Quantified NTL

1. Quanti

2. ed CTL Nicolas Markey LSV { ENS Cachan (joint work with Francois Laroussinie) Nord-Pas-de-Calais { Belgium congress of mathematics Valenciennes, 28 October 2013

3. Veri

4. cation of computerised systems Computers are everywhere

5. Veri

6. cation of computerised systems Computers are everywhere Bugs are everywhere...

7. Veri

8. cation of computerised systems Computers are everywhere Bugs are everywhere... Veri

9. cation should be everywhere!

10. Model checking and synthesis system: [http://www.embedded.com] property: 8 8 a! b? a? b! AG( : B.overfull ^ : B.dried up) model-checking algorithm yes/no

11. Model checking and synthesis system: [http://www.embedded.com] property: 8 8 a! b! ? AG( : B.overfull b? a? ^ : B.dried up) synthesis algorithm a? b!

12. Outline of the presentation 1 Basics about CTL expressing properties of reactive systems ecient veri

13. cation algorithms 2 Quanti

14. ed CTL CTL with quanti

15. cation over atomic propositions model checking and satis

16. ability are mostly decidable 3 Temporal logics for games: ATL and extensions expressing properties of complex interacting systems QCTL-based decision procedures for ATLsc

17. Computation-Tree Logic (CTL) atomic propositions: , , ...

18. Computation-Tree Logic (CTL) atomic propositions: , , ... boolean combinators: :', ' _ , ' ^ , ...

19. Computation-Tree Logic (CTL) atomic propositions: , , ... boolean combinators: :', ' _ , ' ^ , ... path quanti

20. ers: E' ' A' ' ' ' ' ' '

22. ers: E' ' A' ' ' ' ' ' ' temporal modalities: X ' ' next ' ' U ' ' ' until

24. ers: E' ' A' ' ' ' ' ' ' temporal modalities: X ' ' next ' ' U ' ' ' until true U ' F ' ' eventually ' : F :' G ' ' ' ' ' ' always '

25. Examples of CTL formulas In CTL, each temporal modality is in the immediate scope of a path quanti

26. er.

28. er. E F is reachable

30. er. E F is reachable 3 3 3

32. er. EG(E F ) there is a path along which is always reachable

34. er. EG(|E F{z } p ) there is a path along which is always reachable p p p

36. er. EG(|E F{z } p ) there is a path along which is always reachable 3 p 3 p p

38. er. Theorem ([CE81,QS82]) CTL model checking is PTIME-complete. [CE81] Clarke, Emerson. Design and Synthesis of Synchronization Skeletons using Branching-Time Temporal Logic. LOP'81. [QS82] Queille, Sifakis. Speci

39. cation and veri

40. cation of concurrent systems in CESAR. SOP'82.

41. Examples of CTL formulas In CTL, we have no restriction on modalities and quanti

42. ers.

44. ers. EG F there is a path visiting in

45. nitely many times 3 3 3

47. ers. A(G F ) G F ) any path that visits in

48. nitely many times, also visits in

49. nitely many times

51. ers. Theorem ([EH86]) CTL model checking is PSPACE-complete. [EH86] Emerson, Halpern. Sometimes and Not Never Revisited: On Branching versus Linear Time Temporal Logic. J.ACM, 1986.

57. Quanti

58. ed CTL [Kup95,Fre01] QCTL extends CTL with propositional quanti

59. ers 9p: ' means that there exists a labelling of the model with p under which ' holds. [Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quanti

60. cation over Atomic Propositions. CAV, 1995. [Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.

