Model checking of causal knowledge formulas

URL: http://www.elsevier.nl/locate/entcs/volume28.html 19 pages

Model checking of causal knowledge formulas 1 Wojciech Penczek Institute of Computer Science Polish Academy of Sciences 01-237 Warsaw, ul. Ordona 21 POLAND, email: [email protected]

Stanislaw Ambroszkiewicz Institute of Computer Science Polish Academy of Sciences 01-237 Warsaw, ul. Ordona 21 POLAND, email: [email protected]

Abstract

A model checking algorithm for a variant of the temporal logic of causal knowledge
25] is given. The temporal language is interpreted over labelled prime event structures. Knowledge operators express agents' history knowledge and the knowledge acquired about other agents. The temporal modalities correspond to the immediate causality and causality. For systems represented by deterministic Asynchronous Automata we prove that the complexity of the model checking algorithm for formula O (N 3 logN ) ' over automaton A of N -agents is j'j
jAj
jGAj
2 , where jGA j is the size of the global state space of A and A is the alphabet of actions. Partial order reductions are used in order to make the model checking algorithm more e cient.

1 Introduction

In the theory of distributed systems, knowledge formulas are usually interpreted over innite linear or branching runs of global states of the systems 12,13,11,16,26,27]. It is clear that capturing changes in state due to actions is crucial for successful modeling of knowledge. While these changes are usually present in the frames, logical formalisms quite rarely incorporate them. One of the reasons is that when actions are incorporated into global state formalisms, 1

Partly supported by Esprit under the grant No. 20288 CRIT-2.

c 2000 Published by Elsevier Science B. V.

Penczek and Ambroszkiewicz

this leads to high undecidability 17,16]. In 25], Penczek considers a temporal logic of causal knowledge interpreted over a variant of ow event structures. The logic is decidable, possesses a complete axiomatization and incorporates changes in state due to actions. Therefore, there is an important reason to develop semantic models for multi-agent systems based on event structures 3]. Classical denitions of knowledge are built on global states and global time, see Aumann 4], and Halpern et al. 11]. The consequence of that denition is logical omniscience of the agents and an arbitrarily deep nesting of knowledge operators, that is, formulas under consideration are of the form: agent i1 knows that agent i2 knows that ... that agent in knows that event e occurred. This very omniscience is frequently regarded as a drawback especially if agent is to be modeled to take decisions in real time. Moreover, when modeling such an agent it turns out that the representation of the whole world must to be put into the "brain" of the agent, see the concept of BDI-agent of Rao & George 27]. This is acceptable if the world is small, say up to ten agents and several hundreds of decision nodes (global states), but if the world is getting larger then it is computationally unrealistic do deal with such a model 1]. Hence, if the world is large and/or what is even worse, the world is "open," then the classical notion of knowledge remains only an elegant theoretical notion. Our alternative proposal to the classical notion of knowledge of Aumann, Halpern et al. is acquisition of knowledge by the agents (initially they may know almost nothing) via communication in environment (possibly "open") with local interactions instead of logical omniscience and arbitrary deep nesting of knowledge operator. In our denition, knowledge of each agent is about the most recent events of the other agents, which occurred in his past. A similar idea of dening knowledge has been already explored by Ramanujam 26], who considers two logics of knowledge interpreted on Synchronization Knowledge Transition Systems (SKTS) and their linear partial order runs, and indirectly in 15]. In addition to the advantage of having a very intuitive and "practical" notion of knowledge, there are two more important reasons for investigating knowledge in the framework of partial order models of local states:
there is no distinction between computations that are equivalent with respect to the ordering of independent operations, which makes it a natural framework,
using local state based interpretations allows for ecient methods of alleviating the state explosion problem in verication 24,21]. Model checking is one of the most successful methods of automatic verication of program properties. A model-checking algorithm decides whether a nitestate distributed system satises its specication, given as a formula of a temporal logic 7,14]. In this paper we address a model checking problem of a variant of the temporal logic of knowledge suggested in 25]. 2

Penczek and Ambroszkiewicz

So far model checking algorithms have been given for several temporal logics of multi-agent systems interpreted on global states 9,6]. The rst model checking algorithm for a temporal logic of knowledge on local states has been suggested by Ramanujam 26]. Our frames are dened as labelled prime event structures including branching runs of Petri Nets 8], and branching partial order runs of SKTS's. In this respect they are close to the models used by Huhn and al. 22], who consider model checking algorithm of temporal logic of communicating sequential agents 15]. Our method of model checking enjoys the following important features:
We do not use unfoldings, but exploit the partial order reduction method 24].
Our nite representations of multi-agent systems are dened as quotient structures of the base models, where the equivalence relation depends on the interpretation of the knowledge operators.
We use the gossip asynchronous automaton in order to obtain quotient structures of our models. The technique of applying the Gossip automaton is used for the rst time for model checking of a branching time temporal logic. So far it has been successfuly applied for partial order temporal logics of linear time for Mazurkiewicz traces 20]. The main contribution of this paper relies on suggesting for the rst time, a model checking algorithm of feasible complexity for a branching time temporal logic of causal knowledge. Moreover, our temporal logic of knowledge can be used for specifying open multi-agent systems, where the agents do not have information about the whole system, i.e., they do not know the number of the other agents, their possible local states, and their alphabets of actions. The agents acquire their knowledge gradually by getting informations from other agents during execution of synchronization actions. Thanks to the restriction on nesting knowledge operators and exploiting the notion of a gossip automaton, we obtain a nice upper bound on the complexity of the model checking problem. The rest of the paper is organized as follows. In section 2 labelled branching synchronization structures are introduced. Section 3 contains denition of history memory and knowledge acquisition. Temporal logic of causal knowledge is dened in section 4. Model checking is explained in section 5. The case when systems are represented by deterministic asynchronous automata is presented in section 6. Partial order reductions are described in section 7. Conclusions are given in section 8. 2 Labelled branching synchronization structures

We start with a denition of general partially ordered structures, which are used for representing behaviours of multi{agent systems. 3

