Revisiting timed logics with automata modalities
HO, HM <http://orcid.org/0000-0003-0387-4857>
Available from Sheffield Hallam University Research Archive (SHURA) at:
http://shura.shu.ac.uk/25238/
This document is the author deposited version. You are advised to consult the
publisher's version if you wish to cite from it.
Published version
HO, HM (2019). Revisiting timed logics with automata modalities. In: HSCC '19
Proceedings of the 22nd ACM International Conference on Hybrid Systems:
Computation and Control. ACM Press, 67-76.
Copyright and re-use policy
See http://shura.shu.ac.uk/information.html
Revisiting Timed Logics with Automata Modalities
Hsi-Ming Ho
University of Cambridge
United Kingdom
hsi- [email protected]
ABSTRACT
It is well known that (timed)ω-regular properties such as ‘pholds at every even position’ and ‘poccurs at least three times within the next 10 time units’ cannot be expressed in Metric Interval Temporal
Logic (MITL) and Event Clock Logic (ECL). A standard remedy to
this deficiency is to extend these with modalities defined in terms of
automata. In this paper, we show that the logicsEMITL0,∞(adding
non-deterministic finite automatamodalities into the fragment of
MITLwith only lower- and upper-bound constraints) andEECL (adding automata modalities intoECL) are already as expressive asEMITL(fullMITLwith automata modalities). In particular, the satisfiability and model-checking problems forEMITL0,∞andEECL are PSPACE-complete, whereas the same problems forEMITLare EXPSPACE-complete. We also provide a simple translation from
EMITL0,∞todiagonal-freetimed automata, which enables practical
satisfiability and model checking based on off-the-shelf tools.
CCS CONCEPTS
•Theory of computation→Timed and hybrid models; Logic
and verification; Verification by model checking;
KEYWORDS
metric interval temporal logic, timed automata, model checking
1
INTRODUCTION
Timed logics.In the context of real-time systems verification, it is natural and desirable to addtiming constraintstoLinear Temporal
Logic(LTL) [42] to enable reasoning about timing behaviours of such systems. For instance, one may writeφ1UIφ2to assert thatφ1 holds until a ‘witness’ point whereφ2holds, and the time difference
between now and that point lies within theconstraining intervalI. The resulting logic,Metric Temporal Logic(MTL) [32], can be seen as a fragment ofMonadic First-Order Logic of Order and Metric(FO[< ,+1]) [4], the timed counterpart of the classicalMonadic First-Order
Logic of Order(FO[<]). There are, nonetheless, some loose ends in this analogy. For instance, whileLTLis as expressive asFO[<][22, 29], it is noted early on that certain ‘non-local’ timing properties in
FO[<,+1], albeit being very simple, cannot be expressed in timed temporal logics likeMTL[5]. As a concrete example, the property ‘everyp-event is followed by aq-event and, later, anr-event within the next 10 time units’, written as theFO[<,+1]formula
∀x(p(x) ⇒∃yq(y) ∧∃z r(z) ∧x ≤y≤z≤x+10)
(1)
is not expressible inMTL—indeed, no ‘finitary’ extension ofMTL can beexpressively completeforFO[<,+1][28].1 A more serious
1
(1) can, however, be expressed inMTLif thecontinuoussemantics of the logic is adopted or past modalities are allowed; see [14] for details.
practical concern is that the satisfiability problem forMTLis unde-cidable [4, 40]. For this reason, research efforts have been focused
on fragments ofMTLwith decidable satisfiability, most notably
Met-ric Interval Temporal Logic(MITL), the fragment ofMTLin which ‘punctual’ constraining intervals are not allowed [3]. In particular,
MITLformulae can be effectively translated intotimed automata (TAs) [2], giving practical EXPSPACE decision procedures for its
satisfiabilityandmodel-checkingproblems [16–18].
Automata modalities.It is well known that properties that are necessarilysecond order(e.g., ‘pholds at all even positions’) can-not be expressed inLTLorMITL. Fortunately, it is possible to
addautomata modalitiesintoLTLat no additional computational cost [46, 50]. In timed settings, the logic obtained fromMITL
by addingtime-constrainedautomata modalities defined by non-deterministic finite automata (NFAs) is calledExtended Metric
Inter-val Temporal Logic(EMITL) [48]. From a theoretical point of view,
EMITLis afully decidableformalism (i.e. constructively closed un-der all Boolean operations and with decidable satisfiability [26])
whose class of timed languages strictly contains that ofMITLand B ¨uchi automata.2In practice, it can be argued that automata modali-ties are natural, easy-to-use extensions of the usualMITLmodalities. They also allow properties like (1), which often emerge in
appli-cation domains like healthcare and automotive engineering, to be
written as specifications.
Example 1.1 ([1]). Discrimination algorithms are implemented in implantable cardioverter defibrillators (ICDs) to detect potentially
dangerous heartbeat patterns. As a simple example, one may want
to check whetherthe number of heartbeats in one minute is between 120and150. This can be expressed as theCTMITL[33] formula
C≥120 [0,59]p∧C
≤150 [0,59]p
wherepdenotes a peak in the cardiac signal.
Thecounting modalitiesC∼k
I (where 0∈I, which is the case here), as well as (1), be expressed straightforwardly in terms of automata.
Example 1.2 (adapted from [25]). In autonomous driving, one may want to specify thata car overtaking another from the left must
be done in10seconds. Suppose the lane on the left is empty and the events are sampled sufficiently frequently (say 5ms), this can be
expressed as theEMITLformulaA[0,10](TTC > 4, . . .)(see Fig. 1 and Fig. 2) whereTTCis the time to collision,distis the longitu-dinal distance between the two vehicles, andto left,to right are the actions for merging to the left/right lane—these are taken
immediately afterTTC <= 4anddist >= 5, respectively. Compared withLTLandMITL, however, translatingEMITLinto
TAs is considerably more challenging. The original translation by Wilke [48] is non-elementary and thus not suitable for practical
2
A very recent paper of Krishna, Madnani, and Pandya [35] showed that this class admits some alternative characterisations (namely, a syntactic fragment ofOCATAs and a timed monadic second-order logic).
TTC == 4
dist == 5
Fig. 1: The red car overtakes the blue car from the left.
TTC > 4 dist < 5
TTC <= 4 to left dist >= 5 to right
Fig. 2:Ain Example 1.2.
purposes. Krishna, Madnani, and Pandya [34] showed that any
EMITLformula can be encoded into anMITLformula of doubly exponential size (which can then be translated into aTA), but this
does not match the EXPSPACE lower bound inherited fromMITL. More recently, Ferr`ere [21] proposed an asymptotically optimal
construction fromMIDL(Metric Interval Dynamic Logic, which is strictly more expressive and subsumesEMITL) formulae toTAs,
but it is very complicated and relies heavily on the use ofdiagonal
constraints(i.e. comparison between clocks) which are, in general, not preferred in practice [12, 15, 23] and not well-supported by
existing model checkers.3
Contributions.We consider a simple fragment ofEMITL, which we callEMITL0,∞, obtained by allowing only lower- and upper-bound constraining intervals (e.g.,[0,a)and(b,∞)) andEECL[43] (adding automata modalities toEvent Clock LogicECL). The satisfi-ability and model-checking problems forEMITL0,∞andEECLare much cheaper than that ofEMITL(PSPACE-complete vs EXPSPACE-complete). Moreover, we show that they are already as expressive as
fullEMITL—this is in sharp contrast with the situation for ‘vanilla’
MITL0,∞/ECLandMITL, where the latter is strictly more expres-sive when interpreted over timed words [26, 43]—making them
expressiveyettractablereal-time specification formalisms. We then show thatEMITL0,∞admits a much simpler translation intoTAs. Specifically, by effectively decoupling the timing and operational
aspects of automata modalities, overlapping obligations imposed
by a single automaton subformula can be handled in a purely fifo
manner with a set ofsub-components(each of which is a simple one-clockTAwith a polynomial-sized symbolic representation), avoiding the use of diagonal constraints altogether.4This makes our construction better suited to be implemented to work with
existing highly efficient algorithmic back ends (e.g., Uppaal [11]
and LTSmin [30]).
Related work.The idea of extendingLTLto capture the full class ofω-regular languages dates back to the seminal works of Clarke, Sistla, Vardi, and Wolper [45, 46, 49, 50] in the early 1980s. In
par-ticular, it is shown thatLTLwithNFAmodalities—which essentially
underlies various industrial specification languages like ForSpec [6]
3
It is possible to obtain a diagonal-freeTAfrom anEMITLformula by first applying the construction in [21] and then removing the diagonal constraints [13]. This, however, is expensive and difficult to implement.
4
For simplicity we focus on logics with only future modalities, but our results read-ily carry over to the versions with both future and past modalities, thanks to the compositional nature of our construction (cf. e.g., [31, 38]).
and PSL [20]—are expressively equivalent to B ¨uchi automata, yet
the model-checking and satisfiability problems remain
PSPACE-complete, same asLTL.5Our approach generalises the construction in [50] in the case of finite acceptance.
