TÍTULO TERCERO. ORGANIZACIÓN Y FUNCIONES - NOTA. El presente texto es un documento de divulgaci

cutoff _

SFE(S,

¯)= (

max

(

,

¯(

)), . . . ,

max

(

,

¯(

)))

forany

S ∈ SFE

with

k ≥

1 rolesandanym

¯

∈ N

k_.

Fig. 14. Them-stuttering simulation of a bigger system¯ S(¯n)by the cutoff systemS(¯c).

Following thecutoffcalculation, themodelcheckingprocedure checkstheconcrete system

S(¯

)

against thetrivialin- stantiation

φ[

trivial

]

∀

v_¯

(φ (

))

.If

φ[

trivial

]

issatisﬁedby

S(¯

)

,thentheprocedurereturnstrue,otherwiseitreturnsfalse. Note that,differentlyfromthemodelcheckingprocedures for

SMR

and

SGS

systems,the modelcheckingprocedurefor

SFE

systemsalways producesan output.Weshowthat thisoutputisalwayscorrectinSection 7.3.First,we computeits valuefortheautonomousrobotexample.

7.2. Verifying the autonomous robot example

InSection2.3.3weencodedtheautonomousrobotexampleasaPIIS

S

ARcomposedofanagenttemplate

TR1 represent-

ing robotswithaccessto asensor,an agenttemplate

TR2 representing

robotswithnoaccesstoasensor, anda template environment

E

representingtheenvironment.InSection3.2we expressedtheproperty“wheneverarobot halts,itknows thatitisinthegoalregion”inthefollowing

(

,

)

-indexedformula:

φ

= ∀

({v},{x})AG

((

h_1

,

)→

K_TR1v

((

gr_1

,

))∧ (

h_2

,

)→

K_TR2x

((

gr_2

,

)))

where v is avariableof

TR1, u is

avariableofTR2, theatomicproposition

gr_1 (gr_2,

respectively)holdsinthetemplate states wherethevalue ofthe positioncomponentoftemplate robot 1(templaterobot 2,respectively) isin

{

,

}

,and the atomicproposition

h_1 (h_2,

respectively) holdsinthetemplatestateswherethetemplaterobot 1(templaterobot 2, respectively)hashalted.

Wenowusetheprocedure Check_

SFE

toestablishwhetherornottheautonomousrobotmeetstheabovespeciﬁcation. Wehavethat

¯

=

cutoff _

SFE(S

, (

,

))= (

,

)

Thus, we need to check whetherornot

S

((

,

))|= φ

[

trivial

]

.The latter querycan be testedwitha standard model checker; thiswill returntrue thereby establishing thecorrectness of theprotocol irrespectively ofthe number ofrobots present.

7.3. Soundness of the Check_

SFE

procedure

Wenowassessthesoundnessofthe Check_

SFE

procedure.

Theorem7.2.

Given S = T ,E, V∈ SFE

and an m-indexed formula

¯

∀

v¯

φ (

¯)

, Check_

SFE(S,∀

v¯

φ (

¯))

returns true iff

S |= ∀

v¯

φ (

¯)

. We provethisresultbyshowingthat:(i) thecutoffsystem

S(¯

)

m-stuttering

¯

simulateseverybigger system;(ii) every bigger systemm-stuttering

¯

simulates

S(¯

)

. Differentlyfromthe corresponding resultsforthe

SMR

and

SGS

classes,the absenceofagent-environmentandmulti-roleactions inthe

SFE

classremovesthenecessitytosimulatesynchronisations of the environment on actions that are not admitted by the agents in

A( ¯

)

. Indeed, whenever an agent not in

A( ¯

)

synchronises withtheenvironment,all agentsofthesamerole (orallagentsinthesystemdependingonthetype ofthe action)synchronisetheenvironmentaswell.

7.3.1. Part A: the cutoff system m-stuttering simulates every bigger system

¯

Consider an arbitrarily big system

S(¯

)

withn

¯≥ ¯

c, where

S(¯

)

is the cutoff system. Fig. 14 showsthe m-stuttering

¯

simulationbetween

S(¯

)

and

S(¯

)

.Tosimulateanactionperformedbytheagentsin

A(¯

)

S(¯

)

S(¯

)

performsthesame action.Anyactionperformedin

S(¯

)

thatisnotadmittedby anagentin

A(¯

)

isboundtobean asynchronousaction.As onlythestateoftheagentperformingtheactionisupdated,

S(¯

)

simulatestheseactionsbyperformingthenullaction.

