Collection Mémoires et thèses électroniques
Accueil À propos Nous joindre

Chapter 8[*] A Tableau Method for Verifying Dialogue Game Protocols (a Model Checking Approach)

Table des matières

In this chapter, we address the problem of verifying dialogue game protocols using a tableau-based model checking technique. These protocols are specified using the DCTL*CAN logic that we developed in Chapter 7. Unlike the model checking algorithms proposed in the literature, the algorithm that we propose in this chapter allows us not only to verify if the dialogue game protocol (the model) satisfies a given property expressed in DCTL*CAN, but also if this protocol respects the tableau rules of the communicative acts. This algorithm is an on-the-fly efficient algorithm.

As outlined in Chapter 3, dialogue games provide an interesting way of specifying agent communication protocols (see for example (Dastani et al., 2000), (McBurney and Parsons, 2002), (Maudet and Chaib-draa, 2002), (Bentahar et al., 2004a, 2004d)). These games aim at offering more flexibility by combining different small games to construct complete and more complex protocols. Dialogue games can be thought of as interaction games in which each agent plays a move in turn by performing utterances according to a pre-defined set of rules.

From another point of view, formal verification methods became usable by industry quite recently and there is a growing demand for professionals able to apply them (Huth and Ryan, 2000). We can think of formal verification techniques as being composed of three parts:

  • A framework for modeling systems, typically a description language.

  • A specification language for describing the properties to be verified.

  • A verification method to establish whether the description of a system satisfies the specification or not.

The two main approaches to verify system properties are proof-based approaches and model-based approaches. In the proof-based approaches, the system description is a set of logical formulae Γ and the specification is another formula ø . The verification method consists of trying to find a proof that Γ ø . This typically requires guidance and expertise from the user in order to identify suitable lemmas and auxiliary assertions. In the model-based approaches, the system is represented by a finite model M using an appropriate logic. The specification is again represented by a formula ø and the verification method consists of computing whether the model M satisfies ø or not. This is usually done automatically.

Model-based techniques rely on models describing the system’s possible behaviors in a mathematical precise and unambiguous manner (Queille and Sifakis, 1981), (Lichtenstein and Pneuli, 1985), (Clarke et al., 1986). The system models are accompanied by algorithms that systematically explore all the states of the system model. This provides the basis for a whole range of verification techniques ranging from an exhaustive exploration (model checking) to experiments with a restrictive set of scenarios in the model (simulation), or in reality (testing).

Recently, the verification of MAS has become an attractive field of research. Several proposals have been put forward for model checking MAS. Some of these proposals use existing model checkers (for example SPIN and JPF2) by translating some agent specification languages (for example MABLE and AgentSpeak) to the languages used by these model checkers (Wooldridge et al., 2002), (Bordini et al., 2003a, 2003b). Other proposals adapt some model checking techniques (for example bounded and unbounded model checking) and propose new algorithms for verifying temporal and epistemic properties of MAS (Penczek and Lomuscio, 2003), (Kacprzak and Penczek, 2004a, 2004b), (Raimondi and Lomuscio, 2004).

In the domain of agent communication, only some research work tried to address the verification of agent communication protocols. Endriss and his colleagues (2003) dealt with the problem of checking and possibly enforcing conformance to agent communication protocols. Huget and Wooldridge (2004) addressed the problem of checking that agents correctly implement the semantics of an agent communication language. Walton (2004) applied model checking techniques in order to verify the correctness of a communication protocol. Baldoni and his colleagues (2004) tackle some aspects of the conformance verification, i.e. the verification that a given protocol implementation conforms to its abstract specification. Giordano and her colleagues (2004) addressed the problem of specifying and verifying systems of communicating agents in a Dynamic Linear Time Temporal Logic (DLTL).

Except the work done by (Giordano et al., 2004), all the other work on model checking of MAS are based only on temporal and epistemic logics. In this chapter, we propose a model checking-based verification of dialogue game protocols using a temporal and dynamic logic. These protocols are specified as transition systems using our DCTL*CAN logic (Dynamic and CTL* logic for Commitment and Argument Network) that we developed in Chapter 7. In contrast to (Giordano et al., 2004), the dynamic aspect of our logic is represented by action formulae and not by strengthening the until operator by indexing it with the regular programs of dynamic logic. Our protocols are specified as actions that agents apply to social commitments (SC) and to SC contents. In addition, the model checking procedure that we propose allows us to verify not only that the dialogue game protocol (the theoretical model) satisfies a given property, but also that the tableau semantics of the communicative acts is respected. The idea is to integrate this semantics in the specification of the protocol, and then to propose a parsing method to verify that the protocol specification respects the semantic definition. Consequently, if agents respect these protocols, then they also respect the semantics of the communicative acts. We have here a mechanism for checking the agents’ compliance with the semantics without taking into account the agents’ specifications created by the developers. Indeed, we have only one procedure to verify: 1) the correctness of the protocols relative to the properties that the protocols should satisfy; and 2) the conformance of agents to the semantics of the communicative acts. However, the tableau semantics (the tableau rules) we use in this chapter describe only the structure of the commitment formulae and not the semantics as defined in Chapter 7. The purpose of this technique is to verify the temporal properties of the protocol and to ensure that the structures of the commitments are the same in both the protocol and the specification. The advantage of verifying the structures of the commitments is to ensure that all agents participating in a communication share the same description of the communicative acts. In addition this technique based on the tableau method can be generalized to also verify the semantic definitions proposed in Chapter 7. This work goes beyond the objectives of this thesis and will be a priority subject of our future research.

To our knowledge, until now there is no work that addressed the verification problem of dialogue game protocols. Indeed, the contributions of this chapter are:

1- A formulation of dialogue game protocols using transition systems. This formulation enables us to represent not only the allowed communicative acts but also the underlying tableau semantics.

2- An automata and tableau-based technique to check if a protocol satisfies the specifications and the structure. These two verifications are done at the same time.

The rest of this chapter is organized as follows. Section 8.2 introduces the model checking problem and a class of algorithms based on the tableau method to which our procedure belongs. Section 8.3 presents a tableau semantics of our DCTL*CAN logic. Section 8.4 defines the transition systems that we use to model dialogue game protocols and the underlying semantics. The problem of verifying these protocols is addressed in Section 8.5. In this section, we present the Alternating Büchi Tableau Automata, the translation procedure of temporal and action formulae to this automata, and the model checking algorithm. Proofs of different properties are also presented in this section. Section 8.6 presents related work and Section 8.7 concludes the chapter.

The model-checking problem for a branching temporal logic is as follows: Given a Kripke structure K and a branching temporal formula ψ , determine if K ψ . The state space of a transition system can be thought of as a Kripke structure. For linear temporal logics, a close and fruitful connection with the theory of automata on infinite words has been developed (Vardi and Wolper, 1986), (Courcoubetis et al., 1992). The basic idea is to associate with each linear temporal logic formula a finite automaton on infinite words that accepts exactly all the computations that satisfy the formula. For these logics, each Kripke structure may correspond to infinitely many computations. Model checking is thus reduced to check inclusion between the set of computations allowed by the Kripke structure and the language of an automaton describing the formula (Vardi and Wolper, 1986). For branching temporal logics, each Kripke structure corresponds to a single non-deterministic computation. On that account, model checking is reduced to check the membership of this computation to the language of the automaton describing the formula (Wolper, 1989). For these logics, the automata-theoretic counterpart is automata on infinite trees. By reducing the satisfiability to the non-emptiness problem for these automata [6] , optimal decision procedures have been obtained for various branching temporal logics (Emerson and Lei, 1986), (Vardi and Wolper, 1986), (Emerson and Sistla, 1984), (Courcoubetis et al., 1992).

