Volume8,Number1,pp.113. http://www.spe.org ©2007SWPS
SPECIFICATION ANDVERIFICATION OFAGENT INTERACTION PROTOCOLS IN A
LOGIC-BASED SYSTEM
∗
MARCO ALBERTI, FEDERICO CHESANI, DAVIDE DAOLIO, MARCO GAVANELLI, EVELINA LAMMA, PAOLA
MELLO AND PAOLO TORRONI
Abstrat.
Anumberof informationsystemsanbedesribedas aset of interating entities, whihmustfollow interation protools.
Theseprotoolsdeterminethebehaviourandthepropertiesoftheoverallsystem,heneitisoftheuttermostimportanethatthe
entitiesbehaveinaonformantmanner.
Atypialaseisthat ofmulti-agentsystems,omposedof a plurality ofagents withouta entralized ontrol. Compliane
toprotoolsanbehardwired inagent programs; however, thisrequires thatonlyertied agents interat. Inopensystems,
omposedofautonomous andheterogeneous entitieswhose internal strutureis,ingeneral, notaessible(openagentsoieties
being,again,aprominentexample)interationprotoolsshouldbespeiedintermsoftheobservablebehaviour,andompliane
shouldbeveriedbyanexternalentity.
In thispaper, we propose a Java-Prolog-CHR system for veriation of ompliane of omputational entities to protools
speiedinalogi-basedformalism(SoialIntegrityConstraints). Wealsoshowtheappliationoftheformalismandthesystem
to the speiation and veriation of three dierent senarios: two speiations show the feasibilityof our approah inthe
ontextofMultiAgentSystems(FIPAContrat-NetProtoolandSemi-Opensoieties),whileathirdspeiationappliestothe
speiationofalowerlevelprotool(Open-ConnetionphaseoftheTCPprotool).
1. Introdution. Manyinformationsystemsanbedesribedasasetofmutuallyindependent,interating
entities. Atypialexampleisthat ofmulti-agentsystems. Insuhasenariotheinteration isusually subjet
tosomekindofinterationprotools,whihtheagentsshouldrespetwheninterating. Thisraisestheobvious
problemofverifyingthat interationprotoolsareatuallyfollowed.
It is possible to design agents so that they will spontaneously omply to protools, and, if possible,
formallyverifythat at designtime. For instane, in [13℄, Endrisset al. proposean approahwhere protools
areimported into individualagentpoliies.
However,thisapproahisnotviableinopen 1
agentsoieties,whereinteratingagentsareautonomousand
heterogeneousand,ingeneral,theirinternalstrutureannotbeaessed. Inthisase,agentsshouldbeheked
foromplianetointerationprotoolsbasedontheirobservable behaviour,byatrustedexternalentity.
In previous work [5℄, we proposed a omputational logi-based formalism (based upon Soial Integrity
Constraints,SICs)tospeifyinterationprotools. SoialIntegrityConstraintsaremeanttoonstraintheagent
observablebehaviourratherthanagents'internal(mental)stateorpoliies. Inotherwords,thisapproahdoes
notrestritanagent'saesstosoietiesbasedonitsinternalstruture;regardlessofitspoliies,anyagentan
suessfullyinteratin asoietyruledbySICs,aslongasits behaviourisompliant. Theformalsemantisof
SoialIntegrityConstraints[4℄isbasedonabdutivelogiprogramming[18℄.
Thepurposeofthispaperisto demonstratetheviabilityofSoialIntegrityConstraintsasaformalismto
speify interationbetweenomputationalentities,inluding, but notlimitedto, agentsin open soieties. We
willuseamodiedversionofSoialIntegrityConstraints,whihbettertsourneedsintermsofbothsimpliity
ofpresentation,andexpressiveness.
Thepaperisstruturedasfollows. InSet.2,weintroduetheversionofSoialIntegrityConstraintsused
inthiswork,givingtheirsyntaxandaninformalexplanationoftheirsemantis.
InSet.3wespeifyintermsofSICs aontratnet-basedprotoolforresourealloationandnegotiation
inmulti-agentsystems,alledFIPACNP,andinSet.4wespeifyaprotoolforenteringsemi-opensoieties,
i.e.,virtualenvironmentsharaterizedbythepreseneofagatekeeperagentandaprotoolthatgovernsthe
agents'aessto thesoiety. InSet.5wedemonstratetheusageofSICsto speifyanetworkommuniation
protool,namelythethree-wayhandshakeopeningoftheTCPInternetProtool.
Theartileendswiththepresentationoftheomplianeveriationsystem(Set.6),andsomenotesabout
itsJava+Prologimplementation.
∗
ThisartileisanextendedversionoftheonebyAlberti,Daolio,Gavanelli,Lamma,Mello,andTorroni,publishedinHaddad,
Omiini,andWainwright, eds.,Proeedings of the19th ACMSymposium onApplied Computing, SAC2004, Speial Trak on
Agents,Interations,Mobility,andSystems(AIMS).Niosa,Cyprus,Marh14-17,2004. pp.72-78. ACMPress(2004).
1
We intend openness insoietiesof agents asArtikis, Pitt andSergot [7℄, where agents anbeheterogeneous and possibly
2. SoialIntegrityConstraints. Wedistinguishbetweenatualbehaviour(happenedevents)anddesired
behaviour(expetations),sinein non-ideal situationstheydo notalwaysoinide. Inthis setion, weletthe
readergetaquaintedwithourrepresentationofeventsandweintrodueSoialIntegrityConstraints(SICs)as
aformalismusedtoexpresswhihexpetations aregenerated asonsequeneofhappenedevents.
HappenedEventsandExpetations. Happenedeventsarein theform
H
(Description,
Time)
where Desription is a term (as intended in logi programming, see [20℄) representing the event that has
happened,andTime isanintegernumberrepresentingthetimeatwhihtheeventhashappened. Forexample,
H
(
request(
ai
,
aj
,
give(10$),
d1
),
7)
represents the fat that agent a
i
requested agent aj
to give 10$, in the ontext of interationd
1
(dialogueidentier)attime
7
.All happened events form the history of a soiety. Given the historyof a soietyat a given time, some
eventswillhavetohappeninorderforinterationprotoolstobesatised: werepresentsuheventsbymeans
ofexpetations,whihanbepositive ornegative. Positiveexpetationsareoftheform
E
(Description,
Time)
and representan event that is expeted to happen (typially, an ation that an agent is expeted to take).
