Behavior Composition in the Presence of Failure

Transcription

1 Behvior Composition in the Presence of Filure Sebstin Srdin Deprtment of Computer Science RMIT University Melbourne, Austrli Fbio Ptrizi nd Giuseppe De Gicomo Diprtimento di Informtic e Sistemistic Spienz Universit di Rom Rom, Itly {fbio.ptrizi,degicomo}@dis.unirom1.it Abstrct In this pper we rticulte theoreticl bses for robust behvior composition of multiple modules (e.g., gents, devices, etc.) by relying on the forml notion of simultion. Specificlly, we consider the problem of synthesizing fully controllble trget behvior from librry of vilble prtilly controllble behviors tht re to execute within shred, fully observble, but prtilly predictble, environment. Both behviors nd environment re represented s finite stte trnsition systems. While previous solutions to this problem ssumed full relibility, here we consider unforeseen potentil filures, such s module, or the environment, unexpectedly chnging its stte, or module becoming temporrily unvilble or dropping out permnently. Bsed on the notion of simultion, we propose n lterntive synthesis pproch tht llows for refining the solution t hnd, either on-the-fly or prsimoniously, so s to cope with filures. Interestingly, it turns out tht the proposed simultion-bsed technique is computtionlly n improvement over previously known methods tht ssumed full-relibility. Introduction In this pper we rticulte theoreticl bses for robust behvior composition of multiple modules (e.g., gents, devices, etc.). Specificlly, we consider the problem of synthesizing fully controllble trget behvior from librry of vilble prtilly controllble behviors tht re to execute within shred, fully observble, but prtilly predictble environment (De Gicomo & Srdin 2007; Srdin, Ptrizi, & De Gicomo 2007). A behvior stnds for the logic of ny rtifct tht is ble to operte in the environment. For exmple, consider ing blocks-world scenrio in which blocks re ed nd processed by different robotic rms; different behviors stnd for different types of rms, ll cting in the sme environment. The im is to relize desired (intelligent) virtul ing system by suitbly combining the vilble rms. Techniclly, we bstrct the ctul behviors nd environment s finite stte trnsition systems. More precisely, ech vilble module is represented s nondeterministic trnsition system (to model prtil controllbility); the trget behvior is represented s deterministic trnsition system Copyright c 2008, Americn Assocition for Artificil Intelligence ( All rights reserved. (to model full controllbility); nd the environment is represented s nondeterministic trnsition system (to model prtil predictbility). The environment s sttes re fully ccessible by the other trnsition systems. Working with finite stte trnsition systems llows us to leverge on reserch in the re of Verifiction (Pitermn, Pnueli, & S r 2006; Tn & Clevelnd 2001; Kupfermn & Vrdi 1996; Alur, Henzinger, & Kupfermn 2002; Clrke, Grumberg, & Peled 1999). Solving the composition problem consists in utomticlly synthesizing (Pnueli & Rosner 1989) controller tht coordintes the (prtilly controllble) vilble behviors to obtin the trget behvior (De Gicomo & Srdin 2007). This synthesis problem cn be recst in vriety of forms within severl sub-res of AI nd CS, including webservice composition (McIlrith & Son 2002; Berrdi et l. 2005; Muscholl & Wlukiewicz 2007), gent-oriented progrmming (Georgeff & Lnsky 1987), robotics (Pettersson 2005), plnning (Ghllb, Nu, & Trverso 2004), nd pln coordintion nd monitoring (Ktz & Rosenschein 1993; Grosz & Krus 1996; Tripthi & Miller 2001). In the literture, the bove behvior composition setting hs so fr lwys been studied ssuming full relibility of ll vilble modules nd, s result, the (defult) pproch for deling with behvior filures is to re-pln for new solution, if ny, from scrtch. It is obvious tht full relibility is n unrelistic ssumption in mny dynmic settings, where modules my become unexpectedly unvilble for vrious resons. For instnce, n gent (e.g., RoboCup robot plyer) my, t some point, brek down or opt not to prticipte in the composition nymore, possibly becuse it hs greed to join nother behvior composition. It could lso be the cse tht, while still cooperting, the gents my move too fr prt losing the communiction. The unvilbility of behvior my be temporry, i.e., the behvior will eventully resume opertion, or permnent, i.e., the behvior will not prticipte ny more in the overll system. In this pper, we propose solution for the composition problem tht is ble to cope with unexpected behvior filures in n incrementl, nd often fully rective, wy. Specificlly, we propose novel technique to synthesize the controller tht is bsed on the forml notion of simultion (Milner 1971; Henzinger, Henzinger, & Kopke 1995). We rgue tht, when it comes to behvior filures, the composi-

2 tion solution obtined is robust in two wys. First, it cn hndle temporry behvior unvilbility s well s unexpected behvior/environment evolution in totlly rective nd on-the-fly mnner, tht is, without ny extr effort or replnning required to continue the reliztion of the trget behvior, if t ll possible. Second, the composition solution cn be prsimoniously refined when module becomes permnently unvilble, or unexpectedly resumes opertion. Interestingly, the results here show tht the computtionl complexity of synthesizing such robust solutions remins the sme s in the cse of full-relibility. In fct, the technique we propose improves the known results by better chrcterizing the sources of complexity (cf. Theorem 2). We remrk tht it is not the objective of this work to gurntee up-front to stnd (ny) potentil filures. Tht could possibly be chieved by extending ech behvior with distinguished filure stte nd dding corresponding trnsitions from where filure my occur. Insted, if we think of ech vilble module s trnsition system s contrct, wht we wnt is to ddress unforeseen breches of such contrct. The filures we investigte here cn therefore be seen s the core wys of breking the contrct represented by the trnsition systems. The rest of the pper is orgnized s follows. We first describe the generl setting nd problem we re concerned with. After tht, we explin the role of potentil filures within such frmework. Then, we propose new pproch to the problem t hnd by ppeling to the notion of simultion. In the next two sections, we show how the new pproch cn be used to cope with the discussed filures. We end the pper by drwing some conclusions. The Frmework The setting we re concerned with is tht in (De Gicomo & Srdin 2007), summrized below. For the ske of brevity we mke some minor nd non-substntil simplifictions with respect to the originl one. (In prticulr, we drop finl sttes in trnsition systems every stte my be considered finl in De Gicomo & Srdin 2007 s terminology.) Environment nd behviors We ssume to hve shred fully observble environment, which provides n bstrct ccount of ctions preconditions nd effects, nd men of communiction mong modules. In doing so, we tke into considertion tht, in generl, we hve incomplete informtion bout the ctul preconditions