Abstract
The nonpropositional Metric Temporal Graph Logic (MTGL) specifies the behavior of timed dynamic systems given by timed graph sequences (TGSs), which contain typed attributed graphs representing system states and the elapsed time between states. MTGL satisfaction can be analyzed for finite TGSs by translating its satisfaction problem to the satisfaction problem of nested graph conditions using a folding operation (aggregating a TGS into a graph with history) and a reduction operation (translating an MTGL condition into a nested graph condition).
In this paper, we introduce an analysis procedure for MTGL to allow for an on-the-fly analysis of finite/infinite TGSs. To this end, we introduce a further (optimistic) reduction of MTGL conditions, which leads to violations during the on-the-fly analysis only when non-satisfaction is guaranteed in the future whereas the former (pessimistic) reduction leads to violations when satisfaction is not guaranteed in the future. We motivate the relevance of our analysis procedure, which uses both reduction operations, by means of a running example. Finally, we discuss prototypical support in the tool AutoGraph.
Keywords: Graph logic with binding, Nonpropositional metric temporal logic, Runtime monitoring, Three-valued logic
Introduction
The challenges for developing embedded real-time systems with a high degree of parallelism, data dependencies, and timing constraints that must adhere to a given specification are manifold. The formal verification of such systems given by formal models is often intractable and, moreover, such formal models cannot be obtained for systems with unpredictable behaviors such as human-in-the-loop systems. Model-based testing and runtime monitoring are two standard model-driven approaches supporting the engineering of such systems.
In this paper, we check the conformance of a timed graph sequence (TGS), given by a sequence of states where time elapses between the states, against a formal specification. TGSs can be (a) generated using timed graph transformation [3, 7, 17] or can be (b) returned incrementally by a monitor. While offline analysis procedures suffice for finite TGSs, infinite TGSs require an on-the-fly conformance analysis to determine violations as early and as precise as possible.
As a running example, we consider an operating system as an advanced embedded real-time system in which tasks are executed by handlers computing results. For such an operating system, we require the following property 
.
- P:
Whenever a task T is created in a system S, S must have a handler H applicable to T (based on a common id). Moreover, within 10 timeunits, H must produce a result R with value
and, during the computation of R, no other handler 
applicable to T (based on a common id) may exist in S.
For specifying desired system behavior such as the property 
from above, we employ an extension of the Metric Temporal Graph Logic (MTGL) [8]. This logic permits to concisely express (a) state properties to specify single graphs in a TGS and (b) sequence properties relating graphs at different timepoints in a TGS by their attributes and inner structure. For state properties, MTGL subsumes the graph logic GL of nested graph conditions [9], which is as expressive as first-order logic on graphs. For sequence properties, MTGL has metric temporal operators that refer to matches of graph patterns in graphs in a TGS as first-class citizens. Due to these operators, MTGL is more expressive compared to metric temporal logics such as MTL [12] only relying on atomic propositions since MTGL allows to keep track of an unbounded number of elements. For example, for the property 
, we must separately track tasks T and 
for which corresponding results R and 
must be created before the corresponding deadline expires.
The main contributions of this paper are as follows. Firstly, we integrate the metric-exists-new operator as a first-class citizen into MTGL, which was not explicitly done in [8]. It matches graph patterns as early as possible to fix a timepoint from which a deadline can be started as in our running example when a new task is matched. Secondly, we formally integrate attribute quantification into MTGL and GL. Thirdly, we develop an on-the-fly checking procedure, which takes a formal MTGL specification and considers a TGS incrementally returning a lower (optimistic) and an upper (pessimistic) bound of the set of true violations, which determine a ground truth of violations that would be obtained ideally. The optimistic lower bound does not contain all true violations to handle TGSs that are continued in a way leading to satisfaction in the future whereas the pessimistic upper bound contains additional false violations to handle TGSs that are continued in a way not leading to satisfaction in the future. Returning the optimistic bound in addition to the pessimistic bound as computed in [8] results essentially in a three valued logic1 where an intervention (e.g. by a user) may depend on whether a pessimistic violation is also an optimistic violation.
In Sect. 2, we recall symbolic graphs and the logic GL of nested graph conditions. In Sect. 3, we extend MTGL by integrating the operator metric-exists-new. We present our on-the-fly analysis procedure and discuss its prototypical tool support by AutoGraph in Sect. 4. Finally, we discuss related work in Sect. 5 and conclude the paper with a summary and remarks on future work in Sect. 6.
Symbolic Graphs and Graph Logic
We now recall typed attributed graphs and nested graph conditions used for representing system states and properties on these states, respectively.
We use symbolic graphs (see e.g. [18–20, 24]), called graphs subsequently, to encode typed attributed graphs. Symbolic graphs are an adaptation of E-Graphs [5] where nodes and edges of a graph G are connected to (sorted) variables 
instead of data nodes representing actual values. To specify the possible values of variables, graphs are equipped with an attribute constraint (AC)
over the variables 
(e.g. 
