On the boundary of (un)decidability: decidable model checking for a fragment of resource agent logic

On the Boundary of (Un)decidability: Decidable Model-Checking

for a Fragment of Resource Agent Logic

∗

Natasha Alechina

1

_and

_{Nils Bulling}

2

_and

_{Brian Logan}

1

_and

_{Hoang Nga Nguyen}

1 1

_{School of Computer Science, University of Nottingham, UK}

2

_{Delft University of Technology, The Netherlands}

1

_{{nza,bsl,hnn}@cs.nott.ac.uk,}

2

_{[email protected]}

Abstract

The model-checking problem for Resource Agent Logic is known to be undecidable. We review ex-isting (un)decidability results and identify a signif-icant fragment of the logic for which model check-ing is decidable. We discuss aspects which makes model checking decidable and prove undecidabil-ity of two open fragments over a class of models in which agents always have a choice of doing noth-ing.

1

Introduction

There exist several formalisms that extend Alternating Time Temporal Logic (ATL), [Alur et al., 2002] with reasoning about resources available to agents and production and con-sumption of resources by actions, see, for example, [Bulling and Farwer, 2010; Alechinaet al., 2010; Della Monicaet al., 2013; Alechina et al., 2014; Bulling and Goranko, 2013]. When the production of resources is allowed, the model-checking problem for many of these logics is undecidable [Bulling and Farwer, 2010; Bulling and Goranko, 2013]. Re-cently, however, it was shown that some resource logics with production of resources have a decidable model checking problem [Alechinaet al., 2014]. In this paper, we investigate the reasons for decidability or undecidability of the model-checking problem for resource logics. There is a quite be-wildering variety of choices for the syntax and semantics of resource logics, for example, the precise definition of when a joint action is ‘affordable’ by a coalition of agents (can the agents pool their resources, and can they use resources pro-duced by the joint action to offset the costs involved in the action). Many of these choices do not affect the decidability or otherwise of the model-checking problem. In particular, the decidability result of [Alechinaet al., 2014] was proven in the presence of two major restrictions called, using the no-tion of [Bulling and Farwer, 2010],resource flatand propo-nent restricted. The former assumes that agents are always re-equipped with fresh resources when they reconsider their strategies; the latter assumes that only the proponents act un-der resource bounds. In addition to these restrictions, another

∗

Acknowledgements: This work was supported by the Engineering and Physical Sciences Research Council [grant EP/K033905/1].

choice in the semantics seems to be relevant for decidability. This choice, which is also related to the finitary and infinitary semantics of [Bulling and Farwer, 2010], stipulates whether in every model, agents always have a choice of doing noth-ing (executnoth-ing an idle action) that produces and consumes no resources [Alechina et al., 2014]. Apart from the tech-nical convenience for model-checking (intuitively it implies that any strategy to satisfy a next or until formula only needs to ensure the relevant subformula becomes true after finitely many steps, and after that the agents can always choose the idle action which does not increase the ‘cost’ of the strategy), this choice is motivated in [Alechinaet al., 2010] by the prop-erties of the logic, e.g., coalition monotonicity.

In this paper, we investigate the effects of various semantic choices such as idle on the decidability of the model-checking problem. First we show that the resource-flat as well as the proponent-restricted fragment of resource agent logic remain undecidable in the presence of idle actions. We then identify and motivate a significant, non resource-flat fragment that has a decidable model checking property in the presence of idle actions, and is not decidable otherwise. It follows that idle actions can make a difference for the decidability of model checking with respect to the semantics considered in this pa-per.

The paper is organised as follows. In Section 2 we intro-duce our version of resource agent logic, its models and the semantics. Afterwards, we put our setting in context with existing work, discussing the main differences and the main (un)decidability results. Based on this comparison we re-view results shedding light into different semantic choices. We give our first technical undecidability results and iden-tify a new, non resource-flat fragment of resource agent logic. Section 4 presents our second technical result: a decidabil-ity result for the newly identified fragment. We conclude in Section 5.

2

Resource Agent Logic

In this section we define the logic resource agent logic

RAL and resource-bounded models. We essentially fol-low [Bulling and Farwer, 2010], combined with aspects from [Alechina et al., 2014]. We point out the similarities and differences in more detail in Section 3.1.

Syntax.The logic is defined over a set of agents_Agt, a set of resources typesResand a set of propositional symbolsΠ.

Anendowment (function)η : Agt×Res →N∞0 is used to

assign resources to agents;ηa(r) = η(a, r)is the number of

resources agentahas of resource typer. WithEnwe denote the set of all possible endowments. Resource types can rep-resent, for example, money, fuel, and battery power. Special minimal and maximal endowment functions are denoted by¯0 and∞¯, respectively. The former expresses that there are no resources at all, whereas the latter equips all agents with an infinite amounts of resources. The logicRALis defined ac-cording to the grammar ofATL[Aluret al., 2002] where two types of cooperation modalities are available, the meaning of which is explained below.RAL-formulae are defined by:

φ::=p| ¬φ|φ∧φ| hhAii↓_BXϕ| hhAiiη_BXϕ| hhAii↓_BϕUψ| hhAiiη_BϕUψ| hhAii↓_BGϕ| hhAiiη_BGϕ

wherep∈Πis a proposition,A, B⊆Agtare sets of agents, andη is an endowment. We also define hhAii↓ _{and hhAii}η

as abbreviations for hhAii↓_A and hhAiiη_A, respectively. The operatorsX,U, andGdenote the standard temporal opera-tors expressing that some property holds in thenextpoint in time,untilsome other property holds, andnow and alwaysin the future, respectively. Both types of cooperation modality, hhAii↓_BandhhAiiη_B, assume thatallagents inA∪Bconsume and produce resources. The reading ofhhAiiη_Bϕis thatagents

A have a strategy compatible with the endowmentη to en-forceϕ. The formulahhAii↓_Bϕreads similarly but the strategy must be compatible with the resources currently available to the agents. In both cases compatible means that the strategy can be executed given the agents’ resources. For both modal-ities it is necessary to keep track of resource production and consumption during the execution of a strategy. The evalua-tion of a modalityhhAiiη_B, however, (re-)equips all agents with afreshamount of resources: the current resource endowment is overwritten by endowmentη.

