Allen Linear Temporal Logic Translation to LTL and Monitor Synthesis Grigore Rosu (University of Illinois at U-C) Saddek Bensalem (VERIMAG)
2 On Temporal Reasoning Allen temporal algebra/logic (ATL): Allen’84 –One of the “best established formalism for temporal reasoning” (in AI) – Krokhin et al.’03 (J. of ACM) Linear temporal logic (LTL): Pnueli’77 –One of the best-established formalisms in verification Between the two, so far … –No rigorous connection –No attempt to “systematically reuse” good features of one in the context of the other (visual representation, formal verification, monitoring, etc.)
3 Overview Recall Allen temporal algebra/logic and LTL Define Allen linear temporal logic (ALTL) Translate ALTL into LTL –NP completeness of ALTL satisfiability Monitor ALTL Conclusion Future work
4 Allen Temporal Algebra/Logic (ATL) Framework dealing with incomplete relative temporal information –Event A is before or overlaps event B Very used in AI planning Interval taken as primitive temporal quantity 13 basic binary relations on intervals ATL formula (aka compatibility) –boolean (finite) combination of such relations ATL models are (dense) total orders –Intervals interpreted as convex subsets
5 ATL: Basic Interval Relations (I) Equals(i,j) Before(i,j) or After(j,i) Meets(i,j) or MetBy(j,i) i j i j i j Exactly the same timepoints There are some timepoints between i and j There are no timepoints between i and j
6 ATL: Basic Interval Relations (II) Overlaps(i,j) or OverlappedBy(j,i) Contains(i,j) or During(j,i) Starts(i,j) or StartedBy(j,i) Ends(i,j) or EndedBy(j,i) i j i j ij i j
7 ATL Models Total orders (T,<), dense or discrete Intervals interpreted as convex subsets – : Intervals → Convex(T) –C Convex(T) iff (x,y) C when x < y in C Model (T,<, ) satisfies Overlaps(i,j) iff (i) ∩ (j) ≠ and x (j), y (i), x < (i), (j) < y (i) (j) x y
8 ATL in Practice Extensively used in AI planning to reason about concurrency and temporal extent; very visual Intervals can express both action instances and states of attributes (state variables); aka tokens Example: McCarthy’s Monkey/Banana
9 NASA Ames GROMIT Model Exploration rover
10 DDL: A Formal ATL Language Domain-Description Language (DDL) in AI planning –NASA Remote Agent, EUROPA; used for plan synthesis GROMIT model has >1500 DDL lines of ATL spec:
11 ATL: Known Results and Evidence Allen introduced it in ’84; no theorems NP-complete satisfiability (Vilain,Kautz,Beek’89) –Not hard, but intricate Much research in tractable fragments –18 tractable subalgebras (Krokhin,Jeavons,Jonsson’03 – J.ACM) Evidence –Visual and intuitive formalism –Easy to comprehend and explain –Large specifications relatively manageable
12 Linear Temporal Logic (LTL) Pnueli introduced it in ’77 Sistla, Clarke ’85 –PSPACE-complete satisfiability –LTL□ is NP-complete Extensively used in verification, temp. DB Calvanese, De Giacomo, Vardi ’02 –Propose LTL as a formalism for AI planning Yet, no formal connection between ATL and LTL has been investigated –we could use LTL verification tools and techniques in AI planning, a domain lacking but in need of them …
13 From ATL to LTL (I) Step 1 Relate models: –Define Allen Linear Temporal Logic (ALTL), whose models are -sequences, like in LTL Theory: –Same complexity as the dense variant Practice: –Care needed to generate at least one timepoint in each non-empty interval fragment
14 From ATL to LTL (II) Step 2 Encode membership to intervals: –Add an atomic predicate i for each interval i Step 3 Enforce “interval behavior” (no “gaps”) –Non-emptiness: i for each interval i –Convexity: ( ( i ( i i ))) j jj jj j
15 From ATL to LTL (III) Step 4 Encode interval relations; e.g.: Overlaps(i,j) ( j i ( j i ( j i ))) i j j i j i j i
16 From ATL to LTL: Theoretical Aspects Recent works in ATL, including the DDL language, work with an extended ATL –Add predicates and new relations Holds(p,i) and Occurs(p,i) –New satisfiability is obviously still NP-hard Extends propositional calculus Holds and Occurs can also be translated in LTL –Holds(p,i) is □ ( i p) –Occurs(p,i) is (p i ) Four steps above give us –A reduction from ATL to LTL□, the latter NP-complete Therefore, the extended ATL is NP-complete
17 From ATL to LTL: Practical Aspects Implemented the four transformation steps above as a term rewrite system, in Maude –[go to example in technical report] –Unfortunately, resulting LTL formulae are large and hard to understand … But, at least in principle, one can now 1)Use formal verification techniques in domains, e.g., AI planning, whose requirements use ATL 2)Use ATL to specify system requirements and then formally verify them
18 Monitoring ATL (I) Importance of monitoring in autonomous systems cannot be overestimated: –Even if a plan is proved to satisfy its spec, many factors can lead to violations of reqs: terrain, power, hardware We know how to monitor LTL “efficiently” –Monitors based on (non-deterministic) Buchi automata Can we use our ATL-to-LTL translation and then use LTL monitors to monitor ATL? –Buchi automata generation appears to be a bottle-neck –ATL-to-LTL-to-Buchi applied on the Monkey formula yields several thousand nodes and ~ 60,000 edges (Oddoux&Gastin LTL2Buchi)
19 Specialized Monitoring Algorithm for ATL Idea: divide-and-conquer –Monitor each temporal relation “individually” –Combine the results within the “big-picture” –Check for satisfiability “from time to time” Algorithm: Suppose ATL formula (r 1, r 2, …, r n ) – is a boolean formula … where –r 1, r 2, …, r n regarded as “dynamic” variables; they may become true/false during monitoring –At each event, recalculate the “truth status” of variables Maintain a “little” monitor for each –At critical timepoints, check satisfiability of
20 Monitors for Interval Relations Overlaps(j,i) j i There are also “little monitors” ensuring that intervals are non-empty and contiguous …
21 GROMIT Experiment Applied the ATL monitor synthesis algorithm above on NASA Ames’ GROMIT specification ATL formula has more than 100 interval relations We did not have access to the execution platform, but were provided 100 execution traces, each containing several hundred events Both monitor synthesis and checking took negligible time –However, for each trace, we checked for satisfiability only once, at the end
22 Conclusion Defined Allen linear temporal logic (ALTL) Translated ALTL into LTL –NP completeness of (extended) ALTL satisfiability –Allows using LTL tools and techniques in domains that prefer (or cannot avoid) ATL specifications Explored monitoring problem for ATL –Showed that “blind use” of LTL monitors can be inefficient –Presented efficient, specialized ATL monitoring algorithm
23 Future Work, Questions … ATL is a “sugared fragment” of LTL –Monitoring ATL directly is more effective … –Can ATL (instead of general LTL) be used in certain particular system verification efforts? Visual, easy! Formal verification techniques for ATL? –Theorem proving, model checking Extend ATL with repetition? Monitor it? There are many other interval logics (e.g., ITL, MTL) –Monitor synthesis for these?