Omega-Regular Verification and Control for Distributional Specifications in MDPs

Akshay, S.; Neysari, Ouldouz; Žikelić, Ðorđe

doi:10.4230/LIPIcs.CONCUR.2025.6

Omega-Regular Verification and Control for Distributional Specifications in MDPs

S. Akshay

Dept of CSE, Indian Institute of Technology Bombay, Mumbai, India Ouldouz Neysari

Singapore Management University, Singapore
University of Tehran, Iran Đorđe Žikelić

Singapore Management University, Singapore

Abstract

A classical approach to studying Markov decision processes (MDPs) is to view them as state transformers. However, MDPs can also be viewed as distribution transformers, where an MDP under a strategy generates a sequence of probability distributions over MDP states. This view arises in several applications, even as the probabilistic model checking problem becomes much harder compared to the classical state transformer counterpart. It is known that even distributional reachability and safety problems become computationally intractable (Skolem- and positivity-hard). To address this challenge, recent works focused on sound but possibly incomplete methods for verification and control of MDPs under the distributional view. However, existing automated methods are applicable only to distributional reachability, safety and reach-avoidance specifications.

In this work, we present the first automated method for verification and control of MDPs with respect to distributional omega-regular specifications. To achieve this, we propose a novel notion of distributional certificates, which are sound and complete proof rules for proving that an MDP under a distributionally memoryless strategy satisfies some distributional omega-regular specification. We then use our distributional certificates to design the first fully automated algorithms for verification and control of MDPs with respect to distributional omega-regular specifications. Our algorithms follow a template-based synthesis approach and provide soundness and relative completeness guarantees, while running in PSPACE. Our prototype implementation demonstrates practical applicability of our algorithms to challenging examples collected from the literature.

Keywords and phrases:

MDPs, Distributional objectives,

\omega

-regularity, Certificates

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Verification by model checking

Funding:

This work was supported in part by the Singapore Ministry of Education (MOE) Academic Research Fund (AcRF) Tier 1 grant (Project ID:22-SIS-SMU-100), Google Research Award 2023 and the SBI Foundation Hub for Data Science & Analytics, IIT Bombay.

DOI:

10.4230/LIPIcs.CONCUR.2025.6

Event:

36th International Conference on Concurrency Theory (CONCUR 2025)

Editors:

Patricia Bouyer and Jaco van de Pol

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Markov decision processes (MDPs) are a standard model for reasoning and sequential decision making in the presence of uncertainty. The verification community has long studied MDPs as state transformers, where their semantics are interpreted over cylinder sets of paths (see e.g. [8]). As a result, quantitative verification questions focus on state-based properties, such as the eventual reachability of a state with maximum probability over all MDP strategies. There is a rich body of literature on efficient algorithms for reasoning about state-based properties in MDPs, including model checking over expressive logics such as PCTL* [30].

An orthogonal class of objectives, which forms our focus in this paper, considers properties that are defined over the space of probability distributions over MDP states, rather than the state space of the MDP. This allows one to reason about the movement of the probability mass, for instance, one can say that always in the future the probability mass is equally divided between two bi-stable states. Such objectives, that we call distributional objectives, are simpler to reason about under alternative semantics which view MDPs as distribution transformers. In this view, starting from some initial distribution over MDP states, the MDP under a strategy induces a sequence of distributions over MDP states, generating a new distribution at each time step. One can then specify properties with respect to this sequence of distributions, such as distributional reachability or safety. This view naturally arises in several applications, including multi-agent systems [9, 5] or biochemical reaction networks [29, 28]. However, it turns out that even the simplest distributional properties such as distributional reachability and safety cannot be expressed in PCTL* [10], rendering classical probabilistic model checking algorithms inapplicable to reasoning about distributional specifications. This means that reasoning about distributional properties in MDPs requires new methods. The past decade has seen a rich line of theoretical work on analyzing Markov chains and MDPs as distribution transformers [31, 29, 11, 6, 4, 5, 2, 26]. However, existing automated methods are restricted to distributional reachability, safety, or reach-avoidance specifications.

In this paper, we present the first automated method for strategy verification and synthesis in MDPs with respect to distributional $\omega$ -regular specifications, significantly extending the class of distributional objectives for which automated methods are available. In doing so, we focus on the verification problem for a given MDP strategy, as well as the control problem which asks to synthesize an MDP strategy which ensures that a distributional $\omega$ -regular specification is satisfied. Our strategy verification and synthesis methods are based on the novel notion of distributional certificates which we introduce in this work. Distributional certificates provide a sound and complete proof rule for proving that an MDP under a distributionally memoryless strategy satisfies the distributional $\omega$ -regular specification of interest. We restrict our attention to distributionally memoryless strategies, which make moves based on the current distribution rather than the state, and which are known to be sufficient for reasoning about distributional reachability and safety [4, 5]. Our distributional certificates build on the ideas from program verification and certificates such as ranking function [22], invariants [21] or Büchi ranking functions [17], and bring these ideas to the setting of reasoning about distributional $\omega$ -regular specifications in MDPs.

We then present our automated algorithms for strategy verification and synthesis in MDPs with respect to distributional $\omega$ -regular specifications. In the setting of distributional objectives, it is known that safety and reachability are already hard, or more precisely, positivity and Skolem-hard [3]. The decidability of both are long-standing open problems in linear dynamical systems [32]. As a result, rather than aiming for sound and complete algorithms that would inherently be computationally expensive/infeasible, we adopt a template-based synthesis approach and instead design algorithms that can more efficiently search for distributional certificates and distributionally memoryless strategies that can be expressed in affine arithmetic. By fixing symbolic affine templates for the certificate and the strategy and by using existing methods for solving quantified formulas over real arithmetic, one is able to reduce the strategy verification and synthesis problems to satisfiability checking in existential theory of the reals, therefore obtaining sound algorithms that run in PSPACE. Furthermore, our algorithms also provide relative completeness guarantees for computing an affine distributional certificate and a memoryless strategy, whenever they exist.

We implement our approach and consider standard benchmarks and examples from the literature, while focusing on several distributional $\omega$ -regular specifications for our evaluation. Our results show the practicality of the approach and the potential for future applications.

Related work.

In addition to the work already mentioned, we discuss a (non-exhaustive list of) few others. Our distributional certificates draw insights from classical certificates for program verification and template-based synthesis algorithms for their computation. Notable examples include ranking functions for proving termination in programs [22, 13] and invariants for proving safety in programs [21, 14]. Our distributional certificates draw insights from Büchi ranking functions of [17] for proving LTL properties in programs. However, there are several important differences. First, we leverage and lift the idea of Büchi ranking to the setting of probability distributions over MDP states. Second, our distributional certificates and algorithms for their computation also need to reason about strategies in MDPs. This is reflected in the following key difference. Our certificates provide soundness and completeness guarantees for all distributional $\omega$ -regular specifications and distributionally memoryless strategies, and proving this requires reasoning about reachability under a strategy (see the proof of Theorem 9). The certificate of [17], on the other hand, is complete only for specifications that can be represented via deterministic Büchi automata, if the specification needs to be satisfied from a set of initial states (see Corollary 2 in [17]).

In the distributional setting, the probabilistic logics defined in [10, 11, 2] are all orthogonal to the classical semantics, and the model checking techniques developed are not template-based. To the best of our knowledge, none of these works have been automated. The works [4, 5] propose certificates for distributional reachability, safety and reach-avoidance and design template-based synthesis algorithms for their computation. Our paper follows this line of work and introduces distributional certificates and template-based algorithms for distributional $\omega$ -regular specifications, hence significantly generalizing the class of distributional properties that we can automatically reason about.

Certificates were also used for reasoning about infinite-state probabilistic models such as probabilistic programs under the state-based view. In particular, supermartingale certificates were proposed for qualitative reachability [12, 15], quantitative reachability, safety and reach-avoidance [33, 19, 34, 18, 35], and most recently for qualitative $\omega$ -regular specifications [1]. However, these certificates are not, a priori, applicable to the distributional setting.

2 Preliminaries

In this section, we recall the basics of probabilistic systems and Markov decision processes. A probability distribution over a countable set $X$ is a map $\mu:X\rightarrow[0,1]$ such that $\sum_{x\in X}\mu(x)=1$ . The support of $X$ is defined via $\mathrm{supp}(\mu)=\{x\in X\mid\mu(x)>0\}$ . We use $\Delta(X)$ to denote the set of all probability distributions over $X$ .

MDPs.

A Markov decision process (MDP) is a tuple $\mathcal{M}=(S,\mathit{Act},P)$ . We use $S$ to denote a finite set of states and $\mathit{Act}$ to denote a finite set of actions. Slightly overloading the notation, for each state $s\in S$ , we write $\mathit{Act}(s)\subseteq\mathit{Act}$ to denote the set of available actions at $s$ . Finally, $P:S\times\mathit{Act}\rightarrow\Delta(S)$ is a transition function, assigning to each state $s$ and available action $a\in\mathit{Act}(s)$ a probability distribution over the succcessor states. When $|\mathit{Act}(s)|=1$ for each state $s$ , we say that $\mathcal{M}$ is a Markov chain.

An infinite path in an MDP is a sequence $\rho=s_{1},a_{1},s_{2},a_{2},\dots\in(S\times\mathit{Act})^{\omega}$ , such that $a_{i}\in\mathit{Act}(s_{i})$ and $P(s_{i},a_{i})(s_{i+1})>0$ for all $i\in\mathbb{N}$ . A finite path $\varrho$ in an MDP is a finite prefix of an infinite path that ends in a state. We use $\rho_{i}$ and $\varrho_{i}$ to denote the $i$ -th state along an (in)finite path. We use $\mathsf{IPaths}_{\mathcal{M}}$ and $\mathsf{FPaths}_{\mathcal{M}}$ to denote the sets of all infinite and finite paths in the MDP $\mathcal{M}$ , respectively.

Semantics of MDPs.

The semantics of MDPs are formalized in terms of strategies. A strategy (or policy) in an MDP $\mathcal{M}$ is a function $\pi:\mathsf{FPaths}_{\mathcal{M}}\rightarrow\Delta(\mathit{Act})$ which to each finite path (called a history) assigns a probability distribution over the action to be taken next. We require that, if a finite path $\varrho\in\mathsf{FPaths}_{\mathcal{M}}$ ends in a state $s$ , then $\mathrm{supp}(\pi(\varrho))\subseteq\mathit{Act}(s)$ . A strategy is said to be memoryless if the probability distribution over actions depends only on the last state of the finite path and not on the whole history, i.e. if $\pi(\varrho)=\pi(\varrho^{\prime})$ whenever $\varrho$ and $\varrho^{\prime}$ end in the same state. For every initial state distribution $\mu_{0}\in\Delta(S)$ , an MDP $\mathcal{M}$ and a strategy $\pi$ together give rise to a probability space over the set of all infinite paths in the MDP [8]. We denote by $\mathbb{P}^{\pi}_{\mu_{0}}$ the probability measure and by $\mathbb{E}^{\pi}_{\mu_{0}}$ the expectation operators in this probability space, omitting the MDP $\mathcal{M}$ from the notation when clear from the context.

MDPs as distribution transformers.

MDPs are typically regarded as random generators of infinite paths, giving rise to a probability space over the set of all infinite paths in the MDP. Classical probabilistic model checking problems then explore the expected behaviour of these randomly generated infinite paths, giving rise to path properties [8]. However, one can also view MDPs as (deterministic) transformers of distributions.

Consider an MDP $\mathcal{M}$ , a strategy $\pi$ , and an initial state distribution $\mu_{0}\in\Delta(S)$ . For each $i\in\mathbb{N}$ and state $s$ , define $\mu_{i}(s)=\mathbb{P}^{\pi}_{\mu_{0}}[\rho\in\mathsf{IPaths}_{\mathcal{M}}\mid% \rho_{i}=s]$ , i.e. the probability that the $i$ -th state of a randomly generated infinite path is $s$ . We write $\mu_{i}=\mathcal{M}^{\pi}(\mu_{0},i)$ for the induced probability distribution of the $i$ -th state of a randomly generated infinite path. Hence, the MDP $\mathcal{M}$ , a strategy $\pi$ , and an initial state distribution $\mu_{0}\in\Delta(S)$ together give rise to a sequence of probability distributions over the MDP states

\mu_{0},\quad\mu_{1}=\mathcal{M}^{\pi}(\mu_{0},1),\quad\mu_{2}=\mathcal{M}^{% \pi}(\mu_{0},2),\quad\mu_{3}=\mathcal{M}^{\pi}(\mu_{0},3),\quad\dots

One can then study properties of this sequence of distributions. Some examples are distributional reachability and distributional safety, which ask if the induced sequence of distributions contains or does not contain an element of some specified set of distributions [4, 5].