nd effects of ctions (kin to n ction theory). Therefore, we llow the environment to be nondeterministic in generl. In other words, the incomplete informtion on the ctul world, nd hence its prtil predictbility, shows up s nondeterminism in our setting. Formlly, n environment is tuple E = A, E, e 0, ρ, where: A is finite set of shred ctions; E is the finite set of environment s sttes; e 0 E is the initil stte; ρ E A E is the trnsition reltion mong sttes: e,, e ρ, or e e in E, denotes tht ction performed in stte e my led the environment to successor stte e. A behvior is essentilly progrm for n gent or the logic of some vilble device which provides, step by step, the gent with set of ctions tht cn be performed. Precisely, t ech step, the gent selects one ction mong those provided nd executes it. Then, new set of ctions is provided, the gent selects one, executes it, nd so on. Obviously, behviors re not intended to be executed on their own but, rther, to interct with the environment (cf. bove). Hence, they re equipped with the bility to test conditions (i.e., gurds) on the environment, when needed. Formlly, behvior over n environment E = A, E, e 0, ρ is tuple B = B, b 0, G, ϱ, where: B is the finite set of behvior s sttes; b 0 B is the initil stte; G is set of gurds, tht is, boolen functions g : E {true, flse}; δ B G A B is the behvior s trnsition reltion, where b, g,, b ϱ, or b g, b in B, denotes tht ction executed in behvior stte b, when the environment is in stte e such tht g(e) = true, my led the behvior to successor stte b. Observe tht behviors re, in generl, nondeterministic, tht is, given stte nd n ction, there my be severl trnsitions whose gurds evlute to true. Consequently, when choosing the ction to execute next, one cnnot be certin of the resulting stte, nd hence of which ctions will be vilble lter on, since this depends on wht prticulr trnsition hppens to tke plce. In other words, nondeterministic behviors re only prtilly controllble. We sy tht behvior B = B, b 0, G, ϱ over n environment E = A, E, e 0, ρ is deterministic if there re no behvior stte b B nd no environment stte e E for which there exist two trnsitions b g1, b nd b g2, b in B such tht b b nd g 1 (e) = g 2 (e) = true. Notice tht, given stte in deterministic behvior nd legl ction in tht stte, we lwys know exctly the next behvior s stte. In other words, deterministic behviors re indeed fully controllble through the selection of the next ction to perform. A system S = B 1,..., B n, E is built from n environment E nd n predefined, possibly nondeterministic, vilble behviors B i over E. A trget behvior is deterministic behvior over E tht represents the fully controllble desired behvior to be obtined through the vilble behviors. Exmple 1. Figure 1 depicts n extended version of the ing rms scenrio described in (De Gicomo & Srdin 2007). The overll im of the system is to process existing blocks, which cn be ed nd ed. Before being processed, block needs to be d; only one block t time cn be processed. Clening nd ing require resources, nmely, wter nd, respectively: we ssume there re two tnks, for wter nd, nd tht both re d simultneously by pressing rechrging button. The nondeterministic environment E provides the generl rules of the domin. For instnce, blocks cn be ed or

3 dispose e 1 e 4 dispose ENVIRONMENT E dispose ARM B A 1 2 e 1 : ARM B C c 1 c 2 dispose ARM B B b 1 b 2 b 3 b 4 t 1 t 5 dispose t 4 TARGET ARM B T t 2 t 3 Figure 1: The ing rms system S = B A, B B, B C, E nd the trget rm B T. ed only fter they hve been d. It lso includes some informtion bout wter tnk used to blocks: in sttes e 1 nd, the wter tnk is not empty; wheres in sttes nd e 4, it is. The desired behvior of n rm-gent module tht one would like to hve is given by the (deterministic) trget behvior B T. Notice tht it is optionl to blocks when using B T only some dirty blocks my need to be wshed before being ed. Observe lso tht B T is conservtive, in tht it lwys s the tnks fter processing block. The desired rm B T does not exist in relity. Nonetheless, there re three different rms vilble. The first rm B A, ing-disposing rm, is ble to nd dispose blocks. The second rm B B is cpble of prepring, ing, nd ing blocks. The third rm B C is rm, which cn lso blocks for processing. All three rms re ble to press the button to refill tnks. Notice tht rm B B behves nondeterministiclly when it comes to ing block. This nondeterminism shows the incomplete informtion we hve of B B s internl logic. Observe lso the requirement of rm B A for the environment to be in stte (e 1 or ) where wter is vilble so s to be ble to perform ction. It is still physiclly conceivble, though, to block in environment stte, by some method tht does not rely on wter (cf. E). Encted behviors Given behvior B = B, b 0, G, ϱ over n environment E = A, E, e 0, ρ, we define the encted behvior of B over E s tuple T B = S, A, s 0, δ, where: S = B E is the (finite) set of T B s sttes given stte s = b, e, we denote b by beh(s) nd e by env(s); A is the set of ctions in E; s 0 S, with beh(s 0 ) = b 0 nd env(s 0 ) = e 0, is the initil stte of T B ; δ S A S is the encted trnsition reltion, where s,, s δ, or s s in T B, iff: (i) env(s) env(s g, ) in E; nd (ii) beh(s) beh(s ) in B, with g(env(s)) = true for some g G. Encted behvior T B is techniclly the synchronous product of the behvior nd the environment, nd represents ll possible executions obtined from those of behvior B once gurds re evluted nd ctions re performed in the environment E. In generl, the sources of nondeterminism in encted behviors re twofold: the environment (effects of ctions on the environment re nondeterministic); nd the behvior itself (which my be nondeterministic). All vilble behviors in system re to ct concurrently, in n interleved fshion, in the sme environment. To refer to the behvior tht emerges from their joint execution, we define the notion of encted system behvior. Let S = B 1,..., B n, E be system, where E = A, E, e 0, ρ nd B i = B i, b i0, G i, ϱ i, for i {1,..., n}. The encted system behvior of S is the tuple T S = S S, A, {1,..., n}, s S0, δ S, where: S S = B 1 B n E is the finite set of T S s sttes; when s S = b 1,..., b n, e, we denote b i by beh i (s S ), for i {1,..., n}, nd e by env(s S ); s S0 S S with beh i (s S0 ) = b i0, for i {1,..., n}, nd env(s S0 ) = e 0, is T S s initil stte; δ S S S A {1,..., n} S S is T S s trnsition reltion, where s S,, k, s S δ,k S, or s S s S in T S, iff: env(s S ) env(s S ) in E; g, beh k (s S ) beh k (s S ) in B k, with g(env(s S )) = true, for some g G k ; nd beh i (s S ) = beh i (s S ), for i {1,..., n} \ {k}. Note tht the encted system behvior T S is techniclly the synchronous product of the vilble behviors plus the synchronous product with the environment. It is nlogous to n encted behvior except for the presence of index k in trnsitions. The presence of such index mkes explicit which behvior in the system is the one performing the ction in the trnsition ll other behviors remin still. Exmpl. The encted behvior T BC describes the evolution of rm B C if it were to ct lone in the environment.

