Permutation Games for the Weakly Aconjunctive \(\mu \)-Calculus

2.1 Limit-Deterministic Automata

We recall the basics of parity automata: A parity automaton is a tuple \(\mathcal {A}=(V,\varSigma ,\delta ,u_0,\alpha )\) where V is a set of states, \(\varSigma \) is an alphabet, \(\delta \subseteq V\times \varSigma \times V\) is a transition relation, \(u_0\in V\) is an initial state, and \(\alpha :\delta \rightarrow \mathbb {N}\) is a priority function that assigns natural numbers to transitions (assigning priorities to transitions rather than states yields a slightly more succinct notion of automata while retaining the computational properties of standard parity automata [22]). For \((v,a)\in V\times \varSigma \), we write \(\delta (v,a)=\{u\mid (v,a,u)\in \delta \}\). The index \(\mathsf {idx}(\mathcal {A})=\max \{\alpha (t)\mid t\in \delta \}\) of a parity automaton \(\mathcal {A}\) is its maximal priority. A run \(\rho =v_0v_1\ldots \) of \(\mathcal {A}\) on an infinite word \(w=a_0 a_1\ldots \in \varSigma ^\omega \) starting at \(v\in V\) is a (possibly infinite) sequence of states \(v_i\) such that \(v_0=v\) and for all \(i\ge 0\), \(v_{i+1}\in \delta (v_i,a_i)\). We see runs \(\rho \) or words w as functions from natural numbers to states \(\rho (i)=v_i\in V\) or letters \(w(i)=a_i\in \varSigma \). For a run \(\rho \) on a word w, we define the according sequence \(\mathsf {trans}(\rho )\) of transitions by \(\mathsf {trans}(\rho )(i)=(\rho (i),w(i),\rho (i+1))\). We denote the set of all runs of \(\mathcal {A}\) on a word w starting at v by \(\mathsf {run}(\mathcal {A},v,w)\), or just by \(\mathsf {run}(\mathcal {A},w)\) if \(v=u_0\). A run \(\rho \) of \(\mathcal {A}\) on a word w is accepting if the highest priority that occurs infinitely often in it (notation: \(\max (\mathsf {Inf}(\alpha \circ \mathsf {trans}(\rho )))\); we generally write \(\mathsf {Inf}(s)\) for the set of elements occurring infinitely often in a sequence s) is even. A parity automaton \(\mathcal {A}\) accepts an infinite word w if \(\mathsf {run}(\mathcal {A},w)\) contains an accepting run, and we denote by \(L(\mathcal {A})\subseteq \varSigma ^\omega \) the set of all words that are accepted by \(\mathcal {A}\).

Given a state \(v\in V\) and a letter \(a\in \varSigma \), we define \(\delta |_{v,a}=\{(v,a,u)\mid u\in \delta (v,a)\}\). Given a set \(\gamma \subseteq \delta \) of transitions, a state \(v\in V\), a set of states \(U\subseteq V\) and a letter \(a\in \varSigma \), we put \(\gamma (U,a)=\bigcup \{\gamma (v,a)\mid v\in U\}\); given a finite word \(w=a_0\ldots a_n\), we then recursively define \(\gamma (v,w)=\gamma (\gamma (v,a_0),a_1\ldots a_n)\), obtaining the set of all states reachable from v when reading w while only using transitions from \(\gamma \). For \(U\subseteq V\), \(\gamma \subseteq \delta \) and \(w\in \varSigma ^*\), we put \(\gamma (U,w)=\bigcup \{\gamma (u,w)\mid u\in U\}\). Furthermore, we define the set of states that are reachable from a node \(v\in V\) using transitions from \(\gamma \) as \(\mathsf {reach}_\gamma (v)=\bigcup \{\gamma (v,w)\mid w\in \varSigma ^*\}\); we extend this notation to sets of nodes, putting \(\mathsf {reach}_{\gamma }(U)=\bigcup \{\mathsf {reach}_{\gamma }(u)\mid u\in U\}\) for \(U\subseteq V\). If \(\gamma =\delta \), then we omit the subscripts. A state \(v\in V\) is said to be deterministic (in \(\gamma \subseteq \delta \)) if it has at most one (\(\gamma \)-)successor for each letter \(a\in \varSigma \). A set \(U\subseteq V\) is deterministic (in \(\gamma \subseteq \delta \)) if every state \(v\in U\) is deterministic (in \(\gamma \)). The automaton \(\mathcal {A}\) is said to be deterministic if V is deterministic; the transition relation in deterministic automata hence is a partial function (since such automata can be transformed to equivalent automata with total transition function, this definition suffices for purposes of determinization). We put \(\alpha (i)=\{t\in \delta \mid \alpha (t)= i\}\) and \(\alpha _\le (i)=\{t\in \delta \mid \alpha (t)\le i\}\).

