DECLAREd: A Polytime LTL_f Fragment

1. Brief Related Work

Formal Synthesis.

Lydia2 [3] generates a DFA for a LTL_f specification $\Phi$ such that it will accept a trace $\sigma$ iff. $\sigma \vDash \Phi$. This works over a finite alphabet $\Sigma$ inferred from such formula. The authors efficiently do so by exploiting a compositional bottom-up approach after rewriting a LTL_f formula into an equivalent LDL_f one. Automata operations are implemented using MONA for compact representation. Benchmarks show the effectiveness of such an approach if compared to competing ones. By considering the effects of specification rewriting in automata generation, we want to verify whether temporal short-circuit rewriting tasks are already occurring over Lydia while building the automaton instead of pursuing the approach in §2.2 (see lemr-1 vs. coroll1).

Formal Verification.

KnoBAB3 [2] is a tool implementing the semantics for LTL_f operators into custom relational operators (xtLTL_f) providing a 1-to-1 mapping with the former. This was achieved by adequately representing all the traces in a log $\mathfrak{S}$ under a main memory columnar representation. Its architecture stores all the activities associated to traces’ events in an ActivityTable, which is then sorted by increasing activity id in $\Sigma$, trace id, and event id. At loading time, the system also builds up a CountingTable, which determines the number of occurrences of each activity label per trace. This architecture supports MAX-Sat queries, declarative confidence and support, and returning the traces satisfying a given clause alongside its associated activated and target conditions ($\sigma \vDash \Phi$ for $\sigma \in \mathfrak{S}$). As KnoBAB outperforms existing tools for formal verification, we take this as a computational model of reference for determining the computational complexity of formal verification tasks over given specifications ${\Phi }_d$ in xtLTL_f (see lem-1).

SAT-Solvers.

AALTAF4 [15] is a SAT-checker determining whether an LTL_f formula is satisfiable by generating a corresponding transition system where each state represents subformulæ  of the original LTL_f specification while leveraging traditional SAT-solvers. Differently from KnoBAB, which determines whether traces in a log satisfy an LTL_f specification expressed in algebraic terms (xtLTL_f) or not, AALTAF is more general than this and determines whether no traces will ever satisfy a given specification, thus determining its unsatisfiability, or whether there might exist a finite trace allowing this. This paper will show that DECLAREd provides a polytime fragment of LTL_f for which our equational rewriting algorithm (§3) also provides a decidable polyspace decision function for satisfiability (see thm).

LTL_f   Modulo Theories

While LTL_f is generally known as a decidable language, most recent research [16] also consider decidable fragments of LTL_f also involving first-order logic arithmetic properties. Differently from our proposed characterization, events are not labelled as required when actions need to be ascertained. Furthermore, none of the proposed decidable fragments with arithmetic properties involves considerations on polytime complexity, while still referring to polyspace complexity.

2. Preliminaries

We consider temporal specifications ${\Phi }_d$ expressed in DECLAREd as a finite set of clauses from tab:dt being instantiated over a finite set of possible activity labels $\Sigma$. By interpreting this as conjunctive models [10], we can equivalently represent ${\Phi }_d$ as the finite conjunction of the LTL_f semantics associated to such clauses, i.e. $\Phi \equiv {\bigwedge }_{c_l\in {\Phi }_d}\left[\left[c_l\right]\right]$. We use both notations interchangeably. Proofs are postponed to the Appendix.

2.1. Rewriting Rules

fig:rewriting identifies any possible rewriting of the DECLAREd clauses into Absence or Exists, while determining the effects of the latter when interfering with the templates’ activation (A) or target (B) conditions. If available, we are also interested in rewriting rules to identify an inconsistency leading to an unsatisfiable specification ⊥. We now consider rewriting rules not assuming the temporal non-simultaneity axiom, thus remarking on the possibility of encoding these in already-existing tools as an LTL_f pre-processing step without any further assumption. As $\mathtt{AltPrecedence}(\mathsf{a},\mathsf{b})$ can be rewritten as the LTL_f expression associated to $\mathtt{Precedence}(\mathsf{a},\mathsf{b})$ as well as $\square (\mathsf{b}\to ⊚(\neg \mathsf{b}\mathcal{U}\mathsf{a}\left)\right)$, we named AltPrecedence rewriting rules only the ones related to this LTL_f expression. We omit the proofs, but the reader can easily verify their correctness by checking that both sides of the equivalences generate the same automata5.

In all the rules, we assume that $\mathsf{a}\ne \mathsf{b}$ where $\mathsf{a},\mathsf{b}\in \Sigma$. Other rewriting rules (Lemma A6) are implicitly assumed in forthcoming algorithmic subroutines (sec:subrout) and while loading and indexing specifications (algo:load).

2.2. Temporal Short-Circuit Rewriting

A finite conjunction ofLTL_f statements $\phi :={\bigwedge }_i{\phi }_i$ leads to atemporal short-circuitif this can be rewritten as a finitary conjunction, either ${\phi }^{\prime }:={\bigwedge }_j\square \neg {\mathsf{a}}_j$ or ${\phi }^{\prime }:={\bigwedge }_j◊{\mathsf{a}}_j$, for each distinct atom ${\mathsf{a}}_j$ freely occurring in φ when ${\phi }^{\prime }$ is not syntactically equivalent to φ. We apply a(temporal) short-circuit rewritingto aLTL_f specification Φ if we replace any sub-formula φ in Φ leading to a temporal short-circuit with ${\phi }^{\prime }$.

Short-circuits based on ChainResponse boil down to the absence of each of its atoms:

Lemma 1. 

Given $A=\left\{{\mathsf{c}}_1,{\mathsf{c}}_2,\cdots ,{\mathsf{c}}_n\right\}\subseteq \Sigma$, ${\Phi }^{\prime }:={\bigwedge }_{{\mathsf{c}}_i\in A}\square \neg {\mathsf{c}}_i$ is equivalent to $\Phi :=\square ({\mathsf{c}}_n\Rightarrow ⊚{\mathsf{c}}_1)\wedge {\bigwedge }_{\stackrel{i\in \mathbb{N}}{1\le i<n}}\square ({\mathsf{c}}_i\Rightarrow ⊚{\mathsf{c}}_{i+1})$ inLTL_f.

Such a rewriting will streamline formal verification tasks:

Lemma 2. 

Given $A=\left\{{\mathsf{c}}_1,{\mathsf{c}}_2,\cdots ,{\mathsf{c}}_n\right\}\subseteq \Sigma$, computing ${\Phi }^{\prime }:={\bigwedge }_{{\mathsf{c}}_i\in A}\square \neg {\mathsf{c}}_i$ in lieu of $\Phi :=\square ({\mathsf{c}}_n\Rightarrow ⊚{\mathsf{c}}_1)\wedge {\bigwedge }_{\stackrel{i\in \mathbb{N}}{1\le i<n}}\square ({\mathsf{c}}_i\Rightarrow ⊚{\mathsf{c}}_{i+1})$ always leads to a positive average speed-up.

After representing all the $\mathtt{ChainResponse}(\mathsf{a},\mathsf{c})$ in a input specification as a graph $G^{\mathtt{cr}}$ with edge $\mathsf{a}\to \mathsf{c}\in E_{G^{\mathtt{cr}}}$ and nodes $\mathsf{a},\mathsf{c}\in V_{G^{\mathtt{cr}}}$, we can show as a corollary of the first lemma that this boils down to removing all circuits appearing over some nodes ${\beta }^{\mathtt{cr}}\subseteq V_{G^{\mathtt{cr}}}$ and rewriting such clauses as $\left({\bigwedge }_{v\in {\beta }^{\mathtt{cr}}}\mathtt{Absence}\left(v\right)\right)\wedge \left({\bigwedge }_{\stackrel{u\to v\in E_{G^{\mathtt{cr}}}}{u,v\notin {\beta }^{\mathtt{cr}}}}\mathtt{ChainResponse}(u,v)\right)$ in polytime on the size of $\Phi$ (Corollary A1). We can infer similar lemmas for AltResponse in terms of rewriting such resulting temporal short-circuits to absences (arlemma) thus resulting in time speed-up (coroll3).

2.3. Temporal Non-Simultaneity

Axiom 1 

(Temporal Non-Simultaneity). Given the set of all the possible activity labels Σ, we prescribe that no distinct activity could occur simultaneously in the same instant of time. This can be expressed as $\forall \mathsf{a},\mathsf{b}\in \Sigma .\mathsf{a}\ne \mathsf{b}\Rightarrow \square (\mathsf{a}\wedge \mathsf{b}\Rightarrow \perp )$.

