SMT-based BMC for Dense Timed Interpreted Systems and EMTLK
Properties
Agnieszka M. Zbrzezny
1 a
, Andrzej Zbrzezny
2 b
and Bo
˙
zena Wo
´
zna-Szcze
´
sniak
2 c
1
Faculty of Mathematics and Computer Science, University of Warmia and Mazury,
Słoneczna 54, 10-710 Olsztyn, Poland
2
Department of Mathematics and Computer Science, Jan Długosz University in Cze¸stochowa,
Armii Krajowej 13/15, 42-200 Cze¸stochowa, Poland
Keywords:
Satisfiability Modulo Theories, Bounded Model Checking, The Existential Fragment of the Epistemic Metric
Temporal Logic, Dense Timed Interpreted Systems.
Abstract:
The use of automated verification, performed by the analysis of their models, is often recommended to assess
the correctness of safety-critical systems, failure of which could cause dramatic consequences for both people
and hardware. In the past, several automated verification methods, including model checking, have been pro-
posed and consequently applied for the trustworthy development of real-time multi-agent systems (RTMAS).
In this paper, we investigate a Satisfiability Modulo Theories based Bounded Model Checking (SMT-BMC)
method for EMTLK (the existential fragment of an epistemic Metric Temporal Logic) that is interpreted over
models generated by Dense Timed Interpreted Systems (DTIS). In particular, we translate the existential model
checking problem for EMTLK to the existential model checking problem for a variant of an epistemic Linear
Temporal Logic with a new set of propositional variables (called ELTLK
q
), and we provide an SMT-BMC
technique for ELTLK
q
. We have implemented our technique and tested it using the Timed Generic Pipeline
Paradigm scenario. Our preliminary experimental results allow us to draw positive conclusions regarding the
future applications of our new method in the automated verification of other benchmarks for RTMAS modelled
by DTIS.
1 INTRODUCTION
With the development and deployment of multi-
agent systems (MAS) (Wooldridge, 2009) growing
demand has emerged to develop robust and compre-
hensive MAS verification techniques. Model check-
ing (Clarke et al., 1999) is a well known, automatic
verification technique, which helps to establish the
correctness of systems. Its main idea is to represent
a system as a labelled transition system (model) and a
property as a modal formula, and automatically check
whether the formula holds in the model. However,
model checking of even moderately large MAS can
be difficult due to an exponential growth of the num-
ber of states with the number of components. This
phenomenon is known as the state explosion prob-
lem. Several state reduction techniques and symbolic
model checking approaches have been developed to
a
https://orcid.org/0000-0001-9897-3561
b
https://orcid.org/0000-0003-2771-9683
c
https://orcid.org/0000-0002-1486-6572
avoid this problem.
One of the symbolic model checking approaches
is bounded model checking (BMC) (Me¸ski et al.,
2014; Zbrzezny et al., 2015). BMC is a verification
technique designed for finding witnesses of existen-
tial properties. Its main idea is to represent a wit-
ness of finite length by a propositional formula or a
quantifier-free first-order formula; next, check the re-
sulting formula with a SAT solver or an SMT solver.
If the formula is satisfiable, a satisfying assignment
returned by the SAT or SMT solver can be translated
into a concrete witness showing that the property is
violated. Otherwise, the bound is increased. Further-
more, the process repeated. Note that the satisfiability
modulo theories problem (SMT) (Biere et al., 2009)
is a generalisation of the SAT problem (Biere et al.,
2009), where propositional variables are replaced by
predicates from various background theories, such as
linear, real, and integer arithmetic. In this paper, we
investigate an SMT-based BMC for a real-time ver-
sion of MAS with semantics based on interpreted sys-
tems (IS) (Fagin et al., 1995).
Zbrzezny, A., Zbrzezny, A. and Wo´zna-Szcze
´
sniak, B.
SMT-based BMC for Dense Timed Interpreted Systems and EMTLK Properties.
DOI: 10.5220/0010882100003116
In Proceedings of the 14th International Conference on Agents and Artificial Intelligence (ICAART 2022) - Volume 1, pages 345-352
ISBN: 978-989-758-547-0; ISSN: 2184-433X
Copyright
c
2022 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
345
The formalism of IS provides a useful frame-
work to model MASs, and to verify various classes
of temporal and epistemic properties of MAS. The
timed interpreted system (TIS) (Wo
´
zna-Szcze
´
sniak
and Zbrzezny, 2016) formalism extends the IS formal-
ism to make possible reasoning about discrete real-
time and epistemic properties of MASs. Especially,
TIS provides computationally grounded semantics on
which it is possible to interpret discrete time-bounded
temporal modalities as well as epistemic modalities.
In this paper, we extend the TIS formalism to a new
dense timed interpreted system (DTIS) formalism that
yields computationally grounded semantics for real-
time MAS, enabling the interpretation of both the
dense time-bounded temporal modalities and tradi-
tional epistemic modalities. The resulting transition
system that models the DTIS behaviour, which we
call the dense timed model (DTM), can evolve in two
different ways: with action transitions and with time
transitions. An action transition occurs whenever an
enabled join action is taken. It takes no time and may
cause a change of agents’ location and clock resets. A
time transition affects only the clocks, which are in-
creased by a certain (real) value and correspond to the
passage of continuous time. Furthermore, due to the
real-valued clock variables, the state space of DTM is
infinite. To represent infinite paths of DTM by finite
paths, thereby making the bounded model checking
analysis feasible, we define an equivalence relation in
the set of all the valuations for the clock variables that
induce a finite number of states that preserve time and
action transitions.
