Trace expressions are a specification formalism expressly designed for RV. They are based on the notions of event and its abstraction, event type.

Events. In the following we denote by E a fixed universe of events. An event trace over E is a possibly infinite sequence of events in E. As an example, we might have E = { msg(bob, alice, tell, m1), msg(alice, bob, tell, a1), msg(bob, carol, tell, m2), msg(carol, bob, tell, a2), msg(bob, dave, tell, m3), msg(dave, bob, tell, a3) } where the interaction event msg(S, R, P, C) corresponds to the interaction between agent S and agent R, with S sending a message with performative P and content C to R. In this example, contents m1, m2 and m3 correspond to actual messages, and contents a1, a2 and a3 correspond to acknowledges of reception. • τ1·τ2 (concatenation), denoting the set of all traces obtained by concatenating the traces of τ1 with those of τ2. • τ1∧τ2 (intersection), denoting the intersection of the traces of τ1 and τ2. • τ1∨τ2 (union), denoting the union of the traces of τ1 and τ2. • τ1|τ2 (shuffle ), denoting the set obtained by shuffling the traces in τ1 with the traces in τ2.

To support recursion without introducing an explicit construct, trace expressions are regular (a.k.a. rational or cyclic) terms. A regular term can be represented by a finite set of syntactic equations, as happens, for instance, in most modern Prolog implementations where unification supports cyclic terms. A trace expression τ is contractive if all its infinite paths from the root contain the prefix operator.

From the operators above we can derive the filter operator, useful for making trace expressions more compact and readable. The expression ϑ τ denotes the set of all traces contained in τ , when deprived of all events that do not match ϑ. Assuming that event types are closed by complementation, the expression above is a convenient syntactic shortcut for T |τ , where T = ∨ϑ:T , and ϑ is the complement event type of ϑ, that is, JϑK = E \ JϑK.

In the context of RV, where the three-valued semantics is considered for LTL, trace expressions are strictly more expressive than LTL [6]: every LTL formula can be encoded into a trace expression with an equivalent three-valued semantics, whereas the opposite property does not hold, since trace expressions are also able to specify all context-free languages, and also some non context-free ones.

Although trace expressions can define protocols involving events of any kind, in the sequel we will limit our investigation to interaction events like msg(S, R, P, C) and interaction types that we will identify with α.

Event types. To be more general, trace expressions are built on top of event types (chosen from a set ET), rather than of single events; an event type denotes a subset of E.

For example, if we were interested only in the type of the message content (actual message or acknowledge), we might define the two event types Msg= { msg(bob, alice, tell, m1), msg(bob, carol, tell, m2), msg(bob, dave, tell, m3) } and Ack= { msg(alice, bob, tell, a1), msg(carol, bob, tell, a2), msg(dave, bob, tell, a3) }, and use them for describing interaction patterns.

The projection function was first introduced in [2]. Given the finite set AGS of all the agents that could play a role in the MAS and an interaction type α, senders(α) is the set of all the agents in AGS that could play the role of sender in actual interactions having type α, and receivers(α) is the set of all the agents in AGS that could play the role of receiver

Trace expressions. A trace expression τ represents a set of in interactions of type α. The involves predicate holds on one possibly infinite event traces, and is defined on top of the interaction type α and one set of agents Ags, involves(α, Ags), following operators (binary operators associate from left, and iff (senders(α) ∩ Ags 6= ∅) ∨ (receivers(α) ∩ Ags 6= ∅). are listed in decreasing order of precedence, that is, the first Projection can be described as a function Π : T × operator has the highest precedence): P(AGS) → T where T is the set of trace expressions. Π is • (empty trace), denoting the singleton set { } containing driven by the syntax of the trace expression to project; since the empty event trace . Π is defined on cyclic terms, the simplest way to define it • ϑ:τ (prefix ), denoting the set of all traces whose first event would be by coinduction2 as follows: e matches the event type ϑ (e ∈ ϑ), and the remaining (i) Π( , Ags) = part is a trace of τ . For example, if our communication protocol just required that an interaction from the set 2Coinduction is a technique for defining and proving properties of systems Msg must take place, no matter which one, and then an of concurrent interacting objects. It is the mathematical dual to structural interaction from Ack must occur, no matter which one, isnudcuhctaiosn.stCreoaimndsu.cStieveelyhtdtpe:fi//ncseedwteybp.uescsadr.eedtuy/pgircoaullpys/tiantfia mniit/ehadnadtdaesmtrousc/tduorce/s, we could express it as Msg:Ack: . coind.htm for a more technical formalization. (ii) Π(α : τ, Ags) = α : Π(τ, Ags) if involves(α, Ags) (iii) Π(α : τ, Ags) = Π(τ, Ags) if ¬involves(α, Ags) (iv) Π(τ 0 op τ 00, Ags) = Π(τ 0, Ags) op Π(τ 00, Ags), where op ∈ {·, ∧, ∨, |}.