Penczek and Ambroszkiewicz

De
nition 2.1 Winskel 28]]

A labelled prime event structure (lpes, for short) is a 6-tuple R = (E
A
!
#
k
l), where (i) E is a nite set, called a set of events or action occurrences, (ii) A is a nite set, called a set of actions, (iii) ! E  E is an irre exive, acyclic relation, called the immediate causality relation such that # e def = fe0 2 E j e0  eg is nite for each e 2 E , def  where  = ! is the re exive and transitive closure of !, (iv) #  E  E is a symmetric, irre exive relation, called con ict relation, such that #    # (called con ict preservation), (v) k = (E  E ) n (  1  #), is called the concurrency relation, (vi) l : E ! A is a labelling function, The lpes's represent behaviours of multi-agent systems by taking occurrences of actions as the starting point. Every occurrence of an action is modelled as a separate event a labelling function indicates which action is represented. Three relations are provided that capture, respectively, the causality, con ict and concurrency relationship between events. In order to keep our approach as general as possible, but to be able to introduce knowledge operators, we assume that N is a nite number of agents and stick to the following interpretation of E : E = E1  : : :  EN , where Ei is a set of events of agent i, for 1  i  N . Obviously, we assume that (Ei  Ei) \k = , which corresponds to the fact that the events of each agent cannot be concurrent. This, in fact, means that they are either causally related or in con ict. Since events can be joint, for each event e 2 E let agent(e) = fi 2 SN j e 2 Eig be the set of agents to whom e belongs. Moreover, let Ai = e2E l(e) for 1  i  N be the set of actions of agent i and agent(a) = fi 2 N j a 2 Aig be theSset of agents to whose actions a belongs. Analogously, for B  A agent(B ) = a2A agent(a). We assume that the causal relationship between events of dierent agents is introduced by joint events, i.e., for each two events e
e0 2 E , e ! e0 implies agent(e) \ agent(e0 ) 6= . This is a very natural assumption for systems with synchronous communication. We dene the dependency relation D  A  A such that (a
b) 2 D i a
b 2 Ai for some i 2 N . De
nition 2.2 Let R be a labelled prime event structure.
X  E is left-closed in R if for all e 2 X , d 2 E : if d < e, then d 2 X . X  E is con ict-free if (X  X ) \ ] = .
A nite, left-closed, con ict-free subset of E is called a conguration of R.
Let Conf (R) denote the set of all congurations of R. Let c 2 Conf (R). By Max(c) we mean the set of maximal events in c w.r.t. ! and by Maxi(c) the maximal event in c \ Ei. Dene !  Conf (R)  4 i

Penczek and Ambroszkiewicz

a c0 i there is e 2 E with c0 = c  feg, e 62 c, and A  Conf (R) such that c ! S l(e) = a. Let agent(c) = e2Max c agent(e) be the set of names of agents, whose events are maximal in c. A conguration c is local if jMax(c)j = 1, and c is i-local when additionally i 2 agent(c). Let Lconf (R) denote the set of all local congurations (l-conguration, for short) of R, whereas Lconfi (R) ( )

denote the set of all i-local congurations. For a conguration c, let the i-view at c be given by: #i c =# (c \ Ei). It is easy to show that the i-view at c is the maximal i-local conguration contained in c. Notice that each local conguration c can be identied with its maximal event Max(c), i.e., c = # Max(c). Therefore, we frequently use events for referring to the corresponding local congurations. Notice that for each conguration structure (Conf (R)
!) the lpes R is isomorphic to (E 0
A
!0
#0
k0
l0 ), where
E 0 = Lconf (R),
e !0 e0 i e ! e0 and (e ! e00 ! e0 implies e = e00 or e0 = e00 ), for each e00 2 E 0,
e#0 e0 i there is no c 2 Conf (R) with e ! c and e0 ! c,
eke0 i e
e0 are not ordered by !0 and there is c 2 Conf (R) with e ! c and e0 ! c, a
l(e) = a i there is c 2 Conf (R) such that c ! e. Let EN = f(e
i) 2 E  N j i 2 agent(e)g denote the set of local state occurrences (lso's, for short), i.e., (e
i) represents the lso of agent i reached after executing event e. Since our language is to be interpreted over lso's rather than over events, so for each lpes we dene the corresponding lso-structure. De
nition 2.3 lso-structure] Let R = (E
A
!0
#0
k0
l0 ) be a lpes. The corresponding lso structure is dened as S = (EN
A
!
#
k
l ), where (i) (e
i) ! (e0
j ) i e !0 e0 and i 2 agent(e0 ), (ii) (e
i) # (e0
j ) i e#0e0 , (iii) (e
i)k(e0
j ) i :(e
i)#(e0
j ) _ (e
i) ! (e0
j ) _ (e0
j ) ! (e
i)], (iv) l : EN ! A such that l(e
i) = l0 (e), for each (e
i) 2 EN . The above denition needs some explanation. Intuitively, for two lso's (e
i) ! (e0
j ) if (e
i) is one of the starting lso's of event e0 . Notice that it follows from the denition that (e
i) k (e0
j ) i i 6= j and (i) ek0e0 or (ii) e = e0 and i 6= j or (iii) e !0 e0 and :((e
i) ! (e0
j )) or (iv) e0 !0 e and :((e0
j ) ! (e
i)). Intuitively, two lso's are concurrent if they can be reached by the system at the 5

Penczek and Ambroszkiewicz @

1

2

(e1,1)

(e1,2)

l(e1) = @ l(e2) = a

c

a

f

d

b

l(e3) = b

(e3,2)

(e2,1)

g

l(e4) = c

3

4

(e5,2)

(e4,1) (e5,1)

l(e5) = e

(e6,2)

l(e6) = d l(e7) = f

(e8,2)

(e7,1) e

l(e8) = g

5

6

agent 1

. (e9,1) . . . .

agent 2

l(e9) = a

(e10,2) . . . . .

