## An abstraction-refinement framework for multi-agent systems (2006)

Venue: LICS

Citations: 4 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Ball06anabstraction-refinement,
  author    = {Thomas Ball},
  title     = {An abstraction-refinement framework for multi-agent systems},
  booktitle = {LICS},
  year      = {2006},
  publisher = {Society Press}
}
```


### Abstract

Abstraction is a key technique for reasoning about systems with very large or even infinite state spaces. When a system is composed of reactive components, the interaction between the components is modeled by a multi-player game, and verification corresponds to finding winners in the game. We describe an abstraction-refinement framework for multi-player games with respect to specifications in the alternating µ-calculus (AMC). The framework is based on abstract alternating transition systems (AATSs): each agent in an AATS has transitions that over-approximate its power and transitions that under-approximate its power. We define the framework, define a 3-valued semantics for AMC formulas in an AATS, study the model-checking problem, define an abstraction preorder between AATSs, suggest a refinement procedure (in case model checking returns an indefinite answer), and study the completeness of the framework. For the case of predicate abstraction, we show how reasoning can be automated with a theorem prover. Abstractions of multi-player games have been studied in the past. Our main contribution with respect to earlier work is that we study general (rather than only turn-based) ATSs, we add a refinement procedure on top of the model-checking procedure, and our abstraction preorder is parameterized by a set of agents.

### Citations

- [16] Hoare. Communicating Sequential Processes (1985). 3400 citations.
  Citation context: ...an open system, which interacts with its environment and whose behavior depends on the state of the system as well as the behavior of the environment. Modeling languages for open systems, such as CSP [16] and I/O Automata [22], distinguish between internal nondeterminism — choices made by the system, and external nondeterminism — choices made by the environment. Such a distinction exists naturally als...

- [22] Lynch. Distributed Algorithms (1996). 1533 citations.
  Citation context: ...interacts with its environment and whose behavior depends on the state of the system as well as the behavior of the environment. Modeling languages for open systems, such as CSP [16] and I/O Automata [22], distinguish between internal nondeterminism — choices made by the system, and external nondeterminism — choices made by the environment. Such a distinction exists naturally also in software...

- [23] Milner. A calculus of communicating systems (1980). 1329 citations.
  Citation context: ...′, a′)) |= θ] for all AMC_Ω formulas θ. Note that, by Theorem 4.6, Theorem 3.2 is a special case of Theorem 4.7. As with usual simulation relations and alternating simulation relations [23, 2], a maximal Ω-abstraction relation H between two AATSs can be calculated as a fixed point of intermediate relations (the sequence H0, H1, ... used in the proof of Theorem 4.7). Accordingly, we have t...

- [17] Kleene. Introduction to Metamathematics (1952). 686 citations.
  Citation context: ...π : S_A × Π → {T, F, ⊥} is three-valued, and there are two types of transitions, δ_must : S_A × Σ → 2^(2^S_A) and δ_may : S_A × Σ → 2^(2^S_A). The elements of {T, F, ⊥} can be arranged in an "information lattice" [17] in which ⊥ ⊑ T and ⊥ ⊑ F. Note that for two values v1, v2 ∈ {T, F, ⊥}, we have v1 ⊑ v2 iff v1 ≠ ⊥ implies v1 = v2. Consider an ATS S = 〈Π, Σ, S_C, c_in, π, δ〉. Let S_A be a set of abstract states and l...

- [1] Alur, Henzinger, et al. Alternating-time temporal logic (1998). 444 citations.
  Citation context: ...e environment [24]. Alternating transition systems (ATSs) model reactive components and their interactions, providing a general framework for verification of systems composed from reactive components [1]. Alternating temporal logics (ATLs) logically characterize ATSs and have, in addition to the usual universal and existential path quantifiers, a path quantifier that is parameterized by a set Ω of ag...

- [24] Pnueli, Rosner. On the Synthesis of a Reactive Module (1989). 334 citations.
  Citation context: ...is possible for P1 to eventually prevent P2 from making y positive". Such an alternating satisfaction can be viewed as a winning condition in a two-player game between the system and the environment [24]. Alternating transition systems (ATSs) model reactive components and their interactions, providing a general framework for verification of systems composed from reactive components [1]. Alternating t...

- [18] Kozen. Results on the propositional µ-calculus (1983). 298 citations.
  Citation context: ...singletons. Likewise, δ(q, ∅) contains the single set of all successors of q. 2.2 Alternating µ-calculus. The temporal logic AMC (Alternating µ-calculus) is the alternating extension of the µ-calculus [18]. Formulas of AMC are defined with respect to a finite set Π of propositions and a finite set Σ of agents. Formulas of AMC are interpreted over states of an ATS. The ∀○ and ∃○ modalities of the µ-ca...

- [11] Emerson, Lei. Efficient model checking in fragments of the propositional mu-calculus (1986). 225 citations.
  Citation context: ...states c that satisfy s. In fact, [(S_s, s) |= νz. s ∧ 〈〈P1〉〉z] = T; thus once in an s state, P1 can force s forever. 3.2 AMC model checking. The standard symbolic µ-calculus model-checking algorithm of [11] can be extended to a symbolic model-checking algorithm for AMC formulas with respect to ATSs. As we show now, this can be done also with respect to AATSs, yielding a symbolic model-checking algorithm...

- [20] Larsen, Thomsen. A modal process logic (1988). 130 citations.
  Citation context: ...ng about a finite-state AATS that abstracts the interaction between the two processes. 3 Abstraction. For finite-state systems, abstraction frameworks often are based on modal transition systems (MTS) [20]. Traditional MTSs have two types of transitions: must (under-approximating) transitions and may (over-approximating) transitions. The idea is that universal properties of a concrete system can be prove...

- [2] Alur, Henzinger, et al. Alternating refinement relations. 116 citations.
  Citation context: ...he second program, P1 can increase or decrease by 1 the value of x, and P2 can increase or decrease by 1 the value of y. Clearly, P1 is more powerful in the first program, and the simulation order of [2] would show that. On the other hand, the first program is not less abstract, with respect to either P1 or P2, than the second program. Accordingly, if we examine two AATSs, abstracted, say, according...

- [3] Bruns, Godefroid. Model checking partial state spaces with 3-valued temporal logics (1999). 95 citations.
  Citation context: ...are even more crucial than in verification of closed systems. A key technique for coping with very large or even infinite state spaces is abstraction. Abstraction frameworks in the 3-valued semantics [3] are typically based on modal transition systems (MTS). Such systems have two types of transitions: may transitions, which over-approximate the transitions of the concrete system, and must transitions...

- [12] Godefroid, Huth, et al. Abstraction-based model checking using modal transition systems. 63 citations.
  Citation context: ...hat WP(x := v, e) = e[x/v] (that is, e with all occurrences of x replaced by v). In the case of MTSs, weakest preconditions can be used in order to automate the generation of must and may transitions [12]. As we show now, the same can be done in AATSs, given a definition of weakest precondition that takes internal nondeterminism into account. For a statement s = s1 | s2 | ··· | sn with internal no...

- [28, 29] Hoek, Wooldridge. Cooperation, knowledge, and time: Alternating-time temporal epistemic logic and its applications. 54 citations.
  Citation context: ..., which is the essence of ATS and ATL, has turned out to be very useful. In particular, games are used in compositional verification [9], reasoning about security protocols [19], multi-agent planning [28, 29], control and synthesis [24], and more. The complexity of game solving, however, is higher than that of model checking [1]. Thus, methods for coping with large state spaces are even more crucial than...

- [19] Kremer, Raskin. A game-based verification of non-repudiation and fair exchange (2001). 48 citations.
  Citation context: ...The game-theoretic approach, which is the essence of ATS and ATL, has turned out to be very useful. In particular, games are used in compositional verification [9], reasoning about security protocols [19], multi-agent planning [28, 29], control and synthesis [24], and more. The complexity of game solving, however, is higher than that of model checking [1]. Thus, methods for coping with large state spa...

- [21] Larsen, Xinxin. Equation solving using modal transition systems (1990). 48 citations.
  Citation context: ...a ρ(c′ c). Also, {a′} ∈ δ_may(a, sys) iff there is c ∈ a and {c′} ∈ δ(c, sys) such that a′ = ρ(c′). Thus, the definition coincides with the standard definition for hypermust and may transitions [21]. The fact that we get hypermust highlights that AATSs naturally have the game nature. (Footnote: since S is a general ATS, we do not have to limit ρ to an agent-preserving function, as is the case wi...)

- [13] Godefroid, Jagadeesan. Automatic abstraction using generalized model checking (2002). 32 citations.
  Citation context: ...t H ⊆ S_C × S_A be such that H(c, a) iff ρ(c) = a. For all sets Ω of agents, H is an Ω-abstraction relation from S to S′. While the µ-calculus logically characterizes the abstraction preorder on MTSs [13], AMC characterizes the abstraction preorder on AATSs. Formally, for a set Ω of agents, let AMC_Ω be the fragment of AMC in which all 〈〈 〉〉 and [ ] quantifiers are parameterized by a set Ω′ ⊆ Ω of ag...

- [6] Dams, Namjoshi. The existence of finite abstractions for branching time model checking. 26 citations.
  Citation context: ...f model checking and abstraction, of the asymmetry between must and may transitions. The appropriateness of the model is also reflected in the fact that AATSs enjoy monotonicity [26] and completeness [6]. From a practical point of view, handling general ATSs broadens the scope of abstraction to systems with full concurrency. In particular, the success of the game-theoretic approach in the verificatio...

- [5] Chechik, Devereux, et al. Implementing a multi-valued symbolic model checker. 25 citations.
  Citation context: ...states a such that [(A, a) |= θ] = T and [(A, a) |= θ] = F, respectively. For Boolean and fixed-point operators, the algorithm proceeds as known symbolic multi-valued model-checking algorithms (cf. [5]). For the symbolic operator 〈〈Ω〉〉, the algorithm proceeds according to the following characterization: |〈〈Ω〉〉○θ|^T = {a : ∃A ∈ δ_must(a, Ω) s.t. A ⊆ |θ|^T}, |〈〈Ω〉〉○θ|^F = {a : ∀A ∈ δ_may(a, Ω)...
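The characterization quoted above (together with the information lattice from the Kleene context and the greatest-fixed-point example from the Emerson-Lei context) can be made concrete on a tiny AATS. The following is an added illustration written for this page, not code from the paper or its authors. It assumes the F clause of the quoted characterization, which is cut off on the page, completes in the standard 3-valued way (a state is definitely F when every may-choice contains a state where θ is definitely F), assumes every state has at least one may-choice, and uses a constructed four-state system with one coalition {P1} and one proposition s; the names `AATS`, `coalition_next`, `gfp_prop_and_next` and `indefinite_states` are this example's own.

```python
"""Three-valued AMC model checking on a small abstract alternating transition
system (AATS) with must (under-approximating) and may (over-approximating)
transitions. Constructed illustration, not code from the paper."""
from dataclasses import dataclass

T, F, U = "T", "F", "?"   # "?" stands for the unknown value, the bottom of the information lattice


def info_leq(v1, v2):
    """Information order on {T, F, ?}: v1 below v2 iff v1 != ? implies v1 == v2."""
    return v1 == U or v1 == v2


@dataclass
class AATS:
    states: frozenset
    must: dict    # (state, coalition) -> list of successor sets the coalition can certainly force
    may: dict     # (state, coalition) -> list of successor sets it can possibly force
    label: dict   # (state, proposition) -> T, F or ?

    def _choices(self, table, a, omega):
        return table.get((a, frozenset(omega)), [])

    def prop(self, p):
        """(|p|^T, |p|^F): states where p is definitely true / definitely false."""
        return ({a for a in self.states if self.label[(a, p)] == T},
                {a for a in self.states if self.label[(a, p)] == F})

    def coalition_next(self, omega, t_set, f_set):
        """|<<omega>> O theta|^T and |<<omega>> O theta|^F from |theta|^T = t_set, |theta|^F = f_set.

        T: some must-choice lies entirely inside |theta|^T, so omega can certainly force theta.
        F: every may-choice meets |theta|^F, so even with over-approximated power omega cannot.
        The F clause completes the quoted characterization in the standard way (assumption);
        it presumes, as in an ATS, that every state has at least one may-choice."""
        t = {a for a in self.states
             if any(A <= t_set for A in self._choices(self.must, a, omega))}
        f = {a for a in self.states
             if all(bool(A & f_set) for A in self._choices(self.may, a, omega))}
        return t, f


def conj(x, y):
    """Three-valued conjunction on (T-set, F-set) pairs."""
    return x[0] & y[0], x[1] | y[1]


def value(t_set, f_set, a):
    return T if a in t_set else F if a in f_set else U


def gfp_prop_and_next(aats, omega, p):
    """Evaluate nu z . p /\ <<omega>> O z.

    The T-set is a greatest fixed point (start from all states and shrink), the F-set a
    least fixed point (start empty and grow); each step is monotone, so both converge."""
    pt, pf = aats.prop(p)
    t_set, f_set = set(aats.states), set()
    while True:
        nt, nf = conj((pt, pf), aats.coalition_next(omega, t_set, f_set))
        if (nt, nf) == (t_set, f_set):
            return t_set, f_set
        t_set, f_set = nt, nf


def indefinite_states(aats, t_set, f_set):
    """States whose answer is ?: exactly the ones a refinement step has to split."""
    return set(aats.states) - t_set - f_set


# Constructed toy AATS: one coalition {P1}, one proposition s, four abstract states.
P1 = frozenset({"P1"})
TOY = AATS(
    states=frozenset({"a0", "a1", "a2", "a3"}),
    must={("a0", P1): [frozenset({"a0"})],            # P1 can certainly keep the system in a0
          ("a1", P1): [],                             # nothing P1 can certainly force from a1
          ("a2", P1): [frozenset({"a2"})],
          ("a3", P1): [frozenset({"a0"})]},
    may={("a0", P1): [frozenset({"a0"}), frozenset({"a0", "a2"})],
         ("a1", P1): [frozenset({"a0"}), frozenset({"a2"})],  # might force a0, might force a2
         ("a2", P1): [frozenset({"a2"})],
         ("a3", P1): [frozenset({"a0"}), frozenset({"a2"})]},
    label={("a0", "s"): T, ("a1", "s"): T, ("a2", "s"): F, ("a3", "s"): U},
)

if __name__ == "__main__":
    t, f = gfp_prop_and_next(TOY, P1, "s")
    for a in sorted(TOY.states):
        print(a, value(t, f, a))            # a0 T, a1 ?, a2 F, a3 ?
    print("refine:", sorted(indefinite_states(TOY, t, f)))
```

On this system a0 is the one state where P1 can certainly keep s forever, a2 is definitely losing, and a1 and a3 come out indefinite for different reasons (a1 lacks any must-choice, a3 carries an unknown label), which is exactly the situation in which the paper's refinement step is invoked.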

- [26] Shoham, Grumberg. Monotonic Abstraction-Refinement for CTL (2004). 25 citations.
  Citation context: ...e answer carries with it information that enables the refinement of the abstract system. In the case of 3-valued semantics, the information comes from analyzing the source of the answer being unknown [25, 26]. We describe an abstraction-refinement framework for games, based on ATSs and ATL. Our abstraction framework for games is based on lifting the notions of may and must transitions to abstract alternat...

- [25] Shoham, Grumberg. A game-based framework for CTL counterexamples and 3-valued abstraction-refinement (2003). 24 citations.
  Citation context: ...e answer carries with it information that enables the refinement of the abstract system. In the case of 3-valued semantics, the information comes from analyzing the source of the answer being unknown [25, 26]. We describe an abstraction-refinement framework for games, based on ATSs and ATL. Our abstraction framework for games is based on lifting the notions of may and must transitions to abstract alternat...

- [8] Alfaro, Godefroid, et al. Three-valued abstractions of games: Uncertainty, but with precision. 22 citations.
  Citation context: ...achieve a goal (〈〈 〉〉 properties), and may transitions are helpful for the verification of properties referring to their disability ([ ] properties). Two earlier works in this direction are [15] and [8]. In [15], the authors describe an abstract interpretation of game properties: the basic modalities 〈〈Ω〉〉○ and [Ω]○ of ATL correspond to the predicate transformers CPre_Ω and UPre_Ω, which take as an...

- Alfaro, Henzinger, et al. Detecting errors before reaching them (2000). 19 citations.

- [7] Dams, Namjoshi. Automata as Abstractions. 18 citations.
  Citation context: ...rocesses that concurrently assign variables to integers. A nice theoretical contribution of our framework is that it unifies three games: the model-checking game (cf. [27]), the abstraction game (cf. [7]), and the game between the different agents. In particular, though the may and must transitions of an AATS have the same structure, which is similar to the one of an ATS, the special case of an AATS...

- [15] Henzinger, Majumdar, et al. Abstract interpretation of game properties (2000). 15 citations.
  Citation context: ...agents to achieve a goal (〈〈 〉〉 properties), and may transitions are helpful for the verification of properties referring to their disability ([ ] properties). Two earlier works in this direction are [15] and [8]. In [15], the authors describe an abstract interpretation of game properties: the basic modalities 〈〈Ω〉〉○ and [Ω]○ of ATL correspond to the predicate transformers CPre_Ω and UPre_Ω, which tak...

- [14] Grumberg, Lange, et al. Don't know in the µ-calculus (2005). 14 citations.
  Citation context: ...nement procedure exists for the temporal logic CTL [26], the refinement procedure for the µ-calculus is based on Zielonka's enumerative algorithm for solving parity games, and thus it is not symbolic [14]. 6 Predicate Abstraction. In this section we focus on the special case where the ATS models several concurrent processes, each given as a program. Each program location is associated with a statement...

- Bradfield. On the expressivity of the modal µ-calculus (1996). 6 citations.

- [10] Dijkstra. A Discipline of Programming (1976). 5 citations.
  Citation context: ...est precondition WP(s, e) is such that the execution of s from every state that satisfies WP(s, e) results in a state that satisfies e, and WP(s, e) is the weakest predicate for which the above holds [10]. For example, for an assignment statement x := v, we have that WP(x := v, e) = e[x/v] (that is, e with all occurrences of x replaced by v). In the case of MTSs, weakest preconditions can be used in o...
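The two WP contexts above (this one and the Godefroid-Huth one) describe how weakest preconditions drive the generation of must and may transitions. The following is an added illustration written for this page, not code from the paper or its authors, and it does not reproduce the paper's ATS-specific definition for statements with internal nondeterminism, which is cut off on the page. It assumes the standard MTS rule from the modal-abstraction literature (a must transition a → a′ under s when a ⇒ WP(s, a′), a may transition when a ∧ WP(s, a′) is satisfiable), and it replaces the theorem prover by exhaustive checking over a bounded integer domain, so its "validity" is only as good as that domain. The predicates, statements and the names `wp`, `abstract_transitions` and `sound_on_domain` are this example's own constructions.

```python
"""Predicate abstraction via weakest preconditions: deriving may and must
transitions of an abstract system from a program's assignments.
Constructed illustration, not code from the paper. It uses the standard MTS
rule (must iff a => WP(s, a'), may iff a /\ WP(s, a') is satisfiable) and
replaces the theorem prover by exhaustive checking over a bounded integer
domain; both are assumptions."""
from itertools import product

DOMAIN = range(-8, 9)   # bounded stand-in for the integers (assumption)

# Abstract states: three predicates over the single variable x that partition the integers.
PREDICATES = {
    "pos": lambda x: x > 0,
    "zero": lambda x: x == 0,
    "neg": lambda x: x < 0,
}
# Assignments x := v, represented by the function x |-> v (the paper's P1 moves x by 1).
STATEMENTS = {
    "inc": lambda x: x + 1,
    "dec": lambda x: x - 1,
}


def wp(assign, e):
    """WP(x := v, e) = e[x/v]: replacing x by v in e is composing e with v."""
    return lambda x: e(assign(x))


def valid(a, phi):
    """a => phi, checked on DOMAIN (the theorem-prover stand-in)."""
    return all(phi(x) for x in DOMAIN if a(x))


def satisfiable(a, phi):
    """a /\ phi has a model in DOMAIN."""
    return any(phi(x) for x in DOMAIN if a(x))


def abstract_transitions():
    """must[(a, s)]: states a' with a => WP(s, a'), every run of s from a ends in a'.
    may[(a, s)]: states a' with a /\ WP(s, a') satisfiable, some run of s from a may end in a'."""
    must, may = {}, {}
    for (a, pa), (s, fs) in product(PREDICATES.items(), STATEMENTS.items()):
        must[(a, s)] = {b for b, pb in PREDICATES.items() if valid(pa, wp(fs, pb))}
        may[(a, s)] = {b for b, pb in PREDICATES.items() if satisfiable(pa, wp(fs, pb))}
    return must, may


def sound_on_domain(must, may):
    """Cross-check against concrete execution: every concrete step from a lands in some
    may-successor and in every must-successor (there is at most one, since the
    predicates partition the integers)."""
    for (a, pa), (s, fs) in product(PREDICATES.items(), STATEMENTS.items()):
        for x in DOMAIN:
            if not pa(x):
                continue
            landed = {b for b, pb in PREDICATES.items() if pb(fs(x))}
            if not landed <= may[(a, s)] or not must[(a, s)] <= landed:
                return False
    return True


if __name__ == "__main__":
    must, may = abstract_transitions()
    for key in sorted(must):
        print(key, "must:", sorted(must[key]), "may:", sorted(may[key]))
    print("sound on domain:", sound_on_domain(must, may))
```

The interesting rows are the ones where must and may differ: from `pos` under `dec` the concrete successor may be `pos` or `zero`, so no must transition exists, which is precisely the loss of precision that a 3-valued model check would later report as an indefinite answer and that refinement (splitting `pos` at x = 1) would remove.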

- [4] Bruns, Godefroid. Model checking with 3-valued temporal logics (2004). 4 citations.
  Citation context: ...noted [(A, a) |= θ], is defined as follows. Due to the lack of space, we do not include the semantics of fixed-point operators. The latter is similar to the one described for the 3-valued µ-calculus in [4], where the semantics we give below to the 〈〈 〉〉 operator replaces the one described there for the usual modal operators of the µ-calculus. [(A, a) |= p] = π(a, p). ... T if [(A, a) |= θ] = F. [(A, a) |=...

- [28, 29] Hoek, Wooldridge. Tractable multi agent planning for epistemic goals (2002). 1 citation.
  Citation context: ..., which is the essence of ATS and ATL, has turned out to be very useful. In particular, games are used in compositional verification [9], reasoning about security protocols [19], multi-agent planning [28, 29], control and synthesis [24], and more. The complexity of game solving, however, is higher than that of model checking [1]. Thus, methods for coping with large state spaces are even more crucial than...