Model Checking Games
Erich Grädel
Aachen University

Outline of this tutorial

Part I: simple logics and finite games
• model checking games for first-order logic
• the strategy problem for finite games
• fragments of first-order logic with efficient model checking: modal logic and guarded logic

Part II: fixed point logics and infinite games
• theory of infinite games
• fixed point logics: LFP and modal µ-calculus
• model checking games for fixed point logics
• cases that admit efficient solutions and open problems
• the strategy improvement algorithm

Model checking via games

The model checking problem for a logic L
Given: structure A, formula ψ ∈ L
Question: A ⊨ ψ ?

Reduce model checking problem A ⊨ ψ to strategy problem for model checking game G(A, ψ), played by
– Falsifier (also called Player 1, or Alter), and
– Verifier (also called Player 0, or Ego),
such that
A ⊨ ψ ⟺ Verifier has winning strategy for G(A, ψ)

⟹ Model checking via construction of winning strategies

Games and logics

Do games provide efficient solutions for model checking problems?
This depends on the logic, and on what we mean by efficient!
• How complicated are the resulting model checking games?
  - are all plays necessarily finite?
  - if not, what are the winning conditions for infinite plays?
  - structural complexity of the game graphs?
  - do the players always have complete information?
• How big are the resulting game graphs? How does the size of the game depend on different parameters of the input structure and the formula?

Logics and games

First-order logic (FO) or modal logic (ML): model checking games have
• only finite plays
• positional winning condition
Winning regions computable in linear time wrt. size of game graph.

Fixed-point logics (LFP or Lµ): model checking games are parity games
• admit infinite plays
• parity winning condition
Open problem: Are winning regions and winning strategies of parity games computable in polynomial time?

ML: propositional modal logic

Syntax: ψ ::= P_i | ¬P_i | ψ ∧ ψ | ψ ∨ ψ | ⟨a⟩ψ | [a]ψ
Example: P_1 ∨ ⟨a⟩(P_2 ∧ [b]P_1)

Semantics: transition systems = Kripke structures = labeled graphs
K = (V, (E_a)_{a∈A}, (P_i)_{i∈I})
• V: states (elements)
• E_a: actions (binary relations)
• P_i: atomic propositions (unary relations)

[Figure: example transition system with edges labeled a and b and states labeled with P_1, P_2]

[[ψ]]^K = {v : K, v ⊨ ψ} = {v : ψ holds at state v in K}
K, v ⊨ ⟨a⟩ψ :⟺ K, w ⊨ ψ for some w with (v, w) ∈ E_a
K, v ⊨ [a]ψ :⟺ K, w ⊨ ψ for all w with (v, w) ∈ E_a

Model checking game for ML

Game G(K, ψ) (for transition system K and ψ ∈ ML)
Positions: (φ, v), φ subformula of ψ, v ∈ V
From position (φ, v), Verifier wants to show that K, v ⊨ φ, while Falsifier wants to prove that K, v ⊭ φ.

Verifier moves:
(φ ∨ ϑ, v) → (φ, v) or (ϑ, v)
(⟨a⟩φ, v) → (φ, w), w ∈ vE_a
Falsifier moves:
(φ ∧ ϑ, v) → (φ, v) or (ϑ, v)
([a]φ, v) → (φ, w), w ∈ vE_a
Terminal positions: (P_i, v), (¬P_i, v)
If K, v ⊨ P_i then Verifier has won at (P_i, v), otherwise Falsifier has won.

Lemma. K, v ⊨ φ ⟺ Verifier has winning strategy from (φ, v).

Finite games: basic definitions

Two-player games with complete information and positional winning condition, given by game graph (also called arena)
G = (V, E), V = V_0 ∪ V_1
• Player 0 (Ego) moves from positions v ∈ V_0, Player 1 (Alter) moves from v ∈ V_1
• moves are along edges; a play is a finite or infinite sequence π = v_0 v_1 v_2 ··· with (v_i, v_{i+1}) ∈ E
• winning condition: move or lose! Player σ wins at position v if v ∈ V_{1−σ} and vE = ∅
Note: this is a purely positional winning condition applying to finite plays only (infinite plays are draws)

Winning strategies and winning regions

Strategy for Player σ: f : {v ∈ V_σ : vE ≠ ∅} → V with (v, f(v)) ∈ E.
f is winning from position v if Player σ wins all plays that start at v and are consistent with f.

Winning regions W_0, W_1:
W_σ = {v ∈ V : Player σ has winning strategy from position v}

Algorithmic problems: Given a game G
• compute winning regions W_0, W_1
• compute winning strategies
Associated decision problem:
Game := {(G, v) : Player 0 has winning strategy for G from position v}

Algorithms for finite games

Theorem. Game is P-complete and solvable in time O(|V| + |E|).
This remains true for strictly alternating games on graphs G = (V, E).

A simple polynomial-time algorithm
Compute winning regions inductively: W_σ = ⋃_{n∈ℕ} W_σ^n where
• W_σ^0 = {v ∈ V_{1−σ} : vE = ∅}
  (winning terminal positions for Player σ)
• W_σ^{n+1} = {v ∈ V_σ : vE ∩ W_σ^n ≠ ∅} ∪ {v ∈ V_{1−σ} : vE ⊆ W_σ^n}
  (positions with winning strategy in ≤ n + 1 moves for Player σ)
until W_σ^{n+1} = W_σ^n (this happens for n ≤ |V|).

A linear time algorithm for Game

Input: A game G = (V, V_0, V_1, E)

    forall v ∈ V let                          (∗ 1: initialisation ∗)
        win[v] := ⊥, P[v] := {u : (u, v) ∈ E}, n[v] := |vE|
    forall σ ∈ {0, 1}, v ∈ V_σ                (∗ 2: calculate win ∗)
        if n[v] = 0 then Propagate(v, 1 − σ)
    return win
    end

    procedure Propagate(v, σ)
        if win[v] ≠ ⊥ then return
        win[v] := σ                           (∗ 3: mark v as winning for Player σ ∗)
        forall u ∈ P[v] do                    (∗ 4: propagate change to predecessors ∗)
            n[u] := n[u] − 1
            if u ∈ V_σ or n[u] = 0 then Propagate(u, σ)
        enddo
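
The model checking game for ML and the linear time algorithm above, put together: the sketch below builds G(K, ψ) on the fly and solves it by backward propagation, then compares the result with the direct semantics. It is an added example, not part of the original slides; the transition system, the tuple encoding of formulae and all function names are constructed for illustration, and Propagate is written with a worklist instead of recursion.

```python
from collections import defaultdict

# Formulae in negation normal form as nested tuples (encoding assumed here):
#   ("P", i) | ("notP", i) | ("and", f, g) | ("or", f, g)
#   ("dia", a, f) for <a>f | ("box", a, f) for [a]f

# Constructed transition system K (sample data, not the one drawn on the slide).
STATES = ["s0", "s1", "s2", "s3"]
EDGES = {"a": [("s0", "s1"), ("s0", "s2"), ("s3", "s3")],
         "b": [("s1", "s3"), ("s2", "s0")]}
LABELS = {"P1": {"s3"}, "P2": {"s1", "s2"}}

# The example formula from the page: P1 ∨ <a>(P2 ∧ [b]P1)
PSI = ("or", ("P", "P1"),
       ("dia", "a", ("and", ("P", "P2"), ("box", "b", ("P", "P1")))))


def succ(action, v):
    """vE_a: the a-successors of state v."""
    return [w for (u, w) in EDGES.get(action, []) if u == v]


def build_game(psi, start):
    """Construct the part of G(K, psi) reachable from (psi, start).
    owner[pos] is the player to move (0 = Verifier, 1 = Falsifier),
    moves[pos] the list of successor positions."""
    owner, moves, todo = {}, {}, [(psi, start)]
    while todo:
        pos = todo.pop()
        if pos in owner:
            continue
        phi, v = pos
        kind = phi[0]
        if kind in ("P", "notP"):
            # Terminal position. Under "move or lose" it belongs to the loser.
            true_here = (v in LABELS.get(phi[1], ())) == (kind == "P")
            owner[pos], nxt = (1 if true_here else 0), []
        elif kind in ("or", "and"):
            owner[pos] = 0 if kind == "or" else 1
            nxt = [(phi[1], v), (phi[2], v)]
        else:  # "dia": Verifier picks a successor; "box": Falsifier picks
            owner[pos] = 0 if kind == "dia" else 1
            nxt = [(phi[2], w) for w in succ(phi[1], v)]
        moves[pos] = nxt
        todo.extend(nxt)
    return owner, moves


def solve(owner, moves):
    """Backward propagation in time O(|V| + |E|): every position enters the
    worklist once, every edge is inspected once. None means undecided (draw)."""
    win = {p: None for p in owner}
    remaining = {p: len(moves[p]) for p in owner}   # n[v] on the slide
    preds = defaultdict(list)                       # P[v] on the slide
    for p, nxt in moves.items():
        for q in nxt:
            preds[q].append(p)
    todo = [p for p in owner if remaining[p] == 0]
    for p in todo:
        win[p] = 1 - owner[p]       # whoever cannot move loses
    while todo:
        p = todo.pop()
        for u in preds[p]:
            remaining[u] -= 1
            if win[u] is None and (owner[u] == win[p] or remaining[u] == 0):
                win[u] = win[p]
                todo.append(u)
    return win


def holds(phi, v):
    """Direct evaluation of K, v |= phi, used only to cross-check the game."""
    kind = phi[0]
    if kind in ("P", "notP"):
        return (v in LABELS.get(phi[1], ())) == (kind == "P")
    if kind in ("and", "or"):
        left, right = holds(phi[1], v), holds(phi[2], v)
        return (left and right) if kind == "and" else (left or right)
    pick = any if kind == "dia" else all
    return pick(holds(phi[2], w) for w in succ(phi[1], v))


def verifier_wins(psi, v):
    """The Lemma: K, v |= psi iff Verifier wins G(K, psi) from (psi, v)."""
    owner, moves = build_game(psi, v)
    return solve(owner, moves)[(psi, v)] == 0
```

From s0 the reachable game has 10 positions, well below the bound |ψ| · |V|, because only reachable positions are generated.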

Alternating algorithms

Nondeterministic algorithms, with states divided into accepting, rejecting, existential, and universal states.

Acceptance condition: game with Players ∃ and ∀, played on computation graph C(M, x) of M on input x
Positions: configurations of M
Moves: C → C′ for C′ successor configuration of C
- Player ∃ moves at existential configurations, wins at accepting configurations
- Player ∀ moves at universal configurations, wins at rejecting configurations

M accepts x :⟺ Player ∃ has winning strategy for game on C(M, x)

Alternating versus deterministic complexity classes

Alternating time ≡ deterministic space
Alternating space ≡ exponential deterministic time

LOGSPACE ⊆ PTIME     ⊆ PSPACE ⊆ EXPTIME ⊆ EXPSPACE
              ||         ||       ||         ||
           ALOGSPACE ⊆ APTIME ⊆ APSPACE ⊆ AEXPTIME

Alternating logspace algorithm for Game: Play the game!

Evaluation game for FO

FO: ψ ::= R_i x | ¬R_i x | x = y | x ≠ y | ψ ∧ ψ | ψ ∨ ψ | ∃xψ | ∀xψ

The game G(A, ψ) (for A = (A, R_1, …, R_m), R_i ⊆ A^{r_i})
Positions: φ(a), φ(x) subformula of ψ, a ∈ A^k
Verifier moves:
φ ∨ ϑ → φ or ϑ
∃xφ(x, b) → φ(a, b) (a ∈ A)
Falsifier moves:
φ ∧ ϑ → φ or ϑ
∀xφ(x, b) → φ(a, b) (a ∈ A)
Winning condition: φ atomic / negated atomic
Verifier wins at φ(a) ⟺ A ⊨ φ(a)
Falsifier wins at φ(a) ⟺ A ⊭ φ(a)

Complexity of FO model checking

To decide whether A ⊨ ψ, construct the game G(A, ψ) and check whether Verifier has winning strategy from initial position ψ.
Efficient implementation: on-the-fly construction of game while solving it

Size of game graph can be exponential: |G(A, ψ)| ≤ |ψ| · |A|^{width(ψ)}
width(ψ): maximal number of free variables in subformulae

Complexity of FO model checking:
alternating time: O(|ψ| + qd(ψ) log |A|)     (qd(ψ): quantifier-depth of ψ)
alternating space: O(width(ψ) · log |A| + log |ψ|)
deterministic time: O(|ψ| · |A|^{width(ψ)})
deterministic space: O(|ψ| + qd(ψ) log |A|)

Complexity of FO model checking

• Structure complexity (ψ fixed): ALOGTIME ⊆ LOGSPACE
• Expression complexity and combined complexity: PSPACE

Crucial parameter for complexity: width of formula
FO^k := {ψ ∈ FO : width(ψ) ≤ k} = k-variable fragment of FO
ModCheck(FO^k) is P-complete and solvable in time O(|ψ| · |A|^k)

Fragments of FO with model checking complexity O(|ψ| · ‖A‖):
– ML: propositional modal logic
– FO^2: formulae of width two
– GF: the guarded fragment of first-order logic

ML: propositional modal logic

Transition systems = Kripke structures = labeled graphs
K = (V, (E_a)_{a∈A}, (P_i)_{i∈I})
• V: states (elements)
• E_a: actions (binary relations)
• P_i: atomic propositions (unary relations)

Syntax of ML: ψ ::= P_i | ¬P_i | ψ ∧ ψ | ψ ∨ ψ | ⟨a⟩ψ | [a]ψ
Example: P_1 ∨ ⟨a⟩(P_2 ∧ [b]P_1)

Semantics: [[ψ]]^K = {v : K, v ⊨ ψ} = {v : ψ holds at state v in K}.
K, v ⊨ ⟨a⟩ψ :⟺ K, w ⊨ ψ for some w with (v, w) ∈ E_a
K, v ⊨ [a]ψ :⟺ K, w ⊨ ψ for all w with (v, w) ∈ E_a

Model checking game for ML

Game G(K, ψ) for K = (V, (E_a)_{a∈A}, (P_i)_{i∈I}) and ψ ∈ ML
Positions: (φ, v), φ subformula of ψ, v ∈ V
Verifier moves:
(φ ∨ ϑ, v) → (φ, v) or (ϑ, v)
(⟨a⟩φ, v) → (φ, w), w ∈ vE_a
Falsifier moves:
(φ ∧ ϑ, v) → (φ, v) or (ϑ, v)
([a]φ, v) → (φ, w), w ∈ vE_a
Terminal positions: (P_i, v), (¬P_i, v)

Verifier wins G(K, ψ) from position (φ, v) ⟺ K, v ⊨ φ
‖G(K, ψ)‖ = O(|ψ| · ‖K‖)

The guarded fragment of first-order logic (GF)

Fragment of first-order logic with only guarded quantification
∃y(α(x, y) ∧ φ(x, y))        ∀y(α(x, y) → φ(x, y))
with guards α: atomic formulae containing all free variables of φ

Generalizes modal quantification: ML ⊆ GF ⊆ FO
⟨a⟩φ ≡ ∃y(E_a xy ∧ φ(y))        [a]φ ≡ ∀y(E_a xy → φ(y))

Guarded logics generalize and, to some extent, explain the good algorithmic and model-theoretic properties of modal logics.

Model-theoretic and algorithmic properties of GF

• Satisfiability for GF is decidable (Andréka, van Benthem, Németi)
• GF has finite model property (Grädel)
• GF has (generalized) tree model property: every satisfiable formula has model of small tree width (Grädel)
• Extension by fixed points remains decidable (Grädel, Walukiewicz)
• ...
• Guarded logics have small model checking games: ‖G(A, ψ)‖ = O(|ψ| · ‖A‖)
⟹ efficient game-based model checking algorithms

Advantages of game based approach to model checking

• intuitive top-down definition of semantics (very effective for teaching logic)
• versatile and general methodology, can be adapted to many logical formalisms
• isolates the real combinatorial difficulties of an evaluation problem, abstracts from syntactic details
• if you understand games, you understand alternating algorithms
• closely related to automata based methods
• algorithms and complexity results for many logic problems follow from results on games

Model checking for propositional modal logic

Theorem. ModelCheck(ML) is P-complete.
- solvable in time O(|ψ| · ‖K‖) via model checking game
- Game (for strictly alternating games) ≤_log ModelCheck(ML):
  G = (V, E), v ⟼ (G, v), ψ_n   (n = |V|)
  ψ_0 := □0,   ψ_{2m+1} = ◇ψ_{2m},   ψ_{2m+2} = □ψ_{2m+1}
  G, v ⊨ ψ_m ⟺ Player 0 wins G from v in ≤ m moves

Satisfiability of propositional Horn formulae

Propositional Horn formulae: conjunctions of clauses of form
X ← X_1 ∧ ··· ∧ X_n   and   0 ← X_1 ∧ ··· ∧ X_n

Theorem. Sat-Horn is P-complete and solvable in linear time.
(actually, Game and Sat-Horn are essentially the same problem)

1) Game ≤_{log-lin} Sat-Horn:
For G = (V_0 ∪ V_1, E) construct Horn formula ψ_G with clauses
u ← v                   for all u ∈ V_0 and (u, v) ∈ E
u ← v_1 ∧ ··· ∧ v_m     for all u ∈ V_1, uE = {v_1, …, v_m}
The minimal model of ψ_G is precisely the winning region of Player 0.
(G, v) ∈ Game ⟺ ψ_G ∧ (0 ← v) is unsatisfiable

2) Sat-Horn ≤_{log-lin} Game:
Define game G_ψ for Horn formula ψ(X_1, …, X_n) = ⋀_{i∈I} C_i
Positions: {0} ∪ {X_1, …, X_n} ∪ {C_i : i ∈ I}
Moves of Player 0: X → C for X = head(C)
Moves of Player 1: C → X for X ∈ body(C)
Note: Player 0 wins iff play reaches clause C with body(C) = ∅

Player 0 has winning strategy from position X ⟺ ψ ⊨ X
Hence, Player 0 wins from position 0 ⟺ ψ unsatisfiable.

Logics and games

First-order logic (FO) or modal logic (ML): model checking games have
• only finite plays
• positional winning condition
Winning regions computable in linear time wrt. size of game graph.

In many computer science applications, more expressive logics are needed: temporal logics, dynamic logics, fixed-point logics, ...
Model checking games for these logics admit infinite plays and need more complicated winning conditions.
⟹ we have to consider the theory of infinite games

Infinite games

Arena: G = (V, E, Win), V = V_0 ∪ V_1
Win defines winning condition for infinite plays
Play: finite or infinite sequence π = v_0 v_1 v_2 ··· ∈ V^{≤ω} with (v_i, v_{i+1}) ∈ E
Winning condition:
– finite plays: who cannot move, loses
– infinite plays: Player 0 wins π, if π ∈ Win, otherwise Player 1 wins.

Classical theory of Gale-Stewart games (descriptive set theory):
– the arena is the infinite binary tree (or the infinite ω-branching tree)
– players make alternating moves
– abstract winning condition Win ⊆ {0, 1}^ω (or Win ⊆ ω^ω)

Determinacy

Winning regions W_0, W_1:
W_σ = {v ∈ V : Player σ has winning strategy from position v}
Clearly W_0 ∩ W_1 = ∅.
A game G is determined if from every position, one of the players has a winning strategy: W_0 ∪ W_1 = V.
• games that admit only finite plays are determined (Zermelo)
• there exist nondetermined games (Gale-Stewart)
• closed games are determined (Gale-Stewart)
• Borel games are determined (Martin)

Finite-state games

Given a function Ω : V → {0, …, d − 1}, assigning to each position a finite priority, winning conditions for plays π = v_0 v_1 v_2 … refer to
• Occ(π) := {c : (∃i) Ω(v_i) = c}
• Inf(π) := {c : (∀i)(∃j > i) Ω(v_j) = c}
(set of priorities that occur resp. occur infinitely often in the play)

• Reachability games: Occ(π) ∩ F ≠ ∅ (for given F ⊆ {0, …, d − 1})
• Safety games: Occ(π) ⊆ F
• Büchi games or recurrence games: Inf(π) ∩ F ≠ ∅
• Muller games: Inf(π) ∈ ℱ (for given ℱ ⊆ P({0, …, d − 1}))
• Parity games: Least priority occurring infinitely often is even

These are Borel games (on low levels of Borel hierarchy) and therefore determined

Muller games and parity games

Ω : V → {0, …, d − 1}
Muller and parity conditions are Boolean combinations of Büchi (recurrence) conditions:
L_i := {π ∈ V^ω : i ∈ Inf(π)}

Muller condition (arbitrary Boolean combination, in DNF):
⋁_{F∈ℱ} ( ⋀_{i∈F} π ∈ L_i ∧ ⋀_{i∉F} π ∉ L_i )

Parity condition (Hausdorff difference form):
π ∈ L_0 ∪ (L_2 \ L_1) ∪ (L_4 \ L_3) ∪ …

The parity condition is also called Rabin chain condition or Mostowski condition.
It looks somewhat artificial. Why are parity games important?

Algorithmic issues

The classical theory of infinite games has no algorithmic content. But algorithmic issues are crucial for modern applications.

Finite-state games model behaviour of reactive systems (systems with nonterminating interaction with environment)
specification: formal description of a game
program: implementation of a strategy for one player
verification: check that strategy is winning

(1) Is decomposition V = W_0 ∪ W_1 computable? Efficiently?
(2) Can one compute winning strategies for the two players?
(3) Optimise the strategies: minimise complexity and memory (i.e., the dependence on the history of the play)

Significance of Muller and parity games

Enlarge game graphs to simplify winning conditions: many games with complicated winning strategies can be simulated by Muller and parity games (over larger game graphs)
• games with winning conditions formulated in temporal logic (LTL) or monadic second-order logic (S1S)
• games that model reactive systems

For Muller games, one can effectively compute winning strategies which are executable by finite automata (Büchi, Landweber)

Positional determinacy

In general, a strategy for Player σ in an infinite game is a partial function
f : V*V_σ → V with f(v_0 … v_n) ∈ v_n E
Positional strategies depend only on current position, not on history.
In general, positional strategies do not suffice for Muller games:
Example: [Figure: game graph with three positions] winning condition: all positions must occur infinitely often
• But Muller games can be simulated by parity games (over larger game graphs)
• Positional strategies do suffice for parity games

Positional Determinacy

Positional Determinacy Theorem (Emerson/Jutla, Mostowski)
Parity games are determined, and every player has a positional winning strategy on her winning region.

Note: “Stay inside your winning region” is not necessarily a winning strategy.

Positional strategies and solitaire games

A positional winning strategy f for Player 0 on W ⊆ V is described by solitaire subgame (W, F) ⊆ (V, E):
• vF = {f(v)} for v ∈ W ∩ V_0, vF = vE for v ∈ W ∩ V_1
• no terminal positions in W ∩ V_0
• the least priority on every cycle in (W, F) is even.

Proposition. It can be checked in polynomial time whether a subgraph (W, F) indeed defines a winning strategy on W.
Reachability algorithm

Complexity of parity games

Theorem (Emerson, Jutla, Sistla). The parity game problem is in NP ∩ Co-NP
Proof. Given a parity game G
• guess positional strategies (W_0, F_0) and (W_1, F_1) for Players 0, 1 with W_0 ∪ W_1 = V
• check that (W_σ, F_σ) is winning strategy for Player σ.

Actually the parity game problem is in UP ∩ Co-UP (Jurdziński)
Open problem: Is it in P?
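
The check used in the proof above and in the proposition on solitaire games can be done with plain reachability. The sketch below is an added example, not part of the original slides: it verifies a guessed pair (W, F) for either player by looking for a cycle whose least priority has the wrong parity. The sample game, the dictionary encoding and the function names are constructed for illustration.

```python
# Constructed parity game (sample data): position -> (owner, priority, successors)
GAME = {
    "a": (0, 3, ["a", "b"]),
    "b": (1, 2, ["a", "c"]),
    "c": (0, 0, ["b"]),
    "d": (1, 1, ["d", "a"]),
    "e": (0, 0, ["d"]),
}


def is_winning_strategy(game, player, region, strategy):
    """Check that the positional strategy (dict: position -> chosen successor,
    for the positions of `player` in `region`) wins the parity game for
    `player` from every position of the set `region`."""
    sub = {}  # the solitaire subgame (W, F)
    for v in region:
        owner, _, succs = game[v]
        if owner == player:
            if v not in strategy or strategy[v] not in succs:
                return False      # terminal position of `player`, or illegal move
            sub[v] = [strategy[v]]
        else:
            sub[v] = list(succs)  # the opponent keeps all moves
        if any(w not in region for w in sub[v]):
            return False          # some play consistent with F leaves W
    bad = 1 - player  # parity that must not be the least one on any cycle
    for u in region:
        p = game[u][1]
        if p % 2 != bad:
            continue
        # Reachability: is u on a cycle that only visits priorities >= p?
        seen = set()
        stack = [w for w in sub[u] if game[w][1] >= p]
        while stack:
            w = stack.pop()
            if w == u:
                return False      # cycle with least priority p of the wrong parity
            if w in seen:
                continue
            seen.add(w)
            stack.extend(x for x in sub[w] if game[x][1] >= p)
    return True


def check_certificate(game, w0, f0, w1, f1):
    """The certificate from the NP ∩ Co-NP proof: regions covering V, each with
    a verified positional winning strategy."""
    return (w0 | w1 == set(game)
            and is_winning_strategy(game, 0, w0, f0)
            and is_winning_strategy(game, 1, w1, f1))
```

In the sample game the strategy a → a stays inside Player 0's winning region {a, b, c} and is still rejected, because the self-loop at a has least priority 3.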

Complexity of parity games

Theorem (Jurdziński). There is a deterministic algorithm computing winning sets and winning strategies for parity games in
• time O(d · |E| · (|V| / (d/2))^{d/2})
• space O(d · |V|)
d = number of priorities

Least fixed point logics

Extend a basic logical formalism by least and greatest fixed points
FO (first-order logic) ⟶ LFP (least fixed point logic)
ML (modal logic) ⟶ Lµ (modal µ-calculus)
GF (guarded fragment) ⟶ µGF (guarded fixed point logic)
conjunctive queries ⟶ Datalog / Stratified Datalog

Idea: Capture recursion. For any definable monotone relational operator
F_φ : T ↦ {x : φ(T, x)}
make also the least and the greatest fixed point of F_φ definable:
[lfp Tx . φ(T, x)](z)        [gfp Tx . φ(T, x)](z)
µX . φ                       νX . φ

Modal µ-calculus Lµ: formal definition

Syntax. Lµ extends ML by fixed point rule:
• With every formula ψ(X), where X occurs only positively in ψ, Lµ also contains the formulae µX.ψ and νX.ψ

Semantics. On transition system K, ψ(X) defines operator
ψ^K : X ⟼ [[ψ]]^{(K,X)} = {v : (K, X), v ⊨ ψ}
ψ^K is monotone, and therefore has a least and a greatest fixed point
lfp(ψ^K) = ⋂{X : ψ^K(X) ⊆ X},    gfp(ψ^K) = ⋃{X : X ⊆ ψ^K(X)}
• [[µX.ψ]]^K := lfp(ψ^K),    [[νX.ψ]]^K := gfp(ψ^K)

Least fixed point logic LFP

Syntax. LFP extends FO by fixed point rule:
• For every formula ψ(T, x_1 … x_k) ∈ LFP[τ ∪ {T}], T k-ary relation variable, occurring only positively in ψ, build formulae [lfp Tx . ψ](x) and [gfp Tx . ψ](x)

Semantics. On τ-structure A, ψ(T, x) defines monotone operator
ψ^A : P(A^k) ⟶ P(A^k)
T ⟼ {a : (A, T) ⊨ ψ(T, a)}
• A ⊨ [lfp Tx . ψ(T, x)](a) :⟺ a ∈ lfp(ψ^A)
  A ⊨ [gfp Tx . ψ(T, x)](a) :⟺ a ∈ gfp(ψ^A)

Finite games and LFP

• Game is definable in LFP / Lµ
Player 0 has winning strategy for game G from position v
⟺ G = (V, V_0, V_1, E) ⊨ [lfp Wx . (V_0 x ∧ ∃y(Exy ∧ Wy)) ∨ (V_1 x ∧ ∀y(Exy → Wy))](v)
⟺ G, v ⊨ µW . (V_0 ∧ ◇W) ∨ (V_1 ∧ □W)
• Game is complete for LFP (via quantifier-free reductions on finite structures)

Inductive generation of fixed points

ψ(X) defines operator ψ^K : X ↦ {v : (K, X), v ⊨ ψ}
X^0 := ∅
X^{α+1} := ψ^K(X^α)
X^λ := ⋃_{α<λ} X^α   (λ limit ordinal)
Y^0 := V
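
On a finite transition system the induction above stops after finitely many stages, which gives a direct evaluator for Lµ. The sketch below is an added example, not part of the original slides: it computes the stages X^0, X^1, … for the formula µW . (V_0 ∧ ◇W) ∨ (V_1 ∧ □W) from the slide on finite games and LFP. The game graph, the tuple encoding and the function names are constructed for illustration, a single unlabeled action is assumed, and the downward iteration from V for ν is the standard dual of the sequence shown.

```python
# Constructed game graph used as transition system (sample data).
STATES = {"t", "u", "w", "x", "y", "z", "q"}
EDGES = {"u": ["t"], "w": ["u", "t"], "x": ["y"], "y": ["x"], "q": ["z", "u"]}
LABELS = {"V0": {"u", "x", "z"}, "V1": {"t", "w", "y", "q"}}

# Formulae as nested tuples (encoding assumed here). Variables are never
# negated, so every body is monotone in its fixed point variable:
#   ("P", i) | ("notP", i) | ("var", X) | ("and", f, g) | ("or", f, g)
#   ("dia", f) | ("box", f) | ("mu", X, f) | ("nu", X, f)

# µW . (V0 ∧ ◇W) ∨ (V1 ∧ □W): the winning region of Player 0
WIN0 = ("mu", "W", ("or",
                    ("and", ("P", "V0"), ("dia", ("var", "W"))),
                    ("and", ("P", "V1"), ("box", ("var", "W")))))

# νX . ◇X: states from which an infinite path starts
INF_PATH = ("nu", "X", ("dia", ("var", "X")))


def evaluate(phi, env=None):
    """Return [[phi]]^K as a set of states; env maps variables to sets."""
    env = env or {}
    kind = phi[0]
    if kind == "P":
        return set(LABELS[phi[1]])
    if kind == "notP":
        return STATES - LABELS[phi[1]]
    if kind == "var":
        return set(env[phi[1]])
    if kind == "and":
        return evaluate(phi[1], env) & evaluate(phi[2], env)
    if kind == "or":
        return evaluate(phi[1], env) | evaluate(phi[2], env)
    if kind in ("dia", "box"):
        target = evaluate(phi[1], env)
        some_or_all = any if kind == "dia" else all
        return {v for v in STATES
                if some_or_all(w in target for w in EDGES.get(v, []))}
    return approximants(phi, env)[-1]  # "mu" or "nu": last stage is the fixed point


def approximants(phi, env):
    """Stages of the induction for phi = (mu|nu, X, body): start from the
    empty set for mu, from V for nu, and apply the operator until stable."""
    kind, x, body = phi
    stage = set() if kind == "mu" else set(STATES)
    stages = [stage]
    while True:
        nxt = evaluate(body, {**env, x: stage})
        if nxt == stage:
            return stages
        stages.append(nxt)
        stage = nxt
```

For WIN0 the stages are ∅, {t}, {t, u}, {t, u, w}, which are the sets W_0^n of the simple polynomial-time algorithm for finite games; x and y lie on a cycle and z is a dead end for Player 0, so they never enter.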