Quantifying Bounds in Strategy Logic
C S L
Quantifying Bounds in Strategy Logic
Sasha Rubin 0 2 4 5
0 Aniello Murano University of Naples “Federico II” , Naples , Italy
1 University of Naples “Federico II” , Naples, Italy https://orcid.org/0000000290812920
2 Bastien Maubert
3 CNRS, LaBRI, Bordeaux, France Alan Turing Institute of data science , London , United Kingdom https ://orcid. org/0000000265764680
4 Nathanaël Fijalkow
5 University of Naples “Federico II” , Naples , Italy
Program synthesis constructs programs from specifications in an automated way. Strategy Logic (SL) is a powerful and versatile specification language whose goal is to give theoretical foundations for program synthesis in a multiagent setting. One limitation of Strategy Logic is that it is purely qualitative. For instance it cannot specify quantitative properties of executions such as “every request is quickly granted”, or quantitative properties of trees such as “most executions of the system terminate”. In this work, we extend Strategy Logic to include quantitative aspects in a way that can express bounds on “how quickly” and “how many”. We define Prompt Strategy Logic, which encompasses Prompt LTL (itself an extension of LTL with a prompt eventuality temporal operator), and we define BoundedOutcome Strategy Logic which has a bounded quantifier on paths. We supply a general technique, based on the study of automata with counters, that solves the modelchecking problems for both these logics. 2012 ACM Subject Classification Theory of computation → Logic and verification
and phrases Prompt LTL; Strategy Logic; Model checking; Automata with counters

In order to reason about strategic aspects in distributed systems, temporal logics of programs
(such as LTL [38], CTL [5] and CTL∗ [19]) have been extended with operators expressing the
existence of strategies for coalitions of components. Among the most successful proposals are
Alternatingtime Temporal Logic (ATL) [3] and, more recently, the more expressive Strategy
Logic (SL) [13, 36]. Both logics can express the existence of strategies for coalitions that
1 This project has received funding from the Alan Turing Institute under EPSRC grant EP/N510129/1
and the DeLTA project (ANR16CE400007).
2 This project has received funding from the European Union’s Horizon 2020 research and innovation
programme under the Marie SklodowskaCurie grant agreement No 709188.
ensure some temporal properties against all possible behaviours of the remaining components.
Moreover, if such strategies exist, one can also obtain witnessing finitestate strategies. As a
result, synthesizing reactive systems from temporal specifications [39, 30, 31] can be reduced
to model checking such strategic logics.
Although quite expressive, for instance Strategy Logic can express important
gametheoretic concepts such as the existence of Nash equilibria, such logics can only express
qualitative properties. On the other hand important properties of distributed systems, such
as bounding the maximal number of steps between an event and its reaction, are quantitative.
Parametric extensions of temporal logics have been introduced to capture such properties.
A simple way to extend temporal operators is to annotate them with constant bounds,
e.g., F≤kϕ says that ϕ holds within k steps where k ∈ N is a constant. However, one may
not know such bounds or care for their exact value when writing the specification (or it may
not be practical to compute the bound). Instead, one may replace the constants by variables
N and ask about the possible valuations of the variables that make the formula true. For
instance, PromptLTL [2, 32] is an extension of LTL with the operator F≤N where N is a
(unique) variable. The modelchecking problem asks if there exists a valuation of the variable
N such that the formula holds. In order to reason about and synthesize strategies that ensure
such parametric properties, we introduce “Prompt Strategy Logic”, an extension of SL with
the F≤N operator. For instance, the formula ∃s1(a1, s1)∀s2(a2, s2)∃N AGF≤N p expresses
that there exists a strategy for agent a1 such that for all strategies of agent a2 there is a
bound N (that can depend on the strategy for a2) such that in all outcomes (generated by
the remaining agents) the atom p holds at least once every N steps.
Another way to parameterise temporal logics is to bound the path quantifiers, expressing,
for instance, that at least k different paths satisfy ψ, or all but k paths satisfy ψ [8]. Such
operators can bound, for instance, how well a lineartime temporal property holds, thus giving
a measure of “coverage”. We introduce “BoundingOutcome Strategy Logic” which extends
Strategy Logic with a bounded outcome quantifier A≤N which allows one to express that
all but N outcomes satisfy some property. For instance, the formula ∃s(a, s)∃N A≤N GFp
expresses that there exists a strategy for agent a such that for all but finitely many outcomes,
the atom p holds infinitely often. The algorithmic contribution of this paper is a solution
to the modelchecking problem for both these logics (and their combination). We do this
by applying the theory of regular cost functions. A cost function is an equivalence class of
mappings from the domain (e.g., infinite words) to N ∪ {∞} with an equivalence relation
that, intuitively speaking, forgets the precise values and focuses on boundedness [14, 16].
Our results allow us to solve a problem left open in [
10
] that considers games with two
players and a third player called “nature” (indicating that it is uncontrollable), and asks
whether there is a strategy for player 1 (having very general lineartime objectives) such
that for all strategies of player 2, in the resulting tree (i.e., where nature’s strategy is not
fixed), the number of plays in which player 1 does not achieve her objective is “small”. In
particular, in case the lineartime objective is the LTL formula ψ and “small” is instantiated
to mean “finite”, our main result allows one to solve this problem by reducing to model
checking Boundingoutcome Strategy Logic formula ∃s1(a1, s1)∀s2(a2, s2)∃N A≤N ¬ψ. In
fact our automata construction can be adapted to deal with all omegaregular objectives.
Related work. ParametricLTL [2] extends LTL with operators of the form F≤x and G≤x,
where x is a variable. The interpretation of F≤xψ is that ψ holds within x steps, and the
interpretation of G≤x is that ψ holds for at least the next x steps. That paper studies
variations on the classic decision problems, e.g., model checking asks to decide if there is a
valuation of the variables x1, · · · , xk such that the formula ϕ(x1, · · · , xk) holds in the given
structure. Note that for this problem, the formula is equivalent to one in which all variables
are replaced by a single variable. The complexity of these problems is no worse than for
ordinary LTL, i.e., PSPACE. The technique used in this paper to prove these upperbounds
is a pumping lemma that allows one to reduce/enlarge the parameters.
ParametricLTL has been studied in the context of open systems and games. For
instance, [41] studies the problem of synthesizing a strategy for an agent with a parametricLTL
objective in a turnbased graphgame against an adversarial environment. A number of
variations are studied, e.g., decide whether there exists a valuation (resp. for all valuations) of
the variables such that there exists a strategy for the agent that enforces the given
parametricLTL formula. The complexity of these problems is, again, no worse than that of solving
ordinary LTL games, i.e., 2EXPTIME. The technique used to prove these upper bounds is
the alternatingcolour technique of [32] that allows one to replace a prompt formula by an
LTL formula, and was originally introduced to reason about PromptLTL, the fragment of
parametricLTL without G≤x. We remark that Church’s synthesis for PromptLTL formulas
was shown in [32] to have complexity no worse than that of LTL, i.e., 2EXPTIME.
Promptness was first studied in the context of multiagent systems in [4]. They study
the modelchecking problem for the logic PromptATL∗ and its fragments, for memoryless
and memoryful strategies. Again, one finds that the complexity of model checking prompt
variations is no worse than the nonprompt ones. That paper also studies the case of systems
with imperfect information. We remark that the formula of Prompt Strategy Logic mentioned
above is not a formula of PromptATL∗ because the bound N can depend on the strategy
of agent a2, which is not possible in PromptATL∗.
Promptness has also been studied in relation with classic infinitary winning conditions
in games on graphs. In bounded parity games, the even colors represent requests and odd
colors represent grants, and the objective of the player is to ensure that every request is
promptly followed by a larger grant [12, 37]. We discuss this in Example 6. Such winning
conditions have been generalised to games with costs in [21, 22], leading to the construction
of efficient algorithms for synthesizing controllers with prompt specifications.
Promptness in automata can be studied using various notions of automata with counters
that only affect the acceptance condition. For instance, a run in a prompt Büchiautomaton
is successful if there is a bound on the time between visits to the Büchi set. The expressive
power, the cost of translating between such automata, and complexity of decision problems
(such as containment) have been studied in [1, 12].
The theory of regular cost functions [14, 16] defines automata and logics able to express
boundedness properties in various settings. For instance, the logics PromptLTL, PLTL and
kTL are in some precise sense subsumed by the LTL≤ logic from [27], which extends LTL with
a bounded until ϕU≤N ϕ0 allowing ϕ not to hold in at most N (possibly nonconsecutive)
places before ϕ0 holds. A decision procedure for this logic has been given through the
compilation into cost automata on words. In this paper, we rely on several results from
the theory of regular cost functions, and develop some new ones for the study of Prompt
Strategy Logic and Boundingoutcome Strategy Logic. A major open problem in the theory
of regular cost functions over infinite trees is the equivalence between general cost automata.
To handle the bounded until operator in branchingtime logics one would need to first prove
this equivalence, which has been proved to be beyond our reach today [20]. In this work we
rely on a weaker version of this equivalence for distance automata.
To the best of our knowledge, the only previous works on quantitative extensions of
Strategy Logic consider games with counters and allow for the expression of constraints on
their values in formulas. The modelchecking problem for these logics is undecidable, even
when restricted to the case of energy constraints, which can only state that the counters
remain above certain thresholds [24]. For the Boolean Goal fragment of Strategy Logic in
the case of one counter, the problem is still open [9, 24]. The present work thus provides the
first decidable quantitative extension of Strategy Logic.
