SAT-Based Bounded Model Checking for Weighted Deontic Interpreted Systems (Extended Abstract)

SAT-based Bounded Model Checking for Weighted Deontic Interpreted Systems (Extended Abstract)

Bo˙zena Wo´zna-Szcze´sniak

IMCS, Jan Długosz University. Al. Armii Krajowej 13/15, 42-200 Cze¸stochowa, Poland.

[email protected]

Abstract. We present WECTL^∗KD, a weighted branching time temporal logic to specify knowledge, and correct functioning behaviour in multi-agent systems (MAS). We interpret the formulae of the logic over models generated by weighted deontic interpreted systems (WDIS). Furthermore, we investigate a SAT-based bounded model checking (BMC) technique for WDIS and for WECTL^∗KD.

1 Introduction

The formalism of interpreted systems(IS) [4] provides a useful framework to model multi-agent systems (MASs) [13], and to verify various classes of temporal and epis- temic properties. The formalism ofdeontic interpreted systems(DIS) [7] is an extension of ISs, which makes possible reasoning about temporal, epistemic and correct function- ing behaviour of MASs. An important assumption in this line of models is that there are no costs associated to agents’ actions. The formalism ofweighted deontic interpreted systems(WDISs) [16] extends DISs to make the reasoning possible about not only tem- poral, epistemic and deontic properties, but also about agents quantitative properties.

In particular, in the Kripke model of WDIS each transition is labelled by a pair: a joint action and a positive integer value that represents the cost of acting agents.

The basic idea in SAT-based bounded model checking (BMC) [1, 9] is to translate the existential model checking problem for a modal (e.g., temporal, epistemic, deontic) logic [2, 13] to the propositional satisfiability problem. In particular, in BMC we first represent a counterexample, whose length is bounded by some integerk, by a propo- sitional formula, and then check the resulting propositional formula with a specialised SAT-solver. If the formula in question is satisfiable, then the SAT-solver returns a satis- fying assignment that can be converted into a concrete counterexample. Otherwise, the boundkis increased and the process repeated; we increaseskuntil either a witness is found, the problem becomes intractable, or some pre-known upper bound is reached.

To model check the requirements of MASs various extensions of temporal logics [3] with epistemic [4], beliefs [6], and deontic [7] components have been proposed. In this paper we aim at completing the picture of applying the SAT-based BMC techniques to MASs by looking at the existential fragment of the weighted CTL^∗KD (i.e. weighted CTL^∗extended with epistemic and deontic components), interpreted over theweighted deontic interpreted systems (WDISs). The proposed BMC encoding is based on the

?Partly supported by National Science Center under the grant No. 2011/01/B/ST6/05317.

BMC encoding introduced in [16, 21, 24]. Namely, in [24] a propositional encoding of the BMC problem for ECTL^∗and for standard Kripke models has been introduced. The method has been experimentally evaluated. Next, in [16] weighted deontic interpreted systems (WDIS) and a propositional encoding of the BMC problem for WECTLKD and for WDIS have been introduced. Finally, in [21] a BMC method for WELTLK and for weighted interpreted systems has been introduced and experimentally evaluated.

The rest of the paper is organised as follows. In Section 2 we introduce WDIS together with its Kripke model. In Section 3 we define the WECTL^∗KD language to- gether with the bounded semantics. In Section 4 we provide a SAT-based BMC method for WECTL^∗KD and for WDIS. In the last section we conclude the paper.

Fig. 1.Classical temporal and weighted logics with discrete semantics, and their epistemic and deontic extensions. The dedicated SAT-based BMC methods have been defined for the logics placed in rectangles. The logics for which SAT-BMC methods can be easily inferred from the dedicated one are placed in ”dashed” rectangles.

Related work.Figure 1 provides diagram showing the relations between classical tem- poral logics, weighted temporal logics, and their epistemic and deontic extensions, and indicates for which logic a SAT-based BMC method (SAT-BMC for short) has been developed. For classical temporal logics with discrete semantics over Kripke mod- els SAT-BMC has been defined in [1] for LTL, in [10, 23] for ECTL, in [14, 24] for ECTL^?, in [22] for RTECTL, and in [12] for MTL. For classical weighted tempo- ral logics with discrete semantics over weighted Kripke models generated, for exam- ple, by simply timed systems, SAT-BMC has been defined for WECTL [20] only. For epistemic and deontic variants of classical temporal logics with semantics over Kripke models generated by (deontic) interpreted systems SAT-BMC has been defined in [9, 5] for ECTLK, in [15] for ECTLKD, in [11, 8] for ELTLK, in [19] for RTECTLK, in [18] for RTECTLKD, and in [17] for EMTLKD (this method provides obviously a SAT-BMC solution for EMTLK). There is no paper about SAT-BMC for ECTL^?K

and for ECTL^?KD. These missing methods can however be easily designed as a fu- sion of SAT-BMC methods for ECTL^? and for ECTLK / ECTLKD. For epistemic and deontic variants of classical weighted temporal logic with semantics over Kripke models generated by (deontic) weighted interpreted systems SAT-BMC has been de- fined in [21] for WELTLK (this method provides obviously a SAT-BMC solution for WELTL), and in [16] for WECTLKD (this method provides obviously a SAT-BMC solution for WECTLK).

