T4 Introduction to the modelling and verification of, and reasoning about multi-agent systems

Modelling, Verification and Reasoning in Multi-Agent Systems
Nils Bulling and Jürgen Dix
EASSS 2012
Valencia, Spain
28. May – 1. June 2012

Time
  Duration: Three times 105 minutes
  Dates: Thursday, 9:30-11:15, 15-16:45 and Friday 15-16:45

Course type
  Level: advanced
  Prerequisites: knowledge of propositional/predicate logic, basics of automata and complexity theory, some universal algebra.

Course website
  http://www.in.tu-clausthal.de/index.php?id=easss2012

N. Bulling, J. Dix · Modelling, Verification and Reasoning in Multi-Agent Systems EASSS, 2012

Course Overview
The course is divided into 6 lectures of 50 minutes each:
  Lec. 1: Linear and Branching Time (D, 60 min)
    SL, FOL, temporal logics: LTL, CTL∗, CTL
  Lec. 2: Cooperative Agents (D, 40 min)
    Strategic logics: ATL, ATL∗, effect of memory
  Lec. 3: Comparing Semantics of ATL (B, 50 min)
    Semantic variants of ATL, tree unfolding
  Lec. 4: Reasoning and Examples (D, 50 min)
    Basic Modal Logic, axiomatizations of LTL, CTL, ATL viewed as modal logics
  Lec. 5: Complexity of Verification: Model Checking (B, 60 min)
    Model checking problem and complexity
  Lec. 6: Complexity of Reasoning: Satisfiability (B, 40 min)
    Satisfiability checking problem and complexity

Reading Material I
  Alur, R., Henzinger, T. A., and Kupferman, O. (2002). Alternating-time Temporal Logic. Journal of the ACM, 49:672–713.
  Baier, C. and Katoen, J.-P. (2008). Principles of Model Checking. The MIT Press.
  Blackburn, P., de Rijke, M., and Venema, Y. (2001). Modal Logic. Number 53 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, Cambridge, UK.

Reading Material II
  Bulling, N., Dix, J., and Jamroga, W. (2010). Model checking logics of strategic ability: Complexity. In Dastani, M., Hindriks, K. V., and Meyer, J.-J. C., editors, Specification and Verification of Multi-Agent Systems. Springer.
  Clarke, E., Grumberg, O., and Peled, D. (1999). Model Checking. MIT Press.
  Jürgen Dix and Michael Fisher (2012). Chapter 14: Specification and Verification of Multi-agent Systems. In G. Weiss (Ed.), Multiagent Systems, MIT Press.

Reading Material III
  Jamroga, W. and Bulling, N. (2011). Comparing variants of strategic ability. In Proceedings of the 22nd International Joint Conference on Artificial Intelligence (IJCAI), pages 252–257, Barcelona, Spain.

Outline
  1 Linear and Branching Time
  2 Cooperative Agents
  3 Comparing Semantics of ATL
  4 Reasoning and Examples
  5 Complexity of Verification: Model Checking
  6 Complexity of Reasoning: Satisfiability
  7 Appendix: Automata Theory
  8 References

1. Linear and Branching Time
  Sentential Logic
  First-Order Logic
  Linear Time Logic
  Branching Time Logic

Outline
  We recapitulate very briefly sentential (also called propositional) logic (SL) and first-order logic (FOL).
  As an example of FOL, we consider FO(≤), monadic FOL of linear order.
  Then we present LTL, a logic to deal with linear time (no branching). This logic is equivalent to FO(≤).
  CTL∗ is an extension of LTL to branching time.
  CTL is an interesting fragment of CTL∗, incomparable with LTL, but with interesting computational properties.
  While LTL is defined over path formulae, CTL is defined over state formulae.
  CTL∗ is defined over both sorts of formulae.

1.1 Sentential Logic

Syntax of SL
The propositional language is built upon
  Propositional symbols: p, q, r, ..., p1, p2, p3, ...
  Logical connectives: ¬ and ∨
  Grouping symbols: (, )
Often we consider only a finite, nonempty set of propositional symbols and refer to it as Prop.
Propositional language L_PL(Prop):
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ
Macros:
  ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)
  ϕ → ψ := ¬ϕ ∨ ψ
  ϕ ↔ ψ := (ϕ → ψ) ∧ (ψ → ϕ)
  ⊤ := (p ∨ ¬p)
  ⊥ := ¬⊤

Semantics (SL)
A valuation (or truth assignment) v : Prop → {t, f} for a language L_PL(Prop) is a mapping from the set of propositional constants defined by Prop into the set {t, f}.
Inductively, we define the notion of a formula ϕ being true or satisfied by v (denoted by v |= ϕ):
  v |= p iff v(p) = t and p ∈ Prop,
  v |= ¬ϕ iff not v |= ϕ,
  v |= ϕ ∨ ψ iff v |= ϕ or v |= ψ
For a set Σ ⊆ L_PL we write v |= Σ iff v |= ϕ for all ϕ ∈ Σ.
We use v ⊭ ϕ instead of not v |= ϕ.

Truth Tables
Truth tables are a conceptually simple way of working with PL (invented by Wittgenstein in 1918).

  p   q   ¬p   p∨q   p∧q   p→q   p↔q
  t   t   f    t     t     t     t
  f   t   t    t     f     t     f
  t   f   f    t     f     f     f
  f   f   t    f     f     t     t

Fundamental Semantical Concepts
  If it is possible to find some valuation v that makes ϕ true, then we say ϕ is satisfiable.
  If v |= ϕ for all valuations v then we say that ϕ is valid and write |= ϕ. ϕ is also called tautology.
  A theory is a set of formulae: Φ ⊆ L_PL.
  A theory Φ is called consistent if there is a valuation v with v |= Φ.
  A theory Φ is called complete if for each formula ϕ in the language, ϕ ∈ Φ or ¬ϕ ∈ Φ.

Two simple examples
Consider the two formulae p ∧ ¬b and a ∨ ¬a.
  Are they satisfiable or valid?
  Are they both consistent? What if we add b?

Consequences
Given a theory Φ we are interested in the following question: Which facts can be derived from Φ? We can distinguish two approaches:
  1. semantical consequences, and
  2. syntactical inference.
Let Φ be a theory and ϕ be a formula. We say that ϕ is a semantical consequence of Φ if for all valuations v:
  v |= Φ implies v |= ϕ.

1.2 First-Order Logic

Predicate logic
In addition to the propositional language (on which the modal language is built as well), the first-order language (FOL) contains variables, function-, and predicate symbols.

Definition 1.1 (Variable)
A variable is a symbol of the set Var. Typically, we denote variables by x0, x1, ....

Example 1.2
  ϕ := ∃x0 ∀x1 (P^2_0(f^1_0(x0), x1) ∧ P^1_2(f^0_1))

Functions
Definition 1.3 (Function Symbols)
Let k ∈ ℕ0. The set of k-ary function symbols is denoted by Func^k. Elements of Func^k are given by f^k_1, f^k_2, .... Such a symbol takes k arguments. The set of all function symbols is defined as
  Func := ⋃_k Func^k
A 0-ary function symbol is called constant.

Predicates
Definition 1.4 (Predicate Symbols)
Let k ∈ ℕ0. The set of k-ary predicate symbols (or relation symbols) is given by Pred^k. Elements of Pred^k are denoted by P^k_1, P^k_2, .... Such a symbol takes k arguments. The set of predicate symbols is defined as
  Pred := ⋃_k Pred^k
A 0-ary predicate symbol is called (atomic) proposition.

Syntax
The first-order language with equality L_FOL is built from terms and formulae.
In the following we fix a set of variables, function-, and predicate symbols.

Definition 1.5 (Term)
A term over Func and Var is inductively defined as follows:
  1. Each variable from Var is a term.
  2. If t1, ..., tk are terms then f^k(t1, ..., tk) is a term as well, where f^k is a k-ary function symbol from Func^k.

Definition 1.6 (Language)
The first-order language with equality L_FOL(Var, Func, Pred) is defined by the following grammar:
  ϕ ::= P^k(t1, ..., tk) | ¬ϕ | ϕ ∨ ϕ | ∃x(ϕ) | t ≐ r
where P^k ∈ Pred^k is a k-ary predicate symbol and t1, ..., tk and t, r are terms over Var and Func.

Definition 1.7 (Macros)
We define the following syntactic constructs as macros (P ∈ Pred^0):
  ⊥ := P ∧ ¬P
  ⊤ := ¬⊥
  ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)
  ϕ → ψ := ¬ϕ ∨ ψ
  ϕ ↔ ψ := (ϕ → ψ) ∧ (ψ → ϕ)
  ∀x(ϕ) := ¬∃x(¬ϕ)

Notation
  We will often leave out the index k in f^k_i and P^k_i indicating the arity and just write f_i and P_i.
  Variables are also denoted by u, v, w, ...
  Function symbols are also denoted by f, g, h, ...
  Constants are also denoted by a, b, c, ..., c0, c1, ...
  Predicate symbols are also denoted by P, Q, R, ...
  We will use our standard notation p for 0-ary predicate symbols and also call them (atomic) propositions.

Attention
In this course, we only need unary predicates (monadic logic) and we do not need any function symbols at all. So our terms are exactly the variables.

Semantics
Definition 1.8 (Model, Structure)
A model or structure for FOL over Var, Func and Pred is given by M = (U, I) where
  1. U is a non-empty set of elements, called universe or domain and
  2. I is called interpretation. It assigns to each function symbol f^k ∈ Func^k a function I(f^k) : U^k → U, to each predicate symbol P^k ∈ Pred^k a relation I(P^k) ⊆ U^k; and to each variable x ∈ Var an element I(x) ∈ U.
We write:
  1. M(P^k) for I(P^k),
  2. M(f^k) for I(f^k), and
  3. M(x) for I(x).

Note that a structure comes with an interpretation I, which is based on functions and predicate symbols and assignments of the variables. But these are also defined in the notion of a language. Thus we assume from now on that the structures are compatible with the underlying language: The arities of the functions and predicates must correspond to the associated symbols.

Example 1.9
  ϕ := Q(x) ∨ ∀z(P(x, g(z))) ∨ ∃x(∀y(P(f(x), y) ∧ Q(a)))
  U = ℝ
  I(a) : {∅} → ℝ, ∅ ↦ π constant functions,
  I(f) = sin : ℝ → ℝ and I(g) = cos : ℝ → ℝ,
  I(P) = {(r, s) ∈ ℝ² : r ≤ s} and I(Q) = [3, ∞) ⊆ ℝ,
  I(x) = π/2, I(y) = 1 and I(z) = 3.

Definition 1.10 (Value of a Term)
Let t be a term and M = (U, I) be a model. We define inductively the value of t wrt M, written as M(t), as follows:
  M(x) := I(x) for a variable t = x,
  M(t) := I(f^k)(M(t1), ..., M(tk)) if t = f^k(t1, ..., tk).

Definition 1.11 (Semantics)
Let M = (U, I) be a model and ϕ ∈ L_FOL. ϕ is said to be true in M, written as M |= ϕ, if the following holds:
  M |= P^k(t1, ..., tk) iff (M(t1), ..., M(tk)) ∈ M(P^k)
  M |= ¬ϕ iff not M |= ϕ
  M |= ϕ ∨ ψ iff M |= ϕ or M |= ψ
  M |= ∃x(ϕ) iff M[x/a] |= ϕ for some a ∈ U, where M[x/a] denotes the model equal to M but M[x/a](x) = a.
  M |= t ≐ r iff M(t) = M(r)
Given a set Σ ⊆ L_FOL we write M |= Σ iff M |= ϕ for all ϕ ∈ Σ.

Example: FO(≤)
Monadic first-order logic of order, denoted by FO(≤), is first-order logic with the only binary symbol ≤ (except equality, which is also allowed) and, additionally, any number of unary predicates. The theory assumes that ≤ is a linear order, but nothing else.
A typical model is given by
  N = ⟨ℕ, ≤^N, P_1^N, P_2^N, ..., P_n^N⟩
where ≤^N is the usual ordering on the natural numbers and P_i^N ⊆ ℕ.
The sets P_i^N determine the timepoints where the property P_i holds.

What can we express in FO(≤)?
Can we find formulae that express that
  a property r is true infinitely often?
  r is true at all even timepoints and ¬r at all odd timepoints?
  whenever r is true, then s is true in the next timepoint?

1.3 Linear Time Logic

Reasoning about Time
  The accessibility relation represents time.
  Time: linear vs. branching.
  Reasoning about a particular computation of a system.
  Models: paths (e.g. obtained from Kripke structures)
[Figure: two path diagrams, each labelled "start"]

Temporal logic was originally developed in order to represent tense in natural language.
Within Computer Science, it has achieved a significant role in the formal specification and verification of concurrent and distributed systems.
Much of this popularity has been achieved because a number of useful concepts can be formally, and concisely, specified using temporal logics, e.g.
  safety properties
  liveness properties
  fairness properties

Typical temporal operators
  Xϕ     ϕ is true in the neXt moment in time
  Gϕ     ϕ is true Globally: in all future moments
  Fϕ     ϕ is true Finally: eventually (in the future)
  ϕ U ψ  ϕ is true Until at least the moment when ψ becomes true (and this eventually happens)

  G((¬passport ∨ ¬ticket) → X¬board_flight)
  send(msg, rcvr) → Freceive(msg, rcvr)

Safety Properties
  “something bad will not happen”
  “something good will always hold”
Typical examples:
  G¬bankrupt
  GfuelOK
  and so on ...
Usually: G¬....

Liveness Properties
  “something good will happen”
Typical examples:
  Frich
  power_on → Fonline
  and so on ...
Usually: F....

Fairness Properties
Combinations of safety and liveness possible:
  FG¬dead
  G(request_taxi → Farrive_taxi) (fairness)
Strong fairness
“If something is requested then it will be allocated”:
  G(attempt → Fsuccess),
  GFattempt → GFsuccess.
Scheduling processes, responding to messages, etc.
No process is blocked forever, etc.

Definition 1.12 (Language L_LTL [Pnueli, 1977])
The language L_LTL(Prop) is given by all formulae generated by the following grammar, where p ∈ Prop is a proposition:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ϕ U ϕ | Xϕ.
The additional operators
  F (eventually in the future) and
  G (always from now on)
can be defined as macros:
  Fϕ ≡ ⊤ U ϕ and Gϕ ≡ ¬F¬ϕ
The standard Boolean connectives ⊤, ⊥, ∧, →, and ↔ are defined in their usual way as macros.

Models of LTL
The semantics is given over paths, which are infinite sequences of states from Q, and a standard labelling function π : Q → P(Prop) that determines which propositions are true at which states.

Definition 1.13 (Path λ = q1 q2 q3 ...)
A path λ over a set of states Q is an infinite sequence from Q^ω. We also identify it with a mapping ℕ0 → Q.
  λ[i] denotes the ith position on path λ (starting from i = 0) and
  λ[i, ∞] denotes the subpath of λ starting from i (λ[i, ∞] = λ[i]λ[i + 1] ...).

Definition 1.14 (Semantics of LTL)
Let λ be a path and π be a labelling function over Q. The semantics of LTL, |=_LTL, is defined as follows:
  λ, π |=_LTL p iff p ∈ π(λ[0]) and p ∈ Prop;
  λ, π |=_LTL ¬ϕ iff not λ, π |=_LTL ϕ (we will also write λ, π ⊭_LTL ϕ);
  λ, π |=_LTL ϕ ∨ ψ iff λ, π |=_LTL ϕ or λ, π |=_LTL ψ;
  λ, π |=_LTL Xϕ iff λ[1, ∞], π |=_LTL ϕ; and
  λ, π |=_LTL ϕ U ψ iff there is an i ∈ ℕ0 such that λ[i, ∞], π |= ψ and λ[j, ∞], π |=_LTL ϕ for all 0 ≤ j < i.

Other temporal operators
  λ = q1 q2 q3 ... ∈ Q^ω
  λ, π |= Fϕ iff λ[i, ∞], π |= ϕ for some i ∈ ℕ0;
  λ, π |= Gϕ iff λ[i, ∞], π |= ϕ for all i ∈ ℕ0;

Exercise
Prove that the semantics does indeed match the definitions Fϕ ≡ ⊤ U ϕ and Gϕ ≡ ¬F¬ϕ.

[Figure: path over the states q0, q1, q2, labelled pos0, pos1, pos2]

  λ, π |= Fpos1
  λ′ = λ[1, ∞], π |= pos1
  pos1 ∈ π(λ′[0])

[Figure: path over the states q0, q1, q2, labelled pos0, pos1, pos2]

  λ, π |= GFpos1 iff
    λ[0, ∞], π |= Fpos1 and
    λ[1, ∞], π |= Fpos1 and
    λ[2, ∞], π |= Fpos1 and
    ...

Representation of paths
  Paths are infinite entities.
  They are theoretical constructs.
  We need a finite representation!
  Such a finite representation is given by a transition system or a pointed Kripke structure.

Computational vs. behavioral structure
[Figure: "System" (robots 1 and 2 and the carriage positions pos0, pos1, pos2) next to "Computational str." (states q0, q1, q2 labelled pos0, pos1, pos2)]

Computational str. / Behavioral str.
[Figure: "Computational str." (states q0, q1, q2 labelled pos0, pos1, pos2) next to "Behavioral str." (a tree rooted in q0 whose nodes are finite paths such as q0 q1, q0 q1 q1, q0 q1 q2)]

Important!
The behavioral structure is usually infinite! Here, it is an infinite tree. We say it is the q0-unfolding of the model.

Some Exercises
Example 1.15
Formalise the following as LTL formulae:
  1. r should never occur.
  2. r should occur exactly once.
  3. At least once r should directly be followed by s.
  4. r is true at exactly all even states.
  5. r is true at each even state (the odd states do not matter). Does r ∧ G(r ∧ XXr) work?

Relation to first-order logic (1)
  1. The monadic first-order theory of (linear) order, FO(≤) (see Slide 29) is equivalent to LTL.
  2. There is a translation from sentences of LTL to sentences of FO(≤) and vice versa, such that the LTL sentence is true in λ, π iff its translation is true in the associated first-order structure.

Relation to first-order logic (2)
  1. More precisely: an infinite path λ is described as a first-order structure with domain ℕ and predicates P_p for p ∈ Prop. The predicates stand for the set of timepoints where p is true. So each path λ can be represented as a structure N_λ = ⟨ℕ, ≤^N, P_1^N, P_2^N, ..., P_n^N⟩.
     Then each LTL formula φ translates to a first-order formula α_φ(x) with one free variable s.t. φ is true in λ[n, ∞] iff α_φ(n) is true in N_λ.
     And conversely: for each first-order formula with a free variable there is a corresponding LTL formula s.t. the same condition holds.

The formulae GFp, FGp
  1. What are their counterparts in FO(≤)?
  2. We will see later that FGp does not belong to CTL, but to CTL∗. It is not even equivalent to a CTL formula.
  3. However, GFp is equivalent to a CTL formula: AGAFp

Some Remarks
  1. A particular logic LTL is determined by the number n of propositional variables. Strictly speaking, this number should be a parameter of the logic. This also applies to the logics CTL and ATL.
  2. While both F and G can be expressed using U, the converse is not true: U can not be expressed by F and G.

Satisfiability of LTL formulae
A formula is satisfiable, if there is a path where it is true. Can we restrict the structure of such paths? I.e. can we restrict to simple paths, for example paths that are periodic?
  If this is the case, then we might be able to construct counterexamples more easily, as we need only check very specific paths.
  It would be also useful to know how large the period is and within which initial segment of the path it starts, depending on the length of the formula ϕ.

Satisfiability of LTL formulae (cont.)
Theorem 1.16 (Periodic model theorem [Sistla and Clarke, 1985])
A formula ϕ ∈ L_LTL is satisfiable iff there is a path λ which is ultimately periodic, and the period starts within 2^(1+|ϕ|) steps and has a length which is ≤ 4^(1+|ϕ|).
[Figure: an ultimately periodic path, with segments labelled 2^O(n) and 4^O(n)]
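
Added example (not part of the original slides): Definition 1.14 can be decided mechanically on the ultimately periodic paths that Theorem 1.16 says are sufficient, because such a path has only finitely many distinct suffixes. The tuple encoding of formulae, the Lasso class and the sample paths are assumptions of this sketch; the candidate with → for exercise 5 is constructed here and is not the authors' solution.

```python
# Added example: LTL over ultimately periodic paths (not code from the slides).
# Formula encoding (an assumption of this example): an atom is a string;
# compound formulae are ("not", f), ("or", f, g), ("X", f), ("U", f, g).

TOP = ("or", "p", ("not", "p"))                  # ⊤ := p ∨ ¬p

def Not(f): return ("not", f)
def Or(f, g): return ("or", f, g)
def And(f, g): return Not(Or(Not(f), Not(g)))    # ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)
def Implies(f, g): return Or(Not(f), g)          # ϕ → ψ := ¬ϕ ∨ ψ
def X(f): return ("X", f)
def U(f, g): return ("U", f, g)
def F(f): return U(TOP, f)                       # Fϕ ≡ ⊤ U ϕ
def G(f): return Not(F(Not(f)))                  # Gϕ ≡ ¬F¬ϕ


class Lasso:
    """The path prefix · loop^ω, given as two lists of label sets π(λ[i])."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("the periodic part must be non-empty")
        self.labels = [frozenset(s) for s in list(prefix) + list(loop)]
        self.loop_start = len(prefix)

    def succ(self, k):
        """Representative of position k + 1 (wraps back to the loop start)."""
        return k + 1 if k + 1 < len(self.labels) else self.loop_start

    def rep(self, i):
        """Representative in 0..n-1 of an arbitrary position i of the path."""
        n = len(self.labels)
        if i < n:
            return i
        return self.loop_start + (i - self.loop_start) % (n - self.loop_start)


def holds(path, formula, i=0):
    """Decide λ[i, ∞], π |= formula, clause by clause as in Definition 1.14."""
    n = len(path.labels)
    cache = {}

    def ev(f, k):
        if (f, k) in cache:
            return cache[(f, k)]
        if isinstance(f, str):
            result = f in path.labels[k]
        elif f[0] == "not":
            result = not ev(f[1], k)
        elif f[0] == "or":
            result = ev(f[1], k) or ev(f[2], k)
        elif f[0] == "X":
            result = ev(f[1], path.succ(k))
        elif f[0] == "U":
            # Only n distinct suffixes exist, so n steps visit every suffix
            # reachable from k; a witness for ψ must be among them.
            result, j = False, k
            for _ in range(n):
                if ev(f[2], j):
                    result = True
                    break
                if not ev(f[1], j):
                    break
                j = path.succ(j)
        else:
            raise ValueError(f"unknown operator: {f[0]!r}")
        cache[(f, k)] = result
        return result

    return ev(formula, path.rep(i))


# Constructed sample paths (labels only; state names are irrelevant for LTL).
CARRIAGE = Lasso([], [{"pos0"}, {"pos1"}, {"pos2"}])    # (q0 q1 q2)^ω
STUCK = Lasso([{"pos0"}, {"pos1"}], [{"pos2"}])         # q0 q1 (q2)^ω
EVEN_R = Lasso([], [{"r"}, set()])                      # r at even positions only

# Exercise 5 of Example 1.15: the formula on the slide, and a constructed
# candidate that replaces the inner ∧ by →.
SLIDE_FORMULA = And("r", G(And("r", X(X("r")))))
CANDIDATE = And("r", G(Implies("r", X(X("r")))))

if __name__ == "__main__":
    for name, path in [("CARRIAGE", CARRIAGE), ("STUCK", STUCK)]:
        print(name, "GFpos1:", holds(path, G(F("pos1"))),
              "FGpos2:", holds(path, F(G("pos2"))))
    print("EVEN_R slide formula:", holds(EVEN_R, SLIDE_FORMULA),
          "candidate:", holds(EVEN_R, CANDIDATE))
```

On EVEN_R the slide's formula fails although r holds at every even position, because G(r ∧ XXr) demands r at every position.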

1.4 Branching Time Logic

Branching Time
  CTL, CTL∗: Computation Tree Logics.
  Reasoning about possible computations of a system.
  Time is branching: We want all possible computations included!
  Models: states (time points, situations), transitions (changes). (Kripke models)
  Paths: courses of action, computations. (LTL)

  Path quantifiers: A (for all paths), E (there is a path);
  Temporal operators: X (nexttime), F (finally), G (globally) and U (until);
  CTL: each temporal operator must be immediately preceded by exactly one path quantifier;
  CTL∗: no syntactic restrictions.

Example 1.17 (Branching Time)
[Figure: Kripke structure over the states q0, q1, q2, q3, q4 with labels p and q]
In this structure, whenever p holds at some timepoint, then there is a path where q holds in the next step and there is (another) path where ¬q holds in the next step. And this holds along all paths (there are three infinite paths).

Definition 1.18 (L_CTL∗ [Emerson and Halpern, 1986])
The language L_CTL∗(Prop) is given by all formulae generated by the following grammar:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | Eγ
where
  γ ::= ϕ | ¬γ | γ ∨ γ | γ U γ | Xγ
and p ∈ Prop. Formulae ϕ (resp. γ) are called state (resp. path) formulae.
We use the same abbreviations as for L_LTL:
  λ, π |= Fϕ iff λ[i, ∞], π |= ϕ for some i ∈ ℕ0;
  λ, π |= Gϕ iff λ[i, ∞], π |= ϕ for all i ∈ ℕ0;

  The L_CTL∗-formula EFϕ, for instance, ensures that there is at least one path on which ϕ holds at some (future) time moment.
  The formula AFGϕ states that ϕ holds almost everywhere. More precisely, on all paths it always holds from some future time moment.
  L_CTL∗-formulae do not only talk about temporal patterns on a given path, they also quantify (existentially or universally) over such paths.
  The logic is complex! For practical purposes, a fragment with better computational properties is often sufficient.

Definition 1.19 (L_CTL [Clarke and Emerson, 1981])
The language L_CTL(Prop) is given by all formulae generated by the following grammar, where p ∈ Prop is a proposition:
  ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | E(ϕ U ϕ) | EXϕ | EGϕ.
We introduce the following macros:
  Fϕ ≡ ⊤ U ϕ,
  AXϕ ≡ ¬EX¬ϕ,
  AGϕ ≡ ¬EF¬ϕ, and
  Aϕ U ψ ≡ . . . Exercise!

For example, AGEXp is a L_CTL-formula whereas AGFp is not.

Example 1.20 (CTL∗ or CTL?)
Are the following CTL∗ or CTL formulae? What do they express?
  1. EFAXshutdown
  2. EFXshutdown
  3. AGFrain
  4. AGAFrain (Is it different from (3)?)
  5. EFGbroken
  6. AG(p → (EXq ∧ EX¬q))

The precise definition of Kripke structures is given in Section 4. To understand the following definitions it suffices to note that:
  Given a set of states Q (each is a propositional model), a Kripke model M is simply a tuple (Q, R) where R ⊆ Q × Q is a binary relation.
  q1 R q2 (also written (q1, q2) ∈ R or R(q1, q2)) means that state q2 is reachable from state q1 (by executing certain actions).
  The relation R is serial: for all q there is a q′ such that q R q′. This ensures that our paths are infinite.
  Given a state q in a Kripke model, by Λ(q) we mean the set of all paths determined by the relation R starting in q: q, q1, q2, ..., qi, ... where q R q1, ..., qi R q(i+1), ...

Definition 1.21 (Semantics |=_CTL∗)
Let M be a Kripke model, q ∈ Q and λ ∈ Λ. The semantics of L_CTL∗- and L_CTL-formulae is given by the satisfaction relation |=_CTL∗ for state formulae by
  M, q |=_CTL∗ p iff λ[0] ∈ π(p) and p ∈ Prop;
  M, q |=_CTL∗ ¬ϕ iff M, q ⊭_CTL∗ ϕ;
  M, q |=_CTL∗ ϕ ∨ ψ iff M, q |=_CTL∗ ϕ or M, q |=_CTL∗ ψ;
  M, q |=_CTL∗ Eϕ iff there is a path λ ∈ Λ(q) such that M, λ |=_CTL∗ ϕ;

and for path formulae by:
  M, λ |=_CTL∗ ϕ iff M, λ[0] |=_CTL∗ ϕ;
  M, λ |=_CTL∗ ¬γ iff M, λ ⊭_CTL∗ γ;
  M, λ |=_CTL∗ γ ∨ δ iff M, λ |=_CTL∗ γ or M, λ |=_CTL∗ δ;
  M, λ |=_CTL∗ Xγ iff λ[1, ∞], π |=_CTL∗ γ; and
  M, λ |=_CTL∗ γ U δ iff there is an i ∈ ℕ0 such that M, λ[i, ∞] |=_CTL∗ δ and M, λ[j, ∞] |=_CTL∗ γ for all 0 ≤ j < i.
Is this complicated semantics over paths necessary for CTL?

State-based semantics for CTL
  M, q |=_CTL p iff q ∈ π(p);
  M, q |=_CTL ¬ϕ iff M, q ⊭_CTL ϕ;
  M, q |=_CTL ϕ ∨ ψ iff M, q |=_CTL ϕ or M, q |=_CTL ψ;
  M, q |=_CTL EXϕ iff there is a path λ ∈ Λ(q) such that M, λ[1] |=_CTL ϕ;
  M, q |=_CTL EGϕ iff there is a path λ ∈ Λ(q) such that M, λ[i] |=_CTL ϕ for every i ≥ 0;
  M, q |=_CTL Eϕ U ψ iff there is a path λ ∈ Λ(q) such that M, λ[i] |=_CTL ψ for some i ≥ 0, and M, λ[j] |=_CTL ϕ for all 0 ≤ j < i.

LTL as subset of CTL∗
  LTL is interpreted over infinite chains (infinite words), but not over (serial) Kripke structures (which are branching).
  To consider LTL as a subset of CTL∗, one can just add the quantifier A in front of a LTL formula and use the semantics of CTL∗. For infinite chains, this semantics coincides with the LTL semantics.
  The theorem of Clarke and Draghicescu gives a nice characterization of those CTL∗ formulae that are equivalent to LTL formulae. Given a CTL∗ formula ϕ, we construct ϕ′ by just forgetting all path operators. Then
    ϕ is equivalent to a LTL formula
    iff
    ϕ and Aϕ′ are equivalent under the semantics of CTL∗.

Application of Clarke and Draghicescu
We consider the LTL formula GFp. Viewed as a CTL∗ formula it becomes AGFp. But this is equivalent (in CTL∗) to AGAFp, a CTL formula.
Now we consider the CTL formula EGEFp. It is not equivalent to any LTL formula. This is because
  EGEFp and AGFp
are not equivalent in CTL∗:
[Figure: Kripke structure over the states q0, q1, q2 with label p]
The first formula holds, the second does not.
1 Linear and Branching Time 1 Linear and Branching Time
1.4 Branching Time Logic 1.4 Branching Time Logic
LTL as subset of CTL∗ (2)
How do LTL and CTL compare?
The CTL formula AG(p → (EXq ∧ EX¬q)) describes Kripke structures of the form in Example 1.17. No LTL formula can describe this class of Kripke structures.
The LTL formula AF(p ∧ Xp) can not be expressed by a CTL formula. Check why neither AF(p ∧ AXp) nor AF(p ∧ EXp) are equivalent. Similarly, the LTL formula AFGp can not be expressed by a CTL formula.
There is a syntactic characterisation of formulae expressible in both CTL and LTL. Model checking in this class can be done more efficiently. We refer to [Maidl, 2000].

Example 1.22 (Robots and Carriage)
Two robots push a carriage from opposite sides.
Carriage can move clockwise or anticlockwise, or it can remain in the same place.
3 positions of the carriage.
We label the states with propositions pos0, pos1, pos2, respectively, to allow for referring to the current position of the carriage in the object language.
Figure 1: Two robots and a carriage.
Figure 2: Two robots and a carriage: A schematic view (left) and a transition system M0 that models the scenario (right). [Figure: states q0, q1, q2 labelled pos0, pos1, pos2.]

M0, q0 |=CTL EFpos1: In state q0, there is a path such that the carriage will reach position 1 sometime in the future.
The same is not true for all paths, so we also have: M0, q0 ⊭CTL AFpos1.
It becomes more interesting if abilities of agents are considered: ATL.
Example: Rocket and Cargo
A rocket and a cargo.
The rocket can be moved between London (proposition roL) and Paris (proposition roP).
The cargo can be in London (caL), Paris (caP), or inside the rocket (caR).
The rocket can be moved only if it has its fuel tank full (fuelOK).
When it moves, it consumes fuel, and nofuel holds after each flight.

Example: Rocket and Cargo
[Figure: transition system with states 1 to 12. States 1-4 are labelled caL, 5-8 caR, 9-12 caP; within each row the four states are labelled roL nofuel, roL fuelOK, roP nofuel, roP fuelOK, in that order.]
roL → E♦roP
AG(roL ∨ roP)
roL → AX(roP → nofuel)
Example: Rocket and Cargo
[Figure: the rocket and cargo transition system with states 1 to 12.]
E♦caP

In our logics, we assumed a serial accessibility relation: no deadlocks are possible.
One can also allow states with no outgoing transitions. In that case, in the semantical definition of E on Slide 65 one has to replace “there is a path” by “there is an infinite path or one which can not be extended”. Similar modifications are needed in the definition of CTL.
One can also add to each state with no outgoing transitions a special transition leading to a new state that loops into itself.
How to express that there is no possibility of a deadlock?
AGX (CTL∗), AGEX (CTL)
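The checks discussed on these slides, as an added example that is not part of the original course material: a small explicit-state CTL labelling procedure run on M0 from Example 1.22 (EF pos1 versus AF pos1), on a structure separating EGEFp from AGAFp, and on a structure with a dead end. Assumptions: M0's transitions are read off the sentence that the carriage can stay or move in either direction, the structures K and DEAD are constructed here and are not the slides' figures, and the deadlock formula is read as AG EX true.

```python
# Added example (not from the slides): explicit-state CTL labelling.
def fixpoint(step, sat):            # iterate step until the state set is stable
    while (new := step(sat)) != sat:
        sat = new
    return sat

class Kripke:
    def __init__(self, trans, labels):
        self.trans = trans          # state -> set of successor states
        self.labels = labels        # state -> set of atomic propositions
        self.states = set(trans)

    def atom(self, p):
        return {s for s in self.states if p in self.labels[s]}

    def ex(self, f):                # EX f: some successor satisfies f
        return {s for s in self.states if self.trans[s] & f}

    def eu(self, f, g):             # E[f U g]: least fixpoint grown from g
        return fixpoint(lambda s: s | (f & self.ex(s)), set(g))

    def eg(self, f):                # EG f: greatest fixpoint shrunk from f
        return fixpoint(lambda s: s & self.ex(s), set(f))

    def ef(self, f):                # EF f == E[true U f]
        return self.eu(self.states, f)
    def af(self, f):                # AF f == not EG not f
        return self.states - self.eg(self.states - f)
    def ag(self, f):                # AG f == not EF not f
        return self.states - self.ef(self.states - f)

# M0 (Example 1.22). Assumed transitions: stay, clockwise or anticlockwise.
M0 = Kripke({q: {"q0", "q1", "q2"} for q in ("q0", "q1", "q2")},
            {"q0": {"pos0"}, "q1": {"pos1"}, "q2": {"pos2"}})

# Constructed structures (not the slides' figures): K separates EG EF p from
# AG AF p; DEAD has a state (q2) without outgoing transitions.
K = Kripke({"q0": {"q0", "q1"}, "q1": {"q2"}, "q2": {"q2"}},
           {"q0": set(), "q1": {"p"}, "q2": set()})
DEAD = Kripke({"q0": {"q1"}, "q1": {"q0", "q2"}, "q2": set()},
              {"q0": set(), "q1": set(), "q2": set()})

def deadlock_free(m, init):
    """AG EX true at init: every state reachable from init has a successor."""
    return init in m.ag(m.ex(m.states))

if __name__ == "__main__":
    print("q0" in M0.ef(M0.atom("pos1")), "q0" in M0.af(M0.atom("pos1")))
    print(deadlock_free(M0, "q0"), deadlock_free(DEAD, "q0"))
```

The eg fixpoint follows the serial (infinite-path) semantics, so on DEAD only the reachability-based deadlock check is meaningful unless the dead end is first given the self-looping sink state described above.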
A Venn diagram showing typical formulae in the respective areas.
2. Cooperative Agents
Alternating-Time Temporal Logics
Imperfect Information