Model Checking Games for a Fair Branching-Time Temporal Epistemic Logic
Xiaowei Huang and Ron van der Meyden
The University of New South Wales, Australia
The 22nd Australasian Joint Conference on Artificial Intelligence (AI'09)
X. Huang & R. van der Meyden (UNSW) Model Checking Games AI'09 1 / 20
Outline
1. Model Checking Knowledge
2. Motivation: Counterexample
3. Model Checking Games
Model Checking
System: Kripke structure $M = (S, I, \rightarrow, \pi)$
Property: temporal logic formula $\varphi$
1. branching-time temporal logics, e.g. CTL
2. linear-time temporal logics, e.g. LTL
Model checking problem: decide whether $M \models \varphi$
Epistemic Property on Model Checking
A simplified version of the Byzantine Generals protocol
Epistemic Property on Model Checking
Running properties:
$\varphi_1$: Once General 2 receives the message, General 1 will know that General 2 knows his plan.
$\varphi_2$: General 2 always thinks that it is possible that the message is lost but received.
Epistemic + Branching Time Temporal Logic
Syntax of CTLK$_n$:
$\varphi ::= p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid EX\,\varphi \mid E[\varphi_1\, U\, \varphi_2] \mid EG\,\varphi \mid K_i\,\varphi \mid C_G\,\varphi$
Interpreted system:
A run over $S$ is a function $r : \mathbb{N} \rightarrow S$.
An interpreted system for $n$ agents is a tuple $\mathcal{I} = (R, \sim_1, \ldots, \sim_n, \pi)$ where
◮ $R$ is a set of runs over $S$
◮ $\sim_i$ is the indistinguishability relation on $S$ w.r.t. agent $i$
◮ $\pi : S \rightarrow \mathcal{P}(Prop)$ is the labelling
A point of $\mathcal{I}$ is a pair $(r, m)$ where $r \in R$ and $m \in \mathbb{N}$.
Epistemic + Branching Time Temporal Logic (cont.)
Bundle semantics [J. Burgess, 1979; R. van der Meyden, 2003]:
$\mathcal{I}, (r, m) \models EF\,\varphi$ if there exists a run $r' \in R$ equivalent to $r$ up to time $m$ and some $m' \ge m$ such that $\mathcal{I}, (r', m') \models \varphi$.
Observational semantics:
$\mathcal{I}, (r, m) \models K_i\,\varphi$ if for all points $(r', m')$ of $\mathcal{I}$ such that $r(m) \sim_i r'(m')$ we have $\mathcal{I}, (r', m') \models \varphi$.
Epistemic + Branching Time Temporal Logic (cont.)
Kripke structure $M = (S, I, \rightarrow, \sim_1, \ldots, \sim_n, \pi, \alpha)$
Fairness condition $\alpha$: generalised Büchi fairness, defined with several sets of states. A run is accepting if it passes through at least one state of every set infinitely often. This can express properties like "whenever A occurs, B occurs at some later time" or "A occurs infinitely often".
Running example: $Fairness_1 = sndack$, where the proposition $sndack$ denotes the set of states in which ack is sent; $Fairness_2 = sndmsg$.
Epistemic Property on Model Checking
$\varphi_1 = AG(rcvmsg \Rightarrow K_1 K_2\, sndmsg)$: Once General 2 receives the message, General 1 will know that General 2 knows his plan.
$\varphi_2 = AG(\neg K_2 \neg(msglost \wedge rcvmsg))$: General 2 always thinks that it is possible that the message is lost but received.
Workflow on MCK
Counterexample of formula $\varphi_1$
$\varphi_1 = AG(rcvmsg \Rightarrow K_1 K_2\, sndmsg)$ (universal fragment of CTLK$_n$)
Existential form searched for the counterexample (as given on the slide): $EF(rcvmsg \wedge K_1 K_2 \neg sndmsg)$
Counterexample of formula $\varphi_2$?
$\varphi_2 = AG(\neg K_2 \neg(msglost \wedge rcvmsg))$
Existential form searched for the counterexample (as given on the slide): $EF(K_2(msglost \wedge rcvmsg))$
Recall the knowledge semantics: $\mathcal{I}, (r, m) \models K_i\,\varphi$ if for all points $(r', m')$ of $\mathcal{I}$ such that $r(m) \sim_i r'(m')$ we have $\mathcal{I}, (r', m') \models \varphi$. A single path is therefore not enough evidence for a formula containing $K_i$.
"we can expect to have simple natural counterexamples only for universal specifications." [E.M. Clarke and H. Veith, 2003]
Game Scenario
Players: Sys and Usr
Roles: verifier (V) and refuter (R)
Configurations:
Initial configuration: $Usr : \varphi$
Intermediate configuration: $p : \{(s_1, \varphi_1), \ldots, (s_m, \varphi_m)\}$
Final configuration: "$p$ wins"
Game Rules
Rule format: CurrentConfiguration   Role (Condition)   NextConfiguration
"if the game is in the CurrentConfiguration and the Condition holds, then it is the turn of the player in role Role to move, and one of the choices available to this player is to move the game into configuration NextConfiguration."
Simple Rules
$p : (s, \varphi_1 \vee \varphi_2)$   V ($i \in \{1, 2\}$)   $p : (s, \varphi_i)$
$p : (s, \varphi_1 \wedge \varphi_2)$   R ($i \in \{1, 2\}$)   $opp(p) : (s, \neg\varphi_i)$
Without fairness:
$p : (s, EF\,\varphi)$   V ($s = s_1 \rightarrow \ldots \rightarrow s_m$)   $p : (s_m, \varphi)$
Game Rules with Fairness
$p : (s, EF\,\varphi)$   V ($s = s_1 \rightarrow \ldots \rightarrow s_m$)   $p : \{(s_m, \varphi), (s_m, Fair)\}$
$p : \{(s_1, \varphi_1), \ldots, (s_m, \varphi_m)\}$   R ($1 \le k \le m$)   $p : (s_k, \varphi_k)$
$p : (s, Fair)$   V ($s = s_1 \rightarrow \ldots \rightarrow s_m$, $s_m = s_k$, $k \le l_1, \ldots, l_N < m$)   $p : \{(s_{l_1}, \chi_1), \ldots, (s_{l_N}, \chi_N)\}$
Game Rules with Fairness and Reachability
$p : (s, K_i\,\varphi)$   R ($t \in S$, $s \sim_i t$)   $opp(p) : \{(t, \neg\varphi), (t, Fair), (t, Reach)\}$
$p : (s, Reach)$   V ($s_1 \rightarrow \ldots \rightarrow s_m = s$)   $p : (s_1, Init)$
$p : (s, Init)$   ($s \in I$)   $p$ wins
$p : (s, Init)$   ($s \notin I$)   $opp(p)$ wins
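To make the rules on this and the two preceding slides concrete, here is an added example (not part of the slides or of the MCK tool): a small explicit-state evaluator in Python for the fragment $\{p, \neg, \wedge, EF, K_i\}$ under observational semantics that returns, next to the truth value, the evidence the winning role would exhibit in the game: the witness path $s_1 \rightarrow \ldots \rightarrow s_m$ for $EF$, the refuting state $t \sim_i s$ for $K_i$, the failing conjunct for $\wedge$. The toy Kripke structure, its labels and the agents' observations are constructed for the example; fairness and reachability are not modelled, so every state is treated as fair and reachable.

```python
from collections import deque
# Constructed toy model (not the paper's) of the simplified Byzantine-generals protocol.
STATES = ["s0", "s1", "s2", "s3", "s4", "s5"]
SUCC = {"s0": {"s1"}, "s1": {"s2", "s3"}, "s2": {"s1"},
        "s3": {"s4", "s5"}, "s4": {"s4"}, "s5": {"s3"}}
LABEL = {"s0": set(), "s1": {"sndmsg"}, "s2": {"sndmsg", "msglost"},
         "s3": {"sndmsg", "rcvmsg"}, "s5": {"sndmsg", "rcvmsg", "sndack"},
         "s4": {"sndmsg", "rcvmsg", "sndack", "rcvack"}}
# s ~_i t iff agent i observes the same: General 1 sees only the ack, General 2 only the message.
OBS = {1: lambda s: "rcvack" in LABEL[s], 2: lambda s: "rcvmsg" in LABEL[s]}

def equiv(i, s):
    return [t for t in STATES if OBS[i](t) == OBS[i](s)]

def check(s, f):
    """Evaluate f at s; return (holds, evidence). The evidence is the move the
    winning role would make: witness path for EF, refuting t ~_i s for K_i."""
    op = f[0]
    if op == "p":
        return f[1] in LABEL[s], s
    if op == "not":
        h, e = check(s, f[1])
        return (not h), e
    if op == "and":                     # the refuter picks a failing conjunct
        for g in f[1:]:
            h, e = check(s, g)
            if not h:
                return False, (g, e)
        return True, None
    if op == "EF":                      # breadth-first search for a witness
        parent, queue = {s: None}, deque([s])
        while queue:
            u = queue.popleft()
            h, e = check(u, f[1])
            if h:                       # rebuild s = s_1 -> ... -> s_m = u
                path = []
                while u is not None:
                    path.append(u); u = parent[u]
                return True, (path[::-1], e)
            for v in SUCC[u]:
                if v not in parent:
                    parent[v] = u; queue.append(v)
        return False, None
    if op == "K":                       # K_i g holds iff g holds at every t ~_i s
        for t in equiv(f[1], s):
            h, e = check(t, f[2])
            if not h:
                return False, (t, e)
        return True, None
    raise ValueError(f"unknown operator {op!r}")
```

Checking $EF(rcvmsg \wedge \neg K_1 K_2\, sndmsg)$ from `s0` returns the path `s0 -> s1 -> s3`, and at `s3` the refuter's move for $K_1$ is `s0`, which General 1 cannot distinguish from `s3` before the ack arrives.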
Strategy and Winning Strategy
A strategy of a player is a function mapping the set of configurations in which it is that player's turn to the set of possible next configurations according to the game rules.
A winning strategy for player $p$ is a strategy $\sigma_p$ such that for all strategies $\sigma_{opp(p)}$ of the opponent, all plays of the game according to $(\sigma_p, \sigma_{opp(p)})$ are finite and end in the configuration "$p$ wins".
Theoretical Results
Finiteness of the game: If $M$ is a finite state system and $\varphi$ is any CTLK$_n$ formula, then all plays of the game for $(M, \varphi)$ are finite.
Main theorem: For all finite state systems $M$ and formulas $\varphi$ of CTLK$_n$, we have $M \not\models \varphi$ iff there exists a winning strategy for Sys in the game for $(M, \varphi)$.
Conclusion and Future Work
Provide a debugging facility for the epistemic model checker MCK.
Current implementation:
1. Abstract the winning strategy from the result of model checking
◮ explicit-state model checker
◮ bounded model checker
2. A logic combining CTL and epistemic operators
Future:
1. Abstract the winning strategy from a symbolic model checker
2. More expressive logics, e.g. a logic including $\mu$-calculus operators
3. ...