2 Weighted Deontic Interpreted Systems

Let Ag = {1, . . . , n} be the non-empty and finite set of agents. We assume that a MAS consists ofnagents and a special agentEthat represent the environment in which the agents operate. Next, we assume that a given MAS is modelled by theweighted deontic interpreted system(WDIS), in which each agentc ∈ Ag ∪ {E}is modelled using a non-empty set Lc = Gc ∪ Rc of local states such thatGc is a non-empty set offaultless (green) states andRc is a set of faulty (red)states, a non-empty set ι_c ⊆L_cofinitialstates, a non-empty setAct_cofpossible actions, aprotocol function P_c : L_c → 2^Actc that defines rules according to agents operate, a (partial)evolution functiont_c:L_c×Act→L_cwithAct=Act₁× · · · ×Act_n×Act_E(each element of Actis called ajoint action), aweight functiond_c:Act_c→IN, and avaluation function V_c :L_c→2^PV that assigns to each local state a set of propositional variables that are assumed to be true at that state. Further, we do not assume that the setsAct_care disjoint for allc∈Ag∪ {E}.

Now for a given set of agentsAg, the environmentE and a set of propositional variablesPV, we define theweighted deontic interpreted systemas a tuple WDIS = ({ιc, Lc,Gc, Actc, Pc, tc,Vc, dc,}_c∈Ag∪{E}). For a given WDIS we define:

• a set of allpossible global states S = L1 ×. . .×Ln ×L_E such that L1 ⊇ G1, . . . , Ln ⊇ Gn, L_E ⊇ G_E; bylc(s)we denote the local component of agent c∈Ag∪ {E}in a global states= (`1, . . . , `n, `E);

• aglobal evolution functiont:S×Act→Sas follows:t(s, a) =s⁰(ors−→^a s⁰) iff for allc∈Ag,t_c(l_c(s), a) =l_c(s⁰)andt_E(l_E(s), a) =l_E(s⁰);

• aweighted model(ora model) as a tupleM = (ι, S, T,V, d), where

• ι=ι₁×. . .×ι_n×ι_E is the set of all possible initial global state;

• Sis the set of all possible global states as defined above;

• T ⊆S×Act×Sis a transition relation defined by the global evolution function as follows:(s, a, s⁰)∈ T iffs−→^a s⁰. We assume that the relationT is total, i.e., for anys∈Sthere existss⁰∈Sand an actiona∈Act\{(1, . . . , n, _E)}

such thats−→^a s⁰;

• V:S→2^PVis the valuation function defined asV(s) =S

c∈Ag∪{E}Vc(lc(s)).

• d : Act → IN is a “joint” weight function defined as follows: d((a₁, . . . , a_n, a_E)) = P

c∈Ag∪{E}d_c(a_c); note that this definition is reasonable, since we are interested in MASs, in which transitions carry some cost;

• an indistinguishability relation∼_c⊆ S ×S for agent cas follows:s ∼_c s⁰ iff lc(s⁰) =lc(s);

• a deontic relation∝c⊆S×Sfor agentcas follows:s∝cs⁰ifflc(s⁰)∈ Gc.

ApathinM is an infinite sequenceπ=s₀ −→^a1 s₁−→^a2 s₂ −→^a3 . . .of transitions.

For such a path, and for j 6 m ∈ IN, by π(m) we denote them-th states_m, by π^m we denote the m-th suffix of the path π, which is defined in the standard way:

π^m =sm a_m+1

−→ sm+1 a_m+2

−→ sm+2. . .. Next, byπ[j..m]we denote the finite sequence sj

a_j+1

−→sj+1 a_j+2

−→. . . smwithm−jtransitions andm−j+ 1states, and byDπ[j..m]

we denote the (cumulative) weight ofπ[j..m]that is defined asd(aj+1) +. . .+d(am) (hence0whenj =m). ByΠ(s)we denote the set of all the paths starting ats ∈S, and byΠ =S

s⁰∈ιΠ(s⁰)we denote the set of all the paths starting at initial states.

3 The logic WECTL

KD

Our specification language, which we call WECTL^∗KD, extends ECTL^∗[3] with cost constraints on temporal modalities and with epistemic and deontic modalities. More precisely, the basic modalities of WECTL^∗KD consist of the path quantifierE(for some path) followed by a temporal-epistemic-deontic formula, which is built up from: propo- sitional variables; the boolean operators (∧-conjunction, ∨-disjunction, ¬-negation);

the temporal modalities (X_I-weighted next step,U_I-weighted until,R_I-weighted re- lease,G_I-weighted always, andF_I-weighted sometime); the epistemic modalitiesK_c (for “agentcdoes not know whether or not”),DΓ,EΓ, andCΓ (for the dualities to the standard group epistemic modalities representing distributed knowledge in the groupΓ, everyone inΓ knows, and common knowledge among agents inΓ); the deontic modal- ities (O_candKb^c_c²

1representing thecorrectly functioning circumstances of agents).

Syntax of WECTL^∗KD.Letp∈ PVbe a propositional variable,c,c₁,c₂∈Ag,Γ ⊆ Ag, andIbe an interval inIN ={0,1,2, . . .}of the form:[a, b)and[a,∞), fora, b∈ INanda6=b. We have the following syntax for WECTL^∗KD. We inductively define a class of state formulae (interpreted at states) and a class of path formulae (interpreted along paths) by the following grammar:

ϕ::=true|false|p| ¬p|ϕ∧ϕ|ϕ∨ϕ|Eφ|Kcφ|EΓφ|DΓφ|CΓφ| Ocφ|Kb^c_c²₁φ φ::=ϕ|φ∧φ|φ∨φ|XIφ|φUIφ|φRIφ

whereϕis a state formula andφis a path formula. WECTL^∗KD consists of the set of state formulae generated by the above grammar.

The derived basic temporal path modalities forweighted eventually(F_I) andweighted globally(G_I) are defined as follows:F_Iφ::= trueU_Iφ, andG_Iφ::= falseR_Iφ.

Note that the combination of weighted temporal, epistemic and deontic operators allows us to specify how agent’s knowledge or correctly functioning circumstances of agents evolve over time and how much they cost.