As we assume a finite set of activity labels $\Sigma$ to be fully known from our specification or data, we can represent this axiom as an extension of the properties $\Phi$ to be checked as a new property ${\Phi }_{\downarrow \Sigma }:=\Phi \wedge {\bigwedge }_{\stackrel{\mathsf{a},\mathsf{b}\in \Sigma }{\mathsf{a}\ne \mathsf{b}}}\square (\mathsf{a}\wedge \mathsf{b}\Rightarrow \perp )$. As prior approaches using LTL_f did not consider this assumption, $\Phi$ should be directly stated as ${\Phi }_{\downarrow \Sigma }$ for both Lydia and AALTAF. On the other hand, our solver Reducer only takes ${\Phi }_d$ as it works under such an axiom. KnoBAB automatically assumes that each distinct activity label is different from the rest, thus entailing an implicit semantic difference between different types of events.

Rewriting Rules

We can identify that the following rewriting rule holds for $\mathsf{c}\ne \mathsf{b}$ in $\Sigma$, as we can never have an event being labelled with both $\mathsf{c}$ and $\mathsf{b}$ after the same occurring event:

$${[\mathtt{ChainResponse}(\mathsf{a},\mathsf{b})\wedge \mathtt{ChainResponse}(\mathsf{a},\mathsf{c})]}_{\downarrow \Sigma }\equiv \mathtt{Absence}\left(\mathsf{a}\right)$$

Temporal Short-Circuit Rewriting

We now consider temporal short-circuit rewriting rules that only hold under temporal non-simultaneity. For $\mathsf{a}\ne \mathsf{b}$ in $\Sigma$, as any b shall always occur after the first occurring a for Response, we can express it as:

$$\square {(\mathsf{a}\to ◊\mathsf{b})}_{\downarrow \Sigma }\equiv \square (\mathsf{a}\to ⊚◊\mathsf{b})$$

Due to this, we need to discard the eventuality that $\left|A\right|=1$, as $\square (\mathsf{a}\to ◊\mathsf{a})$ is, on the other hand, trivially true and leads to no temporal short-circuit.

Lemma 3. 

Given $A=\left\{{\mathsf{c}}_1,{\mathsf{c}}_2,\cdots ,{\mathsf{c}}_n\right\}\subseteq \Sigma$ with $\left|A\right|=n>2$, ${\Phi }^{\prime }:={\bigwedge }_{{\mathsf{c}}_i\in A}\square \neg {\mathsf{c}}_i$ is equivalent to $\Phi :={\left[\square ({\mathsf{c}}_n\Rightarrow ◊{\mathsf{c}}_1)\wedge {\bigwedge }_{\stackrel{i\in \mathbb{N}}{1\le i<n}}\square ({\mathsf{c}}_i\Rightarrow ◊{\mathsf{c}}_{i+1})\right]}_{\downarrow \Sigma }$ inLTL_f.

Lemma 4. 

Given $A=\left\{{\mathsf{c}}_1,{\mathsf{c}}_2,\cdots ,{\mathsf{c}}_n\right\}\subseteq \Sigma$ with $\left|A\right|=n>2$, computing ${\Phi }^{\prime }:={\bigwedge }_{{\mathsf{c}}_i\in A}\square \neg {\mathsf{c}}_i$ in lieu of $\Phi :={\left[\square ({\mathsf{c}}_n\Rightarrow ◊{\mathsf{c}}_1)\wedge {\bigwedge }_{\stackrel{i\in \mathbb{N}}{1\le i<n}}\square ({\mathsf{c}}_i\Rightarrow ◊{\mathsf{c}}_{i+1})\right]}_{\downarrow \Sigma }$ always leads to a positive average speed-up.

3. Reducer: Equational Rewriting

The Reducer algorithm for rewriting ${\Phi }_d$ into ${\Phi }_d^{\prime }$ proceeds as follows: after showing the subroutines for removing redundant clauses from the specification while propagating the detection of an inconsistency towards the function call chain (§3.1), we outline how a specification ${\Phi }_d$ can be efficiently loaded as a collection of graphs $G^{★}$ for each DECLAREd template ★ for clause indexing (§3.2). After applying the aforementioned equivalence rules (§3.3), we apply the temporal short-circuit rewriting (§3.4) before returning the rewritten specification ${\Phi }_d^{\prime }$ from the edges remaining from $G^{★}$ and values in an F map storing Absence and Exists clauses. Upon detecting the joint satisfaction of an Absence(x) and Exists(x) for an activity label x, we immediately detect an inconsistency for which we return ⊥. If the resulting specification appears to be empty in spite of no inconsistency being detected, we then obtain a trivially true specification ⊤. Otherwise, we return a rewritten specification ${\Phi }_d^{\prime }$.

3.1. Algorithmic Subroutines

Algorithm 1 shows crucial algorithmic subroutines ensuring to propagate the detection of an absence/presence of an activity label while dealing with clauses $c_l$ derivable from the input specification ${\Phi }_d$ clauses of the specification.

Let F be a finite multimap associating each activity label $\mathsf{a}\in \Sigma$ to a set of booleans, where true (and false) denotes that $\mathtt{Exists}\left(\mathsf{a}\right)$ (and $\mathtt{Absence}\left(\mathsf{a}\right)$) can be inferred from the specification. If both $\mathtt{Exists}\left(\mathsf{a}\right)$ and $\mathtt{Absence}\left(\mathsf{a}\right)$ are entailed, we deem the overall specification as inconsistent, for which we will return ⊥. Ex in L. 1 (and Abs in L. 2) returns false whether the addition of Exists (or an Absence) to a specification makes it explicitly inconsistent.

Clear at L. 4 removes all the clauses in which activation condition x would never occur per Absence(x). For $\mathtt{Choice}(\mathsf{x},\mathsf{b})$, this triggers the generation of Exists(b) which, in turn, might lead to an inconsistent specification (L. 6 and 7). For Precedence(x,b), the absence of the activation requires Absence(b), which is then in turn added while testing for the specification’s inconsistency (L. 10). The function returns true if the specification is not currently detected as inconsistent (L. 12).

Reduce at L. 15 can be applied to templates ★ such as ChainResponse, Response, and AltResponse for implementing a cascade effect upon the specification supporting $\mathtt{Absence}\left(\mathsf{x}\right)$ by also requiring that the associated activations should be absent from the specification (L. 22). We return true if no inconsistency was detected, and false otherwise. This idea was revised so as to be applied to Precedence (L. 32): for this, the absence of the activation triggers the necessity of the second argument to be absent as well, thus enforcing to visit the graph towards the outgoing edges (L. 39). We also ensure to remove all the vertices and edges associated with x (L. 40).

Dually, Expand^re works by recursively applying the head from the tail of the RespExistence clauses upon the request that an event x shall exist in the data (L. 56). As this trivially exists, we remove all the clauses having this condition in the head of such rules (L. 53) while, if x appears as a second argument of a $\mathtt{NegSuccession}(\mathsf{u},\mathsf{x})$, we still postulate for the absence of u from the specification (L. 54).

3.2. Specification Loading as Graphs

algo:load shows the process of loading and indexing the clauses from ${\Phi }_d$ in primary memory.

We add Absence and Exists in map F; at this stage, the specification is deemed inconsistent (returning ⊥) if a given activity label a is required to both appear and be absent from each trace.

Binary clauses $★(\mathsf{a},\mathsf{b})$ are loaded as edges $(\mathsf{a},\mathsf{b})$ of a graph $G^{★}$ where $V_{G^{★}}\subseteq \Sigma$. Clauses being the conjunction of other clauses are then rewritten into their constituents; $\mathtt{AltPrecedence}(\mathsf{a},\mathsf{b})$ is rewritten into $\mathtt{Precedence}(\mathsf{a},\mathsf{b})$, to be stored in an edge $(\mathsf{a},\mathsf{b})$ for $G^{\mathtt{p}}$, and $\square (\mathsf{b}\to ⊚(\neg \mathsf{b}\mathcal{W}\mathsf{a}\left)\right)$, to be stored in an edge $(\mathsf{b},\mathsf{a})$ for $G^{\mathtt{ap}-}$. For binary clauses entailing the universal truth ⊤ when both arguments are associated with the same activity label (e.g., Response), we avoid inserting this clause as an edge. For other clauses (e.g., AltResponse, L. 42), this same situation might be rewritten as the absence of a specific activity label which, if leading to an inconsistency, also immediately ensures to return an empty specification. Conversely, a Choice having both arguments being the same boils down to an Exists, which is also added in place of Choice (L. 57), while we might never have an ExclChoice where both arguments are the same (L. 62). For clauses being symmetric (e.g., Choice), we avoid duplicated entries by preferring only one of the two equivalent writings (e.g., Choice(a,b) over Choice(b,a) for $\mathsf{a}⪯\mathsf{b}$, L. 58).