Semantics. We define the models of RALas in [Bulling and Farwer, 2010]. Following [Alechinaet al., 2014] we also define a special case of these models in which agents have anidle actionin their repertoire which neither consumes nor produces resources.

Definition 1 (RBM,iRBM). A resource-bounded model (RBM) is given by M = (Agt, Q,Π, π, Act, d, o, Res, t) whereAgt = {1, . . . , k} is a set of agents; π : Q → ℘Π is a valuation of propositions;Actis a finite set of actions; and the functiond : Agt×Q → ℘Act\{∅} indicates the actions available to agent a ∈ Agt in state q ∈ Q. We write da(q) instead of d(a, q), and use d(q) to denote the

setd1(q)×. . .×dk(q)of action profiles in state q.

Simi-larly,dA(q)denotes the action tuples available toAinq. o

is a serial transition function which maps each stateq ∈ Q

and action profileα = hσ1, . . . , σki ∈ d(q) (specifying a

move for each agent) to another stateq0 =o(q, α). Finally, the functiont :Act×Res → Zmodels the resources con-sumed and produced by actions. We define prod(σ, r) := max{0, t(σ, r)}(resp.cons(σ, r) := min{0, t(σ, r)}) as the amount of resourcer produced (resp. consumed) by action

σ. Forα =hσ, . . . , σki, we useαAto denote the sub-tuple

consisting of the actions of agentsA⊆Agt.

AnRBMwith idle actions,iRBMfor short, is anRBM

Msuch that for all agentsa, all statesq, and all resource typesrinM, there is an actionσ∈da(q)witht(σ, r) = 0.

We refer to this action (or to one of them if there is more than one) as theidle actionofaand denote it byidle.

Apathλ∈ Qω_{is an infinite sequence of states such that}

there is a transition between two adjacent states. A resource-extendedpathλ ∈ (Q×En)ω _{is an infinite sequence over} Q×Ensuch that the restriction to states (the first compo-nent), denoted by λ|Q, is a path in the underlying model.

The projection of λto the second component of each ele-ment in the sequence is denoted by λ|En. We define λ[i]

to be the i+ 1-th state of λ, and λ[i,∞] to be the suffix

λ[i]λ[i+ 1]. . .. A strategy for a coalition A ⊆ Agt is a functionsA : Q+ → ActA such thatsA(λq) ∈ dA(q)for λq ∈ Q+_{. Such a strategy gives rise to a set of}

(resource-extended) paths that can emerge if agents follow their strate-gies. A (η, sA, B)-pathis a resource-extended path λsuch

that for all i = 0,1, . . .withλ[i] := (qi, ηi)there is an

ac-tion profileα∈d(λ|Q[i])such that: (1)η0=η(ηdescribes

the initial resource distribution), (2)sA(λ|Q[0, i]) = αA (A

follow their strategy), (3)λ|Q[i+ 1] = o(λ|Q[i], α)

(transi-tion according toα), (4) for all a ∈ A∪B andr ∈ Res:

ηi

a(r) ≥ cons(αa, r) (each agent has enough resources to

perform its action), (5) for alla ∈ A∪B and r ∈ Res:

ηi+1

a (r) =ηai(r) +prod(αa, r)−cons(αa, r)(resources are

updated). (6) for alla ∈ _Agt\ (A ∪B) andr ∈ Res:

ηi+1

a (r) = ηai(r) (resources remain unchanged for agents

not inA∪B). The(η, B)-outcomeof a strategy sA inq,

out(q, η, sA, B), is defined as the set of all(η, sA, B)-paths

starting inq. Truth is defined over an RBM M, a state

q ∈ QM, and an endowmentη. Thesemanticsis given by

the satisfaction relation|=where the cases for propositions, negation and conjunction are standard and omitted:

M, q, η|=hhAii↓_Bϕ iff there is a strategysAforAsuch that

for allλ∈out(q, η, sA, B),M, λ, η|=ϕ

M, q, η|=hhAiiζ_Bϕ iff there is a strategysAforAsuch that

for allλ∈out(q, ζ, sA, B),M, λ, ζ|=ϕ

M, λ, η|=Xϕ iffM, λ|Q[1], λ|En[1]|=ϕ

M, q, η|=ϕUψ iff there exists i with i ≥ 0 and M, λ|Q[i], λ|En[i] |= ϕand for all j with 0 ≤ j < i

M, λ|Q[j], λ|En[j]|=ψ

M, q, η|=Gϕ iff for alli≥0,M, λ|Q[i], λ|En[i]|=ϕ

The model checking problem is stated as follows: does M, q, η |= ϕ hold? When the context is clear, we simply writeq, η|=ϕ; ifϕis only a propositional formula, we might also ignoreη.

Observe that the standard ATL modalitieshhAiican be de-fined ashhAii∞¯

Agt, so the logic is a proper extension of ATL. Remark 1. We refer to the semantics introduced above as infinitary semantics. In [Bulling and Farwer, 2010] the main semantics also allows for finite (maximal) paths. We refer to that semantics asfinitary semantics. We note that both semantics coincide overiRBMs, as is is always possible to extend a path due to the idle actions.

resource-flat fragment,rfRAL, only allows cooperation modalities of typehhAiiη_B: agents are always (re-)equipped with a fresh set of resources whenever they re-consider their strategies. The proponent restricted fragment,prRAL, only allows coopera-tion modalities of typeshhAii↓ _andhhAiiη_{: only the}

propo-nents are assumed to make use of resources. The fragment combining both restrictions is denoted byrfprRAL.