$\omega$ -regular specifications.

In this work we will consider $\omega$ -regular specifications, which subsume a broad class of specifications such as those belonging to linear temporal logic (LTL) or computation tree logic (CTL) [8]. An $\omega$ -regular specification over a finite set $\mathsf{AP}$ of atomic propositions is defined by a non-deterministic Büchi automaton (NBA) $N=(Q,\Sigma,\delta,q_{0},F)$ , where $Q$ is a finite set of states, $\Sigma=2^{\mathsf{AP}}$ is a finite set of letters, $\delta:Q\times\Sigma\rightarrow 2^{Q}$ is a (non-deterministic) transition function, $q_{0}\in Q$ is the initial state and $F\subseteq Q$ are accepting states. An infinite word of letters $\sigma_{1},\sigma_{2},\dots\in\Sigma^{\omega}$ is said to be accepting, if it gives rise to at least one accepting run in $N$ , i.e. if there exists a run $q_{0},q_{1},q_{2},\dots$ such that $q_{i+1}\in\delta(q_{i},\sigma_{i})$ for each $i$ and such that $q_{i}\in F$ for infinitely many $i$ . Note that given an LTL formula $\varphi$ , it can be converted to an equivalent NBA $N^{\varphi}$ in exponential time (see e.g., [8]). In what follows, we will often write examples and benchmarks in LTL as it will be easier and often more intuitive. But for our analysis, we will convert them to their equivalent NBA and reason only about these NBA as the $\omega$ -regular specification.

Transition systems.

In order to reason about the synchronous evolution of a sequence of distributions over the MDP states and a run in the NBA, we will later introduce the notion of product distributional transition systems in Section 4. Hence, we here recall the notion of transition systems, which are commonly used to model imperative numerical programs.

An (infinite-state) transition system is a tuple $\mathcal{T}=(L,V,l_{\text{init}},\theta_{\text{init}},\mapsto)$ , where

$\blacksquare$

$L$ is a finite set of locations,
$\blacksquare$

$V$ is a finite set of real-valued variables,
$\blacksquare$

$l_{\text{init}}\in L$ is the initial location,
$\blacksquare$

$\theta_{\text{init}}\subseteq\mathbb{R}^{|V|}$ is the set of initial variable valuations, and
$\blacksquare$

$\mapsto$ is a finite set of transitions of the form $\tau=(l_{\tau},l^{\prime}_{\tau},G_{\tau},U_{\tau})$ with $l_{\tau}$ a source location, $l^{\prime}_{\tau}$ a target location, $G_{\tau}$ a guard which is a boolean predicate over the variables in $V$ , and $U_{\tau}:\mathbb{R}^{n}\rightarrow\mathbb{R}^{n}$ an update function.

A state in the transition system is a tuple $(l,x)\in L\times\mathbb{R}^{|V|}$ consisting of a location in $L$ and a valuation of variables in $V$ . A transition $\tau=(l_{\tau},l^{\prime}_{\tau},G_{\tau},U_{\tau})$ is said to be enabled at a state $(l,x)$ if $l=l_{\tau}$ and $x\models G_{\tau}$ . An infinite path (or a run) in the transition system is a sequence of states $(l_{0},x_{0}),(l_{1},x_{1}),\dots$ with $l_{0}=l_{\text{init}}$ , $x_{0}\in\mathsf{Init}$ , and where for each $i\in\mathbb{N}_{0}$ there exists a transition $\tau_{i}=(l_{i},l_{i+1},G_{\tau},U_{\tau})$ enabled at $(l_{i},x_{i})$ such that $x_{i+1}=U_{\tau}(x_{i})$ . A state $(l,x)$ is said to be reachable, if there exists an infinite path that contains $(l,x)$ .

3 Problem Statement

We now formally define the problems that we consider in this work. Our goal is to design fully automated algorithms for formal verification and control in MDPs with respect to distributional $\omega$ -regular specifications. Hence, we first need to formalize the notion of distributional $\omega$ -regular specifications. In what follows, let $\mathcal{M}=(S,\mathit{Act},P)$ be an MDP.

Distributional $\omega$ -regular specifications.

Similarly to the classical $\omega$ -regular specification setting, we first need to specify a finite set of atomic propositions $\mathsf{AP}$ . We are interested in reasoning about a sequence of distributions induced by an MDP under a strategy. Hence, we let the set $\mathsf{AP}$ consist of finitely many logical formulas of the form $\mathsf{exp}(\mu(s_{1}),\dots,\mu(s_{|S|}))\geq 0$ . Here, $\mathsf{exp}:\mathbb{R}^{|S|}\rightarrow\mathbb{R}$ is an arithmetic expression over the probabilities $\mu(s_{1}),\dots,\mu(s_{|S|})$ of being in each state of the MDP, where $s_{1},\dots,s_{|S|}$ is an arbitrary (but throughout fixed) enumeration of MDP states. In practice, we let $\mathsf{AP}$ contain exactly those atomic propositions that appear in the property that we want to reason about. A distributional $\omega$ -regular specification $\varphi$ is then defined by an NBA $N^{\varphi}=(Q,\Sigma,\delta,q_{0},F)$ with $\Sigma=2^{\mathsf{AP}}$ .

We now define the semantics of distributional $\omega$ -regular specifications. Consider a finite set of atomic propositions $\mathsf{AP}$ , a distributional $\omega$ -regular specification $\varphi$ , a strategy $\pi$ and an initial distribution $\mu_{0}\in\Delta(S)$ in the MDP $\mathcal{M}$ . The MDP $\mathcal{M}$ under strategy $\pi$ from the initial distribution $\mu_{0}$ induces an infinite word $\sigma_{0},\sigma_{1},\sigma_{2},\dots$ in the language $2^{\mathsf{AP}}$ as follows. As defined in Section 2, an MDP $\mathcal{M}$ under strategy $\pi$ from the initial distribution $\mu_{0}$ induces a sequence $\mu_{0},\mu_{1},\mu_{2},\dots$ of distributions over MDP states. Then, for each $i\in\mathbb{N}_{0}$ , we define the letter $\sigma_{i}$ as the set of all atomic propositions in $\mathsf{AP}$ that are satisfied at the distribution $\mu_{i}$ , i.e. $\sigma_{i}=\{p\in\mathsf{AP}\mid\mu_{i}\models p\}$ , where we use $\models$ to denote proposition satisfaction. We say that the MDP $\mathcal{M}$ satisfies distributional $\omega$ -regular specification $\varphi$ under strategy $\pi$ from initial distribution $\mu_{0}\in\Delta(S)$ , if this infinite word $\sigma_{0},\sigma_{1},\sigma_{2},\dots$ is accepted by the NBA $N^{\varphi}$ .

Distributionally memoryless strategies.

We restrict our attention to a class of strategies called distributionally memoryless strategies. A strategy $\pi:\mathsf{FPaths}_{\mathcal{M}}\rightarrow\Delta(\mathit{Act})$ is said to be distributionally memoryless if the probability distribution over actions prescribed by the strategy depends only on the current distribution over the MDP states and not on the whole history. Formally, we require that for any initial distribution $\mu_{0}\in\mathsf{Init}$ and for any two finite runs $\rho=s_{0},a_{0},s_{1},a_{1},\dots,s_{n}$ and $\rho^{\prime}=s_{0}^{\prime},a_{0}^{\prime},s_{1}^{\prime},a_{1}^{\prime},% \dots,s_{n}^{\prime}$ that induce the sequences of probability distributions $\mu_{0},\mu_{1},\dots,\mu_{n}$ and $\mu_{0}^{\prime},\mu_{1}^{\prime},\dots,\mu_{n}^{\prime}$ with $\mu_{n}=\mu_{n}^{\prime}$ , we have $\pi(\rho)=\pi(\rho^{\prime})$ . When the strategy $\pi$ is distributionally memoryless, we write $\mathcal{M}^{\pi}(\mu)=\mathcal{M}^{\pi}(\mu,1)$ to denote an application of a single-step distribution transformer operator.

It was shown in [4, 5] that distributionally memoryless strategies are sufficient for reasoning about distributional reachability, safety and reach-avoid specifications. That is, for each of these distributional specifications, there exists a strategy in the MDP under which the specification is satisfied if and only if there exists a distributionally memoryless strategy in the MDP under which the specification is satisfied. While this result need not necessarily hold for distributional $\omega$ -regular specifications, the restriction will be needed for enabling automated verification and synthesis as they can be represented in a more compact form.

Problem statement.

We are now ready to define our strategy verification and synthesis problems. Consider an MDP $\mathcal{M}$ , a set of initial distributions $\mathsf{Init}\subseteq\Delta(S)$ , and a distributional $\omega$ -regular specification $\varphi$ :

1.

Strategy verification problem. Given a distributionally memoryless strategy $\pi$ , verify that the MDP $\mathcal{M}$ satisfies $\varphi$ under $\pi$ from every initial distribution $\mu_{0}\in\mathsf{Init}$ .
2.

Strategy synthesis problem. Compute a distributionally memoryless strategy $\pi$ , such that the MDP $\mathcal{M}$ satisfies $\varphi$ under $\pi$ from every initial distribution $\mu_{0}\in\mathsf{Init}$ .

Figure 1: An MDP which will serve as our running example. The MDP contains three states

S=\{A,B,C\}

, two actions

\mathit{Act}=\{a,b\}

with

\mathit{Act}(A)=\{a,b\}

,

\mathit{Act}(B)=\{a\}

,

\mathit{Act}(C)=\{a\}

, and its transition function is defined via

P(A,a)(A)=1

,

P(A,b)(B)=1

,

P(B,a)(C)=1

,

P(C,a)(C)=P(C,a)(A)=0.5

. We consider a singleton initial distribution set

\mathsf{Init}=\{(A:\tfrac{1}{3},\;B:\tfrac{1}{3},\;C:\tfrac{1}{3})\}

.

Example 1 (Running example).

The MDP shown in Fig. 1 was considered in [4] for studying distributional safety specifications and it will serve as our running example. We consider the strategy synthesis and verification problems with respect to the distributional $\omega$ -regular specification $\varphi=\mathbf{G}\,\mathbf{F}\,(p(B)\geq 0.249$ ). For readability, we specify $\varphi$ as an LTL formula over the set of atomic propositions $\mathsf{AP}=\{(\mu(B)\geq 0.249)\}$ . This is an example of a distributional persistence specification, which specifies that the sequence of distributions $\mu_{0},\mu_{1},\dots$ should contain infinitely many distributions $\mu_{i}$ with $\mu_{i}(B)\geq 0.249$ . The goal of strategy synthesis is to compute a strategy under which $\varphi$ is satisfied. An example of such a strategy is a (distributionally) memoryless strategy $\pi$ which in state $A$ takes action $b$ with probability $1$ . The goal of strategy verification is to verify this claim.

$\blacktriangleright$ Remark 2 (Problem hardness).

The problem of determining if an MDP $\mathcal{M}$ under a distributionally memoryless strategy $\pi$ satisfies a distributional $\omega$ -regular specification $\varphi$ is computationally hard. It was shown to be Skolem-hard already in the very restricted setting when $\mathcal{M}$ is a Markov chain (so the strategy $\pi$ is trivial) and $\varphi$ is a distributional reachability specification for an affine set of goal distributions $\{\mu\in\Delta(S)\mid\mu(s_{1})=0.25\}$ [3].

$\blacktriangleright$ Remark 3 (Universal and existential satisfaction problems).

In the terminology of [5] which considered distributional reachability and safety specifications, our problem corresponds to the universal satisfaction setting, where the specification needs to be satisfied from every initial distribution $\mu_{0}\in\mathsf{Init}$ . Dually, one can also consider the existential satisfaction setting, where the specification needs to be satisfied from at least one initial distribution $\mu_{0}\in\mathsf{Init}$ . While we will focus on the universal satisfaction setting for ease of presentation, we also show that all our results straightforwardly extend to the existential satisfaction setting as well.

