Formal testing of timed graph transformation systems using metric temporal graph logic
DOI: 10.1007/s10009-020-00585-w
© The Author(s) 2021
Published: 17 July 2021
Abstract
Embedded real-time systems generate state sequences where time elapses between state changes. Ensuring that such systems adhere to a provided specification of admissible or desired behavior is essential. Formal model-based testing is often a suitable cost-effective approach. We introduce an extended version of the formalism of symbolic graphs, which encompasses types as well as attributes, for representing states of dynamic systems. Relying on this extension of symbolic graphs, we present a novel formalism of timed graph transformation systems (TGTSs) that supports the model-based development of dynamic real-time systems at an abstract level where possible state changes and delays are specified by graph transformation rules. We then introduce an extended form of the metric temporal graph logic (MTGL) with increased expressiveness to improve the applicability of MTGL for the specification of timed graph sequences generated by a TGTS. Based on the metric temporal operators of MTGL and its built-in graph binding mechanics, we express properties on the structure and attributes of graphs as well as on the occurrence of graphs over time that are related by their inner structure. We provide formal support for checking whether a single generated timed graph sequence adheres to a provided MTGL specification. Relying on this logical foundation, we develop a testing framework for TGTSs that are specified using MTGL. Lastly, we apply this testing framework to a running example by using our prototypical implementation in the tool AutoGraph.
Keywords
Formal testing Typed attributed symbolic graphs Timed graph transformation Graph conditions Metric temporal graph logic1 Introduction
Software has become an intrinsic part of parallel embedded real-time systems, which need to realize increasingly advanced functionality with complex coordination behavior. The technical challenges for developing such embedded real-time systems with a high degree of parallelism, data dependencies, and timing constraints that must adhere to a given specification are manifold [25, 26, 37]. Moreover, formal verification of models of such complex systems is often infeasible since (a) fully automatic approaches fall short due to undecidability problems or the state-space explosion problem, whereas (b) manual verification approaches require additional expertise and an excessive amount of resources. Formal model-based testing approaches aim at providing a well-balanced tradeoff between the computational costs and the resulting degree of confidence in a broad spectrum of domains [18, 20, 35, 57].
Graph transformation with its visual notation is well-suited for modeling and developing complex dynamic systems where states can be represented by graphs [29]. For instance, rule-based graph transformation supports the modeling of distribution in decentralized systems, modifications of connectivity as in dynamically established collaborations, computations on values and subgraphs, as well as permits a reconfiguration of systems at runtime with powerful mechanisms for controlling rule applicability [67]. However, the expressiveness of graph transformation systems prevents fully automatic analysis due to undecidability in general. Moreover, the emerging behavior may be highly influenced by complex dependencies between rules of the transformation system, which results in a difficult and error-prone modeling phase.
To improve support for the described setting, we introduce a testing approach for timed graph transformation systems (TGTSs) (see Sect. 9 for a comparison with other TGTS formalisms). Well-established metric temporal logics such as MTL [60] relying on atomic propositions are insufficient for the specification of TGTSs when more complex metric temporal properties are to be expressed. In particular, we aim at expressing properties where graphs occurring at different points in time are to be related by their inner structure. Examples of such properties refer to substructures that are monitored over a period of time or check for the existence of nodes or edges with certain attribute values. To express such properties, we build upon graph logics [43, 78] where bindings for subgraphs is a first-class citizen.
A general overview of our approach is visualized in Fig. 1. We develop support for checking the satisfaction of a timed graph sequence obtained from a TGTS w.r.t. a formal specification given in the form of (a set of) conditions from MTGL. To this end, we verify encodings of higher-level operators such as delta-lock and delta-release into lower-level operators for iterated graph pattern matching. On the foundation of these theoretical results, we provide a formal testing approach for TGTSs by employing standard methods for generating diverse timed graph sequences from TGTSs using randomization to resolve nondeterminism. In particular, we provide (a) encodings for translating a condition \(\psi \) from MTGL into a condition \(\phi \) of BGL and (b) a folding operation for translating a finite timed graph sequence \(\pi \) into a single graph G preserving all information. We then verify that \(\pi \) satisfies \(\psi \) if and only if G satisfies \(\phi \), which allows for an efficient check of MTGL satisfaction for finite timed graph sequences by reducing this problem to the satisfaction checking problem. All these steps are supported by our prototypical implementation in the tool AutoGraph.
In order to demonstrate our approach, we make use of a running example. Specifically, we consider a model of a real-time operating system in which tasks are executed to produce results and consider the following metric temporal properties.
Example 1
-
\(\mathbf {P_{1}}\): Each task that is spawned in a system is eventually completed and thereby removed from the system within at most 10000 time units and produces a unique result with a value of \( ok \) and an id that equals the id of the task.
-
\(\mathbf {P_{2}}\): Each new result is obtained from a task with the same id that was spawned at most 10000 time units before and that was present since then.
-
\(\mathbf {P_{3}}\): Every task in a system runs at least once every 1000 time units until it terminates.
We now summarize our main contributions: (a) the integration of global variables in symbolic graphs as the formalism underlying the subsequent developments, (b) the definition of a suitable notion of (timed) graph transformation for symbolic graphs with adequate descriptive expressiveness, (c) the extensions of existing graph logics by introducing restriction and delta-based operators for improving the applicability by allowing to discard parts of matches using contexts, (d) the extension/adaptation of MTGL from [38, 81] described above that permits to express more complex metric temporal properties, and (e) the prototypical implementation of all notions and constructions relevant to our formal testing approach in the tool AutoGraph.
In the future, we envision to improve upon the following aspects of the introduced approach: (a) its effectiveness, by considering suitable additional operators, (b) its efficiency, by applying incremental pattern matching techniques for the generation of timed graph sequences from the TGTS at hand as well as for checking the satisfaction of conditions of MTGL, and (c) its applicability, by developing new means for presenting violations and for filtering definite and potential violations.
The remainder of this paper is organized as follows. In Sect. 2, we introduce the attribute logic AL (which relies on algebraic specifications as explained in more detail in “Appendix A”) which corresponds to attribute logics’ implementations in SMT solvers. Based on this attribute logic AL, we present our extension of symbolic graphs with global variables in Sect. 3 where attribute conditions are used to restrict attribute values occurring in the symbolic graphs. In Sect. 4, we present the basic graph logic BGL with a novel restriction operator. BGL conditions are then used as application conditions of (timed) graph transformation systems introduced in Sect. 5 where we also define the generation of (timed) graph sequences. As an intermediate step, we extend the graph logic BGL resulting in the graph logic GL by integrating a novel delta-based operator, which allows to preserve attribute values across the restriction and extension of matches, in Sect. 6. We then present MTGL in Sect. 7 with the novel metric temporal operators delta-lock and delta-release. The application to the formal testing scenario and details of our prototypical implementation in the tool AutoGraph are discussed in Sect. 8. Finally, Sect. 9 discusses related work and Sect. 10 concludes the paper with a summary and remarks on future work.
