In this section abstraction is applied to a very well known example in the temporal-epistemic logic literature: the bit transmission protocol [FHVM95]. The system is made of three agents: a sender, a receiver and an environment. The sender S tries to send some information to a receiver R via a lossy communication channel. To study the behaviour of the transmission protocol a domain with just two values {0, 1} is sufficient. If the protocol works correctly for a domain of just two bits then it would also work for any data domain.
The behaviour of this system for a general domain D works as follows. A sender S and a receiver R communicate via an unreliable channel that can lose the information at any moment while it travels. The goal of the protocol is to transmit a data value d ∈ D from the sender S to the receiver R in such a way that the sender S will know that the receiver R knows the value d. The protocol specifies that S sends the data value to R, and continues to send it until S receives an acknowledgement from R. For its part, once R receives the data value, R sends an acknowledgement of receipt to S, and re-sends it indefinitely. When |D| = 2, the transmission protocol is the bit transmission protocol.
The transmission protocol for a non-empty data domain D is defined as an interpreted system $I_D$ with two agents, the sender S and the receiver R. Let us assume the sender S observes his value and whether or not he has received an acknowledgement:
$$L_S = \bigcup_{d \in D} \{\, d,\ \langle d, ack \rangle \,\}$$
In local state $d$, the sender sees (has) his data value $d$, while in local state $\langle d, ack \rangle$, the sender sees (has) his value $d$ and the acknowledgement. The receiver, on the other hand, either sees nothing or sees the data value:
$$L_R = \{\lambda\} \cup D$$
In local state λ, the receiver has not yet seen any value, while in local state d ∈ D, the receiver sees the value d.
The sender can send his data value or do nothing ($\epsilon$):
while the receiver can send an acknowledgement of receipt or do nothing:
$$ACT_R = \{\, sendack\ d \mid d \in D \,\} \cup \{\epsilon\}$$
The protocol for the sender is to keep sending his data value until he receives an acknowledgement:
$$P_S(d) = \{send\ d\} \qquad P_S(\langle d, ack \rangle) = \{\epsilon\}$$
The receiver should do nothing until it receives a data value, and then keep sending an acknowledgement:
$$P_R(\lambda) = \{\epsilon\} \qquad P_R(d) = \{sendack\ d\}$$
The local evolution function $t_S$ for the sender contains the following transitions:
$$d \xrightarrow{\langle send\ d,\ \epsilon \rangle} d \quad (3.12)$$
$$d \xrightarrow{\langle send\ d,\ sendack\ d \rangle} d \quad (3.13)$$
$$d \xrightarrow{\langle send\ d,\ sendack\ d \rangle} \langle d, ack \rangle \quad (3.14)$$
$$\langle d, ack \rangle \xrightarrow{\langle \epsilon,\ sendack\ d \rangle} \langle d, ack \rangle \quad (3.15)$$
In (3.12), the joint action $\langle send\ d, \epsilon \rangle$ leaves the local state of S unchanged: since the receiver does nothing, the sender obtains no new information. In (3.13), the receiver sends an acknowledgement which is lost on the communication channel, so the local state of S is unchanged. In (3.14), on the other hand, the acknowledgement reaches the sender, and the local state is updated accordingly. In (3.15), the sender stays in the same local state once it has received the acknowledgement.
Analogously, the local evolution function $t_R$ for the receiver contains the following transitions:
$$\lambda \xrightarrow{\langle send\ d,\ \epsilon \rangle} \lambda \qquad \lambda \xrightarrow{\langle send\ d,\ \epsilon \rangle} d \qquad d \xrightarrow{\langle \pi,\ sendack\ d \rangle} d$$
for $\pi \in ACT_S$.
Initially, the sender sees its data value $d$ and the receiver sees nothing: $I_0 = \{\, \langle d, \lambda \rangle \mid d \in D \,\}$
Let the set A of propositions contain the proposition recack (“The sender has received an acknowledgement”) and the propositions val = d (“The value is d”), for all d ∈ D. The evaluation function is as expected:
$$V(\langle d, l \rangle) = \{val = d\}$$
$$V(\langle \langle d, ack \rangle, l \rangle) = \{val = d,\ recack\}$$
for $l \in L_R$. This completes the definition of the interpreted system $I_D$ for the transmission protocol.
One of the specifications often checked on the transmission protocol system is that whenever the sender S has received an acknowledgement, the sender S knows that the receiver R knows that the value is d. Formally, for all $d \in D$, $I_D$ satisfies:
$$AG\big((val = d \land recack) \to K_S K_R (val = d)\big) \quad (3.16)$$
By applying Preservation Theorem 3.2, it is possible to show that the specification (3.16) holds in $I_D$ for any chosen data domain D if the specification holds for the bit transmission protocol, i.e., if it holds for $D = \{0, 1\}$. The latter is, of course, feasible for a model checker to determine. Fix any $d_0 \in D$. The concrete system $I_D$ can be abstracted by identifying all data values $d$ that are distinct from $d_0$. Define an abstraction function $\rho : D \to \{d_0, \neg d_0\}$ by:
$$\rho(d_0) = d_0, \qquad \rho(d) = \neg d_0 \ \text{ if } d \neq d_0$$
Local states that coincide after applying $\rho$ to the data values inside them are identified:
$$d \equiv_S d' \Leftrightarrow \rho(d) = \rho(d') \qquad \langle d, ack \rangle \equiv_S \langle d', ack \rangle \Leftrightarrow \rho(d) = \rho(d')$$
$$d \equiv_R d' \Leftrightarrow \rho(d) = \rho(d')$$
Similarly, actions that coincide after renaming are collapsed together:
$$send\ d \equiv_S send\ d' \Leftrightarrow \rho(d) = \rho(d') \qquad sendack\ d \equiv_R sendack\ d' \Leftrightarrow \rho(d) = \rho(d')$$
Now, let $I'$ be the quotient of $I_D$ with respect to the equivalences $\equiv_S$ and $\equiv_R$.
The abstract system $I'$ is just the bit transmission protocol system $I_{\{d_0, \neg d_0\}}$, except that $A'$ contains only the abstract propositions $recack$ and $val = d_0$.
If we check system $I_{\{d_0, \neg d_0\}}$ against formula (3.16) we find the formula to be satisfied. Therefore, it is possible to infer that the specification (3.16) holds for the concrete system $I_D$ as well. Since the abstract system $I'$ is just $I_{\{0,1\}}$, by assumption $I'$ satisfies:
$$AG\big((val = d_0 \land recack) \to K_S K_R (val = d_0)\big) \quad (3.17)$$
By Preservation Theorem 3.2, it follows that formula (3.17) is satisfied by the concrete system $I_D$. Since $d_0$ was chosen arbitrarily from $D$, it is possible to conclude that the general formula (3.16) holds for all $d \in D$.
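The following is an added example, not part of the thesis or of MCMAS: it builds the interpreted system $I_D$ defined above as an explicit reachable-state graph, evaluates $K_S$ and $K_R$ as equality of local states, checks (3.16) directly, and then forms the images of the reachable states under $\rho$ to check the same formula on the abstract system. Sender local states are encoded as `("d", d)` and `("ack", d)`, the receiver's $\lambda$ as `None`, and $\neg d_0$ as the tuple `("not", d0)`; these encodings are the example's own choice.

```python
from collections import deque

def successors(s):
    """Joint successors of global state s = (l_S, l_R) under P_S, P_R and the
    local evolutions t_S (3.12)-(3.15) and t_R. The lossy channel is the only
    source of nondeterminism: each message is either delivered or lost."""
    ls, lr = s
    kind, d = ls
    if kind == "d" and lr is None:      # <send d, eps>: value delivered or lost
        return {(ls, None), (ls, d)}
    if kind == "d":                     # <send d, sendack d>: ack lost (3.13) or received (3.14)
        return {(ls, lr), (("ack", d), lr)}
    return {(ls, lr)}                   # <eps, sendack d>: both agents stay put (3.15)

def reachable(D):
    """Reachable global states of I_D from I_0 = {<d, lambda> | d in D}."""
    init = {(("d", d), None) for d in D}
    seen, queue = set(init), deque(init)
    while queue:
        for t in successors(queue.popleft()):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen

def val(s):     return s[0][1]            # proposition val = d
def recack(s):  return s[0][0] == "ack"   # proposition recack

def knows_S(states, s, phi):   # K_S phi: phi holds in every reachable state S cannot distinguish from s
    return all(phi(t) for t in states if t[0] == s[0])

def knows_R(states, s, phi):   # K_R phi: the same, with the receiver's local state
    return all(phi(t) for t in states if t[1] == s[1])

def holds_3_16(states, d):
    """AG((val = d and recack) -> K_S K_R (val = d)) over the reachable states."""
    return all(knows_S(states, s, lambda t: knows_R(states, t, lambda u: val(u) == d))
               for s in states if val(s) == d and recack(s))

def quotient(states, d0):
    """Images of the reachable states under rho: every value other than d0
    collapses to the single symbol ("not", d0), which is exactly what the
    relations ==_S and ==_R identify; only val = d0 and recack stay observable."""
    rho = lambda d: d0 if d == d0 else ("not", d0)
    return {((ls[0], rho(ls[1])), None if lr is None else rho(lr)) for ls, lr in states}
```

Dropping the `recack` premise makes the formula fail in the initial states, since the receiver's $\lambda$ state is shared by every value in $D$.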
The transmission protocol (together with its several variations) is a well-known example employed in the literature to illustrate abstraction for reactive systems. Usually, formulas checked on the transmission protocol describe only control flow. Therefore, those specifications permit us to abstract away all data values. Formula (3.16) instead is related to the knowledge of specific data, and so does not permit us to abstract away all data values. For a surjection that collapses all the data values (i.e. $\rho : D \to \{0\}$), it is not possible to apply Theorem 3.2 to formula (3.16), since the set of abstract atomic propositions $A'$ in the abstract system would contain only the proposition $recack$ according to Definition 3.1 of $A'$.
In this chapter we developed the theoretical basis for the abstraction techniques that will be presented in the next chapters. These contributions, regarding the construction of quotient interpreted systems, do not specify how the partition of the state space itself is constructed. Hence, in this thesis we identify two ways to partition the state space of interpreted systems. The first concerns the partitioning of the domains of variables. This technique is called data-abstraction and will be presented in the next chapter. The second concerns the partitioning of the set of variables for each agent in the interpreted system under investigation. This technique is called variable-abstraction.
Both techniques rely on the results presented in this chapter that extend those results presented by Clarke in [CGL94, CGJ+00, CGJ+03].
Chapter 4
Automatic data-abstraction for MAS
4.1 Model checking in temporal epistemic logics: a general overview
While a number of abstraction-based techniques have been put forward for plain temporal logic, e.g., [HSGS07, Cha05, CGJ+03, Wan04, CGL94], little attention has gone so far toward developing efficient state-reduction methodologies preserving the validity of temporal-epistemic specifications. Crucially, there is no automatic implementation enabling the user to perform automatic abstraction directly on the program. In this chapter a data-abstraction technique is presented in order to fill this gap. The technique makes use of ISPL, the input language of MCMAS, to describe interpreted systems. Data-abstraction notions are defined on the interpreted systems semantics, and automatic reduction is performed directly on ISPL programs. The technique is applied to two scenarios inspired by popular examples in the MAS literature: a card game [CDLR09] and the transmission problem [FHVM95], both introduced in the previous chapter. Both scenarios considered have over $10^{10}$ reachable states, so they are too large to be checked by MCMAS directly, but they can be verified effectively by model checking the reduced program. The examples describe reactive systems. Experimental results for those systems are reported in two tables. Both tables show considerable reductions in verification time and memory used.