Game Theory in Formal Verification
Scribe Notes for Lecture 7
Friedrich Slivovsky
[email protected]
Fairness Games
Let G = ((S, E), (S1 , S2 )) be a game graph, along with a set P = {(Ri , Gi )} (1 ≤ i ≤ d, Ri ⊆
S, Gi ⊆ S). Each pair of sets (Ri , Gi ) represents a request and its corresponding grant.
Fairness and Co-Fairness Objectives
We define the following objectives:
• Streett(P ) = {π ∈ Π | ∀i, 1 ≤ i ≤ d : Inf(π) ∩ Ri 6= ∅ ⇒ Inf(π) ∩ Gi 6= ∅}
• Rabin(P ) = {π ∈ Π | ∃i, 1 ≤ i ≤ d : Inf(π) ∩ Ri 6= ∅ ∧ Inf(π) ⊆ (S \ Gi )}
Streett objectives capture a fairness condition: whenever a request is made infinitely often, it must
be granted infinitely often. For Rabin objectives, this condition is violated: some request is made
infinitely often, but granted only finitely often.
Note that Streett objectives generalize parity objectives. Defining P such that
G1 ⊂ R1 ⊂ G2 ⊂ R2 ... Gd ⊂ Rd
p(s) for s ∈ G1 = 0
R1 \ G1 = 1
G2 \ R1 = 2
R2 \ G2 = 3
..
.
we get Streett(P ) = Parity(p).
Conversely, it is possible to reduce a fairness game on a graph G with n states, m edges, and
d request-grant pairs to a parity game on a graph G0 with n0 nodes, m0 edges, and d0 priorities,
where n0 = O(n ∗ d0 ∗ d2 ), m0 = O(m ∗ d0 ∗ d2 ), and d0 = O(d). (However, solving Streett games in
this manner is not optimal.)
In general, winning strategies for Streett games require memory. Figure 1 depicts a simple
fairness game in which player 1 clearly needs memory to win.
R1 , R2
G1
G2
Figure 1: Streett Games require memory
1
l
s
r
Figure 2: Induction step
Memoryless Determinacy (of Rabin Games)
We begin by showing that, on assumption of determinacy, we can prove memoryless determinacy.
In doing that, we will make use of the following property:
Property 1. Let ϕ be an objective. ϕ satisfies property 1 iff the following holds: for all plays
ρ1 , ρ2 , ρ, s.t. Inf(ρ) = Inf(ρ1 ) ∪ Inf(ρ2 ), if ρ1 ∈
/ ϕ ∧ ρ2 ∈
/ ϕ, then ρ ∈
/ ϕ.
Example 1: Streett Objectives. Streett objectives do not satisfy this property.
Let P = {(R1 , G1 ), (R2 , G2 )}, and Inf(ρ1 ) = {R1 , G2 }, Inf(ρ2 ) = {R2 , G1 }. We have ρ1 , ρ2 ∈
/ ϕ,
but, since Inf(ρ) = {R1 , R2 , G1 , G2 }, ρ ∈ ϕ.
Example 2: Rabin Objectives. Rabin objectives, on the other hand, do satisfy this property.
Assume ρ1 , ρ2 , ρ, s.t. Inf(ρ) = Inf(ρ1 ) ∪ Inf(ρ2 ). Further,
ρ1 ∈
/ Rabin(P ) ⇒ ∀i infinitely often Ri implies infinitely often Gi , and
ρ2 ∈
/ Rabin(P ) ⇒ ∀i infinitely often Ri implies infinitely often Gi .
Let Ri ∩ Inf(ρ) 6= ∅. Then Ri is visited infinitely often in either ρ1 or ρ2 . As a consequence
Gi ∩ Inf(ρ1 ) 6= ∅ or Gi ∩ Inf(ρ2 ) 6= ∅. Hence Gi ∩ (Inf(ρ1 ) ∪ Inf(ρ2 )) = Gi ∩ Inf(ρ) 6= ∅, i.e. ρ ∈
/ ϕ.
Lemma. For any objective ϕ that is determined and satisfies property 1, ϕ is memorylessly determined.
Proof. Without loss of generality, we will consider only game graphs where every node has at
most two outgoing edges (one can always introduce auxiliary nodes to meet this requirement). We
proceed by induction on the number k of player 1 nodes with two outgoing edges.
• For k = 0, player 1 has only one strategy, which is memoryless.
• Assume the lemma holds for game graphs with ≤ k player 1 states with two outgoing edges.
Take any game graph G with k + 1 such states, and let s be one of them. The situation is
portrayed in figure 2. We have to consider two cases:
– Player 1 wins in one the subgames GL or GR that result from removing r or l, respectively: wlog, assume she wins in GL . By the induction hypothesis, she has a memoryless
winning strategy for GL , which can be extended to G by always choosing the left edge
at s.
