On-the-Fly Mean-Field Model-Checking for Attribute-Based Coordination

. Typical Collective Adaptive Systems (CAS) consist of a large number of interacting objects that coordinate their activities in a decentralised and often implicit way. The design of such systems is challenging, as it requires scalable analysis tools and methods to check properties of proposed system designs before they are put into operation. A promising technique is Fast Mean-Field Approximated Model-checking. The FlyFast model-checker uses an on-the-ﬂy algorithm for bounded PCTL model-checking of selected individuals in the context of very large populations whose global behaviour is approximated using deterministic limit techniques. Recently, speciﬁc modelling languages have been proposed for CAS. A key feature of such languages is the attribute-based interaction paradigm. In this paper we present an attribute-based coordination language as a front-end for FlyFast. Its formal probabilistic semantics is provided and a translation to the original FlyFast language is given and proved correct. Application examples are also provided.


Introduction and Related Work
Collective Adaptive Systems (CAS) consist of a large number of entities with decentralised control and varying degrees of complex autonomous behaviour. CAS are at the core of the envisioned smart cities of the future and encompass systems like smart urban transport and smart grids. The pervasive nature of CAS and thus their impact on society requires the development of reliable rigorous design models as well as a priori analysis techniques of such models-covering all relevant aspects of their behaviour, including quantitative and emergent onesbefore they are put into operation 1 .
Model-checking has been widely recognised as a powerful approach to the automatic verification of concurrent and distributed systems. It consists of an efficient procedure that, given an abstract model of the system, decides whether the model satisfies a logical formula, typically drawn from a temporal logic. Unfortunately, traditional model-checking suffers from the so called state-space explosion problem which hampers scalability of the approach. In particular, its application to very large models, like those typical of CAS, is infeasible. In [17,15] Latella et al. presented a scalable mean-field model-checking procedure for verifying bounded PCTL (Probabilistic Computation Tree Logic) [11] properties of selected individuals in the context of systems consisting of a large number of similar, but independent, interacting objects; a limited form of global system properties can be treated as well. The procedure can be used with huge population sizes, as typical of analysis techniques based on mean-field approximation; the average behaviour of the population is approximated using a population Discrete Time Markov Chain (DTMC) convergence result [21] and is used for representing the context in which the selected individuals operate (see [21,17,15] for details). The model-checking procedure is implemented in the tool Fly-Fast as an instantiation of a probabilistic on-the-fly model-checker; the latter is parametric on (the semantic model of) the modelling language [16,15].
FlyFast comes with simple modelling language. An agent 2 is a finite state process, a generic state C of which is specified by a state defining equation like C := a 1 .C 1 + . . . + a r .C r . Intuitively, the above notation defines state C of the agent and postulates that there are r outgoing transitions from C,with action a j labelling a transition going from C to C j . A probability value is assigned to each action a by means of a probability function definition a :: E, where the actual probability is given by the value of expression E in the current occupancy measure vector m. Assume a system is composed of N instances of the agent and that the states of the agent are C 1 , . . . C S . The occupancy measure vector at the current time is the vector (m 1 , . . . , m S ) s.t. m j yields the fraction of agents currently in state C j over the total number N of agents. A system specification is a triple composed by an agent specification-given as a set of state defining equations-a set of probability function definitions, and an initial global state. Finally, FlyFast provides the user with formula declarations which allow for the interpretation of bounded PCTL atomic propositions in the model at hand. The computational model is clock-synchronous; at each step each agent must perform an independent step (which may be an idle self-loop) so that the global state probabilities are given as the product of agent step probabilities, and a new occupancy measure vector can be computed. The global system behaviour is thus a DTMC as well as the stochastic process given by the occupancy measure vector. Notably, for N sufficiently large, the latter can be approximated deterministically, i.e. by a function of time. This brings to a dramatic decrease in size of the global state space: at each step, the total number of potential next states drops from S N to S, which makes bounded PCTL model-checking of very large population systems possible (the interested reader is referred to [17,15,21] for details).
Recently, modelling and programming languages have been proposed specifically for autonomic computing systems and CAS [9,3,12]. Typically, in such frameworks, a system is composed of a set of independent components where a component is a process equipped with a set of attributes describing features of the component. A classical example of attribute is the component location.
