
Symbolic algorithms

In document Arrows for knowledge based circuits (Page 137-141)

We construct the automata representing kTests using a DFS as shown in Figure 3.4 on page 37. The equivalence classes of sets of system states (§3.6.4) are represented symbolically by Boolean decision diagrams (BDDs), which we discussed in §2.3.2. These provide canonical representations of Boolean functions, allowing the equality of two equivalence classes to be tested in O(1) time. This is potentially more efficient than the ordered lists we used throughout §3.7, provided the BDDs are of tractable size.

The DFS also requires us to track the equivalence classes we have visited, and to provide finite maps that represent the automata under construction. We do this explicitly, as there is no obvious way to maintain sets of sets of system states symbolically without using exponentially many more BDD variables. We use the BDD handles (addresses) as keys in our automaton maps, and use a sparse representation – an association list – for the automata being constructed.

The pipeline for the construction process is shown in Figure 6.1. The circuit translation for Kesterel was discussed in §5.5, and the constructivity analysis in §5.4.3. We add the generated automata to the model by numbering their states and encoding their transition relations as BDDs, which we combine with the system's transition relation using a standard synchronous parallel composition (Clarke et al. 1999). This has the effect of defining the kTest BDD variables mentioned in §6.1.

[Figure 6.1: pipeline diagram. Stage labels recoverable from the figure: ADHOC, Kesterel, Circuit Translation, Constructivity Checking, Model M, KBP Construction, Automata A, Bisimulation Reduction, STAMINA Analysis, Add to M, M0, graphviz.]

Figure 6.1: The pipeline for constructing implementations of KBPs. The symbolic model M is derived from an ADHOC or Kesterel description, and the automata A constructed using the algorithms of §6.2. The model M0 is their composition. The minimisation steps are optional.

The following sections describe the specific algorithms for constructing implementations of KBPs for each of the cases of §3.7. We continue the discussion we began in §3.8 about reducing the generated automata in §6.2.4, and conclude the chapter with a series of examples.

6.2.1 The Clock case

Intuitively the algorithm for the clock semantics of §3.7.1 can replace a pure depth-first search with a breadth-first search that proceeds by temporal slices.

Concretely we maintain the set of states reachable at time n and, for each agent a, partition these under a's observation function. We add states to the automaton for a for the new equivalence classes. For each new equivalence class ec, we add edges from all of the states in the previous temporal slice to ec, labelling them with the observation that a makes on ec. We can see that the resulting automaton is behaviourally equivalent (§3.6.2) to the one constructed by the algorithm in §3.7.1; we have simply added superfluous transitions.

After each equivalence class of the temporal slice has been processed, we construct the next slice using the standard idiom for BDDs; the evaluation function of §3.7.1 for knowledge formulas is easily adapted to use a symbolic representation.

This approach potentially saves time but not space as we compute the set of states commonly known to be possible only once per temporal slice.
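As an added illustration (not code from the thesis), the temporal-slice construction of §6.2.1 run over a small constructed system. Python sets stand in for the BDD-represented equivalence classes (a frozenset plays the role of the canonical BDD handle used as a map key), the system, the observation functions and the property are all constructed here, and a simple "agent knows p on this class" test replaces the evaluation function of §3.7.1:

```python
"""Clock-semantics automaton construction by temporal slices.

Added example, not the thesis's code: explicit Python sets stand in for
BDDs, and the system, observation functions and knowledge test below are
constructed toy data.
"""
from collections import defaultdict

# Constructed toy system: a state is a (room, hazard) pair.
INITIAL = {("lobby", False)}


def succ(state):
    """Transition relation of the toy system: the lobby leads to the vault,
    where a hazard may or may not appear; the vault leads to the exit; the
    exit is absorbing."""
    room, hazard = state
    if room == "lobby":
        return {("vault", False), ("vault", True)}
    if room == "vault":
        return {("exit", hazard)}
    return {state}


# Observation functions: the guard sees the room, the sensor sees the hazard flag.
OBS = {
    "guard": lambda s: s[0],
    "sensor": lambda s: s[1],
}


def hazard_present(state):
    return state[1]


def build_clock_automata(initial, succ, obs, prop, max_steps):
    """Build one automaton per agent, one temporal slice at a time.

    Each slice is the set of states reachable at time n.  For every agent
    we partition the slice under that agent's observation function; each
    equivalence class becomes a state of the agent's automaton, keyed by
    its frozenset (the stand-in for a canonical BDD handle), so a class
    seen in an earlier slice is reused rather than duplicated.  Edges run
    from every class of the previous slice to every class of the current
    slice, labelled with the observation, which is the over-approximate
    edge set the text describes.  The knowledge test "agent knows prop" is
    true on a class iff prop holds in all of its states.
    """
    automata = {a: {"states": {}, "edges": set(), "init": set()} for a in obs}
    slice_states = set(initial)
    prev_classes = {a: set() for a in obs}
    for n in range(max_steps + 1):
        cur_classes = {}
        for a, observe in obs.items():
            classes = defaultdict(set)
            for s in slice_states:
                classes[observe(s)].add(s)
            aut = automata[a]
            cur = set()
            for o, members in classes.items():
                ec = frozenset(members)
                cur.add(ec)
                if ec not in aut["states"]:
                    aut["states"][ec] = all(prop(s) for s in ec)  # kTest value
                if n == 0:
                    aut["init"].add(ec)
                for prev in prev_classes[a]:
                    aut["edges"].add((prev, o, ec))
            cur_classes[a] = cur
        prev_classes = cur_classes
        # Next temporal slice: the image of the current slice under succ,
        # computed once per slice (the saving the text mentions).
        slice_states = set().union(*(succ(s) for s in slice_states))
    return automata


if __name__ == "__main__":
    auts = build_clock_automata(INITIAL, succ, OBS, hazard_present, 2)
    for agent, aut in auts.items():
        print(agent, len(aut["states"]), "states,", len(aut["edges"]), "edges")
```

On this input the guard, who never observes the hazard flag, gets one class per slice and never knows the hazard; the sensor splits each later slice in two and knows the hazard exactly on the classes where it observed the flag, which is the behaviour the construction is meant to expose.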

6.2.2 The Single-Agent Perfect Recall case

The algorithm discussed in §3.7.3 for a single agent is readily translated into the present setting. We apply the implementation to the robot example in §6.3.

6.2.3 The Multi-Agent Broadcast Perfect Recall cases

The broadcast settings of §3.7 assume that the agents make common observations of the shared state, while allowing them to maintain their own private states. Therefore we introduce the ArrowBroadcast class so that we can capture this common observation and ensure that all communication between the agents is by broadcast:

    class ArrowBroadcast (~>) iobs cobs where
      broadcast :: Card size
                => SizedList size (AgentID, ienv ~> iobs, (iobs, cobs) ~> action)
                -> (env ~> ienv)
                -> (env ~> cobs)
                -> (env ~> SizedList size action)

Here cobs is the type of the common observation, iobs that of the agents' initial observations, and ienv the type of the initial environment from which the initial observations are made. (The initial environment allows computations to be shared.) The agents are presented as a SizedList (§5.3) of tuples, consisting of the agent's name, their initial observation and their recurring behaviour. The broadcast combinator returns an Arrow that maps the environment to a SizedList of actions, one per agent. This communicates to the environment's protocol that the number of actions is equal to the number of agents.

The instance of ArrowBroadcast for the constructivity analysis Arrow CArrow of §5.4.3 is similar to that for the agent construct we discussed in §6.1. The only subtlety is that we must provide the initial observation only in the initial instant; in particular we cannot give the agents access to the output of the Arrow that generates this observation (the second in their defining tuple) at later instants.

Again the algorithms of §3.7 translate readily to this symbolic setting. We note that the representation of relations between the initial and present-state variables used in §3.7.4 and §3.7.5 involves another set of pairs of BDD variables in addition to the omnipresent past- and current-state ones that the previous algorithms have used.

6.2.4 Automata Minimisation

The automata generated by these processes contain much redundant structure, and as we wish to comprehend these artifacts we would like to find small behaviourally-equivalent automata (§3.6.2). We consider only schemes for the reduction of deterministic state machines here, and as our automata representations are explicit, we do not discuss symbolic techniques.

In §3.8 we used a standard DFA minimisation algorithm (Gries 1973) to reduce the size of our automata. A recent variant of this approach due to Valmari (2012) runs in O(n lg n) time where n is the number of states, independently of the size of the alphabet (observations in our case), and conveniently works on underspecified automata. However, as we remarked there, this standard reduction under bisimulation does not yield the smallest automata we could hope for as it is overly respectful of the unspecified transitions. In other words a minimal implementation of a KBP need not be bisimulation- or trace-equivalent to the constructed automaton, merely behaviourally-equivalent (§3.6.2).

We now demonstrate that this problem is intractable by showing that the following problem, proven by Pfleeger (1973) to be NP-complete, is equivalent to ours:

Given an incompletely specified DFA M = (K, Σ, δ, q0, F) and k > 0. (K and Σ are finite sets of "states" and "inputs," respectively; δ, called the "transition function," is a mapping from a subset of K × Σ into K; the "initial state" q0 is in K; and the set of "final states" F is a subset of K.) Is there a way to assign a state to each unspecified transition so that the resulting complete automaton has at most k equivalence classes of states?

We can construct a protocol (see §3.6.2) from a DFA (K, Σ, δ, q0, F) by defining pInit o = δ(q0, o) for each o ∈ Σ where δ(q0, o) is defined, and pTrans o s = δ(s, o) for all s ∈ K and o ∈ Σ where δ(s, o) is defined. Let pAct s yield true iff s ∈ F. From a minimal behaviourally-equivalent protocol we can recover a minimal DFA by pruning all states from which we cannot reach a final state, i.e. one where pAct s is non-empty, in linear time. Such a DFA will contain no equivalent states, and so a minimal k is the number of its states.

Conversely a protocol A with Boolean actions determines a DFA as follows. The state space K contains a fresh state q0 and the set of states in A, and Σ is the set of possible observations together with a fresh label l not amongst these observations. We define δ(s, l) = s for all states s ∈ K where pAct_A yields true, δ(s, o) = pTrans o s for all s ∈ K and possible observations o, and similarly δ(q0, o) = pInit o. We set F0 = K. (Identifying satisfaction of kTest f with finality may not be correct when there are states s where kTest f is false and there is no path from s to a final state; all states that cannot reach a final state can be discarded in a minimal automaton.)

This problem has been of interest to the electronic design automation (EDA) industry as the automata produced by high-level synthesis are often sub-optimal. Rho, Hachtel, Somenzi, and Jacoby (1994) provide an algorithm for exact solutions, and we use their STAMINA tool from the Berkeley Sis toolkit. We have found that it converges more quickly if we reduce the automata under bisimulation first. As this tool has proven adequate for our examples, and this issue is peripheral to the main thread of this work, we do not further discuss the mechanics of STAMINA or more recent work in that area. We note that we might also like to minimise the number of transitions, which is beyond the scope of STAMINA.
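As an added illustration of §6.2.4 (not code from the thesis, and not STAMINA), the two points made above on one small constructed DFA: a bisimulation-style partition refinement that, like the Gries and Valmari algorithms, treats an unspecified transition as its own distinct outcome and so fails to merge two states that differ only in a don't-care; a brute-force search over all completions of the unspecified transitions, which is Pfleeger's problem stated directly and is only feasible for tiny automata; and the DFA-to-protocol translation (pInit, pTrans, pAct) from the text. The DFA, its alphabet and the state names are constructed here:

```python
"""Minimising an incompletely specified DFA: refinement vs. completion.

Added example, not the thesis's code.  The DFA below is constructed; the
refinement is the standard Moore-style partition refinement with an
unspecified transition treated as a distinct outcome; the completion
search enumerates every assignment of the unspecified transitions.
"""
from itertools import product


def refine(states, alphabet, delta, final):
    """Partition refinement over a (possibly partial) transition function.

    Returns a dict state -> block id.  States that differ only in whether
    some transition is defined end up in different blocks, which is the
    'overly respectful' behaviour the text describes.
    """
    block = {s: int(s in final) for s in states}  # split final / non-final
    while True:
        sig = {s: (block[s],) + tuple(
                   block[delta[(s, o)]] if (s, o) in delta else None
                   for o in alphabet)
               for s in states}
        ids = {}
        new_block = {s: ids.setdefault(sig[s], len(ids)) for s in states}
        if len(ids) == len(set(block.values())):
            return new_block  # no block was split: the partition is stable
        block = new_block


def block_count(states, alphabet, delta, final):
    """Number of states after refinement that respects don't-cares."""
    return len(set(refine(states, alphabet, delta, final).values()))


def min_states_over_completions(states, alphabet, delta, final):
    """Smallest block count over every way of filling in the unspecified
    transitions (Pfleeger's problem by brute force): exponential in the
    number of don't-cares, so only usable on toy automata."""
    holes = [(s, o) for s in states for o in alphabet if (s, o) not in delta]
    best = None
    for targets in product(states, repeat=len(holes)):
        full = dict(delta)
        full.update(zip(holes, targets))
        k = block_count(states, alphabet, full, final)
        best = k if best is None else min(best, k)
    return best


def dfa_to_protocol(delta, q0, final):
    """The translation in the text: pInit o = δ(q0, o), pTrans o s = δ(s, o),
    pAct s = (s ∈ F).  Undefined transitions are reported as None."""
    p_init = lambda o: delta.get((q0, o))
    p_trans = lambda o, s: delta.get((s, o))
    p_act = lambda s: s in final
    return p_init, p_trans, p_act


# Constructed DFA: q1 and q2 agree everywhere except that (q2, b) is unspecified.
STATES = ["q0", "q1", "q2", "q3"]
ALPHABET = ["a", "b"]
DELTA = {("q0", "a"): "q1", ("q0", "b"): "q2",
         ("q1", "a"): "q3", ("q1", "b"): "q3",
         ("q2", "a"): "q3",                      # (q2, b) deliberately unspecified
         ("q3", "a"): "q3", ("q3", "b"): "q3"}
FINAL = {"q3"}


if __name__ == "__main__":
    print("respecting don't-cares:", block_count(STATES, ALPHABET, DELTA, FINAL))
    print("best completion:", min_states_over_completions(STATES, ALPHABET, DELTA, FINAL))
```

Refinement keeps q1 and q2 apart because q2 has no b-transition, giving four blocks; choosing q3 as the target of the missing transition lets the two states merge, giving three, which is the gap between bisimulation reduction and the behavioural minimum that the text attributes to unspecified transitions.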

    robotA = agent "Robot" (kTest ("Robot" `knows` probe "inGoal"))

    environment = proc halt →
      do rec pos ← LdelayAC (fromIntegerA 0 −≺ ())
                            (LmuxAC (returnA −≺ halt)
                                    (returnA −≺ pos)
                                    ((returnA −≺ pos) `nondetFairAC` (incA −≺ pos)))
         sensor ← (decA −≺ pos) `nondetAC` (returnA −≺ pos) `nondetAC` (incA −≺ pos)
         returnA −≺ (pos, sensor)

    robotTop = proc () →
      do rec halted ← robotA −≺ sensor
             (pos, sensor) ← environment −≺ halted
         inGoal ← ((fromIntegerA 2 −≺ ()) `leAC` (returnA −≺ pos))
                  ∧ ((returnA −≺ pos) `leAC` (fromIntegerA 4 −≺ ()))
         probeA "inGoal" −≺ inGoal
         natA (undefined :: Three) −≺ pos
         returnA −≺ (halted, pos, sensor)

Figure 6.2: The ADHOC model of the Robot of §2.