Plan. In Section 2 we recall Branchingtime Strategy Logic. We introduce and motivate our
two quantitative extensions, PromptSL and BOSL, in Section 3 and Section 4 respectively.
In Section 5 we solve their modelchecking problem by introducing the intermediary logic
BoundQCTL∗ and developing an automata construction based on automata with counters.
2
Branchingtime Strategy Logic
In this section we recall Branchingtime Strategy Logic [26], a variant of Strategy Logic [36].
For the rest of the paper we fix a number of parameters: AP is a finite set of atomic
propositions, Ag is a finite set of agents or players, Act is a finite set of actions, and Var is a
finite set of strategy variables. The alphabet is Σ = 2AP.
Notations. A finite (resp. infinite) word over Σ is an element of Σ∗ (resp. Σω). The length
of a finite word w = w0w1 . . . wn is w = n + 1, and last(w) = wn is its last letter. Given a
finite (resp. infinite) word w and 0 ≤ i < w (resp. i ∈ N), we let wi be the letter at position
i in w, w≤i is the prefix of w that ends at position i and w≥i is the suffix of w that starts at
position i. We write w 4 w0 if w is a prefix of w0. The cardinal of a set S is written Card(S).
2.1
Games
We start with classic notions related to concurrent games on graphs.
I Definition 1 (Game). A concurrent game structure (or game for short) is a structure
G = (V, v0, Δ, `) where V is the set of vertices, v0 ∈ V is the initial vertex, Δ : V ×ActAg → V
is the transition function, and ` : V → Σ is the labelling function.
Joint actions. In a vertex v ∈ V , each player a ∈ Ag chooses an action c(a) ∈ Act, and the
game proceeds to the vertex Δ(v, c), where c ∈ ActAg stands for the joint action (c(a))a∈Ag.
Given a joint action c = (c(a))a∈Ag and a ∈ Ag, we let c(a) denote c(a).
Plays and strategies. A finite (resp. infinite) play is a finite (resp. infinite) word ρ =
v0 . . . vn (resp. π = v0v1 . . .) such that for every i such that 0 ≤ i < ρ − 1 (resp. i ≥ 0),
there exists a joint action c such that Δ(vi, c) = vi+1. A strategy is a partial function
σ : V + * Act mapping each finite play to an action, and Strat is the set of all strategies.
Assignments. An assignment is a partial function χ : Ag ∪ Var * Strat, assigning to each
player and variable in its domain a strategy. For an assignment χ, a player a and a strategy
σ, χ[a 7→ σ] is the assignment of domain dom(χ) ∪ {a} that maps a to σ and is equal to χ on
the rest of its domain, and χ[s 7→ σ] is defined similarly, where s is a variable; also, χ[a 7→?]
is the assignment of domain dom(χ) \ {a}, on which it is equal to χ.
Outcomes. For assignment χ and finite play ρ, Out(χ, ρ) is the set of infinite plays that
start with ρ and are then extended by letting players follow the strategies assigned by χ.
Formally, Out(χ, ρ) is the set of plays ρ · v1v2 . . . such that for all i ≥ 0, there exists c such
that for all a ∈ dom(χ) ∩ Ag, ca ∈ χ(a)(ρ · v1 . . . vi) and vi+1 = Δ(vi, c), with v0 = last(ρ).
2.2
BSL syntax
The core of Branchingtime Strategy Logic, on which we build Prompt Strategy Logic and
Boundingoutcome Strategy Logic, is the full branchingtime temporal logic CTL∗. This
differs from usual variants of Strategy Logic which are based on the lineartime temporal
logic LTL. The main difference is the introduction of an outcome quantifier which quantifies
on outcomes of the currently fixed strategies. While in SL temporal operators could only be
evaluated in contexts where all agents were assigned a strategy, this outcome quantifier allows
for evaluation of (branchingtime) temporal properties on partial assignments of strategies to
agents. We recall Branchingtime Strategy Logic, introduced in [26], which has the same
expressive power as SL but allows to express branchingtime properties without resorting to
computationally expensive strategy quantifications.
At the syntax level, in addition to usual boolean connectives and temporal operators, we
have four constructs:
strategy quantification: ∃sϕ, which means “there exists a strategy s such that ϕ holds”,
assigning a strategy to a player: (a, s)ϕ, which is interpreted as “when the agent a plays
according to s, ϕ holds”,
unbinding a player: (a, ?)ϕ, which is interpreted as “ϕ holds after agent a has been
unbound from her strategy, if any”, and
quantifying over outcomes: Aψ, which reads as “ψ holds in all outcomes of the strategies
currently assigned to agents”.
The difference between BSL and SL lies in the last two constructs. Note that unbinding
agents was irrelevant in lineartime SL, where assignments need to be total to evaluate
temporal properties.
I Definition 2 (BSL syntax). The set of BSL formulas is the set of state formulas given by
the following grammar:
ϕ ::= p  ¬ϕ  ϕ ∨ ϕ  ∃sϕ  (a, s)ϕ  (a, ?)ϕ  Aψ
ψ ::= ϕ  ¬ψ  ψ ∨ ψ  Xψ  ψUψ,
where p ∈ AP, a ∈ Ag and s ∈ Var.
We use classic abbreviations > = p ∨ ¬p, Fψ = >Uψ, Gψ = ¬F¬ψ and ∀sϕ = ¬∃s¬ϕ.
A variable s appears free in a formula ϕ if it appears in a binding operator (a, s) that is
not in the scope of any strategy quantifier hhsii.
2.3
BSL semantics
Given a formula ϕ ∈ BSL, an assignment is variablecomplete for ϕ if its domain contains all
free strategy variables of ϕ.
I Definition 3 (BSL semantics). The semantics of a state formula is defined on a game G,
an assignment χ that is variablecomplete for ϕ, and a finite play ρ. For a path formula
ψ, the finite play is replaced with an infinite play π and an index i ∈ N. The definition by
mutual induction is as follows:
G, χ, ρ = p
G, χ, ρ = ¬ϕ
G, χ, ρ = ϕ ∨ ϕ0
G, χ, ρ = ∃sϕ
G, χ, ρ = (a, s)ϕ
G, χ, ρ = (a, ?)ϕ
G, χ, ρ = Aψ
G, χ, π, i = ϕ
G, χ, π, i = ¬ψ
G, χ, π, i = ψ ∨ ψ0
G, χ, π, i = Xψ
G, χ, π, i = ψUψ0
if
if
if
if
if
if
if
if
if
if
if
if
p ∈ `(last(ρ))
G, χ, ρ 6= ϕ
G, χ, ρ = ϕ or G, χ, ρ = ϕ0
there exists σ ∈ Strat s.t. G, χ[s 7→ σ], ρ = ϕ
G, χ[a 7→ χ(s)], ρ = ϕ
G, χ[a 7→?], ρ = ϕ
for all π ∈ Out(χ, ρ), G, χ, π, ρ − 1 = ψ
G, χ, π≤i = ϕ
G, χ, π, i 6= ψ
G, χ, π, i = ψ or G, χ, π, i = ψ0
G, χ, π, i + 1 = ψ
∃ j ≥ i s.t. G, χ, π, j = ψ0 and ∀ k s.t. i ≤ k < j, G, χ, π, k = ψ
BSL has the same expressivity as SL, and there are linear translations in both directions [26].
More precisely, the translation from BSL to SL is linear in the size of the formula times
the number of players; indeed, the outcome quantifier is simulated in SL by a strategy
quantification and a binding for each player who is not currently bound to a strategy. This
translation may thus increase the nesting and alternation depth of strategy quantifiers in the
formula, which is known to increase the complexity of the modelchecking problem [13, 36].
3
Prompt Strategy Logic
In this section we introduce PromptSL, an extension of both BSL and PromptLTL.
3.1
PromptSL syntax
The syntax of PromptSL extends that of branchingtime strategy logic BSL with two
additional constructs, where N is a variable over natural numbers:
a bounded version of the classical “eventually” operator written F≤N , and
an existential quantification on the values of variable N , written ∃N .
As in PromptLTL, the formula F≤N ψ states that ψ will hold at the latest within N
steps from the present. For a formula ϕ of PromptSL there is a unique bound variable
N : indeed, in the spirit of PromptLTL where a unique bound must exist for all
prompteventualities, formulas of our logic cannot use more than one bound variable. However, in
PromptSL, existential quantification on N is part of the syntax, which allows to freely
combine quantification on the (unique) bound variable N with other operators of the logic. In
particular one can express the existence of a unique bound that should work for all strategies,
or instead that the bound may depend on the strategy (see Example 6).
I Definition 4 (PromptSL syntax). The syntax of PromptSL formulas is defined by the
following grammar:
where p ∈ AP, s ∈ Var, a ∈ Ag and N is a fixed bounding variable. A PromptSL sentence
is a state formula with no free strategy variable, in which every F≤N is in the scope of some
∃N , and F≤N and ∃N always appear positively, i.e. under an even number of negations.
3.2
PromptSL semantics
We now define the semantics of PromptSL.