l(e10) = b

Fig. 1. Petri Net together with the corresponding lso-structure

same time. According to the denition two lso's ( ) ( ) are in the relation k if they correspond either to the same event (then = ) or to concurrent events, or to causally related events ( ) ( ), which are not comparable by ! . Notice that ! i (9 2 ) : ( ) ! ( )). Consider the lso structure corresponding to the two synchronizing agent system represented by the Petri Net in Figure 1. We have added two starting lso's corresponding to an articial action @ putting tokens to the places 1 and 2. The agents can synchronize by executing the joint action . The immediate causality relation is marked by the arrows, the concurrency relation by the dotted lines, whereas the con ict relation is not marked. Note that there is the following correspondance between lso's and local states (places) of the Petri Nets: ( 1 1) { 1, ( 1 2) { 2, ( 2 1) { 3, ( 3 2) { 4, ( 4 1) { 1, ( 5 1) { 5, ( 5 2) { 6, etc. 0

e
i


e
j

e

e
i




e

0

e

0

k
j

N

e

0

0

e
j



e
k

0

e
j

e

e


e


e


e


e


e


e


3 History memory and knowledge acquisition In this section we suggest two general denitions of agents' knowledge corresponding to his remembered local history and information about other agents. Then, we give some specic examples of each of these notions, which are of our interest for verifying multi-agent systems. De
nition 3.1 Agent 's history memory function is dened as i : i ! 2E i . The intuition behind the above denition is that i( ) gives all the lso's of agent , which cannot be dierentiate with ( ) by agent w.r.t. the remembered history. Example 3.2 Below, we give two simple examples of specic denitions of history memory functions: 6 i

E

i f g

e

i

e
i

i

Penczek and Ambroszkiewicz

= f( 0 ) 2 i  f g j ( ) = ( 0)g, i.e., agent remembers only the label of the most recently executed event, 0 0 2
i ( ) = f( ) 2 i  f g j the local state corresponding to ( ) is the same as the one corresponding to ( )g, i.e., agent remembers his most recent local state. In what follows, we consider i( ) = 1i ( ) \ 2i ( ). For our example of Fig.1: g. 1 ( 2) = f( 2 1) ( 9 1)


i (e) 1

e
i

e

E

e
i

i

E

l e

l e

i

i

e
i

e
i

e





e


e

e

e

e

i


:::

De
nition 3.3 Agent 's knowledge acquisition function is dened as E

E i ! 2 N .

i

i

K

:

There are two possible interpretations of the expression i ( ) = . (i) The lso's of occurred in the past of . This is a kind of knowledge, which ts to the open and closed multi-agent systems. In this paper we give a model checking algorithm for the temporal language with a knowledge operator corresponding to this kind of knowledge. (ii) Agent considers the lso's of as possible locations for the other agents. This is a kind of knowledge, which ts only to closed multi-agent systems since the agent has to know all the possible lso's of the other agents. The temporal logic with a knowledge operator corresponding to this kind of knowledge has been axiomatized in 25]. K

B

i

e

B

e

B

Example 3.4 Below, we give two examples of specic denitions of knowledge acquisition functions:
K 1 (e) = f(M ax(#j # e)
j ) 2 EN j j 2 N g - the most recent causal i knowledge, agent i knows the most recent lso's of the other agents occurring in his past. Notice that the knowledge about the most recent lso of agent j could be acquired either by direct synchronization with agent j or by a synchronization with another agent who has had this knowledge. For our example of Fig.1.: K1 (e7) = f(e7
1)
(e5
2)g, K2 (e8) = f(e8
2)
(e5
1)g.
K 2 (e) = f(e0
j ) 2 EN j (e
i)k(e0
j )g - the causal knowledge, agent i i knows the concurrent lso's of the other agents. This knowledge is obtained by substracting from all the possible lso's of the other agents the lso's, which are causally dependent or in con ict. For our example of Fig.1.: K1 (e7) = f(e5
2)
(e8
2)
: : :g.

4 Temporal logic of causal knowledge In this section we introduce the language of temporal logic of causal knowledge. We will use operators corresponding to the relations !, , h, and a . 7

Penczek and Ambroszkiewicz

4.1 Syntax Let PV = fp1
p2
: : :g  fi j i 2 N g be a countable set of propositional variables including propositions corresponding to the agents' numbers. The logical connectives : and ^, as well as modalities 2 (causally always),  (all causally next), and epistemic modalities Kh (history knowledge operator) and Ka (acquired knowledge operator) will be used. The set of temporal and epistemic formulas is built up inductively: E1. every member of PV is a temporal formula, E2. if  and  are temporal (epistemic) formulas, then so are : and  ^  , E3. if  is a temporal (epistemic) formula, then so are 2  and  , K4. if  is a temporal formula, then Kh and Ka are epistemic formulas. Notice that epistemic modalities cannot be nested. This means that reasoning on knowledge about knowledge of other agents is not allowed. The restriction allows to keep the complexity of the model checking algorithm polynomial in the size of the model. The following derived logical connectives and modalities are dened:  _  def = :(: ^ : ) (standard) def  )  = : _  (standard) 3  def = : 2 : (causally sometimes) def   = :  : (some immediately causal) def 9Kh = :Kh: (some h-indistinguishable) 9Ka def= :Ka: (some a-indistinguishable) 4.2 Semantics Frames are based on lso-structures extended with the indistinguishability relations, induced by the functions Ki and i. De
nition 4.1 frame]

Let (EN
A
!
#
k
l) be the lso-structure corresponding to a lpes. A structure F = (EN
!
h
a ) is a frame, where
h  EN  EN is a relation, called history indistinguishability relation such that (e
i) h (e0
i) i (e0
i) 2 i (e).
a  EN  EN is a relation, called indistinguishability relation such that (e
i) a (e0
j ) i (e0
j ) 2 Ki(e).

The relation h represents the ignorance of each agent about his local histories, whereas a represents the knowledge of each agent about other agents. 8

Penczek and Ambroszkiewicz

M = ( ), where : N ! 2PV is a valuation function such that 2 (( )), for each ( ) 2 N and 2 .