Bernholtz, Vardi, and Wolper (1994) argued that alternating tree automata are the key to a comprehensive and satisfactory automata-theoretic framework for branching temporal logics. Alternating tree automata on infinite trees generalize the standard notion of non-deterministic tree automata by allowing several successor states to go down along the same branch of the tree (Muller and Schupp, 1987). Tree automata generalize sequential automata in the following way: on a given binary tree, the automaton starts its computation at the root in an initial state and then simultaneously works down the paths of the tree level by level. The transition relation specifies the two states that are the two sons of a node. The tree automaton accepts the tree if there is a run built up in this fashion which is successful . A run is successful if all its paths are successful in a sense given by an acceptance condition for sequential automata.

It is known that while the translation from branching temporal logic formulae to non-deterministic tree automata is exponential, the translation to alternating tree automata is linear (Muller et al., 1988). This explains the efficiency of model checking for these logics. Thus, alternating tree automata provide a unifying and optimal framework for both satisfiability and model-checking problems for branching temporal logics.

The model checking approach that we use for our logic is based on an alternative view of model checking proposed by Bhat and Cleaveland (1996, 2001). This view relies on translating formulae into intermediate structures, Alternating Büchi Tableau Automata (ABTA). Unlike the other model checking techniques, this technique allows us to verify not only temporal formulae, but also action formulae. Because our logic is based on an action theory, this technique is more suitable. This approach is a tableau-based model checking. The following section introduces this approach.

Tableau-based algorithms are based on the use of assertions and proof rules . Assertions are typically of the form s M ø and mean that state s in model M satisfies the formula ø . Using a set of proof rules we aim to prove the truth or falsity of assertions. But unlike traditional proof systems which are bottom-up approaches, tableau-based algorithms work in a top-down or goal-oriented fashion. Proof rules are used in order to prove a certain formula by inferring when a state in a Kripke structure satisfies such a formula. According to this approach, we start from a goal, and we apply a proof rule and determine the sub-goals to be proven. The proof rules are designed so that the goal is true if all the sub-goals are true. The advantage of this method is that the state space is explored in a need-driven fashion. The algorithm searches only the part of the state space that needs to be explored to prove or disprove a certain formula. The state space is constructed while the algorithm runs. This kind of algorithms, also referred to on-the-fly or local algorithms, have been found to be useful in practice since in many cases only a small part of the state space needs to be explored to prove a formula (Cleaveland, 1990), (Stirling and Walker, 1991), (Bhat and Cleaveland, 2001).

The tableau-based algorithms proposed in (Cleaveland, 1990), (Stirling and Walker, 1991) have exponential time and space complexity. The exponential penalty incurred by these algorithms is mainly due to the fact that these algorithms work by constructing proof trees. Like (Bhat, 1998), the algorithm that we use for our DCTL*CAN logic avoids this exponential penalty by using graphs instead of trees to represent proofs.

The tableau decision algorithm that we use provides a systematic search for a model which satisfies a particular formula of our logic. It is a graph construction algorithm. Nodes of the graph are sets of DCTL*CAN formulae and tableau rule names. Tableau rules are inference rules designed so that the formula is true if all the sub-formulae are true. The main difference between proof rules and tableau rules is that proof rules work on assertions, while tableau rules work on logical formulae. The difference between assertions and logical formulae is that logical formulae are written without taking into account the states of the model. The interpretation of vertex labeling is that for the vertex to be satisfied, it must be possible to satisfy all the formulae in the set together. Each edge in the graph represents a satisfaction step of the formula contained in the starting vertex. These steps correspond to the application of a set of tableau rules. These rules express how the satisfaction of a particular formula (the goal) can be obtained by the satisfaction of its constituent formulae (sub-goals).

The semantics we use here is a tableau semantics (Cleaveland, 1990) that we can consider as a simplification of the semantics that we defined in Chapter 7. This semantics is specified in terms of the decomposition of formulae to sub-formulae using a set of tableau rules. These rules are given in Figures 8.1, 8.2, 8.3 and 8.4. For simplification reasons, we use in this chapter a simplified version of DCTL*CAN that is sufficient for the specification of dialogue game protocols. For example we consider only propositional and action commitments, and we do not consider formulae of commitment states and formulae of contradiction of commitment contents. In addition, to simplify the Challenge-content formula, we introduce a syntactical operator ?. Syntactically, means that, a given agent does not know whether is true or not.

The tableau semantics enables us to define top-down proof systems. The idea is: given a formula, we apply a tableau rule and determine the sub-formulae to be proven. Tableau rules are inference rules used in order to prove a formula by proving all the sub-formulae. The labels of these rules are the labels of states in the automata constructed from a given formula. For example, rule R 1 of Figure 8.1 labeled by "∧" indicates that ψ1 and ψ2 are the two sub-formulae of ψ1 ψ2 . This means that, in order to prove that a state labeled by "∧" satisfies the formula ψ1 ψ2 , we have to prove that the two children of this state satisfy ψ1 and ψ2 respectively. This idea will be detailed in Section 8.5.1 when we will define the alternating Büchi tableau automata. According to rule R 2, in order to prove that a state labeled by "∨" satisfies the formula ψ1 ψ2 , we have to prove that one of the two children of this state satisfies ψ1 or ψ2 . Rule R 3 labeled by "∨" indicates that ψ is the sub-formula to be proved in order to prove that a state satisfies E( ψ ). According to rule R 4 (resp. R 5), the formula ¬ ψ (resp. ? ψ ) is satisfied in a state labeled by "¬" (resp. ?), if this state has a successor representing ψ . Rule R 6 is defined in the usual way where is a set of path formulae.

The label "< αø >" (rule R 7 of Figure 8.2) is the label associated with the action α whose performance makes the proposition ø true (see Chapter 7). According to this rule, in order to prove that a state labeled by "< αø >" satisfies Perform ( α ) ø , we have to prove that an accessible state via a transition labeled by Perform ( α ) satisfies ø . Rule R 8 is defined using the same idea. The label "< C >" (rule R 9) is the label associated with the creation action of a social commitment SC. According to this rule, in order to prove that a state satisfies Create ( Ag1 , SC ( Ag1 , Ag2 , t , ø )), we have to prove that an accessible state via a transition labeled by the creation action satisfies the sub-formula SC ( Ag1 , Ag2 , t , ø ). The rules R 10 to R 21 are defined in the same way.

Rule R 22 of Figure 8.3 indicates that E( ø ) is the sub-formula of the formula E( PC ( Ag1 , Ag2 , t , ø )). Thus, in order to prove that a state satisfies E( PC ( Ag1 , Ag2 , t , ø )), we have to prove that the accessible state via a transition labeled by "[ PCAg1 ]" satisfies E( ø ). In the same way, we define the rule R 23.

