
starting at the world w1 from Figure 4.1. While this sub-tree contains 13 nodes, the full product automaton contains 31 nodes and has been omitted for brevity.

[Figure 4.3: a tree of product-automaton nodes, each labelled by the world w1 paired with a sub-formula of ϕ (among the recoverable labels are “w1, C(K2(p))”, “w1, K2(p) ∧ C(K2(p))”, “w1, K2(p)”, “w1, p ∧ K2(p)”, “w1, p” and the rejecting leaf “w1, false”), with ∧ and ∨ branching; the remaining labels are garbled in the extracted text.]

Fig. 4.3. A sub-tree of the automaton AP,ϕ

Branches that reach a recurring node (e.g., the node “w1, K2(p)”, which occurs twice in Figure 4.3) are underlined. The nodes that appear between the first and second occurrence of a recurring node make a path in the tree that is subsequently checked against the acceptance condition. For example, the set of states that occur infinitely often between the first and second occurrence of the node “w1, K2(p)” is {“w1, K2(p)”, “w1, p ∧ K2(p)”}. This path is accepted, as the intersection of this path with the accepting states $F = \{\varphi,\ C_{\{1,2\}} K_2 p,\ K_2 p\}$ of the formula ϕ is non-empty. Furthermore, by the weakness partition of AP,ϕ, we have that w1, K2(p) ∈ S × F, and therefore it follows that the node w1, K2(p) is accepting.
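The loop check just described, as an added example that is not code from the thesis: product-automaton nodes are (world, sub-formula) pairs, a branch is unwound until a node recurs, and the nodes between the two occurrences are intersected with the accepting formulas. The successor relations, the string names of the sub-formulas and the accepting sets below are constructed to mirror the branch of Figure 4.3 (plus a constructed until-loop that must be rejected); they do not reproduce the full 31-node automaton.

```python
# Added example, not code from the thesis: a loop check for one branch of
# the product automaton A_{P,phi} in the spirit of Figure 4.3. Nodes are
# (world, sub-formula) pairs written as strings; the edges, formula names
# and accepting sets are constructed for this illustration only.
from typing import Dict, List, Set, Tuple

Node = Tuple[str, str]  # (world, sub-formula)
Edges = Dict[Node, List[Node]]

# Constructed branch modelled on Figure 4.3: the C(K2(p)) loop at world w1.
FIG_4_3: Edges = {
    ("w1", "C(K2(p))"): [("w1", "K2(p) ∧ C(K2(p))")],
    ("w1", "K2(p) ∧ C(K2(p))"): [("w1", "K2(p)"), ("w1", "C(K2(p))")],
    ("w1", "K2(p)"): [("w1", "p ∧ K2(p)")],
    ("w1", "p ∧ K2(p)"): [("w1", "p"), ("w1", "K2(p)")],
    ("w1", "p"): [],  # leaf: the proposition is checked directly at w1
}
# F restricted to the sub-formulas above: the greatest-fixpoint knowledge
# formulas are accepting, the bare proposition is not.
F_FIG_4_3: Set[str] = {"C(K2(p))", "K2(p)"}

# Constructed counter-example: a branch looping through an until formula
# (a least fixpoint, never in F), so its loop must be rejected.
UNTIL_LOOP: Edges = {
    ("w1", "A(true U q)"): [("w1", "AX A(true U q)")],
    ("w1", "AX A(true U q)"): [("w1", "A(true U q)")],
}
F_UNTIL: Set[str] = set()


def loop_accepted(loop: List[Node], accepting: Set[str]) -> bool:
    """The nodes on a loop recur infinitely often along that branch; the
    branch is accepted iff at least one of them carries a formula in F."""
    return any(formula in accepting for _, formula in loop)


def check_branches(start: Node, edges: Edges,
                   accepting: Set[str]) -> Dict[Node, Tuple[List[Node], bool]]:
    """Unwind every branch from `start`. When a node recurs on the current
    path, the nodes between its two occurrences form the loop checked
    against F. Returns {recurring node: (loop, accepted)}."""
    results: Dict[Node, Tuple[List[Node], bool]] = {}

    def dfs(node: Node, path: List[Node]) -> None:
        if node in path:  # recurring node: close the loop, stop unwinding
            loop = path[path.index(node):]
            results[node] = (loop, loop_accepted(loop, accepting))
            return
        for succ in edges.get(node, []):
            dfs(succ, path + [node])

    dfs(start, [])
    return results
```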

4.6 Concluding Remarks

In this chapter we have presented an automata-theoretic methodology for verifying multi-agent systems against specifications in temporal-epistemic logic. Although automata form the underlying building blocks of considerable work in model checking for reactive systems, surprisingly they have not been employed for epistemic specifications yet.

To achieve this, we extended the relevant notions of automata and provided a sound translation from the logic CTLK into automata, thereby providing a model checking algorithm.

The translation from CTLK to alternating automata as presented in this chapter is an extension of the alternating automata framework as proposed by Kupferman et al. [Kupferman et al., 2000]. The extension here was in supporting multiple directions and therefore being able to support multi-modal logics (such as CTLK).

The automata-theoretic approach proposed here is not a golden bullet in the verification of multi-agent systems. For the so-called existential fragment of CTLK [Penczek and Lomuscio, 2003a], the approach presented could provide a fruitful avenue for on-the-fly model checking [Gerth et al., 1996]. Under such a framework, only the parts of the system necessary to demonstrate the satisfaction of the formula are explored; space savings could be made by avoiding parts of the model unnecessary for demonstrating the validity of the formula.

In this chapter, we presented the first approach for model checking multi-agent systems against branching-time temporal-epistemic properties using automata. Unlike the well-established approaches for linear-time temporal-only formulae, our approach uses tree automata rather than word automata. We demonstrated how it is possible to unwind an interpreted system into a tree, such that the language of this tree is accepted by a tree automaton for the formula iff the original interpreted system satisfies the formula. Later, in Chapter 6, we demonstrate an implementation of this technique on standard examples from the literature.

In the next chapter (Chapter 5) we suitably extend the framework presented so far to support a method of modular reasoning for multi-agent systems.

Chapter 5

Compositional Verification for Multi-Agent Systems

In this chapter, we demonstrate that new and potentially efficient verification approaches can have a fundamental underpinning in the automata-theoretic approach that Chapter 4 introduced. We introduce a method for verifying an agent in isolation against an agent-local formula, without considering the composition of the agent with the rest of the system. By encoding information about the rest of the system into a linear-time formula, the automata-theoretic approach can then disregard paths in the abstract composition using an extended acceptance condition. Later, in Chapter 6, we present an implementation of the technique, and compare its efficiency against the state-of-the-art in MAS-based model checking (mcmas-1.0 [Lomuscio et al., 2009], Section 3.5.3.2) and an implementation of the approach from Chapter 4.

5.1 Introduction

The family of techniques classed as “compositional reasoning” allows for the verification of a system in a “divide-and-conquer” manner, avoiding the construction of the system’s full composition. One such compositional technique is assume-guarantee reasoning [de Roever et al., 1998]. In this paradigm, components are verified against a specification (the “guarantee”) under the premise that the rest of the system satisfies another property (the “assumption”). As of yet, little work has been done to apply either compositional methods or assume-guarantee reasoning to the verification of multi-agent systems.

Despite the lack of attention paid to compositional reasoning for multi-agent systems, they present an ideal setting for divide-and-conquer model checking. Individual agents are often designed to act in an autonomous manner to achieve their design goals by interacting with their environment. Hence the ability to specify properties of a single agent is desirable, e.g., that it meets its individual design goals. However, with current techniques, reasoning about the behaviour of an individual agent requires the costly calculation of the transition relation and of the reachable states for all of the agents in the system. This leads to the infamous state-space explosion problem, where the number of states in the composed system is exponential in the number of agents. Consequently, the ability to reason about the mentalistic evolution of an individual agent in a situated environment is clearly beneficial.

The seminal work of Vardi [Vardi, 1995] advocates that for assume-guarantee reasoning, as the assumption in an assume-guarantee pair is a specification over all the interactions between a component and its environment, the assumption is naturally expressed as a linear-time formula. Furthermore, Vardi also suggests [Vardi, 1995] that the guarantee should be specified as a universal branching-time formula, in order to state properties of all computations and not the existence of a particular computation.

Most approaches to assume-guarantee reasoning look at components that use variables to communicate, or labelled transition systems that use synchronisation over common actions. This has given rise to two orthogonal approaches to the assume-guarantee problem: those focused on communication variables [Nam and Alur, 2006] and those focused on shared actions [Cobleigh et al., 2003].

However, in agent-based systems it is common to design agents that communicate via the observation of global actions [Fagin et al., 1995] (in the reactive systems literature, this is referred to as “rendezvous communication”, and is a similar communication model to that used in networks of automata), while their specifications are usually state-based.

In this setting, each agent can perform a set of actions that may be entirely distinct from every other agent in the system, and there is no notion of forced synchronisation over common actions. As such, synchronisation occurs by agents observing actions that are performed by other members of the system. Consequently, we present a compositional approach that relies upon the temporal specification of all valid interactions to determine—without constructing the composition of all of the agents—if a state-based branching-time temporal-epistemic formula is valid for an individual agent. Therefore, in an agent-based setting for assume-guarantee reasoning we use linear-time assumptions, specified over actions, and branching-time guarantees, specified over state-based propositions.

Our approach can be likened to a hybrid approach between module checking [Kupferman et al., 2001; Basu et al., 2007] and assume-guarantee reasoning. Unlike assume-guarantee reasoning, module checking allows for the verification of properties of open systems. In an open systems interpretation, a component A satisfies a requirement ϕ (written $A \models_O \varphi$) if it satisfies the requirement when composed with all possible environments. Module checking can be summarised as below [Basu et al., 2007]:


where E represents a possible environment that A can be situated in, $\parallel$ denotes synchronous composition and $\models_O$ is “open satisfaction”.

In the approach we present, we look at a variant of module checking under guarantees. That is,

$$A \models_{\psi} \varphi \quad \text{iff} \quad \forall E\,\big(E \models \psi \text{ implies } A \parallel E \models \varphi\big)$$

where $\models_{\psi} \varphi$ denotes the satisfaction of the guarantee ϕ with respect to the assumption ψ. We can then use inference rules to reason about the satisfaction of each agent’s specifications in a global composition.

To verify an individual agent against a temporal-epistemic guarantee and w.r.t. a linear-time assumption, we extend the automata-theoretic approach of Vardi [Vardi, 1995]. In the approach we present, the validity of the guarantee in a given component is reduced to checking the non-emptiness of a tree automaton representing the product of the assumption (translated to a Rabin automaton), the guarantee (represented as a tree automaton) and the tree unwinding of the agent. The approach is sound: a positive result for the compositional approach is preserved in the full composition.

It is worth observing that the approach proposed does not check the composition of the agent with all possible environments satisfying the assumption. Furthermore, using an extension to the automata-theoretic approach proposed in Chapter 4, we compose the agent with an environment likened to a tableau or maximal model for the formula. To this end, we only verify the agent against one composition, but take the assumption into consideration when performing the verification of the guarantee.

Overall approach.

We now outline the high-level approach:

• The user identifies an action-based specification ϕ that can suitably abstract the environment of a given component

• The user then verifies the environment against this specification

• If the verification succeeds, the user then verifies the component “under test” against its own state-based requirements (e.g., ψ), but in the context of ϕ rather than the environment itself

• Should the verification of the component succeed, it can be inferred that the composition of the component and its environment satisfies both ψ and ϕ

To support this, we introduce a modular framework for individual agents (IDIS, Section 5.2.1), a method to suitably verify agents in isolation (universal environments, Section 5.3.1) and a way to verify an agent and a specification in the context of an environmental assumption property (property closure environments, Section 5.3.2.1).

The rest of this chapter is structured as follows. In the following section, Section 5.2, we present the necessary preliminaries for our technique; Section 5.3 introduces a method and semantics for verifying assumptions and guarantees; Section 5.4 proposes a novel approach for verifying assume-guarantee rules using alternating automata; Section 5.5 builds on these three sections to introduce our sound approach for reasoning about assume-guarantee rules; and finally, in Section 5.6, we conclude the chapter.