Negativeexpetationsareoftheform
EN
(Description
,
Time
)
andrepresentthefat thataneventisexpetednot tohappen.
Expetationsmay(and,typially,will)ontainvariables,to reetthefat thattheexpetedeventisnot
fullyspeied;however,CLP[17℄onstraintsanbeimposedonvariablestorestrittheirdomain. Forinstane,
E
(
aept(
ak
,
aj
,
give(M
), d
2
), T
a
) :
M
≥
10, T
a
≤
15
(2.1)represents the expetation for agent a
k
to aept givingagent aj
an amountM
of money, in the ontext ofinteration
d
2
attimeT
a
;moreover,M
isexpetedtobeat least10$,andT
a
tobeatmost15
.SineweimposenorestritionsontheDesriptiontermofanexpetation,expetationsanregardanykind
ofeventthatanbeexpressedbyaProlog-liketerm. However,expetationsonlyregardpoint-timeevents;thus
itisnotpossibletoexpressoniselythatsomeproposition isexpetedtobetruealongagiventimeinterval.
Sinewemakenoassumptionsabouttheagents'internalstrutureorpoliies,theirbehaviourmayormay
notsatisfyexpetations. Werepresentthesetwoasesbymeansofthenotionsoffulllment andviolation. We
saythataneventmathes anexpetationifandonlyif:
•
theirontentsunify(àlaProlog);•
allrelevantCLPonstraintsonvariables(if any)aresatised.Apositiveexpetationangetfullled byamathingevent,whereasanegativeexpetationangetviolated by
amathing event.
Forinstane,event
H
(
aept(
ak
,
aj
,
give(20), d
2
),
15)
fulllsexpetation(2.1);thesameeventwould,instead,violateanegativeexpetationswiththesameontent
andCLPonstraints.
Ifweassumeat somepointthatnomoreeventswilleverour,wesaythat thehistoryis losed. In that
ase, all positive expetations that are not fullled are violated, and all negative expetations that are not
Table2.1
BNFsyntaxofSoialIntegrityConstraints
SIC::=
χ
→
φ
χ
::=EventLiteral[∧
EventLiteral℄∗
[:CList℄
φ
::=PriorityLevel[⇒
PriorityLevel℄∗
PriorityLevel::=HeadDisjunt[
∨
HeadDisjunt℄∗
,P
EventLiteral::=H(Term,T)
HeadDisjunt::=Expetation[
∧
Expetation℄∗
[:CList℄
Expetation::=E(Term,T)
|
EN(Term,T)Soial Integrity Constraints. The way expetations are generated, given a (partial) history of a soiety,
is speied by Soial Integrity Constraints (SICs). In this artile, we adopt a modied versionof the SICs
introdued in[2℄(wedisuss andmotivatesuhmodiationsinSet. 7).
Table2.1reportstheBNFsyntaxofSICs. Term isalogiprogrammingterm[20℄,Pisanintegernumber
andTisavariablesymbolorintegernumber. CListisaonjuntionofCLP onstraintsonvariables.
SICsare akindof forwardrules,statingwhat expetations should begenerated onthebasisofhappened
events. Bymeansof SICs,itis possibleto expressthat onjuntions ofexpetations (HeadDisjunts inTable
2.1)arealternative,anditisalsopossibletoassignapriority,representedbyanintegernumber,toeahlistof
alternatives(PriorityLevels inTable2.1).
Forinstane,thefollowingSIC:
H
(e
0
, T
0
)
∧
H
(e
1
, T
1
) :
T
0
< T
1
→
E
(e
2
, T
2
) :
T
2
< T
1
∨
EN
(e
3
, T
3
) :
T
3
< T
0
,
1
⇒
E
(e
4
, T
4
) :
T
4
< T
0
,
2
(2.2)
meansthat,if
e
0
happensbeforee
1
,theneitherofthetwoasesbelowhold:•
e
2
should havehappenedbeforee
1
ore
3
should nothavehappenedbeforee
0
,•
e
4
should havehappenedbeforee
0
;and therst asehashigher prioritythan (or is preferredto) theseond one. Intuitively, aSIC meansthat,
when a set of events mathing its body happens, then at least one of the priority levels in its onlusion
shouldbesatised(thehigherthepriority,thebetter). Inthisase,wesaythattheSICisfullled;otherwise,
it isviolated. Whileprioritieshave noeet uponthe fulllment status of thesoiety, theyould insteadbe
usedbyapossibleomputationalentityrepresentingthesoietytoguideitsmembers'behaviourtowardssome
preferredstate. This an be useful when expetations are aountedfor by agents deliberatingaboutfuture
ations. At eah point in time there are in generalseveral equallyfullled sets of expetations. But ifsome
aremorepreferredtoothers,animaginarysoialreasonerwhihproduesexpetationsbasedoneventsould
thenevaluateandhoosewhihsets ofexpetations bettert itsgoals,and transmitonlythem tothesoiety
members. If suh members takeexpetations into aount, thewhole soietyould evolvetowardspreferred
states.
Theexpetations in SIC (2.2) regardeventsthat should have(or have not) happenedbefore the time of
theevent that raisesthem: weall thiskind of expetations bakward. Expetations that regardeventsthat
are expeted to happen (or not to happen) after theevent that raises them are named forward. We restrit
the possible SICs by requiring that they ontain only either bakwardexpetations orforwardexpetations:
in the rst ase, we will all the SIC bakward, in the seond ase forward. We disuss this restrition in
Set.7.
