We now discuss how we have implemented the checking of state-based, agent-local ∀CTLK guarantees against A-LTL assumptions.
The cases where we need to ensure we are checking a current path for validity against a given assumption are as follows:
• Formulae of the form AU or AU (potentially) admit infinite paths, so these are easy to check using the approach of the previous sections (i.e., using Algorithm 2).
• As per the semantics of |=CTLK ψ, formulae of the form p and ¬p need to be checked to ensure that the state where p or ¬p is evaluated has a valid extension before returning.
• Any subformula φ that is either a Ki formula or occurs as a subformula under the modality Ki needs to be checked to ensure that the state reached via the epistemic relation lies on an assumption-valid path.
While the formula Kiϕ does allow for an infinite branch in the product automaton (as the transition function for Ki in a WEAA/LEAA includes the formula itself), we note that these paths are not temporal (i.e., such a branch is a chain of states related by the indistinguishability relation for i). However, as Kiϕ will appear in the acceptance condition for the whole formula, we will never opt to reject an infinite branch of Ki. Therefore,
6.4 Extensions to MCMAS 159
false, this would mean that the current state is related to some other state that both falsifies ϕ and exists on some assumption-valid path).
We summarise the acceptance criteria from Algorithm 2 in Table 6.7. It is once again immediate that we only reject the product automaton if the path is rejecting against the guarantee but accepting against the assumption. A path that is rejecting against both is classed as invalid.
Table 6.7. Acceptance Criteria

                        Assumption Acceptance
Guarantee Acceptance    ACCEPT      REJECT
ACCEPT                  ACCEPT      ACCEPT
REJECT                  REJECT      INVALID
We now consider the formula AX φ at a state g, such that g does not have any assumption-valid successors. It is clear that as g has no assumption-valid successors, the state itself is invalid. However, any subformula of AX φ would have eventually been checked for assumption validity. Therefore, when using the three-valued semantics as presented in Section 6.4.3, the conjunction rules used to encode AX would have either returned invalid (if all successors are invalid) or true (if, e.g., φ, or one of its subformulae, was Kiψ and g was related to a state g′ that was accepting).
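The acceptance criteria of Table 6.7 and the three-valued handling of AX over successors, as an added Python example that is not part of the thesis or of agr-mcmas. The combination rule follows the table directly; the conjunction rule is my reading of the text above (invalid successors are ignored, a rejecting successor rejects, and the conjunction is invalid only when no successor is assumption-valid, including the no-successor case), not the exact rules of Section 6.4.3.

```python
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    INVALID = "invalid"


def combine(guarantee: Verdict, assumption: Verdict) -> Verdict:
    """Resolve a product-automaton branch per Table 6.7.

    Only a branch that is rejecting against the guarantee but accepting
    against the assumption is a genuine rejection; a branch rejected by
    both is INVALID (the assumption does not admit it, so it is no evidence).
    """
    if guarantee is Verdict.ACCEPT:
        return Verdict.ACCEPT
    if assumption is Verdict.ACCEPT:
        return Verdict.REJECT
    return Verdict.INVALID


def ax_conjunction(successor_verdicts) -> Verdict:
    """Three-valued conjunction for AX over the verdicts of the successors.

    Assumed reading of Section 6.4.3: invalid successors lie on no
    assumption-valid path and are ignored; any rejecting successor rejects;
    otherwise an accepting successor accepts; if every successor is invalid
    (or there are no successors at all) the result is INVALID.
    """
    verdicts = list(successor_verdicts)
    if any(v is Verdict.REJECT for v in verdicts):
        return Verdict.REJECT
    if any(v is Verdict.ACCEPT for v in verdicts):
        return Verdict.ACCEPT
    return Verdict.INVALID


if __name__ == "__main__":
    # Constructed branch verdicts for a state whose successors are all invalid
    print(ax_conjunction([Verdict.INVALID, Verdict.INVALID]).value)   # invalid
    print(combine(Verdict.REJECT, Verdict.REJECT).value)               # invalid
    print(combine(Verdict.REJECT, Verdict.ACCEPT).value)               # reject
```

The ordering in ax_conjunction matters: a single rejecting successor is a counterexample on an assumption-valid path, so it must dominate both accepting and invalid siblings, which is why REJECT is tested before ACCEPT.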
Example 6.1. Invalid Runs and Until Formulae
If we take the formula φ = A[φ1 U φ2], such that φ1 and φ2 are not Ki or AU formulae, it then follows that the acceptance condition for φ is the empty set. Consequently, an infinite run that does not eventually satisfy φ2 will either be invalid (i.e., it enters an infinite run that is not admitted by the acceptance condition for the assumption) or is rejecting because the branch is accepting with respect to the assumption but rejecting with respect to the acceptance condition of the formula (i.e., the set of formulae occurring infinitely often on the current branch had an empty intersection with the Büchi acceptance condition). In other words, φ is only accepted on finite runs, as φ2 must eventually be satisfied at some state, and therefore it is implicit that φ can never be accepting on infinite runs. △
6.4.4.1 Detecting invalid runs
To decide if a current state occurs on an assumption-valid path, we check the formula EG true using the standard automata-theoretic approach based on the WEAA encoding.
In Chapter 5, we used the formula A false to detect invalid paths. However, to allow for an easier approach, we check EG true, which returns true if and only if the current state has at least one assumption-valid path leaving it. EG true has the advantage that it also supports the check for seriality, as well as the check for validity: EG true is an EU formula, so it requires at least one state to exist, unlike an AU, which may hold at a state that has no successors. The encoding of EU formulae follows the presentation of Chapter 4, but with the checks presented so far in this section to support checking against the validity of the assumption (i.e., with the additional checks for assumption validity for any subformulae of the form Ki, p or ¬p).
A check of EG true at a given state will return Invalid if none of its successors have any assumption-valid paths (and therefore the current state also has no assumption-valid paths leaving it).
Using the previously defined acceptance criteria, checking EG true resolves to finding a loop in the model that meets the acceptance condition of the assumption. However, unlike the CHECK_PATH algorithm presented so far, we remove the need to check against the acceptance condition for the guarantee (as EG true is always true on deadlock-free models), and we are only concerned with acceptance against the assumption.
We note that the rejecting case can never arise: the formula EG true cannot be false on transition systems with a serial relation (i.e., the model has no deadlock). As such, checking EG true either returns accepting (if the state has at least one accepting path starting from it) or invalid (if there are no accepting paths starting at the state).
6.4.4.2 Verification Approach for ∀CTLK guarantees
To summarise, inside agr-mcmas, we implement the following high-level approach when checking a guarantee:
1. Construct the full reachable state-space for the composition of the agent under test and the property environment for the assumption.
2. Build the product automaton on-the-fly between the system, the assumption and the guarantee, while also checking for acceptance.
3. If an infinite loop is found in the product automaton:
• Check against the acceptance condition for the formula (only Ki and AU branches are allowed);
• Return invalid if rejected by the DRA.
4. If the current subformula is p, ¬p or the parent formula is Ki, spawn a check for EG true that tries to find at least one accepted path outwards. If there are no such successors, and the subformula returns reject, then return invalid.
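The EG true check of Section 6.4.4.1, and the product construction it relies on in steps 1, 2 and 4 above, as an added Python example that is not code from the thesis or from agr-mcmas. The model, the assumption automaton (a state-based Büchi automaton for the A-LTL property GF p, "p holds infinitely often") and the state labels are all constructed for this example; the assumption automaton is assumed to read the label of the product state it is leaving, and the DRA of step 3 is replaced by this Büchi automaton since only acceptance against the assumption matters for EG true. The check returns "accept" when a reachable accepting product state lies on a cycle and "invalid" otherwise, which also covers deadlocked (non-serial) states.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

ProductState = Tuple[str, str]  # (model state, assumption automaton state)


@dataclass
class Kripke:
    succ: Dict[str, Set[str]]            # transition relation of the composed system
    label: Dict[str, FrozenSet[str]]     # atomic propositions true at each state


@dataclass
class Buchi:
    """State-based Büchi automaton for the assumption; delta reads a label set."""
    init: str
    accepting: FrozenSet[str]
    delta: Callable[[str, FrozenSet[str]], Set[str]]


def gf_p(q: str, labels: FrozenSet[str]) -> Set[str]:
    """Transition function for GF p (constructed): q1 is visited infinitely
    often on a run exactly when p holds infinitely often on the path."""
    return {"q1"} if "p" in labels else {"q0"}


# Constructed assumption: p must hold infinitely often.
ASSUMPTION = Buchi(init="q0", accepting=frozenset({"q1"}), delta=gf_p)

# Constructed model: s2 loops with p, s3 loops without p, s4 is a deadlock.
MODEL = Kripke(
    succ={"s0": {"s1"}, "s1": {"s2", "s3"}, "s2": {"s2"}, "s3": {"s3"}, "s4": set()},
    label={
        "s0": frozenset({"p"}), "s1": frozenset(), "s2": frozenset({"p"}),
        "s3": frozenset(), "s4": frozenset({"p"}),
    },
)


def product_successors(model: Kripke, aut: Buchi, ps: ProductState) -> Set[ProductState]:
    """Step 2: product transitions built on demand from a product state."""
    g, q = ps
    return {(g2, q2) for g2 in model.succ.get(g, set())
            for q2 in aut.delta(q, model.label[g])}


def reachable(model: Kripke, aut: Buchi, start: ProductState) -> Set[ProductState]:
    """Step 1 restricted to the product: all product states reachable from start."""
    seen: Set[ProductState] = set()
    stack = [start]
    while stack:
        ps = stack.pop()
        if ps in seen:
            continue
        seen.add(ps)
        stack.extend(product_successors(model, aut, ps))
    return seen


def eg_true(model: Kripke, aut: Buchi, g: str, q: str = None) -> str:
    """EG true at model state g with the assumption automaton in state q
    (its initial state if q is None): 'accept' iff some infinite path from g
    is admitted by the assumption, i.e. a reachable accepting product state
    lies on a cycle; otherwise 'invalid'. Rejecting never occurs."""
    start = (g, aut.init if q is None else q)
    for ps in reachable(model, aut, start):
        if ps[1] not in aut.accepting:
            continue
        # ps is on a cycle iff it is reachable again from one of its successors
        if any(ps in reachable(model, aut, nxt)
               for nxt in product_successors(model, aut, ps)):
            return "accept"
    return "invalid"


if __name__ == "__main__":
    for s in ("s0", "s1", "s3", "s4"):
        print(s, eg_true(MODEL, ASSUMPTION, s))
```

From s0 and s1 the path through s2 visits p infinitely often, so EG true is accepting; s3 only ever sees states without p and s4 has no successor at all, so both are invalid and any p, ¬p or Ki subformula evaluated there must not be counted as a rejection. Recomputing the reachable set per accepting state is quadratic; a production checker would use a nested depth-first search, but the verdicts are the same.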