Finite game semantics for Propositional Program Logics⋆ (extended abstract)

H. Eo, S.-H. O, N.V. Shilov⋆⋆

Korean Advanced Institute of Science and Technology, Kusong-dong Yusong-gu 373-1, Taejon 305-701, Korea

It is well-known that various propositional program logics (like Computational Tree Logic CTL [1]) are easy to encode into the propositional µ-Calculus µC of D. Kozen [3] due to its expressive power. This implies that any model checker for µC can be used for checking these logics. But there is also interest in using model checking engines for simple temporal properties for model checking more complicated temporal and fixpoint properties [4, 5]. Paper [4] presented a practical model checking method for progress properties via model checking safety properties. Paper [5] demonstrated how (in principle) to use a model checker that can solve finite games for model checking of µC and the second-order propositional program logic 2M of C. Stirling [7]. To this end, paper [5] defined a finite Hintikka-like [2] game-theoretic semantics for a very expressive Second-Order Elementary Propositional Dynamic Logic (SOEPDL). Unfortunately, this semantics is extremely inefficient. In the present paper we suggest and utilize a more efficient game semantics.

We adapt the definitions of µC, SOEPDL and their models from [5]. Let M = (D_M, I_M) be a model and ξ be a normal formula of SOEPDL (i.e. negation can occur in literals only). For every subformula θ of ξ let F(θ) be the set of propositional variables that have free instances in θ. The semantic game G(M, ξ) of two players, Spoiler and Duplicator, is defined as follows. Positions are (s, ψ, S) where s ∈ D_M is a state, ψ is a subformula of ξ, and S : F(ψ) → 2^{D_M} is a total function¹ that maps each free variable x of ψ to S(x) ⊆ D_M. Spoiler and Duplicator have moves of 4 kinds (Table 1), related to conjunctive and disjunctive subformulae respectively, and win in positions of 5 kinds (Table 2). Implications of this new game-theoretic semantics follow. A more complete treatise on this topic can be found in our forthcoming paper [6].

⋆ This work is supported by Brain Korea 21 Project, The School of Information Technology, KAIST in 0000.

⋆⋆ While on leave from A.P. Ershov Institute of Informatics Systems, Lavrent'ev av., 6, Novosibirsk 630090, Russia.

¹ Here we use the following notation for functions. First, the empty set ∅ is a total function ∅ : ∅ → B for every set B. Next, for every two elements a and b let (a ↦ b) : {a} → {b} be the total function that maps a to b. Then assume F : A → B is a total function, C ⊂ A, d ∉ A and b ∈ B; let F|_C : C → B be the restriction of F to C and F_{b/d} : {d} ∪ A → B be the extension of F by F_{b/d}(d) = b.
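As an added illustration (example code, not from the paper), the game G(M, ξ) with the moves of Table 1 and the winning positions of Table 2 below can be played out exhaustively: every move descends into a proper subformula, so the game is finite and acyclic and the winner of each position can be computed by recursion. The three-state model, the tuple encoding of formulae and the convention that a player with no available move loses are this example's assumptions.

```python
from itertools import combinations

# Constructed toy model M = (D_M, I_M) for this example only (not from the paper).
STATES = {0, 1, 2}
TRANS = {('a', 0): {1}, ('a', 1): {2}, ('b', 1): {1}}   # (label, s) -> successors t
INTERP = {'p': {2}}                                      # I_M(p)

def free_vars(phi):
    """F(phi): propositional variables with free instances in phi."""
    tag = phi[0]
    if tag in ('x', 'notx'):
        return {phi[1]}
    if tag in ('and', 'or'):
        return free_vars(phi[1]) | free_vars(phi[2])
    if tag in ('box', 'dia'):
        return free_vars(phi[2])
    if tag in ('all', 'ex'):
        return free_vars(phi[2]) - {phi[1]}
    return set()                                         # true, false, p, not p

def subsets(states):
    """Every T ⊆ D_M: the choices available at a second-order quantifier."""
    items = sorted(states)
    return (frozenset(c) for k in range(len(items) + 1) for c in combinations(items, k))

def duplicator_wins(s, phi, S):
    """True iff Duplicator has a winning strategy from position (s, phi, S).
    Each move of Table 1 descends into a proper subformula, so a plain recursion
    over the moves is an exhaustive search of the (finite, acyclic) game."""
    tag = phi[0]
    if tag == 'true':  return True                       # Table 2: Duplicator wins
    if tag == 'false': return False                      # Table 2: Spoiler wins
    if tag == 'p':     return s in INTERP.get(phi[1], set())
    if tag == 'notp':  return s not in INTERP.get(phi[1], set())
    if tag == 'x':     return s in S[phi[1]]
    if tag == 'notx':  return s not in S[phi[1]]
    if tag in ('and', 'or'):                             # Spoiler / Duplicator picks i
        pick = all if tag == 'and' else any              # S restricted to F(psi_i)
        return pick(duplicator_wins(s, sub, {v: S[v] for v in free_vars(sub)})
                    for sub in phi[1:])
    if tag in ('box', 'dia'):                            # Spoiler / Duplicator picks t
        pick = all if tag == 'box' else any              # assumption: no move = loss
        return pick(duplicator_wins(t, phi[2], S) for t in TRANS.get((phi[1], s), set()))
    if tag in ('all', 'ex'):                             # Spoiler / Duplicator picks T
        pick = all if tag == 'all' else any              # S extended by T/y
        return pick(duplicator_wins(s, phi[2], {**S, phi[1]: T}) for T in subsets(STATES))
    raise ValueError(f'unknown formula {phi!r}')

def check(s, xi):
    """M, s |= xi iff Duplicator wins G(M, xi) from the initial position (s, xi, ∅)."""
    return duplicator_wins(s, xi, {})
```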

Table 1. Moves

Spoiler:
  (s, ψ1 ∧ ψ2, S) → (s, ψi, S|_{F(ψi)})
  (s, [a]ψ, S) → (t, ψ, S)
  (s, □ψ, S) → (t, ψ, S)
  (s, ∀y.ψ, S) → (s, ψ, S_{T/y})

Duplicator:
  (s, ψ1 ∨ ψ2, S) → (s, ψi, S|_{F(ψi)})
  (s, ⟨a⟩ψ, S) → (t, ψ, S)
  (s, ♦ψ, S) → (t, ψ, S)
  (s, ∃y.ψ, S) → (s, ψ, S_{T/y})

Table 2. Winning positions

Spoiler wins in:
  (s, false, ∅)
  (s, p, ∅) where s ∉ I_M(p)
  (s, ¬p, ∅) where s ∈ I_M(p)
  (s, x, (x ↦ T)) where s ∉ T
  (s, ¬x, (x ↦ T)) where s ∈ T

Duplicator wins in:
  (s, true, ∅)
  (s, p, ∅) where s ∈ I_M(p)
  (s, ¬p, ∅) where s ∉ I_M(p)
  (s, x, (x ↦ T)) where s ∈ T
  (s, ¬x, (x ↦ T)) where s ∉ T

Theorem 1. Let MC be a model checker for the following µC-formula µx.(p ∨ ⟨a⟩x ∨ (⟨b⟩true ∧ [b]x)) that can solve it in linear time in the size of a finite model. Then MC can be reused for checking, in all finite models, all formulae of
– µC, 2M, and SOEPDL with upper time bound f × exp(d × n);
– CTL with upper time bound f × exp(d).

Theorem 2. Let MC be a model checker that can solve AF- and EF-queries in linear time in the size of a finite model. Then MC can be reused for checking, in all finite models, all formulae of
– µC, 2M, and SOEPDL with upper time bound f² × exp(d × n);
– CTL with upper time bound f² × exp(d).
(Here d stands for the number of states in a model, f for the size of a formula, and n for the maximal number of variables that have simultaneous free instances in any subformula.)

References

1. Emerson E.A. Temporal and Modal Logic. Handbook of Theoretical Computer Science, v.B, Elsevier and The MIT Press, 1990, p.995-1072.
2. Hintikka J., Sandu G. Game-Theoretical Semantics. Handbook of Logic and Language, 1997.
3. Kozen D. Results on the Propositional Mu-Calculus. Theoretical Computer Science, v.27, n.3, 1983, p.333-354.
4. Schuppan V., Biere A. Efficient reduction of finite state model checking to reachability analysis. International Journal on Software Tools for Technology Transfer (STTT), v.5(2-3), p.185-204, 2004.
5. Shilov N.V., Yi K. On Expressive and Model Checking Power of Propositional Program Logics. Lecture Notes in Computer Science, v.2244, p.39-46, 2001.
6. Shilov N.V., Yi K., Eo H., O S., Choe K.-M. Proofs about folklore: why model checking = reachability? Manuscript.
7. Stirling C. Games and Modal Mu-Calculus. Lecture Notes in Computer Science, v.1055, 1996, p.298-312.
