Technical Report: Model-Checking for Resource-Bounded ATL with Production and Consumption of Resources

Several logics for expressing coalitional ability under resource bounds have been proposed and studied in the literature. Previous work has shown that if only consumption of resources is considered or the total amount of resources produced or consumed on any path in the system is bounded, then the model-checking problem for several standard logics, such as Resource-Bounded Coalition Logic (RB-CL) and Resource-Bounded Alternating-Time Temporal Logic (RB-ATL) is decidable. However, for coalition logics with unbounded resource production and consumption, only some undecidability results are known. In this paper, we show that the model-checking problem for RB-ATL with unbounded production and con- sumption of resources is decidable but EXPSPACE-hard. We also investigate some tractable cases and provide a detailed comparison to a variant of the resource logic RAL, together with new complexity results.


Introduction
Alternating-Time Temporal Logic (ATL) [1] is widely used in verification of multi-agent systems. ATL can express properties related to coalitional ability, for example, one can state that a group of agents A has a strategy (a choice of actions) such that whatever the actions by the agents outside the coalition, any computation of the system generated by the strategy satisfies some temporal property. A number of variations on the semantics of ATL exist: agents may have perfect recall or be memoryless, and they may have full or partial observability. In the case of fully observable models and memoryless agents, the model-checking problem for ATL is polynomial in the size of the model and the formula, while it is undecidable for partially observable models where agents have perfect recall [2]. Additionally, even in the simple case of fully observable models and memoryless agents, the complexity increases substantially if the model-checking problem takes into account models with compact (implicit) representations [2].
In this paper, we consider an extension of perfect recall, fully observable ATL where agents produce and consume resources. The properties we are interested in are related to coalitional ability under resource bounds. Instead of asking whether a group of agents has a strategy to enforce a certain temporal property, we are interested in whether the group has a strategy that can be executed under a certain resource bound (e.g., if the agents have at most b 1 units of resource r 1 ✩ This work was supported by the Engineering and Physical Sciences Research Council [grants EP/K033905/1 and EP/K033921/1]. and b 2 units of resource r 2 ). Clearly, some actions may no longer be used as part of the strategy if their cost exceeds the bound. There are several ways in which the precise notion of the cost of a strategy can be defined. For example, one can define it as the maximal cost of any path (computation of the system) generated by the strategy, where the cost of a path is the sum of resources produced and consumed by actions on the path. We have chosen a different definition which says that a strategy has a cost at most b if for every path generated by the strategy, every prefix of the path has cost at most b. This means that a strategy cannot, for example, start with executing an action that consumes more than b resources, and then 'make up' for this by executing actions that produce enough resources to bring the total cost of the path under b. It is however possible to first produce enough resources, and then execute an action that costs more than b, so long as the cost of the path is less than b.
There are also many choices for the precise syntax of the logic and the truth definitions of the formulas. For example, in [3] several versions are given, intuitively corresponding to considering resource bounds both on the coalition A and the rest of the agents in the system, considering a fixed resource endowment of A in the initial state which affects their endowment after executing some actions, etc. In this paper we give a precise comparison of our logic with the variants of L RAL introduced in [3], and in the process solve an open problem stated in [3]. In [4,5] different syntax and semantics are considered, in which the resource endowment of the whole system is taken into account when evaluating a statement concerning a group of agents A. As observed in [3], subtle differences in truth conditions for resource logics result in the difference between decidability and undecidability of the model-checking problem. In [3], the undecidability of several versions of the logics is proved. Recently, even more undecidability results were shown in [6]. The only decidable cases considered in [3] are an extension of Computation Tree Logic (CTL) [7] with resources (essentially one-agent ATL) and the version where on every path only a fixed finite amount of resources can be produced. Similarly, [4] gives a decidable logic, PRB-ATL (Priced Resource-Bounded ATL), where the total amount of resources in the system has a fixed bound. The model-checking algorithm for PRB-ATL runs in time polynomial in the sizes of the model and the formula, and exponential in the number of resources and the size of the representation (if in binary) of the resource bounds. In [5] an EXPTIME lower bound in the number resources and in the size of the representation (if in binary) of the resource bounds is shown.
The structure of this paper is as follows. In sections 2, 3, and 4, we introduce Resource-Bounded ATL with production and consumption of resources, a model-checking algorithm for it, and prove that the model-checking problem is EXPSPACE-hard. This part of the paper extends [8]. In section 5 we discuss two special cases with feasible model-checking, one of them being a generalisation of the model-checking algorithm for (production-free) RB-ATL introduced in [9] to unbounded resources. In section 6 we give a detailed comparison with the logics in [3] and show that for one of them the model-checking problem is decidable, solving an open problem stated in [3]. 1

Syntax and semantics of RB±ATL
The logic RB-ATL was introduced in [9]. Here we generalise the definitions from [9] to allow for production as well as consumption of resources. To avoid confusion with the consumption-only version of the logic from [9], we refer to RB-ATL with production and consumption of resources as RB±ATL.
Let Agt = {a 1 , . . . , a n } be a set of n agents, Res = {res 1 , . . . , res r } be a set of r resources, be a set of propositions and B = N r ∞ be a set of resource bounds where N ∞ = N ∪ {∞}.
Formulas of RB±ATL are defined by the following syntax φ, ψ :: where p ∈ is a proposition, A ⊆ Agt, and b ∈ B is a resource bound. Here, A b φ means that a coalition A can ensure that the next state satisfies φ under resource bound b. A b 2φ means that A has a strategy to make sure that φ is always true, and the cost of this strategy is at most b. Similarly, A b φ U ψ means that A has a strategy to enforce ψ while maintaining the truth of φ, and the cost of this strategy is at most b.
We extend the definition of a concurrent game structure with resource consumption and production.

