Quantifying Bounds in Strategy Logic

LIPICS - Leibniz International Proceedings in Informatics, Aug 2018

Program synthesis constructs programs from specifications in an automated way. Strategy Logic (SL) is a powerful and versatile specification language whose goal is to give theoretical foundations for program synthesis in a multi-agent setting. One limitation of Strategy Logic is that it is purely qualitative. For instance it cannot specify quantitative properties of executions such as "every request is quickly granted", or quantitative properties of trees such as "most executions of the system terminate". In this work, we extend Strategy Logic to include quantitative aspects in a way that can express bounds on "how quickly" and "how many". We define Prompt Strategy Logic, which encompasses Prompt LTL (itself an extension of LTL with a prompt eventuality temporal operator), and we define Bounded-Outcome Strategy Logic which has a bounded quantifier on paths. We supply a general technique, based on the study of automata with counters, that solves the model-checking problems for both these logics.

A PDF file should load here. If you do not see its contents the file may be temporarily unavailable at the journal website or you do not have a PDF plug-in installed and enabled in your browser.

Alternatively, you can download the file locally and open with any standalone PDF reader:

http://drops.dagstuhl.de/opus/volltexte/2018/9690/pdf/LIPIcs-CSL-2018-23.pdf

Quantifying Bounds in Strategy Logic

C S L Quantifying Bounds in Strategy Logic Sasha Rubin 0 2 4 5 0 Aniello Murano University of Naples “Federico II” , Naples , Italy 1 University of Naples “Federico II” , Naples, Italy https://orcid.org/0000-0002-9081-2920 2 Bastien Maubert 3 CNRS, LaBRI, Bordeaux, France Alan Turing Institute of data science , London , United Kingdom https ://orcid. org/0000-0002-6576-4680 4 Nathanaël Fijalkow 5 University of Naples “Federico II” , Naples , Italy Program synthesis constructs programs from specifications in an automated way. Strategy Logic (SL) is a powerful and versatile specification language whose goal is to give theoretical foundations for program synthesis in a multi-agent setting. One limitation of Strategy Logic is that it is purely qualitative. For instance it cannot specify quantitative properties of executions such as “every request is quickly granted”, or quantitative properties of trees such as “most executions of the system terminate”. In this work, we extend Strategy Logic to include quantitative aspects in a way that can express bounds on “how quickly” and “how many”. We define Prompt Strategy Logic, which encompasses Prompt LTL (itself an extension of LTL with a prompt eventuality temporal operator), and we define Bounded-Outcome Strategy Logic which has a bounded quantifier on paths. We supply a general technique, based on the study of automata with counters, that solves the model-checking problems for both these logics. 2012 ACM Subject Classification Theory of computation → Logic and verification and phrases Prompt LTL; Strategy Logic; Model checking; Automata with counters - In order to reason about strategic aspects in distributed systems, temporal logics of programs (such as LTL [38], CTL [5] and CTL∗ [19]) have been extended with operators expressing the existence of strategies for coalitions of components. Among the most successful proposals are Alternating-time Temporal Logic (ATL) [3] and, more recently, the more expressive Strategy Logic (SL) [13, 36]. Both logics can express the existence of strategies for coalitions that 1 This project has received funding from the Alan Turing Institute under EPSRC grant EP/N510129/1 and the DeLTA project (ANR-16-CE40-0007). 2 This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant agreement No 709188. ensure some temporal properties against all possible behaviours of the remaining components. Moreover, if such strategies exist, one can also obtain witnessing finite-state strategies. As a result, synthesizing reactive systems from temporal specifications [39, 30, 31] can be reduced to model checking such strategic logics. Although quite expressive, for instance Strategy Logic can express important gametheoretic concepts such as the existence of Nash equilibria, such logics can only express qualitative properties. On the other hand important properties of distributed systems, such as bounding the maximal number of steps between an event and its reaction, are quantitative. Parametric extensions of temporal logics have been introduced to capture such properties. A simple way to extend temporal operators is to annotate them with constant bounds, e.g., F≤kϕ says that ϕ holds within k steps where k ∈ N is a constant. However, one may not know such bounds or care for their exact value when writing the specification (or it may not be practical to compute the bound). Instead, one may replace the constants by variables N and ask about the possible valuations of the variables that make the formula true. For instance, Prompt-LTL [2, 32] is an extension of LTL with the operator F≤N where N is a (unique) variable. The model-checking problem asks if there exists a valuation of the variable N such that the formula holds. In order to reason about and synthesize strategies that ensure such parametric properties, we introduce “Prompt Strategy Logic”, an extension of SL with the F≤N operator. For instance, the formula ∃s1(a1, s1)∀s2(a2, s2)∃N AGF≤N p expresses that there exists a strategy for agent a1 such that for all strategies of agent a2 there is a bound N (that can depend on the strategy for a2) such that in all outcomes (generated by the remaining agents) the atom p holds at least once every N steps. Another way to parameterise temporal logics is to bound the path quantifiers, expressing, for instance, that at least k different paths satisfy ψ, or all but k paths satisfy ψ [8]. Such operators can bound, for instance, how well a linear-time temporal property holds, thus giving a measure of “coverage”. We introduce “Bounding-Outcome Strategy Logic” which extends Strategy Logic with a bounded outcome quantifier A≤N which allows one to express that all but N outcomes satisfy some property. For instance, the formula ∃s(a, s)∃N A≤N GFp expresses that there exists a strategy for agent a such that for all but finitely many outcomes, the atom p holds infinitely often. The algorithmic contribution of this paper is a solution to the model-checking problem for both these logics (and their combination). We do this by applying the theory of regular cost functions. A cost function is an equivalence class of mappings from the domain (e.g., infinite words) to N ∪ {∞} with an equivalence relation that, intuitively speaking, forgets the precise values and focuses on boundedness [14, 16]. Our results allow us to solve a problem left open in [ 10 ] that considers games with two players and a third player called “nature” (indicating that it is uncontrollable), and asks whether there is a strategy for player 1 (having very general linear-time objectives) such that for all strategies of player 2, in the resulting tree (i.e., where nature’s strategy is not fixed), the number of plays in which player 1 does not achieve her objective is “small”. In particular, in case the linear-time objective is the LTL formula ψ and “small” is instantiated to mean “finite”, our main result allows one to solve this problem by reducing to model checking Bounding-outcome Strategy Logic formula ∃s1(a1, s1)∀s2(a2, s2)∃N A≤N ¬ψ. In fact our automata construction can be adapted to deal with all omega-regular objectives. Related work. Parametric-LTL [2] extends LTL with operators of the form F≤x and G≤x, where x is a variable. The interpretation of F≤xψ is that ψ holds within x steps, and the interpretation of G≤x is that ψ holds for at least the next x steps. That paper studies variations on the classic decision problems, e.g., model checking asks to decide if there is a valuation of the variables x1, · · · , xk such that the formula ϕ(x1, · · · , xk) holds in the given structure. Note that for this problem, the formula is equivalent to one in which all variables are replaced by a single variable. The complexity of these problems is no worse than for ordinary LTL, i.e., PSPACE. The technique used in this paper to prove these upper-bounds is a pumping lemma that allows one to reduce/enlarge the parameters. Parametric-LTL has been studied in the context of open systems and games. For instance, [41] studies the problem of synthesizing a strategy for an agent with a parametric-LTL objective in a turn-based graph-game against an adversarial environment. A number of variations are studied, e.g., decide whether there exists a valuation (resp. for all valuations) of the variables such