An additional environment is often used for the specification of common or global features. The attributes of a component can be updated during its execution so that the association between attribute names and attribute values is mantained in the dynamic store of the component. Attributes can be used in predicates appearing in language constructs for component interaction. For instance a component may broadcast a message to all those components satisfying a given predicate; similarly a component may wait for a message from any of those components satisfying a given predicate.
In the present paper, we propose an extension of the FlyFast front-end modelling language for dealing with components and predicate-based interaction. The extension has been inspired by Carma [3]. Components are expressed as pairs process-store; actions are predicate based multi-cast output and input primitives 3 . Associated to each action there is also an (atomic) probabilistic store-update. For instance, assume components have an attribute named loc which takes values in the set of points of a space type. The following action models a multi-cast via channel α to all components in the same location as the sender, making it change location randomly: α * [loc = my.loc] {loc ← randomLoc(loc)}. Here randomLoc is assumed to be a random generator of points in the space 4 . The computational model is clock-synchronous as well, but at the component level. In addition, each component is equipped with a local outbox. The effect of an output action α * [π r ] σ is to deliver output label α to the local outbox, together with the predicate π r , which receiver components will be required to satisfy, as well as the current store γ of the component executing the action; the current store is updated according to update σ. Note that output actions are non-blocking and that successive output actions of the same component rewrite its outbox. An input action α * [π s ]()σ by a component will be executed with a probability which is proportional to the fraction of all those components whose outboxes currently contain the label α , a predicate π r which is satisfied by the component, and a store γ which satisfies in turn predicate π s . If such a fraction is zero, then the input action will not take place (input is blocking), otherwise the action takes place, the store of the component is updated via σ, and its outbox cleared. Thus, as in the original FlyFast language, component interaction is probabilistic, but now the fraction of the components satisfying the relevant predicates plays a role in the computation of transition probabilities. We provide the formal probabilistic semantics of the extended language and a translation to the original FlyFast language which makes the model-checker support the extended language. The translation is proved correct.
Related Work. As we mentioned before, this work has been inspired by Carma [3], which in turn shares features with SCEL [9]. There are several aspects of either languages that are not present in our proposal. The main reason for the absence of most of them is the fact that this work is intended as a proof of concept rather than the realisation of a ready-to-use tool for reasoning about CAS. So we aim at keeping the language minimal and focussing only on attribute-based interaction in the context of stochastic and mean-field semantics and modelchecking. A feature of Carma not considered here is the notion of global environment, since it represents a singularity point that does not fit well with limit approximation techniques. Finally, we point out that the stochastic semantics of Carma are based on time inhomogeneous CTMCs, due to the fact that action parameters may be time dependent, while we use DTMCs as semantic basis. The notion of the outbox is reminiscent of the notion of the ether in PALOMA [10] in the sense that the collection of all outboxes together can be though of as a kind of ether; but such a collection is intrinsically distributed among the components so that it cannot represent a bottleneck in the execution of the system neither a singularity point in the deterministic approximation. Fluid model-checking for continuous time systems is addressed in [4] where a global model-checking procedure for the Continuous Stochastic Logic (CSL, [2]) is given, which is based on continuous limit approximated semantics. Fluid semantics have proved very useful for reasoning about large coordination systems (see e.g. [23,6,18]). Predicate-/attribute-based inter-process communication has been originally proposed in [19] where several variants of predicate-/attributebased communication primitives-including blocking / non-blocking, bounded / unbounded-are discussed in the context of a study on high-level language constructs for distributed systems with decentralised control (see for instance [22]). The notion of predicate-/attribute-based interaction is central in the definition of SCEL [9] where its synchronous-communication variant has been given formal semantics. Asynchronous-communication variants have been defined for stochastic versions of SCEL [20]. An attribute-interaction based calculus is proposed in [1] where broadcast communication links among components are dynamically established on the basis of the interdependences determined by predicates over attributes. A reduction semantics approach is adopted where each transition involves the group composed of both sender and receivers. Attribute π-Calculus has been proposed in [14] and extended to Imperative π-Calculus in [13]; in both calculi, which inherit the classical point-to-point communication paradigm of the π-Calculus, as opposed to multi-cast, attributes are related to messages rather than to processes. None of the above mentioned works on predicate-/attributebased languages addresses mean-field approximated model-checking so, to the best of our knowledge, the present paper is the first proposal on the subject.