3. Speiation of the FIPA Contrat-Net. FIPA-CNP [1℄ is a protool based on FIPA-ACL [14℄
denedforregulatingtransationsbetweenentitiesbynegotiation. Theprotoolow,representedasanAUML
[21℄ diagram in Fig. 3.1, starts with an Initiator whih issues arequest for a resoure(fp, standing forall
for proposals) tootherPartiipants. ThePartiipantsanreplybyproposing apriethatsatises therequest
(propose),orbyrefusing therequest altogether(refuse). TheInitiatormustaept(aept-proposal) orrejet
(rejet-proposal) the reeived proposals. A Partiipant whose proposal has been aepted must, by a given
deadline,informtheInitiatorthatithasprovidedtheresoure(bysendinganinform-donemessage,oramore
Fig.3.1.FIPA-Contrat-NetInterationProtool(AUMLDiagram)
3.1. Denition by Soial Integrity Constraints. The whole set of SICs used to dene FIPA-CN is
omposed of 14bakwardSICs and3forwardSICs. Thishoieof SICs isobviouslynottheonly possibility.
WeareurrentlyinvestigatingageneralmappingofAUMLprotooldiagramsandother graphialformalisms
toSICs,soastoallowforanautomatitranslation. SomeprogressinthissensehasbeendonewiththeGOSpel
graphilanguage[10℄ inthehealthareappliationdomain.
IntheSICs intheremainderofthissetion,
I
willrepresenttheinitiator,P
apartiipant,R
theresoure,Q
the prie,D
the dialogue identier,S
theexplanation ofaresult, andT, T
1
, . . .
thetime. Wewill notuseprioritylevels.
BakwardSICs. BakwardSICsareusedtoexpressthatanationisonlyallowedifsomeothereventshave
(not)ourredbefore.
SICs(3.1)and(3.2)statethat proposeandrefuseareonlyallowedinreplytoafp .
H
(
tell(P, I,
propose(R, Q), D), T
)
→
E
(
tell(I, P,
fp(R), D), T
1
) :
T
1
< T
(3.1)
H
(
tell(P, I,
refuse(R), D), T
)
→
E
(
tell(I, P,
fp(R), D), T
1
) :
T
1
< T
(3.2)
SICs(3.3)and(3.4)expressmutualexlusionbetweenproposeandrefuse.
H
(
tell(P, I,
propose(R, Q), D), T
)
→
EN
(
tell(P, I,
refuse(R), D), T
1
) :
T
1
≤
T
H
(
tell(P, I,
refuse(R), D), T
)
→
EN
(
tell(P, I,
propose(R, Q), D), T
1
) :
T
1
≤
T
(3.4)
SICs(3.5)and(3.6)statethat aept-proposalandrejet-proposalareonlyallowedin replyto apropose.
H
(
tell(I, P,
aept-proposal(R, Q), D), T
)
→
E
(
tell(P, I,
propose(R, Q), D), T
1
) :
T
1
< T
(3.5)
H
(
tell(I, P,
rejet-proposal(R, Q), D), T
)
→
E
(
tell(P, I,
propose(R, Q), D), T
1
) :
T
1
< T
(3.6)
SICs(3.7)and(3.8)expressmutualexlusionbetweenaept-proposalandrejet-proposal.
H
(
tell(I, P,
aept-proposal(R, Q), D), T
)
→
EN
(
tell(I, P,
rejet-proposal(R, Q), D), T
1
) :
T
1
≤
T
(3.7)
H
(
tell(I, P,
rejet-proposal(R, Q), D), T
)
→
EN
(
tell(I, P,
aept-proposal(R, Q), D), T
1
) :
T
1
≤
T
(3.8)
SICs (3.9), (3.10) and (3.11) say that inform-done , inform-result and failure are only allowed in reply to an
aept-proposal.
H
(
tell(P, I,
inform-done(R), D), T
)
→
E
(
tell(I, P,
aept-proposal(R, Q), D), T
1
) :
T
1
< T
(3.9)
H
(
tell(P, I,
inform-result(R, S), D), T
)
→
E
(
tell(I, P,
aept-proposal(R, Q), D), T
1
) :
T
1
< T
(3.10)
H
(
tell(P, I,
failure(R), D), T
)
→
E
(
tell(I, P,
aept-proposal(R, Q), D), T
1
) :
T
1
< T
(3.11)
SICs(3.12), (3.13)and(3.14)expressmutualexlusionbetweeninform-done ,inform-resultandfailure .
H
(
tell(P, I,
inform-done(R), D), T
)
→
EN
(
tell(P, I,
failure(R), D), T
1
) :
T
1
≤
T
∧
EN
(
tell(P, I,
inform-result(R, S), D), T
1
) :
T
1
≤
T
(3.12)
H
(
tell(P, I,
inform-result(R, S), D), T
)
→
EN
(
tell(P, I,
failure(R), D), T
1
) :
T
1
≤
T
∧
EN
(
tell(P, I,
inform-done(R), D), T
1
) :
T
1
≤
T
(3.13)
H
(
tell(P, I,
failure(R), D), T
)
→
EN
(
tell(P, I,
inform-done(R), D), T
1
) :
T
1
≤
T
∧
EN
(
tell(P, I,
inform-result(R, S), D), T
1
) :
T
1
≤
T
ForwardSICs. SIC(3.15)saysthat,afterreeivingafp ,aPartiipantis expetedtoissueaproposeora
refuseby200timeunits. 2
H
(
tell(I, P,
fp(R), D), T
)
→
E
(
tell(P, I,
propose(R, Q), D), T
1
) :
T
1
< T
+ 200
∨
E
(
tell(P, I,
refuse(R), D), T
2
) :
T
2
< T
+ 200
(3.15)
SIC(3.16)statesthattheInitiatorisexpetedtoreplytoaproposewithanaept-proposal orarejet-proposal
by200loktiks.
H
(
tell(P, I,
propose(R, Q), D), T
)
→
E
(
tell(I, P,
aept-proposal(R, Q), D), T
1
) :
T
1
< T
+ 200
∨
E
(
tell(I, P,
rejet-proposal(R, Q), D), T
2
) :
T
2
< T
+ 200
(3.16)
SIC (3.17) states that a Partiipant is expeted to reply to an aept-proposal with an inform-done , an
inform-resultorafailureby200loktiks.