I Definition 5 (PromptSL semantics). The semantics is defined inductively as follows,
where ϕ (resp. ψ) is a costSL state (resp. path) formula, G is a game, χ is an assignment
variablecomplete for ϕ (resp. ψ), ρ is a finite play, π an infinite one, i ∈ N is a point in time
and n ∈ N is a bound.
G, χ, ρ, n = p
G, χ, ρ, n = ¬ϕ
G, χ, ρ, n = ϕ ∨ ϕ0
G, χ, ρ, n = ∃sϕ
G, χ, ρ, n = (a, s)ϕ
G, χ, ρ, n = (a, ?)ϕ
G, χ, ρ, n = Aψ
G, χ, ρ, n = ∃N ϕ
G, χ, π, i, n = ϕ if
G, χ, π, i, n = ¬ψ if
G, χ, π, i, n = ψ ∨ ψ0 if
G, χ, π, i, n = Xψ if
G, χ, π, i, n = ψUψ0 if
G, χ, π, i, n = F≤N ψ
if
if
if
if
if
if
if
if
if
p ∈ `(last(ρ))
G, χ, ρ, n 6= ϕ
G, χ, ρ, n = ϕ or G, χ, ρ, n = ϕ0
there exists σ ∈ Strat s.t. G, χ[s 7→ σ], ρ, n = ϕ
G, χ[a 7→ χ(s)], ρ, n = ϕ
G, χ[a 7→?], ρ, n = ϕ
for all π ∈ Out(χ, ρ), G, χ, π, ρ − 1, n = ϕ
there exists n0 ∈ N such that G, χ, ρ, n0 = ϕ
G, χ, π≤i, n = ϕ
G, χ, π, i, n 6= ψ
G, χ, π, i, n = ψ or G, χ, π, i, n = ψ0
G, χ, π, i + 1, n = ψ
∃ j ≥ i s.t. G, χ, π, j, n = ψ0
and ∀ k s.t. i ≤ k < j, G, χ, π, k, n = ψ
there exists j ∈ [i, n] such that G, χ, π, j, n = ψ.
"
"
The semantics of a sentence Φ does not depend on the bound n, and we may write
G, χ, ρ = Φ if G, χ, ρ, n = Φ for some n. In addition a sentence does not require an
assignment for its evaluation. Given a game G with initial vertex v0 and a sentence Φ, we
write G = Φ if G, ∅, v0 = Φ, where ∅ is the empty assignment.
I Example 6. In bounded parity games [12, 37] the odd colours represent requests and even
colours represent grants, and the objective of the player a1 is to ensure against player a2
that every request is promptly followed by a larger grant. Solving such games can be cast as
a modelchecking problem of the PromptSL formula
∃s1(a1, s1)∀s2(a2, s2)∃N AG
^ c → F≤N
c odd
_
d>c even
#
d
on the structure in which every vertex is labelled by its color. The finitary parity condition
relaxes the constraint by only requiring requests that appear infinitely often to be promptly
granted, and solving such games can be reduced to model checking the PromptSL formula
∃s1(a1, s1)∀s2(a2, s2)∃N AG
^ (c ∧ GFc) → F≤N
c odd
_
d>c even
#
d .
Observe that in both these definitions, the bound on the delay between requests and grants
can depend on the outcome, i.e. on the opponent’s strategy. We can also express uniform
variants of these objectives by moving the quantification on the bound ∃N before the
quantification on opponent’s strategies ∀s2. Such games are studied in the context of the
theory of regular cost functions [14, 16, 15], and their relationship to the nonuniform variants
has been investigated in [11]. The solution to the modelchecking problem for PromptSL
that we present here allows us to solve both types of games, uniform and nonuniform.
4
Boundingoutcomes Strategy Logic
We now define our second quantitative extension of Strategy Logic, which we call
Boundingoutcomes Strategy Logic, or BOSL.
BOSL can also be seen as PromptSL without the bounded eventually F≤N but with
the novel bounded outcome quantifier A≤N . While formula Aψ states that ψ holds in all
outcomes of the current assignment, A≤N ψ states that ψ holds in all of these outcomes
except for at most N of them.
I Definition 7 (BOSL syntax). The syntax of BOSL formulas is given by the following
grammar:
State formulas:
Path formulas:
ϕ ::= p  ¬ϕ  ϕ ∨ ϕ  ∃sϕ  (a, s)ϕ  (a, ?)ϕ  Aψ  A≤N ψ  ∃N ϕ
ψ ::= ϕ  ¬ψ  ψ ∨ ψ  Xψ  ψUψ
where p ∈ AP, s ∈ Var, a ∈ Ag and N is a fixed bounding variable. A BOSL sentence is a
state formula with no free strategy variable, in which every A≤N is in the scope of some ∃N ,
and where A≤N and ∃N always appear positively, i.e. under an even number of negations.
4.2
BOSL semantics
I Definition 8 (BOSL semantics). We only give the definition for the new operator A≤N ,
the others are as in Definition 5.
G, χ, ρ, n = A≤N ψ if Card({π ∈ Out(ρ, χ) : G, χ, π, ρ − 1, n 6= ψ}) ≤ n
The full semantics can be found in Appendix A.1. Once again, for a sentence Φ we write
G = Φ if G, ∅, v0, n = Φ for some n ∈ N, where ∅ is the empty assignment.
I Example 9. As an example we consider the framework of Carayol and Serre [
10
] that
considers games with two players and a third player called “nature”. The usual semantics is
for nature to be a random player, in which case we are interested in whether player 1 has a
strategy ensuring to win almost all paths. The paper [
10
] suggests other formalisations for
the third player, of topological, measuretheoretic, and combinatorial nature, and provides
general reductions. For instance, one may fix a constant N and write the following formula
∃s1(a1, s1)∀s2(a2, s2)A≤N ψ, stating that player a1 has a strategy ensuring to win all but N
paths. If N is a constant the above question is solved in [
10
]. However the latter work leaves
open the question of ensuring that player a1 wins all but a bounded number of paths, which is
expressible by the Boundingoutcome Strategy Logic formula ∃N ∃s1(a1, s1)∀s2(a2, s2)A≤N ψ.
One could also consider the variant where the bound can depend on the opponent’s strategy,
which can be expressed by the formula ∃s1(a1, s1)∀s2∃N (a2, s2)A≤N ψ. In this paper we
show that the modelchecking problem for Boundingoutcome Strategy Logic is decidable,
thereby giving a solution to both variants of this question.
Model checking
In this section we solve the modelchecking problem for both PromptSL and BOSL with a
uniform approach which, in fact, works also for the combination of the two logics. As done
in [35] for ATL with strategy context, in [6] for an extension of it with imperfect information
and in [7] for Strategy Logic with imperfect information, we go through an adequate extension
of QCTL∗, which itself extends CTL∗ with secondorder quantification. This approach makes
automata constructions and their proof of correctness easier and clearer. In our case we define
an extension of QCTL∗ called BoundQCTL∗, which contains the bounded eventually F≤N
from PromptLTL and PromptSL, a bounded path quantifier A≤N similar to the bounded
outcome quantifier from BOSL, and the quantifier on bounds ∃N present in both PromptSL
and BOSL. We then recall definitions and results about cost automata, that we use to solve
the modelchecking problem for BoundQCTL∗. We finally solve the modelchecking problem
for both PromptSL and BOSL by reducing them to model checking BoundQCTL∗.
5.1
Bound Quantified CTL*
In this section we define Bound Quantified CTL∗, or BoundQCTL∗, which extends
PromptLTL to the branchingtime setting and adds quantification on atomic propositions. One can
also see it as an extension of Quantified CTL∗ [40, 29, 30, 23, 34] with the bounded eventually
operator and a bounded version of the universal path quantifier. Unlike PromptLTL, but
similarly to our PromptSL and BOSL, an existential quantification on the bound for the
bounded eventually and bounded outcome quantifier is also part of the syntax.
5.1.1
BoundQCTL* syntax
I Definition 10. The syntax of BoundQCTL∗ is defined by the following grammar:
ϕ = p  ¬ϕ  ϕ ∨ ϕ  Aψ  A≤N ψ  ∃p ϕ  ∃N ϕ
ψ = ϕ  ¬ψ  ψ ∨ ψ  Xψ  ψUψ  F≤N ψ
where p ∈ AP, and N is a fixed bounding variable.
As usual, formulas of type ϕ are called state formulas, those of type ψ are called
path formulas, and QCTL∗ consists of all the state formulas defined by the grammar. We
further distinguish between positive formulas, in which operators F≤N , A≤N and ∃N appear
only positively (under an even number of negations), and negative formulas, in which
operators F≤N , A≤N and ∃N appear only negatively (under an odd number of negations).
A BoundQCTL∗ sentence is a positive formula such that all operators F≤N and A≤N in
the formula are in the scope of some ∃N . Note that we will be interested in model checking
sentences, and every subformula of a sentence is either positive or negative.
5.1.2
BoundQCTL* semantics
BoundQCTL∗ formulas are evaluated on (unfoldings of) Kripke structures.
I Definition 11. A (finite) Kripke structure is a tuple S = (S, s0, R, `), where S is a finite
set of states, s0 ∈ S is an initial state, R ⊆ S × S is a lefttotal transition relation3, and
` : S → Σ is a labelling function.
3 i.e., for all s ∈ S, there exists s0 such that (s, s0) ∈ R.