Also note the glossary on page 73 covering most symbols introduced throughout the paper.
2 Attribute logic AL
We provide an informal introduction of the attribute logic AL, which is used in the remainder of this paper to specify attribute values in symbolic graphs. In this section, we present the most relevant notations and refer to “Appendix A” for a detailed presentation. The logic AL is the finitary first-order many-sorted logic with equality as supported by standard SMT solvers such as Z3 [68]. Such solvers are shipped with support for sorts such as \(\mathsf {bool}\), \(\mathsf {int}\), \(\mathsf {real}\), and \(\mathsf {string}\) and standard operations on these sorts. For the remainder of this paper, we assume that the attribute conditions (ACs) of AL that are used can be handled by such SMT solvers. In particular, in our prototypical implementation discussed later on in Sect. 8, we rely on Z3 to simplify ACs, check satisfaction of ACs, and check satisfiability of ACs. As checking satisfiability is undecidable for AL, our implementation is ready to report ACs to the user for which Z3 is unable to return a result.
The set of all ACs containing free variables from a set \(X\subseteq \mathcal {X} \) is denoted \(\mathcal {S}^{{\textsf {AC} }} _{X} \) based on a universe \(\mathcal {X} \) of all variables. For example, the AC \(\gamma =\exists \{x\}.\;x\le y+2 \) is an AC over the variable set \(\{y\}\) because y is the only free variable of \(\gamma \). We denote the union of all supported datatypes containing all values by \(\mathcal {V} \). The satisfaction of an AC \(\gamma \) by a variable valuation is denoted \(\alpha \models _{\mathsf {AC}} \gamma \). Also, if there is such a variable valuation, \(\gamma \) is satisfiable denoted by \({\textsf {sat} }_{\exists } (\gamma ) \). Moreover, if \(\gamma \) is satisfied by each variable valuation, \(\gamma \) is tautological denoted by \({\textsf {sat} }_{\forall } (\gamma ) \). For example, the AC \(\gamma \) from above is tautological because, for each choice of a value for y (given by a variable valuation \(\alpha \)), there is a suitable choice of a value for x as well. Hence, \(\gamma \) can be simplified to the AC \(\top \).
3 Symbolic graphs
(Typed) symbolic graphs have been introduced in [71, 73, 74] in the context of graph transformation on these graphs. Symbolic graphs contain two sets of nodes and edges as usual for graphs but also two further sets of node attributes and edge attributes as in E-Graphs [29] where each node attribute and each edge attribute is connected to a node and an edge, respectively. In E-Graphs, these node attributes and edge attributes are connected to values. In symbolic graphs, node attributes and edge attributes are connected to variables and an AC is used to restrict the possible values for these variables. Note that node and edge attributes have a unique value in attributed graphs based on E-Graphs leading to a unique valuation for node and edge attributes but an AC of a symbolic graph can be satisfied by zero, one, or more different variable valuations.
Incorporating global graph variables, we first introduce the notion of plain symbolic graphs for the untyped case.3 See Fig. 2 (top left) for an example of a plain symbolic graph G.
Definition 1
-
\({G}{.}{{\textsf {N} }}\) of nodes,
-
\({G}{.}{{\textsf {E} }}\) of edges,
-
\({G}{.}{{\textsf {NA} }}\) of node attributes,
-
\({G}{.}{{\textsf {EA} }}\) of edge attributes,
-
\({G}{.}{{\textsf {XL} }} \subseteq \mathcal {X} \) of local variables, and
-
\({G}{.}{{\textsf {XG} }} \subseteq \mathcal {X} \) of global variables,
-
\({G}{.}{{\textsf {Var} }} =({G}{.}{{\textsf {XL} }} \cup {G}{.}{{\textsf {XG} }},{\textsf {type} }_{})\) contains the local and global variables where the function \({\textsf {type} }_{} \) assigns a sort to each variable,4
-
\({G}{.}{{\textsf {ac} }} \in \mathcal {S}^{{\textsf {AC} }} _{{G}{.}{{\textsf {XL} }} \cup {G}{.}{{\textsf {XG} }}} \) is an AC defined over the local and global variables, and
-
,
-
,
-
,
-
,
-
, and
-
-
\({G}{.}{{\textsf {X} }} ={G}{.}{{\textsf {XL} }} \cup {G}{.}{{\textsf {XG} }} \) is the set of local and global variables of a plain symbolic graph.
-
\({G}{.}{{\textsf {X} }}{\mathcal {V}} ={G}{.}{{\textsf {X} }} \cup \mathcal {V} \) is the set of local variables, global variables, and values of a plain symbolic graph.
Morphisms between plain symbolic graphs are given by maps between the corresponding sets of elements except for the global variables, which are mapped to the union of global variables and values of the target graph. Intuitively, plain symbolic graph morphisms may restrict/refine the ACs from the source graph to the target graph. This means that plain symbolic graph morphisms must not permit additional variable valuations satisfying the ACs, i.e., each variable valuation that satisfies the AC of the target graph must also satisfy the AC of the source graph where its variables are substituted according to the morphism. This is formally stated as \({\textsf {sat} }_{\forall } ({G_2}{.}{{\textsf {ac} }} \rightarrow {f}{.}{{\textsf {X} }} ({G_1}{.}{{\textsf {ac} }})) \) in the definition below. For example, a morphism where \({G_1}{.}{{\textsf {ac} }} =(x\ge 2)\) and \({G_2}{.}{{\textsf {ac} }} =(\bar{x}= 4)\) may map x to \(\bar{x}\) using the mapping \({f}{.}{{\textsf {X} }} \). A visualization of the required compatibility with the source and target functions for edges, node attributes, and edge attributes is given in Fig. 3.