H
(
tell(I, P,
aept-proposal(R, Q), D), T
)
→
E
(
tell(P, I,
inform-done(R), D), T
1
) :
T
1
< T
+ 200
∨
E
(
tell(P, I,
inform-result(R, S
), D), T
2
) :
T
2
< T
+ 200
∨
E
(
tell(P, I,
failure(R), D), T
2
) :
T
2
< T
+ 200
(3.17)
Notethat,inallthethreeases,bakwardSICs makethealternativeexpetationsmutuallyexlusive.
4. Speiationofasemi-opensoietyaessprotool. Aordingto[11℄,soietiesanbelassied
into4groups,eahharaterizedbyadierentdegreeofopenness. Inthefollowing,wegiveanexampleofhow
ourframeworkanmodelasemi-opensoiety,i.e.,asoietythatanbejoinedbyanagentexeutinganaess
protool. Inthisexampleweimaginethat aspeialgatekeeper agentis inhargeofreeivingjoining requests,
anditrequestsagentswillingtoenterto llin someregistrationform.
Theaessprotoolisdened bythefollowingSICs,in whih
C
representsthenameofanagentwillingtojoin in:
H
(
tell(C, gatekeeper, ask(register), D), T
)
→
E
(
tell(gatekeeper, C, ask(
form), D), T
1
) :
T
1
< T
+ 10
(4.1)
H
(
tell(C, gatekeeper, ask(register), D), T
)
∧
H
(
tell(gatekeeper, C, ask(
form), D), T
1
)
∧
T < T
1
→
E
(
tell(C, gatekeeper, send(
form, F
), D), T
2
) :
T
2
< T
1
+ 10
(4.2)
H
(
tell(gatekeeper, C, ask(
form), D), T
1
)
∧
H
(
tell(C, gatekeeper, send(
form, F
), D), T
2
)
∧
T
1
< T
2
→
E
(
tell(gatekeeper, C, accept(register), D), T
3
) :
T
3
< T
2
+ 10
∨
E
(
tell(gatekeeper, C, reject(register), D), T
3
) :
T
3
< T
2
+ 10
(4.3)
SIC (4.1) says: if
C
asksgatekeeper
to join the soiety (register
), then thegatekeeper
should ask foraregistration
f orm
; SIC (4.2) imposes that, after the rst twomessages, the agent should provide thef orm
;andSIC(4.3)saysthat,afterreeivingtheform,the
gatekeeper
shouldeitheraccept
orreject
theregistrationrequest.
2
Timeunitisan abstratonept, whose instantiationatually dependson the appliation. Atimeunitmayrepresent for
Forthesakeofsimpliity,in thesequelweassumethatmemberagentsdonotleavethesoiety. Then,the
preseneinthehistoryofaneventoftype:
H
(tell(gatekeeper, C, accept(register), D), T
)
anberegardedas
C
'sformalatofmembership,anditanbeusedinSICsasaonditionforgeneratingexpetations.
Forinstane, SIC(3.15) from theFIPA-CNP (Set. 3.1)ouldbemodiedasfollowsto takemembership
intoaount:
H
(
tell(gatekeeper, I, accept(register), D), T
I
)
∧
H
(
tell(I, P,
fp(R), D), T
)
→
E
(
tell(P, I,
propose(R, Q), D), T
1
) :
T
1
< T
+ 200
∨
E
(
tell(P, I,
refuse(R), D), T
2
) :
T
2
< T
+ 200
(4.4)
5. SpeiationoftheTCPprotoolopeningphase. Inthissetion,wepresentaspeiationofthe
open-onnetionphaseof theTCPprotool. Wewillfousonthewellknownthree-wayhandshakeopening,
summarizedbelow:
1. apeer
A
sendsto anotherpeerB
asynsegment; 32.
B
repliesbyaknowledging(withanak segment)A
'ssyn segment,andby sendingasynsegmentinturn;
3.
A
aknowledgesB
'ssynsegmentwithaaksegment,andstartssendingdata.Thefollowingtwointegrityonstraintsdesribesuh aprotool:
H
(
tell(A, B,
tp(
syn,
null, N SynA, AckN umber), D), T
1)
→
E
(
tell(B, A,
tp(
syn,
ak, N SynB, N SynAAck), D), T
2) :
N SynAAck
=
N SynA
+ 1
∧
T
2
> T
1.
(5.1)
SIC5.1saysthatif
A
sendstoB
asynsegment,whosesequenenumberisN SynA
,thenB
isexpetedtosendto
A
anaksegment,whoseaknowledgmentnumberisN SynA
+ 1
,at alatertime.H
(
tell(A, B,
tp(
syn,
null, N SynA, AckN umber), D), T
1)
∧
H
(
tell(B, A,
tp(
syn,
ak, N SynB, N SynAAck), D), T
2) :
T
2
> T
1
∧
N SynAAck
=
N SynA
+ 1
→
E
(
tell(A, B,
tp(
null,
ak, N SynAAck, N SynBAck), D), T
3) :
T
3
> T
2
∧
N SynBAck
=
N SynB
+ 1.
(5.2)
SIC 5.2saysthat,iftheprevioustwomessageshavebeenexhanged,then
A
isexpeted tosend toB
anaksegmentaknowledging
B
'ssynsegment,andwithaknowledgementnumberisN SynB
+ 1
,whereN SynB
isthesequenenumberof
B
'ssyn.Athirdintegrityonstrainthasbeenadded,toverifytheinterationbetweenpeerswithdierentresponse
time. Afasterpeerinfatouldnotwaitenoughfortheaknowledgemessage,andtrytoresendasynmessage
toaslowerpeer. This situation anleadto severalproblems in theslowerpeer, whosequeueof theinoming
messagesouldeasilygetsaturatedbyrequests.
H
(
tell(A, B,
tp(
syn,
null, N SynA, AN Y
), D), T
1)
∧
ta(T A)
→
EN
(
tell(A, B,
tp(
syn,
null, N SynA, AN Y
), D), T
2) :
T
2
< T
1
∧
T2
> T
1
−
T A.
