Playing Safe, Ten Years Later

We consider two-player games over graphs and give tight bounds on the memory size of strategies ensuring safety objectives. More specifically, we show that the minimal number of memory states of a strategy ensuring a safety objective is given by the size of the maximal antichain of left quotients with respect to language inclusion. This result holds for all safety objectives without any regularity assumptions. We give several applications of this general principle. In particular, we characterize the exact memory requirements for the opponent in generalized reachability games, and we prove the existence of positional strategies in games with counters.


Introduction
Graph games provide a mathematical framework to model reactive systems (we refer to [GTW02] for a survey on the topic, and to [FBB + 23] for a recent textbook). We focus here on the synthesis problem to motivate the question we consider, which is to characterize the amount of memory required in games with safety objectives.
The synthesis problem. The inputs of the synthesis problem are a system and a specification. The expected output is a controller for the system that ensures the specification. We describe here a classical and well-studied approach to solve the synthesis problem through game theory. We model the system as a graph, whose vertices represent states and edges represent transitions. Its evolution consists in interactions between a controller and an environment, which is turned into a game on the graph between two players, Eve and Adam. If in a given state the controller can choose the evolution of the system, then the corresponding vertex is controlled by Eve. If the system evolves in an uncertain way, we consider the worst-case scenario, where Adam controls those states. A pebble is initially placed on the vertex representing the initial state of the system, then Eve and Adam move this pebble along the edges. The sequence built describes a run of the system: Eve tries to ensure that it satisfies the specification. So, in order to synthesize a controller, we are interested in whether Eve can ensure this objective and what resources she needs. In particular, the most salient question is: what is the size of a minimal controller satisfying the specification? Since a controller is here given by a strategy for Eve, this is equivalent to

Our contribution. In this paper, our goal is to characterize the memory requirements of (arbitrary) safety winning objectives. The reader with a background in game theory may be surprised, as it is well known that "safety games are positionally determined", implying that the quantity above is constantly equal to one. The subtlety is that our setting is (much) more general than the classical notion of safety games: in a safety game, the goal is to avoid a set of forbidden edges, while a safety objective defines a set of forbidden prefixes independently of the arena. We show the following general principle: for a safety winning objective W, the minimal number of memory states of a winning strategy is exactly the cardinality of a maximal antichain of left quotients of W.
We refer to Section 4 for the missing definitions. Note that this result holds for all safety winning objectives, without any regularity assumption. The characterisation above holds for graphs of finite degree; we can state and prove a variant lifting this assumption, but assuming instead that the set of left quotients is well founded with respect to inclusion. We state our main results in Section 3, and prove them in Section 4. We give several examples and applications in Section 5. For instance, the characterisation allows us to determine the memory requirements for the opponent in generalized reachability games, and to prove the existence of positional strategies in games with counters. This journal version additionally discusses related works in Section 6, many of them published after the conference version of this article [CFH14] in 2014.

Definitions
The games we consider are played on an arena A = (V, (V ∃ , V ∀ ), E, c), consisting of a (finite or infinite) graph (V, E), a partition (V ∃ , V ∀ ) of the vertex set V : a vertex in V ∃ belongs to Eve and in V ∀ to Adam, and a coloring function c : E → A mapping edges to a color from a finite alphabet A. When drawing arenas, we will use circles for vertices owned by Eve and squares for those owned by Adam.Throughout this paper, we make the cosmetic assumption that graphs do not have dead-ends: for every vertex v ∈ V , there exists an edge (v, v ′ ) ∈ E.

Game.
A play π is an infinite word of edges e_0 · e_1 ··· that are consecutive: for all i, e_i = (·, v) ∈ E and e_{i+1} = (v, ·) ∈ E for some v ∈ V. The prefix of length k of π is denoted π_k. A play π induces an infinite sequence of colors c(π), obtained by applying the coloring function c component-wise. We define winning objectives for a player by giving a set of infinite sequences of colors W ⊆ A^ω. As we are interested in zero-sum games, i.e. games where the winning objectives of the two players are opposite, if the winning objective for Eve is W, then the winning objective for Adam is A^ω \ W. A game is a pair G = (A, W) where A is an arena and W a winning objective.

Strategy.
A strategy for a player is a function that prescribes, given a finite history of the play, the next move. Formally, a strategy for Eve is a function σ : Strategies for Adam are defined similarly, and usually denoted τ. Once a game G = (A, W), a starting vertex v_0 and strategies σ for Eve and τ for Adam are fixed, there is a unique play π(v_0, σ, τ), which is said to be winning for Eve if its image by c belongs to W.
A strategy σ for Eve is winning from v_0 if for all strategies τ for Adam, π(v_0, σ, τ) is winning. We say that Eve wins the game G from v_0 if she has a winning strategy from v_0, and denote by W_E(G) the set of vertices from which Eve wins; we often say that v ∈ W_E(G) is winning. We define similarly W_A(G) for Adam to be the set of vertices from which Adam wins.
Memory. A memory structure is a deterministic state machine that reads the sequence of edges and abstracts the relevant information into a memory state. Formally, a memory structure M = (M, m_0, µ) for an arena consists of a set M of memory states, an initial memory state m_0 ∈ M and an update function µ : M × E → M. The update function takes as input the current memory state and the chosen edge and computes the next memory state. It can be extended to a function µ* : E* → M by defining µ*(ε) = m_0 and µ*(π · e) = µ(µ*(π), e). Given a memory structure M and a next-move function ν : V_∃ × M → E, we can define a strategy σ for Eve by σ(π · v) = ν(v, µ*(π · v)). A strategy with memory structure M has finite memory if M is a finite set, and we write |M| for the size of M. It is memoryless, or positional, if M is a singleton: the strategy then only depends on the current vertex. Hence a memoryless strategy can be described as a function σ : V_∃ → E.
An arena and a memory structure induce an expanded arena where the current memory state is computed online.Formally, the arena A = (V, (V ∃ , V ∀ ), E, c), the memory structure M for A and a new coloring function c From a memoryless strategy in A × M, we can build a strategy in A using M as memory structure, which behaves as the original strategy.This key observation will be used several times in the paper.

Statements of the Results
In this section, we consider a safety objective W (to be defined in this section) and compute the following quantity:
Figure 1. Memory is necessary for safety objectives: to avoid seeing both a and b, Eve must choose the same letter as Adam did in the first move, which requires two memory states.
In words, mem(W ) is the necessary and sufficient number of memory states for constructing a winning strategy in games with objective W . Equivalently: • upper bound: for all games G = (A, W ), if Eve has a winning strategy from an initial vertex v 0 , then she has a winning strategy using at most mem(W ) memory states, • lower bound: there exists a game G = (A, W ) and an initial vertex v 0 where Eve has a winning strategy, but no winning strategy using less than mem(W ) memory states.Note that we place no restrictions on the size of the games involved: they may be infinite.We explain now why our study of games with safety objectives is (much) more general than the classical notion of safety games.
Consider an arena A: a safety condition is given by a subset B ⊆ E of forbidden edges, inducing the winning condition

Let A be a set of colours. A safety objective is given by a subset P ⊆ A* of forbidden prefixes of colors, inducing the winning objective

For each arena A equipped with a colouring function c : E → A, this induces the winning condition

In other words, a condition is defined directly on an arena, while an objective is defined independently of the arena on the sequence of colours, and induces a condition for each arena equipped with a colouring function. As an example, consider the safety objective Safe(P) over the colours A = {a, b, c} where P specifies that a and b cannot both be seen along a play. This cannot be expressed by a safety condition, and mem(Safe(P)) ≥ 2, as shown in Figure 1.

Lemma 3.1 (Folklore). Let G be a game with a safety condition, and v_0 an initial vertex. If Eve has a winning strategy, then she has a positional winning strategy.
Safety objectives form a very expressive class of objectives, as we will demonstrate in Section 5. The notion of safety objective originates from topological studies of the set of infinite words: the safety objectives are exactly the closed sets of the Cantor topology on A^ω, i.e. the class Π^0_1 of the corresponding Borel hierarchy (the open sets being the class Σ^0_1).
Let us fix a safety objective W = Safe(P ) induced by P ⊆ A * .Let w ∈ A * , define its left quotient as: We denote Res(W ) the set of left quotients of W .We mention some special left quotients: the initial one, ε −1 W (equal to W ), and the empty one, obtained as w −1 W for any w ∈ P .As a small abuse of notations, from now on by "left quotient" we mean "non-empty left quotient of W ". From a left quotient w −1 W and a letter a ∈ A, we define (w −1 W ) • a as (w • a) −1 W : it is easy to check that this is well defined (independent of the representant w chosen).Recall that Res(W ) is finite if and only if W is regular, and in such case it can be used to describe the set of states of the minimal deterministic automaton recognizing W .
Before stating our main results, we need some order-theoretic definitions. The width of a partially ordered set (X, ≤) is the cardinality of a maximum antichain of X with respect to ≤, i.e. the largest cardinality of a set of pairwise incomparable elements. Recall that an antichain is a subset of X such that any two distinct elements are incomparable, and a chain is a subset of X such that any two elements are comparable. We say that (X, ≤) is well founded if every non-empty chain contains a minimal element.
We write mem fin-deg (W ) for the quantity defined as mem(W ) but restricting to arenas of finite degree: for every vertex, there are finitely many outgoing edges.
Theorem 3.2. For all safety objectives W, We present in Section 5 an example, the outbidding games, showing that the well-foundedness assumption is necessary.
An objective W is half-positional if mem(W ) = 1.In the case of safety objectives, we obtain the following characterization: Corollary 3.3.For all safety objectives W , W is half-positional over arenas of finite degree if and only if the inclusion is a linear order over Res(W ).
If furthermore (Res(W ), ⊆) is well-founded, then W is half-positional (over all arenas) if and only if the inclusion is a linear order over Res(W ).

Proofs
A First Upper Bound. Lemma 4.1. For all safety objectives W = Safe(P), for all games G = (A, W), if Eve has a winning strategy from an initial vertex v_0, then she has a winning strategy using at most |Res(W)| memory states. Consequently, mem(W) ≤ |Res(W)|.

Proof. We construct a memory structure M as follows: M = (Res(W), W, µ), where µ(w^{-1} W, e) = (w^{-1} W) · c(e). At any point in the game, the memory state computed by M is the current left quotient. Let A be an arena. We construct the expanded arena A × M equipped with the coloring function c′ : E × Res(W) → {0, 1} defined by: We attach to A × M the safety condition induced by B = {0}, giving rise to the game G × M = (A × M, Safe(B)). First observe that by construction, the plays in A × M are of the form (e_0, c(e It follows that a winning strategy for Eve in G from v_0 induces a winning strategy in G × M from (v_0, W). Now, thanks to Lemma 3.1, since Eve wins in G × M, she has a positional winning strategy. This induces a winning strategy in G using M as memory structure, concluding the proof of Lemma 4.1.
The game G × M defined above will be an important tool in the proofs to follow.We will also rely on the following remark: assume we want to prove that a strategy σ is winning.Then it is enough to show that for all plays π consistent with σ, for all k, c(π k ) −1 W ̸ = ∅, where π k is the prefix of π of length k.This simple observation follows from the definition of safety objectives.
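The construction of Lemma 4.1 is entirely effective when the objective is regular: the product game G × M is a plain safety game, solved by the usual attractor fixpoint, and the positional strategy found there is replayed in G with the quotient automaton as memory. The following Python script is an added example and not code from the paper. It uses the objective of Figure 1 (a and b must never both be seen) on a small arena constructed for the purpose; the arena, vertex names and function names are this example's own assumptions. It also checks the lower bound of Figure 1 by trying every positional strategy of Eve in the arena, using the memory structure only to evaluate the objective, which is the remark made above.

```python
# Added example (not from the paper): Lemma 4.1 on a small constructed arena.
# Objective: over colours {a, b, c}, a and b must never both be seen (Figure 1).
# The memory structure is the left-quotient automaton of the objective; a
# positional winning strategy in the product game G x M is read back as a
# strategy with memory in G.  Arena, vertex names and functions are this
# example's own assumptions.
from itertools import product

DEAD = "dead"                 # the empty left quotient: the play is lost
M0 = frozenset()              # initial memory state, the quotient W itself


def update(m, colour):
    """Memory update mu: the left quotient after reading one more colour."""
    if m == DEAD:
        return DEAD
    seen = m | ({colour} & {"a", "b"})
    return DEAD if seen == {"a", "b"} else seen


# Constructed arena: Adam moves first from v0, Eve answers from v1, then the
# play loops on v2 reading c forever.  Edges are (source, target, colour).
ARENA = {
    "eve": {"v1"},            # Eve's vertices; all others belong to Adam
    "edges": [("v0", "v1", "a"), ("v0", "v1", "b"),
              ("v1", "v2", "a"), ("v1", "v2", "b"),
              ("v2", "v2", "c")],
}


def solve_product(arena, v0):
    """Eve's winning region in G x M (a safety game: never reach DEAD memory)
    and a positional strategy on it, via Adam's attractor of the DEAD states."""
    succ, todo = {}, [(v0, M0)]
    while todo:                                   # explore the reachable product
        s = todo.pop()
        if s in succ:
            continue
        succ[s] = [(e, (e[1], update(s[1], e[2]))) for e in arena["edges"] if e[0] == s[0]]
        todo += [t for _, t in succ[s]]
    attr = {s for s in succ if s[1] == DEAD}
    changed = True
    while changed:                                # Adam's attractor fixpoint
        changed = False
        for s in set(succ) - attr:
            outs = [t for _, t in succ[s]]
            eve = s[0] in arena["eve"]
            if (eve and all(t in attr for t in outs)) or (not eve and any(t in attr for t in outs)):
                attr.add(s)
                changed = True
    winning = set(succ) - attr
    strategy = {s: next(e for e, t in succ[s] if t in winning)
                for s in winning if s[0] in arena["eve"]}
    return winning, strategy


def plays_are_safe(arena, v0, choose):
    """True iff no play from v0 consistent with Eve's choice function
    choose(vertex, memory) -> edge ever reaches the empty quotient.  The
    memory is used here only to evaluate the objective along the play."""
    seen, todo = {(v0, M0)}, [(v0, M0)]
    while todo:
        v, m = todo.pop()
        if m == DEAD:
            return False
        outs = [choose(v, m)] if v in arena["eve"] else [e for e in arena["edges"] if e[0] == v]
        for _, t, colour in outs:
            nxt = (t, update(m, colour))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True


def memory_strategy_wins(arena=ARENA, v0="v0"):
    """Lemma 4.1: the positional product strategy, played with the quotient
    automaton as memory, wins in G from v0."""
    winning, strategy = solve_product(arena, v0)
    return (v0, M0) in winning and plays_are_safe(arena, v0, lambda v, m: strategy[(v, m)])


def some_positional_strategy_wins(arena=ARENA, v0="v0"):
    """Lower bound of Figure 1: try every positional strategy of Eve in G."""
    eve_edges = {v: [e for e in arena["edges"] if e[0] == v] for v in arena["eve"]}
    for choice in product(*eve_edges.values()):
        pos = dict(zip(eve_edges, choice))
        if plays_are_safe(arena, v0, lambda v, m: pos[v]):
            return True
    return False
```

On this arena the product strategy uses the three quotients W, a^{-1} W and b^{-1} W as memory, which is |Res(W)|; the width of (Res(W), ⊆) is 2, and the refinement of Lemma 4.2 below would only keep the two minimal winning quotients at v1, since W is never needed there.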
A Tighter Upper Bound.The memory structure M is not optimal.A first remark is that the empty left quotient (which exists if W ̸ = A ω ) can be removed from the memory states as the game is lost.This is why by "left quotient" we mean "non-empty left quotient of W ".
The second remark is the following: let L_1 and L_2 be two left quotients of W such that L_1 ⊆ L_2. With the same notations as above, consider a vertex v in the arena A. If Eve wins from (v, L_1) in G × M, then she also wins from (v, L_2): indeed, she can play as she would have played from (v, L_1). Since this ensures from v that all plays are winning for L_1, a fortiori they are winning for L_2.
This suggests to restrict the memory states only to minimally winning left quotients with respect to inclusion.Two issues arise: • which left quotients are winning depends on the current vertex, so the semantics of a memory state can no longer be one left quotient, but rather a left quotient for each possible vertex, • there may not exist minimally winning left quotients.
For the sake of presentation, we first show how to deal with the first issue, assuming the second issue does not appear. Specifically, in the following lemma we assume that Res(W) is finite (i.e. W is regular), which implies the existence of minimally winning left quotients. We will later drop this assumption. Lemma 4.2 (Upper bound in the regular case). Let W be a safety objective such that Res(W) is finite.
For all games G = (A, W ), if Eve has a winning strategy from an initial vertex v 0 , then she has a winning strategy using at most K memory states, where K is the width of (Res(W ), ⊆).

The key intuition is the following: our goal is to construct a strategy σ such that for a vertex v, we associate to every memory state i a left quotient L_i(v) ensuring that in a play π consistent with σ, L_i(v) is an under-approximation of c(π

Proof. We use the same notations as in the proof of Lemma 4.1, and construct a smaller memory structure together with a winning strategy using this memory structure. In this proof, by winning we mean winning in the game G × M. Let K be the cardinality of a maximum antichain of left quotients of W. We construct a memory structure M* = ({1, ..., K}, 1, µ), and a strategy σ induced by the next-move function ν.
Let v be a vertex in A. We consider the set of minimal left quotients L such that (v, L) is winning.(Here we use the finiteness of Res(W ) to guarantee the existence of such left quotients.)This is an antichain, so there are at most K of them, we denote them by L 1 (v), . . ., L p (v), for some p ≤ K.The key property is that for every left quotient L such that (v, L) is winning, there exists i such that L i (v) ⊆ L. Furthermore, we choose L 1 (v 0 ) such that L 1 (v 0 ) ⊆ W . (Indeed, by assumption (v 0 , W ) is winning.) We define the update function: is winning, and we will prove that this will always be the case when playing the strategy σ.
We define the next-move function ν (inducing σ).Let v ∈ V ∃ , and consider (v, L i (v)): since Eve wins from there, there exists an edge We show that the strategy σ is winning.Consider a play π = (v 0 , v 1 ) • (v 1 , v 2 ) • • • consistent with σ, and i 0 • i 1 • • • the sequence of memory states assumed along this play.Denote π k the prefix of π of length k, we prove that for all k, L i We proceed by induction.For k = 0, it follows from ) is winning.It follows that the update function is well defined, and , which together with the induction hypothesis implies is winning, and the same reasoning concludes.
It follows that the strategy σ is winning, concluding the proof of Lemma 4.2.
We now get rid of the regularity assumption. This means that for a vertex v, there may not be a minimal left quotient L such that (v, L) is winning. We present two ways to get around this difficulty: either an assumption on W, or an assumption on the games. Lemma 4.3 (Upper bound under the well-foundedness assumption). Let W be a safety objective such that (Res(W), ⊆) is well-founded.
For all games G = (A, W ), if Eve has a winning strategy from an initial vertex v 0 , then she has a winning strategy using at most K memory states, where K is the width of (Res(W ), ⊆).
Consequently, mem(W ) is smaller than or equal to the width of (Res(W ), ⊆).We first show that Eve has a winning strategy from v 0 , using K memory states.It consists in choosing the i th option whenever Adam chooses the word w i : whatever Adam chooses at the third step, w i • u i,j ∈ W .
We now show that there exists no winning strategy using less than K memory states.Indeed, such a strategy will not comply with the above strategy and for some i ̸ = j, choose the j th option if Adam chooses w i .Then Adam wins by playing u j,i , since Theorem 3.2 easily follows from combining the upper bound and lower bound lemmas.

Examples and Applications
In this section, we instantiate Theorem 3.2 on different examples. We choose four examples:
• The outbidding objective shows the difference between graphs with finite degree and graphs with infinite degree; in particular, it gives a counterexample to Lemma 4.4 when the finite degree assumption is dropped,
• The energy objective is a non-regular half-positional safety objective,
• The generalized safety objective is a regular safety objective for which the partially ordered set of left quotients has a nice well-known combinatorial structure,
• The boundedness objective is a central piece in the theory of regular cost functions.
When representing the partial order (Res(W ), ⊆) for a given W , we use the following convention: a black edge from L to L ′ means that L ⊆ L ′ , and a dotted edge labeled a from L to L ′ means that L ′ = L • a, so the dotted structure is the minimal (although possibly infinite) deterministic automaton recognizing W .

Outbidding Games. Let

It is a non-regular safety objective, called the outbidding objective. Figure 3 represents the partial order (Res(W), ⊆). Its width is three: there are two incomparable infinite increasing sequences of left quotients, ((a^n)^{-1} W)_{n∈N} and ((b · a^n)^{-1} W)_{n∈N}, and c^{-1} W.

Hence thanks to Theorem 3.2, mem_fin-deg(W) = 3. However, there exists an outbidding game where Eve wins but needs infinite memory. This does not contradict Theorem 3.2, as this game, represented in Figure 4, has a vertex of infinite degree. It goes as follows: first Adam picks a number n, and then Eve takes over: she has to pick a number p higher than or equal to n. A finite memory strategy can only choose from finitely many options, hence cannot win against all strategies of Adam.

Figure 4. An outbidding game with infinite degree where Eve needs infinite memory to win.

Energy Games. The setup for the energy objective is the following: assume we are monitoring a resource. We denote by A the set of actions on this resource; an action is any monotonic function f : N → N, as for instance:
• consuming one unit of the resource,
• reloading by one unit,
• emptying the resource,
• consuming half of the current energy level.
Define the energy objective by W = {w = w_0 w_1 ··· | the energy level remains always non-negative}. It is a non-regular safety objective. Energy games and several variants have been extensively studied [BFL + 08, CD12, CdAHS03]. Figure 5 represents the partial order (Res(W), ⊆) with only two actions: a reloads by one unit, and b consumes one unit. In general, if the actions are monotonic, then the left quotients are totally ordered by inclusion, so thanks to Theorem 3.2 we have mem_fin-deg(W) = 1.

Corollary 5.1 [BFL + 08]. Energy games are half-positional.

Figure 5. The energy objective: always more a's than b's.

Generalized Safety Games. This example originates from the study of generalized reachability games [FH10, FH13]. A generalized reachability objective is a (finite) conjunction of reachability objectives. Here we take the opponent's vantage point: a generalized safety objective is a (finite) disjunction of (internal) safety objectives. Specifically, let A = {⊥, 1, ..., k}: each letter is a color, and
$$W = \{\, w \in A^\omega \mid \exists i \in \{1, \ldots, k\},\ \forall n,\ w_n \neq i \,\},$$
i.e. W is satisfied if at least one color is not seen along the play. It is a safety objective. Figure 6 represents the partial order (Res(W), ⊆) for k = 3. The left quotients are all the strict subsets of {1, ..., k}: the quotient after a prefix is determined by the set of colors seen so far, and a larger set of seen colors gives a smaller quotient. The width of this partial order is $\binom{k}{\lfloor k/2 \rfloor}$, by Sperner's theorem from combinatorics. Furthermore, for all k, there exists a generalized safety game with k colors where Eve has a winning strategy using $\binom{k}{\lfloor k/2 \rfloor}$ memory states, but none using fewer memory states.

Games with Counters. This example originates from the theory of regular cost functions [Col13]. Let N ∈ N, and define the boundedness objective W_N involving a counter as objectives [Ohl21, Ohl22, Ohl23]. The proof of the characterisation is indeed very close to the techniques we present here: universal graphs form a generic way of reducing to safety games. The characterisation has then been extended to finite memory by Casares and Ohlmann [CO23].

The subsequent works most related to the present results are by Bouyer, Casares, Randour and Vandenhove [BCRV22], and by Bouyer, Fijalkow, Randour and Vandenhove [BFRV23]. The first gives a characterization of half-positional objectives recognized by deterministic Büchi automata, and the second gives characterizations of chromatic memory requirements for open and closed objectives, as well as complexity-theoretic results about computing these requirements. Both are technically rooted in the very ideas developed in this paper. In particular, Dilworth's theorem and the use of covering chains (developed in Lemma 4.4) are at the heart of the characterization given in [BFRV23].

Technically unrelated but close in spirit, the article [BLT22] establishes the existence of finite-memory optimal strategies from topological properties of objectives. There are major differences with our work: their framework is different (they study concurrent games that are not played on graphs), and their aim is to establish the existence of finite-memory optimal strategies for many objectives, not to understand precisely the memory requirements of some class of objectives.

Conclusion and Perspectives
We considered general safety objectives and characterized their memory requirements. Specifically, the memory requirement of a safety objective W is the width of the partially ordered set (Res(W), ⊆). This is the first general result characterizing the memory requirements of some non-regular objectives based on their topological properties. Back in 2014, we hoped that this would be a stepping stone for obtaining characterizations of memory requirements for other classes of objectives. As discussed in the related works section, this hope has materialised, with many results along this line. We now only hope that there will be more: the long-term goal is indeed to characterise memory requirements for all ω-regular objectives, a research programme started by Kopczyński around 2006 [Kop09], far from over, and more active than ever.