De
nition 4.2 A model is a tuple V




F
V

F

is a frame and

E

i

V

e
i

e
i

E

i

PV

Let M = ( ) be a model, where = ( ! h a ), and 2 be a state, and be a formula. M j= denotes that the formula is true at the state in the model M (M is omitted, if it is implicitly understood). This notion is dened inductively as follows: E1. j= i 2 ( ), for 2 , E2. j= : i not j= , j= ^ i j= and j= , E3. j= 2 i (8 0 2 ) ( ! 0 implies 0 j= ), j=  i (8 0 2 ) ( ! 0 implies 0 j= ), Kh. j= h i (8 0 2 ) ( h 0 implies 0 j= ). Ka. j= a i (8 0 2 ) ( a 0 implies 0 j= ). Below, we give three examples of knowledge involved properties in addition to various temporal properties, which can be expressed in our language:
2 - holds in all the states (safety),
 - holds in all the next states,
3 - is possible in the causal future,
 - is possible in the next step,
^ h( ) 3 ) - if agent knows about himself, then is possible in the causal future.
a )  - if agent knows about the other agents, then holds in a next step.
^ a( ) ) ) ( ^ ) - agent can perform an action from his lso leading to state satisfying if he knows that formula holds for agent . F
V

F




s

S








s



S



s

s

p

s

p



s



s

p

s



s





s



PV

s

S

s



s

S

s

s

s

s

s





s

K 

s

S

s

s

s



s

K 

s

S

s

s

s



















K



K 

i

s



s

i

V

K



i



j









i





i





j

5 Model checking

Since we are interested in verifying properties of open multi-agent systems we consider model checking of the language, where a has the most recent causal knowledge semantics. For h we assume that it is induced by i, which does not distinguish between lso's corresponding to the same actions and the same local states (see Section 3). Let the set of local states of each agent be denoted by i, the set of global states = 1   N , and : ! be the function assigning to each conguration the corresponding global state of the system, i.e., the N-tuple of local states. In order to develop an automated model checking procedure, we rst have to restrict the class of models to nitely representable 9 i

Glob

S

:::

S

M

C onf

S

Glob

Penczek and Ambroszkiewicz

ones. De
nition 5.1



equivalence relation c




0

c , then


if

nitely representable

is

i there is an

on congurations of F of the nite index such that if

M c

c and c c

)

F
V

( ) = ( 0)

M c


if



M=(

Model

! a

0

( ) = ( 0 ),

are local, then V c

V

c

0 c1 , then there is c1 such that

c

0

!a 2

0

c1 and c1



0

c1 .

Moreover, we assume that for each the valuation function assigns the same propositions to the lso's of agent corresponding to the same global states, i.e., for each 0 2 i if (# ) = (# 0 ), then ( ) = ( 0 ). For two global states 1 2 dene a 1  2 i there are 1 2 2 with ( 1 ) = 1 , ( 2 ) = 2 , and 1 ! 2 . Let M = ( ) be a nitely representable model, where is the frame corresponding to a lpes R, and is a formula. The model checking problem is to establish whether M j= ? The idea is to represent model M by a nite structure M, which preserves the validity of the formulas. Then, model checking is reduced to the standard model checking of a modal logic over a nite model M. To this aim two problems have to be solved. The rst one is the denition of an equivalence relation on M, which equivalence classes are the states of M (unfortunately,  is not strong enough). The second one is an eective algorithm for building the quotient structure. We show that partial order reductions can be applied to meet this aim. It has been already mentioned that each local conguration can be identied with the event ( ). Therefore, we sometimes refer to lso's ( ) by ( ), where =# , rather than by ( ( ) ). Next, we dene an equivalence relation, which preserves the formulas of our language. For technical reasons, the equivalence is dened for all the congurations. i

N

V

i

e
e

E

M

e

M

M
M

M c

M

M c

M

M

c

e

V

e
i

V

a > M

c
c

e
i

C onf

c

F
V

F





F

F

F

c

M ax c

c
i

c

e
i

e

M ax c
i

De
nition 5.2

Dene two functions:




Glob




g : C onf fl : C onf

f

!  2A ! "Ni (  2A) l ( ) = ( g ( ) g (#

such that f

=0

c

such that f

Glob f

c
f

1

( )) c

g (c) = (M (c)
l(M ax(c)),


:::
f

#

g( N

0

( ))). c

Two congurations c and c are said to be:

globally equivalent (written, g 0 ) i g ( ) = g ( 0 ).
locally equivalent (written, l 0 ) i l ( ) = l ( 0 ). Intuitively, two congurations are globally equivalent if they correspond to the same global states and the maximal events have the same labels. Two congurations are locally equivalent if in addition all their i-views are globally equivalent. The following theorem follows from the main result in 24].


c

c

c

c

f

f

10

c

c

f

f

c

c

Penczek and Ambroszkiewicz

Theorem 5.3 Let c
c be i-local congurations such that c g c . Then, M
(c
i) j=  i M
(c
i) j= , for each temporal formula . Notice that in 24] formulas are assigned to the local congurations c 2 0

0

0

Lconf rather than to the lso's, but the idea of the above proof is exactly the

same. The next theorem is the basis for our model checking algorithm. Theorem 5.4 Let c
c be i-local congurations such that c l c . Then, the following conditions hold: 1) M
(c
i) j= Kh  i M
(c
i) j= Kh , for each temporal formula . 2) M
(c
i) j= Ka  i M
(c
i) j= Ka , for each temporal formula , Proof. The proof of condition 1) is straightforward. 2) Let c l c . We show that for each lso (d
j ) s.t. (c
i) a (d
j ) there is (d
j ) s.t. (c
i) a (d
j ) and d g d . Assume that for some (d
j ), (c
i) a (d
j ). Then, d =#j c. So, we put d =#j c . Note that it follows from the denition of l that d g d . 2 0