A path in S is a finite word λ over S such that for all i, (λi, λi+1) ∈ R. For s ∈ S, we let
Paths(s) ⊆ S+ be the set of all paths that start in s.
Trees. Let S be a finite set of directions and Σ a set of labels. A (Σ, S)tree (or simply tree)
is a pair t = (τ, `) where ` : τ → Σ is a labelling and τ ⊆ S+ is the domain such that:
there exists r ∈ S+, called the root of τ , such that each u ∈ τ starts with r, i.e. r 4 u,
if u · s ∈ τ and u · s 6= r, then u ∈ τ ,
if u ∈ τ then there exists s ∈ S such that u · s ∈ τ .
The elements of τ are called nodes. If u · s ∈ τ , we say that u · s is a child of u. A branch λ
in t is an infinite sequence of nodes such that λ0 ∈ τ and for all i, λi+1 is a child of λi, and
Branches(t, u) is the set of branches that start in node u. We let Branches(t) denote the set
of branches that start in the root. If S is a singleton, a tree becomes an infinite word.
I Definition 12. The tree unfolding of a Kripke structure S from state s is the tree tS (s) =
(Paths(s), `0), where for every u ∈ Paths(s), we have `0(u) = `(last(u)). We may write tS for
tS (s0), the unfolding from the initial state.
Projection and subtrees. Given two trees t, t0 and a proposition p, we write t ≡p t0 if they
have same domain τ and for all p0 in AP such that p0 6= p, for all u in τ , we have p0 ∈ `(u) if,
and only if, p0 ∈ `0(u). Given a tree t = (τ, `) and a node u ∈ τ , we define the subtree of t
rooted in u as the tree tu = (τu, `0) where τu = {v ∈ S+ : u 4 v} and `0 is ` restricted to τu.
I Definition 13. The semantics t, u, n = ϕ and t, λ, n = ψ are defined inductively, where ϕ
is a BoundQCTL∗ state formula, ψ is a BoundQCTL∗ path formula, t = (τ, `) is a tree,
u is a node, λ is a branch in t, and n in N a bound (the inductive cases for classic CTL∗
operators can be found in Appendix A.2):
t, u, n = A≤N ψ
t, u, n = ∃p ϕ
t, u, n = ∃N ϕ
t, λ, n = F≤N ψ
if
if
if
if
Card({λ ∈ Branches(t, u) : t, λ, n 6= ψ}) ≤ n
∃ t0 ≡p t such that t0, u, n = ϕ
∃ n0 ∈ N such that t, u, n0 = ϕ,
∃ j such that 0 ≤ j ≤ n and t, λ≥j , n = ψ
The value JϕKinf(t) (resp. JϕKsup(t)) of a positive (resp. negative) state formula ϕ on a tree
t with root r is defined as
JϕKinf(t) = inf {n ∈ N : t, r, n = ϕ}
and
JϕKsup(t) = sup {n ∈ N : t, r, n = ϕ} ,
with the usual convention that inf ∅ = ∞ and sup ∅ = 0. In case it is not a positive or negative
formula, its value is undefined. We remark that {n ∈ N : t, r, n = ϕ} is downward (resp.
upward) closed if ϕ is negative (resp. positive). The value of a sentence Φ is always either 0
or ∞ (recall that sentences are necessarily positive formulas and N is always quantified),
and given a Kripke structure S, we write S = Φ if JΦKinf(tS ) = 0.
5.2
Regular cost functions
In this section we develop the theory of regular cost functions over trees for distance automata.
To this end we define and study the two dual models of distance and distanceautomata
for recognising cost functions [14], referred to as cost automata.
Let E be a set of structures (such as infinite words or trees). We define an equivalence
relation ≈ on functions E → N ∪ {∞} by f ≈ g if for all X ⊆ E, f (X) is bounded if, and
only if, g(X) is bounded. A cost function over E is an equivalence class of the relation ≈.
In Section 5.2.1 we define cost games whose objectives may refer to a single counter that,
in each step, can be incremented or left unchanged. In Section 5.2.2 we define automata
whose semantics are given using cost games. We introduce distanceautomata and their
duals distanceautomata that compute functions E → N ∪ {∞}. In Section 5.2.3 we focus
on automata over infinite words and the notion of historydeterministic automata.
The novel technical contribution of this section is an extension of the classical property
of historydeterministic automata: the original result says that given a historydeterministic
automaton over infinite words, one can simulate it along every branch of a tree. This is
the key argument to handle the A operator in PromptSL. In Section 5.2.4 we extend this
result by allowing the automaton to skip a bounded number of paths, which will allow us to
capture the boundedoutcome operator A≤N in BOSL.
5.2.1
Cost games
The semantics of cost automata are given by turnbased twoplayer games, which are
essentially a special case of the general notion of games given in Section 3.2. We give here a
slightly modified definition better fitting the technical developments.
I Definition 14. A game is given by G = (V, VE , VA, v0, E, c), where V = VE ] VA is a set
of vertices divided into the vertices VE controlled by Eve and the vertices VA controlled by
Adam, v0 ∈ V is an initial vertex, E ⊆ V × V is a lefttotal transition relation, c : V → Ω is
a labelling function.
A finite (resp. infinite) play is a finite (resp. infinite) word ρ = v0 . . . vn (resp. π = v0v1 . . .)
such that for every i such that 0 ≤ i < ρ − 1 (resp. i ≥ 0), (vi, vi+1) ∈ E. A strategy for
Eve (resp. for Adam) is a function σ : V ∗ · VE → V (resp. σ : V ∗ · VA → V ) such that for all
finite play ρ ∈ V ∗ · VE (resp. ρ ∈ V ∗ · VA), we have (last(ρ), σ(ρ)) ∈ E. Given a strategy σ
for Eve and σ0 for Adam, we let Outcome(σ, σ0) be the unique infinite play that starts in v0
and is consistent with σ and σ0.
An objective is a set W ⊆ Ωω. To make the objective explicit we speak of W games, which
are games with objective W . A strategy σ for Eve ensures W ⊆ Ωω if for all strategy σ0 of
Adam, the infinite word obtained by applying c to each position of the play Outcome(σ, σ0)
is in W . Eve wins the W game G if there exists a strategy for her that ensures W . The
same notions apply to Adam. We now introduce the objectives we will be using.
Given d ∈ N∗, the parity objective parity ⊆ {1, . . . , d}ω is the set of infinite words in
which the maximum label appearing infinitely many times is even.
The distance objective uses the set of labels { , i} acting on a counter taking values in
the natural numbers and initialised to 0. The labels and i are seen as actions on the
counter: the action leaves the counter unchanged and i increments the counter by 1.
For n ∈ N, the distance objective distance(n) ⊆ { , i}ω is the set of infinite words such
that the counter is bounded by n.
The regular distance objective fininc ⊆ { , i}ω is the set of infinite words such that the
counter is incremented finitely many times.
The codistance objective uses set of labels { , i}, where and i have the same
interpretation as in distance(n). For n ∈ N, the objective distance(n) ⊆ { , i}ω is the set of
infinite words such that the counter eventually reaches value n.
The objectives can be combined: parity ∩ distance(n) ⊆ ({1, . . . , d} × { , i})ω is the
Cartesian product of the parity and the distance objective (where a pair of infinite words
is assimilated with the infinite word formed of the pairs of letters at same position).
The following result, proven in [11], relates distance and fininc in the context of games.
I Lemma 15. Let G be a finite game. There exists n ∈ N such that Eve wins for parity ∩
distance(n) iff Eve wins for parity ∩ fininc.
5.2.2
Cost automata
We now define automata over (Σ, S)trees.
I Definition 16. A (nondeterministic) automaton is a tuple A = (Q, q0, δ, c) where Q is a
finite set of states, q0 ∈ Q is an initial state, δ ⊆ Q × Σ × QS is a transition relation, and
c : Q → Ω is a labelling function.
When an automaton is equipped with an objective W ⊆ Ωω we speak of an W automaton.
To define the semantics of W automata, we define acceptance games. Given an W automaton
A and a (Σ, S)tree t = (τ, `), we define the acceptance W game GA,t as follows.
The set of vertices is (Q × τ ) ∪ (Q × τ × QS ). The vertices of the form Q × τ are controlled
by Eve, the others by Adam.
The initial vertex is (q0, r), where r is the root of t.
The transition relation relates the vertex (q, u) to (q, u, h) if (q, `(u), h) ∈ δ, and (q, u, h)
is related to (h(s), u · s) for every s ∈ S.
The label of a vertex (q, u) is c(q), and the other vertices are not labelled.
We say that t is accepted by A if Eve wins the acceptance W game GA,t.
An equivalent point of view is to say that t is accepted by A if there exists a (Q, S)tree
with same domain as t respecting the transition relation δ with respect to t, such that all
branches satisfy W .
We instantiate this definition for cost automata: the objective parity ∩ distance gives
rise to the notion of distanceautomata. A distanceautomaton A computes the function
JAKd over trees defined by
JAKd(t) = inf {n ∈ N : t is accepted by A with objective parity ∩ distance(n)} ,
and it recognises the ≈equivalence class of the function JAKd.
Dually, the objective parity ∩ distance(n) gives rise to distanceautomata. A
distanceautomaton A computes the function JAKd over trees defined by
JAKd(t) = sup n ∈ N : t is accepted by A with objective parity ∩ distance(n)
and recognises the ≈equivalence class of the function JAKd.
