DeepAI

On the Complexity of Verification of Time-Sensitive Distributed Systems: Technical Report

This paper develops a Multiset Rewriting language with explicit time for the specification and analysis of Time-Sensitive Distributed Systems (TSDS). Goals are often specified using explicit time constraints. A good trace is an infinite trace in which the goals are satisfied perpetually despite possible interference from the environment. In our previous work (FORMATS 2016), we discussed two desirable properties of TSDSes, realizability (there exists a good trace) and survivability (where, in addition, all admissible traces are good). Here we consider two additional properties, recoverability (all compliant traces do not reach points-of-no-return) and reliability (the system can always continue functioning using a good trace). Following (FORMATS 2016), we focus on a class of systems called Progressing Timed Systems (PTS), where intuitively only a finite number of actions can be carried out in a bounded time period. We prove that for this class of systems the properties of recoverability and reliability coincide and are PSPACE-complete. Moreover, if we impose a bound on time (as in bounded model-checking), we show that for PTS the reliability property is in the Π_2^p class of the polynomial hierarchy, a subclass of PSPACE. We also show that the bounded survivability is both NP-hard and coNP-hard.

• 10 publications
• 2 publications
• 8 publications
• 8 publications
• 9 publications
12/17/2019

LTLf Synthesis with Fairness and Stability Assumptions

In synthesis, assumptions are constraints on the environment that rule o...
06/07/2022

Software Verification of Hyperproperties Beyond k-Safety

Temporal hyperproperties are system properties that relate multiple exec...
04/22/2020

Efficient Trace Encodings of Bounded Synthesis for Asynchronous Distributed Systems

The manual implementation of distributed systems is an error-prone task ...
09/03/2020

A small-step approach to multi-trace checking against interactions

Interaction models describe the exchange of messages between the differe...
10/31/2020

Analysis and Reliability of Separable Systems

The operation of a system, such as a vehicle, communication network or a...
01/30/2019

A Constructive Equivalence between Computation Tree Logic and Failure Trace Testing

The two major systems of formal verification are model checking and alge...
01/19/2021

The Complexity of Monitoring Hyperproperties

We study the runtime verification of hyperproperties, expressed in the t...

1 Introduction

In our previous work [16], we considered the verification of Time-Sensitive Distributed Systems (TSDS) motivated by applications with autonomous drones performing surveillance of an area. The drones must always collectively have recent pictures, i.e., at most M time units old, of certain strategic locations. In attempting to achieve this goal, the drones consume energy and must return to the base station to recharge their batteries. In addition, the environment may interfere as there may be winds that move the drone in a certain direction, or other flying objects may block a drone’s path.

In [16] we considered two verification properties, realizability and survivability. Here we introduce two more properties, reliability and recoverability. Let us explain all four properties in a little more detail. The realizability problem consists of checking, whether under the given time constraints, the specified system can achieve the assigned goal, e.g., always collect recent pictures of the sensitive locations. In many settings, the drones themselves or the environment may behave non-deterministically. For example, if a drone wants to reach a point in the northeast, it may initially move either north or east, both being equally likely. Similarly, there could be wind at a particular location, causing any drone under the influence of the wind to move in the direction of the wind. A stronger property, survivability, accounts for such nondeterminism and tests whether the specified system can achieve the assigned goal for all possible outcomes (of drone actions and environmental influences). The properties of realizability and survivability represent the two extremes w.r.t. requirements placed on a system. A system that is realizable can achieve the designed goal in some way. A system that satisfies survivability will always achieve the goal, under all circumstances. In some cases, realizability may not be satisfactory, while in others, survivability may be too costly or unattainable. For such systems, intermediate solutions are of interest.

To model such intermediate requirements in system design, in this paper we introduce additional properties, namely reliability  and recoverability. In order to ensure system goals, drones should always be able to function. In particular, drones should always be able to come back to recharge, both in terms of distance and energy. In other words, drones should never go too far and reach so-called points-of-no-return where it may no longer be possible to safely return to home base. Engineers should strive to program drones to avoid reaching points-of-no-return. This property is referred to as recoverability.

A system satisfies reliability if the system is always able to successfully continue its expected performance, i.e., the system never gets stuck. For example, drones should always be able to ensure the system goals, regardless of the disturbances they have experienced in the environment. At any point in time, after the drones have successfully monitored sensitive locations for a certain period of time, they should be able to find a way to continue with their good performance. For example, considering possible technical failures and maintenance of the drones, it may be necessary for engineers to call in additional drones to collectively provide up-to-date images of the entire area of interest.

Following [16], we focus on a class of systems called Progressing Timed Systems (PTS), which are specified as timed multiset rewriting theories. In a PTS, only a finite number of actions can be carried out in a bounded time interval. In addition to formalizing the properties, we show that the following relations hold for PTS:

 Survivability ⟹ Reliability ⟺ Recoverability ⟹ Realizability .

In their spirit, these properties seem similar to safety and liveness properties [1]

or a combination of these properties. However, it is not straightforward to classify them in these terms. The properties we consider, defined in Section

4.3, contain an alternation of quantifiers, which makes it more challenging to formally represent them as a combination of safety and liveness properties [1].

In our previous work [20, 19, 15, 18], we proposed a timed Multiset Rewriting (MSR) framework for specifying compliance properties similar to quantitative safety properties [1, 6] and investigated the complexity of a number of decision problems. These properties were defined over sets of finite traces, i.e., executions of a finite number of actions. The above properties, on the other hand, are defined over infinite traces.