, 
, and 
).
An AC 
is constructed using variables from a set X and the usual operators for the sorts 
, 
, 
, and 
, which range over the set 
of all values. Satisfaction of an AC 
by a valuation 
is denoted by 
.2 If an AC 
is satisfiable or tautological, we write 
or 
, respectively.
In the following, we consider graphs that are typed over a type graph 
using a typing morphism 
. Type graphs restrict attributed graphs to an admitted subclass 
. The empty graph is denoted by 
. For our running example, we employ the type graph 
from Fig. 1a. Examples of graphs that are typed over 
are given in Fig. 3b.
Fig. 1.
The type graph 
of our running example, two morphisms, and a GC
Fig. 3.
The MTGC 
and the TGS 
from our running example
Morphisms
between graphs 
and 
are defined as usual (see e.g. [24] for a formal definition) and consist of mappings between the components of 
and 
. In the remainder of this paper, we only use morphisms 
for which all mappings are injective.
Moreover, we distinguish between two kinds of morphisms 
. Firstly, restrictive (mono)morphisms
must ensure that the AC of 
is more restrictive compared to the AC of 
. This means that each valuation that satisfies the AC of 
also satisfies the f-translated AC of 
(i.e., 
where 
is the mapping contained in f between the variables of 
and 
). Secondly, consistent morphisms
must ensure that the AC of 
is compatible with the AC of 
. This means that there is at least one valuation that satisfies the AC of 
as well as the f-translated AC of 
(i.e., 
). See Fig. 1b for examples of restrictive and consistent morphisms. The initial (mono)morphism 
for graph G is restrictive and, when the AC of G is satisfiable, also consistent.
The graph logic GL over nested graph conditions (GCs) can be used to specify graphs. GL features propositional connectives and the operator 
(called 
) to extend given matches of graph patterns (given by graphs) in a graph (called host graph) with a satisfiable AC. Technically, the 
operator describes the extension of a graph pattern H using a restrictive monomorphism 
. See Fig. 1c for an example of a GC. For improved readability, we visualize restrictive monomorphisms 
occurring in GCs by omitting graph elements from H not connected to graph elements in 
.
Definition 1
(Nested Graph Conditions (GCs)). If H is a graph and 
is a restrictive monomorphism, then 
is a nested graph condition (GC) over H, written 
, as follows.
 |
We also make use of the operators false
, disjunction
, and universal quantification
, which can be derived from the operators above.
The semantics of GL is given by the satisfaction relation below, which deviates from [24] by using (a) variable valuations 
and (b) consistent instead of restrictive matches 
. Most notably, the GC 
is satisfied by a match m and a valuation 
when they can be extended to a match 
and a valuation 
that are consistent with f. To ensure that the valuation 
is used consistently when evaluating ACs occurring in graphs in 
, we require that the consistency condition is satisfied by 
(i.e., 
) using a valuation compatible with 
. Finally, as in [9, 24], a graph G satisfies a GC defined over 
when the initial morphism 
and the empty valuation 
satisfy the GC.
Definition 2
(Satisfaction of GCs). If 
is a GC, 
is a consistent morphism, and 
is a valuation, then m
satisfies
via
, written 
, if an item applies.
.
and 
.
, 
, and 
.
and there are 
and 
s.t. 
, 
, 
, and 
.3
If 
, 
, 
, and 
, then 
.
This novel adaptation of the satisfaction relation (informally handled in [8]) allows to express quantification over attribute values as required for our on-the-fly analysis procedure in Sect. 4. For example, we can state that “for each 
satisfying 
there is a variable 
with the value of x” using the GC 
in Fig. 2a, which is satisfied by the graph G from Fig. 2b containing a matchable copy of x. In our implementation in the tool AutoGraph, we operationalize the satisfaction check by constructing the AC from Fig. 2c incorporating all possible matches for the variable y for which satisfiability then implies that G satisfies 
.
Fig. 2.
Satisfaction of GCs by graphs
Metric Temporal Graph Logic
The Metric Temporal Graph Logic (MTGL) over metric temporal graph conditions (MTGCs) [8] extends GL with two metric temporal operators. In particular, (a) the until operator 
is well-known from MTL [12] and (b) the formal integration of the metric-exists-new operator 
allows to match graph patterns at a future timepoint (restricted by an interval) when the match is first available.
Definition 3
(Metric Temporal Graph Conditions (MTGCs)). If H is a graph, 
is a restrictive monomorphism, and I is an interval over 
, then 
is a metric temporal graph condition (MTGC) over H, written 
, as follows.
 |
The derived operator metric-forall-new
is the dual operator to 
. Also, operators such as eventually and globally can be derived using the operator 
.
The integration of graph pattern matching of GCs (for state properties) and the two metric temporal operators (for sequence properties) allows for the formalization of properties where a match into a graph (established using the operators 
or 
) is preserved/extended over multiple timed steps of the system (using the operator 
) and where the duration of these timed steps can be specified using intervals. For our running example, see Fig. 3a for a formalization of the property P introduced in Sect. 1 in the form of an MTGC 
.