If A recognises the ≈equivalence class of the function f : E → (N ∪ {∞}) we abuse
notation and say that A recognises the function f .
To illustrate the definition of distanceautomata, we now give an example that will be
useful later on to capture the bounded path quantifier A≤N .
I Lemma 17. Let p ∈ AP. There exists a distanceautomaton recognising the function that
counts the number of paths with infinitely many p’s.
Proof. Let us say that a path is bad if it contains infinitely many p. The distanceautomaton
A has four states:
q0, , whose intuitive semantics is “the tree contains one bad path”,
q0,i, meaning “the tree contains at least two bad paths”,
q1,p and q1,¬p, which mean “the tree does not contain any bad path”.
All states are initial (note that this is an inconsequential abuse because we defined automata
with a single initial state). We use the set of labels Ω = {2, 3} × { , i}. The transitions are
as follows, where q0 = {q0, , q0,i} and q1 = {q1,p, q1,¬p}.
(q0, , a, h) if h contains at most one q0
δ = (q0,i, a, h) if h contains at least two q0
(q1,¬p, a, h) if p ∈/ a and h contains only q1
(q1,p, a, h) if p ∈ a and h contains only q1
The labelling function is c(q0, ) = (2, ), c(q0,i) = (2, i), c(q1,¬p) = (2, ), and c(q1,p) = (3, ).
We claim that the following two properties hold, which implies Lemma 17.
if t contains n bad paths, then JAKd(t) ≤ n − 1,
if JAKd(t) ≤ n, then t contains at most Card(S)n bad paths.
Assume that t contains n bad paths, we construct a run for A (i.e., a labelling of t with
states of A) as follows. A node u of the tree is labelled by:
q0, if exactly one tu·s contains a bad path for some direction s ∈ S,
q0,i if tu·s contain a bad path for at least two different directions s ∈ S,
q1,¬p if tu does not contain a bad path and p ∈/ `(u),
q1,p if tu does not contain a bad path and p ∈ `(u).
This yields a valid run whose branches all satisfy the parity condition. Along a branch the
counter is incremented each time there are at least two subtrees with a bad path, which can
happen at most n − 1 times because there are n bad paths. Hence the maximal value of the
counter on a branch is n − 1, implying that JAKd(t) ≤ n − 1.
We show the second point by induction on n. If JAKd(t) = 0, then t contains at most
one bad path. If JAKd(t) = n + 1, consider a (Q, S)tree representing a run of value n + 1.
Because JAKd(t) ≥ 1, there is at least one node labelled q0,i. By definition of the transition
relation, if there are two nodes on the same level labelled q0,i, then they must descend from
another node q0,i higher in the tree. Thus there is a unique node u labelled q0,i that is
closest to the root (it may be the root itself). Except for u’s ancestors, which are labelled
with q0, , all nodes outside of the subtree rooted in u are necessarily labelled with q1. The
subtrees rooted in u’s children have a run with value at most n. By induction hypothesis
each of these subtrees contains at most Card(S)n bad paths, so the tree rooted in u contains
at most Card(S)n+1 bad paths. Since nodes labelled by q1 cannot contain a bad path, this
means that t contains at most Card(S)n+1 bad paths. J
The objective parity gives rise to parity automata. The following lemma follows from
the observation that fininc is an ωregular objective.
I Lemma 18. For every automaton with objective parity ∩ fininc one can construct an
equivalent parity automaton.
5.2.3
Regular cost functions over words
The definitions of costautomata can be applied to infinite words, which is the particular
case where S is a singleton. A central notion in the theory of regular cost functions is that of
historydeterministic automata over infinite words. Informally, a nondeterministic automaton
is historydeterministic if its nondeterminism can be resolved by a function considering only
the input read so far. This notion has been introduced for studying ωautomata in [25]. We
specialise it here to the case of cost functions, involving a relaxation on the values allowing
for a good interplay with the definition of equivalence for cost functions.
To give a formal definition we introduce the notation Aσ for A a W automaton and a
strategy σ : Σ∗ → δ, where δ is the transition relation of A: Aσ is a (potentially infinite)
deterministic W automaton (Q×Σ∗, (q0, ε), δσ, cσ) where ((q, w), a, (q0, wa)) ∈ δσ just if σ(w) =
(q, a, q0), and cσ(q, w) = c(q). The automaton Aσ is infinite but deterministic, as for each
situation the strategy σ chooses the transition to follow.
I Definition 19 ([14, 17]). We say that a distanceautomaton A over infinite words is
historydeterministic if there exists a function α : N → N such that for every n there exists a
strategy σ such that for all words w we have JAKd(w) ≤ n =⇒ JAσKd(w) ≤ α(n).
We now explain the usefulness of the notion of historydeterministic automata. The
situation is the following: we consider a language L over infinite words, and we want to
construct an automaton for the language of trees “all branches are in L”. Given a deterministic
automaton for L one can easily solve this problem by constructing an automaton running
the deterministic automaton on all branches.
In the quantitative setting we consider here, we have a function f : Σω → N ∪ {∞}
instead of L, and we wish to construct an automaton computing the function over trees
t 7→ sup {f (λ) : λ ∈ Branches(t)} . Unfortunately, distanceautomata do not determinise,
so the previous approach needs to be refined. The construction fails for nondeterministic
automata, because two branches may have very different accepting runs even on their shared
prefix. The notion of historydeterministic automata yields a solution to this problem, as
stated in the following theorem.
I Theorem 20 ([18]). Let A be a historydeterministic distanceautomaton over infinite
words. One can construct a distanceautomaton recognising the function over trees
t 7→ sup {JAKd(λ) : λ ∈ Branches(t)}
We present an extension of this result where the function can remove a bounded number
of paths in the computation. The proof is in Appendix A.3.
I Theorem 21. Let A be a historydeterministic distanceautomaton over infinite words.
One can construct a distanceautomaton recognising the function over trees
t 7→ inf {max(Card(B), sup {JAKd(λ) : λ ∈/ B}) : B ⊆ Branches(t)} .
The idea is to combine A with the automaton defined in the proof of Lemma 17.
5.2.4
Regular cost functions over trees
We introduce the notion of nested automata, which is parameterised by an objective W ⊆ Ωω.
Nested automata can be seen as a special form of alternating automata which will be
convenient to work with in the technical developments.
I Definition 22. A nested W automaton with k slaves over (Σ, S)trees is given by
a master automaton A, which is a W automaton over (2k, S)trees, and
k slave automata (Ai)i∈[k], which are W automata over (Σ, S)trees.
The transition relation of the master is δ ⊆ Q × 2k × QS . We describe the modus operandi
of a nested automaton informally. Let t be a tree and u a node in t, labelled with state
q. To take the next transition the master automaton interrogates its slaves: the transition
(q, v, h) ∈ δ is allowed if for all i ∈ v, the subtree tu is accepted by Ai. The formal semantics
of nested W automata can be found in Appendix A.4.
The following theorem shows the equivalence between distance and distanceautomata
over trees.
I Theorem 23 ([15]). Let f be a cost function over trees. The following statements are
effectively equivalent:
there exists a distanceautomaton recognising f ,
there exists a nested distanceautomaton recognising f ,
there exists a distanceautomaton recognising f ,
there exists a nested distanceautomaton recognising f .
5.3
Model checking BoundQCTL*
The modelchecking problem for BoundQCTL∗ is the following decision problem: given an
instance (Φ, S) where Φ is a sentence of BoundQCTL∗ and S is a Kripke structure, return
‘Yes’ if S = Φ and ‘No’ otherwise. In this section we prove that this problem is decidable by
reducing it to the emptiness problem of parity automata.
We will use the following result about distanceautomata over infinite words.
I Theorem 24 ([27, 28]). For every PromptLTL formula ψ, we can construct a
historydeterministic distanceautomaton A such that JAKd ≈ JψKinf.
I Theorem 25. Let Φ be a sentence of BoundQCTL∗. We construct a nondeterministic
parity automaton AΦ over (Σ, S)trees such that for every Kripke structure S over the set of
states S, we have S = Φ if, and only if, AΦ accepts the unfolding tS .
Proof. Let Φ be a sentence and S a finite set of states.
For each subformula ϕ of Φ, we construct by induction on ϕ the following automata:
1. if ϕ is positive, a distanceautomaton Aϕ such that JAϕKd ≈ JϕKinf,
2. if ϕ is negative, a distanceautomaton Aϕ such that JAϕKd ≈ JϕKsup.
We give the most interesting inductive cases, the remaining ones can be found in Appendix A.5.
ϕ = Aψ : The idea is similar to the automata construction for branchingtime logic [33]:
intuitively, treat ψ as an LTL formula over maximal state subformulas, run a deterministic
automaton for ψ on all branches of the tree, and launch automata for the maximal state
subformulas of ψ when needed. In our case, we will construct a nested automaton to do this,
and in place of a deterministic parity automaton for ψ we will use a historydeterministic
distanceautomaton. Finally, we will convert the nested distanceautomaton into a
distanceautomaton.
Suppose that ϕ is positive (the case that ϕ is negative is treated dually). Then also ψ is
positive. We will construct a nested distanceautomaton B such that JBKd ≈ JϕKinf.
