=Paper=
{{Paper
|id=Vol-1195/long6
|storemode=property
|title=Specification and Verification of Commitment-Regulated Data-Aware Multiagent Systems
|pdfUrl=https://ceur-ws.org/Vol-1195/long6.pdf
|volume=Vol-1195
|dblpUrl=https://dblp.org/rec/conf/cilc/MontaliCG14
}}
==Specification and Verification of Commitment-Regulated Data-Aware Multiagent Systems==
Specification and Verification of Commitment-Regulated Data-Aware Multiagent Systems ? Marco Montali1 , Diego Calvanese1 , and Giuseppe De Giacomo2 1 Free University of Bozen-Bolzano, Piazza Domenicani 3, 39100 Bolzano, Italy lastname@inf.unibz.it 2 Sapienza Università di Roma, Via Ariosto, 25, 00185 Rome, Italy lastname@dis.uniroma1.it Abstract. In this paper we investigate multiagent systems whose agent interaction is based on social commitments that evolve over time, in presence of (possibly incomplete) data. In particular, we are interested in modeling and verifying how data maintained by the agents impact on the dynamics of such systems, and on the evolution of their commitments. This requires to lift the commitment-related conditions studied in the literature, which are typically based on propositional logics, to a first-order setting. To this purpose, we propose a rich framework for modeling data-aware commitment-based multiagent systems. In this framework, we study verification of rich temporal properties, establishing its decidability under the condition of “state-boundedness”, i.e., data items come from an infinite domain but, at every time point, each agent can store only a bounded number of them. 1 Introduction In this paper we investigate multiagent systems (MASs) whose agent interaction is based on social commitments that evolve over time, in presence of possibly incomplete data. MASs based on social commitments have been extensively studied in the literature [8]. Intuitively, a social commitment CC(d, c, qp , qd ) models a relationship between a debtor agent d and a creditor agent c, in which d commits towards c that, whenever condition qp holds in the system, it will bring about condition qd in the following course of interaction. Commitments provide a semantics for the agent interaction that abstracts away from the internal agent implementation, and can be thus employed to specify business protocols and contracts. The establishment of commitments is regulated by contracts, which depend on domain-specific events and conditions. Established commitments, in turn, have a lifecycle that is regulated by a so-called commitment machine [12] on the basis of such contracts. While in the literature, virtually all the work is based on propositional contents for such commitments [8], here we explicitly manage data described through first-order formalisms, in line with [7]. In other words, we study how data maintained by the agents impact on the dynamics of such systems, and on the evolution of their commitments. Technically, this requires to lift to first-order the notions related to contracts, commitments, and commitment machines. As a result, we obtain a powerful framework of data-aware commitment-based MASs (DACMASs), which incorporates the typical notions of commitment-based MASs ? This paper is a short version of [10], to be presented at AAMAS 2014. 84 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS but in a rich, data-aware context. In our framework, the commitment machine itself becomes a special agent, called institutional, which is a agent, in charge of supporting the evolution of the system according to the commitments. In addition, this agent manages core information about the MAS itself, such as the list of participating agents, which changes over time as the system unfolds. In this light, it maintains and manipulates a common knowledge base, of interest for all the interacting agents. The data manipulated by the agents are described in terms of a domain ontology, expressed in a lightweight description logic (DL), tailored towards ontology-based data access. This ontology provides a common ground for the agent interaction and commitments, establishing the vocabulary that is shared by all of them. In particular, we rely on DLR-Lite [5], which is the n-ary version of the DL at the base of the OWL 2 QL profile of the OWL 2 semantic web standard. Each agent has its own data about the domain and the contracts it is involved in, expressed in terms of such ontology. Such data are manipulated through actions, in response to events and according to the commitments in place. At each point in time, only a finite number of data is present in the system. However, such data change over time: old data are removed by the agents, and new data (coming from a countably infinite domain ) are inserted. Our main result is that, when a DACMAS is state-bounded, i.e., the number of data that are simultaneously present at each moment in time is bounded, verification of rich temporal properties becomes decidable. More specifically, we are able to check DACMASs against properties expressed in a sophisticated first-order variant of µ- calculus with a controlled form of quantification across states. We do this by exploiting recent results in [2], and reducing verification of state-bounded DACMASs to finite-state model checking through a faithful form of abstraction, essentially obtained by replacing real data items with a finite number of symbolic values, while correctly preserving the relationships among the real data items themselves. 