3

The Quest for Decidability

We first discuss differences and similarities to the original re-source agent logics. We present the main idea underlying the undecidability of model-checking results from [Bulling and Farwer, 2010] and investigate the reasons for the (un)decidability. We present new undecidability results, and motivate a new fragment ofRAL.

3.1

Two Related Logics

The logic presented here is based on the resource bounded logics of [Bulling and Farwer, 2010] and [Alechina et al., 2014]. The authors of the former paper introduce a very gen-eral framework. Sevgen-eral interesting special cases are identi-fied, and the (un)decidability of their model checking prob-lems investigated. In the interests of readability, we refer to the setting of [Bulling and Farwer, 2010] byS1 and to that

of [Alechina et al., 2014] by S2. The language ofRAL is

almost identical to the setting ofS1, except that we do not

allow the release operator. Essentially, S2 corresponds to

the resource-flat and proponent-restricted fragment ofRAL.

RBMs serve as models of S1, where S2 uses iRBMs.

There are negligible differences in how the production and consumption of resources are handled. InS2both are

consid-ered at the same time; here, actions first consume resources and afterwards produce them. However this is just a mod-elling issue. Most results of S1 are given in terms of the

finitary semantics (cf. Remark 1). Finally, inS1agents

be-longing to the same group—either to the proponents or the opponents—are allowed to share their resources, whereas in our setting each agent has its own resource balance. This change does not affect the (un)decidability results given here, but eases the presentation.

3.2

Investigating the Boundary of (Un)Decidability

In [Bulling and Farwer, 2010] it was shown that many— actually most—fragments of their resource agent logic are undecidable. However, an interesting case remained open: the resource-flat, proponent-restricted fragment. Just re-cently, this open problem has been shown to be decidable in [Alechinaet al., 2014; Alechinaet al., 2015]:

Observation 1. rfprRALis decidable overiRBMs.

A natural question arises: Could we extend the decidabil-ity to more expressive fragments? We first show that propo-nent restrictedness is essential for decidability, including over

iRBMs.

The Non-Proponent Restricted Fragment

In [Bulling and Farwer, 2010] it was shown that model checking formulae of typehh1ii¯0

AgtFhaltis undecidable over

RBMs. However the decidability of this fragment was open

overiRBMs. In Theorem 1, we show that undecidability continues to hold. Before we sketch the proof we present the basic idea underlying the reductions of [Bulling and Farwer, 2010].

The undecidability of the model checking problems is shown by reducing the halting problem fortwo counter ma-chines(also called Minsky machines) [Hopcroft and Ullman, 1979]. A two-counter machine is essentially a pushdown au-tomaton with two stacks. The stacks are represented as two counters over natural numbers. Each of the two counters (1

and2) can be incremented, decremented (if non-zero), and tested for zero. The behaviour of such an automaton is speci-fied by a transition relation(s, E1, E2)∆(s0, C1, C2)with the

following meaning: a transition from automaton state sto

s0 isenabled if counteri ∈ {1,2} satisfies conditionEi ∈ {zero,non-zero} (with the obvious meaning). If the transi-tion istakenthe automaton changes its control state fromsto

s0_{, and counteriis updated by addingC}

i ∈ {−1,0,+1}. It

is said that the automaton halts on empty input iff thehalting stateof the automaton is reached by subsequently taking en-abled transitions. The main idea of the reduction of the halt-ing problem is to encode the transition table of the automaton as anRBM. The two counters are simulated by two resource types. The model consists of two agents: thesimulatoragent

1and thespoileragent2. Agent1is supposed to select tran-sitions of the automaton where agent2is used to ensure that only enabled transitions are selected by agent1. The basic modelling of a single transitions(s, E1, E2)∆(s0, C1, C2)is

shown in Figure 1. The first action(E1, E2)of agent 1 is

used to (partially) check whether a transition of the automa-ton is enabled. That is, ifEi = non-empty, agent1 must

have a resource of typeito execute the action. If such an action is taken, the system enters a “test state”sE1E2_{. The} purpose of the test state is to check whether a transition with

Ei=empy is only selected by agent1if counteriis indeed

zero, i.e. ensures a correct simulation. Note that, in general, nothing prevents agent1from executing such an action if it has resources available, although it should only be executed if no resources are available. Essentially, the problem is that it is not possible to directlytest for zeroin the model.1 The workaround proposed in [Bulling and Farwer, 2010] is to use the spoiler agent 2 to perform the “zero test”. The idea is that in test statesE1E2_{, agent 2 must not be able to reach} thefail stateqe. Reaching the fail state is only possible if

resources are available when there should not be any. This is encoded by actiontE1

E2in the model. For example, if counter1 should be empty,E1=empty, the actiontEE12can only be ex-ecuted if resources of type1are available. However, this also requires that agent 2 correctly mirrors agent1’s resource bal-ance, i.e.2also simulates the counter values. This is achieved by making the model turn-based. Once agent1has executed an action(s0, C1, C2)an intermediate state is introduced in

which agent2 has a single choice with the same effect on the resources as agent1’s previous action (dotted rectangle in Fig. 1). Based on this encoding it is shown (using the finitary

1

fail

(E1, E2)

sE1E2

s

tE1

E2

s

0

q

e

next transition previous

transition

transition only available if a counter should

be zero, i.e. check required action requires a resource

of type i if counter i is empty

action

of ag. 1 _{of ag. 1}action

handling to ensure that ag. 2 mirrors

ag. 1’s resource balance (cf. Fig. 2)