(5.3)
SIC 5.3saysthat,if
A
hassenttoB
asynsegmentto openaonnetion,thenA
isexpetednottosendanothersyn segmentbefore
T A
time units,whereT A
isan appliation-speionstant, dened bytheta/1
prediate.
Theabovespeiationhasbeenusedto hektheinterationbetweenexperimentalmobilephonesanda
server.
3
Table6.1
Stateofanexpetation
Type Veried Expired State
E
yes fullledE
no no waitE
no yes violatedEN
yes violatedEN
no no waitEN
no yes fullled6. Veriation System. Inthis setion, wedesribea prototypial system that we havedeveloped to
verifytheompliane oftheagentbehaviourtointerationprotoolsspeiedbymeansofSICs.
Thesystemheksforomplianebyaomplishingtwomaintasks:
1. itres(ativates)SICswhoseonditionsbeometrueasrelevanteventsours;
2. itdeideswhether ativated SICsarefullledorviolated.
Thesystemisdesignedtoworkduringtheevolutionofthesoiety,soitwillonlyhave,ateahinstant,apartial
historyavailable,anditmusttakeintoaountthatneweventsmayhappeninthefuture. Forinstane,letus
onsideragainthesampleexpetationin Set.2:
E
(
aept(
ak
,
aj
,
give(M
), d
2
), T
a
) :
M
≥
10, T
a
≤
15.
Letus now supposethat,at time 12, nomathingeventhas yet ourred. So, while thisexpetation has
notbeenfullled,neitherit has(yet) been violated: sineamathing eventouldstill happen at time13, 14
or15. Itwillatuallybeviolatedinstead,inaseamathingeventfailstoourbytime15,beausetheCLP
onstraintonthetimevariablebeomesunsatisableasoftime16.
Moregenerally, it may notbe possible to statewhether a SIC is fullled orviolated at the sametime it
res;thus,weidentifythreepossiblestatesforanativatedSIC:
•
fullled,iftheSICisfullled;•
violated,iftheSICisviolated;•
wait,iftheSICisstillneitherfulllednorviolated.The initialstate foran ativated SIC is wait; happening eventswill eventuallyhangeits stateto fullled or
violated.
Ifweproesseventsintheorretorder in time,in theaseofbakwardSICs,thetransition fromawait
stateto afullled orviolated stateis immediate, beause expetations in abakwardSIC regardevents that
shouldhave(not)happenedinthepastand,thus, theyanbeimmediatelyhekedforfulllment.
6.1. Runtime identiation of the state of a SIC. Inthe following,weexplain howthe stateof a
SIC hangesatruntime.
Theativation of aSIC ausesthereationof aninstane ofits head (organized in prioritylevels,eah
beingadisjuntionofonjuntionofexpetations,asexplainedinSet.2). Afterwards,thestateofeahsingle
expetationis dened,followedbythestateoftheprioritylevels,andnallybythestateoftheSIC.
Stateofanexpetation. Anexpetationisalledveriedifthereexistsamathingeventinthesoiety
his-tory. Thestateofaveriedpositiveexpetationisfullled;thestateofaveriednegativeexpetationisviolated.
An expetation isalled expired ifCLP onstraintsoveritstime variableannot be anylongersatised
(typially,thisistheasewithonstraintsrepresentingdeadlineswhihhaveexpired). Thestateofanexpired
andnotveriedexpetationisviolated iftheexpetationispositiveandfullled iftheexpetationisnegative;
thestateofanotexpiredandnotveriedexpetation isinsteadwait.
Table6.1summarisesalltheseases.
Stateofaonjuntion ofexpetations. Thestateofaonjuntionofexpetationsisdenedbythefollowing
rules:
1. ifthestateof atleastoneexpetationin theonjuntionis violated,thenthestateoftheonjuntion
isviolated;
2. ifthestateofallexpetationsin theonjuntionisfullled,thestateoftheonjuntionis fullled;
State of a priority level. A priority level is adisjuntion of onjuntions of expetations. The stateof a
prioritylevelisthendenedbythefollowingrules:
1. ifthestateofatleastoneof thedisjuntsisfullled,thenthestateof theprioritylevelisfullled;
2. ifthestateofallofthedisjuntsisviolated,thenthestateoftheprioritylevelisviolated;
3. otherwise,thestateiswait.
StateofaSIC. IfalltheprioritylevelsofaSICareviolated,thentheSICisviolated;otherwise,thestate
ofthehighestnon-violatedpriorityleveloftheSICdenesthestateoftheSIC.
6.2. Veriation of Compliane. As shownin Set. 3.1in relation to theFIPA CNP, bakwardSICs
anexpressthateventsareonlyallowedifsomeothereventshave(not)happenedbefore; sinetheirstatean
be immediatelyresolved to fullled orviolated, bakwardSICs anbeused to verifythat an eventis allowed
as soon asit ours. In designing our system, we made a hoie to ignore the events that are not allowed.
However,thesystemaptures theviolation: inarihersoialmodel, weanimaginesomeauthorityto reat
totheviolation.
ThesetofforwardSICsassoiatedwithalegalationisthenusedtogenerateexpetationsaboutthefuture
eventsin thesoiety(i.e.,theheadsofassoiatedforwardSICswill behekedforfulllment).
InordertoverifythefulllmentofSICs,wehavedenedtwodierentphases: theEventDriven phaseand
theClokDriven phase.
Event-driven phase. An event-drivenphasestartseahtime anew eventours. The systemativatesall
bakwardSICsassoiatedwiththeevent;iftheyareallfullled,thentheeventisreognizedtobeallowedand
thus markedaslegal andaddedto thehistoryoftheinteration. IfsomeofthebakwardSICsare violated,
thentheeventismarkedasillegal,sineitisnotallowed,anditisnotreordedinthehistoryofthesoiety.
Iftheeventismarkedlegal,thesystemproessesthenewupdatedhistorybyativatingtheforwardSICs
assoiated withthe newevent. Forward(ativated) SICs dene theexpetedfuture behaviourof thesoiety,
andtheywill behekedforfulllment.