0

0

0

0

0

0

0

0

0

0

0

Having the above theorem, one might think that relation l could be used to obtain the (nite) quotient structure of M. Unfortunately, this is not the case. The problem is that it is not possible to decide for c] and c ] whether a c ] ! c] for some a 2 A. This follows from the fact that c] does not have enough information to calculate c  feg] for l(e) = a. To explain why this is so, let fl (c) = ((Mg
Ag )
(M1
A1)
: : :
(MN
AN )). Let a be an operation enabled at c and c = c  feg with l(e) = a. Then, one can easily compute the result of executing a at Mg , but it is not possible to compute the result of executing a at Mi and Mj , when i
j 2 agent(a) and Mi and Mj dier at some local state k 62 fi
j g. Then, we do not know whether the most recent event of agent k in #i c =#j c should be taken from Mi or Mj . The solution to this problem is to add this information to the equivalence class of c. This is what the gossip automaton (19]) does. In the next section we show how to use the gossip automaton to dene nite quotient structures, which preserve the formulas of our language. 0

l

l

l

l

l

l

0

0

0

6 Systems represented by deterministic AA's In this section we assume that a nite representation of our model M is given by a deterministic asynchronous automaton A extended with a valuation function. It has been shown by Mukund and Sohoni 19] that it is possible to dene constructively a deterministic asynchronous automaton (called gossip), which keeps track about the latest information the agents have about each other. Therefore, the quotient structure is obtained as the global state space of the automaton B being a product of A and the gossip automaton G . In order to eliminate not-necessary equivalence classes of non-local congurations, the 11

Penczek and Ambroszkiewicz

partial order reduction method is used while building the global state space of the automaton B (see the next section). We start with dening asynchronous automata. Let Proc = f1
: : :
N g. De
nition 6.1 An asynchronous automaton (AA) over a distributed alphabet a (A1
: : :
AN ) is a tuple A = (fSigi2Proc
f!g a2A
S
fSiF gi2Proc ), where
Si is a set of local states of process i, a
! Sagent a  Sagent a , where Sagent a = "i2agent a Si,
S  GA = "i2Proc Si is the set of initial states,
SiF  Si is the set of nal states of process i, for each i 2 Proc. We will deal with deterministic AA's extended by valuation functions V : Glob ! 2fp1
p2
:::g. For a global state g 2 GA and K  Proc by g jK we mean the projection of g to the local states of processes in K . Let )A GA  A  GA be athe transition relation in the global state space GA dened as follows: a 0 0 g )A g i (g jagent a
g jagent a ) 2! and g jProcnagent a = g0 jProcnagent a . An execution sequence w = a : : : an 2 A of A is a nite sequence of actions s.t. there is a sequence ofa global states  = g g g : : : gn of A with g 2 S , gn 2 "i2ProcSiF , and gi )A gi , for each i < n. A word w is said to be accepted by A if w is an execution sequence of A. In order to dene the lso-structure semantics of automaton A, we rst dene the conguration structure CS = (Conf (A)
!) corresponding to A. Then, the lpes and the lso-structure is induced by CS . Since A is deterministic, the congurations of CS can be represented by Mazurkiewicz traces 18]. 0

( )

( )

( )

( )

0

( )

( )

( )

( )

0

0

0

i

0

1

2

+1

6.1 Trace semantics of AA's By an independence alphabet we mean any ordered pair (A
I ), where I  A2 n D (D was introduced in Section 2). Dene  as the least congruence in the (standard) string monoid (A

) such that (a
b) 2 I ) ab  ba, for all a
b 2 # i.e., w  w0, if there is a nite sequence of strings w1
: : :
wn such that w1 = w, wn = w0, and for each i < n, wi = uabv, wi+1 = ubav, for some (a
b) 2 I and u
v 2 A . Equivalence classes of  are called traces over (A
I ). The trace generated by a string w is denoted by w]. We use the following notation: A ] = fw] j w 2 A g. Concatenation of traces w]
v], denoted w]v], is dened as wv]. The successor relation ! in A] is dened as follows: w1] ! w2 ] i there is a 2 A such that w1]a] = w2]. De
nition 6.2 The structure CS = (Conf (A)
!) is a conguration structure of the automaton A, where
w] 2 Conf (A) i w is an execution sequence of A,
! is the trace successor relation in Conf (A). 12

Penczek and Ambroszkiewicz

The denition of the lpes and the lso-structure corresponding to A can be obtained from CS , as shown in section 2. When we represent congurations by traces, the same congurations can belong to dierent AA's. Therefore, we adopt the convention that MA (c) denotes the global state in automaton A corresponding to the conguration c. Moreover, by saying that c l c0 in A we mean that flA(c) = flA(c0 ), where
fgA : Conf (A) ! Glob  2A such that fgA(c) = (MA (c)
l(Max(c)),
flA : Conf (A) ! "Ni (Glob  2A) such that flA(c) = (fgA(c)
fgA(# (c))
: : :
fgA(#N (c))). =0 1

6.2 Gossip automaton Let A be an AA. For each i
j 2 N dene the functions: S a is dened as follows: latest (c) =
latesti!j : Conf (A) ! a2A f!g i! j (S
S 0) i (S
S 0 ) is the latest transition executed by agent j in #i c, i.e., if #j #i c =# e, then event e corresponds to the transition (S
S 0).
latesti : Conf (A) ! 2Proc is dened as follows: latesti (c) = K i #i #l (c) #i#k (c), for each l 2 N and k 2 K . Intuitively, latesti!j (c) gives the most recent transition in which agent j participated in the i-history of c, i.e., in #i c, whereas latesti (c) gives the set of agents, which have the most recent information about agent i. Theorem 6.3 ( 19]) There exists a deterministic asynchronous automaton, a called Gossip automaton, G = (fTi gi2Proc
f!g
T a2A 0
fTiF gi2Proc) such that:
TiF = Ti , for all i 2 Proc,
G accepts all the words of A ,
There are eectively computable functions: S a such that for each gossip : T1  : : :  TN  Proc  Proc ! a2Af!g c 2 A ] and every i
j 2 Proc, latesti!j (c) = gossip(t1
: : :
tN
i
j ), where MG (c) = (t1
: : :
tN ). gossip1 : T1  : : :  TN  Proc ! 2Proc such that for each c 2 A ] and every i 2 Proc, latesti (c) = gossip1(t1
: : :
tN
i), where MG (c) = (t1
: : :
t N ).