3.3. Applying Equational Rewriting

Equational rewriting for rules in fig:rewriting is run as follows: we consider each graph in order of appearance in §2.1 and we iterate over its edges. For each of these, we detect their match with one of the cases appearing in the first binary clause $★(\mathtt{a},\mathtt{b})$ on the left-hand side of the formula, and we look up for the occurrence of any clause appearing in the same hand-side.

If the condition described by the left-hand side is then reflected by the specification represented by edges for graphs $G^{★}$ and F, we determine the rewriting strategy depending on the definition of the right-hand side. If the latter is ⊥, we immediately return it and detect an unsatisfiable model. Also, we remove any edge $(\mathsf{a},\mathsf{b})$ from $G^{★}$ if $★(\mathsf{a},\mathsf{b})$ does not appear on the right-hand side of the formula, and we add any edge $†(\mathsf{a},\mathsf{b})$ in $G^{†}$ not appearing on the left-hand side. If an $\mathtt{Exists}\left(\mathsf{a}\right)$ (or $\mathtt{Absence}\left(\mathsf{a}\right)$) appears only on the right-hand side, we add it by invoking Ex(a) (or Abs(a)), while immediately returning an empty specification if an inconsistency is detected while doing so. These methods are also changed according to the interdependencies across templates: e.g., the generation of new Exists(x) for RespExistence rules triggers Expand${}^{\mathtt{re}}$(x) instead, and the Absence(x) for NotCoExistence invokes Reduce${}^{\mathtt{ch}}$(x) which, in turn, will also call for Expand${}^{\mathtt{re}}$(x) as per alg:asur; Absence(x) for RespExistence will call for Reduce${}^{\mathtt{re}}$(x). Similar considerations can be provided for other templates and rules. This process does not clear out clauses, as we at least fill in F, from which we are also returning Exists or Absence for ${\Phi }_d^{\prime }$.

After applying the rules on a single graph $G^{†}$, we then iterate over all the activities x required to be absent by the specification ($\mathbf{false}\in F\left(x\right)$), for which we run all the $Reduc{e}^{★}\left(x\right)$ methods and $Clear\left(x\right)$, through which we propagate the effect of requiring the absence of a specific activity label to all the clauses in the specification. If, while doing so, any inconsistency is detected by returning a false, we immediately return ⊥ (see absurdity).

3.4. Applying Short-Circuit Rewriting

This further algorithmic step is run after running the AltPrecedence Rules and before running the RespExistence ones, thus potentially reducing the number of clauses to be considered due to the absence of a specific activity label.

We prefer to detect the existence of a circuit $v_{{\alpha }_1}\to \cdots \to v_{{\alpha }_n}\to v_{{\alpha }_1}$ of length $n+1$ through a DFS visit of the graph with back-edge detection [17]. Once we detect a circuit, we generate Absence($v_{{\alpha }_i}$) clauses for each node $v_{{\alpha }_i}$ in it, while removing such nodes from the graph. The latter operation is efficiently computed by creating a view over such a graph through an absence set R which will contain all of the nodes in the circuit being removed. Then, for each graph traversal, we avoid starting the visit from nodes in R and we avoid traversing edges leading to nodes in R. This avoids extremely costly graph restructuring operations. As by construction we cannot have a single non-connected node as each clause is represented by one single edge, if at the end of this reduction process we obtain nodes with zero degrees, such nodes were previously connected to nodes belonging to cycles and that were therefore also part of cycles: those also constitute Absence clauses.

For all the novel $\mathtt{Absence}\left(\mathsf{a}\right)$ clauses being inserted in the specification in lieu of the detected temporal short-circuits, we also run all the available Reduce^★(x) methods as well as Clear(x), thus ensuring a cascading effect removing the remaining clauses that will never be activated while keeping searching for inconsistencies via sub-routine calls.

4. A PolyTime$\left(\right|{\Phi }_d\left|\right)$ SAT-Solver for DECLAREd

This section is mainly to prove that satisfiability in DECLAREd can be carried out in polytime over the size of the original specification $|{\Phi }_d|$; this strengthens the previous informal results over conformance checking provided over KnoBAB over such a fragment. We twin this result with the overall algorithmic correctness.

Theorem 1. 

The Reducer specification rewriting process is a decidable SAT-Solver for DECLAREd running in $Poly\left(\right|{\Phi }_d\left|\right)$-time.

Proof. 

The main lemmas supporting this proof are reported in the appendix. First, we need to prove that the previous section describes an always-terminating computation: given subrouteDec,exploadDec,rewritingDec and shortDec, we have that each previous subsection in §3 describes a polytime procedure. The composition of each single non-mutually-recursive sub-routine terminates and leads to a polytime decision function.

Last, we discuss the correctness of the resulting procedure. If ${\Phi }_d$ in input were a tautology, all the clauses in the original specification would have been cancelled out as they would have trivially held, thus providing no further declarative clause to be returned (tautology). If, on the other hand, any inconsistency was detected, the computation would have stopped before returning the reduced specification, thus ignoring all the remaining rewriting steps (absurdity). If neither of the previous cases holds, we have then by exclusion a satisfiable specification ${\Phi }_d$ which is also rewritten into an equivalent specification ${\Phi }_d^{\prime }$ under the temporal non-simultaneity axiom (Axiom 1).    □

5. Empirical Evaluation

We determine a set of activity labels $\Sigma$ from the Cybersecurity dataset [14] and by creating 8 distinct subsets $A_1,\cdots ,A_8\subseteq \Sigma$ of size $|A_i|=2^i$ such that $A_i\subset A_j$ for each $1\le i<j\le 8$. We then consider each $A_i$ as a set of vertices for which we instantiate a complete graph, a cyclic graph representing a chain, and a circulant graph ${\mathcal{C}}_{\{0,1,2,3\}}^{|A_i|,\pm }$. Given each of these graphs g, we then generate a specification ${\Phi }_i^{c,g}$ for each of these $A_i$ by interpreting each edge $(a,b)\in A_i^2$ in the generated graph as a declarative clause:

• c=ChainResponse: $\mathtt{ChainResponse}(\mathsf{a},\mathsf{b})$
• c=Precedence: $\mathtt{Precedence}(\mathsf{a},\mathsf{b})$
• c=Response: $\mathtt{Response}(\mathsf{a},\mathsf{b})$
• c=RespExistence+Exists: $\mathtt{RespExistence}(\mathsf{a},\mathsf{b})$
• c=RespExistence+ExclChoice+Exists: $\mathtt{RespExistence}(\mathsf{a},\mathsf{b})$,
  $\mathtt{ExclChoice}(\mathsf{a},\mathsf{b})$

For the last two cases, we also add a clause $\mathtt{Exists}\left(\mathsf{u}\right)$ for $\mathsf{u}=min{A}_i$. Given the same $A_i$ and u, we also generate two other specifications ${\Phi }_i^{c,g}$ where clauses are instead generated for each activity label $\mathsf{a}\in A_i$:

• c=(Chain+Alt)Response: $\mathtt{ChainResponse}(\mathsf{a},\mathsf{a})$,
  $\mathtt{AltResponse}(\mathsf{a},\mathsf{a})$
• c=ChainResponseAX: $\mathtt{ChainResponse}(\mathsf{u},\mathsf{a})$.

We then expect that, if any of the aforementioned verified temporal artificial intelligence tasks provide no LTL_f or Declarative rule rewriting as per this paper, running any verified temporal artificial intelligence task over a ${\Phi }_i^{g,c}$ being generated from $g={\mathcal{C}}_{\{0,\cdots ,|{\Sigma }_i|-1\}}^{|A_i|,\pm }$ will take more time than running it over a ${\Phi }_i^{g^{\prime },c}$ where $g^{\prime }={\mathcal{C}}_{\{0,1,2,3\}}^{|A_i|,\pm }$, which in turn will take more time than running a specification ${\Phi }_i^{g^{\prime \prime },c}$ generated over $g^{\prime \prime }={\mathcal{C}}_{\left\{1\right\}}^{|A_i|,+}$. This last consideration also includes the aforementioned rewriting task in its worst-case scenario. As we are expecting that, for each c, each of these ${\Phi }_i^{c,g}$ for any of such graphs g will be then always rewritten into the same specification ${\Phi }_i^{\prime c}$, we are expecting to have similar running times for each rewritten specification, as we expect the running time in the latter to be dependant on the number of atoms/vertices and not on the number of clauses as the former.