This definition works properly only on all non cyclic terms and on some, but not all, cyclic terms. To guarantee that the projection function always returns a contractive type and that the correct coinductive definition is implemented, it is necessary to keep track of all types visited by Π along a path; each type is associated with its depth in the path, and with a fresh variable which will be unified with the corresponding computed projection. During the visit, the depth DeepestSeq of the deepest visited sequence operator is kept. If a type τ has been already visited, then a cycle is detected: if its depth is less than DeepestSeq then the cycle contains an occurrence of the sequence constructor, therefore the projected type associated with τ is contractive and, hence, is returned; otherwise, the projection would not be contractive, therefore is returned.

The graph partitioning problem (GPP) is defined in the following way [12]: given a number k ∈ N>1 and an undirected graph G = (V, E) with non-negative node and edge weights, GPP asks for a partition of V , that is, with blocks of nodes (V1, ..., Vk) such that all edges in the CI G have weight 1, but the approach works also in case edge weights are different: a higher edge weight would model a preferential communication channel; 4) partition the new graph obtained so far using some suitable graph partition method; 5) project the interaction protocol onto these agents’ partitions.

The algorithm is explained by means of two running examples introduced in [2].

1) V1 ∪ V2 ∪ ... ∪ Vk = V 2) Vi ∩ Vj = ∅ ∀i 6= j

A balance constraint may be required, demanding that all blocks have about equal weights. To be more precise, a good Fig. 1. The “Socks and Shoes” MAS partition is the one where the sum of the node weights in each Vi is “about the same” and the sum of all edge a) Socks and Shoes (SaS): Let us consider the simple weights of edges connecting all different pairs Vi and Vj is scenario illustrated in Figure 1 where two robots (right minimized. Applications of graph partitioning include parallel and left), two monitors (right and left) associated with processing, road networks, image processing, VLSI design, each robot, and a plan monitor which supervises them, social networks, and bioinformatics. Among the many existing must reach the goal to put the right and left socks and tools for graph partitioning we opted for using METIS [20], shoes in the correct way (socks first!). As robots are a set of serial programs for partitioning graphs, partitioning autonomous, they could perform the two actions in the wrong finite element meshes, and producing fill reducing orderings order: monitors are there to ensure that wrong actions are for sparse matrices (http://glaros.dtc.umn.edu/gkhome/views/ immediately rolled back. Robots communicate their actions metis, accessed on June 2016). The choice of METIS was due to their corresponding monitors, which, in turn, notify the to the efficiency of the multi-level Kernighan/Lin approach it plan monitor when the robots accomplish their goal. The builds upon [19] and to the ease of its installation and usage. interaction types involving the right robot and the right node monitor are defined as msg(right robot, right node monitor, IV. MAS-DRIVE: DESIGN tell, put sock) ∈ put right sock; msg(right robot, right node monitor, tell, put shoe) ∈ put right shoe; msg(right robot, right node monitor, tell, removed shoe) ∈ removed right shoe; msg(right node monitor, right robot, tell, oblige remove shoe) ∈ oblige remove right shoe; msg(right node monitor, plan monitor, tell, ok) ∈ ok right.

Those for the left robot and left node monitor are symmetrical.