To express the MASs’ requirements various exten-
sions of standard temporal logics, for example Linear
Temporal Logic (LTL) (Clarke et al., 1999) or Metric
Temporal Logic (MTL) (Koymans, 1990), with epis-
temic (Fagin et al., 1995) modalities have been pro-
posed. LTL allows for expressing properties about
each execution of a system, e.g., any occurrence of
a problem eventually triggers the alarm. LTL, how-
ever, is inadequate to express specifications for MAS
whose correct behaviour depends on quantitative tim-
ing requirements. MTL extends LTL by constrain-
ing the temporal operators by time intervals and ad-
mits the specification of quantitative time require-
ments, e.g., every problem is followed within 30 time
units by an alarm. MTLK (Wo
´
zna-Szcze
´
sniak and
Zbrzezny, 2016) is an epistemic extension of MTL
interpreted over discrete timed models generated by
TIS, and it allows for the representation of the quan-
titative, but discrete-time, the temporal evolution of
epistemic states of the agents. For example, an agent
P knows that each time a problem occurs, then is it
followed within 30 discrete-time units by an alarm.
In this paper, we consider an existential version of
MTLK (called EMTLK) with the pointwise semantics
(Bouyer, 2009) and the time domain being the non-
negative real numbers. We interpret EMTLK over
models generated by DTIS. The EMTLK allows for
the representation of the quantitative temporal evolu-
tion of epistemic states of the agents. For example,
it is not true that an agent P knows that each time
a problem occurs, then is it followed within 30 time
units by an alarm.
Contributions. We study an SMT-based BMC
method for EMTLK that is interpreted over models
generated by DTIS. We first define the DTIS and its
dense timed model. Next, we translate the existential
model checking problem for EMTLK to the existen-
tial model checking problem for a variant of an epis-
temic LTL with a new set of propositional variables
(called ELTLK
q
). Finally, we define an SMT-based
BMC technique for ELTLK
q
. We have implemented
our technique and tested it using the Timed Generic
Pipeline Paradigm scenario to illustrate new model
checking techniques.
2 DENSE TIMED INTERPRETED
SYSTEM
Each interpreted systems formalism consists of a set
of agents and the environment in which the agents op-
erate. Therefore, we assume a non-empty and finite
set of agents A = {1,... ,n}, and a special agent E
that models the environment. The set of agents A to-
gether with the environment E constitute a MAS.
In order to model our agents formally, and to de-
fine the DTIS, we start by establishing the notation
used through the paper. By IR we denote the set of
non-negative real numbers, and by IR
+
the set of pos-
itive real numbers. We also assume the following:
• X =
S
c∈A
X
c
∪ X
E
is a finite set of non-negative
real variables, called clocks, such that X
c
∩X
d
=
/
0,
for all c,d ∈ A ∪ {E}.
• v : X 7→ IR is a total clock valuation function that
assigns to each clock x ∈ X a non-negative real
value v(x).
• The set IR
|X |
consists of all the clock valuations.
• For Y ⊆ X the valuation v
0
= v[Y := 0] is defined
as: ∀x ∈ Y , v
0
(x) = 0 and ∀x ∈ X \Y , v
0
(x) = v(x).
• For δ ∈ IR, the valuation v
0
= v + δ is defined as:
∀x ∈ X , v
0
(x) = v(x) + δ.
• Let x ∈ X , c ∈ IN, and ∼∈ {≤,<,=,>,≥}. The
set C (X ) of clock constraints over the set of
clocks X is defined by the following grammar:
cc := x ∼ c | cc ∧ cc.
ICAART 2022 - 14th International Conference on Agents and Artificial Intelligence
346
• For any clock valuation v ∈ IR
|X |
and cc ∈ C (X ),
the satisfaction relation v |= cc is defined as fol-
lows: v |= x ∼ c iff v(x) ∼ c, and v |= cc ∧ cc
0
iff
v |= cc and v |= cc
0
.
• P V =
S
c∈A
P V
c
∪P V
E
is a set of propositional
variables such that P V
c
∩ P V
d
=
/
0, for all c,d ∈
A ∪ {E }.
The formalism of dense timed inter-
preted system (DTIS) is a tuple D =
({L
c
,ι
c
,Σ
c
,X
c
,P
c
,V
c
,I
c
}
c∈A∪{E}
,{t
c
}
c∈A
,t
E
),
where
• L
c
is a non-empty and finite set of local states of
agent (environment) c. Each local state of an agent
captures the complete information about the system
that the agent has at a given moment. We assume
that the local states of E are ”public”.
• ι
c
⊆ L
c
is a non-empty set of initial local states of
agent (environment) c.
• Σ
c
is a non-empty and finite set of local actions of
agent (environment) c that are used to model the
temporal evolution of the system. It is assumed that
the special null action ε
c
belongs to Σ
c
, and that
all actions are ”public”. Each element of the set
Σ = Σ
1
× ... × Σ
n
× Σ
E
is called the joint action.
• X
c
is a non-empty and finite set of clocks of agent
(environment) c. We assume that the clocks of the
environment E are ”public”.
• P
c
: L
c
7→ 2
Σ
c
is a local protocol function that as-
signs to every local state a set of local actions that
can be executed at that state.
• V
c
: L
c
→ 2
P V
c
is a valuation function that assigns
to each local state a set of propositional variables
that are true at that state.
