Towards A Tableau for ATL*dongmo/GTLW/atl... · 2012. 4. 19. · realizability, and...

IntroductionATL*

The TableauConclusion

Towards A Tableau for ATL*

Mark Reynolds

Logic and Computation Group,School of Computer Science and Software Engineering,

The University of Western Australia

Game Theory and Logics Workshop,University of Western Sydney,

20 April 2012

Mark Reynolds Tableau for ATL*

IntroductionATL*


Outline

1 IntroductionAbstractIntroduction

2 ATL*Syntax and SematicsExamples of ATL*

3 The TableauPreliminariesA CTL* Tableau ExampleImplementation

4 Conclusion


IntroductionATL*


AbstractIntroduction

Outline




4 Conclusion


IntroductionATL*



Abstract

ATL*, the full alternating-time temporal logic, is abranching-time temporal logic that naturally describescomputations of multi-agent system and multiplayer games. Itis used to reason about properties such as receptiveness,realizability, and controllability.

We describe ongoing research into providing a sound, completeand usable tableau method for deciding valid formulas in ATL*.

It would be the first such tableau.


IntroductionATL*



Outline




4 Conclusion


IntroductionATL*



Introduction

specifications for systems are like gameslogics can provide unambiguous specifications of desiredproperties or properties of interestsystems can be checked against properties, we can decideif specifications are at all satisfiable, we can build systemsto satisfy specifications, we can show that properties followfrom specificationsATL* is one of several logics adequate for providingcomplicated statements about whether groups of agents(or components) can enforce extended temporal properties


IntroductionATL*



Games vs Specifications

many desired properties of (open) systems can be posedin terms of a winning condition in a two-player gamebetween the system and the environmentreceptiveness: can every finite safe computation beextended to an infinite live computation regardless of thebehaviour of the environmentrealizability: can a reactive system be built that guaranteesthat its behaviour satisfies a temporal specificationregardless of the environmentcontrollability: controller to choose transitions to keep anFSM in a pre-determined safe set of statesmodule checking: etcgeneralization to a set of components plus environment asthe players.


IntroductionATL*



Specification Example 1

“If there are an infinite number of requests then there will be aninfinite number of grants"

Can be formalised in a propositional linear temporal logic as,eg, GFr → GFg

Very easy to satisfy in a closed system: just stop makingrequests after a while.

But that is not what we mean!

We mean that if the environment generates an infinite numberof requests then the system must provide an infinite number ofgrants. (*note)

(note: still easy to do, as you just need to make a system whichgenerates an infinite number of grants regardless.)


IntroductionATL*



Specification Example 2

From a multiprocess distributed system spec" “a processormust eventually be able to read and it must eventually be ableto write "

Can be formalised in a propositional linear temporal logic as,eg, AG(EFr ∧ EFw)

Very easy to satisfy in a closed system: make sure that theother processors cooperate.

But that is not what we want.

We mean that processor a must eventually be able to read (andwrite) regardless of what the other processors do.


IntroductionATL*


Syntax and SematicsExamples of ATL*

Overview of ATL*

related to the more usual "alternating-time temporal logic"ATL as CTL* is to CTL;a propositional branching time temporal logic similar toCTL*so it has temporal connectives: next X , until U plus pathquantifiers;the individual one step transitions are determined by thecombined choice of a certain fixed number of playerspath quantifiers reflect the ability of coalitions of players toensure temporal properties along paths via their choicesintroduced by Alur, Henzinger and Kupferman [AHK02]applications: in reasoning about games and specificationsfor open reactive systems


IntroductionATL*



Moves

Finite set Σ = {1, ..., k} of players.

At each state q of the game each player a has a certainnumber da(q) ≥ 1 of choices of move.

If da(q) = 1 then a has "no choice": there is just one move thatthey can make. This allows situations such as players takingturns to move (the other players all have no choice).

The choices for player a in state q are {0,1, ...,dq(a)− 1}.

The next state q′ = δ(q, j1, ..., jk ) of the game is determined bythe vector of choices ji of each of the players i ∈ Σ (δ is thegame transition function).


IntroductionATL*



Path Quantifiers

For each subset A ⊆ Σ of players, the quantifier�A� α(applied to formula α) is true at a state (i.e. along all pathsstarting at that state) iff the players in A can together choosemoves (while the game is in this state and ever afterwards) tomake α hold along the path of play from now onwardsregardless of what moves the players in Σ \A make at any step.