Each agent in the gossip automaton has 2O N 2logN local states. Moreover, the functions gossip and gossip1 can be computed in time, which is polynomial in the size of N . Consider the asynchronous automaton B, which is the product of automaton A and automaton G . We assume that all the local states of A are nal. This is also the case for G . Then, each state of the global state space of B is of the following form (l
: : :
lN
t
: : :
tN ), where li 2 Si and ti 2 Ti, for i 2 Proc. The transition relation )B is dened as follows: 13 (

1

)

1

Penczek and Ambroszkiewicz

(l1
: : :
lN
t1
: : :
atN ) )a B (l10
: : :
lN0
t01
: : :
t0N ) i (l1
: : :
lN ) )aA (l10
: : :
lN0 ) and (t1
: : :
tN ) )G (t01
: : :
t0N ). Notice that automaton B accepts exactly all the words accepted by A. Theorem 6.4 Let c
c0 2 Conf (A). If MB (c) = MB (c0), then c l c0 in A. Proof. Let MB (c) = MB (c0) = (l1
: : :
lN
t1
: : :
tn). Obviously, MA (c) = MA (c0) = (l1
: : :
lN ). Notice that i 2 agent(c) i i 2 agent(c0) i i 2 gossip1(t1
: : :
tN
j ) for each j 2 N . Therefore, a 2 Max(c) i a 2 Max(c0 ) a i gossip(t1
: : :
tN
i
i) 2! for i 2 agent(a) \ agent(c). MA (#i c) = MA (#i c0 ) = (s1
: : :
sN ) i gossip(t1
: : :
tN
i
j ) = (S
S 0), where S 0jj = sj for all j 2 Proc. Finally, a 2 Max(#i c) i a 2 Max(#i c0) i gossip(t1
: : :
tN
j
i) 2!a for some j 2 agent(c). 2 Therefore, model checking can be performed over the structure FM = (W
!
V ), where W =a f(MB (c)
i) j i 2 agent (c) for c-local, and i = , otherwiseg, (MB (c)
i) ! (MB (c0 )
j ) i MB (c) )a B MB (c0 ), and pi 2 V (MB (c)
i) i pi 2 V (MA(c)). 6.3 Model checking over FM Model checking is performed according to the following rules:
Formulas are assigned only to the states W 0  W corresponding to the local congurations, i.e., of the form (MB (c)
i), where i 6= . The other states are used only to compute the validity of formulas. Let c 2 Conf (B) and flB (c) = ((Mg
Ag )
(M1
A1)
: : :
(MN
AN )).
(MB (c)
i) j=   i there is a 2 A with i 2 agent(a) and (**) there is a nite path g0b0 g1b1 : : : bn1 gn in W such that g0 = (MB (c)
i), gn 2 W 0, and bn1 = a, i 62 agent(bj ) for j < n 1, and gn j= .
(MB (c)
i) j=   i (MB (c)
i) j= :  :.
(MB (c)
i) j= 2 i (MB (c)
i) j=  and (MB (c)
i) j= j , for each 0 < j  jW 0j,
(MB (c)
i) j= Kh  i (MB (c0 )
i) j=  for all i-local c0 2 Conf (B) such that if fgB (c0 ) = (Mg0
A0g ), then Mg ji = Mg0 ji and Ag = A0g .
(MB (c)
i) j= Ka  i (MB (c0 )
k) j=  for all k 2 N and k-local c0 2 Conf (B) with fgB (c0) = (Mk
Ak ). 6.4 Complexity of model checking The complexity of the model checking algorithm for formula ' over automaton O (N 3 logN ) A of N -agents is (j'j m) + m  jAj)  jGAj  2 , where jGAj is the size of the global state space of A and m is the number of the subformulas of ' of the form  . The complexity follows from the upper bound on the size of the gossip automaton, given in 19], and the complexity of checking the formulas of our language over the nite quotient structure. 14

Penczek and Ambroszkiewicz

7 Building e ciently a quotient structure

In this section we gice a method of generating a substructure (Wr
!r
Vr ) of (W
!
V ), containing the structure (W
!
V ), where W  W corresponds to the local congurations, ! =! \(W  W ), V = V jW , by applying partial order reduction methods 10,23,24]. Despite the formulas are not assigned to the equivalence classes of non-local congurations (called g-states), i.e., W nW , some of them need to be generated in order to establish whether two equivalence classes of local congurations (called l-states), i.e., W , are causally related. The idea of using partial order reductions relies on generating only these necessary g-states. For nding out whether w ! w for w
w 2 W , it is sucient to nd a sequence of g-states satisfying the condition (**) (Subsection 6.3). The new algorithm is the adaptation of the DFS-algorithm such that only a subset of transitions enabled at a current state is expanded. This subset (called ample-set) is computed statically at the current state. Let w = (g
i) be a current state, where g = M (c) and fl (c) = ((Mg
X )
(M1
A1)
: : :
(MN
AN )) with agent(X ) = J . A transition t is called J -transition, if agent(t) \ J 6= . Then, ample(w)  enabled(w) has to satisfy the following condition: t1 ( g
i ) ! t2 : : : t! tn n
1 C for all non-empty sequences (g
i) ! (gn 1
i n 1 ) ! 1 1 (gn
in) such that in 6=  and there is t 2 X with (ti
t) 62 D for 1  i < n, there is t 2 ample(g
i) s.t. ti = t for some i < n and (t
tj ) 62 D for all j < i. It follows from C that tn is an J -transition and all J -transitions t 2 enabled(w) are in ample(w). The condition C is slightly stronger than condition C1 used for LTL or CTL reduction methods 23]. Denote the structure generated by the modied DFS-algorithm by Fr = (Wr
!r
Vr ). In order to show the correctness of the partial order reduction method we need the following lemma, which is an adaptation of a similar lemma from 24] to our new framework. 0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