A Büchi automaton is a parity automaton with only the priorities 1 and 2; the set of accepting transitions then is \(F=\alpha (2)\) and a run is accepting if it passes infinitely many accepting transitions. For Büchi automata, we assume w.l.o.g. that every transition \(t\in F\) is part of a cycle. We use the abbreviations (N/D)PA, (N/D)BA to denote the different types of automata.

Our notion of limit-determinism of automata is defined as a semantic property:

If \(\mathcal {A}\) is a BA, then we have \(\max (\mathsf {Inf}(\alpha \circ \mathsf {trans}(\rho )))=2\) for every accepting run \(\rho \); as \(\alpha _\le (2)=\delta \), the above definition instantiates to requiring the existence of a number i such that for all \(j\ge i\), \(\delta (\rho (j),w(j))=\{\rho (j+1)\}\).

Note that the union of all l-compartments is \(\mathsf {reach}_{\alpha _\le (l)}(\pi _3[\alpha (l)])\). Compartments allow for a syntactic characterization of limit-determinism:

Lemma 3 specializes to BA as follows: we have \(\alpha (0)=\emptyset \), \(\alpha _\le (2)=\delta \) and \(\alpha (2)=F\), so that the union of all 0-compartments is empty and that of all 2-compartments is \(\mathsf {reach}(\pi _3[F])\); thus a BA is limit-deterministic if and only if \(\mathsf {reach}(\pi _3[F])\) is deterministic. Such Büchi automata are also called semi-deterministic [3].

2.2 Determinizing Limit-Deterministic Büchi Automata

The Safra/Piterman construction [19, 20] determinizes Büchi automata by means of so-called Safra trees, i.e. trees whose nodes are labelled with sets of states of the input automaton such that the label of a node is a proper superset of the union of all its children’s labels. Additionally, the nodes are ordered by their age and upon each transition between Safra trees, the ages of the oldest nodes that are active and/or removed during this transition determine the priority of the new Safra tree. In its original formulation, the Safra/Piterman construction adds new child nodes to the graph that are labelled with the accepting states in their parent’s label. We observe that this step can be modified slightly – without affecting the correctness of the construction – by letting every accepting state from the parent’s label receive its own separate child node; then the labels of newly created nodes are always singletons. Limit-determinism of the input automaton then implies that the node labels also remain singletons. Since singleton nodes do not have children in Safra trees, this leads to the collapse of their tree structure; the resulting data structure is essentially a partial permutation, i.e. a non-repetitive list, of states (ordered by their age). The arising modified Safra/Piterman construction for the limit-deterministic case boils down to the following method, which (a) has a relatively short presentation and a simpler correctness proof than the full Safra/Piterman construction, and (b) results in asymptotically smaller automata; the underlying idea of the construction has first been described in the context of controller synthesis for LTL [6].

Example 9

Consider the limit-deterministic BA \(\mathcal {A}\) depicted below and the determinized DPA \(\mathcal {B}\) that is constructed from it by applying the method. We see by Lemma 3 that \(\mathcal {A}\) is really limit-deterministic: we have \(F=\{(1,b,3)\}\), i.e. the b-transition from state 1 to state 3 (depicted with a boxed transition label) is the only accepting transition; thus we have \(Q=\mathsf {reach}(\pi _3[F])=\{1,3\}\) (so \(\overline{Q}=\{0,2\}\)), and the states 1 and 3 are deterministic. Moreover, \(L(\mathcal {A})=L(\mathcal {B})=a(a|b)^+(a^+ b)^\omega \).