2 Preliminaries Description Logics (DLs) [1] are logics that represent the domain of interest in terms of objects, concepts, denoting sets of objects, and relations between objects. We consider here the DL DLR-Lite [5], which is a DL that belongs to the DL-Lite family of lightweight DLs and that is equipped with relations of arbitrary arity. In DLR-Lite, concepts C and relations R are built from atomic concepts N and atomic relations P (of arity 2): C ! N | P [i] | C u C R ! P | P [i1 , . . . , ih ] where h 2 and for i1 , . . . , ih , which denote pairwise distinct components of relation P , we have that {i1 , . . . , ih } ✓ {1, . . . , n}, where n is the arity of P . Similarly, i 2 {1, . . . , n}. Intuitively, u denotes concept conjunction, while P [i1 , . . . , im ] denotes the projection of relation P on its components i1 , . . . , im . This results in a concept if m = 1 and in a relation otherwise. Formally, the semantics of DLs is given in terms of first-order interpretations I = ( I , ·I ), where I is a nonempty interpretation domain, and ·I is an interpretation function, assigning to each concept C a subset C I of I , and to each n-ary relation R an n-ary relation RI over I such that (C1 u C2 )I = C1I \ C2I (P [i1 , . . . , im ])I = {(o01 , . . . , o0m ) | there is o 2 P I s.t. o[ij ] = o0j , for j 2 {1, . . . , m}} 85 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS (Here, o[i] denotes the i-th component of tuple o.) Also, ·I assigns to each constant a an object aI of I . We adopt the unique name assumption, i.e., a1 6= a2 implies aI1 6= aI2 . In DLs, knowledge about the domain of interest is encoded in an ontology O = hT , Ai, which is formed by a TBox T , encoding intensional knowledge, and an ABox A, encoding extensional knowledge about individuals objects. A DLR-Lite TBox is a finite set of assertions of the form: E1 v E2 (concept/relation inclusion assertion), E1 v ¬E2 (concept/relation disjointness assertion), (key i1 , . . . , i` : R) (key assertion), where R has arity n, and 1 i1 < i2 < · · · < i` n. To ensure decidability of inference, and good computational properties, we require that no relation P can appear both in a key assertion and in the right hand side of a relation inclusion assertion [11,5]. A DLR-Lite ABox is a finite set of assertions of the form: N (a1 ) (concept membership assertion), P (a1 , . . . , an ) (relation membership assertion), where P has arity n, and a1 , . . . , an denote constants. The semantics of an ontology is given by stating when an interpretation I satisfies an assertion, where I satisfies: E1 v E2 , if E1I ✓ E2I ; E1 v ¬E2 , if E1I \ E2I = ;; (key i1 , . . . , i` : R), if there are no two distinct tuples in RI that agree on all their components i1 , . . . , i` ; N (a1 ), if aI1 2 N I ; and P (a1 , . . . , an ), if (aI1 , . . . , aIn ) 2 P I . A model of an ontology O = hT , Ai is an interpretation that satisfies all assertions in T and A. An ontology O is satisfiable if it has at least one model, and it logically implies an assertion ↵, written O |= ↵, if all models of O satisfy ↵. Next we introduce queries, whose answers, as usual in ontologies, are formed by constants denoting individuals explicitly mentioned in the ABox. A union of con- junctive Wn queries (UCQ) q over an ontology hT , Ai is a FOL formula of the form i=1 9y i .conj i (x, y i ) with free variables x and existentially quantified variables y 1 , . . . , y n . Each conj i (x, y i ) in q is a conjunction of atoms of the form N (z), P (z), where N and P respectively denote a concept and a role name occurring in T , and z, z are constants of A or variables in x, y 1 , . . . , y n . The (certain) answers to q over hT , Ai is the set ANS (q, T , A) of substitutions ✓ of the free variables of q with constants in A such that q✓ evaluates to true in every model of hT , Ai, denoted hT , Ai |= q✓. DLR-Lite enjoys nice computational properties, in particular w.r.t. query evaluation: computing the certain answers to a UCQ can be done in polynomial time in the size of hT , Ai, and in AC0 in the size of A alone (i.e., in data complexity) [5]. Such result is based on the FOL rewritability property of DLR-Lite [5], which states that for every UCQ q and TBox T , we can rewrite q into a new UCQ rew T (q) such that ANS (q, T , A) = ANS (rew T (q), ;, A), for every ABox A. In other words, the TBox can be “compiled away”. We also consider ECQs, which are FOL queries whose atoms are UCQs evaluated according to the certain answer semantics above [4]. An ECQ over T and A is a possibly open formula of the form (where q is a UCQ): Q ! [q] | ¬Q | Q1 ^ Q2 | 9x.Q The (certain) answers to Q over hT , Ai, is the set of substitutions ✓ of the free variables of Q with constants in A defined by composing the certain answers of the UCQs q in Q 86 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS through first-order constructs, and interpreting existential variables as ranging over the constants in A. Hence, the first-order constructs in ECQs are interpreted under a (weaker) epistemic semantics. ECQs over DLR-Lite ontologies enjoy the same computational properties as UCQs, in particular FOL rewritability of query answering [4]. 3 Framework We introduce now our framework for modeling DACMASs. Formally, a DACMAS is a tuple hT , E, X , I, C, Bi, where: (i) T is a global DLR-Lite TBox; (ii) E is a set of predicates denoting events (where the predicate name is the event type, and the arity determines the content/payload of the event); (iii) X is a finite set of agent specifica- tions; (iv) I is a (partial) specification for the institutional agent; (v) C is a contractual specification; (vi) and B is a Commitment Box (CBox). 