• I
c
: L
c
→ C (X
c
) is an invariant function that speci-
fies the amount of time agent (environment) c may
spend in its local states.
• t
c
: L
c
× L
E
× C (X
c
) × 2
X
c
× Σ → L
c
is a (partial)
evolution function for agent c ∈ A.
• t
E
: L
E
× C (X
E
) × 2
X
E
× Σ → L
E
is a (partial) evo-
lution function for the environment E .
We define the semantics of DTIS D by associating a
dense timed model that is a tuple M = (Σ, S,ι,T,V ),
where
• Σ is the set of joint actions.
• S =
∏
c∈A∪{E}
(L
c
× IR
|X
c
|
) is the non-empty set
of all global states. For a global state s =
((`
1
,v
1
),. .. ,(`
n
,v
n
),(`
E
,v
E
)) ∈ S, the symbol
l
c
(s) = `
c
denotes the local component of agent
c ∈ A ∪{E } in s, and v
c
(s) = v
c
denotes the clock
valuation of agent c ∈ A ∪ {E} in s.
• ι =
∏
c∈A∪{E}
(ι
c
× {0}
|X
c
|
) is the non-empty set
of all initial global states such that ι ⊆ S.
• T ⊆ S ×(Σ∪IR)×S is a transition relation defined
by action and time transitions:
– Action transition: for any a ∈ Σ, (s, a,s
0
) ∈
T iff for all c ∈ A, there exists a transi-
tion t
c
(l
c
(s),l
E
(s),cc
c
,Y,a) = l
c
(s
0
) such that
v
c
(s) |= cc
c
∧ I
c
(l
c
(s)) and v
0
c
(s
0
) = v
c
(s)[Y :=
0] and v
0
c
(s
0
) |= I
c
(l
c
(s
0
)), and there exists
a transition t
E
(l
E
(s),cc
E
,Y,a) = l
E
(s
0
) such
that v
E
(s) |= cc
E
∧ I
E
(l
E
(s)) and v
0
E
(s
0
) =
v
E
(s)[X
0
:= 0] and v
0
E
(s
0
) |= I
E
(l
E
(s
0
)).
– Time transition: let δ ∈ IR
+
, (s,δ,s
0
) ∈ T iff
for all c ∈ A ∪ {E }, l
c
(s) = l
c
(s
0
) and v
c
(s) |=
I
c
(l
c
(s)) and v
0
c
(s
0
) = v
c
(s) + δ and v
0
c
(s
0
) |=
I
c
(l
c
(s)).
• V : S → 2
P V
is the valuation function defined as
V (s) =
S
c∈A∪{E}
V
c
(l
c
(s))
We assume that the relation T is total, i.e. for any s ∈ S
there exists s
0
∈ S and there exist either a non-empty
joint action a ∈ Σ or real number δ ∈ IR such that it
holds T (s,a,s
0
) or T (s, δ,s
0
). Furthermore, given a
DTIS and an agent c ∈ A, we assume the following
definition of the indistinguishability relation : for any
s,s
0
∈ S, s ∼
c
s
0
iff l
c
(s
0
) = l
c
(s).
A run ρ in a dense timed model that is based on the
transition relation T is an infinite sequence of global
states s
0
δ
0
,a
0
−→ s
1
δ
1
,a
1
−→ s
2
δ
2
,a
2
−→ ... such that s
i
∈ S, a
i
∈ Σ,
and δ
i
∈ IR
+
for all i ∈ IN. An assumption that δ
i
∈
IR
+
implies that runs are strongly monotonic, that is,
every two action transitions must be separated by a
time one.
3 EMTLK WITH A DENSE
SEMANTICS
In what follows we assume that ◦ ∈ {∧, ∨}.
Definition 3.1. Let p ∈ P V , c ∈ A, and I be an inter-
val in IR of the form: [a,b) or [a,∞), for a,b ∈ IN and
a 6= b. Then the formulae α of EMTLK are defined
inductively:
α := t | f | p | ¬p | α ◦ α | αU
I
α | G
I
α | K
c
α.
The linear-time operators U
I
and G
I
are read
as “bounded until” and “bounded globally”, re-
spectively. The derived basic modal operators for
“bounded eventually” and “bounded release” are de-
fined as follows: F
I
α
def
= tU
I
α and αR
I
β
def
= βU
I
(β ∧
α) ∨ G
I
β. Hereafter, if the interval I is of the form
[0,∞), we omit it for the simplicity of the presenta-
tion. The epistemic operator K
c
is read as “agent c
considers possible” and it is dual to the standard epis-
temic operator K
c
, which is read as “agent c knows”.
To define the semantics we need the notions of
a path λ
ρ
corresponding to run ρ, and of a duration
function D
ρ
: IN 7→ IR
+
as in (Bouyer, 2009).
SMT-based BMC for Dense Timed Interpreted Systems and EMTLK Properties
347
Let M = (Σ,S,ι,T,V ) be a dense timed model,
and ρ = s
0
δ
0
,a
0
−→ s
1
δ
1
,a
1
−→ s
2
δ
2
,a
2
−→ . .. a run in M. Each
run generates the unambiguous path λ
ρ
: IN → S, be-
cause we consider only the strongly monotonic runs.
Further, Π(s) denotes the set of all the paths starting
at s ∈ S, and Π =
S
s
0
∈ι
Π(s
0
) is the set of all the paths
starting at all initial states. Finally, given a run ρ and
a position j > 0, a duration function D
ρ
( j) returns the
sum of all the time transitions along the run ρ till the
position j.