4 ENACTED ARM T BC c 1 c 1 c 1 c 1 e 1 e 4 c 2 c 2 c 2 c 2 e 1 Observe tht some joint sttes my be reched (only) when other behviors re lso cting: stte c 1, e 4 would be reched fter ctions,, nd dispose re executed. Controller nd composition The controller is system component ble to ctivte, stop, nd resume ny of the vilble behviors, nd to instruct them to execute n ction mong those llowed in their current stte (of course, lso tking the environment into ccount). The controller hs full observbility on the vilble behviors nd the environment, tht is, it cn keep trck (t runtime) of their current sttes. Although other choices re possible, full observbility is the nturl one in this context, since both the vilble behviors nd the environment re lredy suitble bstrctions for ctul modules: if detils hve to be hidden, this cn be done directly within the bstrct behviors exposed, by mens of nondeterminism. To formlly define controllers, we first need the following technicl notions. A trce for given encted behvior T B = S, A, s 0, δ is, possibly infinite, sequence of the form s 0 s 1 2, such tht (i) s 0 = s 0 ; nd (ii) s j j+1 s j+1 in T B, for ll j > 0. A history is just finite prefix h = s 0 l s l of trce. We denote s l by lst(h), nd l by length(h). The notions of trce nd history extend immeditely to encted system behviors: system trces hve the form s 0 1,k s 1 2,k 2, nd system histories hve the form s 0 1,k l,k l s l. Let S = B 1,..., B n, E be system nd H be the set of its system histories (i.e., histories of T S ). A controller for system S is function P : H A {1,..., n, u} which, given system history h H nd n ction A to perform, selects behvior ctully, returns its index to delegte to for execution. For technicl convenience, specil vlue u ( undefined ) my be returned, thus mking P totl function which returns vlue even for irrelevnt histories or ctions tht no behvior cn perform fter given history. The problem we re interested in is the following: given system S = B 1,..., B n, E nd deterministic trget behvior B t over E, synthesize controller P which relizes the trget behvior B t by suitbly delegting ech ction requested by B t to one of the vilble behviors B i in S. A solution to such problem is clled composition. Intuitively, the controller relizes trget if for every trce of the encted trget, t every step, it returns the index of n vilble behvior tht cn perform the requested ction. e 4 Note tht these controllers re somewht kin to n dvnced form of conditionl plns nd, in fct, the problem itself is relted to plnning (Ghllb, Nu, & Trverso 2004), being both synthesis tsks. Here, though, we re not plnning for choosing the next ction, but for who shll execute the next ction, whtever such ction hppens to be t runtime. One cn formlly define when controller relizes the trget behvior solution to the problem s done in (De Gicomo & Srdin 2007). In prticulr, one first defines when controller P relizes trce of the trget B t. Then, since the trget behvior is deterministic trnsition system, nd thus its behvior is completely chrcterized by its set of trces, one defines tht controller P relizes the trget behvior B t iff it relizes ll its trces. Exmpl. Let P 1 nd P 2 be the two finite controllers depicted below. Their min difference hs to do with the rm used to blocks: while P 1 uses rm B B, the ltter uses rm B C. Also, P 1 s the tnks with either B A or B B, depending on B B s stte: if rm B B is in stte b 1, then rm B A is used to ; nd if rm B B is in stte b 3, then rm B B is used insted. On the other hnd, controller P 2 lwys uses rm B C to the tnks. b1 :, A s 1 s 5 b3 :, B, B, B s 4, B CONTROLLER P 1 s 2 s 3 s 1, C s 5, C, C s 4, C CONTROLLER P 2 s 2 The controller P 1 is indeed composition of B T on E, tht is, P 1 relizes ll the trces of T BT. This is not the cse for controller P 2, which does not even relize the simple onection trce t 1, e 1 t 2, of T BT. Finlly, tke P 1 to be like P 1 but with the edge from s 5 to s 1 re-lbeled, A (i.e., ction is to be lwys delegted to rm B A ). Then, P 1 would only relize those trces where behvior B B lwys hppens to evolve to stte b 1 fter doing ction. Becuse of tht, P 1 would not count s solution either. We close this section by pointing out tht techniques for checking the existence of (nd indeed synthesizing) controller re known (De Gicomo & Srdin 2007; Srdin, Ptrizi, & De Gicomo 2007). Such techniques re bsed on reduction to PDL stisfibility (Hrel, Kozen, & Tiuryn 2000), nd provide n EXPTIME upper-bound to the computtionl complexity, being t most exponentil in the number of sttes of the vilble behviors, of the environment, nd of the trget behvior. Note tht this bound is ctully tight since EXPTIME-hrdness ws shown in (Muscholl & Wlukiewicz 2007). s 3

5 On Behvior Filures In discussing the bove behvior composition problem, we hve implicitly ssumed tht the vilble component modules re fully relible they re lwys vilble nd behve correctly reltive to the behvior/environment specifiction provided to the system. Nonetheless, there re mny situtions nd domins in which ssuming full relibility of components is not dequte. For exmple, in multi-gent complex nd highly dynmic domins, one cnnot rely on the totl vilbility nor on the relibility of ll the existing modules. There re vriety of resons why modules my stop being vilble t some point or nother. Devices my brek down, gents my decide to stop cooperting, communiction with gents my drop, exogenous events my chnge the stte of the environment, nd so on. Similrly, behviors my possibly re-pper into the system t lter stge, thus creting new opportunities for the overll system. As mentioned before, behviors nd environment s specifictions cn be seen s contrcts, nd filures, s the ones bove, s breches of such contrcts. We identify five core wys of breking contrcts, nmely: 1 () A behvior temporrily freezes, tht is, it stops responding nd remins still, then eventully resumes in the sme stte it ws in. As result, while frozen, the controller cnnot delegte ctions to it. (b) A behvior unexpectedly nd rbitrrily (i.e., without respecting its trnsition reltion) chnges its current stte. The controller cn in principle keep delegting ctions to it, but it must tke into ccount the behvior s new stte. (c) The environment unexpectedly nd rbitrrily (i.e., without respecting its trnsition reltion) chnges its current stte. The controller hs to tke into ccount tht this ffects both the trget nd the vilble behviors. (d) A behvior dies, tht is, it becomes permnently unvilble. The controller hs to completely stop delegting ctions to it. (e) A behvior tht ws ssumed ded unexpectedly resumes opertion strting in certin stte. The controller cn exploit such n opportunity nd strt delegting ctions to it gin. The composition techniques in (De Gicomo & Srdin 2007; Srdin, Ptrizi, & De Gicomo 2007) do not ddress the bove cses, since they ssume tht controllers lwys del with fully relible modules. As consequence, upon ny of the bove filures, we re only left with the option of re-plnning from scrtch for whole new controller. Wht we shll propose in the reminder of this pper is n lterntive wy of solving the composition problem (i.e., synthesizing controllers) tht is intrinsiclly more robust. Roughly speking, this lterntive pproch dels with unexpected filures by suitbly refining the solution t hnd, either on-the-fly (for cses (), (b), nd (c)), or prsimoniously (for cses (d) nd (e)), thus voiding full re-plnning. 