Open image in new window

Notice that in \(\mathcal {B}\), there is a b-transition with priority 1 from the initial state to the sink state \((\emptyset ,[\,])\) and an a-transition to \((\{0,2\},[1])\); as \(1\in Q\) but \(1\notin F\), this transition has priority 1. A further b-transition leads from 1 to 3 in \(\mathcal {A}\); in \(\mathcal {B}\), we have a b-transition from \((\{0,2\},[1])\) to \((\{2\},[3])\) and since \((1,b,3)\in F\), the first position in the permutation component is active during this transition so that the transition has priority 4. Yet another b-transition loops from \((\{2\},[3])\) to \((\{2\},[3])\). Since there is no b-transition starting at state 3, the first element in the permutation is removed in Step 1. of the construction. Since there is a b-transition from 2 to 3, it is added to the permutation again in Step 4. of the construction. Crucially, however, the priority of the transition is 5, since the first item of the permutation has been (temporarily) removed. The intuition is that the trace of 3 ends when the letter b is read; even though a new trace of 3 immediately starts, we do not consider it to be the same trace as the previous one. Thus the transition obtains priority 5 so that it may be used only finitely often in an accepting run of \(\mathcal {B}\), i.e. accepting runs contain an uninterrupted trace that visits state 3 infinitely often. Thus two or more consecutive b’s can only occur finitely often in any accepted word.

2.3 Determinizing Limit-Deterministic Parity Automata

To determinize limit-deterministic PA, it suffices to transform them to equivalent limit-deterministic BA and determinize the BA. This transformation from PA to BA is achieved by a construction which is inspired by Theorems 2 and 3 in [14]; we add the observation that the construction preserves limit-determinism.

By Theorem 7, \(\mathcal {D}\) can be determinized to a DPA \(\mathcal {E}\) of size at most (nk)!e, with at most \(nk+2\) priorities and with \(L(\mathcal {D})=L(\mathcal {E})\).

3.1 The \(\mu \)-Calculus

Formulas are evaluated over Kripke structures \(\mathcal {K}=(W,(R_a)_{a\in A},\pi )\), consisting of a set W of states, a family \((R_a)_{a\in A}\) of relations \(R_a\subseteq W\times W\), and a valuation \(\pi :P\rightarrow \mathcal {P}(W)\) of the propositions. Given an interpretation \(i:\mathfrak {V}\rightarrow \mathcal {P}(W)\) of the fixpoint variables, define \({[\![\psi ]\!]}_i\subseteq W\) by the obvious clauses for Boolean operators and propositions, \([\![X]\!]_i=i(X)\), \([\![\langle a\rangle \psi ]\!]_i=\{v\in W\mid \exists w\in R_a(v).w\in [\![\psi ]\!]_i\}\), \([\![[a]\psi ]\!]_i=\{v\in W\mid \forall w\in R_a(v).w\in [\![\psi ]\!]_i\}\), \([\![\mu X.\,\psi ]\!]_i =\mu [\![\psi ]\!]^X_i\) and \([\![\nu X.\,\psi ]\!]_i =\nu [\![\psi ]\!]^X_i\), where \(R_a(v)=\{w\in W\mid (v,w)\in R_a\}\), \([\![\psi ]\!]^X_i(G) = [\![\psi ]\!]_{i[X\mapsto G]}\), and \(\mu \), \(\nu \) take least and greatest fixpoints of monotone functions, respectively. If \(\psi \) is closed, then \([\![\psi ]\!]_i\) does not depend on i, so we just write \([\![\psi ]\!]\). We denote the Fischer-Ladner closure [16] of a formula \(\phi \) by \(\mathbf {F}(\phi )\), or just by \(\mathbf {F}\), if no confusion arises; intuitively, \(\mathbf {F}\) is the set of formulas that can arise as subformulas when unfolding each fixpoint operator in \(\phi \) at most once. We note \(\mathbf {F}\le |\phi |\) [16].