Henzinger, Raskin, and Schobbens [26, 43] proved a number of
analogous results in timed settings; in particular, they showed that
in thecontinuoussemantics (i.e. over finitely variablesignals), (i)
MITL0,∞andECLare as expressive asMITL, and (ii) the fragment
ofEMITLwithunconstrainedautomata modalities is as expressive asrecursive event-clock automata, and the verification problems for this fragment can be solved in EXPSPACE. Our results can be seen
as counterparts in thepointwisesemantics (i.e. overtimed words). Besides satisfiability and model checking, extending timed logics
with automata or regular expressions is also a topic of great
inter-est inruntime verification. Basin, Krsti´c, and Traytel [10] showed thatMTLwith time-constrained regular-expression modalities
ad-mits an efficient runtime monitoring procedure in a pointwise,
integer-time setting. A very recent work of Niˇckovi´c, Lebeltel,
Maler, Ferr`ere, and Ulus [39] considered a similar extension of
MITLwithtimed regular expressions(TRE) [7, 8] in the context of monitoring and analysis of Boolean and real-valued signals.
2
TIMED LOGICS AND AUTOMATA
Timed languages.Atimed wordover a finite alphabetΣis an infinite sequence ofevents(σi,τi)i≥1overΣ×R≥0with(τi)i≥1a
non-decreasing sequence of non-negative real numbers such that
for eachr ∈R≥0, there is somej ≥1 withτj ≥r(i.e. we require
all timed words to be ‘non-Zeno’). We denote byTΣωthe set of all timed words overΣ. Atimed languageis a subset ofTΣω.
Extended timed logics.Anon-deterministic finite automaton(NFA) overΣis a tupleA=hΣ,S,s0,∆,FiwhereSis a finite set of
loca-tions,s0∈Sis the initial location,∆⊆S×Σ×Sis the transition rela-tion, andFis the set of final locations. We say thatAisdeterministic (aDFA) iff for eachs∈Sandσ ∈Σ,|{(s,σ,s0) | (s,σ,s0) ∈∆}| ≤1. ArunofAonσ1. . .σn∈Σ+(without loss of generality, we only
consider runs of automata modalities overnonemptyfinite words in this paper) is a sequence of locationss0s1. . .snwhere there is
a transition(si,σi+1,si+1) ∈∆for eachi, 0≤i<n. A run ofAis acceptingiff it ends in a final location. A finite word isacceptedby
AiffAhas an accepting run on it. We denote by
JAKthe set of finite words accepted byA.
Extended Metric Interval Temporal Logic(EMITL) formulae over a finite set of atomic propositionsAPare generated by
φ:=> |p|φ1∧φ2| ¬φ | AI(φ1, . . . ,φn)
wherep∈AP,Ais anNFAover then-ary alphabet{1, . . . ,n}, and
I⊆R≥0is a non-singular interval with endpoints inN≥0∪ {∞}. 6
As usual, we omit the subscriptIwhenI=[0,∞)and write pseudo-arithmetic expressions for lower or upper bounds, e.g., ‘<3’ for
[0,3). We also omit the argumentsφ1, . . . ,φn and simply write
AI, if clear from the context. Following [4, 5, 41, 48], we consider the pointwise semantics of EMITLand interpret formulae over
5
There are other ways to extendLTLto achieveω-regularity, e.g., adding monadic second-order quantifiers (QPTL[46]) or least/greatest fixpoints (µLTL[9, 47]). These formalisms unfortunately suffer from higher complexity or less readable syntax. 6
For notational simplicity, we will occasionally useφ1, . . . ,φndirectly as transition labels (instead of1, . . . ,n).
timed words: given anEMITLformulaφoverAP, a timed word
ρ=(σ1,τ1)(σ2,τ2). . . overΣAP=2APand apositioni≥1,
• (ρ,i) |=>;
• (ρ,i) |=piffp∈σi;
• (ρ,i) |=φ1∧φ2iff(ρ,i) |=φ1and(ρ,i) |=φ2;
• (ρ,i) |=¬φiff(ρ,i) 6|=φ;
• (ρ,i) |= AI(φ1, . . . ,φn)iff there existsj ≥ isuch that
(i)τj−τi ∈Iand (ii) there is an accepting run ofAon
ai. . .aj wherea` ∈ {1, . . . ,n}and(ρ, `) |=φa
`for each `,i≤`≤j.7
The other Boolean operators are defined as usual:⊥ ≡ ¬>,φ1∨φ2≡
¬(¬φ1∧ ¬φ2), andφ1 ⇒ φ2 ≡ ¬φ1∨φ2. We also define the
dual automata modalitiesA˜I(φ1, . . . ,φn) ≡ ¬AI(¬φ1, . . . ,¬φn).
With the dual automata modalities, we can transform everyEMITL formulaφintonegative normal form, i.e. anEMITLformula using only atomic propositions, their negations, and the operators∨,
∧, AI, andA˜I. It is easy to see that the standardMITL‘until’
φ1UIφ2can be defined in terms of automata modalities. We also
use the usual shortcuts likeFIφ ≡ >UI φ,GIφ ≡ ¬FI¬φ, and
φ1RIφ2 ≡ ¬ (¬φ1)UI (¬φ2)
. We say thatρsatisfiesφ(written
ρ|=φ) iff(ρ,1) |=φ, and we write
JφKfor the timed language ofφ, i.e. the set of all timed words satisfyingφ.EMITL0,∞is the fragment
ofEMITLwhere all constraining intervalsImust be lower or upper bounds (e.g.,<3 or≥5). Extended Event Clock Logic(EECL) is the fragment ofEMITLwhereAI is replaced by a more restricted ‘event-clock’ counterpart:
• (ρ,i) |=AI. (φ1, . . . ,φn)iff (i) there is aminimalposition
j≥isuch thatAhas an accepting run onai. . .ajwhere
a` ∈ {1, . . . ,n}and(ρ, `) |=φa
` for each`,i≤`≤j; and (ii)jsatisfiesτj−τi ∈I.
Timed automata.LetX be a finite set ofclocks(R≥0-valued
vari-ables). AvaluationvforX maps each clockx ∈X to a value in
R≥0. We denote by0the valuation that maps every clock to 0,
and we write the valuation simply as a value inR≥0whenXis a singleton. The setG(X)ofclock constraintsдoverXis generated by
д:=> |д∧д|x ./cwhere./∈ {≤, <,≥, >},x ∈X, andc∈N≥0.
The satisfaction of a clock constraintдby a valuationv(written
v|=д) is defined in the usual way, and we write
JдKfor the set of valuationsvsatisfyingд. Fort ∈R≥0, we letv+tbe the valuation
defined by(v+t)(x)=v(x)+tfor allx ∈X. Forλ⊆X, we let
v[λ←0]be the valuation defined by(v[λ←0])(x)=0 ifx ∈λ, and(v[λ←0])(x)=v(x)otherwise.
Atimed automaton(TA) overΣis a tupleA=hΣ,S,s0,X,∆,F i whereSis a finite set of locations,s0∈Sis the initial location,Xis
a finite set of clocks,∆⊆S×Σ× G(X) ×2X ×Sis the transition relation, andF ={F1, . . . ,Fn}, withFi ⊆Sfor alli, 1≤i≤n, is
the set of sets of final locations.8 We say thatAisdeterministic (aDTA) iff for eachs∈Sandσ ∈Σand every pair of transitions
(s,σ,д1,
λ1,
s1
) ∈∆and(s,σ,д2,λ2,s2) ∈∆,д1∧д2is not satisfiable. AstateofAis a pair(s,v)of a locations∈Sand a valuationv forX. ArunofAon a timed word(σ1,τ1)(σ2,τ2) · · · ∈TΣω is 7
Note that it is possible for (ρ,i) |= AI(φ1, . . . ,φn) and (ρ,i) |= AIc(φ1, . . . ,φn), whereAcis the complement ofA, to hold simultaneously. 8
We adoptgeneralised B¨uchiacceptance for technical convenience; indeed, anyTA with a generalised B ¨uchi acceptance condition can be converted into a classical B ¨uchi
TAvia a simple standard construction [19].
a sequence of states(s0,v0)(s1,v1). . . where (i)v0 = 0and (ii)
for eachi ≥ 0, there is a transition(si,σi+1,д,λ,si+1)such that
vi+(τi+1−τi) |=д(letτ0=0) andvi+1=(vi+(τi+1−τi))[λ←0].