Definition 1.
A resource-bounded concurrent game structure (RB-CGS) is a tuple M = (Agt, Res, S, , π, Act, d, c, δ) where: • Agt is a non-empty set of n agents, Res is a non-empty set of r resources and S is a non-empty set of states; • is a finite set of propositional variables and π : → ℘ (S) is a truth assignment which associates each proposition in with a subset of states where it is true; 1 Intuitively, the main difference between our logic (with a decidable model-checking problem) and a version of RAL from [3] where the model-checking problem is undecidable under infinite semantics (considering only infinite computations) is that in our logic, each agent always has an option of executing an idle action that does not consume any resources. This means that a finite strategy which conforms to a resource bound and enforces a particular outcome can always be extended to an infinite strategy by choosing the idle action. The model-checking problem for the same version of RAL but under finite semantics (considering finite computations) turns out also to be decidable, and a model-checking algorithm for it is obtained as an easy adaptation of the model-checking algorithm for our logic.
• Act is a non-empty set of actions which includes idle, and d : S × Agt → ℘ (Act) \ {∅} is a function which assigns to each s ∈ S a non-empty set of actions available to each agent a ∈ Agt. For every s ∈ S and a ∈ Agt, idle ∈ d(s, a). We denote joint actions by all agents in Agt available at s by D(s) = d(s, a 1 ) × · · · × d(s, a n ); • c : S × Agt × Act → Z r is a partial function which maps a state s, an agent a and an action α ∈ d(s, a) to a vector of integers, where the integer in position i indicates consumption or production of resource res i by the action (positive value for consumption and negative value for production). We stipulate that c(s, a, idle) =0 for all s ∈ S and a ∈ Agt, where 0 = 0 r ; • δ : S × Act |Agt| → S is a partial function that maps every s ∈ S and joint action σ ∈ D(s) to a state resulting from executing σ in s.
Given a RB-CGS M, we denote the set of all infinite sequences of states (infinite computations) by S ω and the set of non-empty finite sequences (finite computation) of states by S + . For a computation λ = s 0 s 1 . . . ∈ S ω we use the notation Given a RB-CGS M and a state s ∈ S, a joint action by a coalition A ⊆ Agt is a tuple σ = (σ a ) a∈ A (where σ a is the action that agent a executes as part of σ , the ath component of σ ) such that σ a ∈ d(s, a). The set of all joint actions for A at state s is denoted by D A (s). Given a joint action by the grand coalition σ ∈ D(s), σ A (a projection of σ on A) denotes the joint action executed by A as part of σ : σ A = (σ a ) a∈ A . The set of all possible outcomes of a joint action σ ∈ D A (s) at state s is: In the sequel, we use the usual point-wise notation for vector comparison and addition. In particular, Given a function f returning a vector, we also denote by f i the function that returns the i-th component of the vector returned by f .
The cost of a joint action σ ∈ D A (s) is defined as cost A (s, σ ) = a∈ A c(s, a, σ a ) and the subscript A is omitted when Given a RB-CGS M, a strategy for a coalition A ⊆ Agt is a mapping F A : S + → Act |A| such that, for every λs Note that this definition implies that the cost of every prefix of the computation is below b.
The set of all computations starting from state s that are b-consistent with F A is denoted by out(s, Given a RB-CGS M and a state s of M, the truth of a RB±ATL formula φ with respect to M and s is defined inductively on the structure of φ as follows: • M, s |= p iff s ∈ π(p); Since the infinite resource bound version of RB±ATL modalities correspond to the standard ATL modalities, we will write A∞ When the context is clear, we will sometimes write s |= φ instead of M, s |= φ.
Note that although we only consider infinite paths, the condition that the idle action is always available and costs 0 makes the model-checking problem easier (we only need to find a strategy with a finite prefix under bound b to satisfy formulas of the form A b φ and A b φ U ψ , and then the strategy can make the idle choice forever).
As an example of the expressivity of the logic, consider the model in Fig. 1 with two agents a 1 and a 2 and two resources r 1 and r 2 . Let us assume that c(s I , a 1 , α) = −2, 1 (action α produces 2 units of r 1 and consumes one unit of r 2 ), c(s, a 2 , β) = 1, −1 and c(s, a 1 , γ ) = 5, 0 . Then agent a 1 on its own has a strategy to enforce a state satisfying p under resource bound of 3 units of r 1 and 1 unit of r 2 (M, s I |= {a 1 } 3,1 U p): a 1 has to select action α in s I which requires it to consume one unit of r 2 but produces two units of r 1 , and then action γ in s that requires 5 units of r 1 which is now within the resource bound since the previous action has produced 2 units. All outcomes of this strategy lead to s where p holds. After this, a 1 has to select idle forever, which does not require any resources. Any smaller resource bound is not sufficient. However, both agents have a strategy to enforce the same outcome under a smaller resource bound of just one unit of r 2 (M, s I |= {a 1 , a 2 } 0,1 U p): agent a 2 needs to select β and a 1 idle in s until the agents have gone through the loop between s I and s four times and accumulated enough of resource r 1 to enable agent a 1 to perform γ in s.