$\blacktriangleright$ Remark 4 (Memoryless vs distributionally memoryless strategies).

Note that distributionally memoryless strategies are not necessarily memoryless (in the “classical” state-based sense). This fact was already shown in [4] for distributional safety specifications, where one may require infinite memory as well as randomized strategies in order to satisfy the specification. This is in stark contrast with the state-based view, where deterministic memoryless strategies are sufficient for specifications such as reachability and safety [8].

4 Certificate for Distributional $\omega$ -regular Specifications

We now present our sound and complete certificate for proving that an MDP under a distributionally memoryless strategy satisfies some distributional $\omega$ -regular specification, which is the main theoretical contribution of this work. In Section 5, we will present our algorithms for automated synthesis and verification of strategies in MDPs with respect to distributional $\omega$ -regular specifications, where the certificate will play a central role.

In what follows, we fix an MDP $\mathcal{M}=(S,\mathit{Act},P)$ , a set of initial distributions $\mathsf{Init}$ , a distributionally memoryless strategy $\pi$ , and a distributional $\omega$ -regular specification $\varphi$ defined over atomic propositions $\mathsf{AP}$ with an NBA $N^{\varphi}=(Q,\Sigma,\delta,q_{0},F)$ where $\Sigma=2^{\mathsf{AP}}$ .

4.1 Product Distributional Transition System

Recall from Section 2 that, for each initial distribution in $\mathsf{Init}$ , the MDP $\mathcal{M}$ and the strategy $\pi$ induce a sequence of distributions over the MDP states. This sequence gives rise to an infinite word in the language $2^{\mathsf{AP}}$ and a run in the NBA $N^{\varphi}$ . In what follows, we introduce product distributional transition systems (PDTS), which will allow us to synchronously reason about the distribution sequence and the NBA run.

Definition 5 (Product distributional transition system).

Let $\mathcal{M}=(S,\mathit{Act},P)$ be an MDP, $\mathsf{Init}$ be a set of initial distributions, $\pi$ be a distributionally memoryless strategy, and $N^{\varphi}=(Q,2^{\mathsf{AP}},\delta,q_{0},F)$ be an NBA for some distributional $\omega$ -regular specification $\varphi$ defined over atomic propositions $\mathsf{AP}$ . A product distributional transition system (PDTS) is a transition system $\mathcal{T}^{\times}=(L^{\times},V^{\times},l_{\text{init}}^{\times},\theta_{% \text{init}}^{\times},\mapsto^{\times})$ , where

$\blacksquare$

$L^{\times}=Q$ is the set of states of $N^{\varphi}$ ;
$\blacksquare$

$V^{\times}=\{\mu_{1},\dots,\mu_{|S|}\}$ is a finite state of real-valued variables, with each variable $\mu_{i}$ corresponding to the probability of being in an MDP state $s_{i}$ ;
$\blacksquare$

$l_{\text{init}}^{\times}=q_{0}$ is the initial state of $N^{\varphi}$ ;
$\blacksquare$

$\theta_{\text{init}}^{\times}=\mathsf{Init}$ is the set of initial distributions in $\mathcal{M}$ ; and
$\blacksquare$

$\mapsto^{\times}=\{(q,q^{\prime},G(\sigma),\mathcal{M}^{\pi})\mid q,q^{\prime}% \in Q,\sigma\in 2^{\mathsf{AP}},q^{\prime}\in\delta(q,\sigma)\}$ , where $G(\sigma)=(\land_{p\in\sigma}p)\land(\land_{p\in\mathsf{AP}\backslash\sigma}% \neg p)$ is the predicate defined by atomic propositions contained in $\sigma$ , and $\mathcal{M}^{\pi}$ is the linear function defined by the single-step distribution transformer operator of $\mathcal{M}$ and $\pi$ .

Example 6.

Fig. 2 left shows the NBA for the distributional specification $\varphi=\mathbf{G}\,\mathbf{F}\,(p(B)\geq 0.249)$ considered in Example 1. Fig. 2 right then shows the PDTS of our running example MDP in Fig. 1 and the NBA. The PDTS has the same set of locations $L^{\times}=\{q_{0},q_{1}\}$ as the NBA and the set of variables $V^{\times}=\{\mu_{1},\mu_{2},\mu_{3}\}$ corresponding to the probabilities of being in MDP states $A, B, C$ . The initial location is $l_{\text{init}}=q_{0}$ and the set of initial distributions is $\mathsf{Init}=\{(A:\tfrac{1}{3},\;B:\tfrac{1}{3},\;C:\tfrac{1}{3})\}$ . Finally, the three PDTS transitions are shown in Fig. 2.

Note that PDTS indeed models a synchronous execution of a sequence of distributions over MDP states and a run in the NBA. Each infinite path $(q_{0},\mu_{0}),(q_{1},\mu_{1}),\dots$ in the PDTS starts from a state $(q_{0},\mu_{0})\in\{q_{0}\}\times\mathsf{Init}$ . Then, for each state $(q_{i},\mu_{i})$ along the infinite path, the next state is obtained by applying some enabled transition $(q_{i},q_{i+1},G(\sigma_{i}),\mathcal{M}^{\pi})$ . For the transition to be enabled, we must have $\sigma_{i}=\{p\in\mathsf{AP}\mid\mu_{i}\models p\}$ be the unique letter defined by all atomic propositions satisfied in $\mu_{i}$ . The PDTS then moves to a state $(q_{i+1},\mu_{i+1})$ , where $\mu_{i+1}=\mathcal{M}^{\pi}(\mu_{i})$ is indeed the next distribution in the sequence and $q_{i+1}\in\delta(q_{i},\sigma_{i})$ is indeed a successor state in the NBA.

Figure 2: The figure on the left shows the NBA for distributional specification

\varphi=\mathrm{GF}(p(b)\geq 0.249)

. The figure on the right then shows the PDTS of the MDP in Fig. 1 with the strategy that in state

A

takes action

b

with probability

1

, and the NBA on the left. Each PDTS transition is labeled with its guard (top line) and its update function (bottom line). We write

\mu^{\prime}=\mathcal{M}^{\pi}(\mu)

as a shorthand notation for

\mu^{\prime}=\{A:0.5\cdot\mu(C),B:\mu(A),C:\mu(B)+0.5\cdot\mu(C)\}

.

An infinite path $(q_{0},\mu_{0}),(q_{1},\mu_{1}),\dots$ in the PDTS is accepting if $(q_{i},\mu_{i})\in F\times\Delta(S)$ for infinitely many $i\in\mathbb{N}_{0}$ , i.e. if it visits states with locations belonging to the accepting set of the NBA infinitely often. The following proposition formalizes the relationship between the satisfaction of a distributional $\omega$ -regular specification in the MDP and the existence of an accepting infinite path in the PDTS. We state the proposition for a single initial distribution $\mu_{0}\in\mathsf{Init}$ , so that it is applicable both in the universal and the existential satisfaction problem settings (see Remark 3).

Proposition 7.

An MDP $\mathcal{M}$ with an initial distribution $\mu_{0}\in\Delta(S)$ satisfies a distributional $\omega$ -regular specification $\varphi$ under a distributionally memoryless strategy $\pi$ if and only if there exists an accepting infinite path in the PDTS $\mathcal{T}^{\times}=(L^{\times},V^{\times},l_{\text{init}}^{\times},\theta_{% \text{init}}^{\times},\mapsto^{\times})$ .

Proof.

Suppose that MDP $\mathcal{M}$ with initial distribution $\mu_{0}$ satisfies distributional $\omega$ -regular specification $\varphi$ under distributionally memoryless strategy $\pi$ . Let $\mu_{0},\mu_{1},\dots$ be the sequence of distributions induced by the MDP $\mathcal{M}$ under strategy $\pi$ , and let $\sigma_{0},\sigma_{1},\dots$ be the induced infinite word from the initial distribution $\mu_{0}$ . By the definition of satisfiability of distributional $\omega$ -regular specifications in Section 3, the infinite word $\sigma_{0},\sigma_{1},\dots$ is accepted by the NBA $N^{\varphi}$ . Hence, there exists a run $q_{0},q_{1},\dots$ in $N^{\varphi}$ such that $q_{i+1}\in\delta(q_{i},\sigma_{i})$ for each $i\in\mathbb{N}$ . But this also means that $(q_{0},\mu_{0}),(q_{1},\mu_{1}),\dots$ is an accepting path in the PDTS $\mathcal{T}^{\times}=(L^{\times},V^{\times},l_{\text{init}}^{\times},\theta_{% \text{init}}^{\times},\mapsto^{\times})$ , which proves one direction of the proposition.

Conversely, suppose that there exists an accepting infinite path $(q_{0},\mu_{0}),(q_{1},\mu_{1}),\dots$ in the PDTS $\mathcal{T}^{\times}=(L^{\times},V^{\times},l_{\text{init}}^{\times},\theta_{% \text{init}}^{\times},\mapsto^{\times})$ . Then, by the definition of transition update functions in the PDTS, we know that $\mu_{0},\mu_{1},\dots$ is the sequence of distributions induced by the MDP $\mathcal{M}$ under strategy $\pi$ . Moreover, by the definition of transition guards in the PDTS, we know that $q_{i+1}\in\delta(q_{i},\sigma_{i})$ for each $i\in\mathbb{N}$ with $\sigma_{i}$ being the unique letter defined by atomic propositions in $\mathsf{AP}$ satisfied in $\mu_{i}$ . Hence, $q_{0},q_{1},\dots$ is an infinite run in the NBA $N^{\varphi}$ induced by the infinite word $\sigma_{0},\sigma_{1},\dots$ . But from the fact that $(q_{0},\mu_{0}),(q_{1},\mu_{1}),\dots$ is an accepting run in the PDTS, it follows that $q_{i}\in F$ for infinitely many $i\in\mathbb{N}$ and so the infinite word $\sigma_{0},\sigma_{1},\dots$ is accepted by the NBA $N^{\varphi}$ . By the definition of satisfiability of distributional $\omega$ -regular specifications in Section 3, this implies that MDP $\mathcal{M}$ with initial distribution $\mu_{0}$ satisfies specification $\varphi$ under strategy $\pi$ , which concludes our proof. $\hfill\blacktriangleleft$

4.2 Distributional Certificates

We are now ready to define our notion of distributional certificates. A distributional certificate is a pair $(\mathcal{C},I)$ that consists of two components – a distributional Büchi ranking function $\mathcal{C}$ and a distributional invariant $I$ . The distributional Büchi ranking function $\mathcal{C}:Q\times\Delta(S)\rightarrow\mathbb{R}$ is a function that to each state of the PDTS assigns a real value, which is required to satisfy two conditions. First, the Initial condition requires the value of $\mathcal{C}$ to be non-negative at all initial states of the PDTS. Second, the Büchi ranking condition requires that, for every reachable state in the PDTS at which the value of $\mathcal{C}$ is non-negative, there exists at least one successor state at which non-negativity is preserved. Furthermore, the value of $\mathcal{C}$ decreases by at least $1$ if the state is not contained in the accepting set of the PDTS. We prove in Theorem 9 below that these two conditions are necessary and sufficient to ensure that, for every initial state $(q_{0},\mu_{0})$ in the PDTS, there exists an accepting infinite path in the PDTS.

Note that the Büchi ranking condition needs to be satisfied only at reachable states of the PDTS. However, the problem of determining the exact set of reachable states is not feasible. Hence, with later automation in mind, we append our certificate with a distributional invariant $I\subseteq Q\times\Delta(S)$ , which is a set that over-approximates the set of reachables states in the PDTS. This is ensured by extending the Initial condition to require that all initial states of the PDTS are contained in the invariant $I$ , and by extending the Büchi ranking condition to require that the successor state described above is also contained in the invariant $I$ .

The following definition formalizes this intuition. In what follows, for each letter $\sigma\in 2^{\mathsf{AP}}$ and distribution $\mu\in\Delta(S)$ , we write $\mu\models G(\sigma)$ as a shorthand for $\mu\models(\land_{p\in\sigma}p)\land(\land_{p\in\mathsf{AP}\backslash\sigma}% \neg p)$ .

Definition 8 (Distributional certificate).