Definition 3.2. Let α and β be EMTLK formulae, M
the dense timed model, and λ
ρ
a path. By λ
ρ
[n] we de-
note the path λ
ρ
with a designated formula evaluation
position n ∈ IN. An EMTLK formula α is true along
a path λ
ρ
(in symbols M,λ
ρ
|= α) iff M,λ
ρ
[0] |= α,
where
• M,λ
ρ
[n] |= p iff p ∈ V (λ
ρ
(n)),
• M,λ
ρ
[n] |= ¬p iff p 6∈ V (λ
ρ
(n)),
• M,λ
ρ
[n] |= αU
I
β iff (∃ j ≥ n)
(D
ρ
( j) − D
ρ
(n)) ∈ I and M,λ
ρ
[n + j] |= β
and (∀n 6 i < j)(M,λ
ρ
[n + i] |= α)
,
• M,λ
ρ
[n] |= G
I
β iff (∀ j ≥ n)
(D
ρ
( j)−D
ρ
(n)) ∈ I
implies M,λ
ρ
[n + j] |= β
,
• M,λ
ρ
[n] |= K
c
α iff (∃π ∈ Π)(∃i ≥ 0)(π(i) ∼
c
λ
ρ
(n) and M,π[i] |= α).
The semantics of the Boolean constants t and f, and
propositional operators ∨ and ∧ is defined in the stan-
dard way.
The EMTLK formula ϕ is existentially valid in the
model M (written M |= ϕ) iff M,λ
ρ
|= ϕ for some path
λ
ρ
∈ Π. The existential model checking problem asks
whether M |= ϕ.
4 TRANSLATION FROM EMTLK
TO ELTLK
q
Definition 4.1. Let I be an interval as assumed in
Def. 3.1, I V the set of all intervals in IR, and
P V
I V
= {q
I
| I ∈ I V }. The formulae α of ELTLK
q
are defined inductively:
α := t | f | υ | ¬υ | α ◦ α | αUα | Gα | K
c
α
where υ ∈ P V ∪ P V
I V
and c ∈ A.
The modal operators U and G are read as the “un-
til” and the “globally”, respectively. The modal oper-
ator K
c
is the standard epistemic modality for “agent
c considers possible”.
Definition 4.2. Let α and β be ELTLK
q
formulae, M
the dense timed model, and λ
ρ
a path. By λ
ρ
[n] we de-
note the path λ
ρ
with a designated formula evaluation
position n ∈ IN. The satisfiability relation |=
d
, which
indicates truth of an ELTLK
q
formula in the model M
along the path λ
ρ
with the starting point n and at the
depth d > n, is defined inductively as follows:
• M,λ
ρ
[n]|=
d
p iff p ∈ V (λ
ρ
(d)),
• M,λ
ρ
[n]|=
d
¬p iff p 6∈ V (λ
ρ
(d)),
• M,λ
ρ
[n]|=
d
q
I
iff D
ρ
(d) − D
ρ
(n) ∈ I,
• M,λ
ρ
[n]|=
d
¬q
I
iff D
ρ
(d) − D
ρ
(n) 6∈ I,
• M,λ
ρ
[n]|=
d
αUβ iff (∃ j ≥ d)
M,λ
ρ
[d]|=
j
β and
(∀d 6 i < j) (M,λ
ρ
[d]|=
i
α)
,
• M,λ
ρ
[n]|=
d
Gβ iff (∀i ≥ d) M,λ
ρ
[d]|=
i
β,
• M,λ
ρ
[n]|=
d
K
c
α iff (∃λ
ρ
0
∈ Π)(∃i ≥ 0) (λ
ρ
0
(i) ∼
c
λ
ρ
(d) and M,λ
ρ
0
[0]|=
i
α).
The semantics of the Boolean constants t and f, and
propositional operators ∨ and ∧ is defined in the stan-
dard way.
An ELTLK
q
formula ϕ is existentially valid in the
model M (written M |= ϕ) iff M,λ
ρ
[0] |=
0
ϕ for some
path λ
ρ
∈ Π. The existential model checking problem
asks whether M |= ϕ.
Let p ∈ P V , α, β be formulae of EMTLK. We
define the translation from EMTLK into ELTLK
q
as
a function tr : EMTLK → ELTLK
q
in the following
way: tr(t) = t, tr(f) = f, tr(p) = p, tr(¬p) = ¬p,
tr(α ∧ β) = tr(α) ∧ tr(β), tr(α ∨ β) = tr(α) ∨ tr(β),
tr(αU
I
β) = tr(α)Utr(q
I
∧ β), tr(G
I
β) = G(¬q
I
∨
tr(β)), tr(K
c
α) = K
c
tr(α).
Observe that the translation of literals as well as
Boolean connectives is straightforward. The transla-
tion of U
I
r ensures that β holds somewhere in the in-
terval I (expressed by the requirement q
I
∧ tr(β)), and
α holds always before β. Similarly, the translation of
G
I
ensures that β always holds in the interval I (ex-
pressed by the requirement ¬q
I
∨ tr(β)).
The following theorem can be proven by induction
on the length of the EMTLK formula.
Theorem 4.1. Let M be the dense timed model, and
ϕ an EMTLK formula. Then, M |= ϕ iff M |= tr(ϕ).
5 SMT-BASED BMC OF ELTLK
q
PROPERTIES
5.1 Bounded Semantics
We start by recalling some basic definitions of k-path
and loop that allow to represent infinite paths of the
dense timed model M in a finite way.
