Title: Models and Theory of Computation (MTC) EPFL
Models and Theory of Computation (MTC), EPFL
Dirk Beyer, Jasmin Fisher, Nir Piterman
- Simon Kramer: Logic for cryptography
- Marc Schaub: Models for biological systems
- Vasu Singh: Software interface derivation
- Gregory Theoduloz: Combining model checking and program analysis
- Arindam Chakrabarti: Web service interfaces
- Krishnendu Chatterjee: Stochastic games
- Slobodan Matic: Time-triggered programming
- Vinayak Prabhu: Robust hybrid systems
Model Checking: From Graphs to Games
Tom Henzinger, EPFL
Graph Models of Systems
- vertices: states
- edges: transitions
- paths: behaviors

Game Models of Systems
- vertices: states
- edges: transitions
- paths: behaviors
- players: components
Game Models of Systems
- fairness: ω-automaton (graph model) vs. ω-regular game (game model)
- independent components: graph vs. game graph
- probabilities: Markov decision process vs. stochastic game
Graphs vs. Games
(figure: a graph and a game with edges labelled a and b; only the edge labels survived extraction)
Game Models enable
- synthesis (Church, Rabin, Ramadge/Wonham, Pnueli/Rosner et al.)
- receptiveness (Dill, Abadi/Lamport)
- semantics of interaction (Abramsky)
- reasoning about adversarial behavior
- interface-based design
- modular reasoning (Kupferman/Vardi et al.)
- early error detection (de Alfaro/H/Mang)
- model-based testing (Gurevich et al.)
- scheduling (Sifakis et al.)
- reasoning about security (Raskin et al.)
- etc.
Game Models
- Always about open systems
  - players: processes / components / agents
  - input vs. output
  - demonic vs. angelic nondeterminism
- Output games: input is demonic (adversarial)
- Input games: output is demonic
Output Games
P1: init x := 0; loop: choice x := (x+1) mod 2 | x := 0 end choice; end loop.   Specification S1: ?(x y)
P2: init y := 0; loop: choice y := x | y := (x+1) mod 2 end choice; end loop.   Specification S2: ? even(y)
(The temporal operators of S1 and S2 and the relation between x and y did not survive extraction.)
Graph Questions
∀ ?(x y)   ∃ ?(x y)
(figure: the product state graph over (x, y) ∈ {00, 01, 10, 11}; the temporal operator and the yes/no marks did not survive extraction)
Zero-Sum Game Questions
⟨⟨P1⟩⟩ ?(x y)   ⟨⟨P2⟩⟩ ? even(y)
(figure: the same product state graph over (x, y) ∈ {00, 01, 10, 11}, now with P1 and P2 as players; the temporal operators and the yes/no marks did not survive extraction)
ATL: Alur/H/Kupferman
Nonzero-Sum Game Questions
⟨⟨P1⟩⟩ ?(x y) ? ⟨⟨P2⟩⟩ ? even(y)
(figure: the same product state graph over (x, y) ∈ {00, 01, 10, 11}; the temporal operators, the connective between the two questions and the yes/no marks did not survive extraction)
Secure equilibrium: Chatterjee/H/Jurdzinski
Classical Notion of Rationality
- Nash equilibrium: none of the players gains by deviation.
Payoff matrix, entries are (row, column):
            column 1   column 2
  row 1     3,1        1,0
  row 2     4,2        3,2
Refined Notion of Rationality
- Nash equilibrium: none of the players gains by deviation.
- Secure equilibrium: none hurts the opponent by deviation.
Same payoff matrix, entries are (row, column):
            column 1   column 2
  row 1     3,1        1,0
  row 2     4,2        3,2
Secure Equilibrium
- Natural notion of rationality for multi-component systems:
  - first, a component tries to meet its specification;
  - second, a component may obstruct the other components.
- A secure equilibrium is a contract: if one player deviates to lower the other player's payoff, then her own payoff decreases as well, and vice versa.
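The two notions on the payoff matrix, as an added Python example that is not from the slides: it enumerates the pure-strategy profiles of a bimatrix game and keeps those from which no player has a strictly better unilateral deviation, once under the Nash order (own payoff only) and once under the secure order (own payoff first, and on a tie a lower payoff for the opponent). The matrix is the one on the slide; reading "secure" as that lexicographic order follows Chatterjee/H/Jurdzinski, and the function names are mine.

```python
# Added example, not from the slides: pure-strategy Nash and secure equilibria
# of a two-player bimatrix game. payoff[r][c] = (row player's, column player's).
from itertools import product

# The matrix from the slide: rows are the row player's choices, columns the
# column player's; entries are (row, column) payoffs.
PAYOFF = [[(3, 1), (1, 0)],
          [(4, 2), (3, 2)]]

def better(player, new, old, secure):
    """Does `player` (0 = row, 1 = column) strictly prefer outcome `new` to `old`?
    Nash order: only the own payoff counts. Secure order: own payoff first and,
    on a tie, a *lower* payoff for the opponent (lexicographic order)."""
    me, other = player, 1 - player
    if new[me] != old[me]:
        return new[me] > old[me]
    return secure and new[other] < old[other]

def deviations(payoff, profile, player):
    """All profiles in which only `player` changes strategy."""
    r, c = profile
    choices = range(len(payoff)) if player == 0 else range(len(payoff[0]))
    for s in choices:
        if s != profile[player]:
            yield (s, c) if player == 0 else (r, s)

def equilibria(payoff, secure=False):
    """Profiles (r, c) from which no player has a strictly better unilateral
    deviation; secure=True uses the secure order, otherwise the Nash order."""
    found = []
    for r, c in product(range(len(payoff)), range(len(payoff[0]))):
        here = payoff[r][c]
        if not any(better(p, payoff[dr][dc], here, secure)
                   for p in (0, 1) for dr, dc in deviations(payoff, (r, c), p)):
            found.append((r, c))
    return found

if __name__ == "__main__":
    print("Nash:  ", equilibria(PAYOFF))               # [(1, 0), (1, 1)]
    print("secure:", equilibria(PAYOFF, secure=True))  # [(1, 1)]
```

Profile (row 2, column 1) with payoff 4,2 is a Nash equilibrium but not secure: the column player can switch to column 2, keep her own 2 and push the row player from 4 down to 3.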
Theorem
(figure: the state space partitioned into the four regions W00, W01, W10, W11, with the sets ⟨⟨P1⟩⟩S1 and ⟨⟨P2⟩⟩S2 drawn over them; the connective between the two sets did not survive extraction)
- W10 = ⟨⟨P1⟩⟩(S1 ∧ ¬S2)
- W01 = ⟨⟨P2⟩⟩(S2 ∧ ¬S1)
- W11, W00: the remaining two regions
Generalization of Determinacy
- Zero-sum games (S1 is the complement of S2): the state space is partitioned into W1 = ⟨⟨P1⟩⟩S1 and W2 = ⟨⟨P2⟩⟩S2.
- Nonzero-sum games (objectives S1, S2): the state space is partitioned into W00, W01, W10, W11.
Input Games
(figures, repeated as the control problem is refined: a process with outputs x!, y!, z! and inputs a?, b?; only the action labels survived extraction)
- Control objective: ? z (temporal operator lost in extraction)
- Controller: takes x?, y? as inputs and emits a!, b! (Ramadge/Wonham et al.)
- Not input enabling
- Environment avoids deadlock: input assumption (interface automata, de Alfaro/H)
- Legal environment: accepts x,y? and emits a!
- Illegal environment: emits b!
Interface Compatibility
(figures: interface automata; only the action labels survived extraction)
- File server: inputs open?, close?, read?; output data!.
- Good client: outputs open!, read!, close!; input data?.
- Bad client: outputs open! and then open! again.
Incremental Design
(figure slides; only the captions survived extraction)
- Input assumption
- Propagated weakest input assumption
Input Assumption Propagation
(figures: two components with inputs a?, b? and outputs x!, y!, composed with an environment that accepts x,y? and emits a,b?; only the action labels survived extraction)
Two interfaces are compatible if they can be used together in some environment.
The Composite Interface
(figure: the composed interface with inputs a?, b? and outputs x!, y!; only the action labels survived extraction)
Refinement
(figures, repeated with increasing detail: a process with outputs x!, y!, z! and inputs a?, b?, and its refinement, whose environment accepts x,z? and y? and emits a!; only the action labels survived extraction)
Every legal environment should be a legal environment of the refined process.
Interface Refinement: I/O Alternating Simulation
A' ⊑ A iff
1. for all inputs i, if A -i?-> B, then there exists B' such that A' -i?-> B' and B' ⊑ B, and
2. for all outputs o, if A' -o!-> B', then there exists B such that A -o!-> B and B' ⊑ B.
Every environment (i.e., input strategy that avoids deadlock) for A is an environment for A' (Alur/H/Kupferman/Vardi).
The Principle of Independent Implementability
If A and B are compatible and A' ⊑ A and B' ⊑ B, then A' and B' are compatible and A'B' ⊑ AB.
(A' ⊑ A: A' refines / implements A)
- This is a theorem if
  - A, B, A', B' are two-player games, Input vs. Output;
  - two games are compatible if player Input has a winning strategy in the composite game.
Interface-based Design
(figure slides; only the title survived extraction)
Summary
There are many models of computation (e.g. pushdown, timed, stochastic) and many models of interaction (e.g. synchronous). Similarly, there are many variants of games (e.g. concurrent vs. turn-based moves, pure vs. randomized strategies). The technical details are different, but to ask and answer the kind of questions we discussed, the only important feature of a model is the presence of multiple players.
References
- de Alfaro, Henzinger: Interface Automata. FSE 2001.
- Chatterjee, Henzinger, Jurdzinski: Secure Equilibria. LICS 2004.