B

B



0

Lemma 7.1

0



0

w = (g
i) with g = M (c) and fl (c) = ((Mg
X )
(M1
A1 )
: : :
(MN
AN )). If (g
i) 2 Wr with t 2 X and tn
1 t1 t2 tn there is a sequence (g
i) ! (g1
i1 ) ! : : : ! (gn 1
in 1 ) ! (gn
tn ) in FM such that tn 6=  and (t
ti ) 62 D , for 1  i < n, then there is a sequence t0n
1 t0 t01 (g
i ) ! t0 (g
i) ! r 1 1 2 r : : : ! r (gn 1
in 1) !n r (gn
in) in Fr such that (gn
in) = (gn
in) and (t
ti ) 62 D, for 1  i < n. Let

B

B



0

0

0

0

0



0



0

0



0

Proof. By induction on jnj. Let agent(X ) = J .

Base case. jnj = 1. Since t1 is an J -transition, it follows from condition C that t1 2 ample(g
i). So, (g1
i1) 2 Wr and (g
i) !r (g1
t1). t1 Induction step. Assume that the lemma holds for all jnj  k. Let (g
i) ! t2 : : : t! k+1 (g1
i1) ! (gk+1
ik+1), ik+1 6=  and t 2 X with (t
ti ) 62 D, for 15

Penczek and Ambroszkiewicz

1  i < k + 1. Since tk+1 is an J -transition, it follows from condition C that there is t 2 ample(g
i) s.t. ti = t for some i  k and (t
tj ) 62 D 00 for all j < i. Let (g
i) !t r (g1
i1), for some (g1
i1), where g1 = M (c ) with fl (c ) = ((Mg
X1)
(M1
A1 )
: : :
(MN
AN )) From (t
t) 62 D and t 2 X , it t2 t1 ( g
i ) ! follows that t 2 X1 . Moreover, there is the sequence (g1
i1 ) ! 2 2 : : : (gi 1
ii 1) t!
1 (gi
ii) t!+1 (gi+1
ii+1 ) : : : t!+1 (gk+1
ik+1) of length k in FM t00 such that (t
tj ) 62 D, for 1  j < i and i < j < k + 1, where (gj
ij ) ! (gj+1
ij+1) for 0 < j < i 1. Thus, the lemma holds by the inductive assumption. 2 00

00

0

00

0

0

0

0

0

B

B

0

00

0

0

0

0

0

0

0

0

i

0



0

0

0

i

0

0

k



0

It is easy to see that checking that condition C holds for a set of transitions is as hard as checking reachability, hence as hard as the original model-checking algorithm itself (which is in NP-hard for some standard representations of the program). However, one can benet from substantial reduction even when using a pessimistic heuristic algorithm that in some cases considers a subset of transitions not to satisfy C when it actually does. We suggest the following heuristic method of computing ample(g
i) with agent(X ) = J . Dene ample(g
i) as the minimal set of transitions satisfying the following conditions: (i) For each J -transition t, if t 2 enabled(g
i), then t 2 ample(g
i), (ii) For each J -transition t = (s
s ) 62 enabled(g
i) s.t. (9i 2 J ) sji = gji, either there is a transition t 2 enabled(g
i) s.t. (t
t ) 2 D and t 2 ample(g
i), or ample(g
i) = enabled(g
i), (iii) For each transition t 2 ample(g
i), it holds that t 2 ample(g
i) for all enabled transitions t s.t. (t
t ) 2 D. Thus, if there is an J -transition t, which is not enabled at (g
i), but it may become enabled in the future of (g
i), and no transition from the processes to which t belongs is enabled now, then ample(g
i) = enabled(g
i). Lemma 7.2 Conditions 1
2, and 3 imply condition C. t1 (g
i ) ! t2 : : : ( g
i ) ! t Proof. Consider a non-empty sequence (g
i) ! 1 1 n 1 n 1 (gn
in) such that in 6=  and there is t 2 X with (ti
t) 62 D for 1  i < n. Assume that ample(g
i) 6= enabled(g
i). If n = 1, then t1 2 ample(g
i) (by cond. 1). Assume that n > 1 and let tn = (s
s ). Notice that tn is the rst transition in the sequence s.t. (tn
t) 2 D. Therefore, (9i 2 agent(t)  J ) sji = gji. If tn 62 enabled(g
i), then let t be a transition dependent on tn such that t 2 enabled(g
i) and t 2 ample(g
i) (by cond. 2). It is easy to notice that it is not possible that all ti with i < n are independent of t . Because then, t 2 enabled(gn 1
in 1 ), which implies that (t
tn) 2 D. Since agent(t ) = agent(tn), tn is independent of all ti with i < n, which contradicts with the 16 0

0

0

0

0

00

00

0

00

n





0

0

0

0

0

0

0





0

Penczek and Ambroszkiewicz

fact that tn1 2 Xi1, where gi1 = MB (c0) with flB (c0 ) = ((Mg
1
Xi1)
: : :) t and (gn1
in1) ! (gn
in). If tn 2 enabled(g
i), then tn 2 ample(g
i) (by cond. 1). By repeating the same argument as before, we show that there is i < n s.t. (ti
tn) 2 D. In this case let t0 = tn. Next, consider the smallest index i s.t. (t0
ti) 2 D. Since (t0
tj ) 62 D for all j < i, t0 2 enabled(gi1
ii1). Thus, (ti
tj ) 62 D for all j < i. This implies that ti 2 enabled(g
i) and ti 2 ample(g
i) (by cond. 3). Therefore, the condition C is satised. 2 i