Model checking RB±ATL
The model-checking problem for RB±ATL is the question whether, for a given RB-CGS structure M, a state s in M and an RB±ATL formula φ 0 , M, s |= φ 0 . In this section we prove the following theorem: Theorem 1. The model-checking problem for RB±ATL is decidable.
To prove decidability, we give an algorithm which, given a structure M = (Agt, Res, S, , π, Act, d, c, δ) and a formula φ 0 , Given φ 0 , we produce a set of subformulas Sub(φ 0 ) of φ 0 in the usual way, however, in addition, if A b γ ∈ Sub(φ 0 ), its infinite resource version A γ is added to Sub(φ 0 ). Sub(φ 0 ) is ordered in increasing order of complexity, and the infinite resource version of each modal formula comes before the bounded version. Note that if a state s is not annotated with A γ then s cannot satisfy the bounded resource version A b γ .
We then proceed by cases. For all formulas in Sub(φ 0 ) apart from A b φ, A b φ U ψ and A b 2φ we essentially run the standard ATL model-checking algorithm [1]. Labelling states with A b φ makes use of a function Pre( A, ρ, b) which, given a coalition A, a set ρ ⊆ S and a bound b, returns a set of states s in which A has a joint action σ A with cost(s, σ A ) ≤ b such that out(s, σ A ) ⊆ ρ. Labelling states with A b φ U ψ and A b 2φ is more complex, and in the interests of readability we provide separate functions: until-strategy for A b φ U ψ formulas is shown in Algorithm 2, and box-strategy for A b 2φ formulas is shown in Algorithm 3.
Both algorithms proceed by depth-first and-or search of M. We record information about the state of the search in a search tree of nodes. A node is a structure which consists of a state of M, the resources available to the agents A in that state (if any), and a finite path of nodes leading to this node from the root node. Edges in the tree correspond to joint actions by all agents. Note that the resources available to the agents in a state s on a path constrain the edges from the corresponding node to be those actions σ A where cost(s, σ A ) is less than or equal to the available resources. For each node n in the tree, we have a function s(n) which returns its state, p(n) which returns the nodes on the path and e(n) which returns the vector of resource availabilities in s(n) as a result of following p(n). The function node 0 (s, b) returns the root node, i.e., a node n 0 such that s(n 0 ) = s, p(n 0 ) = [ ] and e i (n 0 ) = b i for all resources i. The function node(n, σ , s ) returns a node n where s(n ) = s , p(n ) = [p(n) · n] and for all resources i, e i (n ) = e i (n) − cost i (s(n), σ ).
Both until-strategy and box-strategy take a search tree node n and a formula φ ∈ Sub(φ 0 ) as input, and have similar structure. They first check if the infinite resource version of φ (i.e., φ where the outermost coalition modality has bound∞) is false in the state represented by node n, s(n). (Note that the state represented by n has already been labelled by the resource bounded subformulas φ and ψ .) If so, they return false immediately, terminating search of the current branch of the search tree (lines 2-3 of Algorithms 2 and 3). until-strategy also returns true if the second argument ψ of φ is true in s(n) (lines 8-9 of Algorithm 2). Both until-strategy and box-strategy check whether the state s(n) has been encountered before on p(n), i.e., p(n) ends in a loop. In the case of until-strategy, if the loop is unproductive (i.e., resource availability has not increased since the previous occurrence of s(n) on the path), then the loop is not necessary for a successful strategy, and search on this branch is terminated returning false (lines [4][5]. If on the other hand the loop strictly increases the availability of at least one resource i and does not decrease the availability of other resources, then e i (n) is replaced with ∞, as a shorthand denoting that any finite amount of i can be produced by repeating the loop sufficiently many times (lines 6-7 of Algorithm 2). If all resource values have been replaced by ∞, until-strategy returns true (lines 10-11), since the branch satisfies the infinite resource version A φ U ψ of φ , and an arbitrary amount of any resource can be accumulated along the path. For box-strategy the loop check is slightly different. If the loop decreases the amount of at least one resource without increasing the availability of any other resource, it cannot form part of a successful strategy, and the search terminates returning false (lines 4-5 of Algorithm 3). If a non-decreasing loop is found, then it is possible to maintain the invariant formula φ forever without expending any resources, and the search terminates returning true (lines 6-7).

11:
return true 12: if strat then 20: return true 21: return false If none of the if statements evaluates to true, then, in both until-strategy and box-strategy, search continues by considering each action available at s(n) in turn. For each action σ ∈ ActA, the algorithm checks whether a recursive call of the algorithm returns true in all outcome states of σ (i.e., σ is part of a successful strategy). If such a σ is found, the algorithm returns true. Otherwise the algorithm returns false. Note that the argument φ is passed through the recursive calls unchanged: information about the resources available to the agents in s(n) as a result of following p(n) is encoded in the search nodes.

