Synthesizing Dominant Strategies for Liveness Full Version
2025-05-02
0
0
805.55KB
33 页
10玖币
侵权投诉
Synthesizing Dominant Strategies for Liveness
(Full Version)
Bernd Finkbeiner !
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Noemi Passing !
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Abstract
Reactive synthesis automatically derives a strategy that satisfies a given specification. However,
requiring a strategy to meet the specification in every situation is, in many cases, too hard of a
requirement. Particularly in compositional synthesis of distributed systems, individual winning
strategies for the processes often do not exist. Remorsefree dominance, a weaker notion than winning,
accounts for such situations: dominant strategies are only required to be as good as any alternative
strategy, i.e., they are allowed to violate the specification if no other strategy would have satisfied it
in the same situation. The composition of dominant strategies is only guaranteed to be dominant
for safety properties, though; preventing the use of dominance in compositional synthesis for liveness
specifications. Yet, safety properties are often not expressive enough. In this paper, we thus introduce
a new winning condition for strategies, called delay-dominance, that overcomes this weakness of
remorsefree dominance: we show that it is compositional for many safety and liveness specifications,
enabling a compositional synthesis algorithm based on delay-dominance for general specifications.
Furthermore, we introduce an automaton construction for recognizing delay-dominant strategies and
prove its soundness and completeness. The resulting automaton is of single-exponential size in the
squared length of the specification and can immediately be used for safraless synthesis procedures.
Thus, synthesis of delay-dominant strategies is, as synthesis of winning strategies, in 2EXPTIME.
2012 ACM Subject Classification Theory of computation
Keywords and phrases Dominant Strategies, Compositional Synthesis, Reactive Synthesis
Related Version A conference version of this paper is available at [19].
Funding
This work was supported by DFG grant 389792660 as part of TRR 248 (CPEC) and
by ERC grant 683300 (OSARES). N. Passing is a PhD candidate at Saarland University, Germany.
1 Introduction
Reactive synthesis is the task of automatically deriving a strategy that satisfies a formal
specification, e.g., given in LTL [
32
], in every situation. Such strategies are called winning.
In many cases, however, requiring the strategy to satisfy the specification in every situation is
too hard of a requirement. A prominent example is the compositional synthesis of distributed
systems consisting of several processes. Compositional approaches for distributed synthesis [
27
,
13
,
14
,
15
,
18
] break down the synthesis task for the whole system into several smaller ones for
the individual processes. This is necessary due to the general undecidability [
34
] of distributed
synthesis and the non-elementary complexity [
20
] for decidable cases: non-compositional
distributed synthesis approaches [
22
,
21
] suffer from a severe state space explosion problem
and are thus not feasible for larger systems. However, winning strategies rarely exist when
considering the processes individually in the smaller subtasks of compositional synthesis since
usually the processes need to collaborate in order to achieve the overall system’s correctness.
For instance, a particular input sequence may prevent the satisfaction of the specification
no matter how a single process reacts, yet, the other processes of the system ensure in the
interplay of the whole system that this input sequence will never be produced.
arXiv:2210.01660v2 [cs.LO] 14 Feb 2023
2 Synthesizing Dominant Strategies for Liveness (Full Version)
Remorsefree dominance [
9
], a weaker notion than winning, accounts for such situations.
A dominant strategy is allowed to violate the specification as long as no other strategy would
have satisfied it in the same situation. Hence, a dominant strategy is a best-effort strategy
as we do not blame it for violating the specification if the violation is not its fault. Searching
for dominant strategies rather than winning ones allows us to find strategies that do not
necessarily satisfy the specification in all situations but in all that are realistic in the sense
that they occur in the interplay of the processes if all of them play best-effort strategies.
The parallel composition of dominant strategies, however, is only guaranteed to be domi-
nant for safety properties [
10
]. For liveness specifications, in contrast, dominance is not a
compositional notion and thus not suitable for compositional synthesis. Consider, for example,
a system with two processes
p1
and
p2
sending messages to each other, denoted by atomic
propositions
m1
and
m2
, respectively. Both processes are required to send their message
eventually, i.e.,
ϕ
=
m1∧m2
. For
pi
, it is dominant to wait for the other process to send
the message
m3−i
before sending its own message
mi
: if
p3−i
sends its message eventually,
pi
does so as well, satisfying
ϕ
. If
p3−i
never sends its message,
ϕ
is violated, no matter how
pi
reacts, and thus the violation of
ϕ
is not
pi
’s fault. Combining these strategies for
p1
and
p2
,
however, yields a system that never sends any message since both processes wait indefinitely
for each other, while there clearly exist strategies for the whole system that satisfy ϕ.