The transition to properties over infinite traces leads to many challenges, as one can easily fall into undecidable fragments of verification problems. The main challenge is to identify the syntactic conditions on specifications so that the verification problems fall into a decidable fragment and, at the same time, that interesting examples can be specified.

The remainder of the paper is organized as follows:

• Following [16], in Section 2 we discuss Progressing Timed Systems (PTS). In Section 3 we illustrate its expressiveness by encoding a simplified drone example as a PTS.

• In Section 4 we define a language for specifying the relevant quantitative temporal properties of timed systems used to define the properties of realizability, reliability, recoverability and survivability.

• In Section 5 we then formally compare the expressiveness of these properties.

• Section 6 investigates the complexity of verification problems that involve the above properties. While these problems are undecidable in general [20], we show that they are PSPACE-complete for PTSes. We also show that, when we bound time (as in bounded-model checking), realizability of PTSes is NP-complete, survivability is in the class of the polynomial hierarchy and the reliability is in the class of the polynomial hierarchy [28]. The upper bound results regarding realizability and survivability were obtained in [16], while here we obtain new complexity results for the lower bound complexity results for the -time bounded survivability and the complexity results relating to reliability from Section 6.

• We also provide a discussion on related and future work, Section 7.

Relation to our previous work

This technical report considerably extends the conference paper [16]. It also updates and subsumes the technical report [17]. For ease of reference, we include some of the material from [16, 17]. All the material involving properties of reliability and recoverability is new, including the investigation of the relations among all four properties from Section 5, the complexity results relating to reliability from Section 6, and the lower bound complexity results for -time bounded survivability are new.

2 Multiset Rewriting Systems

Assume a finite first-order typed alphabet, , with variables, constants, function and predicate symbols. Terms and formulas are constructed as usual (see [10]) by applying symbols of correct type (or sort).

Definition 1 (Fact)

If is a predicate of type , where is the type for propositions, and are terms of types , respectively, then is a fact. A fact is ground if it contains no variables.

We assume that the alphabet contains the constant denoting zero and the function denoting the successor function. Whenever it is clear from the context, we write for and for .

In addition, we allow an unbounded number of fresh values [5, 9] to be involved.

In order to specify timed systems, we attach a timestamp to each fact.

Definition 2 (Timestamped Fact)

Timestamped facts are of the form , where is a fact and is a natural number called timestamp.

Note that timestamps are not constructed by using the successor function. To obtain the complexity results, we use a symbolic representation of the problems and abstractions that can handle unbounded time values. For more insight see discussion after Definition 7.

There is a special predicate symbol with arity zero that is used to represent global time.

For simplicity, we often just say facts instead of timestamped facts. Also, when we want to emphasize the difference between a fact and a timestamped fact , we say that is an untimed fact.

Definition 3 (Configuration)

A configuration is a finite multiset of ground timestamped facts,    with a single occurrence of a fact.
Given a configuration containing , we say that a fact in is a future fact if its timestamp is greater than the global time , i.e., if  . Similarly, a fact in is a past fact if  , and a fact in is a present fact if  .

Configurations are to be interpreted as states of the system. Consider the following configuration where the global time is 4:

 S1={Time@4,Dr(d1,1,2,10)@4,Dr(d2,5,5,8)@4,P(p1,1,1)@3,P(p2,5,6)@0}

Fact denotes that drone is at position at time with energy units left in its battery; fact denotes that a point to be monitored is at position and that the last picture of it was taken at time . Thus, the above configuration denotes a scenario with two drones located at positions and and with 10 and 8 energy units, and with two points to be monitored at positions and , where the former was last photographed at time and the latter at time 0.

Using variables, including time variables, we are able to represent (sets of) configurations of particular form. For example,

 Time@(T+D),Dr(X,5,6,Y)@(T+D),P(p2,5,6)@T

specifies that some drone with energy units is currently at the position and that the point of interest at position was last photographed time units ago. This holds for any configuration containing the above facts for some instantiation of the variables and .

Configurations are modified by multiset rewrite rules which can be interpreted as actions of the system. There is only one rule, , which represents how global time advances

 Time@T⟶Time@(T+1) (1)

where is a time variable denoting the global time. With an application of a rule, a configuration representing the state of a system at time  , is replaced with the configuration  representing the system at time  .

The remaining rules are instantaneous, since they do not modify global time, but may modify the remaining facts of configurations (those different from ). Instantaneous rules have the form:

 (2)

where are natural numbers,   are timestamped facts, possibly containing variables, and is the guard of the rule which is a set of constraints involving the time variables that appear as timestamps of facts in the pre-condition of the rule, i.e., the variables  . The facts and are all different from the fact and are variables that do not appear in .

Constraints may be of the form:

 T>T′±d or T=T′±d (3)

where and are time variables, and is a natural number.

Here and throughout the rest of the paper, the symbol stands for either or , i.e., constraints may involve addition or subtraction.

We use to denote the disjunction of and . All variables in the guard of a rule are assumed to appear in the rule’s pre-condition.

Finally, the variables that are existentially quantified in a rule (Eq. 2) are to be replaced by fresh values, also called nonces in the protocol security literature [5, 9]. As in our previous work [14], we use nonces whenever unique identification is required, for example for drone identification.