The semantics of MTGL is defined over Timed Graph Sequences (TGSs) [8] (e.g. 
in Fig. 3b), which describe a single (possibly infinite) evolution of a system in terms of its visited states and the durations between these states. A TGS 
starting in a graph G (written 
or 
when 
is finite) is a sequence of timed spans 
where 
is the relative time at which the successor state 
is reached from 
and where 
and r describe the deletion and addition of graph elements as usual. We also assume the reversal operation 
, the concatenation operation 
, the prefix relation 
, the length operation 
(which counts the timed spans), the duration operation 
(which sums the durations 
of all timed spans), the projection operation 
to the graph at timepoint t, and the slicing operation 
delivering the TGS between timepoints 
and 
. For well-definedness of the slicing operation (and the satisfaction relation of MTGL later on), we require that 
implies 
ruling out Zeno TGSs.
For the semantics of MTGL, we define that a match m (also called binding) is propagated over a single timed span 
by adapting it according to the renaming given by 
and r. However, the propagation operation is partial when graph elements matched by m are not preserved across the timed span.
Definition 4
(Operation
). If 
, 
are consistent morphisms, 
is a timed span, and there is a consistent morphism 
s.t. 
and 
, then 
is obtained by propagation of
m
over
, written 
. Also, we extend the operation 
to finite TGSs as expected.
The semantics of MTGL is given by the satisfaction relation below, which is defined as for GL for the operators conjunction, negation, and exists and uses a current observation timepoint t (which does not exceed the duration of the TGS) in addition to a consistent match 
and a valuation 
. Note that the target of the match m is adapted (via propagation over timed spans from TGS 
) and the current timepoint t is modified (according to the provided intervals) only in the cases of the metric-exists-new and until operators. For these two metric temporal operators, we provide further informal explanations below. Finally, a TGS satisfies an MTGC defined over 
when the TGS, the initial observation timepoint 0, the initial morphism 
representing an empty binding, and the empty valuation 
satisfy the MTGC.
Definition 5
(Satisfaction of MTGCs by TGSs). If 
is an MTGC, 
is a TGS, 
is a timepoint before the end of 
, 
is a consistent morphism into the graph at timepoint t, and 
is a valuation, then 
, if an item applies.
.
and 
.
, 
, and 
.
and there are 
and 
s.t. 
, 
, 
, and 
.-
and there are 
, 
, and 
s.t.- there is
s.t. 
, 
, 
, 
, and - for each
there is no 
.
-
and there is 
s.t.- there is
s.t. 
and - for each
there is 
s.t. 
.
If 
, 
, 
, and 
, then 
.
For the metric-exists-new operator, we state that there is some timepoint 
in the future that is compatible with the given interval I where the propagated match 
can be extended to a match 
such that (first item) this extension is compatible with f as required for the case of exists and (second item) the extended match 
cannot be propagated to any timepoint in the strict past. For the until operator, we state (first item) that 
is eventually satisfied for some timepoint 
in the future that is compatible with the given interval I and (second item) that 
is permanently satisfied for all timepoints between the current observation timepoint t and the timepoint 
except for 
.
For our running example, see Fig. 3b for a TGS 
, which does not satisfy the MTGC 
from Fig. 3a. In this TGS, we find a fresh match of a task on a system at timepoint 
(after step 2). Moreover, we find immediately a (unique) handler for this task (based on the common id 123) such that there is no second handler for that task (with common id) until we find at timepoint 
a result with the successful attribute value ok obtained by the handler. However, this result is not obtained within the specified interval of at most 10 timeunits, which corresponds to the global time interval 
in this case.
On-the-fly Analysis for MTGL
We now present an on-the-fly analysis procedure for checking MTGCs against finite and infinite TGSs as our main contribution. For this aim, we build upon [8] where an operation 
for translating an MTGC 
into a GC 
and an operation 
for translating a finite TGS 
into a so-called graph with history (GH)
G were presented. These two operations ensured that 
iff 
, which allows for an efficient check of MTGL satisfaction for finite TGSs by checking GL satisfaction for finite GHs instead. Note that the problem of checking MTGL satisfaction (as for other metric temporal logics) becomes particularly difficult when instances of until operators are nested.
When considering a TGS 
in an on-the-fly scenario where timed spans are added one-by-one, we cannot simply apply the procedure from [8] to all prefixes of 
because the MTGL satisfaction relation is inherently pessimistic not returning the desirable results. For example, the MTGC 
from Fig. 3a would be violated by the TGS 
from Fig. 3b not only at timepoint 21 when the violation of the deadline is detected (as discussed before) but also at timepoint 6 since the prefix of length 2 of 
does not contain any node of type Result. Note that we would indeed expect a violation at timepoint 6 already when the prefix of length 2 of 
would be the entire TGS to be considered. As a ground truth of violations that would ideally be returned by our procedure, we define true violations later on in Definition 12 where also all subsequent behavior given by the timed spans in the TGS, which is not available to the on-the-fly procedure, is also taken into account.