Semantics of WECTL^∗KD. The semantics of WECTL^∗KD formulae is determined with respect to a model, defined in Section 2. In the semantics we assume the follow- ing definitions of epistemic relations:∼^E_Γ^def= S

c∈Γ ∼c,∼^C_Γ^def= (∼^E_Γ)⁺(the transitive closure of∼^E_Γ),∼^D_Γ^def= T

c∈Γ ∼_c, whereΓ ⊆Ag.

Definition 1. LetM be a model, sa state ofM,π a path inM, and m ∈ IN. For a state formulaαoverPV, the notation M, s |= αmeans thatαholds at the state

s in the model M. Similarly, for a path formula ϕover PV, the notation M, π |= ϕmeans that ϕholds along the pathπ in the model M. Moreover, letp ∈ PV be a propositional variable, α,β be state formulae of WECTL^∗KD, andϕ,ψ be path formulae of WECTL^∗KD. The relation|=is defined inductively as follows:

M, s|= true,M, s6|= false,M, s|=piffp∈ V(s),M, s|=¬piffp /∈ V(s), M, s|=α∧β iff M, s|=αandM, s|=β,

M, s|=α∨β iff M, s|=αorM, s|=β,

M, s|= Kcα iff (∃π∈Π)(∃i>0)(s∼cπ(i)andM, πⁱ |=α),

M, s|=YΓα iff (∃π∈Π)(∃i>0)(s∼^Y_Γ π(i)andM, πⁱ|=α), Y∈ {D,E,C}, M, s|=O_cα iff (∃π∈Π)(∃i>0)(s∝_cπ(i)andM, πⁱ |=α),

M, s|=Kb^c_c²₁α iff (∃π∈Π)(∃i>0)(s∼c₁ π(i)ands∝c₂ π(i)andM, πⁱ|=α), M, s|= Eϕ iff (∃π∈Π(s))(M, π⁰|=ϕ),

M, π^m|=α iff M, π(m)|=α,

M, π^m|=ϕ∧ψ iff M, π^m|=ϕandM, π^m|=ψ, M, π^m|=ϕ∨ψ iff M, π^m|=ϕorM, π^m|=ψ,

M, π^m|= XIϕ iff Dπ[m..m+ 1]∈IandM, π^m+1|=ϕ, M, π^m|=ϕUIψ iff (∃j>m) Dπ[m..j]∈IandM, π^j |=ψand

(∀m6i < j)M, πⁱ|=ϕ ,

M, π^m|=ϕRIψ iff (∃j>m) Dπ[m..j]∈IandM, π^j |=ϕand(∀m6i6j) M, πⁱ|=ψ

or(∀j >m)(Dπ[m..j]∈IimpliesM, π^j |=ψ).

A WECTL^∗KD state formulaαistruein the modelM, denoted byM |=α, iff for somes ∈ ι,M, s |= α, i.e.,αholds at some initial state ofM. Themodel checking problemasks whetherM |=α.

Bounded semantics of WECTL^∗KD.Abounded semanticsfor WECTL^∗KD is the ba- sis of the translation ofbounded model checking problemto the satisfiability of propo- sitional formulae problem (i.e., SAT-problem) that is defined in the next section. To define the bounded semantics we need to represent infinite paths of a model in a special way. To this aim, as usually, we define the notions ofk-pathsandloops.

Definition 2. LetMbe a model,k∈INa bound, and06l6k. Ak-pathπlis a pair (π, l), whereπis a finite sequences0

a₁

−→s1 a₂

−→. . . −→^ak skof transitions. Ak-path π_lis aloopifl < kandπ(k) =π(l).

Note that if ak-pathπ_lis a loop, then it represents the infinite path of the formuv^ω, whereu= (s₀−→^a1 s₁−→^a2 . . .−→^al s_l)andv= (s_l+1−→^al+2. . .−→^ak s_k).Π_k(s)denotes the set of all thek-paths ofM that start ats, andΠk =S

s⁰∈ιΠk(s⁰).

As in the definition of bounded semantics we need to define the satisfiability relation on suffixes ofk-paths, we denote byπ^m_l the pair(πl, m), i.e. thek-pathπltogether with the designated starting pointm, where06m6k. Further, letsbe a state andπlbe a k-path. For a state formulaαoverPV, the notationM, s|=k αmeans thatαisk-true at the statesin the modelM. Similarly, for a path formulaϕoverPV, the notation M, π^m_l |=k ϕ, where06m6k, denotes that the formulaϕisk-true along the suffix π(m)^a−→^m+1π(m+ 1)^a−→^m+2. . .−→^ak π(k)ofπ.

Definition 3. LetMbe a model,sa state ofM,π_lak-path inM,06m6k,p∈ PV a propositional variables,α,βstate formulae of WECTL^∗KD, andϕ,ψpath formulae of WECTL^∗KD. The relation|=_kis defined inductively as follows:

M, s|=ktrue, M, s6|=kfalse,M, s|=kpiffp∈ V(s), M, s|=k¬piffp /∈ V(s), M, s|=kα∧β iff M, s|=k αandM, s|=k β,