3.1 The Global TBox The global TBox represents the key concepts, relations and constraints characterizing the domain in which the agents operate, so as to provide a common ground for the agent interaction. Part of this TBox is fixed for every agent system, and is used to model core notions related to the system itself. The extension of such core notions is maintained by a single, special institutional agent, which is also responsible for the manipulation of commitments (cf. Section 3.6). The data maintained by such an agent are publicly available and can be queried by the other agents, but only modified by the institutional agent. Specifically, the institutional agent maintains data about the following relations: – Agent denotes the set of (names of) agents that currently participate to the system. Since the institutional agent is always part of the system, we fix its name as inst, and enforce that inst always belongs to the extension of Agent. – Spec, whose extension is immutable, denotes the set of agent specification names mentioned in X (cf. Section 3.2). – hasSpec connects agents with their current specification(s): hasSpec[1] v Agent, hasSpec[2] v Spec. Each agent, including the institutional agent, maintains a proprietary DLR-Lite ABox, in which it stores its own data. Such data can be queried only by the agent itself and by the institutional agent, which exploits the results of such queries to keep track of the evolution of commitments. Furthermore, each agent progresses its own ABox during the execution in such a way that it is always consistent with the global TBox T . Notice that the overall collection of ABoxes is not assumed to be consistent with the TBox, i.e., the TBox assertions are only required to be satisfied by each agent individually. Since, in general, queries may involve the ABoxes of several agents, to disambiguate to which ABox a query atom refers, we augment the vocabulary of the TBox with a location argument that points to an agent. We use R@a(x) to denote an atomic query returning the extension of R in the ABox of a. If a does not point to an agent currently in the system, then R@a(x) evaluates to empty. Beside the special constant inst, we also use self to implicitly refer to the agent that is posing the query (similarly to “this” in object-oriented programming). When clear from the context, we omit @self and just use relations without the location argument. We denote with UCQ ` (resp., ECQ ` ) the language obtained from UCQ (resp., ECQ) by extending atoms with a location argument. 87 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS 3.2 Agent Specifications In a DACMAS, agents interact by exchanging messages. A message is sent by a sender agent to a receiver agent, and is about the occurrence of an event with a payload, containing data to be communicated. All agents but the institutional one are only aware of the events they send and receive. As for data, the institutional agent has instead full visibility of all exchanged messages, so as to properly handle the evolution of commitments. Agents determine the events they may send, and also how they react to events, through proactive and reactive rules. Such rules are grouped into behavioural profiles called agent specifications, and model: (i) the possible, proactive emission of an event, directed to another agent (communicative rule); (ii) conditional internal (re)actions, which lead to update the agent ABox when sending/receiving an event to/from another agent (update rule). The update could result in the insertion of new data items (from the countably infinite domain ), not already present in the system. The exchange of a message represents a synchronization point among the sender, receiver and institutional agent. Hence, the reaction of the three agents is interpreted as a sort of transaction, such that each of them effectively enforces the update on its own ABox only if each of the three resulting ABoxes is consistent with T . An inconsistency could potentially arise when reacting to an event either because the same data item is asserted to be member of two disjoint classes, or because a key assertion is violated. Formally, an agent specification is a tuple hsn, ⇧i, where sn is the specification name, and ⇧ is a set of communicative and update rules. Such rules are defined over the vocabulary of T and B, and are applied over the ABoxes of the agent and of inst. This allows the agent to query the status of commitments and obtain the names of the other participants. A communicative rule has the form Q(r, x) enables EV(x) to r where Q is an ECQ ` , and EV(x) is an event supported by the system, i.e., predicate EV /|x| belongs to E. The semantics of a communicative rule is as follows. Whenever Q(r, x) evaluates positively, the agent autonomously selects one of the answers ✓ returned by the query, using it to determine the event receiver and its payload. This states that the ground event EV(x)✓ can be sent by the agent to r✓, provided that r✓ points to an actual agent name in the system (including the two special names inst and self). Example 1. Consider a DACMAS where customers and sellers interact to exchange goods. We model the behavioural rules for customers and sellers using two agent specifications. To buy from a seller, a customer must register to that seller. A registration request is modeled in the customer specification as: Spec@inst(sel, seller) enables REQ REG to sel Assuming that each seller maintains its customers and items respectively in relations MyCust and Item, the proposal of an item to a customer is modeled in the seller specifi- cation as: MyCust(m) ^ Item(i) enables PROPOSE(i) to m. Update rules are ECA-like rules of the form: – on EV(x) to r if Q(r, x) then ↵(r, x) (on-send) – on EV(x) from s if Q(s, x) then ↵(s, x) (on-receive) 88 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS where EV/|x| is an event type from E, Q is an ECQ ` , and ↵ is an update action with parameters (described below). Each such rule triggers when an event is sent to/received from another agent, and Q holds. This results in the application of ↵ using the actual event payload and receiver/sender. Action ↵ queries the ABox of the agent and of inst, using the answers to add and remove facts to the ABox. Formally, an update action is an expression ↵(p) : {e1 , . . . , en }, where ↵(p) is the action signature (constituted by the name ↵ and by a list p of