Quantified CTL

Nicolas MarkeyLSV – ENS Cachan

(joint work with Francois Laroussinie)

Nord-Pas-de-Calais – Belgium congress of mathematics

Valenciennes, 28 October 2013

Verification of computerised systems

Computers are everywhere

Verification of computerised systems

Computers are everywhere

Bugs are everywhere...

Verification of computerised systems

Computers are everywhere

Bugs are everywhere...

Verification should be everywhere!

Model checking and synthesis

system:

[http://www.embedded.com]

8 8property:

a!b?

a?b!

A G(¬ B.overfull∧ ¬ B.dried up)

model-checking

algorithm

yes/no

a?b!

Model checking and synthesis

system:

[http://www.embedded.com]

8 8property:

a!b?

a?b! ? A G(¬ B.overfull

∧ ¬ B.dried up)

synthesis

algorithm

yes/no

a?b!

Outline of the presentation

1 Basics about CTLexpressing properties of reactive systemsefficient verification algorithms

2 Quantified CTLCTL with quantification over atomic propositionsmodel checking and satisfiability are mostly decidable

3 Temporal logics for games: ATL and extensionsexpressing properties of complex interacting systemsQCTL-based decision procedures for ATLsc

Computation-Tree Logic (CTL)

atomic propositions: , , ...

boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...

path quantifiers:

Eϕϕ

Aϕ

ϕϕϕϕϕϕ

temporal modalities:

X ϕ ϕ “next ϕ”

ϕ U ψ ϕ ϕ ψ “ϕ until ψ”

ϕ “eventually ϕ”true U ϕ ≡ F ϕ

¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”

Computation-Tree Logic (CTL)

atomic propositions: , , ...

boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...

path quantifiers:

Eϕϕ

Aϕ

ϕϕϕϕϕϕ

temporal modalities:

X ϕ ϕ “next ϕ”

ϕ U ψ ϕ ϕ ψ “ϕ until ψ”

ϕ “eventually ϕ”true U ϕ ≡ F ϕ

¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”

Computation-Tree Logic (CTL)

atomic propositions: , , ...

boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...

path quantifiers:

Eϕϕ

Aϕ

ϕϕϕϕϕϕ

temporal modalities:

X ϕ ϕ “next ϕ”

ϕ U ψ ϕ ϕ ψ “ϕ until ψ”

ϕ “eventually ϕ”true U ϕ ≡ F ϕ

¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”

Computation-Tree Logic (CTL)

atomic propositions: , , ...

boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...

path quantifiers:

Eϕϕ

Aϕ

ϕϕϕϕϕϕ

temporal modalities:

X ϕ ϕ “next ϕ”

ϕ U ψ ϕ ϕ ψ “ϕ until ψ”

ϕ “eventually ϕ”true U ϕ ≡ F ϕ

¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”

Computation-Tree Logic (CTL)

atomic propositions: , , ...

boolean combinators: ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ...

path quantifiers:

Eϕϕ

Aϕ

ϕϕϕϕϕϕ

temporal modalities:

X ϕ ϕ “next ϕ”

ϕ U ψ ϕ ϕ ψ “ϕ until ψ”

ϕ “eventually ϕ”true U ϕ ≡ F ϕ

¬ F ¬ϕ ≡ G ϕ ϕ ϕ ϕ ϕ ϕ “always ϕ”

Examples of CTL formulas

In CTL, each temporal modality is in the immediate scope of apath quantifier.

p p

p

Examples of CTL formulas

In CTL, each temporal modality is in the immediate scope of apath quantifier.

E F is reachable

p p

p

Examples of CTL formulas

In CTL, each temporal modality is in the immediate scope of apath quantifier.

E F is reachable

3

p

3

p

3

p

Examples of CTL formulas

In CTL, each temporal modality is in the immediate scope of apath quantifier.

E G(E F ) there is a path along which is always reachable

p p

p

Examples of CTL formulas

In CTL, each temporal modality is in the immediate scope of apath quantifier.

E G(E F︸ ︷︷ ︸p

) there is a path along which is always reachable

p p

p

Examples of CTL formulas

In CTL, each temporal modality is in the immediate scope of apath quantifier.