A distributional certificate for an MDP $\mathcal{M}$ with a set of initial distributions $\mathsf{Init}$ , a distributionally memoryless strategy $\pi$ , and a distributional $\omega$ -regular specification $\varphi$ with NBA $N^{\varphi}$ , is a tuple $(\mathcal{C},I)$ consisting of a function $\mathcal{C}:Q\times\Delta(S)\rightarrow\mathbb{R}$ and a set $I\subseteq Q\times\Delta(S)$ , such that the following conditions hold:

$\blacksquare$

Initial condition. For all $\mu_{0}\in\mathsf{Init}$ , we have $\mathcal{C}(q_{0},\mu_{0})\geq 0$ and $(q_{0},\mu_{0})\in I$ .
$\blacksquare$
Büchi ranking condition. We have the following:
- –
  
  Non-negativity at accepting states. For all NBA states $q\in F$ and letters $\sigma\in 2^{\mathsf{AP}}$ ,
  
  $\begin{split}\forall\mu\in\mathbb{R}^{|S|}.\,\bigvee_{q^{\prime}\in\delta(q,% \sigma)}&\mu\in\Delta(S)\,\land\,\mu\models G(\sigma)\,\land\,\mathcal{C}(q,% \mu)\geq 0\,\land\,(q,\mu)\in I\\ &\Longrightarrow\mathcal{C}(q^{\prime},\mathcal{M}^{\pi}(\mu))\geq 0\,\land\,(% q^{\prime},\mathcal{M}^{\pi}(\mu))\in I.\end{split}$ (1)
- –
  
  Strict decrease and non-negativity at non-accepting states. For all NBA states $q\not\in F$ and letters $\sigma\in 2^{\mathsf{AP}}$ ,
  
  $\begin{split}\forall\mu\in\mathbb{R}^{|S|}.\,\bigvee_{q^{\prime}\in\delta(q,% \sigma)}&\mu\in\Delta(S)\,\land\,\mu\models G(\sigma)\,\land\,\mathcal{C}(q,% \mu)\geq 0\,\land\,(q,\mu)\in I\\ &\Longrightarrow\mathcal{C}(q,\mu)-1\geq\mathcal{C}(q^{\prime},\mathcal{M}^{% \pi}(\mu))\geq 0\,\land\,(q^{\prime},\mathcal{M}^{\pi}(\mu))\in I.\end{split}$ (2)

The following theorem establishes that distributional certificates provide a sound and complete proof rule for proving that an MDP under a distributionally memoryless strategy satisfies a distributional $\omega$ -regular specification.

Theorem 9 (Soundness and completeness).

An MDP $\mathcal{M}$ with a set of initial distributions $\mathsf{Init}$ under a distributionally memoryless strategy $\pi$ satisfies a distributional $\omega$ -regular specification $\varphi$ if and only if there exists a distributional certificate for $\mathcal{M}$ , $\mathsf{Init}$ , $\pi$ and $\varphi$ .

Proof.

Soundness.

Suppose that there exists a distributional certificate $(\mathcal{C},I)$ for $\mathcal{M}$ , $\mathsf{Init}$ , $\pi$ and $\varphi$ . To show that $\varphi$ is satisfied, by Proposition 7 it suffices to show that the PDTS $\mathcal{T}^{\times}$ admits an accepting infinite path for every initial state in $\{q_{0}\}\times\mathsf{Init}$ .

Fix an initial state $(q_{0},\mu_{0})\in\{q_{0}\}\times\mathsf{Init}$ . By the Initial condition in Definition 8, we know that $\mathcal{C}(q_{0},\mu_{0})\geq 0$ and $(q_{0},\mu_{0})\in I$ . Hence, by the Büchi ranking condition in Definition 8, we can repeadly select successor states in order to obtain an infinite path $(q_{0},\mu_{0}),(q_{1},\mu_{1}),\dots$ in $\mathcal{T}^{\times}$ such that, for each $i\in\mathbb{N}_{0}$ , we have

$\blacksquare$

$\mathcal{C}(q_{i},\mu_{i})\geq 0$ and $(q_{i},\mu_{i})\in I$ , and
$\blacksquare$

whenever $q_{i}\not\in F$ is not an accepting state in $N^{\varphi}$ , we have $\mathcal{C}(q_{i},\mu_{i})-1\geq\mathcal{C}(q_{i+1},\mu_{i+1})$ .

We claim that $(q_{0},\mu_{0}),(q_{1},\mu_{1}),\dots$ is an accepting infinite path in $\mathcal{T}^{\times}$ . To prove this, note that for every $(q_{i},\mu_{i})$ with $q_{i}\not\in F$ , the value of $\mathcal{C}$ needs to keep decreasing by at least $1$ in each subsequent step while also remaining non-negative. Hence, in at most $\lceil\mathcal{C}(q_{i},\mu_{i})\rceil$ steps, the path must again reach an accepting state. Thus, the infinite path $(q_{0},\mu_{0}),(q_{1},\mu_{1}),\dots$ reaches accepting states in $F\times\Delta(S)$ infinitely many times and is an accepting infinite path. Since the initial state $(q_{0},\mu_{0})\in\{q_{0}\}\times\mathsf{Init}$ was arbitrary, this concludes the proof.

Completeness.

Conversely, suppose that $\mathcal{M}$ with a set of initial distributions $\mathsf{Init}$ under distributionally memoryless strategy $\pi$ satisfies distributional $\omega$ -regular specification $\varphi$ . We construct an instance $(\mathcal{C},I)$ of a distributional certificate for $\mathcal{M}$ , $\mathsf{Init}$ , $\pi$ and $\varphi$ as follows.

Consider an arbitrary but throughout fixed enumeration $q_{1},\dots,q_{|Q|}$ of NBA states. We define an operator $\textsc{Next}:Q\times\Delta(S)\rightarrow Q\times\Delta(S)$ via

$\blacksquare$

$\textsc{Next}(q,\mu)=(q_{i},\mathcal{M}^{\pi}(\mu))$ with $i$ being the smallest index such that $(q,\mu),(q_{i},\mathcal{M}^{\pi}(\mu))$ are successor states along some accepting infinite path in the PDTS, if such an accepting infinite path exists, or
$\blacksquare$

$\textsc{Next}(q,\mu)=(q,\mu)$ , otherwise.

In other words, $\textsc{Next}(q,\mu)$ fixes a successor state of $(q,\mu)$ along some accepting infinite path in the PDTS if such a path exists, or halts the sequence at the state $(q,\mu)$ otherwise. Therefore, the transitive closure of the operator $\textsc{Next}(q,\mu)$ from the set of initial PDTS states $\{q_{0}\}\times\mathsf{Init}$ allows us to consistently fix a unique accepting infinite path for each state $(q,\mu)$ that is contained along some accepting infinite path.

We can now define our distributional certificate $(\mathcal{C},I)$ . Let distributional invariant $I\subseteq Q\times\Delta(S)$ be the set of all states in the PDTS that are reachable from $\{q_{0}\}\times\mathsf{Init}$ under the transitive closure of the Next operator. Moreover, for each PDTS state $(q,\mu)\in I$ , let $d_{\text{accept}}(q,\mu)$ denote the number of steps when applying the Next operator until an accepting state in $F\times\Delta(S)$ is reached, with $d_{\text{accept}}(q,\mu)=0$ if $(q,\mu)\in F\times\Delta(S)$ is an accepting state. Finally, let the distributional Büchi ranking function $\mathcal{C}$ be defined via

\mathcal{C}(q,\mu)=\begin{cases}d_{\text{accept}}(q,\mu),&\text{if }(q,\mu)\in I% ,\\ -1,&\text{otherwise}.\end{cases}

We claim that $(\mathcal{C},I)$ is an instance of a distributional certificate. The Initial condition in Definition 8 is satisfied since the MDP $\mathcal{M}$ under strategy $\mu$ satisfies $\varphi$ , therefore every initial state $(q_{0},\mu)\in\{q_{0}\}\times\mathsf{Init}$ belongs to some accepting infinite path in the PDTS and so $(q_{0},\mu)\in I$ and $d_{\text{accept}}(q_{0},\mu)\geq 0$ . On the other hand, by the definition of the Next operator and $I$ , for each $(q,\mu)\in I$ we have that also $\textsc{Next}(q,\mu)\in I$ . Moreover, $\textsc{Next}(q,\mu)=d_{\text{accept}}(q,\mu)-1\geq 0$ if $q\not\in F$ and $\textsc{Next}(q,\mu)\geq 0$ id $q\in F$ . Hence, the Büchi ranking condition in Definition 8 is also satisfied, and $(\mathcal{C},I)$ is a distributional certificate. $\hfill\blacktriangleleft$

Example 10.

Consider again the MDP in Fig. 1. As in Example 1, consider the strategy $\pi$ which in state $A$ takes action $b$ with probability $1$ , and the distributional specification $\varphi=\mathbf{G}\,\mathbf{F}\,(p(B)\geq 0.249)$ . An NBA for $\varphi$ and the resulting PDTS are shown in Fig. 2. The following is an example of a distributional certificate $(\mathcal{C},I)$ for $\mathcal{M}$ , $\mathsf{Init}$ , $\pi$ and $\varphi$ :

\mathcal{C}(q,\mu)=\begin{cases}1+250\cdot\mu(A)+750\cdot\mu(C),&\text{if }q=q% _{0},\\ 1.25-1.25\cdot\mu(C),&\text{if }q=q_{1},\end{cases}

and $I=\{(q_{0},\mu)\mid 1.25+\mu(A)+1\cdot\mu(B)-\mu(C)\geq 0\}\cup\{(q_{1},\mu)% \mid\mu(A)+0.25\cdot\mu(B)\}$ .

One can verify by inspection that the Initial condition and the Büchi ranking condition in Definition 8 are satisfied. We note that the above distributional certificate $(\mathcal{C},I)$ is the certificate computed by our prototype implementation in Section 6.

$\blacktriangleright$ Remark 11 (Distributional certificates for the existential problem).

As discussed in Section 2 and Remark 3, our distributional certificate in Definition 4.2 and our soundness and completeness result in Theorem 9 consider the universal satisfaction setting. However, their extension to the existential setting is immediate. The only required change in the definition of distributional certificates is to require the Initial condition in Definition 4.2 to hold for some initial distribution $\mu_{0}\in\mathsf{Init}$ . On the other hand, the soundness and completeness proof proceeds analogously as in the proof of Theorem 9, with the difference in the completeness proof being that the distributional invariant $I$ is defined as the transitive closure of the Next operator with the singleton initial set $\{(q_{0},\mu_{0})\}$ , rather than the initial set $\{q_{0}\}\times\mathsf{Init}$ .

5 Template-based Strategy Verification and Synthesis with Certificates

We now present our algorithms for the strategy verification and synthesis problems for distributional $\omega$ -regular specifications. The core of the verification algorithm is to synthesize an affine distributional certificate in the PDTS of the input MDP and the specification, which proves that the specification is satisfied. When we move from strategy verification to strategy synthesis, we also synthesize an affine distributionally memoryless strategy.

The restriction to affine distributional certificates and affine distributionally memoryless strategies is needed to ensure tractability. While Theorem 9 establishes soundness and completeness of our distributional certificates, in combination with Remark 2 it also implies that giving a sound and complete algorithm for synthesizing distributional certificates is Skolem-hard. Hence, in this section, we instead focus on designing sound and relatively complete algorithms for synthesizing an affine distributional certificate together with an affine distributionally memoryless strategy (the latter for the synthesis problem), when they exist.

Affine distributional certificates and strategies.