Definition 2
-
,
-
,
-
,
-
,
-
, and
-
-
\({f}{.}{{\textsf {N} }} \circ {G_1{.}{\textsf {s} }_{\textsf {E} }}={G_2{.}{\textsf {s} }_{\textsf {E} }}\circ {f}{.}{{\textsf {E} }} \),
-
\({f}{.}{{\textsf {N} }} \circ {G_1{.}{\textsf {t} }_{\textsf {E} }}={G_2{.}{\textsf {t} }_{\textsf {E} }}\circ {f}{.}{{\textsf {E} }} \),
-
\({f}{.}{{\textsf {N} }} \circ {G_1{.}{\textsf {s} }_{\textsf {NA} }}={G_2{.}{\textsf {s} }_{\textsf {NA} }}\circ {f}{.}{{\textsf {NA} }} \),
-
\({f}{.}{{\textsf {XL} }} \circ {G_1{.}{\textsf {t} }_{\textsf {NA} }}={G_2{.}{\textsf {t} }_{\textsf {NA} }}\circ {f}{.}{{\textsf {NA} }} \),
-
\({f}{.}{{\textsf {E} }} \circ {G_1{.}{\textsf {s} }_{\textsf {EA} }}={G_2{.}{\textsf {s} }_{\textsf {EA} }}\circ {f}{.}{{\textsf {EA} }} \), and
-
\({f}{.}{{\textsf {XL} }} \circ {G_1{.}{\textsf {t} }_{\textsf {EA} }}={G_2{.}{\textsf {t} }_{\textsf {EA} }} \circ {f}{.}{{\textsf {EA} }} \),
-
\({f}{.}{{\textsf {XL} }} \) and \({f}{.}{{\textsf {XG} }} \) respect the sorts of the variables5 and
-
\(G_2\) has a more restrictive AC compared to \(G_1\), i.e., \({\textsf {sat} }_{\forall } ( {G_2}{.}{{\textsf {ac} }} \rightarrow {f}{.}{{\textsf {X} }} ({G_1}{.}{{\textsf {ac} }}) ) \).
-
Map of local and global variables6:
with \({f}{.}{{\textsf {X} }} ={f}{.}{{\textsf {XL} }} \cup {f}{.}{{\textsf {XG} }} \)
-
Map of local and global variables extended by identity map on values:
with \({f}{.}{{\textsf {X} }}_{\mathcal {V}} ={f}{.}{{\textsf {XL} }} \cup {f}{.}{{\textsf {XG} }} \cup {\textsf {id} } (\mathcal {V}) \)
-
Map of global variables that are mapped to values:
where A is some subset of \({G_1}{.}{{\textsf {XG} }} \)
with \({f}{.}{{\textsf {X} }}_{\textsf {GM} } ={f}{.}{{\textsf {XG} }} \cap ({G_1}{.}{{\textsf {XG} }} \times \mathcal {V})\)
-
Map of local variables and of global variables when no global variables are mapped to values:
If \({f}{.}{{\textsf {X} }}_{\textsf {GM} } =\varnothing \), then
with \({f}{.}{{\textsf {X} }}_{\textsf {P} } ={f}{.}{{\textsf {X} }} \cap ({G_1}{.}{{\textsf {X} }} \times {G_2}{.}{{\textsf {X} }})\)
The binary composition of two plain symbolic graph morphisms is defined as usual for all components except for the global variables. For global variables we extend the second map \({f_2}{.}{{\textsf {XG} }} \) by the identity function on values that then preserves the values that are generated by the first map \({f_1}{.}{{\textsf {XG} }} \).
Definition 3
-
\({f_3}{.}{{\textsf {N} }} ={f_2}{.}{{\textsf {N} }} \circ {f_1}{.}{{\textsf {N} }} \),
-
\({f_3}{.}{{\textsf {E} }} ={f_2}{.}{{\textsf {E} }} \circ {f_1}{.}{{\textsf {E} }} \),
-
\({f_3}{.}{{\textsf {NA} }} ={f_2}{.}{{\textsf {NA} }} \circ {f_1}{.}{{\textsf {NA} }} \),
-
\({f_3}{.}{{\textsf {EA} }} ={f_2}{.}{{\textsf {EA} }} \circ {f_1}{.}{{\textsf {EA} }} \),
-
\({f_3}{.}{{\textsf {XL} }} ={f_2}{.}{{\textsf {XL} }} \circ {f_1}{.}{{\textsf {XL} }} \), and
-
\({f_3}{.}{{\textsf {XG} }} =({f_2}{.}{{\textsf {XG} }} \cup {\textsf {id} } (\mathcal {V}))\circ {f_1}{.}{{\textsf {XG} }} \)
The typing of plain symbolic graphs is formalized using an additional plain symbolic graph morphism \(\tau \) that has a plain symbolic graph G as a source, a symbolic type graph \( TG \) as a target, and does not map any global variables of G to values (see Fig. 2 for an example of a typed symbolic graph, a symbolic type graph, a typing morphism, and the simplified notation for typed symbolic graphs that we use in the remainder of this paper).
Definition 4
(Typed Symbolic Graphs) If G and \( TG \) are plain symbolic graphs, is a plain symbolic graph morphism, and \(\tau \) does not map any global variables of G to values (i.e., \({\tau }{.}{{\textsf {X} }}_{\textsf {GM} } =\varnothing \)), then \((G,\tau )\) is a typed symbolic graph over a symbolic type graph \( TG \), written \((G,\tau )\in \mathbf {Graphs}_{ TG } \) or simply \((G,\tau )\in \mathbf {Graphs} \) when the type graph is clear from the context.
Morphisms between typed symbolic graphs are then assumed to preserve the typing for all graph elements except for global variables that are mapped to values (recall that the plain symbolic graph morphism ensures already that global variables cannot be matched to values of a different sort).
Definition 5
-
\({\tau _1}{.}{{\textsf {N} }} ={\tau _2}{.}{{\textsf {N} }} \circ {f}{.}{{\textsf {N} }} \),
-
\({\tau _1}{.}{{\textsf {E} }} ={\tau _2}{.}{{\textsf {E} }} \circ {f}{.}{{\textsf {E} }} \),
-
\({\tau _1}{.}{{\textsf {NA} }} ={\tau _2}{.}{{\textsf {NA} }} \circ {f}{.}{{\textsf {NA} }} \),
-
\({\tau _1}{.}{{\textsf {EA} }} ={\tau _2}{.}{{\textsf {EA} }} \circ {f}{.}{{\textsf {EA} }} \),
-
\({\tau _1}{.}{{\textsf {XL} }} ={\tau _2}{.}{{\textsf {XL} }} \circ {f}{.}{{\textsf {XL} }} \), and
-
for every \(x\in {G_1}{.}{{\textsf {XG} }} \) and \(y\in {G_2}{.}{{\textsf {XG} }} \) s.t. \({f}{.}{{\textsf {XG} }} (x)=y\) it holds that \({\tau _1}{.}{{\textsf {XG} }} (x)={\tau _2}{.}{{\textsf {XG} }} (y)\),
We define the binary composition of typed symbolic graph morphisms along the lines of the binary composition of plain symbolic graph morphisms.
