T4 Introduction to the modelling and verification of, and reasoning about multi-agent systems
14th European Agent Systems Summer School

Transcript

  • 1. Modelling, Verification and Reasoning in Multi-Agent Systems
    Nils Bulling and Jürgen Dix
    EASSS 2012, Valencia, Spain, 28. May – 1. June 2012
    N. Bulling, J. Dix · Modelling, Verification and Reasoning in Multi-Agent Systems EASSS, 2012

    Time and Duration: Three times 105 minutes
    Dates: Thursday, 9:30-11:15, 15-16:45 and Friday 15-16:45
    Course type / Level: advanced
    Prerequisites: knowledge of propositional/predicate logic, basics of automata and complexity theory, some universal algebra.
    Course website: http://www.in.tu-clausthal.de/index.php?id=easss2012

    Course Overview
    The course is divided into 6 lectures of 50 minutes each:
    Lec. 1: Linear and Branching Time (D, 60 min). SL, FOL, temporal logics: LTL, CTL*, CTL
    Lec. 2: Cooperative Agents (D, 40 min). Strategic logics: ATL, ATL*, effect of memory
    Lec. 3: Comparing Semantics of ATL (B, 50 min). Semantic variants of ATL, tree unfolding
    Lec. 4: Reasoning and Examples (D, 50 min). Basic Modal Logic, axiomatizations of LTL, CTL, ATL viewed as modal logics
    Lec. 5: Complexity of Verification: Model Checking (B, 60 min). Model checking problem and complexity
    Lec. 6: Complexity of Reasoning: Satisfiability (B, 40 min). Satisfiability checking problem and complexity

    Reading Material I
    Alur, R., Henzinger, T. A., and Kupferman, O. (2002). Alternating-time Temporal Logic. Journal of the ACM, 49:672–713.
    Baier, C. and Katoen, J.-P. (2008). Principles of Model Checking. The MIT Press.
    Blackburn, P., de Rijke, M., and Venema, Y. (2001). Modal Logic. Number 53 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, Cambridge, UK.
  • 2. Reading Material II
    Bulling, N., Dix, J., and Jamroga, W. (2010). Model checking logics of strategic ability: Complexity. In Dastani, M., Hindriks, K. V., and Meyer, J.-J. C., editors, Specification and Verification of Multi-Agent Systems. Springer.
    Clarke, E., Grumberg, O., and Peled, D. (1999). Model Checking. MIT Press.
    Jürgen Dix and Michael Fisher (2012). Chapter 14: Specification and Verification of Multi-agent Systems. In G. Weiss (Ed.), Multiagent Systems, MIT Press.

    Reading Material III
    Jamroga, W. and Bulling, N. (2011). Comparing variants of strategic ability. In Proceedings of the 22nd International Joint Conference on Artificial Intelligence (IJCAI), pages 252–257, Barcelona, Spain.

    Outline
    1 Linear and Branching Time
    2 Cooperative Agents
    3 Comparing Semantics of ATL
    4 Reasoning and Examples
    5 Complexity of Verification: Model Checking
    6 Complexity of Reasoning: Satisfiability
    7 Appendix: Automata Theory
    8 References

    1. Linear and Branching Time
    Sentential Logic
    First-Order Logic
    Linear Time Logic
    Branching Time Logic
  • 3. Outline
    We recapitulate very briefly sentential (also called propositional) logic (SL) and first-order logic (FOL).
    As an example of FOL, we consider FO(≤), monadic FOL of linear order.
    Then we present LTL, a logic to deal with linear time (no branching). This logic is equivalent to FO(≤).
    CTL* is an extension of LTL to branching time.
    CTL is an interesting fragment of CTL*, incomparable with LTL, but with interesting computational properties.
    While LTL is defined over path formulae, CTL is defined over state formulae. CTL* is defined over both sorts of formulae.

    1.1 Sentential Logic

    Syntax of SL
    The propositional language is built upon
    Propositional symbols: p, q, r, ..., p1, p2, p3, ...
    Logical connectives: ¬ and ∨
    Grouping symbols: (, )
    Often we consider only a finite, nonempty set of propositional symbols and refer to it as Prop.
    Propositional language L_PL(Prop):
        ϕ ::= p | ¬ϕ | ϕ ∨ ϕ
    Macros:
        ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)
        ϕ → ψ := ¬ϕ ∨ ψ
        ϕ ↔ ψ := (ϕ → ψ) ∧ (ψ → ϕ)
        ⊤ := (p ∨ ¬p)
        ⊥ := ¬⊤

    Semantics (SL)
    A valuation (or truth assignment) v : Prop → {t, f} for a language L_PL(Prop) is a mapping from the set of propositional constants defined by Prop into the set {t, f}.
    Inductively, we define the notion of a formula ϕ being true or satisfied by v (denoted by v ⊨ ϕ):
        v ⊨ p iff v(p) = t and p ∈ Prop,
        v ⊨ ¬ϕ iff not v ⊨ ϕ,
        v ⊨ ϕ ∨ ψ iff v ⊨ ϕ or v ⊨ ψ
    For a set Σ ⊆ L_PL we write v ⊨ Σ iff v ⊨ ϕ for all ϕ ∈ Σ.
    We use v ⊭ ϕ instead of not v ⊨ ϕ.
  • 4. Truth Tables
    Truth tables are a conceptually simple way of working with PL (invented by Wittgenstein in 1918).

        p   q   ¬p   p∨q   p∧q   p→q   p↔q
        t   t   f    t     t     t     t
        f   t   t    t     f     t     f
        t   f   f    t     f     f     f
        f   f   t    f     f     t     t

    Two simple examples
    Consider the two formulae p ∧ ¬b and a ∨ ¬a. Are they satisfiable or valid? Are they both consistent? What if we add b?

    Fundamental Semantical Concepts
    If it is possible to find some valuation v that makes ϕ true, then we say ϕ is satisfiable.
    If v ⊨ ϕ for all valuations v then we say that ϕ is valid and write ⊨ ϕ. ϕ is also called tautology.
    A theory is a set of formulae: Φ ⊆ L_PL.
    A theory Φ is called consistent if there is a valuation v with v ⊨ Φ.
    A theory Φ is called complete if for each formula ϕ in the language, ϕ ∈ Φ or ¬ϕ ∈ Φ.

    Consequences
    Given a theory Φ we are interested in the following question: Which facts can be derived from Φ?
    We can distinguish two approaches:
    1 semantical consequences, and
    2 syntactical inference.
    Let Φ be a theory and ϕ be a formula. We say that ϕ is a semantical consequence of Φ if for all valuations v: v ⊨ Φ implies v ⊨ ϕ.

    1.2 First-Order Logic
  • 5. Predicate logic
    In addition to the propositional language (on which the modal language is built as well), the first-order language (FOL) contains variables, function-, and predicate symbols.
    Definition 1.1 (Variable)
    A variable is a symbol of the set Var. Typically, we denote variables by x0, x1, ....
    Example 1.2
        ϕ := ∃x0 ∀x1 (P0^2(f0^1(x0), x1) ∧ P2^1(f1^0))

    Functions
    Definition 1.3 (Function Symbols)
    Let k ∈ N0. The set of k-ary function symbols is denoted by Func^k. Elements of Func^k are given by f1^k, f2^k, .... Such a symbol takes k arguments. The set of all function symbols is defined as
        Func := ⋃_k Func^k
    A 0-ary function symbol is called constant.

    Predicates
    Definition 1.4 (Predicate Symbols)
    Let k ∈ N0. The set of k-ary predicate symbols (or relation symbols) is given by Pred^k. Elements of Pred^k are denoted by P1^k, P2^k, .... Such a symbol takes k arguments. The set of predicate symbols is defined as
        Pred := ⋃_k Pred^k
    A 0-ary predicate symbol is called (atomic) proposition.

    Syntax
    The first-order language with equality L_FOL is built from terms and formulae.
    In the following we fix a set of variables, function-, and predicate symbols.
    Definition 1.5 (Term)
    A term over Func and Var is inductively defined as follows:
    1 Each variable from Var is a term.
    2 If t1, ..., tk are terms then f^k(t1, ..., tk) is a term as well, where f^k is a k-ary function symbol from Func^k.
  • 6. Definition 1.6 (Language)
    The first-order language with equality L_FOL(Var, Func, Pred) is defined by the following grammar:
        ϕ ::= P^k(t1, ..., tk) | ¬ϕ | ϕ ∨ ϕ | ∃x(ϕ) | t = r
    where P^k ∈ Pred^k is a k-ary predicate symbol and t1, ..., tk and t, r are terms over Var and Func.

    Definition 1.7 (Macros)
    We define the following syntactic constructs as macros (P ∈ Pred^0):
        ⊥ := P ∧ ¬P
        ⊤ := ¬⊥
        ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)
        ϕ → ψ := ¬ϕ ∨ ψ
        ϕ ↔ ψ := (ϕ → ψ) ∧ (ψ → ϕ)
        ∀x(ϕ) := ¬∃x(¬ϕ)

    Notation
    We will often leave out the index k in f_i^k and P_i^k indicating the arity and just write f_i and P_i.
    Variables are also denoted by u, v, w, ...
    Function symbols are also denoted by f, g, h, ...
    Constants are also denoted by a, b, c, ..., c0, c1, ...
    Predicate symbols are also denoted by P, Q, R, ...
    We will use our standard notation p for 0-ary predicate symbols and also call them (atomic) propositions.
    Attention
    In this course, we only need unary predicates (monadic logic) and we do not need any function symbols at all. So our terms are exactly the variables.

    Semantics
    Definition 1.8 (Model, Structure)
    A model or structure for FOL over Var, Func and Pred is given by M = (U, I) where
    1 U is a non-empty set of elements, called universe or domain and
    2 I is called interpretation. It assigns to each function symbol f^k ∈ Func^k a function I(f^k) : U^k → U, to each predicate symbol P^k ∈ Pred^k a relation I(P^k) ⊆ U^k; and to each variable x ∈ Var an element I(x) ∈ U.
    We write:
    1 M(P^k) for I(P^k),
    2 M(f^k) for I(f^k), and
    3 M(x) for I(x).
  • 7. Note that a structure comes with an interpretation I, which is based on functions and predicate symbols and assignments of the variables. But these are also defined in the notion of a language. Thus we assume from now on that the structures are compatible with the underlying language: The arities of the functions and predicates must correspond to the associated symbols.
    Example 1.9
        ϕ := Q(x) ∨ ∀z(P(x, g(z))) ∨ ∃x(∀y(P(f(x), y) ∧ Q(a)))
    U = R
    I(a) : {∅} → R, ∅ ↦ π constant functions,
    I(f) = sin : R → R and I(g) = cos : R → R,
    I(P) = {(r, s) ∈ R² : r ≤ s} and I(Q) = [3, ∞) ⊆ R,
    I(x) = π/2, I(y) = 1 and I(z) = 3.

    Definition 1.10 (Value of a Term)
    Let t be a term and M = (U, I) be a model. We define inductively the value of t wrt M, written as M(t), as follows:
        M(x) := I(x) for a variable t = x,
        M(t) := I(f^k)(M(t1), ..., M(tk)) if t = f^k(t1, ..., tk).

    Definition 1.11 (Semantics)
    Let M = (U, I) be a model and ϕ ∈ L_FOL. ϕ is said to be true in M, written as M ⊨ ϕ, if the following holds:
        M ⊨ P^k(t1, ..., tk) iff (M(t1), ..., M(tk)) ∈ M(P^k)
        M ⊨ ¬ϕ iff not M ⊨ ϕ
        M ⊨ ϕ ∨ ψ iff M ⊨ ϕ or M ⊨ ψ
        M ⊨ ∃x(ϕ) iff M[x/a] ⊨ ϕ for some a ∈ U, where M[x/a] denotes the model equal to M but M[x/a](x) = a.
        M ⊨ t = r iff M(t) = M(r)
    Given a set Σ ⊆ L_FOL we write M ⊨ Σ iff M ⊨ ϕ for all ϕ ∈ Σ.

    Example: FO(≤)
    Monadic first-order logic of order, denoted by FO(≤), is first-order logic with the only binary symbol ≤ (except equality, which is also allowed) and, additionally, any number of unary predicates. The theory assumes that ≤ is a linear order, but nothing else.
    A typical model is given by
        N = ⟨N, ≤^N, P1^N, P2^N, ..., Pn^N⟩
    where ≤^N is the usual ordering on the natural numbers and Pi^N ⊆ N.
    The sets Pi^N determine the timepoints where the property Pi holds.
  • 8. What can we express in FO(≤)?
    Can we find formulae that express that a property
    r is true infinitely often?
    r is true at all even timepoints and ¬r at all odd timepoints?
    whenever r is true, then s is true in the next timepoint?

    1.3 Linear Time Logic

    Reasoning about Time
    Temporal logic was originally developed in order to represent tense in natural language.
    Within Computer Science, it has achieved a significant role in the formal specification and verification of concurrent and distributed systems.
    Much of this popularity has been achieved because a number of useful concepts can be formally, and concisely, specified using temporal logics, e.g.
    safety properties
    liveness properties
    fairness properties

    The accessibility relation represents time.
    Time: linear vs. branching.
    Reasoning about a particular computation of a system.
    Models: paths (e.g. obtained from Kripke structures)
  • 9. Typical temporal operators
    Xϕ: ϕ is true in the neXt moment in time
    Gϕ: ϕ is true Globally: in all future moments
    Fϕ: ϕ is true in Finally: eventually (in the future)
    ϕ U ψ: ϕ is true Until at least the moment when ψ becomes true (and this eventually happens)
        G((¬passport ∨ ¬ticket) → X¬board_flight)
        send(msg, rcvr) → F receive(msg, rcvr)

    Safety Properties
    “something bad will not happen”
    “something good will always hold”
    Typical examples:
        G¬bankrupt
        G fuelOK
        and so on ...
    Usually: G¬....

    Liveness Properties
    “something good will happen”
    Typical examples:
        F rich
        power_on → F online
        and so on ...
    Usually: F....

    Fairness Properties
    Combinations of safety and liveness possible:
        FG¬dead
        G(request_taxi → F arrive_taxi) (fairness)
    Strong fairness
    “If something is requested then it will be allocated”:
        G(attempt → F success),
        GF attempt → GF success.
    Scheduling processes, responding to messages, etc.
    No process is blocked forever, etc.
  • 10. Definition 1.12 (Language L_LTL [Pnueli, 1977])
    The language L_LTL(Prop) is given by all formulae generated by the following grammar, where p ∈ Prop is a proposition:
        ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ϕ U ϕ | Xϕ.
    The additional operators F (eventually in the future) and G (always from now on) can be defined as macros:
        Fϕ ≡ ⊤ U ϕ and Gϕ ≡ ¬F¬ϕ
    The standard Boolean connectives ⊤, ⊥, ∧, →, and ↔ are defined in their usual way as macros.

    Models of LTL
    The semantics is given over paths, which are infinite sequences of states from Q, and a standard labelling function π : Q → P(Prop) that determines which propositions are true at which states.
    Definition 1.13 (Path λ = q1 q2 q3 ...)
    A path λ over a set of states Q is an infinite sequence from Q^ω. We also identify it with a mapping N0 → Q.
    λ[i] denotes the ith position on path λ (starting from i = 0) and
    λ[i, ∞] denotes the subpath of λ starting from i (λ[i, ∞] = λ[i]λ[i + 1] ...).

    Definition 1.14 (Semantics of LTL)
    Let λ be a path and π be a labelling function over Q. The semantics of LTL, ⊨_LTL, is defined as follows:
        λ, π ⊨_LTL p iff p ∈ π(λ[0]) and p ∈ Prop;
        λ, π ⊨_LTL ¬ϕ iff not λ, π ⊨_LTL ϕ (we will also write λ, π ⊭_LTL ϕ);
        λ, π ⊨_LTL ϕ ∨ ψ iff λ, π ⊨_LTL ϕ or λ, π ⊨_LTL ψ;
        λ, π ⊨_LTL Xϕ iff λ[1, ∞], π ⊨_LTL ϕ; and
        λ, π ⊨_LTL ϕ U ψ iff there is an i ∈ N0 such that λ[i, ∞], π ⊨_LTL ψ and λ[j, ∞], π ⊨_LTL ϕ for all 0 ≤ j < i.

    Other temporal operators
    λ = q1 q2 q3 ... ∈ Q^ω
        λ, π ⊨ Fϕ iff λ[i, ∞], π ⊨ ϕ for some i ∈ N0;
        λ, π ⊨ Gϕ iff λ[i, ∞], π ⊨ ϕ for all i ∈ N0;
    Exercise
    Prove that the semantics does indeed match the definitions Fϕ ≡ ⊤ U ϕ and Gϕ ≡ ¬F¬ϕ.
  • 11. [Figure: a path λ through the states q0, q1, q2, labelled pos0, pos1, pos2]
        λ, π ⊨ F pos1
        λ′ = λ[1, ∞], π ⊨ pos1
        pos1 ∈ π(λ′[0])

    [Figure: the same path λ]
        λ, π ⊨ GF pos1 iff
        λ[0, ∞], π ⊨ F pos1 and
        λ[1, ∞], π ⊨ F pos1 and
        λ[2, ∞], π ⊨ F pos1 and
        ...

    Representation of paths
    Paths are infinite entities.
    They are theoretical constructs.
    We need a finite representation!
    Such a finite representation is given by a transition system or a pointed Kripke structure.

    Computational vs. behavioral structure
    [Figure: the system (two robots, 1 and 2, and a carriage with positions pos0, pos1, pos2) next to its computational structure (states q0, q1, q2 labelled pos0, pos1, pos2)]
  • 12. Computational structure and behavioral structure
    [Figure: the computational structure (states q0, q1, q2 labelled pos0, pos1, pos2) next to its behavioral structure, a tree rooted in q0]
    Important!
    The behavioral structure is usually infinite! Here, it is an infinite tree. We say it is the q0-unfolding of the model.

    Some Exercises
    Example 1.15
    Formalise the following as LTL formulae:
    1 r should never occur.
    2 r should occur exactly once.
    3 At least once r should directly be followed by s.
    4 r is true at exactly all even states.
    5 r is true at each even state (the odd states do not matter).
    Does r ∧ G(r ∧ XXr) work?

    Relation to first-order logic (1)
    1 The monadic first-order theory of (linear) order, FO(≤) (see Slide 29) is equivalent to LTL.
    2 There is a translation from sentences of LTL to sentences of FO(≤) and vice versa, such that the LTL sentence is true in λ, π iff its translation is true in the associated first-order structure.

    Relation to first-order logic (2)
    More precisely: an infinite path λ is described as a first-order structure with domain N and predicates P_p for p ∈ Prop. The predicates stand for the set of timepoints where p is true. So each path λ can be represented as a structure N_λ = ⟨N, ≤^N, P1^N, P2^N, ..., Pn^N⟩.
    Then each LTL formula φ translates to a first-order formula α_φ(x) with one free variable s.t.
        φ is true in λ[n, ∞] iff α_φ(n) is true in N_λ.
    And conversely: for each first-order formula with a free variable there is a corresponding LTL formula s.t. the same condition holds.
  • 13. The formulae GFp, FGp
    1 What are their counterparts in FO(≤)?
    2 We will see later that FGp does not belong to CTL, but to CTL*. It is not even equivalent to a CTL formula.
    3 However, GFp is equivalent to a CTL formula: AGAFp

    Some Remarks
    1 A particular logic LTL is determined by the number n of propositional variables. Strictly speaking, this number should be a parameter of the logic. This also applies to the logics CTL and ATL.
    2 While both F and G can be expressed using U, the converse is not true: U can not be expressed by F and G.

    Satisfiability of LTL formulae
    A formula is satisfiable, if there is a path where it is true. Can we restrict the structure of such paths? I.e. can we restrict to simple paths, for example paths that are periodic?
    If this is the case, then we might be able to construct counterexamples more easily, as we need only check very specific paths.
    It would be also useful to know how large the period is and within which initial segment of the path it starts, depending on the length of the formula ϕ.

    Satisfiability of LTL formulae (cont.)
    Theorem 1.16 (Periodic model theorem [Sistla and Clarke, 1985])
    A formula ϕ ∈ L_LTL is satisfiable iff there is a path λ which is ultimately periodic, and the period starts within 2^(1+|ϕ|) steps and has a length which is ≤ 4^(1+|ϕ|).
    [Figure labels: 2^O(n), 4^O(n)]
  • 14. 1.4 Branching Time Logic

    Branching Time
    CTL, CTL*: Computation Tree Logics.
    Reasoning about possible computations of a system.
    Time is branching: We want all possible computations included!
    Models: states (time points, situations), transitions (changes). (Kripke models).
    Paths: courses of action, computations. (LTL)

    Path quantifiers: A (for all paths), E (there is a path);
    Temporal operators: X (nexttime), F (finally), G (globally) and U (until);
    CTL: each temporal operator must be immediately preceded by exactly one path quantifier;
    CTL*: no syntactic restrictions.

    Example 1.17 (Branching Time)
    [Figure: Kripke structure with states q0, q1, q2, q3, q4, some labelled p and some labelled q]
    In this structure, whenever p holds at some timepoint, then there is a path where q holds in the next step and there is (another) path where ¬q holds in the next step. And this holds along all paths (there are three infinite paths).
  • 15. Definition 1.18 (L_CTL* [Emerson and Halpern, 1986])
    The language L_CTL*(Prop) is given by all formulae generated by the following grammar:
        ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | Eγ
    where
        γ ::= ϕ | ¬γ | γ ∨ γ | γ U γ | Xγ
    and p ∈ Prop. Formulae ϕ (resp. γ) are called state (resp. path) formulae.
    We use the same abbreviations as for L_LTL:
        λ, π ⊨ Fϕ iff λ[i, ∞], π ⊨ ϕ for some i ∈ N0;
        λ, π ⊨ Gϕ iff λ[i, ∞], π ⊨ ϕ for all i ∈ N0;

    The L_CTL*-formula EFϕ, for instance, ensures that there is at least one path on which ϕ holds at some (future) time moment.
    The formula AFGϕ states that ϕ holds almost everywhere. More precisely, on all paths it always holds from some future time moment.
    L_CTL*-formulae do not only talk about temporal patterns on a given path, they also quantify (existentially or universally) over such paths.
    The logic is complex! For practical purposes, a fragment with better computational properties is often sufficient.

    Definition 1.19 (L_CTL [Clarke and Emerson, 1981])
    The language L_CTL(Prop) is given by all formulae generated by the following grammar, where p ∈ Prop is a proposition:
        ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | E(ϕ U ϕ) | EXϕ | EGϕ.
    We introduce the following macros:
        Fϕ ≡ ⊤ U ϕ,
        AXϕ ≡ ¬EX¬ϕ,
        AGϕ ≡ ¬EF¬ϕ, and
        Aϕ U ψ ≡ ... Exercise!

    For example, AGEXp is a L_CTL-formula whereas AGFp is not.
    Example 1.20 (CTL* or CTL?)
    Are the following CTL* or CTL formulae? What do they express?
    1 EFAXshutdown
    2 EFXshutdown
    3 AGFrain
    4 AGAFrain (Is it different from (3)?)
    5 EFGbroken
    6 AG(p → (EXq ∧ EX¬q))
  • 16. The precise definition of Kripke structures is given in Section 4. To understand the following definitions it suffices to note that:
    Given a set of states Q (each is a propositional model), a Kripke model M is simply a tuple (Q, R) where R ⊆ Q × Q is a binary relation.
    q1 R q2 (also written (q1, q2) ∈ R or R(q1, q2)) means that state q2 is reachable from state q1 (by executing certain actions).
    The relation R is serial: for all q there is a q′ such that q R q′. This ensures that our paths are infinite.
    Given a state q in a Kripke model, by Λ(q) we mean the set of all paths determined by the relation R starting in q: q, q1, q2, ..., qi, ... where q R q1, ..., qi R qi+1, ...

    Definition 1.21 (Semantics ⊨_CTL*)
    Let M be a Kripke model, q ∈ Q and λ ∈ Λ. The semantics of L_CTL*- and L_CTL-formulae is given by the satisfaction relation ⊨_CTL* for state formulae by
        M, q ⊨_CTL* p iff λ[0] ∈ π(p) and p ∈ Prop;
        M, q ⊨_CTL* ¬ϕ iff M, q ⊭_CTL* ϕ;
        M, q ⊨_CTL* ϕ ∨ ψ iff M, q ⊨_CTL* ϕ or M, q ⊨_CTL* ψ;
        M, q ⊨_CTL* Eϕ iff there is a path λ ∈ Λ(q) such that M, λ ⊨_CTL* ϕ;
    and for path formulae by:
        M, λ ⊨_CTL* ϕ iff M, λ[0] ⊨_CTL* ϕ;
        M, λ ⊨_CTL* ¬γ iff M, λ ⊭_CTL* γ;
        M, λ ⊨_CTL* γ ∨ δ iff M, λ ⊨_CTL* γ or M, λ ⊨_CTL* δ;
        M, λ ⊨_CTL* Xγ iff λ[1, ∞], π ⊨_CTL* γ; and
        M, λ ⊨_CTL* γ U δ iff there is an i ∈ N0 such that M, λ[i, ∞] ⊨_CTL* δ and M, λ[j, ∞] ⊨_CTL* γ for all 0 ≤ j < i.
    Is this complicated semantics over paths necessary for CTL?

    State-based semantics for CTL
        M, q ⊨_CTL p iff q ∈ π(p);
        M, q ⊨_CTL ¬ϕ iff M, q ⊭_CTL ϕ;
        M, q ⊨_CTL ϕ ∨ ψ iff M, q ⊨_CTL ϕ or M, q ⊨_CTL ψ;
        M, q ⊨_CTL EXϕ iff there is a path λ ∈ Λ(q) such that M, λ[1] ⊨_CTL ϕ;
        M, q ⊨_CTL EGϕ iff there is a path λ ∈ Λ(q) such that M, λ[i] ⊨_CTL ϕ for every i ≥ 0;
        M, q ⊨_CTL Eϕ U ψ iff there is a path λ ∈ Λ(q) such that M, λ[i] ⊨_CTL ψ for some i ≥ 0, and M, λ[j] ⊨_CTL ϕ for all 0 ≤ j < i.
  • 17. LTL as subset of CTL*
    LTL is interpreted over infinite chains (infinite words), but not over (serial) Kripke structures (which are branching).
    To consider LTL as a subset of CTL*, one can just add the quantifier A in front of a LTL formula and use the semantics of CTL*. For infinite chains, this semantics coincides with the LTL semantics.
    The theorem of Clarke and Draghicescu gives a nice characterization of those CTL* formulae that are equivalent to LTL formulae.
    Given a CTL* formula ϕ, we construct ϕ′ by just forgetting all path operators. Then ϕ is equivalent to a LTL formula iff ϕ and Aϕ′ are equivalent under the semantics of CTL*.

    Application of Clarke and Draghicescu
    We consider the LTL formula GFp. Viewed as a CTL* formula it becomes AGFp. But this is equivalent (in CTL*) to AGAFp, a CTL formula.
    Now we consider the CTL formula EGEFp. It is not equivalent to any LTL formula. This is because EGEFp and AGFp are not equivalent in CTL*:
    [Figure: Kripke structure with states q0, q1, q2, one of them labelled p]
    The first formula holds, the second does not.

    LTL as subset of CTL* (2)
    How do LTL and CTL compare?
    The CTL formula AG(p → (EXq ∧ EX¬q)) describes Kripke structures of the form in Example 1.17. No LTL formula can describe this class of Kripke structures.
    The LTL formula AF(p ∧ Xp) can not be expressed by a CTL formula. Check why neither AF(p ∧ AXp) nor AF(p ∧ EXp) are equivalent. Similarly, the LTL formula AFGp can not be expressed by a CTL formula.
    There is a syntactic characterisation of formulae expressible in both CTL and LTL. Model checking in this class can be done more efficiently. We refer to [Maidl, 2000].

    Example 1.22 (Robots and Carriage)
    Two robots push a carriage from opposite sides.
    Carriage can move clockwise or anticlockwise, or it can remain in the same place.
    3 positions of the carriage.
    We label the states with propositions pos0, pos1, pos2, respectively, to allow for referring to the current position of the carriage in the object language.
    Figure 1: Two robots and a carriage.
  • 18. [Figure 2: Two robots and a carriage: A schematic view (left) and a transition system M0 that models the scenario (right). States q0, q1, q2 are labelled pos0, pos1, pos2.]

    M0, q0 |=CTL EFpos1: In state q0, there is a path such that the carriage will reach position 1 sometime in the future.
    The same is not true for all paths, so we also have: M0, q0 ⊭CTL AFpos1.
    It becomes more interesting if abilities of agents are considered: ATL.

    Example: Rocket and Cargo
    A rocket and a cargo.
    The rocket can be moved between London (proposition roL) and Paris (proposition roP).
    The cargo can be in London (caL), Paris (caP), or inside the rocket (caR).
    The rocket can be moved only if it has its fuel tank full (fuelOK).
    When it moves, it consumes fuel, and nofuel holds after each flight.

    Example: Rocket and Cargo
    [Figure: transition system with states 1 to 12, each labelled with roL or roP, nofuel or fuelOK, and caL, caR or caP.]
    roL → E♦roP
    AG(roL ∨ roP)
    roL → AX(roP → nofuel)
  • 19. Example: Rocket and Cargo
    [Figure: transition system with states 1 to 12, each labelled with roL or roP, nofuel or fuelOK, and caL, caR or caP.]
    E♦caP

    In our logics, we assumed a serial accessibility relation: no deadlocks are possible. One can also allow states with no outgoing transitions.
    In that case, in the semantical definition of E on Slide 65 one has to replace “there is a path” by “there is an infinite path or one which can not be extended”. Similar modifications are needed in the definition of CTL.
    One can also add to each state with no outgoing transitions a special transition leading to a new state that loops into itself.
    How to express that there is no possibility of a deadlock?
    AGX ( CTL∗ )
    AGEX ( CTL)

    A Venn diagram showing typical formulae in the respective areas.

    2. Cooperative Agents
    2 Cooperative Agents
      Alternating-Time Temporal Logics
      Imperfect Information
  • 20. Outline
    We introduce ATL, Alternating Time Temporal Logic: a blend of temporal logic and game theory.
    Like CTL, ATL comes in two variants: ATL and ATL∗.
    Appropriate models for ATL are concurrent game structures.
    We introduce four variants of ATL along two different axes: perfect vs imperfect information, and perfect vs imperfect recall.

    2.1 Alternating-Time Temporal Logics

    The picture so far.
    What kind of logics did we introduce so far?
      Linear-time temporal logic (LTL)
      Branching-time logics (CTL and CTL∗)
    In the temporal case each transition modelled a time step. We considered only one single “actor”.
    Now: Modelling abilities of multiple agents: CTL can be viewed as the single actor restriction of ATL.
    Agents can execute actions and cooperate. Action profiles determine the behaviour of the system.

    Alternating-time Temporal Logics
    ATL, ATL∗ [Alur et al. 1997]
    Temporal logic meets game theory
    Modeling abilities of multiple agents
    Main idea: cooperation modalities
    A ϕ: coalition A has a collective strategy to enforce ϕ
    Enforcement is understood in the game-theoretical sense: There is a winning strategy.
  • 21. The syntax is given as for the computation-tree logics.
    Definition 2.1 (Language LATL∗ [Alur et al., 1997])
    The language LATL∗ is given by all formulae generated by the following grammar:
    ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | A γ where γ ::= ϕ | ¬γ | γ ∨ γ | γ U γ | γ,
    A ⊆ Agt, and p ∈ Prop. Formulae ϕ (resp. γ) are called state (resp. path) formulae.
    Note that we are using now the symbol “ ” instead of “X” as it is more customary when dealing with ATL.

    The language LATL restricts LATL∗ in the same way as LCTL restricts LCTL∗: Each temporal operator must be directly preceded by a cooperation modality.
    Definition 2.2 (Language LATL [Alur et al., 1997])
    The language LATL is given by all formulae generated by the following grammar:
    ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | A ϕ | A ϕ | A ϕ U ϕ
    where A ⊆ Agt and p ∈ Prop.
    Note that we are using now the symbol “ ” instead of “G” as it is more customary when dealing with ATL.

    The language LATL+ restricts LATL∗ but extends LATL. It allows for Boolean combinations of path formulae.
    Definition 2.3 (Language LATL+)
    The language LATL+ is given by all formulae generated by the following grammar:
    ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | A γ, γ ::= ¬γ | γ ∨ γ | ϕ | ϕ U ϕ.
    where A ⊆ Agt and p ∈ Prop.

    ATL Models: Concurrent Game Structures
    Agents, actions, transitions, atomic propositions
    Atomic propositions + interpretation
    Actions are abstract
    [Figure: the carriage scenario as a concurrent game structure with states q0 (pos0), q1 (pos1), q2 (pos2) and transitions labelled with pairs of the actions wait and push.]
  • 22. Definition 2.4 (Concurrent Game Structure)
    A concurrent game structure is a tuple M = (Agt, Q, π, Act, d, o), where:
      Agt: a finite set of all agents;
      Q: a set of states;
      π : Q → P(Prop): a valuation of propositions;
      Act: a finite set of (atomic) actions;
      d : Agt × Q → P(Act) defines actions available to an agent in a state;
      o: a deterministic transition function that assigns outcome states q = o(q, α1, . . . , αk) to states and tuples of actions.

    Recall and information
    A strategy of agent a is a conditional plan that specifies what a is going to do in each situation.
    Two types of “situations”: Decisions are based
      on the current state only (memoryless strategies): sa : Q → Act.
      on the whole history of events that have happened (perfect recall strategies): sa : Q+ → Act.
    We also distinguish between agents with
      perfect information (all states are distinguishable).
      imperfect information (some states are indistinguishable).

    Perfect Information Strategies
    Definition 2.5 (IR- and Ir-strategies)
    A perfect information perfect recall strategy for agent a (IR-strategy for short) is a function sa : Q+ → Act such that sa(q0 q1 . . . qn) ∈ da(qn). The set of such strategies is denoted by ΣIR_a.
    A perfect information memoryless strategy for agent a (Ir-strategy for short) is given by a function sa : Q → Act where sa(q) ∈ da(q). The set of such strategies is denoted by ΣIr_a.
    i (resp. I) stands for imperfect (resp. perfect) information and r (resp. R) for imperfect (resp. perfect) recall. [Schobbens, 2004]

    Some Notation
    The following holds for all kinds of strategies:
    A collective strategy for a group of agents A = {a1, . . . , ar} ⊆ Agt is a set sA = {sa | a ∈ A} of strategies, one per agent from A.
    By sA|a, we denote agent a's part of the collective strategy sA, sA|a = sA ∩ Σa.
    s∅ = ∅ denotes the strategy of the empty coalition.
    ΣA denotes the set of all collective strategies of A.
    Σ = ΣAgt
  • 23. Outcome of a strategy
    out(q, sA) = set of all paths that may occur when agents A execute sA from state q onward.
    Definition 2.6 (Outcome)
    λ = q0 q1 . . . ∈ out(q, sA) ⊆ Qω iff
      1. q0 = q
      2. for each i = 1, . . . there is a tuple (α1^(i−1), . . . , αk^(i−1)) ∈ Act^k such that
         αa^(i−1) ∈ da(qi−1) for each a ∈ Agt,
         αa^(i−1) = sA|a(q0 q1 . . . qi−1) for each a ∈ A, and
         o(qi−1, α1^(i−1), . . . , αk^(i−1)) = qi.
    For an Ir-strategy replace “sA|a(q0 q1 . . . qi−1)” by “sA|a(qi−1)”.

    Definition 2.7 (Perfect information semantics)
    M, q |=Ix p iff p is in π(q);
    M, q |=Ix ϕ ∨ ψ iff M, q |=Ix ϕ or M, q |=Ix ψ;
    M, q |=Ix A Φ iff there is a collective Ix-strategy sA such that, for each path λ ∈ out(q, sA), we have M, λ |=Ix Φ.
    M, λ |=Ix ϕ iff M, λ[1, ∞] |=Ix ϕ;
    M, λ |=Ix ♦ϕ iff M, λ[i, ∞] |=Ix ϕ for some i ≥ 0;
    M, λ |=Ix ϕ iff M, λ[i, ∞] |=Ix ϕ for all i ≥ 0;
    M, λ |=Ix ϕ U ψ iff M, λ[i, ∞] |=Ix ψ for some i ≥ 0, and M, λ[j, ∞] |=Ix ϕ for all 0 ≤ j ≤ i.
    Note that temporal formulae and the Boolean connectives are handled as before.

    Definition 2.8 (ATLIx, ATL+Ix, ATL∗Ix, ATL, ATL∗)
    We define ATLIx, ATL+Ix, and ATL∗Ix as the logics (LATL, |=Ix), (LATL+, |=Ix) and (LATL∗, |=Ix) where x ∈ {r, R}, respectively.
    Moreover, we use ATL (resp. ATL∗) as an abbreviation for ATLIR (resp. ATL∗IR).
    Intuitively, a logic is given by the set of all valid formulae.

    Example: Robots and Carriage
    [Figure: the carriage concurrent game structure with states q0 (pos0), q1 (pos1), q2 (pos2) and transitions labelled with pairs of the actions wait and push.]
    pos0 → 1 ¬pos1
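An added example (not from the slides): Definitions 2.4 to 2.7 made executable for the robots-and-carriage structure. Coalition ability is computed with the standard fixpoint over a one-step "can force" operator and cross-checked against brute-force enumeration of memoryless (Ir) strategies. The push directions (robot 1 clockwise, robot 2 anticlockwise, equal forces cancel) and all function names are assumptions, since the figure is not recoverable from this transcript.

```python
from itertools import product

# Concurrent game structure (Definition 2.4) for the two robots and the carriage.
# ASSUMPTION (the figure is not recoverable): robot 1 pushes clockwise
# (q0 -> q1 -> q2 -> q0), robot 2 anticlockwise, and equal forces cancel out.
AGENTS = (1, 2)
STATES = ("q0", "q1", "q2")          # state qi carries proposition pos_i
ACTIONS = ("wait", "push")
POS1 = {"q1"}
NOT_POS1 = set(STATES) - POS1
COALITIONS = [set(), {1}, {2}, {1, 2}]

def d(agent, q):
    """Actions available to `agent` in state `q` (both, everywhere)."""
    return ACTIONS

def o(q, profile):
    """Deterministic transition function; `profile` maps agent -> action."""
    step = (profile[1] == "push") - (profile[2] == "push")
    return STATES[(STATES.index(q) + step) % len(STATES)]

def joint_actions(agents, q):
    """All action choices of `agents` in `q`, as dicts agent -> action."""
    agents = sorted(agents)
    for combo in product(*(d(a, q) for a in agents)):
        yield dict(zip(agents, combo))

def others(coalition):
    return [a for a in AGENTS if a not in coalition]

def pre(coalition, target):
    """States where the coalition can force the next state into `target`."""
    return {q for q in STATES
            if any(all(o(q, {**mine, **theirs}) in target
                       for theirs in joint_actions(others(coalition), q))
                   for mine in joint_actions(coalition, q))}

def can_always(coalition, good):
    """Coalition can keep the system inside `good` forever (greatest fixpoint)."""
    z = set(good)
    while True:
        nxt = good & pre(coalition, z)
        if nxt == z:
            return z
        z = nxt

def can_eventually(coalition, goal):
    """Coalition can force a visit to `goal` (least fixpoint)."""
    z = set()
    while True:
        nxt = goal | pre(coalition, z)
        if nxt == z:
            return z
        z = nxt

def memoryless_strategies(coalition):
    """Every collective Ir-strategy: one map Q -> Act per coalition member."""
    members = sorted(coalition)
    per_agent = [[dict(zip(STATES, choice))
                  for choice in product(*(d(a, q) for q in STATES))]
                 for a in members]
    for combo in product(*per_agent):
        yield dict(zip(members, combo))

def prefixes(q, strategy, coalition, steps):
    """Outcome prefixes (Definition 2.6) with `steps` transitions from `q`."""
    if steps == 0:
        yield (q,)
        return
    mine = {a: strategy[a][q] for a in coalition}
    succ = {o(q, {**mine, **theirs})
            for theirs in joint_actions(others(coalition), q)}
    for nxt in succ:
        for rest in prefixes(nxt, strategy, coalition, steps - 1):
            yield (q,) + rest

def brute_force(coalition, check):
    """States where some Ir-strategy makes `check` hold on every outcome prefix."""
    # |Q| transitions suffice: any longer counterexample revisits a state.
    n = len(STATES)
    return {q for q in STATES
            if any(all(check(p) for p in prefixes(q, s, coalition, n))
                   for s in memoryless_strategies(coalition))}

def methods_agree():
    """Fixpoint and Ir-strategy enumeration give the same answers (cf. Theorem 2.9)."""
    return all(
        can_always(c, NOT_POS1) == brute_force(c, lambda p: set(p) <= NOT_POS1)
        and can_eventually(c, POS1) == brute_force(c, lambda p: bool(set(p) & POS1))
        for c in COALITIONS)

if __name__ == "__main__":
    print("robot 1 can avoid pos1 forever from:", sorted(can_always({1}, NOT_POS1)))
    print("robot 1 alone can force pos1 from:  ", sorted(can_eventually({1}, POS1)))
    print("both robots can force pos1 from:    ", sorted(can_eventually({1, 2}, POS1)))
    print("methods agree:", methods_agree())
```

The grand coalition and the empty coalition play the roles of the CTL path quantifiers E and A, so the last two ability checks reproduce the earlier CTL observations about EFpos1 and AFpos1 in q0.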
  • 24. Theorem 2.9
    For LATL, the perfect recall semantics is equivalent to the memoryless semantics under perfect information, i.e., M, q |=IR ϕ iff M, q |=Ir ϕ. Both semantics are different for LATL∗. That is
    ATL = ATLIr = ATLIR.
    Proof idea. The first “non-looping part” of each path has to satisfy a formula.
    The property has been first observed in [Schobbens, 2004] but it follows from [Alur et al., 2002] in a straightforward way.

    Example: Robots and Carriage (2)
    [Figure: the carriage concurrent game structure extended with a state qh labelled halt, reached by halt actions.]
    Exercise
    What about 1, 2 (♦pos1 ∧ ♦halt)?
    M, q0 |= IR 1, 2 (♦pos1 ∧ ♦halt)
    M, q0 |= Ir 1, 2 (♦pos1 ∧ ♦halt)

    2.2 Imperfect Information

    Imperfect information
    How can we reason about agents/extensive games with imperfect information?
    We combine ATL∗ and epistemic logic.
    We extend CGSs with indistinguishability relations ∼a ⊆ Q × Q, one per agent. The relations are assumed to be equivalence relations.
    We interpret A epistemically ( |=iR and |=ir )
  • 25. Definition 2.10 (CEGS)
    A concurrent epistemic game structure (CEGS) is a tuple
    M = (Agt, Q, Π, π, Act, d, o, {∼a | a ∈ Agt})
    with
      (Agt, Q, Π, π, Act, d, o) a CGS and
      ∼a ⊆ Q × Q equivalence relations (indistinguishability relations).

    Example: Robots and Carriage
    [Figure: the carriage scenario (schematic view and concurrent game structure with states q0, q1, q2).]
    What about Agt pos1 in q0?
    M, q0 |= Ir Agt pos1
    M, q0 |= ir Agt pos1

    Problem:
    Strategic and epistemic abilities are not independent!
    A Φ = A can enforce Φ
    It should at least mean that A are able to identify and execute the right strategy!
    Executable strategies = uniform strategies

    Definition 2.11 (Uniform strategy)
    Strategy sa is uniform iff it specifies the same choices for indistinguishable situations:
      Memoryless strategies: if q ∼a q then sa(q) = sa(q ).
      Perfect recall: if λ ≈a λ then ⇒ sa(λ) = sa(λ ), where λ ≈a λ iff λ[i] ∼a λ [i] for every i.
    A collective strategy is uniform iff it consists only of uniform individual strategies.
  • 26. Imperfect Information Strategies
    Definition 2.12 (IR- and Ir-strategies)
    An imperfect information perfect recall strategy for agent a (iR-strategy for short) is a uniform IR-strategy.
    An imperfect information memoryless strategy for agent a (ir-strategy for short) is a uniform Ir-strategy.
    The outcome is defined as before.

    Imperfect Information Semantics
    The imperfect information semantics is defined as before, only the clause for
      M, q |=Ix A ϕ iff there is a collective Ix-strategy sA such that, for each path λ ∈ out(q, sA), we have M, λ |=Ix ϕ.
    is replaced by
      M, q |=ix A ϕ iff there is a uniform ix-strategy sA such that, for each path λ ∈ q :q∼A q out(q , sA ), we have M, λ |=ix ϕ
    where x ∈ {r, R} and ∼A := ∪a∈A ∼a.
    Remark 2.13
    This definition models that “everybody in A knows that ϕ”.

    The fixed-point characterisation does not hold anymore!
    Theorem 2.14
    The following formulae are not valid for ATLir:
      A ϕ ↔ ϕ ∧ A A ϕ
      A ϕ1 U ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ A A ϕ1 U ϕ2).
    Proof. Exercise.

    3. Comparing Semantics of ATL
    3 Comparing Semantics of ATL
      Semantics Settings
      Perfect vs. Imperfect Information
      Perfect Recall and Tree Unfoldings
      Perfect vs. Imperfect Recall
      Between Subjective and Objective Ability
      Conclusions
  • 27. Outline
    We consider the relationship between standard variants of the alternating-time temporal logics.
      perfect recall / no memory
      perfect / imperfect information
      objective / subjective ability
    Focus is on the logics; i.e., on the level of valid sentences.
    Validities capture general properties of games.
    Same logics induce same kind of ability in games.
    The following section is based on [Jamroga and Bulling, 2011].

    3.1 Semantics Settings

    We have considered various semantics for ATL and its variants:
      memoryless strategies;
      perfect recall strategies;
      perfect information; and
      imperfect information.
    In this section we systematically analyze how these settings give rise to different logics.
    For the perfect information case we define the following sets of validities:
    Cf. Definition 2.8
    We define the following logics:
      ATLIx is the set of valid sentences over (LATL, |=Ix)
      ATL∗Ix is the set of valid sentences over (LATL∗, |=Ix)
    where x ∈ {r, R}, respectively.

    Does memory matter?
    In Theorem 2.9 we have already seen the following:
    Cf. Theorem 2.9
    For LATL, the perfect recall semantics is equivalent to the memoryless semantics under perfect information, i.e., M, q |=IR ϕ iff M, q |=Ir ϕ. That is
    ATL = ATLIr = ATLIR.
    Both semantics are different for LATL∗; that is, ATL∗Ir ≠ ATL∗IR.
  • 28. Example 3.1 (ATL∗IR ≠ ATL∗Ir)
    [Figure: a structure with states q1 and q2, agents 1 and 2, and proposition p.]
    ϕ = a ( p∧ ¬p)

    Objective vs. subjective ability
    There are two more characteristics of ability under imperfect information:
      Subjective ability (is): All paths from all indistinguishable states are taken into account.
      Objective ability (io): Only paths from the (real) current state are considered.
    [Figure: subjective vs. objective outcome from the indistinguishable states q1, q2.]

    Definition 3.2 (Subjective epistemic outcome, xy-outcome)
    (a) The (subjective) epistemic outcome outs(q, sA) is defined as
        outs(q, sA) = ∪ q∼A q out(q , sA ).
    (b) Let x ∈ {is, io, I} and y ∈ {r, R}. The xy-outcome outxy(q, sA) is defined as follows:
        outxy(q, sA) = outs(q, sA) if x = is;
        outxy(q, sA) = out(q, sA) else.

    Remark 3.3 (Strategies and semantics)
    In order to ensure a uniform notation, we introduce xy-strategies for x ∈ {is, io, I} and y ∈ {r, R} as follows:
      IR: sa : Q+ → Act such that sa(q0 . . . qn) ∈ d(a, qn) for all q0, . . . , qn;
      Ir: as IR with the additional constraint s(hq) = s(h q) for all histories h (or, alternatively, sa : Q+ → Act such that sa(q) ∈ d(a, q) for all q);
      io r, is r: like Ir, with the additional constraint that q ∼a q implies sa(hq) = sa(hq ) for all histories h;
      io R, is R: like IR, with the additional constraint that h ≈a h implies sa(h) = sa(h ).
  • 29. Definition 3.4 (Imperfect information semantics)
    M, q |=xy A ϕ iff there is a collective xy-strategy sA such that, for each path λ ∈ outxy(q , sA ), we have M, λ |=xy ϕ
    where x ∈ {io, is}, y ∈ {r, R} and ∼A := ∪a∈A ∼a.
    Analogously to Definition 3.5, we define the following sets:
    Definition 3.5 (ATLis x, ATL∗is x, ATLio x, ATL∗io x)
    We define the following logics:
      ATLyx is the set of valid sentences over (LATL, |=yx)
      ATL∗yx is the set of valid sentences over (LATL∗, |=yx)
    where y ∈ {is, io} and x ∈ {r, R}, respectively.

    How does the picture look?
    [Figure: diagram arranging the logics by objective vs. subjective ability, by language, and by perfect recall vs. memoryless: ATL∗io R, ATL∗is R, ATLio R, ATLis R, ATL∗Ir ≠ ATL∗IR, ATLIR = ATLIr, ATL∗io r, ATL∗is r, ATLio r, ATLis r.]

    Comparing Validities
    Recall our motivation:
      Relationship between standard variants of ATL∗ on the level of valid sentences
      Logic = set of validities
      Validities capture general properties of games under consideration
      If two logics over LATL∗ generate the same valid sentences then the underlying notions of ability induce the same kind of games
      First step towards devising algorithms for satisfiability checking

    Remark 3.6 (Important Validities and Invalidities)
    a ♦p ↔ p ∨ a a ♦p
      Invalid in all variants with imperfect information. Valid for perfect information.
    a (♦p1 ∧ ♦p2) ↔ a ♦((p1 ∧ a ♦p2) ∨ (p2 ∧ a ♦p1))
      Invalid for imperfect information. Valid for perfect information and perfect recall.
    ¬ ∅ ♦¬p ↔ Agt p
      Invalid for subjective ability under imperfect information. Valid for perfect information.
  • 30. 3.2 Perfect vs. Imperfect Information

    Comparing ATLir vs. ATLIr
    Subjective incomplete information vs. perfect information.
    Proposition 3.7
    ATLis r ATLIr
    Inclusion: Every CGS can be seen as a special CEGS
    M, q0 |=is r (shot ∨ a a ♦shot) → a ♦shot
    [Figure: structure with states q0 to q5, where q0 and q1 are indistinguishable for a, actions look, shootL, shootR, and proposition shot.]

    Objective incomplete information vs. perfect information.
    Proposition 3.8
    ATLio r ATLIr
    M, q0 |=io r (shot ∨ a a ♦shot) → a ♦shot
    [Figure: structure with states q0, q1, q2, q3, where q0 and q1 are indistinguishable for a, actions putL, putR, shootL, shootR, and proposition shot.]

    Comparing ATLiR vs. ATLIR
    Objective incomplete information vs. perfect information under perfect recall.
    By the same reasoning as above:
    Corollary 3.9
    ATLio R ATLIR
  • 31. Subjective ability and incomplete information vs. perfect information.
    Proposition 3.10
    ATLis R ATLIR
    M, q4 |=is R a ♦shot → (shot ∨ a a ♦shot)
    [Figure: structure with states q0 to q5, where q0 and q1 are indistinguishable for a, actions look, shootL, shootR, and proposition shot.]

    3.3 Perfect Recall and Tree Unfoldings

    Interesting is the comparison between memory and no memory.
    Can Agents really achieve more (in terms of validities) if they have memory available?
    Suppose we want to show that ATL∗Ir ⊆ ATL∗IR; i.e., more properties of games are valid if perfect recall strategies are considered.
    For this purpose, we show that every IR-satisfiable formula is also Ir-satisfiable.
    Then, the claim follows: Suppose ϕ ∈ ATLIr and ϕ ∉ ATLIR. By the latter, ¬ϕ is IR-satisfiable hence also Ir-satisfiable. Contradiction!
    How can we show that IR-satisfiability implies Ir-satisfiability?

    IR-Tree Unfolding
    Suppose (M, q) IR-satisfies ϕ. Then, we show that there is a pointed model (M , q) which satisfies the same formulae and in which memoryless and perfect-recall strategies coincide.
    Which properties must M have such that both kinds of strategies have the same expressive power?
    Definition 3.11 (Tree-like CGS)
    Let M be a CGS. M is called tree-like iff there is a state q0 (the root) such that for every q there is a unique history leading from q0 to q.
    Proposition 3.12 (Recall invariance for tree-like CGS)
    For every tree-like CGS M, state q in M, and ATL∗-formula ϕ, we have: M, q |= Ir ϕ iff M, q |= IR ϕ.
    Can we always obtain such a tree-like “version” of a model?
  • 32. For each model, we can construct an equivalent tree-like model:
    Fix a state and unfold the model to an infinite tree.
    Tree unravelling
    [Figure: a model M with states q1, q2 and action pairs (α, α), (β, α), (α, β), unfolded from q1 into a tree.]
    Note: states correspond to finite histories.

    Definition 3.13 (Perfect information tree unfolding)
    Let M = (Agt, Q, Π, π, Act, d, o) be a CGS and q be a state in it. The (perfect information) tree unfolding of the pointed model (M, q) denoted T(M, q) is defined as (Agt, Q , Prop, π , Act, d , o ) where
      Q := Λfin(q),
      d (a, h) := d(a, last(h)),
      o (h, α) := h ◦ o(last(h), α), and
      π (h) := π(last(h)).
    The node q in the unfolding is called root of T(M, q).
    Theorem 3.14
    For every CGS M, state q in M, and ATL∗-formula ϕ we have:
    M, q |= IR ϕ iff T(M, q), q |= IR ϕ iff T(M, q), q |= Ir ϕ.

    io R-Tree Unfolding
    In the case of incomplete information we only have to take into account epistemic relations in the tree:
    h ∼a^To(M,q) h iff h ≈a^M h
    Theorem 3.15
    For every CEGS M, state q in M, and ATL∗-formula ϕ we have:
    M, q |= io R ϕ iff To(M, q), q |= io R ϕ iff To(M, q), q |= io r ϕ.

    is R-Tree Unfolding
    The tree unfolding for the is-semantics is more sophisticated.
    Consider the following model and the formula a a a shot. What can an is R-tree unfolding look like?
    [Figure: structure with states q0 to q5, where q0 and q1 are indistinguishable for a, actions look, shootL, shootR, and proposition shot.]
  • 33. A first naive approach could be a set of io R-tree unfoldings interconnected with epistemic links.
    [Figure 3: Two io R-tree unfoldings connected by an epistemic link. We use number i1 i2 . . . to refer to the history qi1 qi2 . . . .]
    What about the formula a a a shot?
    The is R-tree unfolding is shown on the next slide.

    [Figure: the is R-tree unfolding, built from copies of To(M1, q0) and To(M1, q1) connected by epistemic links for a.]

    Now we can state our main result for is R-tree unfoldings.
    Theorem 3.16
    For every CEGS M, state q in M, and ATL∗-formula ϕ, it holds that
    M, q |= is R ϕ iff Ts(M, q), q |= is R ϕ iff Ts(M, q), q |= is r ϕ.
    Summary
    If a formula is IR-, io R- or is R-satisfiable then it also is Ir-, io r- or is r-satisfiable, respectively.

    3.4 Perfect vs. Imperfect Recall
  • 34. We now compare perfect vs. imperfect memory.
    Proposition 3.17
    ATL∗Ir ATL∗IR (Even: ATL+Ir ATL+IR)
    Membership: If |=Ir ϕ then Treemodels |=Ir ϕ then Treemodels |=IR ϕ then |=IR ϕ
    Strict inclusion:
    M, q0 |=Ir a (♦p1 ∧ ♦p2) ↔ a ♦((p1 ∧ a ♦p2) ∨ (p2 ∧ a ♦p1)).
    p1 = clean, p2 = delivered
    [Figure: structure with states q0, q1 (clean), q2 (delivered) and actions clean, deliver.]

    Objective ability: no memory vs. perfect recall.
    Proposition 3.18
    ATLio r ATLio R.
    Recall: ¬ ∅ ♦¬p ↔ Agt p for perfect recall.
    M, q0 |=io r ¬ ∅ ♦¬(¬suspicious ∨ ¬angry) → a (¬suspicious ∨ ¬angry)
    [Figure: structure with states q0, q1, where q0 and q1 are indistinguishable for a, q2 (angry), q3 (suspicious) and actions kiss, not-kiss.]

    Proposition 3.19
    ATLis r ATLis R
    Inclusion: |=is r ϕ then Treemodels |=is r ϕ then Treemodels |=is R ϕ then |=is R ϕ
    Strict inclusion:
    M, q0 |=is r a a ♦p → a ♦p.
    [Figure: structure with states q0 to q5, where q0 and q1 are indistinguishable for a, actions look, shootL, shootR, and proposition shot.]

    3.5 Between Subjective and Objective Ability
  • 35. 3 Comparing Semantics of ATL
    3.5 Between Subjective and Objective Ability
    Proposition 3.20
    ATL_iox ⊆ ATL_isy for x, y ∈ {r, R}.
    Formula Φ2 ≡ a ♦p → p ∨ a a ♦p is valid in ATL_iox but invalid in ATL_isy.
    M, q4 |=_isR a ♦shot → shot ∨ a a ♦shot
    [Figure: model with states q0 to q5; q0 and q1 joined by a link labelled a; actions shootL and shootR; state label shot.]
    Proposition 3.21
    ATL_isx ⊆ ATL_ioy for x, y ∈ {r, R}.
    Φ6 ≡ a N c a p → a, c ♦p is valid in ATL_isx but invalid in ATL_ioy, where N (“now”) is defined as Nϕ ≡ ϕ U ϕ.
    M, q0 |=_ioR a N c a p → a, c ♦p
    [Figure: model with states q0 to q3; q0 and q1 joined by a link labelled a; actions putL, putR, shootL and shootR; state labels p and shot.]
    (Plus an agent c with no choices.)
    So: ATL_isy and ATL_ioz are incomparable for every y, z ∈ {R, r}.
    3.6 Conclusions
    Overview of the Results
    “All” semantic variants are different on the level of general properties; before our study, it was by no means obvious.
    Strong pattern of subsumption (memory and information)
    Very natural when you see it (not obvious before).
    In particular: non-validities are interesting.
    [Diagram: subsumption hierarchy relating ATL∗_IR, ATL∗_Ir, ATL_IR = ATL_Ir, ATL_isR, ATL_ioR, ATL_isr and ATL_ior, with an “incomparable” marker.]
  • 36. 4 Reasoning and Examples
    Outline
    4. Reasoning and Examples
      Basic Modal Logic
      Axiomatic Systems
      Correspondence Theory
      Epistemic Logic
      Axioms for LTL
      Axioms for CTL
      Axioms for ATL
    We present basic modal logic based on the operator as a suitable framework for temporal and other logics.
    We introduce Kripke models, based on a general accessibility relation, as underlying structures. Special instances are models of LTL, CTL, and ATL considered earlier.
    We consider semantic consequences in modal logic and the basics of correspondence theory: axioms involving correspond exactly to properties of the accessibility relation.
    We very briefly look at epistemic interpretations of : belief as opposed to knowledge.
    We end by giving sound and complete axiomatic systems for LTL, CTL, and ATL.
    4.1 Basic Modal Logic
    What is a Logic?
    We present a framework for thinking about logics as:
      languages for describing a problem,
      ways of talking about relational structures and models.
    Two key components in the way we will approach logic:
      1 Language: fairly simple, precisely defined, formal languages.
      2 Model (or relational structure): simple “world” that the logic talks about.
  • 37. 4 Reasoning and Examples
    4.1 Basic Modal Logic
    Relational Structures
    A relational structure is given by (W, {R1 , . . . , Rn }) and consists of:
      A non-empty set W , the elements of which are our objects of interest. They are called points, states, nodes, worlds, times, instants or situations.
      A non-empty set {R1 , . . . , Rn } of relations, Ri ⊆ W × W .
    An important special case is when the Ri are equivalence relations. They could represent which of the worlds are considered indistinguishable for agent i.
    So we can model the situation where different agents have different views about the world.
    The Basic Modal Language
    Propositional logic can be seen as a one-point relational structure.
    But relational structures can describe much more. We can talk about points, lines etc.
    Therefore, we introduce the basic modal language on top of the propositional language by extending LPL (Prop) with two new operators:
    Possibility and necessity
      ♦ϕ: ϕ is possible (We see one or more states where ϕ holds.)
      ϕ: ϕ is necessary (In all reachable states ϕ holds.)
    A Language for Relational Structures
    Definition 4.1 (Basic modal language LBML )
    Let Prop be a set of propositions. The basic modal language LBML (Prop) consists of all formulae defined by the following grammar:
      ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ϕ
    where p ∈ Prop.
    Boolean macros are defined in the standard way. Additionally, we have the dual ♦ (called “diamond”) of :
      ♦ϕ := ¬ ¬ϕ
    We can talk about attributes by adding labels to nodes (e.g. painting them in a particular color).
    Example 4.2 (Colored graph I)
    Imagine standing in a node of a colored graph. What can we see?
    [Figure: colored graph; annotations: ♦ blue, ♦ blue.]
  • 38. 4 Reasoning and Examples
    4.1 Basic Modal Logic
    Example 4.3 (Colored graph II)
    We imagine standing in a node of a colored graph. What can we see?
      ♦(black ∧ red) ∧ ♦♦green
    Colored graph II
    Example 4.4
      blue → black
      yellow → ♦yellow
      green → black
    Definition 4.5 (Kripke frame)
    A Kripke frame is given by F = (W, R) where
      W is a non-empty set, called set of domains or worlds,
      R ⊆ W × W is a binary relation.
    Frames are mainly used to talk about validities: They stand for a whole set of models.
    Definition 4.6 (Kripke model)
    A Kripke model is given by M = (W, R, V ) where
      (W, R) is a Kripke frame,
      V : Prop → P(W ) is called labelling function or valuation.
    We also use V : W → P(Prop).
    Kripke frames (resp. models) are simply relational structures (resp. with labels)!
    Example 4.7
    Consider the frame F = ({w1 , w2 , w3 , w4 , w5 }, R) where Rwi wj iff j = i + 1 and V (p) = {w2 , w3 }, V (q) = {w1 , w2 , w3 , w4 , w5 }, V (r) = ∅.
    [Figure: chain w1, w2, w3, w4, w5 with labels q; q, p; q, p; q; q.]
  • 39. 4 Reasoning and Examples
    4.1 Basic Modal Logic
    Frames vs. Models?
    Frames
      Mathematical pictures of ontologies that we find interesting. That is, frames define the fundamental structure of the domain of interest.
      For example, we model time as a collection of points ordered by a strict partial order.
    Models
      Frames are extended by contingent information. That is, models extend the mathematical structure provided by frames by additional information.
    Can Kripke models be used to interpret the propositional language?
    Formal semantics of LML .
    Definition 4.8 (Semantics M, w |= ϕ)
    Let M be a Kripke model, w ∈ WM , and ϕ ∈ LML . ϕ is said to be locally true or satisfied in M and world w (called pointed Kripke model), written as M, w |= ϕ, if the following holds:
      M, w |= p iff w ∈ VM (p) and p ∈ Prop,
      M, w |= ¬ϕ iff not M, w |= ϕ
      M, w |= ϕ ∨ ψ iff M, w |= ϕ or M, w |= ψ
      M, w |= ϕ iff for all worlds w ∈ W such that wRw we have M, w |= ϕ
    For Σ ⊆ LML we write M, w |= Σ iff M, w |= ϕ for all ϕ ∈ Σ.
    What about ♦ϕ?
    Internal and Local
    Satisfaction of formulae is internal and local!
      Internal: Formulae are evaluated inside models at some given world.
      Local: Given a world it is only possible to refer to direct successors of this world.
    How does first-order logic compare to that?
    Some Examples
    Example 4.9
    F = ({w1 , w2 , w3 , w4 , w5 }, R) where Rwi wj iff j = i + 1 and V (p) = {w2 , w3 }, V (q) = {w1 , w2 , w3 , w4 , w5 }, V (r) = ∅.
    [Figure: chain w1, w2, w3, w4, w5 with labels q; q, p; q, p; q; q.]
      1 M, w1 |= ♦ p
      2 M, w1 |= ♦ p → p
      3 M, w2 |= ♦(p ∧ ¬r)
      4 M, w1 |= q ∧ ♦(q ∧ ♦(q ∧ ♦(q ∧ ♦q)))
      5 M |= q
  • 40. 4 Reasoning and Examples
    4.1 Basic Modal Logic
    Kripke models as LTL and CTL structures
    Kripke models can be seen as labelled directed graphs. Such models were used for LTL, CTL, CTL∗ and ATL, but with several modal operators (multi-modal).
      LTL: Here we consider Kripke models where the accessibility relation is a discrete, linear order with a smallest element. We also require that the accessibility relation is serial: for each state there is a successor state (not necessarily a new one). We call these Kripke models LTL Kripke models.
      CTL: Here we consider Kripke models that are trees (i.e. acyclic, and each node has at most one predecessor, and there is one unique root node) and each path is infinite (serial accessibility relation). We call these Kripke models CTL Kripke models.
      CTL∗ : Here we consider arbitrary graphs.
    Kripke models as ATL structures
    In contrast to LTL and CTL, the logic ATL uses additional modal operators, namely indexed by coalitions. So we have again a multi-modal version where CTL can be seen as a one player fragment of it.
    The semantics of ATL is based on concurrent game structures, as described in the last chapter. These are labelled transition systems and can be seen as an instance of Kripke models.
    An axiomatization of ATL is thus a system that allows one to derive all formulae that are true in all possible concurrent game structures.
    We call these models ATL models.
    4.2 Axiomatic Systems
    Sound and complete axiom system for propositional logic
    There is a finitistic notion of proof that allows one to derive new formulae from given ones:
      Φ φ: there is a proof of φ from Φ.
    It is based on a finite system of axioms and (MP) as the only inference rule: From ϕ and ϕ → ψ infer ψ.
    The axiom system has the following property for arbitrary sets Φ (infinite or not):
      Φ φ iff Φ |= φ
    The direction from left to right is called soundness, the other direction is called completeness.
  • 41. 4 Reasoning and Examples
    4.2 Axiomatic Systems
    Definition 4.10 (Sound-, Completeness for a calculus)
    Given an arbitrary calculus (which defines a notion ) and a semantics based on certain models (which defines a relation |=), we say that
      Soundness: The calculus is sound (also called correct) with respect to the semantics, if the following holds:
        Φ φ implies Φ |= φ.
      Completeness: The calculus is complete with respect to the semantics, if the following holds:
        Φ |= φ implies Φ φ.
    A general notion of a certain sort of calculi.
    Definition 4.11 (Hilbert-Type Calculi)
    A Hilbert-Type calculus over a language L is a pair Ax, Inf where
      Ax: is a subset of FmlL , the set of well-formed formulae in L: they are called axioms,
      Inf: is a set of pairs written in the form
            φ1 , φ2 , . . . , φn
            --------------------
                     ψ
        where φ1 , φ2 , . . . , φn , ψ are L-formulae: they are called inference rules.
    Intuitively, one can assume all axioms as “true formulae” (tautologies) and then use the inference rules to derive even more new formulae.
    Definition 4.12 (Calculus for Sentential Logic SL)
    We define Hilbert^SL_L = Ax^SL_L , {MP} , the Hilbert-Type calculus: L ⊆ LSL with the wellformed formulae FmlL .
    Axioms in SL (Ax^SL_L ) are the following formulae:
      1 φ → , ⊥ → φ, ¬ → ⊥, ⊥ → ¬ ,
      2 (φ → ψ) → ((φ → (ψ → χ)) → (φ → χ)),
      3 (φ ∧ ψ) → φ, (φ ∧ ψ) → ψ,
      4 φ → (φ ∨ ψ), ψ → (φ ∨ ψ),
      5 ¬¬φ → φ, (φ → ψ) → ((φ → ¬ψ) → ¬φ),
      6 φ → (ψ → φ), φ → (ψ → (φ ∧ ψ)).
      7 (φ → χ) → ((ψ → χ) → (φ ∨ ψ → χ)).
    φ, ψ, χ stand for arbitrarily complex formulae (not just constants). They represent schemata, rather than formulae in the language.
    Definition (continued)
    The only inference rule in SL is modus ponens:
      MP : Fml × Fml → Fml : (ϕ, ϕ → ψ) → ψ.
    or short
            ϕ, ϕ → ψ
      (MP)  ---------
                ψ
    (ϕ, ψ are arbitrarily complex formulae).
  • 42. 4 Reasoning and Examples
    4.2 Axiomatic Systems
    Theorem 4.13 (Correct-, Completeness for Hilbert^SL_L )
    A formula follows semantically from a theory Φ if and only if it can be derived:
      Φ |= ϕ if and only if Φ ϕ
    A similar result holds for first-order logic: there is also a Hilbert-Type calculus that is sound and complete.
    However, first-order logic is in general undecidable: the set of valid formulae is recursively enumerable, but it is not recursive.
    The same is true for many (propositional) modal logics.
    Validity in Modal Logic
    We take on a global point of view.
    Given a specification like ϕ := ¬crash. In which states should it be true?
    Definition 4.14 (Validity)
    A formula ϕ is called valid or globally true in a model M iff M, w |= ϕ for all w ∈ WM . We write M |= ϕ.
    ϕ is satisfiable in M if M, w |= ϕ for some w ∈ WM .
    Analogously, we say that a set Σ of formulae is valid (resp. satisfiable) in M iff all formulae in Σ are valid (resp. satisfiable) in M.
    Validity and satisfiability are dual concepts!
    Example 4.15
    In which models is the following formula true?
      (p → q) → ( p → q)
      M, w |= (p → q)
        iff ∀w (wRw ⇒ M, w |= p → q)
        iff ∀w (wRw ⇒ (M, w |= p ⇒ M, w |= q))
        implies ∀w (wRw ⇒ M, w |= p) ⇒ ∀w (wRw ⇒ M, w |= q)
        iff M, w |= p ⇒ M, w |= q
        iff M, w |= p → q
    The formula is true in any frame and hence in any model. It corresponds to a tautology in propositional logic.
    Modal Consequence Relation
    Up to now we verified formulae in a given model and state. Often, it is interesting to know whether a property follows from a given set of formulae.
    Definition 4.16 (Local Consequence Relation)
    Let M be a class of models, Σ be a set of formulae and ϕ be a formula.
    ϕ is a (local) semantic consequence of Σ over M, written Σ |=M ϕ, if for all M ∈ M and all w ∈ WM it holds that M, w |= Σ implies M, w |= ϕ.
    If M is the class of all models we just say that ϕ is a (local) consequence of Σ and write Σ |= ϕ.
  • 43. 4 Reasoning and Examples
    4.2 Axiomatic Systems
    Frames and Validity
    In Example 4.15 we have seen that a formula can be true/false for all valuations. We can speak about structural properties ignoring contingent information.
    Definition 4.17 (Frame Validity: F |= ϕ)
    Let F be a frame and ϕ ∈ LBML .
      1 ϕ is valid in F and w ∈ WF , written F, w |= ϕ, if M, w |= ϕ for all models M = (F, π) based on F.
      2 ϕ is valid in F , written F |= ϕ, if F, w |= ϕ for all w ∈ WF .
      3 Let F be a class of frames. ϕ is said to be valid in F, if ϕ is valid in each frame F ∈ F .
    Lemma 4.18 (Distribution Axioms)
    The two formulae
      ♦(p ∨ q) → (♦p ∨ ♦q)
      (p → q) → ( p → q)
    are both valid in all Kripke frames F. The last formula is also called axiom K.
    Proof. Exercise and Example 4.15.
    Example 4.19
    Is ♦ valid in all frames? In which class is the formula valid?
    [Figure: two frames, each with worlds w1 and w2.]
    What about ?
    Example 4.20
    Is ♦♦p → ♦p true in w1 ?
    [Figure: two frames, each with worlds w1, w2 and w3; labels p, p, p.]
    Is there a class of frames in which the formula is valid?
    Example 4.21
    Let M be the class of transitive models. Then:
      1 ♦♦p |=M ♦p,
      2 p |=M p, but
      3 p |=M p does not hold.
    In fact, there is a class of models M for which ♦♦p |=M ♦p holds, but no model in M is transitive.
  • 44. 4 Reasoning and Examples
    4.3 Correspondence Theory
    Correspondence Theory
    We have learnt that some formulae are valid in particular frames. E.g. ♦♦ϕ → ♦ϕ is valid in all transitive frames. Here, we consider such correspondences systematically.
    Definition 4.22 (KDT45)
    We define the following formulae, that will play an important role for defining various modal logics.
      K  (p → q) → ( p → q)
      D  ¬ (p ∧ ¬p)
      T  p → p
      4  p → p
      5  ¬ p → ¬ p
    In epistemic logic, e.g., these formulae will have intuitive epistemic properties.
    Properties of Frame (1)
    We consider properties of the accessibility relations R of frames:
      Serial: For all w there is a w with wRw .
      Reflexive: For all w: wRw.
      Transitive: For all w, w , w : wRw and w Rw implies wRw .
      Euclidean: For all w, w , w : wRw and wRw implies w Rw .
      Symmetric: For all w, w : wRw implies w Rw.
    Definition 4.23 (Frame property)
    We say a frame F = (W, R) has property X if its relation R has property X.
    Remember Slide 173 where we discussed transitive frames.
    Example 4.24
    We have
      F |= p → p iff F is reflexive.
    Let F be a frame satisfying p → p. That is, for all w ∈ W , F, w |= p → p.
    This is the case, if for all models M over F and for all w ∈ W , M, w |= p → p.
    Which properties must R satisfy?
    Suppose R is not reflexive. Then, there is a state w with not w Rw .
    Make p true at all states of W {w }. Then, M, w |= p → p and hence F |= p → p. Contradiction!
  • 45. 4 Reasoning and Examples
    4.3 Correspondence Theory
    Now suppose we are given a reflexive frame F and suppose F |= p → p.
    Then, there is a model M = (F, π) and a state w, M, w |= p → p.
    That is, M, w |= p and M, w |= p.
    By reflexivity we have wRw.
    But then, from M, w |= p it follows that M, w |= p. Contradiction!
    We must have F |= p → p.
    In other words, axiom T characterises reflexive frames.
    Validity in Several Frames (3)
    Lemma 4.25 (Appropriate Frames)
    Let (W, R) be a Kripke frame. Then the following holds:
      K: (W, R) |= (p → q) → ( p → q).
      D: (W, R) |= ¬ (p ∧ ¬p) iff R is serial.
      T: (W, R) |= p → p iff R is reflexive.
      4: (W, R) |= p → p iff R is transitive.
      5: (W, R) |= ¬ p → ¬ p iff R is Euclidean.
      B: (W, R) |= p → ♦p iff R is symmetric.
    Proof. : Exercise.
    Axiomatic Systems
    As in classical logic, one can ask about a complete axiom system. Is there a calculus that allows one to derive all sentences true in all Kripke models?
    Definition 4.26 (System K)
    The system K is an extension of the propositional calculus by the axiom
      K  ( ϕ ∧ (ϕ → ψ)) → ψ
    and the inference rule
        ϕ
      -----  (Necessitation).
        ϕ
    Note, ϕ and ψ can be substituted by any formula.
    Proposition 4.27
    Axiom K is equivalent to (ϕ → ψ) → ( ϕ → ψ).
    Theorem 4.28 (Sound-/completeness of K)
    System K is sound and complete with respect to arbitrary Kripke models.
    Note that we have not assumed any properties of the accessibility relation R: It is just any binary relation.
    Assuming that R is an equivalence relation, what additional statements (axioms) are true in all such Kripke models?
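The satisfaction relation of Definition 4.8, frame validity (Definition 4.17) and the correspondences of Lemma 4.25 can be checked mechanically on small frames. The following Python code is an added example, not part of the original slides: the tuple encoding of formulae and all function names are assumptions made here, necessity is written "box" and possibility "dia", and the axioms D, T, 4, 5 and B are encoded in their standard form. The sample model is the chain from Examples 4.7 and 4.9.

```python
from itertools import combinations, product

# Formulae are nested tuples; atoms are strings (encoding assumed for this example).
# Operators: "not", "and", "or", "imp", "box" (necessity), "dia" (possibility).

def holds(R, V, w, f):
    """M, w |= f as in Definition 4.8. R: set of (u, v) pairs; V: atom -> set of worlds."""
    if isinstance(f, str):
        return w in V.get(f, set())
    op = f[0]
    if op == "not":
        return not holds(R, V, w, f[1])
    if op == "and":
        return holds(R, V, w, f[1]) and holds(R, V, w, f[2])
    if op == "or":
        return holds(R, V, w, f[1]) or holds(R, V, w, f[2])
    if op == "imp":
        return (not holds(R, V, w, f[1])) or holds(R, V, w, f[2])
    successors = [v for (u, v) in R if u == w]
    if op == "box":  # vacuously true at a world without successors
        return all(holds(R, V, v, f[1]) for v in successors)
    if op == "dia":  # false at a world without successors
        return any(holds(R, V, v, f[1]) for v in successors)
    raise ValueError(f"unknown operator: {op!r}")

def truth_set(W, R, V, f):
    """All worlds of the model (W, R, V) at which f holds."""
    return {w for w in W if holds(R, V, w, f)}

def atoms(f):
    """Set of proposition names occurring in f."""
    return {f} if isinstance(f, str) else set().union(*(atoms(g) for g in f[1:]))

def frame_valid(W, R, f):
    """F |= f: f holds at every world under every valuation of its atoms."""
    names, worlds = sorted(atoms(f)), sorted(W)
    subsets = [set(c) for k in range(len(worlds) + 1) for c in combinations(worlds, k)]
    return all(
        holds(R, dict(zip(names, choice)), w, f)
        for choice in product(subsets, repeat=len(names))
        for w in worlds
    )

AXIOMS = {
    "D": ("not", ("box", ("and", "p", ("not", "p")))),
    "T": ("imp", ("box", "p"), "p"),
    "4": ("imp", ("box", "p"), ("box", ("box", "p"))),
    "5": ("imp", ("not", ("box", "p")), ("box", ("not", ("box", "p")))),
    "B": ("imp", "p", ("box", ("dia", "p"))),
}
AXIOM_K = ("imp", ("box", ("imp", "p", "q")), ("imp", ("box", "p"), ("box", "q")))

PROPERTIES = {  # the frame property Lemma 4.25 pairs with each axiom
    "D": lambda W, R: all(any((w, v) in R for v in W) for w in W),                  # serial
    "T": lambda W, R: all((w, w) in R for w in W),                                  # reflexive
    "4": lambda W, R: all((a, c) in R for (a, b) in R for (b2, c) in R if b == b2),  # transitive
    "5": lambda W, R: all((b, c) in R for (a, b) in R for (a2, c) in R if a == a2),  # Euclidean
    "B": lambda W, R: all((b, a) in R for (a, b) in R),                             # symmetric
}

def check_correspondence(n=3):
    """Compare frame validity with the frame property on every relation over n worlds."""
    W = set(range(n))
    pairs = [(a, b) for a in W for b in W]
    agrees = {name: True for name in AXIOMS}
    for k in range(len(pairs) + 1):
        for rel in combinations(pairs, k):
            R = set(rel)
            for name, axiom in AXIOMS.items():
                if frame_valid(W, R, axiom) != PROPERTIES[name](W, R):
                    agrees[name] = False
    return agrees

# Model of Examples 4.7 / 4.9: chain w1 -> w2 -> ... -> w5 (worlds written 1..5).
W47 = {1, 2, 3, 4, 5}
R47 = {(i, i + 1) for i in range(1, 5)}
V47 = {"p": {2, 3}, "q": {1, 2, 3, 4, 5}, "r": set()}

if __name__ == "__main__":
    print("dia(p and not r) at w2:", holds(R47, V47, 2, ("dia", ("and", "p", ("not", "r")))))
    print("worlds satisfying box p:", sorted(truth_set(W47, R47, V47, ("box", "p"))))
    print("K valid on the chain frame:", frame_valid(W47, R47, AXIOM_K))
    print("T valid on the chain frame:", frame_valid(W47, R47, AXIOMS["T"]))
    print("axiom/property agreement on all 3-world frames:", check_correspondence(3))
```

Enumerating all valuations is exponential in the number of worlds and atoms, so this brute-force validity check is only practical for very small frames.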
  • 46. 4 Reasoning and Examples
    4.3 Correspondence Theory
    Theorem 4.29 (Sound/complete subsystems)
    Let X be any subset of {D, T, 4, 5} and let X be the subset of {serial, reflexive, transitive, euclidean} corresponding to X. Then system K extended with axioms X is sound and complete with respect to Kripke frames which satisfy properties X .
    For example, we have the following important instance:
    Corollary 4.30 (KT45)
    System KT45 is sound and complete with respect to Kripke frames with an accessibility relation which is an equivalence relation.
    4.4 Epistemic Logic
    Interpreting i as knowledge
    Let us now assume we have several agents i and we interpret i ϕ as agent i knows that ϕ. In that case one often writes Ki ϕ instead of i ϕ.
    Accessibility relation
    What does the equivalence relation encode? Incomplete information:
      wRw : The agent cannot distinguish w and w . Both states provide the same information.
    Knowledge = Truth in all indistinguishable states
    What other properties should hold when interpreting as knowledge?
      K  K(p → q) → (Kp → Kq)
      D  ¬K⊥           consistency
      T  Kp → p        truth
      4  Kp → KKp      positive introspection
      5  ¬Kp → K¬Kp    negative introspection
  • 47. 4 Reasoning and Examples
    4.4 Epistemic Logic
    Interpreting as belief
    Up to now we were thinking of i as agent i knows that ϕ. What if we interpret the operator as belief?
    Under such an interpretation axiom T is usually not assumed to hold. But all other axioms make sense.
    Definition 4.31 (System KD45)
    Axiom system KD45 is called the standard logic of beliefs. Axiom K is called logical omniscience, axiom D is called consistency, axiom 4 (resp. axiom 5) is called positive (resp. negative) introspection.
    4.5 Axioms for LTL
    Note that
      we have “¬”, “∨”, as basic propositional operators (all the others are macros), and
      “· U ·”, and “ ·” as basic LTL operators,
      All other operators are defined as usual.
    Weak Completeness
    Like many modal logics, LTL is only weakly complete, i.e.
      Φ |= ψ implies Φ ψ
    is only true for finite sets Φ, not for infinite sets.
    The set
      {r → s, r → Xs, r → XXs, . . .}
    serves as a counterexample. It certainly implies r → Gs, but this cannot be inferred using any sound axiom system (the reason is that no finite subset of the above set implies this formula).
  • 48. 4 Reasoning and Examples
    4.5 Axioms for LTL
    Theorem 4.32 (Axiomatization of LTL)
    The system consisting of Hilbert^SL_L and the following
      (A1 )  G(ϕ → Xϕ) → (ϕ → Gϕ)
      (A2 )  (ϕ U ψ) ↔ (ψ ∨ (ϕ ∧ X(ϕ U ψ)))
      (A3 )  (ϕ U ψ) → Fψ
      (Fun)  ¬Xϕ ↔ X¬ϕ
      (KX )  X(ϕ → ϕ ) → (Xϕ → Xϕ ))
      (NX )  rule: ϕ / Xϕ
      (KG )  G (ϕ → ϕ ) → G (Gϕ → Gϕ )
      (NG )  rule: ϕ / Gϕ
    is sound and weakly complete with respect to LTL Kripke models.
    4.6 Axioms for CTL
    Note that
      we have “¬”, “∨”, as basic propositional operators (all the others are macros), and
      “E · U ·”, “E ·”, and “EG·”, as basic CTL operators,
      All other operators are defined as usual.
    Theorem 4.33 (Axiomatization of CTL)
    The system consisting of Hilbert^SL_L and the following
      (A1 )   EFϕ ↔ E( U ϕ)
      (A1 )   AFϕ ↔ A( U ϕ)
      (A2 )   AGϕ ↔ ¬EF¬ϕ
      (A2 )   EGϕ ↔ ¬AF¬ϕ
      (A3 )   EX(ϕ ∨ ψ) ↔ (EXϕ ∨ EXψ)
      (A4 )   AXϕ ↔ ¬EX¬ϕ
      (A5 )   EX ∧ AX
      (R)     rule: ϕ / AGϕ
      (A6 )   E(ϕ U ψ) ↔ (ψ ∨ (ϕ ∧ EXE(ϕ U ψ)))
      (A6 )   A(ϕ U ψ) ↔ (ψ ∨ (ϕ ∧ AXA(ϕ U ψ)))
      (A7 )   AG(ρ → (¬ψ ∧ EXρ)) → (ρ → ¬A(ϕ U ψ))
      (A8 )   AG(ρ → (¬ψ ∧ EXρ))) → (ρ → ¬AFψ)
      (A9 )   AG(ρ → (¬ψ ∧ (ϕ → AXρ))) → (ρ → ¬E(ϕ U ψ))
      (A10 )  AG(ρ → (¬ψ ∧ AXρ))) → (ρ → ¬EFψ)
      (A11 )  AG(ϕ → ψ) → (EXϕ → EXψ)
    is sound and weakly complete with respect to CTL Kripke models.
  • 49. 4 Reasoning and Examples
    4.6 Axioms for CTL
    A (very complicated) sound and complete (with respect to the appropriate Kripke models) axiomatization of CTL∗ has been defined in [Reynolds, 2001].
    4.7 Axioms for ATL
    Note that
      we have “¬”, “∨”, as basic propositional operators (all the others are macros), and
      “ A ·”, “ A ·”, “ A · U ·”, as basic CTL operators,
      all other operators are defined as usual, and
      we only consider the version of ATL based on perfect information and perfect recall: ATL_IR (= ATL_Ir ).
    Theorem 4.34 (Axiomatization of ATL)
    The system consisting of Hilbert^SL_L and the following (where A, A1 , A2 are subsets of Agt and A1 , A2 are disjoint):
      (⊥)      ¬ A ⊥
      ( )      A
      (Mon)    rule: ϕ1 → ϕ1 / A ϕ2 → A ϕ1
      (Nec)    rule: ϕ / ∅ ϕ
      (Agt)    ¬ ∅ ¬ϕ → Agt ϕ
      (S)      ( A1 ϕ1 ∧ A2 ϕ2 ) → ( A1 ∪ A2 (ϕ1 ∧ ϕ2 ))
      (FP )    A ϕ ↔ (ϕ ∧ A A ϕ)
      (GFP )   ∅ (θ → (ϕ ∧ A θ)) → ∅ (θ → A ϕ)
      (FP U )  A ϕ1 U ϕ2 ↔ (ϕ2 ∨ (ϕ1 ∧ A A ϕ1 U ϕ2 ))
      (LFP U ) ∅ ((ϕ2 ∨ (ϕ1 ∧ A θ)) → θ) → ( ∅ ϕ1 U ϕ2 → θ)
    is sound and weakly complete with respect to ATL models (concurrent game structures).
    This axiomatization is from [Goranko and van Drimmelen, 2006a].
    Nothing is known for ATL∗ , ATL+ , ATL+_ir or ATL+_iR .
  • 50. 5 Complexity of Verification: Model Checking
    Outline
    5. Complexity of Verification: Model Checking
      What is Model Checking?
      Model Checking Temporal Logic
      LTL: Automaton Aϕ and Proof of Theorem (skipped)
      Model Checking MAS with Perfect Information and Recall
      Model Checking MAS with Imperfect Information or No Recall
      Summary of Complexity Results
    We introduce the model checking method which can be used for the verification of systems.
    We show how automata on infinite words can be used to solve the model checking problem for LTL.
    We present polynomial time algorithms for CTL and ATL.
    We determine the model checking complexities of CTL∗ using the results for LTL.
    We identify the complexities of the remaining strategic logics.
    5.1 What is Model Checking?
    Acknowledgment: The following presentation is partly based on the book “Principles of Model Checking” by Christel Baier and Joost-Pieter Katoen.
    Why do we need verification methods?
    AT&T Telephone Network Outage (1990)
      Problem in New York City: 9 hour outage of large parts of US telephone network.
      Costs: several 100 million $.
      Source: wrong interpretation of a break statement in C.
      “. . . Virtually the entire AT&T network of 4ESS toll tandems switches went in and out of service over and over again on Jan. 15, 1990 . . . . A software bug was found.” [Wikipedia]
  • 51. 5 Complexity of Verification: Model Checking
    5.1 What is Model Checking?
    Ariane 5 Disaster (1996)
      Crash of Ariane 5 missile.
      Costs: > 500 million $.
      Source: “. . . a data conversion from a 64-bit floating point to 16-bit signed integer value caused a hardware exception. . . ” [Wikipedia]
    Pentium FDIV BUG (1994)
      (FDIV: Floating point division unit)
      Incorrect results.
      Costs: 500 million $ and image loss.
      Source: “. . . Certain floating point division operations performed with these processors would produce incorrect results.” [Wikipedia]
    What are the lessons learned?
    Verification may pay off! In such cases the extra costs and efforts put into proper verification techniques may be cheaper than the results of an error.
    Software becomes larger.
    Use in safety-critical systems, important domains.
    Increasing need for reliable software.
    Errors can be costly and fatal (Ariane-5 launch, stock market systems,...).
    Mass production of products (errors are expensive, computer chips,...).
    Testing and reviewing ( non-formal methods)
    Deductive methods (Hoare Calculus), code integration ( undecidable, expertise during programming necessary)
    Model checking ( how is the correct model obtained?)
  • 52. Slides 205–208. 5.1 What is Model Checking?
    Errors are expensive: Ariane 5 missile crash, . . . Model checking provides means to detect such errors!
    [Figure: a problem (e.g. mobile phone) and a (safety) property (e.g. deadlock free) are turned into a formal model (states q0, q1, q2 labelled pos0, pos1, pos2, transitions labelled with the joint actions wait/push) and a logical (formal) specification, giving the question M |= ⟨⟨{1, 2}⟩⟩□ g ? “Let's model check...” Computational complexity?]
    [Figure: Model Checking Technique. An informal problem and a system requirement are formalized into a formal model and a formal specification; the model checker (model checking algorithm) answers true, or false together with a counterexample (flaw in system).]
    Model checking refers to the problem to determine whether a given formula ϕ is satisfied in a state q of model M. Local model checking is the decision problem that determines membership in the set
        MC(L, Struc, |=) := {(M, q, ϕ) ∈ Struc × L | M, q |= ϕ},
    where L is a logical language, Struc is a class of (pointed) models for L (i.e. a tuple consisting of a model and a state), and |= is a semantic satisfaction relation compatible with L and Struc.
    Global model checking: Determine all states in which ϕ is true. Here: The complexities of local and global model checking coincide. We are interested in the decidability and the computational complexity of determining whether an input instance (M, q, ϕ) belongs to MC(. . . ).
  • 53. Slides 209–212. 5.1 What is Model Checking?
    Input size. Important: The complexity is always relative to the size of the input! That is, the size of the representation of the model and the representation of the formula that we use. In order to establish the complexity, it is necessary to fix how we represent the input and how we measure its size. Be careful if numbers are involved!
    Input size. Size of the model (|M|): number of (states and) transitions in M. Size of the formula (|ϕ|): given by its length (i.e., the number of elements it is composed of, apart from parentheses). For example, the formula A (pos0 ∨ pos1 ) has length 5.
    Remark 5.1: Sometimes it makes sense to only consider the size of the model or of the formula. In this course, we always consider the size of the model and of the formula.
    5.2 Model Checking Temporal Logic
    Let M be a Kripke model and q be a state in the model. Model checking an L_CTL / L_CTL∗-formula ϕ in M, q means to determine whether M, q |= ϕ, i.e., whether ϕ holds in M, q. For LTL, checking M, q |= ϕ means that we check whether ϕ holds on all the paths in M which start from q. That is, it is equivalent to CTL∗ model checking of a formula Aϕ in M, q.
    Representation of Paths. Consider the path λ = q_i1 q_i2 . . . with i1.i2 i3 i4 · · · = 3.14159265 . . . . How can we represent such a path? We need a finite representation.
  • 54. Slides 213–216. 5.2 Model Checking Temporal Logic
    Remark 5.2 (Representation of paths): Paths are infinite entities. They are theoretical constructs. We need a finite representation! We consider paths in a Kripke structure. We use a (pointed) Kripke model M, q and consider the problem whether an L_LTL-formula holds on all paths of M starting in q.
    Model Checking CTL. We determine all states in which ϕ holds:
      ϕ = p: Return all states in which p holds.
      ϕ = ¬ψ: Suppose ψ holds in Q1. Return Q \ Q1.
      ϕ = ψ1 ∧ ψ2: Suppose ψi holds in Qi. Return Q1 ∩ Q2.
      ϕ = E○ψ: Suppose ψ holds in Q1. Return all states Q′ which lead to some state in Q1. Q′ is the preimage of Q1. [Figure: a set Q1 and its preimage pre(Q1).]
    Formally: Given a set of states Q′ ⊆ Q, the preimage of Q′, pre(Q′), consists of all states q such that there is a state q′ ∈ Q′ with (q, q′) ∈ R.
      ϕ = E□ψ: Suppose ψ holds in Q1 and that Q′ is returned. Then, we make the following observations: Q′ ⊆ Q1. For all states q ∈ Q′ there is a state q′ with qRq′ and q′ ∈ Q′ ⊆ Q1. Hence, we are looking for the greatest set Q′ with these properties. Actually, this observation corresponds to the following fixed-point formula:
          E□ϕ ↔ ϕ ∧ E○E□ϕ.
      The formula allows us to compute a satisfying path step-by-step by computing the greatest fixed-point νX.[ϕ]M ∩ pre(X), where [ϕ]M denotes the set of states in which ϕ holds.
      ϕ = E♦ψ: Similarly, we have E♦ϕ ↔ ϕ ∨ E○E♦ϕ, hence we return the smallest fixed-point: µX.[ϕ]M ∪ pre(X).
      Eϕ1 U ϕ2: Similarly, we have Eϕ1 U ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ E○Eϕ1 U ϕ2), hence we return the smallest fixed-point: µX.[ϕ2]M ∪ ([ϕ1]M ∩ pre(X)).
    Note that the three (associated) functions are monotonically decreasing and increasing, hence by Knaster/Tarski the greatest and smallest fixed-points exist.
  • 55. Slides 217–220. 5.2 Model Checking Temporal Logic
    [Figure: Model checking E□ψ, showing the sets Q1, Q2 = Q3 and the iteration step Q2 := Q3 ∩ pre(Q1).]
    Theorem 5.3 (CTL [Clarke et al., 1986, Schnoebelen, 2003]): Model checking CTL is P-complete, and can be done in time O(|M| · |ϕ|), where |M| is given by the number of transitions.
    Proof: The algorithm determining the states in a model at which a given formula holds is presented in Figure 4 on Slide 221. The lower bound (P-hardness) can for instance be proven by a reduction of the Circuit-Value-Problem [Schnoebelen, 2003].
        function mcheck(M, ϕ).
          case ϕ ≡ p : return {q ∈ Q | p ∈ π(q)}
          case ϕ ≡ ¬ψ : return Q \ mcheck(M, ψ)
          case ϕ ≡ ψ1 ∧ ψ2 : return mcheck(M, ψ1) ∩ mcheck(M, ψ2)
          case ϕ ≡ E○ψ : return pre(mcheck(M, ψ))
          case ϕ ≡ E□ψ : Q1 := Q; Q2 := Q3 := mcheck(M, ψ);
                         while Q1 ⊈ Q2 do Q1 := Q1 ∩ Q2; Q2 := pre(Q1) ∩ Q3 od;
                         return Q1
          case ϕ ≡ Eψ1 U ψ2 : Q1 := ∅; Q2 := mcheck(M, ψ2); Q3 := mcheck(M, ψ1);
                         while Q2 ⊈ Q1 do Q1 := Q1 ∪ Q2; Q2 := pre(Q1) ∩ Q3 od;
                         return Q1
        end case
    Figure 4: CTL-model checking algorithm
    Büchi automata. We are mainly interested in the complexity class (and an abstract algorithm) of the model checking problem. Is there a more convenient way to determine the complexity without working out the algorithm? Automata-theory to build algorithms: Unified approach. Automata are well studied. Simplifies complexity analysis. Usually, one is only interested in a complexity class. It is very time-demanding to come up with a good algorithm.
  • 56. Slides 221–224. 5.2 Model Checking Temporal Logic
    Automata and Model Checking. How can we use ω-automata for the model checking problem? The basic idea is the following:
      1. We build an automaton A_{M,q0} accepting the paths of model M, q0.
      2. We build an automaton A_ϕ accepting all paths satisfying ϕ.
      3. Then, we have: M |= ϕ iff L(A_{M,q0}) ⊆ L(A_ϕ).
    Remark 5.4: A more detailed presentation of Büchi automata can be found in Section 9 (cf. pages 353).
    Definition 5.5 (Büchi-automaton): An ω-automaton is a tuple A = (Q, Σ, ∆, qI, F) where
      1. Q is a finite set of states;
      2. Σ is a finite alphabet;
      3. ∆ ⊆ Q × Σ × Q is a transition relation;
      4. qI is the initial state; and
      5. F ⊆ Q is the acceptance component (which is specialised in the following).
    Definition 5.6 (Run): A run ρ = ρ(0)ρ(1) · · · ∈ Q^ω of A on a word w = w1 w2 · · · ∈ Σ^ω is an infinite sequence of states of A such that:
      1. ρ(0) = qI
      2. ρ(i) ∈ ∆(ρ(i − 1), wi) for i ≥ 1.
    How could we accept the following language? L = {w ∈ {a, b}^ω | w contains infinitely many a and only finitely many b}. Is it sufficient to reach a final state once?
    We define Inf(ρ) as the set of all states that occur infinitely often on ρ; that is, Inf(ρ) = {q ∈ Q | ∀i∃j(j > i ∧ ρ(j) = q)}.
    Definition 5.7 (Acceptance): A Büchi automaton A accepts w ∈ Σ^ω if, and only if, there is a run ρ of A such that Inf(ρ) ∩ F ≠ ∅. The language accepted by A, L(A), consists of all words accepted by A. That is, L(A) = {w ∈ Σ^ω | A accepts w}.
    Thus, such an automaton accepts all words such that some state from F is visited infinitely often on a corresponding run. Other acceptance conditions yield different automata types: Rabin automata, Muller automata.
  • 57. Slides 225–228. 5.2 Model Checking Temporal Logic
    Example 5.8: Is there a Büchi Automaton that accepts the following language L over Σ = {a, b, c}? L = {w ∈ Σ^ω | w contains infinitely many a or b and only finitely many c}
    Example 5.9: Is there a Büchi Automaton that accepts the following language L over Σ = {a, b}? L = {w ∈ Σ^ω | w ends with a^ω or (ab)^ω} (blackboard)
    Model Checking LTL. Büchi Automata and Kripke Models. We can relate a Kripke model M = (Q, R, π) and a state q0 ∈ Q to a Büchi automaton A_{M,q0} = (Σ, Q, q0, ∆, Q) where
      Σ = P(Prop): each input symbol is a set of propositions,
      q′ ∈ ∆(q, w) iff ((q, q′) ∈ R and w = π(q)),
      all states being accepting states (i.e. each infinite run of the automaton is accepting).
    [Figure: a Kripke model with states q0 (labelled r, s) and q1 (labelled p) and the corresponding automaton with transitions labelled {r, s} and {p}.]
    Note: The automaton accepts words over P(Prop) but paths are sequences of states! What now?
    LTL Semantics Revisited. The truth of λ, π |= ϕ does only depend on the propositions true at states. Clearly, for paths λ, λ′ we have the following: If for all i ∈ N0 π(λ[i]) = π(λ′[i]) then λ, π |= ϕ iff λ′, π |= ϕ. Hence, we can also use the infinite word
        λ_π := π(λ[0])π(λ[1])π(λ[2]) · · · ∈ P(Prop)^ω
    to give truth to LTL-formulae. Now, we can simply replace λ, π by λ_π everywhere and modify the clause for propositions as follows: λ_π |=LTL p iff p ∈ λ_π[0].
  • 58. Slides 229–232. 5.2 Model Checking Temporal Logic
    We can state the relation between Λ_M, M, q and A_{M,q} precisely.
    Proposition 5.10: Let M = (Q, R, π) and q0 ∈ Q. The automaton A_{M,q0} accepts the language {λ_π | λ ∈ Λ_M(q0)}. Proof. Exercise!
    The Automaton A_ϕ. In the following we define the automaton A_ϕ accepting exactly those infinite words w over P(Prop) such that w |= ϕ. Then, we have:
        M, q |= ϕ iff L(A_{M,q}) ⊆ L(A_ϕ) iff L(A_{M,q}) ∩ (Σ^ω \ L(A_ϕ)) = ∅.
    How can we avoid the complementation of the Büchi automaton (this operation is expensive)? We have:
        L(A_{M,q}) ∩ (Σ^ω \ L(A_ϕ)) = ∅ iff L(A_{M,q}) ∩ L(A_¬ϕ) = ∅.
    So: model checking is reduced to emptiness checking of Büchi automata.
    Example 5.11 (Automaton for ♦green): Construct a Büchi automaton which accepts all paths satisfying ♦green over Prop = {green}. Thus, the automaton can read ∅ or {green}. [Figure: automaton with states q0, q1, q2 and transitions labelled ∅ and {green}.] The automaton accepts e.g. ∅∅∅({green})^ω ≙ q0 q0 q0 (q1)^ω and (∅{green})^ω ≙ (q0 q1)^ω.
    Example 5.12 (Automaton for ♦ green): Construct a Büchi automaton which accepts all paths satisfying ♦ green over Prop = {green}. [Figure: automaton with states q0, q1 and transitions labelled ∅ and {green}.] Note that this automaton is non-deterministic.
  • 59. Slides 233–236. 5.2 Model Checking Temporal Logic
    In the following we describe how the automaton A_ϕ can be constructed systematically.
    Theorem 5.13 ([Sistla and Clarke, 1985, Lichtenstein and Pnueli, 1985, Vardi and Wolper, 1986]): For a given L_LTL-formula ϕ a Büchi Automaton A_ϕ = (S, Σ, ∆, S0, F) accepting exactly the words satisfying ϕ can be constructed where Σ = P(Prop) and |S| ≤ 2^(O(|ϕ|)). The proof of this Theorem is given in Section 3.
    Main ideas underlying automaton construction:
      States are built from subformulae of ϕ.
      Each state is labelled with propositionally consistent sets.
      The transition relation reflects the semantics of LTL; e.g. if a state contains ○p then all related states contain p.
      Initial states are states which contain ϕ.
      Runs of the automaton correspond to ω-paths.
      It needs to be ensured that all eventualities are fulfilled.
    Definition 5.14 (Â_ϕ): The generalized Büchi automaton for ϕ over Prop is defined as Â_ϕ = (Σ, S, ∆, S0, F) where
      1. Σ = P(Prop)
      2. S = EL(ϕ) (cf. Def. 5.23)
      3. S0 = {s ∈ S | ϕ ∈ s}
      4. F see below
      5. (s, a, t) ∈ ∆ iff
         1. s ∩ Prop = a
         2. ∀○ψ ∈ cl(ϕ) : ○ψ ∈ s iff ψ ∈ t
         3. ∀ϕ1 U ϕ2 ∈ cl(ϕ) : ϕ1 U ϕ2 ∈ s iff (ϕ2 ∈ s or (ϕ1 ∈ s and ϕ1 U ϕ2 ∈ t))
    Let ϕ1 U ψ1, . . . , ϕn U ψn be all eventualities occurring in cl(ϕ). Then, we define F = {F1, . . . , Fn} with
        Fi = {s ∈ S | {ϕi U ψi, ψi} ⊆ s or ϕi U ψi ∉ s}.
    That is, F = {{s ∈ Q | ϕ1 U ϕ2 ∉ s or ϕ2 ∈ s} | ϕ1 U ϕ2 ∈ cl(ϕ)}.
  • 60. Slides 237–240. 5.2 Model Checking Temporal Logic
    [Figures: step-by-step construction of the transitions of the automaton for r U s over the states {r U s, r, s}, {¬(r U s), ¬r, ¬s}, {r U s, r, ¬s}, {¬(r U s), r, ¬s} and {r U s, ¬r, s}, one slide per input read (“A reads {r}”, “A reads {s}”, “A reads {r, s}”, “A reads ∅”).]
    Rule shown on each slide: (s, a, t) ∈ ∆ then ∀r U s ∈ cl(ϕ) : r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t))
  • 61. Slides 241–244. 5.2 Model Checking Temporal Logic
    [Figure: The complete automaton for r U s, with transitions labelled ∅, {r}, {s} and {r, s}.] (s, a, t) ∈ ∆ then ∀r U s ∈ cl(ϕ) : r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t))
    Theorem 5.15 (LTL [Sistla and Clarke, 1985, Lichtenstein and Pnueli, 1985, Vardi and Wolper, 1986]): Model checking LTL is PSPACE-complete, and can be done in time 2^O(|ϕ|) O(|M|), where |M| is given by the number of transitions.
    Proof: Upper Bound. Given an L_LTL-formula ϕ.
      1. Construct Büchi automaton A_¬ϕ of size 2^O(|ϕ|) accepting exactly the words satisfying ¬ϕ.
      2. Kripke model M, q can directly be interpreted as a Büchi automaton A_{M,q} of size O(|M|) accepting all possible words in the Kripke model starting in q.
      3. The model checking problem reduces to the emptiness check of L(A_{M,q}) ∩ L(A_¬ϕ) which can be done in polynomial time wrt the size of the automaton (cf. pp. 377). That is, in time O(|M|) · 2^O(|ϕ|) by constructing the product automaton.
    Proof: In PSPACE. We consider the automaton A := A_{M,q} × A_ϕ where A_ϕ is a GBA accepting paths satisfying ϕ (cf. Def. 7.11). We guess an accepting run as follows:
      Non-deterministically guess a run u0 . . . un−1 (un . . . un+m−1)^ω where each ui = (qi, Bi).
      Check whether it is a valid run (this can be done “locally”).
      In particular, all eventualities between un and un+m−1 must be satisfied.
    Implementation: Guess state un and only the next state in the sequence. Keep a counter that counts the number of steps. At most O(|M| · exp(|ϕ|)) steps are necessary (binary encoding).
  • 62. Slides 245–248. 5.2 Model Checking Temporal Logic
    Proof: Lower Bound. Simulate n^k-space bounded deterministic Turing machine A = (S, Σ, δ, s0, Sf).
      1. Use n^k ○-operators to describe an ID.
      2. ψ_w: Encodes the input w.
      3. ψ_valid: Checks whether an ID is valid.
      4. ψ_next: Ensures that each successive ID follows from the current one.
      5. ψ_accept: Describes the halting configurations.
    Let ψ := ψ_w ∧ ψ_valid ∧ ψ_next ∧ ψ_accept. Then, we have M, q0 ⊭ ¬ψ iff ∃λ ∈ Λ(q0) : λ, π |= ψ iff A accepts w.
    Proof: Lower Bound. A path will be related to a sequence of instantaneous descriptions. [Figure: a configuration (Instant Description) delimited by ID-Start and ID-End and consisting of Tape Cell 1, Tape Cell 2, ..., Tape Cell n^k; the content of one cell is highlighted.] Prop = (S × Σ) ∪ Σ ∪ {ID-Start, ID-End}
    Model Checking CTL∗.
    Theorem 5.16 (CTL∗ [Clarke et al., 1986, Emerson and Lei, 1987]): Model checking CTL∗ is PSPACE-complete.
    Example 5.17 (LTL mchecking for CTL∗ mchecking): In which states does ϕ = E♦ A ♦¬r hold? How to use LTL model checking? [Figure: a model with states q1, q2, q3, q4 and labels r, p1, p2.]
    Proof. Upper bound: Combine CTL and LTL model checking.
      Consider L_CTL∗-formula ϕ containing Eψ where ψ is a pure L_LTL-formula.
      Determine all states which satisfy Eψ (these are all states q with M, q ⊭LTL ¬ψ). Complexity: PSPACE.
      Label them by a fresh proposition, say p, and replace Eψ in ϕ by p: [illustration on the slide: E (r ∧ E♦s ), E (p2 ∧ p1 )]
      Applying this procedure recursively yields a pure L_CTL-formula which can be verified in polynomial time.
      Complexity: P^PSPACE = PSPACE.
    Hardness: immediate from Theorem 5.15 as L_LTL “can be seen” as a fragment of L_CTL∗.
    This is a standard approach often used!
  • 63. Slides 249–252. 5.2 Model Checking Temporal Logic
    Summary. Model checking CTL is P-complete. Model checking LTL is PSPACE-complete. The algorithm has been constructed from Büchi automata. Model checking CTL∗ is also PSPACE-complete. The algorithm is obtained by combining the ones for CTL and LTL.
    5.3 LTL: Automaton A_ϕ and Proof of Theorem (skipped)
    What does the automaton look like? States will consist of subformulae of ϕ (or their negations). A run ρ = S1 S2 . . . of the automaton is an infinite sequence of such sets of subformulae. Given a word λ_π = w1 w2 . . . with λ_π |= ϕ we would like to enrich each (propositional) wi with subformulae to Si such that
        λ_π[i, ∞] |= ψ iff ψ ∈ Si
    for all subformulae ψ of ϕ. Intuitively, each Si encodes the formulae which should be true at this moment. The basic idea is that a run of the automaton simulates the LTL semantics.
    Definition 5.18 (Closure cl(ϕ)): The closure cl(ϕ) is defined as follows:
      1. ϕ ∈ cl(ϕ),
      2. φ ∧ ψ ∈ cl(ϕ) implies φ, ψ ∈ cl(ϕ),
      3. ¬ψ ∈ cl(ϕ) implies ψ ∈ cl(ϕ),
      4. ψ ∈ cl(ϕ) and ψ ≠ ¬φ implies ¬ψ ∈ cl(ϕ),
      5. ○ψ ∈ cl(ϕ) implies ψ ∈ cl(ϕ),
      6. ψ U φ ∈ cl(ϕ) implies ψ, φ ∈ cl(ϕ).
    Note that it holds that |cl(ϕ)| ≤ 2|ϕ|.
  • 64. Slides 253–256. 5.3 LTL: Automaton A_ϕ and Proof of Theorem (skipped)
    Example 5.19 (Closure): What does the closure for ϕ = r U (s ∨ t) look like? The closure cl(ϕ) consists of the following formulae: 1. ϕ 2. s ∨ t 3. r 4. s 5. t and their negations!
    What other properties should such sets fulfill? Note that we are interested in a correspondence to runs.
    Definition 5.20 (Logically consistent): We call B ⊆ cl(ϕ) propositionally consistent iff for all ϕ1 ∧ ϕ2, ψ ∈ cl(ϕ):
      1. ϕ1 ∧ ϕ2 ∈ B iff ϕ1 ∈ B and ϕ2 ∈ B,
      2. ψ ∈ B implies ¬ψ ∉ B,
      3. ∈ cl(ϕ) implies ∈ B.
    We identify ¬¬ϕ with ϕ.
    Definition 5.21 (Locally consistent): We call B ⊆ cl(ϕ) locally consistent iff for all ϕ1 U ϕ2 ∈ cl(ϕ):
      1. ϕ2 ∈ B implies ϕ1 U ϕ2 ∈ B.
      2. ϕ1 U ϕ2 ∈ B and ϕ2 ∉ B implies ϕ1 ∈ B.
    Definition 5.22 (Maximal consistent): We call B ⊆ cl(ϕ) maximal iff for all ψ ∈ cl(ϕ): ψ ∉ B implies ¬ψ ∈ B. We identify ¬¬ϕ with ϕ.
    Definition 5.23 (Elementary, EL(ϕ)): We call B ⊆ cl(ϕ) elementary iff B is propositionally and locally consistent and maximal. We define EL(ϕ) as the set of all elementary subsets of cl(ϕ). In the following we construct infinite words over EL(ϕ) that correspond to accepting paths.
    The closure of ϕ = r U s is given by {ϕ, ¬ϕ, r, s, ¬r, ¬s}. Which of the following sets are elementary?
      1. ∅
      2. {r U s, r, s}
      3. {r U s, r}
      4. {r U s, ¬r, ¬s}
      5. {r U s, ¬r, s}
      6. {r U s, r, ¬s}
      7. {r U s, r, ¬r, ¬s}
      8. {¬(r U s), r, ¬s}
      9. {¬(r U s), ¬r, ¬s}
  • 65. Slides 257–260. 5.3 LTL: Automaton A_ϕ and Proof of Theorem (skipped)
    Example 5.24 (Elementary sets): The closure of ϕ = r U s is given by cl(ϕ) = {ϕ, ¬ϕ, r, s, ¬r, ¬s}. The following list contains all elementary sets of ϕ:
      1. E1 = {r U s, r, s}
      2. E2 = {r U s, ¬r, s}
      3. E3 = {r U s, r, ¬s}
      4. E4 = {¬(r U s), r, ¬s}
      5. E5 = {¬(r U s), ¬r, ¬s}
    In the following, we construct the Büchi automaton A_ϕ for ϕ = r U s.
    Constructing the Automaton for r U s. [Figure: the five elementary sets drawn as states.]
      Initial states? {s ∈ S | ϕ ∈ s}
      Accepting states? If ϕ1 U ϕ2 ∈ cl(ϕ) then ϕ1 U ϕ2 ∉ s or ϕ2 ∈ s
    [Figures: the same states with the transitions added for the input {r} (“A reads {r}”, “A reads {s}”).] (s, a, t) ∈ ∆ then ∀r U s ∈ cl(ϕ) : r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t))
  • 66. Slides 261–264. 5.3 LTL: Automaton A_ϕ and Proof of Theorem (skipped)
    [Figures: the construction of the automaton for r U s continued, adding the transitions for the inputs {s}, {r, s} and ∅ (“A reads {s}”, “A reads {r, s}”, “A reads ∅”) and ending with “The complete automaton”.]
    Rule shown on each slide: (s, a, t) ∈ ∆ then ∀r U s ∈ cl(ϕ) : r U s ∈ s iff (s ∈ s or (r ∈ s and r U s ∈ t))
  • 67. Slides 265–268. 5.3 LTL: Automaton A_ϕ and Proof of Theorem (skipped)
    Encoding as Generalised Büchi Automaton. The basic idea of the encoding is the following:
      Semantics of propositional logic? states
      ○-operator? transition relation
      U-operator? states plus transition relation plus acceptance condition: ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ ○(ϕ1 U ϕ2))
    Remark 5.25 (Acceptance states): We need to ensure that eventualities actually become fulfilled. So, once a state containing an eventuality ϕ1 U ϕ2 is visited, sometime in the future a state containing ϕ2 must be visited. We require that states containing (ϕ2 and ϕ1 U ϕ2) or ¬(ϕ1 U ϕ2) occur infinitely often. But what if there is more than one eventuality in cl(ϕ)? We need to fulfill all of them.
    We use generalized Büchi automata (cf. pp. 365). They allow sets of sets of final states. We associate each eventuality formula with one of these sets: the Büchi acceptance set F ⊆ Q is replaced by F ⊆ P(Q): A accepts w ∈ Σ^ω if, and only if, there is a run ρ of A such that for each Fi ∈ F: Inf(ρ) ∩ Fi ≠ ∅. For each generalised Büchi automaton one can construct an equivalent Büchi automaton (cf. Theorem 7.12).
    Definition 5.26 (Â_ϕ): The generalized Büchi automaton for ϕ over Prop is defined as Â_ϕ = (Σ, S, ∆, S0, F) where
      1. Σ = P(Prop)
      2. S = EL(ϕ)
      3. S0 = {s ∈ S | ϕ ∈ s}
      4. F see below
      5. (s, a, t) ∈ ∆ iff
         1. s ∩ Prop = a
         2. ∀○ψ ∈ cl(ϕ) : ○ψ ∈ s iff ψ ∈ t
         3. ∀ϕ1 U ϕ2 ∈ cl(ϕ) : ϕ1 U ϕ2 ∈ s iff (ϕ2 ∈ s or (ϕ1 ∈ s and ϕ1 U ϕ2 ∈ t))
  • 68. 5 Complexity of Verification: Model Checking
    5.3 LTL: Automaton Aϕ and Proof of Theorem (skipped)
    Let ϕ1 U ψ1, . . . , ϕn U ψn be all eventualities occurring in cl(ϕ). Then, we define F = {F1, . . . , Fn} with
      Fi = {s ∈ S | {ϕi U ψi, ψi} ⊆ s or ϕi U ψi ∉ s}.
    That is,
      F = {{s ∈ Q | ϕ1 U ϕ2 ∉ s or ϕ2 ∈ s} | ϕ1 U ϕ2 ∈ cl(ϕ)}.
    Proof of the Theorem
    In the following we introduce notation necessary for the proof. It is easily seen that we have the following fixed-point equivalence
      ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ ϕ1 U ϕ2).
    We construct a path over EL(ϕ) which “respects” the semantics of LTL. Recall that we would like to have:
      λπ[i, ∞] |= ψ iff ψ ∈ Si
    Definition 5.27 (ϕ-closure-labelling)
    A ϕ-closure-labelling is a function τ : N0 → EL(ϕ) such that:
      (C1) ϕ ∈ τ(i) iff ϕ ∈ τ(i + 1),
      (C2) ϕ1 U ϕ2 ∈ τ(i) iff ϕ2 ∈ τ(i) or (ϕ1 ∈ τ(i) and ϕ1 U ϕ2 ∈ τ(i + 1)),
      (C3) ϕ1 U ϕ2 ∈ τ(i) implies ∃j (j ≥ i and ϕ2 ∈ τ(j)).
    Given a word λπ, a closure labelling corresponding to λπ should agree with the propositional symbols.
    Definition 5.28 (λπ-valid)
    A ϕ-closure-labelling τ is said to be λπ-valid iff for all p ∈ Prop it holds that
      1 p ∈ τ(i) implies p ∈ λπ[i], and
      2 ¬p ∈ τ(i) implies p ∉ λπ[i].
  • 69. 5 Complexity of Verification: Model Checking
    5.3 LTL: Automaton Aϕ and Proof of Theorem (skipped)
    Lemma 5.29 (Soundness Lemma)
    Let ϕ ∈ L_LTL(Prop) and τ be a λπ-valid closure labelling. Then, for all ϕ′ ∈ cl(ϕ) and all i ≥ 0 it holds that
      ϕ′ ∈ τ(i) iff λπ[i, ∞] |= ϕ′.
    The proof is done by structural induction on ϕ′. Exercise!
    Lemma 5.30 (Existence Lemma)
    Let ϕ ∈ L_LTL(Prop). If λπ |= ϕ, then there is a λπ-valid ϕ-closure labelling τ such that ϕ ∈ τ(0).
    Proof: The labelling is constructed from subformulae true at each point of λπ. Exercise!
    From these lemmata we obtain the following theorem.
    Theorem 5.31
    Let ϕ ∈ L_LTL(Prop). Then, λπ |= ϕ iff there is a λπ-valid ϕ-closure labelling τ such that ϕ ∈ τ(0).
    Now we proceed with the proof of Theorem 5.13.
    For a given L_LTL-formula ϕ a Büchi automaton Aϕ = (S, Σ, ∆, S0, F) accepting exactly the words satisfying ϕ can be constructed where Σ = P(Prop) and |S| ≤ 2^O(|ϕ|).
    Proof of Theorem 5.13.
    Using Theorem 5.31 we build a generalised Büchi automaton accepting all the infinite words λπ that correspond to a λπ-valid ϕ-closure-labelling.
      1 The automaton reads λπ.
      2 Each set of propositions causes a state change, states are elementary sets.
      3 Runs ρ of the automaton correspond to ϕ-closure labellings.
      4 ρ is accepting iff it is λπ-valid and satisfies ϕ.
    Idea:
      λ = q0 q1 q2 . . .
      λ, π |= ϕ iff λπ |= ϕ, where λπ = π(q0)π(q1)π(q2) . . .
      λπ |= ϕ iff τ is a λπ-valid ϕ-closure labelling
      iff τ is accepted by the automaton, where τ = B0 B1 B2 . . . is a run of the automaton given λπ
  • 70. 5 Complexity of Verification: Model Checking
    5.3 LTL: Automaton Aϕ and Proof of Theorem (skipped)
    Correctness: In line with Theorem 5.31 we have to show that A accepts λπ iff there is an accepting run ρ with ϕ ∈ ρ(0) and which is a λπ-valid ϕ-closure labelling. This is immediate by construction.
    Finally, we convert the generalised Büchi automaton to a Büchi automaton (cf. Proposition 7.12). The number of states of the automaton is exponential in the length of the formula.
    5.4 Model Checking MAS with Perfect Information and Recall
    Example 5.32
    Which formulae are true in the model?
      1 M, q1 |= 1 r
      2 M, q1 |= 1 s
      3 M, q1 |= 1 1 r
    [Figure: model with states q1 to q5, propositions r and s, and transitions labelled with action profiles such as (1, 1), (2, 1), (1, 2).]
    The ATL model checking algorithm employs the well-known fixpoint characterisations:
      A ϕ ↔ ϕ ∧ A A ϕ,
      A ϕ1 U ϕ2 ↔ ϕ2 ∨ ϕ1 ∧ A A ϕ1 U ϕ2.
    Do these characterisations also hold for incomplete information?
    No! A choice of an action at a state q has non-local consequences: it automatically fixes choices at all states q′ indistinguishable from q for the coalition A.
    Again, crucial for model checking is the notion of preimage.
  • 71. 5 Complexity of Verification: Model Checking
    5.4 Model Checking MAS with Perfect Information and Recall
    function pre(M, A, Q).
    Auxiliary function; returns the exact set of states Q′ such that, when the system is in a state q ∈ Q′, agents A can cooperate and enforce the next state to be in Q.
      return {q | ∃αA ∀αAgt\A o(q, αA, αAgt\A) ∈ Q}
    The function follows the same idea as the pre-image function of CTL model checking.
    Example 5.33 (Preimage operator for ATL)
      1 What is the preimage of {q2, q3}?
      2 What is the preimage of {q2}?
    These questions are not well defined. The preimage depends on a group of agents which try to reach a given region.
      1 What is the preimage of {q2, q3} wrt. any group A?
      2 What is the preimage of {q2} wrt. {1} and {2}?
    [Figure: model with states q1 to q5; a region Q1 and its preimage pre(A, Q1) are marked.]
    Besides the new definition of the preimage function the algorithm is the same as for CTL:
    function mcheck(M, ϕ).
    Returns states q with M, q |= ϕ.
      case ϕ ∈ Π : return π(p)
      case ϕ = ¬ψ : return Q \ mcheck(M, ψ)
      case ϕ = ψ1 ∨ ψ2 : return mcheck(M, ψ1) ∪ mcheck(M, ψ2)
      case ϕ = A ψ (next) : return pre(M, A, mcheck(M, ψ))
      case ϕ = A ψ (always) :
        Q1 := Q; Q2 := mcheck(M, ψ); Q3 := Q2;
        while Q1 ⊈ Q2 do Q1 := Q2; Q2 := pre(M, A, Q1) ∩ Q3 od;
        return Q1
      case ϕ = A ψ1 U ψ2 :
        Q1 := ∅; Q2 := mcheck(M, ψ1); Q3 := mcheck(M, ψ2);
        while Q3 ⊈ Q1 do Q1 := Q1 ∪ Q3; Q3 := pre(M, A, Q1) ∩ Q2 od;
        return Q1
      end case
    Multi-agent extension of CTL model checking.
    Note that: ATL = ATL_Ir = ATL_IR (cf. Theorem 2.9)
    Theorem 5.34 (ATL_Ir and ATL_IR [Alur et al., 2002])
    Model checking ATL_Ir and ATL_IR is P-complete, and can be done in time O(|M| · |ϕ|), where |M| is given by the number of transitions in M.
    Note that the size of M is exponential in the number of states and agents!
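The pre and mcheck functions above, as a runnable sketch. This is an added example, not code from the course: the tuple encoding of formulas, the operator names "true", "next", "always" and "until", the CGS tuple and the three-state model are all assumptions made for illustration.

```python
from collections import namedtuple
from itertools import product

# Concurrent game structure (field names are assumptions of this example):
# actions[q][agent] -> available actions, delta[q][joint] -> successor state,
# where joint is a tuple of actions ordered like `agents`.
CGS = namedtuple("CGS", "agents states actions labels delta")

def pre(m, coalition, target):
    """States where `coalition` has a joint action that forces the next state
    into `target`, whatever the remaining agents choose."""
    inside = [a for a in m.agents if a in coalition]
    outside = [a for a in m.agents if a not in coalition]
    enforced = set()
    for q in m.states:
        for ours in product(*(m.actions[q][a] for a in inside)):
            fixed = dict(zip(inside, ours))

            def successor(theirs):
                joint = {**fixed, **dict(zip(outside, theirs))}
                return m.delta[q][tuple(joint[a] for a in m.agents)]

            if all(successor(theirs) in target
                   for theirs in product(*(m.actions[q][a] for a in outside))):
                enforced.add(q)
                break
    return enforced

def mcheck(m, phi):
    """Set of states satisfying phi (perfect information, as in the slides)."""
    op = phi[0]
    if op == "true":
        return set(m.states)
    if op == "prop":
        return {q for q in m.states if phi[1] in m.labels[q]}
    if op == "not":
        return set(m.states) - mcheck(m, phi[1])
    if op == "or":
        return mcheck(m, phi[1]) | mcheck(m, phi[2])
    if op == "next":                      # coalition phi[1] enforces phi[2] next
        return pre(m, phi[1], mcheck(m, phi[2]))
    if op == "always":                    # greatest fixpoint
        q1, q2 = set(m.states), mcheck(m, phi[2])
        q3 = set(q2)
        while not q1 <= q2:
            q1 = q2
            q2 = pre(m, phi[1], q1) & q3
        return q1
    if op == "until":                     # least fixpoint
        q1, q2, q3 = set(), mcheck(m, phi[2]), mcheck(m, phi[3])
        while not q3 <= q1:
            q1 = q1 | q3
            q3 = pre(m, phi[1], q1) & q2
        return q1
    raise ValueError("unknown operator: %r" % (op,))

def example_model():
    """Constructed model: at q0 the agents play matching pennies; equal
    actions lead to q1 (labelled r), different ones to q2 (labelled s)."""
    actions = {"q0": {1: ["a", "b"], 2: ["a", "b"]},
               "q1": {1: ["a"], 2: ["a"]},
               "q2": {1: ["a"], 2: ["a"]}}
    delta = {"q0": {("a", "a"): "q1", ("b", "b"): "q1",
                    ("a", "b"): "q2", ("b", "a"): "q2"},
             "q1": {("a", "a"): "q1"},
             "q2": {("a", "a"): "q2"}}
    labels = {"q0": set(), "q1": {"r"}, "q2": {"s"}}
    return CGS((1, 2), {"q0", "q1", "q2"}, actions, labels, delta)

if __name__ == "__main__":
    m = example_model()
    eventually_r = lambda group: ("until", group, ("true",), ("prop", "r"))
    print("agent 1 alone:", sorted(mcheck(m, eventually_r({1}))))
    print("agents 1 and 2:", sorted(mcheck(m, eventually_r({1, 2}))))
```

In the constructed model agent 1 alone cannot force r from q0, while the coalition of both agents can, which is the group dependence of the preimage that Example 5.33 points at.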
  • 72. 5 Complexity of Verification: Model Checking
    5.4 Model Checking MAS with Perfect Information and Recall
    And-Or-Graph Reachability
    For the lower bound, we reduce reachability in and-or-graphs.
    An and-or graph [Immerman, 1981] is a tuple (E, V, l) such that G = (E, V) is a directed acyclic graph and l : V → {∧, ∨} a labeling function.
    Let x1, . . . , xn denote all successor nodes of u. v is said to be reachable from u iff
      1 u = v; or
      2 l(u) = ∧, n ≥ 1, and v is reachable from all xi’s; or,
      3 l(u) = ∨, n ≥ 1, and v is reachable from some xi.
    Theorem 5.35 ([Immerman, 1981])
    The and-or-graph reachability problem is P-complete.
    Proof: Lower Bound
    Hardness is shown by a reduction of reachability in And-Or-Graphs:
      Transform and-or-graph to a CGS;
      Player 1 owns or-states;
      Player 2 owns and-states;
      v reachable from a iff M, a |= 1 ♦lv.
    ATL∗ with perfect recall
    For perfect recall, we cannot simply guess a strategy Q+ → Act.
    For model checking an automata theoretic approach is used.
    Consider the formula A ψ where ψ ∈ L_LTL and CGS M and a state q.
      1 A tree automaton A_M,q,A is used to accept all possible executions in M which can be enforced by A following some strategy. (Note: A ψ says that there is some “tree” such that ψ holds along all branches).
      2 A tree automaton Aψ is constructed to accept all (tree-like) models satisfying the L_CTL∗-formula Aψ.
      3 We have: M, q |= A ψ iff L(A_M,q,A) ∩ L(Aψ) ≠ ∅.
    Execution trees
    [Figure: a CGS with states q1, q2 and transitions labelled (α, α), (β, α), (α, β); its tree unravelling; a (q1, {1})-execution tree.]
  • 73. 5 Complexity of Verification: Model Checking
    5.4 Model Checking MAS with Perfect Information and Recall
    A (q, A)-execution tree is induced by out(q, sA) for some strategy sA of A.
    Intuitively, the transition relation of A_M,q,A in a state q0 is constructed from the different choices which A can enforce at q0.
    [Figure: transitions from q0 to q1, ..., q5 labelled with action profiles (1, 1), (1, 2), (2, 1), (2, 2), (2, 3).]
    Theorem 5.36 (ATL∗_IR [Alur et al., 2002])
    Model checking ATL∗_IR is 2EXPTIME-complete in the number of transitions in the model and the length of the formula.
    Complexity: Size of the automata and checking emptiness.
    5.5 Model Checking MAS with Imperfect Information or No Recall
    Complexity Classes
    Deterministic Turing machine (DTM)
      infinite (readable and writable) tape
      finitely many states
      deterministic moves
    Non-deterministic Turing machine (NTM)
      Like a DTM but non-deterministic moves are allowed.
    Oracle Machine (OTM)
      Let A be a language. An A-oracle machine is a DTM or NTM with a subroutine which allows to decide in one step whether w ∈ A for some word w.
      For a complexity class C a C-oracle machine is an A-oracle machine for any A ∈ C.
    Complexity Classes Σ^P_2, ∆^P_2, ∆^P_3
      Σ^P_i: problems solvable in polynomial time by a non-deterministic Turing machine making adaptive queries to a Σ^P_(i−1) oracle; i.e. by Σ^P_(i−1)-oracle polynomial time NTMs.
      Σ^P_2 = NP^NP: problems solvable in polynomial time by a non-deterministic Turing machine making adaptive queries to an NP oracle.
      ∆^P_2 = P^NP: A problem is in ∆^P_2 = P^NP if it can be solved in deterministic polynomial time with subcalls to an NP-oracle.
      We also have ∆^P_3 := P^[NP^NP] and ∆^P_1 = P.
    We have:
      P = ∆^P_1 ⊆ Σ^P_1 = NP ⊆ ∆^P_2 ⊆ Σ^P_2 ⊆ · · · ⊆ PH ⊆ PSPACE.
  • 74. 5 Complexity of Verification: Model Checking
    5.5 Model Checking MAS with Imperfect Information or No Recall
    Number of Strategies
    We have introduced four types of strategies:
      1 ir-strategies;
      2 Ir-strategies;
      3 IR-strategies;
      4 iR-strategies.
    How many strategies are there for each type?
      1 exponentially many;
      2 exponentially many;
      3 infinitely many;
      4 infinitely many.
    Exponentially many wrt the size of the input! ≈ |Act|^(|Agt|·|Q|)
    Assume we are looking for a good Ir-strategy wrt some property P. How complex is this task? (Upper bound)
    It is in NP, provided P ∈ P!
      1 Guess sA;
      2 check whether sA satisfies P.
    And the case for good ir-strategies?
    It is also in NP, provided P ∈ P! Why? What about uniformity?
      1 Guess Ir-strategy sA;
      2 check whether it is an ir-strategy, i.e. for uniformity (Q is finite!);
      3 check whether sA satisfies P.
    What if P is verifiable in C for an arbitrary complexity class C?
    Finding ir- and Ir-strategies is in NP^C.
    What about perfect recall strategies?
    There are infinitely many: So there is no general method!
    Imperfect Information
    Agent’s ability to identify a strategy as winning also varies throughout the game in an arbitrary way (agents can learn as well as forget). This suggests that winning strategies cannot be synthesized incrementally. Indeed the fixpoint characterisations do not hold!:
      A ϕ ↔ ϕ ∧ A A ϕ,
      A ϕ1 U ϕ2 ↔ ϕ2 ∨ ϕ1 ∧ A A ϕ1 U ϕ2.
    How to model check a formula M, q |= A γ where γ includes no nested cooperation modalities?
    Theorem 5.37 (ATL_ir)
    Model checking ATL_ir is ∆^P_2-complete.
    The lower bound is proven by a reduction of SNSAT1.
  • 75. 5 Complexity of Verification: Model Checking
    5.5 Model Checking MAS with Imperfect Information or No Recall
    Recall: ∆^P_2 = P^NP
    Proof: Upper Bound
    Let A γ be given where γ includes no nested cooperation modalities.
      1 Guess a strategy sA of A.
      2 “Prune” M to M|sA; i.e. remove transitions that cannot occur according to sA.
      3 Remove labels from M|sA and interpret it as Kripke structure M′|sA.
      4 Then, M, q |= A γ iff M′|sA, q |=CTL Aγ
    The basic idea is to guess a strategy and apply CTL model checking.
    ATL and CTL: Pruning
    [Figure: the model before and after pruning; transitions are labelled with action profiles such as (α, α), (α, β), (β, α).]
    Guess the strategy s1 in which 1 always plays α.
    1 ♦γ: guess s1, check A♦γ in the pruned model
    Model Checking ATL∗ with memoryless strategies
    To solve the model checking problem for ATL∗_Ir we make use of CTL∗ model checking.
    The basic idea for model checking A ψ is as follows:
      1 Guess a strategy sA : Q → Act^|A| (in NP).
      2 Prune the model; i.e. remove transitions which cannot occur.
      3 CTL∗ model check Aψ in the resulting model.
    Pruning the model
    We can reduce model checking to model checking CTL∗:
    [Figure: the model before and after pruning; transitions are labelled with action profiles such as (α, α), (α, β), (β, α).]
    Guess the strategy s1 in which 1 always plays α.
    1 ♦γ: guess s1, check A♦γ in the pruned model
    s1: agent 1 plays α in all states.
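The guess, prune and check procedure above, carried out for a single agent and a reachability goal, with exhaustive enumeration standing in for the nondeterministic guess. This is an added example, not code from the course: the five-state model, the INDIST information sets and all function names are constructed for illustration.

```python
from itertools import product

# Constructed model: agent 2 moves first from q0 to qa or qb; agent 1 then
# has to pick the matching action, but cannot tell qa and qb apart.
AGENTS = (1, 2)
ACTIONS = {"q0": {1: ["n"], 2: ["l", "r"]},
           "qa": {1: ["a", "b"], 2: ["n"]},
           "qb": {1: ["a", "b"], 2: ["n"]},
           "win": {1: ["n"], 2: ["n"]},
           "lose": {1: ["n"], 2: ["n"]}}
DELTA = {"q0": {("n", "l"): "qa", ("n", "r"): "qb"},
         "qa": {("a", "n"): "win", ("b", "n"): "lose"},
         "qb": {("a", "n"): "lose", ("b", "n"): "win"},
         "win": {("n", "n"): "win"},
         "lose": {("n", "n"): "lose"}}
INDIST = {1: [{"qa", "qb"}]}   # non-trivial information sets per agent

def strategies(agent):
    """All memoryless strategies Q -> Act of one agent (the Ir-strategies)."""
    states = sorted(ACTIONS)
    for choice in product(*(ACTIONS[q][agent] for q in states)):
        yield dict(zip(states, choice))

def is_uniform(agent, strategy):
    """ir-strategies choose the same action in indistinguishable states."""
    return all(len({strategy[q] for q in cls}) == 1
               for cls in INDIST.get(agent, []))

def prune(agent, strategy):
    """Keep only transitions consistent with the strategy and drop the action
    labels, which leaves the successor relation of a Kripke structure."""
    idx = AGENTS.index(agent)
    return {q: {t for joint, t in DELTA[q].items() if joint[idx] == strategy[q]}
            for q in DELTA}

def states_satisfying_AF(succ, goal):
    """CTL 'on all paths eventually goal' as a least fixpoint."""
    reached = set(goal)
    while True:
        new = {q for q in succ if succ[q] and succ[q] <= reached} - reached
        if not new:
            return reached
        reached |= new

def find_strategy(agent, q, goal, uniform):
    """Return a strategy that enforces reaching `goal` from q, or None.
    uniform=False searches Ir-strategies, uniform=True only ir-strategies."""
    for s in strategies(agent):
        if uniform and not is_uniform(agent, s):
            continue
        if q in states_satisfying_AF(prune(agent, s), goal):
            return s
    return None

if __name__ == "__main__":
    print("Ir:", find_strategy(1, "q0", {"win"}, uniform=False))
    print("ir:", find_strategy(1, "q0", {"win"}, uniform=True))
```

With perfect information a winning strategy exists from q0 (a in qa, b in qb); once uniformity is required none of the remaining strategies passes the CTL check.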
  • 76. 5 Complexity of Verification: Model Checking
    5.5 Model Checking MAS with Imperfect Information or No Recall
    Theorem 5.38 (ATL∗_ir and ATL∗_Ir [Schobbens, 2004])
    Model checking ATL∗_ir and ATL∗_Ir is PSPACE-complete in the number of transitions in the model and the length of the formula.
    Proof: Lower Bound
    LTL model checking is a special case of L_ATL∗ model checking: PSPACE-hard.
    Proof: Upper Bound
    Let A ψ where ψ is an L_LTL-formula.
      1 Guess an Ir-strategy (resp. ir-strategy) sA of A.
      2 “Prune” M to M|sA; i.e. remove transitions that cannot occur according to sA.
      3 Remove transition labels from M|sA and interpret it as Kripke structure M′|sA.
      4 Then, M, q |= A γ iff M′|sA, q |=CTL∗ Aγ
    This procedure can be performed in NP^PSPACE, which renders the complexity of the whole language to be in P^(NP^PSPACE) = PSPACE.
    Imperfect Information and Perfect Recall
    Conjecture 1 (ATL_iR)
    Model checking ATL_iR is undecidable.
    Recently, a proof has been proposed by Dima and Tiplea (June 2010).
    Conjecture 2 (ATL∗_iR)
    Model checking ATL∗_iR is undecidable.
    Conjecture 3 (ATL+_iR)
    Model checking ATL+_iR is undecidable.
    5.6 Summary of Complexity Results
  • 77. 5 Complexity of Verification: Model Checking
    5.6 Summary of Complexity Results

                Ir        IR          ir        iR
      L_ATL     P         P           ∆^P_2     Undecidable†
      L_ATL+    ∆^P_3     PSPACE      ∆^P_3     Undecidable†
      L_ATL∗    PSPACE    2EXPTIME    PSPACE    Undecidable†

    Figure 5: † These problems are believed to be undecidable.
    Nice results: model checking CTL and ATL is tractable.
    But: the result is relative to the size of the model and the formula.
    Well known catch (CTL): size of models is exponential wrt a higher-level description.
    Another problem: transitions are labelled.
    So: the number of transitions can be exponential in the number of agents.
    6. Complexity of Reasoning: Satisfiability
    Outline
      6 Complexity of Reasoning: Satisfiability
        Satisfiability Problem and Tableaux
        A Tableau Algorithm for LTL
        A Tableau Algorithm for CTL
        CTL∗ is 2EXPTIME-complete
        ATL and ATL∗
    We present tableau procedures for propositional logic, LTL, and CTL.
    We discuss the complexity of the satisfiability problems for LTL, CTL, CTL∗, ATL, and ATL∗.
  • 78. 6 Complexity of Reasoning: Satisfiability
    6.1 Satisfiability Problem and Tableaux
    Satisfiability Problem
    The satisfiability problem is the following question:
      Given a formula ϕ (of some logic L), is there a model M (from a class M of models associated with L) and a state q in M such that M, q |= ϕ?
    More precisely, this is the L-satisfiability problem (over class M of models). In the following we consider the class of all Kripke structures for the temporal logics.
    To obtain a decision procedure one often proceeds as follows:
      Establish a small model theorem for L: That is, if there is a model for ϕ then there also is a “small model” (in particular a finite one).
      Methods of choice: quotient constructions / filtrations (“equivalent states” are identified).
      Well-known methods are tableaux procedures: They “encode” all models of a given formula.
      Automata-theoretic constructions offer another alternative (cf. the LTL automata theoretic construction, CTL∗ and ATL∗ decision procedures).
    Tableaux for Propositional Logic
    Tableau
      Encodes all models of a given formula
      Rule-based definition allows an intuitive presentation
      Semantic structures can often be extracted easily: easy construction of satisfying models
      Often, tight limits on their size which allows a good complexity analysis.
    A tableau is a graph/tree-like structure to visualize attempts to create a model.
    For building a tableau there are rules to systematically split the input formula into subformulae.
    Each branch of the tableau represents a way of trying to build a model.
  • 79. 6 Complexity of Reasoning: Satisfiability
    6.1 Satisfiability Problem and Tableaux
    Example 6.1 (Tableau for ϕ = (a ∧ c) ∧ (¬a ∨ b))
      ϕ
      ϕ, a ∧ c
      ϕ, a ∧ c, ¬a ∨ b
        left branch:  ϕ, a ∧ c, ¬a ∨ b, ¬a;  then ϕ, a ∧ c, ¬a ∨ b, ¬a, a;  then ⊥ (Contradiction!)
        right branch: ϕ, a ∧ c, ¬a ∨ b, b;  then ϕ, a ∧ c, ¬a ∨ b, b, a;  then ϕ, a ∧ c, ¬a ∨ b, b, a, c
    All nodes are labelled with subformulae of ϕ or their negation.
    The last set in the right branch is maximally propositionally consistent (wrt. the closure of ϕ) and represents a model of ϕ.
    We assume as basic connectives: ∧ and ¬ (one can also take ∨ instead of ∧). We use Σ to represent a set of propositional formulae.
    Definition 6.2 (Propositional logic tableau rules)
    A tableau rule has the form Σ / Σ′ or Σ / (Σ′ | Σ′′). Both rules can be applied to a node n with label Σ. The effect of the first rule is a new node n′ with label Σ′ connected to n, and of the second rule two nodes n′ and n′′ labeled Σ′ and Σ′′, respectively, both connected to n.
    The propositional logic tableau rules are given as follows (premise / conclusion):
      Σ ∪ {ψ, ¬ψ} / ⊥
      Σ ∪ {¬¬ψ} / Σ ∪ ψ
      Σ ∪ {ψ ∧ χ} / Σ ∪ {ψ, χ}
      Σ ∪ {ψ ∨ χ} / Σ ∪ {ψ} | Σ ∪ {χ}
    We call a branch of a tableau closed if it contains ⊥; otherwise, open.
    Remark 6.3
      Termination can be achieved by marking subformulae already treated.
      Movement along branches represents adding consequences.
      Branching represents choices between alternatives.
      The tableau can be interpreted as a graph/tree.
      We call these tableau rules static (as the whole tableaux procedure is about finding a propositional model).
      Note also that the tableau procedure does not require any normal form (what is for instance the case for resolution).
    6.2 A Tableau Algorithm for LTL
  • 80. 6 Complexity of Reasoning: Satisfiability
    6.2 A Tableau Algorithm for LTL
    We extend the propositional tableaux algorithm such that we can check satisfiability of LTL formulae.
      Basic connectives: ¬, ∧, , U.
      Recall: ω-models are propositional worlds connected by temporal transitions.
      We introduce two kinds of tableau rules:
        static rules: affect the very (propositional) state
        transition rules: temporal evolution
      As before: nodes are labeled with subsets from cl(ϕ).
    Definition 6.4 (Closure)
    Let sub(ϕ) denote the set of subformulae of ϕ. The closure of ϕ is defined as follows:
      cl(ϕ) = sub(ϕ) ∪ {¬ψ | ψ ∈ sub(ϕ)}
    (Note, that cl(ϕ) is not closed under negation. We do identify ¬¬ψ with ψ.)
    Our first proposal to an LTL-tableau procedure is based on new tableau rules capturing the temporal evolution. Later, we will discuss an alternative approach.
    Definition 6.5 (LTL-tableau rules)
    The LTL-tableau rules extend the propositional ones from Definition 6.2 by the following static rules (premise / conclusion):
      Σ ∪ {ψ1 U ψ2} / Σ ∪ {ψ1} | Σ ∪ {ψ2}
      Σ ∪ {¬(ψ1 U ψ2)} / Σ ∪ {¬ψ2}
    and the following transition rules:
      Σ ∪ {¬ψ2, ψ1 U ψ2} / Σ ∪ {ψ1 U ψ2}
      Σ ∪ { ψ} / Σ ∪ {ψ}
    where
      Σ = {ψ | ψ ∈ Σ} ∪ {¬ψ | ¬ψ ∈ Σ}
          ∪ {ψ1 U ψ2 | ¬ψ2, ψ1 U ψ2 ∈ Σ}
          ∪ {¬(ψ1 U ψ2) | ψ1, ¬(ψ1 U ψ2) ∈ Σ}
          ∪ {t | t ∈ Σ}
    The tableau rules model propositional reasoning and temporal reasoning.
    How to apply these rules? Can we apply them in any order?
    Example 6.6
    Suppose we are given Σ = {p ∧ ¬p, q}. Then, we can obtain a label {q}. The corresponding branch of the tableau is open. However, Σ is not satisfiable!
    Propositional consistency has to be ensured before applying transition rules!
    That is, we are only allowed to apply transition rules if no more static rules can be applied and the branch is open!
    How to achieve this? Mark subformulae to which no static rule can be applied or to which a static rule has been applied. Then, only apply transition rules if all subformulae have been marked and if the branch is open.
    In the following we follow an alternative approach and “hide” the application of static rules completely and consider sets which are maximally propositionally consistent.
    Definition 6.7 (Maximally propositionally consistent)
    A set Σ ⊆ cl(ϕ) is maximally propositionally consistent wrt. cl(ϕ) if the following conditions are satisfied:
      for all ψ ∈ cl(ϕ): ψ ∈ Σ iff ¬ψ ∉ Σ;
      if ψ1 ∧ ψ2 ∈ cl(ϕ) then ψ1 ∈ Σ and ψ2 ∈ Σ; and
      if ¬(ψ1 ∧ ψ2) ∈ cl(ϕ) then ¬ψ1 ∈ Σ or ¬ψ2 ∈ Σ.
    The set of all such sets is called PC(ϕ).
    We note that such sets are not necessarily consistent in general; consider e.g. { p, ¬p}. The tableau takes care of this by a deletion mechanism.
  • 81. 6 Complexity of Reasoning: Satisfiability
    6.2 A Tableau Algorithm for LTL
    The nodes of the tableau procedure are labelled with sets from PC(ϕ). How to connect these nodes?
    We define a relation R ⊆ PC(ϕ) as follows: Σ1 R Σ2 iff
      1 for all ψ ∈ cl(ϕ): ψ ∈ Σ1 iff ψ ∈ Σ2; and
      2 for all ψ1 U ψ2 ∈ cl(ϕ): ψ1 U ψ2 ∈ Σ1 iff (ψ2 ∈ Σ1 or (ψ1 ∈ Σ1 and ψ1 U ψ2 ∈ Σ2)).
    Moreover, we add a “dummy” start node which we connect to all Σ with ϕ ∈ Σ. If such nodes do not exist, then ϕ is obviously not satisfiable.
    Remark 6.8 (Efficiency)
    We note that from a practical point of view, this method is not very efficient as all states from PC(ϕ) have to be constructed! An incremental approach does usually perform better on average.
    Example 6.9
    Consider the set Σ = { p, p, p} where ψ is defined as ¬♦¬ψ ≡ ¬( U ¬ψ). This set results in a non-terminating, looping branch. Such branches are declared open.
    Definition 6.10 (Initial tableau)
    We call the graph (PC(ϕ), R) the initial LTL-tableau of ϕ.
    Clearly, a node with label Σ in the tableau can be considered as a propositional state; we simply take Σ ∩ Prop(ϕ) where Prop(ϕ) is the set of propositional symbols occurring in ϕ. In the following we identify nodes and states in this way.
    Now, the question is whether the initial tableau contains an LTL-model of ϕ. How to determine this?
    There are two possible types of error:
      1 States may not have successors? (Consider e.g. { p, ¬p}.)
      2 There are non-fulfilled eventualities.
    An eventuality ψ1 U ψ2 is fulfilled in a node, if there is a node reachable from the current one which contains ψ2.
    LTL-Tableau algorithm
      1 Construct (PC(ϕ), R).
      2 Remove all nodes from (PC(ϕ), R) which do not have a successor.
      3 Remove all nodes which contain a non-fulfilled eventuality.
      4 If none of the above steps can be applied and a node which contains ϕ remains return “satisfiable”; otherwise, “unsatisfiable”.
    Theorem 6.11
    The LTL-tableau algorithm terminates and is correct; i.e. “satisfiable” is returned on input ϕ iff ϕ is satisfiable. Moreover, the algorithm runs in exponential time.
    Sketch.
    Termination: PC(ϕ) is a finite set of finite sets. The tableau algorithm does only remove nodes. Checking fulfillment can be done in a depth-first manner with marking.
    Correctness: “⇐”: Suppose ϕ is satisfiable in λ. We define the sets Σi = {ψ ∈ cl(ϕ) | λ[i, ∞] |= ψ} for i ∈ N0. It is easy to see that none of these sets is removed by the tableau algorithm; hence, it returns “satisfiable”.
  • 82. 6 Complexity of Reasoning: Satisfiability
    6.2 A Tableau Algorithm for LTL
    “⇒”: Suppose the algorithm returns “satisfiable”.
    Let G ⊆ PC(ϕ) be the set of remaining nodes and let ϕ ∈ Σ0.
    We recursively define sequences 0 = i_0 < i_1 < · · · < ω and Σ0, Σ1, . . . . Suppose we have constructed this sequence up to Σ_(i_j).
      If Σ_(i_j) does not contain any unfulfilled eventuality, set i_(j+1) = i_j + 1 and choose Σ_(i_(j+1)) as some R-successor of Σ_(i_j).
      Otherwise, find a path Σ_(i_j), Σ_(i_j + 1), . . . , Σ_(i_(j+1)) such that all unfulfilled eventualities in Σ_(i_j) are fulfilled in Σ_(i_(j+1)).
    Now it is easy to show that the constructed path satisfies all eventualities occurring in any state, and also those newly introduced in Σ_(i_j + 1), . . . , Σ_(i_(j+1) − 1).
    Complexity:
      Each Σ ∈ PC(ϕ) is of size linear in |ϕ| and there are exponentially many such subsets.
      The deletion steps can be done in deterministic time polynomial in the size of PC(ϕ).
    The LTL-tableau algorithm can also be implemented in polynomial space by guessing the “right” branch of the tableau. However, since a branch can be of exponential length we cannot store it explicitly. We make use of the ultimately periodic model property of LTL (cf. Theorem 1.16):
    [Figure: ultimately periodic path, annotated with the bounds 2^O(n) and 4^O(n).]
    The idea is the same as for LTL model checking (cf. Theorem 5.15).
    Theorem 6.12 (LTL is PSPACE-complete [Sistla and Clarke, 1985])
    Satisfiability checking LTL is PSPACE-complete.
    Proof.
    We use a polynomially space bounded Turing machine:
      Given ϕ, guess a path through the tableaux-construction of exponential length (in |ϕ|).
      Only the current state and the state at which the path loops back, and a counter has to be kept in memory.
    Hardness: Reduction from polynomial space-bounded Turing machines.
    Remark 6.13
    In Section 1.3 (cf. Theorem 5.13) we have constructed an automaton which accepts all models of an L_LTL-formula. This directly yields another decision procedure for LTL-satisfiability which essentially reduces to checking emptiness of the automaton.
  • 83. 6 Complexity of Reasoning: Satisfiability · 6.3 A Tableau Algorithm for CTL
In this section we discuss a tableau algorithm for CTL. The idea is the very same as for LTL.
Given PC(ϕ) we define a relation R as follows: Σ1 R Σ2 iff
1 For all A ψ ∈ cl(ϕ): if A ψ ∈ Σ1 then α ∈ Σ2
2 For all ¬E ψ ∈ cl(ϕ): if ¬E ψ ∈ Σ1 then ¬ψ ∈ Σ2
3 For all Aψ1 U ψ2 ∈ cl(ϕ): if Aψ1 U ψ2 ∈ Σ1 then (ψ2 ∈ Σ1 or (ψ1 ∈ Σ1 and Aψ1 U ψ2 ∈ Σ2))
4 For all ¬Eψ1 U ψ2 ∈ cl(ϕ): if ¬Eψ1 U ψ2 ∈ Σ1 then (¬ψ2 ∈ Σ1 and (either ¬ψ1 ∈ Σ1 or ¬Eψ1 U ψ2 ∈ Σ2)).
Again, the deletion process consists of two steps:
1 Local pruning: Remove states which do not “agree with” the semantics of the subformulae contained in the states.
2 Remove states which contain non-fulfillable eventualities.
In the case of CTL, eventualities are given by Eψ1 U ψ2 and Aψ1 U ψ2.
CTL-tableau algorithm
1 Construct (PC(ϕ), R).
2 Remove all nodes Σ from (PC(ϕ), R) which do not satisfy the following conditions:
    1 if E ψ ∈ Σ then there is Σ′ with ΣRΣ′ and ψ ∈ Σ′;
    2 if ¬A ψ ∈ Σ then there is Σ′ with ΣRΣ′ and ¬ψ ∈ Σ′;
    3 if Eψ1 U ψ2 ∈ Σ then ψ2 ∈ Σ or (ψ1 ∈ Σ and there is Σ′ with ΣRΣ′ such that Eψ1 U ψ2 ∈ Σ′); and
    4 if ¬Aψ1 U ψ2 ∈ Σ then ¬ψ2 ∈ Σ and (either ¬ψ1 ∈ Σ or there is Σ′ with ΣRΣ′ such that ¬Aψ1 U ψ2 ∈ Σ′).
3 Remove all nodes which contain an eventuality which is not fulfilled.
4 If none of the above steps can be applied and a node which contains ϕ remains return “satisfiable”; otherwise, “unsatisfiable”.
  • 84. 6 Complexity of Reasoning: Satisfiability · 6.3 A Tableau Algorithm for CTL
Theorem 6.14 The CTL-tableau algorithm terminates and is correct; i.e. “satisfiable” is returned on input ϕ iff ϕ is satisfiable. Moreover, the algorithm runs in exponential time.
Theorem 6.15 (Satisfiability of CTL) The satisfiability problem for CTL is EXPTIME-complete.
Proof. Membership in EXPTIME is proven by the CTL-tableaux algorithm (cf. Theorem 6.11). Hardness can be shown by a reduction from alternating polynomial space bounded Turing machines.
LTL-satisfiability revisited
Yet another approach to check LTL-satisfiability is a reduction to CTL-satisfiability.
Given an LTL-formula, we define the translation tr : L_LTL[pnf] → L_CTL by replacing ♦, , , U , B by A♦, A , A , A U , A B , respectively.
The following theorem shows that LTL-satisfiability can be checked in EXPTIME as well:
Theorem 6.16 (LTL is in EXPTIME) Let ϕ ∈ L_LTL be in positive normal form. Then, tr(ϕ) ∈ L_CTL and ϕ is LTL-satisfiable iff tr(ϕ) is CTL-satisfiable. Hence, LTL-satisfiability is in EXPTIME.
6.4 CTL∗ is 2EXPTIME-complete
Satisfiability of CTL∗ can be shown by a subtle automata-theoretic construction. The idea is sketched in the following:
A normal form for CTL∗ formulae is established. This normal form is essentially built from 3 types of subformulae: Aψ, Eψ, or A Eψ where ψ ∈ L_LTL.
It is shown that CTL∗ is satisfiable iff there is a(n) (infinite) tree-like model with fixed branching.
A tree automaton accepting these tree-like models is constructed from ω-word automata (cf. LTL model checking), one for each subformula of the aforementioned type of the normal form. In particular, the construction of the automaton for Aψ is costly.
Satisfiability of ϕ is reduced to checking emptiness of this tree automaton.
  • 85. 6 Complexity of Reasoning: Satisfiability · 6.4 CTL∗ is 2EXPTIME-complete
Theorem 6.17 (Normal form [Emerson and Sistla, 1984]) For each ϕ ∈ L_CTL∗ it is possible to construct a formula ϕ′ ∈ L_CTL∗ with the following properties:
1 ϕ′ is composed of conjunctions and disjunctions of subformulae of the form Aψ, Eψ, or A Eψ where ψ ∈ L_LTL.
2 The length of ϕ′ is linear in the length of ϕ.
3 ϕ′ is satisfiable iff ϕ is satisfiable.
4 Any model of ϕ′ can be used to construct a model of ϕ and vice versa.
We say that ϕ′ is a normal form of ϕ.
Theorem 6.18 ([Emerson and Sistla, 1984]) Any satisfiable formula ϕ ∈ L_CTL∗ in normal form has an infinite tree-like model in which each node has at most |ϕ| outgoing edges and each subformula Eψ of ϕ is satisfied along a designated path of the tree-like model.
Theorem 6.19 ([Vardi and Stockmeyer, 1985, Emerson and Sistla, 1984, Emerson and Jutla, 1999]) Satisfiability checking CTL∗ is 2EXPTIME-complete.
Proof. Hardness is shown in [Vardi and Stockmeyer, 1985].
Membership is shown by a subtle automata-theoretic construction. Let ϕ be a formula in normal form.
Theorem 6.18 allows to use tree automata (fixed branching).
For a pure L_LTL formula let A_ψ denote the Büchi word automaton accepting exactly the paths satisfying ψ (cf. Theorem 5.13).
For each subformula Aψ, Eψ, or A Eψ of ϕ we construct a tree automaton (built from the aforementioned word automata A_ψ) accepting those trees satisfying the formula.
We construct a complemented pairs tree automaton for each of these subformulae as follows:
Eψ: Run A_ψ at the root of any given tree on the designated path.
A Eψ: Run A_ψ at any node and run it down the designated path for Eψ.
Both automata have 2^{O(|ψ|)} states and |ψ| pairs.
Aψ: Running A_ψ down all paths from the root does not work! Why? Firstly, we have to transform A_ψ into a deterministic Rabin automaton.
The resulting deterministic automaton A_ψ has 2^{2^{O(|ψ|)}} states and 2^{O(|ψ|)} pairs (cf. Theorem ??).
The tree automaton for Aψ runs A_ψ along all paths of the input tree. It has the same size as A_ψ.
All these tree automata are combined to a product automaton which yields a complemented pairs automaton with 2^{2^{O(|ϕ|)}} states and 2^{O(|ϕ|)} pairs.
By Theorem ?? non-emptiness can be checked in deterministic time (mn)^{O(n)} where m is the number of states and n the number of pairs.
Hence, we have time complexity of (2^{2^{O(|ϕ|)}} · 2^{O(|ϕ|)})^{2^{O(|ϕ|)}} = 2^{2^{O(|ϕ|)}} steps.
  • 86. 6 Complexity of Reasoning: Satisfiability · 6.4 CTL∗ is 2EXPTIME-complete
Summary
We have shown (via a tableau algorithm) that the satisfiability problem for LTL is PSPACE-complete. Alternatively, we have presented an automata-theoretic approach and a reduction to CTL-satisfiability checking.
We have shown (via a tableau algorithm) that the satisfiability problem for CTL is EXPTIME-complete.
The algorithm for CTL∗ is based on a subtle construction based on tree automata. Non-trivial results from automata theory (Safra's construction and non-emptiness checks) were necessary.
6.5 ATL and ATL*
In this section we briefly discuss the satisfiability problems for ATL and ATL∗. A detailed presentation is out of scope of this tutorial.
Firstly, we state the satisfiability problem. There are at least four sensible settings:
1 Is ϕ satisfiable over a fixed and finite set Agt of agents?
2 Is ϕ satisfiable over Agt where Agt(ϕ) ⊆ Agt?
3 Is there a set Agt of agents with Agt(ϕ) ⊆ Agt such that ϕ is satisfiable over Agt?
4 Is ϕ satisfiable over Agt(ϕ)?
Agt(ϕ): Agent names occurring in ϕ.
Do these settings affect the satisfiability of formulae?
Example 6.20 Is the following formula satisfiable? ¬ 1 p∧¬ 1 q∧ 1 (p ∨ q)
Proposition 6.21 The satisfiability problems (2) and (4) are polynomially reducible to each other. Problem (3) is polynomially reducible to (2).
Moreover, we have that ϕ is satisfiable over Agt (with Agt(ϕ) ⊆ Agt) iff ϕ is satisfiable over Agt(ϕ) ∪ {|Agt(ϕ)| + 1}.
  • 87. 6 Complexity of Reasoning: Satisfiability · 6.5 ATL and ATL*
In [van Drimmelen, 2003] and [Goranko and van Drimmelen, 2006b] an automata theoretic approach is used to show that the satisfiability problem is EXPTIME-complete for a fixed set of agents (setting 1).
In [Walther et al., 2006] it is shown that the general setting 4 is EXPTIME-complete (over alternating transition systems). The basic idea is similar to the one used in the CTL-tableaux algorithm. Models are essentially built from A ψ-formulae occurring in ϕ.
In [Goranko and Shkatov, 2009] a generic “incremental” tableaux decision procedure is proposed (over CGS). The approach can be used for the general setting (4).
Theorem 6.22 (Complexity: Membership) The satisfiability problems for ATL are EXPTIME-complete, even for the general setting (4).
Proof of lower bound. Membership follows from the tableau procedure.
Hardness: Reduction of global consequence in logic K: Given ψ1 and ψ2. Does M ⊨ ψ1 imply M ⊨ ψ2 for all Kripke models M?
ATL can “encode” logic K: e.g. ♦p=¬ ∅ ˆ ¬p.
Now we have: ψ2 follows globally from ψ1 iff ∅ ψ1 ∧ ¬ψ2 is ATL-unsatisfiable over an arbitrary set of agents.
Satisfiability of ATL∗
Membership is shown by an automata-theoretic construction. The model is transformed into a special tree-like model which is enriched with additional information on witnessing strategies.
Hardness is shown by a reduction of satisfiability checking of CTL∗.
Theorem 6.23 ([Schewe, 2008]) Satisfiability checking ATL∗ is 2EXPTIME-complete.
7. Appendix: Automata Theory
Büchi Automata
Generalized Büchi Automata
Tree automata
Emptiness Checking
  • 88. 7 Appendix: Automata Theory · 7.1 Büchi Automata
Büchi Automata
We would like to use finite automata to solve the model checking problem.
Finite automata (on finite words) accept only finite words but paths are infinite.
We need to extend the model to finite automata that accept infinite words.
How can we accept infinite words?
Definition 7.1 (ω-automaton) An ω-automaton is a tuple A = (Q, Σ, ∆, qI, C) where
1 Q is a finite set of states;
2 Σ is a finite alphabet;
3 ∆ ⊆ Q × Σ × Q a transition relation;
4 qI is the initial state; and
5 C an acceptance component (which is specialised in the following).
The crucial point is the acceptance component!
Definition 7.2 (Run) A run ρ = ρ(0)ρ(1) · · · ∈ Q^ω of A on a word w = w1 w2 · · · ∈ Σ^ω is an infinite sequence of states of A such that:
1 ρ(0) = qI
2 ρ(i) ∈ ∆(ρ(i − 1), w_i) for i ≥ 1.
How could we accept the following language?
L = {w ∈ {a, b}^ω | w contains infinitely many a and only finitely many b}.
Is it sufficient to reach a final state once?
  • 89. 7 Appendix: Automata Theory · 7.1 Büchi Automata
We define Inf(ρ) as the set of all states that occur infinitely often on ρ; that is,
Inf(ρ) = {q ∈ Q | ∀i∃j(j > i ∧ ρ(j) = q)}
Definition 7.3 (Büchi automaton) A Büchi automaton is an ω-automaton A = (Q, Σ, ∆, qI, F) where F ⊆ Q with the following acceptance condition: A accepts w ∈ Σ^ω if, and only if, there is a run ρ of A such that Inf(ρ) ∩ F ≠ ∅.
Thus, such an automaton accepts all words such that some state from F is visited infinitely often on a corresponding run.
Definition 7.4 (Acceptable language) The language accepted by A, L(A), consists of all words accepted by A. That is,
L(A) = {w ∈ Σ^ω | A accepts w}.
A language is said to be (Büchi) acceptable if there is a Büchi automaton that accepts it.
Remark 7.5 (Other automata types) Other acceptance conditions yield different automata types: Rabin automata, Muller automata.
Example 7.6 Is there a Büchi Automaton that accepts the following language L over Σ = {a, b, c}?
L = {w ∈ Σ^ω | w contains infinitely many a or b and only finitely many c}
Example 7.7 Is there a Büchi Automaton that accepts the following language L over Σ = {a, b}?
L = {w ∈ Σ^ω | w ends with a^ω or (ab)^ω}
blackboard
Back to model checking LTL, pp. 225.
  • 90. 7 Appendix: Automata Theory · 7.1 Büchi Automata
Proposition 7.8 (Closure properties)
1 Büchi acceptable languages are closed under union, intersection, and negation.
2 If A is a regular language with ∈ A, then, A^ω is Büchi acceptable.
3 If A is a regular language and B is Büchi recognizable, then AB is Büchi acceptable.
Proof sketch
1 Union: Nondeterministically guess which automaton should be executed. Exercise
  Intersection: Product automaton yields a generalised Büchi automaton. The acceptance set is given by {F1 × S2, S1 × F2}. Exercise
  Complement: This part is non-trivial and cannot be done in the scope of this lecture.
2 A^ω: Connect transitions to final states also with the initial state. Exercise
3 AB: Connect transitions to final states of the finite automaton with the initial state of the Büchi automaton. Exercise
Theorem 7.9 (Characterization Theorem) A language L is Büchi acceptable if, and only if, there are finitely many regular languages U_1, . . . , U_n and V_1, . . . , V_n such that
L = ⋃_{i=1,...,n} U_i (V_i)^ω
This shows that any language L ≠ ∅ acceptable by a Büchi automaton contains an ultimately periodic word.
Example 7.10 For the language L = {w ∈ Σ^ω | w ends with a^ω or (ab)^ω} from Example 7.7 we have that L = Σ∗{a}^ω ∪ Σ∗{ab}^ω.
Proof of Theorem 7.9
“⇒”: Let W(q, q′) = {w ∈ Σ∗ | q →^w q′}. Each language W(q, q′) is regular. Then,
L(A) = ⋃_{q ∈ Q_f} W(qI, q)(W(q, q))^ω.
“⇐”: Let L = ⋃_{i=1,...,n} U_i (V_i)^ω where each U_i, V_i is regular. By Proposition 7.8 we have that (V_i)^ω and U_i (V_i)^ω are Büchi recognizable. Thus also their finite union.
  • 91. 7 Appendix: Automata Theory · 7.2 Generalized Büchi Automata
Definition 7.11 (Generalised Büchi automaton) A generalised Büchi automaton is an ω-automaton A = (Q, Σ, ∆, qI, F) where F ⊆ P(Q) with the following acceptance condition: A accepts w ∈ Σ^ω if, and only if, there is a run ρ of A such that for each F_i ∈ F
Inf(ρ) ∩ F_i ≠ ∅.
Thus, such an automaton accepts all words such that some state from each F_i is visited infinitely often on a corresponding run.
We will use generalised Büchi automata for model checking LTL.
How is the relation between Büchi and generalised Büchi automata?
Proposition 7.12 (Generalised Büchi Büchi) For each generalised Büchi automaton one can construct an equivalent Büchi automaton.
Proof. Idea: Consider state-tuples: S × {1, . . . , k}. If the GBA moves to the next acceptance set a counter is incremented (modulo k). Then, a run visits states from each F_i infinitely often iff states from F_1 × {1} appear infinitely often.
We first consider an example:
Example 7.13
[Figure: a generalised Büchi automaton with states q0, q1 and acceptance sets F1, F2, and the corresponding automaton with states (q0, 1), (q1, 1), (q0, 2), (q1, 2); transitions labelled a and b]
Back to LTL-model checking, pp. 269.
  • 92. 7 Appendix: Automata Theory · 7.2 Generalized Büchi Automata
Proof ctd. Let A = (Σ, S, ∆, S0, {F_1, . . . , F_n}) be a generalised Büchi automaton. We construct the Büchi Automaton A′ = (Σ, S′, ∆′, S0′, F′):
S′ = S × {1, . . . , n};
S0′ = S0 × {1};
((s, j), a, (t, i)) ∈ ∆′ iff (s, a, t) ∈ ∆ and
    i = j, if s ∉ F_j;
    i = (j + 1) mod k, if s ∈ F_j;
F′ = F_1 × {1}.
Proof ctd. It remains to prove that both automata accept the same languages. We present the main ideas.
“⇒”: Let A be a GBA that accepts the word w. Then, there is a run ρ such that states from each F_i, i = 1, . . . , k, occur infinitely often on ρ. That is, there is an infinite subsequence (q_1 . . . q_k)^ω of ρ such that q_i ∈ F_i. Hence, the state (q_1, 1) is visited infinitely often in the automaton A′.
“⇐”: Let A′ accept the word w. Then, some state (q_1, 1) with q_1 ∈ F_1 is visited infinitely often. After it has been visited once the automaton is in a state (q, 2) and can only return to (q′, 1) if some state q ∈ F_2 is visited, some from F_3 and so on is visited.
7.3 Tree automata
As before let Σ be a finite alphabet and k a natural number.
A k-ary Σ-tree t = (dom_t, L) is a tree with maximal branching k and in which each node is labelled by an element from Σ. That is
L : dom_t → Σ
where dom_t ⊆ {0, . . . , k − 1}∗ denotes the domain of the tree. It is required that dom_t is closed under prefixes, i.e.
wx ∈ dom_t → ∀y(0 ≤ y < x → wy ∈ dom_t).
A k-ary ω-tree automaton over the alphabet Σ is an automaton that accepts infinite k-ary Σ-trees.
  • 93. 7 Appendix: Automata Theory · 7.3 Tree automata
Definition 7.14 (k-ary ω-tree automaton) A k-ary ω-tree automaton over the alphabet Σ is given by a tuple A = (Q, qI, ∆, C) where
Q is a set of states,
qI ∈ Q the initial state,
∆ : Q × Σ × {1, . . . , k} → P(∪_{i=1...k} Q^i) with ∆(q, a, i) ⊆ Q^i a transition relation, and
C an acceptance component (which is specified in the following).
Definition 7.15 (Run, path, successful, accepting) A run of a k-ary ω-tree automaton A on an infinite k-ary Σ-tree t = (dom_t, L_t) is an infinite k-ary Q-tree r = (dom_r, L_r) such that
1 dom_r = dom_t,
2 L_r(∅) = qI and
3 ∀w ∈ dom_t: (L_r(w0), . . . , L_r(wi)) ∈ ∆(L_r(w), L_t(w), i) where i = max{j | wj ∈ dom_t}.
A path of the run r is an infinite linearly ordered subset of dom_r (i.e. it denotes a branch in the tree). We say that run r is successful if each path of r satisfies the accepting condition C.
An input tree t is accepted by A if there is a successful run.
Definition 7.16 (Büchi tree automaton) A Büchi tree automaton is given by an ω-tree automaton A = (Q, qI, ∆, F) where F ⊆ Q is a set of final states. A run r = (dom_r, L) is successful if, and only if, for each path p on r there is a state that occurs infinitely often on p; i.e. for all paths p of r we have that
Inf(L|p) ∩ F ≠ ∅.
L|p denotes the set of states in L which do also appear on p.
Definition 7.17 (Rabin tree automaton) A Rabin tree automaton (or pairs tree automaton) is given by an ω-tree automaton A = (Q, qI, ∆, Ω) where
Ω = {(L_1, U_1), . . . , (L_n, U_n)}
where each pair (L_i, U_i) ⊆ Q × Q is a set of “accepting” pairs (these pairs are called Rabin pairs). A run r = (dom_r, L) is successful if, and only if, for each path p on r there is an index i ∈ {1, . . . , n} such that no state (resp. a state) from L_i (resp. from U_i) occurs infinitely often on p; i.e.
Inf(L|p) ∩ L_i = ∅ and Inf(L|p) ∩ U_i ≠ ∅
Theorem 7.18 ([Rabin, 1970]) There is a set of trees that is acceptable by a Rabin tree automaton but not by any Büchi tree automaton.
  • 94. 7 Appendix: Automata Theory · 7.4 Emptiness Checking
Checking Emptiness
For the model checking algorithms we need to check whether the language of a Büchi automaton is empty.
Definition 7.19 (Graph reachability) Let G = (V, E) be a graph. Given two vertices u, v ∈ V the graph-reachability problem is the question whether v is reachable from u.
Theorem 7.20 ([Jones, 1977, Jones, 1975]) The graph-reachability problem is NLOGSPACE-complete under logspace-reductions.
Theorem 7.21 ([Emerson and Lei, 1987]) The emptiness problem for Büchi automata is solvable in linear time and in nondeterministic logarithmic space.
Proof. We check whether there is some ultimately periodic word by finding an accepting state reachable from the initial state and from itself. The following algorithm runs in non-deterministic logarithmic space:
1 Guess an accepting state r, and
2 check whether reach(r, r).
How does reach(x, y) work?
1 Choose some x-successor x′ (non-determinism!).
2 Return “yes”, if x′ = y else reach(x′, y).
Hardness is shown by a reduction of the NLOGSPACE-complete problem of graph reachability from Definition 7.19. Given G, u, v, transform G to a Büchi automaton with initial state u and final state v and add a loop to v. Then: v reachable from u in G iff automaton non-empty.
Back to LTL model checking, pp. 245.
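The counter construction of Proposition 7.12 and the emptiness check of Theorem 7.21, as an added Python example that is not part of the original slides. It assumes 0-based counters instead of 1, . . . , k, replaces the nondeterministic guess by breadth-first search, and runs on two small automata constructed here for illustration; on a non-empty automaton it returns an ultimately periodic witness (prefix, loop).

```python
from collections import deque


def degeneralize(delta, init, acc_sets):
    """Generalised Büchi -> Büchi via the counter construction.

    delta    : set of transitions (s, a, t)
    acc_sets : list [F_0, ..., F_{k-1}] of sets of states (0-based here)
    Returns (delta', init', F') over states (s, j), j being the counter.
    """
    k = len(acc_sets)
    if k == 0:
        raise ValueError("need at least one acceptance set")
    new_delta = set()
    for (s, a, t) in delta:
        for j in range(k):
            # The counter advances exactly when the source state is in F_j.
            i = (j + 1) % k if s in acc_sets[j] else j
            new_delta.add(((s, j), a, (t, i)))
    return new_delta, (init, 0), {(s, 0) for s in acc_sets[0]}


def find_word(delta, src, dst, nonempty=False):
    """Shortest word labelling a path src -> dst, or None if unreachable.

    With nonempty=True the path must use at least one transition, which is
    what the check "r is reachable from itself" requires.
    """
    succ = {}
    for (s, a, t) in delta:
        succ.setdefault(s, []).append((a, t))
    if src == dst and not nonempty:
        return []
    seen = set()
    queue = deque([(src, [])])
    while queue:
        q, word = queue.popleft()
        for a, t in succ.get(q, []):
            if t == dst:
                return word + [a]
            if t not in seen:
                seen.add(t)
                queue.append((t, word + [a]))
    return None


def buchi_witness(delta, init, acc):
    """Return (prefix, loop) such that prefix·loop^ω is accepted,
    or None if the language of the Büchi automaton is empty."""
    for r in sorted(acc):
        prefix = find_word(delta, init, r)
        if prefix is None:
            continue                      # r not reachable from the initial state
        loop = find_word(delta, r, r, nonempty=True)
        if loop is not None:              # r lies on a cycle: lasso found
            return prefix, loop
    return None


def gba_witness(delta, init, acc_sets):
    """Emptiness check for a generalised Büchi automaton."""
    return buchi_witness(*degeneralize(delta, init, acc_sets))


# Constructed sample: state q_x records that the last letter read was x.
FAIR = {("qa", "a", "qa"), ("qa", "b", "qb"),
        ("qb", "a", "qa"), ("qb", "b", "qb")}
# Constructed sample: once in qb the automaton can never return to qa.
TRAP = {("qa", "a", "qa"), ("qa", "b", "qb"), ("qb", "b", "qb")}

if __name__ == "__main__":
    both = [{"qa"}, {"qb"}]               # visit qa AND qb infinitely often
    print("FAIR, F1 and F2:", gba_witness(FAIR, "qa", both))
    print("TRAP, F1 and F2:", gba_witness(TRAP, "qa", both))
    print("TRAP, F1 only  :", gba_witness(TRAP, "qa", [{"qa"}]))
    print("TRAP, F2 only  :", gba_witness(TRAP, "qa", [{"qb"}]))
```

On TRAP each acceptance set alone gives a non-empty Büchi language, while the generalised condition over both sets is empty, which is the case the counter is there to catch.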
  • 95. 7 Appendix: Automata Theory · 7.4 Emptiness Checking
Theorem 7.22 ([Rabin, 1970, Vardi and Wolper, 1984]) The emptiness problem for Büchi tree automata is decidable and P-complete under logarithmic space reductions.
Theorem 7.23 ([Emerson and Jutla, 1988, Pnueli and Rosner, 1989]) The non-emptiness problem for Rabin tree automata is decidable and complete for NP.
Theorem 7.24 ([Emerson and Jutla, 1999]) The non-emptiness problem for pairs tree automata is decidable in deterministic time (mn)^{O(n)} where m is the number of states and n the number of pairs in the automaton.
7.5 Determinization
Determinization of Automata
Theorem 7.25 (Safra’s construction [Safra, 1988]) Let A be a nondeterministic Büchi automaton with n states. Then, there is an equivalent deterministic Rabin automaton with 2^{O(n log n)} states.
8. References
  • 96. 8 References
Alur, R., Henzinger, T. A., and Kupferman, O. (1997). Alternating-time Temporal Logic. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS), pages 100–109. IEEE Computer Society Press.
Alur, R., Henzinger, T. A., and Kupferman, O. (2002). Alternating-time Temporal Logic. Journal of the ACM, 49:672–713.
Clarke, E. and Emerson, E. (1981). Design and synthesis of synchronization skeletons using branching time temporal logic. In Proceedings of Logics of Programs Workshop, volume 131 of Lecture Notes in Computer Science, pages 52–71.
Clarke, E., Emerson, E., and Sistla, A. (1986). Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263.
Emerson, E. and Halpern, J. (1986). Sometimes and not never revisited: On branching versus linear time temporal logic. Journal of the ACM, 33(1):151–178.
Emerson, E. A. and Jutla, C. S. (1988). The complexity of tree automata and logics of programs. In SFCS ’88: Proceedings of the 29th Annual Symposium on Foundations of Computer Science, pages 328–337, Washington, DC, USA. IEEE Computer Society.
Emerson, E. A. and Jutla, C. S. (1999). The complexity of tree automata and logics of programs. SIAM J. Comput., 29:132–158.
Emerson, E. A. and Lei, C.-L. (1987). Modalities for model checking: Branching time logic strikes back. Science of Computer Programming, 8(3):275–306.
Emerson, E. A. and Sistla, A. P. (1984). Deciding branching time logic. In STOC ’84: Proceedings of the sixteenth annual ACM symposium on Theory of computing, pages 14–24, New York, NY, USA. ACM.
Goranko, V. and Shkatov, D. (2009). Tableau-based decision procedures for logics of strategic ability in multiagent systems. ACM Trans. Comput. Logic, 11(1):3:1–3:51.
Goranko, V. and van Drimmelen, G. (2006a). Complete axiomatization and decidability of alternating-time temporal logic. Theor. Comput. Sci., 353(1-3):93–117.
Goranko, V. and van Drimmelen, G. (2006b). Complete axiomatization and decidability of alternating-time temporal logic. Theor. Comput. Sci., 353:93–117.
Immerman, N. (1981). Number of quantifiers is better than number of tape cells. Journal of Computer and System Sciences, 22(3):384–406.
Jamroga, W. and Bulling, N. (2011). Comparing variants of strategic ability. In Proceedings of the 22nd International Joint Conference on Artificial Intelligence (IJCAI), pages 252–257, Barcelona, Spain.
Jones, N. D. (1975). Space-bounded reducibility among combinatorial problems. Journal of Computer and System Sciences, 11(1):68–85.
Jones, N. D. (1977). Corrigendum: Space-bounded reducibility among combinatorial problems. J. Comput. Syst. Sci., 15(2):241.
Lichtenstein, O. and Pnueli, A. (1985). Checking that finite state concurrent programs satisfy their linear specification. In POPL ’85: Proceedings of the 12th ACM SIGACT-SIGPLAN symposium on Principles of programming languages, pages 97–107, New York, NY, USA. ACM.
Maidl, M. (2000). The common fragment of ctl and ltl. In FOCS, pages 643–652. IEEE Computer Society.
Pnueli, A. (1977). The temporal logic of programs. In Proceedings of FOCS, pages 46–57.
Pnueli, A. and Rosner, R. (1989). On the synthesis of a reactive module. In POPL ’89: Proceedings of the 16th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 179–190, New York, NY, USA. ACM.
Rabin, M. (1970). Weakly definable relations and special automata. Mathematical Logic and Foundations of Set Theory, pages 1–23.
Reynolds, M. (2001). An axiomatization of full computation tree logic. J. Symb. Log., 66(3):1011–1057.
Safra, S. (1988). On the complexity of omega-automata. In Proceedings of the 29th Annual Symposium on Foundations of Computer Science, pages 319–327, Washington, DC, USA. IEEE Computer Society.
Schewe, S. (2008). ATL* satisfiability is 2ExpTime-complete. In Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II (ICALP 2008), 6–13 July, Reykjavik, Iceland, volume 5126 of Lecture Notes in Computer Science, pages 373–385. Springer-Verlag.
  • 97. 8 References
Schnoebelen, P. (2003). The complexity of temporal model checking. In Advances in Modal Logics, Proceedings of AiML 2002. World Scientific.
Schobbens, P. Y. (2004). Alternating-time logic with imperfect recall. Electronic Notes in Theoretical Computer Science, 85(2):82–93.
Sistla, A. P. and Clarke, E. M. (1985). The complexity of propositional linear temporal logics. J. ACM, 32(3):733–749.
van Drimmelen, G. (2003). Satisfiability in Alternating-time Temporal Logic. In Proceedings of LICS’2003, pages 208–217. IEEE Computer Society Press.
Vardi, M. Y. and Stockmeyer, L. (1985). Improved upper and lower bounds for modal logics of programs. In Proceedings of the seventeenth annual ACM symposium on Theory of computing, STOC ’85, pages 240–251, New York, NY, USA. ACM.
Vardi, M. Y. and Wolper, P. (1984). Automata theoretic techniques for modal logics of programs: (extended abstract). In STOC ’84: Proceedings of the sixteenth annual ACM symposium on Theory of computing, pages 446–456, New York, NY, USA. ACM.
Vardi, M. Y. and Wolper, P. (1986). An automata-theoretic approach to automatic program verification (preliminary report). In Proceedings of the First Annual IEEE Symposium on Logic in Computer Science (LICS 1986), pages 332–344. IEEE Computer Society Press.
Walther, D., Lutz, C., Wolter, F., and Wooldridge, M. (2006). ATL satisfiability is indeed EXPTIME-complete. Journal of Logic and Computation, 16(6):765–787.