– Player 1 loses in both GL and GR . Then player 2 has winning strategies τL and τR for
GL and GR , respectively. Take any player 1 strategy σ for G. Consider the player 2
strategy τ that behaves like τL if player 1 last chose l at s and τR if player 1 last chose
r. We claim that the play π(s, σ, τ ) is losing for player 1. To prove this, we need to look
at three possible cases:
(a) l is chosen only finitely often. In that case, after some time, we are in GR , and
player 2 wins by playing τR (via τ ).
(b) r is picked only finitely often by player 1. That is, the game is eventually equivalent
to GL , which is won by player 2 using τL (via τ ).
(c) both l and r are chosen infinitely often. The play π then looks as in figure 3
(assuming that player 1 decides to go left in the first move). π can be decomposed
into plays ρL and ρR in GL and GR , respectively. As a consequence, Inf(π) =
Inf(ρ1 ) ∪ Inf(ρ2 ). From ρ1 ∈
/ ϕ and ρ2 ∈
/ ϕ, along with property 1, we can conclude
that π ∈
/ ϕ.
2
ρL
ρR
ρL
ρR
GL
GR
GL
GR
...
Figure 3: the play corresponding to case (c)
NP-Completeness of Rabin-Games
Given a game graph G and a set of request-grant pairs P , the problem of deciding whether s ∈
hh1iiRabin(P ) is NP-complete:
(a) If s ∈ W1 , a polynomial witness is given in the form of a memoryless strategy.
(b) Checking whether a given strategy is a witness can be done in polynomial time (see homework
3, problem 2).
(c) There is a polynomial reduction of 3-SAT to Rabin-Games: given a conjunction Φ of m clauses
over n propositional variables x1 , ..., xn , i.e. Φ = C1 ∧ C2 ∧ ... ∧ Cm , Ci = (ξi1 ∨ ξi2 ∨ ξi3 ),
where each literal ξij ∈ {xk , x¯k | 1 ≤ k ≤ n} is either a variable or the negation of a variable,
we construct a game graph G(Φ) as follows. For every literal and clause we introduce a player
1 state, along with a player 2 state s0 . s0 has an outgoing edge to every node ci representing
a clause. Every state ci has edges to the 3 literals ξij it contains. Finally, every literal has
an outgoing edge to s0 . Figure 3 provides a sketch of the resulting game graph. Obviously,
G(Φ)’s size is polynomial in the size of Φ.
As the objective we have Rabin(P ) for P = {({xi }, {x̄i }), ({x̄i }, {xi }) | 1 ≤ i ≤ n}, i.e. paths
π satisfying
n
_
[(xi ∈ Inf(π) ∧ x̄i ∈
/ Inf(π)) ∨ (xi ∈
/ Inf(π) ∧ x̄i ∈ Inf(π))]
i=1
Φ is satisfiable if and only if player 1 has a winning strategy in G(Φ) (at s0 ).
Proof. (⇒) Assume Φ is satisfiable, and let V be a satisfying assignment. Then every clause
Ci must contain a literal ξij such that V (ξij ) = 1. By setting σ(ci ) = ξij , one obtains a
winning strategy for player 1: if V (xk ) = 1 for some k, then x¯k is never visited, and vice
versa.
(⇐) Suppose player 1 has a winning strategy σ. We define a satisfying assignment V for Φ as
follows:
(
1 if σ(ci ) = xj for some i,
V (xj ) =
0 otherwise.
Note that it cannot be the case that σ(cj ) = xk and σ(ci ) = x¯k . Otherwise, player 2
could win against σ by alternating visits between cj and ci . Further, because σ defines
some outgoing edge for every (clause-)node, V evaluates every clause Ci to 1.
Determinacy of Streett/Rabin-Games
Finally, we will prove determinacy of Streett/Rabin-Games and provide an algorithm for computing
the winning set for player 1.
Theorem. Let G = ((S, E), (S1 , S2 )) be a game graph and P = {(Ri , Gi )} (1 ≤ i ≤ d, Ri ⊆
S, Gi ⊆ S). Then hh1iiStreett(P ) = S \ hh2iiRabin(P ).
Proof. We proceed by induction on d:
3
x1
c1
x¯1
x2
c2
x¯2
s0
..
.
..
.
xn
cm
x¯n
Figure 4: Reduction of 3-SAT to a Rabin-Game
• For d = 1, player 1 wins iff Inf(R1 ) ⇒ Inf(G1 ). This is equivalent to a parity game on G
with parity function p defined as


0 if s ∈ G1 ,
p(s) = 1 if s ∈ R1 \ G1 ,


2 otherwise.
Determinacy follows from determinacy of parity games.