A run ofAisacceptingiff the set of locations it visits infinitely often contains at least one location from eachFi, 1 ≤i ≤n. A timed word isacceptedbyAiffA has an accepting run on it. We denote by
JAKthe timed language accepted byA. For two
TAsA1=hΣ,S1,s1
0,X 1,∆1,
F1
iandA2 =hΣ,S2,s2
0,X 2,∆2,
F2
i
over a common alphabetΣ, the (synchronous) productA1× A2 is defined as theTAhΣ,S,s0,X,∆,F iwhere (i)S =S1×S2,s0 =
(s1 0,s
2
0), andX =X1∪X2; (ii)((s 1 1,s
2
1),σ,д,λ,(s 1 2,s
2
2)) ∈∆iff there
exists(s1
1,σ,д 1,
λ1,
s1 2) ∈ ∆
1
and(s2
1,σ,д 2,
λ2,
s2 2) ∈∆
2
such that
д=д1
∧д2
andλ=λ1∪λ2; and (iii) letF1={F1
1, . . . ,F 1
n},F2=
{F2 1, . . . ,F
2
m}, thenF ={F1
1×S 2, . . . ,
F1
n×S2,
S1
×F2 1, . . . ,S
1
×F2
m}. Note in particular that we have
JA
1
× A2
K=JA
1
K∩JA
2
K.
p∧ ¬q x:=0
¬q x≤1
x>1
Fig. 3: ATAacceptingJ¬G(p⇒F≤1q)K.
Example 2.1. Consider theTAoverΣ{p,q}in Fig. 3 (following the usual convention, we omit transition labels when they are>’s and use Boolean formulae over atomic propositions to represent
letters, e.g., herep∧ ¬qstands for{σ ∈ Σ{p,q} |p∈σ,q<σ}). It non-deterministically pick an event wherepholds butqdoes not hold (thusF≤qis not fulfilled immediately) and enforces that
qdoes not hold in the next time unit. In other words, it accepts
JF p∧G≤1(¬q)
K=J¬G(p⇒F≤1q)K.
Alternation. One-clock alternating timed automata (OCATAs) extend one-clock timed automata with the power ofuniversal choice. Intuitively, a transition of anOCATAmay spawn several copies of
the automaton that run in parallel from the targets of the transition;
a timed word is accepted iffallcopies accept it. Formally, for a set
Sof locations, letΓ(S)be the set of formulae defined by
γ :=> | ⊥ |γ1∨γ2|γ1∧γ2|s|x ./c|x.γ
wherexis the single clock,c ∈N≥0,./∈ {≤, <,≥, >}, ands ∈S
(the constructx.means “resetx”). For a formulaγ ∈Γ(S), let its dualγ ∈Γ(S)be the formula obtained by applying
• >=⊥;⊥=>;
• γ1∨γ2=γ1∧γ2;γ1∧γ2=γ1∨γ2;
• s=s;x ./c=¬(x ./c);x.γ =x.γ.
AnOCATAoverΣis a tupleA=hΣ,S,s0,δ,FiwhereSis a finite
set of locations,s0 ∈Sis the initial location,δ:S×Σ→Γ(S)is
the transition function, andF ⊆Sis the set of final locations. A
stateofAis a pair(s,v)of a locations∈Sand a valuationvfor the single clockx. Given a set of statesM, a formulaγ ∈Γ(S)and a clock valuationv, we define
• M |=v >;M |=v `iff(`,v) ∈M;M |=v x ./ciffv ./c;
M|=vx.γiffM|=0γ;
• M|=vγ1∧γ2iffM |=vγ1andM|=vγ2;
• M|=vγ1∨γ2iffM |=vγ1orM|=vγ2.
We say thatMis amodelofγ with respect toviffM |=vγ.9 A run ofAon a timed word(σ1,τ1)(σ2,τ2) · · · ∈TΣω is a rooted
directed acyclic graph (DAG)G=hV,→iwith vertices of the form
(s,v,i) ∈S×R≥0×N≥0,(s0,0,0)as the root, and edges as follows:
for every vertex(s,v,i), there is a modelMof the formulaδ(s,σi+1) with respect tov+(τi+1−τi)(again,τ0=0) such that there is an
edge(s,v,i) → (s0,v0,i+1)for every state(s0,v0)inM. A runG ofAisacceptingiff every infinite path inGvisitsFinfinitely often. A timed word isacceptedbyAiffAhas an accepting run on it. We denote by
JAKthe timed language accepted byA. For convenience, in the sequel we will regardNFAs as (untimed)OCATAs with finite
acceptance conditions and whose transition functions are simply
disjunctions over locations.
s0 ∧ s1
¬p p∧ ¬q
p∧q
x:=0 >
x≤1,q
Fig. 4: AnOCATAacceptingJG(p⇒F≤1q)K.
(s0,0,0) (s0,0.42,1)
(s0,0.42,2)
(s1,0,2)
(s0,0.7,3) . . .
Fig. 5: A run of the OCATAin Fig. 4 on the timed word
(∅,0.42)({p},0.42)({q},0.7) · · ·.
Example 2.2. Consider theOCATAoverΣ{p,q}in Fig. 4 which ac-cepts
JG(p⇒F≤1q)K. A run of it on(∅,0.42)({p},0.42)({q},0.7) · · ·
is depicted in Fig. 5 where the root is(s0,0,0). This vertex has
a single successor(s0,0.42,1), which in turn has two successors
(s0,0.42,2) and(s1,0,2) (after firing the transitionδ(s0,{p}) =
s0∧x.s1). Then,(s1,0,2)has no successor since the empty set
is a model ofδ(s1,{q})=x≤1 with respect to 0.28.
Verification problems.In this work we are concerned with the following standard verification problems. Given anEMITLformula
φ, thesatisfiabilityproblem asks whether
JφK=∅. Given aTAA and anEMITLformulaφ, themodel-checkingproblem asks whether JAK⊆JφK. AsTAs are closed under intersection and theemptiness problem forTAs is decidable, both problems above can be solved by first translatingφinto an equivalentTAAφ.
3
EXPRESSIVENESS
In this section we study the expressiveness ofEMITL0,∞,EECL,
and a ‘counting’ extension ofEMITL. It turned out that the class of
timed languages captured byEMITLis robust in the sense that it remains the same under all these modifications. For the purpose of
the proofs below, let us assume (without loss of generality) that the
automatonA=hΣ,S,s0,δ,Fiin question is aDFAand at most one
ofφ1, . . . ,φnmay hold at any position in a given timed word [50].
9
Note that|=vismonotonic: ifM ⊆M0andM |=vγthenM0|=vγ.
Counting in intervals.Recall that the constraining intervalsIin the counting modalities in Ex. 1.1 satisfy 0 ∈ I; this non-trivial extension ofMTL(andMITL) was first considered by Hirshfeld and Rabinovich [27, 28]. For the case of timed words, it is shown in [33]
that allowing arbitraryI(e.g.,(1,2)) makes the resulting logic even more expressive. Here we show that, by contrast, adding the ability
to count inI—regardless of whether 0∈I—does not increase the expressive power ofEMITL.10We consider an extention ofEMITL (which we callCEMITL) that enables specifying the number of
positions within a given intervalIfrom now at which final locations can be reached. More precisely, we have the following semantic
clause inCEMITL:
• (ρ,i) |=AI≥k(φ1, . . . ,φn)iff there existsj1<· · ·<jksuch
that for each`, 1≤`≤k, (i)j` ≥i; (ii)τj
`−τi ∈I; and (iii) there is an accepting run ofAon someai. . .aj
`where
a`0∈ {1, . . . ,n}and(ρ, `0) |=φa
`0 for each`0,i≤`0≤j`.
s1
0 s
1
1 s
1 2
Fig. 6:A1
in the proof of Theorem 3.1.
Theorem 3.1. CEMITLandEMITLare equally expressive over
timed words.
Proof. We give anEMITLequivalent ofA≥k
I (φ1, . . . ,φn).
Pro-vided thatφ1, . . . ,φnare already inEMITLandAis deterministic in the sense above, we can count modulokthe number of positions where final locations are reached and ensures thatIencompasses all possible values of the counter; in contrast to [33], here the counter
can be implemented directly using automata modalities. We give a
concrete example which should illustrate the idea. Letk=3 and
A2
be the product ofAandA1(Fig. 6), i.e. each location ofA2 is of the formhs,s1iwheres ∈ Sands1 ∈ {s1
0,s 1 1,s
1
2}, and it is
accepting iffsands1are both final. Then, letA3be the automaton obtained fromA2by:
• For all the transitionshs,s1
0i → hs 0,s1
1i,hs,s 1 1i → hs
0,s1 2i,
andhs,s1
2i → hs 0,s1
0i, keeping only those withs 0∈F;
• For all the transitionshs,s1
0i → hs 0,s1
0i,hs,s 1 1i → hs
0,s1 1i,
andhs,s1
2i → hs 0,s1
2i, keeping only those withs 0
<F.
Now letA1, `(`∈ {0,1,2}) be the automaton obtained fromA1by adding an extra final locations1
F and the transitions1
`−1(mod 3)→
s1
F, and letA3, `be the corresponding product withA, keeping transitionshs,s1
`−1(mod 3)i → hs 0,s1
Fiwiths0 ∈ F. The original
formulaA≥3
I is equivalent toÓ`∈ {0,1,2}A3, `
I .