that there exists a strategy for the agent that enforces the given parametricLTL formula. The complexity of these problems is, again, no worse than that of solving ordinary LTL games, i.e., 2EXPTIME. The technique used to prove these upper bounds is the alternating-colour technique of [32] that allows one to replace a prompt formula by an LTL formula, and was originally introduced to reason about Prompt-LTL, the fragment of parametric-LTL without G≤x. We remark that Church’s synthesis for Prompt-LTL formulas was shown in [32] to have complexity no worse than that of LTL, i.e., 2EXPTIME. Promptness was first studied in the context of multi-agent systems in [4]. They study the model-checking problem for the logic Prompt-ATL∗ and its fragments, for memoryless and memoryful strategies. Again, one finds that the complexity of model checking prompt variations is no worse than the non-prompt ones. That paper also studies the case of systems with imperfect information. We remark that the formula of Prompt Strategy Logic mentioned above is not a formula of Prompt-ATL∗ because the bound N can depend on the strategy of agent a2, which is not possible in Prompt-ATL∗. Promptness has also been studied in relation with classic infinitary winning conditions in games on graphs. In bounded parity games, the even colors represent requests and odd colors represent grants, and the objective of the player is to ensure that every request is promptly followed by a larger grant [12, 37]. We discuss this in Example 6. Such winning conditions have been generalised to games with costs in [21, 22], leading to the construction of efficient algorithms for synthesizing controllers with prompt specifications. Promptness in automata can be studied using various notions of automata with counters that only affect the acceptance condition. For instance, a run in a prompt Büchi-automaton is successful if there is a bound on the time between visits to the Büchi set. The expressive power, the cost of translating between such automata, and complexity of decision problems (such as containment) have been studied in [1, 12]. The theory of regular cost functions [14, 16] defines automata and logics able to express boundedness properties in various settings. For instance, the logics Prompt-LTL, PLTL and kTL are in some precise sense subsumed by the LTL≤ logic from [27], which extends LTL with a bounded until ϕU≤N ϕ0 allowing ϕ not to hold in at most N (possibly non-consecutive) places before ϕ0 holds. A decision procedure for this logic has been given through the compilation into cost automata on words. In this paper, we rely on several results from the theory of regular cost functions, and develop some new ones for the study of Prompt Strategy Logic and Bounding-outcome Strategy Logic. A major open problem in the theory of regular cost functions over infinite trees is the equivalence between general cost automata. To handle the bounded until operator in branching-time logics one would need to first prove this equivalence, which has been proved to be beyond our reach today [20]. In this work we rely on a weaker version of this equivalence for distance automata. To the best of our knowledge, the only previous works on quantitative extensions of Strategy Logic consider games with counters and allow for the expression of constraints on their values in formulas. The model-checking problem for these logics is undecidable, even when restricted to the case of energy constraints, which can only state that the counters remain above certain thresholds [24]. For the Boolean Goal fragment of Strategy Logic in the case of one counter, the problem is still open [9, 24]. The present work thus provides the first decidable quantitative extension of Strategy Logic. Plan. In Section 2 we recall Branching-time Strategy Logic. We introduce and motivate our two quantitative extensions, Prompt-SL and BOSL, in Section 3 and Section 4 respectively. In Section 5 we solve their model-checking problem by introducing the intermediary logic Bound-QCTL∗ and developing an automata construction based on automata with counters. 2 Branching-time Strategy Logic In this section we recall Branching-time Strategy Logic [26], a variant of Strategy Logic [36]. For the rest of the paper we fix a number of parameters: AP is a finite set of atomic propositions, Ag is a finite set of agents or players, Act is a finite set of actions, and Var is a finite set of strategy variables. The alphabet is Σ = 2AP. Notations. A finite (resp. infinite) word over Σ is an element of Σ∗ (resp. Σω). The length of a finite word w = w0w1 . . . wn is |w| = n + 1, and last(w) = wn is its last letter. Given a finite (resp. infinite) word w and 0 ≤ i < |w| (resp. i ∈ N), we let wi be the letter at position i in w, w≤i is the prefix of w that ends at position i and w≥i is the suffix of w that starts at position i. We write w 4 w0 if w is a prefix of w0. The cardinal of a set S is written Card(S). 2.1 Games We start with classic notions related to concurrent games on graphs. I Definition 1 (Game). A concurrent game structure (or game for short) is a structure G = (V, v0, Δ, `) where V is the set of vertices, v0 ∈ V is the initial vertex, Δ : V ×ActAg → V is the transition function, and ` : V → Σ is the labelling function. Joint actions. In a vertex v ∈ V , each player a ∈ Ag chooses an action c(a) ∈ Act, and the game proceeds to the vertex Δ(v, c), where c ∈ ActAg stands for the joint action (c(a))a∈Ag. Given a joint action c = (c(a))a∈Ag and a ∈ Ag, we let c(a) denote c(a). Plays and strategies. A finite (resp. infinite) play is a finite (resp. infinite) word ρ = v0 . . . vn (resp. π = v0v1 . . .) such that for every i such that 0 ≤ i < |ρ| − 1 (resp. i ≥ 0), there exists a joint action c such that Δ(vi, c) = vi+1. A strategy is a partial function σ : V + * Act mapping each finite play to an action, and Strat is the set of all strategies. Assignments. An assignment is a partial function χ : Ag ∪ Var * Strat, assigning to each player and variable in its domain a strategy. For an assignment χ, a player a and a strategy σ, χ[a 7→ σ] is the assignment of domain dom(χ) ∪ {a} that maps a to σ and is equal to χ on the rest of its domain, and χ[s 7→ σ] is defined similarly, where s is a variable; also, χ[a 7→?] is the assignment of domain dom(χ) \ {a}, on which it is equal to χ. Outcomes. For assignment χ and finite play ρ, Out(χ, ρ) is the set of infinite plays that start with ρ and are then extended by letting players follow the strategies assigned by χ. Formally, Out(χ, ρ) is the set of plays ρ · v1v2 . . . such that for all i ≥ 0, there exists c such that for all a ∈ dom(χ) ∩ Ag, ca ∈ χ(a)(ρ · v1 . . . vi) and vi+1 = Δ(vi, c), with v0 = last(ρ). 2.2 BSL syntax The core of Branching-time Strategy Logic, on which we build Prompt Strategy Logic and Bounding-outcome Strategy Logic, is the full branching-time temporal logic CTL∗. This differs from usual variants of Strategy Logic which are based on the linear-time temporal logic LTL. The main difference is the introduction of an outcome quantifier which quantifies on outcomes of the currently fixed strategies. While in SL temporal operators could only be evaluated in contexts where all agents were assigned a strategy, this outcome quantifier allows for evaluation of (branching-time) temporal properties on partial assignments of strategies to agents. We recall Branching-time Strategy Logic, introduced in [26], which has the same expressive power as SL but allows to express branching-time properties without resorting to computationally expensive strategy quantifications. At the syntax level, in addition to usual boolean connectives and temporal operators, we have four constructs: strategy quantification: ∃sϕ, which means “there exists a strategy s such that ϕ holds”, assigning a strategy to a player: (a, s)ϕ, which is interpreted as “when the agent a plays according to s, ϕ holds”, unbinding a player: (a, ?)ϕ, which is interpreted as “ϕ holds after agent a has been unbound from her strategy, if any”, and quantifying over outcomes: Aψ, which reads as “ψ holds in all outcomes of the strategies currently assigned to agents”. The difference between BSL and SL lies in the last two constructs. Note that unbinding agents was irrelevant in linear-time SL, where assignments need to be total to evaluate temporal properties. I Definition 2 (BSL syntax). The set of BSL formulas is the set of state formulas given by the following grammar: ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ∃sϕ | (a, s)ϕ | (a, ?)ϕ | Aψ ψ ::= ϕ | ¬ψ | ψ ∨ ψ | Xψ | ψUψ, where p ∈ AP, a ∈ Ag and s ∈ Var. We use classic abbreviations > = p ∨ ¬p, Fψ = >Uψ, Gψ = ¬F¬ψ and ∀sϕ = ¬∃s¬ϕ. A variable s appears free in a formula ϕ if it appears in a binding operator (a, s) that is not in the scope of any strategy quantifier hhsii. 