Finally, the rules R 24 to R 32 of Figure 8.4 are defined in the usual way. For example, according to rule R 29, in order to prove that a state satisfies E(X+ φ ), we have to prove that the next state via the transition labeled by "X+" satisfies the sub-formula E( φ ).

In this section we define the theoretical model of our model checking procedure. This model specifies the dialogue game protocols. These protocols are specified as a set of rules describing the entry condition, the dynamics and the exit condition of the protocol (Bentahar et al., 2004a) (this aspect will be detailed in Chapter 9). These rules can be specified in our logic as action formulae (actions on SC, actions on SC contents and argumentation relations). We define these protocols as transition systems. The purpose of these transition systems is to describe not only the sequence of the allowed actions (classical transition systems), but also the semantics of these actions and the semantics of the different elements used in our commitment and argument-based approach. The states of these transition systems are sub-transition systems (called semantic transition systems) describing the semantics of the actions labeling the entry transitions. Defining transition systems in such a way allows us to verify:

1- The correctness of the protocol (if the model of the protocol satisfies the properties that the protocol should specify).

2- The compliance to the semantics of the communicative actions (if the specification of the protocol respects the semantics).

In this chapter, we propose a model checking procedure in order to verify both (1) and (2) at the same time.

The definition of the transition system of dialogue game protocols is given by the following definitions:

Intuitively, states s’ contain the sub-formulae of the action formulae, and the transitions are labeled by operators associated with the formula of the starting state. Semantic transition systems enable us to describe the semantics of formulae by sub-formulae connected by logical operators. Thus, there is a transition between states s’i and s’j iff L’ ( s’j ) is a sub-formula or an semantically equivalent formula of L’ ( s’i ). Following traditional usage we write s r s’ instead of < s , r , s’ > ∈ → where s , s’ S’ and r R .

The transitions are labeled by the actions applied to SC and to SC contents and the argumentation actions. We write s s’ instead of < s , ●, s’ > ∈ → where s , s’ S and • ∈ Act . Figure 8.5 illustrates a part of a transition system for a dialogue game protocol.

In this section, we use a combination of an automata-theoretic approach and a tableau-based approach to model-checking for our commitment and argument logic.

As a kind of Büchi automata, ABTAs (Bhat, 1998), (Bhat and Cleaveland, 2001) are used in order to prove properties of infinite behavior. These automata can be used as an intermediate representation for system properties. Let £ be the set of atomic propositions and let be a set of tableau rule labels defined as follows:

The associated tableau rules are given in Figures 8.1, 8.2, 8.3 and 8.4.

Formally, we define ABTAs for our DCTL*CAN logic as follows:

ABTAs allow us to encode " top-down proofs " for temporal formulae. Indeed, an ABTA encodes a proof schema in order to prove, in a goal-directed manner, that a transition system satisfies a temporal formula. Let us consider the following example. We would like to prove that a state s in a transition system satisfies a temporal formula of the form F1 F2 , where F1 and F2 are two formulae. Regardless of the structure of the system, there would be two sub-goals if we want to prove this in a top-down, goal-directed manner. The first would be to prove that s satisfies F1 , and the second would be to prove that s satisfies F2 . Intuitively, an ABTA for F1 F2 would encode this "proof structure" using states for the formulae F1 F2 , F1 , and F2 . A transition from F1 F2 to each of F1 and F2 should be added to the ABTA and the labeling of the state for F1 F2 being "∧" which is the label of a certain rule. Indeed, in an ABTA, we can consider that: 1) states correspond to "formulae", 2) the labeling of a state is the "logical operator" used to construct the formula, and 3) the transition relation represents a "sub-goal" relationship.

In order to decide about the satisfaction of formulae, we use the notion of the accepting runs of an ABTA on a transition system. These runs are not considered to be finite, but rather infinite, while cycling infinitely many times through acceptance states. In order to define this notion of the ABTA’s run, we need to introduce three types of nodes: positive , negative and neutral (neither positive nor negative). Intuitively, nodes classified positive are nodes that correspond to a formula without negation (for example Create ( Ag1 , PC ( Ag1 , Ag2 , t , ø ))), and negative nodes are nodes that correspond to a formula with negation (for example ¬ Justify-content ( Ag1 , PC ( Ag1 , Ag2 , t , ø ))). Neutral nodes are used in order to verify the semantics of an action formula ( act Act ) written in the formula to be verified under the form ¬ act . From the syntax point of view, ¬ act means that the action act is not performed. For example, if in the formula to be verified appears the sub-formula:

Justify-content ( Ag1 , PC ( Ag1 , Ag2 , t , ø ), ø’ )",

we use in the ABTA neutral nodes in order to verify the semantics of:

" Justify-content ( Ag1 , PC ( Ag1 , Ag2 , t , ø ), ø’ )".

The reason is that in transition systems, and consequently in the sub-transition systems, we have only action formulae without negation, whereas in the formula to be verified, we can have action formulae with negation. We note that we can not use here negative nodes because we do not interested in the formula in itself (i.e. in the example "¬ Justify-content ( Ag1 , PC ( Ag1 , Ag2 , t , ø ), ø’ )") but in the semantics of the underlying action (i.e. " Justify-content ( Ag1 , PC ( Ag1 , Ag2 , t , ø ), ø’ )"). In other words, we are not interested in the semantics of the negation action, but in the semantics of the action itself. Section 8.5.5 presents an example (Example 2) illustrating this case. We note here that in order to verify that an action formula ¬ act is satisfied, we have to verify that from a given state there is no transition in the transition system labeled by act . Definition 8.4 gives the definition of this notion of run. In this definition, elements of the set S of states are denoted si or ti . The explanation of the different closes is given after the definition and a detailed example of this notion of run is given in Figure 8.11 at the end of this chapter.

The notion of run of an ABTA on a transition system is a non-synchronized product graph of the ABTA and the transition system. This run uses the label of nodes in the ABTA ( l ( q )), the transitions in the ABTA ( q q’ ), and the transitions in the transition system ( si sj ). The product is not synchronized in the sense that it is possible to use transitions in the ABTA while staying in the same state in the transition system (this is the case for example of the closes 2, 4, and 5).

The second close in the definition says that if we have a positive node φ in the product graph such that the corresponding state in the ABTA is labelled with ¬ and we have a transition q q’ in this ABTA, then φ has one negative successor labelled with < q’, si >. In this case we use a transition from the ABTA and we stay in the same state of the transition system. In the case of a positive node and if the current state of the ABTA is labelled with ∧, all the transitions of this current state of the ABTA are used (close 4). However, if the current state of the ABTA is labelled with ∨, only one arbitrary transition from the ABTA is used (close 5). The intuitive idea is that in the case of ∧, all the sub-formulae must be true in order to decide about the formula of the current node of the ABTA, and in the case of ∨ only one sub-formula must be true.

The cases in which a transition of the transition system is used are:

1. The current node of the ABTA is labelled with X+ (which means a next state in the transition system) or X (which means a previous state in the transition system). This is the case of the closes 6, 7, 14, and 15. In this case we use all the transitions from the current state si to next or previous states of the transition system.