E G(E F︸ ︷︷ ︸p

) there is a path along which is always reachable

3p

3p

p

Examples of CTL formulas

In CTL, each temporal modality is in the immediate scope of apath quantifier.

Theorem ([CE81,QS82])

CTL model checking is PTIME-complete.

p p

p

[CE81] Clarke, Emerson. Design and Synthesis of Synchronization Skeletons using Branching-TimeTemporal Logic. LOP’81.[QS82] Queille, Sifakis. Specification and verification of concurrent systems in CESAR. SOP’82.

Examples of CTL formulas

In CTL∗, we have no restriction on modalities and quantifiers.

p p

p

Examples of CTL formulas

In CTL∗, we have no restriction on modalities and quantifiers.

E G F there is a path visiting infinitely many times

3

p

3

p

3

p

Examples of CTL formulas

In CTL∗, we have no restriction on modalities and quantifiers.

A(G F ⇒ G F ) any path that visits infinitely many times,

also visits infinitely many times

p p

p

Examples of CTL formulas

In CTL∗, we have no restriction on modalities and quantifiers.

Theorem ([EH86])

CTL∗ model checking is PSPACE-complete.

[EH86] Emerson, Halpern. ”Sometimes” and ”Not Never” Revisited: On Branching versus LinearTime Temporal Logic. J.ACM, 1986.

Outline of the presentation

1 Basics about CTLexpressing properties of reactive systemsefficient verification algorithms

2 Quantified CTLCTL with quantification over atomic propositionsmodel checking and satisfiability are mostly decidable

3 Temporal logics for games: ATL and extensionsexpressing properties of complex interacting systemsQCTL-based decision procedures for ATLsc

Quantified CTL [Kup95,Fre01]

QCTL extends CTL with propositional quantifiers

∃p. ϕ means that there exists a labelling of the modelwith p under which ϕ holds.

E F ∧ ∀p.[E F(p ∧ ) ⇒ A G( ⇒ p)

]

≡ uniq( )

; true if we label the Kripke structure;

; false if we label the computation tree;

[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification overAtomic Propositions. CAV, 1995.[Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.

Quantified CTL [Kup95,Fre01]

QCTL extends CTL with propositional quantifiers

∃p. ϕ means that there exists a labelling of the modelwith p under which ϕ holds.

E F ∧ ∀p.[E F(p ∧ ) ⇒ A G( ⇒ p)

]

≡ uniq( )

; true if we label the Kripke structure;

; false if we label the computation tree;

[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification overAtomic Propositions. CAV, 1995.[Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.

Quantified CTL [Kup95,Fre01]

QCTL extends CTL with propositional quantifiers

∃p. ϕ means that there exists a labelling of the modelwith p under which ϕ holds.

E F ∧ ∀p.[E F(p ∧ ) ⇒ A G( ⇒ p)

]≡ uniq( )

; true if we label the Kripke structure;

; false if we label the computation tree;

[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification overAtomic Propositions. CAV, 1995.[Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.

Quantified CTL [Kup95,Fre01]

QCTL extends CTL with propositional quantifiers

∃p. ϕ means that there exists a labelling of the modelwith p under which ϕ holds.

E F ∧ ∀p.[E F(p ∧ ) ⇒ A G( ⇒ p)

]≡ uniq( )

; true if we label the Kripke structure;

; false if we label the computation tree;

[Kup95] Kupferman. Augmenting Branching Temporal Logics with Existential Quantification overAtomic Propositions. CAV, 1995.[Fre01] French. Decidability of Quantifed Propositional Branching Time Logics. AJCAI, 2001.

Semantics of QCTL

structure semantics:

|=s ∃p.ϕ ⇔p

|= ϕ

tree semantics:

|=t ∃p.ϕ ⇔ p

p p

p

|= ϕ

Semantics of QCTL

structure semantics:

|=s ∃p.ϕ ⇔p

|= ϕ

tree semantics:

|=t ∃p.ϕ ⇔ p

p p

p

|= ϕ

Expressiveness of QCTL

QCTL can “count”:

E X1 ϕ ≡ E X ϕ ∧ ∀p. [E X(p ∧ ϕ) ⇒ A X(ϕ ⇒ p)]

E X2 ϕ ≡ ∃q. [E X1(ϕ ∧ q) ∧ E X1(ϕ ∧ ¬ q)]

QCTL can express (least or greatest) fixpoints:

µT .ϕ(T ) ≡ ∃t. [A G(t ⇐⇒ ϕ(t))∧(∀t.′(A G(t ′ ⇐⇒ ϕ(t ′)) ⇒ A G(t ⇒ t ′)))]

Theorem

QCTL, QCTL∗ and MSO are equally expressive (under bothsemantics).