Given an interaction protocol expressed in some suitable formalism, the MAS-DRiVe algorithm for partitioning a MAS in such a way that the identified subsystems can be safely monitored in a decentralized way is the following: 1) extract the interaction graph I G from the interaction

protocol; 2) identify the sets of agents which cannot be split during the decentralized monitoring (unsplittable agents), since the interactions they are involved in are not independent; 3) compute the collapsed interaction graph CI G by collapsing each of those sets into a single node with weight equal to the cardinality of the collapsed set, and by computing the collapsed edges consistently; for simplicity,

The right robot (RIGHT branch in the protocol description below) can start by putting the sock, which is the correct action to do, or (∨ operator) by putting the shoe, which requires a recovery by the right robot monitor and looping back to the RIGHT branch. The left robot has the same behavior (LEFT branch in the protocol description). The SaS protocol is described by the shuffle of the actions of the right and left verify MA2, and if an event has type msg3 or ack3 , then it must verify MA3.

As already introduced in the beginning of this section, the MAS-DRiVe algorithm consists of five steps. robots and monitors (RIGHT | LEFT): (put right sock:put right shoe:ok right: )∨ (put right shoe:oblige remove right shoe: removed right shoe:RIGHT) (put left sock:put left shoe:ok left: )∨ (put left shoe:oblige remove left shoe: removed left shoe:LEFT) RIGHT|LEFT. (msg MM )∧(msg ack ( 1 ) MA1)∧ (msg ack ( 2 ) MA2)∧(msg ack ( 3 ) msg1 :msg2 :msg3 :MM msg1 :ack1 :MA1 msg2 :ack2 :MA2 msg3 :ack3 :MA2 where msg ack (i), i ∈ {1, 2, 3}, and msg denote the event types s.t. Jmsg ack (i)K = Jmsg iK ∪ Jack iK, i ∈ {1, 2, 3}, and Jmsg K = Jmsg1 K ∪ Jmsg2 K ∪ Jmsg3 K.

The trace expression defined by MM corresponds to the first constraint informally stated above, while MA1, MA2, and MA3 formalize the second constraint. The main trace expression ABP3 can be easily read as follows: if an event has type msg1 or msg2 or msg3 , then it must verify MM , and if an event has type msg1 or ack1 , then it must verify MA1, and if an event has type msg2 or ack2 , then it must extract(ID, AlreadyMetTrExp, Str, Level, τ ) is defined by cases: 1) if TrExpr belongs to AlreadyMetTrExp, then return; 2) if TrExpr is , then return; 3) if τ is α uop τ1, where uop is an operator in {:, }, then a) NewStr = Str • (uop, Level+1) b) extract all the possible pairs of senders and receivers (S, R) such that S and R are involved in α c) for each of such pairs, generate and assert edge(ID,

d) NewAlreadyMetTrExp = {τ } S AlreadyMetTrExp

Level+1, τ1) 4) if τ is τ1∧τ2, then a) NewStr = Str • (∧, Level+1) b) NewAlreadyMetTrExp = {τ } S AlreadyMetTrExp

Level+1, τ1)

Level+1, τ2) 5) if τ is τ1 bop τ2, where bop is an operator in {·, ∨, |}, then a) NewStr1 = Str • (bop, Level+1) b) NewStr2 = Str • (bop, 2*Level+1) c) NewAlreadyMetTrExp = {τ } S AlreadyMetTrExp

Level+1, τ1)

2*Level+1, τ2)

Given a protocol identified by ID and represented by the trace expression τ , extract(ID, {}, Λ, 1, τ ) generates and asserts all the edges in IGext. The generation of IGext nodes is straightforward. The idea behind this function is that edges whose labels share the same prefix have a strong dependency as they belong to the same intersection. In fact, the only case where labels of edges share the same prefix is that of ∧ (case 4), where the same string and level are passed to the recursive calls. If the operator is not an intersection (case 5), the strings and levels passed to the recursive calls are different, meaning that the two operands are independent from one another and so will be the edges generated during their exploration.