2. The current state of the ABTA and a transition from the current state of the transition system are labelled with the same action. This is the case of the closes 8 and 16. In this case, the current transition of the ABTA and the transition from the current state si of the transition system to a state si+1 , 0 of the associated semantic transition system are used. The idea is to start the parsing of the formula coded in the semantic transition system.

3. The current state of the ABTA and a transition from the current state of the transition system are labelled with the same action which is preceded by ¬ in the ABTA. This is the case of the closes 9 and 17. In this case, the current transition of the ABTA and the transition from the current state si of the transition system to a state si+1 , 0 of the associated semantic transition system are used. The successor node is classified neutral. This allows us to verify the structure of the formula coded in the transition system.

4. The current state of the ABTA and a transition from the current state of the transition system are labelled with different actions where the state of the ABTA is labelled with a negative formula. This is the case of the closes 10 and 18. In this case, the formula is satisfied, but its structure cannot be verified. Consequently, the current transition of the ABTA and the transition from the current state si of the transition system to a next state si+1 are used. This means that, we do not visit the associated semantic transition system.

Finally, the closes 19, 20, 21, 22, and 23 deal with the case of verifying the structure of the commitment formulae in the sub-transition systems. In these closes, transitions si , j → s i , j + 1 are used. We note here that when si,j has no successor, the formula contained in this state is an atomic formula or a boolean formula whose all the sub-formulae are atomic (for example p q where p and q are atomic).

We also need to define the notion of success of a run for the correctness of the model checking. To define this notion, we first introduce the following terminology:

In an ABTA, every infinite path has a suffix that contains either positive or negative nodes, but not both. Such a path is referred to as positive in the former case and negative in the latter.

We note here that a positive or negative leaf labeled by < q , s > such that l ( q ) = <•> where • ∈ Act and there is no s’ such that s s’ is considered a successful leaf because we can not consider it unsuccessful. The reason is that it is possible to find a transition labeled by • and starting from another state s’’ in the transition system. This is the case of the leaf labeled by (< Ch >, s0 ) in the Example 2, Section 8.5.5 (see Figure 8.11, Section 8.5.6). If we consider such a leaf unsuccessful, then even if we find a successful infinite path, the run will be considered unsuccessful. However this is false.

An ABTA B accepts a transition system T iff there exists a successful run of B on T .

The procedure for translating a DCTL*CAN formula p = E ø to an ABTA B uses goal-directed rules in order to build a tableau from this formula. Indeed, these proof rules are conducted in a top-down fashion in order to determine whether states satisfy properties or not. The tableau is constructed by exhaustively applying the rules contained in Figures 8.1, 8.2, 8.3 and 8.4 to p . Then, B can be extracted from this tableau as follows. First, we generate the states and the transitions. Intuitively, states will correspond to state formulae, with the start state being p . To generate new states from an existing state for a formula p’ , we determine which rule is applicable to p’ , starting with R 1, by comparing the form of p’ to the formula appearing in the "goal position" of each rule. Let rule ( q ) denote the rule applied at node q . The labeling function l of states is defined as follows. If q does not have any successor, then l ( q ) ∈ £ . Otherwise, the successors of q are given by rule ( q ). The label of the rule becomes the label of the state q , and the sub-goals of the rule are then added as states related to q by transitions.

A tableau for a DCTL*CAN formula p is a maximal proof tree having p as its root and constructed using R 1- R 32. If p’ results from the application of a rule to p , then we say that p’ is a child of p in the tableau. The height of a tableau is defined as the length of the longest sequence < p0 , p1 , ...>, where pi+1 is the child of pi (Cleaveland, 1990). Finally, in order to compute the successful run of the generating ABTA, we should compute the acceptance states F . For this purpose we use the following definition.

According to this definition, a state that contains the formula ø or the formula X+ ø is not an acceptance state. The reason is that according to Definition 8.4, there is a transition from a state containing ø to a state containing X+ ø and vice versa. Therefore, according to Definition 8.5, there is a successful run in the ABTA B . However, we can not decide about the satisfaction of a formula using this run. The reason is that in an infinite cycle including a state containing ø and a state containing X+ ø , we can not be sure that a state containing ø2 is reachable. However, according to the semantics of U+, the satisfaction of ø needs that a state containing ø2 is reachable while passing by states containing ø1 .

In this section we prove the termination of the translation procedure. Since this procedure is based on tableau rules, we need to prove the finiteness of the tableau. The methodology that we follow is inspired by (Cleaveland, 1990), (Adi et al., 2003).

If σ2 is a DCTL*CAN formula resulting from the application of a rule to a DCTL*CAN formula σ1 , then we say that σ2 is a child of σ1 in the tableau and σ1 is the parent of σ2 . The height of a tableau (Cleaveland, 1990) is defined as the length of the longest sequence < σ0 , σ1 , ...>, where σi is the parent of σi+1 . To prove the finiteness of a tableau, we will establish that each formula has a maximum height tableau.

Intuitively, to show the finiteness of the tableau, we will define a strict ordering relation between DCTL*CAN formulae and then show that:

1 - if σ1 is the parent of σ2 , then σ1 σ2 .

2 - the strict ordering relation has no infinite ascending chains.

The ordering relation should reflect the fact that applying tableau rules results in shorter formulae or recursive formulae. The idea is to prove that the number of nodes of the ABTA is finite. Therefore, the definition of this ordering is based either on the fact that formulae are recursive or on the length of formulae. We notice that in the case of recursive formulae, we obtain cycles which are infinite paths on a finite number of nodes. The length of a formula is defined inductively as follows:

The ordering relation is defined as follows:

The first close is used when we have a recursive formula (this means that an until formula).

is irreflexive, asymmetric and transitive. The proof is straightforward from the definition since > and are strict ordering relations.

In what follows, the notation σ1 R σ2 means that σ1 is the parent of σ2 using a tableau rule R . Now, let us prove the following lemma.

Proof

The proof is based on the analysis of the different cases of our tableau rules. Most cases are straightforward. Here we only consider rules R 7, R 9, R 30, and R 32.

To show that the ordering relation has no infinite ascending chains, we use the notion of Fischer-Ladner closure of a formula ψ ( CL ( ψ )) (Emerson et al., 1993). The idea underlying the definition of this notion is to prove that if a tableau has a root ψ , then all formulae ψ’ of this tableau have a formula in CL ( ψ ) (i.e. ψ’ CL ( ψ )). Furthermore, if we prove that CL ( ψ ) is a finite set, then we conclude that each formula appearing in a given tableau belongs to a finite set. This result will be very helpful to prove that the ordering relation has no infinite ascending chains.

Lemma 8.11 Let ψ be a formula, then CL ( ψ ) is finite and bounded in size by 2 |.

Proof

The proof is based on the induction of the structure of ψ . Most cases are straightforward. Here we only consider the four following cases:

The next lemma establishes the link between tableau rules and Fischer-Ladner closure of formulae.

Proof

The proof is based on the case analysis of the rule R . Most cases are straightforward. Here we consider the rules R 7, R 9, R 30, and R 32.