Definition 5.1. Let M be the dense timed model,
k ∈ IN, and 0 6 l 6 k. A k-path is a pair
(π,l), also denoted by π
l
, where π is a finite se-
quence π = (s
0
,. .. ,s
k
) of states such that for each
ICAART 2022 - 14th International Conference on Agents and Artificial Intelligence
348
0 6 j < k, either (s
j
δ
−→ s
j+1
) for some δ ∈
IR
+
, or (s
j
a
−→ s
j+1
) for some a ∈ Σ, and ev-
ery action transition is preceded by at least one
time transition. A k-path π
l
is a loop, written
e
π
l
for short, if l < k, l
c
(π(k)) = l
c
(π(l)) for each
agent c ∈ A, and (v
1
(π(k)),...,v
n
(π(k)),v
E
(π(k))) '
(v
1
(π(l)),. .. ,v
n
(π(l)),v
E
(π(l))), where ' is the
equivalence relation on the set of all the clock val-
uations defined as in (Alur et al., 1993).
If a k-path π
l
is a loop, then it represents the infi-
nite path of the form uv
ω
, where u = (π(0), .. ., π(l))
and v = (π(l + 1), .. ., π(k)). We denote this unique
path by
e
π
l
. Note that for each j ∈ IN,
e
π
l
l+ j
=
e
π
l
k+ j
.
Furthermore, by Π
k
(s) we denote the set of all the
k-paths starting at s ∈ S, and we define the set of
all the k-paths starting at all initial states in S as:
Π
k
=
S
s
0
∈ι
Π
k
(s
0
).
Definition 5.2 (Bounded Semantics). Let α and β be
ELTLK
q
formulae, M the dense timed model, π
l
a k-
path, and 0 6 n,d 6 k. The satisfiability relation |=
d
k
,
which indicates truth of an ELTLK
q
formula in the
model M along the k-path π
l
with the starting point n
and at the depth d is defined inductively as follows:
• M,π
l
[n] |=
d
k
p iff p ∈ V (π
l
(d)),
• M,π
l
[n] |=
d
k
¬p iff p /∈ V (π
l
(d)),
• M,π
l
[n] |=
d
k
q
I
iff
1. D
π
l
(d) − D
π
l
(n) ∈ I, if π
l
is not a loop,
2. D
e
π
l
(d) − D
e
π
l
(n) ∈ I, if π
l
is a loop and d > n,
3. D
e
π
l
(d + k − l) − D
e
π
l
(n) ∈ I, if π
l
is a loop and
d < n,
• M,π
l
[n] |=
d
k
¬q
I
iff M, π
l
[n] 6|=
d
k
q
I
• M,π
l
[n] |=
d
k
αUβ iff (∃
d6 j6k
)
M,π
l
[d] |=
j
k
β and
(∀
d6i< j
)M,π
l
[d] |=
i
k
α
or
π
l
is a loop and
(∃
l< j<d
) M,π
l
[d] |=
j
k
β and (∀
l<i<k
)M,π
l
[d] |=
i
k
α
and (∀
d6i6k
)M,π
l
[d] |=
i
k
α
,
• M,π
l
[n] |=
d
k
Gβ iff loop(π
l
) and
(∀
i6k
)(i > min(d, l) implies M,π
l
[d] |=
i
k
β),
• M,π
l
[n] |=
d
k
K
c
α iff (∃π
0
l
0
∈ Π
k
)(∃
0≤i≤k
)
(M,π
0
l
0
[0] |=
i
k
α and π(d) ∼
c
π
0
(i)).
The semantics of the Boolean constants t and f, and
propositional operators ∨ and ∧ is defined in the stan-
dard way.
Observe that to evaluate propositional vari-
ables we use only finite prefixes of the sequence
(D
π
l
(0),D
π
l
(1),. ..). Namely, if a k-path π
l
is not a
loop, then we have to consider the prefix of the length
k only. However, if a k-path π
l
is a loop, then we have
to consider the prefix of the length k + k − l.
An ELTLK
q
formula ϕ is existentially k-valid in
the model M, written M |=
k
ϕ, iff M,π
l
[0] |=
0
k
ϕ for
some k-path π
l
starting at the initial state.
The proof of Lemma 5.1 below is based on induc-
tion on the length of the given formula. It is analogous
to the proof of Lemma 7 from the paper (Biere et al.,
1999).
Lemma 5.1. Let M be the dense timed model. For
each ELTLK
q
formula ϕ, each k-path π
l
in M, each
0 ≤ m ≤ k and each 0 ≤ d ≤ k, if M,π
l
[m] |=
d
k
ϕ, then
there exists a path π
0
such that π
0
[..k] = π
l
and: m ≤ d
and M,π
0
[m] |=
d
ϕ or m > d and M,π
0
[m] |=
d+k−l
ϕ.
The proof of the Lemma 5.2 below is based on
the well-known fact that if the LTL formula is true on
some infinite path, it is also true on an infinite path of
the form uv
ω
, where u and v are finite sequences of
states (Biere et al., 1999).
Lemma 5.2. Let M the dense timed model, π a path
in the model, and k ≥ 0. For each ELTLK
q
formula ϕ,
each 0 ≤ m ≤ k and each 0 ≤ d ≤ k, if M,π[m] |=
d
ϕ,
there exists a k-path π
l
such that M, π
l
[m] |=
d
k
ϕ.
Theorem 5.1 shows that for some specific bound,
bounded and unbounded semantics are equivalent.