Definition 6
(Binary Composition of Typed Symbolic Graph Morphisms) If , , and are typed symbolic graph morphisms, and \(f_3=f_2\circ _{{\textsf {p} }}f_1\) is the composition of plain symbolic graph morphisms \(f_2\) and \(f_1\), then \(f_3\) is the composition of typed symbolic graph morphisms \(f_2\) and \(f_1\), written \(f_3=f_2\circ f_1\).
To ease presentation, we handle typing of symbolic graphs and symbolic graph morphisms implicitly, assume a fixed type graph, focus on symbolic graphs that are finite (i.e., symbolic graphs with a finite AC and finite sets of nodes, edges, node attributes, edge attributes, local variables, and global variables) unless stated otherwise, and refer in the following to typed symbolic graphs as symbolic graphs or simply graphs and to typed symbolic graph morphisms as morphisms. See also “Appendix C” for additional definitions and results.
We define two special kinds of morphisms. An inclusion morphism has only inclusions as components (see Definition 61). An identity morphism has only identities as components (see Definition 62).
We state in the following theorem that graphs and morphisms, as introduced here, together with composition and identity morphisms determine a category.
Theorem 1
(Category \(\mathbf {SymbGraphs} \)) If \( Ob \) is the class of graphs from Definition 4, \( Mor (A,B)\) is the set of morphisms of type from Definition 5, \(\circ \) is the binary composition of morphisms from Definition 6, and \({\textsf {id} } (A) \) is the unique identity morphism, then \(\mathbf {SymbGraphs} =( Ob , Mor ,\circ ,{\textsf {id} })\) is a category.
See page 58 for the proof of this theorem.
As the next step, we discuss several further notions and constructions for the category \(\mathbf {SymbGraphs} \).
The unique empty graph is denoted by \(\varvec{\varnothing } \), contains no graph elements, and has the trivial AC \({\varvec{\varnothing }}{.}{{\textsf {ac} }} =\top \). The empty graph \(\varvec{\varnothing } \) is initial in \(\mathbf {SymbGraphs}\) (see Lemma 3) but other graphs with no graph elements and a tautological AC are initial as well (see Lemma 2) as they are isomorphic to \(\varvec{\varnothing } \). We denote the unique initial morphism of type by \({\textsf {i} } (G) \).
Partially injective morphisms are used as match morphisms later (see also [33, Definition 7.3, p. 173] where almost injective morphisms have been introduced to be able to map variables noninjectively to values in an otherwise injective match). These morphisms have only injective components except for the component of global variables where they are permitted to map distinct global variables to the same value.
Definition 7
(Partially Injective Morphisms) If is a morphism with \(f=({f}{.}{{\textsf {N} }},{f}{.}{{\textsf {E} }},{f}{.}{{\textsf {NA} }},{f}{.}{{\textsf {EA} }},{f}{.}{{\textsf {XL} }},{f}{.}{{\textsf {XG} }})\), \({f}{.}{{\textsf {N} }} \), \({f}{.}{{\textsf {E} }} \), \({f}{.}{{\textsf {NA} }} \), \({f}{.}{{\textsf {EA} }} \), and \({f}{.}{{\textsf {XL} }} \) are injective, and for all \(x\in {A}{.}{{\textsf {XG} }} \) and \(y\in {A}{.}{{\textsf {XG} }} \) it holds that \({f}{.}{{\textsf {XG} }} (x)={f}{.}{{\textsf {XG} }} (y)\notin \mathcal {V} \) implies \(x=y\), then f is a partially injective morphism, written or \(f\in \mathcal {P} \).
A monomorphism in \(\mathbf {SymbGraphs}\) (also denoted by \({\textsf {mono} }(f)\) or \(f\in \mathcal {M} \)) is injective on all components and maps no global variables to a value (see Lemma 4). Obviously, every monomorphism is a partially injective morphism as well but not vice versa. An epimorphism in \(\mathbf {SymbGraphs}\) (also denoted by \({\textsf {epi} }(f)\) or \(f\in \mathcal {E} \)) is surjective on all components except for the global variables where \({f}{.}{{\textsf {XG} }} \) must map to all global variables of the target graph (see Lemma 5). An isomorphism of \(\mathbf {SymbGraphs}\) (also denoted by \({\textsf {isom} }(f)\)) is a monomorphism, an epimorphism, and source and target graphs must have equivalent ACs w.r.t. the mapping of their variables (see Lemma 6).
A cospan7 is jointly epimorphic in \(\mathbf {SymbGraphs}\) (denoted by \((f_1,f_2)\in \mathcal {E}' \)) when each graph element (i.e., excluding the set of values \(\mathcal {V} \)) of K is mapped to by \(f_1\) or \(f_2\) (see Lemma 7).
The further categorical notions and constructions in \(\mathbf {SymbGraphs}\) of coproducts describing the disjoint union of two graphs (see Lemma 13), pushouts describing the union of two graphs (see Lemma 9), pullbacks describing the intersection of two graphs (see Lemma 12), \(\mathcal {E} \text {-}\mathcal {P} \) -factorizations describing a decomposition of morphisms (see Lemma 8), and \(\mathcal {E}' \text {-}\mathcal {P} \) -pair-factorizations describing a decomposition of a cospan (see Lemma 15) are covered in “Appendix C”.
An AC inclusion morphism has only identities as components and has a source graph with the trivial AC \(\top \). Hence, every graph G induces an AC inclusion morphism of type by obtaining \(\bar{G}\) from G by setting the AC of G to \(\top \).
Definition 8
(AC Inclusion Morphisms) If is a morphism with \(f{=}({f}{.}{{\textsf {N} }},{f}{.}{{\textsf {E} }},{f}{.}{{\textsf {NA} }},{f}{.}{{\textsf {EA} }},\) \({f}{.}{{\textsf {XL} }}, {f}{.}{{\textsf {XG} }})\), \({f}{.}{{\textsf {N} }} \), \({f}{.}{{\textsf {E} }} \), \({f}{.}{{\textsf {NA} }} \), \({f}{.}{{\textsf {EA} }} \), \({f}{.}{{\textsf {XL} }} \), and \({f}{.}{{\textsf {XG} }} \) are identities, and \({\bar{G}}{.}{{\textsf {ac} }} =\top \), then f is the AC inclusion morphism for G, written \(f={\textsf {acInc} } (G) \).
Graphs in which each variable is restricted by an AC to a unique value are called grounded graphs and correspond straightforwardly to E-Graphs.