M, s|=_kα∨β iff M, s|=_k αorM, s|=_k β,

M, s|=kKcα iff (∃πl∈Πk)(∃06j6k)(M, π^j_l |=kαands∼cπ(j)), M, s|=_kY_Γα iff (∃πl∈Π_k)(∃06j6k)(M, π^j_l |=_kαands∼^Y_Γ π(j)),

whereY ∈ {D,E,C},

M, s|=kOcα iff (∃πl∈Πk)(∃06j6k)(M, π^j_l |=kαands∝cπ(j)), M, s|=kKb^c_c²₁α iff (∃πl∈Πk)(∃06j6k)(M, π^j_l |=kαands∼c₁π(j)

ands∝c₁ π(j)),

M, s|=kEϕ iff (∃πl∈Πk(s))(M, π⁰_l |=k ϕ), M, π^m_l |=k α iff M, π(m)|=kα,

M, π^m_l |=k ϕ∧ψ iff M, π_l^m|=k ϕandM, π_l^m|=k ψ, M, π^m_l |=_k ϕ∨ψ iff M, π_l^m|=_k ϕorM, π^m_l |=_k ψ,

M, π^m_l |=k XIϕ iff (m < kandDπ[m..m+ 1]∈IandM, π_l^m+1|=kϕ)or (m=kandl < kandπ(k) =π(l)andDπ[l..l+ 1]∈I

andM, π_l^l+1|=kϕ),

M, π^m_l |=_k ϕU_Iψ iff (∃m6j6k)(Dπ[m..j]∈IandM, π^j_l |=_kψand (∀m6i < j)M, π_lⁱ|=_k ϕ)or(l < mandπ(k) =π(l)

and(∃l < j < m)(Dπ[m..k] +Dπ[l..j]∈IandM, π^j_l |=kψ and(∀l < i < j)M, πⁱ_l|=ϕand(∀m6i6k)M, π_lⁱ|=k ϕ)), M, π^m_l |=k ϕRIψ iff (Dπ[m..k]>right(I)and(∀m6j 6k)(Dπ[m..j]∈I

impliesM, π^j_l |=_k ψ))or(Dπ[m..k]<right(I)andπ(k) =π(l) and(∀m6j6k)(Dπ[m..j]∈IimpliesM, π_l^j|=k ψ)and (∀l6j 6k)(Dπ[m..k] +Dπ[l..j]∈IimpliesM, π^j_l |=kψ))or (∃m6j6k)(Dπ[m..j]∈IandM, π^j_l |=kϕand

(∀m6i6j)M, π_lⁱ|=k ψ)or(l < mandπ(k) =π(l) and(∃l < j < m)(Dπ[m..k] +Dπ[l..j]∈IandM, π^j_l |=kϕ and(∀l < i6j)M, πⁱ_l|=ψand(∀m6i6k)M, πⁱ_l|=kψ)).

A WECTL^∗KD state formulaαisk-true inM, denoted M |=_k ϕ, iff for some s ∈ ι,M, s |=k ϕ. Thebounded model checking problem asks whether there exists k∈INsuch thatM |=k ϕ.

Lemma 1. LetM be a model,sa state ofM, andαa WECTL^∗KD state formula.

• for somek∈IN, ifM, s|=_kα, thenM, s|=α.

• ifM, s|=α, thenM, s|=_k αfor somek∈IN.

The following theorem follows from Lemma 1 and it states that for a given model M and a formulaαthere exists a boundksuch that the model checking problem can be reduced to the bounded model checking problem.

Theorem 1. LetM be a model andαbe a WECTL^∗KD state formula. Then, for some s∈ι,M, s|=αiffM, s|=_k αfor somek∈IN.

4 Bounded Model Checking

In the section we present a propositional encoding of the bounded model checking problem for WECTL^∗KD and for weighted deontic interpreted systems (WDIS).

LetM = (ι, S, T,V, d)be a model, αa WECTL^∗KD state formula, andk > 0 a bound. The BMC encoding relies on defining the following propositional formula:

[M, α]k:=[M^α,ι]k∧[α]M,k, which is satisfiable if and only ifM |=kαholds.

The definition of[M^α,ι]k assumes that the states, the joint actions ofM, and the sequence of weights associated to the joint actions are encoded symbolically, which is possible, since both the set of states and the set of joint actions are finite. Formally, let c∈Ag∪ {E}. Then, each states= (`<sub>1</sub>, . . . , `_n, `_E)∈Sis represented by asymbolic statewhich is a vectorw = (w₁, . . . ,wn,wE)ofsymbolic local states. Each symbolic local statew_cis a vector of propositional variables (calledstate variables) whose length depends on the number of green and red local states of agentc. Next, each joint action a = (a1, . . . , an, a_E) ∈ Act is represented by a symbolic action which is a vector a = (a1, . . . ,an,a_E) of symbolic local actions. Each symbolic local action ac is a vector of propositional variables (called action variables) whose length depends on the number of actions of agent c. Next, each vector of weights associated to a joint action is represented by a symbolic weight which is a vectord = (d1, . . . ,dn,d_E) ofsymbolic local weights. Each symbolic local weightdcis a vector of propositional variables (calledweight variables), whose length depends on the weight functionsdc.

Further, we assume thatSV,AV andW V denote, respectively, the set of all the state variables, the set of all the action variables, and the set of all the weight variables such thatSV ∩AV = ∅,SV ∩W V = ∅, and AV ∩W V = ∅. Next, we assume thatSV(w),SV(w_c),AV(a),AV(a_c), andW V(d)denote, respectively, the set of all the state variables occurring in the symbolic statew, the set of all the state variables occurring in the local symbolic statewc of agentc, the set of all the action variables occurring in the symbolic actiona, the set of all the action variables occurring in the local symbolic actiona_cof agentc, and the set of all the weight variables occurring in the symbolic weightd. Furthermore, we assume thatN V denotes the set of proposi- tional variables (called thenatural variables) such thatSV∩N V =∅,AV∩N V =∅, andW V ∩N V = ∅. Moreover, byu = (u1, . . . ,uy)we denote a vector of natural variables of lengthy=max(1,dlog2(k+ 1)e), which we call asymbolic number, and byN V(u)we denote the set of all the natural variables occurring inu. Furthermore, we assume that:

• P V =SV ∪AV ∪W V ∪N V.