Clok-drivenphase. Thelok-drivenphasestartswheneveraspeialeventalledlok,orurrenttime,
isregisteredbythesoiety. ThesystemproessesthesetofativatedforwardSICsidentifyingthestateofeah
one. If thestateof aSIC isfullled, theSIC isremovedfrom thelist ofpending (waiting) SICs. If thestate
ofaSIC isviolated,theSIC isremovedbut aviolationisraised. Ifthe stateis wait,theSIC iskeptpending
untilthenextlok-drivenphaseorthenextevent-drivenphase. Note thatthe timeassoiatedto eventsand
theurrenttime eventwhihresalok-drivenphasemustsynhronize.
6.3. Implementation. Theveriationsystem hasbeenimplemented ontop of SICStusProlog's
Con-straintHandlingRules(CHR) library[22℄.
CHR[16℄ are essentiallyaommitted-hoie language onsisting of guardedrules that rewrite onstraints
in a store into simpler ones until they are solved. CHR dene both simpliation (replaing onstraints by
simpleronstraintswhilepreservinglogialequivalene)andpropagation(addingnew,logiallyredundantbut
omputationallyuseful,onstraints)overuser-denedonstraints.
6.3.1. Ativation of SICs. Eah event happened in the system is represented by the CHRonstraint
h/2,where the argumentsare aProloggroundterm representingthehappened eventand anintegernumber
representingthetime.
Positive(resp. negative)expetations arerepresentedbythePrologterme(resp. en). Its argumentsare:
aPrologtermdesribingtheeventexpetedtohappen(resp. nottohappen),thetime(typiallynonground),
andalistofCLP onstraintsoverthevariablesin thedesription.
APriorityLevel isrepresentedbythePrologtermpr,whoseargumentsarethelistofalternative
HeadDis-junts oftheprioritylevelandtheintegernumberrepresentingthepriority(the lowerthenumber,thehigher
thepriority). PrioritylevelsgeneratedbyaSIC areolletedasthelistargumentofaplistterm.
TheargumentoftheCHRonstraintle/1isthelistofallativatedplists(one foreahativatedSIC).
EahSICisrepresentedbyasimpagationCHR.Ingeneral,simpagationruleshavetheform
H
1
, . . . , H
l\
H
l
+1
, . . . , H
i
⇔
G
1
, . . . , G
j|
B
1
, . . . , B
k
(6.1)where
l >
0
,i > l
,j
≥
0
,k
≥
0
and where the multi-headH
1
, . . . , H
i
is a nonempty sequene of CHRonstraints,theguard
G
1
, . . . , G
j
isasequeneofbuilt-inonstraints,andthebodyB
1
, . . . , B
k
isasequeneoftheguardistrue,
H
1
, . . . , H
l
remaininthestore,andH
l
+1
, . . . , H
i
aresubstitutedbyB
1
, . . . , B
k
. Forinstane,thefollowingCHRimplementsSIC(2.2):
h(event0,T0), h(event1,T1) \ le(LExp) <=> T0<T1 &
append(LExp,
[plist([
pr([
and([ e(event2,T2,[min(T2,T1)℄) ℄),
and([ en(event3,T3,[min(T3,T0)℄) ℄)
℄,1),
pr([
and([ e(event4,T4,[min(T4,T0)℄) ℄)
℄,2)
℄,id1)℄, LExp1)
| le(LExp1).
Ifevent0and event1haveourredand arepartof thehistory, thetwoCHRonstraintsh(event0,T)
and h(event1,T1)arein theonstraintstore;if theguardT<T1is true,then theruleis ativated. Thestore
(the LExplist) of the heads of ativated SICs is updatedappending a new plist(), whih ontains the list of
prioritylevels(twointhisexample)intheheadoftheSIC.TheCHRonstraintle/1,whihontainedtheold
LExpbeforetheativationoftherule,isremovedbysimpagationandreplaedbythesameonstraintwiththe
newlistLExp1asargument.
Note that twodierent symbols are used to represent the CLP onstraint
<
: < if its arguments are thetimesoftwohappenedevents 4
,andminiftheyareinsteadthetimesoftwoexpetations.
ThetranslationofaSICintoasimpagationCHRisratherstraightforward,whihmakesiteasytoimplement
newprotools.
Asfurtherexamples,wereportbelowtheCHRimplementationofSIC(3.1)andSIC(3.15):
h(tell(P,I,propose(R,Q),D),T) \
le(LExp) <=>
true &
append(LExp,
[plist([
pr([
and([
e(tell(I,P,fp(R),D),T1,[min(T1,T)℄)
℄)
℄,1)
℄)℄, LExp1) | le(LExp1).
h(tell(I,P,fp(R),D),T) \
le(LEv,LExp) <=>
Td is T+200 &
append(LExp,
[plist([
pr([
and([
e(tell(P,I,propose(R,Q),D),T1,[min(T1,Td)℄)
℄),
and([
e(tell(P,I,refuse(R),D),T2,[min(T2,Td)℄)
℄)
℄,1)
℄)℄,
LExp1) | le(LExp1).
4
historyGeneratorListener
Interface
Class
historyGenerator
Interface
expectationsEngineListener
Interface
timerInterface
Class
expectationsEngine
Interface
messageDispatchListener
Interface
timerListener
Class
messageDispatcher
Interface
eventRecorderInterface
Interface
eventRecorderListener
Fig.6.1. UMLdiagram
6.3.2. Identiationofthestate ofSICs. TheidentiationofthestateofaSICisodedinstandard
Prolog. The system performs all the steps desribed in Set. 6.1. It analyses all its stored plists, thus
implementingtheevent-drivenandlok-drivenphasesdesribedabove.
6.3.3. Interfae to the veriation system. In order to use the system in onrete ase studies, a
Javapakage(using the SICStusProlog's Jasperlibrary[22℄) has been implemented. This pakage hasbeen
developedtobeusedasaJavawrapperfortheveriationsystem.
TheUMLdiagramofthesystemisrepresentedinFig.6.1. Tousethesystemtheusermustreatea
histo-ryGenerator objetgivingasparameterthepathto a(ompiled)Prologleontainingtheprotooldenition
expressed by SICs. TheJava systemimplements the Event Driven phase reeivingmessages from the
even-tReorderListener interfaeandthe lok-driven phasereeivingurrent time eventsfrom thetimerListener
interfae. TherestofthesystemimplementstheJava-Prologinterfae.