Definition 9
(Grounded Graphs) If \(G\in \mathbf {Graphs} \) is a graph and a unique variable valuation satisfies \({G}{.}{{\textsf {ac} }} \) (i.e., ), then G is a grounded graph, written \({\textsf {grounded} } (G) \).
In fact, each graph G induces a class of such grounded graphs \(G'\), which are obtained by a possible renaming of the graph elements and by restricting the AC of G such that the AC of \(G'\) is satisfied by a unique variable valuation. The renaming of the graph elements is given by a partially injective morphism that is an epimorphism (to ensure that e.g. no additional vertices are added) but no isomorphism in general.
Definition 10
(Induced Grounded Graphs) If \(G\in \mathbf {Graphs} \) is a graph, then is the class of all grounded graphs induced by G.
The notion of induced grounded graphs determines the semantics of a graph. Hence, graphs that induce an empty set of grounded graphs (i.e., graphs with an unsatisfiable AC) should be avoided and can be understood to be faulty.
Later in Sects. 4 and 6, we make use of the following operation \({\textsf {overlap} }\), which we adapt from [43] to symbolic graphs with global variables. The operation \({\textsf {overlap} }\) (see Fig. 4) computes a set of pairs of jointly epimorphic monomorphisms that are generated from a given span8 (f, m) of two monomorphisms. Each cospan \((m',f')\) in the returned set ensures that the square consisting of f, m, \(m'\), and \(f'\) commutes and that the common target graph K of \(m'\) and \(f'\) is minimal in the sense that all its elements are mapped to by either \(m'\) or \(f'\). Moreover, we require that the AC of K must be constructed in a way that restricts the variables in K only in the least way possible to be compatible with the two given morphisms f and m.9 Note that one of the constructed cospans is the pushout of (f, m): the graph K constructed in that case is minimal due to the universal property of a pushout stating that the pushout object K can be compatibly matched (possibly noninjectively) into every other overlapping graph \(\bar{K}\) as constructed by the operation \({\textsf {overlap} }\). Note that for later applications, we define the result of the operation \({\textsf {overlap} }\) to be a finite set S of cospans by characterizing first all suitable cospans \(S'\) and by then obtaining S as a finite representation of \(S'\) up to isomorphism. Note that in actual implementations, computing S and obtaining \(S'\) from S go hand in hand.
Definition 11
-
A, B, and C are graphs,
-
and are monomorphisms,
-
are jointly epimorphic monomorphisms,
-
\(m'\circ f=f'\circ m\), and
-
\({\textsf {sat} }_{\forall } ( {K}{.}{{\textsf {ac} }} \leftrightarrow ( {m'}{.}{{\textsf {X} }} ({B}{.}{{\textsf {ac} }}) \wedge {f'}{.}{{\textsf {X} }} ({C}{.}{{\textsf {ac} }}) ) ) \),
Moreover, if S is a uniquely defined representation of \(S'\) up to isomorphism,10 then \({\textsf {overlap} } (f,m) =S\).
4 Basic graph logic
Graph logics are used to specify different kinds of graphs in terms of their graph elements (for symbolic graphs these are nodes, edges, and their attributes). In the past, graph conditions (for labeled graphs) with attribute conditions but without nesting were introduced in [72] and were extended with operators from propositional logic in [70]. Moreover, graph conditions without attribute conditions but with nesting were introduced in [43] for various categories such as labeled graphs (based on a general definition of a weak adhesive HLR category \((C,\mathcal {M})\) with an \(\mathcal {M}\)-initial object). An integration of these two approaches that supports nesting as well as attribute conditions using symbolic graphs was presented in [82].
We now continue this line of research by extending the graph logic presented in [82] to obtain the basic graph logic BGL, which supports symbolic graphs, with the novel integration of global variables and a restriction operator. Note that BGL uses the first-order logic expressive logic AL for specifying attribute values. Moreover, when the type graph does not contain variables, BGL subsumes the logic of nested graph conditions from [43], which is as expressive as first-order logic on graphs [23] as shown in [43, 78]. However, we believe that BGL has an increased expressiveness compared to the logic from [82] since the integration of global variables can be understood as a lifting of the existential quantification of ACs to the graph level, which is unavailable for the first-order logic on graphs.11 Also, the integration of the restriction operator enhances applicability of the logic by increasing its descriptive expressiveness.
4.1 Graph conditions and satisfaction relation
The basic graph conditions (BGCs) of BGL feature the two propositional connectives \(\wedge \) (called \(conjunction \)) and \(\lnot \) (called \(negation \)) as well as the additional operators \(\exists \) (called \(exists \)) and \(\nu \) (called \(restrict \)) for extending and restricting matches into a symbolic graph (called host graph), respectively.
The \(exists \) operator requires an extension of a given match into the host graph by matching further graph elements (such as nodes and edges) or by describing attribute values of already matched variables more precisely. Hence, the \(exists \) operator extends a context that is given by the match.
The novel \(restrict \) operator allows to select a submatch of a given match, which matches fewer elements but matches these elements in the same way as the given match. Hence, the \(restrict \) operator shrinks a context that is given by the match.
The operators of BGL can be combined freely in BGCs with the requirement that \(exists \) and \(restrict \) operators must build upon the symbolic graph that represents the given context as usual. Technically, the operator \(exists \) describes the extension of a finite context graph H to a finite context graph \(H'\) via a monomorphism and the \(restrict \) operator describes the restriction of a finite context graph H to a finite context graph \(H'\) via a monomorphism .
Definition 12
-
\(\bar{\phi }=\wedge S \) and \(S\mathrel {\subseteq _{\mathsf {fin}}} \mathcal {S}^{\mathsf {BGC}} _{H} \).
-
\(\bar{\phi }=\lnot \phi \) and \(\phi \in \mathcal {S}^{\mathsf {BGC}} _{H} \).
-
and \(\phi \in \mathcal {S}^{\mathsf {BGC}} _{H'} \).
-
and \(\phi \in \mathcal {S}^{\mathsf {BGC}} _{H'} \).
-
true: \(\top =\wedge \varnothing \)
-
false: \(\bot =\lnot \top \)
-
disjunction: \(\vee S =\lnot (\wedge \{\lnot \phi \mid \phi \in S\}) \)
-
universal quantification: \(\forall (f,\phi ) =\lnot \exists (f,\lnot \phi ) \)
In BGCs in our examples, for improved readability, we only use inclusions and employ the notation introduced below for their visualization.
