Synthesizing optimally resilient controllers
Abstract
Recently, Dallal, Neider, and Tabuada studied a generalization of the classical game-theoretic model used in program synthesis, which additionally accounts for unmodeled intermittent disturbances. In this extended framework, one is interested in computing optimally resilient strategies, i.e., strategies that are resilient against as many disturbances as possible. Dallal, Neider, and Tabuada showed how to compute such strategies for safety specifications. In this work, we compute optimally resilient strategies for a much wider range of winning conditions and show that they do not require more memory than winning strategies in the classical model. Our algorithms only have a polynomial overhead in comparison to the ones computing winning strategies. In particular, for parity conditions, optimally resilient strategies are positional and can be computed in quasipolynomial time.
1 Introduction
Reactive synthesis is an exciting and promising approach to solving a crucial problem, whose importance is ever-increasing due to ubiquitous deployment of embedded systems: obtaining correct and verified controllers for safety-critical systems. Instead of an engineer programming a controller by hand and then verifying it against a formal specification, synthesis automatically constructs a correct-by-construction controller from the given specification (or reports that no such controller exists).
Typically, reactive synthesis is modeled as a two-player zero-sum game on a finite graph that is played between the system, which seeks to satisfy the specification, and its environment, which seeks to violate it. Although this model is well understood, there are still multiple obstacles to overcome before synthesis can be realistically applied in practice. These obstacles include not only the high computational complexity of the problem, but also more fundamental ones. Among the most prohibitive issues in this regard is the need for a complete model of the interaction between the system and its environment, including an accurate model of the environment, the actions available to both players, as well as the effects of these actions.
This modeling task often places an insurmountable burden on engineers as the environments in which real-life controllers are intended to operate tend to be highly complex or not fully known at design time. Also, when a controller is deployed in the real world, a common source of errors is a mismatch between the controller’s intended result of an action and the actual result. Such situations arise, e.g., in the presence of disturbances, when the effect of an action is not precisely known, or when the intended control action of the controller cannot be executed, e.g., when an actuator malfunctions. By a slight abuse of notation from control theory, such errors are subsumed under the generic term disturbance (cf. [12]).
To obtain controllers that can handle disturbances, one has to yield control over their occurrence to the environment. However, due to the antagonistic setting of the two-player zero-sum game, this would allow the environment to violate the specification by causing disturbances at will. Overcoming this requires the engineer to develop a realistic disturbance model, which is a highly complex task, as such disturbances are assumed to be rare events. Also, incorporating such a model into the game leads to a severe blowup in the size of the game, which can lead to intractability due to the high computational complexity of synthesis.
To overcome these fundamental difficulties, Dallal et al. [12] proposed a conceptually simple, yet powerful extension of infinite games termed “games with unmodeled intermittent disturbances”. Such games are played similarly to classical infinite games: two players, called Player 0 and Player 1, move a token through a finite graph, whose vertices are partitioned into vertices under the control of Player 0 and Player 1, respectively; the winner is declared based on a condition on the resulting play. In contrast to classical games, however, the graph is augmented with additional disturbance edges that originate in vertices of Player 0 and may lead to any other vertex. Moreover, the mechanics of how Player 0 moves is modified: whenever she moves the token, her move might be overridden, and the token instead moves along a disturbance edge. This change in outcome implicitly models the occurrence of a disturbance—the intended result of the controller and the actual result differ—but it is not considered to be antagonistic. Instead, the occurrence of a disturbance is treated as a rare event without any assumptions on frequency, distribution, etc. This approach very naturally models the kind of disturbances typically occurring in control engineering [12].
As a non-technical example, consider a scenario with three siblings, Alice, Bob, and Charlie, and their father, Donald. He repeatedly asks Alice to fetch water from a well using a jug made of clay. Alice has three ways to fulfill that task: she may get the water herself or she may delegate it to either Bob or Charlie. In a simple model, the outcome of these strategies is identical: Donald’s request for water is fulfilled. This is, however, unrealistic, as this model ignores the various ways that the execution of the strategies may go wrong. By modeling the situation as a game with disturbances, we obtain a more realistic model.
If Alice gets the jug herself, no disturbance can occur: she controls the outcome completely. If she delegates the task to Bob, the older of her brothers, Donald may get angry with her for not fulfilling her duties herself, which should not happen infinitely often. Finally, if she delegates the task to her younger brother Charlie, he might drop and break the jug, which would be disastrous for Alice.
This non-antagonistic nature of disturbances is different from existing approaches in the literature and causes many interesting phenomena that do not occur in the classical theory of infinite graph-based games. In Fig. 1, we show an example of a parity game with disturbances that already exhibits some of these phenomena. In that parity game, vertices are labeled with nonnegative integers, so-called colors, and Player 0 wins if the highest color seen infinitely often is even. For the sake of readability and conciseness, the parity game in Fig. 1 does not model the example given in natural language above, but is rather constructed to showcase properties of games with disturbances.
Consider, for instance, vertex \(v_2\). In the classical setting without disturbances, Player 0 wins every play reaching \(v_2\) by simply looping in this vertex forever (since the highest color seen infinitely often is even). However, this is no longer true in the presence of disturbances: a disturbance in \(v_2\) causes a play to proceed to vertex \(v_1\), from which Player 0 can no longer win. In vertex \(v_7\), Player 0 is in a similar, yet less severe situation: she wins every play with finitely many disturbances but loses if infinitely many disturbances occur. Finally, vertex \(v_9\) falls into a third category: from this vertex, Player 0 wins every play even if infinitely many disturbances occur. In fact, disturbances partition the set of vertices from which Player 0 can guarantee to win into three disjoint regions (indicated as shaded boxes in Fig. 1): (a) vertices from which she can win if at most a fixed finite number of disturbances occur, (b) vertices from which she can win if any finite number of disturbances occurs but not if infinitely many occur, and (c) vertices from which she can win even if infinitely many disturbances occur.
The observation above gives rise to a question that is both theoretically interesting and practically important: if Player 0 can tolerate different numbers of disturbances from different vertices, how should she play to be resilient to as many disturbances as possible, i.e., to tolerate as many disturbances as possible but still win? Put slightly differently, disturbances induce an order on the space of winning strategies (“a winning strategy is better if it is more resilient”), and the natural problem is to compute optimally resilient winning strategies, yielding optimally resilient controllers. Note that this is in contrast to the classical theory of infinite games, where the space of winning strategies is unstructured.
Dallal et al. [12] have solved the problem of computing optimally resilient winning strategies for safety games. Their approach exploits the existence of maximally permissive winning strategies in safety games [2], which allows Player 0 to avoid “harmful” disturbance edges during a play. In games with more expressive winning conditions, however, this is no longer possible, as witnessed by vertex \(v_4\) in the example of Fig. 1: although Player 0 can avoid a disturbance edge by looping in \(v_4\) forever, she needs to move to \(v_2\) eventually in order to see an even color (otherwise she loses), thereby risking to lose if a disturbance occurs. In fact, the problem of constructing optimally resilient winning strategies for games other than safety games has been left open by Dallal, Neider, and Tabuada. In this work, we solve this problem for a large class of infinite games, including parity games.
1.1 Our contributions
In Sect. 2, we introduce the concept of resilience, which captures for each vertex how many disturbances need to occur for Player 0 to lose. This generalizes the notion of determinacy and allows us to derive optimally resilient winning strategies.
Our main result is an algorithm for computing the resilience of vertices and optimally resilient winning strategies, which we present in Sect. 3. This algorithm requires the game to have a prefix-independent winning condition, to be determined, and all its subgames to be (classically) solvable. The latter two conditions are necessary, as resilience generalizes determinacy and computing optimally resilient strategies generalizes solving games. We discuss these assumptions in Sect. 4.
The algorithm uses solvers for the underlying game without disturbances as a subroutine, which it invokes a linear number of times on various subgames. For many winning conditions, the time complexity of our algorithm thus falls into the same complexity class as solving the original game without disturbances, e.g., we obtain a quasipolynomial algorithm for parity games with disturbances, which matches the currently best known upper bound for classical parity games. Stated differently, if the three assumptions above are satisfied by a winning condition, then computing the resilience and optimally resilient strategies is not harder than determining winning regions and winning strategies (ignoring a polynomial overhead).
Our algorithm requires the winning condition of the game to be prefix-independent. We also show how to overcome this restriction by generalizing the classical notion of game reductions to the setting of games with disturbances. As a consequence, via reductions, our algorithm can be applied to prefix-dependent winning conditions. We discuss details in Sect. 4.
Altogether, we have generalized the original result of Dallal, Neider, and Tabuada from safety games to all games which are algorithmically solvable, in particular all \(\omega \)-regular games.
Finally, in Sect. 5, we discuss further phenomena that arise in the presence of disturbances. Amongst others, we illustrate how the additional goal of avoiding disturbances whenever possible affects the memory requirements of strategies. Similarly, we exhibit a tradeoff between resilience and the (semantic) quality of strategies in quantitative games. Moreover, we raise the question of how benevolent disturbances can be leveraged to recover from losing a play. However, an in-depth investigation of these phenomena is outside the scope of this paper and left for future work.
2 Preliminaries
For notational convenience, we employ some ordinal notation à la von Neumann: the nonnegative integers are defined inductively as \(0 = \emptyset \) and \(n+1 = n \cup \{ n \}\). Now, the first limit ordinal is \(\omega = \{ 0,1,2, \ldots \}\), the set of the nonnegative integers. The next two successor ordinals are \(\omega +1 = \omega \cup \{ \omega \}\) and \(\omega +2 = \omega +1 \cup \{ \omega +1 \}\). These ordinals are ordered by set inclusion, i.e., we have \(0< 1< 2< \cdots< \omega< \omega +1 < \omega +2\). For convenience of notation, we also denote the cardinality of \(\omega \) by \(\omega \).
2.1 Infinite games with disturbances
An arena (with unmodeled disturbances) \(\mathcal {A}= (V, V_0, V_1, E, D)\) consists of a finite directed graph (V, E), a partition \(\{ V_0, V_1 \}\) of V into the set of vertices \(V_0\) of Player 0 (denoted by circles) and the set of vertices of Player 1 (denoted by squares), and a set \(D \subseteq V_0 \times V\) of disturbance edges (denoted by dashed arrows). Note that only vertices of Player 0 have outgoing disturbance edges. We require that every vertex \(v \in V\) has a successor \(v'\) with \((v,v') \in E\) to avoid finite plays.
A play in \(\mathcal {A}\) is an infinite sequence \( \rho = (v_0, b_0) (v_1, b_1) (v_2, b_2) \cdots \in (V\times \{ 0,1 \})^\omega \) such that \(b_0 = 0\) and for all \(j>0\): \(b_j = 0\) implies \((v_{j-1}, v_j) \in E\), and \(b_j = 1\) implies \((v_{j-1}, v_j) \in D\). Hence, the additional bits \(b_j\) for \(j > 0\) denote whether a standard or a disturbance edge has been taken to move from \(v_{j-1}\) to \(v_j\), while \(b_0\) is always zero. We say \(\rho \) starts in \(v_0\). A play prefix \((v_0, b_0) \cdots (v_j, b_j)\) is defined similarly and ends in \(v_j\). The number of disturbances in a play \(\rho = (v_0, b_0) (v_1, b_1) (v_2, b_2) \cdots \) is \(\#_{d}(\rho ) = |\{ j \in \omega \mid b_j = 1 \}|\), which is either some \(k \in \omega \) (if there are finitely many disturbances, namely k) or it is equal to \(\omega \) (if there are infinitely many). A play \(\rho \) is disturbance-free, if \(\#_{d}(\rho ) = 0\).
A game (with unmodeled disturbances), denoted by \(\mathcal {G}= (\mathcal {A}, \mathrm {Win})\), consists of an arena \(\mathcal {A}= (V, V_0, V_1, E, D)\) and a winning condition \(\mathrm {Win}\subseteq V^\omega \). A play \(\rho = (v_0, b_0) (v_1, b_1) (v_2, b_2) \cdots \) is winning for Player 0, if \(v_0 v_1 v_2 \cdots \in \mathrm {Win}\), otherwise it is winning for Player 1. Hence, winning is oblivious to occurrences of disturbances. A winning condition \(\mathrm {Win}\) is prefix-independent if for all \(\rho \in V^\omega \) and all \(w \in V^*\) we have \(\rho \in \mathrm {Win}\) if and only if \(w\rho \in \mathrm {Win}\). If \(\mathrm {Win}\) is not prefix-independent, then it is called prefix-dependent.
A strategy for Player \(i \in \{ 0,1 \}\) is a function \(\sigma :V^*V_i \rightarrow V\) such that \((v_j, \sigma (v_0 \cdots v_j)) \in E\) holds for every \(v_0 \cdots v_j \in V^*V_i\). A play \((v_0,b_0) (v_1, b_1) (v_2,b_2) \cdots \) is consistent with \(\sigma \), if \(v_{j+1} = \sigma (v_0 \cdots v_j)\) for every j with \(v_j \in V_i\) and \(b_{j+1} = 0\), i.e., if the next vertex is the one prescribed by the strategy unless a disturbance edge is used.
Remark 1
A strategy \(\sigma \) does not have access to the bits indicating whether a disturbance occurred or not. However, this is not a restriction for Player 0: let \((v_0,b_0) (v_1, b_1) (v_2,b_2) \cdots \) be a play with \(b_j = 1\) for some \(j > 0\). We say that this disturbance is consequential (w.r.t. \(\sigma \)), if \(v_j \ne \sigma (v_0 \cdots v_{j-1})\), i.e., if the disturbance transition \((v_{j-1}, v_j)\) traversed by the play did not lead to the vertex the strategy prescribed. Such consequential disturbances can be detected by comparing the actual vertex \(v_j\) to \(\sigma \)’s output \(\sigma (v_0 \cdots v_{j-1})\). Hence, the bits \(b_j\) denoting consequential disturbances (w.r.t. \(\sigma \)) can be reconstructed by observing the sequence of vertices and by having access to the strategy \(\sigma \).
On the other hand, inconsequential disturbances can just be ignored. In particular, the number of consequential disturbances is always at most the number of disturbances during each play.
2.2 Positional and finite-state strategies
Fix a game \((\mathcal {A}, \mathrm {Win})\) with \(\mathcal {A}= (V, V_0, V_1, E, D)\). A strategy \(\sigma \) for Player i is positional, if \(\sigma (v_0 \cdots v_j) = \sigma (v_j)\) for all \(v_0 \cdots v_j \in V^*V_i\), i.e., the output of \(\sigma \) only depends on the last vertex.
A memory structure for \(\mathcal {A}\) is a triple \(\mathcal {M}= (M, \mathrm {Init}, \mathrm {Upd})\) where M is a finite set of memory states, \(\mathrm {Init}:V \rightarrow M\) is the initialization function, and \(\mathrm {Upd}:M \times V \rightarrow M\) is the memory update function.
The update function can be extended to finite play prefixes: \(\mathrm {Upd}^+(v) = \mathrm {Init}(v)\) and \(\mathrm {Upd}^+(wv) = \mathrm {Upd}(\mathrm {Upd}^+(w), v)\) for \(w \in V^+\) and \(v \in V\). A next-move function \(\mathrm {Nxt}:V_i \times M \rightarrow V\) for Player i has to satisfy \((v, \mathrm {Nxt}(v, m)) \in E\) for all \(v \in V_i\) and all \(m \in M\). It induces a strategy \(\sigma \) for Player i with memory \(\mathcal {M}\) via \(\sigma (v_0\cdots v_j) = \mathrm {Nxt}(v_j, \mathrm {Upd}^+(v_0 \cdots v_j))\).
We say that a strategy \(\sigma \) is implementable by a memory structure \(\mathcal {M}\), if there is a next-move function \(\mathrm {Nxt}\) such that \(\mathcal {M}\) and \(\mathrm {Nxt}\) induce \(\sigma \). If \(\sigma \) is implementable by some memory structure, then we call \(\sigma \) finite-state.
2.3 Infinite games without disturbances
We can characterize the classical notion of infinite games, i.e., those without disturbances, (see, e.g., [18]) as a special case of games with disturbances. Let \(\mathcal {G}\) be a game with vertex set V. A strategy \(\sigma \) for Player i in \(\mathcal {G}\) is a winning strategy for her from \(v \in V\), if every disturbance-free play that starts in v and that is consistent with \(\sigma \) is winning for Player i.
The winning region \(\mathcal {W}_i(\mathcal {G})\) of Player i in \(\mathcal {G}\) contains those vertices \(v \in V\) from which Player i has a winning strategy. Thus, the winning regions of \(\mathcal {G}\) are independent of the disturbance edges, i.e., we obtain the classical notion of infinite games. We say that Player i wins \(\mathcal {G}\) from v, if \(v \in \mathcal {W}_i(\mathcal {G})\). Solving a game amounts to determining its winning regions. Note that every game has disjoint winning regions. In contrast, a game is determined, if every vertex is in either winning region.
2.4 Resilient strategies
Let \(\mathcal {G}\) be a game with vertex set V and let \(\alpha \in \omega +2\). A strategy \(\sigma \) for Player 0 in \(\mathcal {G}\) is \(\alpha \)-resilient from \(v \in V\) if every play \(\rho \) that starts in v, that is consistent with \(\sigma \), and with \(\#_{d}(\rho ) < \alpha \), is winning for Player 0. Thus, a k-resilient strategy with \(k \in \omega \) is winning even under at most \(k-1\) disturbances, an \(\omega \)-resilient strategy is winning even under any finite number of disturbances, and an \((\omega +1)\)-resilient strategy is winning even under infinitely many disturbances.
Remark 2
 1. Let \(\alpha , \alpha ' \in \omega +2\) with \(\alpha > \alpha '\). If a strategy is \(\alpha \)-resilient from v, then it is also \(\alpha '\)-resilient from v.
 2. Every strategy is 0-resilient from v.
 3. A strategy is 1-resilient from v if and only if it is winning for Player 0 from v.
Lemma 1
 1. \(r_\mathcal {G}(v) > 0\) if and only if \(v \in \mathcal {W}_0(\mathcal {G})\).
 2. If \(\mathcal {G}\) is determined, then \(r_\mathcal {G}(v) = 0\) if and only if \(v \in \mathcal {W}_1(\mathcal {G})\).
Proof
(1) The resilience of v is greater than zero if and only if Player 0 has a 1-resilient strategy from v due to Item 2 of Remark 2. The latter condition is equivalent to Player 0 having a winning strategy for \(\mathcal {G}\) from v, i.e., to \(v \in \mathcal {W}_0(\mathcal {G})\), due to Item 3 of Remark 2.
(2) Due to Items 1 and 3 of Remark 2, the resilience of v is zero if and only if Player 0 has no winning strategy for \(\mathcal {G}\) from v, i.e., \(v \notin \mathcal {W}_0(\mathcal {G})\). Due to determinacy, this is equivalent to \(v \in \mathcal {W}_1(\mathcal {G})\).\(\square \)
Note that determinacy is a necessary condition for Item 2. In an undetermined game, the vertices that are in neither winning region have resilience zero, due to Item 1, but are in particular not in \(\mathcal {W}_1(\mathcal {G})\).
A strategy \(\sigma \) is optimally resilient, if it is \(r_\mathcal {G}(v)\)-resilient from every vertex v. Every such strategy is a uniform winning strategy for Player 0, i.e., a strategy that is winning from every vertex in her winning region. Hence, positional optimally resilient strategies can only exist in games which have uniform positional winning strategies for Player 0.
Our goal is to determine the mapping \(r_\mathcal {G}\) and to compute an optimally resilient strategy.
3 Computing optimally resilient strategies
To compute optimally resilient strategies, we first characterize the vertices of finite resilience in Sect. 3.1. All other vertices either have resilience \(\omega \) or \(\omega +1\). To distinguish between these possibilities, we show how to determine the vertices with resilience \(\omega +1\) in Sect. 3.2. In Sect. 3.3, we show how to compute optimally resilient strategies using the results of the first two sections. We only consider prefix-independent winning conditions in Sects. 3.1 and 3.3. In Sect. 4, we show how to overcome this restriction.
3.1 Characterizing vertices of finite resilience
Our goal in this section is to characterize vertices with finite resilience in a game with prefix-independent winning condition, i.e., those vertices from which Player 0 can win even under \(k-1\) disturbances, but not under k disturbances, for some \(k \in \omega \).
To illustrate our approach, consider the parity game in Fig. 1, which is determined and has a prefix-independent winning condition. The winning region of Player 1 only contains the vertex \(v_1\). Thus, by Lemma 1, \(v_1\) is the only vertex with resilience zero, every other vertex has a larger resilience.
Now, consider the vertex \(v_2\), which has a disturbance edge leading into the winning region of Player 1. Due to this edge, \(v_2\) has resilience at most one. This implies, as argued above, that \(v_2\) has resilience precisely one. The unique disturbance-free play starting in \(v_1\) is consistent with every strategy for Player 0 and violates the winning condition. Due to prefix-independence, prepending the disturbance edge does not change the winner and consistency with every strategy for Player 0. Hence, this play witnesses that \(v_2\) has resilience at most one, while \(v_2\) being in Player 0’s winning region yields the matching lower bound. However, \(v_2\) is the only vertex to which this reasoning applies. Now, consider \(v_3\): from here, Player 1 can force a play to visit \(v_2\) using a standard edge. Thus, \(v_3\) has resilience one as well. Again, this is the only vertex to which this reasoning is applicable.
In particular, from \(v_4\), Player 0 can avoid reaching the vertices for which we have already determined the resilience by using the self loop. However, this comes at a steep price for her: doing so results in a losing play, as the color of \(v_4\) is odd. Thus, if she wants to have a chance at winning, she has to take a risk by moving to \(v_2\), from which she has a 1-resilient strategy, i.e., one that is winning if no more disturbances occur. For this reason, \(v_4\) has resilience one as well. The same reasoning applies to \(v_6\): Player 1 can force the play to \(v_4\) and from there Player 0 has to take a risk by moving to \(v_2\).
The vertices \(v_3\), \(v_4\), and \(v_6\) share the property that Player 1 can either enforce a play violating the winning condition or reach a vertex with already determined finite resilience. These three vertices are the only ones currently satisfying this property. They all have resilience one since Player 1 can enforce to reach a vertex of resilience one, but he cannot enforce reaching a vertex of resilience zero. Now, we can also determine the resilience of \(v_5\): the disturbance edge from \(v_5\) to \(v_3\) witnesses it being two.
Afterwards, these two arguments no longer apply to new vertices: no disturbance edge leads from a vertex \(v \in \{ v_7, \ldots , v_{10} \} \) to some vertex whose resilience is already determined and Player 0 has a winning strategy from each such v that additionally avoids vertices whose resilience is already determined. Thus, our reasoning cannot determine their resilience. This is consistent with our goal, as all four vertices have non-finite resilience: \(v_7\) and \(v_8\) have resilience \(\omega \) and \(v_9\) and \(v_{10}\) have resilience \(\omega +1\). Our reasoning here cannot distinguish these two values. We solve this problem in Sect. 3.2.
We now formalize the reasoning sketched above: starting from the vertices in Player 1’s winning region having resilience zero, we use a so-called disturbance update and a risk update to determine all vertices of finite resilience. A disturbance update computes the resilience of vertices having a disturbance edge to a vertex whose resilience is already known (such as vertices \(v_2\) and \(v_5\) in the example of Fig. 1). A risk update, on the other hand, determines the resilience of vertices from which either Player 1 can force a visit to a vertex with known resilience (such as vertices \(v_3\) and \(v_6\)) or Player 0 needs to move to such a vertex in order to avoid losing (e.g., vertex \(v_4\)). To simplify our proofs, we describe both as monotone operators updating partial rankings mapping vertices to \(\omega \), which might update already defined values. We show that applying these updates in alternation eventually yields a stable ranking that indeed characterizes the vertices of finite resilience.
Throughout this section, we fix a game \(\mathcal {G}= (\mathcal {A}, \mathrm {Win})\) with \(\mathcal {A}= (V, V_0, V_1, E, D)\) and prefix-independent \(\mathrm {Win}\subseteq V^\omega \) satisfying the following condition: the game \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(U))\) is determined for every \(U \subseteq V\). We discuss this requirement in Sect. 4.
A ranking for \(\mathcal {G}\) is a partial mapping \(r :V \dashrightarrow \omega \). The domain of r is denoted by \(\mathrm {dom}(r)\), its image by \(\mathrm {im}(r)\). Let r and \(r'\) be two rankings. We say that \(r'\) refines r if \(\mathrm {dom}(r') \supseteq \mathrm {dom}(r)\) and if \(r'(v) \le r(v)\) for all \(v \in \mathrm {dom}(r)\). A ranking r is sound, if we have \(r(v) = 0\) if and only if \(v \in \mathcal {W}_1(\mathcal {G})\) (cf. Lemma 1).
Lemma 2
The disturbance update \(r'\) of a sound ranking r is sound and refines r.
Proof
As the minimization defining \(r'(v)\) ranges over a superset of \(\{ r(v) \}\), we have \(r'(v) \le r(v)\) for every \(v \in \mathrm {dom}(r)\). This immediately implies refinement. From this inequality, we also obtain \(r'(v) = 0\) for every \(v \in \mathcal {W}_1(\mathcal {G})\), due to soundness of r. Finally, consider some \(v \in \mathcal {W}_0(\mathcal {G})\). Then, \(r(v) >0\) by soundness of r. Thus, \(r'(v) > 0\) as well, as both r(v) and each \(r(v') + 1\) are greater than zero. Altogether, \(r'\) is sound as well. \(\square \)
Lemma 3
The risk update \(r'\) of a sound ranking r is sound and refines r.
Proof
We show \(r'(v) \le r(v)\) for every \(v \in \mathrm {dom}(r)\), which implies both refinement and \(r'(v) = 0\) for every \(v \in \mathcal {W}_1(\mathcal {G})\), as argued in the proof of Lemma 2.
Thus, let \(v \in \mathrm {dom}(r)\). Trivially, \(v \in \{ v' \in \mathrm {dom}(r) \mid r(v') \le r(v) \}\). Thus, Player 1 wins the game \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(\{ v' \in \mathrm {dom}(r) \mid r(v') \le r(v) \}))\) from v by violating the safety condition right away. Hence, \(v \in A_{r(v)}\) and thus \(r'(v) \le r(v)\).
To complete the proof of soundness of \(r'\), we just have to show \(r'(v) > 0\) for every \(v \in \mathcal {W}_0(\mathcal {G})\). Towards a contradiction, assume \(r'(v) = 0\), i.e., \(v \in A_0\). Thus, Player 1 has a strategy \(\tau \) from v that ensures that either the winning condition is violated or that a vertex \(v'\) with \(r(v') = 0\) is reached, i.e., \(v' \in \mathcal {W}_1(\mathcal {G})\) by soundness of r. Hence, Player 1 has a winning strategy \(\tau _{v'}\) for \(\mathcal {G}\) from every such \(v'\). This implies that he also has a winning strategy from v: play according to \(\tau \) until a vertex \(v'\) with \(r(v')=0\) is reached. From there, mimic \(\tau _{v'}\) when starting from \(v'\). Every resulting disturbance-free play has a suffix that violates the winning condition \(\mathrm {Win}\). Thus, by prefix-independence, the whole play violates \(\mathrm {Win}\) as well, i.e., it is winning for Player 1. Thus, \(v \in \mathcal {W}_1(\mathcal {G})\), which yields the desired contradiction, as winning regions are always disjoint.\(\square \)
Let \(r_0\) be the unique sound ranking with domain \(\mathcal {W}_1(\mathcal {G})\), i.e., \(r_0\) maps exactly the vertices in Player 1’s winning region to zero, all others are undefined. Starting with \(r_0\), we inductively define a sequence of rankings \((r_j)_{j \in \omega }\) such that \(r_{j}\) for an odd (even) \(j >0\) is the disturbance (risk) update of \(r_{j-1}\), i.e., we alternate between disturbance and risk updates.
Due to refinement, the \(r_j\) eventually stabilize, i.e., there is some \(j_0\) such that \(r_j = r_{j_0}\) for all \(j \ge j_0\). Define \(r^* = r_{j_0}\). Due to \(r_0\) being sound and by Lemmas 2 and 3, each \(r_j\), and \(r^*\) in particular, is sound. If \(v \in \mathrm {dom}(r^*)\), let \(j_v\) be the minimal j with \(v \in \mathrm {dom}(r_j)\); otherwise, \(j_v\) is undefined.
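The alternation of disturbance and risk updates can be run on a small game. The following is an added example, not code from the paper: it specialises \(\mathrm {Win}\) to a Büchi condition (prefix-independent and determined) and uses a constructed eight-vertex arena that is not the game of Fig. 1. It assumes the update rules as they are read off the proofs of Lemmas 2 and 3: the disturbance update takes the minimum of \(r(v)\) and \(r(v')+1\) over disturbance edges \((v,v')\), and the risk update assigns the least k such that Player 1 wins \(\mathrm {Win}\cap \mathrm {Safety}(\{ v' \in \mathrm {dom}(r) \mid r(v') \le k \})\) from v. All function and vertex names are hypothetical.

```python
# Added example (not from the paper): finite-resilience ranks for a Buechi game.
# Assumption: update rules are reconstructed from the proofs of Lemmas 2 and 3.

def attractor(player, target, verts, owner, edges):
    """Vertices of the subgame `verts` from which `player` forces a visit to `target`."""
    attr = set(target) & verts
    changed = True
    while changed:
        changed = False
        for v in verts - attr:
            succ = [w for w in edges[v] if w in verts]
            if owner[v] == player:
                hit = any(w in attr for w in succ)
            else:
                hit = all(w in attr for w in succ)
            if hit:
                attr.add(v)
                changed = True
    return attr

def buchi_win0(verts, owner, edges, accepting):
    """Player 0's winning region of the Buechi game restricted to `verts`."""
    verts = set(verts)
    while True:
        reach = attractor(0, accepting & verts, verts, owner, edges)
        lost = attractor(1, verts - reach, verts, owner, edges)
        if not lost:
            return verts
        verts -= lost

def player1_wins(unsafe, V, owner, edges, accepting):
    """Player 1's winning region of (A, Win ∩ Safety(unsafe)), using determinacy."""
    safe = V - attractor(1, unsafe, V, owner, edges)
    return V - buchi_win0(safe, owner, edges, accepting)

def disturbance_update(r, dist):
    """r'(v) = min of r(v) and r(v') + 1 over disturbance edges (v, v')."""
    new = dict(r)
    for v, targets in dist.items():
        cands = [r[w] + 1 for w in targets if w in r]
        if v in r:
            cands.append(r[v])
        if cands:
            new[v] = min(cands)
    return new

def risk_update(r, V, owner, edges, accepting):
    """r'(v) = least k such that Player 1 wins Win ∩ Safety({v' | r(v') <= k}) from v."""
    new = {}
    for k in sorted(set(r.values()), reverse=True):  # smaller k overwrites larger
        unsafe = {v for v, rank in r.items() if rank <= k}
        for v in player1_wins(unsafe, V, owner, edges, accepting):
            new[v] = k
    return new

def finite_resilience(V, owner, edges, dist, accepting):
    """Alternate both updates from r_0 until the ranking is stable (r*)."""
    r = {v: 0 for v in player1_wins(set(), V, owner, edges, accepting)}
    while True:
        nxt = risk_update(disturbance_update(r, dist), V, owner, edges, accepting)
        if nxt == r:
            return r
        r = nxt

# Constructed arena: Player 0 wins iff an accepting vertex is seen infinitely often.
V = {"a", "b", "c", "d", "e", "f", "g", "h"}
OWNER = {"a": 0, "b": 0, "c": 1, "d": 0, "e": 0, "f": 0, "g": 0, "h": 0}
EDGES = {"a": ["a"], "b": ["b"], "c": ["b", "e"], "d": ["d", "b"],
         "e": ["e"], "f": ["f"], "g": ["h"], "h": ["g"]}
DIST = {"b": ["a"], "e": ["c"], "g": ["g"]}   # disturbance edges
ACCEPTING = {"b", "e", "f", "h"}

if __name__ == "__main__":
    ranks = finite_resilience(V, OWNER, EDGES, DIST, ACCEPTING)
    for v in sorted(V):
        print(v, ranks.get(v, "not finite (omega or omega+1)"))
```

Vertices missing from the returned ranking are the ones the two updates never reach; in the constructed arena these are f, g, and h, whose resilience is not finite.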
Lemma 4
If \(v \in \mathrm {dom}(r^*)\), then \(r_{j_v}(v) = r_j(v)\) for all \(j \ge j_v\).
Proof

If \(j_v\) is odd, then \(r_j(v) = \frac{j_v+1}{2}\) for every \(j \ge j_v\).

If \(j_v\) is even, then \(r_j(v) = \frac{j_v}{2}\) for every \(j \ge j_v\).
We say that a vertex v is updated to \(k \in \omega \) in \(r_j\) if \(r_j(v) = k\) and either \(v \notin \mathrm {dom}(r_{j-1})\) or both \(v \in \mathrm {dom}(r_{j-1})\) and \(r_{j-1}(v) \ne k\) (here, \(r_{-1}\) is the unique ranking with empty domain). Note that as part of the proof, we have to show that the second case never occurs.

If j is odd, then no v is updated in \(r_j\) to some \(k < \frac{j+1}{2}\).

If j is even, then no v is updated in \(r_j\) to some \(k < \frac{j}{2}\).
Now, let \(j > 2\) and first consider the case where j is odd. Towards a contradiction, assume that \(v \in V\) is updated in \(r_j\) to some value less than \(\frac{j+1}{2}\). Since j is odd, \(r_j\) is the disturbance update of \(r_{j-1}\). Further, as v is updated in \(r_j\), there exists some disturbance edge \((v, v') \in D\) such that \(r_j(v) = r_{j-1}(v') + 1\). Thus, \(r_{j-1}(v')< r_j(v) < \frac{j+1}{2}\), i.e., \(r_{j-1}(v') \le \frac{j+1}{2} - 2 = \frac{j-3}{2}\). First, we show \(r_{j-3}(v') = r_{j-2}(v') = r_{j-1}(v')\), i.e., the rank of \(v'\) is stable during the last two updates.
First assume towards a contradiction \(r_{j-2}(v') \ne r_{j-1}(v')\). Then, \(v'\) is updated in \(r_{j-1}\) to some rank of at most \(\frac{j-3}{2}\), which is in turn smaller than \(\frac{j-1}{2}\), violating the induction hypothesis for \(j-1\). Hence, \(r_{j-2}(v') = r_{j-1}(v')\). The same reasoning yields a contradiction to the assumption \(r_{j-3}(v') \ne r_{j-2}(v')\). Thus, we indeed obtain \(r_{j-3}(v') = r_{j-2}(v') = r_{j-1}(v')\).
Since \(r_{j-2}\) is the disturbance update of \(r_{j-3}\), we obtain \(r_{j-2}(v) \le r_{j-3}(v') + 1 = r_{j-1}(v') + 1 = r_j(v)\). Due to refinement, we obtain \(r_{j-2}(v) \ge r_{j}(v)\), i.e., altogether \(r_{j-2}(v) = r_{j-1}(v) = r_{j}(v)\). The latter equality contradicts our initial assumption, namely v being updated in \(r_j\) to \(r_j(v)\).
Now, consider the case where j is even. Again, assume towards a contradiction that \(v \in V\) is updated in \(r_j\) to some value less than \(\frac{j}{2}\). Since j is even, \(r_j\) is the risk update of \(r_{j-1}\). Further, as v is updated in \(r_j\), Player 1 wins the game \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(U))\) from v, where \(U = \{ v' \in \mathrm {dom}(r_{j-1}) \mid r_{j-1}(v') \le r_j(v) \}\). Hence, he has a strategy \(\tau \) such that every play starting in v and consistent with \(\tau \) either violates \(\mathrm {Win}\) or eventually visits some vertex \(v'\) with \(r_{j-1}(v') \le r_j(v)\). We claim \(r_{j-2}(v') = r_{j-1}(v')\) for all \(v' \in U\).
Towards a contradiction, assume \(r_{j-2}(v') \ne r_{j-1}(v')\) for some \(v' \in U\). Note that we have \(r_{j-1}(v') \le r_j(v) < \frac{j}{2}\). Thus, \(v'\) is updated in \(r_{j-1}\) to some value strictly less than \(\frac{j}{2}\), which contradicts the induction hypothesis for \(j-1\). Hence, we indeed obtain \(r_{j-2}(v') = r_{j-1}(v')\) for all \(v' \in U\).
Thus, there are two types of vertices \(v'\) in U: those for which \(r_{j-3}(v')\) is defined, which implies \(r_{j-3}(v') = r_{j-1}(v')\) due to the induction hypothesis and refinement, and those where \(r_{j-3}(v')\) is undefined, which implies \(r_{j-2}(v') = r_{j-1}(v')\) due to the claim above.
We claim that Player 1 wins \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(\{ v'' \in \mathrm {dom}(r_{j-3}) \mid r_{j-3}(v'') \le r_j(v) \}))\) from v, which implies \(r_{j-2}(v) = r_j(v)\). This contradicts v being updated in \(r_j\), our initial assumption.
To this end, we construct a strategy \(\tau '\) from v that either violates \(\mathrm {Win}\) or reaches a vertex \(v''\) with \(r_{j-3}(v'')\le r_j(v)\) as follows. From v, \(\tau '\) mimics \(\tau \) until a vertex \(v'\) in U is reached (if it is at all). If \(v'\) is of the first type, then we have \(r_{j-3}(v') = r_{j-1}(v') \le r_j(v)\). If \(v'\) is of the second type, then \(v'\) is updated in \(r_{j-2}\) to some rank \(r_{j-2}(v') = r_{j-1}(v') \le r_j(v)\). As \(r_{j-2}\) is the risk update of \(r_{j-3}\), Player 1 has a strategy \(\tau _{v'}\) from \(v'\) that either violates \(\mathrm {Win}\) or reaches a vertex \(v''\) with \(r_{j-3}(v'') \le r_{j-2}(v') \le r_j(v)\). Thus, starting in \(v'\), \(\tau '\) mimics \(\tau _{v'}\) from \(v'\) until such a vertex is reached (if it is reached at all). Thus, every play that starts in v and is consistent with \(\tau '\) either violates \(\mathrm {Win}\) (as it has a suffix that does) or reaches a vertex \(v''\) with \(r_{j-3}(v'') \le r_j(v)\), which proves our claim. \(\square \)
Lemma 4 implies that an algorithm computing the \(r_j\) does not need to implement the definition of the two updates as presented above, but can be optimized by taking into account that a rank is never updated once set. However, for the proofs below, the definition presented above is more expedient, as it gives stronger preconditions to rely on, e.g., Lemmas 2 and 3 only hold for the definition presented above.
Also, from the proof of Lemma 4, we obtain an upper bound on the maximal rank of \(r^*\). This in turn implies that the \(r_j\) stabilize quickly, as \(r_j = r_{j+1} = r_{j+2}\) implies \(r_j = r^*\).
Corollary 1
We have \(\mathrm {im}(r^*) = \{ 0, 1, \ldots , n \}\) for some \(n < |V|\) and \(r^* = r_{2|V|}\).
The main result of this section shows that \(r^*\) characterizes the resilience of vertices of finite resilience.
Lemma 5
1. If \(v \in \mathrm {dom}(r^*)\), then \(r_\mathcal {G}(v) = r^*(v)\).
2. If \(v \notin \mathrm {dom}(r^*)\), then \(r_\mathcal {G}(v) \in \{ \omega , \omega +1 \}\).
Proof
(1) We show \(r_\mathcal {G}(v) \le r^*(v)\) and \(r_\mathcal {G}(v) \ge r^*(v)\).
We define a play with the desired properties by constructing longer and longer finite prefixes before finally appending an infinite suffix. During the construction, we ensure that each such prefix ends in \(\mathrm {dom}(r^*)\) in order to be able to proceed with our construction.
The first prefix just contains the starting vertex (v, 0), i.e., the prefix does indeed end in \(\mathrm {dom}(r^*)\). Now, assume we have produced a prefix \(w(v',b')\) ending in some vertex \(v' \in \mathrm {dom}(r^*)\), which implies that \(j_{v'}\) is defined. We consider three cases:
If \(j_{v'} = 0\), then \(v' \in \mathcal {W}_1(\mathcal {G})\) by definition of \(r_0\), i.e., Player 1 has a winning strategy \(\tau \) from v. Thus, we extend \(w(v',b')\) by the unique disturbance-free play that starts in \(v'\) and is consistent with \(\sigma \) and \(\tau \), without its first vertex. In that case, the construction of the infinite play is complete.
Second, if \(j_{v'} > 0\) is odd, then \(v'\) received its rank \(r^*(v')\) during a disturbance update. Hence, there is some \(v''\) such that \((v',v'') \in D\) with \(r^*(v') - 1 = r^*(v'') \). In this case, we extend \(w(v',b')\) by such a vertex \(v''\) to obtain the new prefix \(w(v',b')(v'',1)\), which satisfies the invariant, as \(v''\) is in \(\mathrm {dom}(r^*)\). Further, we have \(j_{v''} < j_{v'}\) as the rank of \(v''\) had to be defined in order to be considered during the disturbance update assigning a rank to \(v'\).
Finally, if \(j_{v'} > 0\) is even, then \(v'\) received its rank \(r^*(v')\) during a risk update. We claim that Player 1 has a strategy \(\tau _{v'}\) that guarantees one of the following outcomes from \(v'\): either the resulting play violates \(\mathrm {Win}\) or it encounters a vertex \(v''\) that satisfies \(r^*(v'') \le r^*(v')\) and \(j_{v''} < j_{v'}\) (which implies \(v'' \ne v'\)).
In that case, consider the unique disturbance-free play \(\rho '\) that starts in \(v'\) and is consistent with \(\sigma \) and the strategy \(\tau _{v'}\) as above. If \(\rho '\) violates \(\mathrm {Win}\), then we extend \(w(v',b')\) by \(\rho '\) without its first vertex. In that case, the construction of the infinite play is complete.
If \(\rho '\) does not violate \(\mathrm {Win}\), then we extend \(w(v',b')\) by the prefix of \(\rho '\) without its first vertex and up to (and including) the first occurrence of a vertex \(v''\) in \(\rho '\) satisfying the properties described above. Note that this again satisfies the invariant.
Note that only in two cases, we extend the prefix to an infinite play. In the other two cases, we just extend the prefix to a longer finite one. Thus, we first show that this construction always results in an infinite play. To this end, let \(w_0(v_0,b_0)\) and \(w_1 (v_1,b_1)\) be two of the prefixes constructed above such that \(w_1(v_1,b_1)\) is an extension of \(w_0(v_0,b_0)\). A simple induction proves \(j_{v_1} < j_{v_0}\). Hence, as the value can only decrease finitely often, at some point an infinite suffix is added. Thus, we indeed construct an infinite play.
Finally, we have to show that the resulting play has the desired properties: by construction, the play starts in v and is consistent with \(\sigma \). Furthermore, by construction, it has a disturbance-free suffix that violates \(\mathrm {Win}\). Thus, by prefix-independence, the whole play also violates \(\mathrm {Win}\). It remains to show that it has at most \(r^*(v)\) disturbances. To this end, let \(w_0(v_0,b_0)\) and \(w_1 (v_1,b_1)\) be two of the prefixes such that \(w_1 (v_1,b_1)\) is obtained by extending \(w_0(v_0,b_0)\) once. If the extension consists of taking the disturbance edge \((v_0, v_1) \in D\), then we have \(r^*(v_1) = r^*(v_0)+1\). The only other possibility is the extension consisting of a finite play prefix that is consistent with the strategy \(\tau _{v_0}\). Then, by construction, we obtain \(r^*(v_1) \le r^*(v_0)\). So, there are at most \(r^*(v)\) many disturbances in the play, as the current rank decreases with every disturbance edge and does not increase with the other type of extension, but is always nonnegative.
“\(\mathbf r _{\varvec{\mathcal {G}}}(\mathbf v ) \varvec{\ge } \mathbf r ^{\varvec{*}}(\mathbf v )\)”: Here, we construct a strategy \(\sigma _{\!f}\) for Player 0 that is \(r^*(v)\)-resilient from every \(v \in \mathrm {dom}(r^*)\), i.e., from v, \(\sigma _{\!f}\) has to be winning even under \(r^*(v) - 1\) disturbances. As every strategy is 0-resilient, we only have to consider those v with \(r^*(v) >0\).
The proof is based on the fact that \(r^*\) is both stable under the disturbance and under the risk update, i.e., the disturbance update and the risk update of \(r^*\) are \(r^*\), which yields the following properties. Let \((v,v') \in D\) be a disturbance edge such that \(r^*(v) > 0\). Then, we have \(r^*(v') \ge r^*(v) - 1\). Also, for every \(v \in \mathrm {dom}(r^*)\) with \(r^*(v) > 0\), Player 0 has a winning strategy \(\sigma _v\) from v for the game \(\mathcal {G}_v = (\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(\{ v' \in \mathrm {dom}(r^*) \mid r^*(v') < r^*(v) \}))\) (note the strict inequality). Here, we apply determinacy of \(\mathcal {G}_v\), as the risk update is formulated in terms of Player 1’s winning region.
Now, we define \(\sigma _{\!f}\) to always mimic a strategy \(\sigma _{v_{\mathrm {cur}}}\) for some \(v_\mathrm {cur}\in \mathrm {dom}(r^*)\), which is initialized by the starting vertex. The strategy \(\sigma _{v_{\mathrm {cur}}}\) is mimicked until a consequential (w.r.t. \(\sigma _{v_\mathrm {cur}}\)) disturbance edge is taken, say by reaching \(v'\). In that case, the strategy \(\sigma _{\!f}\) discards the history of the play constructed so far, updates \(v_\mathrm {cur}\) to \(v'\), and begins mimicking \(\sigma _{v'}\). This is repeated ad infinitum.
Now, consider a play that starts in \(\mathrm {dom}(r^*)\), is consistent with \(\sigma _{\!f}\), and has less than \(r^*(v)\) disturbances. The part up to the first consequential disturbance edge (if it exists at all) is consistent with \(\sigma _v\). Now, let \((v_0, v_0')\) be the corresponding disturbance edge. Then, we have \(r^*(v_0) \ge r^*(v)\), as \(\sigma _v\) being a winning strategy for the safety condition never visits vertices with a rank smaller than \(r^*(v)\). Thus, we conclude \(r^*(v_0') \ge r^*(v_0) - 1 \ge r^*(v) - 1\). Similarly, the part between the first and the second consequential disturbance edge (if it exists at all) is consistent with \(\sigma _{v_0'}\). Again, if \((v_1, v_1')\) is the corresponding disturbance edge, then we have \(r^*(v_1') \ge r^*(v_1) - 1 \ge r^*(v) - 2\). Continuing this reasoning shows that less than \(r^*(v)\) (consequential) disturbance edges lead to a vertex \(v'\) with \(r^*(v') > 0\), as the rank is decreased by at most one for every disturbance edge. The suffix starting in this vertex is disturbance-free and consistent with \(\sigma _{v'}\). Hence, the suffix satisfies \(\mathrm {Win}\), i.e., by prefix-independence, the whole play satisfies \(\mathrm {Win}\) as well. Thus, \(\sigma _{\!f}\) is indeed \(r^*(v)\)-resilient from every \(v \in \mathrm {dom}(r^*)\).
(2) Let \(X = V {\setminus } \mathrm {dom}(r^*)\). The disturbance update of \(r^*\) being \(r^*\) implies that every disturbance edge starting in X leads back to X. Similarly, the risk update of \(r^*\) being \(r^*\) implies \(X = \mathcal {W}_0(\mathcal {G}_X)\) for \(\mathcal {G}_X = (\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(V {\setminus } X))\). Thus, from every \(v \in X\), Player 0 has a strategy \(\sigma _v\) such that every disturbance-free play that starts in v and is consistent with \(\sigma _v\) satisfies the winning condition \(\mathrm {Win}\) and never leaves X. Using these properties, we construct a strategy \(\sigma _{\!\omega }\) that is \(\omega \)-resilient from each \(v \in X\). Thus, \(r_\mathcal {G}(v) \in \{ \omega , \omega +1 \}\).
The definition of the strategy \(\sigma _{\!\omega }\) here is similar to the one above yielding the lower bound on the resilience. Again, \(\sigma _{\!\omega }\) always mimics a strategy \(\sigma _{v_{\mathrm {cur}}}\) for some \(v_\mathrm {cur}\in X\), which is initialized by the starting vertex. The strategy \(\sigma _{v_{\mathrm {cur}}}\) is mimicked until a consequential (w.r.t. \(\sigma _{v_\mathrm {cur}}\)) disturbance edge is taken, say by reaching the vertex \(v'\). In that case, the strategy \(\sigma _{\!\omega }\) discards the history of the play constructed so far, updates \(v_\mathrm {cur}\) to \(v'\), and begins mimicking \(\sigma _{v'}\). This is repeated ad infinitum.
Due to the properties of the disturbance edges and the strategies \(\sigma _v\), such a play never leaves X, even if disturbances occur. Furthermore, if only finitely many disturbances occur, then the resulting play has a disturbance-free suffix that starts in some \(v' \in X\) and is consistent with \(\sigma _{v'}\). As \(\sigma _{v'}\) is winning from \(v'\) in \(\mathcal {G}_X\), this suffix satisfies \(\mathrm {Win}\). Hence, by prefix-independence of \(\mathrm {Win}\), the whole play also satisfies \(\mathrm {Win}\). Thus, \(\sigma _{\!\omega }\) is indeed an \(\omega \)-resilient strategy from every \(v \in X\). \(\square \)
Combining Corollary 1 and Lemma 5, we obtain an upper bound on the resilience of vertices with finite resilience.
Corollary 2
We have \(r_\mathcal {G}(V) \cap \omega = \{ 0, 1, \ldots , n \}\) for some \(n < |V|\).
3.2 Characterizing vertices of resilience \(\omega +1\)
Our goal in this section is to determine the vertices of resilience \(\omega +1\), i.e., those from which Player 0 can win even under an infinite number of disturbances. Intuitively, in this setting, we give Player 1 control over the disturbance edges, as he cannot execute more than infinitely many disturbances during a play.
In the following, we prove this intuition to be correct. To this end, we transform the arena of the game so that at a vertex of Player 0, first Player 1 gets to choose whether he wants to take one of the disturbance edges and, if not, gives control to Player 0, who is then able to use a standard edge.

D: Player 1 uses a disturbance edge.

\( \{ (v ,\overline{v}) \mid v \in V_0 \} \): Player 1 does not use a disturbance edge and yields control to Player 0.

\(\{ (\overline{v},v') \mid (v,v') \in E \text { and } v\in V_0 \}\): Player 0 has control and picks a standard edge.

\( \{ (v ,v') \mid (v,v') \in E \text { and } v\in V_1 \} \): Player 1 takes a standard edge.
Figure 2 illustrates the construction of a rigged game for the example game of Fig. 1 (note that the rigged game is also a parity game in this example). And indeed, the winning region of Player 0 corresponds to the vertices of resilience \(\omega + 1\) in the game of Fig. 1.
The following lemma formalizes the observation that \(\mathcal {W}_0({\mathcal {G}_{\mathrm {rig}}})\) characterizes the vertices of resilience \(\omega +1\) in \(\mathcal {G}\). Note that we have no assumptions on \(\mathcal {G}\) here.
Lemma 6
Let v be a vertex of the game \(\mathcal {G}\). Then, \(v \in \mathcal {W}_0({\mathcal {G}_{\mathrm {rig}}})\) if and only if \(r_\mathcal {G}(v) = \omega +1\).
Proof
The proof consists of constructing mappings between play prefixes and plays in both games, which are then used to transfer strategies between the games. This is conceptually straightforward, but technical due to the presence of the bits indicating whether a disturbance occurred or not. These have to be reconstructed to obtain proper mappings.
“\(\varvec{\Rightarrow }\)”: Let Player 0 win \({\mathcal {G}_{\mathrm {rig}}}\) from v, say with winning strategy \(\sigma '\). We inductively translate play prefixes w in \(\mathcal {G}\) into play prefixes \(t'(w)\) in \({\mathcal {G}_{\mathrm {rig}}}\) that satisfy the following invariant: \(t'((v_0, b_0) \cdots (v_j, b_j))\) starts in \(v_0 \) and ends in \(v_j \).
If \(b_{j+1} =1\), then \((v_j, v_{j+1}) \in D\), i.e., the play traverses the disturbance edge \((v_j,v_{j+1})\). This move is mimicked by defining
$$\begin{aligned}t'((v_0, b_0) \cdots (v_j, b_j)(v_{j+1}, b_{j+1})) = t'((v_0, b_0) \cdots (v_j, b_j)) \cdot (v_{j+1},0).\end{aligned}$$
If \(b_{j+1} =0\), i.e., \((v_j, v_{j+1}) \in E\), and \(v_{j} \in V_0\), then the play did not traverse a disturbance edge and instead allowed Player 0 to pick a standard edge \((v_j,v_{j+1})\) to traverse. This move is mimicked by defining
$$\begin{aligned} t'((v_0, b_0) \cdots (v_j, b_j)(v_{j+1}, b_{j+1})) = t'((v_0, b_0) \cdots (v_j, b_j)) \cdot (\overline{v_j},0) \cdot (v_{j+1},0). \end{aligned}$$
If \(b_{j+1} =0\), i.e., \((v_j, v_{j+1}) \in E\), and \(v_{j} \in V_1\), then the play traversed the standard edge \((v_j,v_{j+1})\). This move is mimicked by defining
$$\begin{aligned}t'((v_0, b_0) \cdots (v_j, b_j)(v_{j+1}, b_{j+1})) = t'((v_0, b_0) \cdots (v_j, b_j)) \cdot (v_{j+1},0). \end{aligned}$$
First, assume we have a prefix of the form \( (v_0,0) \cdots (v_j, 0) (v_{j+1},0) \) for some \(v_j \in V_0\), i.e., Player 1’s move simulates the disturbance edge \((v_j, v_{j+1}) \in D\). Then, we define
$$\begin{aligned} t((v_0,0) \cdots (v_j, 0) (v_{j+1},0)) = t((v_0,0) \cdots (v_j,0) )\cdot (v_{j+1},1). \end{aligned}$$
Next, assume we have a prefix of the form \( (v_0,0) \cdots (v_j,0) (v_{j+1},0) \) for some \(v_j \in V_1\), i.e., Player 1’s move simulates the standard edge \((v_j, v_{j+1}) \in E\). Then, we define
$$\begin{aligned} t((v_0,0) \cdots (v_j,0) (v_{j+1},0)) = t((v_0,0) \cdots (v_j,0) )\cdot (v_{j+1},0). \end{aligned}$$
Finally, the last case is a prefix of the form \( (v_0,0) \cdots (v_j,0) (\overline{v_j}, 0) (v_{j+1},0) \) for some \(v_j \in V_0\), i.e., Player 0’s move simulates the standard edge \((v_j, v_{j+1}) \in E\). Then, we define
$$\begin{aligned} t((v_0,0) \cdots (v_j,0) (\overline{v_j},0) (v_{j+1},0)) = t((v_0,0) \cdots (v_j,0) )\cdot (v_{j+1},0). \end{aligned}$$
With an adaption of the rigged game, one can also directly characterize the vertices with resilience \(\omega \). However, since our algorithm and the rigged game already provide an indirect characterization, we do not present this construction here.
Furthermore, the proof of Lemma 6 also yields the preservation of positional and finite-state strategies. To this end, consider the first implication proved above. If \(\sigma \) is positional (finite-state), then \(\sigma '\) is positional (finite-state) as well. Thus, applying both implications yields the following corollary.
Corollary 3
1. Assume Player 0 has a positional winning strategy for \({\mathcal {G}_{\mathrm {rig}}}\) from v. Then, Player 0 has an \((\omega +1)\)-resilient positional strategy for \(\mathcal {G}\) from v.
2. Assume Player 0 has a finite-state winning strategy for \({\mathcal {G}_{\mathrm {rig}}}\) from v. Then, Player 0 has an \((\omega +1)\)-resilient finite-state strategy (of the same size) for \(\mathcal {G}\) from v.
3.3 Computing optimally resilient strategies
This section is concerned with computing the resilience and optimally resilient strategies. Here, we focus on positional and finite-state strategies, which are sufficient for the majority of winning conditions in the literature. Nevertheless, it is easy to see that our framework is also applicable to infinite-state strategies.
In the proof of Lemma 5, we construct strategies \(\sigma _{\!f}\) and \(\sigma _{\!\omega }\) such that \(\sigma _{\!f}\) is \(r_\mathcal {G}(v)\)-resilient from every v with \(r_\mathcal {G}(v) \in \omega \) and such that \(\sigma _{\!\omega }\) is \(\omega \)-resilient from every v with \(r_\mathcal {G}(v) \ge \omega \). Both strategies are obtained by combining winning strategies for some game \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(U))\). However, even if these winning strategies are positional, the strategies \(\sigma _{\!f}\) and \(\sigma _{\!\omega }\) are in general not positional. Nonetheless, we show in the proof of Theorem 1 that such positional winning strategies and a positional one for \(\mathcal {G}_\mathrm {rig}\) can be combined into a single positional optimally resilient strategy.
Recall the requirements from Sect. 3.1 for a game \((\mathcal {A}, \mathrm {Win})\): \(\mathrm {Win}\) is prefix-independent and the game \(\mathcal {G}_U\) is determined for every \(U \subseteq V\), where we write \(\mathcal {G}_U\) for the game \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(U))\) for some \(U \subseteq V\). To prove the results of this section, we need to impose some additional effectiveness requirements: we require that each game \(\mathcal {G}_U\) and the rigged game \({\mathcal {G}_{\mathrm {rig}}}\) can be effectively solved. Also, we first assume that Player 0 has positional winning strategies for each of these games, which have to be effectively computable as well. We discuss the severity of these requirements in Sect. 4.
Theorem 1
Let \(\mathcal {G}\) satisfy all the above requirements. Then, the resilience of \(\mathcal {G}\)’s vertices and a positional optimally resilient strategy can be effectively computed.
To prove this result, we refine the following standard technique that combines positional winning strategies for games with prefix-independent winning conditions.
Assume we have a positional strategy \(\sigma _v\) for every vertex v in some set \(W \subseteq V\) such that \(\sigma _v\) is winning from v. Furthermore, let \(R_v\) be the set of vertices visited by plays that start in v and are consistent with \(\sigma _v\). Also, let \(m(v) = \min _\prec \{ v' \in V \mid v \in R_{v'} \}\) for some strict total ordering \(\prec \) of W. Then, the positional strategy \(\sigma \) defined by \(\sigma (v) = \sigma _{m(v)}(v)\) is winning from each \(v \in W\), as along every play that starts in some \(v \in W\) and is consistent with \(\sigma \), the value of the function m cannot increase. Thus, after it has stabilized, the remaining suffix is consistent with some strategy \(\sigma _{v'}\). Hence, the suffix is winning for Player 0 and prefix-independence implies that the whole play is winning for her as well.
Here, we have to adapt this reasoning to respect the resilience of the vertices and to handle disturbance edges. Also, we have to pay attention to vertices of resilience \(\omega +1\), as plays starting in such vertices have to be winning under infinitely many disturbances.
Proof of Theorem 1
The effective computability of the resilience follows from the effectiveness requirements on \(\mathcal {G}\): to compute the ranking \(r^*\), it suffices to compute the disturbance and risk updates. The former are trivially effective while the effectiveness of the latter ones follows from our assumption. Lemma 5 shows that \(r^*\) correctly determines the resilience of all vertices with finite resilience. Finally, by solving the rigged game, we also determine the resilience of the remaining vertices (Lemma 6). Again, this game can be solved due to our assumption.

For every \(v \in V\) with \(r_\mathcal {G}(v) \in \omega {\setminus } \{ 0 \}\), the strategy \(\sigma _v\) is winning for Player 0 from v for the game \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(\{ v' \in V \mid r_\mathcal {G}(v') < r_\mathcal {G}(v) \}))\). We have shown the existence of such a strategy in the proof of Item 1 of Lemma 5.

For every \(v \in V\) with \(r_\mathcal {G}(v)=\omega \), the strategy \(\sigma _v\) is winning for Player 0 from v for the game \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(\{ v' \in V \mid r_\mathcal {G}(v') \in \omega \}))\). We have shown the existence of such a strategy in the proof of Item 2 of Lemma 5.

For every \(v \in V\) with \(r_\mathcal {G}(v) = \omega +1\), the strategy \(\sigma _v\) is \((\omega +1)\)-resilient from v. The existence of such a strategy follows from Item 1 of Corollary 3, as we assume Player 0 to win \(\mathcal {G}_\mathrm {rig}\) with positional strategies.

For every \(v \in V\) with \(r_\mathcal {G}(v) = 0\), we fix an arbitrary positional strategy \(\sigma _v\) for Player 0.
We claim \(R_v \subseteq \{ v' \in V \mid r_\mathcal {G}(v') \ge r_\mathcal {G}(v) \}\) for every \(v \in V\) (\(*\)). For v with \(r_\mathcal {G}(v) \ne \omega +1\) this follows immediately from the choice of \(\sigma _v\). Thus, let v with \(r_\mathcal {G}(v) = \omega +1\). Assume \(\sigma _v\) reaches a vertex \(v'\) of resilience \(r_\mathcal {G}(v') \ne \omega +1\). Then, there exists a play \(\rho '\) starting in \(v'\) that is consistent with \(\sigma _v\), has less than \(\omega +1\) many disturbances and is losing for Player 0. Thus, the play obtained by first taking the play prefix to \(v'\) and then appending \(\rho '\) without its first vertex yields a play starting in v, consistent with \(\sigma _v\), but losing for Player 0. This play witnesses that \(\sigma _v\) is not \((\omega +1)\)-resilient from v, which contradicts our assumption and thus concludes the proof of the claim for the case \(r_\mathcal {G}(v) = \omega + 1\).
Let \(m :V \rightarrow V\) be given as \(m(v) = \min _\prec \{ v' \in V \mid v \in R_{v'} \}\) and define the positional strategy \(\sigma \) as \(\sigma (v) = \sigma _{m(v)}(v)\). By our assumptions, \(\sigma \) can be effectively computed. It remains to show that it is optimally resilient.
1. If \((v,v') \in E\), then we have \(r_\mathcal {G}(v) \le r_\mathcal {G}(v')\) and \(m(v) \ge m(v')\). The first property follows from minimality of m(v) and (\(*\)) while the second follows from the definition of \(R_v\).
2. If \((v,v') \in D\), then we distinguish several subcases, which all follow immediately from the definition of resilience:

If \(r_\mathcal {G}(v) \in \omega \), then \(r_\mathcal {G}(v') \ge r_\mathcal {G}(v) - 1\).

If \(r_\mathcal {G}(v) = \omega \), then \(r_\mathcal {G}(v') = \omega \), and

If \(r_\mathcal {G}(v) = \omega + 1\), then \(r_\mathcal {G}(v') = \omega + 1\) and \(m(v) \ge m(v')\) (here, the second property follows from the definition of \(R_v\) for v with \(r_\mathcal {G}(v) = \omega + 1\), which takes disturbance edges into account).

Now, assume \(r_\mathcal {G}(v_0) \in \omega {\setminus }\{ 0 \}\). We have to show that if \(\rho \) has less than \(r_\mathcal {G}(v_0)\) disturbances, then it is winning for Player 0. An inductive application of the above properties shows that in that case the last disturbance edge leads to a vertex of nonzero resilience. Furthermore, as the values \(m(v_j)\) are only decreasing afterwards, they have to stabilize at some later point. Hence, there is some suffix of \(\rho \) that starts in some \(v'\) with nonzero resilience and that is consistent with the strategy \(\sigma _{v'}\). Thus, the suffix is winning for Player 0 by the choice of \(\sigma _{v'}\) and prefix-independence implies that \(\rho \) is winning for her as well.
Next, assume \(r_\mathcal {G}(v_0) = \omega \). We have to show that if \(\rho \) has a finite number of disturbances, then it is winning for Player 0. Again, an inductive application of the above properties shows that in that case the last disturbance edge leads to a vertex of resilience \(\omega \) or \(\omega +1\). Afterwards, the values \(m(v_j)\) stabilize again. Hence, there is some suffix of \(\rho \) that starts in some \(v'\) with nonzero resilience and that is consistent with the strategy \(\sigma _{v'}\). Thus, the suffix is winning for Player 0 by the choice of \(\sigma _{v'}\) and prefix-independence implies that \(\rho \) is winning for her as well.
Finally, assume \(r_\mathcal {G}(v_0) = \omega +1\). Then, the above properties imply that \(\rho \) only visits vertices with resilience \(\omega +1\) and that the values \(m(v_j)\) eventually stabilize. Hence, there is a suffix of \(\rho \) that is consistent with some \((\omega +1)\)-resilient strategy \(\sigma _{v'}\), where \(v'\) is the first vertex of the suffix. Hence, the suffix is winning for Player 0, no matter how many disturbances occur. This again implies that \(\rho \) is winning for her as well. \(\square \)
The algorithm determining the vertices’ resilience and a positional optimally resilient strategy first computes \(r^*\) and the winner of the rigged game. This yields the resilience of \(\mathcal {G}\)’s vertices. Furthermore, the strategy is obtained by combining winning strategies for the games \(\mathcal {G}_U\) and for the rigged game as explained above.
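The resilience computation just described, written out for Büchi games as an added example (it is not code from the paper). It assumes Win is a Büchi condition with accepting set F, which is prefix-independent and determined; it implements the two updates directly as they are used in the proof of Lemma 4 rather than the optimized variant, and iterates to \(r_{2|V|}\) as in Corollary 1. All function names and the sample game are constructed for this illustration.

```python
"""Resilience of every vertex of a Buchi game with disturbance edges (added example)."""

OMEGA, OMEGA_PLUS_1 = "ω", "ω+1"


def attractor(player, target, verts, owner, E):
    """Vertices of `verts` from which `player` can force a visit to `target`."""
    attr = set(target) & verts
    changed = True
    while changed:
        changed = False
        for v in verts - attr:
            succ = [w for w in E[v] if w in verts]
            if owner[v] == player:
                pulls = any(w in attr for w in succ)
            else:
                pulls = bool(succ) and all(w in attr for w in succ)
            if pulls:
                attr.add(v)
                changed = True
    return attr


def buchi_win0(verts, owner, E, F):
    """Player 0's winning region of the Buchi game (visit F infinitely often) on `verts`."""
    verts = set(verts)
    while True:
        reach = attractor(0, F & verts, verts, owner, E)     # Player 0 can reach F
        lose = attractor(1, verts - reach, verts, owner, E)  # Player 1 can escape from F for good
        if not lose:
            return verts
        verts -= lose


def win1(U, owner, E, F):
    """Player 1's winning region in (A, Win ∩ Safety(U)); Player 0 must never visit U."""
    V = set(owner)
    unsafe = attractor(1, U, V, owner, E)
    return V - buchi_win0(V - unsafe, owner, E, F)  # determinacy: complement of W_0


def disturbance_update(r, D):
    """r'(v) = min of r(v) and r(v') + 1 over disturbance edges (v, v') with v' ranked."""
    new = dict(r)
    for v, w in D:
        if w in r:
            new[v] = min(new.get(v, r[w] + 1), r[w] + 1)
    return new


def risk_update(r, owner, E, F):
    """r'(v) = least k such that Player 1 wins Win ∩ Safety({v' | r(v') <= k}) from v."""
    new = {}
    for k in range(max(r.values(), default=-1), -1, -1):
        U = {v for v in r if r[v] <= k}
        for v in win1(U, owner, E, F):
            new[v] = k  # k descends, so the smallest k is written last
    return new


def rigged_arena(owner, E, D):
    """Player 1 owns every original vertex; at v in V_0 he disturbs or yields to ('bar', v)."""
    r_owner, r_E = {}, {}
    for v in owner:
        r_owner[v] = 1
        if owner[v] == 0:
            bar = ("bar", v)
            r_owner[bar] = 0
            r_E[bar] = list(E[v])                         # Player 0 picks a standard edge
            r_E[v] = [bar] + [w for u, w in D if u == v]  # yield control, or disturb
        else:
            r_E[v] = list(E[v])
    return r_owner, r_E


def resilience(owner, E, D, F):
    r = {v: 0 for v in win1(set(), owner, E, F)}          # r_0: domain W_1(G), rank 0
    for j in range(1, 2 * len(owner) + 1):                # r* = r_{2|V|}
        r = disturbance_update(r, D) if j % 2 else risk_update(r, owner, E, F)
    r_owner, r_E = rigged_arena(owner, E, D)
    always = buchi_win0(set(r_owner), r_owner, r_E, set(F))  # W_0 of the rigged game
    return {v: r[v] if v in r else (OMEGA_PLUS_1 if v in always else OMEGA) for v in owner}


# Constructed sample game: "p" belongs to Player 1, all other vertices to Player 0.
OWNER = {"bad": 0, "a": 0, "b": 0, "c": 0, "d": 0, "e": 0, "p": 1}
E = {"bad": ["bad"], "a": ["a"], "b": ["b"], "c": ["c"],
     "d": ["e"], "e": ["d"], "p": ["b", "a"]}
D = [("a", "bad"), ("b", "a"), ("d", "d")]   # disturbance edges
F = {"a", "b", "c", "e", "p"}                # Buchi accepting vertices

if __name__ == "__main__":
    print(resilience(OWNER, E, D, F))
```

In the sample game, "p" receives its rank from a risk update (Player 1 can move to "a"), while "d" and "e" survive any finite number of disturbances but lose once the self-loop disturbance at "d" is taken forever.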
Next, we analyze the complexity of the algorithm sketched above in some more detail. The inductive definition of the \(r_j\) can be turned into an algorithm computing \(r^*\) (using the results of Lemma 4 to optimize the naive implementation), which has to solve \(\mathcal {O}(|V|)\) many games (and compute winning strategies for some of them) with winning condition \(\mathrm {Win}\cap \mathrm {Safety}(U)\). Furthermore, the rigged game, which is of size \(\mathcal {O}(|V|)\), has to be solved and winning strategies have to be determined. Thus, the overall complexity is in general dominated by the complexity of solving these tasks.
We explicitly state one complexity result for the important case of parity games, using the fact that each of these games is then a parity game as well. Also, we use a quasipolynomial time algorithm for solving parity games [8, 15, 20, 22] to solve the games \(\mathcal {G}_U\) and \({\mathcal {G}_{\mathrm {rig}}}\).
Theorem 2
Optimally resilient strategies in parity games are positional and can be computed in quasipolynomial time.
Using similar arguments, one can also analyze games where positional strategies do not suffice. As above, assume \(\mathcal {G}\) satisfies the same assumptions on determinacy and effectiveness, but only require that Player 0 has finite-state winning strategies for each game with winning condition \((\mathcal {A}, \mathrm {Win}\cap \mathrm {Safety}(U))\) and for the rigged game \({\mathcal {G}_{\mathrm {rig}}}\). Then, one can show that she has a finite-state optimally resilient strategy. In fact, by reusing memory states, one can construct an optimally resilient strategy that is not larger than any constituent strategy.
4 Discussion
In this section, we discuss the assumptions required to be able to compute positional (finite-state) optimally resilient strategies with the algorithm presented in Sect. 3. Here, we only consider the case of positional strategies. The case of finite-state strategies is analogous.
1. The game \(\mathcal {G}_U\) is determined for every \(U \subseteq V\).
2. Player 0 has a positional winning strategy from every vertex in her winning regions in the \(\mathcal {G}_U\) and in the game \({\mathcal {G}_{\mathrm {rig}}}\).
3. Each \(\mathcal {G}_U\) and the game \({\mathcal {G}_{\mathrm {rig}}}\) can be effectively solved and positional winning strategies can be effectively computed for each such game.
4. \(\mathrm {Win}\) is prefix-independent.
The next requirement concerns the existence of positional winning strategies for the games \(\mathcal {G}_U\) and \({\mathcal {G}_{\mathrm {rig}}}\). For the \(\mathcal {G}_U\), this requirement is satisfied if Player 0 has positional winning strategies for all subgames of \(\mathcal {G}\), as argued above. As every positional optimally resilient strategy is also a winning strategy in a certain subgame, this condition is necessary. Now, consider \(\mathcal {G}_\mathrm {rig}\), whose winning condition can be written as \(h^{-1}(\mathrm {Win})\) for the homomorphism h from Sect. 3.2. The winning conditions one typically studies, e.g., the Borel ones, are closed w.r.t. such supersequences. If \(\mathcal {G}\) is from a class of winning conditions that allows for positional winning strategies for Player 0, then this class typically also contains \({\mathcal {G}_{\mathrm {rig}}}\). Also, the assumption on the effective solvability and computability of positional strategies is obviously necessary, as we solve a more general problem when determining optimally resilient strategies.
First, consider the family \(\mathcal {G}_k= (\mathcal {A}, \mathrm {Win}_k)\) of games shown in Fig. 3. In \(\mathcal {G}_k\), it is the goal of Player 0 to avoid more than k visits to v. Hence, for all plays \(\rho \) and all play prefixes w we have that \(w\rho \in \mathrm {Win}\) implies \(\rho \in \mathrm {Win}\).
Conversely, consider the game \(\mathcal {G}\) shown in Fig. 4. The winning condition of this game satisfies that, for all play prefixes w and all plays \(\rho \), we have that \(\rho \in \mathrm {Win}\) implies \(w\rho \in \mathrm {Win}\). If we apply the algorithm from Sect. 3, however, the initial ranking \(r_0\) has the domain \(\{ v' \}\) with \(r_0(v') = 0\), due to \(\mathcal {W}_1(\mathcal {G}) = \{ v' \}\). The disturbance update of \(r_0\) then yields the ranking \(r_1\) with \(r_1(v) = 1\) due to the single disturbance edge of \(\mathcal {G}\) and with \(r_1(v') = 0\). At this point, the rankings stabilize and we obtain \(r^* = r_1\).
While we indeed have \(r_{\mathcal {G}}(v') = 0 = r^*(v')\), we furthermore have \(r_{\mathcal {G}}(v) = \omega + 1 \ne r^*(v)\), as every play starting in vertex v satisfies the winning condition. Hence, this example showcases that the implication from left to right from the definition of prefix-independence also does not suffice for the algorithm from Sect. 3 to correctly compute the resilience. Thus, we indeed require full prefix-independence of the winning condition as a precondition for the correctness of that algorithm.
In the following section, we show that one can still leverage our algorithm from Sect. 3 in order to compute the resilience of a wide range of games with prefix-dependent winning conditions. To this end, we extend the framework of game reductions to games with disturbances, in such a way that the existence of \(\alpha \)-resilient strategies is preserved. Using this framework shows that Player 0 has a finite-state optimally resilient strategy in every game with \(\omega \)-regular winning condition.
4.1 Prefix-dependent winning conditions
Remark 3
Let \(\rho \) be a play in \(\mathcal {G}\). Then, \(\#_{d}(\rho ) = \#_{d}(\mathrm {ext}(\rho ))\).
A game \(\mathcal {G}= (\mathcal {A}, \mathrm {Win})\) is reducible to \(\mathcal {G}' = (\mathcal {A}', \mathrm {Win}')\) via \(\mathcal {M}\), written \(\mathcal {G}\le _{ \mathcal {M}} \mathcal {G}'\), if \(\mathcal {A}' = \mathcal {A}\times \mathcal {M}\) and every play \(\rho \) in \(\mathcal {G}\) is won by the same player that wins \(\mathrm {ext}(\rho )\) in \(\mathcal {G}'\).
Lemma 7
Let \(\mathcal {G}\le _{ \mathcal {M}} \mathcal {G}'\). Then, \(r_\mathcal {G}(v) = r_{\mathcal {G}'}(v,\mathrm {Init}(v))\) for all vertices v of \(\mathcal {G}\).
Proof
We show that Player 0 has an \(\alpha \)-resilient strategy \(\sigma '\) for \(\mathcal {G}'\) from \((v, \mathrm {Init}(v))\) if and only if she has an \(\alpha \)-resilient strategy \(\sigma \) for \(\mathcal {G}\) from v, which implies our claim. The translation of the strategies is the same as in the disturbance-free setting (see, e.g., [21]), but here we have to argue about resilience instead of just winning.
“\(\varvec{\Rightarrow }\)”: Given a strategy \(\sigma '\) for \(\mathcal {G}'\), we define \(\sigma \) for \(\mathcal {G}\) via \(\sigma (v_0 \cdots v_j) = v\), if \(\sigma '((v_0, m_0)\cdots (v_j,m_j)) = (v,m)\) for some \(m \in M\), where \(m_{j'} = \mathrm {Upd}^+(v_0 \cdots v_{j'})\).
A straightforward induction shows that a play in \(\mathcal {G}\) is consistent with \(\sigma \) if and only if its extended play in \(\mathcal {G}'\) is consistent with \(\sigma '\). Thus, these plays have the same winner and the same number of disturbances. Thus, again, if \(\sigma '\) is \(\alpha \)-resilient from a vertex \((v, \mathrm {Init}(v))\) then \(\sigma \) is \(\alpha \)-resilient from v.\(\square \)
As usual for game reductions, we obtain a finite-state strategy for \(\mathcal {G}\) when starting with a positional strategy in \(\mathcal {G}'\). To this end, consider the proof of the second implication above. If \(\sigma \) is positional, then the strategy \(\sigma '\) is implemented by \(\mathcal {M}\) and the next-move function \(\mathrm {Nxt}\) given by \(\mathrm {Nxt}(v,m) = v'\), if \(\sigma (v,m) = (v',m')\) for some \(m' \in M\).
A similar construction works in case \(\sigma '\) is finite-state, say implemented by \(\mathcal {M}'\). Then, \(\sigma \) is implemented by the product of \(\mathcal {M}\) and \(\mathcal {M}'\), which is defined as expected (we refer to, e.g., [21] for a formal definition). Altogether, we obtain the following result.
Corollary 4
1. If Player 0 has an \(\alpha \)-resilient positional strategy from \((v, \mathrm {Init}(v))\) in \(\mathcal {G}'\), then she has an \(\alpha \)-resilient finite-state strategy from v in \(\mathcal {G}\), which is implemented by \(\mathcal {M}\).
2. If Player 0 has an \(\alpha \)-resilient finite-state strategy from \((v, \mathrm {Init}(v))\) in \(\mathcal {G}'\), say implemented by \(\mathcal {M}'\), then she has an \(\alpha \)-resilient finite-state strategy from v in \(\mathcal {G}\), which is implemented by the product of \(\mathcal {M}\) and \(\mathcal {M}'\).
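The first item of Corollary 4, run on a small game: this is an added example (not code from the paper) that derives \(\mathrm {Nxt}\) from a positional strategy on \(\mathcal {A}\times \mathcal {M}\) and replays the same disturbances and Player 1 moves in both games, so that the extended play can be compared with the play in the product. The toy arena, the counter memory, the strategy, and the encoding of a play prefix as (vertex, disturbance bit) pairs are constructed for illustration; the product arena is assumed to update the memory with the vertex that is entered.

```python
K = 2  # constructed bound: the memory counts visits to "b", saturating at K

# Constructed toy arena (not a game from the paper).
V0 = {"a", "c"}                                  # Player 0 vertices; "b" is Player 1's
E = {"a": ["b", "c"], "b": ["a"], "c": ["c"]}    # regular edges
D = {"a": ["b"], "c": ["a"]}                     # disturbance edges (Player 0 vertices only)

def init(v):
    """Init : V -> M."""
    return 1 if v == "b" else 0

def upd(m, v):
    """Upd : M x V -> M, applied to the vertex that is entered (assumed convention)."""
    return min(m + (v == "b"), K)

def lift(edges):
    """Edges of A x M: ((v, m), (w, Upd(m, w))) for every edge (v, w) of A."""
    return {(v, m): [(w, upd(m, w)) for w in ws]
            for v, ws in edges.items() for m in range(K + 1)}

E_PROD, D_PROD = lift(E), lift(D)

def sigma_prime(state):
    """Constructed positional strategy on A x M: from "a", go to "b" until the counter is full."""
    v, m = state
    w = "b" if v == "a" and m < K else "c"
    return (w, upd(m, w))

def nxt(v, m):
    """Nxt(v, m) = v' if sigma'(v, m) = (v', m') for some m'."""
    return sigma_prime((v, m))[0]

def play_in_g(start, steps, disturbed, p1_move):
    """Play prefix in G under the finite-state strategy implemented by M and Nxt."""
    v, m, play = start, init(start), [(start, 0)]
    for j in range(steps):
        if v in V0 and j in disturbed and v in D:
            w, bit = D[v][0], 1                   # disturbance overrides Player 0's move
        elif v in V0:
            w, bit = nxt(v, m), 0
        else:
            w, bit = p1_move(v), 0
        v, m = w, upd(m, w)
        play.append((v, bit))
    return play

def play_in_product(start, steps, disturbed, p1_move):
    """Play prefix in G' = A x M under the positional strategy sigma'."""
    s, play = (start, init(start)), [((start, init(start)), 0)]
    for j in range(steps):
        v, m = s
        if v in V0 and j in disturbed and s in D_PROD:
            t, bit = D_PROD[s][0], 1
        elif v in V0:
            t, bit = sigma_prime(s), 0
        else:
            w = p1_move(v)
            t, bit = (w, upd(m, w)), 0
        if t not in (D_PROD[s] if bit else E_PROD[s]):
            raise ValueError(f"{s} -> {t} is not an edge of the product arena")
        s = t
        play.append((s, bit))
    return play

def ext(play):
    """ext(rho): pair every vertex v_j with m_j = Upd^+(v_0 ... v_j)."""
    out, m = [], None
    for j, (v, bit) in enumerate(play):
        m = init(v) if j == 0 else upd(m, v)
        out.append(((v, m), bit))
    return out

def disturbances(play):
    """#_d of a play prefix: the number of positions reached via a disturbance edge."""
    return sum(bit for _, bit in play)
```

From "a" the induced strategy first moves to "b" and later to "c", so it is not positional in the original arena even though \(\sigma '\) is positional in the product.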
Now, we can formulate the main theorem of this section, which shows that prefix-dependence is not a restriction, as long as the game is reducible to a prefix-independent one. Note that this is in particular true for every \(\omega \)-regular winning condition (see, e.g., [18]): every such condition is recognized by a deterministic parity automaton, which can be turned into a memory structure that allows one to reduce the original game to a parity game.
Theorem 3
Let \(\mathcal {G}\le _\mathcal {M}\mathcal {G}'\) so that \(\mathcal {G}'\) has a prefix-independent winning condition, can be effectively computed from \(\mathcal {G}\), and satisfies the assumptions from Sect. 3.3 (with finite-state strategies).
Then, the resilience of \(\mathcal {G}\)’s vertices and a finite-state optimally resilient strategy can be effectively computed.
Proof
This is a direct consequence of Lemma 7 and Theorem 1. To obtain an optimally resilient strategy, we apply Corollary 4 for finite-state strategies.\(\square \)
Recall the family of games shown in Fig. 3 in which Player 0 aims to prevent more than k visits to the vertex \(v_1\) for some parameter \(k \in \omega \). Such a game can be reduced to a parity game using a memory structure implementing a counter up to \(k+1\). Such a memory structure has \(k+1\) memory states, and a straightforward pumping argument shows that there is no smaller memory structure.
Thus, we obtain an optimally resilient strategy for Player 0 that is implemented by a memory structure with \(k+1\) states. While this strategy is indeed optimally resilient, it is not of minimal size: in fact, the unique strategy for Player 0 in \(\mathcal {G}_k\) is positional and optimally resilient. Thus, the approach of computing optimally resilient strategies for games with prefix-dependent winning conditions via reductions to prefix-independent winning conditions is not optimal in that sense, as it may yield unnecessarily large optimally resilient strategies. In current research, we study how to synthesize minimal optimally resilient strategies for games with prefix-dependent winning conditions.
Moreover, in the case of prefix-dependent winning conditions, the question arises whether or not optimally resilient strategies may be necessarily larger than winning ones. It is easy to construct a game in which Player 0 has a positional winning strategy, but an optimally resilient one requires an infinite amount of memory. One example is a game with a dedicated vertex v with a self-loop, such that using the self-loop ad infinitum is winning for Player 0. Furthermore, there is a disturbance edge leading from v into a disturbance-free subgame in which Player 0 needs an infinite amount of memory to win.
However, this example is not very useful, as Player 0 needs infinite memory to win the game from some vertex of her winning region. A more interesting question for further research is whether a result similar to Theorem 1 holds true for prefix-dependent games with positional winning strategies, e.g., weak parity games [9] or bounded parity games [11]. However, for both of these conditions, monotonicity arguments allow one to transform finite-state optimally resilient strategies into positional ones (similar to the construction in [16, Section 5]). However, these arguments rely on monotonicity properties of the parity condition and are therefore unlikely to be generalizable. On the other hand, we are not aware of an example of a class of winning conditions that always allow for positional winning strategies for Player 0, but require memory to implement optimally resilient strategies. In future work, we investigate whether the blow-up introduced by the reduction can be avoided.
5 Outlook
We have developed a fine-grained view on the quality of strategies: instead of evaluating whether or not a strategy is winning, we compute its resilience against intermittent disturbances. While this measure of quality allows constructing “better” strategies than the distinction between winning and losing strategies, there remain aspects of optimality that are not captured in our notion of resilience. In this section we discuss these aspects and give examples of games in which there are crucial differences between optimally resilient strategies. In further research, we aim to synthesize optimal strategies with respect to these criteria.
First consider a scenario in which visiting an odd color models the occurrence of some undesirable event, e.g., that a request has not been answered. In this case, Player 0 should aim to prevent visits to \(v'_3\) in \(\mathcal {G}\), the only vertex of odd color. Hence, the strategy \(\sigma \) should be more desirable for her, as it requires two disturbances in direct succession in order to visit \(v'_3\). When playing consistently with \(\sigma '\), however, a single disturbance suffices to visit \(v'_3\).
On the other hand, consider a setting in which Player 0’s goal is to avoid the occurrence of disturbances. In that case, \(\sigma '\) is preferable over \(\sigma \), as it allows for fewer situations in which disturbances may occur, since no disturbances are possible from vertices \(v_2\) and \(v_3\).
Note that the goals of minimizing visits to vertices of odd color and minimizing the occurrence of disturbances are not contradictory: if both events are undesirable, it may be optimal for Player 0 to combine the strategies \(\sigma \) and \(\sigma '\). In general, it is interesting to study how to best brace for a finite number of disturbances.
Finally, another important and interesting aspect, which falls outside the scope of this paper, is to provide general guidelines and best practices on how to model synthesis problems by games with disturbances. We will address these problems in future research.
6 Related work
The notion of unmodeled intermittent disturbances in infinite games has recently been formulated by Dallal, Neider, and Tabuada [12]. In that work, the authors also present an algorithm for computing optimally resilient strategies for safety games with disturbances, which is an extension of the classical attractor computation [18]. Due to the relatively simple nature of such games, however, this algorithm cannot easily be extended to handle more expressive winning conditions, and the approach presented in this work relies on fundamentally different ideas.
Resilience is not a novel concept in the context of reactive systems synthesis. It appears, for instance, in the work by Topcu et al. [28] as well as Ehlers and Topcu [14]. A notion of resilience that is very similar to the one considered here has been proposed by Huang et al. [19], where the game graph is augmented with so-called “error edges”. However, this setting differs from the one studied in this work in various aspects. Firstly, Huang et al. work in the framework of concurrent games and model errors as being under the control of Player 1. This contrasts with the setting considered here, in which the players play in alternation and disturbances are seen as rare events rather than antagonistic to Player 0. Secondly, Huang et al. restrict themselves to safety games, whereas we consider a much broader class of infinite games. Finally, Huang et al. compute resilient strategies with respect to a fixed parameter k, thus requiring the computation to be repeated for various values of k to find optimally resilient strategies. In contrast, our approach computes an optimal strategy in a single run. Hence, they consider a more general model of interaction, but only a simple winning condition, while the notion of disturbances considered here is incomparable to theirs.
Related to resilience are various notions of fault tolerance [1, 7, 13, 17] and robustness [3, 4, 5, 6, 23, 26, 27].
For instance, Brihaye et al. [7] consider quantitative games under failures, which are a generalization of sabotage games [29]. The main difference to our setting is that Brihaye et al. consider failures—embodied by a saboteur player—as antagonistic, whereas we consider disturbances as non-antagonistic events. Moreover, solving a parity game while maintaining a cost associated with the sabotage semantics below a given threshold is ExpTime-complete, whereas our approach computes optimally resilient controllers for parity conditions in quasipolynomial time.
Besides fault tolerance, robustness in the area of reactive controller synthesis has also attracted considerable interest in the recent years, typically in settings with specifications of the form \(\varphi \Rightarrow \psi \) stating that the controller needs to fulfill the guarantee \(\psi \) if the environment satisfies the assumption \(\varphi \). A prominent example of such work is that of Bloem et al. [3], in which the authors understand robustness as the property that “if assumptions are violated temporarily, the system is required to recover to normal operation with as few errors as possible” and consider the synthesis of robust controllers for the GR(1) fragment of Linear Temporal Logic [6]. Other examples include quantitative synthesis [4], where robustness is defined in terms of payoffs, and the synthesis of robust controllers for cyber-physical systems [23, 26]. For a more in-depth discussion of related notions of resilience and robustness in reactive synthesis, we refer the interested reader to Dallal, Neider, and Tabuada’s section on related work [12, Section I]. Moreover, a survey of a large body of work dealing with robustness in reactive synthesis has been presented by Bloem et al. [5].
Finally, note that for the special case of parity games, we can also characterize vertices of finite resilience (cf. Sect. 3.1) by a reduction to finding optimal strategies in energy parity games [10], which yields the same complexity as our algorithm (though such a reduction would not distinguish between vertices with resilience \(\omega \) and vertices with resilience \(\omega +1\)). Also, it is unclear if and how this reduction can be extended to other winning conditions and if custom-made solutions would be required for each new class of game. By contrast, our refinement-based approach works for any class of infinite games that satisfies the mild assumptions discussed in Sect. 4.
7 Conclusion
We presented an algorithm for computing optimally resilient strategies in games with disturbances that is applicable to any game that satisfies some mild (and necessary) assumptions. Thereby, we have vastly generalized the work of Dallal, Neider, and Tabuada, who only considered safety games. Furthermore, we showed that optimally resilient strategies are typically of the same size as classical winning strategies. Finally, we have illustrated numerous novel phenomena that appear in the setting with disturbances but not in the classical one. Studying these phenomena is a very promising direction of future work.
As part of future work, we are currently implementing our proposed method on top of the parity game solver Oink [30] and SCOTS [25], a tool for the synthesis of controllers in the context of dynamic and cyber-physical systems. Besides developing an end-to-end synthesis tool for controllers of dynamic and cyber-physical systems, a major part of this effort is to evaluate the impact of the polynomial overhead as compared to classical parity game solvers. Preliminary experiments with this prototype implementation suggest that the additional overhead does not impact the overall performance much.
Footnotes
1. We have deliberately chosen the term resilience so as to avoid confusion with the already highly ambiguous notions of robustness and fault tolerance.
Notes
Acknowledgements
Funding was provided by Deutsche Forschungsgemeinschaft (Grant Nos. ZI 1516/11, GSC 209).
References
1. Attie, P.C., Arora, A., Emerson, E.A.: Synthesis of fault-tolerant concurrent programs. ACM Trans. Program. Lang. Syst. 26(1), 125–185 (2004)
2. Bernet, J., Janin, D., Walukiewicz, I.: Permissive strategies: from parity games to safety games. ITA 36(3), 261–275 (2002)
3. Bloem, R., Chatterjee, K., Greimel, K., Henzinger, T.A., Hofferek, G., Jobstmann, B., Könighofer, B., Könighofer, R.: Synthesizing robust systems. Acta Inf. 51(3–4), 193–220 (2014)
4. Bloem, R., Chatterjee, K., Henzinger, T.A., Jobstmann, B.: Better quality in synthesis through quantitative objectives. In: Bouajjani, A., Maler, O. (eds.) Computer Aided Verification, Volume 5643 of LNCS, pp. 140–156. Springer, Berlin (2009)
5. Bloem, R., Ehlers, R., Jacobs, S., Könighofer, R.: How to handle assumptions in synthesis. In: Chatterjee, K., Ehlers, R., Jha, D. (eds.) SYNT, Volume 157 of EPTCS, pp. 34–50 (2014)
6. Bloem, R., Jobstmann, B., Piterman, N., Pnueli, A., Sa’ar, Y.: Synthesis of reactive (1) designs. J. Comput. Syst. Sci. 78(3), 911–938 (2012)
7. Brihaye, T., Geeraerts, G., Haddad, A., Monmege, B., Pérez, G.A., Renault, G.: Quantitative games under failures. In: FSTTCS, Volume 45 of LIPIcs. Schloss Dagstuhl-Leibniz-Zentrum für Informatik, pp. 293–306 (2015)
8. Calude, C.S., Jain, S., Khoussainov, B., Li, W., Stephan, F.: Deciding parity games in quasipolynomial time. In: Hatami, H., McKenzie, P., King, V. (eds.) STOC, pp. 252–263. ACM, New York (2017)
9. Chatterjee, K.: Linear time algorithm for weak parity games. arXiv (2008)
10. Chatterjee, K., Doyen, L.: Energy parity games. Theor. Comput. Sci. 458, 49–60 (2012)
11. Chatterjee, K., Henzinger, T.A., Horn, F.: Finitary winning in \(\omega \)-regular games. ACM Trans. Comput. Log. 11(1), 257–271 (2009)
12. Dallal, E., Neider, D., Tabuada, P.: Synthesis of safety controllers robust to unmodeled intermittent disturbances. In: CDC, pp. 7425–7430. IEEE (2016)
13. Ebnenasir, A., Kulkarni, S.S., Arora, A.: FTSyn: a framework for automatic synthesis of fault-tolerance. STTT 10(5), 455–471 (2008)
14. Ehlers, R., Topcu, U.: Resilience to intermittent assumption violations in reactive synthesis. In: Fränzle, M., Lygeros, J. (eds.) HSCC, pp. 203–212. ACM, New York (2014)
15. Fearnley, J., Jain, S., Schewe, S., Stephan, F., Wojtczak, D.: An ordered approach to solving parity games in quasi polynomial time and quasi linear space. In: Erdogmus, H., Havelund, K. (eds.) SPIN, pp. 112–121. ACM, New York (2017)
16. Fijalkow, N., Zimmermann, M.: Parity and Streett games with costs. Log. Methods Comput. Sci. 10(2), 1–29 (2014)
17. Girault, A., Rutten, E.: Automating the addition of fault tolerance with discrete controller synthesis. Form. Methods Syst. Des. 35(2), 190–225 (2009)
18. Grädel, E., Thomas, W., Wilke, T. (eds.): Automata, Logics, and Infinite Games: A Guide to Current Research, Volume 2500 of LNCS. Springer, Berlin (2002)
19. Huang, C.H., Peled, D.A., Schewe, S., Wang, F.: A game-theoretic foundation for the maximum software resilience against dense errors. IEEE Trans. Softw. Eng. 42(7), 605–622 (2016)
20. Jurdzinski, M., Lazic, R.: Succinct progress measures for solving parity games. In: LICS, pp. 1–9. IEEE Computer Society (2017)
21. Kaiser, L.: Logic and Games on Automatic Structures: Playing with Quantifiers and Decompositions, Volume 6810 of LNCS. Springer, Berlin (2011)
22. Lehtinen, K.: A modal \(\mu \) perspective on solving parity games in quasipolynomial time. In: Dawar, A., Grädel, E. (eds.) LICS, pp. 639–648. ACM, New York (2018)
23. Majumdar, R., Render, E., Tabuada, P.: A theory of robust omega-regular software synthesis. ACM Trans. Embed. Comput. Syst. 13(3), 48:1–48:27 (2013)
24. Martin, D.A.: Borel determinacy. Ann. Math. 102, 363–371 (1975)
25. Rungger, M., Zamani, M.: SCOTS: a tool for the synthesis of symbolic controllers. In: HSCC, pp. 99–104. ACM, New York (2016)
26. Tabuada, P., Caliskan, S.Y., Rungger, M., Majumdar, R.: Towards robustness for cyber-physical systems. IEEE Trans. Autom. Control 59(12), 3151–3163 (2014)
27. Tabuada, P., Neider, D.: Robust linear temporal logic. In: Talbot, J.M., Regnier, L. (eds.) CSL, Volume 62 of LIPIcs. Schloss Dagstuhl-Leibniz-Zentrum für Informatik, pp. 10:1–10:21 (2016)
28. Topcu, U., Ozay, N., Liu, J., Murray, R.M.: On synthesizing robust discrete controllers under modeling uncertainty. In: Dang, T., Mitchell, I.M. (eds.) HSCC, pp. 85–94. ACM, New York (2012)
29. van Benthem, J.: An essay on sabotage and obstruction. Mechanizing Mathematical Reasoning, Essays in Honor of Jörg H. Siekmann on the Occasion of His 60th Birthday, Volume 2605 of LNCS, pp. 268–276. Springer, Berlin (2005)
30. van Dijk, T.: Oink: an implementation and evaluation of modern parity game solvers. In: TACAS, Volume 10805 of LNCS, pp. 291–308. Springer, Berlin (2018)
Copyright information
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.