

3.1 Lower BoundWe prove the PSPACE-hardness by a reduction of Quan-

tified Boolean Satisfiability (QSAT), a canonical PSPACE-complete problem.

Definition 1 (QSAT [14]). Input: A Boolean for-mula Φ in negation normal form (i.e., negations occur onlyat literals) with n propositional variables x1, . . . , xn.Output: True if ∃x1∀x2 . . . Qnxn Φ holds, false otherwise(where Qn = ∀ if n is even, and Qn = ∃ if n is odd).

qΦ

qL(Φ)

qR(Φ)

· · ·

ql1

qlm

L

R

L

R

L

R

Figure 4: CGS for QSAT: formula structure section

qxi

qxi�

xi

qxi⊥

notxi

q�

yes

q⊥

�

⊥

q¬xi

qxi⊥

notxi

qxi�

xi

q�

yes

q⊥

⊥

�

Figure 5: CGS for QSAT: sections of literals

Given an instance of QSAT we construct a turn-based3

concurrent game structure M with two players: the verifierv and the refuter r. The structure consists of the followingsections:

• Value choice section: a sequence of states qi, one pervariable xi, where the values of xi’s will be “declared”,see Figure 3. States qi with odd i are controlled byv, states with even i are controlled by r. The ownerof a state can choose between two possible valuations(�,⊥). Choosing � leads to a state where the propo-sition xi holds; choosing ⊥ leads to a state labeled bythe proposition notxi.

• Formula structure section: corresponds to the parsetree of Φ, see Figure 4. For every subformula Ψ of Φ,there is a state qΨ with two choices: L leading to stateqL(Ψ) and R leading to qR(Ψ), where L(Ψ) is the lefthand side subformula of Ψ and R(Ψ) is the right handside subformula of Ψ. The verifier controls qΨ if theoutermost connective in Ψ is a disjunction; the refutercontrols the state if it is a conjunction. Note that eachleaf state in the tree is named according to a literal lifrom Φ, that is, either with a variable xi or its negation¬xi.

• Sections of literals: for every literal l in Φ, we have asingle state ql, controlled by the owner of the Booleanvariable xi in l. Like in the value choice section, theagent chooses a value (� or ⊥) for the variable (not forthe literal!) which leads to a new state labeled with theproposition xi (for action �) or notxi (for ⊥). Finally,the system proceeds to the winning state q� (labeledwith the proposition yes) if the valuation of xi makesthe literal l true, and to the losing state q⊥ otherwise– see Figure 5 for details.

3A model is turn-based if each state has a single agent thatcontrols the subsequent transition, and the other agents haveno real choice there (which can be modeled by assumingdq(a) = {wait} for every agent a except the “owner” of q).

q1

q1�

x1

q1⊥

notx1

q2

q2�

x2

q2⊥

notx2

· · · qn

qn�

xn

qn⊥

notxn

qΦ

�

⊥

�

⊥

�

⊥



in time`∆P

2

ŃP= ∆P





`(p ∧ ��A��✸q) ∨ (q ∧










qΦ

qL(Φ)

qR(Φ)

· · ·

ql1

qlm

L

R

L

R

L

R


qxi

qxi�

xi

qxi⊥

notxi

q�

yes

q⊥

�

⊥

q¬xi

qxi⊥

notxi

qxi�

xi

q�

yes

q⊥

⊥

�








q1

q1�

x1

q1⊥

notx1

q2

q2�

x2

q2⊥

notx2

· · · qn

qn�

xn

qn⊥

notxn

qΦ

�

⊥

�

⊥

�

⊥



in time`∆P

2

ŃP= ∆P





`(p ∧ ��A��✸q) ∨ (q ∧










qΦ

qL(Φ)

qR(Φ)

· · ·

ql1

qlm

L

R

L

R

L

R


qxi

qxi�

xi

qxi⊥

notxi

q�

yes

q⊥

�

⊥

q¬xi

qxi⊥

notxi

qxi�

xi

q�

yes

q⊥

⊥

�








Value-Choice-Section

Formula-Structure-Section Literal-Section

Problem: How to ensure that choices are assigned to propositions uniformly?

1

2 3

rv

Consi ≡ �¬xi ∨�¬notxi: xi cannot be declared both > and⊥ during a single execution



Lemma 5.9∃x1∀x2 . . . Qnxn Φ iff

M, q1 |=IR 〈〈v〉〉( ∧i∈Odd

Consi ∧ (∧

i∈Even

Consi → ♦yes)).

Where is the perfect recall needed?


5 Model Checking Strategic Logics5.6 Imperfect Information and Perfect Recall

5.6 Imperfect Informationand Perfect Recall


5 Model Checking Strategic Logics5.6 Imperfect Information and Perfect Recall

Conjecture 1 (ATLiR)

Model checking ATLiR is undecidable.

Recently, a proof has been proposed by Dima and Tiplea(June 2010).

Conjecture 2 (ATL∗iR)

Model checking ATL∗iR is undecidable.

Conjecture 3 (ATL+iR)

Model checking ATL+iR is undecidable.


5 Model Checking Strategic Logics5.7 Summary

5.7 Summary



So, let’s model-check!

Not as easy as it seems.



Complexity of Model Checking CTLand ATL

Nice results: model checking CTL and ATL istractable.But: the result is relative to the size of the model andthe formulaWell known catch (CTL): size of models is exponentialwrt a higher-level descriptionAnother problem: transitions are labelledSo: the number of transitions can be exponential inthe number of agents.



Summary of Complexity Results

Ir IR ir iRLATL P P ∆P

2 Undecidable†

LATL+ ∆P3 PSPACE ∆P

3 Undecidable†

LATL∗ PSPACE 2EXPTIME PSPACE Undecidable†

Figure 4: † These problems are believed to be undecidable.


5 Model Checking Strategic Logics5.8 References

5.8 References




Bulling, N., Dix, J., and Jamroga, W. (2010).Model checking logics of strategic ability: Complexity.In Dastani, M., Hindriks, K. V., and Meyer, J.-J. C., editors, Specification and Verification of Multi-Agent Systems.Springer.

Bulling, N. and Jamroga, W. (2010).Verifying agents with memory is harder than it seemed.In Proceedings of AAMAS 2010, pages 699–706, Toronto, Canada. ACM Press.

Schobbens, P. Y. (2004).Alternating-time logic with imperfect recall.Electronic Notes in Theoretical Computer Science, 85(2).

Emerson, E. A. and Sistla, A. P. (1984).Deciding branching time logic.In STOC ’84: Proceedings of the sixteenth annual ACM symposium on Theory of computing, pages 14–24, New York,NY, USA. ACM.



Pnueli, A. and Rosner, R. (1989).On the synthesis of a reactive module.In POPL ’89: Proceedings of the 16th ACM SIGPLAN-SIGACT symposium on Principles of programming languages,pages 179–190, New York, NY, USA. ACM.

Rosner, R. (1992).Modular Synthesis of Reactive Systems.PhD thesis, Weizmann Institute of Science.


tu clausthal · about this course in part i of this lecture we introduce modal logic and show how...

Documents