Each of these generated specifications is then fed to our rewriting algorithm, which returns the specification in both the LTL_f representation required by Lydia and AALTAF and the declarative specification for KnoBAB. We discard parsing and query plan generation times for each solution: running times for Lydia only considered the time required for generating the DFA from the LTL_f formula as per their internal main-memory representation. For the formal verification task run in KnoBAB as a relational database query, we consider a sample of 9 traces from the original log over which we run the generated specifications. To alleviate potential out-of-memory issues, we test the specifications in batches of 10 at a time, thus sacrificing greater query plan minimization with the certainty of completing the computation without out-of-memory errors. On the other hand, the two aforementioned tools do not require a log to work, for which it is sufficient to have a specification. The dataset for specifications and logs is available online6.

We present a condensed version of the benchmarks, while §Appendix E gives more extensive plots.

5.1. Rule Rewriting without Temporal Non-Simultaneity

We now consider all the resulting specifications being generated except Response and ChainResponseAX, which are discussed in the next subsection as they assume the temporal non-simultaneity axiom. The ones here discussed are a mere application of temporal short-circuit rewriting. Therefore, this section aims at remarking on the generality of our result, which can be shown even without assuming ax:tns.

Each plot in fig:bennoax is grouped by c and the black solid line refers to the time required for the solver to generate ${{\Phi }_d}_i^{\prime c}$ from ${{\Phi }_d}_i^{c,g}$ in milliseconds. Missing data points refer to data points not being collected as the solutions went out of primary memory. For both Lydia and AALTAF, we consider running those over both the non-rewritten specification ${\Phi }_i^{c,g}$ as well as over the rewritten one ${\Phi }_i^{\prime c}$ (LYDIA(R) and AALTAF(R) in fig:bennoax). In its worst-case scenario, Reducer has a running time comparable to AALTAF over the non-reduced specification while, in the best-case scenario, it has a running time inferior or comparable to AALTAF over the rewritten specification. This ensures that running our solver as a pre-processing mechanism can benefit existing verified temporal artificial intelligence algorithms.

Given these experiments, such tools did not support our suggested rewriting rules. Otherwise, the tasks’ running time on the original specification ${\Phi }_i^{c,g}$ would have been comparable to the one for ${\Phi }_i^{\prime c}$ plus the running time for Reducer. Since experimental evidence suggests that the running time for ${\Phi }_i^{c,g}$ is always greater than the one for ${\Phi }_i^{\prime c}$, we have thus empirically demonstrated both the novelty and necessity of these rewriting rules in the aforementioned tools. fig:knonoax shows the benchmarks for the formal verification task running on KnoBAB. This plot was separated from the rest to improve the plot’s readability. Even in this scenario, the formal verification task over the reduced specification comes, in the worst case scenario, with a running time comparable to the one over the original specification while, in the best case scenario, we have a speed-up of seven orders of magnitude, as all the tasks requiring the access to the ActivityTable are rewritten into clauses that can leverage the sole CountingTable. This also remarks that the query plan minimisation strategy cannot satisfactorily outperform any declarative specification pre-processing strategy, leading to a resulting reduced specification, as its associated running time would have had a comparable running time otherwise.

5.2. Rule Rewriting Requiring Temporal Non-Simultaneity

We now consider rewriting rules assuming the temporal non-simultaneity axiom. For this, we then need to compare the running time for ${\left({\Phi }_i^{c,g}\right)}_{\downarrow A_i}$ where the axiom is grounded over the finite set of activity labels $A_i$ to the one resulting from the rewriting process by ${{\Phi }_i^c}^{\prime }$. In fig:benax, we give running times for ${\Phi }_i^{c,g}$ for detecting any additional overheads being implied by the instantiation of the axiom over the atoms in $A_i$. If both Lydia and AALTAF supported LTL_f rewriting rules as per this paper, carrying a task over ${\left({\Phi }_i^{c,g}\right)}_{\downarrow A_i}$ would have a comparable running time to ${{\Phi }_i^c}^{\prime }$, while a considerable overhead for computing ${\left({\Phi }_i^{c,g}\right)}_{\downarrow A_i}$ if compared to ${\Phi }_i^{c,g}$ denotes that the additional rules coming from the instantiation to the axiom provide a significant computational burden rather than helping in simplifying the specification.

This set of experiments confirms all our previous observations from the previous set-up regarding comparisons between our specification rewriting strategy and the existing verified temporal artificial intelligence tasks. We observe that, in the best-case scenario, such tasks exhibit a running time for ${\left({\Phi }_i^{c,g}\right)}_{\downarrow A_i}$ comparable to the one for ${\Phi }_i^{c,g}$ while, in the worst-case scenario, they increase their computational gap proportionally to the increase of the number of clauses. Still, the tasks running over ${{\Phi }_i^c}^{\prime }$ are consistently outperforming the same tasks running in ${\left({\Phi }_i^{c,g}\right)}_{\downarrow A_i}$ while also guaranteeing to minimise the out-of-memory exceptions. In the case of AALTAF, these are then completely nullified. Similar considerations can be drawn for running formal specification tasks over the 9 traces sampled from our Cybersecurity scenario, fig:knoax shows that running ${{\Phi }_d}_i^{\prime }$ gives speed-ups between 3 and 7 orders of magnitude by consistently exploiting the CountingTable instead of the ActivityTable if compared to the running times for the original specification ${{\Phi }_d}_i^{c,g}$.

6. Conclusion and Future Works

This paper showed for the first time the existence of a polytime fragment of LTL_f, DECLAREd by simply circumscribing the temporal expressiveness of the language. This was possible by observing differences between LTL_f and LTL and, to some extent, assuming mutually exclusive conditions across events. We, therefore, design a scalable SAT-Solver working under equational rewriting, thus rewriting a temporal specification into an equivalent and more tractable rewritten temporal specification ${\Phi }_d^{\prime }$. Future works will analyse DECLAREd’s time complexity by also considering first-order arithmetic conditions [16]. Experiments on Lydia remarked that the latter does not support adequate rewriting for internal formula minimisation as computing ${\left({\Phi }_i^{c,g}\right)}_{\downarrow A_i}$ is always slower than ${\Phi }_i^{\prime c}$: no algebraic rewriting is considered, as the minimisation steps are only performed while composing the DFA and never at the LTL_f level. Running Lydia on ${\Phi }_i^{\prime c}$ significantly improves the running time for temporal formal synthesis. Future works will assess whether the construction of the DFA over the alphabet $\left\{\right\{\mathsf{c}\left\}\right|\mathsf{c}\in \Sigma \}\cup \{⌀\}$ instead of $\wp (\Sigma )$ per Axiom 1, where ⌀ denotes any other atom not in $\Sigma$, will boost the algorithm. We will also consider using graph equi-joins in lieu of product construction for conjunction of states, as the former technique already proved to be more efficient than traditional automata composition for DFA generation over $\Phi$s [18].

Experiments on AALTAF showed it does not exploit rewriting rules as introduced in this paper: computing ${\left({\Phi }_i^{c,g}\right)}_{\downarrow A_i}$ is also more costly than ${\Phi }_i^{c,g}$, and the computation over ${\Phi }_i^{\prime c}$ as generated by our solver is always faster than computing either ${\left({\Phi }_i^{c,g}\right)}_{\downarrow A_i}$ or ${\Phi }_i^{c,g}$, thus remarking the benefit of our approach in rewriting the formula. Future works will consider generalising the rewiring rules here defined for DECLAREd, a fragment of LTL_f, so as to be implemented in any LTL_f tool considering such a rewriting step.

Last, our tool also proved to be beneficial as a specification preprocessing step for optimising formal verification tasks over relational databases, as computing ${\Phi }_d^{\prime }$ is always faster than computing ${\Phi }_d$. Future work will consider defining a query plan optimisation strategy not only by computing each shared sub-expression within a given specification once, but also implementing suitable algebraic rewriting rules while supporting Axiom 1.

Appendix A.1. Graph Operations

$$Ou{t}_G\left(u\right):=\left\{v\in V_G|(u,v)\in E_G\right\}$$

$$I{n}_G\left(v\right):=\left\{u\in V_G|(u,v)\in E_G\right\}$$

$$De{g}_G\left(v\right):=|Ou{t}_G\left(v\right)|+|I{n}_G\left(v\right)|$$

$$E_G^{+}(\alpha ,\beta ):=(V_G\cup \{\alpha ,\beta \},E_G\cup \left\{(\alpha ,\beta )\right\})$$

$$V_G^{-}\left(\alpha \right):=(V_G\setminus \left\{\alpha \right\},\{(u,v)\in E|u\ne \alpha \wedge v\ne \alpha \})$$

$$\begin{array}{cc}& E_G^{-}(\alpha ,\beta ):=\hfill \\ & (V_G\setminus \left\{u\right|(\alpha ,\beta )\in E_G\wedge (u=\alpha \vee u=\beta )\wedge De{g}_G\left(u\right)=1\},\hfill \\ & \{(u,v)\in E_G|u\ne \alpha \wedge v\ne \beta \left\}\right)\hfill \end{array}$$

Appendix A.2. Multimap Operations

$$De{l}_f\left(x\right):=y\mapsto \left\{\begin{array}{cc}⌀\hfill & y=x\hfill \\ f\left(y\right)\hfill & y\ne x\hfill \end{array}\right.$$

$$Pu{t}_f(x,v):=y\mapsto \left\{\begin{array}{cc}f\left(x\right)\cup \left\{v\right\}\hfill & y=x\hfill \\ f\left(y\right)\hfill & y\ne x\hfill \end{array}\right.$$

Appendix B.1. Automata-Based Strategy

Figure A1. Representation of the NFA associated to ${\Phi }_d={\left\{\mathtt{ChainResponse}({\mathsf{c}}_i,{\mathsf{c}}_{i+1mod2})\right\}}_{i\in \{1,2\}}$ before minimisation for lemr-1.