2.3 BSL semantics Given a formula ϕ ∈ BSL, an assignment is variable-complete for ϕ if its domain contains all free strategy variables of ϕ. I Definition 3 (BSL semantics). The semantics of a state formula is defined on a game G, an assignment χ that is variable-complete for ϕ, and a finite play ρ. For a path formula ψ, the finite play is replaced with an infinite play π and an index i ∈ N. The definition by mutual induction is as follows: G, χ, ρ |= p G, χ, ρ |= ¬ϕ G, χ, ρ |= ϕ ∨ ϕ0 G, χ, ρ |= ∃sϕ G, χ, ρ |= (a, s)ϕ G, χ, ρ |= (a, ?)ϕ G, χ, ρ |= Aψ G, χ, π, i |= ϕ G, χ, π, i |= ¬ψ G, χ, π, i |= ψ ∨ ψ0 G, χ, π, i |= Xψ G, χ, π, i |= ψUψ0 if if if if if if if if if if if if p ∈ `(last(ρ)) G, χ, ρ 6|= ϕ G, χ, ρ |= ϕ or G, χ, ρ |= ϕ0 there exists σ ∈ Strat s.t. G, χ[s 7→ σ], ρ |= ϕ G, χ[a 7→ χ(s)], ρ |= ϕ G, χ[a 7→?], ρ |= ϕ for all π ∈ Out(χ, ρ), G, χ, π, |ρ| − 1 |= ψ G, χ, π≤i |= ϕ G, χ, π, i 6|= ψ G, χ, π, i |= ψ or G, χ, π, i |= ψ0 G, χ, π, i + 1 |= ψ ∃ j ≥ i s.t. G, χ, π, j |= ψ0 and ∀ k s.t. i ≤ k < j, G, χ, π, k |= ψ BSL has the same expressivity as SL, and there are linear translations in both directions [26]. More precisely, the translation from BSL to SL is linear in the size of the formula times the number of players; indeed, the outcome quantifier is simulated in SL by a strategy quantification and a binding for each player who is not currently bound to a strategy. This translation may thus increase the nesting and alternation depth of strategy quantifiers in the formula, which is known to increase the complexity of the model-checking problem [13, 36]. 3 Prompt Strategy Logic In this section we introduce Prompt-SL, an extension of both BSL and Prompt-LTL. 3.1 Prompt-SL syntax The syntax of Prompt-SL extends that of branching-time strategy logic BSL with two additional constructs, where N is a variable over natural numbers: a bounded version of the classical “eventually” operator written F≤N , and an existential quantification on the values of variable N , written ∃N . As in Prompt-LTL, the formula F≤N ψ states that ψ will hold at the latest within N steps from the present. For a formula ϕ of Prompt-SL there is a unique bound variable N : indeed, in the spirit of Prompt-LTL where a unique bound must exist for all prompteventualities, formulas of our logic cannot use more than one bound variable. However, in Prompt-SL, existential quantification on N is part of the syntax, which allows to freely combine quantification on the (unique) bound variable N with other operators of the logic. In particular one can express the existence of a unique bound that should work for all strategies, or instead that the bound may depend on the strategy (see Example 6). I Definition 4 (Prompt-SL syntax). The syntax of Prompt-SL formulas is defined by the following grammar: where p ∈ AP, s ∈ Var, a ∈ Ag and N is a fixed bounding variable. A Prompt-SL sentence is a state formula with no free strategy variable, in which every F≤N is in the scope of some ∃N , and F≤N and ∃N always appear positively, i.e. under an even number of negations. 3.2 Prompt-SL semantics We now define the semantics of Prompt-SL. I Definition 5 (Prompt-SL semantics). The semantics is defined inductively as follows, where ϕ (resp. ψ) is a cost-SL state (resp. path) formula, G is a game, χ is an assignment variable-complete for ϕ (resp. ψ), ρ is a finite play, π an infinite one, i ∈ N is a point in time and n ∈ N is a bound. G, χ, ρ, n |= p G, χ, ρ, n |= ¬ϕ G, χ, ρ, n |= ϕ ∨ ϕ0 G, χ, ρ, n |= ∃sϕ G, χ, ρ, n |= (a, s)ϕ G, χ, ρ, n |= (a, ?)ϕ G, χ, ρ, n |= Aψ G, χ, ρ, n |= ∃N ϕ G, χ, π, i, n |= ϕ if G, χ, π, i, n |= ¬ψ if G, χ, π, i, n |= ψ ∨ ψ0 if G, χ, π, i, n |= Xψ if G, χ, π, i, n |= ψUψ0 if G, χ, π, i, n |= F≤N ψ if if if if if if if if if p ∈ `(last(ρ)) G, χ, ρ, n 6|= ϕ G, χ, ρ, n |= ϕ or G, χ, ρ, n |= ϕ0 there exists σ ∈ Strat s.t. G, χ[s 7→ σ], ρ, n |= ϕ G, χ[a 7→ χ(s)], ρ, n |= ϕ G, χ[a 7→?], ρ, n |= ϕ for all π ∈ Out(χ, ρ), G, χ, π, |ρ| − 1, n |= ϕ there exists n0 ∈ N such that G, χ, ρ, n0 |= ϕ G, χ, π≤i, n |= ϕ G, χ, π, i, n 6|= ψ G, χ, π, i, n |= ψ or G, χ, π, i, n |= ψ0 G, χ, π, i + 1, n |= ψ ∃ j ≥ i s.t. G, χ, π, j, n |= ψ0 and ∀ k s.t. i ≤ k < j, G, χ, π, k, n |= ψ there exists j ∈ [i, n] such that G, χ, π, j, n |= ψ. " " The semantics of a sentence Φ does not depend on the bound n, and we may write G, χ, ρ |= Φ if G, χ, ρ, n |= Φ for some n. In addition a sentence does not require an assignment for its evaluation. Given a game G with initial vertex v0 and a sentence Φ, we write G |= Φ if G, ∅, v0 |= Φ, where ∅ is the empty assignment. I Example 6. In bounded parity games [12, 37] the odd colours represent requests and even colours represent grants, and the objective of the player a1 is to ensure against player a2 that every request is promptly followed by a larger grant. Solving such games can be cast as a model-checking problem of the Prompt-SL formula ∃s1(a1, s1)∀s2(a2, s2)∃N AG ^ c → F≤N c odd _ d>c even # d on the structure in which every vertex is labelled by its color. The finitary parity condition relaxes the constraint by only requiring requests that appear infinitely often to be promptly granted, and solving such games can be reduced to model checking the Prompt-SL formula ∃s1(a1, s1)∀s2(a2, s2)∃N AG ^ (c ∧ GFc) → F≤N c odd _ d>c even # d . Observe that in both these definitions, the bound on the delay between requests and grants can depend on the outcome, i.e. on the opponent’s strategy. We can also express uniform variants of these objectives by moving the quantification on the bound ∃N before the quantification on opponent’s strategies ∀s2. Such games are studied in the context of the theory of regular cost functions [14, 16, 15], and their relationship to the non-uniform variants has been investigated in [11]. The solution to the model-checking problem for Prompt-SL that we present here allows us to solve both types of games, uniform and non-uniform. 4 Bounding-outcomes Strategy Logic We now define our second quantitative extension of Strategy Logic, which we call Boundingoutcomes Strategy Logic, or BOSL. BOSL can also be seen as Prompt-SL without the bounded eventually F≤N but with the novel bounded outcome quantifier A≤N . While formula Aψ states that ψ holds in all outcomes of the current assignment, A≤N ψ states that ψ holds in all of these outcomes except for at most N of them. I Definition 7 (BOSL syntax). The syntax of BOSL formulas is given by the following grammar: State formulas: Path formulas: ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ∃sϕ | (a, s)ϕ | (a, ?)ϕ | Aψ | A≤N ψ | ∃N ϕ ψ ::= ϕ | ¬ψ | ψ ∨ ψ | Xψ | ψUψ where p ∈ AP, s ∈ Var, a ∈ Ag and N is a fixed bounding variable. A BOSL sentence is a state formula with no free strategy variable, in which every A≤N is in the scope of some ∃N , and where A≤N and ∃N always appear positively, i.e. under an even number of negations. 4.2 BOSL semantics I Definition 8 (BOSL semantics). We only give the definition for the new operator A≤N , the others are as in Definition 5. G, χ, ρ, n |= A≤N ψ if Card({π ∈ Out(ρ, χ) : G, χ, π, |ρ| − 1, n 6|= ψ}) ≤ n The full semantics can be found in Appendix A.1. Once again, for a sentence Φ we write G |= Φ if G, ∅, v0, n |= Φ for some n ∈ N, where ∅ is the empty assignment. I Example 9. As an example we consider the framework of Carayol and Serre [ 10 ] that considers games with two players and a third player called “nature”. The usual semantics is for nature to be a random player, in which case we are interested in whether player 1 has a strategy ensuring to win almost all paths. The paper [ 10 ] suggests other formalisations for the third player, of topological, measure-theoretic, and combinatorial nature, and provides general reductions. For instance, one may fix a constant N and write the following formula ∃s1(a1, s1)∀s2(a2, s2)A≤N ψ, stating that player a1 has a strategy ensuring to win all but N paths. If N is a constant the above question is solved in [ 10 ]. However the latter work leaves open the question of ensuring that player a1 wins all but a bounded number of paths, which is expressible by the Bounding-outcome Strategy Logic formula ∃N ∃s1(a1, s1)∀s2(a2, s2)A≤N ψ. One could also consider the variant where the bound can depend on the opponent’s strategy, which can be expressed by the formula ∃s1(a1, s1)∀s2∃N (a2, s2)A≤N ψ. In this paper we show that the model-checking problem for Bounding-outcome Strategy Logic is decidable, thereby giving a solution to both variants of this question. Model checking In this section we solve the model-checking problem for both Prompt-SL and BOSL with a uniform approach which, in fact, works also for the combination of the two logics. As done in [35] for ATL with strategy context, in [6] for an extension of it with imperfect information and in [7] for Strategy Logic with imperfect information, we go through an adequate extension of QCTL∗, which itself extends CTL∗ with second-order quantification. This approach makes automata constructions and their proof of correctness easier and clearer. In our case we define an extension of QCTL∗ called Bound-QCTL∗, which contains the bounded eventually F≤N from Prompt-LTL and Prompt-SL, a bounded path quantifier A≤N similar to the bounded outcome quantifier from BOSL, and the quantifier on bounds ∃N present in both Prompt-SL and BOSL. We then recall definitions and results about cost automata, that we use to solve the model-checking problem for Bound-QCTL∗. We finally solve the model-checking problem for both Prompt-SL and BOSL by reducing them to model checking Bound-QCTL∗. 