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.

Expressiveness of QCTL

QCTL can “count”:

E X1 ϕ ≡ E X ϕ ∧ ∀p. [E X(p ∧ ϕ) ⇒ A X(ϕ ⇒ p)]

E X2 ϕ ≡ ∃q. [E X1(ϕ ∧ q) ∧ E X1(ϕ ∧ ¬ q)]

QCTL can express (least or greatest) fixpoints:

µT .ϕ(T ) ≡ ∃t. [A G(t ⇐⇒ ϕ(t))∧(∀t.′(A G(t ′ ⇐⇒ ϕ(t ′)) ⇒ A G(t ⇒ t ′)))]

Theorem

QCTL, QCTL∗ and MSO are equally expressive (under bothsemantics).

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.

Expressiveness of QCTL

QCTL can “count”:

E X1 ϕ ≡ E X ϕ ∧ ∀p. [E X(p ∧ ϕ) ⇒ A X(ϕ ⇒ p)]

E X2 ϕ ≡ ∃q. [E X1(ϕ ∧ q) ∧ E X1(ϕ ∧ ¬ q)]

QCTL can express (least or greatest) fixpoints:

µT .ϕ(T ) ≡ ∃t. [A G(t ⇐⇒ ϕ(t))∧(∀t.′(A G(t ′ ⇐⇒ ϕ(t ′)) ⇒ A G(t ⇒ t ′)))]

Theorem

QCTL, QCTL∗ and MSO are equally expressive (under bothsemantics).

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.

QCTL with structure semantics

Theorem

Model checking QCTL for the structure semantics isPSPACE-complete.

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.

QCTL with structure semantics

Theorem

Model checking QCTL for the structure semantics isPSPACE-complete.

Proof

Membership:

Iteratively(nondeterministically) pick a labelling,

check the subformula.

Hardness:QBF is a special case (without even using temporal modalities).

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Encode the problem of tiling finite square grids.

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Reduction: is there a finite Kripke structure such that

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Reduction: is there a finite Kripke structure such that

?

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Reduction: is there a finite Kripke structure such that

?

each state has one or two successors

A G(E X1 true ∨ E X2 true)

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Reduction: is there a finite Kripke structure such that

?

two successors of the same state have a common successor:

A G(∀z .(E X E X z ⇒ A X E X z))

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Reduction: is there a finite Kripke structure such that

?

h

h

h

h

h

h

[... many more conditions ...]

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with structure semantics

Theorem

QCTL satisfiability for the structure semantics is undecidable.

Proof

Reduction: is there a finite Kripke structure such that

?

h

h

h

h

h

h

for any tiling, there is a position where the neighbouring tilesdo not match

Given a set of tiles, whether all finite square grids can be tiled isundecidable.

[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.[LM13a] Laroussinie, M. Quantified CTL: expressiveness and complexity. Submitted, 2013.

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0

q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1

q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1

q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

Using alternating tree automata:

q0

q1q0

q1 q0 q1 q1

q1 q1 q1 q1q1 q1 q1 q1

This automaton corresponds to E U

δ(q0, ) = (q0, q1) ∨ (q1, q0)

δ(q0, ) = (q1, q1)

δ(q0, ) = (q2, q2)

δ(q1, ? ) = (q1, q1)

δ(q2, ? ) = (q2, q2)

QCTL with tree semantics

Theorem

Model checking QCTL with k quantifiers in the tree semanticsis k-EXPTIME-complete.

Satisfiability of QCTL with k quantifiers in the tree semanticsis (k+1)-EXPTIME-complete.

Proof

polynomial-size automata for CTL;

quantification is handled by projection, which first requiresremoving alternation (exponential blowup);

an automaton equivalent to a QCTL formula can be builtinductively;

emptiness of an alternating parity tree automaton can bedecided in exponential time.