For our on-the-fly analysis procedure (see Fig. 4 for an overview), we employ extensions/adaptations of the operations 
and 
from [8]. As inputs, we consider an MTGC 
and a finite/infinite TGS 
that is incrementally considered. If the given TGS 
is finite, it may include a node of type Terminated in its last graph to denote that it is not going to be continued (see Fig. 3b). Firstly, we employ a modification of the operation 
(see Definition 9) to obtain for 
(via a parameter 
), in addition to the pessimistic GC 
as in [8], a second optimistic GC 
. Note that we apply the operation 
offline (once for each mode) before considering the timed spans of the TGS for increased efficiency. Secondly, we split the operation 
into two operations 
and 
to allow for an incremental rather than a batch folding of a TGS. That is, 
produces a first GH from the start graph of the TGS and 
modifies a given GH 
into a GH 
for each timed span from the TGS as soon as that timed span is available. The sequence of GHs constructed in this way results in a GH TGS
that corresponds to the prefix of the TGS available so far. Thirdly, we check for the conformance of each 
with 
and 
as soon as 
is available by separately applying the GL satisfaction relation to 
and 
as well as to 
and 
. Each determined non-satisfaction is a violation for which we add the global time of its occurrence (which is given by the sum of all 
so far) to the resulting sets of pessimistic and optimistic violations.
Fig. 4.
Overview of the on-the-fly analysis procedure
The operations 
and 
ensure that each GH resulting from folding a TGS contains for each node/edge occurring in the TGS the timepoints of its creation and (if it was deleted) its deletion using additional 
and 
attributes. For our running example, the type graph 
from Fig. 1a contains these 
and 
attributes already and the GH eventually obtained for the entire finite terminated TGS 
from Fig. 3b is given in Fig. 5c.
Fig. 5.
The results of reducing the MTGC 
from Fig. 3a and the result of incrementally folding the entire TGS 
from Fig. 3b
The operation 
returns GCs that encode the satisfaction checks for MTGL operators according to Definition 5 using ACs. These ACs make use of (a) the 
and 
attributes as added to the GH to control the matching of elements, (b) additional variables for quantifying over observation timepoints as in Definition 5, and (c) a variable 
storing the current global time (i.e., the duration of the considered TGS prefix 
). As for the variable 
in Fig. 2, the additional quantified variables and the variable 
for the current global time are required to be contained in the GHs. The operation 
returns for this purpose, besides the GC, also a graph 
containing these additional variables including the distinguished global time variable 
. For our running example, the graph 
is given in Fig. 5b where all variables are associated with :Encoding nodes to decrease the number of matches via the 
attributes that need to be considered when we check whether a GH subsuming 
satisfies the obtained GC. Note that the construction of :Encoding nodes is omitted later in Definition 9 to ease presentation. While 
is a subgraph of each constructed GH, we add the AC 
to the current GH assigning the current global time to the variable 
just before checking GL satisfaction whenever a new GH has been constructed during the on-the-fly analysis.
We now define the operations used in the on-the-fly analysis procedure. The predicate 
identifies a unique global time variable 
in a GH G (subsuming the graph 
obtained from folding) and the operation 
adds the AC that assigns the current global time to the 
into the graph G.
Definition 6
(Predicate
and Operation
). If G is a GH with a variable x of sort 
, then G
is a graph with global time variable
x, written 
. If, additionally, 
is a global timepoint and 
is the graph obtained from G by adding the AC 
, then 
is the time-assigned version of G for the timepoint
t, written 
.
For incrementally folding a TGS starting in a graph H into a GH, we use in the first step the following operation 
, which joins the graphs 
and H as well as adds 
attributes to all nodes and edges originating from H.
Definition 7
(Operation
). If 
is the componentwise disjoint union of the graphs 
and H where the attributes 
and 
are added to each node and edge 
originating from H, then 
.
The operation 
adapts a GH G reached at global timepoint t to a GH 
by incorporating the changes described by a timed span 
. Firstly, 
attributes of nodes and edges deleted by 
are updated to the new global timepoint 
. Secondly, 
attributes with new global timepoint 
and 
attributes with default value 
are added to all nodes and edges created by r.
Definition 8
(Operation
). If G is a graph, 
is the current global timepoint, 
is a timed span, and 
is a graph constructed from G by (a) changing the attribute 
to 
for each node or edge 
, (b) renaming each node and edge 
according to 
, (c) renaming each node and edge 
according to r, (d) adding each node and edge 
, and (e) adding the attributes 
and 
to each node and edge 
, then 
.
The operations 
and 
preserve the predicate 
implying that the variable 
for the current global time can still be identified and used after the folding steps during the on-the-fly analysis. Moreover, the operation 
induces a timed span between the GHs G and 
leading to a GH TGS as discussed above. For our running example, the result of applying 
and then incrementally 
to the TGS 
from Fig. 3b leads to the graph 
in Fig. 5c where the elements of the graph 
from Fig. 5b are omitted for brevity. Since no elements are deleted in 
, all elements in 
have 
attributes of value 
.