(Formalised via strategy functions: and strategies may allowunbounded memory).


IntroductionATL*



Outline




4 Conclusion


IntroductionATL*



Structures

Formulas of ATL* are evaluated in...

DefinitionA concurrent game structure is a tuple M = (k ,Q,Π, π,d , δ) s.t.:{1, ..., k} is the set of players k ≥ 1;Q is the non-empty finite set of statesΠ is a set of propositions;π is the labeling of states, π(q) ⊆ Π;da(q) ≥ 1 is number of moves available to player a at state qδ(q, j1, ..., jk ) ∈ Q is the next state if each player i = 1, ..., kchooses move ji in state q.

Formulas are defined along fullpaths in (S,R): an infinitesequence 〈q0,q1,q2, ...〉 of states such that for each i , qi+1 is apossible next state after qi .


IntroductionATL*



Syntax

The formulas of ATL* are built from the atomic propositions in Πrecursively using classical connectives ¬ and ∧ as well as thetemporal connectives X , U and a path quantifier�A� foreach A ⊆ Σ: if α and β are formulas then so are Xα, αUβ and�A� α.

As well as the standard classical abbreviations, true, ∨,→,↔,we have linear time abbreviations Fα ≡ trueUα andGα ≡ ¬F¬α.


IntroductionATL*



Validity

α is valid in ATL* iff for all game structures M, for all fullpaths σin M, we have M, σ |= α.

α is satisfiable iff 6|= ¬α.


IntroductionATL*



ATL* basics

Often write�{a, ...,b}� as�a, ...,b�.Write�� α =�{∅}� α.Note: �� α means every fullpath from here satisfies α.(Like Aα in CTL*).If Σ = {1,2, ..., k}, the set of all players, then�Σ� αmeans there is some fullpath from here satisying α. (LikeEα in CTL*).Can show�Σ� α iff ¬ �� ¬α.


IntroductionATL*



Outline




4 Conclusion


IntroductionATL*



ATL* variations

ATL is a syntactic restriction (as CTL is of CTL*), i.e.temporal operators X , U, F , G only immediately under�A�;(weaker still) the non-temporal Coalition Logic of [Pau02]stronger languages such as various strategy logics eg[WvdHW07] "ATL with explicit strategies".


IntroductionATL*



ATL* Examples (most not in ATL)

�a� (GFr → GFg)

�� G(�a� Fr∧ �a� Fw)

�1� Xp ∧ ¬ �1,2� Xq∧ �3� X¬q∧ �2� Xq

�� G(p →�1� Fp)→ (p →�1� GFp)

�1��2� Xp →�1,2� Xp


IntroductionATL*



ATL* Reasoning

Validity decidable [Sch08] (ATL is: in [GvD06]).Complexity of checking satisfiability? ATL* is2EXPTIME-complete [Sch08] (as CTL* [EJ88, VS85], CTLand ATL are EXPTIME-complete [FL79], [GvD06])Hilbert-style axiomatization for CTL* in [Rey01], of ATL in[GvD06]. None for ATL*.ATL* model-checking is double exponential [AHK02].But still there is interest in finding approaches which aremore straightforward, or more traditional, or moreamenable to human understanding, or yield meaningfulintermediate steps, etc ...


IntroductionATL*


PreliminariesA CTL* Tableau ExampleImplementation

Tableaux

Tableaux popularsubstantial amount of work on applying them to temporallogics: see [Gor99] and [RD05].can be presented in an intuitive way; often suitable forautomated reasoning; often not hard to prove complexityresults for their use; often can quickly build models ofsatisfiable formulas even though the worst caseperformance is bad;first used for modal logics in [HC68] and [Fit83] and therehas been much work since on tableaux for temporal logics[Wol85, EC82, EH85, Sch98].For CTL* has been a long standing open problem but nowappearing in [Rey09], [Rey11] and [FLL10].


IntroductionATL*



Why a Tableau?

(and despite double exponential lower bound on thecomplexity)experienced tableau practitioners use techniques topractically useful implementationsbasis for searching for more practical sublanguagesassisting human-guided derivations on bigger tasks.basis of proofs of correctness for alternative reasoningtechniques like resolution or rewrite systems.may assist with model-checking and program synthesistasks.may be extended to predicate reasoning.