Attribute-based Coordination Language and Logic
In this section we define an attribute-based population description language and related logic. A system is defined as a population of N identical interacting components 5 in a clock-synchronous fashion. Each component is equipped with a finite set of attributes; the current store γ ∈ Γ of the component maps each attribute name to an attribute value.

Syntax
A component specification is a pair (∆, F ) where ∆ is a finite set of state-defining equations, one for each state of the component and F is a set of auxiliary function definitions 6 . We let S, ranged over by C, C , C 1 , . . . denote the (denumerable, non-empty) set of all states which can be used in equations. Each equation defines the transitions from the state to other states of the component; each transition is labelled by the action the component performs when the transition takes place. The general format of a state defining equation is: is a predicate π defined according to the following grammar: π ::= | ⊥ | e 1 e 2 | ¬π | π 1 ∧ π 2 .
(⊥, resp.) stands for the truth value true (false resp.), while ∈ {≥, >, ≤, <}; we let ∈ {>, <}. An expression e can be an attribute name a, or my.a referring to the value of a in the component where it occurs, or a value v in given set V. In defining equations as above, we abbreviate [ ]P j with P j and we omit summands of the form [⊥]P j . Each P j in a state defining equation as above is of the form p j :: act j .C j , where p j is a probability expression, i.e. an expression with value in [0, 1], built from constants v ∈ [0, 1] and the special operator frc C, combined using standard arithmetic operators; for state C, frc C returns the fraction of the components that are currently in state C, over the total of N components. Clearly, the use of the frc operator allows action (and, ultimately, transition) probability to depend on the global state of the system. Actions act j can be output actions α * [π] σ or input actions α * [π]()σ. We assume a countable set of action types A, with α ∈ A. The effect of an output action α * [π] σ is a broadcast to all those components satisfying predicate π and which are willing to accept the interaction. This is achieved by means of delivering α , together with some additional information, to the outbox of the component executing the action, as we will discuss in detail in Sect. 2.2. In addition, the store of the component executing the action is updated according to the update σ, which is a function from Γ to the class of probability distributions over Γ -i.e., in the general case, the update may be probabilistic. Similarly, an input action α * [π]()σ is used to receive an α-message sent by a component satisfying predicate π. More specifically, the probability of executing the input action will be proportional to the fraction of components which have sent the α-message while satisfying predicate π and requiring a predicate which is satisfied by the component executing the input action. Also input actions are provided with a store update σ whereas the component outbox is cleared as (a side) effect of their execution. In the sequel, we shall call address predicates the predicates [π] used for identifying the partners in input/output actions. For updates, we use in a given set being unreachable from states of other sets. Each such a set of states can be seen as a component with a different behaviour. 6 The specific syntax of auxiliary function definitions is irrelevant and left out here. the following notation: {a 1 ← e γ 1 , . . . , a t ← e γ t } where e γ j is an expression which may also include functions-the definition of which are to be provided in Fwhich may depend on the component store γ and produce random results, as we shall see below. Attributes different from a 1 , . . . , a t are left unchanged by the update. We require that any attribute name a occurring in a guard [g], or in the expressions e γ 1 , . . . , e γ t , must appear in the form my.a (thus referring to the value of the attribute in the local store of the component). An attribute name a may appear both with and without the my. prefix in the address predicate π. Intuitively, equation C := [g 1 ]P 1 + . . . + [g r ]P r defines state C of the component at hand and postulates that there are r potential outgoing transitions from C, with action act j labelling a transition going from C to C j . The actual transitions will be determined by the value of the guards and the action probabilities. Note that it may happen that the current cumulative probability value of the enabled transitions is less than 1; for this reason, the language provides the construct rest :: α[π] σ.C, where rest is defined as the residual probability; it is required that there is at most one rest-branch (typically the last one) in every state defining equation. Only output actions are allowed in rest-branches; this ensures that the residual probability is not affected by the fraction of those components in the system satisfying the address predicate. Obviously, in a given component specification there is exactly one defining equation for each state of the component. We let S ∆ denote the finite set of states defined by ∆. Similarly, Γ ∆ , A ∆ and Π ∆ denote the set of all stores associated to ∆, the action types and the predicates occurring in (the equations of) ∆. Finally, we let V ∆ denote the set of values which can be taken by the attributes of a component specified by ∆. Note that we assume V ∆ is a finite set-thus also Γ ∆ is finite; model finiteness is a common assumption for modelling languages supported by automatic analysis and verification tools.