parameters), and {e1 , . . . , en } are update effects, each of which has the form [q + (p, x)] ^ Q (p, x) add A, del D – q + is an UCQ ` , and Q is an ECQ ` whose free variables occur all among those of q + ; intuitively, q + selects a set of tuples from the agent ABox and that of inst, while Q filters away some of them.3 During the execution, the effect is applied with a ground substitution d for the action parameters, and for every answer ✓ to the query [q + (d, x)] ^ Q (d, x). – A is a set of facts (over the alphabet of T and B) which include as terms: free variables x of q + , action parameters p and/or Skolem terms f (x, p). We use SKOLEM(A) to denote all Skolem terms mentioned in A. At runtime, whenever a ground Skolem term is produced by applying ✓ to A, the agent autonomously substitutes it with a possibly new data item taken from . This mechanism is exploited by the agent to inject new data into the system. The ground set of facts so obtained is added by the agent to its ABox. – D is a set of facts which include as terms free variables x of q + and action parameters p. At runtime, whenever a ground fact in D is obtained by applying ✓, it is removed from the agent ABox. As in STRIPS, we assume that additions have priority over deletions (i.e., if the same fact is asserted to be added and deleted during the same execution step, then the fact is added). The “add A” (resp. “del D”) part can be omitted if A = ; (resp., if D = ;). Example 2. Consider three possible reaction rules for the seller. The fact that the seller makes every agent that sends a request become one of its customers is modeled as: on ASK REG from c if true then makeCust(c) where makeCust(x) : {[true] add{MyCust(x)}}. Assume now that the seller maintains the item cart for a customer, using relation InCart(i, c) to model that item i is in the cart of c. The seller reaction to an “empty cart” request is modeled as: on EMPTY CART REQ from c if MyCust(c) then doEmpty(c) where doEmtpy(c) : {[InCart(i, c)] del{InCart(i, c)}}. Note that the effect is ap- plied to each i in the cart of c. Consider now the case where the seller receives a new item i to be sold. It reacts by adding i and deciding its price (denoted with Skolem p(i)): on NEW ITEM(i) from a if true then addItem(i) where addItem(i) : {[true] add{Item(i), Price(i, p(i))}}. 3 The distinction between q + and Q is needed for technical reasons, borrowed from [2]. 89 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS 3.3 Institutional Agent Specification The institutional agent inst manages the core information of the DACMAS. Its behaviour is (partially) captured by the institutional agent specification I, which differs from the other agent specifications in two respects. First, since inst is aware of all messages exchanged by the other agents and can query their ABoxes, its specification is not only constituted by communicative rules and on-send/on-receive reactive rules, but also by on-exchange rules of the form: on EV(x) from s to r if Q(s, r, x) then ↵(s, r, x) where Q and ↵ can query the internal ABox of the institutional agent, and the ABoxes of s and r. To conveniently specify reactions of inst that do not depend on a specific event, but trigger whenever an event is exchanged, we use: on any event from s to r if Q(s, r) then ↵(s, r) Second, I is only a partial specification for inst. In fact, inst is also responsible for the manipulation of commitments, which results in a set of additional on-exchange rules that, starting from the contractual specification (cf. Section 3.4), encode the commitment machines for the commitments involved in the contract. These rules are automatically extracted from the contractual specification (cf. Section 3.6). Example 3. Consider a portion of institutional agent specification, modeling the creation of a new agent whenever inst receives a request (whose payload denotes the specification to be initially followed by that agent). To handle this request, inst uses relation NewA to store a newly created agent together with is initial specification. The axiom NewA[1] v ¬Agent is part of T , and enforces that a new agent has indeed a new name. The behaviour is defined in two steps. In the first step, inst reacts to a creation request by choosing an agent name (using Skolem term n()). The reaction is applied only if there is no pending new agent to be processed. on AG REQ(s) from a if ¬(9x9y.NewA(x, y)) then create(s) create(s) : { [true] add{NewA(n(), s))} } Note that axiom NewA[1] v ¬Agent ensures that the update is blocked if the chosen name is already used in the system. In the second step, inst informs itself that a new agent has to be processed; the corresponding reaction finalizes the insertion of the new agent, moving it to the set of participating agents: NewA(a, s) enables INSERT AG(a, s) to self on INSERT AG(a, s) from self if true then do ins(a, s) do ins(a, s) : { [true] add{Agent(a), Spec(a, s)}, del{NewA(a, s)} } 3.4 Contractual Specification The contractual specification C consists of a set of commitment rules, which are reactive rules similar to on-exchange rules. The main difference is that, instead of actions, they 90 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS describe (first-order) conditional commitments and their creation: on EV(x) from s to r if Qc (s, r, x) (⇤) then CCn (s, r, [qp+ (s, r, x, y)] ^ Qp (s, r, x, y), Qd (s, r, x, y)) where n is the commitment name, the ECQ ` Qc is the condition for the creation of the conditional commitment, [qp ]+ ^ Qp (where, as in update effects, qp+ is a UCQ ` , and Qp is an ECQ ` whose free variables all occur among those of qp+ ) is the precondition determining the generation of a corresponding base-level commitment, and the ECQ ` Qd is the discharge condition for such base-level commitment. All the aforementioned queries can be posed over the ABoxes of