…

[image:4.612.57.296.53.140.2]

(s0_{, C1, C2)}

Figure 1: The reduction used wrt.RBMs is without dashed loops, whereas for the reduction wrt. iRBMs (cf. Cor. 1) dashed loops have to be taken into account.

fail

sE1E2

s

sC10C20

j

s

j

((E1, E2), nop)

halt

((s0, C1, C2), nop) (nop,(s

0_{, C} 1, C2))

ag. 1 does

idle

auxiliary halting state (will satisfy formula)

q

i

q

e

fail state (will falsify formula)

ag. 1 does

idle ag. 1 does

idle

ag 2. does

t

E1 E2

or ag. 1 does

idle

only ag. 2 does

idle

only ag. 2 does idle

only ag. 2 does idle only ag. 2

does idle

action only available if a counter should be

zero, i.e. check r equir

ed

ag.1 chooses first part

of transition

ag.1 chooses effect of a transition

ag.2 mirrors ag. 1’s action (unique action or idle)

Figure 2: The reduction used wrt.iRBMs forrfRAL.

semantics) that the automatonAhalts on the empty input if, and only if,M(A), qinit,¯0 |=hh{1}ii

¯ 0

{1,2}FhaltwhereM(A)

is theRBM constructed fromA. The state corresponding to the automaton’s accepting state is labelledhalt. In order for the reduction to work overiRBMs the main difficulty is the correct mirroring of1’s resources by agent2in the pres-ence of idle actions. The modified encoding of a transition

(s, E1, E2)∆(s0, C1, C2)is illustrated in Figure 2.

Theorem 1. Model checking rfRAL over the class of

iRBMs is undecidable, even for two agents and formulae of typehh1ii¯0

{1,2}Fp.

Proof sketch. We argue that the automaton A halts on the empty input iff M(A), qinit,¯0 |= hh1ii

¯ 0

{1,2}Fhalt, where M

is the encoding of the automaton following the idea shown in Figure 2. First, we observe that the execution of an idle action by agent 1 would immediately falsify the formula, as stateqewould be reached. Similarly, if agent 2 does idle and

agent 1 does not, the formula will be true. As we are look-ing for a winnlook-ing strategy of1againstallstrategies of2we can neglect the cases where any of the agents performs the idle action. Again, the encoding describes the modelling of a transition(s, E1, E2)∆(s0, C1, C2). In this modelling the

simulation of agent1’s resources by agent2is made explicit.

In states sC01C20

j , agent 2 can only perform the same action

(apart from the idle action) as the one selected by agent1in statesE1E2 _{with the same resource consumption and} produc-tion. We briefly sketch the correctness of the reducproduc-tion. (i)

Ahalts. Then, agent 1 simulates the transitions of the au-tomaton’s accepting run. Agent 2 will never be able to reach the fail stateqe. Moreover, either agent 2’s resources

cor-rectly simulate1’s resources, or agent2does the idle action. In both cases either the halting state or the auxiliary halting stateqi, both labelledhalt, are reached. The formula is true. (ii)Let the formula be true. Agent1must have a strategy that guarantees reaching a state labelledhaltagainst all strategies of 2, including 2’s strategy in which 2 never performs the idle action. This strategy of2correctly mirrors1’s resources and ensures that1’s strategy only selects enabled transitions. Thus, the strategy of1encodes an accepting run of the au-tomaton.

The Proponent Restricted Fragment

Theorem 1 shows that the restriction of resource-flatness is not enough to obtain a decidable model checking property. We turn to the proponent-restricted fragment. Below we show, by adopting the undecidability proof of [Bulling and Farwer, 2010] forprRALto work overiRBM’s, thatprRAL

is also undecidable overiRBMs. This is a negative result; however, in contrast to Theorem 1, the formula used in the re-duction is more complex, and leaves room for restricting the temporal structure of the language. Indeed, this is the moti-vation for the decidable fragment ofprRALthat we introduce in Section 3.3.

Corollary 1 (of [Bulling and Farwer, 2010]). Model

check-ingprRALover the class ofiRBMs is undecidable even in

the case of a single agent.

Proof sketch. The undecidability proof for prRAL over

RBMs of [Bulling and Farwer, 2010] essentially follows the encoding shown in Figure 1. The difference is that the second agent is removed (as well as the dotted box, implementing the resource mirroring behaviour), and agent

1 itself is used to perform the “zero test”. This requires a slightly more sophisticated formula: the automaton A halts on the empty input if, and only if, M(A), qinit,¯0 |=

hh{1}ii¯0_((¬hh{1}ii↓_{Xfail)Uhalt). The main idea is that in} test state sE1E2_{, agent1 must not be able to reach the fail} stateqe, which is expressed by¬hh{1}ii↓Xfail. Now, in order

to extend the reduction to work overiRBMs, we add reflex-ive loops (dashed in the figure) which represent agent1’s idle actions. It is easy to see that the reduction still works. The agent would not be able to reach the halting state (labelled

halt) if it had taken an idle loop forever, nor would it help the agent, in its role as opponent, to reach the fail state.

3.3

A Decidable Fragment of

RAL

Following the observation made in the previous section, we define a proponent-restricted but not resource-flat fragment of RAL that has a decidable model checking property. Let us first introduce thepositive fragmentofRALas the set of allRAL-formulae where no cooperation modality is under the scope of a negation symbol, and let theU-restrictedfragment of RALrestrict the use of the until operatorUsuch that the formulaeϕ1on the left-hand-side ofϕ1Uϕ2is purely

[image:4.612.56.290.187.349.2]

Definition 2 (The fragmentprRALr_{). The logic prRAL}r _is defined as the proponent-restricted, positive andU-restricted fragment ofRAL.