Outline of the presentation

1 Basics about CTLexpressing properties of reactive systemsefficient verification algorithms

2 Quantified CTLCTL with quantification over atomic propositionsmodel checking and satisfiability are mostly decidable

3 Temporal logics for games: ATL and extensionsexpressing properties of complex interacting systemsQCTL-based decision procedures for ATLsc

Reasoning about multi-agent systems

Concurrent games

A concurrent game is made of

a transition system;

a set of agents (or players);

a table indicating the transition to be taken given the actionsof the players.

q0

q1

q2

q0 q2 q1

q1 q0 q2

q2 q1 q0

player 1

pla

yer

2

Reasoning about multi-agent systems

Concurrent games

A concurrent game is made of

a transition system;

a set of agents (or players);

a table indicating the transition to be taken given the actionsof the players.

q0

q1

q2

q0 q2 q1

q1 q0 q2

q2 q1 q0

player 1

pla

yer

2

Reasoning about multi-agent systems

Concurrent games

A concurrent game is made of

a transition system;

a set of agents (or players);

a table indicating the transition to be taken given the actionsof the players.

q0

q1

q2

q0 q2 q1

q1 q0 q2

q2 q1 q0

player 1

pla

yer

2

Reasoning about multi-agent systems

Concurrent games

A concurrent game is made of

a transition system;

a set of agents (or players);

a table indicating the transition to be taken given the actionsof the players.

Turn-based games

A turn-based game is a gamewhere only one agent plays ata time.

Reasoning about open systems

Strategies

A strategy for a given player is a function telling what to playdepending on what has happened previously.

Strategy for player :alternately go to and .

...

...

......

Reasoning about open systems

Strategies

A strategy for a given player is a function telling what to playdepending on what has happened previously.

Strategy for player :alternately go to and .

...

...

......

Reasoning about open systems

Strategies

A strategy for a given player is a function telling what to playdepending on what has happened previously.

Strategy for player :alternately go to and .

...

...

......

Temporal logics for games: ATL

ATL extends CTL with strategy quantifiers

〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.

Theorem

Model checking ATL is PTIME-complete.

[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

Temporal logics for games: ATL

ATL extends CTL with strategy quantifiers

〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.

p

p

〈〈 〉〉 F

〈〈 〉〉 F

〈〈 〉〉 G( 〈〈 〉〉 F )

p

Theorem

Model checking ATL is PTIME-complete.

[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

Temporal logics for games: ATL

ATL extends CTL with strategy quantifiers

〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.

33

p

33

p

〈〈 〉〉 F

〈〈 〉〉 F

〈〈 〉〉 G( 〈〈 〉〉 F )

p

Theorem

Model checking ATL is PTIME-complete.

[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

Temporal logics for games: ATL

ATL extends CTL with strategy quantifiers

〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.

p

p

〈〈 〉〉 F

〈〈 〉〉 F

〈〈 〉〉 G( 〈〈 〉〉 F )

p

Theorem

Model checking ATL is PTIME-complete.

[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

Temporal logics for games: ATL

ATL extends CTL with strategy quantifiers

〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.

3

p

3

p

〈〈 〉〉 F

〈〈 〉〉 F

〈〈 〉〉 G( 〈〈 〉〉 F )

p

Theorem

Model checking ATL is PTIME-complete.

[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

Temporal logics for games: ATL

ATL extends CTL with strategy quantifiers

〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.

p

p

〈〈 〉〉 F

〈〈 〉〉 F

〈〈 〉〉 G( 〈〈 〉〉 F )

p

Theorem

Model checking ATL is PTIME-complete.

[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

Temporal logics for games: ATL

ATL extends CTL with strategy quantifiers

〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.

p

p

〈〈 〉〉 F

〈〈 〉〉 F

〈〈 〉〉 G( 〈〈 〉〉 F ) ≡ 〈〈 〉〉 G p

p

Theorem

Model checking ATL is PTIME-complete.