• lit:{0,1} ×P V →P V ∪ {¬q|q∈P V}is a function defined as:lit(1, q) =q andlit(0, q) =¬q.

• V :P V → {0,1}is avaluation of propositional variables(avaluationfor short).

• r_wdenotes the length of symbolic state, i.e.w= (w₁, . . . ,wn,wE) = (w₁, . . . ,w_rw).

• r_adenotes the length of a symbolic action, i.e.a= (a₁, . . . ,an,aE) = (a₁, . . . ,a_ra),

• r_d = r_d1 +. . . +r_d(n+1) denotes the length of a symbolic weight, i.e. d = (d₁, . . . ,d_n,d_E) = (d¹₁, . . . ,d¹_r

d1, . . . ,dⁿ⁺¹₁ , . . . ,dⁿ⁺¹_r

d(n+1)), wherer_d1, . . . , r_d(n+1) denote lengths of local symbolic weights.

For every rw, ra, rd ∈ IN+, each valuation V induces the functions S : SV^rw → {0,1}^rw, A : AV^ra → {0,1}^ra,W : W V^rd → IN, andJ : N V^y → IN defined

in the following way:S((w₁, . . . ,w_rw)) = (V(w₁), . . . , V(w_rw)),A((a₁, . . . ,a_ra)) = (V(a1), . . . , V(ar_a)),W((d¹₁, . . . ,d¹_rd1, . . . ,dⁿ⁺¹₁ , . . . ,dⁿ⁺¹_r

d(n+1))) =Pn+1 j=1

Prdj

i=1V(d^j_i)·

2ⁱ⁻¹,J((u₁, . . . ,u_y)) =Py

i=1V(u_i)·2ⁱ⁻¹.

Letwandw⁰be two different symbolic states such thatSV(w)∩SV(w⁰) =∅,da symbolic weight,aa symbolic action, andua symbolic number. We assume definitions of the following auxiliary Boolean formulae:

• p(w)is a Boolean formula over SV(w) that is true for a valuation V iffp ∈ V(S(w)). It encodes a set of states ofM in whichp∈ PVholds.

• Is(w) = Vr_w

i=1lit(s[i],wi). This Boolean formula is defined overSV(w), and it encodes the statesof the modelM.

• H(w,w⁰) = Vr_w

i=1wi ⇔ w⁰i. This Boolean formula is defined over SV(w)∪ SV(w⁰), and it encodes equality of two symbolic states, i.e. it expresses that the symbolic stateswandw⁰represent the same states.

• Hc(w,w⁰)is a Boolean formula overSV(w)∪SV(w⁰)that is true for each valua- tionV ∈ {0,1}^SV such thatV satisfiesH_c(w,w⁰)iffS(w)∼cS(w⁰); it expresses that the local states of agentcare the same in the symbolic stateswandw⁰.

• H_a(a_c)forc∈Ag∪ {E}anda∈Act_c∪ {ε}is a Boolean formula overAV(a_c) that is true for each valuation V ∈ {0,1}^AV such that V satisfies H_a(a_c) iff A(a_c) =a.

• A(a) = V

a∈Act(V

c∈Ag(a)Ha(ac)∨V

c∈Ag(a)Hε(ac)), whereAg(a) = {c ∈ Ag∪ {E} | a∈ Actc}. This formula is defined overAV(a), and it encodes that each symbolic local actionac of ahas to be executed by each agent in which it appears.

• Tc(wc,(a,d),w⁰c)is defined overSV(wc)∪SV(w⁰c), and is true for a valuation V ifftc(S(wc),A(a)) =S(w⁰c). This Boolean formula encodes the local evolution function of agentc.

• T(w,(a,d),w⁰) = V

c∈Ag∪{E}Tc(wc,(a,d),w⁰_c)∧ A(a). This Boolean formula is defined overSV(w)∪SV(w⁰)∪AV(a)∪W V(d), and it encodes the transition relation of the modelM.

• N_j^∼(u)is a formula overN V(u)that is true for a valuationV iffj ∼J(u), where

∼∈ {<, >,6,=,>}. This formula encodes that the valuej is in the arithmetic relation∼with the value represented by the symbolic numberu.

Further, in order to define[M^α,ι]kwe need to specify the number ofk-paths of the modelM that are sufficient to validateα. Letp∈ PV. To calculate the number, we de- fine the following auxiliary functionfk :WECTL^∗KD→IN:fk(true) =fk(false) = 0,fk(p) =fk(¬p) = 0,fk(ϕ∧φ) =fk(ϕ)+fk(φ),fk(ϕ∨φ) =max{fk(ϕ), fk(φ)}, fk(XIϕ) =fk(ϕ),fk(ϕUIφ) =k·fk(ϕ)+fk(φ),fk(ϕRIφ) = (k+1)·fk(φ)+fk(ϕ), f_k(C_Γϕ) =f_k(ϕ) +k,f_k(Y ϕ) =f_k(ϕ) + 1, forY ∈ {Kc,D_Γ,E_Γ,Oc,Kb^c_c²

1,E}.

Furthermore, we define thej-th symbolic k-pathπj as the sequence ofsymbolic transitions:(w_0,j ^a1,j−→^,d1,j w_1,j ^a2,j−→^,d2,j. . .^ak,j−→^,dk,jw_k,j,u), wherew_i,jare symbolic states,ai,jare symbolic actions,di,jare symbolic weights, for06i6kand16j6 fk(α), anduis the symbolic number, and we define the following auxiliary Boolean formulae. Letw andw⁰ be two different symbolic states, da symbolic weighs, aa

symbolic action,ua symbolic number,Ian interval inINof the form:[a, b)and[a,∞), fora, b∈INanda6=b, andright(I)denote the right end of the intervalI.