Bounded dominance [
10
] is a variant of remorsefree dominance that ensures composition-
ality of general properties. Intuitively, it reduces every specification
ϕ
to a safety property
by introducing a measure of the strategy’s progress with respect to
ϕ
, and by bounding
the number of non-progress steps, i.e., steps in which no progress is made. Yet, bounded
dominance has two major disadvantages: (i) it requires a concrete bound on the number of
non-progress steps, and (ii) not every bounded dominant strategy is dominant: if the bound
n
is chosen too small, every strategy, also a non-dominant one, is trivially n-dominant.
In this paper, we introduce a new winning condition for strategies, called delay-dominance,
that builds upon the ideas of bounded dominance but circumvents the aforementioned
weaknesses. Similar to bounded dominance, it introduces a progress measure on strategies.
However, it does not require a concrete bound on the number of non-progress steps but
relates such steps in the potentially delay-dominant strategy
s
to non-progress steps in an
alternative strategy
t
: intuitively,
s
delay-dominates
t
if, whenever
s
makes a non-progress
step,
t
makes a non-progress step eventually as well. A strategy
s
is then delay-dominant if it
delay-dominates every other strategy
t
. In this way, we ensure that a delay-dominant strategy
satisfies the specification “faster” than all other strategies in all situations in which the
specification can be satisfied. Delay-dominance considers specifications given as alternating
co-Büchi automata. Non-progress steps with respect to the automaton are those that enforce
a visit of a rejecting state in all run trees. We introduce a two-player game, the so-called
delay-dominance game, which is vaguely leaned on the delayed simulation game for alternating
Büchi automata [
24
], to formally define delay-dominance: the winner of the game determines
whether or not a strategy sdelay-dominates a strategy ton a given input sequence.
We (i) show that every delay-dominant strategy is also remorsefree dominant, and (ii) in-
troduce a criterion for automata such that, if the criterion is satisfied, compositionality of
delay-dominance is guaranteed. The criterion is satisfied for many automata; both ones
describing safety properties and ones describing liveness properties. Thus, delay-dominance
overcomes the weaknesses of both remorsefree and bounded dominance. Note that since
delay-dominance relies, as bounded dominance, on the automaton structure, there are realiz-
able specifications for which no delay-dominant strategy exists. Yet, we experienced that
this rarely occurs in practice when constructing the automaton from an LTL formula with
standard algorithms. Moreover, if a delay-dominant strategy exists, it is guaranteed to be
winning if the specification is realizable. Hence, the parallel composition of delay-dominant
B. Finkbeiner and N. Passing 3
strategies for all processes in a distributed system is winning for the whole system as long
as the specification is realizable and as long as the compositionality criterion is satisfied.
Therefore, delay-dominance is a suitable notion for compositional synthesis.
We thus introduce a synthesis approach for delay-dominant strategies that immediately
enables a compositional synthesis algorithm for distributed systems, namely synthesizing
delay-dominant strategies for the processes separately. We present the construction of a
universal co-Büchi automaton
Add
Aϕ
from an LTL formula
ϕ
that recognizes delay-dominant
strategies.
Add
Aϕ
can immediately be used for safraless synthesis [
28
] approaches such as
bounded synthesis [
22
] to synthesize delay-dominant strategies. We show that the size of
Add
Aϕ
is single-exponential in the squared length of
ϕ
. Thus, synthesis of delay-dominant strategies
is, similar to synthesis of winning or remorsefree dominant strategies, in 2EXPTIME.
Related Work.
Remorsefree dominance has first been introduced for reactive synthesis in [
9
].
Dominant strategies have been utilized for compositional synthesis of safety properties [10].
Building up on this work, a compositional synthesis algorithm, that finds solutions in more
cases by incrementally synthesizing individual dominant strategies, has been developed [
16
].