The aconjunctive fragment [15] of the \(\mu \)-calculus is obtained by requiring that for all conjunctions that occur as a subformula, at most one of the conjuncts contains an active \(\mu \)-variable. In the weakly aconjunctive fragment [24], this requirement is loosened to the constraint that all conjunctions that occur as a subformula and contain an active \(\mu \)-variable are of the shape \(\psi \wedge \Diamond \psi _1\wedge \ldots \wedge \Diamond \psi _n\wedge \Box (\psi _1\vee \ldots \vee \psi _n)\), where \(\psi \) does not contain active \(\mu \)-variables. For instance, for all n, the formula \(\eta X_n\ldots \mu X_1. \nu X_0. \bigvee _{0\le i\le n} (q_i\wedge \Diamond X_i)\) is aconjunctive (and equivalent to the weakly aconjunctive formula obtained by replacing \(\Diamond X_i\) with \(\Diamond X_i\wedge \Diamond \top \wedge \Box (X_i\vee \top )\)). The permutation satisfiability games that we introduce work for the more expressive weakly aconjunctive fragment.

To track fixpoint formulas through pre-tableaux, we will use deferrals, that is, the decomposed form of formulas that are obtained by unfolding fixpoint literals.

E.g. the substitution \(\sigma =[Y\mapsto \mu Y.\,(\Box X\wedge \Diamond \Diamond Y)];[X\mapsto \theta ]\) sequentially unfolds the irreducible closed formula \(\theta =\nu X.\,\mu Y.\,(\Box X\wedge \Diamond \Diamond Y)\), and \((\Diamond Y)\sigma =\Diamond \mu Y.\,(\Box \theta \wedge \Diamond \Diamond Y)\) is a \(\theta \)-deferral. A fixpoint literal is irreducible if it is not an unfolding \(\psi [X\mapsto \eta X.\,\psi ]\) of a fixpoint literal \(\eta X.\,\psi \); in particular, every clean irredundant fixpoint literal is irreducible.

As a technical tool, we define a measure for the depth of alternation at which a deferral resides inside the fixpoint to which it belongs:

3.2 Limit-Deterministic Tracking Automata

As a first step towards deciding the satisfiability of a weakly aconjunctive \(\mu \)-calculus formula \(\phi \), we now construct a tracking automaton that takes branches of (that is, infinite paths through) standard pre-tableaux for \(\phi \) as input and accepts a branch if and only if it contains a least fixpoint formula whose satisfaction is deferred indefinitely on that branch. To this end, we import the following notions of threads and tableaux from [10]:

We import from [10] the well-known fact that the existence of tableaux in the sense defined above characterizes satisfiability. In [10], the result is shown for the more general unguarded \(\mu \)-calculus; we note that the restriction to guarded formulas does not invalidate the theorem.

Given a formula \(\phi \), we define the alphabet \(\varSigma _{\phi }\) to consist of letters that each identify a rule \(R\in \mathcal {R}\), a principal formula from \(\mathbf {F}\) and one of the conclusions of R. E.g. the letter \(((\vee ),0,p\vee \Diamond q)\) identifies the application of the disjunction rule to a principal formula \(p\vee \Diamond q\) and the choice of the left conclusion; thus this letter identifies the transition from \(p\vee \Diamond q\) to p by use of rule \((\vee )\). We note \(|\varSigma _{\phi }|\in \mathcal {O}(|\phi |)\). Further, we denote the set of all words that encode some branch and some bad branch in some pre-tableau for \(\phi \) by \(\mathsf {Branch}(\phi )\) and \(\mathsf {BadBranch}(\phi )\), respectively.

As a crucial result, we now show that limit-deterministic automata are expressive enough to exactly recognize the bad branches in pre-tableaux for weakly aconjunctive formulas.

Example 18

We consider the aconjunctive formula

$$\begin{aligned} \phi =\mu X.(\;p\wedge \nu Y.\;(\Diamond (Y\wedge p)\vee \Diamond X)) \end{aligned}$$

which expresses the existence of a finite or infinite path on which p holds everywhere. We have the \(\phi \)-deferrals \(\phi \epsilon \), \(\psi :=(p\wedge \nu Y.\;(\Diamond (Y\wedge p)\vee \Diamond X))\sigma _1\), \(\theta :=(\nu Y.\;(\Diamond (Y\wedge p)\vee \Diamond X))\sigma _1\), \(\chi :=(\Diamond (Y\wedge p)\vee \Diamond X)\sigma _2\), \((\Diamond (Y\wedge p))\sigma _2\), \(\tau :=(Y\wedge p)\sigma _2\), \(Y\sigma _2\), \(\Diamond X\sigma _2\) and \(X\sigma _2\), where \(\sigma _1=[X\mapsto \phi ]\) and \(\sigma _2=[Y\mapsto \psi ];\sigma _1\). We consider a pre-tableau \(P_\phi \) for \(\phi \) and like in the proof of Lemma 17, we construct the limit-deterministic tracking automaton \(\mathcal {A}_\phi \), depicted below:

Open image in new window

The priorities in \(\mathcal {A}_\phi \) are derived as follows: As \(\mathsf {ad}(\phi )=2\) is even, we put \(k=\mathsf {ad}(\phi )+1=3\); since \(\mathsf {al}(\phi )=\mathsf {al}(\psi )=1\), \(\alpha (\phi ,(\mu ),\psi )=\alpha (\Diamond \phi ,(\Diamond ),\phi )=k-\mathsf {al}(\phi )=2\) and since \(\mathsf {al}(p)=0\), \(\alpha (\psi ,(\wedge ),p)=\alpha (\varsigma ,(\wedge ),p)=k-\mathsf {al}(\phi )=3\). All other formulas have alternation level 2 and transitions to them obtain priority 1. The tracking automaton accepts exactly those branches in \(P_\phi \) that start at node 1 and take the loop through node 9 infinitely often; in these branches, \(\phi \) can be tracked forever and evolves to \(\phi \) infinitely often, i.e. their dominating formula is the least fixpoint formula \(\phi \). All other branches loop through node 7 without passing node 9 from some point on; their dominating fixpoint formula is \(\theta \), a greatest fixpoint formula. We observe that due to the aconjunctivity of \(\phi \), \(\mathcal {A}_\phi \) is limit-deterministic since the only two nondeterministic states \(\psi \) and \(\varsigma \) each have only one outgoing \((\wedge )\)-transition with priority less than \(k=3\).

Given a weakly aconjunctive formula \(\phi \), we use Lemma 17 to construct a limit-deterministic tracking automaton \(\mathcal {A}_\phi \) with \(L(\mathcal {A}_\phi )\cap \mathsf {Branch}(\phi )=\mathsf {BadBranch}(\phi )\). Then we put Lemma 11 to use to obtain an equivalent BA in which all states from \(Q=\mathsf {reach}(\pi _3[F])\) are levelled deferrals, i.e. pairs \((\psi ,q)\) consisting of a deferral \(\psi \) and a number \(q\le \lceil \frac{k}{2}\rceil \), the level of the pair \((\psi ,q)\); the level q encodes the odd alternation level \(2q-1\). A levelled deferral \((\psi ,q)\) is active if \(\mathsf {al}(\psi )=2q-1\) and the automaton accepts branches which contain a levelled deferral that is active infinitely often without being finished. The set \(\overline{Q}\) is just a subset of \(\mathbf {F}\). Next we use Theorem 7 to transform this BA to a DPA \(\mathcal {B}_\phi \) with \(L(\mathcal {A}_\phi )=L(\mathcal {B}_\phi )\). We complement \(\mathcal {B}_\phi \) to a DPA \(\mathcal {C}_\phi =(W,\varSigma _{\phi },\delta ,\phi ,\alpha )\) by decreasing the priority of each state in \(\mathcal {B}_\phi \) by one; we have \(L(\mathcal {C}_\phi )=\overline{L(\mathcal {B}_\phi )}\), that is, \(\mathcal {C}_\phi \) accepts exactly those words that encode only ‘good’ branches, if they encode some branch in some pre-tableau for \(\phi \). By construction, \(|W|\in \mathcal {O}((nk)!)\) and \(\mathcal {C}_\phi \) has at most \(nk+1\) priorities, and (recalling Definitions 6 and 10) the states in the carrier W of \(\mathcal {C}_\phi \) are of the shape (U, l), where U is a subset of \(\mathbf {F}\) and l is a partial permutation of levelled deferrals. For a transition \(t=((U,l),r,(V,l'))\) with \((U,l),(V,l')\in W\), \(r\in \varSigma _{\phi }\), if \(\alpha (t)=2(n-a)+1\), then a is the lowest number such that \(\mathsf {al}(\phi )=2q-1\), where \(l'(a)=(\phi ,q)\) and the a-th element of l is not removed by the transition t (i.e. \(\alpha (t)\) references the oldest levelled deferral in \(l'\) that is active but not removed by the transition t) and if \(\alpha (t)=2(n-r)+2\), then \(\alpha (t)\) is the index of the oldest levelled deferral \((\phi ,2q-1)\) that is finished (i.e. removed from l) in the transition t of the automaton \(\mathcal {C}_\phi \), which means that the according r-transition in \(\mathcal {A}_\phi \) makes \(\phi \) leave its \(2q-1\)-compartment. For a state \(v=(U,l)\), we define the label \(\Gamma (v)\) of v as \(\Gamma (v)=U\).