• L^l_k(πn) :=N_l⁼(un)∧H(wk,n,wl,n).

• B_k^I(πn) is defined over Sk

i=1W V(di,n), and is true for a valuation V iff Pk

i=1W(d_i,n) 6 right(I). This Boolean formula encodes that the weight rep- resented by the sequenced_1,n, . . . ,d_k,nis less than or equal toright(I).

• D^I_a,b(π_n)fora6b: ifa < b, then the formula encodes that the weight represented by the sequenced_a+1,n, . . . ,d_b,nbelongs to the intervalI, i.e. the formula is true for a valuationV iffPb

i=a+1W(di,n)∈I; otherwise, i.e. ifa=b, thenD_a,b^I (πn) is true for a valuationV iff0∈I.

• D^I_a,b;c,d(πn)fora6bandc6d:

1. ifa < bandc < d, then the formula encodes that the weight represented by the sequencesda+1,n, . . . ,db,nanddc+1,n, . . . ,dd,nbelongs to the intervalI, i.e.

the formula is true for a valuationV iffPb

i=a+1W(d_i,n)+Pd

i=c+1W(d_i,n)∈I;

2. ifa=bandc < d, then the formula encodes that the weight represented by the sequencedc+1,n, . . . ,dd,nbelongs to the intervalI, i.e. the formula is true for a valuationV iffPd

i=c+1W(di,n)∈I;

3. ifa < bandc =d, then the formula encodes that the weight represented by the sequenced_a+1,n, . . . ,d_b,nbelongs to the intervalI, i.e. the formula is true for a valuationV iffPb

i=a+1W(di,n)∈I;

4. ifa=bandc=d, thenD^I_a,b;c,d(πn)is true for a valuationViff0∈I.

The formula[M^α,ι]k, which encodes the unfolding of the transition relation of the modelM fk(α)-times to the depthk, is defined as follows:

[M^α,ι]k:= _

s∈ι

Is(w0,0)∧

f_k(α)

^

j=1 k

_

l=0

N_l⁼(uj)∧

f_k(α)

^

j=1 k−1

^

i=0

T(wi,j,(ai,j,di,j),wi+1,j)

wherewi,j,ai,j,di,j, andujare, respectively, symbolic states, symbolic actions, sym- bolic weights, and symbolic numbers, for06i6kand16j6fk(α).

Then, the next step is a translation of a WECTL^∗KD state formulaαto a proposi- tional formula[α]_M,k. In order to define[α]_M,k, we have to know how to divide the set Aofk-paths such that|A|=f_k(α)into subsets needed for translating the subformu- lae ofα. To accomplish this goal we use some auxiliary functions that were defined in [24]. We recall their definitions now. First, the relation≺is defined on the power set of INas follows:A ≺ B iff for all natural numbers xandy, ifx ∈ Aandy ∈ B, thenx < y. Further, let A ⊂ IN be a finite non-empty set, andn, m ∈ IN, where m6|A|. Then,gl(A, m)denotes the subsetBofAsuch that|B|=mandB ≺A\B, gr(A, m)denotes the subsetCofAsuch that|C|=mandA\C≺C,gs(A)denotes the set A\ {min(A)}, and if ndivides |A| −m, then hp(A, m, n) denotes the se- quence(B0, . . . , Bn)of subsets ofAsuch thatSn

j=0Bj =A,|B0| =. . .=|Bn−1|,

|B_n| = m, and B_i ≺ B_j for every 0 6 i < j 6 n. Now let h^U_k(A, m) :=

hp(A, m, k)andh^R_k(A, m):=hp(A, m, k+1). Note that ifh^U_k(A, m) = (B₀, . . . , B_k), thenh^U_k(A, m)(j)denotes the setBj, for every0 6j 6k. Similarly, ifh^R_k(A, m) = (B0, . . . , Bk+1), thenh^R_k(A, m)(j)denotes the setBj, for every06j 6k+ 1.

The functionsg_l andg_r are used in the translation of the formulae with the main connective being either conjunction or disjunction: for a given WECTL^∗KD formula ϕ∧ψ, if the setAis used to translate this formula, then the setg_l(A, f_k(ϕ))is used to translate the subformulaϕand the setgr(A, fk(ψ))is used to translate the subformula ψ; for a given WECTL^∗KD formulaϕ∨ψ, if the setAis used to translate this formula, then the setgl(A, fk(ϕ))is used to translate the subformulaϕand the setgl(A, fk(ψ)) is used to translate the subformulaψ.

The functiongsis used in the translation of the formulae with the main connective Q∈ {E,Kc,DΓ,EΓ,Oc,Kb^c_c²₁}: for a given WECTL^∗KD formulaQϕ, if the setAis used to translate this formula, then the path of the numbermin(A)is used to translate the operatorQand the setgs(A)is used to translate the subformulaϕ.

The functionh^U_k is used in the translation of subformulae of the form ϕUIψ: if the setAis used to translate the subformulaϕUIψ at the symbolick-pathπn (with the starting pointm), then for everyj such thatm6j 6k, the seth^U_k(A, f_k(ψ))(k) is used to translate the formulaψ along the symbolic pathπ_n with starting pointj;

moreover, for everyisuch thatm6i < j, the seth^U_k(A, f_k(ψ))(i)is used to translate the formulaϕalong the symbolic pathπ_n with starting pointi. Notice that ifkdoes not divide|A| −d, thenh^U_k(A, d)is undefined. However, for every set A such that

|A|=fk(ϕUIψ), it is clear from the definition offkthatkdivides|A| −fk(ψ).