• Suppose determinacy holds for games with d < k. Let d = k. We consider two cases:
(1) For some 1 ≤ i ≤ k, Gi = ∅. Wlog, suppose Gk = ∅. Consider the game graph G0
that results from removing the player 2 attractor A = hh2ii♦Rk from G. Since Gk = ∅,
G0 contains at most k − 1 request-grant pairs, and so by the induction hypothesis, G0
is determined. The situation is sketched on the left hand side of Figure 5. Let W10 be
the winning set for player 1 in G0 : since G0 only restricts player 1’s strategies, W10 is
winning for player 1 in G as well. We remove its attractor hh1ii♦W10 from G, repeating
these steps until W10 is empty. In the entire remaining game G, player 2 wins (Figure
5, right). We fix a strategy τ as follows:
(
τA if s ∈ hh2ii♦Rk ,
τ (s) =
τW if s ∈ S \ hh2ii♦Rk ,
where τA is the attractor strategy for Rk , and τW a winning strategy for S \ hh2ii♦Rk
(by determinacy of G0 and because W10 = ∅, this set is winning for player 2).
Let s ∈ S, and σ an arbitrary strategy for player 1. π(s, σ, τ ) is winning for player 2: if
A is visited infinitely often, Rk is visited infinitely often, and because Gk = ∅, player 2
wins. Otherwise, if A is visited only finitely often, after a finite number of moves, the
game remains in S \ A, and again, player 2 wins (by playing τW ).
(2) For 1 ≤ i ≤ k, Gi 6= ∅. Let Ai1 = hh1ii♦Gi , and Gi be the subgame induced by S \ Ai1 .
Since Gi = ∅ in Gi , it is determined by case (1). Let W2i be player 2’s winning set in Gi .
Attr2 (W2i ) = hh2ii♦W2i is winning for player 2 in the original game, too. We iteratively
remove these player 2 winning regions from G until W2i = ∅. The resulting game graph
G is depicted on the right hand side of Figure 6. In general, G need not be winning
i
i
for player 1. In particular, combining the strategies σW
and σA
does not necessarily
4
W10
Rk
Rk
τW
τA
Figure 5: Step 1
result in a winning strategy, simply because playing the attractor strategy may cause
additional requests (Rj in Figure 6).
Fortunately, we can address this problem by iteratively removing player 2 winning sets
W2i from G for all 1 ≤ i ≤ k. Figure 7 shows the corresponding pseudocode. In the
remaining game graph G0 , player 1 has a winning strategy σ: for 1 ≤ i ≤ d, let Ui
denote the (sub)game as shown on the right hand side of Figure 6. G0 serves as the
game board for all Ui . We define σi as
(
i
σA
if s ∈ (Attr1 (Gi ) \ Gi ),
σi (s) =
i
σW
if s ∈ (S \ Attr1 (Gi )).
The strategy σ(s) behaves like σi (s), using a counter i to keep track of what subgame is
currently played. i is initially set to 1, and incremented (i ← i mod d + 1) every time
σi visits Gi . Take some s ∈ S, and an arbitrary player 2 strategy τ . We show that the
play π(s, σ, τ ) is winning for player 1. There are two possibilities:
(a) From some point on, π remains in the subgame Uj . That is, π stays in Wj , where
j
player 1 wins by playing σW
.
(b) π proceeds through all subgames Ui infinitely often (the blue edges in Figure 8 are
chosen infinitely often). In that case, every set Gi is visited infinitely often, and
player 1 wins.
Memory Requirement and Runtime
An upper bound for the memory required by σ in case of k request-grant pairs is given by the
recursion
M (k) = k ∗ M (k − 1) = k!
Player 1 needs memory for the counter ranging over {1, ..., k}, multiplied by the amount of memory
required for each subgame.
For the runtime of the algorithm in Figure 7, one obtains
T (n, m, d) = n2 ∗ d ∗ T (n, m, d − 1) + O(m ∗ d)
= O(n2d ∗ d! ∗ m).
In the worst case, the outer loop is executed n times (because the algorithm removes at least one
state in each iteration). The inner loop proceeds through all d priorities, and for each one calls n
copies of itself (note the fixpoint computation in case (1)) to solve a subgame with d − 1 priorities.
The attractor computations in line 3 add up to O(m ∗ d). (For comparison, the time required to
solve fairness games by reduction to parity games is (n ∗ d! ∗ d2 )O(d) .)
5
W20
Gi
Gi
i
σW
i
σA
Rj ?
Figure 6: Step 2
repeat
for i = 1 to d do
W2i ← winning set for player 2 in subgame G \ Attr1 (Gi )
if W2i 6= ∅, remove Attr2 (W2i ) from G
end for
until W2i = ∅ for all 1 ≤ i ≤ d
return S
Figure 7: (Partial) Algorithm for hh1iiStreett(P )
1
G1 σA
2 G2
σA
1
σW
2
σW
n
σW
n
σA
Figure 8: Player 1’s winning strategy σ
6
Gn