Restricting to event clocks.We show that the equivalence ofECL andMITL0,∞carries over to the current setting. More specifically, anEECLformula can be translated into an equilvalentEMITL0,∞
formula of polynomial size (in DAG representation). On the other
10
AsEMITLcan easily express the ‘until with threshold’ modalities ofCTMITL, the
hand, our translation fromMITL0,∞toEECLinduces an
exponen-tial blow-up due to the fact that automataAhave to be
deter-minised.
Theorem 3.2. EECLandEMITL0,∞are equally expressive over
timed words.
Proof. Again, we assume that the argumentsφ1, . . . ,φn are
already in the target logic. The direction fromEECLtoEMITL0,∞is
simple and almost identical to the translation fromECLtoMITL0,∞; for example,A.(
3,5)can be written asA<5∧ ¬A≤3. For the other
direction consider the followingEMITL0,∞formulae:
• (ρ,i) |=A≤c: the equivalent formula is simplyA.≤c.
• (ρ,i) |=A≥c: as in [43], we consider the subcases where:
– There is no event in[τi,τi +c)apart from(σi,τi): letA2be the product ofAandA1whereA1is the automaton depicted in Fig. 7. We have(ρ,i) |=¬A.
1
<c ∧A.2≥c.
– There are events in[τi,τi+c)other than(σi,τi): let the last event in[τi,τi+c)be(σj,τj)andk>j >ibe the minimal position such that there existsai. . .ak ∈
JAKwith(ρ, `) |=φa` for all`,i ≤ ` ≤k. By as-sumption,ai. . .ak is unique andAmust reach a specific locations ∈ S after readingai. . .aj. The idea is to split the unique run ofAonai. . .ak at
s: we take a disjunction over all possibles ∈ S, en-force thatτj−τi <candAreaches a final location fromsby readingaj+1. . .ak. More specifically, let
Bs,φbe the automaton obtained fromAby adding a new locationsF, declaring it as the only final location,
and adding new transitionss0
φa∧φ
−−−−−→ sF for every
s0 −−→φa s inA. LetCs be the automaton obtained fromAby adding new non-final locationss0
0ands 0 1,
adding new transitionss0
0 → s 0
1 (i.e. labelled with
>) ands0
1
φa
−−→s00for everys
φa
−−→s00inA, remov-ing outgoremov-ing transitions from all the final locations,
and finally setting the initial location tos0
0. We have
(ρ,i) |=A.1<c∧A ∧¬. Ô s∈S
.
Bs<,φc whereφ=¬Cs. The equivalent formula is the disjunction of these.
The other types of constraing intervals, such as[0,c), are handled
almost identically.
s1
0 s
1
1 s
1 2
Fig. 7:A1
in the proof of Theorem 3.2.
Restricting to one-sided constraining intervals.Recall that a fun-damental stumbling block in the algorithmic analysis of TAs is that theuniversalityproblem is undecidable [2].DTAs with finite acceptance conditions, on the other hand, can be complemented
easily and have a decidable universality problem. This raises the
question of whether one can extendMITLwithDTAmodalities
without losing decidability (both are fully decidable formalisms).
Perhaps surprisingly, the resulting formalism already subsumes
MTLeven when punctual constraints are disallowed. For exam-ple,F[d,d]φcan be written as¬A0∧ ¬A00∧F[1,∞)φwhereA0 andA00are the one-clock deterministicTAs in Fig. 8 and Fig. 9, respectively (in particular, note thatA0andA00only use lower-and upper-bound constraints). It follows from [40] that the
sat-isfiability problem for this formalism is undecidable. Based on a
x<d
[image:6.612.338.545.176.225.2]x>d
Fig. 8:A0.
x<d ¬φ,x≤d
¬φ,x≥d x>d
Fig. 9:A00.
similar trick, we obtain the main result of this section:EMITL0,∞
already has the full expressive power ofEMITL. This, together with the fact that the satisfiability and model-checking problems for
EMITL0,∞are only PSPACE-complete (Theorem 4.6) as compared
with EXPSPACE-complete for fullEMITL[21], makesEMITL0,∞a
competitive alternative to other real-time specification formalisms—
while a translation fromEMITLtoEMITL0,∞inevitably induces at
least an exponential blow-up, it can be argued that many properties
of practical interest can be written inEMITL0,∞directly (e.g., Ex. 1.1
and Ex. 1.2). The idea of the proof below is similar to that of [43,
Lemma 6.3.11] (MITL0,∞andMITLare equally expressive in the
continuous semantics), but the technical details are more involved
due to automata modalities and the fact that each event is not
nec-essarily preceded by another one exactly 1 time unit earlier in a
timed word; the latter is essentially the reason why the expressive
equivalence ofMITL0,∞andMITLfails to hold in the pointwise
semantics.
Theorem 3.3. EMITL0,∞andEMITLare equally expressive over timed words.
Proof. We explain in detail below how to write theEMITL
for-mulaA(c,c+1)(φ1, . . . ,φn)wherec≥0, andφ1, . . . ,φn∈EMITL0,∞
as anEMITL0,∞ formula; the other cases, such as(c,c+1]and
[c,c+1], are similar.
First considerc=0. If(ρ,i) |=A(0,1)forρ=(σ1,τ1)(σ2,τ2). . .
andi ≥ 1, the finite wordai. . .ak accepted by Amust be at least two letters long. This again is enforced byA1in Fig. 7: let
A2
be the product ofAandA1. Then, letA3be the automaton obtained fromA2by adding¬X>0>(Xis the standardMITL‘next’
operator [41]) to all the transitionshs,s1
0i → hs 0,s1
0iandX>0>to
all the transitionshs,s1
0i → hs 0,s1
1ias conjuncts (in doing so, extend
the alphabet as necessary). It is not hard to see that(ρ,i) |=A3 <1
in the two possible situations: (i)τi+1−τi >0 and (ii)τj−τi >0
for somej >i+1 andτ`−τi =0 for all`,i< ` < j. The other direction ((ρ,i) |=A3
<1 ⇒ (ρ,i) |=A(0,1)) is straightforward. It
follows that the equivalentEMITL0,∞formula isA3 <1.
Now considerc >0. Suppose that(ρ,i) |= A(c,c+1)forρ =
(σ1,τ1)(σ2,τ2). . . andi ≥ 1, letk > ibe theminimal position
such thatτk−τi ∈ (c,c+1)and there existsai. . .ak ∈
JAKwith
(ρ, `) |=φa` for all`,i ≤`≤k(since at most one ofφ1, . . . ,φn
may hold at any position, we fixai. . .ak below). Consider the following cases (note that they are not mutually disjoint):
0 c−1 c c+1
σi σj σk
[image:7.612.61.289.81.139.2]1
Fig. 10: Case (i) in the proof of Theorem 3.3; solid boxes
in-dicate whenAaccepts the corresponding prefix ofai. . .ak.
0 c−1 c c+1
σi σj σk
1
Fig. 11: Case (ii) in the proof of Theorem 3.3.
(i) There exists amaximalj,i<j<ksuch that (a)τk−τj =1 and (b) there is no`,j < ` <ksuch thatai. . .a` ∈
JAK
with(ρ, `0) |=φa
`0for all`0,i≤`0≤`(Fig. 10): we take a disjunction over all possibles ∈Ssuch thatAreachess after readingai. . .aj and enforce thatτj−τi ∈ (c−1,c) (which we can, by the IH),Areaches a final location froms by readingaj+1. . .ak, andτk−τj =1; thanks to (b), the last condition, which is otherwise inexpressible inEMITL0,∞,
can be expressed as a conjunction of two formulae labelled
with≤ 1 and≥ 1. To this end, we useBs,φ andCs as defined in the proof of Theorem 3.2: we have
(ρ,i) |=φ1
=Ü s∈S
Bs(c,φ−
1,c)
whereφ=Cs
≤1∧ C
s
≥1.
(ii) There existsj,i <j <ksuch thatτk−τj <1,τj−τi ∈
(c−1,c], andai. . .aj ∈
JAKwith(ρ, `) |=φa` for all`,
i≤`≤j(Fig. 11): letDsbe the automaton obtained from
Ain the same way asCs except that we do not remove outgoing transitions from the final locations. Regardless
of whether there is a event atτk−1, it is clear that every position`withτ`−τi ∈ (c−1,c]must satisfyCs
(0,1)where
sis the location ofAafter readingai. . .a`. We have
(ρ,i) |=φ2
=A(c−1,c]∧ ¬
Ü
s∈S
Bs(c,φ−
1,c]
whereφ=¬Ds
(0,1).
(iii) There existsj,i <j <ksuch thatτk−τj <1,τj−τi ∈
(c−1,c], but there is no`,i< ` <ksuch that (a)τ`−τi ∈
(c−1,c]and (b)ai. . .a`∈
JAKwith(ρ, `
0) |=φa
`0for all `0,i≤`0≤`: we have
(ρ,i) |=φ3
=¬A(c−1,c]∧ Ü
s∈S
Bs(c,φ−
1,c]
whereφ=Ds
(0,1)
.