1 Obviously, we ssume n infrstructure tht is ble to distinguish between these filures. Composition vi Simultion Let us next present our pproch for synthesizing composition solutions tht re suitble for deling with fults. Such n pproch is inspired by tht presented in (Berrdi et l. 2008), developed in the context of service composition nd bsed on the stndrd notion of simultion (Milner 1971; Henzinger, Henzinger, & Kopke 1995). Intuitively, (trnsition) system S 1 simultes nother system S 2 if it (i.e., S 1 ) is ble to mtch ll of S 2 s moves. Due to (devilish) nondeterminism of the vilble behviors nd the environment, we cnnot use the off-the-shelf notion of simultion, but vrint which we cll ND-simultion. Let S = B 1,..., B n, E be system, B t be the trget behvior over E, nd let T S = S S, A, {1,..., n}, s S0, δ S nd T t = S t, A, s t0, δ t be the encted system nd encted trget behviors corresponding to S nd B t, respectively. An ND-simultion reltion of T t by T S is reltion R S t S S, such tht s t, s S R implies: 1. env(s t ) = env(s S ); 2. for ll A, there exists k {1,..., n} such tht for ll trnsitions s t s t in T t :,k there exists trnsition s S s S in T S with env(s S ) = env(s t); nd,k for ll trnsitions s S s S in T S with env(s S ) = env(s t), we hve s t, s S R. In words, if pir is in the ND-simultion, then (i) they shre the sme environment; nd (ii) for ll moves of the trget (with respect to the environment), there exists behvior B k, which regrdless of its nondeterminism, lwys evolves to successor stte which is still in the ND-simultion reltion with the trget. Intuitively, the (encted) system cn mtch every possible move of the (encted) trget. We sy tht stte s t S t is ND-simulted by stte s S S S (or s S ND-simultes s t ), denoted s t s S, iff there exists n ND-simultion R of T t by T S such tht s t, s S R. Observe tht this is coinductive definition. As result, the reltion is itself n ND-simultion, nd it is in fct the lrgest ND-simultion reltion, i.e., ll ND-simultion reltions re contined in. The lrgest ND-simultion cn be computed by the following NDS lgorithm. Algorithm 1 NDS(T t, T S ) Lrgest ND-Simultion 1: R := S t S S \ { s t, s S env(s t ) env(s S )} 2: repet 3: R := (R \ C), where C is the set of s t, s S R such tht there exists A for which for ech k there is trnsition s t s t in T t such tht either: () there is no trnsition s S,k s S in T S such tht env(s t) = env(s S ); or (b),k there exists trnsition s S s S in T S such tht env(s t) = env(s S ) but s t, s S R. 4: until (C = ) 5: return R Roughly speking, the lgorithm works by itertively re-

6 t 1 e 1 t 5 e 1 t 4 dispose t 3 t 2 t dispose 5 t 4 t 3 e 4 ENACTED TARGET ARM T BT, B, B, C e 4 131, A, A, B e 1, B e 1, C, B e 131, B 2, B, B ENACTED SYSTEM BEHAVIOR T S, B, C, B e 4 232, C, C, C e Figur: The lrgest ND-simultion reltion between the encted trget behvior T BT nd ( prt of) the encted system behvior T S is shown using ptterns. A stte in T S ND-simultes the sttes in T BT tht shres its pttern, e.g., 1, b 3, c 1, in T S ND-simultes stte t 4, in T BT. Dshed sttes in T S ND-simulte no stte in T BT (e.g., stte 1, b 1, c 1, ). moving those tuples for which the conditions of the NDsimultion definition do not pply. Exmple 4. Figur shows frgment of the lrgest NDsimultion reltion for our ing blocks-world exmple. For instnce, stte 1, b 3, c 2, in T S ND-simultes stte t 2, in T BT, shown in the picture by the sme filling pttern. So, every conceivble ction tken in t 2, cn be replicted in 1, b 3, c 2,, nd moreover, this property propgtes to the new resulting sttes. Observe tht stte 1, b 1, c 1, e 1 in T S ND-simultes two sttes in T BT : t 1, e 1 nd t 5, e 1. The next result shows tht checking for the existence of composition cn be reduced to checking whether there exists n ND-simultion between the encted trget nd the encted system tht includes their respective initil sttes. Theorem 1. Let S = B 1,..., B n, E be system nd B t trget behvior over E. Let T t = S t, A, s t0, δ t nd T S = S S, A, {1,..., n}, s S0, δ S be the encted trget behvior nd the encted system behvior for B t nd S, respectively. A controller P for system S tht is composition of the trget behvior B t over E exists iff s t0 s S0. Proof (sketch). We prove the two directions seprtely. If. Given s t0 s S0 we show how to build controller P tht is composition. We proceed s follows. We observe tht given history h, we cn extrct the resulting stte of the encted system s S s lst(h). Moreover, we cn extrct the sequence of ctions performed in h nd the resulting environment stte, nd hence the stte of the encted trget behvior, sy s t. Now, if tuple s t, s S is in the lrgest NDsimultion, tht is s t s S, then for every ction A tht the trget my execute in s t, there is some index k which mintins the ND-simultion. We then define P (h, ) = k. If, insted s t s S, then function P (h, ) cn ssume ny vlue, in prticulr, P (h, ) = u. It cn be shown tht such controller P is indeed composition. Only-if. We ssume there exists controller P tht is composition. Let us define reltion R s the set of tuples s t, s S for which there exists history h obtined by running controller P from the initil stte s S0 such tht the resulting sttes of the encted trget nd the encted system fter history h re s t nd s S, respectively. It cn be shown tht such reltion R is indeed n ND-simultion of T t by T S nd therefore R. As result, considering tht s t0, s S0 R (by just tking h to be the initil history where no ction hs yet been performed), it follows tht s t0 s S0, hence the thesis holds. Theorem 1 gives us strightforwrd method for checking the existence of composition. Nmely: (i) compute the lrgest ND-simultion reltion of T t by T S ; nd (ii) check whether s t0, s S0 is in this reltion. From the computtionl point of view, the lgorithm NDS bove computes the lrgest ND-simultion reltion between T t nd T S in polynomil time in the size of T t nd T S. Since in our cse the number of sttes of T S is exponentil in the number of vilble behviors B 1,..., B n, we get tht we cn compute the lrgest ND-simultion reltion in exponentil time in the number of vilble behviors. As result, the new technique is notble improvement with respect to the ones bsed on reduction to PDL (De Gicomo & Srdin 2007; Srdin, Ptrizi, & De Gicomo 2007), which re exponentil lso in the number of sttes of the behviors nd of the environment. 2 Theorem 2. Checking for the existence of compositions by computing the lrgest ND-simultion reltion cn be done 2 Though in light of the result in here, better complexity nlysis involving the specific PDL stisfibility procedures could be crried out.

