For assume-guarantee-based compositional model checking, we are interested in checking the satisfaction of an i-local ∀CTLK guarantee over an individual component, when A_i is constrained to the paths satisfying an A-LTL assumption. For an arbitrary i-local ∀CTLK formula ϕ and an arbitrary A-LTL formula ψ, we write:
A_i ⊨^ψ_CTLK ϕ
when the agent A_i satisfies the formula ϕ if restricted to paths in i that validate the A-LTL formula ψ.
Following from the previous section, we see that one approach to verifying the agent A_i against ϕ could be composing A_i with U_i and then performing model checking as normal (e.g., using the approach presented in Chapter 4). However, when it comes to checking the satisfaction of the i-local ∀CTLK guarantee, we wish to restrict the paths of A_i to those that satisfy the e-local A-LTL assumption ψ. Composing A_i with U_i without taking into consideration the language specified by ψ could cause significantly more false negatives than would occur if we had used ψ.
Given an assumption ψ, the assumption-valid paths are the paths that satisfy ψ. When performing model checking for ∀CTLK, quantification over paths takes place over the tree-unwinding of these assumption-valid paths.
It now remains to define a model checking procedure that eliminates paths in A_i that
5.3 Assumption-Based Model Checking 121
5.3.2.1 Model Checking Guarantees Against Assumptions
We begin by introducing the constructs required to verify a ∀CTLK guarantee against an A-LTL assumption. To support this, we introduce the notion of property agents and property closure environments. The latter are environments that can be instantiated from a given A-LTL formula, and can be used in the verification of these formulae.
Property agents.
Given the DRA A_ϕ for an e-local formula ϕ in A-LTL, the property agent for ϕ (denoted P_ϕ) is an agent that transitions as per the transition relation of the DRA A_ϕ, but has e's identifier (i.e., id(P_ϕ) ≡ id(A_e)), and its action set is the set of actions appearing in the closure of ϕ, plus the "null" action τ.
Observation 9. Observer interactions.
Unlike the property observer O_ϕ for ϕ, the property agent P_ϕ performs actions as e would and does not observe any other actions. That is, while int(O_ϕ) = {e}, int(P_ϕ) = ∅. Furthermore, despite differences in lang(A_e) and lang(P_ϕ), composing the agent A_i with either A_e or P_ϕ is undetectable to i.
Finally, it holds that:
lang(P_ϕ) = ({a_e ∈ Act_e | a_e ∈ cl(ϕ)} ∪ {τ})^ω
Property closure environments.
Given two agent programs A_i and A_e, such that int(i) = {e}, and the e-local A-LTL formula ϕ, we define the property closure environment P_{ϕ,i} for i and ϕ to be the extension of the property agent P_ϕ with the appropriate actions to be a valid closure environment for A_i.
We do not require the protocol of P_{ϕ,i} to enable any additional actions in the closure environment; it is simply a syntactic transform of Act_{ϕ,i} such that the composition A_i ∥ P_{ϕ,i} is well-defined (Definition 5.1).
As int(i) = {e}, it is sufficient to suitably extend the action set of P_{ϕ,i} for it to become a closure environment for A_i.
Observation 10. Property agents vs. tableaux.
Neither ϕ, P_ϕ nor P_{ϕ,i} are tableaux for ϕ. The reason for this is that the model checking procedure takes into consideration the Rabin condition for the DRA of ϕ. The agent P_ϕ is not capable of exhibiting only those behaviours that satisfy ϕ.
This is reflected by the fact that
(i.e., the language of P_{ϕ,i} is not L(ϕ)).
As we will see in the coming section, it is the act of performing model checking whilst taking the Rabin condition into consideration that ensures we only quantify over the behaviours of e consistent with ϕ.
5.3.2.2 Construction of P_{ϕ,i}
For an e-local A-LTL formula ϕ, we first construct the non-deterministic Büchi automaton B_ϕ = ⟨Act_e, S, S_0, δ, A⟩, such that L(B_ϕ) is the set of paths that satisfy ϕ. As ϕ is e-local, the actions in cl(ϕ) are a subset of Act_e.
We determinise the NBA B_ϕ into the DRA A_ϕ by applying the subset construction and using Safra trees [Safra, 1988; Roggenbach, 2002]. As only one action from Act_e can be performed per transition, the alphabet of A_ϕ can be defined over {a_e ∈ Act_e | a_e ∈ cl(ϕ)} ∪ {τ} rather than 2^{Act_e}, where τ is used to represent an action occurring that is not specified in cl(ϕ). For an action a_e ∈ Act_e such that a_e ∉ cl(ϕ), A_ϕ can be stimulated to run over a_e by setting a_e to represent the negation of all the actions that are present in the formula.
Given the DRA A_ϕ = ⟨Q, Σ, δ, Q_0, Acc⟩ as above, we can construct the property closure environment agent P_{ϕ,i} = ⟨id, L_ϕ, l^0_ϕ, Act_ϕ, P_ϕ, E_ϕ, ∅, ∅⟩, where:
• id is the same as id(e)
• L_ϕ = Q_ϕ
• l^0_ϕ = Q^0_ϕ
• Act_ϕ = {a_e ∈ Act_e | ∃ e_i ∈ E_i, (e, a_e) ∈ e_i^2} ∪ {a_e ∈ Act_e | a_e ∈ cl(ϕ)} ∪ {τ}
• P_ϕ = {l_ϕ → a | l_ϕ ∈ L_ϕ, a ∈ Act_ϕ}
• E_ϕ = {(l_ϕ, (id, a_ϕ)) → l'_ϕ | l_ϕ, l'_ϕ ∈ L_ϕ, a_ϕ ∈ Act_ϕ, δ_ϕ(l_ϕ, a_ϕ) = l'_ϕ}
The construction of Actϕ is such that it contains:
• those actions occurring in ϕ:
{a_e ∈ Act_e | a_e ∈ cl(ϕ)}
• those actions occurring in i's evolution protocol for the agent e: {a_e ∈ Act_e | ∃ e_i ∈ E_i, (id(e), a_e) ∈ e_i^2}
• the additional action τ.
The determinisation of B_ϕ is key to the above construction. As the evolution function of each agent should be deterministic, we also require that the transition function of A_ϕ be deterministic, leading to a deterministic evolution function of P_{ϕ,i}.
Observation 11. Actions not in cl(ϕ).
We draw attention to the fact that it might seem strange that Act_ϕ contains more actions than appear in the closure of ϕ. Even if the protocol function enables these actions, and the property closure environment performs them, the agent will still act as per the DRA A_ϕ. As such, if taking any action outside of cl(ϕ) invalidates ϕ, then this will be reflected by P_{ϕ,i} entering an infinite path that would not be accepted by A_ϕ.
For example, for the formula ϕ = G a, taking any action that is not a would invalidate P_{ϕ,i} "acting like" ϕ. However, performing an action such as b would then place P_{ϕ,i} in a state that does not appear on any run accepted by A_ϕ.
Example 5.13. Property closure environment construction
We now revisit the DRA from Example 5.11 for the A-LTL formula ϕ = F G a, and show the construction of P_{ϕ,i}. While the property ϕ contains only the single proposition a, we assume that the agent i (which will be composed with P_{ϕ,i}) also contains the action b attributed to agent e in its evolution function.
Consequently, the consistent parts of P_{ϕ,i} are as follows:
• L_ϕ = {0, 1, 2}
• l^0_ϕ = 2
• Act_ϕ = {a, b, τ}
• P_ϕ = {(0, {a, τ}), (1, {a, τ}), (2, {a, τ})}
• E_ϕ = {(1, (id_i, a) → 0), (1, (id_i, b) → 2), ...}
The rest of E_ϕ would be defined to be consistent with Figure 5.8.
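To make the construction of Section 5.3.2.2 and the point of Observation 11 concrete, the following Python is an added example, not code from the thesis: it builds P_{ϕ,i} from a DRA whose alphabet is cl(ϕ) ∪ {τ}, driving the DRA with τ for any action of e outside cl(ϕ), and checks ultimately periodic paths of P_{ϕ,i} against the DRA's Rabin condition, so that a path taking b forever is rejected while one that eventually performs only a is accepted. The DRA for ϕ = F G a, the names DRA, build_pce, run and lasso_accepted, and the dictionary representation of P_{ϕ,i} are assumptions of this example; the DRA is not the one of Example 5.11 / Figure 5.8, and the protocol enables every action of Act_ϕ as in the general definition.

```python
TAU = "tau"  # the "null" action, standing for any action of e outside cl(phi)

class DRA:
    """Deterministic Rabin automaton over cl(phi) ∪ {tau}; delta is total."""
    def __init__(self, states, initial, delta, rabin_pairs):
        self.states, self.initial, self.delta = frozenset(states), initial, delta
        self.rabin_pairs = rabin_pairs  # [(E, F)]: E seen finitely, F infinitely often

def build_pce(dra, id_e, cl_phi, acts_of_e_in_evolution_of_i):
    """P_{phi,i} = <id, L, l0, Act, P, E> as constructed in Section 5.3.2.2."""
    act = frozenset(acts_of_e_in_evolution_of_i) | frozenset(cl_phi) | {TAU}
    # An action of e outside cl(phi) stimulates the DRA as tau (the negation
    # of every action in the formula), so delta needs only cl(phi) ∪ {tau}.
    step = lambda l, a: dra.delta[(l, a if a in cl_phi else TAU)]
    return {"id": id_e, "L": dra.states, "l0": dra.initial, "Act": act,
            "P": {l: set(act) for l in dra.states},                            # P_phi
            "E": {(l, (id_e, a)): step(l, a) for l in dra.states for a in act}}  # E_phi

def run(pce, start, actions):
    """Local states of P_{phi,i} visited from `start` along `actions` (`start` first)."""
    states = [start]
    for a in actions:
        states.append(pce["E"][(states[-1], (pce["id"], a))])
    return states

def lasso_accepted(pce, dra, prefix, cycle):
    """Rabin acceptance of the infinite path prefix . cycle^omega of P_{phi,i}."""
    l, seen = run(pce, pce["l0"], prefix)[-1], []
    # Unroll the cycle until its start state repeats (at most |L| times, the
    # evolution being deterministic); states visited from then on are the inf set.
    while l not in seen:
        seen.append(l)
        l = run(pce, l, cycle)[-1]
    inf = set()
    for _ in range(len(seen) - seen.index(l)):
        visited = run(pce, l, cycle)
        inf |= set(visited)
        l = visited[-1]
    return any(not (inf & E) and bool(inf & F) for E, F in dra.rabin_pairs)

# Constructed DRA for phi = F G a over {a, tau} (not the DRA of Figure 5.8):
# 2 is initial, 0 means "last action was a", 1 means "last action was not a".
# The single Rabin pair ({1}, {0}) accepts exactly the runs that eventually stay in 0.
DRA_FGA = DRA({0, 1, 2}, 2,
              {(2, "a"): 0, (2, TAU): 1, (0, "a"): 0, (0, TAU): 1, (1, "a"): 0, (1, TAU): 1},
              [({1}, {0})])
# As in Example 5.13, agent i's evolution function also attributes b to e.
PCE = build_pce(DRA_FGA, "e", {"a"}, {"b"})
```

`lasso_accepted(PCE, DRA_FGA, ["b"], ["a"])` is True (b once, then a forever satisfies F G a), while `lasso_accepted(PCE, DRA_FGA, [], ["a", "b"])` is False, the b transitions keeping the run in a state no accepting run of the DRA stays in.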