(iv) There exists amaximalj,i<j<ksuch thatτk−τj >1,
τj−τi ∈ (c−1,c], and there is no`,j< ` <ksuch that (a)
τ`−τi ∈ (c−1,c]and (b)ai. . .a`∈
JAKwith(ρ, `
0
) |=φa`0 for all`0,i ≤`0 ≤`: observe that (provided thats’s are correctly instantiated to the locationsAreaches as it reads
C>s1 C
s
≤1
C>s1∧s∈F
C>s1 C
s
≤1
C>s1∧s∈F∧φ
s
C>s1∧φ
s
Fig. 12: An illustration ofE3
in the proof of Theorem 3.3.
C≤s1
s∈F
Fig. 13: An illustration ofφsin the proof of Theorem 3.3.
ai. . .ak) whileCs
>1may hold arbitrarily often in[τi,τi+c],
the number of positions`,i≤`≤jsatisfying
(ρ, `) |=C>s1∧ (ρ, `+1) |= C
s
≤1∨ (C
s
>1∧s∈F)
(2)
is at mostc(since any two of such positions must be sep-arated by more than 1 time unit). We define a family of
automata modalities{Em |m≥1}such that each location ofEm is of the formhs,diwiths ∈Sand 1 ≤d ≤ 2m; see Fig. 12 for an illustration. Each transition updates the
s-component asAwould, enforces the formula labelled on the corresponding transition ofAand, additionally, the
formula as labelled in Fig. 12 (withsbeing thetarget loca-tion of the corresponding transiloca-tion ofA). The formula
φs (illustrated in Fig. 13), which also followsAwith an
s-component, checks that the next position either satis-fies (a)s ∈ F, or (b)Cs
≤1holds continuously untils ∈ F
eventually holds. LetEˆmbe obtained fromEmby ‘inlin-ing’φs: removing the leftmost locations ofφs and merge the middle locations ofφs with the rightmost locations of
Em. Apparently,EˆmandEmare equivalent if there is no constraing interval—the only difference between them is
which position is ‘timed’. Now suppose that the number of
positions`,i≤`≤jsatisfying (2) ism. Sincejis the last
of these positions, we have(ρ,i) |=Eˆm
<c+1. On the other
hand, as there are onlym−1 such positions in[τi,τi+c−1], we have(ρ,i) |=¬Em≤c−1. By the above, we have
(ρ,i) |=φ4
= Ü
1≤m≤c
ˆ
Em<c+1∧ ¬E
m
≤c−1
.
(v) There is no event in(τi+c−1,τi+c]: We have
(ρ,i) |=φ5
=¬F(c−1,c]> ∧φ0.
Ifc =1 thenφ0can simply be taken asA(0,2), which is equivalent toA3
<2
by the same argument as before. If
c>1, thenφ0can be taken as
Ü
1≤m≤c−1
ˆ
Em<c+1∧ ¬E
m
≤c−2
∨φ00
whereφ00is
¬F(c−2,c−1]> ∧
Ü
1≤m≤c−2
ˆ
Em<c+1∧ ¬E
m
≤c−3
∨φ000.
Intuitively, the former part ofφ0is used to handle the case when there is (at least) a event in(τi+c−2,τi+c−1], and
[image:7.612.63.289.182.239.2]the former part ofφ00is for(τi+c−3,τi+c−2], and so on.
We omit the other direction as it is (more or less) straightforward.
The equivalentEMITL0,∞formula isφ 1
∨φ2
∨φ3
∨φ4
∨φ5
.
4
FROM
EMITL
0,∞TO TIMED AUTOMATA
EmbeddingEMITLformulae intoOCATAs.We give a translation from a givenEMITLformulaφoverAP(which we assume to be in negative normal form) into anOCATAAφ =hΣAP,S,s0,δ,Fi
such that
JAφK=JφK. While this mostly follows the lines of the translation forMTL(andMITL) in [16, 41], it is worth noting that the resultingOCATAAφisweak[36, 37] but not necessarily
very-weak[24, 44] due to the presence of automata modalities. The set of locationsSofAφcontains (i)sinit; (ii) all the locations ofAfor every subformulaAI(φ1, . . . ,φn); (iii) all the locations ofAfor
every subformulaA˜I(φ1, . . . ,φn). The initial locations0issinit, and
the final locationsFare all the locations ofAfor every subformula ˜
AI(φ1, . . . ,φn). Finally, for eachσ∈ΣAP,δis defined inductively
as follows (letA=hΣA,SA,sA
0 ,δ
A,FAiwithΣA ={1, . . . ,n}):
• δ(sinit,σ)=x.δ(φ,σ),δ(>,σ)=>, andδ(⊥,σ)=⊥;
• δ(p,σ)=>ifp∈σ,δ(p,σ)=⊥otherwise;
• δ(¬p,σ)=>ifp<σ,δ(¬p,σ)=⊥otherwise;
• δ(φ1∨φ2,σ) =δ(φ1,σ) ∨δ(φ2,σ), andδ(φ1∧φ2,σ) =
δ(φ1,σ) ∧δ(φ2,σ);
• δ(AI(φ1, . . . ,φn),σ)=x.δ(s A 0 ,σ);
• δ(sA,σ)=Ô
a∈ΣA δ(φa,σ)∧δA[sFA ←sFA∨x∈I](sA,a) wheresA ∈SAandδA[sA
F ←sFA∨x ∈I]is obtained fromδA by substituting everysA
F ∈FAwithsA
F ∨x ∈I
for some subformulaAI(φ1, . . . ,φn);
• δ(A˜
I(φ1, . . . ,φn),σ)=x.δ(s A 0 ,σ)
;
• δ(sA,σ)=Ó
a∈ΣA δ(φa,σ)∨δA[sFA ←sFA∧x<I](sA,a)
wheresA ∈SAandδA[sA
F ←sFA ∧x <I]is obtained fromδA by substituting everysA
F ∈FAwithsA
F ∧x<I
for some subformulaA˜I(φ1, . . . ,φn).
Proposition 4.1. Given anEMITLformulaφin negative normal
form,JAφK=JφK.
We now focus on the case whereφ is anEMITL0,∞ formula and give a set of componentTAs whose product ‘implements’ the correspondingOCATAAφ. As we will need some notions from [17],
we briefly recall them here to keep the paper self-contained.
Compositional removal of alternation inφ.LetΦbe the set of temporal subformulae (i.e. whose outermost operator isAIorA˜I) ofφ. We introduce a new atomic propositionpψ for eachψ ∈Φ (thetriggerforψ) and letAPΦ={pψ |ψ ∈Φ}. For a timed wordρ0 overΣAP∪AP
Φ, we denote byproj
AP(ρ0)the timed word obtained fromρ0by hiding allp<AP(i.e.p∈APΦ). For a timed languageL overAP∪APΦwe writeproj
AP(L)={projAP(ρ0) |ρ0∈ L}. Letψ be the formula obtained from anEMITL0,∞formulaψ(in negative normal form) by replacing all of its top-level temporal subformulae
by their corresponding triggers, i.e.ψ is defined inductively as follows (wherep∈AP):
• ψ1∧ψ2=ψ1∧ψ2;
• ψ1∨ψ2=ψ1∨ψ2;
• ψ=ψwhenψis>or⊥orpor¬p;
• ψ=pψ whenψisAI(φ1, . . . ,φn)orA˜I(φ1, . . . ,φn).
Note thatψ is simply a positive Boolean combination of atomic propositions. In this way, we can turn the givenEMITL0,∞formula
φinto an equisatisfiableEMITL0,∞formulaφ 0
overAP∪APΦ: the conjunction ofφ,
Û
{ψ∈Φ|ψ=AI(φ1, ...,φn)}
G pψ ⇒ AI(φ1, . . . ,φn)
,
and the counterparts for{ψ ∈ Φ|ψ =A˜I(φ1, . . . ,φn)}. Finally, we construct the componentTAs Cinit(which accepts
JφK) and
Cψ (which accepts, say,
JG pψ ⇒ AI(φ1, . . . ,φn)
K) for every
ψ ∈ Φ. The timed language ofφ0is accepted by the product
Cinit×Î
ψ∈ΦCψ and, in particular,proj
AP(JC
init×Î
ψ∈ΦCψK)=
JAφK. Intuitively,pψ being>(the triggerpψ is ‘pulled’) at some position means that theOCATAAφspawns a copy (several copies)
ofAwhereψ =AI (ψ =A˜I) at this position or, equivalently, an obligation thatAI (A˜I) must hold is imposed on this position.