Intuitively, σi σj holds if σi is an ancestor of σj in some tableau, i.e. if there are rules Ri , ..., Rj such that: σi Ri σi+1... Rj σj

Lemma 8.13 The ordering relation has no infinite ascending chains.

Now, we can easily prove the finiteness theorem as shown below.

Theorem 8.14 For any DCTL*CAN formula σ1, there is a maximum height tableau has σ1 as a root.

Proof

Suppose that there exists a tableau with root σ1 having an infinite path:

σ1 Ri σ2 Rj σ3 ...

where Ri , Rj , ... ∈ { R 1, ..., R 32}. Then, from Lemma 8.9 and from the fact that the ordering relation is transitive (since < is transitive), it follows that there exists an infinite chain:

σ1 σ2 ...

However this is contradictory from Lemma 8.13.

Soundness and completeness of our method are stated by the following theorem.

Proof

This theorem is a consequence of Proposition 8.16 and Lemmas 8.19, 8.20 and 8.21.

Proposition 8.16 Let r a run of an ABTA B on a transition system T. In all infinite paths of r, the semantics of the action formulae appearing in these paths is verified.

Proof

The proof follows from Definitions 8.4 and 8.5. Indeed, the only case in which the semantics of an action formula is not respected is the case of a positive leaf < q , si,j > such that si,j ¬ l ( q ). Because infinite paths do not encounter any leaf, the semantics of these formulae is verified in these paths.

Now, we introduce the following definitions:

We note that if we have a run r in which a leaf < q , si,j > is unsuccessful, then we conclude that the semantics is not respected and consequently the property to be verified is not satisfied. However, if r contains an unsuccessful leaf < q , si >, we conclude only that the property is not satisfied (there is no need to verify the semantics).

Proof

To prove that T is accepted by Bψ , we have to prove that there exists a run r of Bψ on T such that all leaves and all infinite paths in the run are successful.

Let us assume that s0 ψ . First, let us suppose that there exists a leaf < q , s > in r such that s ¬ l ( q ). Since the application of tableau rules does not change the satisfaction of formulae, it follows from the definition of r that s0 ¬ ψ which contradicts our assumption.

Now, we will prove that all infinite paths are successful. The proof proceeds by contradiction. ψ is a state formula that we can write under the form , where Φ is a set of path formulae. Let us assume that there exists an unsuccessful infinite path σ in r and prove that σ T ¬ Φ . The fact that σ is infinite implies that R 32 occurs at infinitely many position in σ and that ø1 U+ ø2 Φ . Since σ is unsuccessful, there is a formula ø1 U+ ø2 qi such that for all j i we have ø2 qj . When this formula appears in the ABTA at the position qi , we have l ( qi ) = ∨. Thus, according to the definition of r and the form of R 32, the current node φ1 of r labeled by < qi , s > has one successor φ2 labeled by < qi+1 , s > with ø1 U+ ø2 qi and { ø1 , X+( ø1 U+ ø2 )} ∈ qi+1 . Therefore, l ( qi+1 ) = ∧, and φ2 has a successor φ3 labeled by < qi+2 , s > with X+( ø1 U+ ø2 ) ∈ qi+2 . Using R 29 and the fact that l ( qi+2 ) = X+, the successor φ4 of φ3 is labeled by < qi+3 , s’ > with ø1 U+ ø2 qi+3 and s s’ . This process will be repeated infinitely since the path is unsuccessful. It follows that there is no s in T such that s ø2 . Thus, according to the semantics of ø1 U+ ø2 , there is no s in T such that s ø1 U+ ø2 . Therefore, σ T ¬ Φ .

Lemma 8.20 Let ψ be a DCTL*CAN state formula and Bψ the corresponding ABTA, and let Τ = < S , , L , Act , →, s0 > be a transition system such that T is accepted by Bψ . Then s0

Proof

The proof proceeds by contradiction. We assume that s0 ¬ ψ and we prove that r contains a failed path such that one of the following holds: either σ (a path in the run r of Bψ on T ) is finite and the leaf is unsuccessful or σ is infinite and unsuccessful. Since s0 ¬ ψ there is a path ΠT in T such that ΠT ¬ ø for ø Φ or there is a path ΠT’ in a semantic transition system T’ of T such that ΠT’ ¬ ø for ø Φ . The idea is to show that r contains a failed path σ such that:

1. σT is a prefix of ΠT or σT’ is a prefix of ΠT’ and

2. if σT = < sφ0 , ..., sφi >, then for all ø φi , we have ΠT ( sφi ) ¬ ø or there is a sub-state s’φi of sφi such that ΠT’ ( s’φi ) ¬ ø where σT ( σT’ ) is a path in T (in T’ ) constructed from σ as explained in Definition 8.18 and sφi is the state that correspond to the node φi .

We proceed by an inductive construction of σ . For | σ | = 1, we have σ = < φ0 > and σT = < s0 >. Thus, σT is a prefix of ΠT and ΠT (0) ¬ ø since ΠT (0) = ΠT . First, we suppose that σ is finite. Using the construction process of a run, we can construct such a path from ΠT = < s0 , ..., sn > and eventually from ΠT’ = < sn,0 , ..., sn,n’ > such that σ = <( s0 , q0 ) ..., ( sn , qm )> or σ = <( s0 , q0 ) ..., ( sn,n’ , qm )>. Since l ( qm ) is a sub formula of ø obtained by using some tableau rules, and ΠT ¬ ø or ΠT’ ¬ ø , it follows that sn ¬ l ( qm ) or sn,n’ ¬ l ( qm ). Therefore, σ is a failed path. Now, we assume that we have constructed σ so that | σ | = i +1, for some i ≥ 0, and we prove that σ could be extended to be of length i +2. Since σ is infinite, there is a tableau rule R that appear at position i in σ . The goal position of this rule has the form E Φ . The proof is thus proceeds by an analysis of R .

  • R = R 6. In this case we have ø φi with φi is a positive (negative) node. φi has one negative (positive) node φj with ¬ ø φj . σ can be extended by adding φj .

  • R = R 7. Here we have ø = Perform ( α ) ø1 for some ø1 and some action α . The node φi has one successor φj labeled by < q’ , s0φj > such that ø1 φj , sφi α sφj and s0φj is the first sub-state of sφj . According to the semantics of the perform operator and since ΠT' ( sφi ) ¬ ø it follows that ΠT’ ( s0φj ) ¬ ø1 . Thus, we can choose σ ( i +1) = φj . It is clear that σT’ is a prefix of ΠT’ .

  • R = R 8. This case is similar to the last case ( R = R 7) by substituting ø1 by SC ( Ag1 , Ag2 , t , φ ).

  • R = R 9. In this case we have ø = Create ( Ag1 , SC ( Ag1 , Ag2 , t , φ )). The current node φi has one successor φj labeled by < q’ , s0φj > such that SC ( Ag1 , Ag2 , t , φ ) ∈ φj , sφi C sφj and s0φj is the first sub-state of sφj . It follows from the semantics of the create operator and from the fact that ΠT ( sφi ) ¬ ø that ΠT ( s0φj ) ¬ SC ( Ag1 , Ag2 , φ ). Thus, it is possible to extend σ such that 1 and 2 are always verified.