s, r, and inst. We use GET- CC(C) to extract the set of conditional commitments contained in C. According to the literature, commitments are manipulated either explicitly via spe- cific events (such as a commitment cancellation or delegation), or implicitly when the commitment precondition or discharge condition becomes true. The allowed commit- ment manipulations, together with the resulting commitment states, are captured by means of a commitment machine [12]. In this work, we consider a simple commitment machine, inspired by [12,13], and show how to lift it to a first-order setting, taking into account that in our framework the precondition and the discharge condition are specified through queries over the data of the involved agents. More elaborated commitment machines, in terms of events and states, can be seamlessly incorporated. Specifically, every commitment in GET- CC(C) is associated to a specific first-order commitment machine, which is activated using the corresponding commitment rule in C of the form above, instantiated possibly multiple times, depending on the agent data. The machine evolves as follows: 1. When an event of type EV is sent by agent a to agent b with payload d, if Qc (a, b, d) is satisfied, an instance of the conditional commitment n is created. The debtor, creditor, and payload of this instance are respectively a, b, and d. 2. Such instance is explicitly or implicitly manipulated by the involved agents. Explicit manipulation is done via specific message exchanges; we consider in particular the case of delegation from the debtor a to a new debtor, and the case of cancellation. Implicitly, instead, the instance can generate one or more corresponding base-level commitment instances: whenever [qp+ (a, b, d, v)] ^ Qp (a, b, d, v) is satisfied with actual values v for variables y, the conditional commitment instance creates a base-level commitment instance with payload d and v. Such base-level instance is put into the active state. The discharge condition for this instance is the instantiation of Qd with the involved agents and specific payload, i.e., a is committed to bring about Qd (a, b, d, v). 3. Also a base-level commitment instance is explicitly and implicitly manipulated by the involved agents. Explicit manipulation of an active base-level instance resembles that of conditional commitment instances, with the difference that, when canceled, a base-level commitment instance enters into the violated state. Implicit manipulation determines instead the discharge of the instance as soon as Qd (a, b, d, v) holds, moving the instance from active to satisfied. Example 4. Consider a commitment rule establishing a conditional commitment that the seller takes whenever it accepts the registration of a customer c. The conditional commitment is about the delivery of items paid by c. Specifically, for each item sold by the seller, if c has paid that item, then the seller commits to ensure that c will hold that 91 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS item. Note that the two conditions are correlated by the same item, and that a base-level commitment is created for each paid item. This cannot be expressed in propositional logic. Assuming that the seller stores a fact Paid(i, c) if c has paid for i, and that the customer stores a fact Owned(i) whenever it owns i, the commitment rule can be specified as: on ACCEPT REG from s to c if MyCust@s(c) then CCDelivery (s, c, [Item@s(i) ^ Paid@s(i, c)], Owns@c(i)) Note the use of location arguments, reflecting that payments are maintained by the seller, whereas the items owned by the customer are maintained by the customer itself. 3.5 Commitment Box The commitment box B is a set of relations used by inst to maintain the concrete instances of conditional commitments, and the instances of their corresponding base- level commitments (with their states). In fact, due to the presence of data, commitments do not only require to keep track of the involved agents, but also of the payload associated to each of their instances. Such relations are extracted from the contractual specification as follows. Each commitment CCn (s, r, [qp+ (s, r, x, y)] ^ Qp (s, r, x, y), Qd (s, r, x, y)) in GET- CC(C) induces two relations in B, on the basis of the commitment name n and the payloads x and y: (i) nCC/ar, where ar = 2 + |x| for debtor, creditor, and conditional commitment payload; (ii) nC/ar, where ar = 3 + |x| + |y| for debtor, creditor, state, and base-level commitment payload. Example 5. The commitment in Example 4 induces the following relations in B: DeliveryCC(debtor, creditor) and DeliveryC(debtor, creditor, state, item). 3.6 Commitment Machine Formalization As anticipated in Section 3.3, the specification of inst must be complemented with a set of additional on-exchange rules, used to properly manipulate the evolution of commitments as the interaction unfolds. Commitment instances are stored by inst using the vocabulary of the CBox B, and evolved through the application of these rules. Specifically, these rules ground the (first-order) commitment machine described in Section 3.4 to each specific commitment of GET- CC(C), according to the “templates” described in the remainder of this section. We denote with CC - RULES(C) all the commitment manipulation rules produced from C. When discussing the templates, we refer to a commitment rule ⇢ 2 C of the form (⇤) in Section 3.4. Notice that, when n, x and y are mentioned in the rule templates, they are meant to be replaced with the actual commitment name and payload variables. CC creation. For each ⇢ 2 C, a corresponding creation rule is obtained, depending on n and x. When the rule triggers, a new instance of the conditional commitment nCC is created, with the actual agents and payload: on EV(x) from s to r if Qc (s, r, x) then create nCC (s, r, x) create nCC (s, r, x) : { [true] add{nCC(s, r, x)} } CC delegation. The delegation of a conditional commitment instance for commitment n is triggered when the old debtor do sends to the new debtor dn a DELEGATE nCC 92 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS event, specifying in the event payload the creditor and the payload of the instance to be delegated. If such an instance exists, the debtor is updated by inst: on DELEGATE nCC(c, x) from do to dn if nCC(do , c, x) then changedeb nCC (do , dn , c, x) changedeb nCC (do , dn , c, x) : { [true] add{nCC(dn , c, x)}, del{nCC(do , c, x)}} CC cancelation. The cancelation of a conditional commitment instance for commitment n is triggered when the debtor sends to the creditor a CANCEL nCC event, providing the instance payload. If the instance exists, it is removed: on CANCEL CC(x) from d to c if nCC(d, c, x) then delete nCC (d, c, x) delete nCC (d, c, x) : { [true] del{nCC(d, c, x)} } C creation. Every conditional commitment instance for relation nCC creates a base-level commitment instance whenever the precondition (whose variables x are grounded with the instance payload) holds with an answer substitution ✓ for variables y. This results in the creation of a new tuple for relation nC with the actual, full payload. This does not depend on the specific exchanged event, but only on the actual configuration of the data. Hence, a single “any-event” rule can be used to manage the creation of all base-level instances at once: on any event from d to c if true then createC (d, c) where, for each commitment CCn (s, r, [qp+ (s, r, x, y)] ^ Qp (s, r, x, y), Qd (s, r, x, y)) in GET- CC(C), action createC (d, c) contains the following detachment effect: [nCC(d, c, x) ^ qp+ (d, c, x, y)] ^ Qp (d, c, x, y) add {nC(d, c, active, x, y)} Differently from the propositional formalization of a commitment machine, in which the conditional commitment detaches to a base-level one, in our setting the conditional commitment instance is maintained, and keeps waiting for other situations matching the precondition with different data. C delegation. It resembles the CC delegation: on DELEGATE nC(c, x, y) from do to dn if nC(do , c, active, x, y) then changedeb nC (do , dn , c, x) changedeb nC (do , dn , c, x, y) : {[true] add{nC(dn , c, active, x, y)}, del{nC(do , c, active, x, y)}} C cancelation. It determines a transition for the base-level commitment instance from the active to the violated state: on CANCEL C(x, y) from d to c if nC(d, c, x, y) then viol nC (d, c, x, y) viol nC (d, c, x, y) : {[true] add{nC(d, c, viol, x, y)}, del{nC(d, c, active, x, y)}} C discharge. Similarly to the case of C creation, the discharge of base-level commitment instances is handled by a single “any-event” rule, which checks the discharge condition 93 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS for each active commitment instance with the actual payload, evolving the instance to the satisfied state if it holds: on any event from d to c if true then dischargeC (d, c) where, for each CCn (s, r, [qp+ (s, r, x, y)] ^ Qp (s, r, x, y), Qd (s, r, x, y)) in CC(C), ac- tion dischargeC (d, c) contains: [nC(d, c, active, x, y)] ^ Qd (d, c, x, y) add{nC(d, c, sat, x, y)}, del{nC(d, c, active, x, y)} C removal. A last “any-event” reactive rule is used by inst to remove those instances of base-level commitments that already achieved a final state (sat or viol): on any event from a to b if true then removeFinal () where, for each base-level commitment relation nC in B, action removeFinal () contains: [nC(d, c, s, x, y)] ^ (s = sat _ s = viol) del{nC(d, c, s, x, y)} Example 6. Assume that the only rule in C is that of Example 4. The following CC creation rule is produced on ACCEPT REG from s to c if MyCust@s(c) then create DeliveryCC (s, c) create DeliveryCC (s, c) : {[true] add{DeliveryCC(s, c)}} Furthermore, the following C creation and C discharge update actions are produced: createC (d, c) : {[DeliveryCC(d, c) ^ Item@d(i) ^ Paid@d(i, c)] add{DeliveryC(d, c, active, i)}} dischargeC (d, c) : {[DeliveryC(d, c, active, i)] ^ Owns@c(i) add{DeliveryC(d, c, sat, i)}, del{DeliveryC(d, c, active, i)}} 4 Execution Semantics The execution semantics of a DACMAS is defined in terms of a transition system that, starting from a given initial state, accounts for all the possible system dynamics, considering all the (possibly infinite) sequences of message exchanges, and all the possible substitutions that the agents choose during the application of update actions to provide concrete values for the Skolem terms. Given a DACMAS S = hT , E, X , I, C, Bi and an initial state 0 , the execution semantics of S over 0 is defined by a transition system ⌥S 0 = h , T [ B, ⌃, 0 , )i, where: – ⌃ is a (possibly infinite) set of states. Each state 2 ⌃ is equipped with a function abox that, given the name a of an agent, returns the ABox .abox(a) of a in , if and only if a participates to the system in state , i.e., a belongs to the extension Agent in .abox(inst). Hence, .abox(inst) is always defined. – 0 2 ⌃ is the initial state. We assume that every ABox A in 0 is such that (T , A) is satisfiable, and that Spec(sn) 2 0 .abox(inst) if and only if hsn, i 2 X . – ) ✓ ⌃ ⇥ ⌃ is a transition relation. 94 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS Instrumental to the definition of the transition system is the extension of answering ECQ ` queries so as to take into account location arguments. Formally, given a TBox T , we define that R@b(x) holds in state from the perspective of agent a under substitution ✓ for x, written T , , a, ✓ |= R@b(x), if:4 n .abox(a) is defined and (T , .abox(a)) |= R(x)✓, if b✓ = self .abox(b✓) is defined and (T , .abox(b✓)) |= R(x)✓, if b✓ 6= self Note that the semantics supports a sort of dynamic binding of location arguments, using ✓ to substitute a variable location argument with an agent name. This relation extends in the natural way to UCQ ` and ECQ ` , considering that quantification ranges over the active domain ADOM( ) of , which is defined as the union of the active domains of the ABoxes maintained by the agents present in . This, in turn, allows us to define the certain answers to Q obtained by agent a in state , denoted ANS` (Q, T , , a), as the set of substitutions ✓ for the free variables in Q such that Q holds in state from the perspective of a, i.e., ANS` (Q, T , , a) = {✓ | T , , a, ✓ |= Q}.. The construction of the transition system ⌥S 0 is given in Figure 1. 