7 in polynomil time in the number of sttes of the vilble behviors, of the environment, nd of the trget behvior, nd in exponentil time in the number of vilble behviors. Considering tht the composition problem itself is EXPTIME-hrd (Muscholl & Wlukiewicz 2007), this is the best we cn hope for. Once we hve computed the ND-simultion, synthesizing controller becomes n esy tsk. In fct, there is welldefined procedure tht, given n ND-simultion, builds finite stte progrm tht returns, t ech point, the set of vilble behviors cpble of performing trget-conformnt ction. We cll such progrm controller genertor. Formlly, let S = B 1,..., B n, E be system, B t trget behvior over E, nd let T S = S S, A, {1,..., n}, s S0, δ S nd T t = S t, A, s t0, δ t be the encted system behvior nd the encted trget behvior corresponding, respectively, to S nd B t. The controller genertor (CG) of S for B t is tuple CG = Σ, A, {1,..., n},, ω, where: 1. Σ = { s t, s S S t S S s t s S } is the set of sttes of CG, formed by those pirs of T t s nd T S s sttes tht re in the lrgest ND-simultion reltion; given stte σ = s t, s S we denote s t by com t (σ) nd s S by com S (σ). 2. A is the finite set of shred ctions. 3. {1,..., n} is the finite set of vilble behvior indexes. 4. Σ A {1,..., n} Σ is the trnsition reltion, where σ,, k, σ, or σ,k σ in CG, iff com t (σ) com t (σ ) in T t ; com S (σ),k com S (σ ) in T S ; for ll com S (σ),k s S in T S, com t (σ ), s S Σ. 5. ω : Σ A 2 {1,...,n} is the output function, where ω(σ, ) = {k σ s.t. σ,k σ in CG}. Thus, CG is finite stte trnsducer tht, given n ction (complint with the trget behvior), outputs, through function ω, the set of ll vilble behviors tht cn perform next ccording to the lrgest ND-simultion. Observe tht computing CG from the reltion is esy, since it involves checking locl conditions only. If there exists composition of B t by S, then s t0 s S0 nd CG does include stte σ 0 = s t0, s S0. In such cses, we get ctul controllers, clled generted controllers, which re compositions of B t by S, by picking up, t ech step, one vilble behvior mong those returned by ω in CG. Formlly we proceed s follows. A trce for CG strting from σ 0 is finite or infinite sequence of the form σ 0 1,k σ 1 2,k 2, such tht σ j+1,k j+1 j σ j+1 in CG, for ll j. A history for CG strting from stte σ 0 is prefix of trce strting from stte σ 0. By using histories, one cn introduce CG-controllers, which re functions CGP CHOOSE : H CG A {1,..., n, u}, where H CG is the set of CG histories strting from ny stte in Σ, nd defined s follows: CGP CHOOSE (h CG, ) = CHOOSE(ω(lst(h CG ), )), for ll h CG H CG, where CHOOSE stnds for choice function tht chooses one element mong those returned by ω(lst(h CG ), )). Let us ssume tht the controller genertor CG of S for B t includes stte σ 0 = s t0, s S0. Then, for ech CG s history h CG = σ 0 1,k l,k l σ l strting from σ 0 = σ 0, we cn obtin its corresponding system history proj S (h CG ), clled the projected system history, s follows: proj S (h CG ) = com S (σ 0 ) 1,k l,k l com S (σ l ), i.e., we tke the system component of ech CG stte σ i in the history. Moreover, from CG-controller CGP CHOOSE, we obtin the corresponding generted controller s the function P CHOOSE : H A {1,..., n, u}, where H is the set of system histories strting from s S0, defined s follows. For ech system history h nd ction : (i) if h = proj S (h CG ) for some CG history h CG, then P CHOOSE (h, ) = CGP CHOOSE (h CG, ); else (ii) P CHOOSE (h, ) = u. Through generted controllers, we cn relte CGs to compositions nd show tht, one gets ll controllers tht re compositions by considering ll choice functions for CHOOSE. Notbly, while ech specific composition my be n infinite stte progrm, the controller genertor CG, which in fct includes them ll, is lwys finite. Theorem 3. If CG includes the stte σ 0 = s t0, s S0, then every controller generted by CG is composition of the trget behvior B t by system S. Theorem 4. Every controller tht is composition of the trget behvior B t by system S cn be generted by CG. Intuitively, CG is nlogous to sort of met-pln or stteful nondeterministic complete universl pln, which keeps ll the existing plns t its disposl nd decides which one to follow for the next ction, possibly with contingent decisions. Exmple 5. The controller genertor (CG), with the lrgest ND-simultion t hnd, cn decide how to delegte ctions s the trget rm B T s requests come in. For instnce, if ction is requested fter block hs been d, the CG knows it ought to delegte such request to rm B A so s to sty within the ND-simultion. While physiclly possible, delegting such ction to rm B B would bring the encted system into stte 1, b 1, c 1, which is known not to be in ND-simultion with the (encted) trget. Rective Adptbility Next we show tht Theorems 3 nd 4 give us sound nd complete technique for deling with filure cses (), (b), nd (c) without ny re-plnning. As mtter of fct, once we hve the controller genertor CG, ctul compositions cn be generted just-in-time, s (trget complint) ctions re requested. Wht is prticulrly interesting bout CG-controllers is tht one cn dely the choice performed by CHOOSE until run-time, where one cn tke into ccount contingent informtion, e.g., bout vilbility of behviors. This gives the controller gret flexibility, which, in sense, cn switch compositions online s needed. We cll such CG-controller, just-in-time CG-controller, nd denote it by CGP jit.