[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

Temporal logics for games: ATL

ATL extends CTL with strategy quantifiers

〈〈A〉〉ϕ expresses that A has a strategy to enforce ϕ.

p

p

〈〈 〉〉 F

〈〈 〉〉 F

〈〈 〉〉 G( 〈〈 〉〉 F ) ≡ 〈〈 〉〉 G p

p

Theorem

Model checking ATL is PTIME-complete.

[AHK02] Alur, Henzinger, Kupferman. Alternating-time Temporal Logic. J. ACM, 2002.

ATL with strategy contexts [BDLM09]

〈〈 〉〉 G( 〈〈 〉〉 F )

consider the following strategyof Player : “always go to ”;

in the remaining tree, Playercan always enforce a visit to .

[BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.

ATL with strategy contexts [BDLM09]

〈〈 〉〉 G( 〈〈 〉〉 F )

consider the following strategyof Player : “always go to ”;

in the remaining tree, Playercan always enforce a visit to .

[BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.

ATL with strategy contexts [BDLM09]

〈〈 〉〉 G( 〈〈 〉〉 F )

consider the following strategyof Player : “always go to ”;

in the remaining tree, Playercan always enforce a visit to .

[BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.

ATL with strategy contexts [BDLM09]

〈〈 〉〉 G( 〈〈 〉〉 F )

consider the following strategyof Player : “always go to ”;

in the remaining tree, Playercan always enforce a visit to .

[BDLM09] Brihaye, Da Costa, Laroussinie, M. ATL with strategy contexts. LFCS, 2009.

What ATLsc can express

Client-server interactions for accessing a shared resource:

〈·Server·〉 G

∧

c∈Clients

〈·c ·〉 F accessc

∧¬∧c 6=c ′

accessc ∧ accessc ′

Existence of Nash equilibria:

〈·A1, ...,An·〉∧i

( 〈·Ai ·〉ϕAi⇒ ϕAi

)

Existence of dominating strategy:

〈·A·〉 [·B·] (¬ϕ ⇒ [·A·] ¬ϕ)

What ATLsc can express

Client-server interactions for accessing a shared resource:

〈·Server·〉 G

∧

c∈Clients

〈·c ·〉 F accessc

∧¬∧c 6=c ′

accessc ∧ accessc ′

Existence of Nash equilibria:

〈·A1, ...,An·〉∧i

( 〈·Ai ·〉ϕAi⇒ ϕAi

)

Existence of dominating strategy:

〈·A·〉 [·B·] (¬ϕ ⇒ [·A·] ¬ϕ)

What ATLsc can express

Client-server interactions for accessing a shared resource:

〈·Server·〉 G

∧

c∈Clients

〈·c ·〉 F accessc

∧¬∧c 6=c ′

accessc ∧ accessc ′

Existence of Nash equilibria:

〈·A1, ...,An·〉∧i

( 〈·Ai ·〉ϕAi⇒ ϕAi

)

Existence of dominating strategy:

〈·A·〉 [·B·] (¬ϕ ⇒ [·A·] ¬ϕ)

Translating ATLsc into QCTL

player A has moves mA1 , ..., mA

n ;

from the transition table, we can compute theset Next( ),A,mA

i ) of states that can be

reached from when player A plays mAi .

〈·A·〉ϕ can be encoded as follows:

∃mA1 . ∃mA

2 . . . ∃mAn .

this corresponds to a strategy: A G(mAi ⇔

∧¬mA

j );

the outcomes all satisfy ϕ:

A[G(q ∧ mA

i ⇒ X Next(q,A,mAi )) ⇒ ϕ

].

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.

Translating ATLsc into QCTL

player A has moves mA1 , ..., mA

n ;

from the transition table, we can compute theset Next( ),A,mA

i ) of states that can be

reached from when player A plays mAi .

〈·A·〉ϕ can be encoded as follows:

∃mA1 . ∃mA

2 . . . ∃mAn .

this corresponds to a strategy: A G(mAi ⇔

∧¬mA

j );

the outcomes all satisfy ϕ:

A[G(q ∧ mA

i ⇒ X Next(q,A,mAi )) ⇒ ϕ

].

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.

Translating ATLsc into QCTL

player A has moves mA1 , ..., mA

n ;

from the transition table, we can compute theset Next( ),A,mA

i ) of states that can be

reached from when player A plays mAi .