The prRALr_{-fragment allows us to express properties of}

coalitions of agents which re-consider their strategies with-out being re-equiped with fresh resources. An example of a property expressible in prRALr _{(but not in a}

resource-flat fragment) is, for example, “given their initial battery charge, rescue robots A can safely get to a position from which they can perform rescue while in visual contact with the base”. Formally, this can be specified by the formula hhAiiηinit_(safeU(hhAii↓_{(visualUrescue))). Intuitively, this}

re-flects the constraint that the robots cannot recharge their bat-teries after reaching the position where they can perform res-cue while in visual contact with the base. Another example is given by the formulahh1,2iiηinit_{F(rob∧ hh1ii}↓_Fescape)

ex-pressing that the coalition{1,2}can cooperate to eventually rob a bank and then agent1can ensure to escape on its own using only its remaining resources.

Before we show the decidability ofprRALr_overiRBMs

in the next section, we make the following observation which follows from [Bulling and Farwer, 2010, Theorem 6]: Observation 2. Model checkingprRALr_{overRBMs is} un-decidable.

4

Model-checking

prRAL

r

In this section we introduce a model-checking algorithm for

prRALr_{and prove its correctness. In what follows, we assume}

that the functionatl(φ)that returns the formula where each hhAii↓andhhAiiζ_{inφis replaced byhhAii.}

Theorem 2. The model-checking problem for prRALr _over iRBMs is decidable.

To prove decidability, we give an algorithm which requires as inputM,q,η,φand returns true or false. We prove ter-mination and correctness of the algorithm in Lemmas 1 and 2 below. Given φ, we produce a set of subformulas of φ,

Sub(φ), in the usual way, except thathhAii↓_andhhAiiζ

modal-ities are replaced by standard ATL modalmodal-itieshhAii.Sub(φ)is ordered in increasing order of complexity. Note that if a state

sis not annotated with the standard ATL modalityhhAii, then it cannot satisfyhhAii↓ orhhAiiζ_{. Algorithm 1 simply labels}

the subformulas ofφusing the standard ATL labelling algo-rithm [Aluret al., 2002]. It then calls the functionSTRATEGY to label states withφ. (Note that we do not label states with subformulas ofφinvolvinghhAii↓_orhhAiiζ _{modalities as in}

[Alechinaet al., 2014].)

Algorithm 1Labellingφ

procedureLABEL(M, φ, η) forφ0∈Sub(φ)do

[φ0_{]M ← {q|q∈Q∧ATL-LABEL(M, φ}0_)} [φ]M← {q|q∈Q∧STRATEGY(node0(q, η), φ)}

STRATEGYproceeds by depth-first and-or search, process-ing each coalition modality in turn startprocess-ing from the out-ermost modality. Each temporal operator is handled by a

Algorithm 2Strategy

functionSTRATEGY(n, φ) caseφis propositional

returns(n)|=φ

caseφ=ψ1∧ψ2

returnSTRATEGY(node0(s(n), e(n)), ψ1)∧

STRATEGY(node0(s(n), e(n)), ψ2)

caseφ=ψ1∨ψ2

returnSTRATEGY(node0(s(n), e(n)), ψ1)∨

STRATEGY(node0(s(n), e(n)), ψ2)

caseφ=hhAii↓Xψ

returnX-STRATEGY(node0(s(n), e(n)), φ)

caseφ=hhAiiζ_Xψ

returnX-STRATEGY(node0(s(n), ζ), φ)

caseφ=hhAii↓ψ1Uψ2

returnU-STRATEGY(node0(s(n), e(n)), φ)

caseφ=hhAiiζ_ψ

1Uψ2

returnU-STRATEGY(node0(s(n), ζ), φ)

caseφ=hhAii↓_Gφ

returnG-STRATEGY(node0(s(n), e(n)), φ)

caseφ=hhAiiζ_Gφ

returnG-STRATEGY(node0(s(n), ζ), φ)

separate function: X-STRATEGY for Xψ, U-STRATEGY for

ψ1Uψ2, and G-STRATEGYfor Gψ. We record information

about the state of the search in a search tree of nodes. Anode is a structure which consists of a state of M, the resources available to the agentsAin that state (if any), and a finite path of nodes leading to this node from the root node. Edges in the tree correspond to joint actions by all agents. Note that the re-sources available to the agents in a state on a path constrain the edges from the corresponding node to be those actions

αwhere for all proponent agentsa,cons(α)is less than or equal to the available resources of agenta. We compare vec-tors of resources in a usual way, for exampleζa ≥cons(αa)

stands for ζa(r) ≥ cons(αa, r) for all resourcesr. For an

action tupleσbyA⊆_Agt, we writecons(σ)to refer to the tuple(cons(σa))a∈A. For each nodenin the tree, we have a

functions(n)which returns its state,p(n)which returns the nodes on the path ande(n)which returns the resource avail-ability for all agents as a result of followingp(n). The func-tion node0(s, η)returns the root node, i.e., a node n0 such

that s(n0) = s,p(n0) = [ ]ande(n0) = η. The function

node(n, s0_{, α, A,∗)whereA⊆}

Agtis the current set of

pro-ponents and∗ ∈ {↓, ζ}returns a noden0 wheres(n0) =s0,

p(n0_{) = [p(n)·n]and}

ea(n0) =

( _ζ

a if∗=ζ

ea(n) if∗=↓anda6∈A ea(n)+prod(α)−cons(α) if∗=↓anda∈A

X-STRATEGY for hhAii↓Xψ and hhAiiζ_{Xψ formulas is}

Algorithm 3X strategy (both types of modalities)