Figure A1. Representation of the NFA associated to ${\Phi }_d={\left\{\mathtt{ChainResponse}({\mathsf{c}}_i,{\mathsf{c}}_{i+1mod2})\right\}}_{i\in \{1,2\}}$ before minimisation for lemr-1.

Proof 

(Proof for lemr-1). Please observe that the following proof works independently from the non-simultaneity axiom: as we will show, the activation of at least one condition in A will require to verify all the requirements in the specification indefinitely, thus never leading to an acceptance state. So, we now prove this for A not necessarily containing mutually exclusive activity labels.

For this, let us define an atom substitution function $\rho$ as ${[c_i\mapsto c_{(i+1mod|\Sigma \left|\right)}]}_{1\le i\le n}$ indicating the next required atom to follow according to the formula requirements. The generic formula for a ChainResponse temporal short-circuit leads to the NFA that can be constructed as follows: an initial state $q_0$ being also the sole acceptance state, having a self-loop for ${\bigwedge }_{\mathsf{a}\in A}\neg \mathsf{a}$, a sink falsehood state ⊥ having a self-loop as the only outgoing edge with the universal truth formula ⊤; for each $S\in \wp \left(A\right)\setminus \{\varnothing \}$, we generate a new state S associated to the formula $S_{\varphi }=S_{\varphi }^{+}\wedge S_{\varphi }^{-}$ with $S_{\varphi }^{+}={\bigwedge }_{\mathsf{a}\in S}\mathsf{a}$ and $S_{\varphi }^{-}:={\bigwedge }_{\mathsf{a}\in A\setminus S}\neg \mathsf{a}$ , describing the actions that were performed to each this system state. For each of these, where we outline the following edges:

• an edge $q_0\stackrel{S_{\varphi }}{\to }S$: this requires that, as soon as at least one of the activities in A is run, then we need to follow the requirements associated to the specification;
• an edge $S\stackrel{\neg \left(\rho S_{\varphi }^{+}\right)}{\to }\perp$: this requires that, as soon as we miss one of the transition conditions requiring that each of the activities being true in S should then immediately move to the immediately following activities $\rho S$, we then violate the specification;
• for each $T\in \wp \left(A\right)\setminus \{\varnothing \}$, we define a new edge $S\stackrel{T_{\varphi }}{\to }T$ if $\rho S\subseteq T$: we connect each of such states not only to the immediately following actions as per $\rho$, but we also assume that further activation conditions must hold.

Please observe that, as soon as all the activities in A are activated, all are then required to be always true, thus having that the state A will have as outgoing edges its self-loop, prescribing that all the conditions in A must hold, and a transition towards ⊥ as soon as at least one of these conditions are no more satisfied. After minimising this DFA, we can observe that we obtain $q_0$, still an initial acceptance state retaining its self-loop, and ⊥, also retaining its self-loop while having an edge labelled as ${\bigvee }_{\mathsf{a}\in A}a$ coming from $q_0$, thus entailing a DFA accepting only the traces where none of the atoms in A. Thus, we proved the correctness of our reduction into a conjunction of DECLAREd absences for each activity label in A.

As the number of states is in $O\left(\right|\wp \left(A\right)\left|\right)$, the generation of the automaton will take at least exponential time over the size of the ChainResponse short-circuit, also corresponding to the size of $A\subseteq \Sigma$.    □

Figure A2. Representation of the NFA associated to $\Phi ={\bigwedge }_{1\le i\le 3}\square ({\mathsf{c}}_i\Rightarrow ⊚◊{\mathsf{c}}_{i+1mod3})$ before minimisation for b1lemma.

Figure A2. Representation of the NFA associated to $\Phi ={\bigwedge }_{1\le i\le 3}\square ({\mathsf{c}}_i\Rightarrow ⊚◊{\mathsf{c}}_{i+1mod3})$ before minimisation for b1lemma.

Figure A3. Representation of the NFA associated to $\Phi ={\left\{\mathtt{AltResponse}({\mathsf{c}}_i,{\mathsf{c}}_{i+1mod4})\right\}}_{1\le i\le 4}$ before minimisation for arlemma.

Figure A3. Representation of the NFA associated to $\Phi ={\left\{\mathtt{AltResponse}({\mathsf{c}}_i,{\mathsf{c}}_{i+1mod4})\right\}}_{1\le i\le 4}$ before minimisation for arlemma.

Lemma A1. 

Given $A=\left\{{\mathsf{c}}_1,{\mathsf{c}}_2,\cdots ,{\mathsf{c}}_n\right\}\subseteq \Sigma$ with $\left|A\right|>2$, ${\Phi }^{\prime }:={\bigwedge }_{{\mathsf{c}}_i\in A}\square \neg {\mathsf{c}}_i$ is equivalent to $\Phi :=\left[\square ({\mathsf{c}}_n\Rightarrow ⊚◊{\mathsf{c}}_1)\wedge {\bigwedge }_{\stackrel{i\in \mathbb{N}}{1\le i<n}}\square ({\mathsf{c}}_i\Rightarrow ⊚◊{\mathsf{c}}_{i+1})\right]$ inLTL_f.

Proof. 

Differently from the previous proof, where the NFA automaton could have been greatly simplified due to the involvement of ⊚ within the construction, the proof for this lemma needs to be handled with greater care. Before starting, we remind the reader of the special temporal properties holding in LTL_f: $\square \varphi =\varphi \wedge ⊚\square \varphi$, $\square (\varphi \wedge {\varphi }^{\prime })=\square \varphi \wedge \square {\varphi }^{\prime }$, and $◊\varphi =\varphi \vee ⊚◊\varphi$.

The activation of a i-th clause at any state S while constructing the NFA by $c_i\in A$ “generates” the corresponding target condition to be met ${\nabla }_i:=◊\left(c_{(i+1mod|A\left|\right)}\right)$ expressed as ${\nabla }_i\equiv (c_{(i+1mod|A\left|\right)}\vee ⊚{\nabla }_i)$ by the special temporal property of the eventuality operator. By running [6], we also generate $2^{\left|A\right|}$ states, where the sole initial and acceptance state associated to $\Phi$, and the other states S are associated to the formulæ  in $\mathcal{S}=\{S^{\prime }\cup \{\Phi \}|S^{\prime }\in \wp \left(\left\{{\nabla }_i\right|{\mathsf{c}}_i\in A\}\right)\setminus \{\varnothing \}\}$, none of which is an accepting state. No explicit falsehood sink state is present, as the invalidation of one of the ${\nabla }_i$ will actually require never having an event ${\mathsf{c}}_{i+1mod\left|A\right|}$, for which we would still transit across non-accepting states in $\mathcal{S}$ indefinitely. We then identify the following transitions among such states:

(1)

$\Phi \stackrel{{\bigwedge }_{{\mathsf{c}}_i\in A}\neg {\mathsf{c}}_i}{\to }\Phi$: if none of the clauses is activated, we trigger no activation condition ${\mathsf{c}}_i$ leading into a ${\nabla }_i$ target requirement to be met; we, therefore, persist on the same initial accepting state.

(2)

$\Phi \stackrel{{\bigwedge }_{{\nabla }_i\in S}{\mathsf{c}}_i\wedge {\bigwedge }_{{\nabla }_j\notin S}\neg {\mathsf{c}}_j}{\to }S$ for each $S\in \mathcal{S}$: when at least one activity label in $\Phi$ activates one clause, we transit to a state representing the activation of the specific clause.

