
Implementation details

MCMAS-P takes PISPL descriptions as input. PISPL extends ISPL, the MCMAS input language, by closely following the framework of PIIS described in section 3.2. In particular, a PISPL file provides the agent and environment templates, their local states, their asynchronous, agent-environment, role-synchronous, global-synchronous, and multi-role actions, their protocols, and their evolution functions. Figure 7.1 shows the PISPL encoding of the Train-Gate-Controller.

    Template Environment
      Vars:
        state : {PG, NG, R};
      end Vars
      InitStates
        state = PG;
      end InitStates
      Protocol:
        state = PG : {n_lock, p_enter};
        state = NG : {p_lock, n_enter};
        state = R  : {p_exit, n_exit};
      end Protocol
      Evolution:
        state = PG if Action = p_lock or Action = p_exit;
        state = NG if Action = n_lock or Action = n_exit;
        state = R  if Action = p_enter or Action = n_enter;
      end Evolution
    end Template

    Template PTrain
      Vars:
        state : {W, T, A, TL};
      end Vars
      InitStates
        state = W;
      end InitStates
      Actions
        Asynchronous = {p_approach};
        AgentEnvironment = {p_enter, p_exit};
        GlobalSynchronous = {p_lock, n_lock};
      end Actions
      Protocol:
        state = W  : {p_enter};
        state = T  : {p_exit};
        state = A  : {p_approach, n_lock};
        state = TL : {p_lock};
      end Protocol
      Evolution
        state = W  if Action = p_approach;
        state = T  if Action = p_enter;
        state = A  if Action = p_exit or Action = p_lock;
        state = TL if Action = n_lock;
      end Evolution
    end Template

    Template NTrain
      ...
    end Template

    Evaluation
      pt if PTrain.state = T;
      nt if NTrain.state = T;
    end Evaluation

    Formulae (PTrain: {u, v}, Train: {x, y})
      AG(pt(u) -> K(PTrain(u), !pt(v) and !nt(x)) and
         nt(x) -> K(NTrain(x), !nt(y) and !pt(u)));
    end Formulae

Figure 7.1: The PISPL encoding of the Train-Gate-Controller.

Figure 7.2 presents the key steps carried out by the checker. Given a PIIS S = (T, E, V) specified in PISPL and a set Λ of m-indexed ACTLK\X formulae, steps 2-6 are performed automatically by the checker. In the following, we describe these steps.

• In step 2, the PISPL input file is parsed. The declarations of the agent templates and the environment template are stored in temporary structures to be used in the following steps.

• In step 3, the checker determines the appropriate procedure to be invoked. The SFE procedure is used to verify the subclass SFE of PIIS, generated by agent templates defined only on asynchronous and global-synchronous actions. The SGS procedure is used to verify the subclass SGS of PIIS, generated by agent templates defined only on asynchronous, agent-environment, and global-synchronous actions. The SMR procedure is used to verify the subclass SMR of PIIS, generated by agent templates defined only on asynchronous, agent-environment, and multi-role actions. Finally, the PIIS procedure can be used to verify the subclass of PIIS that can always succeed in globally synchronising, as described in chapter 5.

While the SFE procedure implements a complete cutoff technique, the other procedures implement incomplete cutoff techniques, since they require the given PIIS to satisfy certain conditions. The condition of agent-environment simulation enforced by the SGS and SMR techniques is strictly stronger than the condition of gs-simulation enforced by the PIIS technique, i.e., every cutoff detectable by the SGS and SMR techniques is detectable by the PIIS technique. However, the SGS and SMR procedures terminate after performing a polynomial test, whereas the PIIS procedure may never terminate. Therefore, the checker first invokes the SFE procedure if S ∈ SFE. Otherwise, it performs the agent-environment simulation test if S ∈ SGS or S ∈ SMR. With a successful simulation test, the SGS and SMR procedures are called, respectively, for the cutoff calculation. Otherwise, if either the agent-environment simulation test is not successful or S ∉ SGS ∪ SMR, the PIIS procedure is initiated.

Figure 7.2: MCMAS-P architecture. (The figure shows the pipeline 1. Specify a PIIS in PISPL; 2. Parse the input; 3. Determine procedure; 4. Compute the cutoff; 5. Build concrete system; 6. Verify formulas, with steps 5-6 repeated up to c̄, and the outcome "True in the PIIS" or "False in the PIIS".)

• In step 4, MCMAS-P calculates the cutoff c as in Algorithms 2, 3, 4, and 5. In the case of PIIS, the cutoff is identified by searching for a gs-simulation between a concrete system and the abstract system. The SMR procedure computes the cutoff from the action dependency sets and the cardinality of the sets of variables in the specifications to check. The SGS and SFE techniques calculate the cutoff only in terms of the latter.

• In step 5, the concrete system S(m) is built and encoded symbolically using the structures obtained in step 2. In step 6, the specification formulae Λ are reduced to their trivial instantiations Λ[trivial] as in Lemma 3.1. MCMAS is then called to verify S(m) against Λ[trivial]. These steps are repeated for each concrete system up to the cutoff system S(c).

Following the above calculations the user can conclude whether or not a specification holds for any number of agents in the system. In the former case, all systems up to the cutoff system satisfy the specification and MCMAS-P returns true. In the latter case, at least one system up to the cutoff system does not satisfy the specification and MCMAS-P returns false.

7.1.1 Agent-environment simulation test

Instead of explicitly traversing the template transition relations, the agent-environment simulation test is more efficiently performed by utilising the OBDD representation of the templates. In particular, the test for an agent-environment simulation between the agent template T_i and the environment template is performed by checking the system composed of the two templates against a set of formulae expressing that whenever an AE_i action, or a GS action, or an MR_i action is enabled for the agent, the action is also enabled for the environment. This section describes this procedure.

The procedure is based on the assumption that the agent-environment actions, the global-synchronous actions, and the multi-role actions are enabled at exactly one state for the environment template. This allows us to check for an agent-environment simulation between an agent template T_i = (L_i, ι_i, Act_i, P_i, t_i) and the environment template E = (L_E, ι_E, Act_E, P_E, t_E) by model checking the interleaved interpreted system S_i against the set of formulae ∆_i, where S_i and ∆_i are defined as follows.

• S_i = (T_i, E, V_i) is the interleaved interpreted system composed of the agent template T_i
atomic propositions by the valuation function V_i : L_i × L_E → P(AP), where AP = {a_i, a_E | a ∈ AE_i ∪ GS ∪ MR_i}, defined as a_i ∈ V_i((l, l_E)) iff a ∈ P_i(l) and a_E ∈ V_i((l, l_E)) iff a ∈ P_E(l_E). In other words, a global state g ∈ G_i is labelled with a_i (a_E, respectively) if the action a is enabled for the agent template (the environment template, respectively) at g.

• ∆_i = {AG(a_i → a_E) : a ∈ AE_i ∪ GS ∪ MR_i}.

S_i satisfies the formulae in ∆_i iff there is an agent-environment simulation between T_i and E.

Lemma 7.1. T_i ≤_aes E iff ∀δ ∈ ∆_i. S_i |= δ.

Proof.

⇒ Suppose that T_i ≤_aes E. We show that ∀δ ∈ ∆_i. S_i |= δ. Let δ ∈ ∆_i. So, δ = AG(a_i → a_E) for some a ∈ AE_i ∪ GS ∪ MR_i. Let π be an arbitrary path in S_i. Suppose that π(i) |= a_i for some i ≥ 1. Since T_i ≤_aes E, there is an i′ ≤ i with π(i′) →^{A_i*} π(i) and ls_i(π(i′)) ∼_aes ls_E(π(i′)). Therefore, a ∈ P_E(ls_E(π(i′))), as otherwise we would have ls_i(π(i′)) ≁_aes ls_E(π(i′)). So, π(i′) |= a_E; since only asynchronous actions of the agent occur between π(i′) and π(i), the environment's local state is unchanged and therefore π(i) |= a_E. As i was arbitrary, π |= AG(a_i → a_E) follows. As π was arbitrary, S_i |= δ. Therefore, ∀δ ∈ ∆_i. S_i |= δ.

⇐ Suppose that ∀δ ∈ ∆_i. S_i |= δ. We show that T_i ≤_aes E. Let ∼_aes = G_i, the set of reachable global states of S_i. We show that ∼_aes is an agent-environment simulation between T_i and E. Clearly, ι_i ∼_aes ι_E. Let g = (l, l_E) ∈ ∼_aes be arbitrary and suppose that l ⇢^{A_i*} l_1 ⇢^a l_2 for some a ∈ AE_i ∪ GS ∪ MR_i. We need to show that l_E ⇢^a l_E′ for some l_E′ with (l_2, l_E′) ∈ ∼_aes. As l_1 is reachable from l through asynchronous actions, there is a global state g_1 reachable from g with ls_i(g_1) = l_1 and ls_E(g_1) = l_E. Since a ∈ P_i(l_1) and S_i |= AG(a_i → a_E), a ∈ P_E(l_E) follows. As the action a is enabled at g_1, we obtain (l_2, l_E′) ∈ ∼_aes for l_E′ = t_E(l_E, a). Therefore, T_i ≤_aes E as required.

So, T_i ≤_aes E iff S_i satisfies the formulae in ∆_i, for every agent template T_i. This has consider-
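The explicit-state version of this test, written as an added example that is not part of the thesis or of MCMAS-P (which performs it symbolically on OBDDs): the PTrain and Environment templates of Figure 7.1 are transcribed into Python dicts (the dict layout, the empty MultiRole entry and the BROKEN_ENV variant are my own constructions), the reachable global states of S_i = (T_i, E, V_i) are enumerated, and AG(a_i → a_E) is checked for every a ∈ AE_i ∪ GS ∪ MR_i. The classify and choose_procedure functions reproduce, for a single template, the step-3 dispatch described earlier: SFE needs no test, SGS and SMR are used only after a successful simulation test, and the PIIS procedure is the fallback.

```python
from collections import deque

# Agent and environment templates of Figure 7.1, transcribed into dicts.
# "evolution" maps an action to the template's next local state: in the
# figure each action has a single target state, so the source is not needed.
ENV = {
    "init": "PG",
    "protocol": {"PG": {"n_lock", "p_enter"},
                 "NG": {"p_lock", "n_enter"},
                 "R":  {"p_exit", "n_exit"}},
    "evolution": {"p_lock": "PG", "p_exit": "PG",
                  "n_lock": "NG", "n_exit": "NG",
                  "p_enter": "R", "n_enter": "R"},
}

PTRAIN = {
    "init": "W",
    "actions": {"Asynchronous": {"p_approach"},
                "AgentEnvironment": {"p_enter", "p_exit"},
                "GlobalSynchronous": {"p_lock", "n_lock"},
                "MultiRole": set()},          # none in the figure (my addition)
    "protocol": {"W": {"p_enter"}, "T": {"p_exit"},
                 "A": {"p_approach", "n_lock"}, "TL": {"p_lock"}},
    "evolution": {"p_approach": "W", "p_enter": "T",
                  "p_exit": "A", "p_lock": "A", "n_lock": "TL"},
}

# Constructed negative case (not from the thesis): the environment no longer
# offers n_lock in PG, so the agent can enable a GS action the environment
# cannot match, and the simulation test must fail.
BROKEN_ENV = {
    "init": "PG",
    "protocol": {"PG": {"p_enter"},
                 "NG": {"p_lock", "n_enter"},
                 "R":  {"p_exit", "n_exit"}},
    "evolution": dict(ENV["evolution"]),
}

SHARED_KINDS = ("AgentEnvironment", "GlobalSynchronous", "MultiRole")


def classify(agent):
    """Subclass of PIIS generated by the template's action kinds (step 3)."""
    kinds = {k for k, acts in agent["actions"].items() if acts}
    if kinds <= {"Asynchronous", "GlobalSynchronous"}:
        return "SFE"
    if kinds <= {"Asynchronous", "AgentEnvironment", "GlobalSynchronous"}:
        return "SGS"
    if kinds <= {"Asynchronous", "AgentEnvironment", "MultiRole"}:
        return "SMR"
    return "PIIS"


def aes_test(agent, env):
    """Explicit-state agent-environment simulation test.

    Breadth-first exploration of the reachable global states (l, l_E) of
    S_i, checking AG(a_i -> a_E): whenever a shared action a is in P_i(l)
    it must also be in P_E(l_E). Returns (holds, witness, n_states), where
    witness is the first (global_state, action) that falsifies the formula.
    """
    shared = set().union(*(agent["actions"][k] for k in SHARED_KINDS))
    asynchronous = agent["actions"]["Asynchronous"]
    init = (agent["init"], env["init"])
    seen, queue = {init}, deque([init])
    while queue:
        l, le = queue.popleft()
        for a in sorted(agent["protocol"].get(l, ())):
            if a in shared:
                if a not in env["protocol"].get(le, ()):
                    return False, ((l, le), a), len(seen)  # a_i holds, a_E fails
                succ = (agent["evolution"][a], env["evolution"][a])  # joint step
            elif a in asynchronous:
                succ = (agent["evolution"][a], le)  # agent moves alone
            else:
                continue
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return True, None, len(seen)


def choose_procedure(agent, env):
    """Step-3 dispatch for one template: SFE needs no test, SGS/SMR only
    after a successful simulation test, otherwise the PIIS procedure."""
    cls = classify(agent)
    if cls == "SFE":
        return cls
    if cls in ("SGS", "SMR") and aes_test(agent, env)[0]:
        return cls
    return "PIIS"


if __name__ == "__main__":
    print(classify(PTRAIN), aes_test(PTRAIN, ENV), choose_procedure(PTRAIN, ENV))
    print(aes_test(PTRAIN, BROKEN_ENV), choose_procedure(PTRAIN, BROKEN_ENV))
```

On the figure's templates the composed system S_i has four reachable global states and every shared action enabled for PTrain is enabled for the Environment, so the test holds and the SGS procedure is selected; on the constructed environment the test stops at the global state (A, PG) with the action n_lock, which is exactly a reachable state where a_i holds and a_E does not, i.e. a counterexample to the corresponding formula of ∆_i, and the checker falls back to the PIIS procedure.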

Scenario                Procedure   Cutoff   Cutoff (s)   Reachable states   ACTLK\X (s)
Train-Gate-Controller   SGS         (2,2)    0            64                 0
Alpha algorithm         PIIS        3        507          177243             532
Robot foraging          SMR         (2,3)    0            648                0
Autonomous robot        SFE         (2,2)    0            15                 0
MSI                     PIIS        N/A      N/A          108                1
MESI                    PIIS        N/A      N/A          173                2
MOESI                   PIIS        N/A      N/A          216                6

Table 7.1: Verification results for parameterised model checking. The (s) columns report times in seconds.