For example, the edges in the auxiliary IGext graph extracted from the ABP3 protocol are: (bob, alice, ((∧, 2) ( , 3 ) ( , 4 ) ( , 5 )) )

∧ ∧ (bob, carol, ((∧, 2) ( , 3 ) ( , 4 ) ( , 5 )) )

∧ ∧ (bob, dave, ((∧, 2) ( , 3 ) ( , 4 ) ( , 5 )) )

∧ ∧ (bob, alice, ((∧, 2) ( , 3 ) ( , 4 ) ( , 5 ) (:, 6)) )

∧ ∧ (bob, carol, ((∧, 2) (∧, 3) (∧, 4) ( , 5 ) (:, 6) (:, 7)) ) (bob, dave, ((∧, 2) (∧, 3) (∧, 4) ( , 5 ) (:, 6) (:, 7) (:, 8)) ) (alice, bob, ((∧, 2) ( , 3 ) (∧, 4) ( , 5 ) (:, 6) (:, 7)) ) ∧ (bob, carol, ((∧, 2) (∧, 3) ( , 4 )) ) (carol, bob, ((∧, 2) ( , 3 ) ( , 4 )) )

∧ (bob, carol, ((∧, 2) ( , 3 ) ( , 4 ) (:, 5)) )

∧ (carol, bob, ((∧, 2) ( , 3 ) ( , 4 ) (:, 5) (:, 6)) )

∧ (bob, dave, ((∧, 2) ( , 3 )) ) (dave, bob, ((∧, 2) ( , 3 )) ) (bob, dave, ((∧, 2) ( , 3 ) (:, 4)) ) (dave, bob, ((∧, 2) ( , 3 ) (:, 4) (:, 5)) ) The IG nodes are alice, bob, dave, carol and the edges are (alice, bob), (dave, bob), (carol, bob), which are extracted in a trivial way from IGext.

can be monitored independently from one another, as some interaction patterns that must be respected by a set of agents seen as a whole, could be lost when looking at subsets of the agents.

As an example, alice, bob, carol and dave in the ABP3 represent an unsplittable set of agents. In fact, if we monitored interactions involving alice and bob only, we could find that they respect the second constraint of the protocol, but we could never ensure that the first constraint – which also depends on the interactions of bob with carol and dave – is respected as well. The notions of dependence and independence are related to the protocol but also to the formalism used for modeling it, so no general rule for this step can be devised. When the interaction formalism F is that of trace expressions, however, dependencies among interactions are naturally modeled using the intersection operator. Thus, although it may be an overcautious approach, when using trace expressions we define “unsplittable” the agents involved in interactions connected by an intersection operator.

The algorithm for performing the identification of unsplittable agents looks at the labels in IGext and creates sets of agents involved in interactions whose label has the same prefix before the first∧ operator in the label, if any. For example, in SaS no label contains ∧ and hence the set of unsplittable agents is empty, whereas in ABP3 all the edge labels share the ( , 2 ) prefix, meaning that all the ∧ interactions in the protocol belong to branches connected by the same intersection operator. As a consequence, all the agents involved in the ABP3 protocol interactions belong to the same set of unsplittable agents, which coincides with all the agents in the MAS. 3) Graph collapse. In this stage, we transform the unweighted undirected interaction graph IG into a weighted undirected graph CIG, obtained by collapsing each node in IG corresponding to an agent belonging to unsplittable set U , into a single node with label U and weight equal to U cardinality. Nodes in CIG are labeled with sets of agents, which can be the singleton set for agents belonging to no unsplittable set. Edges exiting from (resp. entering into) a node are all those which, in IG, exited from (resp. entered into) one of the nodes in the label.

Considering the running examples above, the weighted nodes in the SaS CIG are ({right robot},1) ({right node monitor},1) ({plan monitor},1) ({left robot},1) ({left node monitor},1) namely, no collapse took place, while the only weighted node in the ABP3 CIG is ({alice,bob,carol,dave},4) labeled with the set of unsplittable agents.