8 Freezing of behviors CGP jit lredy ddresses temporry freezing of behviors, i.e., filure cse (). In prticulr, if behvior is temporrily frozen, then CGP jit simply voids choosing it, nd continues with one of the other possible choices. 3 Obviously, if no other choices re possible, then CGP jit shll wit for the behvior to come bck. Stte chnge of behviors nd environment CGP jit lso ddresses unexpected chnges in the internl stte of behviors nd/or of the environment, tht is, filure cses (b) nd (c). 4 To understnd this, let us denote by T S (z S ) the vrint of the encted system behvior whose initil stte is z S insted of s S0. Similrly, let us denote by T t (z t ) the encted trget behvior whose initil stte is z t insted of s t0. Now suppose tht the stte of the encted system behvior chnges, unexpectedly, to stte ŝ S, due to chnge of the stte of behvior (or set of behviors) nd/or of the environment. Then, if s t is the stte of the trget when the filure hppened, one should recompute the composition with the system strting from ŝ S nd the trget strting from ŝ t, where ŝ t is just s t with its environment stte replced by the one in ŝ S (note ŝ t = s t for filures of type (b)). Observe, though, tht ND-simultion reltions re independent from the initil sttes of both the trget nd the system. Therefore, the lrgest ND-simultion between T t (ŝ t ) nd T S (ŝ S ) is the ND-simultion we lredy hve. This implies tht we cn still use the very sme controller genertor CG (nd the sme just-in-time CG-controller CGP jit s well), with the gurntee tht ll compositions of the system vrint for the trget vrint, if ny, re still cptured by CG (nd CGP jit too). Put it ll together, we only need to check whether ŝ t ŝ S, nd, if so, continue to use CGP jit (now from the CG history of length 0: ŝ t, ŝ S ). Exmple 6. Upon n unexpected chnge in the system, in the environment or ny vilble behvior, the CG cn rect/dpt to the chnge immeditely. For instnce, suppose the trget is in stte t 3, the environment in stte, nd the vilble behviors B A, B B, nd B C re in their sttes 2, b 2, nd c 2, respectively. Tht is, T BT is in stte t 3, wheres T S is in stte 2, b 2, c 1,. Suppose tht, in n unexpected wy, the environment hppens to chnge to stte someone hs re-chrged the wter tnk. All tht is needed in such cse is to check tht the new sttes of T BT nd T S, nmely t 3, nd 2, b 2, c 1,, re still in the ND-simultion. Since they re, the CG continues the reliztion of the trget from such (new) encted sttes. Computing rective compositions on-the-fly We close the section by observing tht CGP jit, tht is CGP CHOOSE with CHOOSE resolved t run-time, (nd CG for the mtter) cn be computed on-the-fly by storing only the NDsimultion. In fct, t ech point, the only informtion required for the next choice is ω(σ, ), where σ Σ (recll 3 If more informtion is t hnd, CGP jit my use it to choose in n informed wy, though this is out of the scope of this pper. 4 Although hrdly s meningful s the ones bove, unforeseen chnges in the trget s stte cn be ccounted for in similr wy. Σ = ) is formed by the current stte of the encted trget behvior nd tht of the encted system behvior. Now, in order to compute ω(σ, ) we only need to know. Prsimonious Refinement When considering filure cses (d) nd (e), simple rective pproch is not sufficient nd more complex refinement techniques re required. We show then how to do the composition refinement in n intelligent mnner. Let us strt by defining prmetric version of the lgorithm for computing the lrgest ND-simultion. Such version, clled NDSP, tkes two extr prmeters: R init, the strting reltion from which the lrgest ND-simultion is extrcted; nd R sure, reltion contining tuples lredy known to be in the NDsimultion to be computed. Algorithm 2 NDSP(T t, T S, R init, R sure ) 1: R := R init \ R sure 2: R := R \ { s t, s S env(s t ) env(s S )} 3: repet 4: R := (R \ C), where C is the set of s t, s S R such tht there exists A for which for ech k there is trnsition s t s t in T t such tht either: () there is no trnsition s S,k s S in T S such tht env(s t) = env(s S ); or (b),k there exists trnsition s S s S in T S such tht env(s t) = env(s S ) but s t, s S R R sure. 5: until (C = ) 6: return R R sure The next result shows tht the output of lgorithm NDSP coincides with tht of NDS, provided its two new prmeters re used dequtely. Lemm 5. Let S be system nd B t trget behvior. If R sure NDS(T t, T S ) R init, then NDSP(T t, T S, R init, R sure ) = NDS(T t, T S ). Proof (sketch). Let R i 1 nd R i 2 be the sets representing R in lgorithms NDS nd NDSP, respectively, fter i repet-loop itertions. It cn be shown, by induction on i, tht R i 2 R sure R i 1 NDS(T t, T S ) nd tht NDS(T t, T S ) R i 2 R sure. Hence, since t the limit R i 2 R sure = NDSP(T t, T S, R init, R sure ), the thesis follows. Next, we introduce convenient nottions to shrink nd expnd systems nd ND-simultion reltions. Consider system S = B 1,..., B n, E nd set of behvior indexes W {1,..., n}. We denote by S(W ) the system derived from S by considering only (i.e., projecting on) ll behviors B i such tht i W (note S = S({1,..., n})). Let T t be n encted trget behvior over E. We denote by W the lrgest ND-simultion reltion of T t by T S(W ). Let U {1,..., n} such tht W U =. We denote by W U, the reltion obtined from W by (trivilly) putting ll behviors B i, with i U, bck into the system. Formlly, we cn define such opertion s follows