7. Disussionand related work. ThesyntaxofSoialIntegrityConstraintsproposedinthispaperisa
modiedversionof thatproposedin [2℄andin [5℄. Themodiationshavebeenmadein orderto takleboth
expressivenessandimplementationissues. Speially:
•
weaddedprioritylevelstoSICs(seeSet. 2). Thisallowsforamoreexiblespeiationofprotools,enablingtheprotooldesignertodevisealternativeprotoolowswhilebeingabletospeifypreferenes
•
weimposedtherestritionofhavingonlyeitherbakwardorforwardexpetationinaSIC(seeSet.2).Whilethisimproveseieny,onthedownsideitpreventsfromwritingSICssuhas
H
(a, T
a
)
→E
(b, T
b
) :
T
b
< T
a
,
1
⇒E
(c, T
c
) :
T
c
≤
T
a
+
τ,
2
(7.1)
whihonemightwantto usetoexpressthat anevent(
b
)thatdoesnotfulll abakwardexpetationan,withlowerpriority,stillbeallowed,providedthatertainbakup event(
c
)ouratsomepointin thefuture. However, in our experiene, SICs suh as(7.1) are generallynot neessaryto express
protoolsof ommonuse.
In[4℄wehavedened anabdutivesemantis forSICs,in theontextof agentsoieties, andamore
gen-eral framework,in whih the veriation proedure is performed by an abdutiveproofproedure [6℄, whose
implementationhasbeenintegratedintoasoftwareomponent[3℄,interfaedto severalmulti-agentplatforms
suhasJade[8℄, PROSOCS[9℄,andtuProlog[12℄. Other authorshaveproposedalternativeapproahestothe
speiationandin someasesanimationofinterationamongagents. Notably, in[7℄,Artikiset al. presenta
theoretialframeworkforproviding exeutablespeiationsof partiularkindsof multi-agentsystems,alled
openomputationalsoieties,andtheypresentaformalframeworkforspeifyingandanimatingsystemswhere
thebehaviourofthemembersandtheir interationsannotbepreditedin advane,and forreasoningabout
and verifying the properties of suh systems. A noteworthy dierene with [7℄ is that we do not expliitly
representtheinstitutionalpowerofthemembersandtheoneptofvalidation. Permittedareallsoialevents
thatdonotdetermineaviolation,i.e.,alleventsthatarenotexpliitlyforbiddenareallowed.
In[24℄, Yolum and Singhapply avariantof EventCalulus [19℄to ommitment-basedprotool
speia-tion. Thesemantisofmessages(i. e.,theireet onommitments) isdesribedbyasetof operations whose
semantis,in turn, isdesribedby prediates onevents anduents;in addition, ommitmentsanevolve,
in-dependentlyofommuniativeats,inrelationtoevents anduents aspresribedbyasetofpostulates. Suh
awayof speifying protoolsis moreexible thantraditionalapproahesbasedonationsequenesin that it
presribesnoinitialandnalstatesortransitionsexpliitly,butitonlyrestritstheagentinterationinthat,at
theendofaprotoolrun,noommitmentmustbepending. Agentswithreasoningapabilitiesanthemselves
plananexeutionpathsuitablefortheirpurposes(whih,in thatwork,isimplementedbyanabdutiveevent
alulusplanner). Ournotionofexpetationismoregeneralthanthatofommitmentfoundin[24℄orinother
ommitment-basedworks,suhas[15℄: itrepresentstheneessityofa(pastorfuture)event,andisnotbound
tohaveadebtor orareditor,orto bebroughtaboutbyanagent.
8. Conlusions. Wehavepresentedaframeworkforthespeiationandruntimeveriationof
ompli-aneofagentinterationtoprotools. Thespeiationatasoiallevelofinterationprotoolsonstrainsthe
agentobservablebehaviourfromtheoutside,ratherthanitsinternalstateorstruture. Thisisaharateristi
of soialapproahesto agent protool speiation, andit is partiularlysuited forusage in openagent
soi-eties. Protoolspeiationsuseaomputationallogi-basedformalismalledsoialintegrityonstraints. The
system's Java-Prolog-CHRbasedimplementation has been tested on dierent types of protools [23℄. In this
artile,wehavedemonstratedtheusageofSICsinthreeases: theFIPACNP,takenfromtheagentliterature,
amadeupprotoolforjoiningsemi-opensoieties,andthewellknownthree-wayhandshakephaseoftheTCP
IP protool for onnetion establishment. The veriationsystem, implemented in Prolog and CHR, anbe
usedasamoduleinaJava-basedsystem,thankstotheJava-ProloginterfaeofSICStusProlog. Themodular
strutureofthesystemmakesit(hopefully) easytoadaptitto newappliations.
9. Aknowledgments. This researh has been partially supported by the National MIUR PRIN 2005
projetsNo2005-011293,Speiation and veriation of agentinteration protools, 5
, and No2005-015491,
Vinoli e preferenze ome formalismo uniante per l'analisi di sistemi informatii e la soluzione di problemi
reali, 6
and bytheNationalFIRBprojetTOCAI.IT 7
.
5
http://www.rieraitalia na.i t/p rin/ dett agl io_ omp leto _pri n_e n-20 0501 129 3.ht m
6
http://www.si.unih.it/ bis ta/ proj ets /pr in20 06/
7
REFERENCES
[1℄ FIPAContratNetInterationProtool,Teh.ReportSC00029H,FoundationforIntelligentPhysialAgents,2002.Available
athttp://www.fipa.org
[2℄ M.Alberti,A.Ciampolini,M.Gavanelli,E.Lamma,P.Mello,andP.Torroni,AsoialACLsemantisbydeonti
onstraints, inMulti-AgentSystems and Appliations III. Proeedings of the 3rd International Central and Eastern
EuropeanConfereneonMulti-AgentSystems,CEEMAS2003,V.Marík,J.Müller,andM.Pehouek,eds.,vol.2691
ofLetureNotesinArtiialIntelligene,Prague,CzehRepubli,June16182003,Springer-Verlag,pp.204213.