We first formalize the notions of affine distributional certificates and distributionally memoryless strategies:

$\blacksquare$

Affine distributional certificates. A distributional certificate $(\mathcal{C},I)$ is said to be affine if both the distributional Büchi ranking function $\mathcal{C}$ and the distributional invariant $I$ can be expressed in terms of affine expressions and inequalities over the space $\Delta(S)$ of probability distributions over MDP states. We require $\mathcal{C}$ to be of the form

$\mathcal{C}(q,\mu)=\sum_{i=1}^{|S|}a^{q}_{i}\cdot\mu(s_{i})+b^{q},$ (3)

where $a^{q}_{1},\dots,a^{q}_{|S|},b^{q}$ are some real valued coefficients for each NBA state $q\in Q$ . That is, for each NBA state $q$ , the function $\mathcal{C}(q,\cdot)$ is an affine function over the probabilities of being in each MDP state, with $\mu(s_{1}),\dots,\mu(s_{|V|})$ being the variables that capture probabilities of being in each MDP state and $a^{q}_{1},\dots,a^{q}_{|S|},b^{q}$ being the coefficients of the affine function. Similarly, we require $I$ to be a set defined by a conjunction of $N_{I}$ affine inequalities over the probabilities of being in each MDP state, i.e. to be of the form

$I=\Big{\{}(\mu,q)\in\Delta(S)\times Q\mid\land_{k=1}^{N_{I}}I^{k}(q,\mu)\geq 0% \Big{\}},$ (4)

where each $I^{k}(q,\mu)=\sum_{i=1}^{|S|}c^{k,q}_{i}\cdot\mu(s_{i})+d^{k,q}\geq 0$ and $c^{k,q}_{1},\dots,c^{k,q}_{|S|},d^{k,q}$ are some real valued coefficients for each NBA state $q\in Q$ and each $k\in\{1,\dots,N_{I}\}$ . The number $N_{I}$ is referred to as the size of the invariant and will be an algorithm parameter.
$\blacksquare$

Affine distributionally memoryless strategies. A distributionally memoryless strategy $\pi:\Delta(S)\rightarrow\Delta(Act)$ is said to be affine, if for each state $s\in S$ , action $a\in\mathit{Act}$ and state distribution $\mu\in\Delta(S)$ , the probability of taking action $a$ in state $s$ given the current distribution over states $\mu$ is of the form

$\pi(s,a)(\mu)=\frac{\sum_{i=1}^{|S|}e^{\pi}_{i,s,a}\cdot\mu(s_{i})+f^{\pi}_{s,% a}}{\sum_{i=1}^{|S|}g^{\pi}_{i,s}\cdot\mu(s_{i})+h^{\pi}_{s}},$ (5)

where $e^{\pi}_{1,s,a},\dots,e^{\pi}_{|S|,s,a},f^{\pi}_{s,a}$ and $g^{\pi}_{1,s},\dots,g^{\pi}_{|S|,s},h^{\pi}_{s}$ are real valued constants. The denominator is used in order to normalize the probabilities such that the sum of probabilities of all actions being taken at a state $s$ is $1$ .

Algorithm input.

Both our verification and synthesis algorithms take as input an MDP $\mathcal{M}=(S,\mathit{Act},P)$ , a set of initial distributions $\mathsf{Init}$ , and a distributional $\omega$ -regular specification $\varphi$ defined over atomic propositions $\mathsf{AP}$ . We assume that the distributional $\omega$ -regular specification is provided via an NBA $N^{\varphi}=(Q,\Sigma,\delta,q_{0},F)$ with letters $\Sigma=2^{\mathsf{AP}}$ , which accepts the same set of infinite words over $2^{\mathsf{AP}}$ as $\varphi$ . Finally, the algorithms also take as input the size of the invariant $N_{I}$ that needs to be synthesized. The verification algorithm in addition takes as input an affine distributionally memoryless strategy $\pi$ .

Algorithm overview.

Both verification and synthesis algorithms follow a template-based synthesis approach and proceed in four steps. In the first step, the PDTS of the input MDP and the distributional specification is constructed. In the second step, the algorithms fix a symbolic template for the affine distributional certificate, i.e. symbolic variables for each real valued coefficient in affine expressions that define the certificate. The synthesis algorithm also fixes a symbolic template for the affine distributionally memoryless strategy. In the third step, the algorithms collect a system of constraints over the symbolic template variables, that together encode all defining conditions of distributional certificates in Definition 8 as well as conditions for the strategy template to define a valid distributionally memoryless strategy (the latter for the synthesis algorithm). Finally, in the fourth step, the collected system of constraints is solved by using an SMT-solver, to get a concrete valuation of the symbolic template variables which in turn gives rise to a distributional certificate and a distributionally memoryless strategy. In what follows, we detail each of these four steps.

Step 1: Constructing the PDTS.

In this step, the PDTS $\mathcal{T}^{\times}=(L^{\times},V^{\times},l_{\text{init}}^{\times},\theta_{% \text{init}}^{\times},\mapsto^{\times})$ is constructed from the given MDP $\mathcal{M}$ and the NBA $N^{\varphi}$ , as explained in Section 4.1.

Step 2: Fixing templates.

The algorithms fix a template for the affine distributional certificate $(\mathcal{C},I)$ , while the synthesis algorithm also fixes a template for the affine distributionally memoryless strategy $\pi$ . The novelty, compared to prior work on verification and synthesis for distributional reachability and safety specifications [4, 5], lies in a more complex template design for the distributional certificate, which is now defined with respect to the PDTS:

$\blacksquare$

Template for $\mathcal{C}$ . Recall that an affine distributional Büchi ranking function is of the form $\mathcal{C}(q,\mu)=\sum_{i=1}^{|S|}a^{q}_{i}\cdot\mu(s_{i})+b^{q}$ as in eq. (3). Hence, the template for $\mathcal{C}$ is defined by introducing a set of symbolic template variables $a^{q}_{1},\dots,a^{q}_{|S|},b^{q}$ for each NBA state $q\in Q$ .
$\blacksquare$

Template for $I$ . Similarly, the template for an affine distributional invariant $I$ is of the form as in eq. (4). Hence, the template for $I$ is defined by introducing a set of symbolic template variables $c^{k,q}_{1},\dots,c^{k,q}_{|S|},d^{k,q}$ for each NBA state $q\in Q$ and each $k\in\{1,\dots,N_{I}\}$ , where $N_{I}$ is the algorithm parameter that specifies the size of the invariant.
$\blacksquare$

Template for $\pi$ (synthesis algorithm). The template for an affine distributionally memoryless strategy $\pi$ is of the form as in eq. (5), hence it is defined by introducing symbolic template variables $e^{\pi}_{1,s,a},\dots,e^{\pi}_{|S|,s,a},f^{\pi}_{s,a}$ and $g^{\pi}_{1,s},\dots,g^{\pi}_{|S|,s},h^{\pi}_{s}$ for each state $s\in S$ and action $a\in\mathit{Act}$ . Note that, in the special case when we are interested in synthesizing memoryless strategies instead of distributionally memoryless strategies, the strategy template becomes simpler. Instead of the template as in eq. (5), we introduce a single symbolic template variable $p_{s,a}^{\pi}$ for each state-action pair $s\in S$ and $a\in\mathit{Act}$ , to encode the probability of taking action $a$ in state $s$ .

Step 3: Collecting constraints.

In this step, the algorithms collect a system of constraints over the symbolic template variables that together encode that $\mathcal{C}$ and $\mathcal{I}$ indeed define a valid distributional certificate. For the synthesis algorithm, we also collect a system of constraints that encode that $\pi$ defines a valid distributionally memoryless strategy. In each of the following constraints, each appearance of $\mathcal{C}$ , $\mathcal{I}$ and $\pi$ is replaced by the symbolic template introduced in Step 2, in the form as in eq. (3), (4) and (5). Moreover, we write $\mu\in\Delta(S)$ for the conjunction of affine inequalities $\land_{i=1}^{|S|}(\mu_{i}\geq 0)\land(\mu_{1}+\dots+\mu_{|S|}=1)$ .

$\blacksquare$

Initial condition. We define

$\Phi_{\text{init}}\equiv\forall\mu\in\mathbb{R}^{|S|}.\,\mu\in\Delta(S)\,\land% \,\mu\in\mathsf{Init}\Longrightarrow\mathcal{C}(q_{0},\mu)\geq 0\,\land\,% \bigwedge_{k=1}^{N_{I}}I^{k}(q_{0},\mu)\geq 0.$

\blacksquare

Büchi ranking condition for accepting states. For each accepting state $q\in F$ and letter $\sigma\in 2^{\mathsf{AP}}$ in the NBA, we define

\begin{split}\Phi_{\text{B\"{u}chi},q,\sigma}\equiv\forall\mu\in\mathbb{R}^{|S% |}.\,&\bigvee_{q^{\prime}\in\delta(q,\sigma)}\mu\in\Delta(S)\,\land\,\mu% \models G(\sigma)\,\land\,\mathcal{C}(q,\mu)\geq 0\,\land\,\bigwedge_{k=1}^{N_% {I}}I^{k}(q,\mu)\geq 0\\ &\Longrightarrow\mathcal{C}(q^{\prime},\mathcal{M}^{\pi}(\mu))\geq 0\,\land\,% \bigwedge_{k=1}^{N_{I}}I^{k}(\mathcal{M}^{\pi}(q^{\prime},\mu))\geq 0.\end{split}

\blacksquare

Büchi ranking condition for nonaccepting states. For each non-accepting state $q\in Q\backslash F$ and letter $\sigma\in 2^{\mathsf{AP}}$ in the NBA in the NBA, we define

\begin{split}\Phi_{\text{B\"{u}chi},q,\sigma}\equiv\forall\mu\in\mathbb{R}^{|S% |}.\,&\bigvee_{q^{\prime}\in\delta(q,\sigma)}\mu\in\Delta(S)\,\land\,\mu% \models G(\sigma)\,\land\,\mathcal{C}(q,\mu)\geq 0\,\land\,\bigwedge_{k=1}^{N_% {I}}I^{k}(q,\mu)\geq 0\\ &\Longrightarrow\mathcal{C}(\mu,q)-1\geq\mathcal{C}(\mathcal{M}^{\pi}(\mu),q^{% \prime})\geq 0\,\land\,\bigwedge_{k=1}^{N_{I}}I^{k}(\mathcal{M}^{\pi}(q^{% \prime},\mu))\geq 0.\end{split}

$\blacksquare$

Strategy conditions (synthesis algorithm). For the strategy template to indeed define a valid affine distributionally memoryless strategy, we require that:

$\Phi_{\pi}\equiv\bigwedge_{s\in S}\Big{(}\sum_{a\in Act}\pi(s,a)(\mu)=1\land% \bigwedge_{a\in Act}(\pi(s,a)(\mu)\geq 0)\Big{)}.$

In the above definitions, note that $\mathcal{M}^{\pi}(\mu)$ is the one-step successor from distribution $\mu$ when policy $\pi$ is applied in the MDP, computed as: $\sum_{s\in S,a\in Act(s)}\pi(s,a)(\mu)\cdot P(s,a)$ .

Step 4: Constraint solving.

The strategy condition constraint $\Phi_{\pi}$ is a purely existentially quantified Boolean combination of affine inequalities over the symbolic template variables. However, constraints $\Phi_{\text{init}}$ and $\Phi_{\text{B\"{u}chi},q,\sigma}$ are all of the form

\forall\mu\in\mathbb{R}^{|S|}.\,\bigvee_{i=1}^{m}\bigwedge_{j=1}^{n}\text{aff-% expr}_{i,j}(t,\mu)\geq 0\geq\bigwedge_{l=1}^{k}\text{poly-expr}_{k}(t,\mu)\geq 0,

where $t$ is the vector of all symbolic template variables, $\text{aff-expr}_{i,j}(t,\mu)$ ’s are some affine functions and $\text{poly-expr}_{k}$ ’s are some polynomial functions over the vectors of variables $t$ and $\mu$ . Polynomial expressions on the right hand side arise due to the quotients of affine expressions that define affine distributionally memoryless strategies, see eq. (5). Hence, multiplying both sides of the inequality by the affine expressions appearing in denominators results in polynomial expressions over variables in $t$ and $\mu$ .

The problem of synthesizing affine distributional certificates and affine distributionally memoryless strategies then reduces to solving a system of constraints that contain quantifier alternation $\exists t.\,\forall\mu$ . Such quantifier alternation over real-valued variables is generally hard to handle directly and can lead to inefficiency in solvers. In order to allow for a more efficient constraint solving, before passing our system of constraints to an SMT-solver, we first apply Handelman’s theorem [27] to translate $\Phi_{\text{init}}$ and $\Phi_{\text{B\"{u}chi},q,\sigma}$ into a purely existentially quantified system of polynomial constraints over the symbolic template variables in $t$ and auxiliary variables introduced by the translation, whose satisfiability implies satisfiability of the original constraints. This translation is common in template-based program analysis, see [7] for details. This step allows for more efficient constraint solving as well as better bound on the algorithm complexity. Finally, the resulting purely existentially quantified system of polynomial constraints over real-valued variables is solved via an SMT solver.

