Bounded Game-Theoretic Semantics for Modal Mu-Calculus and Some Variants
J.-F. Raskin and D. Bresolin (Eds.): 11th International Symposium on Games, Automata, Logics, and Formal Verification (GandALF'20). EPTCS 326, 2020, pp. 82–96, doi:10.4204/EPTCS.326.6
© Lauri Hella, Antti Kuusisto & Raine Rönnholm. This work is licensed under the Creative Commons Attribution License.
Lauri Hella
Tampere University, Finland
Antti Kuusisto
University of Helsinki and Tampere University, Finland
Raine Rönnholm
ENS Paris-Saclay, France
We introduce a new game-theoretic semantics (GTS) for the modal mu-calculus. Our so-called bounded GTS replaces parity games with alternative evaluation games where only finite paths arise; infinite paths are not needed even when the considered transition system is infinite. The novel games offer alternative approaches to various constructions in the framework of the mu-calculus. For example, they have already been successfully used as a basis for an approach leading to a natural formula size game for the logic. While our main focus is introducing the new GTS, we also consider some applications to demonstrate its uses. For example, we consider a natural model transformation procedure that reduces model checking games to checking a single, fixed formula in the constructed models, and we also use the GTS to identify new alternative variants of the mu-calculus with PTime model checking.
The modal µ-calculus [17] is a well-known formalism that plays a central role in, e.g., program verification. The standard semantics of the µ-calculus is based on fixed points, but the system also has a well-known game-theoretic semantics (GTS) that makes use of parity games. The related games generally involve infinite plays, and the parity condition is used for determining the winner (see, e.g., [5] for further details and a general introduction to the µ-calculus).

The agenda and contributions of this article.
In this article we present an alternative game-theoretic semantics for the modal µ-calculus. Our so-called bounded GTS is based on games that resemble the standard semantic games for the µ-calculus, but there is an extra feature that ensures that the plays within the novel framework always end after a finite number of rounds. Thereby only finite paths arise in related evaluation games even when investigating infinite transition systems. Thus there is no need to keep track of the parity condition, so in that sense the games we present in this article simplify the standard framework. Furthermore, they offer an alternative perspective on the µ-calculus, as we show that our semantics is equivalent to the standard one.

In the novel games, the evaluation of a fixed point formula begins by one of the players declaring an ordinal number; the verifying player declares ordinals for µ-formulae and the falsifying player for ν-formulae. The declared ordinal is then lowered as the game proceeds, and since ordinals are well-founded, the game will indeed end in finite time, i.e., after a finite number of game steps. In general, infinite ordinals are needed in the games, but finite ordinals suffice in finite models.

While the bounded GTS provides a new perspective on the standard modal µ-calculus, our approach also leads naturally to a range of alternative semantic systems that are not equivalent to the standard semantics. Indeed, we divide the framework of bounded semantics into subsystems dubbed Γ-bounded semantics for different ordinals Γ. Here Γ provides a strict upper limit for the ordinals that can be used during the game play. For each Γ-bounded semantics, we define also a compositional semantics and prove the game-theoretic and compositional versions equivalent.

If only finite ordinals are allowed, meaning Γ = ω, we obtain the finitely bounded GTS, which is an interesting system itself.
While this semantics is equivalent to the standard case in finite models, the general expressive powers differ. Indeed, we will show that the µ-calculus under finitely bounded GTS does not have the finite model property. Furthermore, we observe that the set of validities of the µ-calculus under finitely bounded semantics is strictly contained in the set of standard validities.

We then introduce yet another class of variants of the bounded GTS consisting of the systems of f-bounded semantics. In the Γ-bounded semantics, each µ and ν-formula is associated with an ordinal of its own, while in the f-bounded semantics this scheme is relaxed and only two ordinals are used, one for all µ-formulae and another one for all ν-formulae. The particular ordinals fixed in the beginning of the game depend on the particular variant of f-bounded semantics. We prove PTime-completeness of the model checking problem of a range of simple yet expressive systems of f-semantics. The result concerns both data and combined complexity. In addition to semantic studies, we use GTS to identify a canonical reduction of µ-calculus model checking instances to checking a single, uniform formula in the model obtained by the reduction.

Further motivation of the study.
While the formal results listed above are an important part of our study, the focus of our article is mainly on the conceptual development of the theory of the µ-calculus and related systems, not so much the more technical directions. While some of the technical results we obtain have straightforward and obvious implicit similarities to existing notions, such as finite approximants of fixed points, we believe the systematic, formal and conceptual study initiated in this article is justified.

Indeed, we believe the bounded GTS in general can be a fruitful framework for various further developments. The setting provides an alternative perspective to parity games, replacing infinite plays with games based on finitely many rounds only, thereby leading to a conceptually interesting territory to be explored further. The fragments with PTime-model checking we identify serve as an example of the various possibilities. Furthermore, it is worth noting here, e.g., that the difference between the standard and bounded
GTS for the µ-calculus is analogous to the relationship between while-loops and for-loops; while-loops are iterated possibly infinitely long, whereas for-loops run for k ∈ ℕ rounds, where k can generally be an input to the loop. Finally, we argue that the new semantics can quite often make formulae easier to read; we will illustrate this in Examples 3.3 and 3.7.

Notes on related work.
There already exist several works where simple variants of the bounded semantics have been considered in the context of temporal logics with significantly simpler recursion mechanisms than that of the µ-calculus. The papers [8], [11] consider a bounded semantics for the Alternating-time temporal logic ATL, and [10], [7] extend the related study to the extension
ATL⁺ of ATL. See also [9], [12]. Part of the original motivation behind the studies in [8], [11], [10], [7] (as well as the current article) relates to work with the direct aim of understanding variants and fragments of the general, expressively Turing-complete logic presented in [19]. It is also worth mentioning that the work in the present article has already been put to essential use in constructing a canonical formula size game for the µ-calculus in [15]. The first short draft of the current submission appeared in 2017 as the arXiv manuscript [13]. It contained only the game-theoretic semantics presented below; the current article is the extended, full conference version of that short draft. The extended preprint of the current article is also available as the arXiv manuscript [14], containing full technical details.

There is a whole range of earlier but closely related logical studies that make use of notions with similar intuitions to the ones behind the bounded semantics of this paper. Indeed, for logics with time bounds, see, e.g., the paper [1] on finitary fairness and the article [18] relating to promptness in Linear temporal logic LTL. We also mention here the work related to bounded model checking, see, e.g., [4], [21] and [23]. The article [6] is one example of an early work that uses explicit 'clocking' of fixed point formulae in (a variant of) the µ-calculus, thereby involving some ideas that bear a similarity to some features used also in the present paper. However, the approach and goals of [6] are different, e.g., the paper limits to finite models only and does not discuss game-theoretic semantics at all.

Let Φ be a set of proposition symbols and Λ a set of label symbols. Formulae of the modal µ-calculus are generated by the grammar

ϕ ::= p | ¬p | X | ϕ ∨ ϕ | ϕ ∧ ϕ | ♦ϕ | □ϕ | µXϕ | νXϕ,

where p ∈ Φ and X ∈ Λ.

Let ϕ be a formula of the µ-calculus.
The set of nodes in the syntax tree of ϕ is denoted by Sf(ϕ). All of these nodes correspond to some subformula of ϕ, but the same subformula may have several occurrences in the syntax tree of ϕ, as for example in the case of p ∨ p. We always distinguish between different occurrences of the same subformula, and thus we always assume that the position in the syntax tree of ϕ is known for any given subformula of ϕ. We also use the following notation:

Sf_µν(ϕ) := { θ ∈ Sf(ϕ) | θ = µXψ or θ = νXψ for some ψ ∈ Sf(ϕ) and X ∈ Λ }.

A Kripke model M is a tuple (W, R, V), where W is a nonempty set, R a binary relation over W and V : Φ → P(W) a valuation for proposition symbols in Φ. An assignment s : Λ → P(W) for M maps label symbols X to subsets of W.

Definition 2.1.
Let M = (W, R, V) be a Kripke model, w ∈ W. Let ϕ be a formula of the µ-calculus. Truth of ϕ in M and w under assignment s, denoted by M, w ⊨_s ϕ, is defined as in standard modal logic for p, ¬p, ∨, ∧, ♦, □. The truth condition for label symbols is defined with respect to the assignment s:
• M, w ⊨_s X iff w ∈ s(X).
To deal with µ and ν, we define an operator ϕ̂_{X,s} : P(W) → P(W) such that ϕ̂_{X,s}(A) = { w ∈ W | M, w ⊨_{s[A/X]} ϕ }, where s[A/X] is the assignment that sends X to A and treats other label symbols the same way as s. The operators ϕ̂_{X,s} are always monotone and thereby have least and greatest fixed points. The semantics for the operators µX and νX is as follows:
• M, w ⊨_s µXψ iff w is in the least fixed point of the operator ψ̂_{X,s}.
• M, w ⊨_s νXψ iff w is in the greatest fixed point of the operator ψ̂_{X,s}.
A label symbol X is said to occur free in a formula ϕ if it occurs in ϕ but is not a subformula of any subformula of ϕ of the form µXψ or νXψ. A formula ϕ is called a sentence if it does not contain any free label symbols. Truth of a sentence ϕ is independent of assignments s, so we may simply write M, w ⊨ ϕ instead of M, w ⊨_s ϕ.

The alternating reachability game problem, which is well known to be PTime-complete (see, e.g., [16]), is defined as follows. The input to the problem is a finite pointed model (M, w), i.e., M is a Kripke model and w a state in it. We assume the vocabulary of M contains the proposition symbols p_B and q_B. The game is played by two players, A and B, starting from the state w. In each round, one of the players moves (if possible) to some state that can be directly reached in one step from the current state via the accessibility relation; if q_B holds in the current state, then B moves, and otherwise A moves.
If the players reach a state where p_B holds, then the game ends and B wins. If a player cannot make the required move in some state (meaning the state is a dead end), then the game ends and that player loses and the other player wins. If the game does not end in a finite number of moves, then A wins. The alternating reachability game problem yields the answer yes on the input (M, w) iff B has a winning strategy in the game. We let AR denote the class of all positive instances of the alternating reachability game problem. The following observation is well known.

Proposition 2.2.
Let M be a Kripke model with propositional vocabulary { p_B, q_B } and let w be a state in M. Then (M, w) ∈ AR if and only if M, w ⊨ χ, where χ = µX(p_B ∨ (q_B ∧ ♦X) ∨ (¬q_B ∧ □X)).

The general idea of game-theoretic semantics (GTS) is that truth of a formula ϕ is checked in a model M via playing a game where a proponent player (Eloise) attempts to show that ϕ holds in M while an opponent player (Abelard) tries to establish the opposite—that ϕ is false. In this section we define a bounded game-theoretic semantics for the µ-calculus, or bounded GTS. The semantics shares some features with a similar GTS for the Alternating-time temporal logic (ATL) defined in [8] (see also [10]).
Let ϕ be a sentence of the µ-calculus and X ∈ Sf(ϕ). The reference formula of X, denoted Rf(X), is the unique subformula of ϕ that binds X. That is, Rf(X) is of the form µXψ or νXψ and there is no other operator µX or νX in the syntax tree on the path from Rf(X) to X. Since ϕ is a sentence, every label symbol has a reference formula (and the reference formula is by definition unique for each label symbol).

Example 3.1.
Consider the sentence ϕ* := νX □µY(♦Y ∨ (p ∧ X)). Here we have Rf(X) = ϕ* and Rf(Y) = µY(♦Y ∨ (p ∧ X)).

Definition 3.2.
Let M be a model, w ∈ W, ϕ a sentence and Γ > Γ-bounded evaluation game G = (M, w, ϕ, Γ) as follows. The game has two players, Abelard and Eloise. The positions of the game are of the form (w, ϕ, c), where w ∈ W, ϕ ∈ Sf(ϕ) and c : Sf_µν(ϕ) → { γ | γ ≤ Γ } is a clock mapping. We call the value c(θ) the clock value of θ (for θ ∈ Sf_µν(ϕ)).

The game begins from the initial position (w, ϕ, c), where c(θ) = Γ for every θ ∈ Sf_µν(ϕ). The game is then played according to the following rules:
• In a position (w, p, c) for some p ∈ Φ, Eloise wins if w ∈ V(p). Otherwise Abelard wins.
• In a position (w, ¬p, c) for some p ∈ Φ, Eloise wins if w ∉ V(p). Otherwise Abelard wins.
• In a position (w, ψ ∨ θ, c), Eloise selects whether the next position is (w, ψ, c) or (w, θ, c).
• In a position (w, ψ ∧ θ, c), Abelard selects whether the next position is (w, ψ, c) or (w, θ, c).
• In a position (w, ♦ψ, c), Eloise selects some v ∈ W such that wRv and the next position is (v, ψ, c). If there is no such v, then Abelard wins.
• In a position (w, □ψ, c), Abelard selects some v ∈ W such that wRv and the next position is (v, ψ, c). If there is no such v, then Eloise wins.
• In a position (w, µXψ, c), Eloise chooses an ordinal γ < Γ. Then the game continues from the position (w, ψ, c[γ/µXψ]). Here c[γ/µXψ] is the clock mapping that sends µXψ to γ and treats other formulae as c.
• In a position (w, νXψ, c), Abelard chooses an ordinal γ < Γ. Then the game continues from the position (w, ψ, c[γ/νXψ]).
• Suppose that the game is in a position (w, X, c) and let c(Rf(X)) = γ.
  1. Suppose that Rf(X) = µXψ for some ψ.
    – If γ = 0, then Abelard wins.
    – Else, Eloise must select some γ′ < γ, and then the game continues from the position (w, ψ, c′), where
      ∗ c′(µXψ) = γ′,
      ∗ c′(θ) = Γ for all θ ∈ Sf_µν(ϕ) s.t. θ ∈ Sf(ψ),
      ∗ c′(θ) = c(θ) for all other θ ∈ Sf_µν(ϕ).
  2. Suppose that Rf(X) = νXψ for some ψ.
    – If γ = 0, then Eloise wins.
    – Else, Abelard must select some γ′ < γ, and then the game continues from the position (w, ψ, c′), where
      ∗ c′(νXψ) = γ′,
      ∗ c′(θ) = Γ for all θ ∈ Sf_µν(ϕ) s.t. θ ∈ Sf(ψ),
      ∗ c′(θ) = c(θ) for all other θ ∈ Sf_µν(ϕ).

The positions where one of the players wins the game are called ending positions. The execution of the rules related to a position of the game constitutes one round of the game. The number of rounds in a play of the game is called the length of the play. We call the ordinals γ < Γ clock values and the ordinal Γ the clock value bound. (We note that only rounds with formulae of type µXψ, νXψ and X affect clock values.)

We observe that in evaluation games we do not need assignments s. A label symbol in X ∈ Λ is simply a marker that points to a node (that node being the formula Rf(X)) in the syntax tree of the sentence ϕ. Hence label symbols are conceptually quite different in GTS and compositional semantics. Indeed, the operators µX (respectively νX) can be given a natural reading relating to self-reference. In the formula µXψ, the operator µX is naming the formula ψ with the name X. The atoms X inside ψ are, in turn, claiming that ψ holds, i.e., referring back to the formula ψ. The difference between µ and ν is that µXψ relates to verifying the formula ψ while νXψ is associated with preventing the falsification of ψ, i.e., defending ψ. Therefore, if N(ψ) denotes a natural language reading of ψ, then the natural language reading of µXψ states that "we can verify the claim named X which asserts that N(ψ)". An analogous reading can be given to νXψ. This scheme of reading recursive formulae via self-reference is from [19], [20].

Example 3.3.
Consider the Kripke model M* = (W, R, V), where we have W = { w_i | i ∈ ℕ }, R = { (w, w_i) | i ≥ } ∪ { (w_{i+}, w_i) | i ≥ } and V(p) = { w }.

[Figure: the model M*.]

Recall the sentence ϕ* = νX □µY(♦Y ∨ (p ∧ X)) from Example 3.1 and consider the evaluation game G* = (M*, w, ϕ*, ω). In G*, Abelard first announces a clock value n < ω for Rf(X) and then makes a jump from the initial state w (with a □-move). Next Eloise announces some clock value m < ω for Rf(Y). Then she can, by repeated ∨-moves, jump in the model (making a ♦-move) and loop back to the formula Rf(Y); each time she loops back, she needs to lower the value of m. If Eloise at some point chooses the right disjunct, Abelard can either check if p is true in the current state or loop back to Rf(X). In the latter case, the value of n is lowered, but the value of m is reset back to ω (allowing Eloise to choose a fresh value m next time).

The game eventually ends when (1) the clock value of Rf(X) goes to zero, whence Abelard loses; when (2) the clock value of Rf(Y) goes to zero, whence Eloise loses; or when (3) Abelard chooses the left conjunct, whence Eloise wins if and only if p is true at the current state. We will return to this game in Example 3.7.

Proposition 3.4.
Let G = (M, w, ϕ, Γ) be a bounded evaluation game. Every play of G ends in a finite number of rounds.

Proof. For each positive integer k, let ≺_k denote the "canonical lexicographic order" of k-tuples of ordinals. That is, (γ, ..., γ_k) ≺_k (γ′, ..., γ′_k) if and only if there exists some i ≤ k such that γ_i < γ′_i and γ_j = γ′_j for all j < i.

Consider a branch in the syntax tree of ϕ. Let ψ, ..., ψ_k ∈ Sf_µν(ϕ) be the µν-formulae occurring on this branch in this order (starting from the root). In each round of the game, each such sequence (ψ, ..., ψ_k) is associated with the k-tuple (c(ψ), ..., c(ψ_k)) of clock values (that are ordinals less or equal to Γ). It is easy to see that if c and c′ are clock mappings such that c′ occurs later than c in the game, then we have (c′(ψ), ..., c′(ψ_k)) ⪯_k (c(ψ), ..., c(ψ_k)). Also, every time a transition from some label X to the reference formula Rf(X) is made, there is at least one branch where the k-tuple (for the relevant k) of clock values becomes strictly lowered (in relation to ≺_k). As ordinals are well-founded, it is thus clear that the game must end after finitely many rounds.

Each evaluation game G can naturally be associated with a game tree T(G) = (P_G, E_G), where P_G is the set of positions (v, ψ, c) of G and E_G is the successor position relation. T(G) is formed by beginning from the initial position and adding transitions to all possible successor positions. This procedure is then repeated from the successor positions until an ending position is reached. In the game tree, the initial position is of course the root and ending positions are leaves. Complete branches correspond to possible plays of the game. Due to Proposition 3.4, the game tree of any bounded evaluation game is well-founded, i.e., it does not contain infinite branches.
However, if the clock value bound Γ or the model M is infinite, then the out-degree of some of the nodes of the game tree can be infinite.

Definition 3.5.
Let G = (M, w, ϕ, Γ) be an evaluation game. A strategy σ for Eloise in G is a partial mapping on the set of those positions (w, ϕ, c) of the game where Eloise needs to make a move such that: σ(w, ψ ∨ θ, c) ∈ { ψ, θ }, σ(w, ♦ψ, c) ∈ { v ∈ W | wRv }, σ(w, µXψ, c) ∈ { γ | γ < Γ }, and σ(w, X, c) ∈ { γ | γ < c(Rf(X)) } where Rf(X) is of the form µXψ. We say that Eloise plays according to σ if she makes all her choices according to σ and that σ is a winning strategy if Eloise always wins when playing according to σ.

Definition 3.6.
Let M = (W, R, V) be a model, w ∈ W, ϕ a sentence and Γ > ϕ in M and w according to Γ-bounded game theoretic semantics, M, w ⊩^Γ ϕ, as follows: M, w ⊩^Γ ϕ iff Eloise has a winning strategy in (M, w, ϕ, Γ).

Example 3.7.
Recall the game G* from Example 3.3. We define a strategy for Eloise as follows. After Abelard has made a transition to some state w_j, Eloise chooses j for the clock value of Rf(Y) and jumps in the model until reaching again w. She then chooses the right disjunct at w, whence she either wins (since w ∈ V(p)) or Abelard needs to lower the clock value of Rf(X) and the clock value of Rf(Y) gets reset back to ω. Clearly this is a winning strategy for Eloise and thus M*, w ⊩^ω ϕ*.

From the structure of the evaluation games for ϕ* we find an interpretation for the meaning of ϕ*: "we can infinitely repeat the process where first (1) an arbitrary transition is made, and then (2) we can reach a state where p is true and the process can be continued from (1)". Hence the clock value chosen for Rf(Y) is intuitively a "commitment" on how many rounds at most it will take to reach a state where p holds. The clock value for Rf(X), on the other hand, is a "challenge" on how many times p must be reached. Indeed, in models where p can be reached only finitely many—say n—times from the initial state, Abelard can win by choosing n + (X).

In this section we define a compositional semantics based on ordinal approximants of fixed point operators. Let M = (W, R, V) be a Kripke model, F : P(W) → P(W) an operator and γ an ordinal. We define the sets F^γ_µ and F^γ_ν recursively as follows:

F_µ := ∅ and F_ν := W.
F^γ_µ := F(F^{γ−}_µ) and F^γ_ν := F(F^{γ−}_ν), if γ is a successor ordinal.
F^γ_µ := ⋃_{δ<γ} F^δ_µ and F^γ_ν := ⋂_{δ<γ} F^δ_ν, if γ is a limit ordinal.

Definition 4.1.
Consider a model M with a state w and a related assignment s. We obtain Γ-bounded compositional semantics for the modal µ-calculus by defining truth of p, ¬p, ∨, ∧, ♦, □ and X recursively as in the standard compositional semantics and treating the µ and ν-operators as follows:
• M, w ⊨^Γ_s µXψ iff w ∈ (ψ̂_{X,s,Γ})^Γ_µ,
• M, w ⊨^Γ_s νXψ iff w ∈ (ψ̂_{X,s,Γ})^Γ_ν,
where the operator ϕ̂_{X,s,Γ} : P(W) → P(W) is defined such that ϕ̂_{X,s,Γ}(A) = { w ∈ W | M, w ⊨^Γ_{s[A/X]} ϕ }.

The semantics of the µ and ν-operators can be equivalently given as follows:
• M, w ⊨^Γ_s µXψ iff there exists some γ < Γ s.t. w ∈ (ψ̂_{X,s,Γ})^{γ+}_µ.
• M, w ⊨^Γ_s νXψ iff w ∈ (ψ̂_{X,s,Γ})^{γ+}_ν for every γ < Γ.
If Γ is a limit ordinal, we can replace the superscripts γ + γ.

We say that a formula is in normal form if each label symbol in Λ occurs in the formula at most once in the µ-ν-operators (but may occur several times on the atomic level). We let ϕ′ denote a normal form variant of ϕ obtained simply by renaming label symbols where appropriate. It is easy to show that ϕ is equivalent to ϕ′ with respect to both Γ-bounded compositional semantics (⊨^Γ) and Γ-bounded GTS (⊩^Γ). Therefore, when proving the equivalence of these two semantics, it suffices that we consider sentences that are in normal form. Indeed, henceforth we assume that all formulae are in this normal form.

Theorem 4.2.
Let Γ be an ordinal, M a Kripke model, w ∈ W and ϕ a sentence of the modal µ-calculus. Now we have M, w ⊨^Γ ϕ iff M, w ⊩^Γ ϕ.

Proof. (Sketch.) We present here a proof sketch highlighting the main ideas. For a rigorous, fully detailed proof, please see the appendix of the full arXiv preprint version [14] of the current submission.

The key in both directions of the proof is the following condition (⋆) which is a property satisfied/unsatisfied by positions (w, ϕ, c) in the evaluation game G = (M, w, ϕ, Γ):

(⋆) There is an assignment s such that M, w ⊨^Γ_s ϕ, and for each X ∈ Sf(ϕ):
1. s(X) = (ψ̂_{X,s,Γ})^γ_µ if Rf(X) = µXψ and c(Rf(X)) = γ,
2. s(X) = (ψ̂_{X,s,Γ})^γ_ν if Rf(X) = νXψ and c(Rf(X)) = γ.

Note that this condition essentially relates the clock values γ of bounded GTS to γ-approximants in the bounded compositional semantics.

Proving the left to right implication, we first note that (⋆) holds in the initial position of G by the assumption M, w ⊨^Γ ϕ. Then we show that whenever (⋆) holds for the current position, Eloise either wins the game in the current position or she can maintain (⋆) to the next position. By maintaining (⋆), we obtain a winning strategy since G ends in a finite number of rounds.

For the other direction of the equivalence, we suppose that Eloise has a winning strategy σ in G. Since the game tree of G is well-founded, we can use well-founded (backwards) induction on the positions in the tree to prove that: if a position (w, ϕ, c) can be reached with σ, then (⋆) holds for (w, ϕ, c). Hence, in particular, (⋆) holds in the initial position of G and thus M, w ⊨^Γ ϕ.

Let M be a model. It is well-known that over M, each operator related to a formula of the µ-calculus reaches a fixed point in at most (card(M))⁺ iterations, where (card(M))⁺ is the successor cardinal of card(M).
Thus it is easy to see that the standard compositional semantics and (card(M))⁺-bounded compositional semantics are equivalent in M. Hence we obtain the following corollary:

Corollary 4.3. Γ-bounded GTS is equivalent with the standard compositional semantics of the modal µ-calculus when Γ ≥ (card(M))⁺.

Also note that, in the special case of finite models, it suffices to use finite clock values that are at most the cardinality of the model.
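The agreement stated in Theorem 4.2 can be checked mechanically on finite models. The following Python code is an added example, not part of the paper: it evaluates a sentence both by n-th approximants (Definition 4.1) and by solving the evaluation game of Definition 3.2, with a finite clock bound n in place of Γ. The tuple encoding of formulae, the function names and the two small models are assumptions constructed for illustration.

```python
# Added example, not from the paper. A finite bound n plays the role of Gamma.
# Formulae are nested tuples in normal form (every label is bound once):
#   ("p", a) ("np", a) ("var", X) ("or", f, g) ("and", f, g)
#   ("dia", f) ("box", f) ("mu", X, f) ("nu", X, f)
from functools import lru_cache


def approx_sem(W, R, V, phi, n, s=None):
    """States satisfying phi under n-bounded compositional semantics (Def. 4.1)."""
    s = s or {}
    op = phi[0]
    if op == "p":
        return set(V.get(phi[1], ()))
    if op == "np":
        return set(W) - set(V.get(phi[1], ()))
    if op == "var":
        return set(s[phi[1]])
    if op in ("or", "and"):
        a = approx_sem(W, R, V, phi[1], n, s)
        b = approx_sem(W, R, V, phi[2], n, s)
        return a | b if op == "or" else a & b
    if op in ("dia", "box"):
        a = approx_sem(W, R, V, phi[1], n, s)
        quant = any if op == "dia" else all
        return {w for w in W if quant(v in a for v in R.get(w, ()))}
    # mu / nu: apply the operator n times, starting from the empty set / from W
    X, body = phi[1], phi[2]
    A = set() if op == "mu" else set(W)
    for _ in range(n):
        A = approx_sem(W, R, V, body, n, {**s, X: A})
    return A


def binders(phi, out=None):
    """Map each label X to (kind, body of Rf(X), labels bound inside that body)."""
    out = {} if out is None else out
    if phi[0] in ("mu", "nu"):
        inner = {}
        binders(phi[2], inner)
        out[phi[1]] = (phi[0], phi[2], frozenset(inner))
        out.update(inner)
    else:
        for sub in phi[1:]:
            if isinstance(sub, tuple):
                binders(sub, out)
    return out


def eloise_wins(W, R, V, phi, w0, n):
    """True iff Eloise has a winning strategy in the n-bounded game (Def. 3.2)."""
    info = binders(phi)
    labels = sorted(info)

    @lru_cache(maxsize=None)
    def win(w, f, clock):  # clock: one value per label, in the order of `labels`
        op = f[0]
        if op == "p":
            return w in V.get(f[1], ())
        if op == "np":
            return w not in V.get(f[1], ())
        if op == "or":   # Eloise picks a disjunct
            return win(w, f[1], clock) or win(w, f[2], clock)
        if op == "and":  # Abelard picks a conjunct
            return win(w, f[1], clock) and win(w, f[2], clock)
        if op == "dia":  # Eloise moves; she loses at a dead end
            return any(win(v, f[1], clock) for v in R.get(w, ()))
        if op == "box":  # Abelard moves; he loses at a dead end
            return all(win(v, f[1], clock) for v in R.get(w, ()))
        X = f[1]
        kind, body, inner = info[X]
        i = labels.index(X)
        limit = n  # at mu X / nu X itself, any value below the bound may be chosen
        if op == "var":
            # back at Rf(X): clocks of fixed points inside its body are reset to
            # the bound, and the clock of Rf(X) must be strictly lowered
            clock = tuple(n if lab in inner else c for lab, c in zip(labels, clock))
            limit = clock[i]
        plays = (win(w, body, clock[:i] + (g,) + clock[i + 1:]) for g in range(limit))
        # mu: Eloise chooses (she loses at clock 0); nu: Abelard chooses
        return any(plays) if kind == "mu" else all(plays)

    return win(w0, phi, (n,) * len(labels))


def agree(W, R, V, phi, n):
    """Theorem 4.2 on a finite instance: both semantics give the same truth set."""
    game = {w for w in W if eloise_wins(W, R, V, phi, w, n)}
    return approx_sem(W, R, V, phi, n) == game


# Constructed sample 1: chain 3 -> 2 -> 1 -> 0 with p only at state 0.
W4, R4, V4 = [0, 1, 2, 3], {3: [2], 2: [1], 1: [0]}, {"p": {0}}
AF_P = ("mu", "X", ("or", ("p", "p"), ("box", ("var", "X"))))

# Constructed sample 2: cycle 0 -> 1 -> 2 -> 0 with p at state 0, together with
# the sentence phi* of Example 3.1.
W3, R3, V3 = [0, 1, 2], {0: [1], 1: [2], 2: [0]}, {"p": {0}}
PHI_STAR = ("nu", "X", ("box", ("mu", "Y",
            ("or", ("dia", ("var", "Y")), ("and", ("p", "p"), ("var", "X"))))))
```

On the constructed chain, the bound 3 is too small at state 3, while the bound 4 (the cardinality of the model) suffices, in line with the remark on finite models above.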
As stated in Corollary 4.3, the bounded semantics becomes equivalent with the standard (unbounded) semantics if we set a sufficiently large clock value bound Γ. However, using smaller values of Γ, we obtain different semantic systems typically nonequivalent to the standard semantics. We can either set some fixed bound for Γ or use a value that is determined by some parameters—such as the size of the given model and the given formula. In this section we consider the former case; systems relating to the latter case are examined in Section 6.

A particularly interesting case with a fixed value of Γ is the so-called finitely bounded semantics, where we set Γ = ω for all evaluation games. In the corresponding GTS, the players can only announce finite clock values. Finitely bounded semantics will be denoted by FBS which refers to both game-theoretic and compositional semantics with Γ = ω. In finite models FBS is equivalent to the standard semantics, but this equivalence breaks over infinite models; see Example 5.1 below.

In the example and proofs that follow, we will consider the sentence ϕ_AFp := µX(p ∨ □X) which intuitively means that on every path, p can be reached eventually. Note that ϕ_AFp corresponds to the sentence AF p of Computation tree logic CTL.

Example 5.1.
Recall the model M* from Example 3.3. Let M† be the model that is otherwise identical to M*, but V(p) = { w }. Since the state w is eventually reached on every path starting from w, it is easy to see that M†, w ⊨ ϕ_AFp. However, M†, w ⊭^ω ϕ_AFp since from w there is no finite upper bound on how many transitions are needed to reach w. Indeed, Abelard has a winning strategy in (M†, w, ϕ_AFp, ω) since he can win by choosing a transition to w_{j+} for any clock value j < ω for Rf(X)—chosen by Eloise.

It is worth noting that M†, w ⊨^{ω+} ϕ_AFp since if Eloise can choose ω as the initial clock value for Rf(X) and then lower it to j − w_j. Moreover, we also have M†, w ⊨^ω □ϕ_AFp since Eloise will know how many transitions it takes to reach w as Abelard has to make the first transition before Eloise must announce a clock value.

In the proofs that follow, we will use negations and implications of formulae of the modal µ-calculus. Such formulae are in general not included in our official syntax (in the current paper), but it is straightforward to show that they can be translated to equivalent formulae in negation normal form.

It is well known that, with standard semantics, the modal µ-calculus has the finite model property, i.e., every satisfiable sentence is satisfied in some finite model (see, e.g., [5]). However, with finitely bounded semantics, this property is lost.

Proposition 5.2.
The modal µ-calculus with FBS does not have the finite model property.

Proof. It is easy to see that □ϕ_AFp → ϕ_AFp is valid with the standard semantics (this follows from the "fixpoint property" AF p ↔ p ∨ AXAF p of CTL). Therefore □ϕ_AFp ∧ ¬ϕ_AFp is not satisfiable with the standard semantics. As the standard semantics is equivalent to FBS in finite models, □ϕ_AFp ∧ ¬ϕ_AFp cannot be satisfied under FBS in any finite model. However, □ϕ_AFp ∧ ¬ϕ_AFp is satisfiable with FBS in an infinite model—as demonstrated by the model M† in Example 5.1.

Moreover, FBS has the following interesting connection to the standard semantics.

Note that the correspondence to for-loops is particularly natural with finitely bounded semantics: iterations can be done up to any finite bound that has to be declared in advance.
Proposition 5.3. The set of validities of the modal µ-calculus with FBS is strictly included in the set of validities with the standard semantics.

Proof. To prove the inclusion, let ϕ be a sentence valid under FBS. Then ¬ϕ cannot be satisfied under FBS in any finite model. Since the standard semantics and FBS are equivalent in finite models, it follows that ¬ϕ is not satisfied by the standard semantics in any finite model. Due to the finite model property of the standard semantics, ¬ϕ is not satisfied by any model and thus ϕ is valid. The inclusion is strict as □ϕ_AFp → ϕ_AFp is valid under standard semantics but not under FBS (cf. proof of Proposition 5.2).

We showed in [9], [12] that the claims of Propositions 5.2, 5.3 hold also for the FBS defined for CTL and ATL. There we also developed a tableau method for showing that the validity problem of CTL and ATL with FBS is decidable and has the same complexity (ExpTime) as with the standard semantics. It remains to be investigated whether the analogous ExpTime result holds also for the µ-calculus with FBS.

The bounded GTS leads naturally to semantic variants of the µ-calculus that can quite directly be shown to have PTime complete model checking. The main point is to make use of the intimate relationship between alternating Turing machines and semantic games. The novel systems of semantics we consider resemble the Γ-bounded semantics but utilize a simplified way to control how many times µ and ν-formulae can be repeated in semantic games.

To present the alternative semantic systems in detail, let f be a map that takes as input a model M, a point w in the domain W of M and a sentence ϕ, outputting an ordinal. We assume that if g is an isomorphism from M to M′, then f(M, w, ϕ) = f(M′, g(w), ϕ). The function f gives rise to the simple f-bounded GTS defined as follows.
Definition 6.1. Let M be a Kripke-model, w ∈ W and ϕ a sentence of the µ-calculus. The simple f-bounded evaluation game G_f = (M, w, ϕ) is played the same way as the Γ-bounded evaluation game G_Γ = (M, w, ϕ, Γ), but with the following differences on the way the number of remaining rounds is determined:
• Eloise is controlling an ordinal γ_∃ and Abelard an ordinal γ_∀. In the beginning of the game, these ordinals are set to be equal to f(M, w, ϕ).
• Every time a transition is made from some label symbol X to the reference formula µXψ, Eloise must lower the current value of γ_∃. Similarly, when a transition is made from Y to the reference formula νYψ′, then Abelard must lower γ_∀. (Note that the values of γ_∃ and γ_∀ are never increased.) If γ_∃ = γ_∃, then Eloise loses the game, and similarly, if γ_∀ = γ_∀, Abelard loses.

In positions (M, w′, p) and (M, w′, ¬p) where p is a proposition symbol, winning and losing is defined in the same way as in Γ-bounded games. We define truth of ϕ in M at w according to the simple f-bounded semantics such that M, w ⊩_f ϕ iff Eloise has a winning strategy in the game G_f = (M, w, ϕ) of the simple f-bounded semantics.

Henceforth we mostly talk about f-bounded semantics instead of simple f-bounded semantics to keep the presentation simpler.

Footnote: We note that f is too large to be a set, but this is unproblematic to our study.

f-bounded semantics of course depend heavily on the choice of f. One of the simpler choices is to define f(M, w, ϕ) = card(M) · |ϕ| where |ϕ| is the length of ϕ, i.e., the number of symbol occurrences. This semantics has the natural property that in finite models, if the players always lower their ordinal by the minimum amount 1, then, if the game ends due to γ_∃ or γ_∀ being zero, some state-subformula pair must have been repeated. Furthermore, we can now prove the following result.

Proposition 6.2.
The µ-calculus model checking problem is PTime-complete under simple f-bounded semantics with f(M, w, ϕ) = card(M) · |ϕ|.

Proof. To establish the upper bound, we define a Turing machine running in alternating logarithmic space that directly simulates the model checking game (i.e., the semantic evaluation game) with any input M, w, ϕ. The game positions where Eloise makes a move correspond to existential machine states while Abelard's positions correspond to universal states. We need some kind of a pointer indicating the current world of the Kripke structure and another pointer for the current subformula (i.e., node in the syntax tree). Furthermore, we keep binary representations of γ_∃ and γ_∀ in the memory. These binary strings are necessarily logarithmic in the input due to the choice of f. Thus it is easy to see how the required alternating Turing machine is constructed.

We obtain the lower bound via the alternating reachability game. Recall Proposition 2.2 and the formula χ there. We will show that, as in standard semantics, χ defines the winning set of the alternating reachability game also under our f-bounded semantics, i.e., χ is true in M at w under our semantics if and only if the player B has a winning strategy in the corresponding alternating reachability game. Indeed, it is easy to show that when B has a winning strategy in an alternating reachability game, she can ensure a win so that no state of the game is visited more than once. Thus our choice of f for the f-bounded semantics guarantees that Eloise has a winning strategy in the corresponding semantic game. And if Eloise has a winning strategy in a semantic game G_f(M, w, χ), then clearly B wins the corresponding alternating reachability game. Thus, already with the fixed input formula χ, model checking is PTime-hard.

It is worth noting here that in fact all the systems with f(M, w, ϕ) = card(M)^k · |ϕ| (for different positive integers k) have PTime-complete model checking: the proof of Proposition 6.2 goes through with trivial modifications.

The f-bounded semantics with f(M, w, ϕ) = card(M) · |ϕ| is obviously very different in spirit from the standard semantics, and the f-bounded semantics itself changes as we modify f. Also, several further variants of the semantics immediately suggest themselves, for example the possibility of setting different limits for Eloise and Abelard, including the possibility of no limit at all. Also, letting different occurrences of µ and ν-formulae be associated with different clocks similarly to the standard semantics, but without resetting the clocks, is one of many possible interesting scenarios.

Concerning the case where we do not set clocks at all but allow the players to play indefinitely long, winning occurs only when an atomic position with a literal (e.g., p or ¬p) is reached. Thus the games are not determined, i.e., it is possible that neither player has a winning strategy (consider, e.g., the formula µX X). This free semantics for modal logic results in a system that is essentially directly a fragment of the general, Turing-complete logic L of [19]. On the other hand, the different “clocking scenarios” described above (and further variants thereof) can be naturally imposed on L, and it would indeed make sense to study related phenomena in that framework.

Footnote: Each proposition symbol p and label X counts as one symbol despite the possible subindices: for example, p is one symbol, not two symbols.

In this section we study model checking of the µ-calculus for fixed sentences.
We investigate model checking separately with respect to the standard semantics and with respect to Γ-bounded semantics. Given a sentence ϕ of the µ-calculus, we use the following notation for the corresponding model checking and bounded model checking problems:
• MC(ϕ) := { (M, w) | M is finite and M, w ⊨ ϕ }, and
• BMC(ϕ) := { (M, w, Γ) | M is finite and M, w ⊨_Γ ϕ }.

Recalling the relevant notations from Section 2.3, including the formula χ, we note, in particular, that the alternating reachability problem AR is equal to MC(χ). Our aim is to show that AR is a complete problem for model checking and bounded model checking:

Proposition 7.1.
For each formula ϕ of the modal µ-calculus there are LogSpace-computable model transformations J_ϕ and I_ϕ such that for any finite Kripke model M, state w and ordinal Γ we have
(1) (M, w, Γ) ∈ BMC(ϕ) iff J_ϕ(M, w, Γ) ∈ AR, and
(2) (M, w) ∈ MC(ϕ) iff I_ϕ(M, w) ∈ AR.
Furthermore, neither J_ϕ(M, w, Γ) nor I_ϕ(M, w) contain infinite paths.

Proof. Recall that the game tree of an evaluation game G = (M, w, ϕ, Γ) is the tree T(G) = (P_G, E_G), where P_G is the set of positions (v, ψ, c) of G, and E_G is the successor position relation. We consider the following Kripke model that is obtained from T(G) by adding proposition symbols encoding winning end positions of Eloise and positions in which it is Eloise's turn to move: T_G = (P_G, E_G, V_G), where V_G : {p_B, q_B} → P(P_G) is the valuation
• V_G(p_B) = { (v, ψ, c) ∈ P_G | ψ is a literal and M, v ⊨ ψ },
• V_G(q_B) = { (v, ψ, c) ∈ P_G | ψ is of the form θ ∨ η, ♦θ, µXθ, or X with Rf(ψ) = µXθ, or ψ is a literal and M, v ⊭ ψ }.

Let r_G = (w, ϕ, c) be the initial position of G. Observe now that, letting Eloise play in the role of B and Abelard in the role of A, the alternating reachability game on the Kripke-model T_G with starting state r_G is essentially identical with the game G: the positions and the rules for moves are the same, and the winning conditions are equivalent. Thus, defining J_ϕ(M, w, Γ) := (T_G, r_G), and using Theorem 4.2, we obtain the first equivalence (1). Clearly J_ϕ(M, w, Γ) can be computed from the input (M, w, Γ) in LogSpace.

The transformation I_ϕ can now be defined as follows: we let I_ϕ(M, w) := J_ϕ(M, w, (card(M))+). Denote Γ∗ := (card(M))+ below. By Corollary 4.3 and (1) we have (M, w) ∈ MC(ϕ) iff (M, w, Γ∗) ∈ BMC(ϕ) iff J_ϕ(M, w, Γ∗) ∈ AR, whence (2) holds.
Clearly I_ϕ is LogSpace-computable. Since game trees of bounded evaluation games are well-founded, it is clear that J_ϕ(M, w, Γ) and I_ϕ(M, w) do not contain infinite paths.

Footnote: The complexities of the related problems are commonly referred to as data complexity as opposed to the combined complexity of the standard problem where the sentence is not fixed.

Footnote: For example, in a position p = (v, ψ, c) with ψ a literal such that M, v ⊭ ψ, B loses the alternating reachability game since p does not have any E_G-successors.

µ-calculus can be reduced via I_ϕ to checking the truth of the simple alternation free sentence χ. A related idea was used in [3] for showing that finite parity games can be reduced to safety games by adding explicit memory M to the states. The elements of M are essentially the same as our clock values in the finite case, except that they are given only for one of the players. This is why the resulting game in [3] is a safety game, and this can lead to infinite plays, unlike our reachability games in I_ϕ(M, w).

Proposition 7.1 resembles also the “Measured Collapse Theorem” in [6], which states that checking the truth of any sentence ϕ of the µ-calculus can be reduced to checking the truth of an alternation free sentence ϕ′. However, unlike in Proposition 7.1, the result of [6] is not a reduction to MC(ψ) for a fixed sentence ψ, as ϕ′ depends on ϕ. Moreover, the sentence ϕ′ is actually a translation of ϕ to a different logic, called µ♯-calculus, whose semantics is based on an additional domain of tuples that can be related to our clock values.

It should be noted that the existence of LogSpace-computable reductions from the model checking problems BMC and MC to AR follows directly from the well-known fact that alternating reachability is a PTime-complete problem. However, the main point here is that our reductions J_ϕ and I_ϕ arise in a natural and straightforward way from the bounded evaluation game.
Moreover, except for LogSpace-computability, the proof above does not rely at any point on the assumption that the Kripke models are finite. Thus we see that the reductions J_ϕ and I_ϕ work on infinite Kripke models as well as on finite ones: for any Kripke model M, state w and ordinal Γ we have
• M, w ⊨_Γ ϕ iff J_ϕ(M, w, Γ) ⊨ χ, and
• M, w ⊨ ϕ iff I_ϕ(M, w) ⊨ χ.

Our study has focused on conceptual developments relating to the modal µ-calculus, the main result being the new GTS and its variants. There are many relevant future research directions; we mention here some of them. Firstly, it would be interesting to understand new clocking patterns in general, in addition to the finitely bounded, the f-bounded and the free semantics discussed above. These investigations could naturally be pushed to involve more general logics beyond modal logic, possibly containing, e.g., operators that modify the underlying models, and thereby directly linking to the research on the general logical framework of [19] and the research program of [19] and [20].

More concretely, pinpointing the complexity of the satisfiability problem of the modal µ-calculus under finitely bounded semantics remains to be done. Also, it would be interesting to investigate whether the scheme of using tuples of ordinals for defining our bounded GTS can be modified to work with single ordinals in a natural way. Finally, using ordinals to reduce arbitrary game arenas to well-founded trees is in general an interesting research direction. Relating to this and the work in Section 7, it would be particularly interesting to better understand reductions of general games to (well-founded) alternating reachability games.

Footnote: The problem of finding equivalent finite duration games for infinite duration games (on finite arenas) has been studied, e.g., in [2] with an essentially different kind of method.
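On a finite model, the simple f-bounded evaluation game of Definition 6.1 with f(M, w, ϕ) = card(M) · |ϕ| can be solved by direct recursion over game positions, treating Eloise's positions existentially and Abelard's universally as in the alternating machine in the proof of Proposition 6.2. The Python code below is an added example, not code from the paper. The tuple encoding of formulas, the counting convention in `size`, the names `holds`, `references` and `wins`, and the sample model are assumptions of the example, and every forced lowering is by exactly 1.

```python
from functools import lru_cache

# Formulas in negation normal form as nested tuples (this example's own encoding):
#   ("p", a) ("np", a) ("or", l, r) ("and", l, r) ("dia", s) ("box", s)
#   ("mu", X, s) ("nu", X, s) ("var", X)

def size(phi):
    """|phi| as a symbol count; the exact counting convention is assumed here."""
    if phi[0] in ("p", "var"):
        return 1
    if phi[0] == "np":
        return 2
    if phi[0] in ("mu", "nu"):
        return 2 + size(phi[2])
    return 1 + sum(size(s) for s in phi[1:])

def references(phi, table):
    """Fill table with Rf(X) for every label X (each label assumed bound once)."""
    if phi[0] in ("mu", "nu"):
        table[phi[1]] = phi
        references(phi[2], table)
    elif phi[0] in ("or", "and", "dia", "box"):
        for s in phi[1:]:
            references(s, table)
    return table

def holds(succ, val, w, phi):
    """True iff Eloise wins the simple f-bounded game, f = card(M) * |phi|."""
    rf = references(phi, {})
    bound = len(succ) * size(phi)

    @lru_cache(maxsize=None)
    def wins(v, psi, g_e, g_a):          # g_e, g_a: clocks of Eloise, Abelard
        kind = psi[0]
        if kind == "p":
            return v in val.get(psi[1], ())
        if kind == "np":
            return v not in val.get(psi[1], ())
        if kind == "or":                 # Eloise chooses a disjunct
            return any(wins(v, s, g_e, g_a) for s in psi[1:])
        if kind == "and":                # Abelard chooses a conjunct
            return all(wins(v, s, g_e, g_a) for s in psi[1:])
        if kind == "dia":                # Eloise chooses a successor, loses if none
            return any(wins(u, psi[1], g_e, g_a) for u in succ[v])
        if kind == "box":                # Abelard chooses a successor, loses if none
            return all(wins(u, psi[1], g_e, g_a) for u in succ[v])
        if kind in ("mu", "nu"):         # step inside the fixed point operator
            return wins(v, psi[2], g_e, g_a)
        target = rf[psi[1]]              # label X: jump back to Rf(X)
        if target[0] == "mu":            # Eloise must lower her clock; at 0 she loses
            return g_e > 0 and wins(v, target, g_e - 1, g_a)
        return g_a == 0 or wins(v, target, g_e, g_a - 1)   # Abelard must lower his

    return wins(w, phi, bound, bound)

# Constructed sample: a 3-state cycle with p true only in state 2.
CYCLE = {0: (1,), 1: (2,), 2: (0,)}
VAL = {"p": frozenset({2})}
REACH_P = ("mu", "X", ("or", ("p", "p"), ("dia", ("var", "X"))))
MU_LOOP = ("mu", "X", ("dia", ("var", "X")))
NU_LOOP = ("nu", "Y", ("dia", ("var", "Y")))
```

The memo table holds at most card(M) · (number of subformulae) · (f + 1)² positions, so the recursion stays polynomial in the input, and every play is finite because each pass through a label lowers one of the two clocks.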
Acknowledgements
Antti Kuusisto was funded by the Academy of Finland project Theory of Computational Logics, grant numbers 324435 and 328987. The work of Raine Rönnholm was partially supported by Jenny and Antti Wihuri Foundation. We thank the anonymous referees for comments and additional references.
References
[1] Rajeev Alur & Thomas A. Henzinger (1998): Finitary Fairness. ACM Trans. Program. Lang. Syst. 20(6), pp. 1171–1194.
[2] Benjamin Aminof & Sasha Rubin (2017): First-cycle games. Information and Computation 254, pp. 195–216.
[3] Julien Bernet, David Janin & Igor Walukiewicz (2002): Permissive strategies: from parity games to safety games. RAIRO Theor. Informatics Appl. 36(3), pp. 261–275.
[4] Armin Biere, Alessandro Cimatti, Edmund M. Clarke & Yunshan Zhu (1999): Symbolic Model Checking without BDDs. In Rance Cleaveland, editor: TACAS'99, Proceedings, LNCS 1579, Springer, pp. 193–207.
[5] Julian Bradfield & Colin Stirling (2007): Modal mu-calculi, pp. 721–756. Elsevier.
[6] Doron Bustan, Orna Kupferman & Moshe Y. Vardi (2004): A Measured Collapse of the Modal µ-Calculus Alternation Hierarchy. In Volker Diekert & Michel Habib, editors: STACS 2004, 21st Annual Symposium on Theoretical Aspects of Computer Science, Proceedings, LNCS 2996, Springer, pp. 522–533.
[7] Valentin Goranko, Antti Kuusisto & Raine Rönnholm: Game-Theoretic Semantics for ATL+ with Applications to Model Checking. To appear in Information and Computation.
[8] Valentin Goranko, Antti Kuusisto & Raine Rönnholm (2016): Game-Theoretic Semantics for Alternating-Time Temporal Logic. In: Proceedings of the 2016 International Conference on Autonomous Agents & Multiagent Systems, AAMAS, pp. 671–679.
[9] Valentin Goranko, Antti Kuusisto & Raine Rönnholm (2017): CTL with Finitely Bounded Semantics. In Sven Schewe, Thomas Schneider & Jef Wijsen, editors: 24th International Symposium on Temporal Representation and Reasoning, TIME, LIPIcs 90, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, pp. 14:1–14:19.
[10] Valentin Goranko, Antti Kuusisto & Raine Rönnholm (2017): Game-Theoretic Semantics for ATL+ with Applications to Model Checking. In: Proceedings of the 16th Conference on Autonomous Agents and MultiAgent Systems, AAMAS, pp. 1277–1285.
[11] Valentin Goranko, Antti Kuusisto & Raine Rönnholm (2018): Game-Theoretic Semantics for Alternating-Time Temporal Logic. ACM Trans. Comput. Log. 19(3), pp. 17:1–17:38.
[12] Valentin Goranko, Antti Kuusisto & Raine Rönnholm (2019): Alternating-time temporal logic ATL with finitely bounded semantics. Theor. Comput. Sci. 797, pp. 129–155.
[13] Lauri Hella, Antti Kuusisto & Raine Rönnholm (2017): Bounded game-theoretic semantics for modal mu-calculus. CoRR abs/1706.00753. Available at https://arxiv.org/pdf/1706.00753v1.pdf.
[14] Lauri Hella, Antti Kuusisto & Raine Rönnholm (2020): Bounded game-theoretic semantics for modal mu-calculus. CoRR abs/1706.00753. Available at https://arxiv.org/pdf/1706.00753v2.pdf.
[15] Lauri Hella & Miikka Vilander (2019): Formula size games for modal logic and µ-calculus. J. Log. Comput. 29(8), pp. 1311–1344.
[16] Neil Immerman (1999): Descriptive complexity. Graduate texts in computer science, Springer.
[17] Dexter Kozen (1983): Results on the Propositional mu-Calculus. Theor. Comput. Sci. 27, pp. 333–354.
[18] Orna Kupferman, Nir Piterman & Moshe Y. Vardi (2007): From Liveness to Promptness. In Werner Damm & Holger Hermanns, editors: Computer Aided Verification, 19th International Conference, CAV, Proceedings, LNCS 4590, Springer, pp. 406–419.
[19] Antti Kuusisto (2014): Some Turing-Complete Extensions of First-Order Logic. In Adriano Peron & Carla Piazza, editors: GandALF 2014, EPTCS 161, pp. 4–17.
[20] Antti Kuusisto (2019): On Games and Computation. CoRR abs/1910.14603.
[21] Wojciech Penczek, Bozena Wozna & Andrzej Zbrzezny (2002): Bounded Model Checking for the Universal Fragment of CTL. Fundam. Inform. 51(1-2), pp. 135–156.
[22] Robert S. Streett & E. Allen Emerson (1989): An Automata Theoretic Decision Procedure for the Propositional Mu-Calculus. Inf. Comput. 81(3), pp. 249–264.
[23] Wenhui Zhang (2015): Bounded semantics. Theoretical Computer Science 564, pp. 1–29, doi:10.1016/j.tcs.2014.10.026