1. 3-Valued Abstractions of Games: Uncertainty, but with Precision Luca de Alfaro UC Santa Cruz Patrice Godefroid Bell Labs, Lucent. Radha Jagadeesan DePaul University

2. Context of talk Abstractions for open systems

3. Foundations for closed systems Model: Transition systems Property spec: Temporal/modal logics Abstraction: Simulation s simulates t: Every transition from t is matched by a transition from s

4. Foundations for closed systems Model: Transition systems Property spec: Temporal/modal logics Abstraction: Simulation ``Simulation is sound for universal properties’’

5. Open systems

6. Open systems: models Games Transition systems Player 1: Player 2:

7. Open systems: Logics Games Transition systems Alternating-Time Logic Temporal/modal logics Game Logics Coalition Logics We will work with Alternating Mu-calculus [Alur-Henzinger-Kupferman]

8. Open systems: logics Strategy quantifier: At 1-states: existence of a move At 2-states: for all moves

9. Open systems: logics

10. Open systems: Abstraction Games Transition systems Alternating-time logic Temporal/modal logics Alternating simulation Simulation Alternating Simulation Abramsky Alur-Henzinger-Kupferman-Vardi

11. Open systems: alternating simulation Player 1 Player 2 1-simulated by For each 1-strategy, there is a 1-strategy on the right

12. Open systems: Abstraction Games Transition systems Alternating-time logic Temporal/modal logics Alternating simulation Simulation 1-Alternating simulation preserves

13. Question Study of abstraction methods to preserve all properties of the alternating mu-calculus. Why?

14. Question Study of abstraction methods to preserve all properties of the alternating mu-calculus Compositional verification nested strategy quantifiers Thus: need to preserve strategies for all players

15. Question Study of abstraction methods to preserve all properties of the alternating mu-calculus Compositional verification Feasible counter-examples [Pasareanu-Dwyer-Visser00] Counter-example guided refinement [Grumberg-Shoham03]

16. Results

17. Our results: models and logics Definition of abstract games alternating refinement between states of an abstract games

18. Our results: models and logics Definition of abstract games alternating refinement between states of an abstract games s ``alternating-refines’’ t all AMC formulas satisfied by t are satisfied by s Strategies for all players are preserved from t to s

19. Our results: expressiveness Are there useful abstractions captured by framework? Completeness?

20. Our results Any abstract interpretation on data-values Induces an alternating abstraction of games These abstract games are the most precise possible, for the given abstraction. [completeness, in abstract interpretation]

21. Our results: completeness for ``safety’’ If a state s of satisfies a property, there is a finite state abstraction that proves this For transition systems: Safety properties, Maniolis-Treffler01

22. Complexity of refinement and model-checking Linear time, logspace reduction to concrete games

23. Rest of the talk

24. Disjunctive Modal transition systems Larsen-Li 1991 Namjoshi 03, Dams-Namjoshi04, Grumberg-Shoham 2004 Abstract Games and alternating refinement 3-valued semantics of AMC Examples of abstraction

25. Disjunctive modal transition systems

26. Modal transition systems Larsen90, Larsen-Thomsen91 Two kinds of transitions: MAY, MUST transitions. Consistency: All MUST transitions are also MAY transitions. Concrete Systems: MAY = MUST.

27. Refinement of MTS MAY transitions go away or get converted into MUST transitions MUST transitions are preserved A R(efines) A’: A’_{may} simulates A_{may} via R A_{must} simulates A’_{must} via R^{-1}

28. Predicate abstraction of x=z under [oddx, z>0] oddx not(oddx) z>0 not(z>0) refines [Isodd(j), Is(k>0)] x=3,z=5 x=3,z=4 x=4,z=3

29. Predicate abstraction of x=z under [oddx, z>0] oddx not(oddx) z>0 not(z>0) refines [Isodd(j), Is(k>0)] x=3, z=4 x=4, z=4

30. Predicate abstraction of x=z under [oddx, z>0] oddx not(oddx) z>0 not(z>0) refines [Isodd(j), Is(k>0)] x=3, z=5

31. Predicate abstraction of x=z under [oddx, z>0] oddx not(oddx) z>0 not(z>0) refines [Isodd(j), Is(k>0)],

32. Predicate abstraction of x=z under [oddx, z>0] oddx not(oddx) z>0 not(z>0) refines [Isodd(j), Is(k>0)], Oops! No must transition : |  x=3, z=4 x=4, z=4

33. Predicate abstraction of x=z under [oddx, z>0] oddx not(oddx) z>0 not(z>0) refines [Isodd(j), Is(k>0)], Oops! No must transition : | 

34. x=z under [oddx, z>0] oddx not(oddx) z>0 not(z>0) {odd(x), not(oddx)} Must hyperedge: Source [oddx,z>0] Target { [ odd(x), z>0], [not(odd(x)), z >0 ] }

35. Disjunctive Modal transition systems Two kinds of transitions: MAY, MUST transitions. Must transitions are hyperedges s  {t1…, tn} Consistency: At least one of s  ti is a may transition

36. Abstract Game Structures

39. A must transition (to U) achieves an objective in next state only if all states in U achieve it. Consistency: MUST Winning  MAY winning

40. Three-valued determinacy for linear objectives For a linear objective W: 1 has a winning must strategy for W 2 has a winning must strategy for not(W) Both 1 and 2 have winning MAY strategies for their objectives

41. Refinement

42. Refinement [Transitions] s refines s’: a. May transitions ``decrease’’ from s’ to s

43. Refinement s refines s’: a. b. Must transitions ``increase’’ from s’ to s.

44. Refinement s refines s’: a. b. Must transitions ``increase’’ from s’ to s.

45. Refinement Symmetric in both players 1- Alternating simulation: Player 2 has only MAY moves. Player 1 has only MUST moves. a. b. Must transitions ``increase’’ from s’ to s.

46. 3-valued AMC

47. 3-valued semantics of AMC x (OR) y true, if either is true, false, if both are false and bottom, otherwise.

49. s is a player 2 state s is a player 1 state

50. s is a player 2 state s is a player 1 state

51. Soundness and completeness of AMC for refinement s refines s’ IFOF Going from s’ to s makes values more definite

52. Abstraction: an example

53. Predicate Abstraction [P1,..,Pn] Abstract states are bivectors of length n s satisfies [b1..bn] where:  bi =1 iff s satisfies Pi.

54. Transitions MAY Transition ([b1..bn], [b’1..b’n]) if EXISTS s such that s satisfies [b1..bn] EXISTS s’ satisfies [b’1..b’n] AND (s,s’)

55. Transitions MUST Transition ([b1..bn], { [c11..c1n]….. [cm1,..,cmn])} if FORALL s such that s satisfies [b1..bn], EXISTS s’ EXISTS j s’ satisfies [cj1..cjn] AND (s,s’)

56. x=z under [oddx, z>0] oddx not(oddx) oddx not(oddx) {odd(x), not(oddx)} Must transition from [oddx,z>0] to { [ odd(x), z>0], [not(odd(x)), z >0 ] }

57. A useful abstraction

58. Summary

59. Our results: models and logics Definition of abstract games alternating refinement between states s ``alternating-refines’’ t a. all AMC formulas satisfied by t are satisfied by s b. strategies for all players are preserved from t to s

60. Our results: expressiveness 0. Any abstract interpretation on data-values Induces an alternating abstraction of games 1. These abstract games are the most precise possible, for the given abstraction. 2. Compositionality of abstraction 3. Finite state abstractions for proving ``safety’’ properties.

61. Questions