Let     and     be multisets of timestamped facts. A rule    can be applied to a configuration if there is a ground substitution such that     and that   is true. The resulting configuration is

 ((S∖W)∪W′)σ ,

where variables are fresh. More precisely, given a rule , an instance of a rule is obtained by substituting constants for all variables appearing in the pre- and post-condition of the rule. This substitution applies to variables appearing in terms inside facts, to variables representing fresh values, and to time variables used to specify timestamps of facts.

An instance of an instantaneous rule can only be applied if all the constraints in its guard are satisfied. For example, since  (when instantiating as the timestamp of the fact  ) rule

is applicable to configuration

 { Time@5,Dr(d1,1,2,10)@5,Dr(d2,5,6,7)@5,P(p1,1,1)@3,P(p2,5,6)@0 },

resulting in configuration

 { Time@5,Dr(d1,1,2,10)@5,Dr(d2,5,6,6)@6,P(p1,1,1)@3,P(p2,5,6)@5 },

but it is not applicable to the following configuration

 { Time@5,Dr(d1,1,2,10)@5,Dr(d2,5,5,8)@5,P(p1,1,1)@3,P(p2,5,6)@4 }

because there are no facts in the configuration such that its timestamp satisfies the given constraint, , involving the global time . Namely,   and  .

Following [9] we say that a timestamped fact is consumed by a rule if that fact occurs more times on the left side than on the right side of the rule . A timestamped fact is created by some rule if this fact occurs more times on the right side than on the left side of the rule . Hence, facts are consumed by rule (Eq. 2) while facts are created by this rule. Note that a fact can appear in a rule with different timestamps, but for the above notions we count instances of the same timestamped fact . In a rule, we usually color red the consumed facts and blue the created facts.

Remark 1

Using constraints we are able to formalize time-sensitive properties and problems that involve explicit time requirements. The set of constraints may, however, be empty, i.e., rules may have no constraints attached.

We write   for the one-step relation where the configuration is rewritten into using an instance of rule . For a set of rules , we define    to be the transitive reflexive closure of the one-step relation on all rules in . We omit the subscript  , when it is clear from the context, and simply write  .

Note that due to the nature of multiset rewriting, there are various aspects of non-determinism in the model. For example, different actions and even different instantiations of the same rule may apply to the same configuration , leading to different resulting configurations .

Definition 4 (Timed MSR System)

A timed MSR system is a set of rules containing only instantaneous rules (Eq. 2) and the rule (Eq. 1).

A trace of a timed MSR system is constructed by a sequence of its rules. In this paper, we consider both finite and infinite traces. A finite trace of a timed MSR system starting from an initial configuration is a sequence

 S0⟶S1⟶S2⟶⋯⟶Sn

and an infinite trace of starting from an initial configuration is a sequence

 S0⟶S1⟶S2⟶⋯⟶Sn⟶⋯

where for all  ,    for some . When a configuration apperas in a trace we write  .

We will pay particular attention to periods of time represented by traces. Since time advances by one unit of time per rule, a finite (infinite) number of rules in a trace represents a finite (infinite) time period. One can easily imagine traces containing a finite number of rules and an infinite number of instantaneous rules. Such traces would represent an infinite number of actions performed in a finite time interval. In this paper we are not interested in such traces and focus on so called infinite time traces.

Definition 5 (Infinite Time Trace)

A trace of a timed MSR is an  infinite time trace  if the time tends to infinity in , i.e., such that   and  .

Since in any trace, the global time ticks in single time units, it follows immediately that any infinite time trace is an infinite trace, and it contains an infinite number of rules.

We have shown in our previous work [21, 14, 20, 15, 18] that problems involving MSR, such as checking whether a configuration can be reached, are undecidable if no further restrictions are imposed. These problems are undecidable already when considering only finite traces. However, these problems are decidable for balanced MSR systems [21, 20] that assume an upper-bound, , on the size of facts formally defined below.

Definition 6 (Balanced System)

A timed MSR system is balanced if for all instantaneous rules , creates the same number of facts as it consumes, i.e., the instantaneous rules are of the form:

 Time@T,W,F1@T′1,…,Fn@T′n ∣ C ⟶  ∃→X. [ Time@T,W,Q1@(T+d1),…,Qn@(T+dn)] . (4)

By consuming and creating facts, rewrite rules can increase and decrease the number of facts in configurations throughout a trace. However, in balanced MSR systems, rule application does not affect the number of facts in a configuration. That is, enabling configuration has the same number of facts as the resulting configuration. Hence, the number of facts in configurations is constant throughout a trace.

Definition 7 (Size of a Fact)

The size of a timestamped fact , written is the total number of alphabet symbols appearing in .

For instance, . For our complexity results, we assume a bound, , on the size of facts. Without this bound (among other restrictions), any interesting decision problem is shown undecidable by encoding the Post correspondence problem [9]. Note that the value of the timestamp is not considered in the size of facts. For the complexity results, the (unbounded) time values of timestamps are handled using the abstractions and the symbolic representation of the problems.

2.1 Progressing Timed Systems

Following [16], we discuss a particular class of timed MSR systems, called progressing timed MSR systems (PTSes), in which only a finite number of actions can be carried out in a bounded time interval. This is a natural condition for many systems, similar similar to the finite-variability assumption used in the temporal logic and timed automata literature.

Definition 8 (Progressing Timed System)

A timed MSR system is a progressing timed MSR system (PTS) if is balanced and for all instantaneous rules :

• Rule creates at least one fact with timestamp greater than the global time, i.e., in (Eq. 2),     for at least one  ;

• Rule consumes only facts with timestamps in the past or at the current time, i.e., in (Eq. 2), the set of constraints   contains the set

 Cr={ T≥T′i∣Fi@T′i, 1≤i≤n } .