functionX-STRATEGY(n,hhAii∗_Xψ) ifs(n)6|=atl(hhAii∗Xψ)then

returnfalse

ActA← {σ∈dA(s(n))|cons(σ)≤eA(n)} forσ∈ActAdo

Act={α∈d(s(n))|αA=σ}

strat ←true forα∈Actdo

s0 ←out(s(n), α)

strat ←strat∧

STRATEGY(node(n, s0, α, A,∗), ψ) ifstratthen

returntrue

returnfalse

in Algorithm 5. Again we check if the search should be ter-minated with false, either because the standard ATL modal-ity doesn’t hold, or because the current path terminates in a resource consuming cycle, or if the current endowment re-sults inφbeing false. We then check the path for productive loops, and update the endowment if we find one. arb de-notes an arbitrary finite value that can be decremented, i.e., wherearb−k <arb(unlike for infinity).e(n)(a, r) =arb indicates that the pathp(n)terminates in a ‘productive loop’, which can be traversed multiple times to generate an arbitrary amount of resourcerfor agenta.2 _{If the current path}

termi-nates in a nondecreasing loop, we return true. Otherwise we continue the search for a nondecreasing loop. U-STRATEGY forhhAii↓_ψ

1Uψ2andhhAiiζψ1Uψ2formulas is shown in

Al-gorithm 4, and is similar toG-STRATEGY. FirstU-STRATEGY checks whether false should be returned because the ATL ver-sion of the formula is false, or the current path has an unpro-ductive loop. We then check the path for prounpro-ductive loops, and update the endowment if we find one. If the ATL version ofψ2is true, we try to find a strategy to enforceψ2), and if

we are successfulU-STRATEGY returns true. Otherwise the search continues, because the node whereSTRATEGY(n, ψ2)

returns true may be found later on the path. Note that if all resources are updated to arb and a repeated call to STRAT-EGY(n, ψ2)returns false, the algorithm will return false

be-cause of the first check for unproductive loops.

Lemma 1. Algorithm 2 terminates.

Proof. (sketch). The proof is by induction on the length of the formula. Calls for propositional formulas clearly termi-nate. For the inductive step, we need to show that a call for any connective terminates provided calls for lower complex-ity formulas terminate. Conjunction and disjunction are obvi-ous.X-STRATEGYmakes a recursive call to aSTRATEGYof a smaller complexity formula after one step. ForU-STRATEGY andG-STRATEGY, the recursion calls are infinite iff endow-ments (considered as a vector of size|_Agt| × |Res|) are never comparable. However, it can be shown that they are always

2

In what follows, we denote byarbA :A×Res→ {∞,arb}

anarbor infinite endowment for agents inA⊆Agt.

Algorithm 4U strategy

functionU-STRATEGY(n,hhAii∗ψ1Uψ2)

ifs(n)6|=atl(hhAii∗_ψ

1Uψ2)then

returnfalse

if∃n0_{∈p(n) :s(n}0_{) =s(n)∧e}

A(n0)≥eA(n))then

returnfalse

for(a, r)∈ {a∈A, r∈Res| ∃n0∈p(n) :

s(n0_{) =s(n)∧e}

A(n0)≤eA(n)∧ e(n0)(a, r)< e(n)(a, r)}do

e(n)(a, r)←arb ifs(n)|=atl(ψ2)then

strat ←STRATEGY(n, ψ2)

ifstratthen

returntrue

else

ActA← {σ∈dA(s(n))|cons(σ)≤eA(n)} forσ∈ActAdo

Act={α∈d(s(n))|αA=σ}

strat←true forα∈Actdo

s0_{←out(s(n), α)} strat ←strat∧

U-STRATEGY(node(n, s0_{, α, A,∗),} hhAii∗ψ1Uψ2)

ifstratthen

returntrue

returnfalse

Algorithm 5G strategy

functionG-STRATEGY(n,hhAii∗_Gψ) ifs(n)6|=hhAii∗Gψthen

returnfalse

if∃n0 ∈p(n) :s(n0) =s(n)∧(∀r:er(n0)≥er(n))∧

(∃j:ej(n0)> ej(n))or¬STRATEGY(n, ψ)then

returnfalse

for(a, r)∈ {a∈A, r∈Res| ∃n0∈p(n) :

s(n0_{) =s(n)∧e}

A(n0)≤eA(n)∧ e(n0)(a, r)< e(n)(a, r)}do

e(n)(a, r)←arb

if∃n0_{∈p(n) :s(n}0_{) =s(n)∧e}

A(n0)≤eA(n))then

returntrue

ActA← {σ∈dA(s(n))|cons(σ)≤eA(n)} forσ∈ActAdo

Act={α∈d(s(n))|αA=σ}

strat ←true forα∈Actdo

s0_{←out(s(n), α)} strat←strat∧

G-STRATEGY(node(n, s0_{, α, A,∗),hhAii}∗_Gψ) ifstrat then

returntrue

going to become comparable after finitely many steps, us-ing the technique in [Alechinaet al., 2014] or [Reisig, 1985, p.70].

Lemma 2. Algorithm 2 is correct, that is,STRATEGY(n, φ) returns true iffs(n), e(n)|=φ.

Proof. (sketch). The proof is by induction on the modal depth of the formula. The base case (propositional for-mulas) is immediate. For the inductive step, we assume that the lemma holds for modal depth k, and show it for modal depth k + 1. The proof of the inductive step is by cases on the main connective of φ. The most diffi-cult case is when φ = hhAii↓ψ0Uψ. We need to show that U-STRATEGY(node0(s(n), e(n)), φ) returns true iff iff

s(n), e(n)|=hhAii↓ψ0Uψ.