The edges in the SaS CIG are the same as those in the SaS IG, while there are no edges in the ABP3 CIG due to the presence of only one node. 4) Graph partitioning. This stage of the algorithm consists in partitioning the CIG graph obtained by the collapse stage. The number of expected partitions is given as an input by the user and must be grater than one. Any suitable partitioning algorithm could be used during this stage. We will discuss our implementative choice in Section V.

The partition of the original, not collapsed graph IG, is trivially derived by that of CIG by making the union of the agents in the labels of the nodes in each CIG partition. the node weights in each partition is about the same and the number of edges connecting nodes in two different partitions is minimized (by associating the unit weight with each edge), we can obtain the following partition for the agents {plan monitor, right node monitor, right robot} } . involved in the SaS protocol: {{left node monitor, left robot},

The agents involved in the ABP3 protocol cannot be partitioned because the collapsed graph consists of only one node. 5) Projection. Once the agents belonging to the same partition have been devised, the projection algorithm presented in Section III-B can be used to project the global interaction protocol onto each of them.

node(abp3,bob) node(abp3,alice) node(abp3,carol) node(abp3,dave)

edge(abp3,bob,alice,[ ((/\),2), ((/\),3), ((/\),4), ((>>),5)]) edge(abp3,bob,carol,[ ((/\),2), ((/\),3), ((/\),4), ((>>),5)]) ....

@((S_1|S_2), [S_1= (put_right_sock:put_right_shoe:ok_right:lambda)\/ (put_right_shoe:oblige_remove_right_shoe: removed_right_shoe:S_1), S_2= (put_left_sock:put_left_shoe:ok_left:lambda)\/ (put_left_shoe:oblige_remove_left_shoe:

removed_left_shoe:S_2)]) can be partitioned into {[left_node_monitor],[left_robot]} {[plan_monitor],[right_node_monitor],[right_robot]}

node(socks,right_robot) node(socks,right_node_monitor) node(socks,plan_monitor) node(socks,left_robot) node(socks,left_node_monitor)

edge(socks,right_robot,right_node_monitor, [((|),2), ((\/),3), ((:),4)]) edge(socks,right_robot,right_node_monitor, [((|),2), ((\/),3), ((:),4), ((:),5)]) ........

cnode(socks,[right_robot],1) cnode(socks,[right_node_monitor],1) cnode(socks,[plan_monitor],1) cnode(socks,[left_robot],1) cnode(socks,[left_node_monitor],1)

cedge(socks,[right_robot],[right_node_monitor]) cedge(socks,[right_node_monitor],[plan_monitor]) cedge(socks,[left_robot],[left_node_monitor]) cedge(socks,[left_node_monitor],[plan_monitor])

We run experiments with protocols that involve distinct groups of agents each following the ABP3 protocol. For example, in the DoubleABP3, alice, bob, carol and dave follow the ABP3 protocol, alice2, bob2, carol2 and dave2 follow the ABP3 protocol as well, and both bob and bob2 interact with boss. Since alice, bob, carol and dave have no interactions with alice2, bob2, carol2 and dave2, the two groups are independent from each other and can be safely partitioned for the purpose of decentralized runtime verification. In such a situation, the partition computed by MAS-DRiVe is the following:

[ ((*),3), ((\/),7), ((:),8), ((:),9), ((/\),10)], [alice2,bob2,carol2,dave2] [ ((*),3), ((\/),4), ((:),5), ((:),6), ((/\),7)], [alice,bob,carol,dave]