IntroductionATL*



Outline




4 Conclusion


IntroductionATL*



Traditional but not Standard

Most work on temporal tableaux moves away fromtraditional tree-shaped tableaustandard for temporal logics is to start with a graph andrepeatedly prune away nodes, according to certain removalrules, until there is nothing more to remove (success) orsome failure condition is detected ([Wol85, EH85]).return to tree shape for CTL* and ATL*.


IntroductionATL*



The Decision Procedure

want to decide validity of formulastart with φ and determine whether φ is satisfiable in ATL*or not.To decide validity we will simply determine satisfiabilty ofthe negation.non-deterministically build a tree from root to successorsand backtrack on our choices if there is no way to continuebuilding.conditions for a successful termination.but nodes labelled with sets of sets of formulas


IntroductionATL*



A Tableau Under Construction

Figure: A Tableau Under Construction


IntroductionATL*



Hues and Colours

From the closure set for φ, which is just the subformulasand their negations,we will define a certain set of subsets of the closure setcalled the hues of φ.The colours of φ will be certain sets of hues of φ.The nodes in our tableau tree will each be labelled withone colour.Whether a given colour can label a successor node will bedetermined by certain conditions on the formulas in thehues in the label colours on the successor and the parent.


IntroductionATL*



Closure Set

Fix φ

Definition (closure set)

The closure set for φ is clφ = {ψ,¬ψ|ψ ≤ φ}: its subformulasand their negations.


IntroductionATL*



One Node

Figure: Close Up of One Node


IntroductionATL*



Example Node

Figure: Example of One Node


IntroductionATL*



Life-cycle of a Node

Figure: Life Cycle


IntroductionATL*



Temporal and Boolean Decompositions

Formulas in hues are broken down. Iterate.

α and ¬α in a hue means that the tableau process hasmade a bad choice. Backtrack!¬¬α in a hue means put α in too.α ∧ β in a hue means α and β should also go in.¬(α ∧ β) in a hue means either ¬α or ¬β should also go in.Make a choice. (When backtracking make the otherchoice).Leave Xα and ¬Xα: nothing to do at this stageαUβ in a hue means we choose to put β in or put α in¬(αUβ) in a hue means put ¬β and choose to put α in ornot


IntroductionATL*



The Path Split

Rough description (Based on an idea from Goranko).

Count and enumerate the total number n of positiveπj =�A� α and proper negative πj = ¬ �A� α (A notempty) path quantified formulas in the state.

Each player gets n moves so there are kn “hues".

A vector will support α according to πj =�A� α iff all theplayers in A choose j .A vector will support ¬α according to πj = ¬ �A� α iff all theplayers not in A choose j .

This determines content of the nk hues. (Consolidate)Mark Reynolds Tableau for ATL*

IntroductionATL*



Eg, Path Quantifier Split Step

Eg, split�1� Xq,¬ �1� Gq,�1,2� Xp.Three moves each player. Nine hues.0 0 Xq0 1 Xq,¬Gq0 2 Xq1 01 1 ¬Gq1 22 02 1 ¬Gq2 2 Xp


IntroductionATL*



ATL* complications on the split step

After a hue split step for ATL*, we may need to iterate thetemporal, boolean and path split steps.

Will it end?


IntroductionATL*



State formula Rules

Node development requires state formulas to be shared acrosshues.

State formulas are atoms and�A� α and their booleancombinations.If an atom or its negation appear in one hue then they mustbe copied to all other hues.Similarly any formula of the form�A� α or a negation.This causes need for iteration of splitting. (Not sure howthat will work exactly)


IntroductionATL*



The temporal step

When a node is ready to have children, choose a new childnode for each hue. Give each new node one empty hue.

Xα in a hue means α goes in the successor hue.¬Xα in a hue means ¬α goes in the successor hue.αUβ but not β in a hue means αUβ goes in the successor.¬(αUβ) and α in a hue means ¬(αUβ) goes in thesuccessor.


IntroductionATL*



Example Tableau

n0

n1

h37

b

h28

n3

h30

b

h34

n6

h35

b

h35

b

h36

n2

h38

n4

h37

b

h28

n7

h30

b

h34

n10

h35

b

h35

b

h36

n5

h38

n8

h37

n9

h38

Figure: Start of a Tableau for θ−12


IntroductionATL*



Tableau Construction

Tableaux can be built node by node.

Work within a hue, the path split, and the temporal one stephave been discussed.

Another challenge faced for ATL* as for CTL* is to do withlooping and repetition.

