Generating and Solving Symbolic Parity Games Gijs Kant Jaco van de - - PowerPoint PPT Presentation

Generating and Solving Symbolic Parity Games

Gijs Kant Jaco van de Pol

Formal Methods & Tools University of Twente The Netherlands

Games 2012, Napoli, Italia

1 / 26

Motivation

◮ Application: formal verification of process algebraic

specifications

◮ Process algebra mCRL2: behaviour of a system P ◮ First-order modal µ-calculus formula ϕ: desired property of the

system

◮ P |

= ϕ is translated to a first-order boolean equation system

◮ An appropriate way to solve such a system is by instantiation

to a parity game

◮ These parity games, however, can become rather large

2 / 26

Contents

Practical solving of first-order boolean equation systems using symbolic data structures.

◮ Translation from process algebra and µ-calculus to first-order

boolean equations

◮ Instantiation from first-order boolean equation system to a

parity game . . . using LTSmin: symbolic generation (using MDDs)

◮ Symbolic solving using spgsolver. ◮ Two case studies

3 / 26

mCRL2

◮ mCRL2 language (mcrl2.org):

algebraic data types, parallel composition, etc.

◮ Several analysis techniques: simulation, visualisation, model

checking.

◮ Linear Process Specification (LPS) format: summands of the

form

• d:D

guard → action . recursion

Example

proc Buffer(q : List(D)) =

• d:D

(#q < 2) → read(d) . Buffer(q ⊳ d) + (q = []) → send(head(q)) . Buffer(tail(q)); init Buffer([]);

4 / 26

First-order Boolean Equation System

Definition

A first-order boolean equation system (or parameterised boolean equation system) is a system of equations with boolean variables that can have data parameters and has boolean expressions that can have quantifiers and operators over arbitrary data types.

5 / 26

lps2pbes

proc Buffer(q : List(D)) =

• d:D

(#q < 2) → read(d) . Buffer(q ⊳ d) + (q = []) → send(head(q)) . Buffer(tail(q)); init Buffer([]); Deadlock freedom: infinitely often after any action ([⊤] X), always some action is enabled (⊤ ⊤): νX . ⊤ ⊤ ∧ [⊤] X translates for the simple buffer to: pbes νX(q : List(D)) = (q = []) ∨ (#q < 2) ∧ ∀d∈D . (#q < 2) ⇒ X(q ⊳ d); ∧ (q = []) ⇒ X(tail(q)) init X([]);

6 / 26

Instantiation

pbes νX(q : List(D)) = (q = []) ∨ (#q < 2) ∧ ∀d∈D . (#q < 2) ⇒ X(q ⊳ d); ∧ (q = []) ⇒ X(tail(q)) init X([]); This system of equations instantiates to: µX([]) = true ∧ X([d1]) ∧ X([d2]) µX([d1]) = true ∧ X([d1, d1]) ∧ X([d1, d2]) ∧ X([]) µX([d2]) = . . . µX([d1, d1]) = . . . µX([d1, d2]) = . . . which can be seen as a two-player game.

7 / 26

Parity Games

Definition (Parity Game)

A parity game is a graph G = V , E, V0, V1, vI, Ω, with

◮ V the finite set of vertices (or places or states); ◮ E : V × V the set of transitions; ◮ V0 ⊆ V the set of places owned by player 0; ◮ V1 ⊆ V the set of places owned by player 1; ◮ vI ∈ V the initial state of the game; ◮ Ω : V → N assigns a priority Ω(v) to each vertex v ∈ V ;

ν blocks Even priorities (0, 2, 4, . . . ) µ blocks Odd priorities (1, 3, 5, . . . ) ∨, ∃, Player 0, ∃loise, Even, Prover ∧, ∀, [] Player 1, ∀belard, Odd, Refuter