The proof of Theorem 5.1 follows directly from Lem-
mas 5.1 and 5.2.
Theorem 5.1. Let M be the dense timed model for
the dense timed interpreted system D, ϕ an ELTLK
q
formula, and ψ = tr(ϕ) an ELTLK
q
formula. Then,
M |= ψ iff there exists k > 0 such that M |=
k
ψ.
5.2 Translation to SMT
The presented SMT encoding of the BMC problem
for ELTLK
q
and for a DTIS is based on the SMT en-
coding presented in (Zbrzezny and Zbrzezny, 2017).
It consists in encoding of both the transition relation
of the dense timed model M, and the ELTLK
q
formula
tr(ϕ) as a quantifier-free first-order formula. The nov-
elty of the encoding lies in encoding of both the tran-
sition relation of the dense timed model, and the finite
prefix of the sequence (D
π
l
(0),D
π
l
(1),. ..).
Let M be a dense timed model, ϕ an EMTLK for-
mula, ψ = tr(ϕ) the ELTLK
q
formula, and k ∈ IN
a bound. The main idea of the SMT-based BMC
method consists in translating the BMC problem, i.e.,
M |=
k
ψ, to the satisfiability problem of the following
formula:
[M,ψ]
k
:= [M
ψ,ι
]
k
∧ [ψ]
M,k
.
The definition of the formula [M,ψ]
k
assumes
that each global state s ∈ S of M can be repre-
sented by a valuation of a symbolic global state
w = (w
1
,. .. ,w
n
,w
E
) that consists of symbolic local
states. Each w
c
is a pair (w
c
,v
c
) of individual inte-
ger variables ranging over the natural numbers (en-
coding a local state of the agent c) and individual real
SMT-based BMC for Dense Timed Interpreted Systems and EMTLK Properties
349
variables ranging over the real numbers (encoding a
clock valuation of the agent c). Similarly, each action
a ∈ Σ can be represented by a valuation of a symbolic
joint action a that is a vector of the individual vari-
ables ranging over the natural number.
The formula [M
ψ,ι
]
k
constrains the f
k
(ψ) sym-
bolic k-paths to be valid k-paths of M, while the for-
mula [ψ]
M,k
encodes a number of constraints that must
be satisfied on these sets of k-paths for ψ = tr(ϕ) to
be satisfied. Note that the exact number of neces-
sary symbolic k-paths depends on the checked for-
mula ψ, and it can be calculated using the function
f
k
: EMTLK → IN as in (Me¸ski et al., 2014). The
number of k-paths sufficient to validate ψ is given by
the function that is defined as
b
f
k
(ψ) = f
k
(ψ) + 1.
Let w and w
0
be two different symbolic states,
a a symbolic action,
b
δ a symbolic time passage,
and u be a symbolic number. We assume def-
initions of the following auxiliary quantifier-free
first-order formulae as in (Zbrzezny, 2012): I
s
(w)
that encodes the state s of the dense timed model
M, p(w) that encodes the set of states of M in
which p ∈ P V holds, H
c
(w
c
,w
0
c
) that encodes
equivalence of two local states for c ∈ A ∪ E ,
H(w, w
0
) that encodes equivalence of two global
states such that (w
1
,. .. ,w
n
,w
E
) = (w
0
1
,. .. ,w
0
n
,w
0
E
)
and (v
1
,. .. ,v
n
,v
E
) ' (v
0
1
,. .. ,v
0
n
,v
0
E
), T
Σ
(w,a, w
0
)
that encodes action transitions of M, and T
δ
(w,
b
δ,w
0
)
that encodes time transitions of M. A pair consisting
of a sequence of symbolic transitions and a symbolic
number is called a symbolic k-path. Let π
j
denote
the j-th symbolic k-path: (
w
0, j
b
δ
−→ ...
b
δ
−→
w
0, j
a
1, j
−→
w
1
b
δ
−→ ...
b
δ
−→ w
1, j
a
2, j
−→ ...
b
δ
−→ w
k−1
a
k, j
−→ w
k, j
,u
j
),
where w
i, j
are symbolic states, a
i, j
are symbolic ac-
tions, and u
j
is a symbolic number for 0 ≤ i ≤ k and
1 ≤ j ≤
b
f
k
(ψ). Further, let the function Gt
m
(π
n
) en-
code a global time on the symbolic k-path π
n
at the
depth m.
The formula [ψ]
M,k
encodes the bounded seman-
tics of an ELTLK
q
formula ψ = tr(ϕ), and it is defined
on the same sets of individual variables as the formula
[M
ψ,ι
]
k
.
Let F
k
(ψ) = { j ∈ IN | 1 ≤ j ≤
b
f
k
(ψ)}, and
[ψ]
[m,n,A]
k
denote the translation of ψ along the n-th
symbolic path π
m
n
with the starting point m by using
the set A ⊆ F
k
(ψ). Then, the next step is a transla-
tion of an ELTLK
q
formula ψ to a quantifier-free first-
order formula
[ψ]
M,k
:= [ψ]
[0,1,F
k
(ψ)]
k
.
Definition 5.3 ((Zbrzezny, 2012)). Let M be a dense
timed model, ψ an ELTLK
q
formula, and k ≥ 0 a
bound. We define inductively the translation of ψ
over a path number n ∈ F
k
(ψ) starting at the sym-
bolic state w
d,n
at the depth m as shown below, where
n
0
= min(A):
• [q
I
]
[d,n,A]
[k,m]
:=
1.