We apply the operation 
, which is equipped with a 
parameter, to separately construct the GCs 
and 
for a given MTGC 
. The following definition of 
extends the definition in [8] by additionally covering the optimistic reduction for 
and explicitly integrating the formal reduction for the MTGL operator metric-exists-new introduced in Definition 3.
Definition 9
(Operation
). If 
is an MTGC and 
is the chosen mode for reduction, then 
where the graph 
contains the variable 
and an additional variable 
for the initial observation timepoint 0. The employed recursive operation 
is homomorphic for 
, 
, and 
and adds 
and 
attributes to all nodes and edges in the resulting GC. For the remaining operators, 
is defined as follows where the formal parameter 
corresponds to the variable t in Definition 5 capturing the timepoint at which the MTGC provided to 
is checked for satisfaction.
where 
additionally requires
4 ensuring that 
is matchable at timepoint 
.
where 
additionally requires a variable 
satisfying
5 ensuring that 
is matchable at timepoint 
but not earlier.
with
where 
additionally requires a variable 
satisfying 
ensuring that 
is a future timepoint where 
is satisfied and 
additionally requires a variable 
satisfying 
for checking that 
is satisfied until timepoint 
.
for 
disabling the optimistic check.
for 
where 
additionally requires a :Terminated node disabling the optimistic check when the TGS corresponding to the GH against which the resulting GC is checked is known to have ended, 
additionally requires a variable 
satisfying 
ensuring that there is still a timepoint in the strict future at which 
could be satisfied, and 
additionally requires a variable 
satisfying 
for checking that 
was satisfied at least until the current global time 
.
The returned graph 
contains all additional variables used in the reduction.6
For our running example, the result of the reduction of the MTGC 
from Fig. 3a is given in Fig. 5a for both reduction modes. The first line requires that the initial observation timepoint 
is 0 and that the variable 
is matched into the GH thereby binding it to the current global time. The second line (a) attempts to match T, 
, and S for some observation timepoint 
in the future of 
such that the matched elements are alive at timepoint 
and not all of them are alive at any earlier timepoint (encoding the metric-forall-new operator) and (b) then checks whether a suitable handler with the same id exists at timepoint 
. The third line (for 
) tries to determine some timepoint 
in the future of 
restricted by the given interval 
of the until operator where (a) a result with value ok can be matched and where (b) at all timepoints 
no second handler with the same id can be matched. The fourth line (for 
) checks whether the TGS has not terminated already (which disables the optimistic checking), whether there is still some time left for the right-hand side condition of the until operator to become satisfied, and whether the left-hand side condition of the until operator was satisfied at all timepoints 
since 
and up-to the current global time.
The theorem on soundness of 
from [8] is now adapted for the included operator metric-exists-new and extended to cover also the optimistic mode.
Theorem 1
(Soundness of
). If 
is an MTGC, 
is a finite TGS starting in H and ending in 
, 
is the result of pessimistic reduction, 
is the result of optimistic reduction, and G is obtained from 
and 
using 
and the iterated application of 
, then (a) 
iff 
and (b) 
only if 
.
Proof Idea
Straightforward inductions on 
and 
along the lines of [8]. 
The reverse direction of the item (b) in the theorem above does not hold for the MTGC 
even though non-satisfaction in the future is guaranteed. Moreover, no other reduction can achieve the equivalence for item (b) since satisfiability is undecidable for GCs and hence also for MTGCs implying that guaranteed non-satisfiability as for 
cannot always be determined. However, we may simplify generated GCs using the sound and refutationally complete procedure from [24] for checking GL satisfiability. For example, the GC obtained by reducing the MTGC 
from above can be simplified to 
using this approach.
The following two operations 
and 
rely on the operations 
and 
, respectively, and are used in our on-the-fly analysis procedure, which is given in pseudo code in Procedure 1. To simplify presentation, Procedure 1 describes the on-the-fly analysis using only one of both modes requiring that two instances of Procedure 1 are executed concurrently to cover the optimistic and the pessimistic mode. Procedure 1 maintains during its execution a triple (G, t, V) consisting of the current GH G, the current global time t, and the set of computed violations V. The operation 
constructs the first triple (G, t, V) by applying 
and by inserting the initial timepoint 0 into the set of violations when the resulting GH G does not satisfy the GC 
.
Definition 10
(Operation
). If 
was returned by an application of the operation 
, 
is a finite TGS starting in graph H, G is the GH obtained using 
, and if 
then 
else 
, then 
.
The operation 
modifies a triple (G, t, V) to a triple 
according to a timed span 
by modifying the GH G to a GH 
, by increasing the global time t to 
, and by inserting the global time 
into the set of violations V when 
does not satisfy the GC 
.