Both algorithms suffer from the non-compositionality of dominant strategies for liveness
properties. Bounded dominance [
10
], a variant of dominance that introduces a bound on the
number of steps in which a strategy does not make progress with respect to the specification,
solves this problem. However, it requires a concrete bound on the number of non-progress
steps. Moreover, a bounded dominant strategy is not necessarily dominant.
Good-enough synthesis [
1
,
29
] follows a similar idea as dominance. It is thus not composi-
tional for liveness properties either. In good-enough synthesis, conjuncts of the specification
can be marked as strong. If the specification is unrealizable, a good-enough strategy needs
to satisfy the strong conjuncts while it may violate the other ones. Thus, dominance can
be seen as the special case of good-enough synthesis in which no conjuncts are marked as
strong. Good-enough synthesis can be extended to a multi-valued correctness notion [1].
Synthesis under environment assumptions is a well-studied problem that also aims at
relaxing the requirements on a strategy. There, explicit assumptions on the environment are
added to the specification. These assumptions can be LTL formulas restricting the possible
input sequences (see, e.g., [
7
,
5
]) or environment strategies (see, e.g., [
2
,
3
,
17
,
18
]). The
assumptions can also be conceptual such as assuming that the environment is rational (see,
e.g., [
23
,
26
,
6
,
8
]). Synthesis under environment assumptions is orthogonal to the synthesis
of dominant strategies and good-enough synthesis since it requires an explicit assumption on
the environment, while the latter two approaches rely on implicit assumptions.
2 Preliminaries
Notation.
Given an infinite word
σ
=
σ0σ1. . . ∈
(2
Σ
)
ω
, we denote the prefix of length
t
+ 1
of
σ
with
σ|t
:=
σ0. . . σt
. For
σ
and a set
X⊆
Σ, let
σ∩X
:= (
σ0∩X
)(
σ1∩X
)
. . . ∈
(2
X
)
ω
.
For
σ∈
(2
Σ
)
ω
,
σ0∈
(2
Σ0
)
ω
with Σ
∩
Σ
0
=
∅
, we define
σ∪σ0
:= (
σ0∪σ0
0
)(
σ1∪σ0
1
)
. . . ∈
(2
Σ∪Σ0
)
ω
.
For a
k
-tuple
a
, we denote the
j
-th component of
a
with
j
(
a
). We represent a Boolean formula
WiVjci,j in disjunctive normal form (DNF) also in its set notation Si{Sj{ci,j }}.
LTL.
Linear-time temporal logic (LTL) [
32
] is a standard specification language for linear-
time properties. Let Σbe a finite set of atomic propositions and let
a∈
Σ. The syntax
of LTL is given by
ϕ, ψ
::=
a| ¬ϕ|ϕ∨ψ|ϕ∧ψ|ϕ|ϕUψ
. We define
true
=
a∨ ¬a
,
false
=
¬true
,
ϕ
=
true Uϕ
, and
ϕ
=
¬ ¬ϕ
as usual. We use the standard semantics.
The language L(ϕ)of an LTL formula ϕis the set of infinite words that satisfy ϕ.
4 Synthesizing Dominant Strategies for Liveness (Full Version)
Non-Alternating ω-Automata.
Given a finite alphabet Σ, a Büchi (resp. co-Büchi) au-
tomaton
A
= (
Q, Q0, δ, F
)over Σconsists of a finite set of states
Q
, an initial state
q0∈Q
,
a transition relation
δ
:
Q×
2
Σ×Q
, and a set of accepting (resp. rejecting) states
F⊆Q
.
For an infinite word
σ
=
σ0σ1. . . ∈
(2
Σ
)
ω
, a run of
A
induced by
σ
is an infinite sequence
q0q1. . . ∈Qω
of states with (
qi, σi, qi+1
)
∈δ
for all
i≥
0. A run is accepting if it contains
infinitely many accepting states (resp. only finitely many rejecting states). A nondeterministic
(resp. universal) automaton
A
accepts a word
σ
if some run is accepting (resp. all runs
are accepting). The language
L
(
A
)of
A
is the set of all accepted words. We consider
nondeterministic Büchi automata (NBAs) and universal co-Büchi automata (UCAs).
Alternating ω-Automata.