W
k−1
l=0
Gt
d
(π
n
) − Gt
m
(π
n
) ∈ I ∧
¬H(w
k,n
,w
l,n
)
∨
W
k−1
l=0
Gt
d
(π
n
) − Gt
m
(π
n
) ∈
I ∧ H(w
k,n
,w
l,n
)
, if m ≥ d,
2.
W
k−1
l=0
Gt
d
(π
n
) − Gt
m
(π
n
) ∈ I ∧
¬H(w
k,n
,w
l,n
)
∨
W
k−1
l=0
Gt
d+k−l
(π
n
) −
Gt
m
(π
n
) ∈ I ∧ H(w
k,n
,w
l,n
)
, if d < m,
• [¬q
I
]
[d,n,A]
[k,m]
:= ¬[q
I
]
[d,n,A]
[k,m]
,
• [K
c
α]
[d,n,A]
[k,m]
:=
W
s∈ι
I
s
(w
0,n
0
) ∧
W
k
j=0
[α]
[ j,n
0
,g
s
(A)]
[k,m]
∧ H
c
(w
d,n
,w
j,n
0
)
.
For the Boolean constants t and f, propositional vari-
ables ∈ P V , propositional operators ∨ and ∧, and
temporal operators U and G the translation is de-
fined as in (Zbrzezny, 2012; Wo
´
zna-Szcze
´
sniak and
Zbrzezny, 2016; Zbrzezny and Zbrzezny, 2017).
Let w
i, j
, a
i, j
, and
b
δ
i, j
are, respectively, symbolic
states, symbolic actions, and symbolic time passage
for 0 ≤ i ≤ k and 1 ≤ j ≤
b
f
k
(ψ). Now, we can define
the formula [M
ψ,ι
]
k
as follows:
_
s∈ι
I
s
(w
0,0
) ∧
b
f
k
(ψ)
_
j=1
H(w
0,0
,w
0, j
)∧
b
f
k
(ψ)
^
j=1
k
_
l=0
l = u
j
∧
b
f
k
(ψ)
^
j=1
T
δ
(w
0, j
,
b
δ,w
1, j
)∧
k−1
^
i=1
T
δ
(w
i, j
,
b
δ,w
i+1, j
) ∨ T
Σ
(w
i, j
,a
i, j
,w
i+1, j
)
∧
k−2
^
i=1
T
δ
(w
i, j
,
b
δ,w
i+1, j
) ∨ T
δ
(w
i+1, j
,
b
δ,w
i+2, j
)
.
The following theorem states that the translation
is correct and complete.
Theorem 5.2. Let M be a dense timed model, ϕ
an EMTLK formula, and tr(ϕ) an ELTLK
q
formula.
Then, for every k ∈ IN, M |=
d
k
tr(ϕ) iff, the quantifier-
free first-order formula [M, tr(ϕ)]
k
is satisfiable.
6 EXPERIMENTAL RESULTS
In this section, we experimentally evaluate the perfor-
mance of our new translation. To this aim, we have
conducted the experiments using the slightly modified
ICAART 2022 - 14th International Conference on Agents and Artificial Intelligence
350
timed generic pipeline paradigm (TGPP) (Wo
´
zna-
Szcze
´
sniak and Zbrzezny, 2014).
The DTIS for the TGPP (Zbrzezny and Zbrzezny,
2017) consists of n + 2 agents: a Producer producing
data within the certain time interval ([a,b]) or being
inactive, a Consumer receiving data within the cer-
tain time interval ([c,d]) or being inactive within the
certain time interval ([g,h]), and a chain of n inter-
mediate Nodes that can be ready for receiving data
within the certain time interval ([c, d]), processing
data within the certain time interval ([e, f ]) or send-
ing data. We assume that a = c = e = g = 1 and
b = d = f = h = 2 · n + 2, where n represents a num-
ber of nodes. We have tested the TGPP dense timed
interpreted system model, scaled in the number of in-
termediate nodes on the following EMTLK formulae
that existentially hold in the model of TGPP (n is the
number of nodes, ConRec stands for ConsReceived,
and PrdSend stands for ProdSend):
• ϕ
1
= G(K
P
(PrdSend ⇒ F
[0,2n+2)
(ConRec))). It
states that Producer knows that each time Producer
produces data, then Consumer receives this data in
time less than 2n + 1.
• ϕ
2
= K
C
(K
P
(F
[0,2n+2)
(ConRec))). It states that
Consumer knows that Producer knows that finally
Consumer will receive data in time less than 2n+2.
• ϕ
3
= K
P
(ConRec ⇒ F
[0,2n+1)
(¬ConRec)). It states
that Producer knows that time Consumer receives
data, then Consumer is ready to receive data in time
less than 2n + 1 after that Consumer will receive
data.
The number of considered k-paths for the properties
ϕ
1
, and ϕ
3
is equal to 2, and for the property ϕ
2
is
equal to 3.
We have performed our experiments on
a computer equipped with I7-3770 processor,
32 GB of RAM, and the operating system Linux.
We implemented our SMT-BMC algorithm as a
standalone program that is written in C++. We used
the SMT-solvers Z3 (Moura and Bjørner, 2008) in
version 4.8.9, and Yices2 (Dutertre, 2014) in version
2.6.2.
The line charts in Figures 1-3, show the total time
and the memory consumption for all the tested prop-
erties. Our SMT-BMC program generated SMT files
that we have tested using SMT-solvers. The results we
have got allowed us to confirm the efficiency of our
method. By the way, we can compare the efficiency
of mentioned above SMT-solvers. For all the formu-
lae Yices SMT-solver outperforms Z3, and it could
verify the TGPP system with more nodes.