Let ϕ1, . . . , ϕk be the maximal state subformulas of the path formula ψ. We see these
formulas as atomic propositions, so that the formula ψ can be seen as a PromptLTL
formula on infinite words over the alphabet 2k. Apply Theorem 24 to ψ to get a
historydeterministic distanceautomaton Aψ over infinite words such that JAψKd ≈ JψKinf.
Then, apply Theorem 20 to Aψ to get a distanceautomaton A such that JAKd(t) =
sup {JAψKd(λ) : λ ∈ Branches(t)}. The master of B is A.
Since ψ is positive, the formulas ϕ1, . . . , ϕk are either positive or negative. By the
induction hypothesis, for every i, if ϕi is positive we construct a distanceautomaton
Ai such that JAiKd ≈ JϕiKinf; and if ϕi is negative, we construct a distanceautomaton
A0i such that JA0iKd ≈ JϕiKsup. In the latter case, thanks to Theorem 23 we construct a
distanceautomaton Ai such that JAiKd ≈ JϕiKsup. The slaves of B are A1, . . . , Ak.
This completes the construction of B, see Appendix A.5 for its correctness.
ϕ = A≤Nψ : The construction is the same as for Aψ, except for the construction of the
master A, in which we replace Theorem 20 by Theorem 21 to account for the possibility
of removing a bounded number of paths.
ϕ = ∃N ϕ0 : Note that ϕ cannot be negative. Since ϕ is positive, also ϕ0 is positive. By the
induction hypothesis, there exists a distanceautomaton Aϕ0 such that JAϕ0 Kd ≈ Jϕ0Kinf.
Since ϕ is a positive sentence, we have JϕKinf(t) ∈ {0, ω} for every t. Now,
JϕKinf(t) = 0 ⇐⇒ ∃n ∈ N, Jϕ0Kinf(t) ≤ n
⇐⇒ ∃n ∈ N, Eve wins GAϕ0 ,t for the objective parity ∩ distance(n)
⇐⇒ Eve wins GAϕ0 ,t for the objective parity ∩ fininc
The third equivalence follows from Lemma 15. We can now apply Lemma 18 to the
parity ∩ finincautomaton Aϕ0 to get an equivalent parity automaton Aϕ. Then the
last item is equivalent to Eve winning the parity game GAϕ,t, which is equivalent to
JAϕKd(t) = 0 (since JAϕKd(t) ∈ {0, ω} because Aϕ has no counter).
This completes the proof of the inductive hypothesis. Finally, since Φ is a sentence, AΦ is a
parity automaton. Indeed, in the inductive steps, the boundedness operators introduces a
counter (if there was not one already), the ∃N step removes the counter, and other operators
applied to arguments that do not have a counter produce automata with no counters. J
5.4
Model checking PromptSL and BOSL
The modelchecking problem for PromptSL (resp. BOSL) is the following: given a game G
and a sentence Φ of PromptSL (resp. BOSL), decide whether G = Φ.
As for ATL∗ with strategy context [35] and Strategy Logic with imperfect information [7],
the modelchecking problems for both PromptSL and BOSL (as well as their combination)
can be easily reduced to that of BoundQCTL∗ (see Appendix A.6). As a consequence of
these reductions and of Theorem 25, we get:
I Theorem 26. The modelchecking problem is decidable for PromptSL and BOSL.
The modelchecking procedure is nonelementary, but because PromptSL and BOSL
subsume SL we know from [36] that no elementary procedure exists. We leave precise
complexity analysis for future work.
6
Conclusion
We introduced two quantitative extensions of Branchingtime Strategy Logic (BSL), i.e.,
PromptSL that extends BSL with F≤N that limits the range of the eventuality, and BOSL
that extends BSL with A≤N that limits the range of the outcome quantifier. We proved that
model checking both these logics is decidable. To the best of our knowledge these are the
first quantitative extensions of SL with decidable modelchecking problem.
In order to prove our results we used notions from the theory of regular cost functions
to develop new technical insights necessary to address PromptSL and BOSL. Moreover,
as an intermediate formalism between cost automata and logics for strategic reasoning we
introduced BoundQCTL∗, a quantitative extension of QCTL∗, and proved its model checking
decidable. Using this, it is easy to see that also the extension of BSL with ∃N and both
F≤N and A≤N has a decidable modelchecking problem.
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Nathanaël Fijalkow and Martin Zimmermann. Parity and Streett games with costs. Logical
Methods in Computer Science, 10(2), 2014. doi:10.2168/LMCS10(2:14)2014.
Tim French. Decidability of quantifed propositional branching time logics. In AJCAI’01,
pages 165–176, 2001. doi:10.1007/3540456562_15.
Patrick Gardy. Semantics of Strategy Logic. Thèse de doctorat, Laboratoire Spécification
et Vérification, ENS Cachan, France, 2017. URL: https://tel.archivesouvertes.fr/
tel01561802.
Thomas A. Henzinger and Nir Piterman. Solving games without determinization. In CSL,
pages 395–410, 2006.
Sophia Knight and Bastien Maubert. Dealing with imperfect information in strategy logic.
In SR, 2015.
Denis Kuperberg. Linear temporal logic for regular cost functions. Logical Methods in
Computer Science, 10(1), 2014.
Denis Kuperberg and Michael Vanden Boom. On the expressive power of cost logics over
infinite words. In ICALP, pages 287–298, 2012.
Orna Kupferman. Augmenting branching temporal logics with existential quantification
over atomic propositions. JLC, 9(2):135–147, 1999. doi:10.1093/logcom/9.2.135.
Orna Kupferman, P. Madhusudan, P. S. Thiagarajan, and Moshe Y. Vardi. Open systems
in reactive environments: Control and synthesis. In CONCUR, LNCS 1877, pages 92–107.
Springer, 2000.
A Appendix
A.1 BOSL semantics
I Definition 4. The semantics is defined inductively as follows, where ϕ (resp. ψ) is a
costSL state (resp. path) formula, G is a game, χ is an assignment variablecomplete for ϕ
(resp. ψ), ρ is a finite play, π an infinite one, i ∈ N is a point in time and n ∈ N is a bound.
G,χ,ρ,n = p if p ∈ `(last(ρ))
G,χ,ρ,n = ¬ϕ if G,χ,ρ,n 6= ϕ
G,χ,ρ,n = ϕ ∨ ϕ0 if G,χ,ρ,n = ϕ or G,χ,ρ,n = ϕ0
G,χ,ρ,n = ∃sϕ if there exists σ ∈ Strat s.t. G,χ[s 7→ σ],ρ,n = ϕ
G,χ,ρ,n = (a,s)ϕ if G,χ[a 7→ χ(s)],ρ,n = ϕ
G,χ,ρ,n = (a,?)ϕ if G,χ[a 7→?],ρ,n = ϕ
G,χ,ρ,n = Aψ if for all π ∈ Out(χ,ρ), G,χ,π,ρ − 1,n = ϕ
G,χ,ρ,n = A≤Nψ if {π ∈ Out(ρ,χ)  G,χ,π,ρ − 1,n 6= ψ} ≤ n
G,χ,ρ,n = ∃Nϕ if there exists n0 ∈ N such that G,χ,ρ,n0 = ϕ
G,χ,π,i,n = ϕ if G,χ,π≤i,n = ϕ
G,χ,π,i,n = ¬ψ if G,χ,π,i,n 6= ψ
G,χ,π,i,n = ψ ∨ ψ0 if G,χ,π,i,n = ψ or G,χ,π,i,n = ψ0
G,χ,π,i,n = Xψ if G,χ,π,i + 1,n = ψ
G,χ,π,i,n = ψUψ0 if ∃j ≥ i s.t. G,χ,π,j,n = ψ0
and ∀k s.t. i ≤ k < j, G,χ,π,k,n = ψ
A.2 BoundQCTL* semantics
Given two trees t,t0 and an atomic proposition p, we write t ≡p t0 if they have the same
domain τ and for all p0 in AP such that p0 6= p, for all u in τ, we have p0 ∈ `(u) iff p0 ∈ `0(u);
I Definition 7. The semantics t,u,n = ϕ and t,λ,n = ψ are defined inductively, where ϕ
is a BoundQCTL∗ state formula, ψ is a BoundQCTL∗ path formula, t = (τ,`) is a tree, u
is a node, λ is a branch in t, and n in N a bound:
t,u,n = p if p ∈ `(u)
t,u,n = ¬ϕ if t,u,n 6= ϕ
t,u,n = ϕ ∨ ϕ0 if t,u,n = ϕ or t,u,n = ϕ0
t,u,n = Aψ if ∀λ ∈ Branches(t,u) we have t,λ,n = ψ
t,u,n = A≤Nψ if Card({λ ∈ Branches(t,u) : t,λ,n 6= ψ}) ≤ n
t,u,n = ∃pϕ if ∃t0 ≡p t such that t0,u,n = ϕ
t,u,n = ∃Nϕ if ∃n0 ∈ N such that t,u,n0 = ϕ,
t,λ,n = ϕ if t,λ0,n = ϕ
t,λ,n = ¬ψ if t,λ,n 6= ψ
t,λ,n = ψ ∨ ψ0 if t,λ,n = ψ or t,λ,n = ψ0
t,λ,n = Xψ if t,λ≥1,n = ψ
t,λ,n = ψUψ0 if ∃j ≥ 0 such that t,λ≥j,n = ψ0
and ∀k such that 0 ≤ k < j, t,λ≥k,n = ψ
t,λ,n = F≤Nψ if ∃j such that 0 ≤ j ≤ n and t,λ≥j,n = ψ
Proof of Theorem 21
I Theorem 21. Let A be a historydeterministic distanceautomaton over infinite words.