In the special case when we are interested in synthesizing memoryless strategies rather than distributionally memoryless strategies, we may use Farkas’ lemma [25] rather than Handelman’s theorem. This yields a sound and complete translation into an equisatisfiable purely existentially satisfied system of constraints.

Soundness, relative completeness, complexity.

Soundness of our algorithms follows from the soundness of all four steps above, including soundness of the transformations via Handelman’s theorem and Farkas’ lemma [7]. Since the Farkas’ lemma transformation leads to an equisatisfiable system of constraints, it also follows that our algorithm is relatively complete – it is guaranteed to synthesize an affine distributional certificate and memoryless strategy whenever they exist. Finally, our algorithms provide a PSPACE complexity upper bound as they reduce the synthesis and verification problems to solving a sentence in the existential first-order theory of the reals. The following theorem summarizes these results.

Theorem 12.

Soundness:: If the algorithm returns an affine distributional certificate $(\mathcal{C},I)$ and an affine distributionally memoryless strategy $\pi$ (for the synthesis algorithm), then the MDP $\mathcal{M}$ with initial distributions $\mathsf{Init}$ under strategy $\pi$ satisfies specification $\varphi$ .
Relative completeness:: If there exist an affine distributional certificate $(\mathcal{C},I)$ and a memoryless strategy $\pi$ , then there exists an invariant size $N_{I}\in\mathbb{N}$ such that $(\mathcal{C},I)$ and $\pi$ are computed by the algorithm.
Complexity:: The runtime of the algorithm is in PSPACE in the size of the encoding of the MDP, NBA $N^{\varphi}$ , startegy $\pi$ (for the verification algorithm) and invariant size $N_{I}\in\mathbb{N}$ .

6 Experimental Evaluation

We implemented a prototype of our method in Python 3 and experimentally evaluated it on a number of challenging verification and synthesis tasks collected from the literature on distributional specifications in MDPs. Our prototype takes as input an MDP (in the Prism [30] input format) and an LTL specification. The LTL specification is then translated into an NBA via Spot [24]. For the constraint solving step in our algorithms, we use PolyQEnt [16] which provides a tooling support for quantifier elimination via Farkas’ lemma and Handelman’s theorem. PolyQEnt uses Z3 [23] and MathSAT5 [20] as backend SMT solvers for the final system of purely existentially quantified constraints. We set the invariant size parameter to $N_{I}=1$ , which was sufficient for all our experiments. Our experiments were conducted on consumer-grade hardware (AMD Ryzen 5 5625U CPU, 8GB RAM).

Benchmarks.

We evaluated our method on several examples collected from the literature:

$\blacksquare$

GridWorld (synthesis). Motivated by [5], these benchmarks model robot swarms in gridworld environments. Initially, all robots are placed in the top-left corner of the gridworld environment. Some of the cells are covered by walls whereas some are slippery and with certain probability may lead to moving in an undesired direction. Hence, each environment induces an MDP. As shown in [5], the evolution of a robot swarm can be analyzed by taking the distribution transformer view of MDPs and considering how the robots are distributed across the gridworld cells at each time step. In Table 1, we consider $5$ gridworld benchmarks of varying sizes and consider two distributional specifications: (1) at least 90% of robots should be in some slippery target cell infinitely often, and (2) in addition, at most 50% of robots should occupy some narrow passage at any point in time.
$\blacksquare$

PageRank (verification). We consider a Markov chain representation of the PageRank algorithm taken from [2]. Given the context, we consider various verification tasks, which are of the form: always if the probability mass at some vertex/page is above a threshold, then eventually, it must be above a threhold in another page.
$\blacksquare$

Pharamakocinetics (verification) We also consider a 6 state Markov chain from [2] which is adapted from a Pharmacokinetics example in [11]. We use the two queries that were listed in [2] as the motivating examples to obtain our specifications.
$\blacksquare$

Benchmarks from [4] (verification and synthesis). Finally, we collect $3$ pairs of verification and synthesis tasks from [4]. In the verification task a strategy is fixed, whereas in the synthesis task one also needs to compute the strategy. While [4] considered distributional safety specifications, we design more complex $\omega$ -regular specifications.

Results.

Our experimental results are shown in Table 1. Our results demonstrate that our prototype is able to solve a number of challenging verification and synthesis tasks for distributional $\omega$ -regular specifications in MDPs, that were beyond the reach of all existing methods. This is achieved at runtimes that are comparable or even lower than those reported by earlier methods for distributional reachability and safety specifications in [4, 5] on benchmarks of similar size. Hence, even though we consider a significantly more general class of distributional $\omega$ -regular specifications, our algorithms do not lead to a significant computational overhead. Moreover, for all our strategy synthesis tasks, our prototype was able to compute memoryless strategies that lead to distributional specification satisfaction. This demonstrates the generality of relative completeness guarantees provided by our algorithms.

We also make some observations. First, as can be seen from runtimes reported in Table 1, the final SMT-solving step is computationally the most expensive step of our algorithms. Constraint generation took at most a few seconds in all cases. Second, we observe that strategy synthesis tasks are generally computationally more expensive, which is expected given that they require synthesizing both the strategy and the distributional certificate. However, in some cases the synthesis problems can also be solved more efficiently. This is demonstrated by the last $6$ experiments (CAV’23 in Table 1), where synthesis is achieved at lower runtimes due to our prototype being able to compute a simple memoryless strategy that was easier to verify, compared to the strategy considered in the verification task.

Finally, regarding the invariant size parameter, we used $N_{I}=1$ because it was sufficient for all our benchmarks. We also ran our prototype tool with $N_{I}=2$ on $12$ of the benchmarks and $8$ of them were solved within the timeout of 5 minutes. The timeouts are likely due to the larger size of the final system of constraints. Indeed, given more time, we expect our method can be effectively applied with larger template sizes as well.

Table 1: For each experiment we report, from left to right, the benchmark, specification, task (verification or synthesis), the number of coefficients, the number of constraints, the number of coefficients in PolyQEnt generated file (i.e. after application of Farkas’ lemma), the number of constraints in PolyQEnt generated file, SMT-solving time, and the total runtime.

Model	Specification	Task	Coeff #	Const #	PQ Coeff #	Query #	SMT time	Total time
GW (3*3)	G F “V5>=0.9”	Synth	$62$	$41$	$171$	$34$	$<2s$	$6s$
GW (3*3)	G F “V5>=0.9” & G “V4<=0.5”	Synth	$80$	$45$	$277$	$49$	$<5s$	$<5s$
GW (4*4)	G F “V11>=0.9”	Synth	$121$	$79$	$286$	$81$	$<10s$	$10s$
GW (4*4)	G F “V11>=0.9” & G “V9<=0.5”	Synth	$153$	$83$	$448$	$87$	$12s$	$13s$
GW (5*5)	G F “V19>=0.9”	Synth	$198$	$129$	$435$	$131$	$302s$	$303s$
PageRank	F G “V2>0.2”	Verify	$60$	$13$	$400$	$35$	$63s$	$64s$
PageRank	G ( “0.2<=V0” → F “0.2<=V2”)	Verify	$48$	$13$	$253$	$22$	$17s$	$18s$
PageRank	G ( “0.2<=V2” → F “0.2<=V2”)	Verify	$48$	$13$	$253$	$22$	$8s$	$8s$
PageRank	G ( “0.2<=V3” → F “0.2<=V2”)	Verify	$48$	$13$	$253$	$22$	$44s$	$45s$
PageRank	G ( “0.2<=V4” → F “0.2<=V2”)	Verify	$48$	$13$	$253$	$22$	$5s$	$6s$
PageRank	G “V0>=0.2” \| “V1>=0.2” \| “V2>=0.2”	Verify	$60$	$19$	$569$	$44$	$136s$	$137s$
	\| “V3>=0.2” \| “V4>=0.2” → F “V2=1”
PageRank	F “V2=1”→ G “V1<=0.2”	Verify	$144$	$35$	$630$	$46$	$6s$	$6s$
Pharmacokinetics	F “V4=1”	Verify	$42$	$9$	$176$	$14$	$<1s$	$<1s$
Pharmacokinetics	G (“0.13<=V3<=0.2” \| “0<=V3<0.13”)	Verify	$56$	$11$	$365$	$28$	$102s$	$102s$
CAV23 [4]	G F “V1>=0.249”	Verify	$16$	$7$	$85$	$13$	$<2s$	$<2s$
CAV23 [4]	G F “V1>=0.249”	Synth	$20$	$14$	$108$	$16$	$7s$	$<2s$
CAV23 [4]	“V1>= 0.249” U “V2 >= 0.25”	Verify	$32$	$13$	$185$	$22$	$<5s$	$7s$
CAV23 [4]	“V1>= 0.249” U “V2 >= 0.25”	Synth	$36$	$20$	$189$	$25$	$7s$	$5s$
CAV23 [4]	“0.334>=V1>=0.332” U “V0=0.25”	Verify	$32$	$17$	$229$	$24$	$<4s$	$4s$
CAV23 [4]	“0.334>=V1>=0.332” U “V0=0.25”	Synth	$36$	$20$	$233$	$28$	$<1s$	$<1s$

7 Conclusion

In this paper, we considered distributional $\omega$ -regular specifications in MDPs and addressed the problems of strategy verification and synthesis. We developed new notions of product distributional transition systems between an MDP and an NBA. We then introduced distributional certificates, using which we provided template-based synthesis algorithms for strategy verification and synthesis. Our experiments demonstrate the benefits and promise of our approach. As future work, we would like to go beyond MDPs and consider partially observable MDPs. Moreover, it would be interesting to lift the objectives from NBA to Rabin automata, where even the notion of distributional certificates is unclear.