0
1000
2000
3000
4000
5000
6000
1 5 10 20 30 40 50 60 70 80 90 100 110 120 130 140 150
Time in sec.
Number of Nodes
SMT − Yices
SMT − Z3
Total time usage for the TGPP and ϕ
1
1000
10000
100000
1×10
6
1×10
7
1 5 10 20 30 40 50 60 70 80 90 100110120130140150
Memory in kB
Number of Nodes
SMT − Yices
SMT − Z3
Memory usage for a TGPP and ϕ
1
Figure 1: ϕ
1
: TGPP with n nodes.
0
2000
4000
6000
8000
10000
12000
14000
16000
18000
1 2 3 4 5 6
Time in sec.
Number of Nodes
SMT − Yices
SMT − Z3
Total time usage for the TGPP and ϕ
2
10000
100000
1×10
6
1×10
7
1 2 3 4 5 6
Memory in kB
Number of Nodes
SMT − Yices
SMT − Z3
Memory usage for a TGPP and ϕ
2
Figure 2: ϕ
2
: TGPP with n nodes.
0
200
400
600
800
1000
1200
1400
1 2 3 4 5
Time in sec.
Number of Nodes
SMT − Yices
SMT − Z3
Total time usage for the TGPP and ϕ
3
1000
10000
100000
1×10
6
1 2 3 4 5
Memory in kB
Number of Nodes
SMT − Yices
SMT − Z3
Memory usage for a TGPP and ϕ
3
Figure 3: ϕ
3
: TGPP with n nodes.
7 CONCLUSIONS AND FUTURE
WORK
We have proposed, implemented, and experimentally
evaluated SMT-based BMC method for dense timed
interpreted systems and for properties expressible in
SMT-based BMC for Dense Timed Interpreted Systems and EMTLK Properties
351
EMTLK with the semantics over dense timed inter-
preted systems. The method is based on a translation
of the existential model checking for EMTLK to the
existential model checking for ELTLK
q
, and then on
the translation of the existential model checking for
ELTLK
q
to the quantifier-free first-order formula.
The paper presents preliminary experimental re-
sults only, but they show that the proposed verifica-
tion method is quite efficient and worth exploring. We
plan to explore also the SAT-based BMC method.
REFERENCES
Alur, R., Courcoubetis, C., and Dill, D. (1993). Model
checking in dense real-time. Information and Com-
putation, 104(1):2–34.
Biere, A., Cimatti, A., Clarke, E., and Zhu, Y. (1999). Sym-
bolic model checking without BDDs. In TACAS’99,
volume 1579 of LNCS, pages 193–207. Springer-
Verlag.
Biere, A., Heule, M., van Maaren, H., and Walsh, T. (2009).
Handbook of Satisfiability: Volume 185 Frontiers in
Artificial Intelligence and Applications. IOS Press.
Bouyer, P. (2009). Model-checking timed temporal logics.
Electr. Notes Theor. Comput. Sci., 231:323–341.
Clarke, E., Grumberg, O., and Peled, D. (1999). Model
Checking. The MIT Press.
Dutertre, B. (2014). Yices 2.2. In Proceedings of CAV’2014,
pages 737–744.
Fagin, R., Halpern, J., Moses, Y., and Vardi, M. Y. (1995).
Reasoning about Knowledge. MIT Press. ISBN: 0-
262-06162-7.
Koymans, R. (1990). Specifying real-time properties with
metric temporal logic. Real-Time Systems, 2(4):255–
299.
Me¸ski, A., Penczek, W., Szreter, M., Wo
´
zna-Szcze
´
sniak,
B., and Zbrzezny, A. (2014). BDD- versus SAT-based
bounded model checking for the existential fragment
of linear temporal logic with knowledge: algorithms
and their performance. Autonomous Agents and Multi-
Agent Systems, 28(4):558–604.
Moura, L. D. and Bjørner, N. (2008). Z3: an efficient SMT
solver. In Proceedings of TACAS’2008, volume 4963
of LNCS, pages 337–340. Springer-Verlag.
Wo
´
zna-Szcze
´
sniak, B. and Zbrzezny, A. (2014). Check-
ing MTL properties of discrete timed automata
via bounded model checking. Fundam. Inform.,
135(4):553–568.
Wooldridge, M. (2009). An introduction to multi-agent sys-
tems - Second Edition. John Wiley & Sons.
Wo
´
zna-Szcze
´
sniak, B. and Zbrzezny, A. (2016). Checking
EMTLK properties of timed interpreted systems via
bounded model checking. Studia Logica, 104(4):641–
678.
Zbrzezny, A. (2012). A new translation from ECTL
∗
to
SAT. Fundamenta Informaticae, 120(3-4):377–397.
Zbrzezny, A. M., Wo
´
zna-Szcze
´
sniak, B., and Zbrzezny,
A. (2015). SMT-based bounded model checking
for weighted epistemic ECTL. In Proceedings of
EPIA’2015, pages 651–657. Springer.
Zbrzezny, A. M. and Zbrzezny, A. (2017). Simple SMT-
based bounded model checking for timed interpreted
systems. In Proceedings of IJCRS’2017, volume
10314 of LNAI, pages 487–504. Springer.
ICAART 2022 - 14th International Conference on Agents and Artificial Intelligence
352