(3)

$S\stackrel{F}{\to }S$ for each $S\in \mathcal{S}$: for remaining in the same state, we require that no other condition $c_i$ not appearing as ${\nabla }_i\in S$ shall be activated, otherwise, we will be transiting towards another state. Furthermore, we require that the activation of any $c_{i+1mod\left|A\right|}$ for which both ${\nabla }_{i+1mod\left|A\right|}$ and ${\nabla }_i$ appear in S should also require the activation of the activity $c_i$ as, otherwise, we will reduce the number of ${\nabla }_i$, thus ending into a state containing a subset of activated conditions: this is enforced by the construction of $\Phi$. Given this, we obtain the following formulation for F:

$$\underset{{\nabla }_{i+1mod\left|A\right|},{\nabla }_i\in S}{\bigwedge }({\mathsf{c}}_{i+1}\Rightarrow {\mathsf{c}}_i)\wedge \underset{{\nabla }_j\notin S}{\bigwedge }\neg {\mathsf{c}}_j$$

Please observe that we do not require that ${\bigwedge }_{{\nabla }_{i+1mod\left|A\right|}\notin S,{\nabla }_i\in S}\left({\mathsf{c}}_i\right)$ should also hold, as the eventuality of the condition for the target condition does not strictly require that such condition must immediately hold in a subsequent step, so either the possibility of $c_i$ being still activated or its opposite are both considered.

(4)

${\left\{{\nabla }_j\right\}}_{j\in S^{\prime }}\cup \{\Phi \}\stackrel{F}{\to }{\left\{{\nabla }_j\right\}}_{j\in S^{\prime \prime }}\cup \{\Phi \}$ with $S^{\prime }\subset S^{\prime \prime }$: we need to ensure that the conditions appearing only in $S^{\prime \prime }$ are newly activated, while the ones being active in $S^{\prime }$ shall be kept active in $S^{\prime \prime }$; given this, we obtain the following F:

$$\underset{\begin{array}{c}i\in S^{\prime \prime }\setminus S^{\prime }\cup \\ \left\{j\right|(j=1\wedge \left|A\right|\in S^{\prime })\vee (j\ne 1\wedge j-1\in S^{\prime })\}\end{array}}{\bigwedge }{c}_i\wedge \left(\underset{i\in \{1,\cdots ,|A\left|\right\}\setminus (S\cup S^{\prime })}{\bigwedge }\neg c_i\right)$$

(5)

${\left\{{\nabla }_j\right\}}_{j\in S^{\prime }}\cup \{\Phi \}\stackrel{F}{\to }{\left\{{\nabla }_j\right\}}_{j\in S^{\prime \prime }}\cup \{\Phi \}$ with $S^{\prime }\supset S^{\prime \prime }$: this transition can only occur if, by attempting to consume ${\nabla }_i$ with $i\in S^{\prime }$ by executing an action ${\mathsf{c}}_{i+1mod\left|A\right|}$, this leads to generating ${\nabla }_{i+1mod\left|A\right|}$ appearing in $S^{\prime \prime }\cap S^{\prime }$ or, otherwise, we would have transited towards another state. This then provides a restriction of the states towards which we can transit and the states that can move backwards. F can be then defined as:

$$\underset{\begin{array}{c}i\in S^{\prime },\\ i+1mod\left|A\right|\in S^{\prime }\cap S^{\prime \prime }\end{array}}{\bigwedge }{\mathsf{c}}_{i+1mod\left|A\right|}\wedge \underset{i\in \{1,\cdots ,|A\left|\right\}\setminus (S^{\prime \prime }\cup S^{\prime })}{\bigwedge }\neg c_i$$

(6)

${\left\{{\nabla }_j\right\}}_{j\in S^{\prime }}\cup \{\Phi \}\stackrel{F}{\to }{\left\{{\nabla }_j\right\}}_{j\in S^{\prime \prime }}\cup \{\Phi \}$ with $S^{\prime }\ne S^{\prime \prime }$: otherwise, we can transit ${\left\{{\nabla }_j\right\}}_{j\in S^{\prime }}\cup \{\Phi \}\stackrel{F}{\to }{\left\{{\nabla }_j\right\}}_{j\in S^{\prime \prime }}\cup \{\Phi \}$ with $S^{\prime }\ne S^{\prime \prime }$ at the following conditions: for each $j\in S^{\prime }$, either $(j+1mod|A\left|\right)\in S^{\prime \prime }$ or $j\in S^{\prime \prime }$. If those conditions had not been met, given the previous considerations, it would not have been possible to transit exactly between these two states.

As we can observe from the former transitions, once one trace event satisfies a condition in A, we will always navigate towards states in $\mathcal{S}$ without ever having the possibility of going back to the initial and sole accepting state $\Phi$, as we must perennially guarantee that the conditions in A shall be eventually satisfied in turns, thus entailing that no finite trace will ever satisfy such conditions. As the number of states required for generating these formulae is therefore exponential in the size of both $\Phi$ and A as $|\Phi |=\left|A\right|$ by construction, by assuming that the most efficient algorithm for generating such automaton from the LTL_f specification will take at least a time comparable to the size of the graph without any additional computation overhead, we therefore have that such algorithm will take at least an exponential time on the size of the specification, thus in $o\left(2^{\left|A\right|}\right)$.

Similarly to the previous lemma, even in this scenario, the minimisation of such automaton will lead to one being equivalent to the one predicate the absence of all the activities in A.

   □

Proof 

(Proof for lemwdue). It derives as a corollary from b1lemma, which holds independently from the non-simultaneity axiom.    □

Lemma A2. 

Given $A=\left\{{\mathsf{c}}_1,{\mathsf{c}}_2,\cdots ,{\mathsf{c}}_n\right\}\subseteq \Sigma$, ${\Phi }^{\prime }:={\bigwedge }_{{\mathsf{c}}_i\in A}\square \neg {\mathsf{c}}_i$ is equivalent to $\Phi :=\square ({\mathsf{c}}_n\Rightarrow ⊚(\neg {\mathsf{c}}_n\mathcal{U}{\mathsf{c}}_1))\wedge {\bigwedge }_{\stackrel{i\in \mathbb{N}}{1\le i<n}}\square ({\mathsf{c}}_i\Rightarrow ⊚(\neg {\mathsf{c}}_i\mathcal{U}{\mathsf{c}}_{i+1}))$ inLTL_f.

Proof. 

We proceed similarly to the previous lemma where now, due to the adoption of the Until operator, we change the definition of ${\nabla }_i$ per its special property as follows:

$${\nabla }_i:={\mathsf{c}}_{i+1mod\left|A\right|}\vee (\neg {\mathsf{c}}_i\wedge \neg {\mathsf{c}}_{i+1mod\left|A\right|}\wedge ⊚{\nabla }_i)$$

prescribing that in any subsequent step ${\mathsf{c}}_i$ can never occur until the first occurrence of ${\mathsf{c}}_{i+1mod\left|A\right|}$ . Furthermore, similarly to the ChainResponse case, we add a falsehood sink state, towards each state will transit upon violation of the conditions prohibited by ${\nabla }_i$. In fact, this lemma restricts the expected behaviour in the former lemma, as we now prescribe that ${\mathsf{c}}_i$, once activating a clause thus adding ${\nabla }_i$ to a state, cannot occur before the occurrence of ${\mathsf{c}}_{i+1mod\left|A\right|}$ or, otherwise, we have to transit towards a never-accepting sink falsehood state. Consequently, except for the sink falsehood state, I could loop over any other state only if none of the activities in A are considered. We now stress the main differences from the definition of the transition functions if compared with the previous lemma:

(1)

$\Phi \stackrel{{\bigwedge }_{{\mathsf{c}}_i\in A}\neg {\mathsf{c}}_i}{\to }\Phi$: Same as per the previous lemma.

(2)

$\Phi \stackrel{{\bigwedge }_{{\nabla }_i\in S}{\mathsf{c}}_i\wedge {\bigwedge }_{{\nabla }_j\notin S}\neg {\mathsf{c}}_j}{\to }S$ for each $S\in \mathcal{S}$: Same as per the previous lemma.

(3)

$S\stackrel{F}{\to }S$ for each $S\in \mathcal{S}$: As per previous observation, this is now changed to $F={\bigwedge }_{{\mathsf{c}}_i\in A}\neg {\mathsf{c}}_i$, as performing none of the states that are recorded in A is the only possible way not to transit into any other state.

(4)

${\left\{{\nabla }_j\right\}}_{j\in S^{\prime }}\cup \{\Phi \}\stackrel{F}{\to }{\left\{{\nabla }_j\right\}}_{j\in S^{\prime \prime }}\cup \{\Phi \}$ with $S^{\prime }\subset S^{\prime \prime }$: Same as per previous lemma.