Lemma 1. Algorithm 1 terminates.
Proof. All the cases in Algorithm 1 apart from A b φ U ψ and A b 2φ can be computed in time polynomial in |M| and |φ|. The cases for A b φ U ψ and A b 2φ involve calling the until-strategy and box-strategy procedures, respectively, for every state in S. In order to prove that these procedures terminate, we are going to show that there is no infinite sequence of calls to until-strategy or box-strategy.
Assume to the contrary that n 1 , n 2 , . . . is an infinite sequence of nodes in an infinite sequence of recursive calls to untilstrategy or box-strategy. Then, since the set of states is finite, there is an infinite subsequence n i 1 , n i 2 , . . . of n 1 , n 2 , . . . such that for all j, s(n i j ) = s for some state s (the state is the same for all the nodes in the subsequence). We show that then there is an infinite subsequence n 1 , n 2 , . . . of n i 1 , n i 2 , . . . such that for k < j, e(n k ) ≤ e(n j ). The proof is very similar to the proof of Lemma f in [10, p. 70] and proceeds by induction on the number of resources r. For r = 1, since e(n) is always positive, the claim is immediate. Assume the lemma holds for r and let us show it for r + 1. Then there is an infinite subsequence m 1 , m 2 , . . . of n i 1 , n i 2 , . . . where for all resources i ∈ {1, . . . , r} e i (m k ) ≤ e i (m j ) for k < j. Clearly there are two nodes m j 1 and m j 2 in this sequence such that e r+1 (m j 1 ) ≤ e r+1 (m j 2 ) (since there are only finitely many positive integers

N. Alechina et al. / Journal of Computer and System Sciences
for σ ∈ ActA do 10: if strat then 16: return true 17: return false which are smaller than e r+1 (m 1 )). Hence e(m j 1 ) ≤ e(m j 2 ). The same argument can be repeated to show that there is a node m j 3 in the sequence such that e(m j 2 ) ≤ e(m j 3 ), etc. Hence, if there is an infinite sequence of nodes corresponding to an infinite sequence of recursive calls, then there is an infinite subsequence of that sequence of nodes, where the nodes in the subsequence have the same state and the same or growing resource availability. The existence of the latter subsequence would constitute a contradiction, because comparable resource availability vectors for nodes with the same state will lead to termination after finitely many steps (so there cannot be an infinite sequence of recursive calls). To see why this is so, consider the simpler case of box-strategy first. In Algorithm 3, when in a node n we discover that previously we encountered a node n such that s(n) = s(n ) and e(n ) ≤ e(n), we return true. So the box-strategy will terminate after encountering just one pair of nodes with the same state where the second node has the same or higher resource availability. Hence, there cannot be an infinite sequence of calls to the box-strategy. Consider until-strategy. Given a subsequence n 1 , n 2 , . . . , n r (where r is the number of resource types) of nodes with the same state such that e(n i ) ≤ e(n i+1 ), either e(n i ) = e(n i+1 ) (and Algorithm 2 returns false) or e(n i ) ≤ e(n i+1 ) with e j (n i ) < e j (n j+1 ) for some j and one or more resource types are reset to ∞. When all resource types are reset to ∞, Algorithm 2 returns true. In either case, the existence of such a subsequence implies termination after finitely many steps, which contradicts our original assumption that there is an infinite sequence of recursive calls. Hence, Algorithm 1 terminates. 2 Before we prove correctness of until-strategy and box-strategy, we need some auxiliary notions. Let n be a node where one of the procedures returns true. We will refer to tree(n) as the tree representing the successful call to the procedure. In particular, if the procedure returns true before any recursive call is made, then tree(n) = n. Otherwise the procedure returns true because there is an action α ∈ Act A such that for all s ∈ out(s(n), α) the procedure returns true in n = node(n, α, s ). In this case, tree(n) has n as its root and trees tree(n ) are the children of n. We refer to the action α as n act (the action that generates the children of n). For the sake of uniformity, if tree(n) = n then we set n act to be idle. Such a tree corresponds to a strategy F where for each path n · · ·m from the root n to a node m in tree(n), F (s(n) · · · s(m)) = m act .
A strategy F for satisfying A b φ U ψ is U -economical for a node n if, intuitively, no path generated by it contains a loop that does not increase any resource. A strategy is 2-economical for a node n if, intuitively, no path generated by it contains a loop that decreases some resources and does not increase any other resources. Formally, a strategy F is U -economical for ; and • Every state is reached by F U -economically with respect to the path p(n), i.e., for every computation A strategy F is 2-economical if: • F satisfies A e(n) 2φ at s(n), i.e., F is a e(n)-strategy and ∀λ ∈ out(s(n), F ), • Every state is reached by F 2-economically, i.e., for each computation Note that any strategy F satisfying A e(n) φ U ψ ( A e(n) 2φ) at s(n) can be converted to an economical one by eliminating unproductive loops, as stated by the following proposition.

Proposition 1. There is a strategy to satisfy
Next we prove correctness of until-strategy. The next lemma essentially shows that replacing a resource value with ∞ in Algorithm 2 is harmless. For the inductive step of the proof, we need the following notion. Given a tree tree(n), we call its pruning, denoted as prune(tree(n), m 1 , . . . , m k ), the tree obtained by removing all children of some nodes m 1 , . . . , m k that have only leaves as children in tree(n).

