3.5 Model Checking
3.5.3 For CTLK
We now present a set-theoretic approach to the verification of multi-agent systems. By ⟦ϕ⟧ we denote the set of all states in the structure satisfying the formula ϕ, that is, for a given interpreted system and its set of global states G:
For the set-based algorithms for the temporal-only fragment, we refer the interested reader to [Huth and Ryan, 2004].
3.5.3.1 Model Checking Epistemic Subformulae
For an epistemic subformula, the set of states satisfying K_iϕ can be calculated using Algorithm 1 [Raimondi and Lomuscio, 2005], shown below. The inner call to the procedure SAT_CTLK is a recursive call to a high-level procedure that calculates ⟦ϕ⟧ for all subformulae [Huth and Ryan, 2004]. We note that SAT_K is called by SAT_CTLK at the top level.
Algorithm 1 SAT_K(ϕ : FORMULA, i : AGENT) : set of STATE
1: X ← SAT_CTLK(¬ϕ)
2: Y ← pre_K(X, i)
3: return G \ Y
Algorithm 1 works on the dual of K_i. It starts by finding all states that satisfy ¬ϕ (i.e., the call to SAT_CTLK). It then constructs the epistemic pre-image of these states for the given agent (i.e., pre_K(X, i) returns the set of states Y = {g | ∃g' ∈ X, g ∼_i g'}, such that each state g ∈ Y is epistemically related to at least one state in X). In Algorithm 1, the call to pre_K calculates the set of all states that are epistemically related to a state where ¬ϕ holds. It follows that if a state is epistemically related to a state satisfying ¬ϕ then that state cannot satisfy K_iϕ (i.e., if there exists one related state satisfying ¬ϕ, it cannot be the case that all related states satisfy ϕ). By taking the set difference of the set of all reachable states with this set, we obtain the set of states that are not epistemically related to any state where ¬ϕ holds. As such, this final set, G \ Y, is the set of states where K_iϕ holds (i.e., there is no state in G \ Y that is epistemically related to a state where ¬ϕ holds).
3.5.3.2 MCMAS and ISPL
MCMAS [Lomuscio et al., 2009] is a symbolic model checker for multi-agent systems based on BDDs. We note that BDDs are out of the scope of this thesis and are therefore not covered; we refer the interested reader to [Huth and Ryan, 2004]. Importantly, MCMAS supports a syntax for specifying agents in an interpreted system. This language is called ISPL, the interpreted systems programming language.
Agent definition.
Each agent contains a definition of its local state L_i, actions Act_i, protocol function E_i and evolution function P_i. Intuitively, they are mapped into the following sections of a per-agent definition:
• Vars
The “vars” section is used to define the local states, or variables, of an agent. This entry takes a list of variable definitions; the types that are supported in ISPL are ranged integers, enumeration types and Booleans.
For example, the following defines the local state of an agent containing an enumerated variable state and a ranged integer counter.
    Vars:
      state : {wait, in, away};
      counter : 0..10;
    end Vars
• Actions
The actions definition is simply a declaration of all possible actions that an agent can perform, given as a list.
Below is the definition of an action set for an agent with four actions named accordingly:
    Actions = {enter, leave, return, signal};
• Protocol
The protocol function takes a list of pre-condition guards, specified over the agent’s local state, such that if they hold, the corresponding actions can then be performed. Following the definition of the protocol function P_i, the protocol function in ISPL is non-deterministic, and therefore one guard can have many possible actions.
An example of a protocol block given the two previous definitions can be seen below:
    Protocol:
      state = wait : {signal, enter};
      state = in : {leave};
      state = away : {return};
    end Protocol
• Evolution
The evolution function takes a list of assignments, along with a set of “triggering conditions”. These triggering conditions can be specified over the current local state of the agent, and any actions of any other agent in the system. Unlike the protocol function, the evolution function should be deterministic, and to that end only one line in the evolution function can be enabled at any one instance (i.e., given a unique local state and a global action, the next local state is uniquely defined by a single evolution line).
The following fragment illustrates how the previous parts can be used to define the evolution function:
    Evolution:
      state = in and counter = counter + 1 if
        counter < 10 and state = wait
        and Action = enter
        and Environment.Action = enter_1;

      ...

      state = wait if state = wait
        and (!(Environment.Action = enter_1)
        or Action = signal);
    end Evolution
System-level definition.
Given the definition of an agent as above, the definition of the higher-level interpreted system in ISPL uses the following syntax. We note that the specification of the whole interpreted system needs to support multiple agents, as well as initial states, the valuation function for propositional atoms and the formulae to be evaluated over the system.
• Agent
The set of agents can be given as a list of agents as specified above. Each agent declaration is delimited between Agent name and end Agent.
    Agent Train1
      ...
    end Agent
• InitStates
The initial states of the model are specified as a Boolean expression over the local states of each agent in the system. Multiple initial states can be specified by using disjunction.
    InitStates
      Train1.state = away;
    end InitStates
• Evaluation
Similar to initial states, an evaluation is a Boolean expression stating at which states a propositional formula is satisfied in the model. Any states meeting the Boolean expression of a proposition satisfy that proposition.
    Evaluation
      train1_in_tunnel if Train1.state = in;
    end Evaluation
• Formulae
The formulae block is used to specify the formulae to be evaluated over the reachable states of the model.
    Formulae:
      AG(!train1_in_tunnel or AX(K(Train1, !train1_in_tunnel)));
    end Formulae
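The following Python program is added here as an illustration; it is not part of the thesis or of MCMAS. It runs the set-based procedure of Algorithm 1 (sat_k) together with a small recursive SAT_CTLK over a constructed four-state interpreted system for Train1 and the Environment, and evaluates the Formulae entry above; the global state set, the transitions and which tuple component each agent observes are assumptions made for the example.

```python
# Added example (not from the thesis or MCMAS): explicit-state set-based CTLK checking.
# A global state is a tuple (Train1 local state, Environment local state); the state
# set G, transitions R and labelling ATOMS are constructed toy data for the example.
TRAIN1, ENV = 0, 1                       # agent index = position in the state tuple
G = {("wait", 0), ("in", 1), ("away", 1), ("away", 0)}      # reachable global states
R = {(("wait", 0), ("in", 1)), (("wait", 0), ("wait", 0)),  # constructed transitions
     (("in", 1), ("away", 1)), (("away", 1), ("away", 0)),
     (("away", 0), ("wait", 0))}
ATOMS = {"train1_in_tunnel": lambda g: g[TRAIN1] == "in"}   # the Evaluation entry

def related(g, h, i):
    """g ~_i h: agent i has the same local state in g and h."""
    return g[i] == h[i]

def pre_k(X, i):
    """Epistemic pre-image: Y = {g | exists g' in X with g ~_i g'}."""
    return {g for g in G if any(related(g, h, i) for h in X)}

def pre_e(X):
    """Temporal pre-image: states with at least one successor in X."""
    return {g for (g, h) in R if h in X}

def sat_k(phi, i):
    """Algorithm 1: SAT_K(phi, i) = G \\ pre_K(SAT_CTLK(not phi), i)."""
    X = sat_ctlk(("not", phi))           # states satisfying the negation
    Y = pre_k(X, i)                      # states i cannot tell apart from one of those
    return G - Y

def sat_ctlk(f):
    """Recursive SAT_CTLK over a formula given as a nested tuple."""
    op = f[0]
    if op == "atom":
        return {g for g in G if ATOMS[f[1]](g)}
    if op == "not":
        return G - sat_ctlk(f[1])
    if op == "or":
        return sat_ctlk(f[1]) | sat_ctlk(f[2])
    if op == "K":                        # ("K", agent, phi)
        return sat_k(f[2], f[1])
    if op == "AX":                       # AX phi == not EX not phi
        return G - pre_e(G - sat_ctlk(f[1]))
    if op == "AG":                       # greatest fixpoint of Z = phi and AX Z
        Z, phi = G, sat_ctlk(f[1])
        while (Znext := phi & (G - pre_e(G - Z))) != Z:
            Z = Znext
        return Z
    raise ValueError(f"unknown operator {op}")

# The Formulae entry: AG(!train1_in_tunnel or AX K(Train1, !train1_in_tunnel))
NOT_IN = ("not", ("atom", "train1_in_tunnel"))
SPEC = ("AG", ("or", NOT_IN, ("AX", ("K", TRAIN1, NOT_IN))))
```

Since Train1 observes its own state, sat_k(NOT_IN, TRAIN1) is exactly the set of states outside the tunnel, whereas the Environment, which only sees its flag, knows the train is out of the tunnel in fewer states.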
Chapter 4
Automata-Theoretic Verification for Temporal-Epistemic Logic
In this chapter, we introduce a technique for automata-theoretic verification of multi-agent systems against specifications in a branching-time temporal-epistemic logic. As we will see, the material presented as part of this chapter will be used as an underpinning for the approach put forward in Chapter 5. We demonstrate the effectiveness of the technique itself in Section 6.2.2 as part of the implementation and evaluation chapter (Chapter 6).