Definition 11
(Operation
). If 
was returned by an application of the operation 
, 
is a timed span, 
is the global time before 
, G is a GH with time-storing variable 
satisfying 
, 
is a set of violations computed until the timepoint t, 
is the global time after 
, 
is the modification of the GH G according to 
, and if 
then 
else 
implements the conditional addition of a violation 
to the set of violations V, then the triple (t, G, V) is modified to the triple
according to the timed span
, written 
.
Moreover, we extend the operation 
to finite TGSs using its iterated application starting with the triple obtained using 
.
For our running example, Procedure 1 returns the sets 
and 
of violations for the pessimistic and the optimistic mode, respectively. Note that the given MTGC is violated at each timepoint in 
, i.e., the violation is detected with a delay of about 5 timeunits. However, we believe that assuming a sufficiently high timed span rate (checking for violations permanently in a hot loop) mitigates this problem of delayed detection. Also, we assume a user-provided policy for deciding whether timepoints are recorded as violations when employed solvers such as Z3 are unable to decide the satisfaction problem in time.
Subsequently, we formally evaluate Procedure 1 by comparing the violations printed by it with a ground truth of violations that would be returned ideally. This ground truth is defined by the operation 
delivering the set of true violations of an MTGC 
in a TGS 
for a maximum checking index n. This set of true violations contains the durations of all prefixes 
of the TGS 
where the MTGC 
is not satisfied subsequently by any continuation 
that is a prefix of 
. Observe that a precise detection of violations thereby requires the knowledge of future steps, which is unavailable in the context of our proposed on-the-fly analysis approach.
Definition 12
(Operation
). If 
is an MTGC, 
is a TGS, 
is a maximum checking index, and 
, then 
.
To enable a comparison of Procedure 1 with the set of true violations, we now introduce the operation 
, which gathers the optimistic and pessimistic violations printed by Procedure 1 up to a given index n.
Definition 13
(Operation
). If 
is the reduction obtained using the operation 
, 
is a TGS of length at least 
starting in graph H, 
is the prefix of length n of 
, 
is the first triple for the on-the-fly analysis, and 
computes the violations 
using the on-the-fly analysis on the prefix 
, then 
.
Based on the presented definitions, we introduce our main result stating that the optimistic and the pessimistic on-the-fly analysis carried out using Procedure 1 (and formalized using the operation 
) determines under- and over-approximations of the set of true violations, respectively. That is, optimistic violations must be true violations and pessimistic violations may be true violations.
Theorem 2
(Approximate Detection of True Violations using Optimistic and Pessimistic On-the-fly Analysis). If 
is an MTGC, 
is a TGS, 
is a maximum checking index, and 
, then
and
.
Proof Idea
The first item holds using Theorem 1 since every violation of the GC 
obtained using reduction for 
ensures that the future evolution used in the operation
is also guaranteed to violate the MTGC 
as the violation cannot be undone in any continuation. The second item holds using Theorem 1 because (via contraposition) when the GC 
obtained using reduction for 
is not violated, this means that the considered TGS prefix 
satisfies the MTGC 
and therefore at least the empty continuation 
satisfies 
as well implying that the current global timepoint is no true violation. 
For our running example from Fig. 3 where the TGS 
has length 3, we observe that 
. This means that the optimistic on-the-fly analysis detects only one true violation at global timepoint 21 but the pessimistic on-the-fly analysis returns additionally a second violation at global timepoint 6 indicating that the MTGC 
may not be satisfied by all continuations, which indeed is the case for the TGS 
. When changing 
to 1 in Fig. 3b, the pessimistic on-the-fly analysis still generates the violation at global timepoint 6 but 6 is no true violation since the result R is then generated in time.
Based on Theorem 2, we obtain, as mentioned in Sect. 1, a three-valued interpretation of MTGL when using Procedure 1 (formalized using the operation 
) to generate optimistic and pessimistic violations. In this interpretation, the absence of a pessimistic violation t guarantees satisfaction, each optimistic violation t guarantees nonsatisfaction, and a pessimistic violation t that is no optimistic violation is an indifferent judgement on satisfaction.
Definition 14
(Three-valued Interpretation of MTGL). If 
is an MTGC, 
is a TGS of length at least 
, and 
is the prefix of length n of 
, then 
if 
, 
if 
, and 
otherwise.
From a practical point of view, Procedure 1 solves the satisfaction problem for three kinds of TGSs. Firstly, non-terminating systems can be analyzed throughout their entire runtime in an on-the-fly manner. Secondly, finite slices of TGSs generated by long-running systems can be analyzed in an offline manner producing pessimistic but no optimistic violations for cases where the ongoing evolution of the system may be admissible. Lastly, terminating systems where a Terminated node is added by the last timed span can be analyzed where pessimistic and optimistic violations coincide after the last step.