9 (without loss of generlity, ssume W = {1,..., l} nd U = {l + 1,..., m}): W U = { s t, s s = b 1,..., b l, b l+1,..., b m, e such tht s t, b 1,..., b l, e W nd b i is stte of B i, for i {l + 1,..., m} }. When putting bck set of behviors into the system in this wy, we re gurnteed to (lredy) get n NDsimultion for the (expnded) system S(W U). Observe, however, tht it my not necessrily be the lrgest one. Lemm 6. Let W, U {1,..., n} such tht W U =. Then, W U W U ; W U is n ND-simultion of T t by T S(W U). Proof. Without loss of generlity, tke W = {1,..., l}, nd U = {l + 1,..., m}. Suppose tht t, e, b 1,..., b l, b l+1,..., b m, e W U. Due to the definition of opertion, it is the cse tht t, e W b 1,..., b l, e. This mens tht e = e nd tht for ech A, there exists index k W stisfying the requirements of the NDsimultion definition for system S(W ). Clerly then t, e W U b 1,..., b l, b l+1,..., b m, e. Indeed, e = e, nd for every A, the sme index k would lso stisfy the requirements of the ND-simultion definition for system S(W U) the new behviors re not used nd they cnnot remove cpbilities of the other behviors. This shows tht W U is n ND-simultion of T t by T S(W U), nd hence, W U W U, s W U is the lrgest ND-simultion of T t by T S(W U). Let F W be the (indexes of the) behviors tht hppen to become permnently unvilble. We denote by W F the reltion obtined from W by projecting out ll (filed) behviors B i such tht i F. Interestingly, the new lrgest ND-simultion fter filure is in fct contined in the reltion obtined by merely projecting out the filed components from the ND-simultion t hnd right before the filure. Specificlly, we hve: Lemm 7. Let W, F {1,..., n} such tht F W. Then, W \F W F ; W F my not be n ND-simultion of T t by T S(W \F ). Proof. By Lemm 6, (W \F ) F (W \F ) F, tht is, (W \F ) F W. By projecting out F on both reltions, we get (W \F ) F F W F. Then, since X X = for ny nd X, (W \F ) W F follows. It is immedite to find cses where the continment is proper, nd hence the second prt follows. Notice tht despite W being the lrgest ND-simultion when the behviors in W re ctive, the projected reltion W F is not necessrily even n ND-simultion reltion for (contrcted) system S(W \ F ). Permnent unvilbility When behvior becomes permnently unvilble (cf. cse (d)), one cnnot rely on witing for it to resume when the composition relly needs it. Insted, one cn either continue the composition nd just hope for the best, tht is, hope tht the filed behvior will not be required, or one cn refine the current composition to continue gurnteeing the full reliztion of the trget. The following theorem guides such refinement. Due to Lemm 7, it is enough just to strt the NDSP lgorithm from the reltion obtined by merely projecting out the filed components, generlly resulting in substntilly less lgorithm itertions. Indeed, s behviors become unvilble, the effort to obtin the new lrgest ND-simultion reltion is systemtic nd incrementl in tht no tuples tht were previously discrded will be considered. Theorem 8. Let S = B 1,..., B n, E be system nd B t trget behvior over E. Let W {1,..., n} be the (indexes of the) behviors currently working in S, nd let F {1,..., n}, with F W, be the (indexes of the) behviors tht become permnently unvilble. Then, (W \F ) = NDSP(T t, T S(W \F ), W F, β), for every β such tht β (W \F ). Proof. It follows from Lemms 5 nd 7. Exmple 7. Suppose tht rm B T is being successfully relized by mens of controller P 1. At some point, however, rm B B suddenly breks down in stte b 3, just fter ing block. With B B out, controller P 1 cnnot gurntee the trget nymore. Interestingly, though, controller P 2 cn now keep relizing B T from the new (unexpected) sub-system. To hndle such filure cse, first behvior B B is projected out from the ND-simultion reltion {A,B,C}, thus getting {A,B,C} {B}. Then, the new lrgest ND-simultion reltion is computed using NDSP nd strting from reltion {A,B,C} {B}, thus getting {A,C}, see picture below., C e 4 SIMULATION WITHOUT ARM B B 2 1, C e 1 1 1, C, C, C, C e Observe tht tuple t 3,, 2, c 1, would indeed be in reltion {A,B,C} {B}, but it would lter be

10 filtered out by the NDSP lgorithm the originl tuple t 3,, 2, b 2, c 1, {A,B,C} relied on B B for mintining the ND-simultion. Finlly, if rm B B hppens to resume, then the CG comes bck to the ND-simultion of Figur. Resumed behviors Consider now the cse in which while behviors with indexes in W re currently operting, some behviors tht re supposed to be permnently unvilble, unexpectedly become vilble gin, cf. cse (e). Let the indexes of such behviors be U, with U W =. Obviously, this could never reduce the cpbilities of the whole system, but could enhnce it with more choices. To exploit them, one needs to compute the new lrgest ND-simultion (W U). In doing so, one cn leverge on the fct tht (W U) contins the reltion W U (cf. Lemm 6) by completely voiding considertion (for potentil filtering) of those tuples in W U, tht is, we pss those tuples s the sure set to the NDSP lgorithm. Theorem 9. Let S = B 1,..., B n, E be system nd B t trget behvior over E. Let W {1,..., n} be the (indexes of the) behviors currently working in S, nd U {1,..., n}, with W U =, be the (indexes of the) resumed behviors. Then, (W U) = NDSP(T t, T S(W U), α, W U), for every α such tht (W U) α. Proof. It follows from Lemms 5 nd 6. Observe tht U could even include new behviors not included in {1,..., n} the thesis of Lemm 6 would still hold. Reusing previous computed ND-simultions Suppose tht we hve lredy computed nd stored the NDsimultions for the sets of indexes in W (of course, {1,..., n} W), nd suppose we re to compute the NDsimultion W for W W. Let us then define: ᾱ = {W W W } W (W \W ); β = {W W W } W (W \ W ); where W W nd W W stnd for the set of tightest supersets nd subsets, respectively, of W in W, nmely: W W = {W W W W V W.W V V W }; W W = {W W W W V W.V W W V }. Then, by using the bove Theorems 8 nd 9 we get tht: W = NDSP(T t, T S(W ), ᾱ, β). Notice tht by using NDSP(T t, T S, ᾱ, β) to compute W, we mximlly reuse the computtions lredy done to devise other ND-simultions. Of course, once we hve computed W, we cn immeditely compute CGP jit on-the-fly s before. Conclusions In this pper, we presented simultion-bsed technique for behvior composition (De Gicomo & Srdin 2007) which rdiclly deprts from previous pproches. Such technique is substntil improvement over the previous ones from the complexity-theoretic perspective (it is exponentil in the number, nd not the size, of