One can construct a distanceautomaton recognising the function over trees
f : t 7→ inf {max(n, sup {JAKd(λ) : λ ∈/ B}) : n ∈ N, B ⊆ Branches(t), Card(B) ≤ n} .
To prove Theorem 21 we combine A with the automaton defined in the proof of Lemma 17.
Proof. We write A = (Q, q0, δ, c) for the historydeterministic distanceautomaton over
infinite words, and let us say that the set of labels is {1, . . . , d} × { , i} with d even.
We construct a distanceautomaton B for f as follows. The set of states is Q ×
{p0, , p0,i, p1}, where the semantics of p0, and p0,i is “some path will be skipped” and p1
means “no path will be skipped”. The initial state is (q0, p0, ). The first component simulates
the automaton A on all branches, while the second acts as follows, with p0 = {p0, , p0,i}.
(p0, , a, h) if h contains at most one p0
δ = (p0,i, a, h) if h contains at least two p0
(p1, a, h) if h contains only p1
The labelling function c0 is
c0(q, p0, )
c0(q, p0,i)
c0(q, p1)
=
=
=
(d, a)
(d, i)
c(q)
where c(q) = (o, a)
where c(q) = (o, a)
The proof of correctness is the same as for Lemma 17, substantiating the following claims:
if f (t) ≤ n, then JBKd(t) ≤ n,
if JBKd(t) ≤ n, then f (t) ≤ Card(S)n. J
A.4
Semantics of nested W automata
I Definition 22. A nested W automaton with k slaves over (Σ, S)trees is given by
a master automaton A, which is a W automaton over (2k, S)trees, and
k slave automata (Ai)i∈[k], which are W automata over (Σ, S)trees.
The transition relation of the master is δ ⊆ Q × 2k × QS . We describe the modus operandi
of a nested automaton informally. Let t be a tree and u a node in t, labelled with state
q. To take the next transition the master automaton interrogates its slaves: the transition
(q, v, h) ∈ δ is allowed if for all i ∈ v, the subtree tu is accepted by Ai.
To define the semantics of nested W automata, we define the corresponding acceptance
games. Given a nested W automaton B = (A, (Ai)i∈[k]) and a tree t, we define the acceptance
W game GB,t as follows. Let A = (Q, q0, δ, c).
The set of vertices is (Q × t) ∪ (Q × t × QS ). The vertices of the form (q, u) are controlled
by Eve, those of the form (q, u, h) by Adam.
The initial vertex is (q0, r), where r is the root of t.
The transition relation E is defined as follows
((q, u) E (q, u, h)
(q, u, h) E (h(s), u · s).
if (q, `(u), h) ∈ δ and ∀i ∈ v, tu is accepted by Ai, .
The labelling function maps (q, u) to c(q), the other vertices are not labelled.
We say that t is accepted by B if Eve wins the acceptance W game GB,t.
Proof of Theorem 25
I Theorem 25. Let Φ be a sentence of BoundQCTL∗. We construct a nondeterministic
parity automaton AΦ over (Σ, S)trees such that for every Kripke structure S over the set of
states S, we have S = Φ if, and only if, AΦ accepts the unfolding tS .
Proof. Let Φ be a sentence and S a finite set of states. Throughout this proof, by trees we
mean regular trees, so in particular ≈ is understood over such trees.
For each subformula ϕ of Φ, we construct by induction on ϕ the following automata:
1. if ϕ is positive, a distanceautomaton Aϕ such that JAϕKd ≈ JϕKinf,
2. if ϕ is negative, a distanceautomaton Aϕ such that JAϕKd ≈ JϕKsup.
Here are the constructions or proofs of correctness not present in the body of the paper.
ϕ = p :
The formula ϕ is both positive and negative. Seeing it a positive formula, we define a
distanceautomaton Ap with one state q0 and transition function defined as follows:
δ(q0, a) =
(
> if p ∈ a
⊥ otherwise.
Seeing ϕ as a negative formula, we define a distanceautomaton Ap in exactly the same
way.
ϕ = ¬ϕ0 :
If ϕ is negative, then ϕ0 is positive. By definition,
JϕKsup(t) = sup {n ∈ N : t, r, n = ϕ} = inf {n ∈ N : t, r, n = ϕ0} − 1 = Jϕ0Kinf(t) − 1.
In particular, JϕKsup ≈ Jϕ0Kinf. By induction hypothesis, there exists a
distanceautomaton Aϕ0 such that JAϕ0 Kd ≈ Jϕ0Kinf. Thanks to Theorem 23, there exists a
distanceautomaton Aϕ such that JAϕKd ≈ JAϕ0 Kd. It follows that JAϕKd ≈ JϕKsup.
If ϕ is positive, then ϕ0 is negative, and a similar reasoning applies, using Theorem 23 to
turn a distanceautomaton into an equivalent distanceautomaton.
ϕ = ϕ1 ∨ ϕ2 :
If ϕ is positive, then both ϕ1 and ϕ2 are positive. By induction hypothesis, there exist
two distanceautomata Aϕ1 and Aϕ2 such that JAϕ1 Kd ≈ Jϕ1Kinf and JAϕ2 Kd ≈ Jϕ2Kinf.
We construct Aϕ by taking the disjoint union of Aϕ1 and Aϕ2 and adding a new initial
state that nondeterministically chooses which of Aϕ1 or Aϕ2 to execute on the input tree,
so that JAϕKd = min {JAϕ1 Kd, JAϕ2 Kd} ≈ min {Jϕ1Kinf, Jϕ2Kinf} = JϕKinf.
If ϕ is negative, both ϕ1 and ϕ2 are negative. The same construction yields an automaton
Aϕ such that JAϕKd = max JAϕ1 Kd, JAϕ2 Kd ≈ max {Jϕ1Ksup, Jϕ2Ksup} = JϕKsup.
ϕ = Aψ : The idea is similar to the automata construction for branchingtime logic [33]:
intuitively, treat ψ as an LTL formula over maximal state subformulas, run a deterministic
automaton for ψ on all branches of the tree, and launch automata for the maximal state
subformulas of ψ when needed. In our case, we will construct a nested automaton to do this,
and in place of a deterministic parity automaton for ψ we will use a historydeterministic
distanceautomaton. Finally, we will convert the nested distanceautomaton into a
distanceautomaton.
So, suppose that ϕ is positive (the case that ϕ is negative is treated dually). Then also ψ
is positive. We will construct a nested distanceautomaton B such that JBKd ≈ JϕKinf.
Let ϕ1, . . . , ϕk be the maximal state subformulas of the path formula ψ. We see these
formulas as atomic propositions, so that the formula ψ can be seen as a PromptLTL
formula on infinite words over the alphabet 2k. Apply Theorem 24 to ψ to get a
historydeterministic distanceautomaton Aψ over infinite words such that JAψKd ≈ JψKinf.
Then, apply Theorem 20 to Aψ to get a distanceautomaton A such that JAKd(t) =
sup {JAψKd(λ) : λ ∈ Branches(t)}. The master of B is A.
Since ψ is positive, the formulas ϕ1, . . . , ϕk are either positive or negative. By the
induction hypothesis, for every i, if ϕi is positive we construct a distanceautomaton
Ai such that JAiKd ≈ JϕiKinf; and if ϕi is negative, we construct a distanceautomaton
A0i such that JA0iKd ≈ JϕiKsup. In the latter case, thanks to Theorem 23 we construct a
distanceautomaton Ai such that JAiKd ≈ JϕiKsup. The slaves of B are A1, . . . , Ak.
This completes the construction of B. We now prove that JBKd ≈ JϕKinf. For the sake of
simplicity, we assume that JAψKd = JψKd and JAiKd = JϕiK for every i, i.e. we replace ≈
by equality. This simplification does not affect the arguments and makes the proof easier
to read.
We prove that JϕKinf ≤ JBKd. It is sufficient to show that JBKd(t) ≤ n implies
JϕKinf(t) ≤ n. A run of B on t witnessing that JBKd(t) ≤ n yields for each branch λ
a run of Aψ such that JAψKd(λ) ≤ n. The slave automata diligently check that the
atomic propositions ϕ1, . . . , ϕk have been correctly used, so indeed t, λ, n = ψ, thus
JϕKinf(t) ≤ n.
We prove that JBKd ≤ JϕKinf. It is sufficient to show that JϕKinf(t) ≤ n implies
JBKd(t) ≤ n. By the semantics of ϕ for all branches λ of t we have t, λ, n = ψ. This
yields a run of B on t witnessing that JBKd(t) ≤ n.
Finally, applying Theorem 23 to the nested distanceautomaton B we get a
distanceautomaton Aϕ such that JAϕKd ≈ JBKd.
ϕ = ∃p ϕ0 :
If ϕ is positive, then ϕ0 is positive. In this case unravelling the definitions we have
JϕKinf(t) = inf {Jϕ0Kinf(t0) : t0 ≡p t} .
