Decidable Model-Checking for a Resource Logic with
Production of Resources
Natasha Alechina¹ and Brian Logan¹ and Hoang Nga Nguyen¹ and Franco Raimondi²
Abstract. Several logics for expressing coalitional ability under resource bounds have been proposed and studied in the literature. Previous work has shown that if only consumption of resources is considered or the total amount of resources produced or consumed on any path in the system is bounded, then the model-checking problem for several standard logics, such as Resource-Bounded Coalition Logic (RB-CL) and Resource-Bounded Alternating-Time Temporal Logic (RB-ATL), is decidable. However, for coalition logics with unbounded resource production and consumption, only some undecidability results are known. In this paper, we show that the model-checking problem for RB-ATL with unbounded production and consumption of resources is decidable.
1 INTRODUCTION
Alternating Time Temporal Logic (ATL) [2] is widely used in verification of multi-agent systems. ATL can express properties related to coalitional ability, for example one can state that a group of agents A has a strategy (a choice of actions) such that whatever the actions by the agents outside the coalition, any computation of the system generated by the strategy satisfies some temporal property. A number of variations on the semantics of ATL exist: agents may have perfect recall or be memoryless, and they may have full or partial observability. In the case of fully observable models and memoryless agents, the model checking problem for ATL is polynomial in the size of the model and the formula, while it is undecidable for partially observable models where agents have perfect recall [3]. Additionally, even in the simple case of fully observable models and memoryless agents, the complexity increases substantially if the model checking problem takes into account models with compact (implicit) representations [3].
In this paper, we consider an extension of perfect recall, fully observable ATL where agents produce and consume resources. The properties we are interested in are related to coalitional ability under resource bounds. Instead of asking whether a group of agents has a strategy to enforce a certain temporal property, we are asking whether the group has a strategy which can be executed under a certain resource bound (e.g., if the agents have at most b_1 units of resource r_1 and b_2 units of resource r_2). Clearly, some actions may no longer be used as part of the strategy if their cost exceeds the bound. There are several ways in which the precise notion of the cost of a strategy can be defined. For example, one can define it as the maximal cost of any path (computation of the system) generated by the strategy, where the cost of a path is the sum of resources produced and consumed by actions on the path. We have chosen a different definition which says that a strategy has a cost at most b if for every path generated by the strategy, every prefix of the path has cost at most b. This means that a strategy cannot, for example, start with executing an action that consumes more than b resources, and then ‘make up’ for this by executing actions that produce enough resources to bring the total cost of the path under b. It is however possible to first produce enough resources, and then execute an action that costs more than b, ensuring the cost of the path is less than b.
¹ School of Computer Science, University of Nottingham, UK, email: {nza,bsl,hnn}@cs.nott.ac.uk
² Department of Computer Science, Middlesex University, UK, email:
There are also many choices for the precise syntax of the logic and the truth definitions of the formulas. For example, in [4] several versions are given, intuitively corresponding to considering resource bounds both on the coalition A and the rest of the agents in the system, considering a fixed resource endowment of A in the initial state which affects their endowment after executing some actions, etc. Our logic is closest (but not identical) to LRAL with perfect recall, resource-flat, only proponents resource-restricted, and with finitary semantics defined in [4]. Decidability of the model-checking problem for this version of LRAL was stated as an open problem in [4]. In [6, 7] a different syntax and semantics are considered, involving resource endowment of the whole system when evaluating a statement concerning a group of agents A. As observed in [4], subtle differences in truth conditions for resource logics result in the difference between decidability and undecidability of the model-checking problem. In [4], undecidability for several versions of the logics is proved. The only decidable cases considered in [4] are an extension of Computation Tree Logic (CTL) [5] with resources (essentially one-agent ATL) and the version where on every path only a fixed finite amount of resources can be produced. Similarly, [6] gives a decidable logic PRB-ATL (Priced Resource-Bounded ATL) where the total amount of resources in the system has a fixed bound. The model-checking algorithm for PRB-ATL runs in time polynomial in the size of the model and exponential in the number of resources and the resource bound on the system. In [7] an EXPTIME lower bound in the number of resources is shown.
2 SYNTAX AND SEMANTICS OF RB±ATL
The logic RB-ATL was introduced in [1]. Here we generalise the definitions from [1] to allow for production as well as consumption of resources. To avoid confusion with the consumption-only version of the logic from [1], we refer to RB-ATL with production and consumption of resources as RB±ATL.
Let Agt = {a_1, . . . , a_n} be a set of n agents and Res = {res_1, . . . , res_r} be a set of r resources, Π denote a set of propositions and B = N^r_∞ denote a set of resource bounds where N_∞ = N ∪ {∞}.
T. Schaub et al. (Eds.)
© 2014 The Authors and IOS Press.
This article is published online with Open Access by IOS Press and distributed under the terms of the Creative Commons Attribution Non-Commercial License.
Formulas of RB±ATL are defined by the following syntax
ϕ ::= p | ¬ϕ | ϕ ∨ ψ | A^b ϕ | A^b □ϕ | A^b ϕ U ψ
where p ∈ Π is a proposition, A ⊆ Agt, and b ∈ B is a resource bound. Here, A^b ϕ means that a coalition A can ensure that the next state satisfies ϕ under resource bound b. A^b □ϕ means that A has a strategy to make sure that ϕ is always true, and the cost of this strategy is at most b. Similarly, A^b ϕ U ψ means that A has a strategy to enforce ψ while maintaining the truth of ϕ, and the cost of this strategy is at most b.
We extend the definition of concurrent game structure with resource consumption and production.
Definition 1. A resource-bounded concurrent game structure (RB-CGS) is a tuple M = (Agt, Res, S, Π, π, Act, d, c, δ) where:
• Agt is a non-empty set of n agents, Res is a non-empty set of r resources and S is a non-empty set of states;
• Π is a finite set of propositional variables and π : Π → ℘(S) is a truth assignment which associates each proposition in Π with a subset of states where it is true;
• Act is a non-empty set of actions which includes idle, and d : S × Agt → ℘(Act) \ {∅} is a function which assigns to each s ∈ S a non-empty set of actions available to each agent a ∈ Agt. For every s ∈ S and a ∈ Agt, idle ∈ d(s, a). We denote joint actions by all agents in Agt available at s by D(s) = d(s, a_1) × · · · × d(s, a_n);
• c : S × Agt × Act → Z^r is a partial function which maps a state s, an agent a and an action α ∈ d(s, a) to a vector of integers where the integer in position i indicates consumption or production of resource res_i by the action (positive value for consumption and negative value for production). We stipulate that c(s, a, idle) = ¯0 for all s ∈ S and a ∈ Agt where ¯0 = 0^r.
• δ : (s, σ) → S is a function that for every s ∈ S and joint action σ ∈ D(s) gives the state resulting from executing σ in s.
Given a RB-CGS M, we denote the set of all infinite sequences of states (computations) by S^ω and the set of non-empty finite sequences of states by S^+. For a computation λ = s_0 s_1 . . . ∈ S^ω, we use the notation λ[i] = s_i and λ[i, j] = s_i . . . s_j ∀ j ≥ i ≥ 0.
Given a RB-CGS M and a state s ∈ S, a joint action by a coalition A ⊆ Agt is a tuple σ_A = (σ_a)_{a∈A} such that σ_a ∈ d(s, a). The set of all joint actions for A at state s is denoted by D_A(s). Given a joint action by the grand coalition σ ∈ D(s), σ_A denotes the joint action executed by A: σ_A = (σ_a)_{a∈A}. The set of all possible outcomes of a joint action σ_A ∈ D_A(s) at state s is:
$$out(s, \sigma_A) = \{ s' \in S \mid \exists \sigma' \in D(s) : \sigma_A = \sigma'_A \wedge s' = \delta(s, \sigma') \}$$
The cost of a joint action σ_A ∈ D_A(s) is defined as
$$cost(s, \sigma_A) = \sum_{a \in A} c(s, a, \sigma_a).$$
Given a RB-CGS M, a strategy for a coalition A ⊆ Agt is a mapping F_A : S^+ → Act such that, for every λs ∈ S^+, F_A(λs) ∈ D_A(s). A computation λ ∈ S^ω is consistent with a strategy F_A iff, for all i ≥ 0, λ[i + 1] ∈ out(λ[i], F_A(λ[0, i])). We denote by out(s, F_A) the set of all consistent computations λ of F_A that start from s.
In the sequel, we use the usual point-wise notation for vector comparison and addition. In particular, (b_1, . . . , b_r) ≤ (d_1, . . . , d_r) iff b_i ≤ d_i ∀ i ∈ {1, . . . , r}, and (b_1, . . . , b_r) + (d_1, . . . , d_r) = (b_1 + d_1, . . . , b_r + d_r).
Given a bound b ∈ B, a computation λ ∈ out(s, F_A) is b-consistent with F_A iff, for every i ≥ 0,
$$\sum_{j=0}^{i} cost(\lambda[j], F_A(\lambda[0, j])) \le b$$
Note that this definition implies that the cost of every prefix of the computation is below b.
The set of all b-consistent computations of F_A starting from state s is denoted by out(s, F_A, b). F_A is a b-strategy iff out(s, F_A) = out(s, F_A, b) for any state s.
Given a RB-CGS M, a state s of M, the truth of a RB±ATL formula ϕ with respect to M and s is defined inductively on the structure of ϕ as follows (the atomic case and the Boolean connectives are defined in the standard way):
• M, s |= A^b φ iff ∃ b-strategy F_A such that for all λ ∈ out(s, F_A): M, λ[1] |= φ;
• M, s |= A^b □φ iff ∃ b-strategy F_A such that for all λ ∈ out(s, F_A) and i ≥ 0: M, λ[i] |= φ; and
• M, s |= A^b φ U ψ iff ∃ b-strategy F_A such that for all λ ∈ out(s, F_A), ∃i ≥ 0: M, λ[i] |= ψ and M, λ[j] |= φ for all j ∈ {0, . . . , i − 1}.
Since the infinite resource bound version of RB±ATL modalities correspond to the standard ATL modalities, we will write A^∞¯ φ, A^∞¯ φ U ψ, A^∞¯ □φ as A φ, A φ U ψ, A □φ, respectively. When the context is clear, we will sometimes write s |= φ instead of M, s |= φ.
Note that although we only consider infinite paths, the condition that the idle action of cost ¯0 is always available makes the model-checking problem easier (we only need to find a strategy with a finite prefix under bound b to satisfy formulas of the form A^b φ and A^b φ U ψ, and then the strategy can make the idle choice forever). This makes our logic closer to the finitary semantics in [4].
As an example of the expressivity of the logic, consider the model in Figure 1 with two agents a_1 and a_2 and two resources r_1 and r_2. Let us assume that c(s_I, a_1, α) = −2, 1 (action α produces 2 units of r_1 and consumes one unit of r_2), c(s, a_2, β) = 1, −1 and c(s, a_1, γ) = 5, 0. Then agent a_1 on its own has a strategy to enforce a state satisfying p under resource bound of 3 units of r_1 and 1 unit of r_2 (M, s_I |= {a_1}^{3,1} U p): a_1 has to select action α in s_I which requires it to consume one unit of r_2 but produces two units of r_1, and then action γ in s that requires 5 units of r_1 which is now within the resource bound since the previous action has produced 2 units. All outcomes of this strategy lead to s′ where p holds. After this, a_1 has to select idle forever, which does not require any resources. Any smaller resource bound is not sufficient. However, both agents have a strategy to enforce the same outcome under a smaller resource bound of just one unit of r_2 (M, s_I |= {a_1, a_2}^{0,1} U p): agent a_2 needs to select β in s until the agents have gone through the loop between s_I and s four times and accumulated enough of resource r_1 to enable agent a_1 to perform γ in s.
3 MODEL CHECKING RB±ATL
The model-checking problem for RB±ATL is the question whether for a given RB-CGS structure M, a state s in M and an RB±ATL formula φ, M, s |= φ. In this section we prove the following theorem:
[Figure 1. An example with consumption and production of resources. States: s_I, s, s′; proposition label: p; joint-action edge labels: ⟨idle, idle⟩, ⟨α, idle⟩, ⟨idle, β⟩, ⟨γ, idle⟩.]
To prove decidability, we give an algorithm which, given a structure M = (Agt, Res, S, Π, π, Act, d, c, δ) and a formula φ, returns the set of states [φ]_M satisfying φ: [φ]_M = {s | M, s |= φ} (see Algorithm 1).
Algorithm 1 Labelling φ
function RB±ATL-LABEL(M, φ)
  for φ′ ∈ Sub(φ) do
    case φ′ = p, ¬ψ, ψ1 ∧ ψ2, A ψ, A ψ1 U ψ2, A □ψ
      standard, see [2]
    case φ′ = A^b ψ
      [φ′]_M ← Pre_b(A, [ψ]_M)
    case φ′ = A^b ψ1 U ψ2
      [φ′]_M ← {s | s ∈ S ∧ UNTIL-STRATEGY(node0(s, b), A^b φ U ψ)}
    case φ′ = A^b □ψ
      [φ′]_M ← {s | s ∈ S ∧ BOX-STRATEGY(node0(s, b), A^b □φ)}
  return [φ]_M
Given φ, we produce a set of subformulas of φ, Sub(φ), in the usual way, however in addition if A^b γ ∈ Sub(φ), its infinite resource version A γ is added to Sub(φ). Sub(φ) is ordered in increasing order of complexity, in addition infinite resource versions of modal formulas come before bounded versions. Note that if a state s is not annotated with A γ then s cannot satisfy the bounded resource version A^b γ.
We then proceed by cases. For all formulas in Sub(φ) apart from A^b φ, A^b φ1 U φ2 and A^b □ψ we essentially run the standard ATL model-checking algorithm [2].
Labelling states with A^b φ makes use of a function Pre_b(A, ρ) which, given a coalition A, a set ρ ⊆ S and a bound b, returns a set of states s in which A has a joint action σ_A with cost(s, σ_A) ≤ b such that out(s, σ_A) ⊆ ρ. Labelling states with A^b φ U ψ and A^b □φ is more complex, and in the interests of readability we provide separate functions: UNTIL-STRATEGY for A^b φ U ψ formulas is shown in Algorithm 2, and BOX-STRATEGY for A^b □φ formulas is shown in Algorithm 3.
Both algorithms proceed by depth-first and-or search of M. We record information about the state of the search in a search tree of nodes. A node is a structure which consists of a state of M, the resources available to the agents A in that state (if any), and a finite path of nodes leading to this node from the root node. Edges in the tree correspond to joint actions by all agents. Note that the resources available to the agents in a state on a path constrain the edges from the corresponding node to be those actions σ_A where cost(s, σ_A) is less than or equal to the available resources. For each node n in the tree, we have a function s(n) which returns its state, p(n) which returns the nodes on the path and e_i(n) which returns the resource availability on the i-th resource in s(n) as a result of following p(n). The function node0(s, b) returns the root node, i.e., a node n_0 such that s(n_0) = s, p(n_0) = [ ] and e_i(n_0) = b_i for all resources i. The function node(n, a, s′) returns a node n′ where s(n′) = s′, p(n′) = [p(n) · n] and for all resources i, e_i(n′) = e_i(n) − c_i(a).
Algorithm 2 Labelling A^b φ U ψ
function UNTIL-STRATEGY(n, A^b φ U ψ)
  if s(n) ⊭ A φ U ψ then
    return false
  if ∃n′ ∈ p(n) : s(n′) = s(n) ∧ (∀j : e_j(n′) ≥ e_j(n)) then
    return false
  if ∃n′ ∈ p(n) : s(n′) = s(n) ∧ (∀j : e_j(n′) ≤ e_j(n)) ∧ e_i(n′) < e_i(n) then
    e_i(n) ← ∞
  if s(n) |= ψ then
    return true
  if e(n) = ∞¯ then
    return true
  Act ← {a ∈ Act(A, s(n)) | c(a) ≤ e(n)}
  for a ∈ Act do
    O ← states reachable by a
    strat ← true
    for s′ ∈ O do
      strat ← strat ∧ UNTIL-STRATEGY(node(n, a, s′), A^b φ U ψ)
    if strat then
      return true
  return false
Algorithm 3 Labelling A^b □φ
function BOX-STRATEGY(n, A^b □φ)
  if s(n) ⊭ A □φ then
    return false
  if ∃n′ ∈ p(n) : s(n′) = s(n) ∧ (∀j : e_j(n′) > e_j(n)) then
    return false
  if ∃n′ ∈ p(n) : s(n′) = s(n) ∧ (∀j : e_j(n′) ≤ e_j(n)) then
    return true
  Act ← {a ∈ Act(A, s(n)) | c(a) ≤ e(n)}
  for a ∈ Act do
    O ← states reachable by a
    strat ← true
    for s′ ∈ O do
      strat ← strat ∧ BOX-STRATEGY(node(n, a, s′), A^b □φ)
    if strat then
      return true
  return false
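The following Python sketch is an added example, not code from the paper: it implements Pre_b and the search of Algorithm 2 and runs them on the model of Figure 1. The action sets d, the transition for the joint action (γ, β), the placement of p in s′ only, and the reading of the two example formulas as "true U p" are assumptions, since the figure survives only partly on this page.

```python
import math
from itertools import product

INF = math.inf
AGENTS = ("a1", "a2")
R = 2                                        # resources r1, r2
STATES = {"sI", "s", "s'"}
# d(state, agent): available actions (assumed; idle is always available).
D = {("sI", "a1"): ["idle", "alpha"], ("sI", "a2"): ["idle"],
     ("s", "a1"): ["idle", "gamma"], ("s", "a2"): ["idle", "beta"],
     ("s'", "a1"): ["idle"], ("s'", "a2"): ["idle"]}
# c(state, agent, action): positive = consumption, negative = production.
C = {("sI", "a1", "alpha"): (-2, 1), ("s", "a2", "beta"): (1, -1),
     ("s", "a1", "gamma"): (5, 0)}
# delta(state, joint action); the (gamma, beta) edge is an assumption.
DELTA = {("sI", ("idle", "idle")): "sI", ("sI", ("alpha", "idle")): "s",
         ("s", ("idle", "idle")): "s", ("s", ("idle", "beta")): "sI",
         ("s", ("gamma", "idle")): "s'", ("s", ("gamma", "beta")): "s'",
         ("s'", ("idle", "idle")): "s'"}
P = {"s'"}                                   # assumed: p holds only in s'


def leq(u, v):
    """Point-wise vector comparison u <= v."""
    return all(x <= y for x, y in zip(u, v))


def joint(coal, s):
    """D_A(s): joint actions of coalition coal at s, as {agent: action}."""
    return [dict(zip(coal, acts)) for acts in product(*(D[s, a] for a in coal))]


def cost(s, sigma):
    """cost(s, sigma_A): sum of the members' cost vectors (idle costs 0)."""
    vecs = [C.get((s, a, act), (0,) * R) for a, act in sigma.items()]
    return tuple(sum(col) for col in zip(*vecs))


def out(s, sigma):
    """out(s, sigma_A): successors under every choice of the other agents."""
    return {DELTA[s, full] for full in product(*(D[s, a] for a in AGENTS))
            if all(full[AGENTS.index(a)] == act for a, act in sigma.items())}


def pre(coal, rho, bound):
    """Pre_b(A, rho): states with a joint action of cost <= b forcing rho."""
    return {s for s in STATES
            if any(leq(cost(s, sg), bound) and out(s, sg) <= rho
                   for sg in joint(coal, s))}


def atl_until(coal, phi, psi):
    """Unbounded A phi U psi as a least fixed point (standard ATL labelling)."""
    z = set()
    while True:
        nxt = psi | (phi & pre(coal, z, (INF,) * R))
        if nxt == z:
            return z
        z = nxt


def holds_until(coal, bound, phi, psi, start):
    """Algorithm 2 (UNTIL-STRATEGY) from the root node0(start, bound)."""
    win = atl_until(coal, phi, psi)

    def search(s, e, path):
        if s not in win:                             # no strategy even unbounded
            return False
        same = [e2 for s2, e2 in path if s2 == s]
        if any(leq(e, e2) for e2 in same):           # loop that gained nothing
            return False
        for e2 in [x for x in same if leq(x, e)]:    # loop with a strict gain
            e = tuple(INF if lo < hi else hi for lo, hi in zip(e2, e))
        if s in psi or all(x == INF for x in e):
            return True
        for sg in joint(coal, s):
            k = cost(s, sg)
            if leq(k, e):
                rest = tuple(x - y for x, y in zip(e, k))
                if all(search(t, rest, path + ((s, e),)) for t in out(s, sg)):
                    return True
        return False

    return search(start, tuple(bound), ())
```

Calling holds_until(("a1",), (3, 1), STATES, P, "sI") checks the first example formula, and the same call with ("a1", "a2") and (0, 1) checks the second, where the search replaces the r_1 endowment by ∞ on the second visit to s_I.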
Lemma 1. Algorithm 1 terminates.
Proof. All the cases in Algorithm 1 apart from A^b φ U ψ and A^b □φ can be computed in time polynomial in |M| and |φ|. The cases for A^b φ U ψ and A^b □φ involve calling the UNTIL
state in S. We want to show that there is no infinite sequence of calls to UNTIL-STRATEGY or BOX-STRATEGY. Assume to the contrary that n_1, n_2, . . . is an infinite sequence of nodes in an infinite sequence of recursive calls to UNTIL-STRATEGY or BOX-STRATEGY. Then, since the set of states is finite, there is an infinite subsequence n_{i_1}, n_{i_2}, . . . of n_1, n_2, . . . such that s(n_{i_j}) = s(n_{i_k}). We show that there is an infinite subsequence n_1, n_2, . . . of n_{i_1}, n_{i_2}, . . . such that for k < j e(n_k) ≤ e(n_j). Note that since n_k and n_j have the same state, both UNTIL-STRATEGY or BOX-STRATEGY will return in n_j: a contradiction. The proof is very similar to the proof of Lemma f in [8, p.70] and proceeds by induction on the number of resources r. For r = 1, since e(n) is always positive, the claim is immediate. Assume the lemma holds for r and let us show it for r + 1. Then there is an infinite subsequence m_1, m_2, . . . of n_{i_1}, n_{i_2}, . . . where for all resources i ∈ {1, . . . , r} e_i(m_k) ≤ e_i(m_j) for k < j. Clearly if we take m_1 for the first element in the sequence of nodes with increasing resource availability we are constructing, there is a node m_j in the sequence m_1, m_2, . . . where e_{r+1}(m_1) ≤ e_{r+1}(m_j). We take m_j to be n_2 and repeat.
Before we prove correctness of UNTIL-STRATEGY and BOX-STRATEGY, we need some auxiliary notions. Let n be a node where one of the procedures returns true. We will refer to tree(n) as the tree representing the successful call to the procedure. In particular, if the procedure returns true before any recursive calls are made, then tree(n) = n. Otherwise the procedure returns true because there is an action α ∈ Act such that for all s′ ∈ out(s(n), α) the procedure returns true in n′ = node(n, α, s′). In this case, tree(n) has n as its root and trees tree(n′) are the children of n. We refer to the action α as n_act (the action that generates the children of n). For the sake of uniformity, if tree(n) = n then we set n_act to be idle. Such a tree corresponds to a strategy F where for each path n · · · m from the root n to a node m in tree(n), F(s(n) · · · s(m)) = m_act.
A strategy F for satisfying A^b φ U ψ is U-economical for a node n if, intuitively, no path generated by it contains a loop that does not increase any resource. A strategy is □-economical for a node n if, intuitively, no path generated by it contains a loop that decreases some resources and does not increase any other resources. Formally, a strategy F is U-economical for n if
• F satisfies A^{e(n)} φ U ψ at s(n), i.e., ∀λ ∈ out(s(n), F), ∃i ≥ 0 : λ[i] |= ψ and λ[j] |= φ for all j ∈ {0, . . . , i}
• The path p(n) · n is already economical; i.e., ∀n ∈ p(n) · n, n ∈ p(n) : s(n) = s(n) ⇒ e(n) ≥ e(n);
• Every state is reached by F economically; i.e., ∀s_0 s_1 . . . s_k . . . ∈ out(s(n), F) where k ≤ i and i is the first index in s_0 s_1 . . . s_k . . . to satisfy ψ, ∀j < k : s_j = s_k ⇒ cost(s_j . . . s_k) ≥ ¯0 where cost(s_j . . . s_k) = Σ_{l=j,...,k−1} cost(λ[l], F(λ[0, l])); and
• Every state is reached by F economically with respect to the path p(n); i.e., ∀s_0 s_1 . . . s_k . . . ∈ out(s(n), F), ∀n ∈ p(n) : s(n) = s_k ⇒ e(n) ≥ e(n) − cost(s_0 . . . s_k)
A strategy F is □-economical if:
• F satisfies A^{e(n)} □φ at s(n), i.e., ∀λ ∈ out(s(n), F), ∀i ≥ 0 : λ[i] |= φ;
• The path p(n) · n is already economical; i.e., ∀n ∈ p(n) · n, n ∈ p(n) : s(n) = s(n) ⇒ e(n) > e(n);
• Every state is reached by F economically; i.e., ∀s_0 s_1 . . . s_k . . . ∈ out(s(n), F) ∀j < k : s_j = s_k ⇒ cost(s_j . . . s_k) > ¯0;
• Every state is reached by F economically with respect to the path p(n); i.e., ∀s_0 s_1 . . . s_k . . . ∈ out(s(n), F), ∀n ∈ p(n) : s(n) = s_k ⇒ e(n) > e(n) − cost(s_0 . . . s_k).
Note that any strategy F satisfying A^{e(n)} φ U ψ (A^{e(n)} □φ) at s(n) can be converted to an economical one by eliminating unproductive loops.
Next we prove correctness of UNTIL-STRATEGY. The next lemma essentially shows that replacing a resource value with ∞ in Algorithm 2 is harmless. For the inductive proof, we need the following notion. Given a tree tree(n) we call the result of removing all children of some nodes m_1, . . . , m_k that have only leaves as children in tree(n), (tree(n), prune(m_1, . . . , m_k)) (or a pruning of tree(n)).
Lemma 2. Let n = node0(s, b) be a node where UNTIL-STRATEGY returns true. Let f be a function that for each leaf n′ of tree(n) returns f(n′) ∈ N^r such that f_i(n′) = e_i(n′) if e_i(n′) ≠ ∞. Then there is a strategy F which eventually generates at least f(n′) for all leaves n′ of tree(n).
Proof. (sketch) By induction on the structure of tree(n).
Base Case: Let tree(n) contain only its root. The proof is obvious for any strategy.
Inductive Step: Let us consider a pruning T of tree(n). By the induction hypothesis, any tree T′ that has a less complex structure than T has a strategy to generate at least f(n′) ∈ N^r ≤ e(n′) for all leaves n′ of T′.
[Figure 2. Tree T and T = (T, prune(m)). Node labels: n, m, m_1, m_2, w_{r1}(m_1), w_{r2}(m_1).]
Let m(m_1, . . . , m_k) be an arbitrary depth-1 sub-tree of T (see Figure 2). By removing m(m_1, . . . , m_k) from T, we obtain a pruning T′ of T.
Let n · · · m · m_i be a path in T from the root n to one of the leaves m_i. For each resource r the availability of which turns to ∞ at m_i, there must be a node w_r(m_i) in the path n · · · m · m_i which is used to turn the availability of r to ∞ at m_i. We may repeat the path from w_r(m_i) to m_i several times to generate enough resource availability for r. We call the path from w_r(m_i) to m_i together with all the immediate child nodes of those along the path the column graph from w_r(m_i) to m_i. Each time, an amount of g_r = e_r(m) − c_r(a(m)) − e_r(w(m_i)) is generated. Then, the minimal number of times to repeat the path from w(m_i) to m_i is
$$h_r(m_i) = \frac{f_r(m_i) - e_r(m) - c_r(a(m))}{g_r}.$$
Note that we need to repeat at each m_i for each resource r the path from w_r(m_i) to m_i h_r times. To record the number of times the path has been repeated, we attach to each m_i a counter ĥ_r for each r and write the new node of m_i as m_i^{ĥ(m_i)}.
Initially, ĥ_r = 0 for all r. A step (see Figure 3) of the repetition is done as follows: let m_i^{ĥ(m_i)} be some node such that ĥ_r(m_i) < h_r(m_i). Let m^{ĥ(m_j)}
[Figure 3. Repeating steps to generate resources.]
from m_i^ĥ the column-tree from w_r(m_i) to m_i; each new m_j (j ≠ i) is annotated with ĥ(m_j) (same as before) and the new m_i is annotated with ĥ(m_i) except that ĥ_r(m_i) is increased by 1. We repeat the above step until no further step can be made (it must terminate due to the fact that h_r(m_i) < ∞ for all r and m_i).
At the end, we obtain a tree where all leaves m_i^ĥ have ĥ_r = h_r(m_i) for all r, hence the availability of r is at least f_r. Let E(m) be the extended tree from m.
Let F_T be the generated strategy from T. We extend F_T with E(m) for every occurrence of m in F_T and denote this extended strategy F_T^E. For all leaves m in E(m) which are other than m_i, let E(m) be some sub-tree of T which starts from m. Then, we extend F_T^E with E(m) for every occurrence of m in E(m). We finally obtain a tree F_T which satisfies the condition that all leaves l have resource availability of at least f(l).
Corollary 1. If UNTIL-STRATEGY(node0(s, b), A^b φ U ψ) returns true then s |= A^b φ U ψ.
Lemma 3. If UNTIL-STRATEGY(n, A^b φ U ψ) returns false, then there is no U-economical strategy from s(n) satisfying A^{e(n)} φ U ψ.
Proof. (sketch) We prove the lemma by induction on the depth of calling UNTIL-STRATEGY(n, A^b φ U ψ).
Base Case: If false is returned by the first if-statement, then s(n) ⊭ A φ U ψ; this also means there is no strategy satisfying A^{e(n)} φ U ψ from s(n).
If false is returned by the second if-statement, then any strategy satisfying A^{e(n)} φ U ψ from s(n) is not economical.
Inductive Step: If false is not returned by the first two if-statements, then, for all actions a ∈ Act, there exists s′ ∈ out(s(n), a) such that UNTIL-STRATEGY(n′, A^b φ U ψ) (where n′ = node(n, a, s′)) returns false. By induction hypothesis, there is no economical strategy satisfying A^{e(n′)} φ U ψ from s(n′). Assume to the contrary that there is an economical strategy satisfying A^{e(n)} φ U ψ from s(n). Let a = F(s(n)), then a ∈ Act. Obviously, for all s′ ∈ out(s(n), a), F′(λ) = F(s(n)λ) is an economical strategy from n′ = node(n, a, s′). This is a contradiction; hence, there is no economical strategy satisfying A^{e(n)} φ U ψ from s(n).
Corollary 2. If UNTIL-STRATEGY(node0(s, b), A^b φ U ψ) returns false then s ⊭ A^b φ U ψ.
Now we turn to Algorithm 3 for labelling states with A^b □φ. First we show the soundness of Algorithm 3.
Lemma 4. Let n = node0(s, b). If BOX-STRATEGY(n, A^b □φ) returns true then s(n) |= A^b □ϕ.
Proof. (sketch) In the following, for each node m in tree(n), let T(m) denote the sub-tree of tree(m) rooted at m. For each leaf m of tree(n), let w(m) denote one of the nodes in p(m) such that s(w(m)) = s(m) and e(w(m)) ≤ e(m) (see Figure 4).
[Figure 4. w(m) of m in tree(n).]
Let us expand tree(n) as follows:
• T_0 is tree(n);
• T_{i+1} is T_i where all its leaves m are replaced by T(w(m)) (see Figure 5);
[Figure 5. One step in constructing the strategy.]
Let T = T_∞, then T is a strategy for A^b □ϕ.
Lemma 5. If BOX-STRATEGY(n, A^b □φ) returns false, then there is no □-economical strategy satisfying A^{e(n)} □φ at s(n).
Proof. (sketch) The proof is done by induction on the depth of calling BOX-STRATEGY(n, A^b □φ).
Base Case: If false is returned by the first if-statement, then s(n) ⊭ A □φ; this also means there is no strategy satisfying A^{e(n)} □φ at s(n).
If false is returned by the second if-statement, then any strategy satisfying A^{e(n)} □φ at s(n) is not □-economical.
Inductive Step: If false is not returned by the first two if-statements, for all actions a ∈ Act, there exists s′ ∈ out(s(n), a) such that BOX-STRATEGY(n′, A^b □φ) (where n′ = node(n, a, s′)) returns false. Assume to the contrary that there is a □-economical strategy satisfying A^{e(n)} □φ from s(n). Let a = F(s(n)), then a ∈ Act. Obviously, for all s′ ∈ out(s(n), a), F′(λ) = F(s(n)λ) is a □-economical strategy from n′ = node(n, a, s′). This is a contradiction; hence, there is no □-economical strategy
Corollary 3. If BOX-STRATEGY(node0(s, b), A^b □φ) returns false then s ⊭ A^b □φ.
4 LOWER BOUND
In this section we show that the lower bound for the complexity of the model checking problem for RB±ATL is EXPSPACE, by reducing from the reachability problem of Petri Nets. Note that the exact complexity of this problem is still an open question (although it is known to be decidable, [8]), hence the same holds for the exact complexity of the RB±ATL model-checking problem.
A Petri net is a tuple N = (P, T, W, M) where:
• P is a finite set of places;
• T is a finite set of transitions;
• W : P × T ∪ T × P → N is a weighting function; and
• M : P → N is an initial marking.
A transition t ∈ T is enabled iff W(r, t) ≤ M(r) for all r ∈ P. The result of performing t is a marking M′ where M′(r) = M(r) − W(r, t) + W(t, r), denoted as M[t⟩M′.
A marking M′ is reachable from M iff there exists a sequence
M_0 [t_1⟩ M_1 [t_2⟩ . . . [t_n⟩ M_n
where M_0 = M and n ≥ 0 such that M_n ≥ M′ (where M ≥ M′ iff M(r) ≥ M′(r) for all r ∈ P). It is known that the lower bound for the complexity of this version of the reachability problem (with M_n ≥ M′ rather than M_n = M′) is EXPSPACE [8, p.73].
We present a reduction from an instance of the reachability problem of Petri Nets to an instance of the model checking problem of RB±ATL.
Given a net N = (P, T, W, M) and a marking M′, we construct a RB-CGS I_{N,M′} = ({1}, P, S, {p}, π, Act, d, c, δ) where:
• S = {s_0} ∪ T ∪ {s, e};
• π(p) = {s};
• Act = {idle, good} ∪ {t^−, t^+ | t ∈ T};
• d(s_0) = {idle, good} ∪ {t^− | t ∈ T};
• d(s) = d(e) = {idle};
• d(t) = {idle, t^+};
• c(idle) = ¯0; c(good) = M′;
• c_r(t^−) = W(r, t) for all r ∈ P;
• c_r(t^+) = −W(r, i) for all r ∈ P;
• δ(x, idle) = e for x ∈ {s_0, t, e};
• δ(s_0, good) = s;
• δ(s_0, t^−) = t;
• δ(t, t^+) = s_0.
[Figure 6. Structure I_{N,M′}. States: s_0, t_1, t_2, . . . , t_k, e, s (labelled p); edge labels: t_1^−, t_1^+, . . . , t_k^−, t_k^+, idle, good.]
The following is straightforward:
Lemma 6. Given a net N = (P, T, W, M) and a marking M′, M′ is reachable from M iff I_{N,M′}, s_0 |= 1^M U p.
Corollary 4. The lower bound for the model checking problem com-plexity of RB±ATL is EXPSPACE.
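The correspondence behind Lemma 6 can be checked along a single firing sequence. The Python sketch below is an added example, not code from the paper: it builds the costs and transitions of the structure for a small constructed net and compares "the firing sequence is enabled and covers the target" with "the matching path reaches s and every prefix costs at most M". The net, the helper names, and taking the production of t+ to be W(t, r) (as in the firing rule) are assumptions.

```python
def build_structure(places, transitions, W, target):
    """Costs and transitions of the structure: one agent, one resource per place."""
    zero = tuple(0 for _ in places)
    cost = {"idle": zero, "good": tuple(target[r] for r in places)}
    delta = {("s0", "idle"): "e", ("e", "idle"): "e", ("s0", "good"): "s"}
    for t in transitions:
        cost[t + "-"] = tuple(W.get((r, t), 0) for r in places)   # t- consumes W(r, t)
        cost[t + "+"] = tuple(-W.get((t, r), 0) for r in places)  # t+ produces W(t, r) (assumed)
        delta["s0", t + "-"] = t
        delta[t, t + "+"] = "s0"
        delta[t, "idle"] = "e"
    return cost, delta


def path_reaches_p(actions, cost, delta, bound):
    """True iff the actions form a path from s0 to s (where p holds) and
    every prefix of the path has cost <= bound (b-consistency)."""
    state, spent = "s0", [0] * len(bound)
    for act in actions:
        if (state, act) not in delta:
            return False
        spent = [x + y for x, y in zip(spent, cost[act])]
        if any(x > b for x, b in zip(spent, bound)):
            return False
        state = delta[state, act]
    return state == "s"


def covers(places, W, marking, firing, target):
    """True iff `firing` is enabled step by step from `marking` and the
    final marking M_n satisfies M_n >= target."""
    m = dict(marking)
    for t in firing:
        if any(W.get((r, t), 0) > m[r] for r in places):
            return False
        for r in places:
            m[r] += W.get((t, r), 0) - W.get((r, t), 0)
    return all(m[r] >= target[r] for r in places)


def as_actions(firing):
    """Firing sequence t1 ... tn as the path t1-, t1+, ..., tn-, tn+, good."""
    return [t + sign for t in firing for sign in "-+"] + ["good"]


# Constructed net: t1 turns one p1 token into two p2 tokens,
# t2 turns one p2 token into one p1 token.
PLACES = ("p1", "p2")
TRANSITIONS = ("t1", "t2")
W = {("p1", "t1"): 1, ("t1", "p2"): 2, ("p2", "t2"): 1, ("t2", "p1"): 1}
M0 = {"p1": 1, "p2": 0}          # initial marking M, used as the resource bound
TARGET = {"p1": 1, "p2": 2}      # marking M' to be covered


def agree(firing):
    """Net side and structure side of the reduction for one firing sequence."""
    cost, delta = build_structure(PLACES, TRANSITIONS, W, TARGET)
    bound = tuple(M0[r] for r in PLACES)
    return (covers(PLACES, W, M0, firing, TARGET),
            path_reaches_p(as_actions(firing), cost, delta, bound))
```

Because the structure has a single agent and a deterministic δ, a strategy from s_0 is just such a path, so both components of agree(...) coincide for every firing sequence.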
5 CONCLUSION
The main contribution of this paper is a model-checking algorithm for RB±ATL, a logic with resource production. This is the first decidability result for a resource logic of strategic ability (multi-agent rather than single agent) that allows both unbounded production and consumption of resources. The lower bound for the model-checking complexity of RB±ATL is EXPSPACE and the upper bound is still an open problem. In future work, we plan to concentrate on identifying computationally tractable cases for RB±ATL model-checking, for example by restricting the class of transition systems to those without ‘mixed’ loops (producing one resource and consuming another).
Acknowledgments This work was supported by the Engineering and Physical Sciences Research Council [grants EP/K033905/1 and EP/K033921/1]. We would also like to thank the anonymous ECAI 2014 reviewers whose comments and suggestions helped to improve the paper.
REFERENCES
[1] N. Alechina, B. Logan, H. N. Nguyen, and A. Rakib, ‘Resource-bounded alternating-time temporal logic’, in Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems (AAMAS 2010), pp. 481–488. IFAAMAS, (2010).
[2] R. Alur, T. Henzinger, and O. Kupferman, ‘Alternating-time temporal logic’, Journal of the ACM, 49(5), 672–713, (2002).
[3] N. Bulling, J. Dix, and W. Jamroga, ‘Model checking logics of strategic ability: Complexity*’, in Specification and Verification of Multi-agent Systems, 125–159, Springer, (2010).
[4] N. Bulling and B. Farwer, ‘On the (un-)decidability of model checking resource-bounded agents’, in Proceedings of the 19th European Conference on Artificial Intelligence (ECAI 2010), volume 215 of Frontiers in Artificial Intelligence and Applications, pp. 567–572. IOS Press, (2010).
[5] E. M. Clarke, E. A. Emerson, and A. P. Sistla, ‘Automatic verification of finite-state concurrent systems using temporal logic specifications’, ACM Transactions on Programming Languages and Systems, 8(2), 244–263, (1986).
[6] D. Della Monica, M. Napoli, and M. Parente, ‘On a logic for coalitional games with priced-resource agents’, Electr. Notes Theor. Comput. Sci., 278, 215–228, (2011).
[7] D. Della Monica, M. Napoli, and M. Parente, ‘Model checking coalitional games in shortage resource scenarios’, in Proceedings of the 4th International Symposium on Games, Automata, Logics and Formal Verification (GandALF 2013), volume 119 of EPTCS, pp. 240–255, (2013).
[8] W. Reisig, Petri Nets: An Introduction, volume 4 of EATCS Monographs