Example 1 (A spatially distributed Computer Epidemic Model). We enrich the Computer Epidemic Model of [5], SEIR, with infection communication and a bi-dimen-sional Regular GRID [7] model for space, where for each point the following specific operators are defined, with the usual North, South, East, West meaning: N( ), S( ), E( ), W( ). Each component is equipped with a position attribute, named loc, which is always yielding the current position (i.e. point) in space of the component and is the only attribute of the component. Note that, given the abstract nature of the bi-dimensional Regular GRID, such a "point" could be a physical point is space, but also a specific region (or patch) in a patched representation of space. We will implicitly refer to the second interpretation in the sequel. In the model, given in Fig. 1, the purpose of auxiliary function Jump is twofold: (i) it defines a function from positions to discrete probability distributions which, given position , characterizes a probability distribution which assignes probability p N ( ) to N( ), probability p S ( ) to S( ), and so on and (ii) defines a random position generator which, given position , randomly returns a new position according to the specified probabilities. Note that the probabilities are themselves functions of the position and they are assumed being declared as additional auxiliary functions. In the equation for S in Fig. 1 probability constants h, m N , . . . , m W are factors in [0, 1] with cumulative value at most 1, each to be multiplied by the actual probability of the associated (input) action. The latter will be computed as the fraction of the local states which satisfy the required predicate. The resulting values, when taken all together, will characterize a probability sub-distribution; the residual probability will be associated to a rest-self-loop. Similar considerations apply to the probability constants in the definition of other states (e.g. i in the figure). We assume h > m N ≈ m S ≈ m E ≈ m W . In other words, an agent has higher probability to get the infection from agents in the same place than from agents in adjacent places; the probability drops to zero in all other cases. • A system is modelled as a population of N instances of a component, so a system specification Υ is a triple (∆, F, Σ 0 ) (N ) where (∆, F ) is a component specification and Σ 0 is the initial (system) global state, which will be discussed below. In the sequel we will often write ∆ instead of (∆, F ).

Probabilistic Semantics
In order to model component interactions within a system, each component is equipped with a local outbox. The idea is that, whenever a component executes an output action, the related output will be available in the component's outbox only during the next clock tick; in the next state, (other) components will be able to get the message by means of corresponding input actions. After such a tick, the outbox will be empty or filled with the information generated by a subsequent output action of the component. Formally, let Λ O ∆ be the set is the component-state of the j-th instance in the population for j = 1 . . . N . We say that N is the population size of the system. In the sequel, we will omit the explicit indication of the size N in (∆, F, Σ 0 ) (N ) , and elements thereof or related functions, writing simply (∆, F, Σ 0 ), when this cannot cause confusion. In summary, a system specification can be thought of as process algebraic clock-synchronous parallel composition of N processes. The probabilistic behaviour of a system can be derived from its specification (∆, F, Σ 0 ) (N ) . We remind that Ω ∆ is finite, since so are sets S ∆ , Γ ∆ and O ∆ . Assume  . The definition of the above semantic interpretation functions on composition terms can be given recursively on the structure of the terms and is left out here. In particular, we assume them extended to tuples. Similarly, we assume standard techniques and machinery for auxiliary functions in store updates; the semantics of update σ in the current store γ will be denoted by E U [[σ]] γ , that is a probability distribution over stores 7 .