5.1 Bound Quantified CTL* In this section we define Bound Quantified CTL∗, or Bound-QCTL∗, which extends PromptLTL to the branching-time setting and adds quantification on atomic propositions. One can also see it as an extension of Quantified CTL∗ [40, 29, 30, 23, 34] with the bounded eventually operator and a bounded version of the universal path quantifier. Unlike Prompt-LTL, but similarly to our Prompt-SL and BOSL, an existential quantification on the bound for the bounded eventually and bounded outcome quantifier is also part of the syntax. 5.1.1 Bound-QCTL* syntax I Definition 10. The syntax of Bound-QCTL∗ is defined by the following grammar: ϕ = p | ¬ϕ | ϕ ∨ ϕ | Aψ | A≤N ψ | ∃p ϕ | ∃N ϕ ψ = ϕ | ¬ψ | ψ ∨ ψ | Xψ | ψUψ | F≤N ψ where p ∈ AP, and N is a fixed bounding variable. As usual, formulas of type ϕ are called state formulas, those of type ψ are called path formulas, and QCTL∗ consists of all the state formulas defined by the grammar. We further distinguish between positive formulas, in which operators F≤N , A≤N and ∃N appear only positively (under an even number of negations), and negative formulas, in which operators F≤N , A≤N and ∃N appear only negatively (under an odd number of negations). A Bound-QCTL∗ sentence is a positive formula such that all operators F≤N and A≤N in the formula are in the scope of some ∃N . Note that we will be interested in model checking sentences, and every subformula of a sentence is either positive or negative. 5.1.2 Bound-QCTL* semantics Bound-QCTL∗ formulas are evaluated on (unfoldings of) Kripke structures. I Definition 11. A (finite) Kripke structure is a tuple S = (S, s0, R, `), where S is a finite set of states, s0 ∈ S is an initial state, R ⊆ S × S is a left-total transition relation3, and ` : S → Σ is a labelling function. 3 i.e., for all s ∈ S, there exists s0 such that (s, s0) ∈ R. A path in S is a finite word λ over S such that for all i, (λi, λi+1) ∈ R. For s ∈ S, we let Paths(s) ⊆ S+ be the set of all paths that start in s. Trees. Let S be a finite set of directions and Σ a set of labels. A (Σ, S)-tree (or simply tree) is a pair t = (τ, `) where ` : τ → Σ is a labelling and τ ⊆ S+ is the domain such that: there exists r ∈ S+, called the root of τ , such that each u ∈ τ starts with r, i.e. r 4 u, if u · s ∈ τ and u · s 6= r, then u ∈ τ , if u ∈ τ then there exists s ∈ S such that u · s ∈ τ . The elements of τ are called nodes. If u · s ∈ τ , we say that u · s is a child of u. A branch λ in t is an infinite sequence of nodes such that λ0 ∈ τ and for all i, λi+1 is a child of λi, and Branches(t, u) is the set of branches that start in node u. We let Branches(t) denote the set of branches that start in the root. If S is a singleton, a tree becomes an infinite word. I Definition 12. The tree unfolding of a Kripke structure S from state s is the tree tS (s) = (Paths(s), `0), where for every u ∈ Paths(s), we have `0(u) = `(last(u)). We may write tS for tS (s0), the unfolding from the initial state. Projection and subtrees. Given two trees t, t0 and a proposition p, we write t ≡p t0 if they have same domain τ and for all p0 in AP such that p0 6= p, for all u in τ , we have p0 ∈ `(u) if, and only if, p0 ∈ `0(u). Given a tree t = (τ, `) and a node u ∈ τ , we define the subtree of t rooted in u as the tree tu = (τu, `0) where τu = {v ∈ S+ : u 4 v} and `0 is ` restricted to τu. I Definition 13. The semantics t, u, n |= ϕ and t, λ, n |= ψ are defined inductively, where ϕ is a Bound-QCTL∗ state formula, ψ is a Bound-QCTL∗ path formula, t = (τ, `) is a tree, u is a node, λ is a branch in t, and n in N a bound (the inductive cases for classic CTL∗ operators can be found in Appendix A.2): t, u, n |= A≤N ψ t, u, n |= ∃p ϕ t, u, n |= ∃N ϕ t, λ, n |= F≤N ψ if if if if Card({λ ∈ Branches(t, u) : t, λ, n 6|= ψ}) ≤ n ∃ t0 ≡p t such that t0, u, n |= ϕ ∃ n0 ∈ N such that t, u, n0 |= ϕ, ∃ j such that 0 ≤ j ≤ n and t, λ≥j , n |= ψ The value JϕKinf(t) (resp. JϕKsup(t)) of a positive (resp. negative) state formula ϕ on a tree t with root r is defined as JϕKinf(t) = inf {n ∈ N : t, r, n |= ϕ} and JϕKsup(t) = sup {n ∈ N : t, r, n |= ϕ} , with the usual convention that inf ∅ = ∞ and sup ∅ = 0. In case it is not a positive or negative formula, its value is undefined. We remark that {n ∈ N : t, r, n |= ϕ} is downward (resp. upward) closed if ϕ is negative (resp. positive). The value of a sentence Φ is always either 0 or ∞ (recall that sentences are necessarily positive formulas and N is always quantified), and given a Kripke structure S, we write S |= Φ if JΦKinf(tS ) = 0. 5.2 Regular cost functions In this section we develop the theory of regular cost functions over trees for distance automata. To this end we define and study the two dual models of distance and distance-automata for recognising cost functions [14], referred to as cost automata. Let E be a set of structures (such as infinite words or trees). We define an equivalence relation ≈ on functions E → N ∪ {∞} by f ≈ g if for all X ⊆ E, f (X) is bounded if, and only if, g(X) is bounded. A cost function over E is an equivalence class of the relation ≈. In Section 5.2.1 we define cost games whose objectives may refer to a single counter that, in each step, can be incremented or left unchanged. In Section 5.2.2 we define automata whose semantics are given using cost games. We introduce distance-automata and their duals distance-automata that compute functions E → N ∪ {∞}. In Section 5.2.3 we focus on automata over infinite words and the notion of history-deterministic automata. The novel technical contribution of this section is an extension of the classical property of history-deterministic automata: the original result says that given a history-deterministic automaton over infinite words, one can simulate it along every branch of a tree. This is the key argument to handle the A operator in Prompt-SL. In Section 5.2.4 we extend this result by allowing the automaton to skip a bounded number of paths, which will allow us to capture the bounded-outcome operator A≤N in BOSL. 5.2.1 Cost games The semantics of cost automata are given by turn-based two-player games, which are essentially a special case of the general notion of games given in Section 3.2. We give here a slightly modified definition better fitting the technical developments. I Definition 14. A game is given by G = (V, VE , VA, v0, E, c), where V = VE ] VA is a set of vertices divided into the vertices VE controlled by Eve and the vertices VA controlled by Adam, v0 ∈ V is an initial vertex, E ⊆ V × V is a left-total transition relation, c : V → Ω is a labelling function. A finite (resp. infinite) play is a finite (resp. infinite) word ρ = v0 . . . vn (resp. π = v0v1 . . .) such that for every i such that 0 ≤ i < |ρ| − 1 (resp. i ≥ 0), (vi, vi+1) ∈ E. A strategy for Eve (resp. for Adam) is a function σ : V ∗ · VE → V (resp. σ : V ∗ · VA → V ) such that for all finite play ρ ∈ V ∗ · VE (resp. ρ ∈ V ∗ · VA), we have (last(ρ), σ(ρ)) ∈ E. Given a strategy σ for Eve and σ0 for Adam, we let Outcome(σ, σ0) be the unique infinite play that starts in v0 and is consistent with σ and σ0. An objective is a set W ⊆ Ωω. To make the objective explicit we speak of W -games, which are games with objective W . A strategy σ for Eve ensures W ⊆ Ωω if for all strategy σ0 of Adam, the infinite word obtained by applying c to each position of the play Outcome(σ, σ0) is in W . Eve wins the W -game G if there exists a strategy for her that ensures W . The same notions apply to Adam. We now introduce the objectives we will be using. Given d ∈ N∗, the parity objective parity ⊆ {1, . . . , d}ω is the set of infinite words in which the maximum label appearing infinitely many times is even. The distance objective uses the set of labels { , i} acting on a counter taking values in the natural numbers and initialised to 0. The labels and i are seen as actions on the counter: the action leaves the counter unchanged and i increments the counter by 1. For n ∈ N, the distance objective distance(n) ⊆ { , i}ω is the set of infinite words such that the counter is bounded by n. The regular distance objective fininc ⊆ { , i}ω is the set of infinite words such that the counter is incremented finitely many times. The co-distance objective uses set of labels { , i}, where and i have the same interpretation as in distance(n). For n ∈ N, the objective distance(n) ⊆ { , i}ω is the set of infinite words such that the counter eventually reaches value n. The objectives can be combined: parity ∩ distance(n) ⊆ ({1, . . . , d} × { , i})ω is the Cartesian product of the parity and the distance objective (where a pair of infinite words is assimilated with the infinite word formed of the pairs of letters at same position). The following result, proven in [11], relates distance and fininc in the context of games. I Lemma 15. Let G be a finite game. There exists n ∈ N such that Eve wins for parity ∩ distance(n) iff Eve wins for parity ∩ fininc. 