  • R = R 10. This case is similar to the last one by substituting the semantics of the Create operator by the semantics of the Withdraw operator.

  • R = R 11. Here we have ø = Satisfy ( Ag1 , PC ( Ag1 , Ag2 , t , φ )). The current node φi has one successor φj labeled by < q’ , s0φj > such that φ φj , sφi Spc sφj and s0φj is the first sub-state of sφj . It follows from the semantics of the Satisfy operator and from the fact that ΠT ( sφi ) ¬ ø that ΠT’ ( s0φj ) ¬ φ . In other words, this means that if an agent does not satisfy a propositional commitment, then the content of this commitment is false. Thus, it is possible to extend σ such that 1 and 2 are always verified.

  • R = R 12. This case is similar to the previous case. If an agent does not satisfy an action commitment about α , then Perform ( α ) p is not satisfied in the path ΠT’ ( s0φj ).

  • R = R 13. Here we have ø = Violate ( Ag1 , PC ( Ag1 , Ag2 , t , φ )). The current node φi has one successor φj labeled by < q’ , s0φj > such that ¬ φ φj , sφi Vpc sφj and s0φj is the first sub-state of sφj . It follows from the semantics of the Violate operator and from the fact that ΠT ( sφi ) ¬ ø that ΠT’ ( s0φj ) ¬(¬ φ ). In other words, this means that if an agent does not violate a propositional commitment, then the content of this commitment is true. Thus, it is possible to extend σ such that 1 and 2 are always verified.

  • R = R 14. This case is similar to the case of R 13.

  • R = R 15. In this case we have ø = Reactivate ( Ag1 , SC ( Ag1 , Ag2 , t , φ )). The current node φi has one successor φj labeled by < q’ , s0φj > such that SC ( Ag1 , Ag2 , t , φ ) ∈ φj , sφi R sφj and s0φj is the first sub-state of sφj . It follows from the semantics of the Reactivate operator and from the fact that ΠT ( sφi ) ¬ ø that ΠT’ ( s0φj ) ¬( SC ( Ag1 , Ag2 , t , φ )). In other words, this means that if an agent does not reactivate a SC in a model, then this commitment is not satisfied in this model. Thus, it is possible to extend σ such that 1 and 2 are always verified.

  • R = R 16. This rule deals with the challenge action. Thus we have PC ( Ag2 , Ag1 , t , ? φ ) ∈ φj with φj is the only successor of φi . Since the fact that an agent does not challenge a SC implies that this agent does not commit about ? φ , it follows that ΠT’ ( s0φj ) ¬( PC ( Ag2 , Ag1 , t , ? φ )). Therefore, we can choose σ ( i +1) = φj .

  • R = R x 17□x□18. In this case we can choose σ ( i +1) = φj with φj is the successor of φi in r and SC ( Ag2 , Ag1 , φ’ ) ∈ φj ( φ’ ∈ { φ , ¬ φ }). In this case we have ΠT ( s0φj ) ¬( SC ( Ag2 , Ag1 , t , φ’ )). The informal explanation is as follows: if an agent does not accept (respectively refuse) the content φ of a SC, this agent does not commit about φ (respectively ¬ φ ).

  • R = R x 19□x□21. These cases are similar. We deal with only the justification one. For this action we have ø = Justify-content ( Ag1 , PC ( Ag1 , Ag2 , t , φ ), φ’ ). The current node φi has one successor φj labeled by < q’ , s0φj > such that PC ( Ag1 , Ag2 , t , φ’ φ ) ∈ φj , sφi Jus sφj and s0φj is the first sub-state of sφj . It follows from the semantics of the Justify-content operator and from the fact that ΠT ( sφi ) ¬ ø that ΠT’ ( s0φj ) ¬( PC ( Ag1 , Ag2 , t , φ’ φ )). In other words, this means that if an agent does not justify a SC in a model, then this agent does not commit about φ’ φ . Thus, it is possible to extend σ by φj such that 1 and 2 are always verified.

  • R = R x 22□x□23. These two cases are straightforward using the semantics of PC and AC.

  • R = R 24. this case is similar to the case of R 25.

  • R = R 25. In this case we have ø = ø1 ø2 for some ø φi . Therefore, φi has two successors in r φj and φk with ø1 ∈ φj and ø2 ∈ φk . Since ΠT ( sφi ) ¬ ø it follows that ΠT ( sφj ) ¬ ø1 or ΠT ( sφj ) ¬ ø2 . Thus, σ can be extended by φj or by φk . It is clear that 1 and 2 are maintained.

  • R = R 26. In this case we have ø = ø1 ø2 for some ø φi . Therefore, φi has one successor φj or φk with ø1 ∈ φj and ø2 ∈ φk . Since ΠT ( sφi ) ¬ ø it follows that ΠT ( sφj ) ¬ ø1 and ΠT ( sφj ) ¬ ø2 . Thus, we can extend σ by adding φj or φk . Constraints 1 and 2 are maintained.

  • R = R 27. In this case we have ø = ? ø1 for some ø φi . Therefore, φi has one successor φj with ø1 ∈ φj . Since ΠT’ ( sφi ) ¬ ø it follows that ΠT’ ( sφj ) ¬ ø1 . Thus, we can extend σ by adding φj . Constraints 1 and 2 are maintained.

  • R = R 28. Here we have ø = {X ø1 , ..., X øn ) for some ø1 , ..., øn . φi labeled by ( q , sφi ) has one successor φj in r labeled by < q’ , sφj > such that q q’ and sφj sφi (notice that X is a past operator). Since ΠT ( sφi ) ¬X øk for 1 □ k □ n, it follows that ΠT ( sφj ) ø k. Thus, σ ( i +1) = φj .

  • R = R 29. This rule is applied when ø = {X+ ø1 , ..., X+ øn ) for some ø1 , ..., øn . φi labeled by ( q , sφi ) has one successor φj in r labeled by < q’ , sφj > such that sφi sφj . Since ΠT ( sφi ) ¬X+ øk for 1 □ k □ n, it follows that ΠT ( sφj ) ¬ ø k. Thus, σ ( i +1) = φj .

  • R = R 30. Here there is a ø φi such that ø = ø1 ø2 for some ø φi . Therefore, φi has one successor φj with ø1 ∧ X+ ø1 ø2 ) ∈ φj . Since ΠT’ ( s’φi ) ¬ ø it follows from the semantics of ∴ that ΠT’ ( s’φj ) ¬( ø1 ∧ X+ ø1 ø2 )). We choose σ ( i +1) = φj . It is clear that σT’ is a prefix of ΠT’ .

  • R = R 31. In this case we have ø = ø1 U ø2 . The node φi has one successor in r : φj ( ø2 φj ) or φk ({ ø1 , X ø } ∈ φk ). According to the semantics of U and since ΠT ( sφi ) ¬ ø it follows that either ΠT ( sφj ) ¬( ø1 ø2 ) or ΠT ( sφk ) ø1 ∧¬ ø2 but ΠT ( sφk ) ¬X ø . In the two cases, σ can be extended such that 1 and 2 are maintained.

