Towards Model Checking Interpreted Systems

F. Raimondi, A. Lomuscio

Department of Computer Science

King’s College

London WC2R 2LS, UK

{franco,alessio}@dcs.kcl.ac.uk

M.J. Sergot

Department of Computing

Imperial College

London SW7 2BZ, UK

mjs@doc.ic.ac.uk

ABSTRACT

We show how it is possible to pair the NuSMV model checker with Akka, a software platform used to check validity of propositional modal formulas, to verify static properties of multi-agent systems formalised on interpreted systems semantics.

Categories and Subject Descriptors

I.2.11 [Artificial Intelligence]: Distributed Artificial Intelligence - Multiagent systems

General Terms

Verification

Keywords

Model checking, Interpreted Systems, Epistemic Logic, Deontic Logic

1. INTRODUCTION

Though J. Halpern and M. Vardi suggested the use of model checking techniques in the verification of multi-agent systems in 1991 ([6]), it is only recently that results along these lines have been achieved ([2, 11, 12, 10, 7]). In this paper we try to bring together interpreted systems semantics [5] and model checking [4] on a concrete and well-defined scenario—a variant of the bit transmission problem. The way we tackle the problem is as follows:

1. We study our scenario formally using the formalism of deontic interpreted systems [9].

2. We code this representation in NuSMV and feed it to a NuSMV checker [3].

3. We use the NuSMV checker to produce the set of runs of the system, and deduce from there the set of reachable states of the system.

4. We feed these into the modal checker Akka [1].

5. We use the Akka front-end to check the epistemic properties of the scenario.

The scenario examined here was investigated (together with a more complex variation) in [8] without model checking techniques.

Due to space considerations we assume some familiarity with interpreted systems, model checking, and deontic interpreted systems [9].

The authors acknowledge support from EU project ALFEBIITE, IST-1999-20298 and from the Nuffield Foundation through grant NAL/00690/G.

Copyright is held by the author/owner.

AAMAS’03, July 14–18, 2003, Melbourne, Australia.

ACM 1-58113-683-8/03/0007.

2. THE BIT TRANSMISSION PROBLEM

The bit-transmission problem [5] involves two agents, a sender and a receiver, communicating over a faulty communication channel. The sender wants to communicate some information to the receiver. The channel may drop messages but will not change the value of a bit being sent. Communication is established when the receiver knows the value of the bit and the sender knows that the receiver knows. We represent this scenario in interpreted systems semantics.

For the sender, it is enough to consider four possible local states. They represent the value of the bit the sender is attempting to transmit, and whether or not the sender has received an acknowledgement from the receiver. Three possible local states are enough to capture the state of the receiver: the value of the received bit, and a state representing a circumstance under which no bit has been received yet. To model the environment we consider four local states, representing the possible combinations of messages that have been sent in the current round:

?

?

?????????????? ??????????

?

?????????

?

?

???????????????????????????????????????????????????

where ‘.’ represents configurations in which no message has been sent by the corresponding agent.

For every agent in the system, the set of actions is:

???

?

??????????????????????????????

?

?????????????

???

?

??????????????

Here, one of the symbols stands for no action (‘no-op’). The actions for the environment correspond to the actual delivery of messages between the sender and the receiver on the unreliable communication channel.

We can model the evolution of the system by means of a function defined in terms of the set of joint actions for the system and the set of global states. For the example under consideration the protocols can be defined as follows:

?

?

????????????????

?

???????????????

?

?

???????????

?

????????????

?

?

???????

?

?????

?

???? ????????

?

?

??

?

?????

?

???????????????

for all

?

?

??

?

?

Given the description above, we can implement the scenario in NuSMV by representing the local states as NuSMV variables and translating the protocol functions and system evolution function into the syntax of NuSMV.

We modified the NuSMV code to generate the reachable global states of the system, producing a Kripke model in the syntax of Akka [1]. Akka offers a Kripke model editor and supports model testing. We are now in a position to check any epistemic property of the system. To this end, consider the model obtained by following the process described above, on which an appropriate set of propositional variables is interpreted in a natural way [8]. The following propositions are easily translated into the syntax of Akka. As expected, the propositions can be tested to be valid on this model.

??

?

?? ???????

?

?

?

?????????

?

???????

?

??

?

?? ????????????????

?

?

?

???????

??

?

??????????

?

?

?

?

?????????

?

???????

?

2.1 Faulty Receiver

Suppose that the receiver may send acknowledgements even when it is not supposed to, i.e., when it has not yet received the value of the bit. For this version of the problem we introduce new local states for the receiver: one is the local state in which the receiver did not receive a bit but nevertheless sent an acknowledgement; the other two represent the case where the receiver has received the value of the bit and has sent an erroneous acknowledgement at some time in the past. All the local states of the sender and the environment are green. We thus have:

?

?

??

?

??

??

?

?????? ??????????????????

??

?

???

?

??

?

????

??

?

??

??

?

?

?

??

?

????????????????????????????????????????? ??????????

For the receiver, we define the local states as follows:

?

??

?

??????????

??

?

??????????????????????

??

?

??

??

?

??

??

?

?

Given that the two sets of local states for the sender and the environment have not changed, we can keep the functions for the sender and the environment as for the basic version. We need to extend the function for the receiver so that it is defined also on the red local states of the receiver.

?

??

?

?????

?

??????

?

??

?

?????

??

?

?????

?

?????

?

????????????

?

??

?

?????????

??

?

?????????

??

?

???????????

?

????????????

The NuSMV implementation of this version of the bit transmission problem is an extension of the code for the basic version. As in the previous case, NuSMV outputs the reachable global states, from which in turn we can create a model with epistemic relations for the two agents. Further, it is straightforward to classify the global states into red and green states for the receiver and so create a model on which the doubly relativised operator of [9] can be interpreted. It is possible to check that none of the epistemic formulas presented in the earlier section hold in this version. However, a particular form of knowledge still holds. If the sender makes the assumption of the receiver’s correct functioning behaviour, then, upon receipt of an acknowledgement, it makes sense for the sender to assume that the receiver does know the value of the bit; this is exactly what is captured by the doubly relativised operator. Indeed, using Akka we are able to check the validity of the following formulas in the model:

??

??

?

?????????

?

?

?

?

?

?

?

?????????

?

???????

?

??

??

?

?????????????????

?

?

?

?

?

?

???????

We refer to [8] for more details.
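The pipeline of Sections 1 and 2 (enumerate the reachable global states, relate states in which an agent has the same local state, test epistemic formulas) can be reproduced on a small scale; the following Python sketch is an added example, not the authors' NuSMV or Akka code. The state encoding, the fault flag and the two formulas checked (an acknowledged sender implies that the receiver knows the bit, and that the sender knows this) are assumptions drawn from the prose description of the protocol.

```python
from itertools import product

SENDER, RECEIVER = 0, 1  # positions of the agents' local states in a global state

def successors(g, faulty):
    """One round: agents follow their protocols; the channel may drop either message."""
    (bit, acked), (val, flag), _ = g
    send_bit = not acked  # the sender repeats the bit until it is acknowledged
    if val is not None:
        ack_options = [True]  # a receiver holding the bit acknowledges it
    else:
        ack_options = [False, True] if faulty else [False]  # faulty: may ack anyway
    for send_ack, deliver_bit, deliver_ack in product(ack_options, (False, True), (False, True)):
        new_val = bit if (send_bit and deliver_bit and val is None) else val
        new_flag = flag or (send_ack and val is None)  # acknowledged without having the bit
        new_acked = acked or (send_ack and deliver_ack)
        yield ((bit, new_acked), (new_val, new_flag), (send_bit, send_ack))

def reachable(faulty):
    """Explicit-state search for the reachable global states (the Kripke model's worlds)."""
    frontier = [((b, False), (None, False), (False, False)) for b in (0, 1)]
    seen = set(frontier)
    while frontier:
        for h in successors(frontier.pop(), faulty):
            if h not in seen:
                seen.add(h)
                frontier.append(h)
    return seen

def knows(agent, prop, g, states):
    """K_agent prop at g: prop holds in every world where agent has the same local state."""
    return all(prop(h) for h in states if h[agent] == g[agent])

def check(faulty):
    states = reachable(faulty)
    def r_knows_bit(g):  # K_R(bit=0) or K_R(bit=1)
        return any(knows(RECEIVER, lambda h, v=v: h[SENDER][0] == v, g, states) for v in (0, 1))
    acked = [g for g in states if g[SENDER][1]]
    return {
        "states": len(states),
        "ack -> K_R bit": all(r_knows_bit(g) for g in acked),
        "ack -> K_S K_R bit": all(knows(SENDER, r_knows_bit, g, states) for g in acked),
    }

if __name__ == "__main__":
    print("basic :", check(faulty=False))
    print("faulty:", check(faulty=True))
```

Both formulas hold on the basic model and both fail once the receiver may acknowledge without having the bit, which is the behaviour the faulty-receiver section describes.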

3. CONCLUSIONS

We see the contribution of this paper as being twofold. Firstly, we provide a simple methodology for checking static epistemic properties in interpreted systems. Secondly, we find the technical results on violations of the bit-transmission protocol interesting on their own merits.

Finally, we have tried to show that in some examples verifying static epistemic and deontic properties is sufficient to establish basic properties of the system. Still, we would like to extend the methodology to deal with the full dynamic case, i.e., to move to a system in which we can check temporal deontic and epistemic formulas.

4. ACKNOWLEDGEMENTS

The authors are grateful to Marco Pistore of the NuSMV development team for providing important directions for modifying the source code of NuSMV to deal with the collection of global states from the NuSMV software. We also thank Lex Hendriks for providing us with a new release of Akka.

5. REFERENCES

[1] Akka, A Workbench for Mathematical Logic. http://turing.wins.uva.nl/~lhendrik/.

[2] M. Benerecetti, F. Giunchiglia, and L. Serafini. Model checking multiagent systems. Journal of Logic and Computation, 8(3):401–423, June 1998.

[3] A. Cimatti, E. Clarke, F. Giunchiglia, and M. Roveri. NuSMV: A new symbolic model verifier. Lecture Notes in Computer Science, 1633, 1999.

[4] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press, Cambridge, Massachusetts, 1999.

[5] R. Fagin, J. Y. Halpern, Y. Moses, and M. Y. Vardi. Reasoning about Knowledge. MIT Press, Cambridge, 1995.

[6] J. Halpern and M. Y. Vardi. Model checking vs. theorem proving: A manifesto. In J. Allen, R. E. Fikes, and E. Sandewall, editors, Proceedings 2nd Int. Conf. on Principles of Knowledge Representation and Reasoning, KR’91, pages 325–334. Morgan Kaufmann Publishers, San Mateo, CA, 1991.

[7] A. Lomuscio and W. Penczek. Bounded model checking for interpreted systems. Technical report, Institute of Computer Science of the Polish Academy of Sciences, 2002.

[8] A. Lomuscio and M. Sergot. Violation, error recovery, and enforcement in the bit transmission problem. In Proceedings of DEON’02, London, May 2002. Elsevier. To appear in the Journal of Applied Logic.

[9] A. Lomuscio and M. Sergot. Deontic interpreted systems. Studia Logica, 75, 2003.

[10] R. van der Meyden and N. V. Shilov. Model checking knowledge and time in systems with perfect recall. FSTTCS: Foundations of Software Technology and Theoretical Computer Science, 19, 1999.

[11] R. van der Meyden and K. Su. Symbolic model checking the knowledge of the dining cryptographers. Submitted, 2002.

[12] M. Wooldridge, M. Fisher, M.-P. Huget, and S. Parsons. Model checking multi-agent systems with MABLE. In M. Gini, T. Ishida, C. Castelfranchi, and W. L. Johnson, editors, Proceedings of the First International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS’02), pages 952–959. ACM Press, July 2002.