5.2.2 Cost automata We now define automata over (Σ, S)-trees. I Definition 16. A (non-deterministic) automaton is a tuple A = (Q, q0, δ, c) where Q is a finite set of states, q0 ∈ Q is an initial state, δ ⊆ Q × Σ × QS is a transition relation, and c : Q → Ω is a labelling function. When an automaton is equipped with an objective W ⊆ Ωω we speak of an W -automaton. To define the semantics of W -automata, we define acceptance games. Given an W -automaton A and a (Σ, S)-tree t = (τ, `), we define the acceptance W -game GA,t as follows. The set of vertices is (Q × τ ) ∪ (Q × τ × QS ). The vertices of the form Q × τ are controlled by Eve, the others by Adam. The initial vertex is (q0, r), where r is the root of t. The transition relation relates the vertex (q, u) to (q, u, h) if (q, `(u), h) ∈ δ, and (q, u, h) is related to (h(s), u · s) for every s ∈ S. The label of a vertex (q, u) is c(q), and the other vertices are not labelled. We say that t is accepted by A if Eve wins the acceptance W -game GA,t. An equivalent point of view is to say that t is accepted by A if there exists a (Q, S)-tree with same domain as t respecting the transition relation δ with respect to t, such that all branches satisfy W . We instantiate this definition for cost automata: the objective parity ∩ distance gives rise to the notion of distance-automata. A distance-automaton A computes the function JAKd over trees defined by JAKd(t) = inf {n ∈ N : t is accepted by A with objective parity ∩ distance(n)} , and it recognises the ≈-equivalence class of the function JAKd. Dually, the objective parity ∩ distance(n) gives rise to distance-automata. A distanceautomaton A computes the function JAKd over trees defined by JAKd(t) = sup n ∈ N : t is accepted by A with objective parity ∩ distance(n) and recognises the ≈-equivalence class of the function JAKd. If A recognises the ≈-equivalence class of the function f : E → (N ∪ {∞}) we abuse notation and say that A recognises the function f . To illustrate the definition of distance-automata, we now give an example that will be useful later on to capture the bounded path quantifier A≤N . I Lemma 17. Let p ∈ AP. There exists a distance-automaton recognising the function that counts the number of paths with infinitely many p’s. Proof. Let us say that a path is bad if it contains infinitely many p. The distance-automaton A has four states: q0, , whose intuitive semantics is “the tree contains one bad path”, q0,i, meaning “the tree contains at least two bad paths”, q1,p and q1,¬p, which mean “the tree does not contain any bad path”. All states are initial (note that this is an inconsequential abuse because we defined automata with a single initial state). We use the set of labels Ω = {2, 3} × { , i}. The transitions are as follows, where q0 = {q0, , q0,i} and q1 = {q1,p, q1,¬p}.  (q0, , a, h) if h contains at most one q0 δ =  (q0,i, a, h) if h contains at least two q0  (q1,¬p, a, h) if p ∈/ a and h contains only q1  (q1,p, a, h) if p ∈ a and h contains only q1 The labelling function is c(q0, ) = (2, ), c(q0,i) = (2, i), c(q1,¬p) = (2, ), and c(q1,p) = (3, ). We claim that the following two properties hold, which implies Lemma 17. if t contains n bad paths, then JAKd(t) ≤ n − 1, if JAKd(t) ≤ n, then t contains at most Card(S)n bad paths. Assume that t contains n bad paths, we construct a run for A (i.e., a labelling of t with states of A) as follows. A node u of the tree is labelled by: q0, if exactly one tu·s contains a bad path for some direction s ∈ S, q0,i if tu·s contain a bad path for at least two different directions s ∈ S, q1,¬p if tu does not contain a bad path and p ∈/ `(u), q1,p if tu does not contain a bad path and p ∈ `(u). This yields a valid run whose branches all satisfy the parity condition. Along a branch the counter is incremented each time there are at least two subtrees with a bad path, which can happen at most n − 1 times because there are n bad paths. Hence the maximal value of the counter on a branch is n − 1, implying that JAKd(t) ≤ n − 1. We show the second point by induction on n. If JAKd(t) = 0, then t contains at most one bad path. If JAKd(t) = n + 1, consider a (Q, S)-tree representing a run of value n + 1. Because JAKd(t) ≥ 1, there is at least one node labelled q0,i. By definition of the transition relation, if there are two nodes on the same level labelled q0,i, then they must descend from another node q0,i higher in the tree. Thus there is a unique node u labelled q0,i that is closest to the root (it may be the root itself). Except for u’s ancestors, which are labelled with q0, , all nodes outside of the subtree rooted in u are necessarily labelled with q1. The subtrees rooted in u’s children have a run with value at most n. By induction hypothesis each of these subtrees contains at most Card(S)n bad paths, so the tree rooted in u contains at most Card(S)n+1 bad paths. Since nodes labelled by q1 cannot contain a bad path, this means that t contains at most Card(S)n+1 bad paths. J The objective parity gives rise to parity automata. The following lemma follows from the observation that fininc is an ω-regular objective. I Lemma 18. For every automaton with objective parity ∩ fininc one can construct an equivalent parity automaton. 5.2.3 Regular cost functions over words The definitions of cost-automata can be applied to infinite words, which is the particular case where S is a singleton. A central notion in the theory of regular cost functions is that of history-deterministic automata over infinite words. Informally, a non-deterministic automaton is history-deterministic if its non-determinism can be resolved by a function considering only the input read so far. This notion has been introduced for studying ω-automata in [25]. We specialise it here to the case of cost functions, involving a relaxation on the values allowing for a good interplay with the definition of equivalence for cost functions. To give a formal definition we introduce the notation Aσ for A a W -automaton and a strategy σ : Σ∗ → δ, where δ is the transition relation of A: Aσ is a (potentially infinite) deterministic W -automaton (Q×Σ∗, (q0, ε), δσ, cσ) where ((q, w), a, (q0, wa)) ∈ δσ just if σ(w) = (q, a, q0), and cσ(q, w) = c(q). The automaton Aσ is infinite but deterministic, as for each situation the strategy σ chooses the transition to follow. I Definition 19 ([14, 17]). We say that a distance-automaton A over infinite words is history-deterministic if there exists a function α : N → N such that for every n there exists a strategy σ such that for all words w we have JAKd(w) ≤ n =⇒ JAσKd(w) ≤ α(n). We now explain the usefulness of the notion of history-deterministic automata. The situation is the following: we consider a language L over infinite words, and we want to construct an automaton for the language of trees “all branches are in L”. Given a deterministic automaton for L one can easily solve this problem by constructing an automaton running the deterministic automaton on all branches. In the quantitative setting we consider here, we have a function f : Σω → N ∪ {∞} instead of L, and we wish to construct an automaton computing the function over trees t 7→ sup {f (λ) : λ ∈ Branches(t)} . Unfortunately, distance-automata do not determinise, so the previous approach needs to be refined. The construction fails for non-deterministic automata, because two branches may have very different accepting runs even on their shared prefix. The notion of history-deterministic automata yields a solution to this problem, as stated in the following theorem. I Theorem 20 ([18]). Let A be a history-deterministic distance-automaton over infinite words. One can construct a distance-automaton recognising the function over trees t 7→ sup {JAKd(λ) : λ ∈ Branches(t)} We present an extension of this result where the function can remove a bounded number of paths in the computation. The proof is in Appendix A.3. I Theorem 21. Let A be a history-deterministic distance-automaton over infinite words. One can construct a distance-automaton recognising the function over trees t 7→ inf {max(Card(B), sup {JAKd(λ) : λ ∈/ B}) : B ⊆ Branches(t)} . The idea is to combine A with the automaton defined in the proof of Lemma 17. 