Notation 1
(Morphisms in BGCs ) For a BGC , we visualize f by (a) all graph elements that are in \(H'-H\), (b) all graph elements that are connected to elements in \(H'-H\), (c) the set \(S_2-S_1\) of BGCs, if \({H}{.}{{\textsf {ac} }} =\wedge S_1 \) and \({H'}{.}{{\textsf {ac} }} =\wedge S_2 \), or otherwise the AC \({H'}{.}{{\textsf {ac} }} \), if it is not \(\top \), and (d) the set \({H'}{.}{{\textsf {XG} }}-{H}{.}{{\textsf {XG} }} \) of global variables, if it is not empty.
For a BGC , we visualize f by (a) all graph elements that are in \(H'\), (b) the AC \({H'}{.}{{\textsf {ac} }} \), if it is not \(\top \), and (c) the set \({H'}{.}{{\textsf {XG} }} \) of global variables, if it is not empty.
See Fig. 5 for an example of a BGC demonstrating the use of nesting and BGL operators not making use of attributes, Fig. 6 for an example of a BGC focusing on the attribute part in combination with the usage of the novel global variables, and Fig. 7 for an example of a BGC making use of the novel restrict operator.
The satisfaction relation for BGL is given below in the form of an inductive definition that relies on the inductive definition of BGCs. The definition follows [43, 82] for the operators \(conjunction \), \(negation \), and \(exists \). However, it also defines the satisfaction for the additional restrict operator and relies on partially injective morphisms that are allowed to map global variables to values. For the case when checking a graph against a BGC, the satisfaction relation is defined using the initial morphism and BGCs over the empty graph \(\varvec{\varnothing } \). This case depends on the satisfaction relation where a partially injective morphism , which represents a match of the current context graph H into the host graph G, is checked against a BGC over the graph H. For conjunction and negation, the satisfaction relation is defined as expected. For satisfaction of the BGC , the definition requires an extension of the match m (as in [43, 82]) in the form of a match that satisfies the subcondition \(\phi \) and that is consistent with f in the sense of the commutation condition \(m'\circ f=m\). This condition means (if f is an inclusion) that \(m'\) is defined as m for all elements in H and that \(m'\) has additional mappings for the elements that are in \(H'\) but not in H. This commutation condition also guarantees that the global variables in H/\(H'\) that are mapped by m/\(m'\) to values in \(\mathcal {V} \) are evaluated to these values throughout the satisfaction check for the entire subcondition \(\phi \). Finally, the satisfaction relation requires for the BGC that the restricted match satisfies the subcondition \(\phi \). Note that the satisfaction check for the exists operator may not succeed when there is no suitable extension match \(m'\) but that the restrict operator always succeeds in restricting the given match m to the match \(m\circ f\).
Definition 13
-
\(\bar{\phi }=\wedge S \) and \(\forall \phi \in S.\;m\models _{\mathsf {BGC}} \phi \).
-
\(\bar{\phi }=\lnot \phi \) and \(m\not \models _{\mathsf {BGC}} \phi \).
-
and there is s.t. \(m=m'\circ f\) and \(m'\models _{\mathsf {BGC}} \phi \).
-
and \(m\circ f\models _{\mathsf {BGC}} \phi \).
See Fig. 5, Fig. 6, and Fig. 7 for examples of satisfaction checks for BGCs. Moreover, a discussion on the inherent problems of BGL satisfaction checking and an operationalization of it is given in “Appendix B.”
4.2 Operation \({\textsf {shift} }\) and encoding of restrict
We adapt and extend the operation \({\textsf {shift} }\) from [32, pp. 15-16] and [82, Def. 17, p. 716] to our setting of symbolic graphs with global variables and the additional restrict operator.12 Intuitively, the operation \({\textsf {shift} }\) describes the propagation of a BGC over a morphism (which we assume to be a monomorphism here) preserving the semantics w.r.t. the satisfaction relation. The operation is commonly used as in [32] for propagating BGCs that restrict rule applicability in the context of graph transformation.13
Definition 14
-
\(\bar{\phi }=\wedge S \) and \(\bar{\phi }'=\wedge \{{\textsf {shift} } (m,\phi ) \mid \phi \in S\} \).
-
\(\bar{\phi }=\lnot \phi \) and \(\bar{\phi }'=\lnot {\textsf {shift} } (m,\phi ) \).
-
and
\(\bar{\phi }'{=}\vee \{\exists (f',{\textsf {shift} } (m',\phi )) \mid (m',f'){\in }{\textsf {overlap} } (f,m) \} \).
-
and \(\bar{\phi }'=\nu (m\circ f,\phi ) \).
In the following, we also adapt the standard soundness result for the \({\textsf {shift} }\) operation from [32, pp. 15-17] to our setting (see Fig. 8 for a visualization).
Theorem 2
(Soundness of \({\textsf {shift} }\) ) If is a monomorphism, is a partially injective morphism and \(\phi \in \mathcal {S}^{\mathsf {BGC}} _{H} \) is a BGC, then \(m_2\circ m_1\models _{\mathsf {BGC}} \phi \) iff \(m_2\models _{\mathsf {BGC}} {\textsf {shift} } (m_1,\phi ) \).
See page 68 for the proof of this theorem.
We now provide the operation \({\textsf {enc} }_{\nu }\), which encodes the restrict operator using the other operators of BGL. This operation thereby shows that the novel restrict operator increases the descriptive expressiveness but not the expressiveness of the logic. Also, procedures for satisfaction checking must then not be developed for the entire logic but only for the fragment not using the restrict operator. The encoding relies on the operation \({\textsf {shift} }\) to replace instances of restrict operators. See Fig. 7 for an example of the application of the operation \({\textsf {enc} }_{\nu }\) .
As already motivated for the definition of the \({\textsf {shift} }\) operation above, the two perspectives of shifting a BGC forwards over a monomorphism and describing the condition BGC in the context restricted by f are symmetric.
Definition 15
-
\(\bar{\phi }=\wedge S \) and \(\bar{\phi }'=\wedge \{{\textsf {enc} }_{\nu } (\phi ) \mid \phi \in S\} \).
-
\(\bar{\phi }=\lnot \phi \) and \(\bar{\phi }'=\lnot {\textsf {enc} }_{\nu } (\phi ) \).
-
and \(\bar{\phi }'=\exists (f,{\textsf {enc} }_{\nu } (\phi )) \).
-
and \(\bar{\phi }'={\textsf {shift} } (f,\phi ) \).
We now state the correctness of this encoding.
Theorem 3
(Soundness of \({\textsf {enc} }_{\nu }\)) If \(\phi \in \mathcal {S}^{\mathsf {BGC}} _{H} \) is a BGC and is a partially injective morphism, then \(m\models _{\mathsf {BGC}} \phi \) iff \(m\models _{\mathsf {BGC}} {\textsf {enc} }_{\nu } (\phi ) \).