An alternating Büchi (resp. co-Büchi) automaton (ABA resp.
ACA)
A
= (
Q, q0, δ, F
)over a finite alphabet Σconsists of a finite set of states
Q
, an initial
state q0⊆Q, a transition function δ:Q×2Σ→B+(Q), where B+(Q)is the set of positive
Boolean formulas over
Q
, and a set of accepting (resp. rejecting) states
F⊆Q
. We assume
that the elements of
B+
(
Q
)are given in DNF. Runs of
A
are
Q
-labeled trees: a tree
T
is a
prefix-closed subset of N∗
. The children of a node x∈ T are c(x) = {x·d∈ T | d∈N}. An
X
-labeled tree (
T, `
)consists of a tree
T
and a labeling function
`
:
T → X
. A branch of
(
T, `
)is a maximal sequence
`
(
x0
)
`
(
x1
)
. . .
with
x0
=
ε
and
xi+1 ∈c
(
xi
)for
i≥
0. A run
tree of
A
induced by
σ∈
(2
Σ
)
ω
is a
Q
-labeled tree (
T, `
)with
`
(
ε
) =
q0
and, for all
x∈ T
,
{`
(
x0
)
|x0∈c
(
x
)
} ∈ δ
(
`
(
x
)
, σ|x|
). A run tree is accepting if every infinite branch contains
infinitely many accepting states (resp. only finitely many rejecting states).
A
accepts
σ
if
there is some accepting run tree. The language L(A)of Ais the set of all accepted words.
Two-Player Games.
An arena is a tuple
A
= (
V, V0, V1, v0, E
), where
V
,
V0
,
V1
are finite
sets of positions with
V
=
V0∪V1
and
V0∩V1
=
∅
,
v0∈V
is the initial position,
E⊆V×V
is a set of edges such that
∀v∈V. ∃v0∈V.
(
v, v0
)
∈E
. Player
i
controls positions in
Vi
. A
game
G
= (
A, W
)consists of an arena
A
and a winning condition
W⊆Vω
. A play is an
infinite sequence
ρ∈Vω
such that (
ρi, ρi+1
)
∈E
for all
i∈N
. The player owning a position
chooses the edge on which the play is continued. A play
ρ
is initial if
ρ0
=
v0
holds. It is
winning for Player 0 if
ρ∈W
and winning for Player 1 otherwise. A strategy for Player
i
is a
function
τ
:
V∗Vi→V
such that (
v, v0
)
∈E
whenever
τ
(
w, v
) =
v0
for some
w∈V∗
,
v∈Vi
.
A play
ρ
is consistent with a strategy
τ
if, for all
j∈N
,
ρj∈Vi
implies
ρj+1
=
τ
(
ρ|j
). A
strategy for Player iis winning if all initial and consistent plays are winning for Player i.
System Architectures.
An architecture is a tuple
A
= (
P,
Σ
,inp,out
), where
P
is a set of
processes consisting of the environment
env
and a set
P−
=
P\{env}
of
n
system processes, Σ
is a set of Boolean variables,
inp
=
hI1, . . . , Ini
assigns a set
Ij⊆
Σof input variables to
each
pj∈P−
, and
out
=
hOenv, O1,...Oni
assigns a set
Oj⊆
Σof output variables to each
pj∈P
. For all
pj, pk∈P−
with
j6
=
k
,
Ij∩Oj
=
∅
and
Oj∩Ok
=
∅
hold. The variables
Σj
of
pj∈P−
are given by
Σj
=
Ij∪Oj
. The inputs
I
, outputs
O
, and variables Σof the whole
system are defined by
X
=
Spj∈P−Xj
for
X∈ {I, O,
Σ
}
.
A
is called distributed if
|P−
| ≥
2.
In the remainder of this paper, we assume that a distributed architecture is given.
Process Strategies.