(5)

${\left\{{\nabla }_j\right\}}_{j\in S^{\prime }}\cup \{\Phi \}\stackrel{F}{\to }{\left\{{\nabla }_j\right\}}_{j\in S^{\prime \prime }}\cup \{\Phi \}$ with $S^{\prime }\supset S^{\prime \prime }$. This type of transition never occurs similarly to lemr-1. Without any loss of generality, let us assume that $S^{\prime }=\{i,j,k\}$ and $S^{\prime \prime }=\{i,j\}$ as in the previous lemma: allowing such transition would require to have an event abiding by ${\mathsf{c}}_{k+1mod\left|A\right|}$ for which either $i=k+1mod\left|A\right|$ or $j=k+1mod\left|A\right|$. The only possible way to make this admissible is to make also ${\nabla }_i$ (or ${\nabla }_j$) move with a corresponding ${\mathsf{c}}_{i+1mod\left|A\right|}$ (or ${\mathsf{c}}_{j+1mod\left|A\right|}$) action; still, this would have contradicted the assumption that i and j are not moving, and therefore this action would either violate ${\nabla }_i$ or ${\nabla }_j$, which is then impossible. Therefore, executing any of the activation conditions ${\mathsf{c}}_i$ for $i\in S^{\prime }$ being explicitly prohibited by the corresponding ${\nabla }_i$ will just move the current source state of interest towards the sink falsehood state.

(6)

${\left\{{\nabla }_j\right\}}_{j\in S^{\prime }}\cup \{\Phi \}\stackrel{F}{\to }{\left\{{\nabla }_j\right\}}_{j\in S^{\prime \prime }}\cup \{\Phi \}$ with $S^{\prime }\ne S^{\prime \prime }$: otherwise, as observed in the previous point, we can move towards a new state by either consuming a ${\mathsf{c}}_{i+1mod\left|A\right|}$ with $i\in S^{\prime }$ leading to an $i+1mod\left|A\right|\in S^{\prime \prime }$, or by ensuring a ${\mathsf{c}}_{j+1mod\left|A\right|}$ with $j+1mod\left|A\right|\in S^{\prime \prime }\setminus S^{\prime }$ and $j\notin S^{\prime }$ for not violating an already-activated condition. Overall, we can observe that this leads to never transiting from a state containing more activation conditions towards one containing less than those, at any rate.

Under all the remaining circumstances, we transit from S towards the falsehood sink state. Similarly, as in the previous construction, we can observe that any algorithm generating such a graph before minimisation will take an exponential time on the size of both the specification $\Phi$ and A.    □

Appendix B.2. Proposed Methodology

In this section, we show an efficient algorithm for detecting short-circuit rewritings within the DECLAREd fragment in polytime over the size of the specification.

Corollary A1. 

We can rewrite ${\Phi }_d$ containing aChainResponseshort-circuit in polytime on the size of ${\Phi }_d$.

Proof. 

Given the construction sketched in §2.2, the best case scenario for $\Phi$ constitutes in $\Phi$ containing exactly one single ChainResponse circuit, for which we obtain a graph $G^{\mathtt{cr}}$ representing itself a cycle of size $|\Phi |$. By adopting a DFS visit for detecting a cycle, we take $O(V+E)$ to recognize the whole graph $G^{\mathtt{cr}}$ as a cycle.

In the worst-case scenario, $\Phi$ contains a conjunction of clauses ${\bigwedge }_{\stackrel{\mathsf{a},\mathsf{c}\in \Sigma }{\mathsf{a}\ne \mathsf{c}}}\mathtt{ChainResponse}(\mathsf{a},\mathsf{c})$ leading to a fully connected graph $G^{\mathtt{cr}}$. Within this scenario, the worst-case scenario for detecting a cycle is detecting a cycle of size 2 after fully visiting $G^{\mathtt{cr}}$. After doing so, we remove the two nodes from $G^{\mathtt{cr}}$ and repeat the visit over such a reduced graph. If we always assume to detect cycles of size 2 for each visit, we will end up running $\frac{|V^{\mathtt{cr}}|}{2}$ visits of the graph, and the overall time complexity becomes ${\sum }_{i=0}^{|V^{\mathtt{cr}}|/2}\left(\right|V^{\mathtt{cr}}|-2i+(|V^{\mathtt{cr}}{|-2i)}^2)\in O(|V^{\mathtt{cr}}{|}^3)$.

   □

As a further corollary from this, we immediately deduce that our strategy from §3.4 is far way more efficient than generating a DFA associated with a formula for then minimising it as in lemr-1, as in the best case scenario we still have to generate an exponential number of states in the size of A, while in our proposed approach we do not. This is possible as our current envisioned approach assumes lemr-1 to hold without needing to go through the aforementioned exponential construction algorithm.

Corollary A2. 

We can rewrite ${\Phi }_d$ containing aResponseshort-circuit in polytime on the size of ${\Phi }_d$.

Proof. 

This can be considered a further corollary of coroll1, as both the graph visit and construction phase are completely independent of the nature of the clause, which is completely neglected and sketched in terms of mutual dependencies across activity labels through a dependency graph. Similar conclusions then hold, also in terms of time complexity for the graph visit.    □

Corollary A3. 

We can rewrite ${\Phi }_d$ containing anAltResponseshort-circuit in polytime on the size of ${\Phi }_d$.

Proof. 

As per coroll2, the goal is closed similarly to b1lemma due to the same way the graph is constructed independently from its associated LTL_f semantics.    □

Appendix D.1. Correctness

Lemma A4. 

If the specification is a tautology, then the formula is completely rewritten into ⊤.

Proof. 

algo:load is the only part detecting trivially-holding conditions: this occurs all the time that an edge is not added in $G^{★}$ for a clause with the template ★ while invoking neither Abs nor Ex, as these would otherwise trigger the generation of Absence and Exists clauses at the end of the computation. In fact, any further clause rewriting resulting from applying the rewriting rules as described in §3.3 always invokes one of the two former functions, thus not necessarily guaranteeing that an empty specification will be returned. Therefore, the aforementioned algorithm is the only point in the code where the non-insertion of clauses jointly with the lack of the invocation of Abs/Ex might lead to the generation of an empty specification. As the clauses that were not inserted in the specification were actually trivially true, if we obtain a specification with empty graphs and an empty F, we infer that the overall specification is also trivially true. Therefore, in this situation, we return ⊤ as a resulting ${\Phi }^{\prime }$ for ${\Phi }_d^{\prime }$.    □

Lemma A5. 

If the specification is unsatisfiable, then the computation abruptedly terminates while returning ⊥

Proof. 

We observe that we detect the specification as unsatisfiable only under three circumstances, whether (i) $\exists x\in dom\left(F\right).\left|F\right(x\left)\right|=2$, thus implying by algorithmic construction that the absurd condition $\mathtt{Absence}\left(\mathsf{x}\right)\wedge \mathtt{Exists}\left(\mathsf{x}\right)$ should hold, (ii) whether we trigger a rewriting rule leading to ⊥, and (iii) at loading time. This proof follows from the assumption that no further inconsistency can be detected from the described rules and algorithms.

The first scenario requires checking, each time a new $\mathtt{Absence}\left(\mathsf{x}\right)$ or $\mathtt{Exists}\left(\mathsf{x}\right)$ clause is generated, to always check for (i) while ensuring that the detection of (i) is propagated through the function call chain. The second condition requires iterating over all the edges and correctly detecting the conditions leading to ⊥ from fig:rewriting while applying the rewriting rules as per §3.3: the return of ⊥ in this occasion is described in this section. The third scenario is as described in algo:load. We close the two last sub-goals as we covered all the possible cases leading to a direct inconsistency.

This leads to then proving the remaining first sub-goal. First, we can prove that detecting an inconsistent specification is propagated backwards given the function call stack. Let us now focus on the sub-routines in alg:asur: we observe that Abs/Ex returns false when a specification is being detected as inconsistent, while all the other sub-routines in the same Algorithm immediately return false upon calling any of the other functions when at least one call detects such an inconsistency. As the generation of $\mathtt{Absence}\left(\mathsf{x}\right)$ or $\mathtt{Exists}\left(\mathsf{x}\right)$ is also achieved by calling the previous functions, we always ensure that any potential inconsistency is detected. Furthermore, the code guarantees that any call to Reduce and Clear returning false immediately returns ⊥: this in fact holds as the respective functions guarantee that explicit application of the rewriting rules involving each clause that we know per Absence(x) that will be never activated, thus guaranteeing an a posteriori rewriting of the specification even after scanning all of the clauses associated to the same template as per §3.3. For NotCoExistence, we also guarnatee that this detection occurs by directly calling Reduce${}^{\mathtt{ch}}$ instead, thus also leading to the generation of Exists clauses. Dually, this also holds for the generation of new Exists(x) rules, which are then leading to the invocation of the Expand${}^{\mathtt{re}}\left(x\right)$ sub-routine which, in turn, is also checking for Ex(x). Thus we can observe that our algorithm guarantees that all of the rules are properly expanded as well as always updating on the current state for the existence/absence of inconsistencies, thus leading to correctly detecting an inconsistency if any. As the rewriting rules provide all the possible combinations for which the absence or the presence of specific activity labels might generate further activation or target conditions, we immediately ensure to return an inconsistent specification upon detection given the rewriting rules completely describing the language.    □

Last, we also provided some unit tests for ensuring, to the best of our knowledge, the correctness of the implemented solution: https://anonymous.4open.science/r/DECLAREd-B1BF/tests.cpp.