(⇒) : Let T denote the search tree rooted at n0 =

node0(s, η)whenU-STRATEGY(node0(q, η), φ) returns true.

Each node n in T is additionally annotated with the ac-tual 3 _{endowment e}0_{(n) :}

Agt×Res → Z∪ {∞} where (e0(n0))i=ηi+P_n0_∈p(n)t(ai(n0)). LetsTdenote the

strat-egy forAwhere for each noden∈ T withp(n) =n1. . . n

sT(s(n1). . . s(n)) = (a(n))Afor alln∈T andn1. . . n=

p(n). Note that,(e0(n))i(r)can be negative forrandiwhich

meanssT is not a valid strategy. Then, there must be nodes n0_{, n}00 _{∈ p(n)such that (e(n}0₎₎

r(i) = arb because of

en-dowment inn00. Letn0=stopr(n)andn00=startr(n). Let T(n)denote the subtree ofTstarting fromn. For a resource

r, if there is a node nwith(e0(n))i(r) < 0 for someiwe

extendT such that(e0_(n))

i(r) ≥0by repeating the branch

betweenstartr(n)andendr(n)finitely many times. Case 1: n is the only node in T(startr(n)) with

(e0(n))r(a)<0as depicted by Figure 3a.

n0

start

r(n)

n stop

r(n)

n0

start

r(n)

n stop

r(n) n

n

n

n (a)

[image:7.612.333.539.178.300.2]

(b)

Figure 3:nis only node with(e0(n))r(a)<0inT(startr(n))

Assume that the path fromstartr(n)toendr(n)increases rbyg. Then, it is necessary to repeat this pathd|(e0(n))r(a)|

g e

times, as depicted in Figure 3b.

Case 2: n is not the only node in T(startr(n)) with

(e0_(n))

r(a) < 0. Other nodes n0 are either in the

sub-treeT(stopr(n))(as depicted by Figures 4a) or in the

sub-tree of T(startr(n)) but not T(stopr(n)) (as depicted by

Figures 4b). Without loss of generality, we assume that

startr(n)is the ancestor ofstartr(n0)for any of suchn0.

Again, assume that the path from startr(n) to endr(n)

increasesrbyg. Then, it is necessary to repeat this pathk=

d|(e0(n))r(a)|

g etimes, as depicted in Figure 5a. Note that this

repetition will also repeat nodesn0which are in the subtree of

3

i.e., not containingarb.

start r (n)

stop r(n)

n

start

r(n)

stop

r(n)

n' start

r(n)

stop r (n)

n

start

r(n')

stop

r(n')

n'

(a) (b)

Figure 4:T(startr(n))also haven0with(e0(n0))r(a)<0.

T(startr(n))but notT(stopr(n))and have(e0(n0))r(a)<

0asn0

1, . . . , n0kdepicted in Figure 5b.

start r (n)

stop r (n)

n

start

r

(n')

stop

r(n') n' n

n n'k-1

n nk' nk

nk-1 n1 n

stop

r(n)

n n' n

n' n

n' n

n' n

n' n

n' n

n'

start r (n)

nk nk-1 n1

(a)

[image:7.612.70.286.422.509.2]

(b)

Figure 5: RepeatingT(startr(n)).

LetT1be the obtained tree. Then, the number of nodesn00

inT1(nk−1)with(e0(n00))i(r) < 0is strictly less than that

inT(startr(n)). Therefore, we can reapply the above

con-struction to obtain a treeT2where all nodesn00inT2(nk−1)

have(e0(n00))i(r) ≥ 0. These include noden0 as depicted

in Figure 5a and n0

k as depicted in Figure 5b. Then, we

further apply step by step the above construction for nodes

n0

k−1, . . . , n01 andn0 in Figure 5b. Finally, we obtain a tree

T3where all nodesn00have(e0(n00))i(r)≥0. This

construc-tion can be repeated for other resourcesr0 6= rand agents

i0 _{6=i. Finally, we obtain a treeT}

4where for all nodesnin

T4,(e0(n))i(r)≥0for allrandi.

(⇐) : As q, η |= hhAii↓_ψ0_{Uψ, there exists a strategy s}

A

such that for allλ ∈ out(q, η, sA, A) : ∃0 ≤ iλ < |λ| : λ|Q[iλ] |= ψ and ∀0 ≤ j < iλ : λ|Q[j], λ|En[j] |= ψ0. Let T = (V, E) be the tree induced by all runs

λ[0, iλ] for λ ∈ out(q, η, sA, A), i.e., V = {λ[0, i] | λ ∈ out(q, η, sA, A), i ≤ iλ} andE = {(λ[0, i], λ0[0, i+

1]) | λ, λ0 _{∈ out(s, η, s}

A, A), λ[0, i] = λ0[0, i], i < iλ}.

We shall cut T into a search tree which shows that U-STRATEGY(node0(q, η), φ) returns true. Note thatTmust be

finite and each edge inE corresponds to a join action of all agents.

Initially, letT0 =T, thenTl+1is constructed from Tl as

follows.

• If there is a nodeλ[0, i]inTlsuch that∃0 ≤j < k ≤ i : λ|Q[j] = λ|Q[k]∧λ|En[j] ≥ λ|En[k], thenTl+1 is

constructed fromTlby replacing the subtreeTl[λ[j]]by Tl[λ[k]].

• If there is a nodeλ[0, i] such that (λ|En[i])A = arbA,

thenTl+1is constructed fromTlby replacing the subtree Tl[λ[i]]by the only nodeλ[i].

thenTl+1is constructed fromTlby replacing the

endow-mentη0_{of all nodes(q}0_{, η}00_{)in the subtreeT}

l[λ[k]]byη00

where

η00a(r) =

ηa0(r) if(λ|En[j])a(r) =λ|En[k]a(r)

arb if(λ|En[j])a(r)< λ|En[k]a(r) • Otherwise,Tl+1=Tl, i.e., no more change.

