The Thirty-Third AAAI Conference on Artificial Intelligence (AAAI-19)

Approximate Stream Reasoning with Metric Temporal Logic under Uncertainty

Daniel de Leng, Fredrik Heintz
Department of Computer and Information Science
Linköping University, 581 83 Linköping, Sweden
{daniel.de.leng, fredrik.heintz}@liu.se

Abstract

Stream reasoning can be defined as incremental reasoning over incrementally-available information. The formula progression procedure for Metric Temporal Logic (MTL) makes use of syntactic formula rewritings to incrementally evaluate formulas against incrementally-available states. Progression however assumes complete state information, which can be problematic when not all state information is available or can be observed, such as in qualitative spatial reasoning tasks or in robotics applications. In those cases, there may be uncertainty as to which state out of a set of possible states represents the 'true' state. The main contribution of this paper is therefore an extension of the progression procedure that efficiently keeps track of all consistent hypotheses. The resulting procedure is flexible, allowing a trade-off between faster but approximate and slower but precise progression under uncertainty. The proposed approach is empirically evaluated by considering the time and space requirements, as well as the impact of permitting varying degrees of uncertainty.

1 Introduction

Temporal logics allow us to make statements about propositions across time, making them powerful in areas such as runtime verification. Metric Temporal Logic (MTL) by (Koymans 1990) extends the expressiveness of the well-known Linear Temporal Logic (LTL) (Emerson 1990) by adding metric intervals for the temporal operators. The extension makes it possible to describe bounded intervals for logical formulas, further enhancing their use in practical applications. MTL thus makes it possible to precisely describe complex temporal statements that go beyond the absolutes of the LTL temporal operators. This makes MTL a useful tool in realtime applications such as robotics. While model checking for MTL has been shown to be undecidable (Alur, Feder, and Henzinger 1996), we focus on the computationally simpler task of path checking, in which we check whether a given path satisfies a formula. In this paper, we take a stream reasoning approach to path checking, which uses incremental reasoning over incrementally-available information.

The syntactic rewriting technique used is known as progression (Bacchus and Kabanza 1996; 1998). Progression works by incrementally taking states from a state sequence and computing a new formula that incorporates this state information using syntactic rewriting. If the new formula holds over the unseen remainder of the state sequence, then the original formula is guaranteed to hold over the complete state sequence. Consequently, the evaluation of an MTL formula through progression is linear in the size of the formula, but the formula may grow exponentially due to the rewritings. A key advantage is that we may terminate the procedure once a formula is determined to be true or false, without having to consider the potentially infinite state sequence.

One key assumption for progression is that the states received are complete, i.e. all propositions have a truth value assigned to them. Essentially, progression requires every state to provide a complete 'snapshot' of the world. This assumption is however unreasonable in many applications for which acquiring such a snapshot is not feasible, e.g. robots relying on local sensor data. The main contribution of this paper is therefore an approximate progression procedure for path checking with partial states, allowing for a trade-off between precision and space requirements. We also consider the impact of knowledge concerning the probabilities of individual states in cases where there is uncertainty. This paper is a companion paper to our earlier work (de Leng and Heintz 2018), which laid some of the groundwork we expand upon here.

The key motivation behind supporting progression with multiple hypotheses is not just limited to the possibility that we receive partial states—reasoning with background knowledge can by itself lead to incomplete information. For example, the Region Connection Calculus with eight jointly exhaustive pairwise disjoint (JEPD) relations known as RCC-8 by (Randell, Cui, and Cohn 1992) uses qualitative reasoning based on composition tables that allow us to reduce the uncertainty between the qualitative spatial relations that may exist between regions, without narrowing this relation down to precisely one spatial relation. This effectively means we acquire multiple consistent models, any of which could be the 'true' model, and all of which are valid hypotheses.

The remainder of this paper is organized as follows. In Section 2 we consider some of the related work on progression and partiality. We then give an overview of the preliminaries concerning MTL and progression, including the notation used in this paper, in Section 3. Section 4 discusses the theory behind stochastic partial-state progression, followed by an overview of the related procedure in Section 5. An empirical evaluation of the procedure is presented in Section 6. Finally, the paper concludes with Section 7 with a summary and a discussion of future work.

Copyright © 2019, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.

2 Related Work

Partial-state progression is a useful technique when considering applications such as safe robotics. Progression variants have for example been used for execution monitoring (Kvarnström, Heintz, and Doherty 2008) in autonomous UAV applications, in which path-checking of MTL formulas was used to check whether the execution of a plan is in accordance with expectations.

More recently, Desai et al. (Desai, Dreossi, and Seshia 2017) focused on a combination of model checking and runtime verification for making formal safety guarantees in robot software, where they make use of Signal Temporal Logic (STL) as a language for formalizing logical statements. STL is similar to MTL in extending the temporal operators from LTL to range over time intervals, but instead of propositions it considers inequality checks over quantitative signals. While we focus on binary MTL statements, partial-state progression could be extended to work with STL given that the extra information in STL statements can be utilized.

The recent work by Adolf et al. (Adolf et al. 2017) on stream runtime monitoring in unmanned aircraft systems further shows the need for and interest in the ability to monitor robot systems during runtime for debugging and the monitoring of safety restrictions. Progression of MTL formulas has also been used for monitoring purposes. For example, Basin et al. (Basin, Bhatt, and Traytel 2017; Basin, Krstić, and Traytel 2017) proposed an MTL (and related Metric Dynamic Logic; MDL) monitor for complex event processing which is almost event-rate independent, meaning it can handle a dense stream with high quantities of events occurring within fixed time intervals.

Our approach makes it possible to keep track of the probability of partial-state progression having ended up in some MTL formula given a partially-observed incomplete state sequence. This is somewhat related to the recent work by Medhat et al. (Medhat et al. 2016), who proposed absolute and relative 'counting quantifiers', allowing them to express and monitor constraints that concern a lower or upper bound on a certain number or percentage of instances. Their approach differs from ours in that they extend LTL with counting quantifiers whereas our probability mass exists at the meta-logic level. The ability to consider the probability of having ended up in some MTL formula is also potentially useful in dealing with multiple consistent interpretations when performing qualitative spatial reasoning tasks. The combination of a temporal logic and qualitative spatial reasoning for runtime verification tasks is also related to the recent work by Nenzi et al. (Nenzi et al. 2015), who extended STL to consider spatial information.

Algorithm 1: Classical Progression

    function PROGRESS(φ, s_i):
        if φ = φ1 ∨ φ2 then
            return PROGRESS(φ1, s_i) ∨ PROGRESS(φ2, s_i)
        else if φ = ¬φ1 then
            return ¬PROGRESS(φ1, s_i)
        else if φ = φ1 U_I φ2 then
            if I < 0 then
                return ⊥
            else if 0 ∈ I then
                return PROGRESS(φ2, s_i) ∨ (PROGRESS(φ1, s_i) ∧ φ1 U_{I−∆} φ2)
            else
                return PROGRESS(φ1, s_i) ∧ φ1 U_{I−∆} φ2
            end
        else
            if φ ∈ s_i then
                return ⊤
            else
                return ⊥
            end
        end

3 Classical Progression for MTL

MTL is an extension of LTL with temporal operators ranging over intervals. We denote the set of all MTL propositional symbols by $\mathcal{P}$. We define a state $s \subseteq \mathcal{P}$ to be a set of true propositions, and its complement $\mathcal{P} \setminus s$ to denote the set of false propositions. A state thus models complete information. Since we are interested in temporal reasoning, we consider sequences of states called streams. A stream is denoted by a total ordering $\rho = \{(s_0, t_0), (s_1, t_1), \ldots\}$ for states $s_i$, time-stamps $t_i \in \mathbb{N}$, and time-points $i \in \mathbb{N}$. A stream prefix is denoted by $\rho_{\le \tau} = \{(s, t) \mid t \le \tau\}$.

An MTL-formula is well-formed iff it adheres to the MTL syntax:

Definition 1 (MTL Syntax). The syntax for MTL is as follows for atomic propositions $p \in \mathcal{P}$, temporal intervals $I \subseteq [0, \infty]$, and well-formed formulas (wffs) $\varphi$ and $\psi$:
$$p \mid \neg\varphi \mid \varphi \vee \psi \mid \varphi\,\mathcal{U}_I\,\psi$$

In this paper we also make use of connectives $\{\wedge, \rightarrow, \leftrightarrow\}$ with their classical semantics, as well as the temporal operators 'eventually' $\Diamond_I \varphi =_{\mathrm{def}} \top\,\mathcal{U}_I\,\varphi$ and 'always' $\Box_I \varphi =_{\mathrm{def}} \neg\Diamond_I \neg\varphi$, and verdicts 'true' $\top =_{\mathrm{def}} p \vee \neg p$ and 'false' $\bot =_{\mathrm{def}} \neg\top$. Lastly, the temporal operator intervals may be omitted for cases where $I = [0, \infty]$.

Definition 2 (MTL semantics). The semantics of MTL are defined recursively for a wff $\varphi$ and a stream $\rho$ at time $t_i$:
$$\begin{aligned}
\rho, t_i \models p &\text{ iff } p \in s_i \text{ for } p \in \mathcal{P}\\
\rho, t_i \models \neg\varphi &\text{ iff } \rho, t_i \not\models \varphi\\
\rho, t_i \models \varphi \vee \psi &\text{ iff } \rho, t_i \models \varphi \text{ or } \rho, t_i \models \psi\\
\rho, t_i \models \varphi\,\mathcal{U}_{[\delta_1,\delta_2]}\,\psi &\text{ iff } \exists t_\alpha \in [t_i + \delta_1, t_i + \delta_2] : \rho, t_\alpha \models \psi \text{ and } \forall t_\beta \in [t_i, t_\alpha) : \rho, t_\beta \models \varphi
\end{aligned}$$

The goal of path checking is to determine whether a well-formed MTL formula $\varphi$ is satisfied by the suffix of

$\rho$ starting at time-stamp $t$, written as $\rho, t \models \varphi$. It differs from model checking in that the formula is only checked against one path starting from time-stamp $t$, rather than for every stream suffix satisfied by the model. In this paper, we focus on progression (Bacchus and Kabanza 1996; 1998) with streams of incomplete states as our method for path checking. We refer to their works for a detailed description of the PROGRESS procedure, an updated version of which is listed in Algorithm 1, taking into account the notation used in this paper. In the remainder of this paper, we shorten PROGRESS to PROG for equations and assume $\Delta$, which denotes the time between states, to be constant. One important result we rely on in this work is the correctness result for PROGRESS:

Theorem 1 (Correctness of PROGRESS (Bacchus and Kabanza 1996; 1998)). The PROGRESS procedure is correct; $\rho, t_i \models \varphi$ iff $\rho, t_{i+1} \models \mathrm{PROG}(\varphi, s_i)$ for streams $\rho$, time-points $i$, and wffs $\varphi$.

4 Stochastic Partial-State Progression

Recall that we want to perform progression over streams that may contain incomplete states. To perform progression, we need a stream $\rho$ and a wff $\varphi$. We will assume that a stream generator can be described stochastically, using a time sequence of stochastic variables. If we wish to assume that $\rho$ is based on a stationary distribution, these stochastic variables would be equivalent across time-points.

State Universe

Streams are composed of states, which we now assume can be incomplete. We denote incomplete states and their associated incomplete streams using the hat-notation, i.e. $\hat{s} \subseteq 2^{\mathcal{P}}$ denotes an incomplete state and $\hat{\rho} = \{\rho_1, \ldots, \rho_N\}$ denotes an incomplete stream. An incomplete state $\hat{s}$ may be interpreted as being in DNF, i.e. as a disjunction over the contained-within complete states. Likewise, all $\rho \in \hat{\rho}$ are exclusively composed of complete states, denoting all permutations of the incomplete states. With the notation in place, we can now define the aforementioned time-independent stochastic variable as the state universe.

Definition 3 (State Universe). The set of states $2^{\mathcal{P}}$ is associated with a time-independent stochastic variable $S_n$ representing the state universe at time-point $n \in \mathbb{N}$:
$$S_n \sim \mathrm{Discrete}(\theta_n),$$
where $\theta_n = \{\theta_{n,j}\}_{j=0}^{|2^{\mathcal{P}}|-1}$ represents a probability mass function (pmf) using vector-notation.

We write $P[S_n = s_j] = \theta_{n,j}$ to denote the probability of drawing a state at time-point $n \in \mathbb{N}$. The probability of complete states given observed incomplete states $\hat{s}_n$ is denoted by
$$P[S_n = s \mid \hat{s}_n] = \frac{P[S_n = s]\; I(s \in \hat{s}_n)}{\sum_{s' \in \hat{s}_n} P[S_n = s']},$$
where $I$ is a boolean indicator function (similar to Iverson's bracket notation) such that
$$I(x) = \begin{cases} 1 & \text{if } x \text{ is true,}\\ 0 & \text{if } x \text{ is false.} \end{cases}$$

A complete prefix is defined as a sequence of complete states up to and including time-point $n \in \mathbb{N}$, where we can describe the probability of randomly drawing such a prefix by
$$P[S_{\le n} = \rho_{\le n}] = \prod_{i=0}^{n} P[S_i = s_i]$$
due to the time-independence of the state universe. A sequence of incomplete states—represented as a set of disjunctive complete prefixes—is called an incomplete prefix, denoted by $\hat{\rho}_{\le n}$. We denote the probability of drawing incomplete prefixes from $\hat{\rho}_{\le n}$ for $n \in \mathbb{N}$ by
$$P[S_{\le n} = \rho_{\le n} \mid \hat{\rho}_{\le n}] = \frac{P[S_{\le n} = \rho_{\le n}]\; I(\rho_{\le n} \in \hat{\rho}_{\le n})}{\sum_{\rho'_{\le n} \in \hat{\rho}_{\le n}} P[S_{\le n} = \rho'_{\le n}]}.$$

Prefixes and Extensions

We refer to the repeated application of PROGRESS to a complete prefix $\rho_{\le n}$ as prefix progression:

Definition 4 (Prefix Progression). We denote the repeated application of PROGRESS to an initial formula $\varphi$, called prefix progression, by
$$\mathrm{PROG}^n(\varphi, \rho) = \mathrm{PROG}(\mathrm{PROG}^{n-1}(\ldots), s_n),$$
where $n \in \mathbb{N} \cup \{\infty\}$. For base-case $n = 0$ we use $\mathrm{PROG}^0(\varphi, \rho) = \varphi$.

Because the MTL semantics is defined over infinite-length streams, we sometimes need to consider the probability of an incomplete prefix $\hat{\rho}_{\le n}$ being a model for an MTL statement $\varphi$ at time $t_0$. Since $\hat{\rho}_{\le n}$ is an incomplete prefix for values of $n \in \mathbb{N}$, we extend it to an incomplete stream by appending fully-unknown states, which we denote by superscript $\infty$:
$$\hat{\rho}^{\infty}_{\le n} = \hat{\rho}_{\le n} \cup \{(2^{\mathcal{P}}, t_i) \mid i > n\}.$$
We use the same notation for fully-known prefixes $\rho_{\le n}$, where the result is denoted by $\rho^{\infty}_{\le n}$ representing an incomplete stream.

Lemma 1 (Correctness of Prefix Progression). The application of progression over prefixes is correct relative to the semantics of MTL:
$$\forall \rho \in \rho^{\infty}_{\le n}\,[\rho, t_0 \models \varphi] \quad\text{iff}\quad \mathrm{PROG}^n(\varphi, \rho_{\le n}) = \top$$
for wff $\varphi$, prefix $\rho_{\le n}$, and any time-point $n \in \mathbb{N}$.

Proof. Considering both directions separately:

($\Rightarrow$) Assume that for all $\rho \in \rho^{\infty}_{\le n}$, it holds that $\rho, t_0 \models \varphi$. By applying Theorem 1 $n$ times, we obtain $\rho, t_n \models \mathrm{PROG}^n(\varphi, \rho_{\le n})$. Let us denote $\mathrm{PROG}^n(\varphi, \rho_{\le n}) = \psi$. Then it must be the case that $\rho', t_n \models \psi$ for all possible complete streams $\rho'$ that could be constructed from infinite sequences of incomplete states. So it must be the case that $\psi$ is a tautology, hence $\mathrm{PROG}^n(\varphi, \rho_{\le n}) = \top$.

($\Leftarrow$) Assume that $\mathrm{PROG}^n(\varphi, \rho_{\le n}) = \top$. Since this is a tautology, it is therefore the case that $\rho, t_n \models \mathrm{PROG}^n(\varphi, \rho_{\le n})$ for all streams $\rho \in \rho^{\infty}_{\le n}$. From Theorem 1 it then follows that $\forall \rho \in \rho^{\infty}_{\le n}\,[\rho, t_0 \models \varphi]$.

[Figure 1: Progression graph for $\Box(p \rightarrow \Diamond_{[0,5]}\, q)$, where vertices represent formulas and edges represent sets of states. Vertices: start $\to \varphi_0, \varphi_1, \ldots, \varphi_5, \bot$; recoverable edge labels: $\{\{p\}\}$ ($\varphi_0 \to \varphi_1$), $\{\{p\}, \emptyset\}$ ($\varphi_i \to \varphi_{i+1}$ and $\varphi_5 \to \bot$), $\{\{p,q\}, \{q\}, \emptyset\}$ ($\varphi_0$ self-loop), $\{\{p,q\}, \{q\}\}$ ($\varphi_i \to \varphi_0$), $\{\{p\}, \{q\}, \{p,q\}, \emptyset\}$ ($\bot$ self-loop).]

Progression Graphs

Given a potentially-incomplete stream, the repeated application of the PROGRESS procedure to an MTL formula using all possible states yields a potentially large set of formulas in the limit, which can be bounded through the use of formula simplification. We used elimination of conjunctions and disjunctions with verdicts as children, as well as temporal subsumptions, as these patterns commonly arise from the application of the progression procedure. These simplification rules are shown below:
$$\begin{aligned}
\varphi \wedge \top &\Rightarrow \varphi\\
\varphi \wedge \bot &\Rightarrow \bot\\
\varphi \vee \top &\Rightarrow \top\\
\varphi \vee \bot &\Rightarrow \varphi\\
\Box_{[i,j]}\varphi \wedge \Box_{[i,k]}\varphi &\Rightarrow \Box_{[i,\max(j,k)]}\varphi\\
\Box_{[i,j]}\varphi \vee \Box_{[i,k]}\varphi &\Rightarrow \Box_{[i,\min(j,k)]}\varphi\\
\varphi\,\mathcal{U}_{[i,j]}\,\psi \wedge \varphi\,\mathcal{U}_{[i,k]}\,\psi &\Rightarrow \varphi\,\mathcal{U}_{[i,\min(j,k)]}\,\psi\\
\varphi\,\mathcal{U}_{[i,j]}\,\psi \vee \varphi\,\mathcal{U}_{[i,k]}\,\psi &\Rightarrow \varphi\,\mathcal{U}_{[i,\max(j,k)]}\,\psi
\end{aligned}$$
Note that the simplification rules for $\Diamond_{[i,j]}\varphi$ follow directly from $\top\,\mathcal{U}_{[i,j]}\,\varphi$.

As a concrete example, consider the formula $\varphi_0 = \Box(p \rightarrow \Diamond_{[0,5]}\, q)$. This formula contains two propositions $p$ and $q$, which gives four possible states. Repeatedly applying progression for all of these four states yields the following resulting formulas:
$$\varphi_i = (\Diamond_{[0,5-i]}\, q) \wedge \varphi_0 \quad\text{for } i \in [1, 5],$$
together with verdict $\bot$. By representing these formulas as vertices and connecting them with sets of states, we obtain the graph shown in Figure 1. The graph connections are designed such that for each edge $(\varphi, \psi, s)$ it is the case that $\mathrm{PROG}(\varphi, s) = \psi$, thereby allowing the graph structure to graphically encode the formula progression procedure. For a fully-known stream, progression would correspond to transitions between formulas such that we can only be in one formula at any given time. It also allows us to go beyond standard progression by considering a stochastic interpretation, where we associate a probability mass $m_n$ with every formula in the graph. The meaning of probability mass in vertices at some time-point $n$ is the probability of progression having ended up in those associated formulas by time-point $n$, given an incomplete stream. When a graph is first initialized, all probability mass therefore resides in the vertex associated with the original formula.

Definition 5 (Progression Graph). A progression graph is a directed graph $G_n(\varphi) = (\varphi, V, E, m_n)$ at time-point $n$ consisting of a wff $\varphi$, a set of formulas $V$ for which $\varphi \in V$, a set of directed labelled transitions
$$E = \{(v, v', s) \in V \times V \times 2^{\mathcal{P}} \mid \mathrm{PROG}(v, s) = v'\},$$
and a probability mass function $m_n : V \to [0, 1]$ describing a probability distribution over formulas in $v \in V$ defined as
$$m_n(v) = \sum_{\rho_{\le n} \in \hat{\rho}_{\le n}} P[S_{\le n} = \rho_{\le n} \mid \hat{\rho}_{\le n}]\; I(\mathrm{PROG}^n(\varphi, \rho_{\le n}) = v),$$
and $m_0(\varphi) = 1$ corresponds to the base-case.

The values of the probability mass at any given time-point thus depend on the observed incomplete stream prefix and the state universe. Finally note that, albeit structurally similar to deterministic timed automata (Alur and Dill 1994), progression graphs instead are used to push probability mass between formulas and consequently lack the notion of clocks or accepting states.

Partial-State Progression

The interpretation of a progression graph has thus far been grounded in incomplete prefixes. Combined with the fact that the structure of the progression graphs are grounded in the classical progression procedure, we can ground the interpretation of progression graphs in the MTL semantics as well. Specifically, the probability mass component of progression graphs allows us to quantify the probability of meta-logical statements concerning the semantic entailment relation between incomplete streams and MTL formulas.

Definition 6 (Model Probability for Incomplete Prefixes). The probability of an extended incomplete prefix $\hat{\rho}^{\infty}_{\le n}$ for time-point $n \in \mathbb{N}$ being a model for an MTL statement $\varphi$ at time $t_0$ is denoted by: $P[\hat{\rho}^{\infty}_{\le n}, t_0 \models \varphi]$.

Lemma 2 (Correctness of Model Probability for Incomplete Prefixes). The model probability for an incomplete prefix is determined by:
$$P[\hat{\rho}^{\infty}_{\le n}, t_0 \models \varphi] = \sum_{\rho_{\le n} \in \hat{\rho}_{\le n}} P[S_{\le n} = \rho_{\le n} \mid \hat{\rho}_{\le n}]\; I\big(\forall \rho \in \rho^{\infty}_{\le n}\,[\rho, t_0 \models \varphi]\big).$$

Proof. We have to consider three cases: (1) all streams within $\hat{\rho}^{\infty}_{\le n}$ are models of $\varphi$ at time $t_0$; (2) none are models

of $\varphi$, or; (3) some are models and some are not models. In order for a prefix to be a model, all of its extensions to infinite-length streams must be models. Additionally, there are potentially many complete prefixes within the incomplete prefix $\hat{\rho}_{\le n}$. The probability $P[S_{\le n} = \rho_{\le n} \mid \hat{\rho}_{\le n}]$ corresponds to the probability of drawing a prefix $\rho_{\le n}$ from a distribution over $\hat{\rho}_{\le n}$. The sum of all of these probabilities sums up to 1. However, we only want to consider those prefixes which are models of $\varphi$ at time $t_0$. Therefore, we use the indicator function to eliminate the probabilities of prefixes which are not models of $\varphi$ at time $t_0$, thereby excluding prefixes following cases (2) and (3) while keeping those following (1).

From Lemma 2, we are able to show that the probability mass for verdict vertices is sound by considering the specific cases of formulas $\top$ and $\bot$.

Theorem 2 (Soundness of Partial-State Progression). Given a probabilistic progression graph $G_n(\varphi)$ for the progression of a wff $\varphi$ starting at time $t_0$ using a partially-observed incomplete stream described by a prefix $\hat{\rho}_{\le n}$ with $n \in \mathbb{N}$:
$$m_n(\top) = P[\hat{\rho}^{\infty}_{\le n}, t_0 \models \varphi], \qquad m_n(\bot) = P[\hat{\rho}^{\infty}_{\le n}, t_0 \not\models \varphi].$$

Proof. From the definition of probability mass, we obtain:
$$m_n(\top) = \sum_{\rho_{\le n} \in \hat{\rho}_{\le n}} P[S_{\le n} = \rho_{\le n} \mid \hat{\rho}_{\le n}]\; I(\mathrm{PROG}^n(\varphi, \rho_{\le n}) = \top).$$
Per Lemma 1, the indicator is subject to the equivalence
$$I(\mathrm{PROG}^n(\varphi, \rho_{\le n}) = \top) = I\big(\forall \rho \in \rho^{\infty}_{\le n}\,[\rho, t_0 \models \varphi]\big).$$
By substituting the indicator we can thus rewrite $m_n(\top)$ to
$$m_n(\top) = \sum_{\rho_{\le n} \in \hat{\rho}_{\le n}} P[S_{\le n} = \rho_{\le n} \mid \hat{\rho}_{\le n}]\; I\big(\forall \rho \in \rho^{\infty}_{\le n}\,[\rho, t_0 \models \varphi]\big),$$
which is equivalent to $P[\hat{\rho}^{\infty}_{\le n}, t_0 \models \varphi]$ per Lemma 2. The proof for $m_n(\bot)$ follows analogously.

5 An Approximation Procedure

One problem with progression graphs of formulas with large temporal intervals is that they have a tendency of 'blowing up', thereby requiring a lot of space. To combat this, we build upon our pre-existing approaches to partial-state progression (de Leng and Heintz 2018) that sought to tackle the problem of high space requirements by trading accuracy for space consumption, called leaky partial-state progression—but which does not handle probability distributions over a state universe, as we have in this work.

Our proposed procedure combining our stochastic state universe with a leaky progression graph is shown in Algorithm 2, using approximations of the probability mass $m_n$, denoted by $\hat{m}_n$, implemented as a map. Similarly, ttl (time-to-live) and expanded are assumed to be implemented as maps, hence the bracket notation. The initial graph is composed of a single vertex representing the original formula $\varphi$ to be progressed, with the initial probability mass fully contained within this vertex, i.e. $\hat{m}_0[\varphi] = m_0(\varphi) = 1$; subsequent approximations may deviate from the true pmf. The ttl for the singular vertex is initially assumed to be MAX_TTL.

The usage of probability mass over time makes it possible to track the probability of different progressed formulas, including the two different verdicts, over the course of progression of an incomplete stream $\hat{\rho}$. In subsequent calls to PPROGRESS, the probability mass from the previous iteration becomes a new starting point. The procedure iterates over the set of formulas $V$ and checks the outgoing edges. If the formula has not yet been expanded, it performs the classical PROGRESS procedure to generate and create directed edges to product formulas for all possible states. It then redistributes the probability mass from the parent formula to the reachable child formulas in accordance with the probability distribution over states: a child is reachable iff there exists an edge label that is a member of the input state $\hat{s}$. Finally, PPROGRESS can delete vertices and leak their associated probability mass when the MAX_NODES value is exceeded. The sorting operation in line 24 of Algorithm 2 is intended to illustrate a sorting which orders the set of vertices by ttl first and probability mass second, thus prioritizing those vertices with a low ttl and probability mass for deletion. At the end of each call to PPROGRESS, the resulting progression graph is returned.

As illustrated, keeping track of $m_n$ is possible by applying incremental updates to the pmf based on incrementally-observed incomplete states. The form of these incremental updates is obtained by utilizing the temporal independence of the state universe:

Lemma 3 (Incremental Updates). An (unapproximated) update from $m_{n-1}$ to $m_n$ given an incomplete state $\hat{s}_n$, where $n \in \mathbb{N}$, follows the relationship
$$m_n(v) = \sum_{(v', v, s) \in E} m_{n-1}(v')\; P[S_n = s \mid \hat{s}_n]$$
for a (fully-expanded) progression graph $G_n(\varphi) = (\varphi, V, E, m_n)$.

Proof. We need to show that the full update from Definition 5 for time-point $n$ is equivalent to the full update for time-point $m = n - 1$ followed by an incremental update at time-point $n$ as shown in the above relationship. By plugging Definition 5 into the incremental update rule, we get
$$\sum_{(v', v, s) \in E_n} \Bigg( \sum_{\rho_{\le m} \in \hat{\rho}_{\le m}} P[S_{\le m} = \rho_{\le m} \mid \hat{\rho}_{\le m}]\; I(\mathrm{PROG}^m(\varphi, \rho_{\le m}) = v') \Bigg) P[S_n = s \mid \hat{s}_n].$$
The inner sum ranging over $\rho_{\le m} \in \hat{\rho}_{\le m}$ can be rewritten to instead range over paths in the graph, which incorporates

the indicator function:
$$\sum_{(v', v, s) \in E} \Bigg( \sum_{(\varphi, v') \in E_m} P[S_{\le m} = \rho_{\le m} \mid \hat{\rho}_{\le m}] \Bigg) P[S_n = s \mid \hat{s}_n].$$
We can now collapse the two sums into one sum ranging over paths from $\varphi$ to $v$, appending the incomplete state $\hat{s}$ to the incomplete stream $\hat{\rho}_{\le m}$ to obtain $\hat{\rho}_{\le n}$:
$$\sum_{(\varphi, v) \in E_n} \big( P[S_{\le n} = \rho_{\le n} \mid \hat{\rho}_{\le n}] \big).$$
Plugging the indicator function back in we then obtain
$$\sum_{\rho_{\le n} \in \hat{\rho}_{\le n}} P[S_{\le n} = \rho_{\le n} \mid \hat{\rho}_{\le n}]\; I(\mathrm{PROG}^n(\varphi, \rho_{\le n}) = v),$$
which matches Definition 5 for $m_n(v)$.

Algorithm 2: Approximate Partial-State Progression

    1  function PPROGRESS(G_n, ttl, expanded, ŝ):
    2      G_{n+1} ← (V_n, E_n, [ ])
    3      foreach v ∈ V_n do
    4          ttl[v] ← ttl[v] − 1
    5          if m̂_n[v] > 0 then
    6              if ¬expanded[v] then
    7                  foreach s ∈ 2^P do
    8                      v' ← PROGRESS(v, s, ∆)
    9                      if v' ∉ V then
    10                         V_{n+1} ← V_{n+1} ∪ {v'}
    11                         ttl[v'] ← MAX_TTL
    12                         expanded[v'] ← false
    13                     end
    14                     E_{n+1} ← E_{n+1} ∪ {(v, v', s)}
    15                     expanded[v] ← true
    16                 end
    17             end
    18             foreach (v, v', s) ∈ E_{n+1} do
    19                 m̂_{n+1}[v'] ← m̂_{n+1}[v'] + m̂_n[v] × P[S_n = s | ŝ]
    20                 ttl[v'] ← MAX_TTL
    21             end
    22         end
    23     end
    24     while |sort(V_{n+1})| > MAX_NODES do
    25         v ← head(V_{n+1})
    26         m̂_{n+1}[v] ← nil
    27         ttl[v] ← nil
    28         expanded[v] ← nil
    29         foreach (v', v, s) ∈ E_{n+1} do
    30             expanded[v'] ← false
    31         end
    32         V_{n+1} ← V_{n+1} \ {v}
    33         E_{n+1} ← E_{n+1} \ {(w, w', s) ∈ E_{n+1} | w = v ∨ w' = v}
    34     end
    35     return G_{n+1}, ttl, expanded

The MAX_NODES and MAX_TTL values act as parameters that allow us to adjust the precision of the PPROGRESS procedure. If MAX_NODES and MAX_TTL are both set to infinity, the approximated probability mass will match the actual probability mass for each vertex. We can now show the correctness of the PPROGRESS procedure:

Theorem 3 (Correctness of PPROGRESS). For every progression graph $G_{n-1}$, PPROGRESS produces an approximated pmf $\hat{m}_n[v]$ such that
$$m_n(v) \in [\hat{m}_n[v],\; \hat{m}_n[v] + \ell_n],$$
where $\ell_n = 1 - \sum_{v \in V} \hat{m}_n[v]$ denotes the leaked probability mass.

Proof. Algorithm 2 starts with an expansion phase on lines 3–23, followed by a shrinking phase on lines 24–34. During expansion, lines 6–17 perform the actual expansion task on the graph, whereas lines 18–21 perform the incremental update from Lemma 3. Note that the incremental updates for non-zero probability mass utilize only children of these associated vertices, which are provided through the expansion of non-zero probability mass nodes prior to performing the incremental updates. This means that $\hat{m}_n[\varphi] = m_n(\varphi)$ when $\ell_n = 0$, which is the case whenever $\mathrm{MAX\_NODES} \ge |V|$ after the expansion phase but before the shrinking phase. For the case when $\mathrm{MAX\_NODES} < |V|$ after the expansion phase but before the shrinking phase, the shrinking phase will delete vertices—and leak their associated probability mass—until $\mathrm{MAX\_NODES} = |V|$. That means that the probability mass for any formula $\varphi$ at time-point $n$ will be at least $\hat{m}_n[\varphi]$ and at most $\hat{m}_n[\varphi]$ plus all of the leaked mass $\ell_n$.

6 Empirical Evaluation

The PPROGRESS procedure detailed in Algorithm 2 was implemented in Java¹ and used for empirical evaluation. We performed our experiments using a fourth-generation Intel Xeon E5-1650 CPU (6 cores, 12 threads) with 50GiB of RAM allocated to the JVM. All experiments presume a uniformly-distributed stream universe.

Time and Space Requirements

We first compare the runtime and space requirements given a formula and a stream for varying values for the parameters MAX_TTL and MAX_NODES. Table 1 shows an empirical comparison of the approaches for a formula $\varphi = \Box(p \rightarrow \Diamond_{[0,100]} \Box_{[0,10]} \neg p)$ and a stream in which 80% of the samples are $\{\{p\}\}$ and the remaining samples are unknown, i.e. $\{\{p\}, \emptyset\}$. Formula $\varphi$ is chosen because it is a member of the class of response formulas—denoted by the pattern $\Box_I(\varphi \rightarrow \Diamond_J \psi)$—which is a formula class most commonly observed in runtime verification (Dwyer, Avrunin, and Corbett 1999). We marked the best significant results in bold-face. To ensure a fair comparison, the choices for MAX_NODES limit the leaked mass to at most 1% of the total probability mass. For the formula $\varphi$ this corresponds to $\mathrm{MAX\_NODES} \ge 175$ at a step-size of 25.

¹The jprogress implementation is available at https://github.com/dnleng/jprogress.
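The procedures above, as an added Python example (written for this page, not the authors' jprogress implementation): PROGRESS from Algorithm 1 together with the simplification rules of Section 4, the conditional state probability of Definition 3, the incremental update of Lemma 3, and the MAX_NODES shrinking phase of Algorithm 2 (lines 24–34; the ttl bookkeeping is left out). It assumes $\Delta = 1$ and a uniform state universe over $\mathcal{P} = \{p, q\}$, encodes formulas as nested tuples, and replays Figure 1's formula $\Box(p \rightarrow \Diamond_{[0,5]}\, q)$ over two constructed incomplete streams. All names in it (TOP, BOT, Until, progress, ProgressionGraph, phi_i, run, STREAM_A, STREAM_B) are the example's own.

```python
"""Classical MTL progression (Algorithm 1 plus the page's simplification rules)
driving a stochastic progression graph (Definition 5, Lemma 3) with MAX_NODES
leaking (Algorithm 2, lines 24-34, minus the ttl bookkeeping). Added example, not
the authors' jprogress code; assumes Delta = 1 and a uniform state universe."""
from fractions import Fraction
from functools import reduce
from itertools import combinations

# Formulas are nested tuples: ('p',), ('not', f), ('and', ...), ('or', ...),
# ('until', lo, hi, f, g) with hi=None meaning infinity, and the two verdicts.
TOP, BOT, DELTA = ('top',), ('bot',), 1

def Until(lo, hi, f, g):
    # Algorithm 1's "I < 0 => F" is applied eagerly when the interval is built.
    return BOT if hi is not None and hi < 0 else ('until', lo, hi, f, g)

def _join(op, unit, zero, pick, f, g):
    """n-ary op with flattening, verdict elimination, idempotence and the temporal
    subsumption  f U[i,j] g  op  f U[i,k] g  =>  f U[i,pick(j,k)] g."""
    parts = [h for x in (f, g) for h in (x[1:] if x[0] == op else (x,))]
    untils, others = {}, []
    for h in parts:
        if h[0] == 'until':
            key = (h[1], h[3], h[4])
            untils[key] = pick(untils[key], h[2]) if key in untils else h[2]
        elif h not in others:
            others.append(h)
    merged = [Until(lo, hi, a, b) for (lo, a, b), hi in untils.items()]
    parts = sorted(others, key=repr) + sorted(merged, key=repr)   # canonical order
    if zero in parts: return zero
    parts = [h for h in parts if h != unit]
    return unit if not parts else parts[0] if len(parts) == 1 else (op, *parts)

def _hi_min(a, b): return b if a is None else a if b is None else min(a, b)
def _hi_max(a, b): return None if None in (a, b) else max(a, b)
def And(f, g): return _join('and', TOP, BOT, _hi_min, f, g)
def Or(f, g): return _join('or', BOT, TOP, _hi_max, f, g)

def Not(f):
    if f in (TOP, BOT): return BOT if f == TOP else TOP
    if f[0] == 'not': return f[1]                          # double negation
    if f[0] == 'or': return reduce(And, map(Not, f[1:]))   # De Morgan
    if f[0] == 'and': return reduce(Or, map(Not, f[1:]))
    return ('not', f)
def Eventually(lo, hi, f): return Until(lo, hi, TOP, f)          # T U_I f
def Always(lo, hi, f): return Not(Eventually(lo, hi, Not(f)))    # not <>_I not f
def Implies(f, g): return Or(Not(f), g)

def progress(phi, state):
    """PROGRESS(phi, s_i) of Algorithm 1; state is the set of true propositions."""
    if phi in (TOP, BOT): return phi
    kind = phi[0]
    if kind in ('and', 'or'):
        return reduce(And if kind == 'and' else Or, (progress(h, state) for h in phi[1:]))
    if kind == 'not': return Not(progress(phi[1], state))
    if kind == 'until':
        _, lo, hi, f, g = phi
        rest = Until(max(lo - DELTA, 0), None if hi is None else hi - DELTA, f, g)
        if lo <= 0: return Or(progress(g, state), And(progress(f, state), rest))  # 0 in I
        return And(progress(f, state), rest)                                      # 0 not in I
    return TOP if kind in state else BOT                                          # proposition

def all_states(props):   # the state universe 2^P as frozensets of true propositions
    return [frozenset(c) for r in range(len(props) + 1) for c in combinations(props, r)]

class ProgressionGraph:
    """Vertices are formulas, mass[v] approximates m_n(v); edges expand lazily."""
    def __init__(self, phi, props, max_nodes=None):
        self.states, self.max_nodes = all_states(props), max_nodes
        self.edges, self.mass = {}, {phi: Fraction(1)}   # v -> {s: PROG(v, s)}; m_0(phi) = 1
    def leaked(self):
        return 1 - sum(self.mass.values())               # l_n of Theorem 3
    def step(self, s_hat, theta):
        """Lemma 3: m_n(v) = sum_{(v',v,s) in E} m_{n-1}(v') P[S_n = s | s_hat], with
        P[S_n = s | s_hat] = P[S_n = s] I(s in s_hat) / sum_{s' in s_hat} P[S_n = s']."""
        z, new = sum(theta[s] for s in s_hat), {}
        for v, m in self.mass.items():
            if v not in self.edges:                      # expansion phase
                self.edges[v] = {s: progress(v, s) for s in self.states}
            for s in s_hat:
                child = self.edges[v][s]
                new[child] = new.get(child, Fraction(0)) + m * theta[s] / z
        if self.max_nodes is not None and len(new) > self.max_nodes:   # shrinking phase
            keep = sorted(new, key=new.get, reverse=True)[:self.max_nodes]
            new = {v: new[v] for v in keep}              # mass of dropped vertices leaks
        self.mass = new
        return new

P, Q, S = ('p',), ('q',), frozenset
PHI0 = Always(0, None, Implies(P, Eventually(0, 5, Q)))   # Figure 1's [](p -> <>[0,5] q)
UNIFORM = {s: Fraction(1, 4) for s in all_states(['p', 'q'])}

def phi_i(i):            # phi_i = <>[0,5-i] q ^ phi_0, the remaining vertices of Figure 1
    return And(Eventually(0, 5 - i, Q), PHI0)

def run(stream, max_nodes=None):   # progress PHI0 over a stream of incomplete states
    g = ProgressionGraph(PHI0, ['p', 'q'], max_nodes)
    for s_hat in stream:
        g.step(s_hat, UNIFORM)
    return g

# Constructed streams: (A) p observed, then five states in which q is known false;
# (B) p observed, then a fully-unknown state, then "exactly one of p, q holds".
STREAM_A = [{S({'p'})}] + [{S({'p'}), S()}] * 5
STREAM_B = [{S({'p'})}, set(UNIFORM), {S({'p'}), S({'q'})}]
```

With STREAM_A the whole mass reaches $\bot$ after six steps, which is the $\varphi_5 \to \bot$ edge of Figure 1; with STREAM_B the mass after three steps is $1/2$ on $\varphi_0$ and $1/4$ each on $\varphi_1$ and $\varphi_3$, and with max_nodes=2 the shrinking phase drops one of the two $1/4$ vertices, so leaked() returns $1/4$, the $\ell_n$ of Theorem 3. Negative intervals are collapsed to $\bot$ when an until is built rather than on the next PROGRESS call; that, plus the canonical ordering of conjuncts, is what keeps the vertex set finite and makes progress() return the exact tuples that phi_i() builds.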

MAX_TTL  MAX_NODES  Avg Duration (sec) ±2σ  Iterations  Max Size  Median Size  Avg Density
∞        ∞          143.996 ±3.040          226,867     15,706    15,706       0.024
5        ∞          125.709 ±1.275          226,867     11,851    1,162        0.243
1        ∞           91.166 ±3.778          226,867      4,074    335          0.665
∞        250        126.553 ±5.529          226,863      3,858    3,726        0.099
5        250        117.505 ±2.002          226,863      3,855    1,163        0.254
1        250         90.815 ±5.372          226,863      3,722    335          0.665
∞        225        124.171 ±3.669          226,295      3,480    3,352        0.110
5        225        114.861 ±2.248          226,295      3,480    1,164        0.259
1        225         91.011 ±3.353          226,295      3,361    335          0.665
∞        200        116.160 ±5.039          225,644      3,105    2,978        0.124
5        200        112.212 ±1.590          225,644      3,105    1,165        0.266
1        200         90.385 ±2.361          225,644      2,999    335          0.665
∞        175        112.549 ±3.431          222,599      2,730    2,604        0.142
5        175        107.680 ±2.083          222,599      2,730    1,164        0.277
1        175         89.174 ±3.119          222,599      2,653    335          0.665

Table 1: Experimental results for $\varphi$ using a stream with $P[\hat{s} = \{\{p\}\}] = 0.8$ and $P[\hat{s} = \{\{p\}, \emptyset\}] = 0.2$, terminating when 99% of mass resides in verdict nodes. The table shows the total duration of progression (averaged over ten runs, showing the 95% probability interval), number of progression calls until termination, maximum combined formula size, median combined formula size, and average mass density in terms of non-zero-mass nodes relative to the total number of nodes.

As expected, the time results show a correlation between the size of the progression graphs and the number of iterations required until termination. As the size of the graph decreases, so does the time it takes to perform a progression, with MAX_TTL being more influential than MAX_NODES under the 1% maximum loss constraint. The procedure consequently performs best with parameters MAX_TTL = 1 and MAX_NODES = 175, followed closely by the other parameter sets for which MAX_TTL = 1. For the space usage, we observe that the maximum combined size of the formulas in the graph decreases together with MAX_TTL and MAX_NODES. This behavior is expected, as the vertices in the progression graph directly correspond to progressable formulas, and these constraints limit the number of such vertices. We likewise observe that the median size decreases and the average density increases as MAX_TTL and MAX_NODES decrease. The minimum median size observed is 335, which appears to be the most commonly observed graph size measured in the length of the contained formulas. The average density results also show how constraints on the time-to-live and the maximum number of vertices positively impact the utilization of vertices in the progression graph. However, there is a balance between a high density, which requires potentially many time-costly updates to the structure of the graph, and a low density, which requires more space on average.

[Figure 2: Verdict probability at termination for φ using a stream with P[s_b = {{p}, ∅}] ∈ {0.4, 0.6, 0.8, 1.0}. The plot shows the leaked probability at termination (y axis, 0 to 1) against MAX_NODES (x axis, 0 to 180), with one curve per probability value.]

Sensitivity to Partiality

Next, we look into the sensitivity to partiality of the proposed graph-based partial-state progression techniques. In particular, we are interested in the effect of the quality of a stream on the evaluation of a formula. Thus far, we have used stream generators for which P[s_b = {{p}}] = 0.8 and P[s_b = {{p}, ∅}] = 0.2. In these experiments, we instead let these probabilities vary with r ∈ [0.4, 1.0] in steps of 0.2. The resulting stream generator consequently produces P[s_b = {{p}}] = 1 − r and P[s_b = {{p}, ∅}] = r. We again use the formula φ for a fair comparison. Figure 2 shows the leaked probability for varying degrees of incompleteness in the produced streams. The graph for the ‘false’ verdict would be the inverse of Figure 2. We can again observe the dual nature of leaked mass versus ⊥ verdicts. Additionally, we can observe a varying sensitivity to increasing the probability of incomplete states. As the number of incomplete states in a stream increases (because their probability of occurring increases), the slope of the associated plots increases as well. We observe that an increase in incompleteness leads to a faster decrease of leaked probability as the value of MAX_NODES increases. This is expected behavior because there are now more progression traces of φ that result in the early falsification of the formula. The results show that the degree of incompleteness of a stream has a non-trivial impact on the result of progression and affects the choice of MAX_NODES.
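To make the effect of incompleteness concrete, the following Python program is an added example (it is not code from the paper, and it does not implement the PPROGRESS graph; it enumerates hypotheses by brute force instead). It builds streams with the generator described above, where each state is {{p}, ∅} with probability r and {{p}} otherwise, counts the complete state sequences consistent with a stream, and evaluates a stand-in formula □[0,k] p ("p holds at every time point up to k") on every hypothesis to obtain the ⊤ and ⊥ verdict masses and the time point at which a hypothesis is falsified. The stand-in formula (the paper's φ is not given in this section), the uniform split of mass among the possible states of an incomplete stream element, and all function names are assumptions of this example.

```python
"""Brute-force hypothesis enumeration for a partial-state stream (added example;
NOT the paper's PPROGRESS procedure, which keeps a bounded progression graph
instead of enumerating hypotheses)."""
import itertools
import random
from fractions import Fraction

P = "p"
# A complete state is the set of propositions that hold; a stream element s_b is
# the set of complete states considered possible at time point b.
KNOWN_TRUE = frozenset({frozenset({P})})            # s_b = {{p}}: p known to hold
UNKNOWN = frozenset({frozenset({P}), frozenset()})   # s_b = {{p}, ∅}: p unobserved


def generate_stream(length, r, rng):
    """Generator from the sensitivity experiment: each state is incomplete
    ({{p}, ∅}) with probability r and complete ({{p}}) with probability 1 - r."""
    return [UNKNOWN if rng.random() < r else KNOWN_TRUE for _ in range(length)]


def count_hypotheses(stream):
    """Number of complete state sequences consistent with the stream: the product
    of the alternatives per time point, i.e. 2^k for k incomplete states."""
    n = 1
    for possible in stream:
        n *= len(possible)
    return n


def hypotheses(stream):
    """Yield (probability, complete state sequence) for every consistent sequence.
    Assumption (not stated on the page): mass is split uniformly among the
    possible states of each incomplete stream element."""
    weight = Fraction(1, count_hypotheses(stream))
    for seq in itertools.product(*stream):
        yield weight, seq


def first_falsification(seq, bound):
    """Stand-in formula □[0,bound] p: return the first time point in 0..bound at
    which p does not hold (the formula is falsified there, before the interval
    ends), or None if p holds throughout."""
    for t, state in enumerate(seq[:bound + 1]):
        if P not in state:
            return t
    return None


def verdict_mass(stream, bound):
    """Probability mass of the ⊤ and ⊥ verdicts for □[0,bound] p, obtained by
    evaluating the formula on every hypothesis. The stream must cover the whole
    interval so that every hypothesis yields a verdict."""
    if len(stream) < bound + 1:
        raise ValueError("stream too short to decide the formula up to %d" % bound)
    false_mass = Fraction(0)
    for weight, seq in hypotheses(stream):
        if first_falsification(seq, bound) is not None:
            false_mass += weight
    return 1 - false_mass, false_mass


if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed; the streams below are constructed samples
    for r in (0.4, 0.6, 0.8, 1.0):  # the sweep used for Figure 2
        stream = generate_stream(12, r, rng)
        t, f = verdict_mass(stream, 4)
        print("r=%.1f incomplete=%2d hypotheses=%5d P[T]=%s P[F]=%s"
              % (r, stream.count(UNKNOWN), count_hypotheses(stream), t, f))
```

Running the sweep shows the hypothesis count doubling with every incomplete state, and the ⊥ mass growing with r because each incomplete state within the interval admits a sequence that falsifies □[0,k] p at that time point. The number of distinct sequences is what a graph-based procedure has to bound with a parameter such as MAX_NODES; the enumeration here is only feasible for short streams.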

7 Conclusions and Future Work

We have presented an approximate graph-based extension of the original MTL progression procedure (Bacchus and Kabanza 1996; 1998) to handle stochastic state information. The PPROGRESS procedure is shown to correctly reflect the probabilities of the ⊤ and ⊥ verdicts given an MTL formula using an incremental update mechanism. The procedure additionally allows for a trade-off between accuracy and space requirements, by leaking probability mass from certain formulas based on their time-to-live and amount of contained probability mass. Our empirical evaluation illustrates this trade-off and the impact on both accuracy and space requirements.

For future work, we are interested in a number of extensions and applications. The stream universe is subject to a number of strict assumptions we would like to relax in future work. In this paper we assume the state universe to be given; in future work we wish to consider learning the probability distribution over the state universe through observation. Additionally, the PPROGRESS procedure utilizes a MAX_NODES parameter which to a large degree determines the amount of probability that will be leaked. It would be interesting to see if we could predict suitable values for MAX_NODES beforehand given a formula, in order to minimize the leaked probability at termination. In a similar light, we want to perform more detailed empirical evaluations for classes of MTL formulas. Finally, we are interested in looking further into the application of background theories, specifically ASP-based reasoning. This is motivated by the versatility of ASP-based reasoning, which has been shown (Brenton, Faber, and Batsakis 2016) to be able to perform spatial reasoning in RCC-8.

We believe that the presented results together with the potential extensions demonstrate the usefulness of this line of partial-state progression, which is particularly beneficial to the area of stream reasoning.

Acknowledgments

This work is partially supported by grants from the National Graduate School in Computer Science, Sweden (CUGS). We would like to thank Mattias Tiger for the valuable discussions which helped improve the notation used in this paper, and the reviewers for their insightful comments.

References

Adolf, F.-M.; Faymonville, P.; Finkbeiner, B.; Schirmer, S.; and Torens, C. 2017. Stream runtime monitoring on UAS. In Proceedings of the 17th International Conference on Runtime Verification, 33–49.

Alur, R., and Dill, D. L. 1994. A theory of timed automata. Theoretical Computer Science 126(2):183–235.

Alur, R.; Feder, T.; and Henzinger, T. A. 1996. The benefits of relaxing punctuality. Journal of the ACM (JACM) 43(1):116–146.

Bacchus, F., and Kabanza, F. 1996. Planning for temporally extended goals. In Proceedings of the 13th AAAI Conference on Artificial Intelligence, 1215–1222.

Bacchus, F., and Kabanza, F. 1998. Planning for temporally extended goals. Annals of Mathematics and Artificial Intelligence 22(1-2):5–27.

Basin, D.; Bhatt, B. N.; and Traytel, D. 2017. Almost event-rate independent monitoring of Metric Temporal Logic. In Proceedings of the 23rd International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 94–112.

Basin, D.; Krstić, S.; and Traytel, D. 2017. Almost event-rate independent monitoring of Metric Dynamic Logic. In Lahiri, S., and Reger, G., eds., Proceedings of the 17th International Conference on Runtime Verification, 85–102.

Brenton, C.; Faber, W.; and Batsakis, S. 2016. Answer set programming for qualitative spatio-temporal reasoning: Methods and experiments. In Technical Communications of the 32nd International Conference on Logic Programming, volume 52, 4:1–4:15.

de Leng, D., and Heintz, F. 2018. Partial-state progression for stream reasoning with metric temporal logic. In Proceedings of the 16th International Conference on Principles of Knowledge Representation and Reasoning, 633–634.

Desai, A.; Dreossi, T.; and Seshia, S. A. 2017. Combining model checking and runtime verification for safe robotics. In Proceedings of the 17th International Conference on Runtime Verification, 172–189.

Dwyer, M. B.; Avrunin, G. S.; and Corbett, J. C. 1999. Patterns in property specifications for finite-state verification. In Proceedings of the 21st International Conference on Software Engineering, 411–420. ACM.

Emerson, E. A. 1990. Temporal and modal logic. In Formal Models and Semantics. Elsevier. 995–1072.

Koymans, R. 1990. Specifying real-time properties with Metric Temporal Logic. Real-Time Systems 2(4):255–299.

Kvarnström, J.; Heintz, F.; and Doherty, P. 2008. A temporal logic-based planning and execution monitoring system. In Proceedings of the 18th International Conference on Automated Planning and Scheduling, 198–205.

Medhat, R.; Bonakdarpour, B.; Fischmeister, S.; and Joshi, Y. 2016. Accelerated runtime verification of LTL specifications with counting semantics. In Proceedings of the 16th International Conference on Runtime Verification, 251–267.

Nenzi, L.; Bortolussi, L.; Ciancia, V.; Loreti, M.; and Massink, M. 2015. Qualitative and quantitative monitoring of spatio-temporal properties. In Proceedings of the 15th International Conference on Runtime Verification, 21–37.

Randell, D.; Cui, Z.; and Cohn, A. 1992. A spatial logic based on regions and connection. In Proceedings of the 3rd International Conference on Principles of Knowledge Representation and Reasoning, 165–176.