Fig. 2. Probabilistic Semantics Rules
Note that all the above summations are finite under our assumption that so is V ∆ . The behaviour of the system is the result of the parallel-synchronous execution of the N instances of the component. Thus, the probabilistic behaviour of the system is characterised by the DTMC X (N ) (t) with initial probability distribution δ Σ0 and one step probability matrix P (N ) defined by the following product: P (N ) . Of course, the 'occupancy measure' view of the evolution in time of stochastic process X (N ) (t) is again a DTMC, namely the occupancy measure DTMC, which is defined as expected:

Bounded PCTL
We recall that, given a set P of atomic propositions, the syntax of PCTL state formulas Φ and path formulas ϕ is defined as follows, where ap ∈ P and k ≥ 0:

A Translation to FlyFast
In this section we define a translation I such that, given system specification Υ = (∆ Υ , F Υ , Σ 0 ) (N ) , I(Υ ) = ∆, A, C 0 (N ) is a FlyFast [15,17] system specification preserving probabilistic semantics. The attribute-based FlyFast front-end is then completed with a simple translation at the PCTL level, also provided in this section. We map every component state of Υ to a distinct state of I(Υ ) by means of a total injection I S : Ω ∆ Υ → S. The mapping of actions is a bit more delicate because we have to respect FlyFast static constraints and, in particular, we have to avoid multiple probability function definitions for the same action. To that purpose, we could distinguish different occurrences of the same action in different transitions, characterized by their source and target states in Ω ∆ Υ . In practice, since an action of a component cannot be influenced by the current outbox of the component, it is sufficient to use a total injection I A of the following type (S ∆ Υ ×Γ ∆ Υ )×Λ ∆ Υ ×Ω ∆ Υ → A for the mapping of actions. In the sequel we show how to build The translation algorithm is given in Fig. 3, where for action act ∈ {α * [π] σ, α * [π]()σ} we let T (act) = α, P (act) = π, and U (act) = σ. SUM{t|cond(t)} denotes the syntactical term representing the sum of terms t ∈ {t|cond(t) = tt}, i.e. 3. If there exists k ∈ J s.t. [g k ]p k = rest, and act k = α * [π] σ, letĀ be the set of probability function definitions which has been constructed in steps (1) and (2)   ; the algorithm will generate probability function definition ξ :: p W (A) * ext as well as a transition leading to (a state which is the encoding, via I S , of) the component state with E as (proper) state, store γ , and outbox (γ, ⊥, ext ). Since the action is not depending on the current outbox, in practice a copy of such a transition is generated for each component state sharing the same proper state S and the same store γ. In the general case, in a defining equation for a state C there might be multiple occurrences of the same action, bringing to the same next state C ; the algorithm takes care of this and collects them in order to generate a single transition; the appropriate probability is expressed by means of the SUM{. . .} term. The translation scheme for input actions is defined in case 2 and is similar, except that for each term p j in the SUM{. . .} expression one has also to consider the sum Φ j of the fractions of the possible partners. The translation of the rest case is straighforward. Let K (N ) 1] be the step probability function associated to I(Υ ) by the FlyFast language probabilistic semantics definition (see [15,17] for details) and K Proof (scketch). We first observe that, by definition, K Consider the outer summation and suppose (α , p) be the index of a summand. Without loss of generality, assume there is only one instance of such a summand and there is only one k ∈ J such that the following transition is derived using the rules of  [15,17], we get that the probability assigned to ξ is The proof for all the other cases is similar. • The translation of atomic proposition declarations into FlyFast formula declarations is the obvious one and is shown in Fig. 4 where OR{e|cond(e)} denotes the

Epidemic Example Revisited
We return to the distributed Epidemic example of Fig. 1 where, for the sake of simplicity, we consider a simple patched space, consisting of the usual four quadrants A, B, C, D in the Cartesian Plane, as in Fig. 5 (left). We model a 'flow' from quadrant C to quadrant A by defining the jump probabilities as in the table in Fig. 5 (right) 9 , where l = 0.6 and s = 1 − l, so that l > s.  