By the induction hypothesis, there exists a distanceautomaton Aϕ0 such that JAϕ0 Kd ≈
Jϕ0Kinf. We obtain a distanceautomaton Aϕ by performing the usual projection
operation. Everything remains the same, but the transition relation: (q, a, h) is in the new
transition relation if there exists a0 such that a0 ≡p a and (q, a0, h) is in δ, where a0 ≡p a
if for all p0 in AP such that p0 6= p, we have p0 ∈ a0 if, and only if, p ∈ a.
If ϕ is negative, then ϕ0 is negative. The same reasoning and construction applies in this
case, with
JϕKsup(t) = sup {Jϕ0Ksup(t0) : t0 ≡p t} .
This completes the proof of the inductive hypothesis. Finally, since Φ is a sentence, AΦ is a
parity automaton. Indeed, in the inductive steps, the boundedness operators introduces a
counter (if there was not one already), the ∃N step removes the counter, and every other
operator applied to arguments that do not have a counter produces an automaton with no
counters. J
A.6
Reductions for PromptSL and BOSL
Models transformation. We first define for every game G a Kripke structure SG and a
bijection ρ 7→ uρ between the set of finite plays starting in the initial vertex and the set of
nodes in tSG . We consider propositions APv = {pv  v ∈ V }, that we assume to be disjoint
from AP. Define the Kripke structure SG = (S, R, s0, `0) where
S = {sv  v ∈ V },
R = {(sv, sv0 )  ∃c ∈ ActAg s.t. Δ(v, c) = v0} ⊆ S2,
s0 = sv0 , and
`0(sv) = `(v) ∪ {pv} ⊆ AP ∪ APv.
For every finite play ρ = v0 . . . vk, define the node uρ = sv0 . . . svk in tSG (which exists, by
definition of SG and of tree unfoldings). Note that the mapping ρ 7→ uρ defines a bijection
between the set of paths from v0 and the set of nodes in tSG .
Formulas translation. Given a game G and a formula ϕ of PromptSL or BOSL, we define
a BoundQCTL∗ formula (ϕ) such that G = ϕ if and only if SG = (ϕ) . More precisely, this
translation is parameterised with a partial function f : Ag * Var which records bindings of
agents to strategy variables. Suppose that Act = {c1, . . . , cl}. We define the two functions
(·)sf and (·)pf by mutual induction on, respectively, state formulas ϕ and path formulas ψ.
Here is the definition of (·)sf for state formulas:
(p)sf = p
(ϕ1 ∨ ϕ2)sf = (ϕ1)sf ∨ (ϕ2)sf
((a, s)ϕ)sf = (ϕ)sf[a7→s]
where
ψout(f ) = G ^
v∈V
and for path formulas:
(ϕ)pf = (ϕ)sf
(ϕ1 ∨ ϕ2)pf = (ϕ1)pf ∨ (ϕ2)pf
(ψUψ0)pf = (ψ)pf U(ψ0)pf
(¬ϕ)sf = ¬(ϕ)sf
(∃sϕ)sf = ∃pcs1 . . . ∃pcsl .ϕstr(s) ∧ (ϕ)sf ,
(Aψ)sf = A(ψout(f ) → (ψ)pf )
c∈ActAg a∈dom(f)
One can prove the following lemma, where ϕ is either a PromptSL or a BOSL formula.
The translation is essentially the same as in [35] and [7], and the cases for the new operators
should be clear from their semantics.
I Lemma 26. Suppose that dom(f ) = dom(χ) ∩ Ag and for all a ∈ dom(f ), f (a) = x implies
χ(a) = χ(x). Then
G, χ, ρ, n = ϕ
if and only if
tSG , uρ, n = (ϕ) f .
Applying this to a sentence Φ, any assignment χ, the initial vertex v0 of G, any bound n
and the empty function ∅, we get that
G = ϕ if and only if tSG = (ϕ) ∅.
Shaull Almagor , Yoram Hirshfeld, and Orna Kupferman . Promptness in ωregular automata . In ATVA, LNCS 6252 , pages 22  36 . Springer, 2010 .
Rajeev Alur , Kousha Etessami, Salvatore La Torre, and Doron Peled . Parametric temporal logic for “model measuring” . ACM Transactions on Computational Logic , 2 ( 3 ): 388  407 , 2001 .
Journal of the ACM , 49 ( 5 ): 672  713 , 2002 . doi: 10 .1145/585265.585270.
Benjamin Aminof , Aniello Murano, Sasha Rubin , and Florian Zuleger . Prompt alternatingtime epistemic logics . In KR , pages 258  267 . AAAI Press, 2016 . URL: http://www.aaai.
org/ocs/index.php/KR/KR16/paper/view/12890.
In POPL , pages 164  176 , 1981 . doi: 10 .1145/567532.567551.
Raphaël Berthon , Bastien Maubert, and Aniello Murano . Decidability results for ATL* with imperfect information and perfect recall . In AAMAS , 2017 .
Strategy logic with imperfect information . In LICS , 2017 .
Alessandro Bianco , Fabio Mogavero, and Aniello Murano . Graded computation tree logic . ACM Transactions on Computational Logic , 13 ( 3 ): 25 : 1  25 : 53 , 2012 . doi: 10 .1145/ 2287718.2287725.
Patricia Bouyer , Patrick Gardy, and Nicolas Markey . Weighted strategy logic with boolean goals over onecounter games . In FSTTCS 2015 , pages 69  83 , 2015 . doi: 10 .4230/LIPIcs.
FSTTCS. 2015 . 69 .
Arnaud Carayol and Olivier Serre . How good is a strategy in a game with nature? In LICS , pages 609  620 . IEEE Computer Society, 2015 .
Krishnendu Chatterjee and Nathanaël Fijalkow . Infinitestate games with finitary conditions . In CSL , pages 181  196 , 2013 . doi: 10 .4230/LIPIcs.CSL. 2013 . 181 .
Krishnendu Chatterjee , Thomas A Henzinger, and Florian Horn . Finitary winning in ω regular games . ACM Transactions on Computational Logic , 11 ( 1 ): 1 , 2009 .
Krishnendu Chatterjee , Thomas A. Henzinger , and Nir Piterman . Strategy Logic. Information and Computation , 208 ( 6 ): 677  693 , 2010 . doi: 10 .1016/j.ic. 2009 . 07 .004.
Thomas Colcombet . The theory of stabilisation monoids and regular cost functions . In ICALP , 2009 .
Thomas Colcombet . Fonctions régulières de coût. Habilitation Thesis , 2013 .
Thomas Colcombet . Regular cost functions, part I: logic and algebra over words . Logical Methods in Computer Science , 9 ( 3 ), 2013 .
Thomas Colcombet and Nathanaël Fijalkow . The bridge between regular cost functions and ωregular languages . In ICALP , pages 126 : 1  126 : 13 , 2016 . doi: 10 .4230/LIPIcs.ICALP.
Thomas Colcombet and Christof Löding . Regular cost functions over finite trees . In LICS , pages 70  79 , 2010 . doi: 10 .1109/LICS. 2010 . 36 .
E. Allen Emerson and Joseph Y. Halpern . “Sometimes” and “Not Never” revisited: On branching versus linear time . In POPL , pages 127  140 , 1983 . doi: 10 .1145/567067.
Nathanaël Fijalkow , Florian Horn, Denis Kuperberg, and Michał Skrzypczak . Trading bounds for memory in games with counters . In ICALP , pages 197  208 , 2015 . doi:10.
Nathanaël Fijalkow and Martin Zimmermann . CostParity and CostStreet Games . In FSTTCS, volume LIPIcs 18 , pages 124  135 , 2012 .
Orna Kupferman , Giuseppe Perelli, and Moshe Y. Vardi . Synthesis with rational environments . Annals of Mathematics and Artificial Intelligence , 78 ( 1 ): 3  20 , 2016 . doi: 10 .1007/s1047201695088.
Orna Kupferman , Nir Piterman, and Moshe Y Vardi. From liveness to promptness . Formal Methods in System Design , 34 ( 2 ): 83  103 , 2009 .
Orna Kupferman , Moshe Y. Vardi, and Pierre Wolper . An automatatheoretic approach to branchingtime model checking . Journal of the ACM , 47 ( 2 ): 312  360 , 2000 . doi: 10 .1145/ 333979.333987.
LMCS , 10 ( 4 ), 2014 . doi: 10 .2168/LMCS 10 ( 4 :17) 2014 .
François Laroussinie and Nicolas Markey . Augmenting ATL with strategy contexts . Information and Computation , 245 : 98  123 , 2015 .
Fabio Mogavero , Aniello Murano, Giuseppe Perelli, and Moshe Y. Vardi . Reasoning about strategies: On the modelchecking problem . ACM Transactions on Computational Logic , 15 ( 4 ): 34 : 1  34 : 47 , 2014 . doi: 10 .1145/2631917.
Fundamenta Informaticae , 139 ( 3 ): 277  305 , 2015 .
Amir Pnueli . The temporal logic of programs . In FOCS , pages 46  57 , 1977 . doi: 10 .1109/ SFCS. 1977 . 32 .
Amir Pnueli and Roni Rosner . On the synthesis of a reactive module . In POPL , pages 179  190 , 1989 .
PhD thesis , Harvard University, Cambridge, MA, USA, 1983 .
Martin Zimmermann . Optimal bounds in parametric LTL games . Theoretical Computer Science , 493 : 30  45 , 2013 . doi: 10 .1016/j.tcs. 2012 . 07 .039.