61. Quanti

63. ers 9p: ' means that there exists a labelling of the model with p under which ' holds. E F ^ 8p: E F(p ^ ) ) AG( ) p) [Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quanti

65. Quanti

67. ers 9p: ' means that there exists a labelling of the model with p under which ' holds. E F ^ 8p: E F(p ^ ) ) AG( ) p) uniq( ) [Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quanti

69. Quanti

71. ers 9p: ' means that there exists a labelling of the model with p under which ' holds. E F ^ 8p: E F(p ^ ) ) AG( ) p) uniq( ) ; true if we label the Kripke structure; ; false if we label the computation tree; [Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quanti

73. Semantics of QCTL structure semantics: j=s 9p:' , p j= '

74. Semantics of QCTL structure semantics: j=s 9p:' , p j= ' tree semantics: j=t 9p:' , p p p p j= '

75. Expressiveness of QCTL QCTL can count: EX1 ' EX ' ^ 8p: [EX(p ^ ') ) AX(' ) p)] EX2 ' 9q: [EX1(' ^ q) ^ EX1(' ^ : q)] [DLM12] Da Costa, Laroussinie, M. Quanti

76. ed CTL: expressiveness and model checking. CONCUR, 2012.

77. Expressiveness of QCTL QCTL can count: EX1 ' EX ' ^ 8p: [EX(p ^ ') ) AX(' ) p)] EX2 ' 9q: [EX1(' ^ q) ^ EX1(' ^ : q)] QCTL can express (least or greatest)

78. xpoints: T:'(T) 9t: [AG(t () '(t))^ (8t:0(AG(t0 () '(t0)) ) AG(t ) t0)))] [DLM12] Da Costa, Laroussinie, M. Quanti

80. Expressiveness of QCTL QCTL can count: EX1 ' EX ' ^ 8p: [EX(p ^ ') ) AX(' ) p)] EX2 ' 9q: [EX1(' ^ q) ^ EX1(' ^ : q)] QCTL can express (least or greatest)

81. xpoints: T:'(T) 9t: [AG(t () '(t))^ (8t:0(AG(t0 () '(t0)) ) AG(t ) t0)))] Theorem QCTL, QCTL and MSO are equally expressive (under both semantics). [DLM12] Da Costa, Laroussinie, M. Quanti

83. QCTL with structure semantics Theorem Model checking QCTL for the structure semantics is PSPACE-complete. [DLM12] Da Costa, Laroussinie, M. Quanti

85. QCTL with structure semantics Theorem Model checking QCTL for the structure semantics is PSPACE-complete. Proof Membership: Iteratively (nondeterministically) pick a labelling, check the subformula. Hardness: QBF is a special case (without even using temporal modalities). [DLM12] Da Costa, Laroussinie, M. Quanti

87. QCTL with structure semantics Theorem QCTL satis

88. ability for the structure semantics is undecidable.

90. ability for the structure semantics is undecidable. Proof Encode the problem of tiling

91. nite square grids.

109. nite square grids. ?

112. nite square grids. ? Given a set of tiles, whether all

113. nite square grids can be tiled is undecidable.

115. ability for the structure semantics is undecidable. Proof Reduction: is there a

116. nite Kripke structure such that

119. nite Kripke structure such that

122. nite Kripke structure such that each state has one or two successors AG(EX1 true _ EX2 true)

125. nite Kripke structure such that two successors of the same state have a common successor: AG(8z:(EX EX z ) AX EX z))

128. nite Kripke structure such that h h h h h h [... many more conditions ...]

131. nite Kripke structure such that h h h h h h for any tiling, there is a position where the neighbouring tiles do not match

132. QCTL with tree semantics Theorem Model checking QCTL with k quanti

133. ers in the tree semantics is k-EXPTIME-complete. Satis

134. ability of QCTL with k quanti

135. ers in the tree semantics is (k+1)-EXPTIME-complete. [DLM12] Da Costa, Laroussinie, M. Quanti

136. ed CTL: expressiveness and model checking. CONCUR, 2012. [LM13a] Laroussinie, M. Quanti

137. ed CTL: expressiveness and complexity. Submitted, 2013.

141. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata:

145. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata:

149. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2)

153. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: q0 (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2)

157. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: q0 q0 q1 (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2)

161. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: q0 q0 q1 q1 q0 (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2)

165. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: q0 q0 q1 q1 q0 q1 q1 (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2)

169. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: q0 q0 q1 q1 q0 q1 q1 q1 q1 q1 q1 (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2)

173. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: q0 q0 q1 q1 q0 q1 q1 q1 q1 q1 q1 q1 q1 (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2)

177. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: q0 q0 q1 q1 q0 q1 q1 q1 q1 q1 q1 q1 q1 q1 q1 (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2)

181. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof Using alternating tree automata: q0 q0 q1 q1 q0 q1 q1 q1 q1 q1 q1 q1 q1 q1 q1 (q0; ) = (q0; q1) _ (q1; q0) (q0; ) = (q1; q1) (q0; ) = (q2; q2) (q1; ? ) = (q1; q1) (q2; ? ) = (q2; q2) This automaton corresponds to E U

185. ers in the tree semantics is (k+1)-EXPTIME-complete. Proof polynomial-size automata for CTL; quanti

186. cation is handled by projection, which

187. rst requires removing alternation (exponential blowup); an automaton equivalent to a QCTL formula can be built inductively; emptiness of an alternating parity tree automaton can be decided in exponential time.

193. Reasoning about multi-agent systems Concurrent games A concurrent game is made of a transition system; q0 q1 q2

194. Reasoning about multi-agent systems Concurrent games A concurrent game is made of a transition system; a set of agents (or players); q0 q1 q2

195. Reasoning about multi-agent systems Concurrent games A concurrent game is made of a transition system; a set of agents (or players); a table indicating the transition to be taken given the actions of the players. q0 q1 q2 player 1 q0 q2 q1 q1 q0 q2 q2 q1 q0 player 2

196. Reasoning about multi-agent systems Concurrent games A concurrent game is made of a transition system; a set of agents (or players); a table indicating the transition to be taken given the actions of the players. Turn-based games A turn-based game is a game where only one agent plays at a time.

197. Reasoning about open systems Strategies A strategy for a given player is a function telling what to play depending on what has happened previously.

198. Reasoning about open systems Strategies A strategy for a given player is a function telling what to play depending on what has happened previously. Strategy for player : alternately go to and .

199. Reasoning about open systems Strategies A strategy for a given player is a function telling what to play depending on what has happened previously. Strategy for player : alternately go to and . ... ... ... ...

200. Temporal logics for games: ATL ATL extends CTL with strategy quanti

201. ers hhAii ' expresses that A has a strategy to enforce '. [AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

203. ers hhAii ' expresses that A has a strategy to enforce '. hh ii F [AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

205. ers hhAii ' expresses that A has a strategy to enforce '. 3 3 3 3 hh ii F [AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

207. ers hhAii ' expresses that A has a strategy to enforce '. hh ii F hh ii F [AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

209. ers hhAii ' expresses that A has a strategy to enforce '. 3 3 hh ii F hh ii F [AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

211. ers hhAii ' expresses that A has a strategy to enforce '. hh ii F hh ii F hh ii G( hh ii F ) [AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

213. ers hhAii ' expresses that A has a strategy to enforce '. p p hh ii F hh ii F hh ii G( hh ii F ) hh ii G p p [AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

215. ers hhAii ' expresses that A has a strategy to enforce '. p p hh ii F hh ii F hh ii G( hh ii F ) hh ii G p p Theorem Model checking ATL is PTIME-complete. [AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

216. ATL with strategy contexts [BDLM09] hh ii G( hh ii F ) [BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.

217. ATL with strategy contexts [BDLM09] hh ii G( hh ii F ) consider the following strategy of Player : always go to ; [BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.

218. ATL with strategy contexts [BDLM09] hh ii G( hh ii F ) consider the following strategy of Player : always go to ; [BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.

219. ATL with strategy contexts [BDLM09] hh ii G( hh ii F ) consider the following strategy of Player : always go to ; in the remaining tree, Player can always enforce a visit to . [BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.