Lemma 7.3. Consider a PIIS

S = T ,E, V∈ SFE

of k roles and m

¯

≥ N

k. Then,

S(¯

)≤

mss_¯

S(¯

)

for all n

¯

≥ ¯

c, where c

¯

=

cutoff _

SFE(S,

¯)

Proof. Choose an arbitraryn

¯≥ ¯

c. We show that

S(¯

)≤

mss¯

S(¯

)

.Deﬁne thesimulationrelation

∼

mss¯

⊆G(¯

)×G(¯

)

asfollows:

Fig. 15. Them-stuttering simulation of the cutoff system¯ S(¯c)by a bigger systemS(¯n).

(

,

)∈∼

mss_¯ iff lsri

(

)=

lsri

(

),

for

(

,

)∈A(

¯)

Weshowthat

∼

mss_¯ isanm-stuttering

¯

simulationbetween

S(¯

)

and

S(¯

)

.Itisclearthat

ι(

¯)∼

mss¯

ι(

¯)

.Let

g∼

mss¯ gforan arbitrarypairofglobalstatesin

G(¯

)×G(¯

)

.Weshowsimulationrequirements (i)and (iii).Requirement (i)followsbythe deﬁnitionof

∼

mss_¯ .Forsimulationrequirement (iii), let

π∈ (

)

.Construct a path

π

∈ (

)

asfollows:foreach j

≥

π

(

,

Act

)=π(

,

Act

)

π(

,

Act

)∈

₍_i_,_r₎_∈_A(¯_c₎Actr_i;otherwise,

π

(

,

Act

)=

.Itcanbecheckedthat

π

isavalidpath,and that

π(

)∼

mss_¯

π

(

)

,foreach j

≥

1.Thus,partition

π

and

π

intosingletonblocks.Itfollowsthat

S(¯

)≤

mss¯

S(¯

)

2

7.3.2. Part B: every bigger system m-stuttering simulates the cutoff system

¯

Fig. 15showsthem-stuttering

¯

simulationbetween

S(¯

)

and

S(¯

)

.An asynchronousaction

a deﬁned

fortemplate

i is

simulatedby

S(¯

)

bymeansoftwocases.If

a is

notadmittedintherepertoireofagent

(

,

)

,then

S(¯

)

simplyperforms

a.

a is

admittedintherepertoireofagent

(

,

)

,then,onebyone,theagents

(

,

),(

,

¯(

)+

),. . . ,(

,

¯(

))

perform

a.

Thus, foreachrole

i,

everyagentin

{¯

(

)+

, . . . ,

¯(

)}

mimicsagent

(

,

)

S(¯

)

maythensimulatearole-synchronousactionor aglobal-synchronousactionbyperformingtheactioninquestion.

Lemma7.4.

Consider a PIIS S = T ,E, V∈ SFE

of k roles and m

¯

∈ N

k. Then,

S(¯

)≤

mss¯

S(¯

)

, where

¯

=

cutoff _

SFE(S,

¯)

Proof. Let n

¯≥ ¯

c. Assume an integer i with 1

≤

k. Deﬁne n

¯

to be a k-tuple of integers such that: n

¯

(

)= ¯

(

)+

¯

(

)= ¯

(

)

forall j with 1

≤

k and j

=

i. Weshowthat

S(¯

)≤

mss¯

S(¯

)

.Thatis,weprovethatthesystemobtainedby addingoneconcreteagent(ofanarbitraryrole)to

S(¯

)

m-stuttering

¯

simulates

S(¯

)

.Theinductiveapplicationofthelatter entailsthemainclaimofthelemma.

Assume

r= ¯

(

)

.Deﬁnethesimulationrelation

∼

mss_¯

⊆G(¯

)×G(¯

)

asfollows:

∼

mss_¯ giff lsqj

(

)=

ls q j

(

)

for

(

,

)∈A(

¯),

lsE

(

)=

lsE

(

)

and g

→

Ar i∗g 1

_,

_{where tls}r i

(

)=

tls1i

(

)

g∼

mss¯ g,thenthelocalstatesoftheagentsin

A(¯

)

andthelocalstatesoftheenvironmentarethesameinthetwo globalstates.Additionally,theagent

(

,

)

S(¯

)

isabletochangeitslocalstatetothelocalstateofagent

(

,

)

S(¯

)

viaasynchronoustransitions.Weshowthat

∼

mss¯ isanm-stuttering

¯

simulationbetween

S(¯

)

and

S(¯

)

Thecaseof

ι(

¯)∼

mss¯

ι(

¯

)

followstrivially.Supposethat g

∼

mss¯ g foran arbitrarypairofglobalstatesin

G(¯

)×G(¯

)

. We show simulation requirements (i) and(iii). The former requirement followsby the deﬁnitionof

∼

mss_¯ .For the latter requirement,let

π∈ (

)

.Byinductiononthelengthof

π

,weconstructapath

π

∈ (

)

suchthat:(i)

π

isasrequired bythem-stuttering

¯

simulation;(ii)

tls

(π

[])=

tls

1 i

(π

[])

. Forthe base step, g

∼

mss¯ g gives g

→

i∗ g

1_, _where _tlsr

(

)=

tls 1

(

)

. Let

π

be the pathfrom g to g1.The ﬁrst blocks

B

,

B₁ aredeﬁnedasfollows:

B

=

g and B₁ isthesequenceofstatesin

π

.Clearly, g is

∼

mss¯ -relatedtoeverystate in

π

For the inductive step, assume that for a preﬁx

[

−

]π

we have already constructed a preﬁx

[

−

]π

such that

tlsr_i

(π

(

−

))=

tls1_i

(π

(

−

))

,andapartitionofthestatesin

[

−

]π

and

[

−

]π

intocorrespondingblocks.Wenow deﬁnethenextblocks Bxand

B

x.Therearetwocases.