Lemma 2.
Let n = node 0 (s, b) be a node where until-strategy returns true. Let f be a function that for each leaf n of tree(n) returns can be any natural number if e i (n ) = ∞). Then, there is a strategy F such that for every leaf n of the tree induced by F , e(n ) ≥ f (n ) holds.
Proof. By induction on the structure of tree(n).
Base Case: Let tree(n) contain only its root. The proof is obvious for any strategy. Inductive Step: Let us consider a pruning T of tree(n). By the induction hypothesis, any tree T that has a less complex structure than T has a strategy to generate at least f (n ) ∈ N r ≤ e(n ) for all leaves n of T . In the following, given nodes n, n 1 , . . . , n k , we denote by n(n 1 , . . . , n k ) the depth-1 tree which has n as its root and n 1 , . . . , n k as the immediate leaves of n. Let m(m 1 , . . . , m k ) be an arbitrary depth-1 sub-tree of T (see Fig. 2). By removing m 1 , . . . , m k from T , we obtain a pruning T of T .
Let n · · ·m ·m i be a path in T from the root n to one of the leaves m i . For each resource r the availability of which turns to ∞ at m i , there must be a node, denoted by w r (m i ), in the path n · · ·m · m i which is used to turn the availability of We may repeat the path from w r (m i ) to m i several times to generate enough resource availability for r. We call the path from w r (m i ) to m i together with all the immediate child nodes of those along the path the column graph from  At the end, we obtain a tree where all leaves mĥ

Lemma 3.
If until-strategy(n, A b φ U ψ) returns false, then them there is no strategy satisfying A e(n) φ U ψ from s(n) that is U -economical for n.
Proof. We prove the lemma by induction on the height in the recursion tree of until-strategy calls.
Base Case: If false is returned by the first if-statement, then s(n) |= A φ U ψ ; this also means there is no strategy satisfying A e(n) φ U ψ from s(n). If false is returned by the second if-statement, then any strategy satisfying A e(n) φ U ψ from s(n) is not economical.

Inductive
Step: If false is not returned by the first two if-statements, then, for all actions σ ∈ ActA, there exists s ∈ out(s(n), σ ) such that until-strategy(n , A b φ U ψ) (where n = node(n, σ , s )) returns false. By induction hypothesis, there is no strategy satisfying A e(n ) φ U ψ from s(n ) that is U -economical for n . Assume to the contrary that there is a strategy satisfying A e(n) φ U ψ from s(n) that is U -economical for n. Let σ = F (s(n)), then σ ∈ ActA.
Obviously, for all s ∈ out(s(n), σ ), F (λ) = F (s(n)λ) is an economical strategy from n = node(n, σ , s ). This is a contradiction; hence, there is no strategy satisfying A e(n) φ U ψ from s(n) that is U -economical for n. 2 Now we turn to Algorithm 3 for labelling states with A b 2φ. First we show its soundness.  e(w(m)) ≤ e(m) (see Fig. 4). Let us expand tree(n) as follows: is T i where all its leaves m are replaced by sub(tree(n), w(m)) (see Fig. 5).
Let T = lim i→∞ T i , then T is a strategy for A b 2φ. 2 Lemma 5. If box-strategy(n, A b 2φ) returns false, then there is no strategy satisfying A e(n) 2φ from s(n) that is 2-economical for n.
Proof. We prove the lemma by induction on the height in the recursion tree of box-strategy calls.
Base Case: If false is returned by the first if-statement, then s(n) |= A 2φ; this also means there is no strategy satisfying A e(n) 2φ at s(n). If false is returned by the second if-statement, then any strategy satisfying A e(n) 2φ at s(n) is not 2-economical.

Inductive
Step: If false is not returned by the first two if-statements, for all actions σ ∈ ActA, there exists s ∈ out(s(n), σ ) such that box-strategy(n , A b 2φ) (where n = node(n, σ , s )) returns false. Assume to the contrary that there is a strategy F satisfying A e(n) 2φ from s(n) that is 2-economical for n. Let σ = F (s(n)), then σ ∈ ActA. Obviously, for all s ∈ out(s(n), σ ), F (λ) = F (s(n)λ) is a strategy 2-economical for n = node(n, σ , s ). This is a contradiction; hence, there is no strategy satisfying A e(n) 2φ from s(n) that is 2-economical for n. 2 Then, we have the following result directly: Corollary 3. If box-strategy(node 0 (s, b), A b 2φ) returns false then s |= A b 2φ.

Lower bound
In this section we show that the lower bound complexity for the model-checking problem for RB±ATL is EXPSPACE, by reducing from the reachability problem of Petri Nets. Note that the exact complexity of the reachability problem of Petri Nets is still an open question (although it is known to be decidable and EXPSPACE-hard, [10]). The exact complexity of the RB±ATL model-checking problem is also unknown. Note that an upper bound for the RB±ATL model-checking problem would also be an upper bound for the reachability problem of Petri Nets due to the reduction below. Even an Ackermannian upper bound for this problem is still open [11]. This suggests that determining an upper bound for the RB±ATL modelchecking problem is also a hard problem.
A Petri net is a tuple N = (P , T , W , M) where: • P is a finite set of places; • T is a finite set of transitions; • W : P × T ∪ T × P → N is a weighting function; and • M : P → N is an initial marking. where: • c r (s 0 , 1, t − ) = W (r, t) for all r ∈ P and t ∈ T ; • c r (t, 1, t + ) = −W (t, r) for all r ∈ P and t ∈ T ; The following is straightforward: Then, we consider the following strategy F for agent 1: Since s |= p, it is straightforward that F is a strategy satisfying 1 M U p from s 0 . (⇐): Assume that s 0 |= 1 M U p, then there exists a strategy F which satisfies 1 M U p from s 0 . Since there is only one agent, out(s 0 , F ) contains a single path s 0 . . . s . . . . Obviously, e cannot be visited on the prefix s 0 . . . s; hence s 0 . . . s must have the form s 0 t 1 s 0 t 2 . . . t n s 0 s for some t 1 , . . . , t n ∈ T . Furthermore, Therefore, We have the following result:

Feasible cases
In the previous section, we have seen that the model-checking problem for RB±ATL is EXPSPACE-hard. There are, however, several tractable special cases of the model-checking problem. Here we consider two of them: model-checking RB±ATL with a single resource, and model-checking RB-ATL (RB±ATL with only consumption of resources).