A strategy for process
pi
is a function
si
: (2
Ii
)
∗→
2
Oi
mapping a
history of inputs to outputs. We model sias a Moore machine Mi= (T, t0, τ, o)consisting
of a finite set of states
T
, an initial state
t0∈T
, a transition function
τ
:
T×
2
Ii→T
,
and a labeling function
o
:
T→
2
Oi
. For a sequence
γ
=
γ0γ1. . . ∈
(2
Ii
)
ω
,
Mi
produces a
path (
t0, γ0∪o
(
t0
))(
t1, γ1∪o
(
t1
))
. . . ∈
(
T×
2
Ii∪Oi
)
ω
, where
τ
(
tj, γj
) =
tj+1
. The projection
B. Finkbeiner and N. Passing 5
of a path to the variables is called a trace. The trace produced by
Mi
on
γ∈
(2
Ii
)
ω
is
called the computation of
si
on
γ
, denoted
comp
(
si, γ
). We say that
si
is winning for an
LTL formula
ϕ
, denoted
si|
=
ϕ
, if
comp
(
si, γ
)
|
=
ϕ
holds for all input sequences
γ∈
(2
Ii
)
ω
.
Overloading notation with two-player games, we call a process strategy simply a strategy
whenever the context is clear. The parallel composition
Mi|| Mj
of two Moore machines
Mi
= (
Ti, ti
0, τi, oi
),
Mj
= (
Tj, tj
0, τj, oj
)for
pi, pj∈P−
is the Moore machine (
T, t0, τ, o
)
with inputs (
Ii∪Ij
)
\
(
Oi∪Oj
)and outputs
Oi∪Oj
as well as
T
=
Ti×Tj
,
t0
= (
ti
0, tj
0
),
τ((t, t0), ι)=(τi(t, (ι∪oj(t0)) ∩Ii), τj(t0,(ι∪oi(t)) ∩Ij)), and o((t, t0)) = oi(t)∪oj(t0).
Synthesis.
Given a specification
ϕ
, synthesis derives strategies
s1, . . . , sn
for the system
processes such that
s1|| · · · || sn|
=
ϕ
, i.e., such that the parallel composition of the strategies
satisfies
ϕ
for all input sequences generated by the environment. If such strategies exist,
ϕ
is
called realizable. Bounded synthesis [
22
] additionally bounds the size of the strategies. The
search for strategies is encoded into a constraint system that is satisfiable if, and only if,
ϕ
is
realizable for the size bound. There are SMT, SAT, QBF, and DQBF encodings [
22
,
11
,
4
].
We consider a compositional synthesis approach that synthesizes strategies for the processes
separately. Thus, outputs produced by the other system processes are treated similar to
the environment outputs, namely as part of the input sequence of the considered process.
Nevertheless, compositional synthesis derives strategies such that
s1|| · · · || sn|
=
ϕ
holds.
3 Dominant Strategies and Liveness Properties
Given a specification
ϕ
, the naïve compositional synthesis approach is to synthesize strategies
s1, . . . , sn
for the system processes such that
si|
=
ϕ
holds for all
pi∈P−
. Then, it follows
immediately that
s1|| · · · || sn|
=
ϕ
holds as well. However, since winning strategies are
required to satisfy
ϕ
for every input sequence, usually no such individual winning strategies
exist due to complex interconnections in the system. Therefore, the naïve approach fails in
many cases. The notion of remorsefree dominance [
9
], in contrast, has been successfully used
in compositional synthesis [
10
,
16
]. The main idea is to synthesize dominant strategies for
the system processes separately instead of winning ones. Dominant strategies are, in contrast
to winning strategies, allowed to violate the specification for some input sequence if no other
strategy would have satisfied it in the same situation. Thus, remorsefree dominance is a
weaker requirement than winning and therefore individual dominant strategies exist for more
systems. Formally, remorsefree dominant strategies are defined as follows:
IDefinition 1
(Dominant Strategy [
10
])
.
Let
ϕ
be an LTL formula. Let
s
and
t
be strategies
for process
pi
. Then,
t
is dominated by
s
, denoted
ts
, if for all input sequences
γ∈
(2
Ii
)
ω
either
comp
(
s, γ
)
|
=
ϕ
or
comp
(
t, γ
)
6|
=
ϕ
holds. Strategy
s
is called dominant for
ϕ
if
ts
holds for all strategies tfor process pi.
