THE EXISTENCE OF GR(1) CONTRACTS WITH FULL INFORMATION

10.2 Memoryless contracts

10.2.1 One-sided counterexample

The example shown in Fig. 10.1 has the main feature that leads to inexistence of memoryless GR(1) contracts. The figure shows a game between two play- ers, each player chooses the outgoing edge from nodes of the same shape. The objective is to find a GR(1) contract for the two players, so that together they implement φ ≜ 23s₆. We start by trying to find a (generalized) Streett(1) liveness goal for the disk player that relaxes 23s₆, because 23s₆ is unrealiz- able by the disk player. This turns out to be impossible: for each candidate persistence goal 32P, either

• (32P)∨23s₆ is unrealizable by the disk player, or

• 32P is realizable by the disk player (and, clearly,P contains a cycle that omitss₆—the onlyP that contains a cycle withs₆ includes all nodes, so is equivalent totrue).

In more detail, 23s₆ alone is unrealizable. Any P that does not contain any cycle yields a property (32P)∨23s6 that is equivalent to 23s6 (due to the safety constraints that represent the game graph). The smallest cycles are C₁ ≜{s₀,s₁} and C₂ ≜ {s₂,s₃}. Thus any persistence set P that contains a cycle contains at least one of these two cycles. Thus, whenever (32P)∨23s₆ is weaker than 23s₆ (so possibly realizable), 32P is realizable too, i.e., the disk player can choose to remain forever in C₁ or forever in C₂, instead of repeatedly visiting s₆.

More formally (the below proof sketch and the proof in [65] take a different approach than the outline above)²

2The symbol −^sr▷ is shorthand for (2ρe ∧We) −^sr▷ (2ρs∧Ws) ≜ 2(

(⃝∼2⁻ρe) ⇒ ρs

)∧

G

Attr1(s5∨s6)

Attr₀(G) s₂

s₀ s₁ s₃ s₄ s₅ s₆

s₇

Figure 10.2: Two-sided counter-example where a GR(1) contract does not exist. Compare to Fig. 10.1.

Proposition 3. Assume: Define the transition relations ρ₀, ρ₁ by the game graph of Fig. 10.1, the set of nodes V ≜{s0, . . . ,s7}, and the goal JGK≜{s6} of player 0. Prove: For all sets JPK⊆V , with ψ₁ ≜(2ρ₀)−^sr▷(

2ρ₁∧23P) andψ₀ ≜(

2ρ₁∧23P) _sr

−▷(

2ρ₀∧23G)

, it isJWin(0, ψ₀)K∩JWin(1, ψ₁)K=∅. Proof Sketch: For any P that does not intersect {s0, . . . ,s3}, player 1 cannot win, because player 0 can force, and keep, the play outside of P. For similar reasons,P should intersect each of{s₀,s₁}and {s₂,s₃}. IfP intersects {s₀,s₁} and {s₂,s₃}, then player 1 can win by always moving from s₄ to s₁, when the play comes to s₄. This forces a visit to either both s₀ and s₁, or boths₂ ands₃. So, for noP do both players have a winning strategy. A proof can be found in [65].

10.2.2 General counterexample

Assigning the goal 23s₆ to the box player in Fig. 10.1 reveals that there is a GR(1) contract (32(s₀ ∨s₁ ∨s₂ ∨s₃)∨23s₆ for the box player, and 23(s4∨s5∨s6 ∨s7) for the disk player).

By adding two edges to Fig. 10.1, we obtain the example of Fig. 10.2. There is no safety-preserving GR(1) contract for this example. A proof sketch is as follows. Assume that all recurrence goals of both players have the form23R, where R contains nodes other than {s₆,s₇}. If so, then

̸|= (φ₁∧φ₂)⇒φ

because all the recurrence goals in φ₁ ∧φ₂ are satisfiable by a behavior that cycles through all nodes in {si : i ∈ 0..5}, and forever avoids s6. Similarly, any nontrivial realizable persistence goal omits s₆.

((2ρe∧We)⇒Ws)≡(2ρe)−^sr▷(

2ρs∧(Ws ⇒We)) .

Thus, at least one component specification,φ₁ or φ₂, must include 23s₆ as a conjunct (or the equivalent 23(s₆∨s₇)). So it suffices to reason only about specifications where either one of the players has the goal 23s₆. Additional recurrence goals only strengthen the specifications, and we split cases by real- izability of the persistence goals.

The goal 23s₆ is unrealizable without a relaxation by persistence goals. Each relaxation is either unrealizable, or if realizable, then some nontrivial persis- tence goal is realizable, which avoidss6. The root cause is the same as for the one-sided example. For the box player, getting pasts₅ requires assuming that

“waiting” in a set of nodes that includes s₅ will lead to an eventual response by the disk player. However, such a waiting set (persistence goal) would have to contain {s₂,s₃,s₄}. The box player can remain forever in this set. Similar observations apply to the disk player. Therefore, a GR(1) contract does not exist for this example.

The claims of both the one-sided and the two-sided examples for the goal23s6

assigned to each player have been checked by a machine, using a GR(1) solver (the Python module omega.games.gr1), and multiple parametric persistence goals 32P₁∨32P₂ ∨. . .∨32P₆₄ (the parameters are BDD bits that are not quantified during computations).

10.2.3 What about refinement by realizable parts?

What if we replaced the requirement (φ₁∧φ₂)⇒φwith the corresponding re- alizable parts? A behaviorσsatisfies the realizable partR(φ₁) of the property φ₁ if there exists some implementation of φ₁ that gives rise to this behavior (under some environment behavior). We show below that memoryless GR(1) contracts do not exist even if we relax the requirement in this way, using the example of Fig. 10.2.

Assume that ̸|= (φ₁∧φ₂)⇒φ but

(R(φ₁)∧ R(φ₂))⇒φ

(a contract requires realizability, and thus R(φ₁) and R(φ₂) are not false).

Pick two strategies f,g that realize φ₁ and φ₂, respectively. If either f or g realizes a goal 32P that implies 32¬s₆, then we are done showing that the implication fails.

G s₂

s₀ s₁ s3 s₄ s5 s₆

s₇ loop that never visits node s6

Figure 10.3: Two strategies that violate φ, thus showing that in case ̸|= (φ₁∧ φ₂)⇒φ, conjoining realizable parts does not ensure that φis implemented.

Otherwise φ1 ∧φ2 contains recurrence goals that are satisfied by a behavior that satisfies32¬s6(by the assumption above). Construct two new strategies p,q for each player, by the following procedure:

• Stategy p for the disk player chooses the edge s5 ∧s^′₂ and alternates between s1∧s^′₀ and s1∧s^′₂ on each visit to s1, unless for 100 steps the recurrence goals withinφ₁ are not visited. If so, thenp switches to using f, otherwise it renews counting steps.

• Strategy q for the box player alternates between s4 ∧s^′₅ and s4∧s^′₁ on each visit tos4, and switches to g under similar conditions to p.

The strategies p and q will never switch to f and g, because the recurrence goals in φ1 ∧φ2 are all visited within 100 steps, by visiting all the nodes {s_i : i ∈ 0..5}. Thus

̸|= (R(φ₁)∧ R(φ₂))⇒φ,

which is a contradiction. In other words, if ̸|= (φ₁ ∧φ₂) ⇒ φ, then any two strategies that implement φ₁ and φ₂ can happen to “conspire” so that when assembled, the resulting behavior violates φ, as shown in Fig. 10.3.

10.3 Stateful contracts