220. What ATLsc can express Client-server interactions for accessing a shared resource: hServeri G 2 66664 ^ c2Clients hci F accessc ^ : ^ c6=c0 accessc ^ accessc0 3 77775

221. What ATLsc can express Client-server interactions for accessing a shared resource: hServeri G 2 66664 ^ c2Clients hci F accessc ^ : ^ c6=c0 accessc ^ accessc0 3 77775 Existence of Nash equilibria: hA1; :::;Ani ^ i ( hAi i 'Ai ) 'Ai )

222. What ATLsc can express Client-server interactions for accessing a shared resource: hServeri G 2 66664 ^ c2Clients hci F accessc ^ : ^ c6=c0 accessc ^ accessc0 3 77775 Existence of Nash equilibria: hA1; :::;Ani ^ i ( hAi i 'Ai ) 'Ai ) Existence of dominating strategy: hAi [B] (:' ) [A] :')

223. Translating ATLsc into QCTL player A has moves mA 1 , ..., mA n ; from the transition table, we can compute the set Next( );A;mA i ) of states that can be reached from when player A plays mA i . [DLM12] Da Costa, Laroussinie, M. Quanti

225. Translating ATLsc into QCTL player A has moves mA 1 , ..., mA n ; from the transition table, we can compute the set Next( );A;mA i ) of states that can be reached from when player A plays mA i . hAi ' can be encoded as follows: 9mA 1 : 9mA 2 : : : 9mA n : this corresponds to a strategy: AG(mA i , V :mA j ); the outcomes all satisfy ': A G(q ^ mA . i ) X Next(q; A;mA i )) ) ' [DLM12] Da Costa, Laroussinie, M. Quanti

227. Translating ATLsc into QCTL player A has moves mA 1 , ..., mA n ; from the transition table, we can compute the set Next( );A;mA i ) of states that can be reached from when player A plays mA i . Corollary ATLsc model checking is decidable. Corollary ATL0 sc (memoryless quanti

228. cation) model checking is decidable. [DLM12] Da Costa, Laroussinie, M. Quanti

230. What about satis

231. ability? Theorem QCTL satis

232. ability is decidable.

235. ability is decidable. But Theorem (TW12) ATLsc satis

236. ability is undecidable. [TW12] Troquard, Walther. On Satis

237. ability in ATL with Strategy Contexts. JELIA, 2012.

240. ability is decidable. But Theorem (TW12) ATLsc satis

241. ability is undecidable. Why? The translation from ATLsc to QCTL assumes that the game structure is

242. xed! [TW12] Troquard, Walther. On Satis

243. ability in ATL with Strategy Contexts. JELIA, 2012.

244. Satis

245. ability for turn-based games Theorem (LM13b) When restricted to turn-based games, ATLsc satis

246. ability is decidable. [LM13b] Laroussinie, M. Satis

247. ability of ATL with strategy contexts. Gandalf, 2013.

248. Satis

250. ability is decidable. player has moves , and . a strategy can be encoded by marking some of the nodes of the tree with proposition movA. hAi ' can be encoded as follows: 9movA: it corresponds to a strategy: AG(turnA ) EX1 movA); the outcomes all satisfy ': A G(turnA ^ X movA) ) ' . [LM13b] Laroussinie, M. Satis

252. Satis

254. ability is decidable. Theorem Model checking ATLsc with only memoryless quanti

255. cation is PSPACE-complete. [LM13b] Laroussinie, M. Satis

257. What about Strategy Logic? [CHP07,MMV10] Strategy logic Explicit quanti

258. cation over strategies + strategy assignement Example hAi ' 91:assign(1; A):' Strategy logic can also be translated into QCTL. Theorem Strategy-logic satis

259. ability is decidable when restricted to turn-based games. Memoryless strategy-logic satis

260. ability is undecidable. [CHP07] Chatterjee, Henzinger, Piterman. Strategy Logic. CONCUR, 2007. [MMV10] Mogavero, Murano, Vardi. Reasoning about strategies. FSTTCS, 2010.

261. Conclusions and future works Conclusions QCTL is a powerful extension of CTL; it is equivalent to MSO over

262. nite graphs and regular trees; it is a nice tool to understand temporal logics for games (ATL with strategy contexts, Strategy Logic, ...);

263. Conclusions and future works Conclusions QCTL is a powerful extension of CTL; it is equivalent to MSO over

264. nite graphs and regular trees; it is a nice tool to understand temporal logics for games (ATL with strategy contexts, Strategy Logic, ...); Future directions De

265. ning interesting (expressive yet tractable) fragments of those logics; Obtaining practicable algorithms. Considering randomised strategies.

Quantified NTL

More Related Content

Quantified NTL