Bruno Mermet, Gaële Simon, Equipe MAD - Laboratoire GREYC - UMR6072, Groupe de Recherche en Informatique, Image et Instrumentation de Caen (GREYC), Centre National de la Recherche Scientifique (CNRS)-École Nationale Supérieure d'Ingénieurs de Caen (ENSICAEN), Normandie Université (NU)-Normandie Université (NU)-Université de Caen Normandie (UNICAEN), Normandie Université (NU)-Centre National de la Recherche Scientifique (CNRS)-École Nationale Supérieure d'Ingénieurs de Caen (ENSICAEN), Normandie Université (NU), and Mermet, Bruno
International audience; For several years, we have worked on the usage of theorem proving techniques to validate Multi-Agent Systems. In this article, we present a preliminary case study, that is part of larger work whose long-term goal is to determine how proof tools can be used to help to develop error-free Multi-Agent Systems. This article describes how an error caused by a synchronisation problem between several agents can be identied by a proof failure. We also show that analysing proof failures can help to nd bugs that may occur only in a very particular context, which makes it dicult to analyse by standard debugging techniques. 1 Introduction This article takes place in the general context of the validation of Multi-Agents Systems, and more specically in the tuning stage. Indeed, for several years now, we have worked on the validation of MAS thanks to proof techniques. This is why the designed the GDT4MAS model (Mermet and Simon, 2009) has been designed, which provides both formal tools to speciy Multi-Agent Systems and a proof system that generates automatically , from a formal specication, a set of Proof Obligations that must be proven to guarantee the correctness of the system. In the same time, we have begun to study how to answer to the following question: What happens if the theorem prover does not manage to carry out the proof ?. More precisely, is it possible to learn anything from this failures (that we call in the sequel proof failures), in order to de-bug the MAS ? Answering to this question in a general context is tricky. Indeed, a rst remark is that a proof failure may occur in three dierent cases: • rst case: a true theorem is not provable (Gödel Incompleteness Theorem). Indeed, theorems generated by GDT4MAS are rst-order logic formulae, with arithmetic, which is typically the contexy where Gödel has established that there are non provable true theorems; • second case: a true theorem can not be automatically proven by the prover because rst-ordre logic is semidecidable. It means that there is not any automatic strategy that can prove all probable theorems. An ad hoc strategy must be provided by an expert. • third case: an error in the MAS specication has led to generate a false theorem that, hence, cannot be proven. So, when a proof failure is considered, the rst problem is to determine the case it corresponds to. It would be rather long and o-topic to give complete explanations here. However, it is important to knwow that the proof system has been designed to generate theorems that have good chances to be proven by standard strategies of provers, without requiring the expertise of a human. Moreover, unprovable true theorems generally do not correspond to real cases. Thus, in most cases, a proof failure will correspond to a mistake in the specication, and this is the context that is considered in the sequel. The subject of our study is then the following: if some generated proof obligations are note proven automatically, can we learn from that in order to help to correct the specication of the MAS ? So, the main idea is to check wether proof failures can be used to detect, even correct bugs in the specication of the MAS. Indeed, contrary to what is presented in (Das-tani and Meyer, 2010), where authors consider