Corollary

ATLsc model checking is decidable.

Corollary

ATL0sc (memoryless quantification) model checking is decidable.

[DLM12] Da Costa, Laroussinie, M. Quantified CTL: expressiveness and model checking.CONCUR, 2012.

What about satisfiability?

Theorem

QCTL satisfiability is decidable.

But

Theorem (TW12)

ATLsc satisfiability is undecidable.

Why?

The translation from ATLsc to QCTL assumesthat the game structure is fixed!

[TW12] Troquard, Walther. On Satisfiability in ATL with Strategy Contexts. JELIA, 2012.

What about satisfiability?

Theorem

QCTL satisfiability is decidable.

But

Theorem (TW12)

ATLsc satisfiability is undecidable.

Why?

The translation from ATLsc to QCTL assumesthat the game structure is fixed!

[TW12] Troquard, Walther. On Satisfiability in ATL with Strategy Contexts. JELIA, 2012.

What about satisfiability?

Theorem

QCTL satisfiability is decidable.

But

Theorem (TW12)

ATLsc satisfiability is undecidable.

Why?

The translation from ATLsc to QCTL assumesthat the game structure is fixed!

[TW12] Troquard, Walther. On Satisfiability in ATL with Strategy Contexts. JELIA, 2012.

Satisfiability for turn-based games

Theorem (LM13b)

When restricted to turn-based games, ATLsc satisfiability isdecidable.

player has moves , and .

a strategy can be encoded by marking some ofthe nodes of the tree with proposition movA.

〈·A·〉ϕ can be encoded as follows:

∃movA.

it corresponds to a strategy: A G(turnA ⇒ E X1 movA);

the outcomes all satisfy ϕ: A[G(turnA ∧ X movA) ⇒ ϕ

].

[LM13b] Laroussinie, M. Satisfiability of ATL with strategy contexts. Gandalf, 2013.

Satisfiability for turn-based games

Theorem (LM13b)

When restricted to turn-based games, ATLsc satisfiability isdecidable.

player has moves , and .

a strategy can be encoded by marking some ofthe nodes of the tree with proposition movA.

〈·A·〉ϕ can be encoded as follows:

∃movA.

it corresponds to a strategy: A G(turnA ⇒ E X1 movA);

the outcomes all satisfy ϕ: A[G(turnA ∧ X movA) ⇒ ϕ

].

[LM13b] Laroussinie, M. Satisfiability of ATL with strategy contexts. Gandalf, 2013.

Satisfiability for turn-based games

Theorem (LM13b)

When restricted to turn-based games, ATLsc satisfiability isdecidable.

Theorem

Model checking ATLsc with only memoryless quantification isPSPACE-complete.

[LM13b] Laroussinie, M. Satisfiability of ATL with strategy contexts. Gandalf, 2013.

What about Strategy Logic? [CHP07,MMV10]

Strategy logic

Explicit quantification over strategies + strategy assignement

Example

〈·A·〉ϕ ≡ ∃σ1.assign(σ1,A).ϕ

Strategy logic can also be translated into QCTL.

Theorem

Strategy-logic satisfiability is decidable when restricted toturn-based games.

Memoryless strategy-logic satisfiability is undecidable.

[CHP07] Chatterjee, Henzinger, Piterman. Strategy Logic. CONCUR, 2007.[MMV10] Mogavero, Murano, Vardi. Reasoning about strategies. FSTTCS, 2010.

Conclusions and future works

Conclusions

QCTL is a powerful extension of CTL;

it is equivalent to MSO over finite graphs and regular trees;

it is a nice tool to understand temporal logics for games (ATLwith strategy contexts, Strategy Logic, ...);

Future directions

Defining interesting (expressive yet tractable) fragments ofthose logics;

Obtaining practicable algorithms.

Considering randomised strategies.

Conclusions and future works

Conclusions

QCTL is a powerful extension of CTL;

it is equivalent to MSO over finite graphs and regular trees;

it is a nice tool to understand temporal logics for games (ATLwith strategy contexts, Strategy Logic, ...);

Future directions

Defining interesting (expressive yet tractable) fragments ofthose logics;

Obtaining practicable algorithms.

Considering randomised strategies.