Intuitively, a strategy
s
dominates a strategy
t
if it is at least as good as
t
. It is dominant
for
ϕ
if it is at least as good as every other possible strategy and thus if it is as good as
possible. As an example, reconsider the message sending system. Let
si
be a strategy for
process
pi
that outputs
mi
in the very first step. It satisfies
ϕ
=
m1∧m2
on all input
sequences containing at least one
m3−i
. On all other input sequences, it violates
ϕ
. Let
ti
be some alternative strategy. Since no strategy for
pi
can influence
m3−i
,
ti
satisfies
ϕ
only
on input sequences containing at least one
m3−i
. Yet,
si
satisfies
ϕ
for such sequences as
well. Hence, sidominates tiand since we chose tiarbitrarily, siis dominant for ϕ.
摘要:
展开>>
收起<<
SynthesizingDominantStrategiesforLiveness(FullVersion)BerndFinkbeiner!CISPAHelmholtzCenterforInformationSecurity,Saarbrücken,GermanyNoemiPassing!CISPAHelmholtzCenterforInformationSecurity,Saarbrücken,GermanyAbstractReactivesynthesisautomaticallyderivesastrategythatsatis esagivenspeci cation.However,...
声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!
相关推荐
-
架构演进:小米的经验分享VIP免费
2025-03-31 5 -
Massive particle interferometry with lattice solitons Piero Naldesi1Juan Polo2Peter D Drummond3Vanja Dunjko4Luigi Amico2Anna Minguzzi5and Maxim Olshanii4 1Université Grenoble-Alpes LPMMC F-38000 Grenoble
2025-05-02 0 -
Averaged Solar Torque Rotational Dynamics for Defunct Satellites Conor J. Bensonand Daniel J. Scheeres
2025-05-02 0 -
Preprint MASS M ULTI -ATTRIBUTE SELECTIVE SUPPRESSION Chun-Fu Richard Chen1 Shaohan Hu1 Zhonghao Shi12 Prateek Gulati13
2025-05-02 0 -
Preprint IN-CONTEXT REINFORCEMENT LEARNING WITH ALGORITHM DISTILLATION
2025-05-02 0 -
Portfolio optimization with discrete simulated annealing Álvaro Rubio-García1Juan José García-Ripoll1and Diego Porras1 1Instituto de Física Fundamental IFF-CSIC Serrano 113 28006 Madrid Spain
2025-05-02 1 -
Polynomial Equations Theory and Practice Simon Telen Abstract Solvingpolynomialequationsisasubtaskofpolynomialoptimization.This
2025-05-02 0 -
Polarization Spectroscopy of High-Order Harmonic Generation in Gallium Arsenide SHATHA KAASSAMANI1 THIERRY AUGUSTE1 NICOLAS
2025-05-02 0 -
Phase diagrams of lattice models on Cayley tree and chandelier network a review
2025-05-02 3 -
Performance of Quantum Preprocessing under Phase Noise Zuhra Amiri Boulat A. Bashy Janis N otzel
2025-05-02 1
分类:图书资源
价格:10玖币
属性:33 页
大小:805.55KB
格式:PDF
时间:2025-05-02
作者详情
相关内容
-
Portfolio optimization with discrete simulated annealing Álvaro Rubio-García1Juan José García-Ripoll1and Diego Porras1 1Instituto de Física Fundamental IFF-CSIC Serrano 113 28006 Madrid Spain
分类:图书资源
时间:2025-05-02
标签:无
格式:PDF
价格:10 玖币
-
Polynomial Equations Theory and Practice Simon Telen Abstract Solvingpolynomialequationsisasubtaskofpolynomialoptimization.This
分类:图书资源
时间:2025-05-02
标签:无
格式:PDF
价格:10 玖币
-
Polarization Spectroscopy of High-Order Harmonic Generation in Gallium Arsenide SHATHA KAASSAMANI1 THIERRY AUGUSTE1 NICOLAS
分类:图书资源
时间:2025-05-02
标签:无
格式:PDF
价格:10 玖币
-
Phase diagrams of lattice models on Cayley tree and chandelier network a review
分类:图书资源
时间:2025-05-02
标签:无
格式:PDF
价格:10 玖币
-
Performance of Quantum Preprocessing under Phase Noise Zuhra Amiri Boulat A. Bashy Janis N otzel
分类:图书资源
时间:2025-05-02
标签:无
格式:PDF
价格:10 玖币
渝公网安备50010702506394