8 / 26

Example: Tic tac toe

Example

sort Player = struct X | O | −; Board = List(List(Player)); pbes µZ(b : Board, p : Player) = (p = X ∧ ∃x,y∈Pos . (x ≤ 3 ∧ y ≤ 3) ∧ (b[x][y] = −) ∧Z(Put(b, p, x, y), Opponent(p))) ∨(p = O ∧ ∀x,y∈Pos . (x ≤ 3 ∧ y ≤ 3) ∧ (b[x][y] = −) ∧Z(Put(b, p, x, y), Opponent(p))) ∨(some winning conditions for X); init Z([[−, −, −], [−, −, −], [−, −, −]], X);

9 / 26

Instantiation

◮ A state Z([[−, −, −], [−, −, −], [−, −, −]], X) is explored by

substituting the concrete parameters for the data parameters in the formula associated with equation Z and rewriting the formula.

◮ This yields either a conjunction or disjunction of new states

and possibly the boolean values true or false.

◮ For the example, rewriting the formula will yield

Z([[X, −, −], [−, −, −], [−, −, −]], O) ∨Z([[−, X, −], [−, −, −], [−, −, −]], O) ∨Z([[−, −, X], [−, −, −], [−, −, −]], O) ∨ . . .

10 / 26

X X O X O X X O X O

X O X O X

⊤

X O X O X O X O

. . . . . . . . . . . .

X O X X O O O X X

⊥ . . . . . .

X

. . .

X

. . .

X

. . . . . . ∃ ∀ ∃ ∀ ∃

11 / 26

Instantiation

◮ Instantiating is generating a large graph and is much like

state-space generation for LTSs.

◮ LTSmin:

◮ High performance verification tool. ◮ Supports multiple modelling languages. ◮ Explicit sequential, multicore and distributed generation with

transition caching

◮ Symbolic generation 12 / 26

LTSmin

LTSmins view on the world:

◮ States are vectors of integers x0, x1, · · · , xM (other value

types are stored in a database).

◮ A Next function is available that computes successor states

for a state.

◮ For all kinds op optimisations, we split both state vector and

next state function:

◮ the elements xi of the vector are called parts (the data

parameters).

◮ the parts of the equations are called transition groups (the

conjuncts/disjuncts).

◮ Independence (related to locality):

a group g is dependent on part i if the variable that is stored in slot i is read or changed by the expression of group g.

13 / 26

Dependency matrix

Example

pbes µZ(b1,1, b1,2, b1,3, b2,1, . . . , p : Player) = (b1,1 = −) ∧ Z(p, b1,2, b1,3, b2,1, . . . , Opponent(p)) ∨((b1,2 = −) ∧ Z(b1,1, p, b1,3, b2,1, . . . , Opponent(p))) ∨((b1,3 = −) ∧ Z(b1,1, b1,2, p, b2,1, . . . , Opponent(p))) . . . init Z(−, −, −, −, −, −, −, −, −, X); The matrix would then look like: g Var b1,1 b1,2 b1,3 . . . p 1 r + – – + 2 r – + – + 3 r – – + + 4

14 / 26

Transition Groups

Is a state is encoded as 0, 0, 0, 0, 1, 1, 0, 1, 0, 1 and has successor 0, 0, 0, 0, 1, 1, 0, 1, 1, 1 for group g, which is dependent only on vector slots 8 and 9 (the last two), i.e., in row g only cells 8 and 9 have a ‘+’ or an ‘r’. we store the computed transition as 0, 1 , 1, 1 This transition will be applied to any state matching 0, 1 in slots 8 and 9 (we use projection of the state vector) without calling the formula rewriter.

15 / 26

Symbolic Generation

Sets and relations are stored as Multivalue Decision Diagrams (MDDs), which are graph representations of a function f : Intn → Bool E.g.,

1 3 4 1 2 3 1 1 4 ⊤ 1 2 2 3

16 / 26

Solving Parity Games

◮ Player 0 is the winner of a play π if min(Inf(Ω(π))), the

minimum of the priorities that occur infinitely often in π, is even.