Fig. 6 shows the fast-simulation results 10 for the model for each of the four quadrants. This functionality is built-in in the FlyFast tool. In the figure, the fractions of numbers of the components in each of the four states at each of the four locations are shown. Note that these fractions correspond to appropriate predicates on standard atomic propositions; for instance the fraction of components in state S at quandrant A is captured by s ∧ a, assuming the following declarations: s at S and a def (my.loc = A). The simulation of single elements, taken as the average over 10 runs shows a very good correspondence with the fast-simulation results. The results also show good correspondence to the original SEIR model [5] when the probability to move between quadrants is set to zero and in the initial state the total population is in state S and in one specific quadrant in the former model. Besides fast simulation, that gives an idea of the average global behaviour of the system, we can also analyse the behaviour of a single component in the context of the overall behaviour. We consider two example properties as illustration. Let us first consider a component initially in state S and located in A and let atomic propositions i and c be declared as follows: i at I and c def (my.loc = C). The following formula (P1) states that the probability is greater than p that that the component ends up infected in quadrant C by time t: P >p (tt U ≤t (i ∧ c)). FlyFast allows one to study the dynamics of the actual probability as a function of t, by means of the notation P =? (tt U ≤t (i ∧ c)) and the resulting graph, for the above initial conditions and for the first 70 time units is shown in Fig. 7 (left). For comparison, the formula for an agent starting in C and ending up in A and being infected is shown as well in the same figure. The results for a more complicated, nested, formula (P2) are shown in Fig. 7 (right). P2 expresses the probability, over time, of a component reaching a situation in which it is neither infected nor exposed, and from which it can reach a state in which it has a probability higher than 0.15 to be infected and located in C within the next 10 time units; formula P2 is given below, where i is assumed defined by i at I: P =? (tt U ≤t (¬(i ∨ e) ∧ P >0.15 (tt U ≤10 (i ∧ c)))). The formula has been considered for a component which is initially in A and in state S; the figure shows also a similar formula, where the role of A and C is exchanged and a probability higher than 0.45 instead of 0.15 is considered. For both types of properties a considerable difference in the probabilities can be observed for an agent that is initially located in A or in C, due to the flow of movement that has been introduced. This illustrates a clear dependence of the results on the dynamically changing spatial distribution of components. The total number of states, actions and transitions for the resulting FlyFast object specification is 52, 114 and 468 respectively, while the number of states of the global approximated model which have been generated for the analysis of formula P2 is 2.323 (2.185 when A and C are swapped). The model checking time for the more complicated nested formula P2 and for all values of t (70) is 10.343 (9.921 when A and C are swapped) ms, ≈ 148 (141) ms per checking session, for a model with a total population of 10.100 objects. A well-known feature of mean-field model checking is that the model checking time is independent of the size of the population, however, further experimentation with more extended spatial models and more attributes, that do effect this time, is planned as future work.

Conclusions
The attribute-based interaction paradigm is deemed fundamental for agent interaction in the context of Autonomic or Collective Adaptive Systems [9,20,3,1,12]. In this paper we have presented a attribute-based coordination modelling language as a front-end for FlyFast, an on-the-fly mean-field model-checker for bounded PCTL. The language extends the original FlyFast modelling language by replacing its actions with input (output, respectively) actions where senders (receivers, respectively) are specified by means of predicates on dynamic attributes on system components, where a component is a process/attribute-store pair. A translation to the standard FlyFast language has been presented, its correctness has been showed as well as an example of its application to a simple case study. It should be noted that the introduction of attributes in a process model is an intrinsic source of complexity in terms of component state-space size. Such an increase, in the worst case, goes with |V ∆ | |Att ∆ | · (|A O ∆ | + 1), where Att ∆ is the set of attributes of the component, V ∆ is the set of values they can take, and A O ∆ is the set of output actions occurring in the component specification (which may appear in its outbox). The obvious consequence of this is that one has to carefully ponder the importance and necessity of each and every new attribute used in a model, although, it must be kept in mind that the real source of state-space explosion is the size of the system, and this issue is addressed by Mean-Field approximation. A first optimisation consists in considering only reachable component states as well as eliminating actions with constant zero probability and simplifying boolean combinations of FlyFast atomic propositions in the translation. A possible additional line of investigation is the study of techniques for DTMC minimization to Mean-field analysis, so that the number of difference equations can decrease as a consequence, in a similar way as for CTMCs and the number of differential equations in fluid flow analysis [24].