For the sake of readability, from this point on we assume that for all rules the set of their constraints implicitly contains the set  , as shown in Definition 8, and do not always write   explicitly in our specifications.

The following rule, which denotes the action of a drone taking a photo of a point of interest, is an example of a rule in a PTS:

Note that the constraint is used to prevent drones from repeatedly photographing the same point of interest at the same time to save energy. Also, the created future fact prevents the same drone from performing the same action in the same time unit.

The following proposition [16] establishes a bound on the number of instances of instantaneous rules appearing between two consecutive instances of rules in a trace of a PTS. This bound is then used to formalize the intuition that PTSes always move things forward.

Proposition 1

Let be a PTS, an initial configuration and the number of facts in . For all traces of starting from , let

 Si⟶TickSi+1⟶⋯⟶Sj⟶TickSj+1

be any subtrace of   with exactly two instances of the rule, one at the beginning and the other at the end. Then  .  [16]

Proof

The statement easily follows from Definition 8. Let be an arbitrary trace in and

 Si⟶TickSi+1⟶⋯⟶Sj⟶TickSj+1

an arbitrary subtrace of with exactly two instances of the rule. All the rules between rules in the above subtrace are instantaneous.

Since is a PTS, the application of any instantaneous rule creates at least one future fact and consumes at least one present or past fact. In other words, an application of an instantaneous rule reduces the total number of past and present facts in the configuration.

Since the system is balanced, all the above configurations have the same number of facts, . Recall also that the fact does not change when the instantaneous rules are applied. Thus, since there are at most present or past facts different from in any , , a series of at most instantaneous rules can be applied between two rules. ∎

According to the above statement, in a PTS an unbounded number of instantaneous rules cannot be applied in a bounded interval of time. Also, from the above result we can conclude that infinite traces in PTSes represent infinite time periods. In particular, this means that in traces of PTSes there are no phenomena similar to Zeno paradox. This is stated in the following proposition.

Proposition 2

Let be a PTS. All infinite traces of are infinite time traces, i.e., traces where time tends to infinity.  [16]

Proof

Assume that in some infinite trace of a PTS the current time does not exceed some value . Then, since timestamps are natural numbers, and time advances by a single time unit, there are at most time ticks in .

According to Proposition 1 there are at most instantaneous rules between any rule and the next rule in .

Consequently, in total, there are at most rules in , i.e. is a finite trace. Contradiction. ∎

Finally, notice that the PTS model has many syntactic conditions, e.g., balanced condition (Definition 6), the form of time constraints (Eq. 3), the form of instantaneous rules (Eq. 2). Each of these conditions has been carefully developed. As we have shown in our previous work [20], relaxing any of these conditions leads to undecidability of important verification problems, such as the reachability problem, over finite traces. Clearly, these conditions are also needed for infinite traces.

The additional challenge in allowing infinite traces is to make sure that time advances in such a way that traces represent arbitrarily large time periods. Our definition of PTS is a simple and elegant way to enforce this. Moreover, as we show in Section 3, it is still possible to specify many interesting examples with our PTS model, including our motivating example, and still prove the decidability of our verification problems involving infinite traces (Section 6).

3 Programming Drone Behavior using PTS

Following [16], Figure 1 depicts the macro rules of our motivating scenario where drones are moving on a fixed grid of size , have at most energy units and take pictures of some points of interest. We assume that there are such points , where is fixed, a base station is at position , and that the drones should regularly take pictures so that all pictures are recent. That is, at any time, each of the points of interest should have been photographed in the last time units, for some given .

Clearly if drones non-deterministically choose to move in some direction without a particular strategy, they will fail to achieve the assigned goal. A strategy of a drone can be specified using time constraints.

For this example, the strategy would depend on the difference , for , specifying the elapsed time since the last picture of the point was taken. This can be specified with the following set of time constraints:

 T(d1,…,dn)={ T−T1=d1,…,T−Tn=dn }

where for all we instantiate by values in .

For example, the macro rule with   in Figure 1 is replaced by the set of rules:

where returns a tautology or an unsatisfiable constraint depending on the desired behavior of the drone.

Finally, macro rules for moving the drone, taking a picture, charging, and macro specifying winds are similarly defined.

While most of the rules have the expected result, we only explain the click and wind rules. The click rule is applicable if the drone is at the position of some point of interest. If applied, the timestamp of the fact is updated to the current time . The wind rule is similar to the move rules moving the drone to some direction, but does not cause the drone to consume its energy.

In our implementation in [16] we used a more sophisticated approach described in [31] using soft-constraints to specify a drone’s strategy. It can be translated into a PTS that incorporates the strategy described above.

Other Examples

Besides examples involving drones, other exampels also seem to be progressing. For example, in our previous work [20], we specify a monitor for clinical trials using our timed MSR system framework with discrete time. This specification is progressing.

There are a number of other examples which we have been investigating and that are progressing. For example,  [30] models a simplified version of a package delivery systems inspired by Amazon’s Prime Air service, and  [31] models a patrolling bot which moves from one point to another. All these examples seem to be progressing.

4 Quantitative Temporal Properties

Following [16], we begin the Section 4.1 by discussing critical configurations, a language used to define desirable properties of systems. This is a key concept in our framework, used to describe explicit timing constraints that a system should satisfy. In Section 4.2 we discuss lazy time sampling, which is a condition on traces that intuitively enforces that systems react at the expected time. Then in Section 4.3, we discuss a number of verification problems.