References

[1] Alessandro Abate, Mirco Giacobbe, and Diptarko Roy. Stochastic omega-regular verification and control with supermartingales. In Arie Gurfinkel and Vijay Ganesh, editors, Computer Aided Verification - 36th International Conference, CAV 2024, Montreal, QC, Canada, July 24-27, 2024, Proceedings, Part III, volume 14683 of Lecture Notes in Computer Science, pages 395–419. Springer, 2024. doi:10.1007/978-3-031-65633-0_18.
[2] Manindra Agrawal, S. Akshay, Blaise Genest, and P. S. Thiagarajan. Approximate verification of the symbolic dynamics of Markov chains. J. ACM, 62(1):2:1–2:34, 2015. doi:10.1145/2629417.
[3] S. Akshay, Timos Antonopoulos, Joël Ouaknine, and James Worrell. Reachability problems for Markov chains. Inf. Process. Lett., 115(2):155–158, 2015. doi:10.1016/J.IPL.2014.08.013.
[4] S. Akshay, Krishnendu Chatterjee, Tobias Meggendorfer, and Dorde Zikelic. MDPs as distribution transformers: Affine invariant synthesis for safety objectives. In Constantin Enea and Akash Lal, editors, Computer Aided Verification - 35th International Conference, CAV 2023, Paris, France, July 17-22, 2023, Proceedings, Part III, volume 13966 of Lecture Notes in Computer Science, pages 86–112. Springer, 2023. doi:10.1007/978-3-031-37709-9_5.
[5] S. Akshay, Krishnendu Chatterjee, Tobias Meggendorfer, and Dorde Zikelic. Certified policy verification and synthesis for MDPs under distributional reach-avoidance properties. In Proceedings of the Thirty-Third International Joint Conference on Artificial Intelligence, IJCAI 2024, Jeju, South Korea, August 3-9, 2024, pages 3–12. ijcai.org, 2024. URL: https://www.ijcai.org/proceedings/2024/1.
[6] S. Akshay, Blaise Genest, and Nikhil Vyas. Distribution-based objectives for Markov decision processes. In Anuj Dawar and Erich Grädel, editors, Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018, pages 36–45. ACM, 2018. doi:10.1145/3209108.3209185.
[7] Ali Asadi, Krishnendu Chatterjee, Hongfei Fu, Amir Kafshdar Goharshady, and Mohammad Mahdavi. Polynomial reachability witnesses via stellensätze. In Stephen N. Freund and Eran Yahav, editors, PLDI ’21: 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation, Virtual Event, Canada, June 20-25, 2021, pages 772–787. ACM, 2021. doi:10.1145/3453483.3454076.
[8] Christel Baier and Joost-Pieter Katoen. Principles of model checking. MIT Press, 2008.
[9] Roberto Baldoni, François Bonnet, Alessia Milani, and Michel Raynal. On the solvability of anonymous partial grids exploration by mobile robots. In Theodore P. Baker, Alain Bui, and Sébastien Tixeuil, editors, Principles of Distributed Systems, 12th International Conference, OPODIS 2008, Luxor, Egypt, December 15-18, 2008. Proceedings, volume 5401 of Lecture Notes in Computer Science, pages 428–445. Springer, 2008. doi:10.1007/978-3-540-92221-6_27.
[10] Danièle Beauquier, Alexander Moshe Rabinovich, and Anatol Slissenko. A logic of probability with decidable model checking. J. Log. Comput., 16(4):461–487, 2006. doi:10.1093/logcom/exl004.
[11] Rohit Chadha, Vijay Anand Korthikanti, Mahesh Viswanathan, Gul Agha, and YoungMin Kwon. Model checking MDPs with a unique compact invariant set of distributions. In Eighth International Conference on Quantitative Evaluation of Systems, QEST 2011, Aachen, Germany, 5-8 September, 2011, pages 121–130. IEEE Computer Society, 2011. doi:10.1109/QEST.2011.22.
[12] Aleksandar Chakarov and Sriram Sankaranarayanan. Probabilistic program analysis with martingales. In Natasha Sharygina and Helmut Veith, editors, Computer Aided Verification - 25th International Conference, CAV 2013, Saint Petersburg, Russia, July 13-19, 2013. Proceedings, volume 8044 of Lecture Notes in Computer Science, pages 511–526. Springer, 2013. doi:10.1007/978-3-642-39799-8_34.
[13] Krishnendu Chatterjee, Hongfei Fu, and Amir Kafshdar Goharshady. Termination analysis of probabilistic programs through positivstellensatz’s. In CAV (1), volume 9779 of Lecture Notes in Computer Science, pages 3–22. Springer, 2016. doi:10.1007/978-3-319-41528-4_1.
[14] Krishnendu Chatterjee, Hongfei Fu, Amir Kafshdar Goharshady, and Ehsan Kafshdar Goharshady. Polynomial invariant generation for non-deterministic recursive programs. In Alastair F. Donaldson and Emina Torlak, editors, Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, PLDI 2020, London, UK, June 15-20, 2020, pages 672–687. ACM, 2020. doi:10.1145/3385412.3385969.
[15] Krishnendu Chatterjee, Hongfei Fu, Petr Novotný, and Rouzbeh Hasheminezhad. Algorithmic analysis of qualitative and quantitative termination problems for affine probabilistic programs. TOPLAS, 40(2):7:1–7:45, 2018. doi:10.1145/3174800.
[16] Krishnendu Chatterjee, Amir Kafshdar Goharshady, Ehsan Kafshdar Goharshady, Mehrdad Karrabi, Milad Saadat, Maximilian Seeliger, and Đorđe Žikelić. Polyqent: A polynomial quantified entailment solver, 2025. arXiv:2408.03796.
[17] Krishnendu Chatterjee, Amir Kafshdar Goharshady, Ehsan Kafshdar Goharshady, Mehrdad Karrabi, and Dorde Zikelic. Sound and complete witnesses for template-based verification of LTL properties on polynomial programs. In André Platzer, Kristin Yvonne Rozier, Matteo Pradella, and Matteo Rossi, editors, Formal Methods - 26th International Symposium, FM 2024, Milan, Italy, September 9-13, 2024, Proceedings, Part I, volume 14933 of Lecture Notes in Computer Science, pages 600–619. Springer, 2024. doi:10.1007/978-3-031-71162-6_31.
[18] Krishnendu Chatterjee, Amir Kafshdar Goharshady, Tobias Meggendorfer, and Dorde Zikelic. Sound and complete certificates for quantitative termination analysis of probabilistic programs. In CAV (1), volume 13371 of Lecture Notes in Computer Science, pages 55–78. Springer, 2022. doi:10.1007/978-3-031-13185-1_4.
[19] Krishnendu Chatterjee, Petr Novotný, and Đorđe Žikelić. Stochastic invariants for probabilistic termination. In POPL, pages 145–160, 2017. doi:10.1145/3009837.3009873.
[20] Alessandro Cimatti, Alberto Griggio, Bastiaan Schaafsma, and Roberto Sebastiani. The MathSAT5 SMT Solver. In Nir Piterman and Scott Smolka, editors, Proceedings of TACAS, volume 7795 of LNCS. Springer, 2013. doi:10.1007/978-3-642-36742-7_7.
[21] Michael Colón, Sriram Sankaranarayanan, and Henny Sipma. Linear invariant generation using non-linear constraint solving. In Warren A. Hunt Jr. and Fabio Somenzi, editors, Computer Aided Verification, 15th International Conference, CAV 2003, Boulder, CO, USA, July 8-12, 2003, Proceedings, volume 2725 of Lecture Notes in Computer Science, pages 420–432. Springer, 2003. doi:10.1007/978-3-540-45069-6_39.
[22] Michael Colón and Henny Sipma. Synthesis of linear ranking functions. In Tiziana Margaria and Wang Yi, editors, Tools and Algorithms for the Construction and Analysis of Systems, 7th International Conference, TACAS 2001 Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2001 Genova, Italy, April 2-6, 2001, Proceedings, volume 2031 of Lecture Notes in Computer Science, pages 67–81. Springer, 2001. doi:10.1007/3-540-45319-9_6.
[23] Leonardo Mendonça de Moura and Nikolaj S. Bjørner. Z3: an efficient SMT solver. In TACAS, volume 4963 of Lecture Notes in Computer Science, pages 337–340. Springer, 2008. doi:10.1007/978-3-540-78800-3_24.
[24] Alexandre Duret-Lutz, Etienne Renault, Maximilien Colange, Florian Renkin, Alexandre Gbaguidi Aisse, Philipp Schlehuber-Caissier, Thomas Medioni, Antoine Martin, Jérôme Dubois, Clément Gillard, et al. From spot 2.0 to spot 2.10: What’s new? In International Conference on Computer Aided Verification, pages 174–187. Springer, 2022.
[25] Julius Farkas. Theorie der einfachen ungleichungen. Journal für die reine und angewandte Mathematik (Crelles Journal), 1902(124):1–27, 1902.
[26] Yulong Gao, Alessandro Abate, Lihua Xie, and Karl Henrik Johansson. Distributional reachability for Markov decision processes: Theory and applications. IEEE Trans. Autom. Control., 69(7):4598–4613, 2024. doi:10.1109/TAC.2023.3341282.
[27] David Handelman. Representing polynomials by positive linear functions on compact convex polyhedra. Pacific Journal of Mathematics, 132(1):35–62, 1988.
[28] Thomas A. Henzinger, Maria Mateescu, and Verena Wolf. Sliding window abstraction for infinite Markov chains. In Ahmed Bouajjani and Oded Maler, editors, Computer Aided Verification, 21st International Conference, CAV 2009, Grenoble, France, June 26 - July 2, 2009. Proceedings, volume 5643 of Lecture Notes in Computer Science, pages 337–352. Springer, 2009. doi:10.1007/978-3-642-02658-4_27.
[29] Vijay Anand Korthikanti, Mahesh Viswanathan, Gul Agha, and YoungMin Kwon. Reasoning about MDPs as transformers of probability distributions. In QEST 2010, Seventh International Conference on the Quantitative Evaluation of Systems, Williamsburg, Virginia, USA, 15-18 September 2010, pages 199–208. IEEE Computer Society, 2010. doi:10.1109/QEST.2010.35.
[30] Marta Z. Kwiatkowska, Gethin Norman, and David Parker. PRISM 4.0: Verification of probabilistic real-time systems. In CAV, volume 6806 of Lecture Notes in Computer Science, pages 585–591. Springer, 2011. doi:10.1007/978-3-642-22110-1_47.
[31] YoungMin Kwon and Gul A. Agha. Verifying the evolution of probability distributions governed by a DTMC. IEEE Trans. Software Eng., 37(1):126–141, 2011. doi:10.1109/TSE.2010.80.
[32] Joël Ouaknine and James Worrell. Decision problems for linear recurrence sequences. In Alain Finkel, Jérôme Leroux, and Igor Potapov, editors, Reachability Problems - 6th International Workshop, RP 2012, Bordeaux, France, September 17-19, 2012. Proceedings, volume 7550 of Lecture Notes in Computer Science, pages 21–28. Springer, 2012. doi:10.1007/978-3-642-33512-9_3.
[33] Stephen Prajna, Ali Jadbabaie, and George J. Pappas. A framework for worst-case and stochastic safety verification using barrier certificates. IEEE Trans. Autom. Control., 52(8):1415–1428, 2007. doi:10.1109/TAC.2007.902736.
[34] Toru Takisaka, Yuichiro Oyabu, Natsuki Urabe, and Ichiro Hasuo. Ranking and repulsing supermartingales for reachability in randomized programs. ACM Trans. Program. Lang. Syst., 43(2):5:1–5:46, 2021. doi:10.1145/3450967.
[35] Dorde Zikelic, Mathias Lechner, Thomas A. Henzinger, and Krishnendu Chatterjee. Learning control policies for stochastic systems with reach-avoid guarantees. In Brian Williams, Yiling Chen, and Jennifer Neville, editors, Thirty-Seventh AAAI Conference on Artificial Intelligence, AAAI 2023, Thirty-Fifth Conference on Innovative Applications of Artificial Intelligence, IAAI 2023, Thirteenth Symposium on Educational Advances in Artificial Intelligence, EAAI 2023, Washington, DC, USA, February 7-14, 2023, pages 11926–11935. AAAI Press, 2023. doi:10.1609/AAAI.V37I10.26407.

[bib.bib1] [1] Alessandro Abate, Mirco Giacobbe, and Diptarko Roy. Stochastic omega-regular verification and control with supermartingales. In Arie Gurfinkel and Vijay Ganesh, editors, Computer Aided Verification - 36th International Conference, CAV 2024, Montreal, QC, Canada, July 24-27, 2024, Proceedings, Part III, volume 14683 of Lecture Notes in Computer Science, pages 395–419. Springer, 2024. doi:10.1007/978-3-031-65633-0_18.

[bib.bib2] [2] Manindra Agrawal, S. Akshay, Blaise Genest, and P. S. Thiagarajan. Approximate verification of the symbolic dynamics of Markov chains. J. ACM, 62(1):2:1–2:34, 2015. doi:10.1145/2629417.

[bib.bib3] [3] S. Akshay, Timos Antonopoulos, Joël Ouaknine, and James Worrell. Reachability problems for Markov chains. Inf. Process. Lett., 115(2):155–158, 2015. doi:10.1016/J.IPL.2014.08.013.

[bib.bib4] [4] S. Akshay, Krishnendu Chatterjee, Tobias Meggendorfer, and Dorde Zikelic. MDPs as distribution transformers: Affine invariant synthesis for safety objectives. In Constantin Enea and Akash Lal, editors, Computer Aided Verification - 35th International Conference, CAV 2023, Paris, France, July 17-22, 2023, Proceedings, Part III, volume 13966 of Lecture Notes in Computer Science, pages 86–112. Springer, 2023. doi:10.1007/978-3-031-37709-9_5.

[bib.bib5] [5] S. Akshay, Krishnendu Chatterjee, Tobias Meggendorfer, and Dorde Zikelic. Certified policy verification and synthesis for MDPs under distributional reach-avoidance properties. In Proceedings of the Thirty-Third International Joint Conference on Artificial Intelligence, IJCAI 2024, Jeju, South Korea, August 3-9, 2024, pages 3–12. ijcai.org, 2024. URL: https://www.ijcai.org/proceedings/2024/1.

[bib.bib6] [6] S. Akshay, Blaise Genest, and Nikhil Vyas. Distribution-based objectives for Markov decision processes. In Anuj Dawar and Erich Grädel, editors, Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018, pages 36–45. ACM, 2018. doi:10.1145/3209108.3209185.

[bib.bib7] [7] Ali Asadi, Krishnendu Chatterjee, Hongfei Fu, Amir Kafshdar Goharshady, and Mohammad Mahdavi. Polynomial reachability witnesses via stellensätze. In Stephen N. Freund and Eran Yahav, editors, PLDI ’21: 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation, Virtual Event, Canada, June 20-25, 2021, pages 772–787. ACM, 2021. doi:10.1145/3453483.3454076.

