Model Checking the Quantitative mu-Calculus on Linear Hybrid Systems

We study the model-checking problem for a quantitative extension of the modal mu-calculus on a class of hybrid systems. Qualitative model checking has been proved decidable and implemented for several classes of systems, but this is not the case for quantitative questions that arise naturally in this context. Recently, quantitative formalisms that subsume classical temporal logics and allow the measurement of interesting quantitative phenomena were introduced. We show how a powerful quantitative logic, the quantitative mu-calculus, can be model checked with arbitrary precision on initialised linear hybrid systems. To this end, we develop new techniques for the discretisation of continuous state spaces based on a special class of strategies in model-checking games and present a reduction to a class of counter parity games.


Introduction
Modelling discrete-continuous systems by a hybrid of a discrete transition system and continuous variables which evolve according to a set of differential equations is widely accepted in engineering. While model-checking techniques have been applied to verify safety, liveness and other temporal properties of such systems [1,14,15], it is also interesting to infer quantitative values for certain queries. For example, one may not only want to check that a variable of a system does not exceed a given threshold, but also to compute the maximum value of the variable over all runs, checking whether any such threshold exists.
Thus far, quantitative testing of hybrid systems has only been done by simulation, and hence lacks the strong guarantees which can be given by model checking. In recent years, there has been a strong interest in extending classical model-checking techniques and logics to the quantitative setting. Several quantitative temporal logics have been introduced, see e.g. [5,6,7,8,10,11,17], together with model-checking algorithms for simple classes of systems, such as finite transition systems with discounts. Still, none of those systems allowed for dynamically changing continuous variables. We present the first model-checking algorithm for a non-stochastic quantitative temporal logic on a class of hybrid systems. The logic we consider, the quantitative µ-calculus [8], is based on a formalism first introduced in [6]. It properly subsumes the standard µ-calculus, cf. [4], and thus also CTL and LTL. Therefore the present result, namely that it is possible to model check the quantitative µ-calculus on initialised linear hybrid systems, properly generalises a previous result on model checking LTL on such systems [14,15], which is one of the strongest model-checking results for hybrid systems.
The restriction to initialised linear systems is made because verification of temporal properties over general hybrid systems is undecidable. This holds even for linear systems, thus one must pick an appropriate abstraction of the system. An established and very well-studied way to do this is to first approximate the continuous behaviour of the variables by linear behaviour in a finite number of intervals. This method, applied to a number of functions f_1(x), ..., f_m(x) that evolve according to a set of arbitrary differential equations D(f_1, ..., f_m), generates a set of disjoint intervals I_1, ..., I_k with I_1 ∪ ... ∪ I_k = R and a set of linear coefficients a_i^j, b_i^j such that in I_j it is approximately true that f_i(x) = a_i^j • x + b_i^j, i.e. the derivative df_i/dt = a_i^j. There are several ways to generate such linear approximations of solutions of differential equations and, depending on the method in question, one can obtain various kinds of error bounds for the respective classes of functions. We do not investigate these issues (or other approximation methods) here, but focus instead on the linear system obtained.
As stated above, even simple qualitative verification problems are undecidable for general hybrid systems. This remains true even after the natural approximation by a linear system. Hence, one more assumption is made, namely that if the speed of evolution of a variable changes between discrete locations, then the variable is reset on that transition. Systems with this property, called initialised linear systems, are, besides o-minimal systems [16,3] and their recent extensions [18], one of the largest classes of hybrid systems with decidable temporal logic [15]. Observe that when an arbitrary hybrid system is approximated by a linear one, one can try to directly obtain an initialised system by computing boundary values [13]. This can be done either by ensuring that discrete transitions are taken only at the borders of the intervals I_j, or by taking a finer subdivision of the intervals to increase the precision of coordination between the discrete and the continuous part of the system. Note that, even though this procedure has been implemented in model-checking programs, it is only a heuristic: it necessarily fails for general systems for which the model-checking problem is undecidable.
The logic we study is quantitative: it allows us to express properties involving suprema and infima of the values of the considered variables during runs that satisfy various temporal properties, e.g. to answer "what is the maximal temperature on a run during which a safety condition holds?". To model check formulae of the quantitative µ-calculus, we follow the classical parity-game-based approach and adapt some of the methods developed in the qualitative case and for timed systems. To our surprise, these methods turned out not to be sufficient and did not easily generalise to the quantitative case. As we will show below, the quantitative systems we study behave in a substantially different way than their qualitative counterparts. We overcome this problem by working directly with a quantitative equivalence relation, roughly similar to the region graph for timed automata, and finally by exploiting a recent result on counter parity games.
Organisation. The organisation of this paper follows the reductions needed to model check a formula ϕ over a hybrid system K. In Section 2, we introduce the necessary notation, the systems and the logic. Then, we present an appropriate game model in Section 3 and show how to construct a model-checking game G for the system and the formula. In Section 4, we transform the interval games constructed for arbitrary initialised linear hybrid systems to flat games, where the linear coefficients are always 1. In Section 5, we show how the strategies can be discretised and still lead to a good approximation of the original game. Finally, in Section 6, we reduce the problem to counter parity games and exploit a recent result to solve them. To sum up, the steps taken are depicted below.

Hybrid Systems and Quantitative Logics
We denote the real and rational numbers and integers extended with both ∞ and −∞ by R_∞, Q_∞ and Z_∞, respectively. We write I(R) for the set of intervals with endpoints in R.

Definition 2.1. A linear hybrid system over M variables, K = (V, E, {P_i}_{i∈J}, λ, δ), is based on a directed graph (V, E), consisting of a set of locations V and transitions E ⊆ V × V. The labelling function λ : E → P_fin(L_M) assigns to each transition a finite set of labels. The set L_M of transition labels consists of triples l = (I, C, R), where the vector C represents the constraints each of the variables needs to satisfy for the transition to be allowed, the interval I ∈ I(R_∞^≥0) represents the possible period of time that elapses before the transition is taken, and the reset set R contains the indices of the variables that are reset during the transition, i.e. i ∈ R means that y_i is set to zero. For each i of the finite index set J, the function P_i : V → R_∞ assigns to each location the value of the static quantitative predicate P_i. The function δ : V → R^M assigns to each location and variable y_i a coefficient a_i such that the variable evolves in this location according to the equation dy_i/dt = a_i. Please note that although we do not explicitly have any invariants (or constraints) in locations, we can simulate them by choosing either the time intervals or variable constraints on the outgoing transitions accordingly. If the values of predicates and labels range over Q_∞ or Z_∞ instead of R_∞, we talk about linear hybrid systems over Q and Z, respectively.
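The components of Definition 2.1 can be rendered as a small data structure. The following Python sketch (the class and method names are our own, not part of the paper) checks whether waiting dt time units and then taking a labelled transition is allowed, applying the rates δ, the constraints C and the resets R:

```python
from dataclasses import dataclass

INF = float("inf")

@dataclass(frozen=True)
class Label:
    interval: tuple      # I: (lo, hi), time that may elapse
    constraints: tuple   # C: one (lo, hi) interval per variable
    resets: frozenset    # R: indices of variables reset to zero

@dataclass
class LHS:
    rates: dict   # location v -> tuple of coefficients a_i, i.e. delta(v)
    edges: dict   # (v, w) -> list of Labels, i.e. lambda((v, w))

    def step(self, state, edge, dt, label):
        """Wait dt in loc(state), then take `edge` under `label`; None if not allowed."""
        v, y = state
        lo, hi = label.interval
        if edge[0] != v or not (lo <= dt <= hi):
            return None
        # variables evolve linearly: dy_i/dt = a_i
        y2 = [yi + self.rates[v][i] * dt for i, yi in enumerate(y)]
        if any(not (c[0] <= y2[i] <= c[1])
               for i, c in enumerate(label.constraints)):
            return None
        return (edge[1],
                tuple(0.0 if i in label.resets else y2[i]
                      for i in range(len(y2))))

# A toy system: one clock (rate 1) in v0, a transition to v1 that may be
# taken within [0, 1] time units and resets the clock.
toy = LHS(rates={"v0": (1.0,)},
          edges={("v0", "v1"): [Label((0.0, 1.0), ((-INF, INF),),
                                      frozenset({0}))]})
lbl = toy.edges[("v0", "v1")][0]
```

Here `step` computes one element of succ(s); a run in the sense of the paper is a sequence of such steps starting from the all-zero valuation.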
The state of a linear hybrid system K is a location combined with a valuation of all M variables, s = (v, y_1, ..., y_M). A run of a linear hybrid system starting from location v_0 is a sequence of states s_0, s_1, ... such that s_0 = (v_0, 0, ..., 0) and s_{i+1} ∈ succ(s_i) for all i. Given two states s and s′ ∈ succ(s) and a reset set R ⊆ {1, ..., M}, we denote by s′ −_R s the increase of the non-reset variables that occurred during the transition, i.e. (s′ −_R s)_i = y′_i − y_i for all i ∉ R.
Definition 2.2. A linear hybrid system K is initialised if for each (v, w) ∈ E and each variable y_i it holds that if the evolution rate of y_i differs between v and w, i.e. δ(v)_i ≠ δ(w)_i, then i ∈ R for every label (I, C, R) ∈ λ((v, w)). Intuitively, an initialised system cannot store the value of a variable whose evolution rate changes from one location to another.
Figure 1: Leaking gas burner LHS L = (V, E, P, λ, δ) (not initialised)

Example 2.3. To clarify the notions we use, we consider a variant of a standard example for a linear hybrid system, the leaking gas burner.
Our version is depicted in Figure 1. This system represents a gas valve that can leak gas to a burner, so it has two states: v_0, where the valve is open (and leaking gas), and v_1, where it is closed. This is also indicated by a qualitative predicate P that has the value ∞ if the gas is leaking (in location v_0) and −∞ otherwise. The system has two variables. The first variable, y_0, is a clock measuring the time spent in each location, and is reset on each transition, i.e. after each discrete system change. The variable y_1 is a stop watch and measures the total time spent in the leaking location. Thus, this system is not initialised. The time intervals on the transitions control the behaviour of the system. On the transition (v_0, v_1) there are no restrictions on the variables, but we are only allowed to choose a time unit from [0, 1], i.e. we can stay at most one time unit in location v_0. On the transition (v_1, v_0) there is a restriction on the value of y_0: it has to have a value between 30 and 40 for this transition to be allowed, while there is no restriction on the choice of the time unit (of course, this could also be modelled the other way around). Intuitively, the time intervals indicate that the gas valve will leak gas for a time interval between 0 and 1 seconds, will then be stopped, and can only leak again after at least 30 time units.
In Figure 2, we show an initialised version of the leaking gas burner.The only difference is that y 1 is not a stop watch anymore but a normal clock.Since now both variables are just clocks (which means that their evolution rates are one everywhere), the system is trivially initialised.
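The behaviour of the initialised burner can be simulated directly. The following self-contained sketch is our own simplification of Figure 2 (in particular, we assume y_0 is reset on every transition, as stated for the original system); it checks the time-interval and constraint discipline along one run:

```python
def run_burner(choices):
    """Simulate one run of the initialised leaking gas burner.

    `choices` is the list of waiting times picked in successive locations,
    starting in v0. Returns the final location and the leak durations.
    """
    loc, y0, y1, leak_durations = "v0", 0.0, 0.0, []
    for dt in choices:
        y0, y1 = y0 + dt, y1 + dt          # both variables are clocks (rate 1)
        if loc == "v0":
            assert 0.0 <= dt <= 1.0, "can leak for at most 1 time unit"
            leak_durations.append(dt)
            loc, y0 = "v1", 0.0            # y0 is reset on the transition
        else:
            assert 30.0 <= y0 <= 40.0, "valve stays closed at least 30 units"
            loc, y0 = "v0", 0.0
    return loc, leak_durations

loc, leaks = run_burner([0.7, 35.0, 1.0])
```

A run violating a constraint (e.g. waiting only 10 units in v_1) raises an assertion error, mirroring a disallowed transition.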
2.1. Quantitative µ-Calculus. In this section, we present a version of the quantitative µ-calculus first introduced in [8]. The version we use here is additive and includes variables. It is evaluated on linear hybrid systems.

Definition 2.4. Given sets of fixpoint variables X, system variables {y_1, ..., y_M} and predicates {P_i}_{i∈J}, the formulae of the quantitative µ-calculus (Qµ) with variables are given by the EBNF grammar

ϕ ::= P_i | y_k | X_j | ¬ϕ | ϕ ∧ ϕ | ϕ ∨ ϕ | □ϕ | ♦ϕ | µX_j.ϕ | νX_j.ϕ,

where X_j ∈ X, y_k ∈ {y_1, ..., y_M}, and in the cases µX_j.ϕ and νX_j.ϕ, the variable X_j must appear positively in ϕ, i.e. under an even number of negations.
Let F = {f : S → R_∞}. Given an interpretation I : X → F, a variable X ∈ X, and a function f ∈ F, we denote by I[X ← f] the interpretation I′ such that I′(X) = f and I′(X′) = I(X′) for all X′ ≠ X.

Definition 2.5. Given a linear hybrid system K = (V, E, λ, {P_i}_{i∈J}, δ) and an interpretation I, a Qµ-formula yields a valuation function ϕ^K_I : S → R_∞ defined in the following standard way for a state s = (v^s, y_1^s, ..., y_M^s).
For formulae without free variables we write ϕ^K rather than ϕ^K_I. Please note that the inclusion of variables does not fundamentally change the semantics of the quantitative µ-calculus. The quantitative µ-calculus in [8] is evaluated on quantitative transition systems. Here, a formula is evaluated on the state graph of a linear hybrid system, rather than the system itself. Intuitively, a linear hybrid system is a compact representation of an infinite quantitative transition system (its state graph). Thus, many properties of the quantitative µ-calculus from [8] remain true. For example, to embed the classical µ-calculus in the quantitative µ-calculus one must interpret true as +∞ and false as −∞.
Example 2.6. The formula µX.(♦X ∨ y_1) evaluates to the supremum of the values of y_1 on all runs from some initial state, e.g. to ∞ if evaluated on the simple initialised leaking gas burner model. To determine the longest period of time during which the gas is leaking we use the formula µX.(♦X ∨ (y_0 ∧ P)), which evaluates to 1 on the initial state (v_0, 0) in our example.
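On a finite quantitative transition system, a least fixpoint such as µX.(♦X ∨ y) can be computed by the usual Knaster-Tarski iteration starting from −∞, where ∨ is maximum and ♦ takes the maximum over successors. The following sketch (the toy state space and y-values are invented for illustration) returns the supremum of y over reachable states, matching the reading of the first formula in Example 2.6:

```python
INF = float("inf")

def eval_mu_diamond(states, edges, y):
    """Least fixpoint of X = max(y, max over successors of X), from -inf."""
    val = {s: -INF for s in states}
    changed = True
    while changed:
        changed = False
        for s in states:
            succ = [val[t] for (u, t) in edges if u == s]
            new = max([y[s]] + succ)       # y(s) joined with diamond X
            if new > val[s]:
                val[s], changed = new, True
    return val

v = eval_mu_diamond({"a", "b", "c"},
                    {("a", "b"), ("b", "c")},
                    {"a": 0.0, "b": 2.0, "c": 1.0})
# v["a"] is the supremum of y along runs from "a"
```

The iteration is monotone and the value of each state is drawn from the finite set of y-values, so it terminates; this mirrors the semantics only for finite systems, whereas the paper's state graphs are infinite.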
The remainder of this paper is dedicated to the proof of the following main result, which shows that ϕ^K can be approximated with arbitrary precision on initialised linear hybrid systems.
Theorem 2.7. Given an initialised linear hybrid system K, a quantitative µ-calculus formula ϕ and an integer n > 0, it is decidable whether ϕ^K = ±∞, and otherwise a number r can be computed such that |ϕ^K − r| ≤ 1/n. In other words, for every ε we can approximate ϕ^K within ε. We formulated the theorem above using n because it makes the representation of ε precise, so we can provide a complexity bound: given on input the system K, the formula ϕ and n, we will show how to compute the number r (or output ±∞) in 8EXPTIME.

Interval Games
In this section, we define a variant of quantitative parity games suited for model checking Qµ on linear hybrid systems. As mentioned above, a linear hybrid system can be seen as a compact representation of an infinite quantitative transition system. Similarly, a parity game that is played on a linear hybrid system can be viewed as a compact, finite description of an infinite quantitative parity game, as defined in [8].
An interval parity game (IPG) G = (V_0, V_1, E, λ, δ, ι, Ω) is played on a linear hybrid system whose locations are partitioned into positions V_0 of Player 0 and V_1 of Player 1. The payoff function ι assigns to each position the index of a variable and a multiplicative and additive factor, which are used to calculate the payoff if a play ends in this position. The priority function Ω : V → {0, ..., d} assigns a priority to every position.
Please note that interval parity games are played on linear hybrid systems without any quantitative predicates, i.e. the set of predicates is empty and therefore omitted.
A state s = (v, y) ∈ V × R_∞^M of an interval game is a position in the game graph together with a variable assignment for all M variables. A state s′ is a successor of s if it is a successor in the underlying LHS, i.e. if s′ ∈ succ(s). We use the functions loc(s) = v and var(s) = y, var_i(s) = y_i to access the components of a state. For a real number r, we denote r • s = (v, r • var_1(s), ..., r • var_M(s)) and r + s = (v, r + var_1(s), ..., r + var_M(s)). We denote by S_i the set of states {s = (v, y) : v ∈ V_i} where Player i has to move, and S = S_0 ∪ S_1.
How to play. Every play starts at some position v ∈ V with all variables set to 0, i.e. the starting state is s_0 = (v, 0, ..., 0). For every state s = (v, y) ∈ S_i, Player i chooses an allowed successor state s′ ∈ succ(s) and the play proceeds from s′. If the play reaches a state s such that succ(s) = ∅, it ends; otherwise the play is infinite.
Intuitively, the players choose the time period they want to spend in a location before taking a specified transition.Note that in this game every position could possibly be a terminal position.This is the case if it is not possible to choose a time period from the given intervals in such a way that the respective constraints on all variables are fulfilled.
Payoffs. The outcome p(s_0 ... s_k) of a finite play ending in s_k = (v, y_1, ..., y_M), where ι(v) = (i, a, b), is a • y_i + b. To improve readability, from now on we will simply write ι(v) = a • y_i + b in this case. The outcome of an infinite play depends only on the lowest priority seen infinitely often in positions of the play. We assign the value −∞ to every infinite play where the lowest priority seen infinitely often is odd, and ∞ to those where it is even.
Goals.The two players have opposing objectives regarding the outcome of the play.Player 0 wants to maximise the outcome, while Player 1 wants to minimise it.
Strategies. A strategy for Player i ∈ {0, 1} is a function σ : S*S_i → S with σ(s_0 ... s_n) ∈ succ(s_n). A play π = s_0 s_1 ... is consistent with a strategy σ for Player i if s_{n+1} = σ(s_0 ... s_n) for every n such that s_n ∈ S_i. For strategies σ, ρ for the two players, we denote by π(σ, ρ, s) the unique play starting in state s which is consistent with both σ and ρ.
Determinacy. A game is determined if, for each state s, the highest outcome Player 0 can assure from this state and the lowest outcome Player 1 can assure coincide, i.e. if

sup_{σ∈Γ_0} inf_{ρ∈Γ_1} p(π(σ, ρ, s)) = inf_{ρ∈Γ_1} sup_{σ∈Γ_0} p(π(σ, ρ, s)),

where Γ_0, Γ_1 are the sets of all possible strategies for Player 0 and Player 1. The outcome thus achieved is called the value of G at s, denoted valG(s).
We say that an interval game is over Q or Z if both the underlying LHS and all constants in ι(v) are of the respective kind. Please note that this does not mean that the players have to choose their values from Q or Z, just that the endpoints of the intervals and the constants in the payoffs are in those sets.
Intuitively, in a play of an interval parity game, the players choose successors of the current state as long as possible.
Example 3.2. In Figure 3, we show a simple example of an interval parity game. Positions of Player 0 are depicted as circles and positions of Player 1 as boxes. To keep things simple, there is just one clock variable, y_0, all constraints are trivially true and the reset sets are empty, so we label the transitions only with the time intervals that the players can choose from. The priorities are depicted next to the nodes for non-terminal positions and the evaluation function above the terminal position (in general, also positions with outgoing edges could be terminal; however, in this example this is not possible as there are no constraints on the variable).
A play of this system starting at node v_0 could end after two moves in position v_2, if Player 1 decided to move there (he also has the choice to move down). The payoff of this play would then depend only on the choice that Player 0 made in the first move, for example 1/3 ∈ [0, 1/2]. Then the payoff would be 3 (as in this play, the second time interval only permits the choice 2).
If Player 1 moved down instead of ending the play and the play looped infinitely often in the cycle v_3, v_4, v_5 at the bottom, the least priority that occurs infinitely often would determine the outcome of the play; in this case it would be 0 at v_3 and therefore the payoff would be ∞.

We already mentioned that an interval parity game can be seen as a representation of a quantitative parity game; now we want to describe this formally. We use the notation from [8] and define, for an IPG with M variables G = (V_0, V_1, E, λ, δ, ι, Ω), the corresponding infinite quantitative parity game without discounts G*, played on the states of G. The notions of plays, strategies, values and determinacy for the IPG G are defined exactly as the ones for the quantitative parity game G* in [8]. In particular, it follows from the determinacy of quantitative parity games that interval parity games are determined as well.
3.1. Model-Checking Games for Qµ. A game (G, v) is a model-checking game for a formula ϕ and a system K, v′ if the value of the game starting from v is exactly the value of the formula evaluated on K at v′. In the qualitative case, this means that ϕ holds in K, v′ iff Player 0 wins in G from v. For a linear hybrid system K and a Qµ-formula ϕ, we construct an IPG MC[K, ϕ] which is the model-checking game for ϕ on K.
The full definition of MC[K, ϕ] closely follows the construction presented in [8] and is presented below.
Intuitively, the positions are pairs consisting of a subformula of ϕ and a location of K. Which player moves at which position depends on the outermost operator of the subformula. At disjunctions, Player 0 moves to a position corresponding to one of the disjuncts, and from (♦ϕ, v) to (ϕ, w) where (v, w) ∈ E_K; Player 1 makes analogous moves for conjunctions and □. From fixed-point variables the play moves back to the defining formula, and the priorities of positions depend on the alternation level of the fixed points, assigning odd priorities to least fixed points and even priorities to greatest fixed points.

Definition 3.3. For a linear hybrid system K = (V, E, {P_i}_{i∈J}, λ, δ) and a Qµ-formula ϕ in negation normal form, the interval game MC[K, ϕ], which we call the model-checking game for K and ϕ, is constructed in the following way, similar to the standard construction of model-checking games for the µ-calculus (cf. [8]).
Positions. The positions of the game are pairs (ψ, v), where ψ is a subformula of ϕ, and v ∈ V is a location of the LHS K. Positions (ψ, v) where the top operator of ψ is □, ∧, or ν belong to Player 1, and all other positions belong to Player 0. A state in the game is denoted by s = (p, y), where p = (ψ, v) is the position and y is the variable assignment of the location v in the underlying linear hybrid system K.
Moves. Positions of the form (P_i, v) and (y_i, v) are terminal positions. From positions of the form (ψ ∧ θ, v), resp. (ψ ∨ θ, v), one can move to (ψ, v) or to (θ, v). Positions of the form (♦ψ, v) have either a single successor (−∞) in case v is a terminal location in K, or one successor (ψ, v′) for every v′ ∈ vE. Analogously, positions of the form (□ψ, v) have a single successor (∞) if vE = ∅, or one successor (ψ, v′) for every v′ ∈ vE otherwise. The moves corresponding to system moves (v, v′) are labelled accordingly with λ((v, v′)); all other moves are labelled with the empty label ([0, 0], (−∞, ∞)^M, ∅), which indicates that no time passes, there are no constraints on the variables and no variable is reset. Fixed-point positions (µX.ψ, v), resp. (νX.ψ, v), have a single successor (ψ, v). Whenever one encounters a position where the fixed-point variable stands alone, i.e. (X, v′), the play goes back to the corresponding definition, to (ψ, v′).
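The position set and its ownership can be sketched as follows. The tuple-based formula encoding and operator names below are our own conventions for illustration, following the rule of Definition 3.3 that positions whose top operator is □, ∧ or ν belong to Player 1:

```python
OPS_PLAYER1 = {"box", "and", "nu"}   # Player 1 owns box, conjunction, nu

def positions(subformulas, locations):
    """Pairs (psi, v) mapped to their owner: 1 for box/and/nu, else 0."""
    pos = {}
    for psi in subformulas:          # each psi is an (op, ...) tuple
        for v in locations:
            pos[(psi, v)] = 1 if psi[0] in OPS_PLAYER1 else 0
    return pos

# subformulas of muX.(diamond X  or  (y0 and P)), encoded as nested tuples
phi = ("mu", "X", ("or", ("diamond", ("X",)), ("and", ("y", 0), ("P",))))
subs = [phi, phi[2], phi[2][1], ("X",), phi[2][2], ("y", 0), ("P",)]
owners = positions(subs, ["v0", "v1"])
```

Here (y, 0) and (P,) are the terminal positions; the conjunction positions belong to Player 1 and all others to Player 0, as in the leaking gas burner game of Example 3.4.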
Payoffs. The function ι assigns P_i(v) to all positions (P_i, v), ±∞ to all positions (±∞), and y_i to positions (y_i, v). To discourage the players from ending the game at any other position than a terminal one, ι assigns to all other positions the outcome −∞ for Player 0's positions and ∞ for Player 1's positions. The payoff p(π) of a play π is calculated using ι and the priorities as stated before.
Priorities. The priority function Ω is defined as in the classical case using the alternation level of the fixed-point variables, see e.g. [12]. Positions (X, v) get a lower priority than positions (X′, v′) if X has a lower alternation level than X′. The priorities are then adjusted to have the right parity, such that an even value is assigned to all positions (X, v) where X is a ν-variable and an odd value to those where X is a µ-variable. The maximum priority, equal to the alternation depth of the formula, is assigned to all other positions.

Example 3.4. We continue our example of the leaking gas burner and present in Figure 4 the model-checking game for the previously introduced system and formula. In this interval parity game, ellipses depict positions of Player 0 and rectangles those of Player 1. In this game, all priorities are odd (and therefore omitted), i.e. infinite plays are bad for Player 0. There is only one position with a constraint on variable y_0, and in only two positions a choice about the time that passes can be made. Both of these positions belong to Player 0 in this example and are labelled with the corresponding intervals below (and in both y_0 is also reset). In terminal nodes, either the variable y_0 or the predicate P is evaluated for the payoff (this choice can be made by Player 1 in this example). The value of the game is 1, as is the value of the formula on the system starting from either node, and an optimal strategy for Player 0 is picking 1 from [0, 1] and then leaving the cycle, whereby Player 1 is forced to choose between the evaluation of y_0 or P at v_1. Since he is minimising, he will choose to evaluate y_0.
It has been shown in [8] that quantitative parity games of any size are determined and that they are model-checking games for Qµ. These results translate to interval parity games and we can conclude the following.

Theorem 3.5. Every interval parity game is determined, and for every formula ϕ in Qµ, linear hybrid system K, and location v of K, it holds that valMC[K, ϕ]((ϕ, v)) = ϕ^K(v).

Proof. Determinacy of an interval parity game G follows directly from the determinacy of the infinite QPG G* used to define G.
Let ϕ be a Qµ-formula and K a linear hybrid system. Let S(K) = (S, E_S) be the state graph of K, where S is the set of all states, and (s, s′) ∈ E_S iff s′ ∈ succ(s) in K. Let K* = (S, E_S, P_{y_1}, ..., P_{y_M}) be the quantitative transition system with predicates P_{y_i}, where P_{y_i}((v, a)) = a_i. Let us also rewrite the formula ϕ into a formula without variables, ϕ*, by replacing each occurrence of y_i by the corresponding P_{y_i}.
Applying the model-checking Theorem 12 from [8], we conclude that for all v ∈ K* it holds that valMC[K, ϕ]*((ϕ*, v)) = ϕ*^{K*}(v), i.e. that MC[K, ϕ]* is the model-checking game for K* and ϕ*. Finally, by the definition of IPGs on the one hand and the semantics of Qµ on the other, it follows that for all locations v of K, valMC[K, ϕ]((ϕ, v)) = ϕ^K(v).

Basic Properties of Interval Games
In this section, we first give a brief example that illustrates the difference between interval games and timed games. Then, we show how to transform an initialised interval game over Q_∞ into an easier game over Z_∞ in which all evolution rates are one.
At first sight, interval games seem to be very similar to timed games. Simple timed games are solved by playing on the region graph and can thus be discretised. To stress that quantitative payoffs indeed make a difference, we present in Figure 5 an initialised interval parity game with the interesting property that it is not optimal to play integer values, even though the underlying system is over Z_∞. This simple game contains only one variable (a clock) and has no constraints on this variable on any of the transitions, so only the time intervals are shown. Also, as infinite plays are not possible, the priorities are omitted, as well as the indices of non-terminal positions (they are chosen to be unfavourable for the current player, so that she has to continue playing). The payoff rule specifies the outcome of a play π ending in v_2 as p(π) = y_0 − 1 and in v_3 as p(π) = −y_0. This game illustrates that it may not be optimal to play integer values, since choosing time 1/2 in the first move is optimal for Player 0. This move guarantees an outcome of −1/2, which is equal to the value of the game.

In this section, we show that for initialised games it is sufficient to look at easier games where all rates are one, similar to timed games but with more complex payoff rules. We call these games flat and show that for every initialised IPG we can construct a flat IPG with the same value. To do so, we have to consider the regions where the coefficients do not change and rescale the constraints and payoffs accordingly.
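The Figure 5 example can be checked numerically. In the sketch below we assume Player 0 picks the time t from [0, 1] (the exact interval in the figure is not fully recoverable from the text) and Player 1 then ends the play in v_2 (payoff y_0 − 1) or v_3 (payoff −y_0); a brute-force search over a grid locates the optimum:

```python
def flat_game_value(step=0.001):
    """Approximate max over t in [0,1] of min(t - 1, -t) on a grid."""
    best_t, best = None, -float("inf")
    n = int(1.0 / step)
    for k in range(n + 1):
        t = k * step
        outcome = min(t - 1.0, -t)   # Player 1 minimises between v2 and v3
        if outcome > best:
            best_t, best = t, outcome
    return best_t, best

t_opt, v = flat_game_value()
# t_opt is (numerically) 1/2 and v is -1/2, while any integer choice of t
# yields only -1, confirming that integer play is suboptimal here.
```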
For an interval I = [i_1, i_2], we denote by q • I and q + I the intervals [q • i_1, q • i_2] and [q + i_1, q + i_2] respectively, and analogously for open intervals.
For each initialised interval parity game G, there exists a flat game G′ with the same value.
Proof. Let G = (V_0, V_1, E, λ, δ, ι, Ω) be an initialised interval parity game with rates δ(v) = (a_1, ..., a_M) at a location v. We construct a corresponding flat game G′ = (V_0, V_1, E, λ′, δ′, ι′, Ω) in which every rate is one, every constraint on a variable y_i in a label of λ is divided by the rate a_i of y_i in the source location, and every payoff ι(v) = a • y_i + b is replaced by ι′(v) = (a_i • a) • y_i + b. Note that we only change the functions δ, λ and ι. We will show that for every play π from a starting state s consistent with strategies σ and ρ, we can construct strategies σ′, ρ′ such that π′(σ′, ρ′, s′) visits the same locations as π and p(π) = p(π′). Before we proceed with the proof, notice that it is essential that G is an initialised game. Intuitively, the value of y_i in G′ is the value of y_i in G divided by the coefficient a_i of the current position. When the position changes, it is thus crucial that a_i does not change, except if y_i is reset: exactly what is required from an initialised game.
The proof proceeds by induction on the length of the plays. First, if s_0 = (v_0, 0) is a state belonging to Player 0 and σ(s_0) = s_1 = (v_1, y), we set σ′(s′_0) = s′_1 = (v_1, w) with w_i = y_i / a_i. Since (s_0, s_1) is allowed in G, every constraint on y_i in λ(v_0, v_1) is satisfied, and hence the rescaled constraint is satisfied by w_i = y_i / a_i, so (s′_0, s′_1) is allowed in G′. Also, p(s_1) = ι(v_1) = a • y_i + b, and therefore the payoff is equal to p(s′_1) = ι′(v_1) = a_i • a • (y_i / a_i) + b. Let s_0 ... s_k and s′_0 ... s′_k be finite histories in G and G′ such that they visit the same locations and yield the same payoff. Then, if s_k = (v_k, y) is a state belonging to Player 0 and σ(s_k) = s_{k+1} = (v_{k+1}, t), we set σ′(s′_k) = s′_{k+1} = (v_{k+1}, w) with w_i = t_i / a_i, and the same argument as above applies. The cases for Player 1 are analogous. Note that, for infinite plays, we also have the same payoff, since for the payoff of infinite plays only the locations (and their priorities) matter. Since we can construct, for each pair of strategies in G, the corresponding strategies in G′, and those yield a play with the same payoff, the values of the two games are equal.
Consequently, from now on we only consider flat interval parity games and therefore omit the coefficients, as they are all equal to one.

Multiplying Interval Games.
Definition 4.3. For a flat IPG G = (V_0, V_1, E, λ, ι, Ω) and a value q ∈ Q, we denote by q • G the game in which all endpoints of the time intervals (open and closed), all constraints, and all additive values in the payoff function ι are multiplied by q. The values of q • G are also equal to the values of G multiplied by q.

Lemma 4.4. For every IPG G over Q_∞ and q ∈ Q, q ≠ 0, it holds in all states s that q • valG(s) = val(q • G)(q • s).
Proof. We denote by q • σ the strategy with q • σ(q • h) = q • s′ iff σ(h) = s′. The mapping of G with strategies σ and ρ for the two players to q • G with q • σ and q • ρ is a bijection (in the reverse direction take 1/q). We also have q • p(π) = p(q • π) for all finite plays π. Therefore, we know that inf_ρ q • p(π(σ, ρ, s)) = inf_{q•ρ} p(π(q • σ, q • ρ, q • s)), and the same holds for the supremum; thus we get the desired result.
Note that all multiplicative factors in ι are the same in G and in q • G. Moreover, if we multiply all constants in ι in a game G (both the multiplicative and the additive ones) by a positive value r, then the value of G is multiplied by r, by an argument analogous to the one above. Thus, if we first take r as the least common multiple of all denominators of multiplicative factors in ι and multiply all ι constants as above, and then take q as the least common multiple of all denominators of interval endpoints and additive factors in the resulting game and build q • G, we can conclude the following.

Corollary 4.5. For every finite IPG G over Q_∞, there exists an IPG G′ over Z_∞ and q, r ∈ Z such that valG(s) = valG′(q • s) / (q • r).
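The rescaling behind Corollary 4.5 can be sketched numerically: multiplying by the least common multiple q of all denominators turns every endpoint and constant into an integer, and by Lemma 4.4 the game value simply scales by q. The function name below is our own:

```python
from fractions import Fraction
from math import lcm

def integer_scale(rationals):
    """Return q = lcm of denominators and the values scaled to integers."""
    qs = [Fraction(x) for x in rationals]
    q = lcm(*[f.denominator for f in qs])
    return q, [int(f * q) for f in qs]

# e.g. interval endpoints and additive constants 1/2, 3/4 and 5
q, scaled = integer_scale(["1/2", "3/4", "5"])
# q == 4 and scaled == [2, 3, 20]
```

Dividing the value of the scaled game by q • r recovers the value of the original game, as the corollary states.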
From now on we assume that every IPG we investigate is a flat game over Z ∞ when not explicitly stated otherwise.

Discrete Strategies
Our goal in this section is to show that it suffices to use a simple kind of (almost) discrete strategies to approximate the value of flat interval parity games over Z_∞. To this end, we define an equivalence relation between states whose variables belong to the same Z intervals. This equivalence, resembling the standard methods used to build the region graph for timed automata, is a technical tool needed to compare the values of the game in similar states.
We use the standard meaning of ⌊r⌋ and ⌈r⌉, and denote by {r} the number r − ⌊r⌋ and by [r] the pair (⌊r⌋, ⌈r⌉). Hence, when writing [r] = [s], we mean that r and s lie between the same integers. Note that if r ∈ Z then [r] = [s] implies that r = s.

Definition 5.1. We say that two states s and t in an IPG are equivalent, s ∼ t, if they are in the same location, loc(s) = loc(t), and for all i, j ∈ {1, ..., K}: [var_i(s)] = [var_i(t)], and {var_i(s)} ≤ {var_j(s)} if and only if {var_i(t)} ≤ {var_j(t)}. Intuitively, all variables lie in the same integer intervals and the order of fractional parts is preserved. In particular, it follows that all integer variables are equal. The following technical lemma allows for the shifting of moves between ∼-equivalent states.

Lemma 5.2. Let s and s′ be two states in a flat IPG over Z such that s ∼ s′. If a move from s to t is allowed by a label l = (I, C, R), then there exists a state t′ such that the move from s′ to t′ is allowed by the same label l and t′ ∼ t.
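The equivalence of Definition 5.1 can be checked mechanically. The sketch below uses our own encoding of states as (location, tuple of variable values) and compares the integer parts [r] and the order of fractional parts {r}:

```python
import math

def frac(r):
    """Fractional part {r} = r - floor(r)."""
    return r - math.floor(r)

def equivalent(s, t):
    """s ~ t: same location, same pairs (floor, ceil), same order of fracs."""
    (v, ys), (w, zs) = s, t
    if v != w or len(ys) != len(zs):
        return False
    for y, z in zip(ys, zs):
        if (math.floor(y), math.ceil(y)) != (math.floor(z), math.ceil(z)):
            return False
    for i in range(len(ys)):
        for j in range(len(ys)):
            if (frac(ys[i]) <= frac(ys[j])) != (frac(zs[i]) <= frac(zs[j])):
                return False
    return True

same = equivalent(("v0", (1.2, 2.7)), ("v0", (1.3, 2.9)))   # True
diff = equivalent(("v0", (1.2, 2.7)), ("v0", (1.8, 2.3)))   # False: order swapped
```

Using the pair (⌊r⌋, ⌈r⌉) rather than ⌊r⌋ alone makes integer values equivalent only to themselves, as the text requires.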
Proof. If R = {1, ..., K}, then let t′ = t. As s ∼ s′, the same constraints are satisfied by s and s′, and thus the move from s′ to t′ = t is allowed by the same label.
If R ≠ {1, ..., K}, then let w = t −_R s ∈ I be the increment chosen during the move. If w ∈ Z, we let t′ = s′ +_R w, i.e. we apply the same increment and resets to s′; the conditions again follow from the assumption that s ∼ s′.
If w ∉ Z, let i be the index of a non-reset variable with the smallest fractional part in t, i.e. {var_i(t)} ≤ {var_j(t)} for all j ∉ R. To construct t′, we must choose w′ with [w′] = [w] which makes var_i(s′ +_R w′) the one with the smallest fractional part.
Case 1: {var_i(t)} ≥ {w}. In this case, {var_j(t)} ≥ {w} holds for all non-reset variables j, intuitively meaning that no variable "jumped" above an integer when {w} was added. Let l be the variable with the maximum fractional part in s′ (and thus, by the definition of ∼, also in s, and in this case in t). We choose w′ with [w′] = [w] such that no non-reset variable crosses an integer; then the order of fractional parts and the integer intervals are preserved, and thus ∼ is preserved.
Case 2: {var_i(t)} < {w} and {var_j(s′)} ≥ {var_i(s′)} for all j ∉ R. In this case, {var_j(t)} ≤ {w} holds for all non-reset variables j, intuitively meaning that all variables "jumped" above an integer when {w} was added. Let l be the variable with the maximum fractional part in s′ (and thus also in s). Let δ = 0.9 · min({var_i(s′)}, ⌈var_l(s′)⌉ − var_l(s′)) be a number smaller than both {var_i(s′)} and ⌈var_l(s′)⌉ − var_l(s′). Using δ, we choose w′ with [w′] = [w] such that every non-reset variable crosses the next integer. By the first bound on δ we have [w′] = [w], and both the order of fractional parts and the integer bounds in t′ are the same as in t, since ⌈var_l(t′)⌉ = ⌈var_l(s′ + w′)⌉ ≤ ⌈var_l(s′) + ⌊w⌋ + 1 + δ⌉ = ⌈var_l(t)⌉ by the second bound on δ. The inequality in the other direction holds as well, and we get t′ ∼ t as required.
Case 3: {var_i(t)} < {w} and there exists j ∉ R with {var_j(s′)} < {var_i(s′)}. In this case, let l be the variable with the maximum fractional part in t, i.e. the last one which did not "jump" above an integer when {w} was added. The variable with the next bigger fractional part in s (and, by ∼, also in s′) is var_i(s), as depicted in Figure 8.
To transfer the move to s′, consider these two variables in s′ as depicted in Figure 9, and let δ = {var_i(s′)} − {var_l(s′)}. We set w′ = ⌊w⌋ + ⌈var_i(s′)⌉ − var_i(s′) + 0.9 · δ. Again [w′] = [w], and clearly i is the variable with the smallest fractional part in t′ by construction. As s ∼ s′, the order of fractional parts in t and in t′ is the same, and so are the integer bounds; thus t ∼ t′.

5.1. Choosing Discrete Moves. Knowing that we can shift a single move and preserve ∼-equivalence, we proceed to show that, for IPGs over Z_∞, fully general strategies are not necessary. In fact, we can restrict ourselves to discrete strategies and, using this, reduce the games to discrete systems. Intuitively, a discrete strategy keeps the maximal distance of all variable valuations to the closest integer small. However, for the purposes of an inductive proof of the existence of a good discrete strategy, it is not convenient to work, for a state s, simply with the maximal distance of the variable values to the nearest integers. The reason is that for some moves it is impossible to keep this distance small for each variable and to go to an equivalent state, as illustrated in Figure 10. In the depicted situation, if we move y_1 within the ε-neighbourhood of Z (below, z and z − 1 depict integers), then y_0 leaves it. To give a more suitable notion of distance for a state, let us, for r ∈ R, define d(r) = {r} if {r} ≤ 1/2 and d(r) = {r} − 1 otherwise. This function gives the distance to the closest integer, except that it is negative if the closest integer is greater than r, i.e.
if the fractional part of r is greater than 1/2, as depicted in Figure 11. Also, observe that −1/2 < d(r) ≤ 1/2 for every r.

For a state s, we use the abbreviation d_i(s) = d(var_i(s)). We denote by d_l(s) = min_{i=1,...,K} d_i(s) and d_r(s) = max_{i=1,...,K} d_i(s) the smallest and biggest of all values d_i(s), and additionally we define the total distance d*(s) = d_r(s) − d_l(s). This is illustrated in Figure 12, where k stands for an integer and y_0 to y_2 stand for the fractional parts of the values of the respective variables. In this example, y_0 has the smallest distance d_i, i.e. the biggest fractional part greater than 1/2, and y_2 has the biggest distance, i.e. the biggest fractional part less than 1/2.

First, we prove that we can always correct a strategy that makes one step which is not ε-discrete. By doing so, we guarantee that we reach a state with the same location that is allowed by the labelling, and that the values of the variables change only within the same intervals.

Lemma 5.3. Let s be a state with d*(s) < 1/4 and let t be a successor of s, where (s, t) is allowed by l = (I, C, R). Then, for every ε > 0, there exists a successor t′_+ of s such that (s, t′_+) is allowed by l, t′_+ ∼ t, and d*(t′_+) ≤ d*(s) + ε.

Proof. We assume that d*(t) > d*(s) + ε, as otherwise we can take t′_+ = t. Let w ∈ I be the increase in the (non-reset) values from s to t, i.e. w = t −_R s. We make a case distinction regarding the computation of d*(t) and correct w to an increment w′ that keeps the total distance small; if d(w) > 0, we also conclude that w′ ≤ ⌈w⌉. It remains to show that all variables that are not reset stay in the same interval. Consider the case where all values of the variables are increased; then var_i(t′_+) ≥ ⌊var_i(t)⌋ for all i ∉ R, and it remains to show that var_i(t′_+) ≤ ⌈var_i(t)⌉. For this, let j be the index of the variable which is closest to the integers in this case, i.e. such that d(var_j(t)) = d_r(t); the case of the variable with d(var_j(t)) = d_l(t) is symmetric.

Knowing that, in one step, the move can always preserve a small total distance, we can finally define discrete strategies.

Definition 5.4. We call a strategy σ ε-discrete if, for every play s_0 s_1 ... consistent with σ, the step made at s_n increases the total distance by at most ε/2^{n+1}, i.e. d*(s_{n+1}) ≤ d*(s_n) + ε/2^{n+1}.

Example 5.5. To see that decreasing ε in each step is sometimes crucial, consider the game with one variable depicted in Figure 16. In each move, Player 0 has to choose a positive value in (0, 1). Player 1 can then decide to continue the play or to leave the cycle and end the play with the negative accumulated value, i.e. −y_0, as payoff. He cannot decide infinitely often to stay in the cycle, as then the payoff would be ∞ because the priority is 0. An ε-optimal strategy for Player 0 as the maximising player is thus to start with ε/2 and to decrease the chosen values in each step. Note that the value of the game is 0.

We now extend the previous lemma to one that allows for the shifting of a whole move.
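In the same sketch style as before, the signed distance d and the total distance can be written as follows. Reading the total distance as the spread d_r(s) − d_l(s) is our own assumption, chosen to be consistent with Figure 12.

```python
from math import floor

def d(r):
    """Signed distance to the closest integer: {r} if {r} <= 1/2,
    and {r} - 1 (negative) if the closest integer lies above r."""
    f = r - floor(r)
    return f if f <= 0.5 else f - 1

def total_distance(values):
    """Total distance d*(s), taken here as the spread d_r(s) - d_l(s)
    between the largest and smallest signed distances d_i(s)."""
    ds = [d(v) for v in values]
    return max(ds) - min(ds)

# A state with variables 2.25 and 2.75 has d-values 0.25 and -0.25,
# hence total distance 0.5; a state with all variables on integers
# has total distance 0.
```

This notion explains the situation of Figure 10: shifting all variables by the same amount changes every d_i(s) equally, so the spread, unlike the maximal distance to the integers, is stable under such moves.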
Lemma 5.6. Let s be a state and t a successor of s, where (s, t) is allowed by l. Let s′ be a state with d*(s′) ≤ 1/4 such that s ∼ s′. Then, for every ε > 0, there exists a successor t′ of s′ allowed by l such that t′ ∼ t and d*(t′) ≤ d*(s′) + ε.

Proof. Since s ∼ s′ and t ∈ succ(s) is allowed by l, we know, by Lemma 5.2, that there exists a state t′ ∈ succ(s′) allowed by the same label l such that t′ ∼ t. We also know from Lemma 5.3 that, for every choice of ε, there exists t_+ ∈ succ(s′) such that d*(t_+) ≤ d*(s′) + ε and t′ ∼ t_+. Since t′ ∼ t, this also means that t_+ ∼ t, hence t_+ fulfils the requirements above.
We can conclude that discrete strategies allow for the approximation of game values.

Lemma 5.7. Fix an ε-discrete strategy ρ_d of Player 1 − i in G, with ε < 1/4. For every strategy σ of Player i there exists an ε-discrete strategy σ_d such that, for every starting state s_0 with d*(s_0) ≤ ε/2, the plays π(σ, ρ_d, s_0) = s_0 s_1 ... and π(σ_d, ρ_d, s_0) = s′_0 s′_1 ... satisfy s_i ∼ s′_i for all i.

Proof. We only prove this lemma for Player 0; the case of Player 1 is analogous. We define σ_d inductively. Let s_0 be the starting state. If σ(s_0) = s_1, then by Lemma 5.6 there is a discrete successor s′_1 of s_0 with s′_1 ∼ s_1, and we set σ_d(s_0) = s′_1. For the inductive step, let h = s_0 ... s_k and h′ = s′_0 ... s′_k be finite play histories such that h is a prefix of π(σ, ρ_d, s_0) and h′ is consistent with ρ_d and with σ_d as defined thus far. Note that s_0 = s′_0 and, by the inductive assumption, s_i ∼ s′_i for all i ≤ k.
In the next section, we show that restricting to discrete strategies corresponds to playing a counter-reset game, and since these are again determined games, we get that sup_{σ∈∆_0} inf_{ρ∈∆_1} p(π(σ, ρ, s)) = inf_{ρ∈∆_1} sup_{σ∈∆_0} p(π(σ, ρ, s)). Therefore we can rewrite the assumption of this case with the order of sup and inf exchanged. Fix a strategy σ_sup ∈ Γ_0 that realises the supremum up to the required precision. From Lemma 5.7, we know that there again is a discrete strategy σ_sup_d ∈ ∆_0 which is a discrete version of σ_sup against ρ_d. From the above, it follows that p(π(σ_sup, ρ_d, s)) − p(π(σ_sup_d, ρ_d, s)) > m, which again contradicts the fact that all states in these two plays are equivalent.

Counter-Reset Games
In this section, we introduce counter-reset games and show, using the discretisation results from the previous section, that approximating the value of an IPG over Z_∞ can be reduced to solving a counter-parity game. We then solve these games using an algorithm from [2].

By Proposition 5.8 above, we can restrict both players in a flat IPG to ε-discrete strategies to approximate the value of a flat interval game up to the maximal multiplicative factor m. Multiplying the game by a number q does not change the multiplicative factors in ι but multiplies the value of the game by q. Thus, to approximate the value of G up to 1/n, it suffices to play ε-discrete strategies in n·m·G. When the players use only discrete strategies, the chosen values remain close to integers (possibly being up to ε bigger or smaller). Whether a value is bigger than, equal to, or smaller than an integer can be stored in the state, as can whether the value of a variable is smaller or bigger than any of the (non-infinite) bounds in the constraint intervals. This way, we can eliminate both the ε's and the constraints and are left with the following games.

Definition 6.1. A counter-reset game is a flat interval parity game in which, in each label l = (I, C, R), the constraints C are trivially true and the interval I is either [0, 0] or [1, 1], i.e. all variables are either left intact or incremented by 1.

Example 6.2. In Figure 17, we depict a simple counter-reset game. As usual, circles represent positions of Player 0 and boxes those of Player 1.
Priorities, payoff functions, intervals and reset sets are depicted as usual next to the corresponding nodes or above the transitions. In this game, we have two variables, y_0 and y_1; as mentioned above, there are no constraints on these variables in counter-reset games, but they can be reset. The only choice Player 0 has in this game is to increase all variables ("choose" 1 from [1, 1]), and Player 1 can do the same or end the game and receive a payoff of −y_0. Since he wants to minimise, his best strategy is to loop as long as possible, but not infinitely long, as the lowest priority on the corresponding cycle is 0. Since he can achieve arbitrarily small values this way, the value of this game (starting at v_0 or v_1) is −∞.

We will now show how to construct a counter-reset game G′ with value equal to sup_{σ∈∆_0} inf_{ρ∈∆_1} p(π_{G′′}(σ, ρ, s)), i.e. to the value of G′′ when both players play ε-discrete strategies.
To this end, we first construct the game G′_0, which still has constraints, but in which all intervals are of the form [k, k] for some k ∈ N. The game G′_0 is constructed from G′′ by replacing each position v by 3^M positions v_{i_1...i_M}. The sequence i_1 ... i_M ∈ {−1, 0, 1}^M keeps track, for each variable, of whether it is currently smaller than, greater than, or equal to an integer. The interval labels are converted in the following way. If a move with interval [n, n + k) and resets R is taken from a position v_{i_1...i_M} in G′_0 and would lead to w in G′′, then a sequence of moves with labels [l, l] for each n ≤ l ≤ n + k is added, with the l-labelled move leading to w_{j_1...j_M} such that:
• if j_m > i_m for one m ∈ {1, ..., M}, then j_m > i_m for all m, and similarly for j_m < i_m and j_m = i_m,
• if l = n, then j_m ≥ i_m for each m (the interval is closed on the left), and
• if l = n + k, then j_m < i_m for each m (the interval is open on the right).
The situation for open, closed, and open-closed intervals is analogous. Plays that use discrete strategies in G′′ can now be directly transferred to plays in G′_0 in which, at v_{i_1...i_M}, the sign of the fractional part of y_j is indeed equal to i_j. The same can be done in the other direction, as the constraints listed above make it possible to choose a value in the interval which leads to the appropriate change in the sign sequence. Therefore val G′_0(s) = sup_{σ∈∆_0} inf_{ρ∈∆_1} p(π_{G′′}(σ, ρ, s)).
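The 3^M blow-up of this first construction step can be sketched as follows. The encoding of a position of G′_0 as a pair of a G′′-position and a sign vector is our own assumption.

```python
from itertools import product

def sign_tracking_positions(positions, num_vars):
    """Positions of G'_0: each position v of G'' is replaced by 3^M
    copies v_{i_1...i_M}, one for every sign vector in {-1, 0, +1}^M
    recording whether each variable is currently smaller than,
    greater than, or equal to an integer."""
    return [(v, signs)
            for v in positions
            for signs in product((-1, 0, 1), repeat=num_vars)]

# With two positions and two variables, G'_0 has 2 * 3^2 = 18 positions.
```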
To eliminate the constraints from the move labels in G′_0, we determine the highest non-infinite bound b which appears in these constraints (on either side of an interval). Then we construct G′ as the synchronous product of G′_0 with a memory of size (b + 2)^M which remembers, for each variable y_i, whether y_i is greater than b or equal to b, b − 1, ..., 0. With this memory, we can resolve all constraints and remove them from the move labels of G′.
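One natural way to realise this memory is to cap each tracked value at b + 1, read as "greater than b". This is a sketch under our own encoding assumptions (memory as a tuple of integers, resets as an index set), not the paper's literal construction.

```python
def update_memory(mem, increment, resets, b):
    """One step of the constraint-resolving memory of size (b + 2)^M:
    each component remembers the variable's value while it is at most
    b, and saturates at b + 1, standing for 'greater than b'.
    Variables in the reset set go back to 0; all others grow by the
    integer increment of the move."""
    return tuple(0 if i in resets else min(m + increment, b + 1)
                 for i, m in enumerate(mem))
```

With the memory component known in every position, each constraint of G′_0 can be evaluated statically, which is what allows removing the constraints from the labels of G′.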
Counter-reset games are another representation of a class of counter parity games, which were recently studied in [2], where an algorithm to solve such games was given, improving our previous decidability result [9].

Theorem 6.4 ([2]). For any finite counter parity game G and initial vertex v, the value val G(v) can be computed in 6EXPTIME. When the number of counters is fixed, the value can be computed in 4EXPTIME.

Figure 2: Leaking gas burner LHS L = (V, E, P, λ, δ) (initialised).

Figure 10: Move where the standard distance is necessarily increased.
Figure 11: The signed distance d(r) to the closest integer.

Figure 12: Maximal, minimal and total distances for a state.

Figure 16: Game in which the values played must decrease.

Figure 17: Simple counter-reset game.

(Continuation of the proof of Lemma 5.7.) Moreover, if s′_i ∼ s_i for each i, then σ(s_0 ... s_n) ∼ σ(s′_0 ... s′_n). Observe that it follows directly from the definition that if d*(s_0) ≤ ε/2 and both players play discrete strategies, then d*(s_n) stays small for all n. In the inductive step we take s′_{k+1} equivalent to s_{k+1}, which exists by Lemma 5.2, and we can pick a discrete one as long as d*(s′_k) < ε, by Lemma 5.6. By construction, the strategy σ_d is discrete, and if π(σ, ρ_d, s_0) = s_0 s_1 ... and π(σ_d, ρ_d, s_0) = s′_0 s′_1 ..., then s_i ∼ s′_i.

Proposition 5.8. Let G be a flat interval parity game, let Γ_i be the set of all strategies for Player i and ∆_i the set of all discrete strategies for Player i, and let m be the highest value that occurs as a multiplicative factor in ι. Then it holds, for every starting state s, that sup_{σ∈Γ_0} inf_{ρ∈Γ_1} p(π(σ, ρ, s)) and sup_{σ∈∆_0} inf_{ρ∈∆_1} p(π(σ, ρ, s)) differ by at most m.

Proof (one case). From Lemma 5.7, we know that there is a discrete strategy ρ_inf_d ∈ ∆_1 which is a discrete version of ρ_inf against σ_d. From the above, it follows that p(π(σ_d, ρ_inf_d, s)) − p(π(σ_d, ρ_inf, s)) > m. This is a contradiction: we know from Lemma 5.7 that all states in both plays are equivalent, so for finite plays also the final states are equivalent, which means that the payoffs cannot differ by more than m, as m is the highest multiplicative factor occurring in ι. If both plays are infinite, then, by the definition of ∼, the payoffs are equal.