[3℄ M. Alberti, M. Gavanelli, E. Lamma, F. Chesani, P. Mello, andP. Torroni,Compliane veriation of agent
interation: alogi-based softwaretool.,AppliedArtiialIntelligene,20(2006),pp.133157.
[4℄ M.Alberti,M.Gavanelli,E.Lamma,P.Mello,andP.Torroni,AnAbdutiveInterpretationforOpenSoieties,in
AI*IA2003: AdvanesinArtiialIntelligene,Proeedingsofthe 8thCongressoftheItalianAssoiationforArtiial
Intelligene,Pisa,A.Cappelliand F.Turini,eds.,vol.2829ofLeture NotesinArtiialIntelligene,Springer-Verlag,
Sept.23262003,pp.287299.
[5℄ ,SpeiationandVeriationofAgentInterationsusingSoialIntegrityConstraints,EletroniNotesinTheoretial
ComputerSiene,85(2003).
[6℄ ,The
S
CIFFabdutiveproof-proedure, inProeedingsofthe9thNationalCongressonArtiialIntelligene,AI*IA 2005,vol.3673ofLetureNotesinArtiialIntelligene,Springer-Verlag,2005,pp.135147.[7℄ A. Artikis, J. Pitt, and M. Sergot, Animated speiations of omputational soieties, in Proeedings of the First
InternationalJointConfereneonAutonomousAgentsandMultiagentSystems(AAMAS-2002),PartIII,C.Castelfranhi
andW.LewisJohnson,eds.,Bologna,Italy,July15192002,ACMPress,pp.10531061.
[8℄ F. Bellifemine,F. Bergenti, G. Caire,and A.Poggi, Jade-a javaagent development framework, inMulti-Agent
Programming: Languages,PlatformsandAppliations,R.H.Bordini,M.Dastani,J.Dix,andA.E.Fallah-Seghrouhni,
eds.,vol.15ofMultiagentSystems,ArtiialSoieties,andSimulatedOrganizations,Springer-Verlag,2005,pp.125147.
[9℄ A.Braiali,U.Endriss,N.Demetriou,A.C.Kakas,W.Lu,andK.Stathis,Craftingthemindofprososagents,
AppliedArtiialIntelligene,20(2006),pp.105131.
[10℄ F. Chesani, A.Ciampolini,P. Mello, M. Montali, andS. Storari,Testingguidelinesonformane bytranslating
a graphial language toomputational logi, inECAI 2006 Workshop on AI tehniques inhealthare:evidene based
guidelinesandprotools,RivadelGarda,Italy,August2006. http://www.openlinial. org/ gp2 006 _2.h tml
[11℄ P. Davidsson, Categories of artiial soieties, in Engineering Soieties in the Agents World II, A. Omiini, P. Petta,
and R. Tolksdorf, eds.,vol.2203 ofLeture Notesin ArtiialIntelligene, Springer-Verlag, De. 2001, pp.19. 2nd
InternationalWorkshop(ESAW'01),Prague,CzehRepubli,July7,2001,RevisedPapers.
[12℄ E. Denti, A. Omiini, and A. Rii, Multi-paradigm Java-Prolog integration in tuProlog, Siene of Computer
Programming,57(2005),pp.217250.
[13℄ U. Endriss, N. Maudet, F. Sadri, and F. Toni, Protool onformane for logi-based agents, inProeedings of the
Eighteenth International Joint Conferene on Artiial Intelligene, Aapulo, Mexio (IJCAI-03), G. Gottlob and
T.Walsh,eds.,MorganKaufmannPublishers,Aug.2003.
[14℄ FIPA: FoundationforIntelligentPhysialAgents. HomePage: http://www.fipa.org/
[15℄ N. Fornara and M. Colombetti, Operational speiation of a ommitment-based agent ommuniation language, in
ProeedingsoftheFirstInternationalJointConfereneonAutonomousAgentsandMultiagentSystems(AAMAS-2002),
PartII,C.CastelfranhiandW.LewisJohnson,eds.,Bologna,Italy,July15192002,ACMPress,pp.535542.
[16℄ T.Frühwirth,Theoryandpratieofonstrainthandlingrules,JournalofLogiProgramming,37(1998),pp.95138.
[17℄ J. Jaffar and M. Maher, Constraint logi programming: a survey, Journal of Logi Programming, 19-20 (1994),
pp.503582.
[18℄ A. C. Kakas, R. A. Kowalski, and F. Toni, The role of abdution in logi programming, inHandbook of Logiin
Artiial Intelligene andLogiProgramming, D.M. Gabbay,C.J.Hogger, and J.A.Robinson, eds.,vol.5, Oxford
UniversityPress,1998,pp.235324.
[19℄ R.A.KowalskiandM.Sergot,Alogi-basedalulusofevents,NewGenerationComputing,4(1986),pp.6795.
[20℄ J.W.Lloyd,FoundationsofLogiProgramming,Springer-Verlag,2ndextendeded.,1987.
[21℄ J.MullerandJ.Odell,AgentUML: Aformalismforspeifyingmultiagentsoftware systems,International Journalof
SoftwareEngineeringandKnowledgeEngineering,11(3)(2001),pp.207230.
[22℄ SICStusprologusermanual,release3.11.0,Ot.2003.http://www.sis.se/isl/s is tus/
[23℄ TheSOCSprotoolrepository,2005.Availableat
http://edu59.deis.unibo.i t:8 079/ SOCS Pro too lsRe pos itor y/j sp/i ndex .js p
[24℄ P.YolumandM.Singh,Flexibleprotoolspeiationandexeution:applyingeventalulusplanningusingommitments,
inProeedingsof the FirstInternationalJoint ConfereneonAutonomous AgentsandMultiagentSystems
(AAMAS-2002),PartII,C.CastelfranhiandW.LewisJohnson,eds.,Bologna,Italy,July15192002,ACMPress,pp.527534.
Editedby: MarinPaprzyki,NiranjanSuri
Reeived: Otober1,2006