ComponentTAs for automata modalities.As the construction ofCinitis trivial, we only describe the componentTAsCψ for
ψ =AI(φ1, . . . ,φn)andψ =
˜
AI(φ1, . . . ,φn)whereI =[0,c]or
I=[c,∞)for somec∈N≥0; the other types of constraining
inter-vals are handled similarly. The crucial observation that allows us
to bound the number of clocks needed inCψis that two or more obligations, provided that their corresponding copies ofAare in the same location(s) at some point(s) andI is a lower or upper bound, can be merged into a single one. Instead of keeping track
of the order of the values of its clocks,Cψ non-deterministically
guesses how obligations should be merged and put them into
suit-able sub-components accordingly. To ensure that all obligations are
satisfied, we use an extra variable`such that`=0 when there is
no obligation,`=1 when there is at least one pending obligation, `=2 when the pending obligations have just been satisfied and a new obligation has just arrived, and finally`=3 when we have to
wait the current obligations to be satisfied (explained below). In
all the cases below we fixΣ=ΣAP∪AP
Φ and|SA|=m. We write Ssrc−σ→
∨ S
tgt, whereSsrcandStgtare two subsets ofSA
, iffStgtis
a minimal set such that for eachsA,1∈Ssrc, there is a transition
sA,1 φa
−−→ sA,2
(wherea ∈ {1, . . . ,n}) ofAwithσ |= φa and
sA,2
∈Stgt. Similarly, we writeSsrc−σ→
∧ S
tgtiffStgtis a minimal set
such that for eachsA,1∈Ssrcand each transitionsA,1
φa −−→sA,2
(wherea∈ {1, . . . ,n}) ofA, eithersA,2∈Stgtorσ|=φa.
ψ = A≤c.LetCψ = hΣ,S,s0,X,∆,F i be defined as follows
(to simplify the presentation, in this case we assume thatAonly
accepts words of length≥2):
• Each locations ∈ S is of the form h`1,S1, . . . , `m,Smi where`j ∈ {0,1,2}andSj ⊆SA for allj ∈ {1, . . . ,m}; intuitively,h`j,Sjican be seen as a location of the
sub-componentCψ
j ;
• s0=h0,∅, . . . ,0,∅i;
• X ={x1, . . . ,xm};
• F = {F1, . . . ,Fm}whereFj contains all locations with
`j=0 or`j =2;
• ∆is obtained by synchronising the transitionsh`,Si
σ,д,λ −−−−−→ h`0,S0iof individual components (we omit the sub-scripts for brevity):
– pψ <σ;`0=0,`=0;S0=∅,S=∅;д=>;λ=∅.
– pψ <σ;`0=1,`∈ {1,2};S−σ→
∨ S
0;д=>;λ=∅.
– pψ <σ;`0=0,` ∈ {1,2};S0=∅,S ={sA},sA
F |= δ(sA,σ)for somesA
F ∈FA;д=x ≤c;λ=∅.
– pψ ∈σ;`0 =1,`=0;{sA
0 }
σ −→
∨ S 0
,S =∅;д=>;
λ={x}.
– pψ ∈σ;`0=1,`∈ {1,2};S0is the union of someS00
such thatS−σ→
∨ S
00andS000with{sA 0 }
σ −→
∨ S
000;д=>;
λ=∅.
– pψ ∈ σ;`0=2,` ∈ {1,2};{sA
0 }
σ −→
∨ S 0
,S = {sA},
sFA |=δ(sA,σ)for somesA
F ∈ FA;д=x ≤c;λ =
{x}.
Ifpψ ∈σ, then exactly one of the sub-components takes a ‘pψ ∈σ’ transition while the others proceed as ifpψ <σ.
Proposition 4.2.
JC
ψ
K=JG pψ ⇒ A≤c(φ1, . . . ,φn)
K.
Proof sketch. Letψ0=G pψ ⇒ A≤c(φ1, . . . ,φn)
andAψ0 be the equivalentOCATAobtained via Proposition 4.1. If a timed
wordρ=(σi,τi)i≥1satisfiesψ 0
, there must be an accepting runG=
hV,→iofAψ0onρ; in particular, a copy ofAis spawned whenever
pψ holds. Now consider each ‘level’Li ={(s,v) | (s,v,i) ∈V}of
Gin the increasing order ofi. If|{(sA,v) | (sA,v) ∈Li}| ≤1 for everysA ∈SA, inCψwe simply put each corresponding obligation into an unused sub-component (with`=0 andS =∅) when it arrives, i.e.pψholds. If|{(sA,v) | (sA,v) ∈Li}|>1 for somesA ∈
SA, since the constraining interval[0,c]isdownward closed, the DAG obtained fromGby replacing all the subtrees rooted at nodes
(sA,v,i)with(sA,vmax,i), wherevmax=max{v | (sA,v) ∈Li}, is still an accepting run ofAψ0; inCψ, this amounts to putting
the obligations that correspond to nodes(sA,v,i)into the sub-component that holds the (oldest) obligation that corresponds to
(sA,vmax,i). We do the same for all suchsA, obtainG0, and start over fromi+1. In this way, we can readily construct an accepting run ofCψonρ. The other direction obviously holds as each
sub-componentCψ
j does not reset its associated clockxjwhenpψ ∈σ and`j ∈ {1,2}, unless the (only remaining) obligation inSj is
fulfilled right away. In other words,Cψ
j adds an obligation that is at least as strong toSjwithout weakening the existing ones in
Sj.
ψ=A≥c.LetCψ =hΣ,S,s0,X,∆,F ibe defined as follows:
• Each locations∈Sis of the formh`1,S1,T1. . . , `m,Sm,Tmi where`j ∈ {0,1,2,3}andSj,Tj ⊆SAfor allj∈ {1, . . . ,m}; intuitively,h`j,Sj,Tjican be seen as a location of the
sub-componentCψ
j ;
• s0=h0,∅,∅, . . . ,0,∅,∅i;
• X ={x1, . . . ,xm};
• F = {F1, . . . ,Fm}whereFj contains all locations with
`j=0 or`j =2;
• ∆is obtained by synchronising (in the same way as before)
h`,S,Ti−−−−−σ,д,→ hλ `0,S0,T0iof individual sub-components:
– pψ <σ;`0=0,`=0;S0=∅,S =∅,T0=∅,T =∅;
д=>;λ=∅.
– pψ <σ;`0=1,` ∈ {1,2};S −→σ
∨ S
0,T0 =∅,T =∅;
д=>;λ=∅.
– pψ <σ;`0=3,`=3;S−σ→
∨ S 0,T −→σ
∨ T
0;д=>;λ=∅.
– pψ <σ;`0=0,`∈ {1,2};S0=∅,S ={sA},sA
F |= δ(sA,σ)for somesA
F ∈FA,T0=∅,T =∅;д=x ≥c;
λ=∅.
– pψ < σ;`0 =2,` = 3;T −σ→
∨ S
0,S = {sA},sA
F |= δ(sA,σ)for somesA
F ∈ FA,T0 = ∅;д = x ≥ c;
λ={x}.
– pψ ∈σ;`0=1,`=0;{sA
0 }
σ −→
∨ S 0
,S =∅,T0 =∅,
T =∅;д=>;λ={x}.
– pψ ∈σ;`0=1,`∈ {1,2};S0is the union of someS00
such thatS−→σ
∨ S
00andS000with{sA 0 }
σ −→
∨ S
000,T0=∅,
T =∅;д=>;λ={x}.
– pψ ∈σ;`0=3,`=1;S −→σ
∨ S 0
,{sA
0 }
σ −→
∨ T 0
,T =∅;
д=>;λ=∅.
– pψ ∈σ;`0=3,`=3;S−σ→
∨ S 0
,T0is the union of some
T00such thatT −→σ
∨ T
00andT000with{sA 0 }
σ −→
∨ T 000;
д=>;λ=∅.
– pψ ∈σ;`0 =2,` ∈ {1,2};{sA
0 }
σ −→
∨ S
0,S ={sA},
sFA |=δ(sA,σ)for somesA
F ∈ FA,T0 =∅,T =∅;
д=x ≥c;λ={x}.
– pψ ∈σ;`0=2,`=3;S0is the union of someS00such
thatT −→σ
∨ S
00andS000with{sA 0 }
σ −→
∨ S
000,S ={sA},
sFA |=δ(sA,σ)for somesA
F ∈FA,T0=∅;д=x ≥c;
λ={x}.
Proposition 4.3.
JC
ψ
K=JG pψ ⇒ A≥c(φ1, . . . ,φn)
K.
Proof sketch. Similar to the proof of Proposition 4.2, but since
[c,∞)isupward closed, we replace all the subtrees rooted at nodes
(sA,v,i)with(sA,vmin,i), wherevmin =min{v | (sA,v) ∈Li}; inCψ, we still put the obligations that correspond to nodes(sA,v,i) into the sub-component that holds the (oldest) obligation that
cor-responds to(sA,vmax,i). There is, however, a potential issue: since we resetxj whenever the triggerpψ is pulled andCψ
j is chosen, it might be the case thatxj never reachesc, i.e. the satisfaction of the obligations inSj are delayed indefinitely. Following [17], we solve this by locations with`j =3 such that, when entered, we stop resettingxjand put the new obligations intoTj instead; when the obligations inSj are fulfilled, we move the obligations in
TjtoSjand resetxj. The other direction obviously holds as each
sub-componentCjψ resetsxjwhenpψ ∈σand`j ∈ {1,2}, unless
it goes from`j =1 to`j =3. In other words,Cψ
j adds the new obligation toSjwhile strengthening the existing ones inSj.