the vilble behviors). More importntly, it produces flexible solutions tht re redy to hndle exceptionl circumstnces unforeseen t specifiction time, voiding re-plnning ltogether in significnt cses nd bounding it in others. We remrk tht the proposed technique is quite suitble for optimized implementtions. First, optimized techniques exist for computing simultion, such s those in (Henzinger, Henzinger, & Kopke 1995; Tn & Clevelnd 2001; Gentilini, Pizz, & Policriti 2003), nd implemented in systems such s CWB-NC. 5 Second, it is known tht reltionship exists between simultion nd checking invrince properties in temporl-logic-bsed model checkers nd synthesis systems, see e.g., (Vrdi & Fisler 1999; Asrin et l. 1998). In fct, we re currently implementing the technique proposed in this pper using the synthesis system TLV, 6 see e.g., (Pitermn, Pnueli, & S r 2006). Another option would be to exploit ATL-bsed verifiers, such s Moch, 7 which cn check gme-structures for properties such s invrints, nd extrct winning strtegies for them, see e.g., (Alur, Henzinger, & Kupfermn 2002). the The kind of filures we hve considered here cn be seen s core forms of brech-of-contrct with respect to the specifiction. Of course other forms of filures re possible (Tripthi & Miller 2001; Pettersson 2005; Mrin, Bertier, & Sens 2003), but they essentilly ssume more informtion t hnd upon filure, e.g., module my stte unvilbility durtion nd/or the stte, or possible sttes, it will join bck. Moreover, such dditionl informtion my be of sttisticl or probbilistic nture. Exploiting such informtion for filure rection opens interesting directions for future work. require more informtion unvilbility durtion nd/or the stte, or possible bck, cf Conclusions. Acknowledgments The uthors would like to thnk the nonymous reviewers for their interesting comments. The first uthor ws supported by the Austrlin Reserch Council nd Agent Oriented Softwre (grnt LP ), nd the Ntionl Science nd Engineering Reserch Council of Cnd under PDF fellowship. The other uthors were prtilly supported by the the Europen FET bsic reserch project FP Thinking Ontologies (TONES). References Alur, R.; Henzinger, T. A.; nd Kupfermn, O Alternting-time temporl logic. Journl of the ACM 49(5): cwb/ moch/

11 Asrin, E.; Mler, O.; Pnueli, A.; nd Sifkis, J Controller synthesis for timed utomt. In Proceedings of the IFAC Conference on System Structure nd Control, Berrdi, D.; Clvnese, D.; De Gicomo, G.; Hull, R.; nd Mecell, M Automtic composition of trnsitionbsed semntic web services with messging. In Proceedings of the Interntionl Conference on Very Lrge Dt Bses (VLDB), Berrdi, D.; Cheikh, F.; De Gicomo, G.; nd Ptrizi, F Automtic service composition vi simultion. Interntionl Journl of Foundtions of Computer Science 19(2): Clrke, E. M.; Grumberg, O.; nd Peled, D. A Model checking. Cmbridge, MA, USA: The MIT Press. De Gicomo, G., nd Srdin, S Automtic synthesis of new behviors from librry of vilble behviors. In Proceedings of the Interntionl Joint Conference on Artificil Intelligence (IJCAI), Gentilini, R.; Pizz, C.; nd Policriti, A From bisimultion to simultion: Corsest prtition problems. Journl of Automed Resoning 31(1): Georgeff, M. P., nd Lnsky, A. L Rective resoning nd plnning. In Proceedings of the Ntionl Conference on Artificil Intelligence (AAAI), Ghllb, M.; Nu, D.; nd Trverso, P Automted Plnning: Theory nd Prctice. Morgn Kufmnn. Grosz, B. J., nd Krus, S Collbortive plns for complex group ction. Artificil Intelligence Journl 86(2): Hrel, D.; Kozen, D.; nd Tiuryn, J Dynmic Logic. The MIT Press. Henzinger, M. R.; Henzinger, T. A.; nd Kopke, P. W Computing simultions on finite nd infinite grphs. In Procedings of th6th Annul Symposium on Foundtions of Computer Science (FOCS), Ktz, M. J., nd Rosenschein, J. S The genertion nd execution of plns for multiple gents. Computers nd Artificil Intelligence 12(1):5 35. Kupfermn, O., nd Vrdi, M. Y Module checking. In Proceedings of the 8th Interntionl Conference on Computer Aided Verifiction (CAV), London, UK: Springer-Verlg. Mrin, O.; Bertier, M.; nd Sens, P Drx - A frmework for the fult tolernt support of gent softwre. In Proceedings of the 14th IEEE Interntionl Symposium on Softwre Relibility Engineering (ISSRE). McIlrith, S., nd Son, T. C Adpting Golog for progrmming the semntic web. In Principles of Knowledge Representtion nd Resoning (KR), Milner, R An lgebric definition of simultion between progrms. In Proceedings of the Interntionl Joint Conference on Artificil Intelligence (IJCAI), Muscholl, A., nd Wlukiewicz, I A lower bound on web services composition. In Proceedings of the 10th Int. Conf. on Foundtions of Softwre Science nd Computtion Structures (FoSSCS), volume 4423 of Lecture Notes in Computer Science (LNCS). Springer. Pettersson, O Execution monitoring in robotics: A survey. Robotics nd Autonomous Systems 53(2): Pitermn, N.; Pnueli, A.; nd S r, Y Synthesis of rective(1) designs. In Emerson, E. A., nd Nmjoshi, K. S., eds., Proceedings of the Interntionl Conference on Verifiction, Model Checking, nd Abstrct Interprettion (VMCAI), volum855 of Lecture Notes in Computer Science (LNCS), Chrleston, SC, USA: Springer. Pnueli, A., nd Rosner, R On the synthesis of rective module. In Proceedings of the ACM SIGPLAN- SIGACT Symposium on Principles of Progrmming Lnguges, Srdin, S.; Ptrizi, F.; nd De Gicomo, G Automtic synthesis of globl behvior from multiple distributed behviors. In Proceedings of the Ntionl Conference on Artificil Intelligence (AAAI), Tn, L., nd Clevelnd, R Simultion revisited. In In Proceedings of Tools nd Algorithms for the Construction nd Anlysis of Systems (TACAS), volum031 of LNCS, Tripthi, A., nd Miller, R Exception hndling in gent-oriented systems. In Exception Hndling, volume 2022 of Lecture Notes in Computer Science (LNCS), Springer-Verlg. Vrdi, M., nd Fisler, K Bisimultion nd model checking. In Proceedings of the Conference on Correct Hrdwre Design nd Verifiction Methods (CHARME),