Slide 1: Modelling, Verification and Reasoning in Multi-Agent Systems
Nils Bulling and Jürgen Dix
EASSS 2012, Valencia, Spain, 28 May – 1 June 2012
N. Bulling, J. Dix · Modelling, Verification and Reasoning in Multi-Agent Systems, EASSS, 2012

Slide 2: Course information
Time: Duration: three times 105 minutes. Dates: Thursday, 9:30-11:15 and 15-16:45, and Friday 15-16:45.
Course type: Level: advanced. Prerequisites: knowledge of propositional/predicate logic, basics of automata and complexity theory, some universal algebra.
Course website: http://www.in.tu-clausthal.de/index.php?id=easss2012

Slide 3: Course Overview
The course is divided into 6 lectures à 50 minutes:
- Lec. 1: Linear and Branching Time (D, 60 min): SL, FOL, temporal logics: LTL, CTL*, CTL.
- Lec. 2: Cooperative Agents (D, 40 min): strategic logics: ATL, ATL*, effect of memory.
- Lec. 3: Comparing Semantics of ATL (B, 50 min): semantic variants of ATL, tree unfolding.
- Lec. 4: Reasoning and Examples (D, 50 min): basic modal logic, axiomatizations of LTL, CTL, ATL viewed as modal logics.
- Lec. 5: Complexity of Verification: Model Checking (B, 60 min): the model checking problem and its complexity.
- Lec. 6: Complexity of Reasoning: Satisfiability (B, 40 min): the satisfiability checking problem and its complexity.

Slide 4: Reading Material I
- Alur, R., Henzinger, T. A., and Kupferman, O. (2002). Alternating-time Temporal Logic. Journal of the ACM, 49:672–713.
- Baier, C. and Katoen, J.-P. (2008). Principles of Model Checking. The MIT Press.
- Blackburn, P., de Rijke, M., and Venema, Y. (2001). Modal Logic. Number 53 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, Cambridge, UK.
Slide 5: Reading Material II
- Bulling, N., Dix, J., and Jamroga, W. (2010). Model checking logics of strategic ability: Complexity. In Dastani, M., Hindriks, K. V., and Meyer, J.-J. C., editors, Specification and Verification of Multi-Agent Systems. Springer.
- Clarke, E., Grumberg, O., and Peled, D. (1999). Model Checking. MIT Press.
- Jürgen Dix and Michael Fisher (2012). Chapter 14: Specification and Verification of Multi-agent Systems. In G. Weiss (Ed.), Multiagent Systems, MIT Press.

Slide 6: Reading Material III
- Jamroga, W. and Bulling, N. (2011). Comparing variants of strategic ability. In Proceedings of the 22nd International Joint Conference on Artificial Intelligence (IJCAI), pages 252–257, Barcelona, Spain.

Slide 7: Outline
1 Linear and Branching Time
2 Cooperative Agents
3 Comparing Semantics of ATL
4 Reasoning and Examples
5 Complexity of Verification: Model Checking
6 Complexity of Reasoning: Satisfiability
7 Appendix: Automata Theory
8 References

Slide 8: 1. Linear and Branching Time
- Sentential Logic
- First-Order Logic
- Linear Time Logic
- Branching Time Logic
Slide 9: 1.1 Sentential Logic (outline)

Slide 10: Overview of Section 1
We recapitulate very briefly sentential (also called propositional) logic (SL) and first-order logic (FOL). As an example of FOL, we consider FO(≤), monadic FOL of linear order.
Then we present LTL, a logic to deal with linear time (no branching). This logic is equivalent to FO(≤).
CTL* is an extension of LTL to branching time. CTL is an interesting fragment of CTL*, incomparable with LTL, but with interesting computational properties.
While LTL is defined over path formulae, CTL is defined over state formulae. CTL* is defined over both sorts of formulae.

Slide 11: Syntax of SL
The propositional language is built upon
- propositional symbols: p, q, r, ..., p1, p2, p3, ...
- logical connectives: ¬ and ∨
- grouping symbols: (, )
Often we consider only a finite, nonempty set of propositional symbols and refer to it as Prop.
Propositional language L_PL(Prop):
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ
Macros:
  ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)
  ϕ → ψ := ¬ϕ ∨ ψ
  ϕ ↔ ψ := (ϕ → ψ) ∧ (ψ → ϕ)
  ⊤ := p ∨ ¬p
  ⊥ := ¬⊤

Slide 12: Semantics (SL)
A valuation (or truth assignment) v : Prop → {t, f} for a language L_PL(Prop) is a mapping from the set of propositional constants defined by Prop into the set {t, f}.
Inductively, we define the notion of a formula ϕ being true or satisfied by v (denoted by v |= ϕ):
  v |= p iff v(p) = t and p ∈ Prop,
  v |= ¬ϕ iff not v |= ϕ,
  v |= ϕ ∨ ψ iff v |= ϕ or v |= ψ.
For a set Σ ⊆ L_PL we write v |= Σ iff v |= ϕ for all ϕ ∈ Σ. We write v ⊭ ϕ instead of "not v |= ϕ".
Slide 13: Truth Tables
Truth tables are a conceptually simple way of working with PL (invented by Wittgenstein in 1918).

  p | q | ¬p | p ∨ q | p ∧ q | p → q | p ↔ q
  t | t |  f |   t   |   t   |   t   |   t
  f | t |  t |   t   |   f   |   t   |   f
  t | f |  f |   t   |   f   |   f   |   f
  f | f |  t |   f   |   f   |   t   |   t

Slide 14: Fundamental Semantical Concepts
- If it is possible to find some valuation v that makes ϕ true, then we say ϕ is satisfiable.
- If v |= ϕ for all valuations v then we say that ϕ is valid and write |= ϕ. ϕ is also called a tautology.
- A theory is a set of formulae: Φ ⊆ L_PL.
- A theory Φ is called consistent if there is a valuation v with v |= Φ.
- A theory Φ is called complete if for each formula ϕ in the language, ϕ ∈ Φ or ¬ϕ ∈ Φ.
Two simple examples: Consider the two formulae p ∧ ¬b and a ∨ ¬a. Are they satisfiable or valid? Are they both consistent? What if we add b?

Slide 15: Consequences
Given a theory Φ we are interested in the following question: Which facts can be derived from Φ? We can distinguish two approaches:
1 semantical consequences, and
2 syntactical inference.
Let Φ be a theory and ϕ be a formula. We say that ϕ is a semantical consequence of Φ if for all valuations v: v |= Φ implies v |= ϕ.

Slide 16: 1.2 First-Order Logic (outline)
Slide 17: Predicate logic
In addition to the propositional language (on which the modal language is built as well), the first-order language (FOL) contains variables, function symbols and predicate symbols.
Definition 1.1 (Variable): A variable is a symbol of the set Var. Typically, we denote variables by x0, x1, ....
Example 1.2: ϕ := ∃x0 ∀x1 (P0^2(f0^1(x0), x1) ∧ P2^1(f1^0))

Slide 18: Functions
Definition 1.3 (Function Symbols): Let k ∈ N0. The set of k-ary function symbols is denoted by Func_k. Elements of Func_k are given by f1^k, f2^k, .... Such a symbol takes k arguments. The set of all function symbols is defined as Func := ∪_k Func_k.
A 0-ary function symbol is called a constant.

Slide 19: Predicates
Definition 1.4 (Predicate Symbols): Let k ∈ N0. The set of k-ary predicate symbols (or relation symbols) is given by Pred_k. Elements of Pred_k are denoted by P1^k, P2^k, .... Such a symbol takes k arguments. The set of predicate symbols is defined as Pred := ∪_k Pred_k.
A 0-ary predicate symbol is called an (atomic) proposition.

Slide 20: Syntax
The first-order language with equality L_FOL is built from terms and formulae. In the following we fix a set of variables, function symbols and predicate symbols.
Definition 1.5 (Term): A term over Func and Var is inductively defined as follows:
1 Each variable from Var is a term.
2 If t1, ..., tk are terms then f^k(t1, ..., tk) is a term as well, where f^k is a k-ary function symbol from Func_k.
Slide 21: Definition 1.6 (Language)
The first-order language with equality L_FOL(Var, Func, Pred) is defined by the following grammar:
  ϕ ::= P^k(t1, ..., tk) | ¬ϕ | ϕ ∨ ϕ | ∃x(ϕ) | t = r
where P^k ∈ Pred_k is a k-ary predicate symbol and t1, ..., tk and t, r are terms over Var and Func.

Slide 22: Definition 1.7 (Macros)
We define the following syntactic constructs as macros (P ∈ Pred_0):
  ⊥ := P ∧ ¬P
  ⊤ := ¬⊥
  ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)
  ϕ → ψ := ¬ϕ ∨ ψ
  ϕ ↔ ψ := (ϕ → ψ) ∧ (ψ → ϕ)
  ∀x(ϕ) := ¬∃x(¬ϕ)

Slide 23: Notation
- We will often leave out the index k in f_i^k and P_i^k indicating the arity and just write f_i and P_i.
- Variables are also denoted by u, v, w, ...
- Function symbols are also denoted by f, g, h, ...
- Constants are also denoted by a, b, c, ..., c0, c1, ...
- Predicate symbols are also denoted by P, Q, R, ...
- We will use our standard notation p for 0-ary predicate symbols and also call them (atomic) propositions.
Attention: In this course, we only need unary predicates (monadic logic) and we do not need any function symbols at all. So our terms are exactly the variables.

Slide 24: Semantics
Definition 1.8 (Model, Structure): A model or structure for FOL over Var, Func and Pred is given by M = (U, I) where
1 U is a non-empty set of elements, called universe or domain, and
2 I is called interpretation. It assigns to each function symbol f^k ∈ Func_k a function I(f^k) : U^k → U, to each predicate symbol P^k ∈ Pred_k a relation I(P^k) ⊆ U^k, and to each variable x ∈ Var an element I(x) ∈ U.
We write:
1 M(P^k) for I(P^k),
2 M(f^k) for I(f^k), and
3 M(x) for I(x).
Slide 25: Compatibility of structures and languages
Note that a structure comes with an interpretation I, which is based on function and predicate symbols and assignments of the variables. But these are also defined in the notion of a language. Thus we assume from now on that the structures are compatible with the underlying language: the arities of the functions and predicates must correspond to the associated symbols.
Example 1.9:
  ϕ := Q(x) ∨ ∀z(P(x, g(z))) ∨ ∃x(∀y(P(f(x), y) ∧ Q(a)))
  U = R
  I(a) : {∅} → R, ∅ ↦ π (constants are 0-ary functions)
  I(f) = sin : R → R and I(g) = cos : R → R
  I(P) = {(r, s) ∈ R² : r ≤ s} and I(Q) = [3, ∞) ⊆ R
  I(x) = π/2, I(y) = 1 and I(z) = 3

Slide 26: Definition 1.10 (Value of a Term)
Let t be a term and M = (U, I) be a model. We define inductively the value of t wrt M, written as M(t), as follows:
  M(x) := I(x) for a variable t = x,
  M(t) := I(f^k)(M(t1), ..., M(tk)) if t = f^k(t1, ..., tk).

Slide 27: Definition 1.11 (Semantics)
Let M = (U, I) be a model and ϕ ∈ L_FOL. ϕ is said to be true in M, written as M |= ϕ, if the following holds:
  M |= P^k(t1, ..., tk) iff (M(t1), ..., M(tk)) ∈ M(P^k)
  M |= ¬ϕ iff not M |= ϕ
  M |= ϕ ∨ ψ iff M |= ϕ or M |= ψ
  M |= ∃x(ϕ) iff M[x/a] |= ϕ for some a ∈ U, where M[x/a] denotes the model equal to M except that M[x/a](x) = a
  M |= t = r iff M(t) = M(r)
Given a set Σ ⊆ L_FOL we write M |= Σ iff M |= ϕ for all ϕ ∈ Σ.

Slide 28: Example: FO(≤)
Monadic first-order logic of order, denoted by FO(≤), is first-order logic with the only binary symbol ≤ (except equality, which is also allowed) and, additionally, any number of unary predicates. The theory assumes that ≤ is a linear order, but nothing else.
A typical model is given by
  N = ⟨N, ≤_N, P1^N, P2^N, ..., Pn^N⟩
where ≤_N is the usual ordering on the natural numbers and Pi^N ⊆ N. The sets Pi^N determine the timepoints where the property Pi holds.
Slide 29: What can we express in FO(≤)?
Can we find formulae that express that
- a property r is true infinitely often?
- r is true at all even timepoints and ¬r at all odd timepoints?
- whenever r is true, then s is true in the next timepoint?

Slide 30: 1.3 Linear Time Logic (outline)

Slide 31: Reasoning about Time
- Time: linear vs. branching.
- Reasoning about a particular computation of a system.
- Models: paths (e.g. obtained from Kripke structures).
[Figure: two paths, each starting from a state marked "start".]

Slide 32: Temporal logic
Temporal logic was originally developed in order to represent tense in natural language. The accessibility relation represents time.
Within Computer Science, it has achieved a significant role in the formal specification and verification of concurrent and distributed systems.
Much of this popularity has been achieved because a number of useful concepts can be formally, and concisely, specified using temporal logics, e.g.
- safety properties
- liveness properties
- fairness properties
Slide 33: Typical temporal operators
  Xϕ: ϕ is true in the neXt moment in time
  Gϕ: ϕ is true Globally: in all future moments
  Fϕ: ϕ is true Finally: eventually (in the future)
  ϕ U ψ: ϕ is true Until at least the moment when ψ becomes true (and this eventually happens)
Example: send(msg, rcvr) → F receive(msg, rcvr)

Slide 34: Safety Properties
"Something bad will not happen" / "something good will always hold".
Typical examples:
  G¬bankrupt
  G fuelOK
  G((¬passport ∨ ¬ticket) → X¬board_flight)
  and so on ...
Usually: G¬....

Slide 35: Liveness Properties
"Something good will happen."
Typical examples:
  F rich
  power_on → F online
  and so on ...
Usually: F....
Combinations of safety and liveness are possible:
  FG¬dead
  G(request_taxi → F arrive_taxi)

Slide 36: Fairness Properties
Fairness: "If something is requested then it will be allocated":
  G(attempt → F success)
Strong fairness:
  GF attempt → GF success
Scheduling processes, responding to messages, etc. No process is blocked forever, etc.
Slide 37: Definition 1.12 (Language L_LTL [Pnueli, 1977])
The language L_LTL(Prop) is given by all formulae generated by the following grammar, where p ∈ Prop is a proposition:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ϕ U ϕ | Xϕ.
The additional operators F (eventually in the future) and G (always from now on) can be defined as macros:
  Fϕ ≡ ⊤ U ϕ and Gϕ ≡ ¬F¬ϕ.
The standard Boolean connectives ⊤, ⊥, ∧, →, and ↔ are defined in their usual way as macros.

Slide 38: Models of LTL
The semantics is given over paths, which are infinite sequences of states from Q, and a standard labelling function π : Q → P(Prop) that determines which propositions are true at which states.
Definition 1.13 (Path λ = q1 q2 q3 ...): A path λ over a set of states Q is an infinite sequence from Q^ω. We also identify it with a mapping N0 → Q. λ[i] denotes the ith position on path λ (starting from i = 0) and λ[i, ∞] denotes the subpath of λ starting from i (λ[i, ∞] = λ[i] λ[i+1] ...).

Slide 39: Definition 1.14 (Semantics of LTL)
Let λ be a path and π be a labelling function over Q. The semantics of LTL, |=_LTL, is defined as follows:
  λ, π |=_LTL p iff p ∈ π(λ[0]) and p ∈ Prop;
  λ, π |=_LTL ¬ϕ iff not λ, π |=_LTL ϕ (we will also write λ, π ⊭_LTL ϕ);
  λ, π |=_LTL ϕ ∨ ψ iff λ, π |=_LTL ϕ or λ, π |=_LTL ψ;
  λ, π |=_LTL Xϕ iff λ[1, ∞], π |=_LTL ϕ; and
  λ, π |=_LTL ϕ U ψ iff there is an i ∈ N0 such that λ[i, ∞], π |=_LTL ψ and λ[j, ∞], π |=_LTL ϕ for all 0 ≤ j < i.

Slide 40: Other temporal operators
For λ = q1 q2 q3 ... ∈ Q^ω:
  λ, π |= Fϕ iff λ[i, ∞], π |= ϕ for some i ∈ N0;
  λ, π |= Gϕ iff λ[i, ∞], π |= ϕ for all i ∈ N0.
Exercise: Prove that the semantics does indeed match the definitions Fϕ ≡ ⊤ U ϕ and Gϕ ≡ ¬F¬ϕ.
Slide 41: Example: GF pos1 on a path
[Figure: the path λ = q0 q1 q2 q0 q1 q2 ..., with q0, q1, q2 labelled pos0, pos1, pos2.]
  λ, π |= GF pos1 iff λ[0, ∞], π |= F pos1 and λ[1, ∞], π |= F pos1 and λ[2, ∞], π |= F pos1 and ...

Slide 42: Example: F pos1 on the same path
  λ, π |= F pos1 holds since for λ' = λ[1, ∞] we have λ', π |= pos1, i.e. pos1 ∈ π(λ'[0]).

Slide 43: Representation of paths
- Paths are infinite entities.
- They are theoretical constructs.
- We need a finite representation!
- Such a finite representation is given by a transition system or a pointed Kripke structure.

Slide 44: Computational vs. behavioral structure
[Figure: the system (two robots 1 and 2 pushing a carriage between positions pos0, pos1, pos2) on the left; its computational structure, with states q0, q1, q2 labelled pos0, pos1, pos2, on the right.]
Slide 45: Computational vs. behavioral structure (cont.)
[Figure: the computational structure with states q0, q1, q2 (left) and the behavioral structure, an infinite tree rooted at q0 whose branches are the paths q0 q0 ..., q0 q1 ..., and so on (right).]
Important! The behavioral structure is usually infinite! Here, it is an infinite tree. We say it is the q0-unfolding of the model.

Slide 46: Some Exercises
Example 1.15: Formalise the following as LTL formulae:
1 r should never occur.
2 r should occur exactly once.
3 At least once r should directly be followed by s.
4 r is true at exactly all even states.
5 r is true at each even state (the odd states do not matter). Does r ∧ G(r ∧ XXr) work?

Slide 47: Relation to first-order logic (1)
1 The monadic first-order theory of (linear) order, FO(≤) (see Slide 29), is equivalent to LTL.
2 There is a translation from sentences of LTL to sentences of FO(≤) and vice versa, such that the LTL sentence is true in λ, π iff its translation is true in the associated first-order structure.

Slide 48: Relation to first-order logic (2)
1 More precisely: an infinite path λ is described as a first-order structure with domain N and predicates P_p for p ∈ Prop. The predicates stand for the set of timepoints where p is true. So each path λ can be represented as a structure
  N_λ = ⟨N, ≤_N, P1^N, P2^N, ..., Pn^N⟩.
2 Then each LTL formula φ translates to a first-order formula α_φ(x) with one free variable s.t. φ is true in λ[n, ∞] iff α_φ(n) is true in N_λ. And conversely: for each first-order formula with a free variable there is a corresponding LTL formula s.t. the same condition holds.
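The LTL-to-FO(≤) direction of the correspondence on Slides 47 and 48, as an added example (our code, not from the slides): given an LTL formula ϕ, it produces the first-order formula α_ϕ(x) with one free variable x over the signature {≤, =, P_p : p ∈ Prop}. X is expressed as "y is the immediate successor of x", which needs only ≤ and =, so the output stays inside FO(≤). The tuple encoding of formulas, keeping F and G as primitive connectives so that the output remains readable, and the fresh-variable names y0, y1, ... are our own choices.

```python
# Added example: translate LTL formulas to FO(<=) formulas alpha_phi(x).
# Encoding and naming scheme are ours; the translation rules follow the
# standard proof of the LTL-to-FO(<=) direction.
import itertools

# LTL formulas as nested tuples.
def P(name):  return ('p', name)
def Not(f):   return ('not', f)
def Or(f, g): return ('or', f, g)
def X(f):     return ('X', f)
def U(f, g):  return ('U', f, g)
def F(f):     return ('F', f)   # kept primitive for readable output
def G(f):     return ('G', f)   # (they are macros over U on the slides)

def translate(formula, free='x'):
    """Return alpha_formula(free) as a string over {<=, =, P_p}."""
    fresh = (f"y{i}" for i in itertools.count())   # bound variables y0, y1, ...

    def lt(a, b):
        # strict order, definable from <= and = only
        return f"({a} <= {b} ∧ ¬({a} = {b}))"

    def tr(f, x):
        kind = f[0]
        if kind == 'p':
            return f"P_{f[1]}({x})"
        if kind == 'not':
            return f"¬{tr(f[1], x)}"
        if kind == 'or':
            return f"({tr(f[1], x)} ∨ {tr(f[2], x)})"
        if kind == 'X':
            # y is the immediate successor of x: x < y and no z with x < z < y
            y, z = next(fresh), next(fresh)
            return (f"∃{y}({lt(x, y)} ∧ ¬∃{z}({lt(x, z)} ∧ {lt(z, y)}) "
                    f"∧ {tr(f[1], y)})")
        if kind == 'F':
            y = next(fresh)
            return f"∃{y}({x} <= {y} ∧ {tr(f[1], y)})"
        if kind == 'G':
            y = next(fresh)
            return f"∀{y}({x} <= {y} → {tr(f[1], y)})"
        if kind == 'U':
            # some y >= x satisfies the right argument, all z in [x, y) the left
            y, z = next(fresh), next(fresh)
            return (f"∃{y}({x} <= {y} ∧ {tr(f[2], y)} ∧ "
                    f"∀{z}(({x} <= {z} ∧ {lt(z, y)}) → {tr(f[1], z)}))")
        raise ValueError(f"unknown connective {kind}")

    return tr(formula, free)

if __name__ == "__main__":
    # The two formulas asked about on Slide 49.
    print(translate(G(F(P('p')))))
    print(translate(F(G(P('p')))))
```

Running the block prints the FO(≤) counterparts of GFp ("for every y ≥ x there is a z ≥ y with P_p(z)") and FGp ("there is a y ≥ x such that P_p holds at every z ≥ y"), answering the first question of Slide 49. The converse direction (FO(≤) to LTL) is the hard part of Kamp's theorem and is not implemented here.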
Slide 49: The formulae GFp, FGp
1 What are their counterparts in FO(≤)?
2 We will see later that FGp does not belong to CTL, but to CTL*. It is not even equivalent to a CTL formula.
3 However, GFp is equivalent to a CTL formula: AGAFp.

Slide 50: Some Remarks
1 A particular logic LTL is determined by the number n of propositional variables. Strictly speaking, this number should be a parameter of the logic. This also applies to the logics CTL and ATL.
2 While both F and G can be expressed using U, the converse is not true: U can not be expressed by F and G.

Slide 51: Satisfiability of LTL formulae
A formula is satisfiable if there is a path where it is true. Can we restrict the structure of such paths? I.e. can we restrict to simple paths, for example paths that are periodic?
If this is the case, then we might be able to construct counterexamples more easily, as we need only check very specific paths.
It would also be useful to know how large the period is and within which initial segment of the path it starts, depending on the length of the formula ϕ.

Slide 52: Satisfiability of LTL formulae (cont.)
Theorem 1.16 (Periodic model theorem [Sistla and Clarke, 1985]): A formula ϕ ∈ L_LTL is satisfiable iff there is a path λ which is ultimately periodic, and the period starts within 2^(1+|ϕ|) steps and has a length which is ≤ 4^(1+|ϕ|).
In other words, the start of the period and its length are bounded by 2^O(n) and 4^O(n), respectively, where n = |ϕ|.
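To make Definition 1.14 and Theorem 1.16 concrete, here is an added example (our code, not from the slides) that evaluates LTL formulas on an ultimately periodic path given as a lasso: a finite prefix followed by a loop that repeats forever. Every suffix λ[i, ∞] of such a path coincides with one of finitely many suffixes, so the Until clause can be decided by walking the path until a position repeats; this is exactly how a model checker checks a lasso-shaped counterexample. The formula encoding and the labelled paths (the carriage path q0 q1 q2 q0 ... from Slide 41, plus paths we constructed for Example 1.15) are ours.

```python
# Added example: LTL semantics (Definition 1.14) on ultimately periodic paths.
# Formula encoding, path representation and sample paths are our own.
from functools import lru_cache

# Formulas as nested tuples; F and G are macros exactly as on Slide 37.
def P(name):       return ('p', name)
def Not(f):        return ('not', f)
def Or(f, g):      return ('or', f, g)
def And(f, g):     return Not(Or(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def X(f):          return ('X', f)
def U(f, g):       return ('U', f, g)
TRUE = Or(P('_t'), Not(P('_t')))          # top := p ∨ ¬p
def F(f):          return U(TRUE, f)      # Fϕ ≡ ⊤ U ϕ
def G(f):          return Not(F(Not(f)))  # Gϕ ≡ ¬F¬ϕ

class Lasso:
    """Path λ = prefix · loop^ω; labels[i] is π(λ[i]) for the stored positions."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty, otherwise the path is finite"
        self.labels = [frozenset(s) for s in prefix + loop]
        self.first_loop = len(prefix)

    def next(self, i):
        """Position of λ[i+1] in the finite representation (wraps into the loop)."""
        return i + 1 if i + 1 < len(self.labels) else self.first_loop

def holds(path, formula, i=0):
    """Decide λ[i,∞], π |= formula on the lasso `path`."""
    @lru_cache(maxsize=None)
    def sat(f, i):
        kind = f[0]
        if kind == 'p':
            return f[1] in path.labels[i]
        if kind == 'not':
            return not sat(f[1], i)
        if kind == 'or':
            return sat(f[1], i) or sat(f[2], i)
        if kind == 'X':
            return sat(f[1], path.next(i))
        if kind == 'U':
            # Walk the suffix; once a position repeats, the remaining suffix
            # repeats too, so no new witness for the right argument can appear.
            seen, j = set(), i
            while j not in seen:
                if sat(f[2], j):
                    return True
                if not sat(f[1], j):
                    return False
                seen.add(j)
                j = path.next(j)
            return False
        raise ValueError(f"unknown connective {kind}")
    return sat(formula, i)

def carriage_examples():
    """The path q0 q1 q2 q0 q1 q2 ... of Slide 41, labelled pos0, pos1, pos2."""
    lam = Lasso(prefix=[], loop=[{'pos0'}, {'pos1'}, {'pos2'}])
    pos0, pos1 = P('pos0'), P('pos1')
    return {
        'GF pos1': holds(lam, G(F(pos1))),                         # pos1 recurs forever
        'FG pos1': holds(lam, F(G(pos1))),                         # pos1 never stays
        'G(pos0 -> X pos1)': holds(lam, G(Implies(pos0, X(pos1)))),
    }

def exercise_examples():
    """Candidate formalisations for items 2, 4 and 5 of Example 1.15 (constructed paths)."""
    r = P('r')
    once = U(Not(r), And(r, X(G(Not(r)))))             # r occurs exactly once
    even = And(r, G(Implies(r, X(X(r)))))              # r at every even state
    alt = And(r, G(And(Implies(r, X(Not(r))),          # r at exactly the even states
                       Implies(Not(r), X(r)))))
    a = Lasso(prefix=[{'r'}], loop=[set()])            # r only at position 0
    b = Lasso(prefix=[], loop=[{'r'}, set()])          # r exactly at even positions
    c = Lasso(prefix=[], loop=[{'r'}])                 # r everywhere
    return {
        'once on a': holds(a, once), 'once on c': holds(c, once),
        'even on b': holds(b, even), 'even on c': holds(c, even),
        'exactly-even on b': holds(b, alt), 'exactly-even on c': holds(c, alt),
    }

if __name__ == "__main__":
    print(carriage_examples())
    print(exercise_examples())
```

The `Lasso` representation is the finite object Theorem 1.16 guarantees for every satisfiable formula; a brute-force satisfiability check could enumerate lassos within the stated bounds and call `holds`, although the bounds make that impractical beyond toy formulas.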
Slide 53: 1.4 Branching Time Logic (outline)

Slide 54: Branching Time
- CTL, CTL*: Computation Tree Logics.
- Reasoning about possible computations of a system.
- Time is branching: we want all possible computations included!
- Models: states (time points, situations), transitions (changes) (→ Kripke models).
- Paths: courses of action, computations (→ LTL).

Slide 55: Example 1.17 (Branching Time)
[Figure: a Kripke structure with states q0, q1, q2, q3, q4; p labels q0 and q1, and q labels one successor of each p-state but not the other.]
In this structure, whenever p holds at some timepoint, then there is a path where q holds in the next step and there is (another) path where ¬q holds in the next step. And this holds along all paths (there are three infinite paths).

Slide 56: Path quantifiers and temporal operators
- Path quantifiers: A (for all paths), E (there is a path);
- Temporal operators: X (nexttime), F (finally), G (globally) and U (until);
- CTL: each temporal operator must be immediately preceded by exactly one path quantifier;
- CTL*: no syntactic restrictions.
Slide 57: Definition 1.18 (L_CTL* [Emerson and Halpern, 1986])
The language L_CTL*(Prop) is given by all formulae generated by the following grammar:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | Eγ
where
  γ ::= ϕ | ¬γ | γ ∨ γ | γ U γ | Xγ
and p ∈ Prop. Formulae ϕ (resp. γ) are called state (resp. path) formulae.
We use the same abbreviations as for L_LTL:
  λ, π |= Fϕ iff λ[i, ∞], π |= ϕ for some i ∈ N0;
  λ, π |= Gϕ iff λ[i, ∞], π |= ϕ for all i ∈ N0.

Slide 58: Reading CTL* formulae
The L_CTL*-formula EFϕ, for instance, ensures that there is at least one path on which ϕ holds at some (future) time moment.
The formula AFGϕ states that ϕ holds "almost everywhere". More precisely, on all paths it always holds from some future time moment.
L_CTL*-formulae do not only talk about temporal patterns on a given path, they also quantify (existentially or universally) over such paths.
The logic is complex! For practical purposes, a fragment with better computational properties is often sufficient.

Slide 59: Definition 1.19 (L_CTL [Clarke and Emerson, 1981])
The language L_CTL(Prop) is given by all formulae generated by the following grammar, where p ∈ Prop is a proposition:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | E(ϕ U ϕ) | EXϕ | EGϕ.
We introduce the following macros:
  Fϕ ≡ ⊤ U ϕ (so EFϕ ≡ E(⊤ U ϕ)),
  AXϕ ≡ ¬EX¬ϕ,
  AGϕ ≡ ¬EF¬ϕ, and
  A(ϕ U ψ) ≡ ... Exercise!

Slide 60: CTL* or CTL?
For example, AGEXp is an L_CTL-formula whereas AGFp is not.
Example 1.20 (CTL* or CTL?): Are the following CTL* or CTL formulae? What do they express?
1 EFAX shutdown
2 EFX shutdown
3 AGF rain
4 AGAF rain (Is it different from (3)?)
5 EFG broken
6 AG(p → (EXq ∧ EX¬q))
Slide 61: Kripke models (informally)
The precise definition of Kripke structures is given in Section 4. To understand the following definitions it suffices to note that:
- Given a set of states Q (each is a propositional model), a Kripke model M is simply a tuple (Q, R) where R ⊆ Q × Q is a binary relation.
- q1 R q2 (also written (q1, q2) ∈ R or R(q1, q2)) means that state q2 is reachable from state q1 (by executing certain actions).
- The relation R is serial: for all q there is a q' such that q R q'. This ensures that our paths are infinite.
- Given a state q in a Kripke model, by Λ(q) we mean the set of all paths determined by the relation R starting in q: q, q1, q2, ..., qi, ... where q R q1, ..., qi R qi+1, ...

Slide 62: Definition 1.21 (Semantics |=_CTL*)
Let M be a Kripke model, q ∈ Q and λ ∈ Λ. The semantics of L_CTL*- and L_CTL-formulae is given by the satisfaction relation |=_CTL*, for state formulae by:
  M, q |=_CTL* p iff p ∈ π(q) and p ∈ Prop;
  M, q |=_CTL* ¬ϕ iff M, q ⊭_CTL* ϕ;
  M, q |=_CTL* ϕ ∨ ψ iff M, q |=_CTL* ϕ or M, q |=_CTL* ψ;
  M, q |=_CTL* Eϕ iff there is a path λ ∈ Λ(q) such that M, λ |=_CTL* ϕ;

Slide 63: Definition 1.21 (cont.)
and for path formulae by:
  M, λ |=_CTL* ϕ iff M, λ[0] |=_CTL* ϕ;
  M, λ |=_CTL* ¬γ iff M, λ ⊭_CTL* γ;
  M, λ |=_CTL* γ ∨ δ iff M, λ |=_CTL* γ or M, λ |=_CTL* δ;
  M, λ |=_CTL* Xγ iff M, λ[1, ∞] |=_CTL* γ; and
  M, λ |=_CTL* γ U δ iff there is an i ∈ N0 such that M, λ[i, ∞] |=_CTL* δ and M, λ[j, ∞] |=_CTL* γ for all 0 ≤ j < i.
Is this complicated semantics over paths necessary for CTL?

Slide 64: State-based semantics for CTL
  M, q |=_CTL p iff p ∈ π(q);
  M, q |=_CTL ¬ϕ iff M, q ⊭_CTL ϕ;
  M, q |=_CTL ϕ ∨ ψ iff M, q |=_CTL ϕ or M, q |=_CTL ψ;
  M, q |=_CTL EXϕ iff there is a path λ ∈ Λ(q) such that M, λ[1] |=_CTL ϕ;
  M, q |=_CTL EGϕ iff there is a path λ ∈ Λ(q) such that M, λ[i] |=_CTL ϕ for every i ≥ 0;
  M, q |=_CTL E(ϕ U ψ) iff there is a path λ ∈ Λ(q) such that M, λ[i] |=_CTL ψ for some i ≥ 0, and M, λ[j] |=_CTL ϕ for all 0 ≤ j < i.
Slide 65: LTL as a subset of CTL*
LTL is interpreted over infinite chains (infinite words), but not over (serial) Kripke structures (which are branching).
To consider LTL as a subset of CTL*, one can just add the quantifier A in front of an LTL formula and use the semantics of CTL*. For infinite chains, this semantics coincides with the LTL semantics.
The theorem of Clarke and Draghicescu gives a nice characterization of those CTL* formulae that are equivalent to LTL formulae: Given a CTL* formula ϕ, we construct ϕ^d by just forgetting all path quantifiers. Then ϕ is equivalent to an LTL formula iff ϕ and Aϕ^d are equivalent under the semantics of CTL*.

Slide 66: Application of Clarke and Draghicescu
We consider the LTL formula GFp. Viewed as a CTL* formula it becomes AGFp. But this is equivalent (in CTL*) to AGAFp, a CTL formula.
Now we consider the CTL formula EGEFp. It is not equivalent to any LTL formula. This is because EGEFp and AGFp are not equivalent in CTL*:
[Figure: a three-state Kripke structure over q0, q1, q2, with p labelling one of the states.]
The first formula holds, the second does not.

Slide 67: LTL as a subset of CTL* (2)
How do LTL and CTL compare?
- The CTL formula AG(p → (EXq ∧ EX¬q)) describes Kripke structures of the form in Example 1.17. No LTL formula can describe this class of Kripke structures.
- The LTL formula AF(p ∧ Xp) can not be expressed by a CTL formula. Check why neither AF(p ∧ AXp) nor AF(p ∧ EXp) are equivalent.
- Similarly, the LTL formula AFGp can not be expressed by a CTL formula.
- There is a syntactic characterisation of formulae expressible in both CTL and LTL. Model checking in this class can be done more efficiently. We refer to [Maidl, 2000].

Slide 68: Example 1.22 (Robots and Carriage)
Two robots push a carriage from opposite sides. The carriage can move clockwise or anticlockwise, or it can remain in the same place. There are 3 positions of the carriage.
We label the states with propositions pos0, pos1, pos2, respectively, to allow for referring to the current position of the carriage in the object language.
[Figure 1: Two robots and a carriage.]
Slides 69–70 (1.4 Branching Time Logic): Robots and Carriage as a transition system

[Figure 2: Two robots and a carriage: a schematic view (left) and a transition system M0 that models the scenario (right), with states q0 (pos0), q1 (pos1), q2 (pos2).]

- M0, q0 |=CTL EF pos1: In state q0, there is a path such that the carriage will reach position 1 sometime in the future.
- The same is not true for all paths, so we also have: M0, q0 ⊭CTL AF pos1.
- It becomes more interesting if abilities of agents are considered → ATL.

Slide 71 (1.4 Branching Time Logic): Example: Rocket and Cargo

- A rocket and a cargo.
- The rocket can be moved between London (proposition roL) and Paris (proposition roP).
- The cargo can be in London (caL), Paris (caP), or inside the rocket (caR).
- The rocket can be moved only if it has its fuel tank full (fuelOK).
- When it moves, it consumes fuel, and nofuel holds after each flight.

Slide 72 (1.4 Branching Time Logic): Example: Rocket and Cargo

[Figure: the rocket-and-cargo transition system with twelve states (1 to 12), each labelled by roL or roP, nofuel or fuelOK, and caL, caR or caP.]

Some properties of the model:

- roL → E♦roP
- AG(roL ∨ roP)
- roL → AX(roP → nofuel)
Slide 73 (1.4 Branching Time Logic): Example: Rocket and Cargo

[Figure: the same twelve-state rocket-and-cargo transition system.]

- E♦caP

Slide 74 (1.4 Branching Time Logic): Deadlocks

- In our logics, we assumed a serial accessibility relation: no deadlocks are possible.
- One can also allow states with no outgoing transitions.
- In that case, in the semantical definition of E on Slide 65 one has to replace "there is a path" by "there is an infinite path or one which can not be extended". Similar modifications are needed in the definition of CTL.
- One can also add to each state with no outgoing transitions a special transition leading to a new state that loops into itself.
- How to express that there is no possibility of a deadlock? AGX⊤ (CTL∗), AGEX⊤ (CTL).

Slide 75 (1.4 Branching Time Logic)

[Figure: a Venn diagram showing typical formulae in the respective areas (LTL, CTL, CTL∗).]

Slide 76: 2. Cooperative Agents

Outline of Section 2 (Cooperative Agents):
- Alternating-Time Temporal Logics
- Imperfect Information
Slide 77 (2 Cooperative Agents): Outline

2.1 Alternating-Time Temporal Logics

Slide 78 (2.1 Alternating-Time Temporal Logics)

- We introduce ATL, Alternating Time Temporal Logic: a blend of temporal logic and game theory.
- Like CTL, ATL comes in two variants: ATL and ATL∗.
- Appropriate models for ATL are concurrent game structures.
- We introduce four variants of ATL along two different axes: perfect vs imperfect information, and perfect vs imperfect recall.

Slide 79 (2.1 Alternating-Time Temporal Logics): The picture so far

- What kind of logics did we introduce so far?
  - Linear-time temporal logic (LTL)
  - Branching-time logics (CTL and CTL∗)
- In the temporal case each transition modelled a time step. We considered only one single "actor".
- Now: Modelling abilities of multiple agents. CTL can be viewed as the single actor restriction of ATL. Agents can execute actions and cooperate. Action profiles determine the behaviour of the system.

Slide 80 (2.1 Alternating-Time Temporal Logics): Alternating-time Temporal Logics

- ATL, ATL∗ [Alur et al. 1997]
- Temporal logic meets game theory
- Modeling abilities of multiple agents
- Main idea: cooperation modalities ⟨⟨A⟩⟩ϕ: coalition A has a collective strategy to enforce ϕ
- Enforcement is understood in the game-theoretical sense: There is a winning strategy.
Slide 81 (2.1 Alternating-Time Temporal Logics)

The syntax is given as for the computation-tree logics.

Definition 2.1 (Language LATL∗ [Alur et al., 1997])
The language LATL∗ is given by all formulae generated by the following grammar:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ⟨⟨A⟩⟩γ
where
  γ ::= ϕ | ¬γ | γ ∨ γ | γ U γ | ○γ,
A ⊆ Agt, and p ∈ Prop. Formulae ϕ (resp. γ) are called state (resp. path) formulae.

Note that we are now using the symbol "○" instead of "X" as it is more customary when dealing with ATL.

Slide 82 (2.1 Alternating-Time Temporal Logics)

The language LATL restricts LATL∗ in the same way as LCTL restricts LCTL∗: Each temporal operator must be directly preceded by a cooperation modality.

Definition 2.2 (Language LATL [Alur et al., 1997])
The language LATL is given by all formulae generated by the following grammar:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ⟨⟨A⟩⟩○ϕ | ⟨⟨A⟩⟩□ϕ | ⟨⟨A⟩⟩ϕ U ϕ
where A ⊆ Agt and p ∈ Prop.

Note that we are now using the symbol "□" instead of "G" as it is more customary when dealing with ATL.

Slide 83 (2.1 Alternating-Time Temporal Logics): ATL Models: Concurrent Game Structures

- Agents, actions, transitions, atomic propositions
- Atomic propositions + interpretation
- Actions are abstract

[Figure: the robots-and-carriage scenario as a concurrent game structure: states q0 (pos0), q1 (pos1), q2 (pos2); transitions labelled by action profiles (wait,wait), (push,push), (push,wait), (wait,push) of robots 1 and 2.]

Slide 84 (2.1 Alternating-Time Temporal Logics)

The language LATL+ restricts LATL∗ but extends LATL. It allows for Boolean combinations of path formulae.

Definition 2.3 (Language LATL+)
The language LATL+ is given by all formulae generated by the following grammar:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ⟨⟨A⟩⟩γ,
  γ ::= ¬γ | γ ∨ γ | ○ϕ | ϕ U ϕ,
where A ⊆ Agt and p ∈ Prop.
Slide 85 (2.1 Alternating-Time Temporal Logics)

Definition 2.4 (Concurrent Game Structure)
A concurrent game structure is a tuple M = ⟨Agt, Q, π, Act, d, o⟩, where:
- Agt: a finite set of all agents;
- Q: a set of states;
- π : Q → P(Prop): a valuation of propositions;
- Act: a finite set of (atomic) actions;
- d : Agt × Q → P(Act) defines actions available to an agent in a state;
- o: a deterministic transition function that assigns outcome states q′ = o(q, α1, ..., αk) to states and tuples of actions.

Slide 86 (2.1 Alternating-Time Temporal Logics): Recall and information

- A strategy of agent a is a conditional plan that specifies what a is going to do in each situation.
- Two types of "situations": decisions are based on
  - the current state only (→ memoryless strategies): sa : Q → Act;
  - the whole history of events that have happened (→ perfect recall strategies): sa : Q+ → Act.
- We also distinguish between agents with
  - perfect information (all states are distinguishable);
  - imperfect information (some states are indistinguishable).

Slide 87 (2.1 Alternating-Time Temporal Logics): Perfect Information Strategies

Definition 2.5 (IR- and Ir-strategies)
- A perfect information perfect recall strategy for agent a (IR-strategy for short) is a function sa : Q+ → Act such that sa(q0 q1 ... qn) ∈ da(qn). The set of such strategies is denoted by Σa^IR.
- A perfect information memoryless strategy for agent a (Ir-strategy for short) is given by a function sa : Q → Act where sa(q) ∈ da(q). The set of such strategies is denoted by Σa^Ir.

i (resp. I) stands for imperfect (resp. perfect) information and r (resp. R) for imperfect (resp. perfect) recall. [Schobbens, 2004]

Slide 88 (2.1 Alternating-Time Temporal Logics): Some Notation

The following holds for all kinds of strategies:
- A collective strategy for a group of agents A = {a1, ..., ar} ⊆ Agt is a set sA = {sa | a ∈ A} of strategies, one per agent from A.
- By sA|a we denote agent a's part of the collective strategy sA: sA|a = sA ∩ Σa.
- s∅ = ∅ denotes the strategy of the empty coalition.
- ΣA denotes the set of all collective strategies of A; Σ = ΣAgt.
Slide 89 (2.1 Alternating-Time Temporal Logics): Outcome of a strategy

out(q, sA) = set of all paths that may occur when agents A execute sA from state q onward.

Definition 2.6 (Outcome)
A path λ = q0 q1 ... ∈ Q^ω is in out(q, sA) ⊆ Q^ω iff
1. q0 = q, and
2. for each i = 1, ... there is a tuple (α1^(i−1), ..., αk^(i−1)) ∈ Act^k such that
   - αa^(i−1) ∈ da(q(i−1)) for each a ∈ Agt,
   - αa^(i−1) = sA|a(q0 q1 ... q(i−1)) for each a ∈ A, and
   - o(q(i−1), α1^(i−1), ..., αk^(i−1)) = qi.

For an Ir-strategy replace "sA|a(q0 q1 ... q(i−1))" by "sA|a(q(i−1))".

Slide 90 (2.1 Alternating-Time Temporal Logics)

Definition 2.7 (Perfect information semantics)
- M, q |=Ix p iff p is in π(q);
- M, q |=Ix ϕ ∨ ψ iff M, q |=Ix ϕ or M, q |=Ix ψ;
- M, q |=Ix ⟨⟨A⟩⟩Φ iff there is a collective Ix-strategy sA such that, for each path λ ∈ out(q, sA), we have M, λ |=Ix Φ;
- M, λ |=Ix ○ϕ iff M, λ[1, ∞] |=Ix ϕ;
- M, λ |=Ix ♦ϕ iff M, λ[i, ∞] |=Ix ϕ for some i ≥ 0;
- M, λ |=Ix □ϕ iff M, λ[i, ∞] |=Ix ϕ for all i ≥ 0;
- M, λ |=Ix ϕ U ψ iff M, λ[i, ∞] |=Ix ψ for some i ≥ 0, and M, λ[j, ∞] |=Ix ϕ for all 0 ≤ j ≤ i.

Note that temporal formulae and the Boolean connectives are handled as before.

Slide 91 (2.1 Alternating-Time Temporal Logics): Example: Robots and Carriage

[Figure: the robots-and-carriage CGS with states q0 (pos0), q1 (pos1), q2 (pos2) and transitions labelled (wait,wait), (push,push), (push,wait), (wait,push).]

- pos0 → ⟨⟨1⟩⟩○¬pos1

Slide 92 (2.1 Alternating-Time Temporal Logics)

Definition 2.8 (ATLIx, ATL+Ix, ATL∗Ix, ATL, ATL∗)
We define ATLIx, ATL+Ix, and ATL∗Ix as the logics (LATL, |=Ix), (LATL+, |=Ix) and (LATL∗, |=Ix) where x ∈ {r, R}, respectively. Moreover, we use ATL (resp. ATL∗) as an abbreviation for ATLIR (resp. ATL∗IR).

Intuitively, a logic is given by the set of all valid formulae.
Slide 93 (2.1 Alternating-Time Temporal Logics)

Theorem 2.9
For LATL, the perfect recall semantics is equivalent to the memoryless semantics under perfect information, i.e.,
  M, q |=IR ϕ iff M, q |=Ir ϕ.
Both semantics are different for LATL∗. That is
  ATL = ATLIr = ATLIR.

Proof idea. The first "non-looping part" of each path has to satisfy a formula.

The property has been first observed in [Schobbens, 2004] but it follows from [Alur et al., 2002] in a straightforward way.

Slide 94 (2.1 Alternating-Time Temporal Logics): Example: Robots and Carriage (2)

[Figure: the robots-and-carriage CGS extended by a state qh (pos0, halt) reachable from q0 via the action profiles (halt,push) and (halt,wait).]

Exercise: What about ⟨⟨1, 2⟩⟩(♦pos1 ∧ ♦halt)?
- M, q0 |=IR ⟨⟨1, 2⟩⟩(♦pos1 ∧ ♦halt)
- M, q0 ⊭Ir ⟨⟨1, 2⟩⟩(♦pos1 ∧ ♦halt)

Slide 95 (2 Cooperative Agents): Outline

2.2 Imperfect Information

Slide 96 (2.2 Imperfect Information): Imperfect information

- How can we reason about agents/extensive games with imperfect information?
- We combine ATL∗ and epistemic logic.
- We extend CGS S with indistinguishability relations ∼a ⊆ Q × Q, one per agent. The relations are assumed to be equivalence relations.
- We interpret ⟨⟨A⟩⟩ epistemically (|=iR and |=ir).
Slide 97 (2.2 Imperfect Information): Example: Robots and Carriage

[Figure: the robots-and-carriage CGS with states q0 (pos0), q1 (pos1), q2 (pos2), extended by indistinguishability links labelled 1 and 2 between states.]

What about ⟨⟨Agt⟩⟩○pos1 in q0?
- M, q0 |=Ir ⟨⟨Agt⟩⟩○pos1
- M, q0 ⊭ir ⟨⟨Agt⟩⟩○pos1

Slide 98 (2.2 Imperfect Information)

Definition 2.10 (CEGS)
A concurrent epistemic game structure (CEGS) is a tuple
  M = (Agt, Q, Π, π, Act, d, o, {∼a | a ∈ Agt})
with
- (Agt, Q, Π, π, Act, d, o) a CGS and
- ∼a ⊆ Q × Q equivalence relations (indistinguishability relations).

Slide 99 (2.2 Imperfect Information)

Definition 2.11 (Uniform strategy)
Strategy sa is uniform iff it specifies the same choices for indistinguishable situations:
- Memoryless strategies: if q ∼a q′ then sa(q) = sa(q′).
- Perfect recall: if λ ≈a λ′ then sa(λ) = sa(λ′), where λ ≈a λ′ iff λ[i] ∼a λ′[i] for every i.
A collective strategy is uniform iff it consists only of uniform individual strategies.

Slide 100 (2.2 Imperfect Information): Problem

- Strategic and epistemic abilities are not independent!
- ⟨⟨A⟩⟩Φ = A can enforce Φ. It should at least mean that A are able to identify and execute the right strategy!
- Executable strategies = uniform strategies.
Slide 101 (2.2 Imperfect Information): Imperfect Information Strategies

Definition 2.12 (iR- and ir-strategies)
- An imperfect information perfect recall strategy for agent a (iR-strategy for short) is a uniform IR-strategy.
- An imperfect information memoryless strategy for agent a (ir-strategy for short) is a uniform Ir-strategy.
The outcome is defined as before.

Slide 102 (2.2 Imperfect Information): Imperfect Information Semantics

The imperfect information semantics is defined as before, only the clause for
  M, q |=Ix ⟨⟨A⟩⟩ϕ iff there is a collective Ix-strategy sA such that, for each path λ ∈ out(q, sA), we have M, λ |=Ix ϕ
is replaced by
  M, q |=ix ⟨⟨A⟩⟩ϕ iff there is a uniform ix-strategy sA such that, for each path λ ∈ ⋃_{q′ : q ∼A q′} out(q′, sA), we have M, λ |=ix ϕ
where x ∈ {r, R} and ∼A := ∪a∈A ∼a.

Remark 2.13
This definition models that "everybody in A knows that ϕ".

Slide 103 (2.2 Imperfect Information)

The fixed-point characterisation does not hold anymore!

Theorem 2.14
The following formulae are not valid for ATLir:
  ⟨⟨A⟩⟩□ϕ ↔ ϕ ∧ ⟨⟨A⟩⟩○⟨⟨A⟩⟩□ϕ
  ⟨⟨A⟩⟩ϕ1 U ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ ⟨⟨A⟩⟩○⟨⟨A⟩⟩ϕ1 U ϕ2).

Proof. Exercise.

Slide 104: 3. Comparing Semantics of ATL

Outline of Section 3 (Comparing Semantics of ATL):
- Semantics Settings
- Perfect vs. Imperfect Information
- Perfect Recall and Tree Unfoldings
- Perfect vs. Imperfect Recall
- Between Subjective and Objective Ability
- Conclusions
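The robots-and-carriage structure (Example 1.22 and the CGS on Slide 83) as executable data, checking the CTL claims of Slide 70 (CTL as the single-actor restriction of ATL), the perfect-information memoryless semantics of Definition 2.7 via the standard pre-image fixed point, and the subjective ir clause of Slide 102 with uniform strategies (Definition 2.11). This is an added example, not code from the lecture; the transition direction (robot 1 pushing alone moves the carriage clockwise) and the indistinguishability relation (robot 1 cannot tell q0 from q2) are modelling assumptions made here.

```python
"""Robots and carriage as a concurrent game structure, plus ATL checks.
Added example (not the lecture's code).  Assumptions: robot 1 pushing alone
moves the carriage clockwise, robot 2 pushing alone anticlockwise; for the
imperfect-information part, robot 1 cannot distinguish q0 from q2."""
from itertools import product

AGENTS = (1, 2)                      # robot 1, robot 2 (order of action profiles)
STATES = ("q0", "q1", "q2")
ACTS = ("wait", "push")              # every action is available in every state
LABEL = {"q0": {"pos0"}, "q1": {"pos1"}, "q2": {"pos2"}}
CLOCKWISE = {"q0": "q1", "q1": "q2", "q2": "q0"}
ANTICLOCKWISE = {v: k for k, v in CLOCKWISE.items()}


def o(q, joint):
    """Transition function o(q, a1, a2): both pushing or both waiting leaves
    the carriage in place; otherwise the pushing robot decides the direction."""
    a1, a2 = joint
    if a1 == a2:
        return q
    return CLOCKWISE[q] if a1 == "push" else ANTICLOCKWISE[q]


def d(agent, q):
    """Actions available to `agent` in state q (all of them, in this model)."""
    return ACTS


def states_where(prop):
    return {q for q in STATES if prop in LABEL[q]}


def profile(coalition, own, others, rest):
    """Assemble the full action profile in AGENTS order from the coalition's
    choice `own` and the remaining agents' choice `rest`."""
    chosen = dict(zip(coalition, own))
    chosen.update(zip(others, rest))
    return tuple(chosen[a] for a in AGENTS)


def pre(coalition, target):
    """States from which `coalition` can force the next state into `target`
    whatever the other agents do.  With coalition = AGENTS this is CTL's EX,
    with coalition = () it is AX: CTL is the single-actor restriction of ATL."""
    others = tuple(a for a in AGENTS if a not in coalition)
    result = set()
    for q in STATES:
        for own in product(*(d(a, q) for a in coalition)):
            if all(o(q, profile(coalition, own, others, rest)) in target
                   for rest in product(*(d(a, q) for a in others))):
                result.add(q)
                break
    return result


def next_ability(coalition, target):
    """<<A>>X phi (perfect information), phi given as its set of states."""
    return pre(coalition, target)


def eventually(coalition, target):
    """<<A>>F phi as the least fixed point  Z = phi  or  pre_A(Z)."""
    z = set(target)
    while True:
        new = z | pre(coalition, z)
        if new == z:
            return z
        z = new


# Constructed assumption: robot 1 cannot tell q0 from q2; robot 2 sees everything.
INDIST = {1: {frozenset({"q0", "q2"})}, 2: set()}


def indist(agent, q, r):
    return q == r or frozenset({q, r}) in INDIST[agent]


def uniform_memoryless(agent):
    """All Ir-strategies of `agent` that are uniform (Definition 2.11):
    the same choice in indistinguishable states."""
    for choice in product(ACTS, repeat=len(STATES)):
        s = dict(zip(STATES, choice))
        if all(s[q] == s[r] for q in STATES for r in STATES if indist(agent, q, r)):
            yield s


def next_ability_ir(coalition, target, q):
    """<<A>>X phi at q under the subjective ir semantics of Slide 102: one
    uniform collective strategy has to succeed from every state that some
    member of A cannot distinguish from q, against all opponent moves."""
    others = tuple(a for a in AGENTS if a not in coalition)
    starts = {r for r in STATES if any(indist(a, q, r) for a in coalition)}
    for strat in product(*(list(uniform_memoryless(a)) for a in coalition)):
        s_a = dict(zip(coalition, strat))
        if all(o(r, profile(coalition, tuple(s_a[a][r] for a in coalition), others, rest))
               in target
               for r in starts for rest in product(*(d(a, r) for a in others))):
            return True
    return False


if __name__ == "__main__":
    pos1 = states_where("pos1")
    print("EF pos1         =", eventually(AGENTS, pos1))            # all states
    print("AF pos1         =", eventually((), pos1))                # only q1
    print("<<1>>X not pos1 =", next_ability((1,), set(STATES) - pos1))
    print("<<1>>F pos1     =", eventually((1,), pos1))              # only q1
    print("<<Agt>>X pos1 at q0 (Ir):", "q0" in next_ability(AGENTS, pos1))
    print("<<Agt>>X pos1 at q0 (ir):", next_ability_ir(AGENTS, pos1, "q0"))
```

Under the assumed relation the Ir/ir contrast of Slide 97 comes out directly: the joint move (push,wait) takes q0 to pos1, but a uniform strategy must prescribe the same action for robot 1 in q2, from where no profile with robot 1 pushing reaches pos1.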
Slide 105 (3 Comparing Semantics of ATL): Outline

3.1 Semantics Settings

Slide 106 (3.1 Semantics Settings)

- We consider the relationship between standard variants of the alternating-time temporal logics:
  - perfect recall / no memory
  - perfect / imperfect information
  - objective / subjective ability
- Focus is on the logics; i.e., on the level of valid sentences.
- Validities capture general properties of games.
- Same logics induce same kind of ability in games.
- The following section is based on [Jamroga and Bulling, 2011].

Slide 107 (3.1 Semantics Settings)

We have considered various semantics for ATL and its variants: memoryless strategies; perfect recall strategies; perfect information; and imperfect information.

In this section we systematically analyze how these settings give rise to different logics.

For the perfect information case we define the following sets of validities (cf. Definition 2.8):
- ATLIx is the set of valid sentences over (LATL, |=Ix);
- ATL∗Ix is the set of valid sentences over (LATL∗, |=Ix),
where x ∈ {r, R}, respectively.

Slide 108 (3.1 Semantics Settings): Does memory matter?

In Theorem 2.9 we have already seen the following (cf. Theorem 2.9): For LATL, the perfect recall semantics is equivalent to the memoryless semantics under perfect information, i.e.,
  M, q |=IR ϕ iff M, q |=Ir ϕ.
That is
  ATL = ATLIr = ATLIR.
Both semantics are different for LATL∗; that is, ATL∗Ir ≠ ATL∗IR.
Slide 109 (3.1 Semantics Settings): Example 3.1 (ATL∗IR ≠ ATL∗Ir)

[Figure: a two-state CGS with states q1 and q2, actions 1 and 2, where p holds in q2.]

  ϕ = ⟨⟨a⟩⟩( p ∧ ¬p)

Slide 110 (3.1 Semantics Settings): Objective vs. subjective ability

There are two more characteristics of ability under imperfect information:
- Subjective ability (is): All paths from all indistinguishable states are taken into account.
- Objective ability (io): Only paths from the (real) current state are considered.

[Figure: subjective (paths from q1 and q2) versus objective (paths from q1 only) ability.]

Slide 111 (3.1 Semantics Settings)

Definition 3.2 (Subjective epistemic outcome, xy-outcome)
(a) The (subjective) epistemic outcome out^s(q, sA) is defined as
  out^s(q, sA) = ⋃_{q′ ∼A q} out(q′, sA).
(b) Let x ∈ {is, io, I} and y ∈ {r, R}. The xy-outcome out_xy(q, sA) is defined as follows:
  out_xy(q, sA) = out^s(q, sA) if x = is; out(q, sA) else.

Slide 112 (3.1 Semantics Settings)

Remark 3.3 (Strategies and semantics)
In order to ensure a uniform notation, we introduce xy-strategies for x ∈ {is, io, I} and y ∈ {r, R} as follows:
- IR: sa : Q+ → Act such that sa(q0 ... qn) ∈ d(a, qn) for all q0, ..., qn;
- Ir: as IR with the additional constraint s(hq) = s(h′q) for all histories h, h′ (or, alternatively, sa : Q → Act such that sa(q) ∈ d(a, q) for all q);
- io r, is r: like Ir, with the additional constraint that q ∼a q′ implies sa(hq) = sa(hq′) for all histories h;
- io R, is R: like IR, with the additional constraint that h ≈a h′ implies sa(h) = sa(h′).
Slide 113 (3.1 Semantics Settings)

Definition 3.4 (Imperfect information semantics)
  M, q |=xy ⟨⟨A⟩⟩ϕ iff there is a collective xy-strategy sA such that, for each path λ ∈ out_xy(q, sA), we have M, λ |=xy ϕ
where x ∈ {io, is}, y ∈ {r, R} and ∼A := ∪a∈A ∼a.

Analogously to Definition 3.5, we define the following sets:

Definition 3.5 (ATLis x, ATL∗is x, ATLio x, ATL∗io x)
We define the following logics:
- ATLyx is the set of valid sentences over (LATL, |=yx);
- ATL∗yx is the set of valid sentences over (LATL∗, |=yx),
where y ∈ {is, io} and x ∈ {r, R}, respectively.

Slide 114 (3.1 Semantics Settings): How does the picture look?

[Figure: a grid of the logics by information (objective vs. subjective) and memory (perfect recall vs. memoryless): ATL∗io R, ATL∗is R, ATLio R, ATLis R in the perfect recall row and ATL∗io r, ATL∗is r, ATLio r, ATLis r in the memoryless row, next to the known results ATL∗Ir ≠ ATL∗IR and ATLIR = ATLIr; the relationships between the imperfect information variants are marked with "?".]

Slide 115 (3.1 Semantics Settings): Comparing Validities

Recall our motivation:
- Relationship between standard variants of ATL∗ on the level of valid sentences
- Logic = set of validities
- Validities capture general properties of games under consideration
- If two logics over LATL∗ generate the same valid sentences then the underlying notions of ability induce the same kind of games
- First step towards devising algorithms for satisfiability checking

Slide 116 (3.1 Semantics Settings)

Remark 3.6 (Important Validities and Invalidities)
- ⟨⟨a⟩⟩♦p ↔ p ∨ ⟨⟨a⟩⟩○⟨⟨a⟩⟩♦p
  Invalid in all variants with imperfect information. Valid for perfect information.
- ⟨⟨a⟩⟩(♦p1 ∧ ♦p2) ↔ ⟨⟨a⟩⟩♦((p1 ∧ ⟨⟨a⟩⟩♦p2) ∨ (p2 ∧ ⟨⟨a⟩⟩♦p1))
  Invalid for imperfect information. Valid for perfect information and perfect recall.
- ¬⟨⟨∅⟩⟩♦¬p ↔ ⟨⟨Agt⟩⟩□p
  Invalid for subjective ability under imperfect information. Valid for perfect information.
Slide 117 (3 Comparing Semantics of ATL): Outline

3.2 Perfect vs. Imperfect Information

Slide 118 (3.2 Perfect vs. Imperfect Information): Comparing ATLir vs. ATLIr

Subjective incomplete information vs. perfect information.

Proposition 3.7
  ATLis r ⊊ ATLIr

Inclusion: Every CGS can be seen as a special CEGS.

Strict inclusion:
  M, q0 ⊭is r (shot ∨ ⟨⟨a⟩⟩○⟨⟨a⟩⟩♦shot) → ⟨⟨a⟩⟩♦shot

[Figure: a CEGS with states q0, ..., q5; q0 and q1 are indistinguishable for agent a; from q4 and q5 the action look leads to q0 resp. q1, from q0 and q1 the actions shootL and shootR lead to q2 or q3, and shot holds in q3.]

Slide 119 (3.2 Perfect vs. Imperfect Information)

Objective incomplete information vs. perfect information.

Proposition 3.8
  ATLio r ⊊ ATLIr

  M, q0 ⊭io r (shot ∨ ⟨⟨a⟩⟩○⟨⟨a⟩⟩♦shot) → ⟨⟨a⟩⟩♦shot

[Figure: a CEGS with states q0, q1 (indistinguishable for a), q2 and q3 (shot); transitions labelled by action profiles such as (−, shootL, −), (shootL, −), (−, putR) and (shootR, −).]

Slide 120 (3.2 Perfect vs. Imperfect Information): Comparing ATLiR vs. ATLIR

Objective incomplete information vs. perfect information under perfect recall.

By the same reasoning as above:

Corollary 3.9
  ATLio R ⊊ ATLIR
Slide 121 (3.2 Perfect vs. Imperfect Information)

Subjective ability and incomplete information vs. perfect information.

Proposition 3.10
  ATLis R ⊊ ATLIR

  M, q4 ⊭is R ⟨⟨a⟩⟩♦shot → (shot ∨ ⟨⟨a⟩⟩○⟨⟨a⟩⟩♦shot)

[Figure: the same CEGS with states q0, ..., q5 (look, shootL, shootR; shot holds in q3).]

Slide 122 (3 Comparing Semantics of ATL): Outline

3.3 Perfect Recall and Tree Unfoldings

Slide 123 (3.3 Perfect Recall and Tree Unfoldings): IR-Tree Unfolding

- Interesting is the comparison between memory and no memory.
- Can agents really achieve more (in terms of validities) if they have memory available?
- Suppose we want to show that ATL∗Ir ⊆ ATL∗IR; i.e., more properties of games are valid if perfect recall strategies are considered.
- For this purpose, we show that every IR-satisfiable formula is also Ir-satisfiable.
- Then, the claim follows: Suppose ϕ ∈ ATLIr and ϕ ∉ ATLIR. By the latter, ¬ϕ is IR-satisfiable, hence also Ir-satisfiable. Contradiction!
- How can we show that IR-satisfiability implies Ir-satisfiability?

Slide 124 (3.3 Perfect Recall and Tree Unfoldings)

Suppose (M, q) IR-satisfies ϕ. Then, we show that there is a pointed model (M′, q) which satisfies the same formulae and in which memoryless and perfect-recall strategies coincide.

Which properties must M′ have such that both kinds of strategies have the same expressive power?

Definition 3.11 (Tree-like CGS)
Let M be a CGS. M is called tree-like iff there is a state q0 (the root) such that for every q there is a unique history leading from q0 to q.

Proposition 3.12 (Recall invariance for tree-like CGS)
For every tree-like CGS M, state q in M, and ATL∗-formula ϕ, we have:
  M, q |=Ir ϕ iff M, q |=IR ϕ.

Can we always obtain such a tree-like "version" of a model?
Slide 125 (3.3 Perfect Recall and Tree Unfoldings)

For each model, we can construct an equivalent tree-like model: Fix a state and unfold the model to an infinite tree.

Tree unravelling
[Figure: a CGS M with states q1, q2 and action profiles (α, α), (β, α), (α, β), next to the beginning of its unfolding from q1.]

Note: states correspond to finite histories.

Slide 126 (3.3 Perfect Recall and Tree Unfoldings)

Definition 3.13 (Perfect information tree unfolding)
Let M = (Agt, Q, Π, π, Act, d, o) be a CGS and q be a state in it. The (perfect information) tree unfolding of the pointed model (M, q), denoted T(M, q), is defined as (Agt, Q′, Prop, π′, Act, d′, o′) where
- Q′ := Λfin(q),
- d′(a, h) := d(a, last(h)),
- o′(h, α) := h ∘ o(last(h), α), and
- π′(h) := π(last(h)).
The node q in the unfolding is called the root of T(M, q).

Theorem 3.14
For every CGS M, state q in M, and ATL∗-formula ϕ we have:
  M, q |=IR ϕ iff T(M, q), q |=IR ϕ iff T(M, q), q |=Ir ϕ.

Slide 127 (3.3 Perfect Recall and Tree Unfoldings): ioR-Tree Unfolding

In the case of incomplete information we only have to take into account epistemic relations in the tree:
  h ∼a^(io R, T(M,q)) h′ iff h ≈a^M h′

Theorem 3.15
For every CEGS M, state q in M, and ATL∗-formula ϕ we have:
  M, q |=io R ϕ iff To(M, q), q |=io R ϕ iff To(M, q), q |=io r ϕ.

Slide 128 (3.3 Perfect Recall and Tree Unfoldings): isR-Tree Unfolding

The tree unfolding for the is-semantics is more sophisticated. Consider the following model and the formula ⟨⟨a⟩⟩ ⟨⟨a⟩⟩ ⟨⟨a⟩⟩ shot. How can an isR-tree unfolding look like?

[Figure: the CEGS with states q0, ..., q5 (look, shootL, shootR; q0 ∼a q1; shot holds in q3).]
Slide 129 (3.3 Perfect Recall and Tree Unfoldings)

A first naive approach could be a set of ioR-tree unfoldings interconnected with epistemic links.

[Figure 3: Two ioR-tree unfoldings To(M1, q0) and To(M1, q1) connected by an epistemic link. We use the number i1 i2 ... to refer to the history q(i1) q(i2) ....]

What about the formula ⟨⟨a⟩⟩ ⟨⟨a⟩⟩ ⟨⟨a⟩⟩ shot?

The isR-tree unfolding is shown on the next slide.

Slide 130 (3.3 Perfect Recall and Tree Unfoldings)

[Figure: the isR-tree unfolding of M1, in which copies of To(M1, q0) and To(M1, q1) are attached at every history by epistemic links for a; nodes are named by histories such as 040ˆ0402 and 151ˆ1512.]

Slide 131 (3.3 Perfect Recall and Tree Unfoldings)

Now we can state our main result for isR-tree unfoldings.

Theorem 3.16
For every CEGS M, state q in M, and ATL∗-formula ϕ, it holds that
  M, q |=is R ϕ iff Ts(M, q), q |=is R ϕ iff Ts(M, q), q |=is r ϕ.

Summary
If a formula is IR-, ioR- or isR-satisfiable then it also is Ir-, ior- or isr-satisfiable, respectively.

Slide 132 (3 Comparing Semantics of ATL): Outline

3.4 Perfect vs. Imperfect Recall
Slide 133 (3.4 Perfect vs. Imperfect Recall)

We now compare perfect vs. imperfect memory.

Proposition 3.17
  ATL∗Ir ⊊ ATL∗IR (Even: ATL+Ir ⊊ ATL+IR)

Membership: If |=Ir ϕ then Treemodels |=Ir ϕ, then Treemodels |=IR ϕ, then |=IR ϕ.

Strict inclusion:
  M, q0 ⊭Ir ⟨⟨a⟩⟩(♦p1 ∧ ♦p2) ↔ ⟨⟨a⟩⟩♦((p1 ∧ ⟨⟨a⟩⟩♦p2) ∨ (p2 ∧ ⟨⟨a⟩⟩♦p1))
with p1 = clean and p2 = delivered.

[Figure: a CGS with states q0, q1 (clean) and q2 (delivered), where agent a chooses between the actions clean and deliver.]

Slide 134 (3.4 Perfect vs. Imperfect Recall)

Objective ability: no memory vs. perfect recall.

Proposition 3.18
  ATLio r ⊊ ATLio R

Recall: ¬⟨⟨∅⟩⟩♦¬p ↔ ⟨⟨Agt⟩⟩□p for perfect recall.

  M, q0 ⊭io r ¬⟨⟨∅⟩⟩♦¬(¬suspicious ∨ ¬angry) → ⟨⟨a⟩⟩□(¬suspicious ∨ ¬angry)

[Figure: a CEGS with states q0, q1 (indistinguishable for a), q2 (angry) and q3 (suspicious), where agent a chooses between kiss and not-kiss.]

Slide 135 (3.4 Perfect vs. Imperfect Recall)

Proposition 3.19
  ATLis r ⊊ ATLis R

Inclusion: |=is r ϕ, then Treemodels |=is r ϕ, then Treemodels |=is R ϕ, then |=is R ϕ.

Strict inclusion:
  M, q0 ⊭is r ⟨⟨a⟩⟩○⟨⟨a⟩⟩♦p → ⟨⟨a⟩⟩♦p.

[Figure: the CEGS with states q0, ..., q5 (look, shootL, shootR; q0 ∼a q1; shot holds in q3).]

Slide 136 (3 Comparing Semantics of ATL): Outline

3.5 Between Subjective and Objective Ability
35.
Proposition 3.20
ATL_io x ⊈ ATL_is y for x, y ∈ {r, R}.

The formula
    Φ2 ≡ ⟨⟨a⟩⟩♦p → p ∨ ⟨⟨a⟩⟩◯⟨⟨a⟩⟩♦p
is valid in ATL_io x but invalid in ATL_is y:
    M, q4 ⊭is R ⟨⟨a⟩⟩♦shot → shot ∨ ⟨⟨a⟩⟩◯⟨⟨a⟩⟩♦shot.

[Figure: states q4, q5, q0 ~a q1, q2, q3 (shot); actions look, shootL, shootR.]

Proposition 3.21
ATL_is x ⊈ ATL_io y for x, y ∈ {r, R}.

The formula
    Φ6 ≡ ⟨⟨a⟩⟩N⟨⟨c⟩⟩◯⟨⟨a⟩⟩◯p → ⟨⟨a, c⟩⟩♦p,
where N ("now") is defined by Nϕ ≡ ϕ U ϕ, is valid in ATL_is x but invalid in ATL_io y. (Under the subjective semantics ⟨⟨a⟩⟩Nϕ says that ϕ holds in all states a considers possible, i.e. that a knows ϕ; under the objective semantics it is just ϕ.)
    M, q0 ⊭io R ⟨⟨a⟩⟩N⟨⟨c⟩⟩◯⟨⟨a⟩⟩◯p → ⟨⟨a, c⟩⟩♦p.

[Figure: a two-agent structure with joint actions (−, putL), (−, putR), (shootL, −), (shootR, −) over states q0, q1, q2, q3 and the proposition shot; plus an agent c with no choices.]

So: ATL_is y and ATL_io z are incomparable for every y, z ∈ {R, r}.

3.6 Conclusions

Overview of the Results
    ATL*_IR ⊋ ATL*_Ir ⊋ ATL_IR = ATL_Ir
    ATL_IR ⊋ ATL_is R and ATL_IR ⊋ ATL_io R, where ATL_is R and ATL_io R are incomparable
    ATL_is R ⊋ ATL_is r and ATL_io R ⊋ ATL_io r, where ATL_is r and ATL_io r are again incomparable

"All" semantic variants are different on the level of general properties; before our study this was by no means obvious.
Strong pattern of subsumption (memory and information): very natural once you see it, but not obvious before.
In particular, the non-validities are interesting.
4. Reasoning and Examples

Outline
4 Reasoning and Examples
    Basic Modal Logic
    Axiomatic Systems
    Correspondence Theory
    Epistemic Logic
    Axioms for LTL
    Axioms for CTL
    Axioms for ATL

We present basic modal logic, based on the operator □, as a suitable framework for temporal and other logics.
We introduce Kripke models, based on a general accessibility relation, as the underlying structures. Special instances are the models of LTL, CTL and ATL considered earlier.
We consider semantic consequence in modal logic and the basics of correspondence theory: axioms involving □ correspond exactly to properties of the accessibility relation.
We very briefly look at epistemic interpretations of □: belief as opposed to knowledge.
We end by giving sound and complete axiomatic systems for LTL, CTL and ATL.

4.1 Basic Modal Logic

What is a Logic?
We present a framework for thinking about logics as languages for describing a problem, and as ways of talking about relational structures and models.
Two key components in the way we approach logic:
1. Language: fairly simple, precisely defined, formal languages.
2. Model (or relational structure): a simple "world" that the logic talks about.
Relational Structures
A relational structure is given by (W, {R1, ..., Rn}) and consists of:
- a non-empty set W, the elements of which are our objects of interest; they are called points, states, nodes, worlds, times, instants or situations;
- a non-empty set {R1, ..., Rn} of relations, Ri ⊆ W × W.
An important special case is when the Ri are equivalence relations. They can represent which worlds are considered indistinguishable for agent i, so we can model the situation where different agents have different views of the world.

The Basic Modal Language
Propositional logic can be seen as a one-point relational structure. But relational structures can describe much more: we can talk about points, lines, etc.
Therefore, we introduce the basic modal language on top of the propositional language by extending L_PL(Prop) with two new operators, possibility and necessity:
    ♦ϕ: ϕ is possible (we see one or more reachable states where ϕ holds);
    □ϕ: ϕ is necessary (in all reachable states ϕ holds).

Definition 4.1 (Basic modal language L_BML)
Let Prop be a set of propositions. The basic modal language L_BML(Prop) consists of all formulae defined by the following grammar:
    ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | □ϕ
where p ∈ Prop. Boolean macros are defined in the standard way. Additionally, we have the dual ♦ (called "diamond") of □:
    ♦ϕ := ¬□¬ϕ.

A Language for Relational Structures
We can talk about attributes by adding labels to nodes (e.g. painting them in a particular colour).

Example 4.2 (Colored graph I)
Imagine standing in a node of a colored graph. What can we see?
[Figure: two colored graphs; in each, does ♦blue hold at the node we are standing in?]
Example 4.3 (Colored graph II)
We imagine standing in a node of a colored graph. What can we see?
    ♦(black ∧ red) ∧ ♦♦green

Example 4.4
    blue → □black
    yellow → ♦yellow
    green → □black

Definition 4.5 (Kripke frame)
A Kripke frame is given by F = (W, R) where
- W is a non-empty set, called the set of worlds (the domain),
- R ⊆ W × W is a binary relation.
Frames are mainly used to talk about validities: they stand for a whole set of models.

Definition 4.6 (Kripke model)
A Kripke model is given by M = (W, R, V) where (W, R) is a Kripke frame and V : Prop → P(W) is called the labelling function or valuation. We also use V : W → P(Prop).
Kripke frames (resp. models) are simply relational structures (resp. relational structures with labels)!

Example 4.7
Consider the frame F = ({w1, w2, w3, w4, w5}, R) where R wi wj iff j = i + 1, together with the valuation V(p) = {w2, w3}, V(q) = {w1, w2, w3, w4, w5}, V(r) = ∅.
[Figure: the chain w1 → w2 → w3 → w4 → w5 with labels q; q, p; q, p; q; q.]
Frames vs. Models?
Frames: mathematical pictures of ontologies that we find interesting. That is, frames define the fundamental structure of the domain of interest. For example, we model time as a collection of points ordered by a strict partial order.
Models: frames extended by contingent information. That is, models extend the mathematical structure provided by frames by additional information.

Formal semantics of L_BML

Definition 4.8 (Semantics M, w |= ϕ)
Let M be a Kripke model, w ∈ W_M, and ϕ ∈ L_BML. ϕ is said to be locally true or satisfied in M and world w (called a pointed Kripke model), written M, w |= ϕ, if the following holds:
    M, w |= p        iff  w ∈ V_M(p), for p ∈ Prop,
    M, w |= ¬ϕ       iff  not M, w |= ϕ,
    M, w |= ϕ ∨ ψ    iff  M, w |= ϕ or M, w |= ψ,
    M, w |= □ϕ       iff  for all worlds w' ∈ W such that wRw' we have M, w' |= ϕ.
For Σ ⊆ L_BML we write M, w |= Σ iff M, w |= ϕ for all ϕ ∈ Σ.
Can Kripke models be used to interpret the propositional language? What about ♦ϕ? (Unfolding the macro: M, w |= ♦ϕ iff there is some w' with wRw' and M, w' |= ϕ.)

Internal and Local
Satisfaction of formulae is internal and local!
Internal: formulae are evaluated inside models at some given world.
Local: given a world, it is only possible to refer to direct successors of this world.
How does first-order logic compare to that?

Some Examples

Example 4.9
F = ({w1, w2, w3, w4, w5}, R) where R wi wj iff j = i + 1, and V(p) = {w2, w3}, V(q) = {w1, w2, w3, w4, w5}, V(r) = ∅.
[Figure: the chain w1 → w2 → w3 → w4 → w5 with labels q; q, p; q, p; q; q.]
Which of the following hold?
1. M, w1 |= ♦□p   (yes: w2 is a successor of w1, and its only successor w3 satisfies p)
2. M, w1 |= ♦□p → p   (no: the antecedent holds at w1, but p is false there)
3. M, w2 |= ♦(p ∧ ¬r)   (yes: witnessed by w3)
4. M, w1 |= q ∧ ♦(q ∧ ♦(q ∧ ♦(q ∧ ♦q)))   (yes: along w1, w2, w3, w4, w5)
5. M |= q   (yes: q holds at every world)
Kripke models as LTL and CTL structures
Kripke models can be seen as labelled directed graphs. Such models were used for LTL, CTL, CTL* and ATL, but with several modal operators (multi-modal).
LTL: here we consider Kripke models where the accessibility relation is a discrete linear order with a smallest element. We also require that the accessibility relation is serial: for each state there is a successor state (not necessarily a new one). We call these Kripke models LTL Kripke models.
CTL: here we consider Kripke models that are trees (i.e. acyclic, each node has at most one predecessor, and there is a unique root node) in which each path is infinite (serial accessibility relation). We call these Kripke models CTL Kripke models.
CTL*: here we consider arbitrary graphs.

Kripke models as ATL structures
In contrast to LTL and CTL, the logic ATL uses additional modal operators, namely ⟨⟨A⟩⟩ indexed by coalitions A. So we again have a multi-modal version, of which CTL can be seen as the one-player fragment.
The semantics of ATL is based on concurrent game structures, as described in the last chapter. These are labelled transition systems and can be seen as an instance of Kripke models. We call these models ATL models.
An axiomatization of ATL is thus a system that allows one to derive all formulae that are true in all possible concurrent game structures.

4.2 Axiomatic Systems

Sound and complete axiom system for propositional logic
There is a finitistic notion of proof that allows one to derive new formulae from given ones:
    Φ ⊢ φ: there is a proof of φ from Φ.
It is based on a finite system of axioms and (MP) as the only inference rule: from ϕ and ϕ → ψ infer ψ.
The axiom system has the following property for arbitrary sets Φ (infinite or not):
    Φ ⊢ φ   iff   Φ |= φ.
The direction from left to right is called soundness, the other direction completeness.
Definition 4.10 (Soundness and completeness of a calculus)
Given an arbitrary calculus (which defines a notion ⊢) and a semantics based on certain models (which defines a relation |=), we say that
Soundness: the calculus is sound (also called correct) with respect to the semantics if Φ ⊢ φ implies Φ |= φ.
Completeness: the calculus is complete with respect to the semantics if Φ |= φ implies Φ ⊢ φ.

A general notion of a certain sort of calculi:

Definition 4.11 (Hilbert-type calculi)
A Hilbert-type calculus over a language L is a pair ⟨Ax, Inf⟩ where
- Ax is a subset of Fml_L, the set of well-formed formulae in L; its elements are called axioms,
- Inf is a set of pairs, written in the form
        φ1, φ2, ..., φn
        ───────────────
               ψ
  where φ1, φ2, ..., φn, ψ are L-formulae; they are called inference rules.
Intuitively, one can take all axioms as "true formulae" (tautologies) and then use the inference rules to derive even more new formulae.

Definition 4.12 (Calculus for Sentential Logic SL)
We define Hilbert^SL_L = ⟨Ax^SL_L, {MP}⟩, the Hilbert-type calculus for L ⊆ L_SL with the well-formed formulae Fml_L.
The axioms in SL (Ax^SL_L) are all instances of the following schemata:
1. φ → ⊤,  ⊥ → φ,  ¬⊤ → ⊥,  ⊥ → ¬⊤,
2. (φ → ψ) → ((φ → (ψ → χ)) → (φ → χ)),
3. (φ ∧ ψ) → φ,  (φ ∧ ψ) → ψ,
4. φ → (φ ∨ ψ),  ψ → (φ ∨ ψ),
5. ¬¬φ → φ,  (φ → ψ) → ((φ → ¬ψ) → ¬φ),
6. φ → (ψ → φ),  φ → (ψ → (φ ∧ ψ)),
7. (φ → χ) → ((ψ → χ) → (φ ∨ ψ → χ)).

Definition (continued)
The only inference rule in SL is modus ponens:
    MP : Fml × Fml → Fml : (ϕ, ϕ → ψ) ↦ ψ,
or, in short,
        ϕ,  ϕ → ψ
        ──────────  (MP)
            ψ
(ϕ, ψ are arbitrarily complex formulae).
φ, ψ, χ stand for arbitrarily complex formulae (not just constants). They represent schemata rather than formulae of the language.
Theorem 4.13 (Soundness and completeness of Hilbert^SL_L)
A formula follows semantically from a theory Φ if and only if it can be derived:
    Φ |= ϕ   if and only if   Φ ⊢ ϕ.
A similar result holds for first-order logic: there is also a Hilbert-type calculus that is sound and complete.
However, first-order logic is in general undecidable: the set of valid formulae is recursively enumerable, but it is not recursive.
Many (propositional) modal logics likewise have sound and complete Hilbert-type calculi; unlike first-order logic, the basic systems and the temporal logics considered here are decidable.

Validity in Modal Logic
We take on a global point of view. Given a specification like ϕ := ¬crash, in which states should it be true?

Definition 4.14 (Validity)
A formula ϕ is called valid or globally true in a model M iff M, w |= ϕ for all w ∈ W_M. We write M |= ϕ.
ϕ is satisfiable in M if M, w |= ϕ for some w ∈ W_M.
Analogously, a set Σ of formulae is valid (resp. satisfiable) in M iff all formulae in Σ are valid (resp. satisfiable) in M.
Validity and satisfiability are dual concepts: ϕ is valid in M iff ¬ϕ is not satisfiable in M.

Example 4.15
In which models is the following formula true?
    □(p → q) → (□p → □q)
    M, w |= □(p → q)
    iff      ∀w' (wRw' ⇒ M, w' |= p → q)
    iff      ∀w' (wRw' ⇒ (M, w' |= p ⇒ M, w' |= q))
    implies  (∀w' (wRw' ⇒ M, w' |= p)) ⇒ (∀w' (wRw' ⇒ M, w' |= q))
    iff      M, w |= □p ⇒ M, w |= □q
    iff      M, w |= □p → □q
The formula is true in any frame and hence in any model. It corresponds to a tautology in propositional logic.

Modal Consequence Relation
Up to now we verified formulae in a given model and state. Often it is interesting to know whether a property follows from a given set of formulae.

Definition 4.16 (Local Consequence Relation)
Let 𝓜 be a class of models, Σ a set of formulae and ϕ a formula. ϕ is a (local) semantic consequence of Σ over 𝓜, written Σ |=_𝓜 ϕ, if for all M ∈ 𝓜 and all w ∈ W_M it holds that M, w |= Σ implies M, w |= ϕ.
If 𝓜 is the class of all models we just say that ϕ is a (local) consequence of Σ and write Σ |= ϕ.
Frames and Validity
In Example 4.15 we have seen that a formula can be true (or false) for all valuations. We can speak about structural properties ignoring contingent information.

Definition 4.17 (Frame validity: F |= ϕ)
Let F be a frame and ϕ ∈ L_BML.
1. ϕ is valid in F at w ∈ W_F, written F, w |= ϕ, if M, w |= ϕ for all models M = (F, π) based on F.
2. ϕ is valid in F, written F |= ϕ, if F, w |= ϕ for all w ∈ W_F.
3. Let 𝓕 be a class of frames. ϕ is said to be valid in 𝓕 if ϕ is valid in each frame F ∈ 𝓕.

Lemma 4.18 (Distribution axioms)
The two formulae
    ♦(p ∨ q) → (♦p ∨ ♦q)
    □(p → q) → (□p → □q)
are both valid in all Kripke frames F. The last formula is also called axiom K.
Proof. Exercise and Example 4.15.

Example 4.19
Is ♦⊤ valid in all frames? In which class of frames is it valid? What about □⊤?
[Figure: two frames over the worlds w1, w2.]
(♦⊤ holds at w iff w has a successor, so it is valid exactly in the serial frames; □⊤ is valid in every frame.)

Example 4.20
Is ♦♦p → ♦p true in w1?
[Figure: two models over the worlds w1, w2, w3 with p true at some of them.]
Is there a class of frames in which the formula is valid? (Its dual is axiom 4; it is valid in exactly the transitive frames.)

Example 4.21
Let 𝓜 be the class of transitive models. Then:
1. ♦♦p |=_𝓜 ♦p,
2. □p |=_𝓜 □□p, but
3. □□p |=_𝓜 □p does not hold.
In fact, there is a class of models 𝓜' for which ♦♦p |=_𝓜' ♦p holds, but no model in 𝓜' is transitive.
4.3 Correspondence Theory

Correspondence Theory
We have learnt that some formulae are valid in particular frames, e.g. ♦♦ϕ → ♦ϕ is valid in all transitive frames. Here we consider such correspondences systematically.

Definition 4.22 (KDT45)
We define the following formulae, which will play an important role in defining various modal logics:
    K   □(p → q) → (□p → □q)
    D   ¬□(p ∧ ¬p)
    T   □p → p
    4   □p → □□p
    5   ¬□p → □¬□p
In epistemic logic, e.g., these formulae will have intuitive epistemic readings.

Properties of Frames (1)
We consider properties of the accessibility relation R of frames:
    Serial:      for all w there is a w' with wRw'.
    Reflexive:   for all w: wRw.
    Transitive:  for all w, w', w'': wRw' and w'Rw'' implies wRw''.
    Euclidean:   for all w, w', w'': wRw' and wRw'' implies w'Rw''.
    Symmetric:   for all w, w': wRw' implies w'Rw.

Definition 4.23 (Frame property)
We say a frame F = (W, R) has property X if its relation R has property X.
Remember Slide 173, where we discussed transitive frames.

Example 4.24
We have
    F |= □p → p   iff   F is reflexive.
Let F be a frame satisfying □p → p, that is, for all w ∈ W, F, w |= □p → p. This is the case if for all models M over F and all w ∈ W, M, w |= □p → p.
Which properties must R satisfy? Suppose R is not reflexive. Then there is a state w' with not w'Rw'. Make p true at all states of W \ {w'}. Then M, w' |= □p (every successor of w' lies in W \ {w'}) but M, w' ⊭ p, so M, w' ⊭ □p → p and hence F ⊭ □p → p. Contradiction!
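The following Python code is an added worked example; it is not part of the slides. It implements the satisfaction relation of Definition 4.8 for finite Kripke models, evaluates the five statements of Example 4.9 on the chain model of Example 4.7, and decides frame validity (Definition 4.17) by enumerating every valuation of the atoms of the formula, which is enough to reproduce the correspondence of Example 4.24 (T holds on a frame iff it is reflexive) and the analogous one for axiom 4 on two small constructed frames. The tuple encoding of formulas, the function names and the two test frames are choices made for this example.

```python
"""Kripke semantics for the basic modal language (Definition 4.8), validity
in a model (Definition 4.14), frame validity by enumerating valuations
(Definition 4.17) and the T/4 correspondences (Example 4.24).
Added example; the tuple encoding of formulas is an assumption:
    "p" | ("not", f) | ("or", f, g) | ("box", f)    other connectives are macros
"""
from itertools import product


def imp(f, g):                       # f → g := ¬f ∨ g
    return ("or", ("not", f), g)


def diamond(f):                      # ♦f := ¬□¬f
    return ("not", ("box", ("not", f)))


def conj(f, g):                      # f ∧ g := ¬(¬f ∨ ¬g)
    return ("not", ("or", ("not", f), ("not", g)))


def atoms(f):
    """Propositions occurring in f."""
    return {f} if isinstance(f, str) else set().union(*(atoms(x) for x in f[1:]))


def sat(frame, val, w, f):
    """M, w |= f for the model M = (frame, val); frame = (W, R) with R a set
    of pairs, val maps each proposition to the set of worlds where it holds."""
    W, R = frame
    if isinstance(f, str):
        return w in val.get(f, set())
    if f[0] == "not":
        return not sat(frame, val, w, f[1])
    if f[0] == "or":
        return sat(frame, val, w, f[1]) or sat(frame, val, w, f[2])
    if f[0] == "box":                # every R-successor of w satisfies f[1]
        return all(sat(frame, val, v, f[1]) for v in W if (w, v) in R)
    raise ValueError(f)


def valid_in_model(frame, val, f):   # M |= f (Definition 4.14)
    return all(sat(frame, val, w, f) for w in frame[0])


def valid_in_frame(frame, f):
    """F |= f (Definition 4.17): true under every valuation of the atoms of f.
    Finite frames only; all 2^(|W| * |atoms|) valuations are enumerated."""
    worlds, props = sorted(frame[0]), sorted(atoms(f))
    for bits in product([False, True], repeat=len(worlds) * len(props)):
        val = {p: {w for j, w in enumerate(worlds) if bits[i * len(worlds) + j]}
               for i, p in enumerate(props)}
        if not valid_in_model(frame, val, f):
            return False
    return True


def is_reflexive(frame):
    W, R = frame
    return all((w, w) in R for w in W)


def is_transitive(frame):
    _, R = frame
    return all((a, c) in R for (a, b) in R for (b2, c) in R if b == b2)


# Example 4.7 / 4.9: the chain w1 -> w2 -> w3 -> w4 -> w5 (worlds as integers).
CHAIN = ({1, 2, 3, 4, 5}, {(i, i + 1) for i in range(1, 5)})
CHAIN_VAL = {"p": {2, 3}, "q": {1, 2, 3, 4, 5}, "r": set()}

T_AXIOM = imp(("box", "p"), "p")                        # T: □p → p
FOUR_AXIOM = imp(("box", "p"), ("box", ("box", "p")))   # 4: □p → □□p
K_AXIOM = imp(("box", imp("p", "q")), imp(("box", "p"), ("box", "q")))


def example_4_9():
    """Truth values of the five statements of Example 4.9, in order."""
    nested = "q"
    for _ in range(4):               # q ∧ ♦(q ∧ ♦(q ∧ ♦(q ∧ ♦q)))
        nested = conj("q", diamond(nested))
    return (
        sat(CHAIN, CHAIN_VAL, 1, diamond(("box", "p"))),          # ♦□p at w1
        sat(CHAIN, CHAIN_VAL, 1, imp(diamond(("box", "p")), "p")),
        sat(CHAIN, CHAIN_VAL, 2, diamond(conj("p", ("not", "r")))),
        sat(CHAIN, CHAIN_VAL, 1, nested),
        valid_in_model(CHAIN, CHAIN_VAL, "q"),
    )


def correspondence_demo():
    """T is frame-valid exactly on the reflexive frame and 4 exactly on the
    transitive one, while K holds on both (two constructed frames)."""
    reflexive = ({0, 1}, {(0, 0), (1, 1), (0, 1)})       # reflexive and transitive
    two_step = ({0, 1, 2}, {(0, 1), (1, 2)})             # neither
    return {
        "T_on_reflexive": valid_in_frame(reflexive, T_AXIOM),
        "T_on_two_step": valid_in_frame(two_step, T_AXIOM),
        "4_on_reflexive": valid_in_frame(reflexive, FOUR_AXIOM),
        "4_on_two_step": valid_in_frame(two_step, FOUR_AXIOM),
        "K_on_both": valid_in_frame(reflexive, K_AXIOM) and valid_in_frame(two_step, K_AXIOM),
        "relation_checks": (is_reflexive(reflexive), is_transitive(reflexive),
                            is_reflexive(two_step), is_transitive(two_step)),
    }
```

Calling example_4_9() returns (True, False, True, True, True), matching the answers given for Example 4.9, and correspondence_demo() shows T failing on the non-reflexive frame and 4 failing on the non-transitive one while K survives on both, as Lemma 4.18 and Example 4.24 predict. The valuation enumeration is exponential in the number of worlds times atoms, which is fine for checking a correspondence on a handful of worlds but is not how a model checker works; it is the literal content of Definition 4.17.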
Now suppose we are given a reflexive frame F and suppose F ⊭ □p → p. Then there is a model M = (F, π) and a state w with M, w ⊭ □p → p, that is, M, w |= □p and M, w ⊭ p. By reflexivity we have wRw. But then, from M, w |= □p it follows that M, w |= p. Contradiction! We must have F |= □p → p.
In other words, axiom T characterises reflexive frames.

Validity in Several Frames (3)

Lemma 4.25 (Appropriate frames)
Let (W, R) be a Kripke frame. Then the following holds:
    K: (W, R) |= □(p → q) → (□p → □q).
    D: (W, R) |= ¬□(p ∧ ¬p)   iff R is serial.
    T: (W, R) |= □p → p   iff R is reflexive.
    4: (W, R) |= □p → □□p   iff R is transitive.
    5: (W, R) |= ¬□p → □¬□p   iff R is Euclidean.
    B: (W, R) |= p → □♦p   iff R is symmetric.
Proof. Exercise.

Axiomatic Systems
As in classical logic, one can ask for a complete axiom system. Is there a calculus that allows one to derive all sentences true in all Kripke models?

Definition 4.26 (System K)
The system K is the extension of the propositional calculus by the axiom
    K   (□ϕ ∧ □(ϕ → ψ)) → □ψ
and the inference rule
          ϕ
        ─────  (Necessitation)
         □ϕ
Note that ϕ and ψ can be substituted by any formula.

Proposition 4.27
Axiom K is equivalent to □(ϕ → ψ) → (□ϕ → □ψ).

Theorem 4.28 (Soundness and completeness of K)
System K is sound and complete with respect to arbitrary Kripke models.
Note that we have not assumed any properties of the accessibility relation R: it is just any binary relation.
Assuming that R is an equivalence relation, what additional statements (axioms) are true in all such Kripke models?
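As an added example (not from the slides), the following Python proof checker makes the "finitistic notion of proof" concrete: it implements a Hilbert-type calculus in the sense of Definition 4.11 for System K (Definition 4.26), using a handful of the propositional schemata of Definition 4.12, axiom K in the form of Proposition 4.27, modus ponens and necessitation, and verifies a four-line derivation of □(p ∧ q) → □p. Each line of a derivation must be an axiom instance or follow from earlier lines by a rule, which is exactly what makes a proof checkable without any semantics. The tuple encoding of formulas, the metavariables A, B, C, the selection of schemata and the function names are assumptions of this example.

```python
"""Checker for derivations in a Hilbert-type calculus (Definition 4.11),
instantiated with System K (Definition 4.26): some propositional schemata of
Definition 4.12, axiom K (Proposition 4.27), modus ponens and necessitation.
Added example; the encoding is an assumption:
    "p" | ("not", f) | ("imp", f, g) | ("and", f, g) | ("box", f)
Schema metavariables are the strings "A", "B", "C".
"""

META = {"A", "B", "C"}

AXIOMS = {                       # schemata; every instance is an axiom
    "and-elim-l": ("imp", ("and", "A", "B"), "A"),
    "and-elim-r": ("imp", ("and", "A", "B"), "B"),
    "weakening": ("imp", "A", ("imp", "B", "A")),
    "distribution": ("imp", ("imp", "A", ("imp", "B", "C")),
                     ("imp", ("imp", "A", "B"), ("imp", "A", "C"))),
    "K": ("imp", ("box", ("imp", "A", "B")),
          ("imp", ("box", "A"), ("box", "B"))),
}


def match(schema, formula, binding=None):
    """Binding of metavariables under which schema equals formula, or None.
    One-way matching: only the schema contains metavariables."""
    binding = {} if binding is None else binding
    if isinstance(schema, str):
        if schema not in META:                 # concrete atom inside a schema
            return binding if schema == formula else None
        if schema in binding:                  # metavariable seen before
            return binding if binding[schema] == formula else None
        binding[schema] = formula
        return binding
    if isinstance(formula, str) or schema[0] != formula[0] or len(schema) != len(formula):
        return None
    for s, f in zip(schema[1:], formula[1:]):
        binding = match(s, f, binding)
        if binding is None:
            return None
    return binding


def is_axiom(formula):
    return any(match(ax, formula) is not None for ax in AXIOMS.values())


def check_proof(steps):
    """steps: list of (formula, justification) with justifications
    ("ax",), ("mp", i, j) meaning step j is (step i -> formula), or
    ("nec", i) meaning formula is box(step i), where i, j < current step.
    Returns (True, None) or (False, index of the first unjustified step)."""
    proved = []
    for n, (formula, just) in enumerate(steps):
        if just[0] == "ax":
            ok = is_axiom(formula)
        elif just[0] == "mp":
            i, j = just[1], just[2]
            ok = i < n and j < n and proved[j] == ("imp", proved[i], formula)
        elif just[0] == "nec":
            ok = just[1] < n and formula == ("box", proved[just[1]])
        else:
            ok = False
        if not ok:
            return False, n
        proved.append(formula)
    return True, None


BOX_PQ_TO_BOX_P = ("imp", ("box", ("and", "p", "q")), ("box", "p"))

# A four-line derivation of □(p ∧ q) → □p in System K.
PROOF = [
    (("imp", ("and", "p", "q"), "p"), ("ax",)),                        # 0: and-elim-l
    (("box", ("imp", ("and", "p", "q"), "p")), ("nec", 0)),            # 1: Necessitation
    (("imp", ("box", ("imp", ("and", "p", "q"), "p")),
      ("imp", ("box", ("and", "p", "q")), ("box", "p"))), ("ax",)),    # 2: axiom K
    (BOX_PQ_TO_BOX_P, ("mp", 1, 2)),                                   # 3: MP on 1, 2
]

# Necessitation applies to theorems only: ¬p is not an axiom, so this is rejected at step 0.
BOGUS = [
    (("not", "p"), ("ax",)),
    (("box", ("not", "p")), ("nec", 0)),
]

# MP with premises that do not have the shapes φ and φ → ψ is rejected at step 2.
WRONG_MP = [
    (("imp", ("and", "p", "q"), "p"), ("ax",)),
    (("imp", "p", ("imp", "q", "p")), ("ax",)),
    ("p", ("mp", 0, 1)),
]
```

check_proof(PROOF) returns (True, None), while the two malformed derivations are rejected at the offending step. Note that the checker never looks at a Kripke model: soundness (Theorem 4.28) is what guarantees that every formula it accepts is valid in all Kripke models, and completeness that every such validity has a derivation it would accept.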
Theorem 4.29 (Sound and complete subsystems)
Let X be any subset of {D, T, 4, 5} and let X' be the subset of {serial, reflexive, transitive, Euclidean} corresponding to X. Then system K extended with the axioms X is sound and complete with respect to Kripke frames which satisfy the properties X'.
For example, we have the following important instance:

Corollary 4.30 (KT45)
System KT45 is sound and complete with respect to Kripke frames with an accessibility relation which is an equivalence relation. (T, 4 and 5 force the relation to be reflexive, transitive and Euclidean, and a reflexive Euclidean relation is symmetric, hence an equivalence relation.)

4.4 Epistemic Logic

Interpreting □_i as knowledge
Let us now assume we have several agents i and we interpret □_i ϕ as "agent i knows that ϕ". In that case one often writes K_i ϕ instead of □_i ϕ.

Accessibility relation
What does the equivalence relation encode? Incomplete information: wRw' means the agent cannot distinguish w and w'; both states provide the same information.
Knowledge = truth in all indistinguishable states.

What other properties should hold when interpreting □ as knowledge?
    K   K(p → q) → (Kp → Kq)
    D   ¬K⊥                 consistency
    T   Kp → p              truth
    4   Kp → KKp            positive introspection
    5   ¬Kp → K¬Kp          negative introspection
Interpreting □ as belief
Up to now we were thinking of □_i ϕ as "agent i knows that ϕ". What if we interpret the operator as belief? Under such an interpretation axiom T is usually not assumed to hold (beliefs may be false), but all the other axioms make sense.

Definition 4.31 (System KD45)
The axiom system KD45 is called the standard logic of belief. Axiom K is called logical omniscience, axiom D consistency, and axiom 4 (resp. axiom 5) positive (resp. negative) introspection.

4.5 Axioms for LTL

Note that
- we have "¬", "∨" as basic propositional operators (all the others are macros), and
- "· U ·" and "X·" as basic LTL operators.
All other operators are defined as usual.

Weak completeness
Like many modal logics, LTL is only weakly complete, i.e.
    Φ |= ψ implies Φ ⊢ ψ
is only true for finite sets Φ, not for infinite sets.
The set {r → s, r → Xs, r → XXs, ...} serves as a counterexample. It certainly implies r → Gs, but this cannot be inferred using any sound axiom system: no finite subset of the above set implies this formula, and a derivation can only use finitely many premises.
Theorem 4.32 (Axiomatization of LTL)
The system consisting of Hilbert^SL_L and the following
    (A1)   G(ϕ → Xϕ) → (ϕ → Gϕ)
    (A2)   (ϕ U ψ) ↔ (ψ ∨ (ϕ ∧ X(ϕ U ψ)))
    (A3)   (ϕ U ψ) → Fψ
    (Fun)  ¬Xϕ ↔ X¬ϕ
    (KX)   X(ϕ → ϕ') → (Xϕ → Xϕ')
    (NX)   from ϕ infer Xϕ
    (KG)   G(ϕ → ϕ') → (Gϕ → Gϕ')
    (NG)   from ϕ infer Gϕ
is sound and weakly complete with respect to LTL Kripke models.

4.6 Axioms for CTL

Note that
- we have "¬", "∨" as basic propositional operators (all the others are macros), and
- "E(· U ·)", "EX·" and "EG·" as basic CTL operators.
All other operators are defined as usual.

Theorem 4.33 (Axiomatization of CTL)
The system consisting of Hilbert^SL_L and the following
    (A1)   EFϕ ↔ E(⊤ U ϕ)
    (A1')  AFϕ ↔ A(⊤ U ϕ)
    (A2)   AGϕ ↔ ¬EF¬ϕ
    (A2')  EGϕ ↔ ¬AF¬ϕ
    (A3)   EX(ϕ ∨ ψ) ↔ (EXϕ ∨ EXψ)
    (A4)   AXϕ ↔ ¬EX¬ϕ
    (A5)   EX⊤ ∧ AX⊤
    (A6)   E(ϕ U ψ) ↔ (ψ ∨ (ϕ ∧ EXE(ϕ U ψ)))
    (A6')  A(ϕ U ψ) ↔ (ψ ∨ (ϕ ∧ AXA(ϕ U ψ)))
    (A7)   AG(ρ → (¬ψ ∧ EXρ)) → (ρ → ¬A(ϕ U ψ))
    (A8)   AG(ρ → (¬ψ ∧ EXρ)) → (ρ → ¬AFψ)
    (A9)   AG(ρ → (¬ψ ∧ (ϕ → AXρ))) → (ρ → ¬E(ϕ U ψ))
    (A10)  AG(ρ → (¬ψ ∧ AXρ)) → (ρ → ¬EFψ)
    (A11)  AG(ϕ → ψ) → (EXϕ → EXψ)
    (R)    from ϕ infer AGϕ
is sound and weakly complete with respect to CTL Kripke models.
A (very complicated) sound and complete (with respect to the appropriate Kripke models) axiomatization of CTL* has been given in [Reynolds, 2001].

4.7 Axioms for ATL

Note that
- we have "¬", "∨" as basic propositional operators (all the others are macros),
- "⟨⟨A⟩⟩◯·", "⟨⟨A⟩⟩□·" and "⟨⟨A⟩⟩(· U ·)" as basic ATL operators,
- all other operators are defined as usual, and
- we only consider the version of ATL based on perfect information and perfect recall: ATL_IR (= ATL_Ir).

Theorem 4.34 (Axiomatization of ATL)
The system consisting of Hilbert^SL_L and the following (where A, A1, A2 are subsets of Agt and A1, A2 are disjoint)
    (⊥)      ¬⟨⟨A⟩⟩◯⊥
    (⊤)      ⟨⟨A⟩⟩◯⊤
    (Agt)    ¬⟨⟨∅⟩⟩◯¬ϕ → ⟨⟨Agt⟩⟩◯ϕ
    (S)      (⟨⟨A1⟩⟩◯ϕ1 ∧ ⟨⟨A2⟩⟩◯ϕ2) → ⟨⟨A1 ∪ A2⟩⟩◯(ϕ1 ∧ ϕ2)
    (FP□)    ⟨⟨A⟩⟩□ϕ ↔ (ϕ ∧ ⟨⟨A⟩⟩◯⟨⟨A⟩⟩□ϕ)
    (GFP□)   ⟨⟨∅⟩⟩□(θ → (ϕ ∧ ⟨⟨A⟩⟩◯θ)) → ⟨⟨∅⟩⟩□(θ → ⟨⟨A⟩⟩□ϕ)
    (FP_U)   ⟨⟨A⟩⟩(ϕ1 U ϕ2) ↔ (ϕ2 ∨ (ϕ1 ∧ ⟨⟨A⟩⟩◯⟨⟨A⟩⟩(ϕ1 U ϕ2)))
    (LFP_U)  ⟨⟨∅⟩⟩□((ϕ2 ∨ (ϕ1 ∧ ⟨⟨A⟩⟩◯θ)) → θ) → ⟨⟨∅⟩⟩□(⟨⟨A⟩⟩(ϕ1 U ϕ2) → θ)
    (Mon)    from ϕ1 → ϕ2 infer ⟨⟨A⟩⟩◯ϕ1 → ⟨⟨A⟩⟩◯ϕ2
    (Nec)    from ϕ infer ⟨⟨∅⟩⟩□ϕ
is sound and weakly complete with respect to ATL models (concurrent game structures).
This axiomatization is from [Goranko and van Drimmelen, 2006a]. Nothing is known for ATL*, ATL+, ATL_ir or ATL_iR.
5. Complexity of Verification: Model Checking

Outline
5 Complexity of Verification: Model Checking
    What is Model Checking?
    Model Checking Temporal Logic
    LTL: Automaton A_ϕ and Proof of Theorem (skipped)
    Model Checking MAS with Perfect Information and Recall
    Model Checking MAS with Imperfect Information or No Recall
    Summary of Complexity Results

We introduce the model checking method, which can be used for the verification of systems.
We show how automata on infinite words can be used to solve the model checking problem for LTL.
We present polynomial time algorithms for CTL and ATL.
We determine the model checking complexity of CTL* using the results for LTL.
We identify the complexities of the remaining strategic logics.

5.1 What is Model Checking?

Why do we need verification methods?

AT&T Telephone Network Outage (1990)
Problem in New York City: 9 hour outage of large parts of the US telephone network.
Costs: several hundred million $.
Source: wrong interpretation of a break statement in C.
"... Virtually the entire AT&T network of 4ESS toll tandem switches went in and out of service over and over again on Jan. 15, 1990 ... A software bug was found." [Wikipedia]

Acknowledgment: the following presentation is partly based on the book "Principles of Model Checking" by Christel Baier and Joost-Pieter Katoen.
Ariane 5 Disaster (1996)
Loss of the Ariane 5 rocket on its maiden flight.
Costs: > 500 million $.
Source: "... a data conversion from a 64-bit floating point to 16-bit signed integer value caused a hardware exception ..." [Wikipedia]

Pentium FDIV Bug (1994)
(FDIV: floating point division unit)
Incorrect results.
Costs: 500 million $ and loss of image.
Source: "... Certain floating point division operations performed with these processors would produce incorrect results." [Wikipedia]

What are the lessons learned? Verification may pay off! In such cases the extra costs and effort put into proper verification techniques may be cheaper than the consequences of an error.

Software becomes larger.
Use in safety-critical systems and important domains.
Increasing need for reliable software.
Errors can be costly and fatal (Ariane 5 launch, stock market systems, ...).
Mass production of products (errors are expensive: computer chips, ...).

Approaches:
- Testing and reviewing (non-formal methods).
- Deductive methods (Hoare calculus), integrated with the code (undecidable in general; expertise during programming necessary).
- Model checking (but how is the correct model obtained?).
Model Checking Technique
[Figure: the model checking workflow. An informal problem (e.g. a mobile phone) and a (safety) property (e.g. deadlock free) are formalised into a formal model and a formal (logical) specification; the model checker either answers "true" or answers "false" together with a counterexample, which points to a flaw in the system.]

Errors are expensive: Ariane 5 missile crash, . . .
Model checking provides means to detect such errors!
[Figure: a formal model, the three-state game structure with states q0 (pos0), q1 (pos1), q2 (pos2) and transitions labelled wait,wait / push,push / wait,push / push,wait.]
Let's model check . . . M |= ⟨⟨{1, 2}⟩⟩□g ? Computational complexity?

Model checking refers to the problem to determine whether a given formula ϕ is satisfied in a state q of model M.
Local model checking is the decision problem that determines membership in the set
MC(L, Struc, |=) := {(M, q, ϕ) ∈ Struc × L | M, q |= ϕ},
where
L is a logical language,
Struc is a class of (pointed) models for L (i.e. a tuple consisting of a model and a state), and
|= is a semantic satisfaction relation compatible with L and Struc.

Global model checking: Determine all states in which ϕ is true.
Here: The complexities of local and global model checking coincide.
We are interested in the decidability and the computational complexity of determining whether an input instance (M, q, ϕ) belongs to MC(. . .).
Input size
Important: The complexity is always relative to the size of the input! That is, the size of the representation of the model and the representation of the formula that we use.
In order to establish the complexity, it is necessary to fix how we represent the input and how we measure its size.
Be careful . . . if numbers are involved!

Size of the model (|M|): number of (states and) transitions in M.
Size of the formula (|ϕ|): given by its length (i.e., the number of elements it is composed of, apart from parentheses). For example, the formula A□(pos0 ∨ pos1) has length 5.

Remark 5.1
Sometimes it makes sense to only consider the size of the model or of the formula. In this course, we always consider the size of the model and of the formula.

5.2 Model Checking Temporal Logic
Let M be a Kripke model and q be a state in the model. Model checking an L_CTL/L_CTL∗-formula ϕ in M, q means to determine whether M, q |= ϕ, i.e., whether ϕ holds in M, q.
For LTL, checking M, q |= ϕ means that we check whether ϕ holds on all the paths in M which start from q. That is, it is equivalent to CTL∗ model checking of the formula Aϕ in M, q.

Representation of Paths
Consider the path λ = q_{i1} q_{i2} . . . with i1.i2 i3 i4 · · · = 3.14159265 . . . . How can we represent such a path? We need a finite representation.
Remark 5.2 (Representation of paths)
Paths are infinite entities. They are theoretical constructs. We need a finite representation!
We consider paths in a Kripke structure. We use a (pointed) Kripke model M, q and consider the problem whether an L_LTL-formula holds on all paths of M starting in q.

Model Checking CTL
We determine all states in which ϕ holds:
ϕ = p: Return all states in which p holds.
ϕ = ¬ψ: Suppose ψ holds in Q1. Return Q \ Q1.
ϕ = ψ1 ∧ ψ2: Suppose ψi holds in Qi. Return Q1 ∩ Q2.
ϕ = E◯ψ: Suppose ψ holds in Q1. Return all states Q' which lead to some state in Q1. Q' is the preimage of Q1.
Preimage: Formally, given a set of states Q' ⊆ Q, the preimage of Q', pre(Q'), consists of all states q such that there is a state q' ∈ Q' with (q, q') ∈ R.
[Figure: a set of states Q1 and its preimage pre(Q1).]

ϕ = E□ψ: Suppose ψ holds in Q1 and that Q' is returned. Then, we make the following observations:
Q' ⊆ Q1.
For all states q ∈ Q' there is a state q' with qRq' and q' ∈ Q' ⊆ Q1.
Hence, we are looking for the greatest set Q' with these properties. Actually, this observation corresponds to the following fixed-point formula:
E□ϕ ↔ ϕ ∧ E◯E□ϕ.
The formula allows to compute a satisfying path step-by-step by computing the greatest fixed-point
νX.[ϕ]_M ∩ pre(X),
where [ϕ]_M denotes the set of states in which ϕ holds.

ϕ = E♦ψ: Similarly, we have
E♦ϕ ↔ ϕ ∨ E◯E♦ϕ,
hence we return the smallest fixed-point
µX.[ϕ]_M ∪ pre(X).
ϕ = Eϕ1 U ϕ2: Similarly, we have
Eϕ1 U ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ E◯Eϕ1 U ϕ2),
hence we return the smallest fixed-point
µX.[ϕ2]_M ∪ ([ϕ1]_M ∩ pre(X)).
Note that the three (associated) functions are monotone (the iterations decrease from Q for ν, resp. increase from ∅ for µ), hence by Knaster/Tarski the greatest and smallest fixed-points exist.
Model checking E□ψ
[Figure: iteration of the greatest fixed-point computation for E□ψ. Initially Q1 = Q and Q2 = Q3 = [ψ]_M; in each round Q1 := Q1 ∩ Q2 and Q2 := Q3 ∩ pre(Q1).]

Theorem 5.3 (CTL [Clarke et al., 1986, Schnoebelen, 2003])
Model checking CTL is P-complete, and can be done in time O(|M| · |ϕ|), where |M| is given by the number of transitions.
Proof. The algorithm determining the states in a model at which a given formula holds is presented in Figure 4 on Slide 221. The lower bound (P-hardness) can for instance be proven by a reduction of the Circuit-Value-Problem [Schnoebelen, 2003].

function mcheck(M, ϕ).
case ϕ ≡ p : return {q ∈ Q | p ∈ π(q)}
case ϕ ≡ ¬ψ : return Q \ mcheck(M, ψ)
case ϕ ≡ ψ1 ∧ ψ2 : return mcheck(M, ψ1) ∩ mcheck(M, ψ2)
case ϕ ≡ E◯ψ : return pre(mcheck(M, ψ))
case ϕ ≡ E□ψ : Q1 := Q; Q2 := Q3 := mcheck(M, ψ);
    while Q1 ⊈ Q2 do Q1 := Q1 ∩ Q2; Q2 := pre(Q1) ∩ Q3 od;
    return Q1
case ϕ ≡ Eψ1 U ψ2 : Q1 := ∅; Q2 := mcheck(M, ψ2); Q3 := mcheck(M, ψ1);
    while Q2 ⊈ Q1 do Q1 := Q1 ∪ Q2; Q2 := pre(Q1) ∩ Q3 od;
    return Q1
end case
Figure 4: CTL-model checking algorithm

Büchi automata
We are mainly interested in the complexity class (and an abstract algorithm) of the model checking problem. Is there a more convenient way to determine the complexity without working out the algorithm?
Automata theory to build algorithms:
Unified approach.
Automata are well studied.
Simplifies complexity analysis.
Usually, one is only interested in a complexity class. It is very time-demanding to come up with a good algorithm.
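The following Python program is an added worked example (not code from the course) that implements the mcheck procedure of Figure 4 literally, with the E□ and E(ψ1 U ψ2) cases as the greatest and least fixed-point loops from the slides. The tuple encoding of formulas and the Kripke model (a small login controller with a lockout state) are constructed for illustration.

```python
"""CTL model checking per Figure 4 (function mcheck) with explicit fixed-point loops.

Constructed encoding of formulas as nested tuples:
  ("true",)  ("atom", "p")  ("not", f)  ("and", f, g)
  ("EX", f) = E◯f    ("EG", f) = E□f    ("EU", f, g) = E(f U g)
A Kripke model is (states, R, pi): R a set of pairs, pi a labelling."""


def pre(model, target):
    """pre(target): all states with some R-successor in `target`."""
    _, R, _ = model
    return {q for (q, q2) in R if q2 in target}


def mcheck(model, phi):
    """Global model checking: the set of states of `model` satisfying `phi`."""
    states, R, pi = model
    op = phi[0]
    if op == "true":
        return set(states)
    if op == "atom":
        return {q for q in states if phi[1] in pi[q]}
    if op == "not":
        return set(states) - mcheck(model, phi[1])
    if op == "and":
        return mcheck(model, phi[1]) & mcheck(model, phi[2])
    if op == "EX":
        return pre(model, mcheck(model, phi[1]))
    if op == "EG":                  # greatest fixed point νX.[ψ] ∩ pre(X)
        q1 = set(states)
        q3 = mcheck(model, phi[1])
        q2 = set(q3)
        while not q1 <= q2:         # Q1 ⊈ Q2
            q1 = q1 & q2
            q2 = pre(model, q1) & q3
        return q1
    if op == "EU":                  # least fixed point µX.[ψ2] ∪ ([ψ1] ∩ pre(X))
        q1 = set()
        q2 = mcheck(model, phi[2])
        q3 = mcheck(model, phi[1])
        while not q2 <= q1:         # Q2 ⊈ Q1
            q1 = q1 | q2
            q2 = pre(model, q1) & q3
        return q1
    raise ValueError(f"unknown operator {op!r}")


# Derived operators, expressed through the primitives handled by mcheck.
def EF(f): return ("EU", ("true",), f)
def AG(f): return ("not", EF(("not", f)))
def AF(f): return ("not", ("EG", ("not", f)))
def implies(f, g): return ("not", ("and", f, ("not", g)))


def holds(model, q, phi):
    """Local model checking M, q |= phi, reduced to the global problem."""
    return q in mcheck(model, phi)


# Constructed sample model: a login controller that may lock an account.
STATES = {"idle", "try", "ok", "locked"}
R = {("idle", "try"), ("try", "idle"), ("try", "ok"), ("try", "locked"),
     ("ok", "ok"), ("ok", "idle"), ("locked", "locked")}
PI = {"idle": set(), "try": {"attempt"}, "ok": {"session"}, "locked": {"locked"}}
MODEL = (STATES, R, PI)
SESSION, LOCKED = ("atom", "session"), ("atom", "locked")

if __name__ == "__main__":
    print("E(¬locked U session):", mcheck(MODEL, ("EU", ("not", LOCKED), SESSION)))
    print("AG(session → ¬locked):", mcheck(MODEL, AG(implies(SESSION, ("not", LOCKED)))))
    print("AF locked:", mcheck(MODEL, AF(LOCKED)))
```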
Automata and Model Checking
How can we use ω-automata for the model checking problem? The basic idea is the following:
1. We build an automaton A_{M,q0} accepting the paths of model M, q0.
2. We build an automaton Aϕ accepting all paths satisfying ϕ.
3. Then, we have: M |= ϕ iff L(A_{M,q0}) ⊆ L(Aϕ).
Remark 5.4
A more detailed presentation of Büchi automata can be found in Section 9 (cf. pages 353).

Definition 5.5 (Büchi-automaton)
An ω-automaton is a tuple A = (Q, Σ, ∆, qI, F) where
1. Q is a finite set of states;
2. Σ is a finite alphabet;
3. ∆ ⊆ Q × Σ × Q is a transition relation;
4. qI is the initial state; and
5. F ⊆ Q is the acceptance component (which is specialised in the following).

Definition 5.6 (Run)
A run ρ = ρ(0)ρ(1) · · · ∈ Q^ω of A on a word w = w1 w2 · · · ∈ Σ^ω is an infinite sequence of states of A such that:
1. ρ(0) = qI;
2. ρ(i) ∈ ∆(ρ(i − 1), wi) for i ≥ 1.
How could we accept the following language?
L = {w ∈ {a, b}^ω | w contains infinitely many a and only finitely many b}.
Is it sufficient to reach a final state once?

We define Inf(ρ) as the set of all states that occur infinitely often on ρ; that is,
Inf(ρ) = {q ∈ Q | ∀i ∃j (j > i ∧ ρ(j) = q)}.
Definition 5.7 (Acceptance)
A Büchi automaton A accepts w ∈ Σ^ω if, and only if, there is a run ρ of A such that Inf(ρ) ∩ F ≠ ∅.
The language accepted by A, L(A), consists of all words accepted by A. That is, L(A) = {w ∈ Σ^ω | A accepts w}.
Thus, such an automaton accepts all words such that some state from F is visited infinitely often on a corresponding run.
Other acceptance conditions yield different automata types: Rabin automata, Muller automata.
Example 5.8
Is there a Büchi automaton that accepts the following language L over Σ = {a, b, c}?
L = {w ∈ Σ^ω | w contains infinitely many a or b and only finitely many c}
(blackboard)

Example 5.9
Is there a Büchi automaton that accepts the following language L over Σ = {a, b}?
L = {w ∈ Σ^ω | w ends with a^ω or (ab)^ω}

Model Checking LTL
LTL Semantics Revisited
The truth of λ, π |= ϕ does only depend on the propositions true at states. Clearly, for paths λ, λ' we have the following: If for all i ∈ N0, π(λ[i]) = π(λ'[i]), then λ, π |= ϕ iff λ', π |= ϕ.
Hence, we can also use the infinite word
λπ := π(λ[0])π(λ[1])π(λ[2]) · · · ∈ P(Prop)^ω
to give truth to LTL-formulae. Now, we can simply replace λ, π by λπ everywhere and modify the clause for propositions as follows:
λπ |=_LTL p iff p ∈ λπ[0].

Büchi Automata and Kripke Models
We can relate a Kripke model M = (Q, R, π) and a state q0 ∈ Q to a Büchi automaton A_{M,q0} = (Σ, Q, q0, ∆, Q) where
Σ = P(Prop): each input symbol is a set of propositions,
q' ∈ ∆(q, w) iff ((q, q') ∈ R and w = π(q)),
all states are accepting states (i.e. each infinite run of the automaton is accepting).
[Figure: a Kripke model with states q0 (labelled r, s) and q1 (labelled p), and the corresponding automaton whose transitions read {r, s} and {p}.]
Note: The automaton accepts words over P(Prop) but paths are sequences of states! What now?
We can state the relation between Λ_M, M, q and A_{M,q} precisely.
Proposition 5.10
Let M = (Q, R, π) and q0 ∈ Q. The automaton A_{M,q0} accepts the language {λπ | λ ∈ Λ_M(q0)}.
Proof. Exercise!

The Automaton Aϕ
In the following we define the automaton Aϕ accepting exactly those infinite words w over P(Prop) such that w |= ϕ. Then, we have:
M, q |= ϕ iff L(A_{M,q}) ⊆ L(Aϕ) iff L(A_{M,q}) ∩ complement(L(Aϕ)) = ∅.
How can we avoid the complementation of the Büchi automaton (this operation is expensive)? We have:
L(A_{M,q}) ∩ complement(L(Aϕ)) = ∅ iff L(A_{M,q}) ∩ L(A¬ϕ) = ∅.
So: model checking is reduced to emptiness checking of Büchi automata.

Example 5.11 (Automaton for ♦green)
Construct a Büchi automaton which accepts all paths satisfying ♦green over Prop = {green}. Thus, the automaton can read ∅ or {green}.
[Figure: Büchi automaton over the letters ∅ and {green} with initial state q0 and accepting state q1.]
The automaton accepts e.g. ∅∅∅({green})^ω ≙ q0 q0 q0 (q1)^ω and (∅{green})^ω ≙ (q0 q1)^ω.

Example 5.12 (Automaton for ♦□green)
Construct a Büchi automaton which accepts all paths satisfying ♦□green over Prop = {green}.
[Figure: Büchi automaton over the letters ∅ and {green}.]
Note that this automaton is non-deterministic.
In the following we describe how the automaton Aϕ can be constructed systematically.
Theorem 5.13 ([Sistla and Clarke, 1985, Lichtenstein and Pnueli, 1985, Vardi and Wolper, 1986])
For a given L_LTL-formula ϕ a Büchi automaton Aϕ = (S, Σ, ∆, S0, F) accepting exactly the words satisfying ϕ can be constructed where Σ = P(Prop) and |S| ≤ 2^(O(|ϕ|)).
The proof of this Theorem is given in Section 3.

Main ideas underlying the automaton construction
States are built from subformulae of ϕ.
Each state is labelled with propositionally consistent sets.
The transition relation reflects the semantics of LTL; e.g. if a state contains ◯p then all related states contain p.
Initial states are states which contain ϕ.
Runs of the automaton correspond to ω-paths.
It needs to be ensured that all eventualities are fulfilled.

Definition 5.14 (Âϕ)
The generalized Büchi automaton for ϕ over Prop is defined as Âϕ = (Σ, S, ∆, S0, F) where
1. Σ = P(Prop)
2. S = EL(ϕ) (cf. Def. 5.23)
3. S0 = {s ∈ S | ϕ ∈ s}
4. F see below
5. (s, a, t) ∈ ∆ iff
   1. s ∩ Prop = a
   2. ∀◯ψ ∈ cl(ϕ): ◯ψ ∈ s iff ψ ∈ t
   3. ∀ϕ1 U ϕ2 ∈ cl(ϕ): ϕ1 U ϕ2 ∈ s iff (ϕ2 ∈ s or (ϕ1 ∈ s and ϕ1 U ϕ2 ∈ t))

Let ϕ1 U ψ1, . . . , ϕn U ψn be all eventualities occurring in cl(ϕ). Then, we define F = {F1, . . . , Fn} with
Fi = {s ∈ S | {ϕi U ψi, ψi} ⊆ s or ϕi U ψi ∉ s}.
That is,
F = {{s ∈ S | ϕ1 U ϕ2 ∉ s or ϕ2 ∈ s} | ϕ1 U ϕ2 ∈ cl(ϕ)}.
[Figures (slides 237-240): step-by-step construction of the transition relation of Â_{r U s} over the five elementary sets {r U s, r, s}, {r U s, ¬r, s}, {r U s, r, ¬s}, {¬(r U s), r, ¬s}, {¬(r U s), ¬r, ¬s}, for the letters read by A: {r}, {s}, {r, s} and ∅. Each step applies the rule: (s, a, t) ∈ ∆ then ∀ r U s ∈ cl(ϕ): r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t)).]
[Figure (slide 241): the complete automaton Â_{r U s}; the transitions follow the rule (s, a, t) ∈ ∆ then ∀ r U s ∈ cl(ϕ): r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t)).]

Theorem 5.15 (LTL [Sistla and Clarke, 1985, Lichtenstein and Pnueli, 1985, Vardi and Wolper, 1986])
Model checking LTL is PSPACE-complete, and can be done in time 2^O(|ϕ|) · O(|M|), where |M| is given by the number of transitions.

Proof: Upper Bound
Given an L_LTL-formula ϕ.
1. Construct a Büchi automaton A¬ϕ of size 2^O(|ϕ|) accepting exactly the words satisfying ¬ϕ.
2. The Kripke model M, q can directly be interpreted as a Büchi automaton A_{M,q} of size O(|M|) accepting all possible words in the Kripke model starting in q.
3. The model checking problem reduces to the emptiness check of L(A_{M,q}) ∩ L(A¬ϕ), which can be done in polynomial time wrt the size of the automaton (cf. pp. 377). That is, in time O(|M|) · 2^O(|ϕ|) by constructing the product automaton.

Proof: In PSPACE
We consider the automaton A := A_{M,q} × Aϕ where Aϕ is a GBA accepting paths satisfying ϕ (cf. Def. 7.11). We guess an accepting run as follows:
Non-deterministically guess a run u0 . . . u_{n−1} (u_n . . . u_{n+m−1})^ω where each ui = (qi, Bi).
Check whether it is a valid run (this can be done "locally"). In particular, all eventualities between u_n and u_{n+m−1} must be satisfied.
Implementation: Guess state u_n and only the next state in the sequence. Keep a counter that counts the number of steps. At most O(|M| · exp(|ϕ|)) steps are necessary (binary encoding).
Proof: Lower Bound
Simulate an n^k-space bounded deterministic Turing machine A = (S, Σ, δ, s0, Sf).
1. Use n^k ◯-operators to describe an ID.
2. ψ_w: Encodes the input w.
3. ψ_valid: Checks whether an ID is valid.
4. ψ_next: Ensures that each successive ID follows from the current one.
5. ψ_accept: Describes the halting configurations.
Let ψ := ψ_w ∧ ψ_valid ∧ ψ_next ∧ ψ_accept. Then, we have
M, q0 ⊭ ¬ψ iff ∃λ ∈ Λ(q0): λ, π |= ψ iff A accepts w.

A path will be related to a sequence of instantaneous descriptions.
[Figure: a configuration (instantaneous description, ID) laid out along the path as ID-Start, Tape Cell 1, Tape Cell 2, . . . , Tape Cell n^k, ID-End; each position carries the content of one cell.]
Prop = (S × Σ) ∪ Σ ∪ {ID-Start, ID-End}

Model Checking CTL∗
Theorem 5.16 (CTL∗ [Clarke et al., 1986, Emerson and Lei, 1987])
Model checking CTL∗ is PSPACE-complete.
Example 5.17 (LTL model checking for CTL∗ model checking)
In which states does ϕ = E♦A♦¬r hold? How to use LTL model checking?
[Figure: a Kripke model with states q1, q2, q3, q4 (q2 labelled r); path subformulae are replaced by fresh propositions p1, p2, e.g. E□(r ∧ E♦s) becomes E□(p2 ∧ p1).]

Proof.
Upper bound: Combine CTL and LTL model checking. Consider an L_CTL∗-formula ϕ containing Eψ where ψ is a pure L_LTL-formula.
Determine all states which satisfy Eψ (these are all states q with M, q ⊭_LTL ¬ψ). Complexity: PSPACE.
Label them by a fresh proposition, say p, and replace Eψ in ϕ by p.
Applying this procedure recursively yields a pure L_CTL-formula which can be verified in polynomial time. Complexity: P^PSPACE = PSPACE.
Hardness: immediate from Theorem 5.15 as L_LTL "can be seen" as a fragment of L_CTL∗.
This is a standard approach often used!
Summary
Model checking CTL is P-complete.
Model checking LTL is PSPACE-complete. The algorithm has been constructed from Büchi automata.
Model checking CTL∗ is also PSPACE-complete. The algorithm is obtained by combining the ones for CTL and LTL.

5.3 LTL: Automaton Aϕ and Proof of Theorem (skipped)

How does the automaton look like?
States will consist of subformulae of ϕ (or their negations). A run ρ = S1 S2 . . . of the automaton is an infinite sequence of such sets of subformulae.
Given a word λπ = w1 w2 . . . with λπ |= ϕ we would like to enrich each (propositional) wi with subformulae to Si such that
λπ[i, ∞] |= ψ iff ψ ∈ Si
for all subformulae ψ of ϕ.
Intuitively, each Si encodes the formulae which should be true at this moment. The basic idea is that a run of the automaton simulates the LTL semantics.

Definition 5.18 (Closure cl(ϕ))
The closure cl(ϕ) is defined as follows:
1. ϕ ∈ cl(ϕ),
2. φ ∧ ψ ∈ cl(ϕ) implies φ, ψ ∈ cl(ϕ),
3. ¬ψ ∈ cl(ϕ) implies ψ ∈ cl(ϕ),
4. ψ ∈ cl(ϕ) and ψ ≠ ¬φ implies ¬ψ ∈ cl(ϕ),
5. ◯ψ ∈ cl(ϕ) implies ψ ∈ cl(ϕ),
6. ψ U φ ∈ cl(ϕ) implies ψ, φ ∈ cl(ϕ).
Note that |cl(ϕ)| ≤ 2|ϕ|.
Example 5.19 (Closure)
How does the closure for ϕ = r U (s ∨ t) look like? The closure cl(ϕ) consists of the following formulae:
1. ϕ
2. s ∨ t
3. r
4. s
5. t
and their negations!
What other properties should such sets fulfill? Note that we are interested in a correspondence to runs.

Definition 5.20 (Logically consistent)
We call B ⊆ cl(ϕ) propositionally consistent iff for all ϕ1 ∧ ϕ2, ψ ∈ cl(ϕ):
1. ϕ1 ∧ ϕ2 ∈ B iff ϕ1 ∈ B and ϕ2 ∈ B,
2. ψ ∈ B implies ¬ψ ∉ B,
3. true ∈ cl(ϕ) implies true ∈ B.
We identify ¬¬ϕ with ϕ.

Definition 5.21 (Locally consistent)
We call B ⊆ cl(ϕ) locally consistent iff for all ϕ1 U ϕ2 ∈ cl(ϕ):
1. ϕ2 ∈ B implies ϕ1 U ϕ2 ∈ B,
2. ϕ1 U ϕ2 ∈ B and ϕ2 ∉ B implies ϕ1 ∈ B.

Definition 5.22 (Maximal consistent)
We call B ⊆ cl(ϕ) maximal iff for all ψ ∈ cl(ϕ): ψ ∉ B implies ¬ψ ∈ B.
We identify ¬¬ϕ with ϕ.

Definition 5.23 (Elementary, EL(ϕ))
We call B ⊆ cl(ϕ) elementary iff B is propositionally and locally consistent and maximal. We define EL(ϕ) as the set of all elementary subsets of cl(ϕ).
In the following we construct infinite words over EL(ϕ) that correspond to accepting paths.

The closure of ϕ = r U s is given by {ϕ, ¬ϕ, r, s, ¬r, ¬s}. Which of the following sets are elementary?
1. ∅
2. {r U s, r, s}
3. {r U s, r}
4. {r U s, ¬r, ¬s}
5. {r U s, ¬r, s}
6. {r U s, r, ¬s}
7. {r U s, r, ¬r, ¬s}
8. {¬(r U s), r, ¬s}
9. {¬(r U s), ¬r, ¬s}
Example 5.24 (Elementary sets)
The closure of ϕ = r U s is given by cl(ϕ) = {ϕ, ¬ϕ, r, s, ¬r, ¬s}. The following list contains all elementary sets of ϕ:
1. E1 = {r U s, r, s}
2. E2 = {r U s, ¬r, s}
3. E3 = {r U s, r, ¬s}
4. E4 = {¬(r U s), r, ¬s}
5. E5 = {¬(r U s), ¬r, ¬s}
In the following, we construct the Büchi automaton Aϕ for ϕ = r U s.

Constructing the Automaton for r U s
[Figure: the five elementary sets E1, . . . , E5 as the states of the automaton.]
Initial states? {s ∈ S | ϕ ∈ s}.
Accepting states? If ϕ1 U ϕ2 ∈ cl(ϕ) then ϕ1 U ϕ2 ∉ s or ϕ2 ∈ s.
[Figures (slides 259-260): transitions added when A reads {r} and when A reads {s}, following the rule (s, a, t) ∈ ∆ then ∀ r U s ∈ cl(ϕ): r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t)).]
[Figures (slides 261-264): transitions added when A reads {r, s} and when A reads ∅, and the complete automaton Â_{r U s}; each step applies the rule (s, a, t) ∈ ∆ then ∀ r U s ∈ cl(ϕ): r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t)).]
Encoding as Generalised Büchi Automaton

The basic idea of the encoding is the following:
- Semantics of propositional logic? → states
- ○-operator? → transition relation
- U-operator? → states plus transition relation plus acceptance condition, using the unfolding

    ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ ○(ϕ1 U ϕ2)).

Remark 5.25 (Acceptance states)
We need to ensure that eventualities actually become fulfilled. So, once a state containing an eventuality ϕ1 U ϕ2 is visited, a state containing ϕ2 must be visited sometime in the future. We require that states containing (ϕ2 and ϕ1 U ϕ2) or ¬(ϕ1 U ϕ2) occur infinitely often. But what if there is more than one eventuality in cl(ϕ)? We need to fulfil all of them.

We use generalised Büchi automata (cf. pp. 365). They allow sets of sets of final states, and we associate each eventuality formula with one of these sets: the Büchi acceptance set F ⊆ Q is replaced by F ⊆ P(Q). A accepts w ∈ Σ^ω if, and only if, there is a run ρ of A such that for each Fi ∈ F

    Inf(ρ) ∩ Fi ≠ ∅.

For each generalised Büchi automaton one can construct an equivalent Büchi automaton (cf. Theorem 7.12).

Definition 5.26 (Âϕ)
The generalised Büchi automaton for ϕ over Prop is defined as Âϕ = (Σ, S, ∆, S0, F) where
1. Σ = P(Prop);
2. S = EL(ϕ), the elementary sets over cl(ϕ);
3. S0 = {s ∈ S | ϕ ∈ s};
4. F: see below (proof of the theorem);
5. (s, a, t) ∈ ∆ iff
   1. s ∩ Prop = a,
   2. for all ○ψ ∈ cl(ϕ): ○ψ ∈ s iff ψ ∈ t, and
   3. for all ϕ1 U ϕ2 ∈ cl(ϕ): ϕ1 U ϕ2 ∈ s iff (ϕ2 ∈ s or (ϕ1 ∈ s and ϕ1 U ϕ2 ∈ t)).
Proof of the Theorem

Let ϕ1 U ψ1, …, ϕn U ψn be all eventualities occurring in cl(ϕ). Then we define F = {F1, …, Fn} with

    Fi = {s ∈ S | {ϕi U ψi, ψi} ⊆ s or ϕi U ψi ∉ s}.

That is,

    F = {{s ∈ S | ϕ1 U ϕ2 ∉ s or ϕ2 ∈ s} | ϕ1 U ϕ2 ∈ cl(ϕ)}.

In the following we introduce the notation necessary for the proof. It is easily seen that we have the following fixed-point equivalence:

    ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ ○(ϕ1 U ϕ2)).

We construct a path over EL(ϕ) which "respects" the semantics of LTL. Recall that we would like to have:

    λπ[i, ∞] |= ψ  iff  ψ ∈ Si.

Definition 5.27 (ϕ-closure-labelling)
A ϕ-closure-labelling is a function τ : N0 → EL(ϕ) such that:
(C1) ○ϕ' ∈ τ(i) iff ϕ' ∈ τ(i + 1);
(C2) ϕ1 U ϕ2 ∈ τ(i) iff ϕ2 ∈ τ(i) or (ϕ1 ∈ τ(i) and ϕ1 U ϕ2 ∈ τ(i + 1));
(C3) ϕ1 U ϕ2 ∈ τ(i) implies ∃j (j ≥ i and ϕ2 ∈ τ(j)).

Given a word λπ, a closure labelling corresponding to λπ should agree with the propositional symbols.

Definition 5.28 (λπ-valid)
A ϕ-closure-labelling τ is said to be λπ-valid iff for all p ∈ Prop and all i it holds that
1. p ∈ τ(i) implies p ∈ λπ[i], and
2. ¬p ∈ τ(i) implies p ∉ λπ[i].
Lemma 5.29 (Soundness Lemma)
Let ϕ ∈ L_LTL(Prop) and τ be a λπ-valid ϕ-closure labelling. Then, for all ϕ' ∈ cl(ϕ) and all i ≥ 0 it holds that

    ϕ' ∈ τ(i)  iff  λπ[i, ∞] |= ϕ'.

The proof is done by structural induction on ϕ'. Exercise!

Lemma 5.30 (Existence Lemma)
Let ϕ ∈ L_LTL(Prop). If λπ |= ϕ, then there is a λπ-valid ϕ-closure labelling τ such that ϕ ∈ τ(0).

Proof: The labelling is constructed from the subformulae true at each point of λπ. Exercise!

From these lemmata we obtain the following theorem.

Theorem 5.31
Let ϕ ∈ L_LTL(Prop). Then, λπ |= ϕ iff there is a λπ-valid ϕ-closure labelling τ such that ϕ ∈ τ(0).

Now we proceed with the proof of Theorem 5.13: for a given L_LTL-formula ϕ a Büchi automaton Aϕ = (S, Σ, ∆, S0, F) accepting exactly the words satisfying ϕ can be constructed, where Σ = P(Prop) and |S| ≤ 2^O(|ϕ|).

Proof of Theorem 5.13.
Using Theorem 5.31 we build a generalised Büchi automaton accepting all the infinite words λπ that correspond to a λπ-valid ϕ-closure-labelling.
1. The automaton reads λπ.
2. Each set of propositions causes a state change; states are elementary sets.
3. Runs ρ of the automaton correspond to ϕ-closure labellings.
4. ρ is accepting iff it is λπ-valid and satisfies ϕ.

Idea:

    λ  = q0 q1 q2 …                     λ, π |= ϕ  iff  λπ |= ϕ
    λπ = π(q0) π(q1) π(q2) …            λπ |= ϕ  iff  τ is a λπ-valid ϕ-closure labelling
    τ  = B0 B1 B2 …                     iff  τ is accepted by the automaton
    (τ is the run of the automaton given λπ)
Correctness: In line with Theorem 5.31 we have to show that A accepts λπ iff there is an accepting run ρ with ϕ ∈ ρ(0) which is a λπ-valid ϕ-closure labelling. This is immediate by construction.

Finally, we convert the generalised Büchi automaton to a Büchi automaton (cf. Proposition 7.12). The number of states of the automaton is exponential in the length of the formula.

5.4 Model Checking MAS with Perfect Information and Recall

Example 5.32
Which formulae are true in the model?
1. M, q1 |= ⟨⟨1⟩⟩○r
2. M, q1 |= ⟨⟨1⟩⟩ … s (the temporal operator in front of s is not legible in the source)
3. M, q1 |= ⟨⟨1⟩⟩○⟨⟨1⟩⟩○r

[Figure: a two-agent CGS with states q1, …, q5; r holds in q2 and q4, s holds in q3 and q5; the transitions are labelled with action profiles such as (1, 1), (2, 1) and (1, 2).]

The ATL model checking algorithm employs the well-known fixpoint characterisations:

    ⟨⟨A⟩⟩□ϕ ↔ ϕ ∧ ⟨⟨A⟩⟩○⟨⟨A⟩⟩□ϕ,
    ⟨⟨A⟩⟩ϕ1 U ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ ⟨⟨A⟩⟩○⟨⟨A⟩⟩ϕ1 U ϕ2).

Do these characterisations also hold for incomplete information? No! A choice of an action at a state q has non-local consequences: it automatically fixes the choices at all states q' indistinguishable from q for the coalition A.

Again, crucial for model checking is the notion of preimage.
function pre(M, A, Q)
  Auxiliary function; returns the exact set of states Q' such that, when the system is in a state q ∈ Q', the agents in A can cooperate and enforce that the next state is in Q:

    return {q | ∃αA ∀αAgt\A : o(q, αA, αAgt\A) ∈ Q}

The function follows the same idea as the pre-image function of CTL model checking.

[Figure: a region Q1 of states and the region pre(A, Q1) from which A can force the system into Q1 in one step.]

Example 5.33 (Preimage operator for ATL)
1. What is the preimage of {q2, q3}?
2. What is the preimage of {q2}?
These questions are not well defined: the preimage depends on the group of agents which tries to reach the given region.
1. What is the preimage of {q2, q3} wrt. any group A?
2. What is the preimage of {q2} wrt. {1} and wrt. {2}?

[Figure: the CGS of Example 5.32.]

Besides the new definition of the preimage function the algorithm is the same as for CTL:

function mcheck(M, ϕ). Returns the set of states q with M, q |= ϕ.
  case ϕ = p ∈ Π:           return π(p)
  case ϕ = ¬ψ:              return Q \ mcheck(M, ψ)
  case ϕ = ψ1 ∨ ψ2:         return mcheck(M, ψ1) ∪ mcheck(M, ψ2)
  case ϕ = ⟨⟨A⟩⟩○ψ:         return pre(M, A, mcheck(M, ψ))
  case ϕ = ⟨⟨A⟩⟩□ψ:
      Q1 := Q; Q2 := mcheck(M, ψ); Q3 := Q2;
      while Q1 ⊄ Q2 do Q1 := Q2; Q2 := pre(M, A, Q1) ∩ Q3 od;
      return Q1
  case ϕ = ⟨⟨A⟩⟩ψ1 U ψ2:
      Q1 := ∅; Q2 := mcheck(M, ψ1); Q3 := mcheck(M, ψ2);
      while Q3 ⊄ Q1 do Q1 := Q1 ∪ Q3; Q3 := pre(M, A, Q1) ∩ Q2 od;
      return Q1
  end case

This is the multi-agent extension of CTL model checking. Note that ATL = ATL_Ir = ATL_IR (cf. Theorem 2.9).

Theorem 5.34 (ATL_Ir and ATL_IR [Alur et al., 2002])
Model checking ATL_Ir and ATL_IR is P-complete, and can be done in time O(|M| · |ϕ|), where |M| is given by the number of transitions in M.

Note that the size of M is exponential in the number of states and agents!
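The pre and mcheck procedures above, run on a small concurrent game structure, as an added example in Python (this code is not part of the lecture notes). The CGS class, the encoding of formulas as nested tuples with coalitions as sets of agent names, the action names a and b and the five-state two-agent model are assumptions made for the illustration; the model is not the one drawn on the slides.

```python
from itertools import product


class CGS:
    """Concurrent game structure (assumed representation, not the slides' notation):
    agents - list of agent names; action profiles are tuples in this order
    acts   - acts[q][agent] -> list of actions available at state q
    out    - out[q][profile] -> successor state (the outcome function o)
    label  - label[q] -> set of propositions true at q
    """

    def __init__(self, agents, acts, out, label):
        self.agents = list(agents)
        self.acts = acts
        self.out = out
        self.label = label
        self.states = set(acts)


def pre(m, A, Q):
    """pre(M, A, Q) of slide 281: the states from which coalition A has a joint
    action alpha_A such that, whatever the other agents do, the next state is in Q."""
    A = [a for a in m.agents if a in A]
    rest = [a for a in m.agents if a not in A]
    result = set()
    for q in m.states:
        for alpha_A in product(*(m.acts[q][a] for a in A)):
            fixed = dict(zip(A, alpha_A))
            forced = True
            for alpha_rest in product(*(m.acts[q][a] for a in rest)):
                choice = {**fixed, **dict(zip(rest, alpha_rest))}
                profile = tuple(choice[a] for a in m.agents)
                if m.out[q][profile] not in Q:
                    forced = False
                    break
            if forced:          # exists alpha_A forall alpha_rest: outcome in Q
                result.add(q)
                break
    return result


def mcheck(m, phi):
    """mcheck(M, phi) of slide 283: the set of states q with M, q |= phi.
    Formulas are tuples: ('true',), ('p', name), ('not', f), ('or', f, g),
    ('next', A, f), ('always', A, f), ('until', A, f, g); A is a set of agents."""
    op = phi[0]
    if op == 'true':
        return set(m.states)
    if op == 'p':
        return {q for q in m.states if phi[1] in m.label[q]}
    if op == 'not':
        return m.states - mcheck(m, phi[1])
    if op == 'or':
        return mcheck(m, phi[1]) | mcheck(m, phi[2])
    if op == 'next':
        return pre(m, phi[1], mcheck(m, phi[2]))
    if op == 'always':                  # greatest fixpoint of Z = [[psi]] ∩ pre(A, Z)
        A, psi = phi[1], phi[2]
        Q3 = mcheck(m, psi)
        Q1, Q2 = set(m.states), Q3
        while not Q1 <= Q2:
            Q1 = Q2
            Q2 = pre(m, A, Q1) & Q3
        return Q1
    if op == 'until':                   # least fixpoint of Z = [[psi2]] ∪ ([[psi1]] ∩ pre(A, Z))
        A, psi1, psi2 = phi[1], phi[2], phi[3]
        Q1, Q2, Q3 = set(), mcheck(m, psi1), mcheck(m, psi2)
        while not Q3 <= Q1:
            Q1 = Q1 | Q3
            Q3 = pre(m, A, Q1) & Q2
        return Q1
    raise ValueError("unknown operator: %r" % (op,))


def example_model():
    """Constructed two-agent CGS (illustration only): r holds in q2, q4 and s in q3, q5."""
    two = {'1': ['a', 'b'], '2': ['a', 'b']}
    one = {'1': ['a'], '2': ['a']}
    acts = {'q1': two, 'q2': two, 'q3': two, 'q4': one, 'q5': one}
    out = {
        # q1: agent 1 alone decides between r (q2) and s (q3)
        'q1': {('a', 'a'): 'q2', ('a', 'b'): 'q2', ('b', 'a'): 'q3', ('b', 'b'): 'q3'},
        # q2: the outcome is the XOR of both choices; no single agent controls it
        'q2': {('a', 'a'): 'q4', ('a', 'b'): 'q5', ('b', 'a'): 'q5', ('b', 'b'): 'q4'},
        # q3: agent 2 alone decides whether to stay in q3 or move on to q5
        'q3': {('a', 'a'): 'q3', ('a', 'b'): 'q5', ('b', 'a'): 'q3', ('b', 'b'): 'q5'},
        'q4': {('a', 'a'): 'q4'},       # absorbing r-state
        'q5': {('a', 'a'): 'q1'},       # back to the start
    }
    label = {'q1': set(), 'q2': {'r'}, 'q3': {'s'}, 'q4': {'r'}, 'q5': {'s'}}
    return CGS(['1', '2'], acts, out, label)


if __name__ == '__main__':
    m = example_model()
    r, s, top = ('p', 'r'), ('p', 's'), ('true',)
    print('<<1>> X r :', sorted(mcheck(m, ('next', {'1'}, r))))
    print('<<2>> G s :', sorted(mcheck(m, ('always', {'2'}, s))))
    print('<<1>> F r :', sorted(mcheck(m, ('until', {'1'}, top, r))))
    print('A F r     :', sorted(mcheck(m, ('until', set(), top, r))))
```

The empty coalition gives the CTL path quantifier A (every agent is an opponent), and the grand coalition gives E, so the same loop computes CTL's pre-image as a special case; the cost per call is the product of the action sets at each state, which is where the exponential dependence on the number of agents enters.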
And-Or-Graph Reachability

An and-or graph [Immerman, 1981] is a tuple (E, V, l) such that G = (E, V) is a directed acyclic graph and l : V → {∧, ∨} is a labelling function. Let x1, …, xn denote all successor nodes of u. v is said to be reachable from u iff
1. u = v; or
2. l(u) = ∧, n ≥ 1, and v is reachable from all xi; or
3. l(u) = ∨, n ≥ 1, and v is reachable from some xi.

Theorem 5.35 ([Immerman, 1981])
The and-or-graph reachability problem is P-complete.

Proof: Lower Bound
Hardness is shown by a reduction of reachability in and-or-graphs:
- transform the and-or-graph into a CGS;
- Player 1 owns the or-states;
- Player 2 owns the and-states;
- v is reachable from a iff M, a |= ⟨⟨1⟩⟩◇l_v.

ATL* with perfect recall

For perfect recall we cannot simply guess a strategy Q+ → Act. For model checking an automata-theoretic approach is used. Consider the formula ⟨⟨A⟩⟩ψ where ψ ∈ L_LTL, a CGS M and a state q.
1. A tree automaton A_{M,q,A} is used to accept all possible executions in M which can be enforced by A following some strategy. (Note: ⟨⟨A⟩⟩ψ says that there is some "tree" such that ψ holds along all its branches.)
2. A tree automaton Aψ is constructed to accept all (tree-like) models satisfying the L_CTL*-formula Aψ.
3. We have: M, q |= ⟨⟨A⟩⟩ψ iff L(A_{M,q,A}) ∩ L(Aψ) ≠ ∅.

[Figure "Execution trees": a two-state CGS over q1, q2 with action profiles (α, α), (β, α), (α, β); its tree unravelling from q1; and the (q1, {1})-execution tree obtained when agent 1 fixes a strategy.]
A (q, A)-execution tree is induced by out(q, sA) for some strategy sA of A. Intuitively, the transition relation of A_{M,q,A} in a state q0 is constructed from the different choices which A can enforce at q0.

[Figure: a CGS with states q0, …, q5 and action profiles (1, 1), (2, 1), (2, 2), (2, 3), (1, 2), next to the execution tree rooted at q0 that one choice of A induces.]

Theorem 5.36 (ATL*_IR [Alur et al., 2002])
Model checking ATL*_IR is 2EXPTIME-complete in the number of transitions in the model and the length of the formula.

Complexity: size of the automata and checking emptiness.

5.5 Model Checking MAS with Imperfect Information or No Recall

Complexity Classes

Deterministic Turing machine (DTM)
- infinite (readable and writable) tape
- finitely many states
- deterministic moves

Non-deterministic Turing machine (NTM)
Like a DTM, but non-deterministic moves are allowed.

Oracle machine (OTM)
Let A be a language. An A-oracle machine is a DTM or NTM with a subroutine which allows it to decide in one step whether w ∈ A for some word w. For a complexity class C, a C-oracle machine is an A-oracle machine for any A ∈ C.

Complexity Classes Σ^P_2, ∆^P_2, ∆^P_3

- Σ^P_i: problems solvable in polynomial time by a non-deterministic Turing machine making adaptive queries to a Σ^P_{i−1} oracle; i.e. by Σ^P_{i−1}-oracle polynomial-time NTMs.
- Σ^P_2 = NP^NP: problems solvable in polynomial time by a non-deterministic Turing machine making adaptive queries to an NP oracle.
- ∆^P_2 = P^NP: a problem is in ∆^P_2 = P^NP if it can be solved in deterministic polynomial time with subcalls to an NP oracle.
- We also have ∆^P_3 := P^[NP^NP] and ∆^P_1 = P.

We have:

    P = ∆^P_1 ⊆ Σ^P_1 = NP ⊆ ∆^P_2 ⊆ Σ^P_2 ⊆ ··· ⊆ PH ⊆ PSPACE.
Number of Strategies

We have introduced four types of strategies:
1. ir-strategies;
2. Ir-strategies;
3. IR-strategies;
4. iR-strategies.

How many strategies are there for each type?
1. exponentially many;
2. exponentially many;
3. infinitely many;
4. infinitely many.

Exponentially many wrt. the size of the input: ≈ |Act|^(|Agt| · |Q|).

Assume we are looking for a good Ir-strategy wrt. some property P. How complex is this task? (Upper bound)

It is in NP, provided P ∈ P:
1. Guess sA;
2. check whether sA satisfies P.

And the case for good ir-strategies? It is also in NP, provided P ∈ P. Why? What about uniformity?
1. Guess an Ir-strategy sA;
2. check whether it is an ir-strategy, i.e. check uniformity (Q is finite!);
3. check whether sA satisfies P.

Imperfect Information

An agent's ability to identify a strategy as winning also varies throughout the game in an arbitrary way (agents can learn as well as forget). This suggests that winning strategies cannot be synthesised incrementally. Indeed, the fixpoint characterisations do not hold:

    ⟨⟨A⟩⟩□ϕ ↔ ϕ ∧ ⟨⟨A⟩⟩○⟨⟨A⟩⟩□ϕ,
    ⟨⟨A⟩⟩ϕ1 U ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ ⟨⟨A⟩⟩○⟨⟨A⟩⟩ϕ1 U ϕ2).

How do we model check a formula M, q |= ⟨⟨A⟩⟩γ where γ includes no nested cooperation modalities?

Theorem 5.37 (ATL_ir)
Model checking ATL_ir is ∆^P_2-complete.

The lower bound is proven by a reduction of SNSAT_1.

What if P is verifiable in C for an arbitrary complexity class C? Finding ir- and Ir-strategies is in NP^C.

What about perfect recall strategies? There are infinitely many: so there is no general guess-and-check method!
Recall: ∆^P_2 = P^NP.

Proof: Upper Bound
Let ⟨⟨A⟩⟩γ be given where γ includes no nested cooperation modalities.
1. Guess a strategy sA of A.
2. "Prune" M to M|sA, i.e. remove the transitions that cannot occur according to sA.
3. Remove the labels from M|sA and interpret it as a Kripke structure M'|sA.
4. Then,

    M, q |= ⟨⟨A⟩⟩γ  iff  M'|sA, q |=_CTL Aγ.

The basic idea is to guess a strategy and apply CTL model checking.

ATL and CTL: Pruning

[Figure: a two-agent CGS whose transitions are labelled with the action profiles (α, α), (β, α), (α, β), and next to it the same structure after pruning with the strategy s1 in which agent 1 always plays α.]

⟨⟨1⟩⟩◇γ: guess s1, check A◇γ in the pruned model.

Model Checking ATL* with memoryless strategies

To solve the model checking problem for ATL*_Ir we make use of CTL* model checking. The basic idea for model checking ⟨⟨A⟩⟩ψ is as follows:
1. Guess a strategy sA : Q → Act^|A| (in NP).
2. Prune the model, i.e. remove the transitions which cannot occur.
3. CTL* model check Aψ in the resulting model.

Pruning the model

We can reduce model checking to model checking CTL*:

[Figure: the same pruning as above; s1 is the strategy in which agent 1 plays α in all states.]

⟨⟨1⟩⟩◇γ: guess s1, check A◇γ in the pruned model.
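The guess-prune-check procedure of the upper bound above, as an added example in Python (not part of the lecture notes). It enumerates the memoryless strategies of one agent, keeps only the uniform ones when the ir semantics is requested (the uniformity check of the "good ir-strategies" slide), prunes the CGS to a Kripke structure and decides A◇goal there by the CTL least fixpoint. The CGS, the indistinguishability relation of agent 1 and the proposition win are constructed for the illustration only; the model is built so that ⟨⟨1⟩⟩◇win holds at q0 under Ir but fails under ir, because agent 1 would have to answer differently in two states it cannot tell apart.

```python
from itertools import product

# Constructed example (not the slides' model). Agent 2 picks a branch in q0;
# agent 1 cannot tell qL from qR but must answer with a different action in each.
AGENTS = ['1', '2']
ACTS = {                          # ACTS[q][agent] -> available actions
    'q0':   {'1': ['a'],      '2': ['l', 'r']},
    'qL':   {'1': ['a', 'b'], '2': ['x']},
    'qR':   {'1': ['a', 'b'], '2': ['x']},
    'win':  {'1': ['a'],      '2': ['x']},
    'lose': {'1': ['a'],      '2': ['x']},
}
OUT = {                           # OUT[q][(action of 1, action of 2)] -> next state
    'q0':   {('a', 'l'): 'qL', ('a', 'r'): 'qR'},
    'qL':   {('a', 'x'): 'win', ('b', 'x'): 'lose'},
    'qR':   {('a', 'x'): 'lose', ('b', 'x'): 'win'},
    'win':  {('a', 'x'): 'win'},
    'lose': {('a', 'x'): 'lose'},
}
LABEL = {'win': {'win'}}          # the proposition win holds in state win only
INDIST = {'1': [{'qL', 'qR'}]}    # indistinguishability classes (singletons omitted)


def strategies(agent, uniform):
    """All memoryless strategies Q -> Act of one agent. With uniform=True only
    ir-strategies are produced: indistinguishable states get the same action."""
    states = sorted(ACTS)
    for choice in product(*(ACTS[q][agent] for q in states)):
        s = dict(zip(states, choice))
        if uniform and any(len({s[q] for q in cls}) > 1 for cls in INDIST.get(agent, [])):
            continue
        yield s


def prune(strategy, agent):
    """M|s_A: keep only the transitions consistent with the strategy and drop the
    action labels, which leaves a Kripke structure succ[q] -> set of successors."""
    idx = AGENTS.index(agent)
    succ = {q: set() for q in ACTS}
    for q, table in OUT.items():
        for profile, target in table.items():
            if profile[idx] == strategy[q]:
                succ[q].add(target)
    return succ


def ctl_af(succ, goal):
    """CTL model checking of A<>goal: least fixpoint of
    Z = [[goal]] ∪ {q | q has successors and all of them are in Z}."""
    Z = {q for q in succ if goal <= LABEL.get(q, set())}
    while True:
        new = Z | {q for q in succ if succ[q] and succ[q] <= Z}
        if new == Z:
            return Z
        Z = new


def holds(q, agent, goal, uniform):
    """M, q |= <<agent>> <> goal under ir (uniform=True) or Ir (uniform=False)
    semantics: guess a strategy, prune, then CTL-check A<>goal in the pruned model."""
    return any(q in ctl_af(prune(s, agent), goal) for s in strategies(agent, uniform))


def count_strategies(agent, uniform):
    return sum(1 for _ in strategies(agent, uniform))


if __name__ == '__main__':
    print('Ir:', holds('q0', '1', {'win'}, uniform=False))   # may answer differently in qL/qR
    print('ir:', holds('q0', '1', {'win'}, uniform=True))    # one uniform answer: fails
    print('strategies of agent 1:', count_strategies('1', False), 'Ir,',
          count_strategies('1', True), 'ir')
```

The enumeration is the NP guess made explicit; what the oracle-based bound hides is that each guessed strategy is checked by a polynomial CTL fixpoint, while the number of candidates is |Act|^|Q|. Note that at qL alone the ir formula does hold, since a uniform strategy playing a everywhere wins from qL; the failure at q0 comes from the indistinguishable sibling qR.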
Proof: Upper Bound
Let ⟨⟨A⟩⟩ψ be given where ψ is an L_LTL-formula.
1. Guess an Ir-strategy (resp. ir-strategy) sA of A.
2. "Prune" M to M|sA, i.e. remove the transitions that cannot occur according to sA.
3. Remove the transition labels from M|sA and interpret it as a Kripke structure M'|sA.
4. Then,

    M, q |= ⟨⟨A⟩⟩ψ  iff  M'|sA, q |=_CTL* Aψ.

This procedure can be performed in NP^PSPACE, which renders the complexity of the whole language to be in P^(NP^PSPACE) = PSPACE.

Theorem 5.38 (ATL*_ir and ATL*_Ir [Schobbens, 2004])
Model checking ATL*_ir and ATL*_Ir is PSPACE-complete in the number of transitions in the model and the length of the formula.

Proof: Lower Bound
LTL model checking is a special case of L_ATL* model checking: PSPACE-hard.

Imperfect Information and Perfect Recall

Conjecture 1 (ATL_iR)
Model checking ATL_iR is undecidable. Recently, a proof has been proposed by Dima and Tiplea (June 2010).

Conjecture 2 (ATL*_iR)
Model checking ATL*_iR is undecidable.

Conjecture 3 (ATL+_iR)
Model checking ATL+_iR is undecidable.

5.6 Summary of Complexity Results
Summary of Complexity Results

              Ir        IR          ir        iR
    L_ATL     P         P           ∆^P_2     Undecidable†
    L_ATL+    ∆^P_3     PSPACE      ∆^P_3     Undecidable†
    L_ATL*    PSPACE    2EXPTIME    PSPACE    Undecidable†

Figure 5: † These problems are believed to be undecidable.

Nice results: model checking CTL and ATL is tractable. But the result is relative to the size of the model and the formula:
- Well-known catch (CTL): the size of the model is exponential wrt. a higher-level description.
- Another problem: transitions are labelled, so the number of transitions can be exponential in the number of agents.

6. Complexity of Reasoning: Satisfiability

Outline
6 Complexity of Reasoning: Satisfiability
  Satisfiability Problem and Tableaux
  A Tableau Algorithm for LTL
  A Tableau Algorithm for CTL
  CTL* is 2EXPTIME-complete
  ATL and ATL*

We present tableau procedures for propositional logic, LTL, and CTL. We discuss the complexity of the satisfiability problems for LTL, CTL, CTL*, ATL, and ATL*.
6.1 Satisfiability Problem and Tableaux

Satisfiability Problem

The satisfiability problem is the following question: given a formula ϕ (of some logic L), is there a model M (from a class 𝔐 of models associated with L) and a state q in M such that M, q |= ϕ?

More precisely, this is the L-satisfiability problem (over the class 𝔐 of models). In the following we consider the class of all Kripke structures for the temporal logics.

To obtain a decision procedure one often proceeds as follows:
- Establish a small model theorem for L: that is, if there is a model for ϕ then there also is a "small model" (in particular a finite one). Methods of choice: quotient constructions / filtrations ("equivalent states" are identified).
- Well-known methods are tableau procedures: they "encode" all models of a given formula.
- Automata-theoretic constructions offer another alternative (cf. the LTL automata-theoretic construction, and the CTL* and ATL* decision procedures).

Tableaux for Propositional Logic

Tableau
- Encodes all models of a given formula.
- A rule-based definition allows an intuitive presentation.
- Semantic structures can often be extracted easily: easy construction of satisfying models.
- Often, tight limits on their size allow a good complexity analysis.

A tableau is a graph/tree-like structure to visualise attempts to create a model. For building a tableau there are rules to systematically split the input formula into subformulae. Each branch of the tableau represents a way of trying to build a model.
We assume as basic connectives ∧ and ¬ (one can also take ∨ instead of ∧). We use Σ to represent a set of propositional formulae.

Definition 6.2 (Propositional logic tableau rules)
A tableau rule has the form Σ / Σ' or Σ / Σ' | Σ'' (premise above the line, conclusion(s) below). Both rules can be applied to a node n with label Σ. The effect of the first rule is a new node n' with label Σ' connected to n, and of the second rule two nodes n' and n'' labelled Σ' and Σ'', respectively, both connected to n. The propositional logic tableau rules are given as follows:

    Σ ∪ {ψ, ¬ψ} / ⊥                 Σ ∪ {¬¬ψ} / Σ ∪ {ψ}
    Σ ∪ {ψ ∧ χ} / Σ ∪ {ψ, χ}        Σ ∪ {ψ ∨ χ} / Σ ∪ {ψ} | Σ ∪ {χ}

All nodes are labelled with subformulae of ϕ or their negations. We call a branch of a tableau closed if it contains ⊥; otherwise, open.

Example 6.1 (Tableau for ϕ = (a ∧ c) ∧ (¬a ∨ b))

    ϕ
    ϕ, a ∧ c
    ϕ, a ∧ c, ¬a ∨ b
    ├─ ϕ, a ∧ c, ¬a ∨ b, ¬a
    │    ϕ, a ∧ c, ¬a ∨ b, ¬a, a
    │    ⊥   (contradiction!)
    └─ ϕ, a ∧ c, ¬a ∨ b, b
         ϕ, a ∧ c, ¬a ∨ b, b, a
         ϕ, a ∧ c, ¬a ∨ b, b, a, c

The last set in the right branch is maximally propositionally consistent (wrt. the closure of ϕ) and represents a model of ϕ.

Remark 6.3
- Termination can be achieved by marking subformulae already treated.
- Movement along a branch represents adding consequences; branching represents choices between alternatives.
- The tableau can be interpreted as a graph/tree.
- We call these tableau rules static (as the whole tableau procedure is about finding a propositional model).
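The propositional tableau of Definition 6.2, applied to Example 6.1, as an added example in Python (not part of the lecture notes). Formulas are nested tuples, an assumption of this example; treated formulas are marked as in Remark 6.3 so that the procedure terminates. The two rules for negated binary connectives (De Morgan) are added here because the rule set on the slide lists only the ⊥, ¬¬, ∧ and ∨ rules explicitly.

```python
def is_literal(f):
    return f[0] == 'var' or (f[0] == 'not' and f[1][0] == 'var')


def tableau(formulas):
    """Propositional tableau (Definition 6.2). Returns the literals of an open
    branch as a model {variable: truth value}, or None if every branch closes."""
    return _expand(frozenset(formulas), frozenset())


def _expand(branch, done):
    # closure rule: psi and ¬psi on the same branch yield ⊥ -> branch closed
    for f in branch:
        if ('not', f) in branch:
            return None
    for f in branch:
        if f in done or is_literal(f):
            continue                      # already treated, or nothing to split
        treated = done | {f}
        kind = f[0]
        if kind == 'not' and f[1][0] == 'not':            # ¬¬psi / psi
            return _expand(branch | {f[1][1]}, treated)
        if kind == 'and':                                 # psi ∧ chi / psi, chi
            return _expand(branch | {f[1], f[2]}, treated)
        if kind == 'or':                                  # psi ∨ chi / psi | chi
            left = _expand(branch | {f[1]}, treated)
            return left if left is not None else _expand(branch | {f[2]}, treated)
        if kind == 'not' and f[1][0] == 'and':            # ¬(psi ∧ chi) / ¬psi | ¬chi  (De Morgan, added)
            g = f[1]
            left = _expand(branch | {('not', g[1])}, treated)
            return left if left is not None else _expand(branch | {('not', g[2])}, treated)
        if kind == 'not' and f[1][0] == 'or':             # ¬(psi ∨ chi) / ¬psi, ¬chi   (De Morgan, added)
            g = f[1]
            return _expand(branch | {('not', g[1]), ('not', g[2])}, treated)
        raise ValueError("unknown connective: %r" % (kind,))
    # no static rule applicable and no contradiction: open branch -> read off a model
    model = {}
    for f in branch:
        if f[0] == 'var':
            model[f[1]] = True
        elif is_literal(f):
            model[f[1][1]] = False
    return model


def evaluate(f, model):
    """Truth value of f under model (unassigned variables count as false)."""
    op = f[0]
    if op == 'var':
        return model.get(f[1], False)
    if op == 'not':
        return not evaluate(f[1], model)
    if op == 'and':
        return evaluate(f[1], model) and evaluate(f[2], model)
    return evaluate(f[1], model) or evaluate(f[2], model)


if __name__ == '__main__':
    a, b, c = ('var', 'a'), ('var', 'b'), ('var', 'c')
    phi = ('and', ('and', a, c), ('or', ('not', a), b))      # Example 6.1
    print('model of phi:', tableau([phi]))
    print('a ∧ ¬a      :', tableau([('and', a, ('not', a))]))
```

Branching is realised by the recursive call on the left disjunct first and the right one only if the left branch closes, so the search explores the tableau depth-first; the returned model is exactly the set of literals on the first open branch, which for Example 6.1 is {a, b, c}.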
Note also that the tableau procedure does not require any normal form (as is, for instance, the case for resolution).

6.2 A Tableau Algorithm for LTL
We extend the propositional tableau algorithm such that we can check satisfiability of LTL formulae. Basic connectives: ¬, ∧, ○, U.

Recall: ω-models are propositional worlds connected by temporal transitions. We introduce two kinds of tableau rules:
- static rules: affect the very (propositional) state;
- transition rules: temporal evolution.
As before, nodes are labelled with subsets of cl(ϕ).

Definition 6.4 (Closure)
Let sub(ϕ) denote the set of subformulae of ϕ. The closure of ϕ is defined as follows:

    cl(ϕ) = sub(ϕ) ∪ {¬ψ | ψ ∈ sub(ϕ)}.

(We identify ¬¬ψ with ψ; with this identification cl(ϕ) is closed under negation.)

Our first proposal for an LTL-tableau procedure is based on new tableau rules capturing the temporal evolution. Later, we will discuss an alternative approach.

Definition 6.5 (LTL-tableau rules)
The LTL-tableau rules extend the propositional ones from Definition 6.2 by the following static rules:

    Σ ∪ {ψ1 U ψ2} / Σ ∪ {ψ1} | Σ ∪ {ψ2}
    Σ ∪ {¬(ψ1 U ψ2)} / Σ ∪ {¬ψ2}

and the following transition rules:

    Σ ∪ {¬ψ2, ψ1 U ψ2} / ○Σ ∪ {ψ1 U ψ2}
    Σ ∪ {○ψ} / ○Σ ∪ {ψ}

where

    ○Σ = {ψ | ○ψ ∈ Σ} ∪ {¬ψ | ¬○ψ ∈ Σ}
         ∪ {ψ1 U ψ2 | ¬ψ2, ψ1 U ψ2 ∈ Σ}
         ∪ {¬(ψ1 U ψ2) | ψ1, ¬(ψ1 U ψ2) ∈ Σ}
         ∪ {t | t ∈ Σ}.

The tableau rules model propositional reasoning and temporal reasoning. How do we apply these rules? Can we apply them in any order?

Example 6.6
Suppose we are given Σ = {p ∧ ¬p, ○q}. Applying a transition rule first we obtain the label {q}, and the corresponding branch of the tableau is open. However, Σ is not satisfiable! Propositional consistency has to be ensured before applying transition rules: we are only allowed to apply transition rules if no more static rules can be applied and the branch is open. How to achieve this? Mark the subformulae to which no static rule can be applied or to which a static rule has been applied. Then apply transition rules only if all subformulae have been marked and the branch is open.

In the following we follow an alternative approach and "hide" the application of static rules completely, considering only sets which are maximally propositionally consistent.

Definition 6.7 (Maximally propositionally consistent)
A set Σ ⊆ cl(ϕ) is maximally propositionally consistent wrt. cl(ϕ) if the following conditions are satisfied:
- for all ψ ∈ cl(ϕ): ψ ∈ Σ iff ¬ψ ∉ Σ;
- if ψ1 ∧ ψ2 ∈ Σ then ψ1 ∈ Σ and ψ2 ∈ Σ; and
- if ¬(ψ1 ∧ ψ2) ∈ Σ then ¬ψ1 ∈ Σ or ¬ψ2 ∈ Σ.
The set of all such sets is called PC(ϕ).

We note that such sets are not necessarily consistent in general; consider e.g. {○p, ○¬p}. The tableau takes care of this by a deletion mechanism.
The nodes of the tableau procedure are labelled with sets from PC(ϕ). How do we connect these nodes? We define a relation R ⊆ PC(ϕ) × PC(ϕ) as follows: Σ1 R Σ2 iff
1. for all ○ψ ∈ cl(ϕ): ○ψ ∈ Σ1 iff ψ ∈ Σ2; and
2. for all ψ1 U ψ2 ∈ cl(ϕ): ψ1 U ψ2 ∈ Σ1 iff (ψ2 ∈ Σ1 or (ψ1 ∈ Σ1 and ψ1 U ψ2 ∈ Σ2)).

We call the graph (PC(ϕ), R) the initial LTL-tableau of ϕ. Clearly, a node with label Σ in the tableau can be considered as a propositional state: we simply take Σ ∩ Prop(ϕ), where Prop(ϕ) is the set of propositional symbols occurring in ϕ. In the following we identify nodes and states in this way.

Remark 6.8 (Efficiency)
We note that from a practical point of view this method is not very efficient, as all states from PC(ϕ) have to be constructed! An incremental approach usually performs better on average.

Example 6.9
Consider the set Σ = {□p, ○p, p}, where □ψ is defined as ¬◇¬ψ ≡ ¬(⊤ U ¬ψ). This set results in a non-terminating, looping branch. Such branches are declared open.

Definition 6.10 (Initial tableau)
Moreover, we add a "dummy" start node which we connect to all Σ with ϕ ∈ Σ. If no such nodes exist, then ϕ is obviously not satisfiable.

Now the question is whether the initial tableau contains an LTL-model of ϕ. How to determine this? There are two possible types of error:
1. States may not have successors. (Consider e.g. {○p, ○¬p}.)
2. There are non-fulfilled eventualities.

An eventuality ψ1 U ψ2 is fulfilled in a node if there is a node reachable from the current one which contains ψ2.

LTL-tableau algorithm
1. Construct (PC(ϕ), R).
2. Remove all nodes from (PC(ϕ), R) which do not have a successor.
3. Remove all nodes which contain a non-fulfilled eventuality.
4. If none of the above steps can be applied and a node which contains ϕ remains, return "satisfiable"; otherwise, "unsatisfiable".

Theorem 6.11
The LTL-tableau algorithm terminates and is correct; i.e. "satisfiable" is returned on input ϕ iff ϕ is satisfiable. Moreover, the algorithm runs in exponential time.

Sketch.
Termination: PC(ϕ) is a finite set of finite sets. The tableau algorithm only removes nodes. Checking fulfilment can be done in a depth-first manner with marking.

Correctness: "⇐": Suppose ϕ is satisfiable in λ. We define the sets Σi = {ψ ∈ cl(ϕ) | λ[i, ∞] |= ψ} for i ∈ N0. It is easy to see that none of these sets is removed by the tableau algorithm; hence, it returns "satisfiable".
"⇒": Suppose the algorithm returns "satisfiable". Let G ⊆ PC(ϕ) be the set of remaining nodes and let ϕ ∈ Σ0 ∈ G. We recursively define sequences 0 = i0 < i1 < ··· < ω and Σ0, Σ1, .... Suppose we have constructed this sequence up to Σ_{i_j}.
- If Σ_{i_j} does not contain any unfulfilled eventuality, set i_{j+1} = i_j + 1 and choose Σ_{i_{j+1}} as some R-successor of Σ_{i_j}.
- Otherwise, find a path Σ_{i_j}, Σ_{i_j + 1}, ..., Σ_{i_{j+1}} in G such that all unfulfilled eventualities in Σ_{i_j} are fulfilled in Σ_{i_{j+1}}.
Now it is easy to show that the constructed path satisfies all eventualities occurring in any state, also those newly introduced in Σ_{i_j + 1}, ..., Σ_{i_{j+1} − 1}.

Complexity: Each Σ ∈ PC(ϕ) is of size linear in |ϕ| and there are exponentially many such subsets. The deletion steps can be done in deterministic time polynomial in the size of PC(ϕ).

The LTL-tableau algorithm can also be implemented in polynomial space by guessing the "right" branch of the tableau. However, since a branch can be of exponential length we cannot store it explicitly. We make use of the ultimately periodic model property of LTL (cf. Theorem 1.16). (Figure omitted: an ultimately periodic path, with the bounds 2^{O(n)} and 4^{O(n)} on its lengths.) The idea is the same as for LTL model checking (cf. Theorem 5.15).

Theorem 6.12 (LTL is PSPACE-complete [Sistla and Clarke, 1985])
Satisfiability checking LTL is PSPACE-complete.

Proof.
Membership: We use a polynomially space bounded Turing machine. Given ϕ, guess a path through the tableau construction of exponential length (in |ϕ|). Only the current state, the state at which the path loops back, and a counter have to be kept in memory.
Hardness: Reduction from polynomial space-bounded Turing machines.

Remark 6.13
In Section 1.3 (cf. Theorem 5.13) we have constructed an automaton which accepts all models of an L_LTL-formula. This directly yields another decision procedure for LTL-satisfiability, which essentially reduces to checking emptiness of the automaton.
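The following Python program is an added worked example of the four tableau steps above; it is not part of the course material. It assumes the definitions of cl(ϕ), PC(ϕ) and R from the earlier LTL slides that are not reproduced here: cl(ϕ) is closed under subformulas and negation, PC(ϕ) consists of the propositionally consistent choices of ψ or ¬ψ for every subformula ψ, and Σ1 R Σ2 passes ◯-formulae on and unfolds U-formulae in the same way as the AU rule of the CTL relation in the next section. Formulas are nested tuples; the names atom, neg, AND, OR, X, U, F, G, pc, step and ltl_satisfiable are the example's own.

```python
"""LTL satisfiability via the tableau of Section 6.2 (added example).
Formulas are nested tuples, nodes are the propositionally consistent subsets
PC(phi) of the closure, step() is the relation R, and the two deletion rules
are iterated to a fixpoint.  The exact shape of PC(phi) and R is an assumption
reconstructed from the proof sketch and from the CTL rules."""
from itertools import product

TRUE = ('true',)

def atom(name): return ('atom', name)
def neg(f): return f[1] if f[0] == 'not' else ('not', f)   # never builds ¬¬ψ
def AND(f, g): return ('and', f, g)
def OR(f, g): return ('or', f, g)
def X(f): return ('next', f)
def U(f, g): return ('until', f, g)
def F(f): return U(TRUE, f)          # eventually
def G(f): return neg(F(neg(f)))      # always, as the dual of eventually

def positive_subformulas(f, acc=None):
    """Subformulas of f with negations stripped; cl(f) = pos ∪ {neg(ψ) | ψ ∈ pos}."""
    acc = set() if acc is None else acc
    if f[0] == 'not':
        return positive_subformulas(f[1], acc)
    acc.add(f)
    for g in f[1:]:
        if isinstance(g, tuple):
            positive_subformulas(g, acc)
    return acc

def locally_consistent(s):
    """Propositional consistency: ∧/∨ agree with their operands, ¬true is out.
    Temporal operators are constrained by R (step), not here."""
    for psi in s:
        if psi == neg(TRUE):
            return False
        inner, holds = (psi[1], False) if psi[0] == 'not' else (psi, True)
        if inner[0] == 'and' and holds != (inner[1] in s and inner[2] in s):
            return False
        if inner[0] == 'or' and holds != (inner[1] in s or inner[2] in s):
            return False
    return True

def pc(f):
    """PC(f): every choice of ψ or ¬ψ per subformula that is locally consistent."""
    pos = sorted(positive_subformulas(f), key=repr)
    nodes = []
    for choice in product((True, False), repeat=len(pos)):
        s = frozenset(p if c else neg(p) for p, c in zip(pos, choice))
        if locally_consistent(s):
            nodes.append(s)
    return pos, nodes

def step(pos, s1, s2):
    """Σ1 R Σ2:  ◯ψ ∈ Σ1 iff ψ ∈ Σ2, and
    ψ1 U ψ2 ∈ Σ1 iff ψ2 ∈ Σ1 or (ψ1 ∈ Σ1 and ψ1 U ψ2 ∈ Σ2)   (until-unfolding)."""
    for psi in pos:
        if psi[0] == 'next' and (psi in s1) != (psi[1] in s2):
            return False
        if psi[0] == 'until' and (psi in s1) != (psi[2] in s1 or (psi[1] in s1 and psi in s2)):
            return False
    return True

def reachable(start, succ):
    seen, stack = {start}, [start]
    while stack:
        for m in succ[stack.pop()]:
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return seen

def ltl_satisfiable(f):
    """Steps 1-4 of the LTL-tableau algorithm; True iff f has a model."""
    pos, nodes = pc(f)                                     # step 1
    alive = set(nodes)
    while True:
        succ = {n: [m for m in alive if step(pos, n, m)] for n in alive}
        dead = {n for n in alive if not succ[n]}           # step 2: no successor
        for n in alive - dead:                             # step 3: eventualities
            reach = reachable(n, succ)
            if any(psi[0] == 'until' and not any(psi[2] in m for m in reach)
                   for psi in n):
                dead.add(n)
        if not dead:                                       # step 4: fixpoint
            return any(f in n for n in alive)
        alive -= dead

if __name__ == '__main__':
    p, q = atom('p'), atom('q')
    print(ltl_satisfiable(U(p, q)), ltl_satisfiable(AND(G(p), F(q))))
    print(ltl_satisfiable(AND(U(neg(q), q), G(neg(q)))))
```

The third call is the instructive one: (¬q U q) ∧ ¬(true U q) is propositionally consistent, so its nodes survive step 2, and it is only the eventuality check of step 3 that empties the tableau, exactly as the proof of the "⇒" direction requires.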
6.3 A Tableau Algorithm for CTL

In this section we discuss a tableau algorithm for CTL. The idea is the very same as for LTL. Given PC(ϕ) we define a relation R as follows: Σ1 R Σ2 iff
1. for all A◯ψ ∈ cl(ϕ): if A◯ψ ∈ Σ1 then ψ ∈ Σ2;
2. for all ¬E◯ψ ∈ cl(ϕ): if ¬E◯ψ ∈ Σ1 then ¬ψ ∈ Σ2;
3. for all Aψ1 U ψ2 ∈ cl(ϕ): if Aψ1 U ψ2 ∈ Σ1 then (ψ2 ∈ Σ1 or (ψ1 ∈ Σ1 and Aψ1 U ψ2 ∈ Σ2));
4. for all ¬Eψ1 U ψ2 ∈ cl(ϕ): if ¬Eψ1 U ψ2 ∈ Σ1 then (¬ψ2 ∈ Σ1 and (either ¬ψ1 ∈ Σ1 or ¬Eψ1 U ψ2 ∈ Σ2)).

CTL-tableau algorithm
1. Construct (PC(ϕ), R).
2. Remove all nodes Σ from (PC(ϕ), R) which do not satisfy the following conditions:
   1. if E◯ψ ∈ Σ then there is Σ' with Σ R Σ' and ψ ∈ Σ';
   2. if ¬A◯ψ ∈ Σ then there is Σ' with Σ R Σ' and ¬ψ ∈ Σ';
   3. if Eψ1 U ψ2 ∈ Σ then ψ2 ∈ Σ or (ψ1 ∈ Σ and there is Σ' with Σ R Σ' such that Eψ1 U ψ2 ∈ Σ'); and
   4. if ¬Aψ1 U ψ2 ∈ Σ then ¬ψ2 ∈ Σ and (either ¬ψ1 ∈ Σ or there is Σ' with Σ R Σ' such that ¬Aψ1 U ψ2 ∈ Σ').
3. Remove all nodes which contain an eventuality which is not fulfilled.
4. If none of the above steps can be applied and a node which contains ϕ remains, return "satisfiable"; otherwise, "unsatisfiable".

Again, the deletion process consists of two steps:
1. Local pruning: remove states which do not "agree with" the semantics of the subformulae contained in the states.
2. Remove states which contain non-fulfillable eventualities.
In the case of CTL, eventualities are given by Eψ1 U ψ2 and Aψ1 U ψ2.
Theorem 6.14
The CTL-tableau algorithm terminates and is correct; i.e. "satisfiable" is returned on input ϕ iff ϕ is satisfiable. Moreover, the algorithm runs in exponential time.

Theorem 6.15 (Satisfiability of CTL)
The satisfiability problem for CTL is EXPTIME-complete.

Proof.
Membership in EXPTIME is proven by the CTL-tableau algorithm (cf. Theorem 6.14). Hardness can be shown by a reduction from alternating polynomial space bounded Turing machines.

LTL-satisfiability revisited
Yet another approach to check LTL-satisfiability is a reduction to CTL-satisfiability. Given an LTL-formula in positive normal form, we define the translation tr : L_LTL[pnf] → L_CTL by replacing ♦, □, ◯, U, B by A♦, A□, A◯, A U, A B, respectively.

The following theorem shows that LTL-satisfiability can be checked in EXPTIME as well:

Theorem 6.16 (LTL is in EXPTIME)
Let ϕ ∈ L_LTL be in positive normal form. Then tr(ϕ) ∈ L_CTL and ϕ is LTL-satisfiable iff tr(ϕ) is CTL-satisfiable. Hence, LTL-satisfiability is in EXPTIME.

6.4 CTL* is 2EXPTIME-complete

Satisfiability of CTL* can be shown by a subtle automata-theoretic construction. The idea is sketched in the following:
- A normal form for CTL* formulae is established. This normal form is essentially built from three types of subformulae: Aψ, Eψ, or A□Eψ where ψ ∈ L_LTL.
- It is shown that a CTL* formula is satisfiable iff there is an (infinite) tree-like model with fixed branching.
- A tree automaton accepting these tree-like models is constructed from ω-word automata (cf. LTL model checking), one for each subformula of the aforementioned types of the normal form. In particular, the construction of the automaton for Aψ is costly.
- Satisfiability of ϕ is reduced to checking emptiness of this tree automaton.
Theorem 6.17 (Normal form [Emerson and Sistla, 1984])
For each ϕ ∈ L_CTL* it is possible to construct a formula ϕ' ∈ L_CTL* with the following properties:
1. ϕ' is composed of conjunctions and disjunctions of subformulae of the form Aψ, Eψ, or A□Eψ where ψ ∈ L_LTL.
2. The length of ϕ' is linear in the length of ϕ.
3. ϕ is satisfiable iff ϕ' is satisfiable.
4. Any model of ϕ can be used to construct a model of ϕ' and vice versa.
We say that ϕ' is a normal form of ϕ.

Theorem 6.18 ([Emerson and Sistla, 1984])
Any satisfiable formula ϕ ∈ L_CTL* in normal form has an infinite tree-like model in which each node has at most |ϕ| outgoing edges and each subformula Eψ of ϕ is satisfied along a designated path of the tree-like model.

Theorem 6.19 ([Vardi and Stockmeyer, 1985, Emerson and Sistla, 1984, Emerson and Jutla, 1999])
Satisfiability checking CTL* is 2EXPTIME-complete.

Proof.
Hardness is shown in [Vardi and Stockmeyer, 1985]. Membership is shown by a subtle automata-theoretic construction. Let ϕ be a formula in normal form. Theorem 6.18 allows us to use tree automata (fixed branching). For a pure L_LTL formula ψ let A_ψ denote the Büchi word automaton accepting exactly the paths satisfying ψ (cf. Theorem 5.13).

For each subformula Aψ, Eψ, or A□Eψ of ϕ we construct a tree automaton (built from the aforementioned word automata A_ψ) accepting those trees satisfying the formula. We construct a complemented pairs tree automaton for each of these subformulae as follows:
- Eψ: Run A_ψ at the root of any given tree on the designated path.
- A□Eψ: Run A_ψ at any node and run it down the designated path for Eψ.
Both automata have 2^{O(|ψ|)} states and |ψ| pairs.
- Aψ: Running A_ψ down all paths from the root does not work! Why? (A_ψ is nondeterministic: a single run tree must commit to one guess at every node that several paths share, so an accepting run on each path separately need not combine into one run tree.) Firstly, we have to transform A_ψ into a deterministic Rabin automaton. The resulting deterministic automaton A'_ψ has 2^{2^{O(|ψ|)}} states and 2^{O(|ψ|)} pairs (cf. Theorem 7.25, Safra's construction). The tree automaton for Aψ runs A'_ψ along all paths of the input tree. It has the same size as A'_ψ.

All these tree automata are combined into a product automaton, which yields a complemented pairs automaton with 2^{2^{O(|ϕ|)}} states and 2^{O(|ϕ|)} pairs. By Theorem 7.24 non-emptiness can be checked in deterministic time (mn)^{O(n)}, where m is the number of states and n the number of pairs. Hence, we have a time complexity of

(2^{2^{O(|ϕ|)}} · 2^{O(|ϕ|)})^{2^{O(|ϕ|)}} = 2^{2^{O(|ϕ|)}}

steps.
Summary
- We have shown (via a tableau algorithm) that the satisfiability problem for LTL is PSPACE-complete. Alternatively, we have presented an automata-theoretic approach and a reduction to CTL-satisfiability checking.
- We have shown (via a tableau algorithm) that the satisfiability problem for CTL is EXPTIME-complete.
- The algorithm for CTL* is based on a subtle construction using tree automata. Non-trivial results from automata theory (Safra's construction and non-emptiness checks) were necessary.

6.5 ATL and ATL*

In this section we briefly discuss the satisfiability problems for ATL and ATL*. A detailed presentation is out of the scope of this tutorial.

Firstly, we state the satisfiability problem. There are at least four sensible settings:
1. Is ϕ satisfiable over a fixed and finite set Agt of agents?
2. Is ϕ satisfiable over Agt where Agt(ϕ) ⊆ Agt?
3. Is there a set Agt of agents with Agt(ϕ) ⊆ Agt such that ϕ is satisfiable over Agt?
4. Is ϕ satisfiable over Agt(ϕ)?
Here Agt(ϕ) denotes the set of agent names occurring in ϕ. Do these settings affect the satisfiability of formulae?

Example 6.20
Is the following formula satisfiable?
¬⟨⟨1⟩⟩◯p ∧ ¬⟨⟨1⟩⟩◯q ∧ ⟨⟨1⟩⟩◯(p ∨ q)
Over Agt = {1} it is not: with a single agent every joint action is agent 1's action alone, so a strategy of 1 enforcing p ∨ q in the next state fixes that state, which then satisfies p or q, and hence ⟨⟨1⟩⟩◯p or ⟨⟨1⟩⟩◯q. Over Agt = {1, 2} it is satisfiable, because a second agent can decide which of p and q holds after agent 1 has enforced p ∨ q.

Proposition 6.21
The satisfiability problems (2) and (4) are polynomially reducible to each other. Problem (3) is polynomially reducible to (2). Moreover, we have that ϕ is satisfiable over some Agt with Agt(ϕ) ⊊ Agt iff ϕ is satisfiable over Agt(ϕ) ∪ {|Agt(ϕ)| + 1}.
In [van Drimmelen, 2003] and [Goranko and van Drimmelen, 2006b] an automata-theoretic approach is used to show that the satisfiability problem is EXPTIME-complete for a fixed set of agents (setting 1).

In [Walther et al., 2006] it is shown that the general setting (4) is EXPTIME-complete (over alternating transition systems). The basic idea is similar to the one used in the CTL-tableau algorithm: models are essentially built from the ⟨⟨A⟩⟩◯ψ-formulae occurring in ϕ.

In [Goranko and Shkatov, 2009] a generic "incremental" tableau decision procedure is proposed (over CGS). The approach can be used for the general setting (4).

Theorem 6.22 (Complexity)
The satisfiability problems for ATL are EXPTIME-complete, even for the general setting (4).

Proof.
Membership follows from the tableau procedure.
Hardness: Reduction of global consequence in the modal logic K. Given ψ1 and ψ2, does M ⊨ ψ1 imply M ⊨ ψ2 for all Kripke models M? ATL can "encode" logic K, e.g. ♦p ≙ ¬⟨⟨∅⟩⟩◯¬p. Now we have: ψ2 follows globally from ψ1 iff ⟨⟨∅⟩⟩□ψ1 ∧ ¬ψ2 is ATL-unsatisfiable over an arbitrary set of agents.

Satisfiability of ATL*
Membership is shown by an automata-theoretic construction: the model is transformed into a special tree-like model which is enriched with additional information on witnessing strategies. Hardness is shown by a reduction of satisfiability checking of CTL*.

Theorem 6.23 ([Schewe, 2008])
Satisfiability checking ATL* is 2EXPTIME-complete.

7. Appendix: Automata Theory
- Büchi Automata
- Generalized Büchi Automata
- Tree automata
- Emptiness Checking
- Determinization
7.1 Büchi Automata

We would like to use finite automata to solve the model checking problem. Finite automata (on finite words) accept only finite words, but paths are infinite. We need to extend the model to finite automata that accept infinite words. How can we accept infinite words?

Definition 7.1 (ω-automaton)
An ω-automaton is a tuple A = (Q, Σ, Δ, qI, C) where
1. Q is a finite set of states;
2. Σ is a finite alphabet;
3. Δ ⊆ Q × Σ × Q is a transition relation;
4. qI ∈ Q is the initial state; and
5. C is an acceptance component (which is specialised in the following).
The crucial point is the acceptance component!

Definition 7.2 (Run)
A run ρ = ρ(0)ρ(1)··· ∈ Q^ω of A on a word w = w1 w2 ··· ∈ Σ^ω is an infinite sequence of states of A such that
1. ρ(0) = qI, and
2. ρ(i) ∈ Δ(ρ(i − 1), wi) for i ≥ 1, where Δ(q, a) = {q' | (q, a, q') ∈ Δ}.

How could we accept the following language?
L = {w ∈ {a, b}^ω | w contains infinitely many a and only finitely many b}.
Is it sufficient to reach a final state once?
We define Inf(ρ) as the set of all states that occur infinitely often on ρ; that is,
Inf(ρ) = {q ∈ Q | ∀i ∃j (j > i ∧ ρ(j) = q)}.

Definition 7.3 (Büchi automaton)
A Büchi automaton is an ω-automaton A = (Q, Σ, Δ, qI, F) where F ⊆ Q, with the following acceptance condition: A accepts w ∈ Σ^ω if, and only if, there is a run ρ of A on w such that Inf(ρ) ∩ F ≠ ∅.
Thus, such an automaton accepts all words such that some state from F is visited infinitely often on a corresponding run.

Definition 7.4 (Acceptable language)
The language accepted by A, L(A), consists of all words accepted by A. That is,
L(A) = {w ∈ Σ^ω | A accepts w}.
A language is said to be (Büchi) acceptable if there is a Büchi automaton that accepts it.

Remark 7.5 (Other automata types)
Other acceptance conditions yield different automata types: Rabin automata, Muller automata.

Example 7.6
Is there a Büchi automaton that accepts the following language L over Σ = {a, b, c}?
L = {w ∈ Σ^ω | w contains infinitely many a or b and only finitely many c}

Example 7.7
Is there a Büchi automaton that accepts the following language L over Σ = {a, b}?
L = {w ∈ Σ^ω | w ends with a^ω or (ab)^ω}
(blackboard)

Back to model checking LTL, p. 225.
Proposition 7.8 (Closure properties)
1. Büchi acceptable languages are closed under union, intersection, and complement.
2. If A is a regular language with ε ∉ A, then A^ω is Büchi acceptable.
3. If A is a regular language and B is Büchi acceptable, then AB is Büchi acceptable.

Proof sketch
1. Union: Nondeterministically guess which automaton should be executed. (Exercise.)
   Intersection: The product automaton yields a generalised Büchi automaton; its acceptance set is given by {F1 × S2, S1 × F2}. (Exercise.)
   Complement: This part is non-trivial and cannot be done in the scope of this lecture.
2. A^ω: Connect the transitions into final states also with the initial state. (Exercise.)
3. AB: Connect the transitions into final states of the finite automaton with the initial state of the Büchi automaton. (Exercise.)

Theorem 7.9 (Characterization Theorem)
A language L is Büchi acceptable if, and only if, there are finitely many regular languages U1, ..., Un and V1, ..., Vn such that
L = ⋃_{i=1,...,n} Ui (Vi)^ω.
This shows that any language L ≠ ∅ acceptable by a Büchi automaton contains an ultimately periodic word.

Proof of Theorem 7.9
"⇒": Let W(q, q') = {w ∈ Σ* | q →^w q'}. Each language W(q, q') is regular. Then,
L(A) = ⋃_{q ∈ F} W(qI, q) (W(q, q))^ω.
"⇐": Let L = ⋃_{i=1,...,n} Ui (Vi)^ω where each Ui, Vi is regular. By Proposition 7.8 we have that (Vi)^ω and Ui (Vi)^ω are Büchi acceptable. Thus also their finite union.

Example 7.10
For the language L = {w ∈ Σ^ω | w ends with a^ω or (ab)^ω} from Example 7.7 we have that L = Σ* {a}^ω ∪ Σ* {ab}^ω.
7.2 Generalized Büchi Automata

Definition 7.11 (Generalised Büchi automaton)
A generalised Büchi automaton is an ω-automaton A = (Q, Σ, Δ, qI, F) where F ⊆ P(Q), with the following acceptance condition: A accepts w ∈ Σ^ω if, and only if, there is a run ρ of A on w such that for each Fi ∈ F, Inf(ρ) ∩ Fi ≠ ∅.
Thus, such an automaton accepts all words such that some state from each Fi is visited infinitely often on a corresponding run.

We will use generalised Büchi automata for model checking LTL. What is the relation between Büchi and generalised Büchi automata?

Proposition 7.12 (Generalised Büchi → Büchi)
For each generalised Büchi automaton one can construct an equivalent Büchi automaton.

Proof.
Idea: Consider state-tuples S × {1, ..., k}. Whenever the GBA leaves a state of the acceptance set the counter currently points at, the counter is incremented (modulo k). Then a run visits states from each Fi infinitely often iff states from F1 × {1} appear infinitely often.

We first consider an example:

Example 7.13
(Figure: a generalised Büchi automaton with states q0, q1 over {a, b} and two acceptance sets F1, F2, next to the equivalent Büchi automaton with states (q0, 1), (q1, 1), (q0, 2), (q1, 2).)

Back to LTL-model checking, p. 269.
Proof (continued).
Let A = (Σ, S, Δ, S0, {F1, ..., Fn}) be a generalised Büchi automaton. We construct the Büchi automaton A' = (Σ, S', Δ', S0', F') with
- S' = S × {1, ..., n};
- S0' = S0 × {1};
- ((s, j), a, (t, i)) ∈ Δ' iff (s, a, t) ∈ Δ and
    i = j if s ∉ Fj,
    i = j + 1 (cyclically, i.e. n + 1 is read as 1) if s ∈ Fj;
- F' = F1 × {1}.

It remains to prove that both automata accept the same languages. We present the main ideas.
"⇒": Let A accept the word w. Then there is a run ρ on which states from each Fi, i = 1, ..., n, occur infinitely often. In the corresponding run of A' the counter can only stay at a value j until the next state from Fj is met, which happens infinitely often; hence the counter cycles through 1, ..., n infinitely often, and every time it leaves the value 1 the automaton A' is in a state (q, 1) with q ∈ F1. So a state from F' is visited infinitely often.
"⇐": Let A' accept the word w. Then some state (q1, 1) with q1 ∈ F1 is visited infinitely often. After it has been visited once the automaton is in a state (q, 2) and can only return to a state (q', 1) if some state from F2 is visited, then some state from F3, and so on. Projecting the run of A' onto its first component therefore yields a run of A that visits every Fi infinitely often.

7.3 Tree automata

As before let Σ be a finite alphabet and k a natural number. A k-ary Σ-tree t = (dom_t, L) is a tree with maximal branching k in which each node is labelled by an element from Σ. That is, L : dom_t → Σ, where dom_t ⊆ {0, ..., k − 1}* denotes the domain of the tree. It is required that dom_t is closed under prefixes (wx ∈ dom_t implies w ∈ dom_t) and under smaller siblings, i.e. wx ∈ dom_t → ∀y (0 ≤ y < x → wy ∈ dom_t).

A k-ary ω-tree automaton over the alphabet Σ is an automaton that accepts infinite k-ary Σ-trees.
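Added example, not from the slides: the degeneralisation Δ' from the proof of Proposition 7.12 in Python, applied to a constructed two-state generalised Büchi automaton (not the automaton of Example 7.13), followed by a check of ultimately periodic words prefix · loop^ω against both automata, which is the word shape Theorem 7.9 guarantees. Only deterministic automata are simulated, so the run is unique; the dict layout, degeneralise, inf_states, accepts_gba and accepts_buchi are this example's own names.

```python
"""Generalised Büchi -> Büchi (Proposition 7.12), added worked example.
An automaton is a dict with 'states', 'alphabet', 'delta' (a set of triples
(s, a, t)), 'init' and either 'accept' (F, Büchi) or 'accept_sets'
([F1, ..., Fn], generalised Büchi).  The sample GBA is constructed here."""

def degeneralise(gba):
    """A' = (S x {1..n}, S0 x {1}, Δ', F1 x {1}).  The counter j stays put on a
    transition whose source s is not in F_j and advances cyclically if s ∈ F_j."""
    fs = gba['accept_sets']
    n = len(fs)
    delta = set()
    for (s, a, t) in gba['delta']:
        for j in range(1, n + 1):
            i = (j % n) + 1 if s in fs[j - 1] else j
            delta.add(((s, j), a, (t, i)))
    return {'states': {(s, j) for s in gba['states'] for j in range(1, n + 1)},
            'alphabet': gba['alphabet'], 'delta': delta,
            'init': {(s, 1) for s in gba['init']},
            'accept': {(q, 1) for q in fs[0]}}

def successors(aut, s, a):
    return {t for (x, b, t) in aut['delta'] if x == s and b == a}

def inf_states(aut, prefix, loop):
    """Inf(ρ) for the unique run ρ of a deterministic automaton on the
    ultimately periodic word prefix · loop^ω; None if the run gets stuck
    (or the automaton is not deterministic, so the run is not unique)."""
    (q,) = aut['init']                       # a single initial state is assumed
    for a in prefix:
        nxt = successors(aut, q, a)
        if len(nxt) != 1:
            return None
        (q,) = nxt
    # Run through the loop until the configuration (state, position in loop)
    # repeats; the states from its first occurrence onwards are exactly Inf(ρ).
    seen, trace, k = {}, [], 0
    while (q, k % len(loop)) not in seen:
        seen[(q, k % len(loop))] = len(trace)
        trace.append(q)
        nxt = successors(aut, q, loop[k % len(loop)])
        if len(nxt) != 1:
            return None
        (q,) = nxt
        k += 1
    return set(trace[seen[(q, k % len(loop))]:])

def accepts_gba(gba, prefix, loop):
    """Generalised Büchi acceptance: Inf(ρ) meets every F_i."""
    inf = inf_states(gba, prefix, loop)
    return inf is not None and all(inf & f for f in gba['accept_sets'])

def accepts_buchi(ba, prefix, loop):
    """Büchi acceptance: Inf(ρ) meets F."""
    inf = inf_states(ba, prefix, loop)
    return inf is not None and bool(inf & ba['accept'])

# Constructed sample: reading a moves to q0, reading b moves to q1, so with
# F1 = {q0} and F2 = {q1} the GBA accepts exactly the words with infinitely
# many a AND infinitely many b.
GBA = {'states': {'q0', 'q1'}, 'alphabet': {'a', 'b'},
       'delta': {('q0', 'a', 'q0'), ('q0', 'b', 'q1'),
                 ('q1', 'a', 'q0'), ('q1', 'b', 'q1')},
       'init': {'q0'}, 'accept_sets': [{'q0'}, {'q1'}]}
BA = degeneralise(GBA)

if __name__ == '__main__':
    for prefix, loop in (('', 'ab'), ('b', 'a'), ('', 'aab')):
        print(repr(prefix), repr(loop),
              accepts_gba(GBA, prefix, loop), accepts_buchi(BA, prefix, loop))
```

On (ab)^ω the Büchi automaton cycles through (q0,1), (q0,2), (q1,2) and back to (q0,1): the counter leaves 1 on reading a in q0 ∈ F1 and returns to 1 only after q1 ∈ F2 has been seen, which is the argument of the "⇐" direction made concrete. On b a^ω both automata reject, since the loop only ever visits (q0,2), respectively q0.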
Definition 7.14 (k-ary ω-tree automaton)
A k-ary ω-tree automaton over the alphabet Σ is given by a tuple A = (Q, qI, Δ, C) where
- Q is a set of states,
- qI ∈ Q is the initial state,
- Δ : Q × Σ × {1, ..., k} → P(⋃_{i=1,...,k} Q^i) with Δ(q, a, i) ⊆ Q^i is a transition relation, and
- C is an acceptance component (which is specified in the following).

Definition 7.15 (Run, path, successful, accepting)
A run of a k-ary ω-tree automaton A on an infinite k-ary Σ-tree t = (dom_t, L_t) is an infinite k-ary Q-tree r = (dom_r, L_r) such that
1. dom_r = dom_t,
2. L_r(ε) = qI, and
3. ∀w ∈ dom_t: (L_r(w0), ..., L_r(w(i − 1))) ∈ Δ(L_r(w), L_t(w), i), where i = |{j | wj ∈ dom_t}| is the number of children of w.
A path of the run r is an infinite linearly ordered subset of dom_r (i.e. it denotes a branch in the tree). We say that the run r is successful if each path of r satisfies the acceptance condition C. An input tree t is accepted by A if there is a successful run.

Definition 7.16 (Büchi tree automaton)
A Büchi tree automaton is given by an ω-tree automaton A = (Q, qI, Δ, F) where F ⊆ Q is a set of final states. A run r = (dom_r, L) is successful if, and only if, for each path p of r there is a state from F that occurs infinitely often on p; i.e. for all paths p of r we have that
Inf(L|p) ∩ F ≠ ∅.
Here L|p denotes the sequence of states that L assigns to the nodes on p.

Definition 7.17 (Rabin tree automaton)
A Rabin tree automaton (or pairs tree automaton) is given by an ω-tree automaton A = (Q, qI, Δ, Ω) where
Ω = {(L1, U1), ..., (Ln, Un)}
with Li, Ui ⊆ Q is a set of "accepting" pairs (these pairs are called Rabin pairs). A run r = (dom_r, L) is successful if, and only if, for each path p of r there is an index i ∈ {1, ..., n} such that no state from Li and some state from Ui occurs infinitely often on p; i.e.
Inf(L|p) ∩ Li = ∅ and Inf(L|p) ∩ Ui ≠ ∅.

Theorem 7.18 ([Rabin, 1970])
There is a set of trees that is acceptable by a Rabin tree automaton but not by any Büchi tree automaton.
7.4 Emptiness Checking

For the model checking algorithms we need to check whether the language of a Büchi automaton is empty.

Definition 7.19 (Graph reachability)
Let G = (V, E) be a graph. Given two vertices u, v ∈ V, the graph-reachability problem is the question whether v is reachable from u.

Theorem 7.20 ([Jones, 1977, Jones, 1975])
The graph-reachability problem is NLOGSPACE-complete under logspace-reductions.

Theorem 7.21 ([Emerson and Lei, 1987])
The emptiness problem for Büchi automata is solvable in linear time and in nondeterministic logarithmic space.

Proof
We check whether there is some ultimately periodic word by finding an accepting state reachable from the initial state and from itself. The following algorithm runs in non-deterministic logarithmic space:
1. Guess an accepting state r, and
2. check whether reach(qI, r) and reach(r, r).
How does reach(x, y) work?
1. Choose some x-successor x' (non-determinism!).
2. Return "yes" if x' = y, else reach(x', y).
Only the current state, the target and a step counter bounded by |Q| have to be stored, which takes logarithmic space.
Hardness is shown by a reduction of the NLOGSPACE-complete problem of graph reachability from Definition 7.19. Given G, u, v, transform G into a Büchi automaton with initial state u and final state v and add a loop to v. Then: v is reachable from u in G iff the automaton is non-empty.

Back to LTL model checking, p. 245.
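Added example (not from the slides): the lasso search of the proof of Theorem 7.21 in Python, with the nondeterministic reach(x, y) replaced by a breadth-first search that also returns the letters of the path, so that a non-empty automaton yields an explicit ultimately periodic witness prefix · loop^ω. The hardness reduction from graph reachability is included as graph_to_buchi. The automaton dict layout, the sample automaton and the function names are this example's own.

```python
"""Büchi emptiness by lasso search (Theorem 7.21), plus the hardness reduction
from graph reachability.  Added example; the automata below are constructed."""
from collections import deque

def path(delta, x, y):
    """Letters of a shortest path x ->+ y that uses at least one transition,
    or None if no such path exists.  Deterministic counterpart of the
    nondeterministic reach(x, y) from the proof of Theorem 7.21."""
    queue, parent = deque([x]), {}
    while queue:
        s = queue.popleft()
        for (src, a, t) in sorted(delta, key=repr):
            if src == s and t not in parent:
                parent[t] = (s, a)
                if t == y:                      # walk the BFS tree back to x
                    word, cur = [], y
                    while True:
                        cur, letter = parent[cur]
                        word.append(letter)
                        if cur == x:
                            return word[::-1]
                queue.append(t)
    return None

def witness(aut):
    """(prefix, loop, r) with prefix · loop^ω ∈ L(aut) cycling through the
    accepting state r, or None if L(aut) is empty.  This is the slides'
    algorithm: pick r ∈ F, check reach(qI, r) and reach(r, r)."""
    for r in sorted(aut['accept'], key=repr):
        for q in sorted(aut['init'], key=repr):
            prefix = [] if q == r else path(aut['delta'], q, r)
            loop = path(aut['delta'], r, r)
            if prefix is not None and loop is not None:
                return ''.join(prefix), ''.join(loop), r
    return None

def is_empty(aut):
    return witness(aut) is None

def graph_to_buchi(edges, u, v):
    """Hardness direction of Theorem 7.21: (G, u, v) becomes a Büchi automaton
    with initial state u, final state v and a self loop at v; every edge is
    labelled with the single letter 'e'."""
    states = {x for e in edges for x in e} | {u, v}
    return {'states': states, 'alphabet': {'e'},
            'delta': {(x, 'e', y) for (x, y) in edges} | {(v, 'e', v)},
            'init': {u}, 'accept': {v}}

# Constructed sample NBA: 0 -a-> 1, 1 -b-> 1, 1 -a-> 2; state 2 lies on no cycle.
SAMPLE = {'states': {0, 1, 2}, 'alphabet': {'a', 'b'},
          'delta': {(0, 'a', 1), (1, 'b', 1), (1, 'a', 2)},
          'init': {0}, 'accept': {1}}

if __name__ == '__main__':
    print(witness(SAMPLE))                                   # the word a b^ω
    print(is_empty(dict(SAMPLE, accept={2})))                # 2 has no cycle
    print(is_empty(graph_to_buchi({(1, 2), (2, 3), (4, 5)}, 1, 3)))
```

Making state 2 the only accepting state empties the language although 2 is reachable: reach(r, r) fails, which is the part of the check that distinguishes Büchi emptiness from plain reachability. The graph reduction shows the converse direction, since the added self loop at v makes reach(v, v) trivially true and leaves reach(u, v) as the only question.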
Theorem 7.22 ([Rabin, 1970, Vardi and Wolper, 1984])
The emptiness problem for Büchi tree automata is decidable and P-complete under logarithmic space reductions.

Theorem 7.23 ([Emerson and Jutla, 1988, Pnueli and Rosner, 1989])
The non-emptiness problem for Rabin tree automata is decidable and complete for NP.

Theorem 7.24 ([Emerson and Jutla, 1999])
The non-emptiness problem for pairs tree automata is decidable in deterministic time (mn)^{O(n)}, where m is the number of states and n the number of pairs in the automaton.

7.5 Determinization

Determinization of Automata

Theorem 7.25 (Safra's construction [Safra, 1988])
Let A be a nondeterministic Büchi automaton with n states. Then there is an equivalent deterministic Rabin automaton with 2^{O(n log n)} states.

8. References
Alur, R., Henzinger, T. A., and Kupferman, O. (1997). Alternating-time Temporal Logic. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS), pages 100–109. IEEE Computer Society Press.
Alur, R., Henzinger, T. A., and Kupferman, O. (2002). Alternating-time Temporal Logic. Journal of the ACM, 49:672–713.
Clarke, E. and Emerson, E. (1981). Design and synthesis of synchronization skeletons using branching time temporal logic. In Proceedings of Logics of Programs Workshop, volume 131 of Lecture Notes in Computer Science, pages 52–71.
Clarke, E., Emerson, E., and Sistla, A. (1986). Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263.
Emerson, E. and Halpern, J. (1986). Sometimes and not never revisited: On branching versus linear time temporal logic. Journal of the ACM, 33(1):151–178.
Emerson, E. A. and Jutla, C. S. (1988). The complexity of tree automata and logics of programs. In SFCS '88: Proceedings of the 29th Annual Symposium on Foundations of Computer Science, pages 328–337, Washington, DC, USA. IEEE Computer Society.
Emerson, E. A. and Jutla, C. S. (1999). The complexity of tree automata and logics of programs. SIAM J. Comput., 29:132–158.
Emerson, E. A. and Lei, C.-L. (1987). Modalities for model checking: Branching time logic strikes back. Science of Computer Programming, 8(3):275–306.
Emerson, E. A. and Sistla, A. P. (1984). Deciding branching time logic. In STOC '84: Proceedings of the sixteenth annual ACM symposium on Theory of computing, pages 14–24, New York, NY, USA. ACM.
Goranko, V. and Shkatov, D. (2009). Tableau-based decision procedures for logics of strategic ability in multiagent systems. ACM Trans. Comput. Logic, 11(1):3:1–3:51.
Goranko, V. and van Drimmelen, G. (2006a). Complete axiomatization and decidability of alternating-time temporal logic. Theor. Comput. Sci., 353(1-3):93–117.
Goranko, V. and van Drimmelen, G. (2006b). Complete axiomatization and decidability of alternating-time temporal logic. Theor. Comput. Sci., 353:93–117.
Immerman, N. (1981). Number of quantifiers is better than number of tape cells. Journal of Computer and System Sciences, 22(3):384–406.
Jamroga, W. and Bulling, N. (2011). Comparing variants of strategic ability. In Proceedings of the 22nd International Joint Conference on Artificial Intelligence (IJCAI), pages 252–257, Barcelona, Spain.
Jones, N. D. (1975). Space-bounded reducibility among combinatorial problems. Journal of Computer and System Sciences, 11(1):68–85.
Jones, N. D. (1977). Corrigendum: Space-bounded reducibility among combinatorial problems. J. Comput. Syst. Sci., 15(2):241.
Lichtenstein, O. and Pnueli, A. (1985). Checking that finite state concurrent programs satisfy their linear specification. In POPL '85: Proceedings of the 12th ACM SIGACT-SIGPLAN symposium on Principles of programming languages, pages 97–107, New York, NY, USA. ACM.
Maidl, M. (2000). The common fragment of CTL and LTL. In FOCS, pages 643–652. IEEE Computer Society.
Pnueli, A. (1977). The temporal logic of programs. In Proceedings of FOCS, pages 46–57.
Pnueli, A. and Rosner, R. (1989). On the synthesis of a reactive module. In POPL '89: Proceedings of the 16th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 179–190, New York, NY, USA. ACM.
Rabin, M. (1970). Weakly definable relations and special automata. Mathematical Logic and Foundations of Set Theory, pages 1–23.
Reynolds, M. (2001). An axiomatization of full computation tree logic. J. Symb. Log., 66(3):1011–1057.
Safra, S. (1988). On the complexity of omega-automata. In Proceedings of the 29th Annual Symposium on Foundations of Computer Science, pages 319–327, Washington, DC, USA. IEEE Computer Society.
Schewe, S. (2008). ATL* satisfiability is 2ExpTime-complete. In Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II (ICALP 2008), 6–13 July, Reykjavik, Iceland, volume 5126 of Lecture Notes in Computer Science, pages 373–385. Springer-Verlag.
Schnoebelen, P. (2003). The complexity of temporal model checking. In Advances in Modal Logics, Proceedings of AiML 2002. World Scientific.
Schobbens, P. Y. (2004). Alternating-time logic with imperfect recall. Electronic Notes in Theoretical Computer Science, 85(2):82–93.
Sistla, A. P. and Clarke, E. M. (1985). The complexity of propositional linear temporal logics. J. ACM, 32(3):733–749.
van Drimmelen, G. (2003). Satisfiability in Alternating-time Temporal Logic. In Proceedings of LICS 2003, pages 208–217. IEEE Computer Society Press.
Vardi, M. Y. and Stockmeyer, L. (1985). Improved upper and lower bounds for modal logics of programs. In Proceedings of the seventeenth annual ACM symposium on Theory of computing, STOC '85, pages 240–251, New York, NY, USA. ACM.
Vardi, M. Y. and Wolper, P. (1984). Automata theoretic techniques for modal logics of programs (extended abstract). In STOC '84: Proceedings of the sixteenth annual ACM symposium on Theory of computing, pages 446–456, New York, NY, USA. ACM.
Vardi, M. Y. and Wolper, P. (1986). An automata-theoretic approach to automatic program verification (preliminary report). In Proceedings of the First Annual IEEE Symposium on Logic in Computer Science (LICS 1986), pages 332–344. IEEE Computer Society Press.
Walther, D., Lutz, C., Wolter, F., and Wooldridge, M. (2006). ATL satisfiability is indeed EXPTIME-complete. Journal of Logic and Computation, 16(6):765–787.