4.1 Critical Configurations and Compliant Traces

Critical configurations specifications are used for specifying bad configurations that should be avoided by a system.

Definition 9 (Critical Configuration)

Critical configuration specification is a set of pairs

 CS={ ⟨S1,C1⟩,…,⟨Sn,Cn⟩ } .

Each pair    is of the form:

 ⟨ {F1@T1,…,Fpj@Tpj},Cj ⟩

where are time variables, are facts (possibly containing variables) and is a set of time constraints involving only the variables .

Given a critical configuration specification, , we classify a configuration as critical w.r.t. if for some , there is a grounding substitution, , such that:

• ;

• All constraints in are satisfied.

The substitution application () is defined as usual [10], i.e., by mapping time variables in to natural numbers, nonce names to nonce names (renaming of nonces), and non-time variables to terms. Notice that nonce renaming is assumed, since the particular nonce name should not matter for classifying a configuration as critical. Nonce names cannot be specified in advance, since they are freshly generated in a trace, i.e., during the execution of the process being modelled.

Example 1

We can specify usual safety conditions which do not involve time. For example, a drone should never run out of energy. This can be specified by using the following set of critical configuration specification:

 { ⟨ {Dr(Id,X,Y,0)@T},∅ ⟩∣Id∈{d1,d2},X∈{0,…,xmax},Y∈{0,…,ymax} } .
Example 2

The following critical configuration specification specifies a quantitative property involving time:

 { ⟨ {P(p1,x1,y1)@T1,Time@T},{T>T1+M} ⟩,……,⟨ {P(pn,xn,yn)@Tn,Time@T},{T>Tn+M} ⟩ } .

Together with the specification in Figure 1, this critical configuration specification specifies that the last pictures of all points of interest  ( i.e., located at  ) should have timestamps no more than time units old.

Example 3

Let the facts and denote, respectively, that at time the drone entered the base station located at to recharge, and that the station is empty. Moreover, assume that only one drone may be positioned in a station to recharge, which would be specified by adding the following rules specifying the drone landing and take off:

Then, the critical configuration specification

 { ⟨{St(Id,X,Y)@T1,Time@T},{T>T1+M1}⟩∣Id∈{d1,d2}}

specifies that one drone should not remain in a base station for too long (more than time units) preventing other drones to charge.

Example 4

Fresh values may be useful in specifying various critical configurations which may involve identification, history of events or communication protocols. For example, drones may communicate between themselves to coordinate their flights. They may also use cryptographic protocols with other agents in the system, e.g., to send pictures of points of interest to be stored on the system data base. Such applications and requirements are easily formalized using fresh values.
For example, drones must be uniquely identified, i.e., should not have the same :

 { ⟨ {Dr(Id,X,Y,E)@T, {Dr(Id,X′,Y′,E′)@T′},∅ ⟩} .

Also, in case recharging of batteries is separately managed and billed, even visits to the recharge stations should be uniquely identified for correct billing. Similarly, pictures of points of interest may require identification for documentation. In that case, rules given in Figure 1 can easily be modified to include fresh values, e.g., by replacing facts with facts in all rules, and including creation of fresh value in the rule involving constraint.

Definition 10 (Compliant Trace)

A trace of a timed MSR system is compliant w.r.t. a given critical configuration specification if does not contain any configuration that is critical w.r.t. .

Note that if the critical configuration specification is empty, no configuration is critical, i.e., all traces are compliant.

For simplicity, when the corresponding critical configuration specification is clear from the context, we will elide it and use terminology critical configuration. Also, when it is clear from the context, we often elide the timed MSR system and the critical configuration specification with respect to which we consider critical configurations, and simply say that a trace is compliant.

4.2 Time Sampling

Following [16], in order to define sensible quantitative verification properties, we need to assume some conditions on when the Tick rule is applicable. Otherwise, any MSR system allows traces containing only instances of rules:

 S1⟶TickS2⟶TickS3⟶TickS4⟶Tick⋯

In such a trace, the system never acts to avoid critical configurations and would easily contain a critical configuration , related to some constraint , involving global time and sufficiently large .

Imposing a time sampling is one way to avoid such traces where the time simply ticks. Time sampling is used, for example, in the semantics of verification tools such as Real-Time Maude [26]. In particular, time sampling dictates when the rule must be applied and when it cannot be applied. Such a treatment of time is used for both dense and discrete times in searching and model checking timed systems.

Definition 11 (Lazy Time Sampling (l.t.s.))

A (possibly infinite) trace of a timed MSR system uses lazy time sampling if for any occurrence of the rule in , no instance of any instantaneous rule in can be applied to the configuration .

In lazy time sampling instantaneous rules are given a higher priority than the rule. Under this time sampling, a drone should carry out one of the rules in Figure 1

at each time while time can only advance when all drones have carried out their actions for that moment. This does not mean, however, that the drones will satisfy their goal of always having recent pictures of the points of interest as this would depend on the behavior of the system,

i.e., the actions carried out by the drones.

In the remainder of this paper, we focus on the lazy time sampling. We leave it to future work to investigate whether similar results hold for other time sampling schemes.

4.3 Verification Problems

Four properties are discussed in this section: Realizability and Survivability from [16] and the new properties of reliability and recoverability. Figure 2 illustrates these properties, which we define below. Since the names of the properties sound similar in English, we also introduce one-letter names for the properties for better readability and differentiation.