ψ=A˜
≤c.LetCψ =hΣ,S,s0,X,∆,F ibe defined as follows:
• Each locations ∈S is of the formhS1, . . . ,Sm+1iwhere
Sj ⊆SAfor allj ∈ {1, . . . ,m+1}; intuitively,Sj can be
seen as a location of the sub-componentCψ
j ;
• s0=h∅, . . . ,∅i;
• X ={x1, . . . ,xm+1};
• F =∅, i.e. any run is accepting;
• ∆is obtained by synchronising (in the same way as before)
S−σ−−−−,д,→λ S0of individual sub-components:
– pψ <σ;S0=∅,S=∅;д=>;λ=∅.
– pψ <σ;S−→σ
∧ S
0,S0∩FA =∅;д=x ≤c;λ=∅.
– pψ <σ;S0=∅;д=x >c;λ=∅.
– pψ ∈ σ;{sA
0 }
σ −→
∧ S 0
,S0∩FA =∅,S = ∅;д =>;
λ={x}.
– pψ ∈σ;S0is the union of someS00such thatS−→σ
∧ S 00
andS000with{sA
0 }
σ −→
∧ S 000
,S0∩FA=∅;д=x ≤c;
λ={x}.
– pψ ∈σ;{sA
0 }
σ −→
∧ S 0
,S0∩FA=∅;д=x >c;λ={x}.
Proposition 4.4.
JCψK=JG pψ ⇒
˜
A≤c(φ1, . . . ,φn)
K.
Proof sketch. Letψ0=G pψ ⇒A˜≤c(φ1, . . . ,φn)
andAψ0 be the equivalentOCATAobtained via Proposition 4.1. Consider
each levelLi = {(s,v) | (s,v,i) ∈ V}of an accepting runG =
hV,→iofAψ0onρ =(σi,τi)i≥1in the increasing order ofi. In
Cψ, whenever the triggerpψis pulled, we attempt to put the corre-sponding obligation into an unused sub-component (withS=∅) or a sub-component that can be cleared (withx>c); if this is not possible, since for everysA ∈SA all the subtrees rooted at nodes
(sA,v,i)can be replaced with the subtree rooted at(sA,vmin,i)
wherevmin=min{v | (sA,v) ∈Li}, at least one sub-component
Cψj becomes redundant, i.e. all of its obligations are implied by the
other sub-componentsCψ
k,k,j. A consequence is that the obli-gations in the sub-componentCψ
k with the minimal non-negative value ofxj−xkcan be merged with the obligations inCψ
j, freeing up a sub-component for the current incoming obligation. This can
be repeated to construct an accepting run ofCψ onρ. The other
direction holds as eachCψ
j adds the new obligation toSj while strengthening the existing obligations inSj.
ψ=A˜
≥c.LetCψ =hΣ,S,s0,X,∆,F ibe defined as follows (for
simplicity, assume thatc>0):
• Each locations∈Sis of the formhS1,T1. . . ,Sm+1,Tm+1i
whereSj,Tj ⊆SA for allj ∈ {1, . . . ,m+1}; intuitively,
hSj,Tjican be seen as a location of the sub-component
Cψj ;
• s0=h∅,∅, . . . ,∅,∅i;
• X ={x1, . . . ,xm+1};
• F =∅, i.e. any run is accepting;
• ∆is obtained by synchronising (in the same way as before)
h`,S,Ti−−−−−σ,д,→ hλ `0,S0,T0iof individual sub-components:
– pψ <σ;S0=∅,S=∅,T0=∅,T =∅;д=>;λ=∅.
– pψ <σ;S0=∅,S=∅,T −→σ
∧ T
0,T0∩FA =∅;д=>;
λ=∅.
– pψ <σ;S−σ→
∧ S 0
,T0=∅,T =∅;д=x <c;λ=∅.
– pψ <σ;S −→σ
∧ S 0
,T −→σ
∧ T 0
,T0∩FA =∅;д=x <c;
λ=∅.
– pψ < σ;S0 = ∅,T0is the union of someT00such
thatS −→σ
∧ T 00
andT000withT −σ→
∧ T 000
,T0∩FA =∅;
д=x ≥c;λ=∅.
– pψ ∈ σ;{sA
0 }
σ −→
∧ S
0,S =∅,T0=∅,T =∅;д=>;
λ={x}.
– pψ ∈σ;{sA
0 }
σ −→
∧ S
0,S =∅,T −→σ ∧ T
0,T0∩FA =∅;
д=>;λ={x}.
– pψ ∈σ;S0is the union of someS00such thatS−→σ
∧ S 00
andS000with{sA
0 }
σ −→
∧ S 000
,T0=∅,T =∅;д=x <c;
λ=∅.
– pψ ∈σ;S0is the union of someS00such thatS−→σ
∧ S 00
andS000with{sA
0 }
σ −→
∧ S 000,T −→σ
∧ T
0,T0∩FA =∅;
д=x <c;λ=∅.
– pψ ∈σ;{sA
0 }
σ −→
∧ S 0
,T0is the union of someT00such
thatS −→σ
∧ T 00
andT000withT −σ→
∧ T 000
,T0∩FA =∅;
д=x ≥c;λ={x}.
Proposition 4.5.
JC
ψ
K=JG pψ ⇒
˜
A≥c(φ1, . . . ,φn)
K.
Proof sketch. As in the proof of Proposition 4.4, wheneverpψ
is pulled inCψ, we attempt to put the corresponding obligation into an unused sub-component (withS=∅) or a sub-component that can be cleared (ifx >c, we move the obligations inStoT and let them remain there). If this is not possible, since for everysA ∈SAall the subtrees rooted at nodes(sA,v,i)can be replaced with the subtree rooted at(sA,vmax,i)wherevmax=max{v| (sA,v) ∈Li}, some
Cψj becomes redundant, and the obligations in the sub-component
Cψk with the minimal non-negative value ofxk−xj can be merged
with the obligations inCψj , freeing up a sub-component for the
current incoming obligation. This can be repeated to construct an
accepting run ofCψ onρ. The other direction holds as eachCψ
j
adds an obligation that is at least as strong toSjwithout weakening
the existing obligations inSj.
Finally, thanks to the fact that each location ofCψ can be repre-sented using space polynomial in the size ofA, and the product
Cinit×Î
ψ∈ΦCψneed not to be constructed explicitly, we can state the main result of this section.
Theorem 4.6. The satisfiability and model-checking problems for
Corollary 4.7. The satisfiability and model-checking problems
forEECLover timed words arePSPACE-complete.
5
CONCLUSION
It is shown thatEMITL0,∞andEECLare already as expressive
asEMITLover timed words, a somewhat unexpected yet very
pleasant result. We also provided a compositional construction
fromEMITL0,∞to diagonal-freeTAs based on one-clock alternat-ing timed automata (OCATAs); this allows satisfiability and model checking based on existing algorithmic back ends forTAs. The
nat-ural next step would be to implement the construction and evaluate
its performance on real-world use cases. Another possible future
direction is to investigate whether similar techniques can be used
to handle fullEMITLor larger fragments ofOCATAs (like [21]).
ACKNOWLEDGMENTS
The author would like to thank Thomas Brihaye, Chih-Hong Cheng,
Thomas Ferr`ere, Gilles Geeraerts, Timothy M. Jones, Arthur
Mil-chior, and Benjamin Monmege for their help and fruitful
discus-sions. The author would also like to thank the anonymous reviewers
for their comments. This work is supported by the Engineering
and Physical Sciences Research Council (EPSRC) through grant
EP/P020011/1 and (partially) by F.R.S.-FNRS PDR grant SyVeRLo.
REFERENCES
[1] Houssam Abbas, Alena Rodionova, Ezio Bartocci, Scott A. Smolka, and Radu Grosu. 2017. Quantitative Regular Expressions for Arrhythmia Detection Algo-rithms. InCMSB (LNCS), Vol. 10545. Springer, 23–39.
[2] Rajeev Alur and David L. Dill. 1994. A Theory of Timed Automata.Theoretical
Computer Science126, 2 (1994), 183–235.
[3] Rajeev Alur, Tom ´as Feder, and Thomas A. Henzinger. 1996. The Benefits of Relaxing Punctuality.J. ACM43, 1 (1996), 116–146.
[4] Rajeev Alur and Thomas A. Henzinger. 1993. Real-Time Logics: Complexity and Expressiveness.Information and Computation104, 1 (1993), 35–77.
[5] Rajeev Alur and Thomas A. Henzinger. 1994. A Really Temporal Logic.J. ACM 41, 1 (1994), 164–169.