5.2.4 Regular cost functions over trees We introduce the notion of nested automata, which is parameterised by an objective W ⊆ Ωω. Nested automata can be seen as a special form of alternating automata which will be convenient to work with in the technical developments. I Definition 22. A nested W -automaton with k slaves over (Σ, S)-trees is given by a master automaton A, which is a W -automaton over (2k, S)-trees, and k slave automata (Ai)i∈[k], which are W -automata over (Σ, S)-trees. The transition relation of the master is δ ⊆ Q × 2k × QS . We describe the modus operandi of a nested automaton informally. Let t be a tree and u a node in t, labelled with state q. To take the next transition the master automaton interrogates its slaves: the transition (q, v, h) ∈ δ is allowed if for all i ∈ v, the subtree tu is accepted by Ai. The formal semantics of nested W -automata can be found in Appendix A.4. The following theorem shows the equivalence between distance and distance-automata over trees. I Theorem 23 ([15]). Let f be a cost function over trees. The following statements are effectively equivalent: there exists a distance-automaton recognising f , there exists a nested distance-automaton recognising f , there exists a distance-automaton recognising f , there exists a nested distance-automaton recognising f . 5.3 Model checking Bound-QCTL* The model-checking problem for Bound-QCTL∗ is the following decision problem: given an instance (Φ, S) where Φ is a sentence of Bound-QCTL∗ and S is a Kripke structure, return ‘Yes’ if S |= Φ and ‘No’ otherwise. In this section we prove that this problem is decidable by reducing it to the emptiness problem of parity automata. We will use the following result about distance-automata over infinite words. I Theorem 24 ([27, 28]). For every Prompt-LTL formula ψ, we can construct a historydeterministic distance-automaton A such that JAKd ≈ JψKinf. I Theorem 25. Let Φ be a sentence of Bound-QCTL∗. We construct a non-deterministic parity automaton AΦ over (Σ, S)-trees such that for every Kripke structure S over the set of states S, we have S |= Φ if, and only if, AΦ accepts the unfolding tS . Proof. Let Φ be a sentence and S a finite set of states. For each subformula ϕ of Φ, we construct by induction on ϕ the following automata: 1. if ϕ is positive, a distance-automaton Aϕ such that JAϕKd ≈ JϕKinf, 2. if ϕ is negative, a distance-automaton Aϕ such that JAϕKd ≈ JϕKsup. We give the most interesting inductive cases, the remaining ones can be found in Appendix A.5. ϕ = Aψ : The idea is similar to the automata construction for branching-time logic [33]: intuitively, treat ψ as an LTL formula over maximal state subformulas, run a deterministic automaton for ψ on all branches of the tree, and launch automata for the maximal state subformulas of ψ when needed. In our case, we will construct a nested automaton to do this, and in place of a deterministic parity automaton for ψ we will use a history-deterministic distance-automaton. Finally, we will convert the nested distance-automaton into a distance-automaton. Suppose that ϕ is positive (the case that ϕ is negative is treated dually). Then also ψ is positive. We will construct a nested distance-automaton B such that JBKd ≈ JϕKinf. Let ϕ1, . . . , ϕk be the maximal state subformulas of the path formula ψ. We see these formulas as atomic propositions, so that the formula ψ can be seen as a Prompt-LTL formula on infinite words over the alphabet 2k. Apply Theorem 24 to ψ to get a historydeterministic distance-automaton Aψ over infinite words such that JAψKd ≈ JψKinf. Then, apply Theorem 20 to Aψ to get a distance-automaton A such that JAKd(t) = sup {JAψKd(λ) : λ ∈ Branches(t)}. The master of B is A. Since ψ is positive, the formulas ϕ1, . . . , ϕk are either positive or negative. By the induction hypothesis, for every i, if ϕi is positive we construct a distance-automaton Ai such that JAiKd ≈ JϕiKinf; and if ϕi is negative, we construct a distance-automaton A0i such that JA0iKd ≈ JϕiKsup. In the latter case, thanks to Theorem 23 we construct a distance-automaton Ai such that JAiKd ≈ JϕiKsup. The slaves of B are A1, . . . , Ak. This completes the construction of B, see Appendix A.5 for its correctness. ϕ = A≤Nψ : The construction is the same as for Aψ, except for the construction of the master A, in which we replace Theorem 20 by Theorem 21 to account for the possibility of removing a bounded number of paths. ϕ = ∃N ϕ0 : Note that ϕ cannot be negative. Since ϕ is positive, also ϕ0 is positive. By the induction hypothesis, there exists a distance-automaton Aϕ0 such that JAϕ0 Kd ≈ Jϕ0Kinf. Since ϕ is a positive sentence, we have JϕKinf(t) ∈ {0, ω} for every t. Now, JϕKinf(t) = 0 ⇐⇒ ∃n ∈ N, Jϕ0Kinf(t) ≤ n ⇐⇒ ∃n ∈ N, Eve wins GAϕ0 ,t for the objective parity ∩ distance(n) ⇐⇒ Eve wins GAϕ0 ,t for the objective parity ∩ fininc The third equivalence follows from Lemma 15. We can now apply Lemma 18 to the parity ∩ fininc-automaton Aϕ0 to get an equivalent parity automaton Aϕ. Then the last item is equivalent to Eve winning the parity game GAϕ,t, which is equivalent to JAϕKd(t) = 0 (since JAϕKd(t) ∈ {0, ω} because Aϕ has no counter). This completes the proof of the inductive hypothesis. Finally, since Φ is a sentence, AΦ is a parity automaton. Indeed, in the inductive steps, the boundedness operators introduces a counter (if there was not one already), the ∃N step removes the counter, and other operators applied to arguments that do not have a counter produce automata with no counters. J 5.4 Model checking Prompt-SL and BOSL The model-checking problem for Prompt-SL (resp. BOSL) is the following: given a game G and a sentence Φ of Prompt-SL (resp. BOSL), decide whether G |= Φ. As for ATL∗ with strategy context [35] and Strategy Logic with imperfect information [7], the model-checking problems for both Prompt-SL and BOSL (as well as their combination) can be easily reduced to that of Bound-QCTL∗ (see Appendix A.6). As a consequence of these reductions and of Theorem 25, we get: I Theorem 26. The model-checking problem is decidable for Prompt-SL and BOSL. The model-checking procedure is nonelementary, but because Prompt-SL and BOSL subsume SL we know from [36] that no elementary procedure exists. We leave precise complexity analysis for future work. 6 Conclusion We introduced two quantitative extensions of Branching-time Strategy Logic (BSL), i.e., Prompt-SL that extends BSL with F≤N that limits the range of the eventuality, and BOSL that extends BSL with A≤N that limits the range of the outcome quantifier. We proved that model checking both these logics is decidable. To the best of our knowledge these are the first quantitative extensions of SL with decidable model-checking problem. In order to prove our results we used notions from the theory of regular cost functions to develop new technical insights necessary to address Prompt-SL and BOSL. Moreover, as an intermediate formalism between cost automata and logics for strategic reasoning we introduced Bound-QCTL∗, a quantitative extension of QCTL∗, and proved its model checking decidable. Using this, it is easy to see that also the extension of BSL with ∃N and both F≤N and A≤N has a decidable model-checking problem. 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 Nathanaël Fijalkow and Martin Zimmermann. Parity and Streett games with costs. Logical Methods in Computer Science, 10(2), 2014. doi:10.2168/LMCS-10(2:14)2014. Tim French. Decidability of quantifed propositional branching time logics. In AJCAI’01, pages 165–176, 2001. doi:10.1007/3-540-45656-2_15. Patrick Gardy. Semantics of Strategy Logic. Thèse de doctorat, Laboratoire Spécification et Vérification, ENS Cachan, France, 2017. URL: https://tel.archives-ouvertes.fr/ tel-01561802. Thomas A. Henzinger and Nir Piterman. Solving games without determinization. In CSL, pages 395–410, 2006. Sophia Knight and Bastien Maubert. Dealing with imperfect information in strategy logic. In SR, 2015. Denis Kuperberg. Linear temporal logic for regular cost functions. Logical Methods in Computer Science, 10(1), 2014. Denis Kuperberg and Michael Vanden Boom. On the expressive power of cost logics over infinite words. In ICALP, pages 287–298, 2012. Orna Kupferman. Augmenting branching temporal logics with existential quantification over atomic propositions. JLC, 9(2):135–147, 1999. doi:10.1093/logcom/9.2.135. Orna Kupferman, P. Madhusudan, P. S. Thiagarajan, and Moshe Y. Vardi. Open systems in reactive environments: Control and synthesis. In CONCUR, LNCS 1877, pages 92–107. Springer, 2000. A Appendix A.1 BOSL semantics I Definition 4. The semantics is defined inductively as follows, where ϕ (resp. ψ) is a cost-SL state (resp. path) formula, G is a game, χ is an assignment variable-complete for ϕ (resp. ψ), ρ is a finite play, π an infinite one, i ∈ N is a point in time and n ∈ N is a bound. G,χ,ρ,n |= p if p ∈ `(last(ρ)) G,χ,ρ,n |= ¬ϕ if G,χ,ρ,n 6|= ϕ G,χ,ρ,n |= ϕ ∨ ϕ0 if G,χ,ρ,n |= ϕ or G,χ,ρ,n |= ϕ0 G,χ,ρ,n |= ∃sϕ if there exists σ ∈ Strat s.t. G,χ[s 7→ σ],ρ,n |= ϕ G,χ,ρ,n |= (a,s)ϕ if G,χ[a 7→ χ(s)],ρ,n |= ϕ G,χ,ρ,n |= (a,?)