The first property we discuss is realizability. It guarantees that the given system can achieve the assigned goal under the given time constraints and design specifications, e.g., that drones can repeatedly collect up-to-date images of the sensitive locations.

Realizability is useful for increasing confidence in a specified system, since a system that is not realizable cannot accomplish the given tasks (specified by a critical specification) and the designer would therefore have to reformulate it.

However, if a system is shown to be realizable, the trace, , that proves realizability could also provide insights into the sequence of actions that lead to accomplishment of the specified tasks. This can be used to refine the specification and reduce possible non-determinism.

Definition 12 (Realizability / Z property)

A timed MSR system satisfies realizability with respect to an initial configuration , a critical configuration specification and the l.t.s. if there exists a compliant infinite time trace from that uses the l.t.s. 111 For simplicity, in the rest of the paper, for properties of systems and configurations, we will not always explicitly state the critical configuration specification, initial configuration, and/or time sampling with respect to which the property is considered. For example, when it is clear from the context, we simply say that a system satisfies  property or is realizable.
Also, when for a property of an MSR we only consider traces that use lazy time sampling, we also say that uses the lazy time sampling.
[16]

The  property of a timed MSR w.r.t. and l.t.s. can be expressed using the formula:

 FZ~{}(T,S0):=∃t∈TT,S0.[t∈TTtime∩T% Tlts∩TTc],

where   is the set of all traces of starting from ,   is the set of all infinite time traces of ,   is the set of all traces of that use the l.t.s. and   is the set of all traces of compliant w.r.t. .

Open distributed systems are inherently non-deterministic due to, e.g., the influence of the environment with winds. Therefore, it is important to know whether the system can avoid critical configurations despite non-determinism. We call this property survivability.

Definition 13 (Survivability / S property)

A timed MSR satisfies survivability w.r.t. an initial configuration , a critical configuration specification and the l.t.s. if it satisfies realizability with respect to , , and the l.t.s. and if all infinite time traces from that use the l.t.s. are compliant. [16]

Using the above notation, the  property of a timed MSR can be expressed with:

 FS~{}(T,S0):=FZ~{}(T,S0)∧∀t∈TT,S0.[t∈TTtime∩TTlts⇒t∈TTc].

Although survivability is a desirable property, much more so than realizability, it can sometimes be a rather severe requirement for a system, or even unachievable. Hence, when designing a system, one may want to compromise and consider less demanding properties. For example, one may want to avoid configurations that appear as “dead-ends”, i.e., configurations that necessarily lead to critical configurations. We call such configurations points-of-no-return. For example, drones should not fly so far that it is no longer possible to reach a recharging station due to energy consumption.

Definition 14 (Point-of-No-Return)

Given a timed MSR system , a configuration is called a point-of-no-return with respect to a critical configuration specification and the l.t.s. if is not critical with respect to , and if all infinite traces of starting with and using the l.t.s. are not compliant with respect to .

The set of all configurations that are points-of-no-return of a timed MSR , , can be described as   where   is the set of all critical configurations of and   is the set of all infinite traces of .

There exists no compliant infinite trace from a point-of-no-return that uses the l.t.s. A point-of-no-return  itself is not critical, but must eventually lead to a critical configuration on every infinite trace that uses the l.t.s. Therefore, configurations such as points-of-no-return are not desirable w.r.t. goal achievement, i.e., points-of-no-return should be avoided when searching for (infinite) compliant traces.

Remark 2

A point-of-no-return  represents the system that still satisfies the required conditions, but it will inevitably fall into a bad state where this is no longer the case. Therefore, to better distinguish between points-of-no-return  and critical configurations, the condition that a point-of-no-return is not critical is included in the definition.

Using the notion of points-of-no-return, we introduce new properties of our systems.

Definition 15 (Recoverability / V property)

A timed MSR system , satisfies recoverability with respect to an initial configuration , a critical configuration specification and the l.t.s. if it satisfies realizability with respect to , and the l.t.s. and if no point-of-no-return  is reachable from on a compliant trace that uses the l.t.s. That is, if a configuration is reachable from on a compliant trace that uses the l.t.s., then is not a point-of-no-return.

The  property of a timed MSR can be expressed with the following formula:

 FV~{}(T,S0):=FZ~{}(T,S0)∧[∀t∈TT,S0∩TTc∩TTlts.∀S∈t.S∉CTpon].

Configurations that are points-of-no-return should be avoided. For example, a drone may enter an area where it may end up with empty batteries due to frequent high winds. Such points should be avoided. In fact, with the  property we want to ensure that all finite compliant traces from the initial configuration that use the l.t.s. can be extended to infinite compliant traces that use the l.t.s.

Next, with the reliability property, we want to ensure that as long as one follows a compliant trace, there is a way to extend the trace to a compliant infinite time trace. In our drone scenario, a reliable system should be designed so that as long as the drones follow instructions, including rules for flying in high winds, there is always a way for the drones to avoid critical configurations.

Definition 16 (Reliability / L property)

A timed MSR system satisfies reliability with respect to an initial configuration , a critical configuration specification , and the l.t.s. if it satisfies realizability with respect to , , and the l.t.s. and if for any configuration reachable from on a compliant trace that uses the l.t.s., there exists a compliant infinite time trace from that uses the l.t.s.