In our tableaux there will be “good looping" and “bad looping".


IntroductionATL*



Good Looping

...an ancestor of a node can serve as the successor of thatnode.

Our tableaux not strictly tree-shaped: allowed to loop up fromnodes to their ancestors.

way of making a finite model which has infinite fullpaths.

subtle conditions determine when we are alowed to loop up


IntroductionATL*



Bad Looping

... we determine that we have extended a branch in a certainway which exhibits too much repetition with no allowed loopsback up, and so no prospect of terminating this development ina successful and finite way.

there will be subtle rules to determine when we have suchrepetition.

allows us to stop constructing a branch and backtrack to aprevious choice, or fail in a finite way.


IntroductionATL*



Tree-ish Shape

The tableaux we construct will be roughly tree-shaped albeit thetraditional upside down tree with a root at the top: predecessorsand ancestors above, successors and descendants below.

However, we will allow up-links from a node to one of itsancestors.

Each node will be labelled with a colour, with the hues orderedand, unless it is a leaf, it will have one (ordered) successor foreach hue.


IntroductionATL*



Outline




4 Conclusion


IntroductionATL*



Eg from CTL* θ−12

Consider the exampleθ−12 = ¬θ12 = ¬(AG(p → EXp)→ (p → EGp)).

not satisfiable

The formula has length 30

it has 39 hues and 258 colours.


IntroductionATL*



CTL* example

Hue Contentsh28 {¬p,¬Xp,EXp,F¬p,A¬Gp, θ12,AG(p → EXp),p → EGp, ...}h30 {¬p,Xp,EXp,F¬p,A¬Gp, θ12,AG(p → EXp),p → EGp, ...}h34 {p,¬Xp,EXp,F¬p,EGp,¬θ12,AG(p → EXp),¬(p → EGp), ...}h35 {p,Xp,EXp,Gp,EGp,¬θ12,AG(p → EXp),¬(p → EGp), ...}h36 {p,Xp,EXp,F¬p,EGp,¬θ12,AG(p → EXp),¬(p → EGp), ...}h37 {p,¬Xp,EXp,F¬p,A¬Gp,¬θ12,AG(p → EXp),¬(p → EGp), ...}h38 {p,Xp,EXp,F¬p,A¬Gp,¬θ12,AG(p → EXp),¬(p → EGp), ...}

Figure: θ−12: some contents of some hues


IntroductionATL*



CTL* example tableau

n0

n1

h37

b

h28

n3

h30

b

h34

n6

h35

b

h35

b

h36

n2

h38

n4

h37

b

h28

n7

h30

b

h34

n10

h35

b

h35

b

h36

n5

h38

n8

h37

n9

h38

Figure: A Partial Tableau for θ−12


IntroductionATL*



Lemma (Soundness)If φ has a successful tableau then it is satisfiable.

Has been proved for CTL* version.

Not yet ATL*.


IntroductionATL*



Completeness sketch

Say (S,R,g), σ0 |= φ

assume WLOG S has at most some finite number of elements.

unwind to infinite tree

replace repeated nodes by up-links

chop out useless lengths on left-most branches

other branches then dealt with similarly


IntroductionATL*



Completeness Lemma Plan

The construction sketched above would allow us to conclude:

LemmaIf an ATL* formula is satisfiable then it has a successful tableau.

Thus any algorithm which systematically searches through allpossible φ-tableaux for a successful one will thus eventuallyfind one for φ.

The CTL* version is proved but the search could be better.


IntroductionATL*



Outline




4 Conclusion


IntroductionATL*



CTL* Implementation

Implementation of a CTL* tableau search is relativelystraightforward

Java prototype implementation shows that for many interesting,albeit relatively small formulas, results can be obtained quicklydespite the double exponential theoretical bounds.

Some preliminary results reported in [Rey11].


IntroductionATL*


Summary

a sound and complete tableau system for CTL* exists (firstsuch)not hard to implementstill needs some polishingATL* just needs additional mechanism to handle one step


IntroductionATL*


Reminder: Uses of Tableau

uses of new tableaux systems for CTL*:

extract counter-models and formal proofs from tableaux.base for developing, or proving correctness of, othertechniques such as resolution or term rewriting.give indications of simpler more reasonablesub-languages.help manual proofs of validity.extend to help with reasoning in the predicate case, forexample for software verification.