ϕ if G,χ[a 7→?],ρ,n |= ϕ G,χ,ρ,n |= Aψ if for all π ∈ Out(χ,ρ), G,χ,π,|ρ| − 1,n |= ϕ G,χ,ρ,n |= A≤Nψ if |{π ∈ Out(ρ,χ) | G,χ,π,|ρ| − 1,n 6|= ψ}| ≤ n G,χ,ρ,n |= ∃Nϕ if there exists n0 ∈ N such that G,χ,ρ,n0 |= ϕ G,χ,π,i,n |= ϕ if G,χ,π≤i,n |= ϕ G,χ,π,i,n |= ¬ψ if G,χ,π,i,n 6|= ψ G,χ,π,i,n |= ψ ∨ ψ0 if G,χ,π,i,n |= ψ or G,χ,π,i,n |= ψ0 G,χ,π,i,n |= Xψ if G,χ,π,i + 1,n |= ψ G,χ,π,i,n |= ψUψ0 if ∃j ≥ i s.t. G,χ,π,j,n |= ψ0 and ∀k s.t. i ≤ k < j, G,χ,π,k,n |= ψ A.2 Bound-QCTL* semantics Given two trees t,t0 and an atomic proposition p, we write t ≡p t0 if they have the same domain τ and for all p0 in AP such that p0 6= p, for all u in τ, we have p0 ∈ `(u) iff p0 ∈ `0(u); I Definition 7. The semantics t,u,n |= ϕ and t,λ,n |= ψ are defined inductively, where ϕ is a Bound-QCTL∗ state formula, ψ is a Bound-QCTL∗ path formula, t = (τ,`) is a tree, u is a node, λ is a branch in t, and n in N a bound: t,u,n |= p if p ∈ `(u) t,u,n |= ¬ϕ if t,u,n 6|= ϕ t,u,n |= ϕ ∨ ϕ0 if t,u,n |= ϕ or t,u,n |= ϕ0 t,u,n |= Aψ if ∀λ ∈ Branches(t,u) we have t,λ,n |= ψ t,u,n |= A≤Nψ if Card({λ ∈ Branches(t,u) : t,λ,n 6|= ψ}) ≤ n t,u,n |= ∃pϕ if ∃t0 ≡p t such that t0,u,n |= ϕ t,u,n |= ∃Nϕ if ∃n0 ∈ N such that t,u,n0 |= ϕ, t,λ,n |= ϕ if t,λ0,n |= ϕ t,λ,n |= ¬ψ if t,λ,n 6|= ψ t,λ,n |= ψ ∨ ψ0 if t,λ,n |= ψ or t,λ,n |= ψ0 t,λ,n |= Xψ if t,λ≥1,n |= ψ t,λ,n |= ψUψ0 if ∃j ≥ 0 such that t,λ≥j,n |= ψ0 and ∀k such that 0 ≤ k < j, t,λ≥k,n |= ψ t,λ,n |= F≤Nψ if ∃j such that 0 ≤ j ≤ n and t,λ≥j,n |= ψ Proof of Theorem 21 I Theorem 21. Let A be a history-deterministic distance-automaton over infinite words. One can construct a distance-automaton recognising the function over trees f : t 7→ inf {max(n, sup {JAKd(λ) : λ ∈/ B}) : n ∈ N, B ⊆ Branches(t), Card(B) ≤ n} . To prove Theorem 21 we combine A with the automaton defined in the proof of Lemma 17. Proof. We write A = (Q, q0, δ, c) for the history-deterministic distance-automaton over infinite words, and let us say that the set of labels is {1, . . . , d} × { , i} with d even. We construct a distance-automaton B for f as follows. The set of states is Q × {p0, , p0,i, p1}, where the semantics of p0, and p0,i is “some path will be skipped” and p1 means “no path will be skipped”. The initial state is (q0, p0, ). The first component simulates the automaton A on all branches, while the second acts as follows, with p0 = {p0, , p0,i}.  (p0, , a, h) if h contains at most one p0 δ =  (p0,i, a, h) if h contains at least two p0  (p1, a, h) if h contains only p1 The labelling function c0 is c0(q, p0, ) c0(q, p0,i) c0(q, p1) = = = (d, a) (d, i) c(q) where c(q) = (o, a) where c(q) = (o, a) The proof of correctness is the same as for Lemma 17, substantiating the following claims: if f (t) ≤ n, then JBKd(t) ≤ n, if JBKd(t) ≤ n, then f (t) ≤ Card(S)n. J A.4 Semantics of nested W -automata I Definition 22. A nested W -automaton with k slaves over (Σ, S)-trees is given by a master automaton A, which is a W -automaton over (2k, S)-trees, and k slave automata (Ai)i∈[k], which are W -automata over (Σ, S)-trees. The transition relation of the master is δ ⊆ Q × 2k × QS . We describe the modus operandi of a nested automaton informally. Let t be a tree and u a node in t, labelled with state q. To take the next transition the master automaton interrogates its slaves: the transition (q, v, h) ∈ δ is allowed if for all i ∈ v, the subtree tu is accepted by Ai. To define the semantics of nested W -automata, we define the corresponding acceptance games. Given a nested W -automaton B = (A, (Ai)i∈[k]) and a tree t, we define the acceptance W -game GB,t as follows. Let A = (Q, q0, δ, c). The set of vertices is (Q × t) ∪ (Q × t × QS ). The vertices of the form (q, u) are controlled by Eve, those of the form (q, u, h) by Adam. The initial vertex is (q0, r), where r is the root of t. The transition relation E is defined as follows ((q, u) E (q, u, h) (q, u, h) E (h(s), u · s). if (q, `(u), h) ∈ δ and ∀i ∈ v, tu is accepted by Ai, . The labelling function maps (q, u) to c(q), the other vertices are not labelled. We say that t is accepted by B if Eve wins the acceptance W -game GB,t. Proof of Theorem 25 I Theorem 25. Let Φ be a sentence of Bound-QCTL∗. We construct a non-deterministic parity automaton AΦ over (Σ, S)-trees such that for every Kripke structure S over the set of states S, we have S |= Φ if, and only if, AΦ accepts the unfolding tS . Proof. Let Φ be a sentence and S a finite set of states. Throughout this proof, by trees we mean regular trees, so in particular ≈ is understood over such trees. For each subformula ϕ of Φ, we construct by induction on ϕ the following automata: 1. if ϕ is positive, a distance-automaton Aϕ such that JAϕKd ≈ JϕKinf, 2. if ϕ is negative, a distance-automaton Aϕ such that JAϕKd ≈ JϕKsup. Here are the constructions or proofs of correctness not present in the body of the paper. ϕ = p : The formula ϕ is both positive and negative. Seeing it a positive formula, we define a distance-automaton Ap with one state q0 and transition function defined as follows: δ(q0, a) = ( > if p ∈ a ⊥ otherwise. Seeing ϕ as a negative formula, we define a distance-automaton Ap in exactly the same way. ϕ = ¬ϕ0 : If ϕ is negative, then ϕ0 is positive. By definition, JϕKsup(t) = sup {n ∈ N : t, r, n |= ϕ} = inf {n ∈ N : t, r, n |= ϕ0} − 1 = Jϕ0Kinf(t) − 1. In particular, JϕKsup ≈ Jϕ0Kinf. By induction hypothesis, there exists a distanceautomaton Aϕ0 such that JAϕ0 Kd ≈ Jϕ0Kinf. Thanks to Theorem 23, there exists a distance-automaton Aϕ such that JAϕKd ≈ JAϕ0 Kd. It follows that JAϕKd ≈ JϕKsup. If ϕ is positive, then ϕ0 is negative, and a similar reasoning applies, using Theorem 23 to turn a distance-automaton into an equivalent distance-automaton. ϕ = ϕ1 ∨ ϕ2 : If ϕ is positive, then both ϕ1 and ϕ2 are positive. By induction hypothesis, there exist two distance-automata Aϕ1 and Aϕ2 such that JAϕ1 Kd ≈ Jϕ1Kinf and JAϕ2 Kd ≈ Jϕ2Kinf. We construct Aϕ by taking the disjoint union of Aϕ1 and Aϕ2 and adding a new initial state that nondeterministically chooses which of Aϕ1 or Aϕ2 to execute on the input tree, so that JAϕKd = min {JAϕ1 Kd, JAϕ2 Kd} ≈ min {Jϕ1Kinf, Jϕ2Kinf} = JϕKinf. If ϕ is negative, both ϕ1 and ϕ2 are negative. The same construction yields an automaton Aϕ such that JAϕKd = max JAϕ1 Kd, JAϕ2 Kd ≈ max {Jϕ1Ksup, Jϕ2Ksup} = JϕKsup. ϕ = Aψ : The idea is similar to the automata construction for branching-time logic [33]: intuitively, treat ψ as an LTL formula over maximal state subformulas, run a deterministic automaton for ψ on all branches of the tree, and launch automata for the maximal state subformulas of ψ when needed. In our case, we will construct a nested automaton to do this, and in place of a deterministic parity automaton for ψ we will use a history-deterministic distance-automaton. Finally, we will convert the nested distance-automaton into a distance-automaton. So, suppose that ϕ is positive (the case that ϕ is negative is treated dually). Then also ψ is positive. We will construct a nested distance-automaton B such that JBKd ≈ JϕKinf. Let ϕ1, . . . , ϕk be the maximal state subformulas of the path formula ψ. We see these formulas as atomic propositions, so that the formula ψ can be seen as a Prompt-LTL formula on infinite words over the alphabet 2k. Apply Theorem 24 to ψ to get a historydeterministic distance-automaton Aψ over infinite words such that JAψKd ≈ JψKinf. Then, apply Theorem 20 to Aψ to get a distance-automaton A such that JAKd(t) = sup {JAψKd(λ) : λ ∈ Branches(t)}. The master of B is A. Since ψ is positive, the formulas ϕ1, . . . , ϕk are either positive or negative. By the induction hypothesis, for every i, if ϕi is positive we construct a distance-automaton Ai such that JAiKd ≈ JϕiKinf; and if ϕi is negative, we construct a distance-automaton A0i such that JA0iKd ≈ JϕiKsup. In the latter case, thanks to Theorem 23 we construct a distance-automaton Ai such that JAiKd ≈ JϕiKsup. The slaves of B are A1, . . . , Ak. This completes the construction of B. We now prove that JBKd ≈ JϕKinf. For the sake of simplicity, we assume that JAψKd = JψKd and JAiKd = JϕiK for every i, i.e. we replace ≈ by