Model-checking RB±ATL with a single resource
For the case when |Res| = 1, the problem whether M, s |= φ 0 is decidable in PSPACE.

Theorem 2. The upper bound for the model-checking problem complexity of RB±ATL with a single resource is PSPACE.
Proof. All the cases in Algorithm 1 apart from A b φ U ψ and A b 2φ can be computed in time polynomial in |M| and |φ|. The cases for A b φ U ψ and A b 2φ are more computationally expensive. They involve calling the until-strategy and the box-strategy procedures, respectively, for every state in S. The procedures explore the model in a depth-first manner, one path at a time. Their space requirement corresponds to the maximal length of such a path. Note that unlike depth-first search, until-strategy and box-strategy in the general case (multiple resources) do not terminate when they encounter a loop, that is a path containing two nodes with the same state: . . . , n 1 , . . . , n 2 where s(n 1 ) = s(n 2 ), since in the general case e(n 1 ) and e(n 2 ) may be incomparable. However, for a single resource, it will always be the case that either e(n 1 ) = e(n 2 ), or e(n 1 ) < e(n 2 ), or e(n 1 ) > e(n 2 ). Inspection of until-strategy and box-strategy shows that they will return in all of these cases. Hence, we never need to keep a stack of more than |S| nodes, which requires polynomial space. 2 The result above can be generalised to the case when |Res| > 1, but the formula φ 0 is of a special form, where at most one resource is non-∞ in each bound. To be precise, φ 0 is such that in each resource bound b occurring in it, for at most one resource i, b i = ∞.

Model-checking RB-ATL
In this section, we briefly revisit the problem of model-checking RB-ATL (the logic where only consumption of resources is considered). The syntax of RB-ATL is the same as the syntax of RB±ATL, and the models are the class of RB-CGS with no production of resource (all action costs are non-negative). We will refer to such models as RB-CGS − . A symbolic modelchecking algorithm for that logic was introduced in [9] (without infinite resource bounds). Here we re-state the algorithm and discuss upper and lower bounds for the complexity of RB-ATL model-checking.
The algorithm uses an abbreviation split(b) that takes a resource bound b and returns the set of all pairs (d, d ) ∈ N ∞ × N ∞ such that: 3. d has at least one non-0 value.
We assume that split(b) is partially ordered in increasing order of the second component d (so The algorithm is similar to the symbolic model-checking algorithm for ATL given in [1]. The main differences from the algorithm for ATL is the addition of costs of actions, and, instead of working with a straightforward set of subformulas Sub(φ 0 ) of a given formula φ 0 , we work with an extended set of subformulas Sub + (φ 0 ). Sub + (φ 0 ) includes Sub(φ 0 ), and in addition: We assume that Sub + (φ 0 ) is partially ordered in the increasing order of complexity and of resource bounds (so e.g.,

Comparison with RAL
In this section, we compare RB±ATL with the logics introduced in [3], in particular with the logic pr-rf-RAL'. In [3], it is shown that the model-checking problem for pr-rf-RAL' with infinite semantics is undecidable. The decidability of the model-checking problem for pr-rf-RAL' with finite semantics is stated in [3] as an open problem. Here we show that modelchecking for pr-rf-RAL' with finite semantics is decidable.