The  property of a timed MSR can be expressed with the following formula:

A timed MSR system that satisfies the  property represents a system that is always able to avoid points-of-no-return. Such a system satisfies the  property, but it may not satisfy the  property. Indeed, the class of systems satisfying the  property is a proper superclass of the class of systems satisfying the  property. Systems satisfying the  property also satisfy the  property, while the class of systems satisfying the  property  is a proper superclass of the class of systems satisfying the  property. We present these results in Section 5, for general MSR systems and PTSes.

4.3.1 Time-Bounded Versions of Verification Problems

Motivated by bounded model checking, we also investigate the time-bounded versions of the above problems. Instead of infinite traces, in time-bounded versions of the verification problems we consider traces that have exactly a fixed number of occurrences of Tick rules. Time bounded version of realizability and survivability were introduced in [16], while time bounded version of reliability is novel here.

Definition 17 (n-Time Realizability / n-Z property)

A timed MSR system satisfies - property with respect to the l.t.s., a critical configuration specification , and an initial configuration if there exists a compliant trace, , from that uses the l.t.s. such that global time advances by exactly time units in . [16]

Definition 18 (n-Time Survivability / n-S property)

A timed MSR system satisfies -time survivability property with respect to the l.t.s., a critical configuration specification and an initial configuration if it satisfies - property and if all traces with exactly instances of the rule starting with and using the l.t.s. are compliant.

Analogously, we define the -time bounded version of the reliability problem. We consider all compliant traces covering at most time units, and extend them to compliant traces over exactly time units.

Definition 19 (n-Time Reliability/ n-L property)

A timed MSR system satisfies -time reliability with respect to an initial configuration , a critical configuration specification , and the l.t.s. if it satisfies - property with respect to , , and the l.t.s. and if for any configuration , reachable from on a compliant trace that uses the l.t.s. and has at most instances of the rule, there exists a trace that uses the l.t.s. such that:

1. extends ;

2. is compliant;

3. has exactly instances of the rule.

Since the notion of a point-of-no-return is defined to be inseparable from infinite traces, it is not appropriate for the time-bounded version of the verification problems. That is, time-bounded version of the recoverability system problem makes little sense. Moreover, as we show in Section 5, for PTSes problems of reliability and recoverability coincide. Hence, we do not consider the bounded version of recoverability problem separately.

5 Relations Among Properties of Timed MSR

In this section we formally relate all the different properties defined in Section 4.3.

In order to compare these properties we review the machinery introduced in our previous work [20] called -representations. This machinery is also used in Section 6 to obtain complexity results for the corresponding verification problems.

5.1 δ-representations

Some of our results, for a given timed MSR , an initial configuration and a critical configuration specification , will mention the value which is an upper-bound on the natural numbers appearing in , and . The value of can be inferred syntactically by simply inspecting the timestamps of , the values in timestamps of rules (which are of the form  ) and constraints in and (which are of the form , and  ). For example, the for the specification in Figure 1.

For our results we assume a bound on the size of facts. For example, in our specification in Figure 1, we can take the bound  .

Notice, however, that we do not always impose an upper bound on the values of timestamps. Also, we allow an unbounded number of fresh values to appear in a trace.

Definition 20

Let   be a configuration of a timed MSR written in canonical way where the sequence of timestamps is non-decreasing. (For the case of equal timestamps, we sort the facts in alphabetical order, if necessary.) The -representation of for a given is

 δS,Dmax=[ Q1,δQ1,Q2,Q2,…,Qn−1,δQn−1,Qn,Qn ] .

Here, for a given natural number ,    is the truncated time difference of two timed facts   and   with , defined as follows:

 δP,Q={t2−t1,  provided  t2−t1≤Dmax∞,  otherwise  .

For simplicity, when is clear from the context, we sometimes write instead of  .

In our previous work [19, 20], we showed that a -representation is an equivalence class on configurations. Namely, for a given , we declare and equivalent, written  , if and only if their -representations are exactly the same, up to nonce renaming, i.e., where is a bijection on the set of nonce names.

This equivalence relation is well-defined with respect to time constrains, i.e.,  configurations that have the same -representation satisfy exactly the same set of constraints. Here, when saying that configurations satisfy the same constraint, we implicitly mean that time variables of the constraint refer to the same facts in both configurations. Therefore, we can say that a -representation satisfies a constraint or does not. Similarly, we say that a -representation is critical iff it is the -representation of a critical configuration.

Also, the equivalence among configurations is well-defined with respect to application of rules, i.e.,  application of rules on -representations is unambiguous. Therefore we can consider traces over -representations. For details on the concrete procedure of how to apply a rule on a given -representation see [20, Section 4.3].

We naturally extend the notion of a compliant trace and say that a trace over -representations is compliant iff it does not contain any critical -representation. Also, we say that a trace over -representations uses the l.t.s. if rule is applied to a -representation in that trace only when no instantaneous rule is applicable.

Moreover, in [20, Theorem 4.1] we have shown that there is a bisimulation between (compliant) traces over configurations and (compliant) traces over their -representations in the following sense:      iff    .

When considering concrete problems and corresponding bisimulations, the bound is inferred from numerical values appearing in the problem specification. This ensures that all configurations in traces are future bounded, i.e., do not contain facts such that . This is important for faithful representation of time advances. For more details see [20, Section 4.3].

For self-containment of the paper, in the proof of the following result from [16] we present main proof ideas used in [20] and, moreover, we additionally address the l.t.s.