Appendix D.2. Convergence in PolyTime(Φ d )

We now prove the lemmas dealing with DECLAREd’s decidability and polynomial time complexity for each sub-routine within our equational rewriting algorithm.

Lemma A6. 

The sub-routines in alg:asur always terminate in polynomial time.

Proof. 

We now analyse each declared sub-routine. Before doing so, we observe that no rule generates activity labels that are not originally considered within the original specification ${\Phi }_d$, thus ensuring that the computation will always terminate. Given $\Sigma$ the set of all the activity labels occurring in the original specification ${\Phi }_d$, we can only have $|\Sigma |$ distinct calls to these functions and, given that no rule in both fig:rewriting and temporal short-circuit rewriting generates novel activity labels not occurring in the formula, we are never expecting having $\left|dom\right(F\left)\right|>|\Sigma |$, thus ensuring the non-divergence of our computation. This assumption (A1) is then transferred to each call of the following functions:

Ex(x):

This function takes note that the specification requires, at some point of the rewriting, that x shall exist anytime in a trace; this mainly updates a hashmap F and immediately returns a boolean value determining whether this is also associated to an absence, for which then F will be associated to two distinct values instead of one. Therefore, this trivially terminates in $O\left(1\right)$.

Abs(x):

This function is the exact dual of the previous one, as it predicates the absence of an event associated with an activity label x. Even in this case, this function always terminates in $O\left(1\right)$.

Clear(x):

This function calls only other functions for removing vertices and edges from a graph associated with a clause template, which functions are non-recursive and trivially terminating. Furthermore, this function only reduces the previously loaded and indexed information, except for the clauses associated with calls to Ex(x) and Abs(x), used to detect inconsistencies within the temporal specification. This is carried out in linear time over the size of the currently-loaded specification.

Reduce${}^{★}$(x) for $★\ne \mathtt{ch}$:

This function mainly describes an iterative backward DFS visit over a $G^{★}$ graph with $★\ne \mathtt{p}$ using toremove as a stack by traversing all the edges in the graph backwards from x; we avoid in-definitively traversing loops in the graph by remembering which nodes were already visited and popped from the aforementioned stack (visited). This call jointly with Clear(x) ensures that no clause containing $x\in \Sigma$ as an activity label will be returned in the resulting specification, as this function will remove all the vertices representing the activity label x. Henceforth, even this function does not generate new data jointly with A1. Overall, the algorithm is then guaranteed always to terminate in polynomial time over the size of the specification.

Reduce${}^{\mathtt{p}}$(x):

we can draw similar considerations as the previous algorithm, as the main difference is merely in the direction of the graph visit: we are now traversing the edges forward instead than in reverse ($\forall a,b\in \Sigma .\mathtt{Precedence}(a,b)\wedge \mathtt{Absence}\left(a\right)\equiv \mathtt{Absence}\left(a\right)\wedge \mathtt{Absence}\left(b\right)$, Line 56 also in fig:rewriting). Vertices from the $G^{\mathtt{p}}$ are also explicitly covered in this function (L. 40), as this is not considered as part of Clear(x); this ensures that this function cannot be called with the same argument x.

Expand${}^{\mathtt{re}}$(x):

Notwithstanding that this function is the dual of the previous, this works similarly: when a new Exists(x) DECLAREd clause is attempted to be generated, we ensure that this will not trigger another rewriting annihilating some RespExistence clauses ($\forall a,b\in \Sigma .\mathtt{RespExistence}(a,b)\wedge \mathtt{Exists}\left(a\right)\equiv \mathtt{Exists}\left(a\right)\wedge \mathtt{Exists}\left(b\right)$, Line 56). Similarly to the previous steps, we are not adding information in the graph $G^{\mathtt{re}}$ that we are traversing, rather than removing those, thus ensuring to avoid unnecessary re-computations over the same activity label $x\in \Sigma$. Furthermore, we remove any occurrence of a Choice clause that might be trivialised by the existence of x ($\forall a,b\in \Sigma .\mathtt{Choice}(a,b)\wedge \left(\mathtt{Exists}\right(a)\vee \mathtt{Exists}(b\left)\right)\equiv \left(\mathtt{Exists}\right(a)\vee \mathtt{Exists}(b\left)\right)$, Line 52) as well as checking whether the existence of x might lead to inconsistencies related to the required absence of the label expressed in the target condition at Line 54:

$$\forall a,b\in \Sigma .\mathtt{NegSuccession}(a,b)\wedge \mathtt{Exists}\left(a\right)\equiv \mathtt{Absence}\left(b\right)$$

Similarly to the other sub-routines, this function is gradually reducing the number of the clauses which are potentially rewritten in Exists/Absence: due to (A1), this procedure is also guaranteed to terminate.

Reduce${}^{★}$(x) for $★=\mathtt{ch}$:

This provides a restriction to the case $★\ne \mathtt{ch}$ inasmuch as the activity labels in toremove are not visited from the stack, rather than being used for calling Expand${}^{\mathtt{re}}$ which, in turn, is also a terminating function. Overall, Reduce is always terminating independently from ★.

Overall, we conclude that each of the sub-routines is guaranteed to terminate in at most polynomial time while also guaranteeing to reduce the information being stored in the graphs associated with each declarative template.    □

Lemma A7. 

The computation allowing the expansion of some DECLAREd clauses while loading those in the appropriate graphs $G^{★}$ for each template ★ terminates in linear time over the size of the specification (algo:load).

Proof. 

First, as the ${\Phi }_d$ set is always finite under the assumption that this algorithm works by loading specification as written in a computer, then this algorithm will always take a finite time to linearly iterate over all the finite set of DECLAREd clauses being represented in the specification. Next, each invocation to Ex and Abs is guaranteed to terminate in $O\left(1\right)$ due to Lemma A6. Furthermore, while graphs are instantiated by adding edges (and therefore the corresponding nodes if missing), we are never traversing those. As per previous considerations, at this stage we also consider expansion rules rewriting some of the given clauses in $\Phi$ as other clauses. As this expansion does not trigger any further rewriting rule in fig:rewriting, we are simply adding new clauses without being stuck in never-ending cycles. This also goes hand in hand with (A1) from the previous lemma, as we generate clauses without inferring new activity labels not in the original specification. Therefore, even this algorithmic step is guaranteed to terminate in most linear time concerning the specification size.    □

Corollary A4. 

The computation of short-circuit rewriting is guaranteed to terminate in a polytime over the size of the original specification.

Proof. 

This can be seen as a further corollary of Corollary A1, Corollary A2, and Corollary A3: as the composition of distinct terminating function calls leads to an overall terminating computation, we guarantee that all the short-circuit rewritings lead to a terminating computation in polytime over the size of the original specification, ${\Phi }_d$.    □

Lemma A8. 

The computation of the rewriting rules leads to a terminating procedure.

Proof. 

Last, we consider the termination for the procedure sketched in §3.3. In the worst case scenario, we are never generating an inconsistency, thus never abruptedly terminating the procedure by returning an inconsistent ⊥ specification. If no rewriting rule is ever triggered, we then simply linearly iterate over all the edges of the graphs $G^{★}$ for each template ★ without triggering any of the past functions. Furthermore, the iteration over the domain of F will be always be the same. Therefore, no additional overhead is introduced and the procedure terminates. On the other hand, we trigger at least one rewriting rule that, per the (A1) assumption, never generates a clause containing an activity label that was not present in $\Sigma$: under this, all the previous functions are also guaranteed not to generate more information than the one being available in $\Sigma$. Furthermore, this computation never generates new edges to be visited, as the only expansion phase occurs as described in exploadDec. At most. we trigger the deletion of edges from the graph in $O\left(1\right)$ that we are currently generating or the generation of novel Exists/Absence clauses, but we never generate other clauses. Furthermore, the graphs are mainly depleted after iterating over the edges, by invoking Reduce or Clear functions for each x s.t. $F\left(x\right)=\mathbf{false}$ after the aforementioned edge iteration. Even in this scenario, the computation is guaranteed to converge in polynomial time: as we mainly boil down the clauses to absences and existentials while ensuring to remove entailing clauses, and given that the number of such templates is finite, we therefore guarantee to converge in at most polynomial time over the size of the declarative specification.    □