However, for formal specifications given by complex MTGCs, we intend to equip violations given by timepoints with human-readable explanations. For this purpose, we may use partial MTGC satisfaction trees following GC satisfaction trees from [25]. We expect that this would also permit an analysis of the causal dependencies among violations and their origins. For our running example, the violation at timepoint 21 has the pessimistic violation at timepoint 6 as an origin because the problematic task T connected to system S was freshly matched at timepoint 6 leading to the violated deadline at timepoint 21.
We implemented Procedure 1 in the tool AutoGraph [24], which supports GL and MTGL and relies on the constraint solver Z3 [16] for checking the satisfiability of ACs. For a high level of confidence, we applied extensive testing of the implemented functionality for diverse and deeply nested MTGCs also covering our running example. Overall, the implementation is promising and demonstrates the feasibility of our approach.
Related Work
Verification approaches for graph transformation systems are incomplete due to their expressiveness. For example, logics such as CTL and PTCTL can be applied to entire state spaces [6, 15] but have limited support for sequence properties relying on atomic propositions. Similarly, invariant verification [4, 23] as an example of static analysis considers graph sequences but only state invariants.
On-the-fly analysis of dynamic systems is used (before deployment) in testing and (after deployment) in specification-based monitoring using specifications given by temporal logics, automata with quantification, and rule-based systems [1]. These approaches are difficult to compare due to highly domain-specific requirements regarding expressiveness, efficiency, and usability. Logic-based approaches e.g. [11, 14] often lack support for key features of MTGL such as data elements, bindings, or metric bounds in temporal operators. A notable exception is the Metric First-Order Temporal Logic (MFOTL) [2], supported by the tool MonPoly, that represents a system state as a set of relations, supports the binding of elements and uses a point based rather than an interval based semantics as MTGL. Note that the encoding of MTGCs in MFOTL is highly technical and error-prone (similarly, the logic of nested graph conditions [9] is advantageous compared to FOL on graphs in graph centered scenarios). Finally, MonPoly imposes syntactic limitations on MFOTL conditions to ensure that provided conditions are satisfied/violated by a finite future.
Logics such as MTGL and MFOTL can be directly applied in the context of runtime monitoring [1, 13]. A roadmap towards such an application using an extended subset of MTGL is presented in an informal way in [21, 22].
Conclusion and Future Work
We introduced an on-the-fly analysis procedure for the satisfaction of MTGCs by infinite TGSs (generated by non-terminating systems) and finite TGSs (generated by terminating systems or representing prefixes of infinite TGSs). The analysis procedure results in a three-valued interpretation of MTGL where unavoidable non-satisfaction is detected via optimistic violations and where potential non-satisfaction in the future is detected via pessimistic violations as soon as possible. The two sets of violations approximate the ground truth given by the set of true violations, which can only be determined by offline analysis for finite terminated TGSs. The on-the-fly analysis procedure including both sets of violations is supported by our extension of the tool AutoGraph.
In the future, we will (a) integrate the since operator into MTGL and the proposed analysis procedure, (b) improve applicability of our approach using more detailed violations, (c) improve the optimistic reduction by simplifying the reduced MTGC using the constraint solver approach from [24], (d) employ incremental GC checking to improve the on-the-fly checking performance, and (e) compare our approach to other tools such as MonPoly w.r.t. efficiency.
Footnotes
At each timepoint during the on-the-fly analysis, we return either no violation, only a pessimistic violation, or a pessimistic and an optimistic violation.
The solver Z3 [16] has support for checking satisfiability of ACs but is known to return indefinite results because satisfiability is undecidable for ACs of unrestricted form. While Z3 always succeeds for our running example, we handle this special case in our prototypical implementation by providing warnings to the user.
The partial function 
obtained as the reversal of the injective function 
does not replace variables in 
that are not mapped to by 
. For simplicity, we assume that G and 
have disjoint sets of variables.
is an AC based on 
and 
attributes stating that all nodes and edges in H are created and not yet deleted at timepoint x.
is an AC stating that the highest 
attribute value in H is x.
Note that the predicate 
is satisfied by construction.
Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) - 241885098, 148420506, 158230677.
Contributor Information
Fabio Gadducci, Email: gadducci@di.unipi.it.
Timo Kehrer, Email: timo.kehrer@informatik.hu-berlin.de.
Sven Schneider, Email: sven.schneider@hpi.de.
Lucas Sakizloglou, Email: lucas.sakizloglou@hpi.de.
Maria Maximova, Email: maria.maximova@hpi.de.
Holger Giese, Email: holger.giese@hpi.de.