  • R = R 32. This rule is used when ø = ø1 U+ ø2 . The node φi has one successor in r : φj ( ø2 φj ) or φk ({ ø1 , X+ ø } ∈ φk ). According to the semantics of U+ and since ΠT ( sφi )╞ T ¬ ø it follows that either ΠT ( sφj ) ¬( ø1 ø2 ) or ΠT ( sφk ) ø1 ∧¬ ø2 but ΠT ( sφk ) ¬X+ ø . In the two cases, σ can be extended such that 1 and 2 are maintained.

The last point in the proof of this lemma is to show that the path σ is unsuccessful. Let i ≥ 0 be such that ø1 U+ ø2 σ ( i ) for some ø1 and ø2 . According to Definition 8.17, we must show that is no j i such that ø2 σ ( j ).

Now, we prove the third element of the correctness theorem that deals with the acceptance condition.

Lemma 8.21 An infinite path σ in a run r of Bψ is successful iff it satisfies the generalized Büchi condition.

In this section we illustrate the construction of an ABTA for two formulae. The first formula is a propositional one. The second formula is an action one.

Our model checking algorithm for verifying that a dialogue game protocol satisfies a given property and checks that it respects the semantics of the underlying communicative acts is based on the procedure proposed by (Bhat and Cleaveland, 1996). Like the algorithm proposed by (Courcoubetis et al., 1992), our algorithm explores the product graph of an ABTA for DCLT*CAN and a transition system for a dialogue game. This algorithm is on-the-fly (or local) algorithm that consists of checking if a transition system is accepted by an ABTA. This ABTA model checking is reduced to the emptiness of the Büchi automata (Vardi and Wolper, 1986).

Let T = < S , Lab , , L , Act , →, s0 > be a transition system for a dialogue game and let B = < Q , l , →, q0 , F > be an ABTA for DCTL*CAN. The procedure consists of building the ABTA product B of T and B while checking if there is a successful run in B . The existence of such a run means that the language of B is non-empty. The automaton B is defined as follows: B = < Q × S , → B , q0B , FB >. There is a transition between two nodes < q , s > and < q’ , s’ > iff there is a transition between these two nodes in some run of B on T . Intuitively, B simulates all the runs of the ABTA. The set of accepting states FB is defined as follows: q0B FB iff q F .

Unlike the algorithms proposed in (Courcoubetis et al., 1992) and (Bhat and Cleaveland, 1996), our algorithm uses only one depth-first search (DFS) instead of two. This is due to the fact that our algorithm explores directly the product graph using the sign of the nodes (positive, negative or neutral). In addition, unlike the algorithm proposed in (Bhat and Cleaveland, 1996), our algorithm does not distinguish between recursive and non-recursive nodes. Therefore, we do not take into account the strongly-connected components in the ABTA, but we use a marking algorithm that works on the product graph.

The pseudo-code of this algorithm is given in Figure 8.10. The idea is to construct the product graph while exploring it. However, in order to make it easy to understand, we omit the instructions relative to the addition of nodes in the product graph. The construction procedure is directly obtained from Definition 8.4. The algorithm uses the label of nodes in the ABTA, and the transitions in the product graph obtained from the transition system and the ABTA as explained in Definition 8.4.

In order to decide if the ABTA contains an infinite successful run, all the explored nodes are marked "visited". Thus, when the algorithm explores a visited node, it returns false if the infinite path is not successful. If the node is not already visited, the algorithm tests if it is a leaf. In this case, it returns false if the node is a non-successful leaf. If the explored node is not a leaf, the algorithm calls recursively the function DFS in order to explore the successors of this node. If this node is labeled by "∧", and signed neutrally or positively, then DFS returns false if one of the successors is false. However, if the node is signed negatively, DFS returns false if all the successors are false. A dual treatment is applied when the node is labeled by "∨". We note that if the DFS does not explore a false node (i.e. it does not return false), then it returns true.

Theorem 8.22 (correctness) Let B an ABTA and T a transition system. DFS ( q0 , s0 ) returns true if and only if T is accepted by B.

Proof

This theorem follows from Theorem 8.15 and Definition 8.5. Indeed, DFS returns true if and only if all the leaves are successful, and all the infinite paths are successful. The reason is that DFS returns true if and only if it does not find any unsuccessful leaf and any unsuccessful infinite path.

Figure 8.11 illustrates the automaton B resulting from the product of the transition system of Figure 8.5 (TS[8.5]) and the ABTA of Figure 8.9 (ABTA[8.9]). In order to check if the language of this automaton is empty, we check if there is a successful run. The idea is to verify if B contains an infinite path visiting the state (3) and infinitely often the state (9) of ABTA[8.9]. If such a path exists, then we conclude that the formula is not satisfied by TS[8.5]. Indeed, the only infinite path of B is successful because it does not touch any accepted state and all leaves are also successful. For instance, the leaf labeled by (< Ch >, s0 ) is successful since there is no state si such that s0 Ch si . The leaf labeled by ( , s3,4 ) is successful because it is a positive leaf and s3,4 . Therefore, TS[8.5] is accepted by ABTA[8.9]. Consequently, TS[8.5] satisfies the formula and respects the semantics of challenge and justification actions.

We conclude this section by discussing the worst-case time complexity of our model checking technique.

Lemma 8.23 Let ψ be a DCTL*CAN formula, ant let Bψ = < Q , l , , q0 , F > be the ABTA obtained by the translation procedure. Then | Bψ | < 2| ψ |.

Proof

From the transition procedure, each formula ψ’ in the tableau is a sub-formula of ψ . The formula ψ is decomposed into a set of sub-formulae using the tableau rules. The nodes in the ABTA are labeled by the operators from the sub-formulae and there is a transition from a node φ to a node φ’ if the formula corresponding to φ’ is a sub-formula of the one corresponding to φ . Since for every sub-formula ψ’ of ψ we have ψ’ CL ( ψ ) and | CL ( ψ )| < | (from Lemma 8.11), it follows that | Bψ | < 2| ψ |. □

The complexity of the transition procedure is thus exponential in the size of the formula (Ο(2| ψ |)). However, if ψ is a DCTLCAN formula, | Bψ | is bounded by | ψ |. The complexity is then linear in the size of the formula. This result follows from the fact that in DCTLCAN we have only state formulae.

Proof

The algorithm is based on a product graph of the ABTA Bψ and the transition system T . The size of this product is bounded by | T | × | Bψ |. Like the algorithms proposed in (Courcoubetis et al., 1992) and (Bhat and Cleaveland, 2001), our algorithm marks nodes and determines if an accepting state is reachable from itself. This algorithm visits each state once and there are |S| × | Q | recursive calls to a depth-first search algorithm. We note also that the ABTA we use is an and-restricted one. In an and-restricted ABTA only one of the children of a node labeled by ∧ can have his truth values determined by recursive calls to search algorithm (Bhat and Cleaveland, 2001). The run time of the algorithm is thus proportional to the size of the product graph, i.e. Ο(| T | × | Bψ |).

The worst-case time complexity of our model-checking technique is therefore linear in the size of the model and exponential in the size of the formula to be checked.