3.3 Permutation Games

The deterministic parity automaton \(\mathcal {C}_\phi \) can now be combined with applications of tableau rules from \(\mathcal {R}\) to form a satisfiability game for \(\phi \). We proceed to recall the definition of parity games and some ensuing basic notions. A parity game is a graph \(\mathcal {G}=(V,E,\alpha )\) that consists of a set of nodes V, a set of edges \(E\subseteq V\times V\) and a priority function \(\alpha :E\rightarrow \mathbb {N}\), assigning priorities to edges. We assume Open image in new window , that is, every node in V either belongs to player \(\mathsf {Eloise}\) (\(V_\exists \)) or to player \(\mathsf {Abelard}\) (\(V_\forall \)). A play \(\rho \) of \(\mathcal {G}\) is a (possibly infinite) sequence \(v_0v_1\ldots \) such that for all \(i\ge 0\), \(v_i\in V\) and \((v_i,v_{i+1})\in E\). A play \(\rho \) of \(\mathcal {G}\) is won by \(\mathsf {Eloise}\) if and only if \(\rho \) is finite and ends in a node that belongs to \(\mathsf {Abelard}\) or \(\rho \) is infinite and \(\max (\mathsf {Inf}(\alpha \circ \mathsf {trans}(\rho )))\) is even (where \(\mathsf {trans}(\rho )\) is defined by \(\mathsf {trans}(\rho )(i)=(\rho (i),\rho (i+1))\)); \(\mathsf {Abelard}\) wins a play \(\rho \) if and only if \(\mathsf {Eloise}\) does not win \(\rho \). A (memoryless) strategy Open image in new window assigns moves to states. A play \(\rho \) conforms to a strategy s if for all \(\rho (i)\in \mathsf {dom}(s)\), \(\rho (i+1)=s(\rho (i))\). \(\mathsf {Eloise}\) has a winning strategy for a node v if there is a strategy \(s:V_\exists \rightarrow V\) such that every play of \(\mathcal {G}\) that starts at v and conforms to s is won by \(\mathsf {Eloise}\); we have a dual notion of winning strategies for \(\mathsf {Abelard}\). The winning regions \(\mathsf {win}_\exists (\mathcal {G})\) and \(\mathsf {win}_\forall (\mathcal {G})\) are the sets of those nodes for which \(\mathsf {Eloise}\) and \(\mathsf {Abelard}\) have winning strategies, respectively. Solving a parity game \(\mathcal {G}\) (locally) for a particular node \(v\in V\) amounts to computing the winner of v.

Now we are ready to define permutation games for weakly aconjunctive formulas \(\phi \), using the DPA \(\mathcal {C}_\phi =(W,\varSigma _{\phi },\delta ,\phi ,\alpha )\) from the previous section.

Due to the relatively simple structure and the asymptotically smaller size of the determinized automata \(\mathcal {C}_\phi \), the resulting permutation games are somewhat easier to construct and can be solved asymptotically faster than the structures created by standard satisfiability decision procedures for the full \(\mu \)-calculus (e.g. [5, 10]) which employ the full Safra/Piterman-construction; note however, that our method is restricted to the weakly aconjunctive fragment.

The winning strategies for \(\mathsf {Eloise}\) or \(\mathsf {Abelard}\) in these games define models for or refutations of the respective formulas, so that we have