The functionh^R_k is used in the translation of subformulae of the formϕRIψ: if the setAis used to translate the subformulaϕRIψalong a symbolick-pathπn(with the starting pointm), then for everyjsuch thatm6j6k, the seth^R_k(A, fk(ϕ))(k+1) is used to translate the formulaϕalong the symbolic pathsπn with starting pointj;

moreover, for everyisuch thatm6i6j, the seth^R_k(A, fk(ϕ))(i)is used to translate the formula ψalong the symbolic pathπn with starting pointi. Notice that ifk+ 1 does not divide|A| −1, thenh^R_k(A, p)is undefined. However, for every setAsuch that

|A|=fk(ϕRIψ), it is clear from the definition offkthatk+ 1divides|A| −fk(ϕ).

Letαbe a WECTL^∗KD state formula andA⊂IN+be a set of numbers of symbolic k-paths such that|A|=fk(α). Ifn∈IN\Aand0 6m 6k, then byhαi^[m,n,A]_k we denote the translation of a WECTL^∗KD state formulaαat the symbolic statewm,n

by using the set A. Letϕbe a WECTL^∗KD path formula andB ⊂ IN+ be a set of numbers of symbolick-paths such that|B|=fk(ϕ). Ifn∈IN+\Aand0 6m6k, then by[ϕ]^[m,n,A]_k we denote the translation of a WECTL^∗KD path formulaϕalong the symbolick-pathπn with starting pointmby using the setA. Furthermore, we define [α]M,kashαi^[0,0,F_k ^k(α)], whereFk(α) ={j∈IN|16j6fk(α)}, and:

htruei^[m,n,A]_k :=true,hfalsei^[m,n,A]_k :=false,

hpi^[m,n,A]_k :=p(w_m,n), h¬pi^[m,n,A]_k :=¬p(w_m,n), hα∧βi^[m,n,A]_k := hαi^[m,n,g_k ^l(A,fk(α))]∧ hβi^[m,n,g_k ^r(A,fk(β))], hα∨βi^[m,n,A]_k := hαi^[m,n,g_k ^l(A,fk(α))]∨ hβi^[m,n,g_k ^r(A,fk(β))], hEϕi^[m,n,A]_k := H(w_m,n,w_0,min(A))∧[ϕ][0,min(A),gs(A)]

k ,

[α]^[m,n,A]_k := hαi^[m,n,A]_k ,

[ϕ∧ψ]^[m,n,A]_k := [ϕ]^[m,n,g_k ^l(A,fk(ϕ))]∧[ψ]^[m,n,g_k ^r(A,fk(ψ))], [ϕ∨ψ]^[m,n,A]_k := [ϕ]^[m,n,g_k ^l(A,fk(ϕ))]∨[ψ]^[m,n,g_k ^r(A,fk(ψ))],

[XIα]^[m,n,A]_k :=

(D^I_m,m+1(π_n)∧[α]^[m+1,n,A]_k , ifm < k Wk−1

l=0(D^I_l,l+1(π_n)∧ L^l_k(π_n)∧[α]^[l+1,n,A]_k ), ifm=k [αUIβ]^[m,n,A]_k := Wk

j=m(D^I_m,j(πn)∧[β]^[j,n,h

U k(k)]

k ∧Vj−1

i=m[α]^[i,n,h

U k(i)]

k )∨

(Wm−1

l=0 L^l_k(π_n))∧Wm−1

j=0 (N_j^>(u_n)∧[β]^[j,n,h_k ^Uk(k)]∧ Wm−1

l=0 (N_l⁼(un)∧ D^I_m,k;l,j(πn))∧

Vj−1

i=0(N_i^>(un)→[α]^[i,n,h

U k(i)]

k )

∧Vk

i=m[α]^[i,n,h

U k(i)]

k ),

[αRIβ]^[m,n,A]_k := Wk

j=m(D^I_m,j(πn)∧[α]^[j,n,h_k ^Rk(k)]∧Vj

i=m[β]^[i,n,h_k ^Rk(i)])∨

(Wm−1

l=0 (L^l_k(π_n))∧Wm−1

j=0 (N_j^>(u_n)∧[α]^[j,n,h_k ^Rk(k)]∧ Wm−1

l=0 (N_l⁼(un)∧ D^I_m,k;l,j(πn))∧

Vj

i=0(N_i^>(un)→[β]^[i,n,h_k ^Rk(i)])∧Vk

i=m[β]^[i,n,h_k ^Rk(i)])∨

(¬B^I_k(π_n)∧Vk

j=m(D^I_m,j(π_n)→[β]^[j,n,h_k ^Rk(k)]))∨

(B^I_k(π_n)∧Vk

j=m(D^I_m,j(π_n)→[β]^[j,n,h_k ^Rk(k)])∧

Wk−1

l=0[L^l_k(πn)∧Vk

j=l(D_m,k;l,j^I (πn)→[β]^[j,n,h

R k(k)]

k )]),

Kcα^[m,n,A]

k := W

s∈ιIs(w0,min(A))∧Wk

j=0([α][j,min(A),gs(A)]

k

∧Hc(wm,n,wj,min(A))), D_Γα^[m,n,A]

k := W

s∈ιI_s(w_0,min(A))∧Wk

j=0([α][j,min(A),gs(A)]

k ∧

V

c∈ΓH_c(w_m,n,w_j,min(A))), EΓα^[m,n,A]

k := W

s∈ιIs(w_0,min(A))∧Wk

j=0([α][j,min(A),g_s(A)]

k ∧

W

c∈ΓH_c(w_m,n,w_j,min(A))), CΓα^[m,n,A]

k := D

Wk

j=1(EΓ)^jαE[m,n,A]

k .