[6] Roy Armoni, Limor Fix, Alon Flaisher, Rob Gerth, Boris Ginsburg, Tomer Kanza, Avner Landver, Sela Mador-Haim, Eli Singerman, Andreas Tiemeyer, Moshe Y. Vardi, and Yael Zbar. 2002. The ForSpec Temporal Logic:A New Temporal Property Specification Language. InTACAS (LNCS), Vol. 2280. Springer, 296– 311.
[7] Eugene Asarin, Paul Caspi, and Oded Maler. 1997. A Kleene Theorem for Timed Automata. InLICS. IEEE, 160–171.
[8] Eugene Asarin, Paul Caspi, and Oded Maler. 2002. Timed regular expressions.J.
ACM49, 2 (2002), 172–206.
[9] Behnam Banieqbal and Howard Barringer. 1987. Temporal Logic with Fixed Points. InTLS (LNCS), Vol. 398. Springer, 62–74.
[10] David A. Basin, Srdan Krstic, and Dmitriy Traytel. 2017. Almost Event-Rate Independent Monitoring of Metric Dynamic Logic. InRV (LNCS), Vol. 10548. Springer, 85–102.
[11] Gerd Behrmann, Alexandre David, Kim Guldstrand Larsen, John H ˚akansson, Paul Pettersson, Wang Yi, and Martijn Hendriks. 2006. UPPAAL 4.0. InQEST. IEEE, 125–126.
[12] Patricia Bouyer. 2003. Untameable Timed Automata!. InSTACS (LNCS), Vol. 2607. Springer, 620–631.
[13] Patricia Bouyer and Fabrice Chevalier. 2005. On Conciseness of Extensions of Timed Automata.Journal of Automata, Languages and Combinatorics10, 4 (2005), 393–405.
[14] Patricia Bouyer, Fabrice Chevalier, and Nicolas Markey. 2010. On the expressive-ness of TPTL and MTL.Information and Computation208, 2 (2010), 97–116. [15] Patricia Bouyer, Franc¸ois Laroussinie, and Pierre-Alain Reynier. 2005.
Diago-nal Constraints in Timed Automata: Forward ADiago-nalysis of Timed Systems. In
FORMATS (LNCS), Vol. 3829. Springer, 112–126.
[16] Thomas Brihaye, Morgane Esti ´evenart, and Gilles Geeraerts. 2014. On MITL and Alternating Timed Automata of Infinite Words. InFORMATS (LNCS), Vol. 8711. Springer.
[17] Thomas Brihaye, Gilles Geeraerts, Hsi-Ming Ho, and Benjamin Monmege. 2017. MightyL: A Compositional Translation from MITL to Timed Automata. InCAV
(LNCS), Vol. 10426. Springer, 421–440.
[18] Thomas Brihaye, Gilles Geeraerts, Hsi-Ming Ho, and Benjamin Monmege. 2017. Timed-Automata-Based Verification of MITL over Signals. InTIME (LIPIcs), Vol. 90. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 7:1–7:19. [19] Costas Courcoubetis, Moshe Y. Vardi, Pierre Wolper, and Mihalis Yannakakis.
1992. Memory-Efficient Algorithms for the Verification of Temporal Properties.
Formal Methods in System Design1, 2/3 (1992), 275–288.
[20] Cindy Eisner and Dana Fisman. 2006.A Practical Introduction to PSL. Springer. 1–240 pages.
[21] Thomas Ferr`ere. 2018. The Compound Interest in Relaxing Punctuality. InFM
(LNCS). Springer.To appear.
[22] Dov Gabbay, Amir Pnueli, Sharanon Shelah, and J. Stavi. 1980. On the Temporal Analysis of Fairness. InProceedings of POPL 1980. ACM Press, 163–173. [23] P. Gastin, S. Mukherjee, and B Srivathsan. 2018. Reachability in timed automata
with diagonal constraints.CoRRabs/1806.11007 (2018). arXiv:1806.11007 http: //arxiv.org/abs/1806.11007
[24] Paul Gastin and Denis Oddoux. 2001. Fast LTL to B ¨uchi Automata Translation. InCAV (LNCS), Vol. 2102. Springer, 53–65.
[25] VIRESSimulationstechnologie GmbH. 2016. OpenSCENARIO - Bring-ing content to the road. (2016). http://www.openscenario.org/docs/ OSCUserMeeting20160629pub.pdf Accessed: 2018-09-01.
[26] Thomas A. Henzinger, Jean-Franc¸ois Raskin, and Pierre-Yves Schobbens. 1998. The Regular Real-Time Languages. InICALP (LNCS), Vol. 1443. Springer, 580–591. [27] Yoram Hirshfeld and Alexander Rabinovich. 1999. A framework for decidable
metrical logics. InICALP (LNCS), Vol. 1644. Springer, 422–432.
[28] Yoram Hirshfeld and Alexander Rabinovich. 2007. Expressiveness of Metric modalities for continuous time.Logical Methods in Computer Science3, 1 (2007), 1–11.
[29] Johan A. Kamp. 1968.Tense logic and the theory of linear order. Ph.D. Dissertation. University of California, Los Angeles.
[30] Gijs Kant, Alfons Laarman, Jeroen Meijer, Jaco van de Pol, Stefan Blom, and Tom van Dijk. 2015. LTSmin: High-Performance Language-Independent Model Checking. InTACAS (LNCS), Vol. 9035. Springer, 692–707.
[31] Yonit Kesten, Amir Pnueli, and Li on Raviv. 1998. Algorithmic Verification of Linear Temporal Logic Specifications. InICALP (LNCS), Vol. 1443. Springer, 1–16. [32] Ron Koymans. 1990. Specifying Real-time Properties with Metric Temporal Logic.
Real-Time Systems2, 4 (1990), 255–299.
[33] Shankara Narayanan Krishna, Khushraj Madnani, and Paritosh K. Pandya. 2016. Metric Temporal Logic with Counting. InFoSSaCS (LNCS), Vol. 9634. Springer, 335–352.
[34] Shankara Narayanan Krishna, Khushraj Madnani, and Paritosh K. Pandya. 2017. Making Metric Temporal Logic Rational. InMFCS (LIPIcs), Vol. 83. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 77:1–77:14.
[35] Shankara Narayanan Krishna, Khushraj Madnani, and Paritosh K. Pandya. 2018. B ¨uchi-Kamp Theorems for 1-clock ATA. CoRRabs/1802.02514 (2018). arXiv:1802.02514 http://arxiv.org/abs/1802.02514
[36] Orna Kupferman and Moshe Y. Vardi. 1997. Weak Alternating Automata Are Not That Weak. InISTCS. IEEE, 147–158.
[37] David E. Muller, Ahmed Saoudi, and Paul E. Schupp. 1986. Alternating Automata, the Weak Monadic Theory of the Tree, and its Complexity. InICALP (LNCS), Vol. 226. Springer, 275–283.
[38] Dejan Niˇckovi´c. 2008.Checking Timed and Hybrid Properties: Theory and
Appli-cations. Ph.D. Dissertation. VERIMAG.
[39] Dejan Niˇckovi´c, Olivier Lebeltel, Oded Maler, Thomas Ferr`ere, and Dogan Ulus. 2018. AMT 2.0: Qualitative and Quantitative Trace Analysis with Extended Signal Temporal Logic. InTACAS (LNCS), Vol. 10806. Springer, 303–319. [40] Jo¨el Ouaknine and James Worrell. 2006. On Metric Temporal Logic and Faulty
Turing Machines. InFoSSaCS (LNCS), Vol. 3921. Springer, 217–230.
[41] Jo¨el Ouaknine and James Worrell. 2007. On the Decidability and Complexity of Metric Temporal Logic over Finite Words.Logical Methods in Computer Science 3, 1 (2007).
[42] Amir Pnueli. 1977. The temporal logic of programs. InFOCS. IEEE, 46–57. [43] Jean-Franc¸ois Raskin. 1999.Logics, automata and classical theories for deciding
real time. Ph.D. Dissertation. F UNDP (Belgium).
[44] Gareth Scott Rohde. 1997.Alternating automata and the temporal logic of ordinals. Ph.D. Dissertation. University of Illinois, Urbana Campaign.
[45] A. P. Sistla and E. M. Clarke. 1985. The Complexity of Propositional Linear Temporal Logics.J. ACM32, 3 (1985), 733–749.
[46] A. Prasad Sistla, Moshe Y. Vardi, and Pierre Wolper. 1985. The Complementation Problem for B ¨uchi Automata with Applications to Temporal Logic (Extended Abstract). InICALP (LNCS), Vol. 194. Springer, 465–474.
[47] Moshe Y. Vardi. 1987. Unified Verification Theory. InTLS (LNCS), Vol. 398. Springer, 202–212.
[48] Thomas Wilke. 1994. Specifying timed state sequences in powerful decidable logics and timed automata. InFTRTFT (LNCS), Vol. 863. Springer, 694–715.