[bib.bib8] [8] Christel Baier and Joost-Pieter Katoen. Principles of model checking. MIT Press, 2008.

[bib.bib9] [9] Roberto Baldoni, François Bonnet, Alessia Milani, and Michel Raynal. On the solvability of anonymous partial grids exploration by mobile robots. In Theodore P. Baker, Alain Bui, and Sébastien Tixeuil, editors, Principles of Distributed Systems, 12th International Conference, OPODIS 2008, Luxor, Egypt, December 15-18, 2008. Proceedings, volume 5401 of Lecture Notes in Computer Science, pages 428–445. Springer, 2008. doi:10.1007/978-3-540-92221-6_27.

[bib.bib10] [10] Danièle Beauquier, Alexander Moshe Rabinovich, and Anatol Slissenko. A logic of probability with decidable model checking. J. Log. Comput., 16(4):461–487, 2006. doi:10.1093/logcom/exl004.

[bib.bib11] [11] Rohit Chadha, Vijay Anand Korthikanti, Mahesh Viswanathan, Gul Agha, and YoungMin Kwon. Model checking MDPs with a unique compact invariant set of distributions. In Eighth International Conference on Quantitative Evaluation of Systems, QEST 2011, Aachen, Germany, 5-8 September, 2011, pages 121–130. IEEE Computer Society, 2011. doi:10.1109/QEST.2011.22.

[bib.bib12] [12] Aleksandar Chakarov and Sriram Sankaranarayanan. Probabilistic program analysis with martingales. In Natasha Sharygina and Helmut Veith, editors, Computer Aided Verification - 25th International Conference, CAV 2013, Saint Petersburg, Russia, July 13-19, 2013. Proceedings, volume 8044 of Lecture Notes in Computer Science, pages 511–526. Springer, 2013. doi:10.1007/978-3-642-39799-8_34.

[bib.bib13] [13] Krishnendu Chatterjee, Hongfei Fu, and Amir Kafshdar Goharshady. Termination analysis of probabilistic programs through positivstellensatz’s. In CAV (1), volume 9779 of Lecture Notes in Computer Science, pages 3–22. Springer, 2016. doi:10.1007/978-3-319-41528-4_1.

[bib.bib14] [14] Krishnendu Chatterjee, Hongfei Fu, Amir Kafshdar Goharshady, and Ehsan Kafshdar Goharshady. Polynomial invariant generation for non-deterministic recursive programs. In Alastair F. Donaldson and Emina Torlak, editors, Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, PLDI 2020, London, UK, June 15-20, 2020, pages 672–687. ACM, 2020. doi:10.1145/3385412.3385969.

[bib.bib15] [15] Krishnendu Chatterjee, Hongfei Fu, Petr Novotný, and Rouzbeh Hasheminezhad. Algorithmic analysis of qualitative and quantitative termination problems for affine probabilistic programs. TOPLAS, 40(2):7:1–7:45, 2018. doi:10.1145/3174800.

[bib.bib16] [16] Krishnendu Chatterjee, Amir Kafshdar Goharshady, Ehsan Kafshdar Goharshady, Mehrdad Karrabi, Milad Saadat, Maximilian Seeliger, and Đorđe Žikelić. Polyqent: A polynomial quantified entailment solver, 2025. arXiv:2408.03796.

[bib.bib17] [17] Krishnendu Chatterjee, Amir Kafshdar Goharshady, Ehsan Kafshdar Goharshady, Mehrdad Karrabi, and Dorde Zikelic. Sound and complete witnesses for template-based verification of LTL properties on polynomial programs. In André Platzer, Kristin Yvonne Rozier, Matteo Pradella, and Matteo Rossi, editors, Formal Methods - 26th International Symposium, FM 2024, Milan, Italy, September 9-13, 2024, Proceedings, Part I, volume 14933 of Lecture Notes in Computer Science, pages 600–619. Springer, 2024. doi:10.1007/978-3-031-71162-6_31.

[bib.bib18] [18] Krishnendu Chatterjee, Amir Kafshdar Goharshady, Tobias Meggendorfer, and Dorde Zikelic. Sound and complete certificates for quantitative termination analysis of probabilistic programs. In CAV (1), volume 13371 of Lecture Notes in Computer Science, pages 55–78. Springer, 2022. doi:10.1007/978-3-031-13185-1_4.

[bib.bib19] [19] Krishnendu Chatterjee, Petr Novotný, and Đorđe Žikelić. Stochastic invariants for probabilistic termination. In POPL, pages 145–160, 2017. doi:10.1145/3009837.3009873.

[bib.bib20] [20] Alessandro Cimatti, Alberto Griggio, Bastiaan Schaafsma, and Roberto Sebastiani. The MathSAT5 SMT Solver. In Nir Piterman and Scott Smolka, editors, Proceedings of TACAS, volume 7795 of LNCS. Springer, 2013. doi:10.1007/978-3-642-36742-7_7.

[bib.bib21] [21] Michael Colón, Sriram Sankaranarayanan, and Henny Sipma. Linear invariant generation using non-linear constraint solving. In Warren A. Hunt Jr. and Fabio Somenzi, editors, Computer Aided Verification, 15th International Conference, CAV 2003, Boulder, CO, USA, July 8-12, 2003, Proceedings, volume 2725 of Lecture Notes in Computer Science, pages 420–432. Springer, 2003. doi:10.1007/978-3-540-45069-6_39.

[bib.bib22] [22] Michael Colón and Henny Sipma. Synthesis of linear ranking functions. In Tiziana Margaria and Wang Yi, editors, Tools and Algorithms for the Construction and Analysis of Systems, 7th International Conference, TACAS 2001 Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2001 Genova, Italy, April 2-6, 2001, Proceedings, volume 2031 of Lecture Notes in Computer Science, pages 67–81. Springer, 2001. doi:10.1007/3-540-45319-9_6.

[bib.bib23] [23] Leonardo Mendonça de Moura and Nikolaj S. Bjørner. Z3: an efficient SMT solver. In TACAS, volume 4963 of Lecture Notes in Computer Science, pages 337–340. Springer, 2008. doi:10.1007/978-3-540-78800-3_24.

[bib.bib24] [24] Alexandre Duret-Lutz, Etienne Renault, Maximilien Colange, Florian Renkin, Alexandre Gbaguidi Aisse, Philipp Schlehuber-Caissier, Thomas Medioni, Antoine Martin, Jérôme Dubois, Clément Gillard, et al. From spot 2.0 to spot 2.10: What’s new? In International Conference on Computer Aided Verification, pages 174–187. Springer, 2022.

[bib.bib25] [25] Julius Farkas. Theorie der einfachen ungleichungen. Journal für die reine und angewandte Mathematik (Crelles Journal), 1902(124):1–27, 1902.

[bib.bib26] [26] Yulong Gao, Alessandro Abate, Lihua Xie, and Karl Henrik Johansson. Distributional reachability for Markov decision processes: Theory and applications. IEEE Trans. Autom. Control., 69(7):4598–4613, 2024. doi:10.1109/TAC.2023.3341282.

[bib.bib27] [27] David Handelman. Representing polynomials by positive linear functions on compact convex polyhedra. Pacific Journal of Mathematics, 132(1):35–62, 1988.

[bib.bib28] [28] Thomas A. Henzinger, Maria Mateescu, and Verena Wolf. Sliding window abstraction for infinite Markov chains. In Ahmed Bouajjani and Oded Maler, editors, Computer Aided Verification, 21st International Conference, CAV 2009, Grenoble, France, June 26 - July 2, 2009. Proceedings, volume 5643 of Lecture Notes in Computer Science, pages 337–352. Springer, 2009. doi:10.1007/978-3-642-02658-4_27.

[bib.bib29] [29] Vijay Anand Korthikanti, Mahesh Viswanathan, Gul Agha, and YoungMin Kwon. Reasoning about MDPs as transformers of probability distributions. In QEST 2010, Seventh International Conference on the Quantitative Evaluation of Systems, Williamsburg, Virginia, USA, 15-18 September 2010, pages 199–208. IEEE Computer Society, 2010. doi:10.1109/QEST.2010.35.

[bib.bib30] [30] Marta Z. Kwiatkowska, Gethin Norman, and David Parker. PRISM 4.0: Verification of probabilistic real-time systems. In CAV, volume 6806 of Lecture Notes in Computer Science, pages 585–591. Springer, 2011. doi:10.1007/978-3-642-22110-1_47.

[bib.bib31] [31] YoungMin Kwon and Gul A. Agha. Verifying the evolution of probability distributions governed by a DTMC. IEEE Trans. Software Eng., 37(1):126–141, 2011. doi:10.1109/TSE.2010.80.

[bib.bib32] [32] Joël Ouaknine and James Worrell. Decision problems for linear recurrence sequences. In Alain Finkel, Jérôme Leroux, and Igor Potapov, editors, Reachability Problems - 6th International Workshop, RP 2012, Bordeaux, France, September 17-19, 2012. Proceedings, volume 7550 of Lecture Notes in Computer Science, pages 21–28. Springer, 2012. doi:10.1007/978-3-642-33512-9_3.

[bib.bib33] [33] Stephen Prajna, Ali Jadbabaie, and George J. Pappas. A framework for worst-case and stochastic safety verification using barrier certificates. IEEE Trans. Autom. Control., 52(8):1415–1428, 2007. doi:10.1109/TAC.2007.902736.

[bib.bib34] [34] Toru Takisaka, Yuichiro Oyabu, Natsuki Urabe, and Ichiro Hasuo. Ranking and repulsing supermartingales for reachability in randomized programs. ACM Trans. Program. Lang. Syst., 43(2):5:1–5:46, 2021. doi:10.1145/3450967.

[bib.bib35] [35] Dorde Zikelic, Mathias Lechner, Thomas A. Henzinger, and Krishnendu Chatterjee. Learning control policies for stochastic systems with reach-avoid guarantees. In Brian Williams, Yiling Chen, and Jennifer Neville, editors, Thirty-Seventh AAAI Conference on Artificial Intelligence, AAAI 2023, Thirty-Fifth Conference on Innovative Applications of Artificial Intelligence, IAAI 2023, Thirteenth Symposium on Educational Advances in Artificial Intelligence, EAAI 2023, Washington, DC, USA, February 7-14, 2023, pages 11926–11935. AAAI Press, 2023. doi:10.1609/AAAI.V37I10.26407.

Omega-Regular Verification and Control for Distributional Specifications in MDPs

Abstract

Keywords and phrases:

Copyright and License:

2012 ACM Subject Classification:

Funding:

DOI:

Event:

Editors:

Series and Publisher:

1 Introduction

Related work.

2 Preliminaries

MDPs.

Semantics of MDPs.

MDPs as distribution transformers.

𝝎-regular specifications.

Transition systems.

3 Problem Statement

Distributional 𝝎-regular specifications.

Distributionally memoryless strategies.

Problem statement.

Example 1 (Running example).

▶ Remark 2 (Problem hardness).

▶ Remark 3 (Universal and existential satisfaction problems).

▶ Remark 4 (Memoryless vs distributionally memoryless strategies).

4 Certificate for Distributional 𝝎-regular Specifications

4.1 Product Distributional Transition System

Definition 5 (Product distributional transition system).

Example 6.

Proposition 7.

Proof.

4.2 Distributional Certificates

Definition 8 (Distributional certificate).

Theorem 9 (Soundness and completeness).

Proof.

Soundness.

Completeness.

Example 10.

▶ Remark 11 (Distributional certificates for the existential problem).

5 Template-based Strategy Verification and Synthesis with Certificates

Affine distributional certificates and strategies.

Algorithm input.

Algorithm overview.

Step 1: Constructing the PDTS.

Step 2: Fixing templates.

Step 3: Collecting constraints.

Step 4: Constraint solving.

Soundness, relative completeness, complexity.

Theorem 12.

6 Experimental Evaluation

Benchmarks.

Results.

7 Conclusion

References

$\omega$ -regular specifications.

Distributional $\omega$ -regular specifications.

$\blacktriangleright$ Remark 2 (Problem hardness).

$\blacktriangleright$ Remark 3 (Universal and existential satisfaction problems).

$\blacktriangleright$ Remark 4 (Memoryless vs distributionally memoryless strategies).

4 Certificate for Distributional $\omega$ -regular Specifications

$\blacktriangleright$ Remark 11 (Distributional certificates for the existential problem).