See page 70 for the proof of this theorem.
The encoding operation \({\textsf {enc} }_{\nu }\) is also sound for graphs as a direct consequence of Theorem 3.
Corollary 1
(Soundness of \({\textsf {enc} }_{\nu }\) for Graphs) If \(\phi \in \mathcal {S}^{\mathsf {BGC}} _{\varvec{\varnothing }} \) is a BGC and \(G\in \mathbf {Graphs} \) is a graph, then \(G\models _{\mathsf {BGC}} \phi \) iff \(G\models _{\mathsf {BGC}} {\textsf {enc} }_{\nu } (\phi ) \).
See page 70 for the proof of this corollary.
Note that the encoding operation \({\textsf {enc} }_{\nu }\) may increase the size of a BGC drastically because the replacement condition is based on the set of graph overlappings computed by \({\textsf {shift} }\) via \({\textsf {overlap} }\) that grows exponentially with its inputs. We conclude that the operator restrict increases the descriptive expressiveness as it allows to state certain properties more concisely. The operation \({\textsf {enc} }_{\nu }\) is supported by our prototypical implementation in AutoGraph.
5 Graph transformation
The foundations of graph transformation following the double pushout (DPO) approach were developed decades ago and were extended to the attributed case later on. On the technical side, several existing tools including Agg [83], Groove [41], and Henshin [34] support attribute modifications.
-
\(\mathbf {R_{1}}\): The step relation can be implemented according to their formal definition without ad-hoc optimizations.14
-
\(\mathbf {R_{2}}\): The transformation steps are specified using a finite set of finite rules (having finite application conditions) to ensure the practical applicability of an implementation.
-
\(\mathbf {R_{3}}\): The step relation is symmetric to allow for analysis approaches where graph transformation rules are applied backwards.15
-
\(\mathbf {R_{4}}\): Rules may specify the nondeterministic choice of values for variables from a restricted set of values (as motivated by our running example presented in detail later on in Example 2).
-
\(\mathbf {R_{5}}\): The step relation does not accumulate junk elements in the graphs under transformation (which could (a) hamper the efficiency of an implementation when computing graph matchings and when checking the ACs of graphs for satisfiability and (b) prevent graphs to be isomorphic during state space generation resulting in intractably large or even infinite state spaces).16
Firstly, in [29, 33], an attributed graph is given by an E-Graph and a data algebra (for a fixed data signature) where node and edge attributes of the E-Graph are connected to elements of the carrier sets of the data algebra. Viable graph transformation steps are then specified using transformation rules where the E-Graphs in the transformation rules employ the term algebra and, hence, (node/edge) attributes are given by terms with variables. An application of a transformation rule then entails the assignment of the variables of the term algebra to elements of the data algebra of the graph to be transformed. However, in [29, 33], transformation rules cannot express that variables x and y may only be mapped when \(x=0\vee y=0\vee x=y\) is satisfied (cf. [71, Example 4, p. 21]) and we conjecture that an infinite application condition is required to restrict the assignment of the two variables in the required way. Hence, this approach does not simultaneously satisfy requirements R2 and R4.
Secondly, step relations for attributed graph transformation based on symbolic graphs (without global variables) have been introduced in [71, 73, 74] still following the DPO approach. A symbolic graph (without global variables) can be understood as an E-Graph where (node/edge) attributes are connected to a variable (as data elements) and where the values of these variables are then restricted by an additional (set of) constraints, which are given by first-order logic conditions defined over the terms of a term algebra using the variables of the E-Graph as free variables.18 This technique to specify attribute modifications has the advantage that conditional rule applications based on an AC \(x=0\vee y=0\vee x=y\) are directly specified in the AC of the transformation rule. However, there are some drawbacks w.r.t. the requirements above.
The subsequently introduced notion of attributed graph transformation satisfies the requirements R1–R5 from above suitably employing global variables. We then describe in Subsect. 5.2 and Subsect. 5.3 how this formalism can be used to cover also timed graph transformation systems21 using rules that increase the current global time in terms of a variable that is contained in the graph under transformation. Moreover, we provide an example of a timed graph transformation system, in which we delete variables and also make use of the nondeterministic generation of single valued attributes/variables.
5.1 Rules and steps for graph transformation
We adopt the DPO approach as in [29] where rules \(\rho \) consist of two monomorphisms and . These two monomorphisms describe the removal and addition of graph elements (for symbolic graphs, such elements are nodes, edges, node attributes, edge attributes, local variables, and global variables). On the one hand, all graph elements in L that \({\rho }{.}{{\textsf {del} }} \) does not map to are to be deleted. On the other hand, all graph elements in R that \({\rho }{.}{{\textsf {add} }} \) does not map to are to be added. To permit the DPO-based removal of variables (see explanations above and Fig. 9 for the comparison with [74]), we require that L, K, and R have an AC of \(\top \). To specify attribute modifications, a rule contains two maps and as well as an AC \({\rho }{.}{{\textsf {ac} }} \) on the set V. This set V contains unprimed and primed variables given by the variables originating from L and R. The correspondence between these two kinds of variables in V (i.e., between an unprimed x and its primed counterpart \(x'\)) is given via22\({{\rho }{.}{{\textsf {del} }}}{.}{{\textsf {X} }}_{\textsf {P} } \) and \({{\rho }{.}{{\textsf {add} }}}{.}{{\textsf {X} }}_{\textsf {P} } \). Moreover, we require that V is the coproduct (i.e., the disjoint union) of the two sets of variables via \({\rho }{.}{{\textsf {lX} }} \) and \({\rho }{.}{{\textsf {rX} }} \), written , which means that each variable in V can be associated unambiguously with a variable either in L or in R. Finally, we use BGCs \({\rho }{.}{{\textsf {lC} }} \) and \({\rho }{.}{{\textsf {rC} }} \) as application conditions on L and R, which further restrict rule application in Definition 18. See Fig. 11a for a visualization of the components of a rule.
Definition 16
-
L, K, and R are graphs,
-
,
-
are monomorphisms,
-
is a coproduct,
-
\({\rho }{.}{{\textsf {ac} }} \in \mathcal {S}^{{\textsf {AC} }} _{V} \) is an AC,
-
\({\rho }{.}{{\textsf {lC} }} \in \mathcal {S}^{\mathsf {BGC}} _{L} \),
-
\({\rho }{.}{{\textsf {rC} }} \in \mathcal {S}^{\mathsf {BGC}} _{R} \) are BGCs, and
-
\({L}{.}{{\textsf {ac} }} ={K}{.}{{\textsf {ac} }} ={R}{.}{{\textsf {ac} }} =\top \).
