
There are a number of prospects related to extending the specification language of assumptions to allow for the specification of a richer set of properties. We highlight three possibilities below.

7.2.4.1 “Reactive” Properties

Currently, assumptions are specified as purely “inward-looking” specifications against the observable actions of the component they are specified over. For example, the property

$\mathit{Ass}_i = G\,(\mathit{Act}_x \rightarrow X\,\mathit{Act}_y)$

expresses that whenever $A_i$ does $\mathit{Act}_x$, at the next step it should do $\mathit{Act}_y$.

However, it would be of benefit to specify how the environment of a component reacts to the agent under test. For example an assumption such as

$\mathit{Ass}_E = G\,(\mathit{Agent}_n\ \mathit{act}_m \rightarrow X\,\mathit{Environment}\ \mathit{act}_x)$

would specify that when agent $n$ does $\mathit{act}_m$, at the next step, the environment should do $\mathit{act}_x$. This would be a suitable assumption for agent $n$ as it is a stronger specification on how the environment interacts with it.

While this has not been investigated in the context of this thesis, the general framework for property closure environments and property observer agents would still apply to this class of specifications. For the property observer $O_\phi$, it would be necessary to perform the check $[\mathit{true}]\ A_e\ [\phi]$ against a universal agent for $A_i$, such that $O_\phi$ can observe both what $A_e$ and $A_i$ do. For the guarantee check, $P_{i,\phi}$ would also have to observe the actions that $i$ does while transitioning as $A_e$.

Such an extension could be simply implemented as part of dra2ispl; however, similar to Section 7.2.1.1, care will have to be taken in handling the single action condition, as $A_i$ and $A_e$ are composed synchronously and therefore two actions can


7.2.4.2 Fluent Properties

Another candidate would be in extending assumptions to also include fluent propositions that are enabled by actions. Fluent propositions are atomic propositions that are enabled, and subsequently disabled, when certain actions are performed. The idea of fluents enabled by actions in (a variant of) A-LTL has previously been addressed in [Giannakopoulou and Magee, 2003].

For example, we might wish to express

$G\,(\mathit{Environment}\ \mathit{act}_y \rightarrow X\,((\mathit{prop}\ U\ \mathit{Environment}\ \mathit{act}_z) \lor G\,(\mathit{prop} \land \lnot \mathit{Environment}\ \mathit{act}_z)))$

which states that when the environment performs the action $\mathit{act}_y$ then from the next state, either the proposition $\mathit{prop}$ holds until the environment performs the action $\mathit{act}_z$, or the environment never performs $\mathit{act}_z$ and therefore $\mathit{prop}$ never ceases to hold. In the framework of [Giannakopoulou and Magee, 2003], the proposition $\mathit{prop}$ would not be embedded in the assumption itself, but would be an ancillary proposition enabled by $\mathit{act}_y$ and disabled by $\mathit{act}_z$.
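The following added example (not code from the thesis or from dra2ispl) shows why treating `prop` as a fluent differs from embedding it as a free proposition: when `prop` is derived from `act_y`/`act_z`, the property above holds on every trace, while an independently labelled `prop` can violate it. The lasso trace representation, the helper names `fluent_lasso` and `holds`, the convention that the fluent starts false and is updated by the action at the same position, and the sample traces are all assumptions made for illustration.

```python
# Added example (not from the thesis): fluent semantics on lasso-shaped traces.
# Assumed convention: the fluent starts false and is updated by the action
# occurring at the same position.

def fluent_lasso(prefix, loop, on, off):
    """Label the infinite trace prefix.loop^omega with the fluent's value.

    The (non-empty) loop is unrolled once so that the value at the loop-back
    point is stable. Returns (actions, values, loop_start)."""
    actions = list(prefix) + list(loop) + list(loop)
    values, state = [], False
    for a in actions:
        if a == on:
            state = True
        elif a == off:
            state = False
        values.append(state)
    return actions, values, len(prefix) + len(loop)

def holds(actions, prop, loop_start, on, off):
    """Check G(on -> X((prop U off) or G(prop and not off))) on a lasso."""
    n = len(actions)

    def succ(k):
        return k + 1 if k + 1 < n else loop_start

    def weak_until(k):
        for _ in range(n):  # n steps visit every position reachable from k
            if actions[k] == off:
                return True
            if not prop[k]:
                return False
            k = succ(k)
        return True  # prop forever and off never: the G disjunct

    return all(weak_until(succ(i)) for i in range(n) if actions[i] == on)

# Constructed sample traces.
acts, vals, start = fluent_lasso(["act_y", "b", "act_z"], ["act_y", "act_z"],
                                 "act_y", "act_z")
FLUENT_OK = holds(acts, vals, start, "act_y", "act_z")
# A free labelling of prop (not tied to the actions) can violate the property.
FREE_OK = holds(["act_y", "b", "act_z"], [True, False, False], 2,
                "act_y", "act_z")
```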

The use of these propositions would then support checking properties outside of the “introspective” class. In such a setting, the fluents defined over the environment could be used to encapsulate a local variable of the environment. As shown previously, for local propositions, $p_i \leftrightarrow K_i\,p_i$; therefore, such propositions can be used to encapsulate that the environment holds certain knowledge about its own state. As such, it could further be verified that the agent under test knows that the other agent possesses this knowledge after the fluent-enabling action has been performed.

For example, if we have the assumption $G\,F\,\mathit{prop}_e$, then it would be possible to verify (as an extremely simple illustration):

$[G\,F\,\mathit{prop}_e]\ A_i\ \langle AF\,K_i\,\mathit{prop}_e \rangle$

That is, if it can be assumed that the environment will eventually always assert $\mathit{prop}_e$, then it should be possible to demonstrate using assumption-based model checking that the agent $i$ will eventually know this proposition.

Under a less extreme example, it would be possible to formulate an assumption as follows (based on the alternating bit transmission problem from [Lomuscio and Sergot, 2004]):

$[G\,(\mathit{send\_even} \rightarrow G\,\mathit{even})]\ A_i\ \langle AG\,(\mathit{seen\_even} \rightarrow (K_i\,\mathit{even} \land K_i K_e\,\mathit{even})) \rangle$

The above asserts the following: if it can be assumed that when the environment performs the action send_even then it holds forever that the proposition even holds, we can then prove that once the agent has observed the action send_even, the agent both knows even and also knows that the environment knows even. The latter follows trivially as shown in Chapter 5, where an agent always knows a local proposition defined over its own local states (i.e., for $p_i \in AP_i$, $g \models p_i$ iff $g \models K_i\,p_i$).

7.2.4.3 Assumptions Over Observable Variables

ISPL supports the concepts of Obsvars and Lobsvars. These are variables that are declared as part of the environment, but where each agent has visibility of them (“globally observable” to all agents, or “locally observable” to only one agent, respectively). When verifying epistemic properties, the interpretation of the knowledge modality has to be suitably extended to include the observation of these variables when calculating epistemic indistinguishability.

One such use of these declaration blocks is to support a variant of “shared variable” concurrency, similar to nusmv. That is, rather than support communication via the observation of observable actions, the environment can communicate with a given agent by manipulating variables occurring in that agent’s Obsvars/Lobsvars declaration.

As such, it would be of interest to extend the modular approach presented to work on these shared variables, either exclusively over shared variables or a mixed presentation for both actions and state assignments. This would be in a similar vein to [Nam et al., 2008] where they investigate learning-based assume-guarantee in the context of shared variable concurrency in nusmv.

Furthermore, this would nicely dovetail with fluent-based properties, as these could be specified in a “state-event” logic [Chaki et al., 2005], where assumptions would contain propositions both over actions and (locally) observable variables.