The logic pr-rf-RAL'
The logical language pr-rf-RAL' is a proponent-restricted and resource-flat version of RAL without the release operator (for a complete description of RAL and its variants, we refer the reader to [3] and its technical report version [12]; in fact the name pr-rf-RAL' comes from [12]).
The syntax of pr-rf-RAL' is defined using endowment functions (or just endowments) rather than resource bounds. An endowment is a function η : Agt × Res → N ∪ {∞}. We will sometimes write η a (r) instead of η(a, r). Let En denote the set of all possible endowments.
Formulas of pr-rf-RAL' are defined as follows: φ, ψ :: Formulas of pr-rf-RAL' are interpreted on resource-bounded models (RBM) which are RB-CGS (i.e., CGS structures extended with resources) whose transitions are in general not total, i.e., at a state, an agent is not required to have any available actions. This means that there may be a state in an RBM model which does not have any successor. An RBM is defined as follows: (Agt, Q , , π, Act, d, o, Res, t) where Agt, Act, Q , , Res, and o are defined as Agt, Act except that idle is not required to be in Act, S, , Res, and δ, respectively, in Definition 1 and: • π : Q → ℘ ( ) specifies propositional valuation; • d : Agt × Q → ℘ (Act) specifies available actions; • t : Act × Res → Z for an action α ∈ Act and a resource r ∈ Res specifies the consumption of r by α if t(α, r) ≤ 0 or the production of r by α if t(α, r) > 0. Let cons(α, r) = − min{0, t(α, r)} and prod(α, r) = max{0, t(α, r)}.
Given a RBM M, Q ≤ω = Q ω ∪ Q + denotes the set of all finite and infinite sequences over Q . A sequence λ ∈ Q ≤ω is a path in M iff there exist transitions in M between adjacent states in λ. A finite or infinite sequence λ = (q 0 , η 0 ), (q 1 , η 1 ), . . . over Q × En is a resource-extended path (r-path) in M iff q 0 , q 1 , . . . is a path in M.
Let Share( A, η, ρ) denote the set of all possible (A, η)-shares for ρ. It is straightforward that Share ( A, η, ρ) is always finite and it is ∅ if a∈ A η a (r) < ρ(r), i.e., resource endowment for agents in A is not enough to create a share. As defined in [3], a path is maximal if it cannot be extended due to unavailability of resources. Given an endowment η and a strategy F A for a coalition A, a maximal r-path λ = (q 0 , η 0 ), (q 1 , η 1 ), . . . of M is an (η, F A )-path starting from a state q 0 iff: Then, out(q 0 , η, F A ) denotes the set of all (η, F A )-paths starting from a state q 0 . As shown in [3], out(q 0 , η, F A ) is never empty. In the worst case, out(q 0 , η, F A ) contains a single r-path (q 0 , η).
Given an RBM M and a state q, the truth of pr-rf-RAL' formulas is defined inductively as follows (we omit the propositional cases): The definition above gives finite semantics of pr-rf-RAL'. Infinite semantics is obtained if the condition "for all λ ∈ out(q, η, F A )" above is replaced with "for all infinite λ ∈ out(q, η, F A )".

Theorem 4. [3,12] The model-checking problem for pr-rf-RAL' with infinite semantics is undecidable.
The problem whether model-checking for pr-rf-RAL' with finite semantics is decidable is left open in [3]. Below we show that it is in fact decidable by adapting the model-checking algorithm for RB±ATL. Before we do this, we investigate the differences between pr-rf-RAL' and RB±ATL in more detail. In particular we consider whether we can obtain a logic equivalent to pr-rf-RAL' by simply removing the restriction that agents always have at least the idle action available from the semantics of RB±ATL.

The logic RB±ATL-nt
As models for pr-rf-RAL' are not total in general, we facilitate a comparison with RB±ATL by introducing a variant RB±ATL-nt of RB±ATL where we remove the requirement of total transitions in Definition 1. In other words, RB±ATL-nt has the same syntax as RB±ATL yet a broader class, namely RB-CGS-nt, of models which do not need to be total. In particular, in Definition 1, Act does not need to include idle and d : S × Agt → ℘ (Act) may be mapped to an empty set or to a set not containing idle.
Obviously, any RB-CGS model is an RB-CGS-nt but not vice versa. Since RB-CGS-nt models are not total in general, at a state s, the set D A (s) of possible joint actions by a coalition A and the set of possible outcomes of a joint action σ A ∈ D A (s) may be empty.
Given a RB-CGS-nt model M, a strategy F A for a coalition A ⊆ Agt, a finite computation λ ∈ S + is consistent with Under a resource bound b ∈ B, a computation λ ∈ out nt (s, F A ) can be only carried out until an index i max ∈ N ∞ (see Note that this definition implies that the cost of every prefix of a b-consistent computation is below b and out nt (s, F A , b) may contain finite computations. Furthermore, out nt (s, F A , b) is always non-empty, as in the worst case, it contains a single computation s.
The semantics of RB±ATL-nt formulas is defined as follows (the atomic case and Boolean connectives are defined in the standard way): If the condition "for all λ ∈ out nt (s, F A , b)" is replaced with "for all infinite λ ∈ out nt (s, Proof. (⇒) is obvious. For (⇐), the proof is by induction on the structure of φ .
If φ = A b φ, let us consider the following strategy for A: the proof is similar to the above case, hence it is omitted here. 2 The above result shows that over the class of RB-CGS models, RB±ATL and RB±ATL-nt with finite semantics are equivalent. Furthermore, we have the following result:

Comparing pr-rf-RAL' and RB±ATL-nt
At the semantical level, every RBM M = (Agt, Q , , π, Act, d, o, Res, t) can be converted straightforwardly into an RB-CGS-nt M = (Agt, Res, Q , , π , Act, d, c, δ) where: • π (p) = {q ∈ Q | p ∈ π(q)} for all p ∈ ; • c(q, a, α) = (−t(α, r)) r∈Res for all q ∈ Q , a ∈ Agt, α ∈ Act; and At the syntactical level, pr-rf-RAL' and RB±ATL-nt are rather different. While pr-rf-RAL' enables specifying the ability of a coalition under a resource endowment, RB±ATL-nt allows one to specify the ability of a coalition within a resource bound. Let us consider an example, as depicted in Fig. 8, in order to clarify the difference between endowments and bounds. In this example, our model has two agents a and b and one resource. From state s, agents a and b can only perform α and β, respectively, which cost −c and c (for some c > 0), respectively. As their joint action is cost-free, we have that s |= nt {a, b} 0 p. However, given an empty endowment η 0 = {a → 0, b → 0}, there is no possible share from this endowment to cover the cost c of action β; i.e., s |= ral {a, b} η 0 p. This is because (s, η 0 ) is the only r-path from s under η 0 and it is shorter that the computation s, t under 0. In general, we have the following result:  η 1 ), . . . , (q k , η k ) is the prefix of some r-path in out(q 0 , η 0 , F A ), then q 0 q 1 . . . q k is also the prefix of some computation Proof. The proof is done by induction on k; additionally, we also show that ( a∈ A η k a (r)) r∈Res = b − k−1 j=0 cost(q j , F A (q 1 . . . q j )).
Base case k = 0: The proof is trivial.
As (q 0 , η 0 ), (q 1 , η 1 ), . . . , (q k+1 , η k+1 ) is a prefix, Share( A, η k , ( a∈ A cons(F A (q 0 . . . q k ) a , r)) r∈Res ) = ∅, i.e., a∈ A η k We also have ( a∈ A η k+1 a (r)) r∈Res = ( a∈ A (η k a (r) is also a prefix of some computation in out nt (q 0 , F A , b). 2 As suggested by the function η b which translates resource bounds into endowments (introduced in [12] by Bulling and Farwer to relate their framework to RBCL [13]), pr-rf-RAL' formulas can also be converted into RB±ATL-nt formulas by a translation function tr where an endowment η is converted to a bound ( a∈ A η a (r)) r∈Res . The function tr is defined inductively as follows (propositional cases are omitted): Here, resource bounds are sums of individual endowments for each resource. The example in Fig. 8 and Lemma 8 show that satisfiability is not preserved by the translation function tr. In order to obtain preservation of satisfiability, it is necessary to relax the requirement in the definition of computations in RBM models. In particular, the last condition is relaxed as follows: • ∃sh i ∈ Share( A, η, ρ) : ∀a ∈ A, r ∈ Res : η i+1 a (r) = η i a (r) (σ a , r)).
Comparing the original condition, the production of resource in a step is also considered to cover for the consumption in the same step by adding it into the share function. Let us call RBM models with this relaxed condition relaxed RBM models.
We have the following result: Given a relaxed RBM model M, for any state q 0 , strategy F A , endowment η 0 and bound b = ( a∈ A η a (r)) r∈Res , then: Proof. The claim directly follows from Lemma 8. 2 Let pr-rf-RAL" be pr-rf-RAL' interpreted over relaxed RBM models. We have the following result: Proof. Let us prove the direction from left to right. The other direction is similar. The proof is done by induction on the structure of φ . The base case is trivial, hence omitted here.
Hence, M , s |= A b 2tr(φ). 2 The above lemma shows that over the class of relaxed RBM models, RB±ATL-nt and pr-rf-RAL" with finite semantics are equivalent. Similar to the above result, it is also straightforward that RB±ATL-nt with infinite semantics is equivalent to pr-rf-RAL" with infinite semantics: Lemma 11. Given a relaxed RBM model M, under the infinite semantics, M, s |= pr-rf-RAL" φ iff M , s |= nt tr(φ ).
Proof. The proof is the same as the proof of Lemma 10 except we only consider infinite computations. 2 Note that the proof for the undecidability of pr-rf-RAL' in [3] with infinite semantics can be applied for pr-rf-RAL" with infinite semantics. Hence, we have the following result:

Lemma 12. Model-checking pr-rf-RAL" with infinite semantics is undecidable.
Then, we have the following consequences:

Proof.
We adapt further the model-checking algorithm for RB±ATL-nt (which in turn is an adaptation of the one for RB±ATL) by replacing the role of resource bounds for a coalition with endowments for each agent in the coalition.
In particular, each node in a search tree consists of a state, an endowment (where η(n) returns the endowment of a node n) and a finite path of nodes from the root leading to this node. We also adapt the function node to take into account shares where node(n, σ A , sh, s ) returns a node n where s(n ) = s , p(n ) = [p(n) · n] and for all a ∈ A and r ∈ Res: η(n )(a, r) = η(n)(a, r) + prod(σ a , r) − sh(a, r). The adaptation of Algorithm 2 is shown in Algorithm 5. In this algorithm, apart from the exchange of bounds with endowments, we also add an or-search for shares in lines 18-22. A similar adaption can be applied to Algorithm 3 and the detail is omitted here. 2 Fig. 9 summarises the above decidability and undecidability results for the model-checking problems for RB±ATL, RB±ATL-nt, pr-rf-RAL" and pr-rf-RAL' where D stands for decidable and U for undecidable. Note that RB±ATL is decidable in both semantics due to the fact that both semantics are indistinguishable thanks to idle.

Conclusion
We have presented a model-checking algorithm for RB±ATL, a logic with resource production, which makes RB±ATL exceptional in the landscape of resource logics, for most of which the model-checking problem is undecidable [3,6]. We compared RB±ATL with a similar logic (a variant of RAL, [3]) to understand the differences between the two logics and why the model-checking problem for RB±ATL is decidable while the model-checking problem for pr-rf-RAL' with infinite semantics is undecidable. As a by-product of this comparison, we show that the model-checking problem for pr-rf-RAL' with finite semantics is decidable, solving a problem left open in [3].
Although the model-checking problem for RB±ATL is decidable, it is EXPSPACE-hard. In future work, we plan to implement model-checking algorithms for feasible fragments of RB±ATL in the model-checker MCMAS [14].