5 Verification of DACMAS To specify dynamic properties over DACMASs, we use a first-order variant of µ-calculus [14,6]. µ-calculus is virtually the most powerful temporal logic used for model checking of finite-state transition systems, and is able to express both linear time logics such as LTL and PSL, and branching time logics such as CTL and CTL* [9]. In our variant of µ-calculus, local properties are expressed as ECQ ` queries over the current state of the DACMAS. We allow for a controlled form of first-order quantification across states, inspired by [2], where the quantification ranges over data items across time only as long ECQ as such items persist in the active domain. Formally, we define the logic µLp ` as: ::= Q` | ¬ | 1 ^ 2 | 9x. LIVE (x)^ | LIVE(x)^h i | LIVE(x)^[ ] | Z | µZ. where Q is a (possibly open) ECQ ` query, in which the only constants that may appear are those in the initial state of the system, Z is a second order predicate variable (of arity V ECQ 0), and LIVE(x1 , . . . , xn ) abbreviates i2{1,...,n} LIVE(xi ). For µLp ` , the following assumption holds: in LIVE(x) ^ h i and LIVE(x) ^ [ ] , the variables x are exactly the free variables of , once we substitute to each bounded predicate variable Z in its bounding formula µZ. 0 . We adopt the usual abbreviations, including ⌫Z. for greatest ECQ fixpoints. Intuitively, the use of LIVE(·) in µLp ` ensures that data items are only considered if they persist along the system evolution, while the evaluation of a formula with data that are not present in the current state trivially leads to false or true. This is in line with DACMASs, where the evolution of a commitment instance persists until the commitment is discharged or canceled, and where an agent name is meaningful only while it persists in the system: when an agent leaves the system and its name a is canceled by inst, inst could reuse a in the future to identify another agent. The formula µZ. denotes the least fixpoint of the formula . As usual in µ-calculus, formulae of the form µZ. must obey to the syntactic monotonicity of w.r.t. Z, which 4 We assume that ✓ is the identity on data items (including the special constants self and inst). 95 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS 1: procedure BUILD - TS 2: input: DACMAS S = hT , E, X , I, C, Bi and initial state 0 3: output: Transition system h , T [ B, ⌃, 0 , )i 4: ⌃ := { 0 }, ) := ; 5: while true do 6: pick 2 ⌃ and a 2 {ag | Agent(ag) 2 .abox(inst)} 7: Fetch all current behavioural rules for a; Calculate enabled events with receivers for a 8: if There exists at least an enabled event then 9: pick an enabled event EV(e) for a with receiver b 10: Ai := APPLY(S, , inst, a, b, EV(e)) . New inst ABox 11: ⌃ := ⌃ [ { 0 } . Tentatively add a new state 0 12: for all x 2 {ag | Agent(ag) 2 Ai } do 0 13: .abox(x) := APPLY(S, , x, a, b, EV(e)) 14: if for every x 2 {ag | Agent(ag) 2 Ai }, hT , 0 .abox(x)i is satisfiable then 15: ) := ) [ h , 0 i 16: else ⌃ := ⌃ \ { 0 } . Inconsistent execution step 17: function APPLY(S, , x, a, b, EV(e)) 18: output: new ABox for x after reacting to EV(e) from a to b 19: if x 62 {inst, a, b} then return .abox(x) 20: Fetch all current behavioural rules for x 21: if x = a then . x is the sender agent 22: Fetch on-send and “self” on-receive rules and compute actions with actual params 23: if x = b then . x is the receiver agent 24: Fetch on-receive and “self” on-send rules and compute actions with actual param 25: if x = inst then . x is the institutional agent 26: Fetch matching/“any-event” on-exchange rules and compute actions with actual param 27: TOADD := ;, TODEL := ; 28: for all ↵(v) 2 ACT do . ACT = set of fetched actions 29: TOADDSK := ; 30: for all effect “[q + (p, x)] ^ Q (p, x) add A, del D” in the definition of ↵ do 31: for all ✓ 2 ANS` ([q + (v, x)] ^ Q (v, x), T , , x) do 32: TOADDSK := TOADDSK [ A✓[p/v] 33: TODEL := TODEL [ D✓[p/v] 34: pick a substitution ✓sk of the Skolem terms with data 35: TOADD := TOADD [ TOADDSK ✓sk 36: if x = inst then TOADD := TOADD [ {Agent(inst)} 37: return ( .abox(x) \ TODEL) [ TOADD Fig. 1. Transition system construction states that every occurrence of the variable Z in must be within the scope of an even number of negation symbols. This ensures that the least fixpoint µZ. always exists. ECQ The semantics of µLp ` formulae is defined over a possibly infinite transition system ⌥ = h , T [ B, ⌃, 0 , )i (cf. Section 4), assuming that ECQ ` queries are posed from the point of view of inst. This does not prevent the possibility to query the ABoxes of the other agents, thanks to the dynamic binding for location arguments. ECQ Since µLp ` contains formulae with both individual and predicate free variables, we introduce an individual variable valuation v, i.e., a mapping from individual variables x to , and a predicate variable valuation V , i.e., a mapping from the predicate variables Z to subsets of ⌃. With these three notions in place, we assign meaning to formulae by 96 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS (Q` )⌥v,V = { 2 ⌃ | T , , inst, v |= Q` } (¬ )⌥v,V = ⌃ \ ( )⌥v,V ( 1 ^ 2 )⌥v,V = ( 1 )⌥v,V \ ( 2 )⌥v,V (9x.LIVE(x) ^ )⌥v,V = { 2 ⌃ | 9d 2 ADOM( ). 