The key idea is to treat the predicate $\mathit{says}_{Id}\,\phi$ as a kind of eventuality. As we discussed in Section 2.3.2, to evaluate $\mathit{says}_{Id}\,\phi$ at time $i$, we need to check the utterances obtained from the laws in $Id$ at time $i$. If the preconditions of the laws in $Id$ are temporal, we need to wait until they are evaluated before the utterances are obtained. So, we need to keep the utterances for a time $i$ until all subformulas $\mathit{says}_{Id}\,\phi$ for time $i$ have been evaluated. Given $\mathit{says}_{Id}\,\phi$ and a time $i$, we attempt to evaluate it using the utterances available at time $i$; if its value cannot yet be determined, it is transformed into $\mathit{says}_{Id}(\phi, i)$ (read as "$\mathit{says}_{Id}\,\phi$ is true at time $i$") and evaluated at subsequent times. We extend the syntax of preconditions to accommodate such formulas:
Definition 3.5 (Syntax of Preconditions). Given countable sets $\Phi_1, \ldots, \Phi_n$ (of predicate names), object names $O$, and a set of variables $X$, the language $L'(\Phi_1, \ldots, \Phi_n, O, X)$, abbreviated as $L'$, is the smallest set such that:
– $p(y_1, \ldots, y_j) \in L'$, where $p \in \Phi_j$ and $(y_1, \ldots, y_j) \in X^j$.
– If $\phi \in L'$, then $\neg\phi \in L'$ and $\Box\phi \in L'$. If $\phi, \psi \in L'$, then $\phi \wedge \psi \in L'$.
– If $Id \subseteq ID$ and $\phi \in L(\Phi_1, \ldots, \Phi_n, X)$ (Definition 2.2), then $\mathit{says}_{Id}\,\phi \in L'$. In addition, for all natural numbers $i \in \mathbb{N}$, $\mathit{says}_{Id}(\phi, i) \in L'$.
The syntax of regulatory statements (Definition 2.3) is modified so that the preconditions of laws are statements from $L'$. The set $L'$ together with a set of regulatory statements $Reg$ is denoted by $L^+ = L' \cup Reg$. Given a set of objects $O$, $V(X, O)$ denotes the set of all variable assignments, i.e., functions $v : X \to O$.
We now extend the transformation function (Definition 3.3). As in Chapter 2, we use two utterance sequences $u$ and $u'$ such that for all $i$, $u(i) \subseteq u'(i)$. $u(i)$ is the set of utterances obtained from laws with true preconditions, while $u'(i)$ is the set of utterances from laws with true or undetermined preconditions. The truth of $\mathit{says}_{Id}\,\phi$ is determined using $u$, and its falsity is determined using $u'$.
Definition 3.6 (Transformation function). Given a pair of utterance sequences $u$ and $u'$ such that $u(i) \subseteq u'(i)$ for all $i \in \mathbb{N}$, the transformation function $\tau_{(u,u')} : L^+ \times S \times \mathbb{N} \to L^+$ is defined as follows:
• $\tau_{(u,u')}(\mathit{says}_{Id}\,\phi, s, i) = \tau_{(u,u')}(\mathit{says}_{Id}(\phi, i), s, i)$
$$\tau_{(u,u')}(\mathit{says}_{Id}(\phi, j), s, i) = \begin{cases} \top & \text{if } j \leq i \text{ and } u(j)_{Id} \models \phi \\ \bot & \text{if } j \leq i \text{ and } u'(j)_{Id} \not\models \phi \\ \mathit{says}_{Id}(\phi, j) & \text{otherwise} \end{cases}$$
• $\tau_{(u,u')}((id).o : \phi \mapsto \psi, s, i) = (id).o : \tau_{(u,u')}(\phi, s, i) \mapsto \tau_{(u,u')}(\psi, s, i)$
  $\tau_{(u,u')}((id).p : \phi \mapsto \psi, s, i) = (id).p : \tau_{(u,u')}(\phi, s, i) \mapsto \psi$
  $\tau_{(u,u')}((id)\ \phi \mapsto \psi, s, i) = (id).p : \tau_{(u,u')}(\phi, s, i) \mapsto \psi$
• For all other formulas, Definition 3.3 is used.
Note that the postconditions of permissions are not transformed, as their truth value is irrelevant. The only use of postconditions of permissions is to provide utterances. We now define the function that maps formulas to truth values:
Definition 3.7 (Truth Value Mapping). Given a pair of utterance sequences $u$ and $u'$ such that $u(i) \subseteq u'(i)$ for all $i \in \mathbb{N}$, the function $\eta_{(u,u')} : L^+ \times S \times \mathbb{N} \to B_3$ is defined as follows:
• $\eta_{(u,u')}(\mathit{says}_{Id}\,\phi, s, i) = \eta_{(u,u')}(\mathit{says}_{Id}(\phi, i), s, i)$
  $\eta_{(u,u')}(\mathit{says}_{Id}(\phi, j), s, i) = {?}$
• $\eta_{(u,u')}((id).o : \phi \mapsto \psi, s, i) = \eta_{(u,u')}(\phi \Rightarrow \psi, s, i)$
  $\eta_{(u,u')}((id).p : \phi \mapsto \psi, s, i) = \top$
  $\eta_{(u,u')}((id)\ \phi \mapsto \psi, s, i) = \top$
• For all other formulas, Definition 3.4 is used.
At the end of the trace, subformulas $\Box\phi$ are replaced by $\top$, but subformulas $\mathit{says}_{Id}(\phi, j)$ may still be undetermined. This is because, with circular references, we can create paradoxical statements, such as $(id).o : \neg\mathit{says}_{\{id\}}\,\phi \mapsto \phi$. This statement requires $\phi$ to hold when it does not require $\phi$, and is always undetermined.
Algorithm 1 describes the procedure for computing the least fixed point in a runtime setting. In addition to $u$ and $u'$, we maintain a set of tuples $\Phi$, where each element is a transformed regulatory statement, the associated utterance, and the time. Given $((id).x : \phi \mapsto \psi, a, j) \in \Phi$, if $\phi$ is determined to be true, the utterance $a$ is added to $u(j)$; if $\phi$ is determined to be false, $a$ is removed from $u'(j)$. For all $j \in \mathbb{N}$, $u(j)$ increases monotonically, and $u'(j)$ decreases monotonically with each execution of the repeat loop, until a fixed point is reached.

Algorithm 1: $\mathit{Update}(Reg, \Phi, u, u', s, i)$
Input: The regulation $Reg$, the set of formulas to be updated $\Phi$, the utterance sequences $u$ and $u'$, the state $s$ and time $i$
  Let $u(i) = u'(i) = \emptyset$; Let $\Phi' = \emptyset$;
  for all $((id).x : \phi \mapsto \psi, a, j) \in \Phi$ do
    $\Phi' = \Phi' \cup \{(\tau_{(u,u')}((id).x : \phi \mapsto \psi, s, i), a, j)\}$;
  end
  $\Phi = \Phi'$;
  for all $(id).x : \phi \mapsto \psi \in Reg$ and assignments $v$ do
    Let $\varphi = \tau_{(u,u')}(v((id).x : \phi \mapsto \psi), s, i)$;
    $\Phi = \Phi \cup \{(\varphi, (id, v(\psi)), i)\}$, and $u'(i) = u'(i) \cup \{(id, v(\psi))\}$;
  end
  repeat
    for all $e = ((id).x : \phi \mapsto \psi, a, j) \in \Phi$ do
      Let $\varphi = (id).x : \phi \mapsto \psi$;
      If $\eta_{(u,u')}(\phi, s, i, v) = \top$, then $u(j) = u(j) \cup \{a\}$;
      If $\eta_{(u,u')}(\phi, s, i, v) = \bot$, then $u'(j) = u'(j) - \{a\}$;
      If $\eta_{(u,u')}(\varphi, s, i, v) \neq {?}$ and $\eta_{(u,u')}(\phi, s, i, v) \neq {?}$, then $\Phi = \Phi - \{e\}$;
      If $\eta_{(u,u')}(\varphi, s, i, v) = \bot$, then raise alarm.
    end
  until $u$ and $u'$ do not change;
As we mentioned in Section 3.1, Algorithm 1 does not determine a formula to be true or false as early as possible. To decide if a formula is true as early as possible, we need to check whether all possible suffixes to the trace satisfy the formula [14]. In other words, we need to decide if the transformed formula is valid. In Chapter 2, we showed that with references one can encode formulas in first-order logic as regulations, and as a result, the validity problem is undecidable. The satisfiability tests used to
evaluate the says predicate are in propositional LTL, and are decidable.
In the case where preconditions of laws are atemporal, optimal monitors can be synthesized. This is because the fixed point can be computed as soon as a state is received. The satisfaction of postconditions of obligations can then be handled using automata-based algorithms [14]. The sentences that we have examined in Section 610 of the CFR can be formalized with atemporal preconditions.
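As an added illustration (this is not code from the thesis), the following Python sketch implements the repeat loop of Algorithm 1 for the atemporal case just described: a single time index, no quantified variables, preconditions built from state atoms, $\neg$, $\wedge$ and $\mathit{says}_{Id}$, and postconditions restricted to propositional formulas so that $u(j)_{Id} \models \phi$ can be decided by exhaustive truth-table search. $\eta$ is taken as strong Kleene three-valued logic with an obligation read as $\phi \Rightarrow \psi$. The tuple encoding of formulas, the `Law` record, the identifiers `fda`, `mfr`, `x` and the sample states are all constructed for the example; the paradoxical law from the discussion of circular references is included to show that it never leaves $\Phi$.

```python
import itertools
from dataclasses import dataclass

# Formula constructors (assumed encoding: nested tuples). says() takes the set
# of identifiers Id and a propositional formula, as in Definition 3.5.
def atom(name):   return ('atom', name)
def neg(f):       return ('not', f)
def conj(f, g):   return ('and', f, g)
def says(ids, f): return ('says', frozenset(ids), f)

@dataclass(frozen=True)
class Law:
    id: str      # the identifier that "speaks" through this law
    kind: str    # 'o' = obligation (id).o : pre -> post, 'p' = permission (id).p : pre -> post
    pre: tuple
    post: tuple  # propositional; (id, post) is the utterance this law contributes

# --- two-valued propositional logic, used to decide u(j)_Id |= phi -------------
def holds(f, true_atoms):
    tag = f[0]
    if tag == 'atom': return f[1] in true_atoms
    if tag == 'not':  return not holds(f[1], true_atoms)
    if tag == 'and':  return holds(f[1], true_atoms) and holds(f[2], true_atoms)
    raise ValueError("only propositional formulas may appear inside says/postconditions")

def atoms_of(f, acc):
    if f[0] == 'atom':
        acc.add(f[1])
    else:
        for sub in f[1:]:
            if isinstance(sub, tuple): atoms_of(sub, acc)

def entails(assumptions, goal):
    """Does the conjunction of `assumptions` entail `goal`? Exhaustive search over
    the finitely many atoms involved (propositional, hence decidable)."""
    names = set()
    for g in list(assumptions) + [goal]:
        atoms_of(g, names)
    names = sorted(names)
    for bits in itertools.product((False, True), repeat=len(names)):
        model = {n for n, b in zip(names, bits) if b}
        if all(holds(g, model) for g in assumptions) and not holds(goal, model):
            return False
    return True

# --- three-valued evaluation: B3 = {True, False, None}, None standing for '?' --
def k_not(v): return None if v is None else (not v)
def k_and(a, b):
    if a is False or b is False: return False
    if a is None or b is None:   return None
    return True
def k_or(a, b): return k_not(k_and(k_not(a), k_not(b)))

def eval3(f, state, u, u_prime):
    """eta_(u,u') for the atemporal case: says_Id phi is True if the utterances of Id
    in u entail phi, False if even those in u' do not, and '?' otherwise."""
    tag = f[0]
    if tag == 'atom': return f[1] in state
    if tag == 'not':  return k_not(eval3(f[1], state, u, u_prime))
    if tag == 'and':  return k_and(eval3(f[1], state, u, u_prime), eval3(f[2], state, u, u_prime))
    if tag == 'says':
        ids, goal = f[1], f[2]
        if entails([post for (i, post) in u if i in ids], goal):           return True
        if not entails([post for (i, post) in u_prime if i in ids], goal): return False
        return None
    raise ValueError(f"unknown formula tag {tag!r}")

def update(laws, state):
    """The repeat loop of Algorithm 1 for one time index and no assignments.
    Returns (u, u', alarms, pending); pending is what remains of Phi, i.e. laws
    whose precondition or whole statement is still undetermined."""
    u, u_prime = set(), {(law.id, law.post) for law in laws}  # u(i) = {}, u'(i) = every utterance
    pending, alarms = list(laws), []
    while True:
        before = (frozenset(u), frozenset(u_prime))
        for law in list(pending):
            a = (law.id, law.post)
            pre = eval3(law.pre, state, u, u_prime)
            if pre is True:  u.add(a)            # precondition true: utterance confirmed in u(j)
            if pre is False: u_prime.discard(a)  # precondition false: utterance withdrawn from u'(j)
            # eta of the whole statement: permissions are T; an obligation is pre => post
            whole = True if law.kind == 'p' else k_or(k_not(pre), eval3(law.post, state, u, u_prime))
            if whole is False and law not in alarms:
                alarms.append(law)               # violated obligation: raise alarm
            if pre is not None and whole is not None:
                pending.remove(law)              # both determined: drop e from Phi
        if (frozenset(u), frozenset(u_prime)) == before:
            break  # u only grows and u' only shrinks, so the fixed point has been reached
    return u, u_prime, alarms, pending

if __name__ == "__main__":
    # Constructed sample regulation: the FDA 'says' shipped goods must be labeled,
    # and the manufacturer is obliged to label whenever the FDA says so.
    fda = Law('fda', 'p', atom('shipped'), atom('labeled'))
    mfr = Law('mfr', 'o', says({'fda'}, atom('labeled')), atom('labeled'))
    for state in ({'shipped', 'labeled'}, {'shipped'}, set()):
        u, u_prime, alarms, pending = update([mfr, fda], state)
        print(sorted(state), "alarms:", [l.id for l in alarms], "undetermined:", [l.id for l in pending])
    # The paradox from the text: (x).o : not says_{x} p -> p stays undetermined.
    paradox = Law('x', 'o', neg(says({'x'}, atom('p'))), atom('p'))
    print("paradox still pending:", update([paradox], set())[3] == [paradox])
```

Ordering the manufacturer's obligation before the FDA's permission in the list shows why the loop repeats: on the first pass $\mathit{says}_{\{fda\}}\,\mathit{labeled}$ is `?` because the FDA's utterance is still in $u'$ but not yet in $u$; only after the permission's precondition has been evaluated does the second pass settle it, and the alarm (or its absence) follows.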