Games in system design and verification

  • Authors: Thomas A. Henzinger

  • Affiliations: University of California, Berkeley

  • Venue: TARK '05 Proceedings of the 10th conference on Theoretical aspects of rationality and knowledge
  • Year: 2005

Abstract

We review some classical and recent results about graph games, and their applications in the design and verification of component-based reactive systems.

We consider graph games, where a token is moved along the edges of a directed graph in an infinite sequence of moves. The result of playing a graph game, or play, is an infinite path through the graph. Graph games can serve as models for discrete reactive systems: the vertices represent system states; the players represent system components; the moves represent system transitions; the plays represent system behaviors; and the objectives represent system specifications.

Graph games come in different flavors depending, for example, on the number of players, the information that each player has available for choosing a move, the mechanism by which the successor vertex is determined from a given choice of moves, and the type of objective for each player. The variety of possible graph games permits the modeling of different interaction paradigms for component-based systems. Asynchronous interaction is naturally modeled using turn-based games: at each vertex, one of the players chooses a move, which determines the successor vertex [18]. Synchronous interaction, on the other hand, requires concurrent games: at each vertex, all players choose moves simultaneously and independently, and the combination of choices determines the successor vertex [7]. In deterministic games, a move or combination of moves determines a unique successor vertex; in stochastic games, a move or combination of moves determines a probability distribution over successor vertices [12]. Note that deterministic games can model nondeterministic choice through a choice of available moves; stochastic games model both nondeterministic and probabilistic choice.

The objectives of the players in a graph game can be qualitative or quantitative. A qualitative objective is a set of winning plays. For modeling reactive systems, the interesting class of qualitative objectives are the ω-regular sets, which can express common safety and liveness properties [15]. A quantitative objective requires a labeled graph, where each vertex (or edge) is labeled with a rational payoff for each player. Then, the goal of a player is to maximize a reward, which is a function that maps each play to a real number, for instance, the supremum, limit sum, or limit average of all payoffs along the play. Payoffs can be used to represent costs, delays, or other resource values of reactive systems [4].

The solution problem for a graph game asks for the value of each player at each vertex. For turn-based deterministic games with qualitative objectives, the value of a player $i$ at a vertex $q$ is binary: the value $V_i(q)$ is 1 if player $i$ has a strategy to ensure that, when the game starts from vertex $q$, the outcome of the game is a play that is winning for player $i$; and else $V_i(q) = 0$. For other games, values are real numbers. For turn-based deterministic games with quantitative objectives, the real value $V_i(q)$ indicates the maximal reward achievable by player $i$ when the game starts from vertex $q$. For stochastic games or concurrent games with qualitative objectives, the real value $V_i(q)$ represents the maximal probability for player $i$ of winning from vertex $q$. While probabilities obviously arise in stochastic games, it is worth noting that they enter into the analysis of concurrent games even in the deterministic case. Consider, for example, a two-player concurrent game that proceeds in an infinite number of rounds: in each round, player 1 chooses a bit $b_1$ and player 2 chooses a bit $b_2$, and the successor state is $(b_1, b_2)$. Suppose that the objective of player 1 is to visit one of the two states (0, 0) and (1, 1). An optimal strategy for player 1 is to choose, in each round, $b_1 = 0$ with probability 1/2, and $b_1 = 1$ with probability 1/2. This strategy ensures that the set {(0, 0), (1, 1)} is visited with probability 1. However, no pure (i.e., nonrandomized) strategy can achieve the value 1 for player 1 in this game.

Besides the need for randomization, another important property of strategies concerns the amount of memory needed by a strategy: a strategy for player $i$ is a recipe for choosing the moves of player $i$ during a play, and this recipe may, in general, depend on the unbounded history of the play. In some cases of interest, however, memoryless optimal strategies exist. Such strategies can be implemented by reactive systems without state. In other cases, the required memory is, at least, finite [13].

A setting with two players, one representing a reactive system and the other representing the environment, gives rise to zero-sum graph games, where the objectives of the two players are complementary. For example, one may ask if the system has a strategy to satisfy its specification no matter what the environment does; this is called the strategy or controller synthesis question for reactive systems, which dates back to a problem formulated by Church [3, 22]. The central results for zero-sum graph games are the determinacy theorems of Martin, which state that $V_1(q) + V_2(q) = 1$ for all vertices $q$ and all qualitative Borel objectives (i.e., the winning sets are Borel sets in the Cantor topology on infinite sequences of vertices) [16, 17]. Special cases of zero-sum games can be solved in NP via proving the existence of memoryless optimal strategies, and in NP ∩ coNP if memoryless strategies suffice for both an objective and its complement. This is the case, for example, for turn-based deterministic games with ω-regular objectives in parity form [20, 11]. The question if these games can indeed be solved in P remains, due to its equivalence with μ-calculus model checking, one of the major open questions in verification theory.

A setting with two or more players that represent the components of a reactive system, and whose objectives represent component specifications, gives rise to nonzero-sum graph games. In this case, it is interesting to study notions of rational behavior for the individual players as captured by Nash equilibria, an area that remains largely uninvestigated [5, 6].

In this talk we survey some of the known results and open problems about graph games. We present a convenient notation for conversing about graph games based on ATL (Alternating-time Temporal Logic) [2]. Then, in addition to controller synthesis [23, 21], we discuss some classical and some recent applications of graph games in system design and verification, including simulation relations between reactive systems [19, 14], the realizability of reactive specifications [10, 1], early counterexample detection in model checking [9], and the composition of interface protocols [8].
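
The controller synthesis question for the turn-based deterministic case, worked as an added example that is not part of the paper: with a safety objective for the system, the binary values and a memoryless controller follow from an attractor computation (a standard construction; the abstract does not name an algorithm). The game graph, vertex names and function names are constructed for illustration, and every vertex is assumed to have at least one successor.

```python
from collections import deque

def attractor(edges, owner, player, target):
    """Vertices from which `player` can force a visit to `target`."""
    preds = {v: [] for v in edges}
    for v, succs in edges.items():
        for w in succs:
            preds[w].append(v)
    escapes = {v: len(s) for v, s in edges.items()}  # moves not yet leading into win
    win, queue = set(target), deque(target)
    while queue:
        w = queue.popleft()
        for v in preds[w]:
            if v in win:
                continue
            escapes[v] -= 1
            # The player needs one move into `win`; the opponent must have none out.
            if owner[v] == player or escapes[v] == 0:
                win.add(v)
                queue.append(v)
    return win

def solve_safety(edges, owner, bad):
    """Player 1 (system) must avoid `bad` forever; player 2 (environment) wins
    by reaching it. Returns V1, V2 and a memoryless controller for player 1."""
    env_win = attractor(edges, owner, 2, bad)
    safe = set(edges) - env_win
    controller = {v: next(w for w in edges[v] if w in safe)
                  for v in safe if owner[v] == 1}
    v1 = {q: int(q in safe) for q in edges}
    v2 = {q: int(q in env_win) for q in edges}
    return v1, v2, controller

def controller_is_safe(edges, controller, start, bad):
    """Check every play from `start` that follows the controller."""
    seen, stack = set(), [start]
    while stack:
        v = stack.pop()
        if v in bad:
            return False
        if v not in seen:
            seen.add(v)
            stack.extend([controller[v]] if v in controller else edges[v])
    return True

# Constructed sample: a request handler (player 1) against its environment (player 2).
EDGES = {"idle": ["idle", "req"], "req": ["checked", "unchecked"],
         "checked": ["idle"], "unchecked": ["idle", "fault"],
         "fault": ["fault"], "legacy": ["unchecked"]}
OWNER = {"idle": 2, "req": 1, "checked": 2, "unchecked": 2, "fault": 2, "legacy": 1}
BAD = {"fault"}
```

The controller fixes one successor per system vertex and consults no history, which is the memoryless case the abstract describes; `controller_is_safe` confirms that the complement of the environment's winning region is in fact winning for the system, so the two values sum to 1 at every vertex.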