equality. This simplification does not affect the arguments and makes the proof easier to read. We prove that JϕKinf ≤ JBKd. It is sufficient to show that JBKd(t) ≤ n implies JϕKinf(t) ≤ n. A run of B on t witnessing that JBKd(t) ≤ n yields for each branch λ a run of Aψ such that JAψKd(λ) ≤ n. The slave automata diligently check that the atomic propositions ϕ1, . . . , ϕk have been correctly used, so indeed t, λ, n |= ψ, thus JϕKinf(t) ≤ n. We prove that JBKd ≤ JϕKinf. It is sufficient to show that JϕKinf(t) ≤ n implies JBKd(t) ≤ n. By the semantics of ϕ for all branches λ of t we have t, λ, n |= ψ. This yields a run of B on t witnessing that JBKd(t) ≤ n. Finally, applying Theorem 23 to the nested distance-automaton B we get a distanceautomaton Aϕ such that JAϕKd ≈ JBKd. ϕ = ∃p ϕ0 : If ϕ is positive, then ϕ0 is positive. In this case unravelling the definitions we have JϕKinf(t) = inf {Jϕ0Kinf(t0) : t0 ≡p t} . By the induction hypothesis, there exists a distance-automaton Aϕ0 such that JAϕ0 Kd ≈ Jϕ0Kinf. We obtain a distance-automaton Aϕ by performing the usual projection operation. Everything remains the same, but the transition relation: (q, a, h) is in the new transition relation if there exists a0 such that a0 ≡p a and (q, a0, h) is in δ, where a0 ≡p a if for all p0 in AP such that p0 6= p, we have p0 ∈ a0 if, and only if, p ∈ a. If ϕ is negative, then ϕ0 is negative. The same reasoning and construction applies in this case, with JϕKsup(t) = sup {Jϕ0Ksup(t0) : t0 ≡p t} . This completes the proof of the inductive hypothesis. Finally, since Φ is a sentence, AΦ is a parity automaton. Indeed, in the inductive steps, the boundedness operators introduces a counter (if there was not one already), the ∃N step removes the counter, and every other operator applied to arguments that do not have a counter produces an automaton with no counters. J A.6 Reductions for Prompt-SL and BOSL Models transformation. We first define for every game G a Kripke structure SG and a bijection ρ 7→ uρ between the set of finite plays starting in the initial vertex and the set of nodes in tSG . We consider propositions APv = {pv | v ∈ V }, that we assume to be disjoint from AP. Define the Kripke structure SG = (S, R, s0, `0) where S = {sv | v ∈ V }, R = {(sv, sv0 ) | ∃c ∈ ActAg s.t. Δ(v, c) = v0} ⊆ S2, s0 = sv0 , and `0(sv) = `(v) ∪ {pv} ⊆ AP ∪ APv. For every finite play ρ = v0 . . . vk, define the node uρ = sv0 . . . svk in tSG (which exists, by definition of SG and of tree unfoldings). Note that the mapping ρ 7→ uρ defines a bijection between the set of paths from v0 and the set of nodes in tSG . Formulas translation. Given a game G and a formula ϕ of Prompt-SL or BOSL, we define a Bound-QCTL∗ formula (ϕ) such that G |= ϕ if and only if SG |= (ϕ) . More precisely, this translation is parameterised with a partial function f : Ag * Var which records bindings of agents to strategy variables. Suppose that Act = {c1, . . . , cl}. We define the two functions (·)sf and (·)pf by mutual induction on, respectively, state formulas ϕ and path formulas ψ. Here is the definition of (·)sf for state formulas: (p)sf = p (ϕ1 ∨ ϕ2)sf = (ϕ1)sf ∨ (ϕ2)sf ((a, s)ϕ)sf = (ϕ)sf[a7→s] where ψout(f ) = G ^ v∈V and for path formulas: (ϕ)pf = (ϕ)sf (ϕ1 ∨ ϕ2)pf = (ϕ1)pf ∨ (ϕ2)pf (ψUψ0)pf = (ψ)pf U(ψ0)pf (¬ϕ)sf = ¬(ϕ)sf (∃sϕ)sf = ∃pcs1 . . . ∃pcsl .ϕstr(s) ∧ (ϕ)sf , (Aψ)sf = A(ψout(f ) → (ψ)pf )  c∈ActAg a∈dom(f) One can prove the following lemma, where ϕ is either a Prompt-SL or a BOSL formula. The translation is essentially the same as in [35] and [7], and the cases for the new operators should be clear from their semantics. I Lemma 26. Suppose that dom(f ) = dom(χ) ∩ Ag and for all a ∈ dom(f ), f (a) = x implies χ(a) = χ(x). Then G, χ, ρ, n |= ϕ if and only if tSG , uρ, n |= (ϕ) f . Applying this to a sentence Φ, any assignment χ, the initial vertex v0 of G, any bound n and the empty function ∅, we get that G |= ϕ if and only if tSG |= (ϕ) ∅. Shaull Almagor , Yoram Hirshfeld, and Orna Kupferman . Promptness in ω-regular automata . In ATVA, LNCS 6252 , pages 22 - 36 . Springer, 2010 . Rajeev Alur , Kousha Etessami, Salvatore La Torre, and Doron Peled . Parametric temporal logic for “model measuring” . ACM Transactions on Computational Logic , 2 ( 3 ): 388 - 407 , 2001 . Journal of the ACM , 49 ( 5 ): 672 - 713 , 2002 . doi: 10 .1145/585265.585270. Benjamin Aminof , Aniello Murano, Sasha Rubin , and Florian Zuleger . Prompt alternatingtime epistemic logics . In KR , pages 258 - 267 . AAAI Press, 2016 . URL: http://www.aaai. org/ocs/index.php/KR/KR16/paper/view/12890. In POPL , pages 164 - 176 , 1981 . doi: 10 .1145/567532.567551. Raphaël Berthon , Bastien Maubert, and Aniello Murano . Decidability results for ATL* with imperfect information and perfect recall . In AAMAS , 2017 . Strategy logic with imperfect information . In LICS , 2017 . Alessandro Bianco , Fabio Mogavero, and Aniello Murano . Graded computation tree logic . ACM Transactions on Computational Logic , 13 ( 3 ): 25 : 1 - 25 : 53 , 2012 . doi: 10 .1145/ 2287718.2287725. Patricia Bouyer , Patrick Gardy, and Nicolas Markey . Weighted strategy logic with boolean goals over one-counter games . In FSTTCS 2015 , pages 69 - 83 , 2015 . doi: 10 .4230/LIPIcs. FSTTCS. 2015 . 69 . Arnaud Carayol and Olivier Serre . How good is a strategy in a game with nature? In LICS , pages 609 - 620 . IEEE Computer Society, 2015 . Krishnendu Chatterjee and Nathanaël Fijalkow . Infinite-state games with finitary conditions . In CSL , pages 181 - 196 , 2013 . doi: 10 .4230/LIPIcs.CSL. 2013 . 181 . Krishnendu Chatterjee , Thomas A Henzinger, and Florian Horn . Finitary winning in ω- regular games . ACM Transactions on Computational Logic , 11 ( 1 ): 1 , 2009 . Krishnendu Chatterjee , Thomas A. Henzinger , and Nir Piterman . Strategy Logic. Information and Computation , 208 ( 6 ): 677 - 693 , 2010 . doi: 10 .1016/j.ic. 2009 . 07 .004. Thomas Colcombet . The theory of stabilisation monoids and regular cost functions . In ICALP , 2009 . Thomas Colcombet . Fonctions régulières de coût. Habilitation Thesis , 2013 . Thomas Colcombet . Regular cost functions, part I: logic and algebra over words . Logical Methods in Computer Science , 9 ( 3 ), 2013 . Thomas Colcombet and Nathanaël Fijalkow . The bridge between regular cost functions and ω-regular languages . In ICALP , pages 126 : 1 - 126 : 13 , 2016 . doi: 10 .4230/LIPIcs.ICALP. Thomas Colcombet and Christof Löding . Regular cost functions over finite trees . In LICS , pages 70 - 79 , 2010 . doi: 10 .1109/LICS. 2010 . 36 . E. Allen Emerson and Joseph Y. Halpern . “Sometimes” and “Not Never” revisited: On branching versus linear time . In POPL , pages 127 - 140 , 1983 . doi: 10 .1145/567067. Nathanaël Fijalkow , Florian Horn, Denis Kuperberg, and Michał Skrzypczak . Trading bounds for memory in games with counters . In ICALP , pages 197 - 208 , 2015 . doi:10. Nathanaël Fijalkow and Martin Zimmermann . Cost-Parity and Cost-Street Games . In FSTTCS, volume LIPIcs 18 , pages 124 - 135 , 2012 . Orna Kupferman , Giuseppe Perelli, and Moshe Y. Vardi . Synthesis with rational environments . Annals of Mathematics and Artificial Intelligence , 78 ( 1 ): 3 - 20 , 2016 . doi: 10 .1007/s10472-016-9508-8. Orna Kupferman , Nir Piterman, and Moshe Y Vardi. From liveness to promptness . Formal Methods in System Design , 34 ( 2 ): 83 - 103 , 2009 . Orna Kupferman , Moshe Y. Vardi, and Pierre Wolper . An automata-theoretic approach to branching-time model checking . Journal of the ACM , 47 ( 2 ): 312 - 360 , 2000 . doi: 10 .1145/ 333979.333987. LMCS , 10 ( 4 ), 2014 . doi: 10 .2168/LMCS- 10 ( 4 :17) 2014 . François Laroussinie and Nicolas Markey . Augmenting ATL with strategy contexts . Information and Computation , 245 : 98 - 123 , 2015 . Fabio Mogavero , Aniello Murano, Giuseppe Perelli, and Moshe Y. Vardi . Reasoning about strategies: On the model-checking problem . ACM Transactions on Computational Logic , 15 ( 4 ): 34 : 1 - 34 : 47 , 2014 . doi: 10 .1145/2631917. Fundamenta Informaticae , 139 ( 3 ): 277 - 305 , 2015 . Amir Pnueli . The temporal logic of programs . In FOCS , pages 46 - 57 , 1977 . doi: 10 .1109/ SFCS. 1977 . 32 . Amir Pnueli and Roni Rosner . On the synthesis of a reactive module . In POPL , pages 179 - 190 , 1989 . PhD thesis , Harvard University, Cambridge, MA, USA, 1983 . Martin Zimmermann . Optimal bounds in parametric LTL games . Theoretical Computer Science , 493 : 30 - 45 , 2013 . doi: 10 .1016/j.tcs. 2012 . 07 .039.


This is a preview of a remote PDF: http://drops.dagstuhl.de/opus/volltexte/2018/9690/pdf/LIPIcs-CSL-2018-23.pdf

Nathana\"el Fijalkow, Bastien Maubert, Aniello Murano, Sasha Rubin. Quantifying Bounds in Strategy Logic, LIPICS - Leibniz International Proceedings in Informatics, 2018, 23:1-23:23, DOI: 10.4230/LIPIcs.CSL.2018.23