Theorem 2. LetM be a model andαbe a WECTL^∗KD state formula. Then for some s∈ιand for everyk∈IN,M, s|=_kαif, and only if, the propositional formula[M, α]_k is satisfiable.

5 Conclusions

We have proposed the SAT-based BMC for WECTL^∗KD and for WDIS. The BMC of the WDIS may also be performed by means of Ordered Binary Diagrams (OBDD). This will be explored in the future. Moreover, our future work include an implementation of the algorithm presented here, a careful evaluation of experimental results to be obtained, and a comparison of the OBDD- and SAT-based BMC method for WDIS.

References

1. E. Clarke, A. Biere, R. Raimi, and Y. Zhu. Bounded model checking using satisfiability solving.Formal Methods in System Design, 19(1):7–34, 2001.

2. E. M. Clarke, O. Grumberg, and D. A. Peled.Model Checking. The MIT Press, 1999.

3. E. A. Emerson. Temporal and modal logic. InHandbook of Theoretical Computer Science, volume B, chapter 16, pages 996–1071. Elsevier Science Publishers, 1990.

4. R. Fagin, J. Y. Halpern, Y. Moses, and M. Y. Vardi.Reasoning about Knowledge. MIT Press, Cambridge, 1995.

5. X. Huang, C. Luo, and R. van der Meyden. Improved bounded model checking for a fair branching-time temporal epistemic logic. InProc. of MoChArt 2010, volume 6572 ofLNAI, pages 95–111. Springer, 2011.

6. H. Levesque. A logic of implicit and explicit belief. InProc. of the 6th National Conference of the AAAI, pages 198–202. Morgan Kaufman, 1984.

7. A. Lomuscio and M. Sergot. Deontic interpreted systems.Studia Logica, 75(1):63–92, 2003.

8. Artur Me¸ski, W. Penczek, M.Szreter, B. Wo´zna-Szcze´sniak, and A. Zbrzezny. BDD- versus SAT-based bounded model checking for the existential fragment of linear temporal logic with knowledge: algorithms and their performance. Autonomous Agents and Multi-Agent Systems, 28(4):558–604, 2014.

9. W. Penczek and A. Lomuscio. Verifying epistemic properties of multi-agent systems via bounded model checking.Fundamenta Informaticae, 55(2):167–185, 2003.

10. W. Penczek, B. Wo´zna, and A. Zbrzezny. Bounded model checking for the universal frag- ment of CTL.Fundamenta Informaticae, 51(1-2):135–156, 2002.

11. W. Penczek, B. Wo´zna-Szcze´sniak, and A. Zbrzezny. Towards SAT-based BMC for LTLK over interleaved interpreted systems.Fundamenta Informaticae, 119(3–4):373–392, 2012.

12. M. Pradella, A. Morzenti, and P. San Pietro. A Metric Encoding for Bounded Model Check- ing. InProc. of FM’2009, volume 5850 ofLNCS, pages 741–756. Springer, 2009.

13. M. Wooldridge. An introduction to multi-agent systems - Second Edition. John Wiley &

Sons, 2009.

14. B. Wo´zna. Bounded Model Checking for the universal fragment of CTL*. Fundamenta Informaticae, 63(1):65–87, 2004.

15. B. Wo´zna, A. Lomuscio, and W. Penczek. Bounded model checking for deontic interpreted systems. InProc. of LCMAS’2004, volume 126 ofENTCS, pages 93–114. Elsevier, 2005.

16. B. Wo´zna-Szcze´sniak. SAT-based bounded model checking for weighted deontic interpreted systems. InProc. of EPIA’2013, volume 8154 ofLNAI, pages 444–455. Springer, 2013.

17. B. Wo´zna-Szcze´sniak and A. Zbrzezny. SAT-based BMC for Deontic Metric Temporal Logic and Deontic Interleaved Interpreted Systems. InPost-proc. of DALT’2012, volume 7784 of LNAI, pages 170–189. Springer, 2012.

18. B. Wo´zna-Szcze´sniak and A. Zbrzezny. SAT-based bounded model checking for deontic interleaved interpreted systems. InThe Proc. of KES-AMSTA’2012, volume 7327 ofLNCS, pages 494–503. Springer, 2012.

19. B. Wo´zna-Szcze´sniak, A. M. Zbrzezny, and A. Zbrzezny. The BMC method for the existen- tial part of RTCTLK and interleaved interpreted systems. InIn Proc. of EPIA’2011, volume 7026 ofLNAI, pages 551–565. Springer, 2011.

20. B. Wo´zna-Szcze´sniak, A. M. Zbrzezny, and A. Zbrzezny. SAT-based bounded model check- ing for RTECTL and simply-timed systems. InProc. of EPEW 2013, volume 8168 ofLNCS, pages 337–349. Springer, 2013.

21. B. Wo´zna-Szcze´sniak, A. M. Zbrzezny, and A. Zbrzezny. SAT-based bounded model check- ing for weighted interpreted systems and weighted linear temporal logic. InProc. of the PRIMA’2013, volume 8291 ofLNAI, pages 355–371. Springer, 2013.

22. B. Wo´zna-Szcze´sniak, A. M. Zbrzezny, and A. Zbrzezny. Verifying RTECTL properties of a train controller system. Scientific Issues of Jan Dugosz University in Czestochowa:

Mathematica, 16:153–162, 2011.

23. A. Zbrzezny. Improving the translation from ECTL to SAT. Fundamenta Informaticae, 85(1-4):513–531, 2008.

24. A. Zbrzezny. A new translation from ECTL^∗to SAT. Fundamenta Informaticae, 120(3- 4):377–397, 2012.