The construction stops when Tl+1 = Tl. Let the resulting

treeTl+1=T0. For each nodeλ[0, i]inT0, we define a node

nλ[0,i]where: s(nλ[0,i]) =λ|Q[i],p(nλ[0,i]) = λ|Q[0, i−1]

ande(nλ[0,i]) =λ|En[i]. In the following, we show by

induc-tion on the length ofT0(λ[0, i])thatU-STRATEGY(nλ[0,i], φ)

returns true.

Base case: Assume that λ[0, i]is a leaf ofT0, then it is ei-ther a leaf fromT or an internal node from T that has an arbAendowment for agents inAby the second cut. Then, the

condition of the firstifstatement inU-STRATEGY(nλ[0,i], φ)

is false, sinceλ|Q[i] |= ψ in the former case andλ|Q[i] |= hhAiiψ0_{Uψin the latter case. The condition in the secondif} statement is also false since otherwiseT0can be cut further. Similarly, the conditions of the third and fourthifstatements are true; therefore,U-STRATEGY(nλ[0,i], φ)returns true.

Induction step: Assume that λ[0, i] is not a leaf of T0. Then the condition of the first if statement is false, since

q |= hhAiiψ0Uψ. The condition of the second if state-ment is also false, since otherwise T0 _{can be cut further.} The condition of the third or fourth if statement is false since otherwiseλ[0, i]must have been a leaf ofT0_. There-fore, the algorithm must enter the second for loop. For

α = sA(λ|Q[0, i]) ∈ DA(λ[i]) we have that, for every s0_∈out(λ|

Q[i], α)withn0 =node(nλ[0,i], s0, α, A,↓), there

must beλ0_{[0, i+ 1]inT}0_{such thatn}0 _=n

λ0[0,i+1]. By the

in-duction hypothesis,U-STRATEGY(nλ0[0,i+1], φ)returns true.

Thus,U-STRATEGY(nλ[0,i], φ)also returns true.

Obviously, U-STRATEGY(node0(q, η), φ) returns true

sincenλ[0]=node0(q, η)for anyλ[0, i]inT0.

The above proof can be adapted to the case φ =

hhAiiζ_ψ0_{Uψby exchanging the role ofη andζ. Finally, for} the caseφ = hhAii∗_{Gψ, we can also apply the above proof} strategy. In particular, if G-STRATEGY(node0(q, η), φ)

re-turns true, we construct a strategy from the search tree T

where each leaf n of T determines a subtree T(n0_{) where}

s(n0) = s(n) and eA(n0) ≤ eA(n) by the third if

state-ment. Then, we can replace all leaves n with T(n0₎ re-peatedly and end up with an infinite tree T0 which induces a strategysT0 to satisfy φ. Conversely, if q, η |= φ, then

φis satisfied by some strategysA, and we can cut the tree

of computations bysA into a search tree which shows that

G-STRATEGY(node0(q, η), φ)returns true.

5

Conclusion

In this paper we investigated the boundary of (un)decidable of logics for verifying resource bounded systems. We proved two undecidability results and identified a significant frag-ment of Resource Agent Logic with a decidable model check-ing property. From these results it also follows that the rather natural property on models — that agents can always decide to do nothing — can make model checking decidable.

References

[Alechinaet al., 2010] N. Alechina, B. Logan, H. N. Nguyen, and A. Rakib. Resource-bounded alternating-time temporal logic. In Proceedings of the 9th Inter-national Conference on Autonomous Agents and Multia-gent Systems (AAMAS 2010), pages 481–488. IFAAMAS, 2010.

[Alechinaet al., 2014] N. Alechina, B. Logan, H. N. Nguyen, and F. Raimondi. Decidable model-checking for a resource logic with production of resources. In Proceed-ings of the 21st European Conference on Artificial Intelli-gence (ECAI-2014), pages 9–14. ECCAI, IOS Press, 2014. [Alechinaet al., 2015] N. Alechina, B. Logan, H.N. Nguyen, and F. Raimondi. Model-checking for Resource-Bounded ATL with production and consumption of resources. Technical report, ArXiv e-prints 1504.06766, 2015.

[Aluret al., 2002] R. Alur, T. Henzinger, and O. Kupferman. Alternating-time temporal logic. Journal of the ACM, 49(5):672–713, 2002.

[Bulling and Farwer, 2010] N. Bulling and B. Farwer. On the (un-)decidability of model checking resource-bounded agents. InProceedings of the 19th European Conference on Artificial Intelligence (ECAI 2010), volume 215, pages 567–572. IOS Press, 2010.

[Bulling and Goranko, 2013] N. Bulling and V. Goranko. How to be both rich and happy: Combining quantita-tive and qualitaquantita-tive strategic reasoning about multi-player games (extended abstract). In Proceedings 1st Interna-tional Workshop on Strategic Reasoning, SR 2013, volume 112 ofEPTCS, pages 33–41, 2013.

[Della Monicaet al., 2013] D. Della Monica, M. Napoli, and M. Parente. Model checking coalitional games in shortage resource scenarios. InProceedings of the 4th International Symposium on Games, Automata, Logics and Formal Ver-ification (GandALF 2013, volume 119 of EPTCS, pages 240–255, 2013.

[Hopcroft and Ullman, 1979] J.E. Hopcroft and J.D. Ull-man. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 1979.

[Peterson, 1981] J. L. Peterson.Petri net theory and the mod-eling of systems, volume 132. Prentice-hall Englewood Cliffs (NJ), 1981.