Proposition 3

For any timed MSR , a critical configuration specification and an initial configuration the equivalence relation between configurations is well-defined with respect to the rules of the system (including time advances), the l.t.s. and critical configurations.
Namely, to any compliant trace starting from the given initial configuration corresponds a compliant trace over -representations starting from . In particular, a trace over configurations uses the l.t.s. iff the corresponding trace over -representations uses the l.t.s.  [16]

Proof

We firstly show that application of rules on -representations is independent of the choice of configuration from the same class. Assume and are equivalent configurations, and assume that is transformed to by means of a rule , as shown in the diagram below. Recall that equivalent configurations satisfy the same set of constraints. Hence, the rule  is applicable to and will transform into some :

 S1→αS′1⫼S2→α S′2

It remains to show that is equivalent to . We consider the two types of rules for , namely, time advances and instantaneous rules.

Let the time advance transform into , and to . Since only the timestamp denoting the global time in is increased by 1, and the rest of the configuration remains unchanged, only truncated time differences involving change in the resulting -representations. Because of the equivalence , for a fact in with , and , we have with , and in as well. Therefore, we have

 δP,Time={t+1,  provided  t+1≤Dmax∞,  otherwise

both in and . On the other hand, for any future fact with in and in , we get in both and . Therefore, and are equivalent. Recall that since all configurations in the trace are future bounded, , so is well-defined.

The reasoning for the application of instantaneous rules is similar. Each created fact in and is of the form and , where and represent global time in and , respectively. Therefore each created fact has the same difference, , to the global time in the corresponding configuration. This implies that the created facts have the same truncated time differences to the remaining (unchanged) facts. Namely,  ,  hence for , and  with  ,

 δR,P=δTime,P−δTime,R .

Notice here that because all configurations are future bounded, so the above difference is well-defined (finite). Similarly, when  ,

 δP,R=δTime,R−δTime,P .

Hence and are equivalent. Therefore, application of rules on -representations defined through corresponding configurations is well-defined, i.e., the abstraction of configurations to -representations w.r.t. application of rules is complete.

The abstraction is also sound. Namely, from a compliant trace over -representations, we can extract a concrete compliant trace over configurations. Although any given -representation corresponds to an infinite number of configurations, for a given initial configuration , we have the initial -representation  . The existence of a trace over configurations corresponding to the given (possibly infinite) trace over -representations is then easily proven by induction.

Since equivalent configurations satisfy the same set of constraints, is a critical configuration if and only if is a critical configuration, i.e.,  if and only if is critical. By induction on the length of the (sub)trace, it follows that, given a timed MSR and a critical configuration specification , any (possibly infinite) trace over configurations is compliant if and only if the corresponding trace over -representations is compliant.

Notice that, using the l.t.s. in a trace , rule is applied to some in if and only if no instantaneous rule can be applied to . Since and its -representation, , satisfy the same set of constraints, it follows that rule is applied to iff  rule is applied to . Hence, a trace over configurations uses the l.t.s. iff the corresponding trace over -representations uses the l.t.s. ∎

Following the above result, in the case of balanced timed MSRs, we can work on traces constructed using -representations. Moreover, the following lemma [16] establishes a bound on the number of different -representations.

Lemma 1

[16] Let be a timed MSR constructed over a finite alphabet with predicate symbols and constant and function symbols. Let be the number of facts in the initial configuration , an upper-bound on the size of the facts, a critical configuration specification and an upper-bound on the numerical values of , and .
The number of different -representations, denoted by , is such that

 LΣ(m,k,Dmax)≤(Dmax+2)(m−1)Jm(E+2mk)mk.

5.2 Time-Bounded v.s. Unbounded Verification Problems for Timed MSR

It is obvious, by definition, that the  property implies the - property. We now show that for a sufficiently large , the converse implication also holds, i.e., the - property implies the  property. The same implications hold for the other properties.

Proposition 4 (Realizability v.s. n-Time Realizability)

Let be a timed MSR that uses the l.t.s., an initial configuration and a critical configuration specification. Then,   satisfies the  property   iff   , satisfies the - property.

Moreover, there exists such that if   satisfies the - property, then   satisfies the  property. (In particular, the above claim holds for .

Proof

Per definition, the  property implies the - property for any .

We now prove the second statement. The first statement then easily follows.

From Proposition 3 it follows that for the above problems we can consider traces constructed over -representations. As per Lemma 1, the number of different -representations is bounded by  , where is the number of facts in , is an upper-bound on the size of facts and is an upper-bound on the numeric values of and .

Assume satisfies the - property, where  . Then, there is a compliant trace from that uses the l.t.s. and contains exactly rules. Trace contains a series of instantaneous rules separated by rules. That is, contains blocks of -representations, formed at each of the instances of rules in . Since there are at most different -representations in , at least one -representation appears in two blocks. Therefore, a subtrace between the two appearances of contains a rule,  , and represents a loop in .

The above subtrace is compliant, uses the l.t.s. and contains a rule. Repeating this loop indefinitely results in a compliant infinite time trace that uses the l.t.s. The resulting trace shows that satisfies the  property. ∎

Proposition 5 (Survivability v.s. n-Time Survivability)

Let be a timed MSR that uses the l.t.s., an initial configuration and a critical configuration specification. Then,   satisfies the  property   iff   , satisfies the - property.
Moreover, there exists such that if   satisfies the - property, then   satisfies the  property.

Proof

Assume that   satisfies the - property, where . Hence, all traces with ticks are compliant. Assume is does not satisfy the  property. Then there is an infinite time trace from that uses the l.t.s. which is not compliant, i.e., there is a critical configuration in . Because   satisfies the -