
6.2 An Epistemic Tree Automata Verifier

We have implemented the automata-theoretic approach presented in Chapter 4 in C++ as a new explicit-state model checker called etav (Epistemic Tree Automata Verifier). Currently, etav only supports models specified directly as Kripke structures, with all relations explicitly constructed, i.e., the full state space has to be enumerated prior to verification. An open-source, GNU GPL-licensed release of etav is available [Jones, 2011].

In the following, we use X↓n to represent the n-th element of the tuple X. Additionally, we use ⊤ and ⊥ to represent the evaluation of a node in an AND/OR graph to either true or false respectively [Kupferman et al., 2000]. We use ℘(A) to represent the power-set of A.

6.2.1.1 Approach

The approach taken by etav is to perform a depth-first construction of the product automaton A_{P,ψ} for the interpreted system P and the CTLK formula ψ, built as an AND/OR graph, interleaved with checking the non-emptiness of the tree. If it can be decided that the tree is accepting (or rejecting) without constructing the full product automaton, etav returns this result early and saves unnecessary computation.

The crux of etav's construction of the product automaton relies upon the following structures:

• visited : Formula × World → Bool
• eval : Formula × World → {⊤, ⊥}
• path : (Formula × World)+
• tf : Formula → (Formula)+ × Node_Type × ({d} ∪ {current state}), where d ∈ (℘(A) \ ∅) ∪ {t}

For clarity, we write tf(ϕ)↓1 : (Formula)+ for the subformulae of ϕ; tf(ϕ)↓2 : Node_Type for the node type (to be discussed); and tf(ϕ)↓3 : {d} ∪ {current state} for the “direction” (e.g., either an epistemic direction or a temporal one).

The visited data structure.

The data structure visited, implemented using std::multiset [Plauger et al., 2000], holds the set of nodes of A_{P,ψ} visited on the current path. If a newly constructed node in the product automaton is already in visited, then a cycle has been detected. Once a path in the tree reaches a node that evaluates to either ⊥ or ⊤, or completes a cycle, that node is removed from visited and added to eval along with the calculated valuation (i.e., ⊤ or ⊥).

The eval data structure.

In a similar way, eval, implemented with std::map [Plauger et al., 2000], records the evaluation of previously seen nodes. This saves re-evaluating a formula at a given world, or searching for a cycle when one has already been detected. If a node has been previously explored, it will have a definitive value; etav can simply reuse that value from eval.

The path data structure.

The list path records all of the nodes on a path of the tree in the order that they appear. The acceptance of an infinite path-suffix depends upon the non-emptiness of the intersection between the states occurring in the path-suffix and the acceptance condition. The path-suffix can be created by iterating backwards along path until the cycle is found.

The tf data structure.

Finally, tf holds the encoding of the transition function δ. Taking inspiration from [Qian and Nymeyer, 2006], we use a simplified transition relation in which rules are labelled with ∧, ∨, ⊤ or ⊥, representing a node-type in the product AND/OR graph.

For a given formula ϕ in CTLK, tf(ϕ) returns a tuple containing three elements:

1. A selection of subformulae: tf(ϕ)↓1

2. The type of node in the AND/OR graph: tf(ϕ)↓2

3. Where to evaluate all of the subformulae: tf(ϕ)↓3, which is an agent index (e.g., i in the case of K_i), a temporal index t for AX/EX, or the marker for evaluation at the current state

To support multiple directions, i.e., a direction in Γ ⊆ A or t (used when constructing the transition function for either an epistemic formula or a temporal formula), tf either returns a member of ℘(A) \ ∅ (the set of all non-empty groups), t, or the current-state marker. We use the first to locate (possibly many) R_i (e.g., when translating a group formula) and the second to locate R_t. The final entry is used to represent evaluation at the current state (e.g., in the case of atomic propositions, disjunction or conjunction).

The rules for constructing tf are shown in Table 6.1. We note that propositions (and their negations) are a special case; the node in the AND/OR graph only evaluates to, e.g., ⊤ for the formula p iff the current state in the run is labelled with p (similarly, ⊥ for p if the state is not labelled with p).

Table 6.1. The rules for constructing the data structure tf for a formula ψ.

ψ                     tf(ψ)↓1                 tf(ψ)↓2          tf(ψ)↓3
p                     –                       ⊤ iff p ∈ σ      –
p                     –                       ⊥ iff p ∉ σ      –
¬p                    –                       ⊤ iff p ∉ σ      –
¬p                    –                       ⊥ iff p ∈ σ      –
ϕ1 ∧ ϕ2               {ϕ1, ϕ2}                ∧                current state
ϕ1 ∨ ϕ2               {ϕ1, ϕ2}                ∨                current state
AXϕ                   {ϕ}                     ∧                t
EXϕ                   {ϕ}                     ∨                t
A[ϕ1 U ϕ2]            {ϕ2, ϕ1 ∧ AXψ}          ∨                current state
E[ϕ1 U ϕ2]            {ϕ2, ϕ1 ∧ EXψ}          ∨                current state
dual of A[ϕ1 U ϕ2]    {ϕ2, ϕ1 ∨ AXψ}          ∧                current state
dual of E[ϕ1 U ϕ2]    {ϕ2, ϕ1 ∨ EXψ}          ∧                current state
K_i ϕ                 {ϕ}                     ∧                i
dual of K_i ϕ         {ϕ}                     ∨                i
E_Γ ϕ                 {ϕ}                     ∧                Γ
dual of E_Γ ϕ         {ϕ}                     ∨                Γ
C_Γ ϕ                 {ϕ ∧ C_Γ ϕ}             ∧                Γ
dual of C_Γ ϕ         {ϕ ∨ (dual of C_Γ ϕ)}   ∨                Γ

Construction of the product automaton.

When tf(ϕ)↓3 ∈ (℘(A) \ ∅) ∪ {t} (i.e., it is not evaluation at the current state), we have |tf(ϕ)↓1| = 1, otherwise |tf(ϕ)↓1| = 2 (as is the case for non-temporal-epistemic

EX or an epistemic modality; all of these are unary operators and therefore only have a single subformula. Only an evaluation at the current state has two operands (e.g., in the case of ∧ or ∨).

If the number of successors in R_i or R_t for a given world is greater than two, the successors are iterated over and the AND/OR node is constructed in the intuitive manner (i.e., a disjunction or conjunction, depending on the node type, is constructed as a tree over all successors). For example, if φ is the dual of E[ϕ U ψ], then tf(φ) returns the tuple ⟨(ψ, ϕ ∨ EXφ), ∧, current state⟩. This means that the current state must satisfy the conjunction of ψ and ϕ ∨ EXφ. It follows that tf(K_i ϕ)↓3 = i, tf(C_Γ ϕ)↓3 = Γ (Γ ⊆ A) and tf(AXϕ)↓3 = t (cf. Table 6.1). When φ is an atomic proposition, we have tf(φ)↓2 ∈ {⊤, ⊥}.

The depth-first construction is called recursively for all elements in tf(ϕ)↓1 until tf(ϕ′)↓2 ∈ {⊤, ⊥}, for ϕ′ ∈ cl(ϕ). This result is then stored in eval and is also used to label the current node in the AND/OR graph of the product automaton. Eventually, the procedure returns with the root of the AND/OR graph labelled with ⊤ or ⊥.
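As an added illustration, not etav's code, the following C++ sketch runs the construction just described over a constructed three-world, one-agent model: nodes are (formula, world) pairs, eval stores definitive valuations, visited holds the current path, ∧/∨ nodes stop at the first deciding child, and a cycle back into the path rejects for E[ϕ1 U ϕ2] and accepts for AG. The operator set, the Model/F/Checker names and the `low` bookkeeping (which keeps values that depend on a still-open cycle out of eval) are assumptions of this example.

```cpp
#include <climits>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>
// Constructed Kripke structure (not from the thesis): Rt[w] = temporal successors of w,
// Ri[i][w] = worlds agent i cannot tell from w, sigma[w] = atoms labelling w.
struct Model { std::vector<std::vector<int>> Rt; std::vector<std::vector<std::vector<int>>> Ri;
               std::vector<std::set<std::string>> sigma; };
// Formula node: 'p' atom, '&', '|', 'K' = K_i, 'U' = E[sub0 U sub1] (least fixpoint), 'G' = AG sub0 (greatest).
struct F { char op; std::string atom; int agent; std::vector<const F*> sub; };
struct Checker {
    const Model& m;
    std::map<std::pair<const F*, int>, bool> eval;    // definitive values (the thesis's eval)
    std::map<std::pair<const F*, int>, int> visited;  // nodes on the current path -> depth (visited/path)
    int depth, low;                                   // low: shallowest open ancestor a cycle reached
    explicit Checker(const Model& mm) : m(mm), depth(0), low(INT_MAX) {}
    bool check(const F* f, int w) {
        auto key = std::make_pair(f, w);
        auto e = eval.find(key); if (e != eval.end()) return e->second;   // decided before: reuse
        auto v = visited.find(key);                       // cycle on this path: E[a U b] rejects, AG accepts
        if (v != visited.end()) { if (v->second < low) low = v->second; return f->op != 'U'; }
        visited[key] = depth++;
        int outer = low; low = INT_MAX;
        bool r = false, isAnd = (f->op == 'G');
        switch (f->op) {
        case 'p': r = m.sigma[w].count(f->atom) > 0; break;
        case '&': r = check(f->sub[0], w) && check(f->sub[1], w); break;  // a ⊥ child skips its sibling
        case '|': r = check(f->sub[0], w) || check(f->sub[1], w); break;  // a ⊤ child skips its sibling
        case 'K': r = true;                                                // direction i: all of Ri[i][w]
            for (int u : m.Ri[f->agent][w]) if (!check(f->sub[0], u)) { r = false; break; } break;
        default:                                                           // direction t: unfold over Rt[w]
            if (f->op == 'U' && check(f->sub[1], w)) { r = true; break; }  // E[a U b]: b holds now
            if (!check(f->sub[0], w)) break;                               // a must hold now (U and G)
            r = isAnd; for (int u : m.Rt[w]) if (check(f, u) != isAnd) { r = !isAnd; break; }
        }
        visited.erase(key); --depth;
        if (low >= depth) { eval[key] = r; low = INT_MAX; }  // no open ancestor involved: definitive
        if (outer < low) low = outer;                        // else the value stays tentative, unstored
        return r;
    }
};
// Worlds 0 -> {1,2}, 1 -> {0}, 2 -> {2}; a everywhere, b only at 2; agent 0 confuses 0 and 1.
std::vector<bool> demo() {
    Model m{{{1, 2}, {0}, {2}}, {{{0, 1}, {0, 1}, {2}}}, {{"a"}, {"a"}, {"a", "b"}}};
    F a{'p', "a", 0, {}}, b{'p', "b", 0, {}}, c{'p', "c", 0, {}}, aUb{'U', "", 0, {&a, &b}};
    F aUc{'U', "", 0, {&a, &c}}, AGa{'G', "", 0, {&a}}, Kb{'K', "", 0, {&b}};
    Checker ch(m); return {ch.check(&aUb, 1), ch.check(&aUc, 1), ch.check(&AGa, 0), ch.check(&Kb, 2), ch.check(&Kb, 0)};
}
```

E[a U b] holds at world 1 because the path 1 → 0 → 2 reaches b even though 1 → 0 → 1 closes a rejecting cycle, while E[a U c] fails at 1 since every path cycles without c; K_0 b fails at 0 because agent 0 cannot rule out world 1.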

6.2.1.2 Efficiency

etav builds the product automaton in such a way that it only constructs the parts of the product automaton that are required for deciding the satisfiability of the formula. The eval structure is used to remove the possibility of over computation. By storing the acceptance or rejection of a node in eval, etav attempts to save memory by avoiding constructing another part of the product automaton for which it has already calculated the subtree.

As another step, etav will only generate a sibling for a node if the current node is not sufficient to decide the acceptance of the path. For example, if one child of an ∧-node evaluates to ⊥, then etav does not check the acceptance of the other child.

A third optimisation step implemented in etav consists of constructing the transition rule for a formula only when it is required, i.e., the transition function tf is not fully instantiated prior to starting the construction of the product automaton. This, in conjunction with the fact that etav only constructs world-formula pairs in the product graph when reached, leads to an “on-the-fly” construction of both A_{D,ψ} (the WEAA for the formula) and A_{P,ψ} (the WEAA for the product automaton).

Despite this, the technique cannot be regarded as truly “on-the-fly”, as the whole reachable state space for the model is known prior to verification. The indistinguishability relations used when evaluating an epistemic formula are expressed over the whole reachable state-space. Without having computed the state-space, it is therefore not possible to correctly calculate the satisfaction of a subformula at all indistinguishable states.