The verification problem has recently begun to find a significant audience in the MAS community. Rao and Georgeff (1993) defined three variants of propositional BDI (beliefs, desires and intention) logics for MAS and they proposed basic model checking algorithms for these logics. These algorithms are an adaptation of the algorithms for CTL and CTL*. van der Hoek and Wooldridge (2002) proposed some techniques for model checking temporal epistemic properties of MAS using an epistemic logic (logic of knowledge). They proposed a technique in order to reduce the model checking of this logic to the model checking of linear temporal logic (LTL). Benerecetti and Cimatti (2002) proposed a general approach for model-checking MAS based on CTL together with modalities for BDI attitudes. Wooldridge and his colleagues (2002) presented the MABLE language for the specification and the verification of MAS. Agents specified in this language have data structures corresponding to BDI. MABLE is automatically translated into Promela, the language of SPIN model checker of LTL (Holzman, 1997). Bordini et al. (2003a) addressed the verification problem of MAS specified using AgentSpeak (Rao, 1996). They used a finite state version of this language and they showed how programs written in it can be automatically transformed into Promela. In order to specify the properties to be verified, the authors used a simplified form of BDI Logic. These specifications are then translated to LTL formulae. Propositional attitudes are modeled as Promela data structures. Bordini et al. (2003b) proposed another alternative for model checking AgentSpeak by translating this language to Java in order to apply JPF2, a Java model checker (Visser et al., 2000). Penczek and Lomuscio (2003) proposed a framework for verifying temporal and epistemic properties of MAS. They proposed a bounded model checking algorithm for branching time logic for knowledge (CTLK). The basic idea of bounded model checking is to search for a counterexample in executions whose length is bounded by some integer k . If no bug is found then one increases k until either a bug is found, the problem becomes intractable, or some pre-known upper bound is reached (this bound is called the Completeness Threshold of the design. In a similar way, Raimondi and Lomuscio (2004) implemented an algorithm to verify epistemic CTL properties of MAS via ordered binary decision diagrams (Clarke et al., 1999). Kacprzak and her colleagues (2004b) also investigated the problem of verifying epistemic properties using CTLK by means of an unbounded model checking algorithm based on the technique proposed by McMillan (2002). Kacprzak and Penczek (2004a) addressed the problem of verification of game-like structures by means of unbounded model checking using alternating-time temporal logic (Alur et al., 1997). There are many differences between all these proposals and the work presented in this chapter that we can summarize as follows:

1- These proposals are based on BDI and epistemic logics that stress the agents’ private mental states, whereas our work uses a logic highlighting the public states reflecting the agents’ interactions expressed in terms of social commitments and argumentation relations.

2- Our model checking algorithm allows us to verify not only the system’s temporal properties but also the action properties specified using dynamic logic.

3- The technique that we use is based on the tableau method and is different from the techniques used for LTL, CTL and CTL*.

Complementarily, the verification of agent communication protocols has been addressed by some research work. Endriss and his colleagues (2003) dealt with the problem of checking and possibly enforcing conformance to agent communication protocols. They proposed abductive logic-based agents and some means of determining whether or not these agents behave in conformance to the defined protocols. Baldoni et al. (2004) addressed the problem of verifying that a given protocol implementation conforms to its specification. They studied a special case in which protocols are implemented using a logical language and specified using AUML. These approaches are different from our proposal in the sense that they are not based on model checking techniques and they do not address the problem of verifying whether or not a protocol satisfies a given property.

In (Huget and Wooldridge, 2004), the problem of checking that agents correctly implement the semantics of an agent communication language is addressed. Huget and Wooldridge used a variation of the MABLE programming language to define a pre/post conditions semantics of ACL performatives and showed that the compliance to ACL semantics can be reduced to a conventional model checking problem. Walton (2004) applied model checking techniques in order to verify the correctness of protocol communication. The author defined a protocol language and used the SPIN model checker to verify LTL properties of this language. The model checking technique used by these two proposals are based on LTL whereas our technique is based on CTL* and dynamic logic. In addition, our approach is based on a new algorithm and not on the translation of the specification language to existing model checker language.

Recently, Giordano et al. (2004) addressed the problem of specifying and verifying agent interaction protocols using a Dynamic Linear Time Temporal Logic (DLTL) (Henriksen and Thiagarajan, 1999). These protocols are specified using temporal constraints representing permissions and SC. The authors addressed three kinds of verification problems: 1) the compliance of an execution history of a protocol to its specification, 2) the satisfaction of a property in the protocol, 3) the compliance of agents to the protocol. They showed that these problems can be solved by model checking in DLTL. This model checking technique uses a tableau-based algorithm for obtaining a Büchi automaton from a formula in DLTL (Giordano and Martelli, 2004). Although this work is close to our proposal, the model and the automata associated to the checked formulae used in the two techniques are different. Indeed, there are four main differences between these two approaches:

1- The protocols (the models) we dealt with are dialogue game protocols described as a combination of dialogue games (Bentahar et al, 2004a, 2004d) (see Chapter 9) and specified using actions that agents apply on SC. However, the protocols used in (Giordano et al., 2004) are abstract protocols specified in terms of the effects of communicative actions, some precondition laws, and some causal law.

2- The model checking technique proposed in (Giordano and Martelli, 2004) uses classical Büchi automaton that is constructed using a tableau-like procedure. This procedure is based on propositional rules and exploits two axioms defining the semantics of the indexing until operator. Our technique is different because it is based on ABTA and not on traditional Büchi automaton. In addition, the construction of this automaton uses proof rules that define the tableau semantics of the different formulae and not propositional rules.

3- Our approach is based not only on SC like (Giordano et al., 2004), but also on an argumentation theory. Consequently, our protocols are more suitable for autonomous agents. The reason is that agents can make decisions using their argumentation systems.

4- The dynamic part in our logic is reflected by an action theory, i.e. by the actions that agents perform. In our logic we deal with action formulae, whereas in DLTL, the dynamic part is represented by regular programs and by indexing the until operator with these programs.

In this chapter, we have addressed the verification problem of dialogue game protocols. We proposed a new model checking technique allowing us to verify both the correctness of the protocols and the agents’ compliance to the semantics of the communicative acts. This technique uses a combination of an automata-based and a tableau-based algorithm to verify temporal and action specification. The formal properties to be verified are expressed in DCTL*CAN logic and translated to ABTA using tableau rules. Our model checking algorithm that works on a product graph is an efficient on-the-fly procedure.

The semantics that we used in this chapter is a simplified version of the semantics defined in Chapter 7. This simplified semantics does not express the satisfaction of formulae in a given theoretical model, but expresses the decomposition of these formulae to sub-formulae. Consequently, what we can verify is the fact that a given protocol satisfies or not a given property and the fact that agents use the same decomposition of formulae. For example, in terms of the semantics of a social commitment, we can only verify if for the debtor there is a state in which the commitment content is true. This supposes that the content is a state formula, and not a path formula as defined in Chapter 7. Improving this simplified version of semantics is in our future work.



[6] The non-emptiness problem for automata is to decide, given an automaton A , whether its language L ( A ) is non-empty. The language L ( A ) is the set of words accepted by A .

© Jamal Bentahar, 2005