References
- 1.Bartocci E, Deshmukh J, Donzé A, Fainekos G, Maler O, Ničković D, Sankaranarayanan S. Specification-based monitoring of cyber-physical systems: a survey on theory, tools and applications. In: Bartocci E, Falcone Y, editors. Lectures on Runtime Verification; Cham: Springer; 2018. pp. 135–175. [Google Scholar]
- 2.Basin DA, Klaedtke F, Müller S, Zalinescu E. Monitoring metric first-order temporal properties. J. ACM. 2015;62(2):15:1–15:45. doi: 10.1145/2699444. [DOI] [Google Scholar]
- 3.Becker, B., Giese, H.: On safe service-oriented real-time coordination for autonomous vehicles. In: ISORC 2008, pp. 203–210. IEEE Computer Society (2008). 10.1109/ISORC.2008.13
- 4.Dyck J, Giese H. k-inductive invariant checking for graph transformation systems. In: de Lara J, Plump D, editors. Graph Transformation; Cham: Springer; 2017. pp. 142–158. [Google Scholar]
- 5.Ehrig H, Ehrig K, Prange U, Taentzer G. Fundamentals of Algebraic Graph Transformation. Heidelberg: Springer; 2006. [Google Scholar]
- 6.Ghamarian AH, de Mol M, Rensink A, Zambon E, Zimakova M. Modelling and analysis using GROOVE. STTT. 2012;14(1):15–40. doi: 10.1007/s10009-011-0186-x. [DOI] [Google Scholar]
- 7.Giese H. Modeling and verification of cooperative self-adaptive mechatronic systems. In: Kordon F, Sztipanovits J, editors. Reliable Systems on Unreliable Networked Platforms; Heidelberg: Springer; 2007. pp. 258–280. [Google Scholar]
- 8.Giese, H., Maximova, M., Sakizloglou, L., Schneider, S.: Metric temporal graph logic over typed attributed graphs. In: Hähnle and van der Aalst [10], pp. 282–298 (2019). 10.1007/978-3-030-16722-6_16
- 9.Habel A, Pennemann K. Correctness of high-level transformation systems relative to nested conditions. Math. Struct. Comput. Sci. 2009;19(2):245–296. doi: 10.1017/S0960129508007202. [DOI] [Google Scholar]
- 10.Hähnle R, van der Aalst W, editors. Fundamental Approaches to Software Engineering; Cham: Springer; 2019. [Google Scholar]
- 11.Havelund K, Peled D. Runtime verification: from propositional to first-order temporal logic. In: Colombo C, Leucker M, editors. Runtime Verification; Cham: Springer; 2018. pp. 90–112. [Google Scholar]
- 12.Koymans R. Specifying real-time properties with metric temporal logic. Real-Time Syst. 1990;2(4):255–299. doi: 10.1007/BF01995674. [DOI] [Google Scholar]
- 13.Leucker M, Schallhart C. A brief account of runtime verification. J. Log. Algebr. Program. 2009;78(5):293–303. doi: 10.1016/j.jlap.2008.08.004. [DOI] [Google Scholar]
- 14.Maler O, Nickovic D. Monitoring temporal properties of continuous signals. In: Lakhnech Y, Yovine S, editors. Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems; Heidelberg: Springer; 2004. pp. 152–166. [Google Scholar]
- 15.Maximova M, Giese H, Krause C. Probabilistic timed graph transformation systems. J. Log. Algebr. Meth. Program. 2018;101:110–131. doi: 10.1016/j.jlamp.2018.09.003. [DOI] [Google Scholar]
- 16.Microsoft Corporation: Z3. https://github.com/Z3Prover/z3
- 17.Neumann, S.: Modellierung und Verifikation zeitbehafteter Graphtransformationssysteme mittels Groove. Master’s thesis, University of Paderborn (2007)
- 18.Orejas F. Symbolic graphs for attributed graph constraints. J. Symb. Comput. 2011;46(3):294–315. doi: 10.1016/j.jsc.2010.09.009. [DOI] [Google Scholar]
- 19.Orejas, F., Lambers, L.: Symbolic attributed graphs for attributed graph transformation. ECEASST 30 (2010). http://journal.ub.tu-berlin.de/index.php/eceasst/article/view/405
- 20.Orejas F, Lambers L. Lazy graph transformation. Fundam. Inf. 2012;118(1–2):65–96. doi: 10.3233/FI-2012-706. [DOI] [Google Scholar]
- 21.Sakizloglou, L., Ghahremani, S., Brand, T., Barkowsky, M., Giese, H.: Towards highly scalable runtime models with history. In: SEAMS 2020. IEEE Computer Society (2020). (to appear)
- 22.Sakizloglou, L., Ghahremani, S., Brand, T., Barkowsky, M., Giese, H.: Towards highly scalable runtime models with history. Technical Report (2020). arxiv: 2004.03727
- 23.Schneider, S., Dyck, J., Giese, H.: Formal verification of invariants for attributed graph transformation systems based on nested attributed graph conditions. In: Gadducci, F., Kehrer, T. (eds.) ICGT 2020, LNCS. Springer, Heidelberg (2020). (to appear)
- 24.Schneider S, Lambers L, Orejas F. Automated reasoning for attributed graph properties. STTT. 2018;20(6):705–737. doi: 10.1007/s10009-018-0496-3. [DOI] [Google Scholar]
- 25.Schneider, S., Lambers, L., Orejas, F.: A logic-based incremental approach to graph repair. In: Hähnle and van der Aalst [10], pp. 151–167 (2019). 10.1007/978-3-030-16722-6_9