◮ Player 0 is the winner of the game iff there exists a winning

strategy for player 0, i.e., from the initial state every play conforming to the strategy will be won by player 0.

◮ Verification: player 0 is the winner of the game iff the property

holds for the system.

17 / 26

Recursive algorithm (Zielonka)

SolveRecursive (G)

1: if V = ∅ then 2:

return ∅, ∅

3: m := min {Ω(v) | v ∈ V }; p := m mod 2 4: U := {v ∈ V | Ω(v) = m} 5: A := Attrp(G, U) 6: X0, X1 := SolveRecursive(G \ A) 7: if X1−p = ∅ then 8:

Wp := A ∪ Xp

9:

W1−p := ∅

10: else 11:

B := Attr1−p(G, X1−p)

12:

Y0, Y1 := SolveRecursive(G \ B)

13:

Wp := Yp

14:

W1−p := B ∪ Y1−p

15: return W0, W1

18 / 26

Attractor Set Computation

Attrp(G, U)

1: A := U {Result set} 2: L := U {Set of nodes added in a level} 3: while not L = ∅ do 4:

A′ := Prev(L) {A′ contains the predecessor nodes of L}

5:

L := Vp ∩ A′

6:

B := Next(A′) \ A

7:

B′ := Prev(B) {B′ contains the predecessor nodes of B, i.e., the nodes from which the other player can choose to move to a node that is not in A.}

8:

L := L ∪ (V1−p ∩ (A′ \ B′))

9:

L := L \ A

10:

A := A ∪ L

11: return A

19 / 26

Successor sets

Next(V ) =

• 0≤g<M

Nextg(V )

20 / 26

Experiments

◮ Tools are available in the development versions of mCRL2 and

LTSmin.

◮ Several options for choosing the partitioning into transition

groups:

◮ simple: only one group per equation ◮ split: split into conjuncts/disjuncts ◮ structured: preserve the structure of the mCRL2 model 21 / 26

Connect Four

7 × 6 board ∼ 4.5 trillion states. Whether player Yellow has a winning strategy: µX . [Wins(Red)] false ∧ Move (Wins(Yellow) true ∨ [Move] X)

22 / 26

Experiments – Connect Four

Generating Solving pbes2lts-sym spgsolver Equation system # states # nodes time mem time mem four.5x4 pbes2bool 1.8 · 106 118 s, 1.7 GB four.5x4 simple 1.28 · 107 5.4 · 105 1156 s 215 MB 181 s 298 MB four.5x4 split 2.12 · 107 8.5 · 104 17 s 52 MB 88 s 118 MB four.5x4 struct 1.25 · 107 4.5 · 104 9.8 s 49 MB 38 s 76 MB four.6x5 split 4.62 · 1010 1.8 · 106 949 s 328 MB four.6x5 struct 2.56 · 1010 1.6 · 106 600 s 324 MB four.7x6 struct 2 · 1014 29 h 15 GB

23 / 26

24 / 26

Experiments – CERN

Generating Solving pbes2spg spgsolver Equation system # states # nodes time mem time mem cern struct 1.47 · 107 6.6 · 105 205 s 115 MB 64 s 118 MB cern split 4.9 · 106 7.8 · 105 3.48 h 574 MB 236 s 479 MB

25 / 26

Conclusions

◮ mCRL2 and µ-calculus are a nice combination for specifying

games

◮ Choosing the right paritioning of the transition relation is

important

◮ When having a good partition, using LTSmin and dependency

matrix for instantiation gives us

◮ good time performance ◮ low memory usage

◮ Symbolic solving with low alternation depth is for the

demonstrated examples faster than generation.

Future work

◮ Improve symbolic generation and solving of parity games

◮ E.g., also allow intersection of relations. ◮ Use parallelised BDD/MDD operations

◮ On-the-fly solving / reduction ◮ Solve Connect Four 7 × 6

26 / 26