2 ( )⌥v[x/d],V } (LIVE(x) ^ h i )⌥v,V = { 2 ⌃ | x/d 2 v implies d ✓ ADOM( ) and 9 0 . ) 0 and 0 2 ( )⌥v,V } (LIVE(x) ^ [ ] )⌥v,V = { 2 ⌃ | x/d 2 v implies d ✓ ADOM( ) and 8 0 . ) 0 implies 0 2 ( )⌥v,V } ⌥ (Z)v,V = VT(Z) (µZ. )⌥v,V = {E ✓ ⌃ | ( )⌥v,V [Z/E] ✓ E} ECQ ` Fig. 2. Semantics of µLp associating to ⌥ , v, and V an extension function (·)⌥v,V , which maps formulae to subsets of ⌃. Formally, the extension function (·)⌥v,V is defined inductively as shown in Figure 2. When is a closed formula, ( )⌥v,V does not depend on v or V , and we denote the extension of simply by ( )⌥ . A closed formula holds in a state s 2 ⌃ if s 2 ( )⌥ . ECQ In this case, we write ⌥, s |= . Given DACMAS S, an initial state 0 and a µLp ` formula , we are interested in the following verification problem: ⌥S , 0 |= . 0 Example 7. Consider the contract of Example 4. Assume that T contains that gold ECQ customers are seller customers: MyGoldCust v MyCust. The µLp ` property ⌫Z.(8s, c, i.DeliveryC(s, c, active, i) ^ MyGoldCust@s(c) ! µY.(DeliveryC(s, c, sat, i)) _ (LIVE(s, c, i) ^ h iY )) ^ [ ]Z models that, for every delivery commitment instance a seller has towards a gold customer, there must exist a run where the instance persists in the system until it is satisfied. The number of states of ⌥S 0 is in general infinite, and verification of (even proposi- tional) temporal properties of simple forms (e.g., reachability) turns out to be undecidable [2,6]. This calls for identifying interesting classes of DACMASs for which verification is decidable. Recently, the notion of state-bounded system has been proposed in the context of both data-aware business processes [2] and MASs [3], as an interesting condition that ensures decidability of verification for rich first-order temporal properties, while reflecting naturally occurring working assumptions in real-world systems. Intuitively, state-boundedness allows for encountering infinitely many different data during the evolution of the system, provided that such data do not accumulate in a single state. We take this general notion and adapt it to DACMASs. In particular, a DACMAS is state-bounded if, for every agent active in the system, there exists a bound on the number of data items simultaneously stored in its ABox. Since the ABox of inst stores the names of the active agents, this implicitly bounds also the number of simultaneously active agents. Observe, however, that the overall number of data items (and hence also agents) encountered across and along the runs of the system can still be infinite. With this notion in place, we obtain the following fundamental result: ECQ ` Theorem 1 ([10]). Verifying state-bounded DACMASs against µLp properties is decidable and reducible to finite-state model checking. This means that state-bounded DACMASs can be verified, in principle, using standard model checkers for propositional µ-calculus. 97 M. Montali et al. Specification and Verification of Commitment-Regulated Data-Aware MAS 6 Conclusion DACMASs are readily implementable in standard technologies such as JADE (which supports dynamic agent creation) and lightweight ontologies. Observe that a system execution requires polynomial time at each step (actually logspace w.r.t. the data, as any system based on relational databases). Only offline verification of the system is (as usual) exponential in the representation. Our framework complements that of [7], which employs data-aware commitments to monitor a system execution and track the state of commitment instances, but cannot be exploited for static analysis. We consider extending our framework with the possibility of checking epistemic properties, in the line of [3]. Notice that, if instead of relying on the µ-calculus, we rely on CTL, we can relax the persistence requirement in the logic, as in [3]. We also intend to study how to derive skeletons for the local agent specifications from a global, choreographic commitment-based protocol. References 1. Baader, F., Calvanese, D., McGuinness, D., Nardi, D., Patel-Schneider, P.F. (eds.): The Description Logic Handbook:. Cambridge University Press (2003) 2. Bagheri Hariri, B., Calvanese, D., De Giacomo, G., Deutsch, A., Montali, M.: Verification of relational data-centric dynamic systems with external services. In: Proc. of PODS (2013) 3. Belardinelli, F., Lomuscio, A., Patrizi, F.: An abstraction technique for the verification of artifact-centric systems. In: Proc. of KR (2012) 4. Calvanese, D., De Giacomo, G., Lembo, D., Lenzerini, M., Rosati, R.: EQL-Lite: Effective first-order query processing in description logics. In: Proc. of IJCAI (2007) 5. Calvanese, D., De Giacomo, G., Lembo, D., Lenzerini, M., Rosati, R.: Data complexity of query answering in description logics. Artificial Intelligence 195, 335–360 (2013) 6. Calvanese, D., De Giacomo, G., Montali, M., Patrizi, F.: Verification and synthesis in descrip- tion logic based dynamic systems. In: Proc. of RR (2013) 7. Chesani, F., Mello, P., Montali, M., Torroni, P.: Representing and monitoring social commit- ments using the event calculus. AutonȦgent and Multi-Agent Syst. 27(1), 85–130 (2013) 8. Chopra, A.K., Singh, M.P.: Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence, chap. Agent Communication. MIT Press (2013) 9. Clarke, E.M., Grumberg, O., Peled, D.A.: Model checking. MIT Press (1999) 10. Montali, M., Calvanese, D., De Giacomo, G.: Verification of data-aware commitment-based multiagent systems. In: Proc. of AAMAS (2014), to appear 11. Poggi, A., Lembo, D., Calvanese, D., De Giacomo, G., Lenzerini, M., Rosati, R.: Linking data to ontologies. J. on Data Semantics X, 133–173 (2008) 12. Singh, M.P.: Formalizing communication protocols for multiagent systems. In: Proc. of IJCAI (2007) 13. Singh, M.P., Chopra, A.K., Desai, N.: Commitment-based service-oriented architecture. IEEE Computer 42(11), 72–79 (2009) 14. Stirling, C.: Modal and Temporal Properties of Processes. Springer (2001) 98