@((bobasks:lambda|bob2asks:lambda)* ((okbob:nobob2:msg3>>S_1/\msg_ack( 1 )>>S_2/\ msg_ack( 2 )>>S_3/\msg_ack( 3 )>>S_4)\/ (okbob2:nobob:mmsg3>>S_5/\mmsg_ack( 1 )>>S_6/\ By using a graph partitioning algorithm where the sum of Unsplittable list: [] The content of the socksOut.txt file that we obtain by mmsg_ack( 2 )>>S_7/\mmsg_ack( 3 )>>S_8)), [S_1=m1:m2:m3:S_1,S_2=m1:a1:S_2, calling partition(socks, 2, ’./socksOut.txt’) S_3=m2:a2:S_3,S_4=m3:a3:S_4,S_5=mm1:mm2:mm3:S_5, is: S_6=mm1:aa1:S_6,S_7=mm2:aa2:S_7,S_8=mm3:aa3:S_8]) events. For example, an interaction between the plan monitor can be partitioned into and the left node monitor, corresponding to a (plan monitor, {[boss],[alice2,bob2,carol2,dave2]} left node monitor) edge in the graph, will be monitored by {[alice,bob,carol,dave]} both the monitor in charge of {left node monitor, left robot} tfadoholfaservToaeahgpwleeaminrciattuteihlstsg2ito,ofthobrnbieletlohoaTbmmwrr2eioi,pcnnflocgoieatruAortrnehroBecdelPdt2.lA3yWaaBlrpnleePrdcot3oogt.doggoacentvotihetzlh,e2eers.w,tNeiahtxnhoapdtetoahtcthlrthieeaceedter,tdhccbioeoosrtnbisrsn,eatcccmrttaaeirgrnoerhtlossouaulonldptndsss trraabpheinneogdeodshuestnthnimbtuedhrlpmraoealntbobabcoyeryyietren}ads,coeacfotlanhofesenacdiroatmgiiguttneetpgbosiremnooaavvfacaopetrvlim{aovcorpseaietsdlslinalteyitpnodaan,ogdrmifetebninottugoeitntoscuianttrclosiagtn.rwhno,eGrobibrrtrooiekhagtp:mphhkthitsemttoprhpnfaataaolttredattnhgseimtueiiesimommnsmni.obimacnneloTrgiiltuzhoaeoliirdssssf,

The code of the MAS-DRiVe algorithm can be downloaded monitors to deploy, or at least guidelines may be provided in from http://www.disi.unige.it/person/MascardiV/Software/ the future. masdrive.html. It requires SWI Prolog and the METIS Finally, as part of our future work, we plan to make an exsoftware installed and accessible via the command line from haustive experimentation of MAS-DRiVe on existing complex everywhere. We tested it on Mageia Linux. protocols. METIS can easily partition graphs with hundreds of nodes so we will model protocols involving hundreds of

VI. CONCLUSIONS AND FUTURE WORK agents and test the scalability of the approach. Studying its This paper addresses the problem of how to partition a computational properties from a theoretical viewpoint is on MAS into agents’ subsets that can be verified at runtime, our agenda as well. independently from one another, in such a way that the results obtained by the decentralized runtime verification are the ACKNOWLEDGMENTS same as those obtained by monitoring the whole MAS in a We are grateful to the anonymous reviewers for their useful centralized way. remarks and constructive comments.

We designed and implemented the MAS-DRiVe algorithm, whose results are consistent with those discussed in [2]. In that REFERENCES paper, the feasibility of distributing the runtime monitoring over user-defined sets of agents was empirically validated by checking the traces of events compliant with the decentralized subprotocols up of a given length, and verifying whether they were compliant with the original global protocol as well. That approach gave a semi-decidable information: if all traces up to a given length l were found to be compliant with the protocol, this did not ensure that problems could not arise with traces of length l + 1. With MAS-DRiVe we propose a constructive way to partition agents in the MAS, rather than letting the user decide how to partition them, and we overcome the problems due to the empirical validation approach by proposing partitions that are “safe” w.r.t. the trace expression operators. In particular, we assume that agents involved in an intersection can never be partitioned. This is an overcautious approach, but since intersection is the construct used to state constraints across different independent branches of the protocol, we assume that those branches cannot be monitored independently.

In its current version, then, the MAS can not get split if no semi-independent parts of the system can get identified.

Although this is a limitation of our approach, this could have an interesting side effect that we aim to explore in the close future, namely the possibility to come up with suggestions for MAS designers in terms of good practices for better subsystems encapsulation based on interaction protocol analysis.

Such suggestions could be applied to distributed systems in general, and not only to MASs, and could prove useful in those approaches where there is an embedded notion of some sort of encapsulation.

As far as graph partitioning is concerned, we point out that the obtained partitions do not correspond to partitions of