Fig. 16.MCMAS-Parchitecture.

π(

−

,

Act

)∈/

i. Deﬁne Bx

=π(

)

and Bx

=π

(

)

,where

π

(

−

)→

π(x−1,Act)

π

(

)

. The inductive hypothesis

gives

π(

−

)∼

mss_¯

π

(

−

)

and

tls

(π

(

−

))=

tls 1

(π

(

−

))

.Therefore,

π

(

−

)→

π(x−1,Act)

π

(

)

isavalid

transition,

π(

)∼

mss¯

π

(

)

,and

tls

(π

(

))=

tls 1 i

(π(

))

. 2.

π(

−

,

Act

)∈

i. Let

a be

the corresponding template action of

π(

−

,

Act

)

. Deﬁne Bx

=π(

)

and Bx

=π

(

)◦

π

(

+

)

,where

π

(

−

)→

(a,1)

π

(

)→

(a,r)

π

(

+

)

.Theinductivehypothesisgives

π(

−

)∼

mss¯

π

(

−

)

and

tlsr_i

(π

(

−

))=

tls1_i

(π

(

−

))

. Therefore,

π

(

−

)→

(a,1)

π

(

)→

(a,r)

π

(

+

)

are validtransitions,

π(

)∼

mss¯

π

(

)

π(

)∼

mss¯

π

(

+

)

,and

tls

(π

(

+

))=

tls

1 i

(π

(

))

Simulation requirement (iii) istherefore satisﬁed. It follows that

S(¯

)≤

mss_¯

S(¯

)

. Bythe inductive application of the latterandbytransitivityof

≤

mss¯ ,weobtainthat

S(¯

)≤

mss¯

S(¯

)

2

Corollary7.5.

Consider a PIIS S = T ,E, V∈ SFE

of k roles and an m-indexed formula

¯

∀

v¯

φ (

¯)

. Then,

S(¯

)|= ∀

v¯

φ (

¯)

iff

∀¯

≥

¯

.S(¯

)|= ∀

v¯

φ (

¯)

, where c

¯=

cutoff _

SFE(S,

¯)

Proof. Let n

¯≥ ¯

c be arbitrary. ByTheorem 3.9 itsuﬃces to show that

S(¯

)≤

mss¯

S(¯

)

and

S(¯

)≤

mss¯

S(¯

)

.The former is givenbyLemma 7.3.ThelatterisgivenbyLemma 7.4.

2

This concludes theproof ofTheorem 7.2.Corollary 7.5 givesa methodology forsolving the PMCPby modelchecking the cutoff system. Differently from Corollary 5.13and Corollary 6.6,where certain conditions are assumed, by means of

Corollary 7.5 we always solve the PMCP forany givensystem andspeciﬁcation. In other words,while Check_

SMR

and Check_

SGS

donotprovideananswertothePMCPintheabsenceofanagent-environmentsimulation, Check_

SFE

always providesasolution.Therefore,thePMCPforthe

SFE

classofPIISisdecidable.

Corollary7.6.

The PMCP for the SFE

class of PIIS is decidable.

In document NOTA. El presente texto es un documento de divulgación sin ningún carácter oficial, que recoge la norma íntegra actualizada. (página 35-39)

TÍTULO TERCERO. ORGANIZACIÓN Y FUNCIONES

SFE(S,

¯)= (

(

,

¯(

)), . . . ,

(

,

¯(

)))

S ∈ SFE

k ≥

¯

∈ N

S(¯

)

φ[

]

∀

(φ (

))

φ[

]

S(¯

)

SMR

SGS

SFE

S

TR1 represent-

TR2 representing

E

(

,

)

φ

= ∀

((

,

)→

((

,

))∧ (

,

)→

((

,

)))

TR1, u is

gr_1 (gr_2,

{

,

,

}

h_1 (h_2,

SFE

¯

=

SFE(S

, (

,

))= (

,

)

S

((

,

))|= φ

[

]

SFE

SFE

Given S = T ,E, V∈ SFE

¯

∀

φ (

¯)

SFE(S,∀

φ (

Given S = T ,E, V∈ SFE

S = T ,E, V∈ SFE