IntroductionATL*


To do

much work to do to see if this workseven the CTL* version is still being finalisedATL* (just) needs additional mechanism for coping withcoalitions while one step is being made(underway) [Rey11] reasonably general and quite usablerepetition mechanism is proposed and proved correct. Butcould do better!Worst case performance for any such tableau isnecessarily bad (at least double exponential) but there isgreat potential for vast improvements in running times ingeneral or on certain classes of formulas.


IntroductionATL*


Questions

Thank you.

Any questions?


IntroductionATL*


Rajeev Alur, Thomas A. Henzinger, and Orna Kupferman.Alternating-time temporal logic.J. ACM, 49:672–713, 2002.

E. Emerson and E. C. Clarke.Using branching time temporal logic to synthesisesynchronisation skeletons.Sci. of Computer Programming, 2, 1982.

E. Emerson and J. Halpern.Decision procedures and expressiveness in the temporallogic of branching time.J. Comp and Sys. Sci, 30(1):1–24, 1985.

E. Emerson and C. Jutla.Complexity of tree automata and modal logics of programs.


IntroductionATL*


In 29th IEEE Foundations of Computer Science,Proceedings. IEEE, 1988.

M. Fitting.Proof methods for modal and intuitionistic logics.Reidel, 1983.

M. J. Fischer and R. E. Ladner.Propositional modal logic of programs.J. Comput. Syst. Sci., 18:194–211, 1979.

Oliver Friedmann, Markus Latte, and Martin Lange.A decision procedure for ctl* based on tableaux andautomata.In IJCAR’10, pages 331–345, 2010.

R. Goré.Tableau methods for modal and temporal logics.


IntroductionATL*


In M. D’Agostino, D. Gabbay, R. Hähnle, and J. Posegga,editors, Handbook of Tableau Methods, pages 297–396.Kluwer Academic Publishers, 1999.

Valentin Goranko and Govert van Drimmelen.Complete axiomatization and decidability ofalternating-time temporal logic.Theoretical Computer Science, 353:93–117, 2006.

G. Hughes and M. Cresswell.An Introduction to Modal Logic.Methuen, London, 1968.

M. Pauly.A modal logic for coalitional power in games. journal of logicand computa- a modal logic for coalitional power in games.J of Logic and Computation, 12(1):149–166, 2002.


IntroductionATL*


M. Reynolds and C. Dixon.Theorem-proving for discrete temporal logic.In M. Fisher, D. Gabbay, and L. Vila, editors, Handbook ofTemporal Reasoning in Artificial Intelligence, pages279–314. Elsevier, 2005.

M. Reynolds.An axiomatization of full computation tree logic.J. Symbolic Logic, 66(3):1011–1057, 2001.

Mark Reynolds.A tableau for CTL*.In Ana Cavalcanti and Dennis Dams, editors, FM 2009:Formal Methods, Second World Congress, Eindhoven, TheNetherlands, November 2009. Proceedings., volume 5850of Lecture Notes in Computer Science, pages 403–418.Springer LNCS, 2009.


IntroductionATL*


Mark Reynolds.A tableau-based decision procedure for CTL*.Journal of Formal Aspects of Computing, pages 1–41,August 2011.

S. Schwendimann.A new one-pass tableau calculus for PLTL.In Harrie C. M. de Swart, editor, Proceedings ofInternational Conference, TABLEAUX 1998, Oisterwijk,LNAI 1397, pages 277–291. Springer, 1998.

Sven Schewe.Synthesis of Distributed Systems.PhD thesis, Uni Saarlandes, 2008.

M. Vardi and L. Stockmeyer.


IntroductionATL*


Improved upper and lower bounds for modal logics ofprograms.In 17th ACM Symp. on Theory of Computing, Proceedings,pages 240–251. ACM, 1985.

P. Wolper.The tableau method for temporal logic: an overview.Logique et Analyse, 28:110–111, June–Sept 1985.

D. Walther, W. v. d. Hoek, and M. Wooldridge.Alternatingtime alternating-temporal logic with explicitstrategies.In of XIth Conference (Theoretical Aspects of Rationalityand Knowkledge) TARK, pages 269–278, 2007.


Towards A Tableau for ATL*dongmo/GTLW/atl... · 2012. 4. 19. · realizability, and...

Documents

Transcript of Towards A Tableau for ATL*dongmo/GTLW/atl... · 2012. 4. 19. · realizability, and...