n

8 Conclusions

In this paper we have interpreted temporal logic of causal knowledge over the local state occurrences of labelled prime event structures. Then, we have shown that automated verication of properties expressible in the logic is feasible due to restricting the nesting of knowledge operators, exploiting the notion of the gossip automaton and the method of partial order reductions. We have shown the upper bound of the model checking procedure for systems represented by deterministic asynchronous automata. Notice that it is not dicult to dene the equivalence relation on Conf , which would preserve the unrestricted language, i.e., supporting the nesting of knowledge operators. Unfortunately, the coarsest (to our knowledge) such an equivalence is of non-elementary complexity:
c 0 c0 i c l c0 ,
c n+1 c0 i c n c0 and #i c n #i c0 , for each 1  i  N . The equivalence k preserves the formulas, where the depth of nesting the knowledge operators is at most k. We are going to implement our model checking algorithm and perform several experiments with "real" multi-agent systems. Our further research is to investigate extensions of the logic in order to incorporate notions of desire and goal for specifying behaviours of rational BDI{agents 2]. References
1] S. Ambroszkiewicz, O. Matyja, and W. Penczek. Team Formation by Self-Interested Mobile Agents. In Proc. 4-th Australian DAI-Workshop, Brisbane, Australia, July 13, 1998. Published in Springer LNAI 1544, http://www.ipipan.waw.pl/mas/.
2] S. Ambroszkiewicz and W. Penczek. Modeling rational BDI{agents within the framework of asynchronous automata, ICS Report 822, May 1997, also appeared in the Proc. of CS&P'97.

17

Penczek and Ambroszkiewicz


3] S. Ambroszkiewicz and W. Penczek. Local Interactions, Communication, and Causal Knowledge in Games, in Proc. of Third Conference on Logic and the Foundations of Game and Decision Theory (LOFT3), Turyn, 1998.
4] R. Aumann. Agreeing to Disagree. Annals of Statistics, Vol 4, No. 6, pp. 12361239, 1976.
5] G. Boudol and I. Castellani, Permutations of transitions: an event structure semantics for CCS and SCCS, LNCS 354, pp. 411{427, 1989.
6] M. Benerecetti, F. Giunchiglia, L. Serani, Model checking multiagent systems, Proc. of ATAL'98, pp. 107{120, 1998.
7] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verication of nite state concurrent systems using temporal logic specications: A practical approach. ACM Transactions on Programming Languages and Systems, 8(2), pp. 244{263, 1986.
8] J. Esparza, S. Romer, and W. Vogler, An improvement of McMillan's unfolding algorithm", Proc. of TACAS'96, LNCS 1055, pp. 87{106, 1996.
9] R. Fagin, J.Y. Halpern, Y. Moses, M.Y. Vardi, "Knowledge-based programs", Distributed Computing 10, pp.199{225, 1997.
10] R. Gerth, R. Kuiper, D. Peled, and W. Penczek, A partial order approach to branching time logic model checking, Proc. of the Israeli Conference on Theoretical Computer Science, IEEE Computer Society Press, pp. 130{139, 1995.
11] R. Fagin, J.Y. Halpern, Y. Moses, and M.Y. Vardi. Reasoning about knowledge, MIT Press, 1995.
12] J. Halpern, and R. Fagin, Modelling knowledge and action in distributed systems, Distributed Computing, Vol. 3 (4), pp. 159{177, 1989.
13] J. Halpern, and Y. Moses, Knowledge and Common Knowledge in a Distributed Environment, JACM, Vol. 37 (3), pp. 549{587, 1990.
14] O. Lichtenstein, A. Pnueli, Checking that nite-state concurrent programs satisfy their linear specication. Proc. 11th ACM POPL, pp. 97{107, 1984.
15] K. Lodaya, R. Ramanujam, P.S. Thiagarajan, "Temporal logic for communicating sequential agents: I", Int. J. Found. Comp. Sci., vol. 3(2), pp. 117{159, 1992.
16] K. Lodaya, K. Parikh, R. Ramanujam, P.S. Thiagarajan, A logical study of distributed transition systems, Information and Computation, vol. 19, (1), pp. 91{118, 1995.
17] R.E. Ladner and J.H. Reif, The logic of distributed protocols, Proc. of TARK 1986, pp. 207-221, 1996.
18] A. Mazurkiewicz, Basic notions of trace theory, LNCS 354, pp. 285{363, 1988. 18

Penczek and Ambroszkiewicz


19] M. Mukund and M. Sohoni. Keeping track of the latest gossip: Bounded timestamps su ce, FST&TCS'93, LNCS 761, pp. 388-199, 1993.
20] M. Mukund and P.S. Thiagarajan. Linear time temporal logics over Mazurkiewicz traces, LNCS 1113, pp. 62{92, 1996.
21] M. Huhn, P. Niebert, and F. Wallner, "Verication based on local states", LNCS 1384, pp. 36{51, 1998.
22] M. Huhn, P. Niebert, and F. Wallner, "Model checking logics for communicating sequential agents", submitted for publication, 1999.
23] D. Peled, Partial order reductions: model-checking using representatives, Proc. of MFCS'96, LNCS 1113, pp. 93{112, 1996.
24] W. Penczek. Model checking for a Subclass of Event Structures, LNCS 1217, Proc. of TACAS'97, pp. 145{164, 1997.
25] W. Penczek. A temporal logic of casual knowledge, Proc. of WoLLic'98, pp. 178{187, 1998.
26] R. Ramanujam. Local knowledge assertions in a changing world. In Proc.

of the Sixth Conference TARK 1996, Theoretical Aspects of Rationality and Knowledge, Y. Shoham editor, pp. 1-14, Morgan-Kaufmann 1996.


27] A. S. Rao and M. P. George. Modelling rational agents within a BDI{ architecture. In R. Fikes and E. Sandewall, editors, Proc. of the 2rd

International Conference on Principles of Knowledge Representation and Reasoning (KR'91), pp. 473{484, 1991.


28] Winskel, G., An Introduction to Event Structures, LNCS 354, Springer - Verlag, pp. 364-397, 1989.
29] M. Wooldrige, The logical modelling of computational multi-agent systems, Ph. D. thesis, Umist, Manchester, UK, 1992.

19