-
\({\rho }{.}{{\textsf {lG} }} =L\) is the left-hand side graph of the rule \(\rho \).
-
\({\rho }{.}{{\textsf {rG} }} =R\) is the right-hand side graph of the rule \(\rho \).
See Fig. 10a for an example of a rule with nontrivial graph modification, removal of variables, and variable modifications. In Fig. 10a, we use a notation for rules introduced below.
Notation 2
(Rules) In visualizations as in Fig. 10a, we depict the two morphisms and . We do not provide \({\rho }{.}{{\textsf {lX} }} \) and \({\rho }{.}{{\textsf {rX} }} \) because we visualize only rules where L and R have disjoint sets of variables already. For simplicity, we use unprimed variable names in L and K (e.g. the variable x in L and K in Fig. 10a) and primed variables in R (e.g. the variable \(x'\) in R in Fig. 10a). The AC \({\rho }{.}{{\textsf {ac} }} \) of \(\rho \) is depicted below the span \(({\rho }{.}{{\textsf {del} }},{\rho }{.}{{\textsf {add} }})\). If not explicitly depicted, both application conditions \({\rho }{.}{{\textsf {lC} }} \) and \({\rho }{.}{{\textsf {rC} }} \) are \(\top \).
The following definition introduces the special case of the identity rule for later use. It is to be applicable to any graph (with a satisfiable AC) and does not change the graph when being applied.
Definition 17
(Identity Rules) If \(\rho \in \mathcal {S}^{\mathsf {rules}} \) is a rule, \({\rho }{.}{{\textsf {del} }} ={\rho }{.}{{\textsf {add} }} ={\textsf {id} } (\varvec{\varnothing }) \), \({\rho }{.}{{\textsf {ac} }} =\top \), and \({\rho }{.}{{\textsf {lC} }} ={\rho }{.}{{\textsf {rC} }} =\top \), then \(\rho \) is the identity rule, written \(\rho ={\textsf {id} } \).
In the following, we introduce transformation steps for symbolic graphs based on the notion of a rule from above (see Definition 18 for the formal definition and Fig. 11b, Fig. 11c for accompanying visualizations).
In our definition, we follow [74] and permit graph transformation steps only between graphs G and H that have both satisfiable ACs since graphs with unsatisfiable ACs do not represent any grounded graphs (cf. Definition 10). However, in comparison to the approaches in [29, 74], we decompose the graph transformation step into a transformation stage for the graph part and a transformation stage for the AC part. This decomposition of the graph transformation step into two stages is achieved by pruning the AC of the graph G leading to a restricted graph \(\bar{G}\).
In the first transformation stage, we apply the DPO step as usual on \(\bar{G}\), the given rule \(\rho \), and using the match that is obtained by restricting the match from G to \(\bar{G}\) via the AC inclusion morphism \({\textsf {acInc} } (G)\). The graph \(\bar{H}\) obtained by application of this DPO step is then extended to a graph H by adding an AC to \(\bar{H}\) as discussed subsequently. Note that the graphs \(\bar{G}\), D, and \(\bar{H}\) have the AC \(\top \) due to this construction and that the pushout complement D exists uniquely according to Lemma 10 from Appendix C since we require that only the morphism d but not \(b_1\) can map global variables to values. Also, as usual for DPO-based transformation, we check whether the match \(m_1\) and the comatch (obtained by extending the restricted comatch from \(\bar{H}\) to H via the AC inclusion morphism \({\textsf {acInc} } (H)\)) satisfy the left and the right application conditions \({\rho }{.}{{\textsf {lC} }} \) and \({\rho }{.}{{\textsf {rC} }} \), respectively.
- (1)
We construct the coproduct of \({G}{.}{{\textsf {X} }} \) and \({H}{.}{{\textsf {X} }} \) to obtain a variable namespace where variables from G and H are not identified. We then construct and by adding the identity map \({\textsf {id} } (\mathcal {V}) \) to \(\bar{k}_1\) and \(\bar{k}_2\).24
- (2)
The coproduct \({\amalg } ({\rho }{.}{{\textsf {lX} }},{\rho }{.}{{\textsf {rX} }}) \) (from the rule \(\rho \)) induces (via its universal property) the map when X is chosen as a comparison object with the two maps and .
- (3)
We construct an AC \(\gamma _{ eq }\) over the variable namespace set X ensuring that all variables that are not matched by \(c_1\) (given by the set \({D}{.}{{\textsf {X} }}-{d}{.}{{\textsf {X} }} ({K}{.}{{\textsf {X} }})\)) have an equal value in G and H. For this purpose, we rename the variables in that set using the two functions and given by \(\sigma _1=k_1\,\circ \,{{\textsf {acInc} } (G)}{.}{{\textsf {X} }}_{\mathcal {V}} \,\circ \, {b_1}{.}{{\textsf {X} }}_{\mathcal {V}} \) and \(\sigma _2=k_2\circ {{\textsf {acInc} } (H)}{.}{{\textsf {X} }}_{\mathcal {V}} \circ {b_2}{.}{{\textsf {X} }}_{\mathcal {V}} \).
- (4)
We move the ACs \({\rho }{.}{{\textsf {ac} }} \) and \({G}{.}{{\textsf {ac} }} \) to the variable namespace set X by applying \(\sigma _{ VX }\) and \(k_1\). We then construct the AC \(\gamma \) over X as the conjunction of the three ACs that we constructed for the variables in X.
- (5)
To obtain the AC for the graph H from \(\gamma \), we first hide the unprimed variables that originate from G using existential quantification. The resulting AC \(\exists k_1({G}{.}{{\textsf {X} }}).\;\gamma \) has free variables that are contained in X and that originate from H. We revert the (injective) function \(k_2\) to obtain the partial function \({\textsf {rev} } (k_2) \), which is defined on the free variables of \(\exists k_1({G}{.}{{\textsf {X} }}).\;\gamma \). We then obtain the AC \({\textsf {rev} } (k_2) (\exists k_1({G}{.}{{\textsf {X} }}).\;\gamma )\) as an AC over the variables of H. Note that when G and H share variables (i.e., \({G}{.}{{\textsf {X} }} \cap {H}{.}{{\textsf {X} }} \ne \varnothing \)), this last step may involve an implicit renaming (\(\alpha \)-conversion25) of bound variables. Finally, we allow for a simplification of the obtained AC up to equivalence to ensure that our step relation defines resulting graphs up to isomorphism as usual. Also, applying equivalence here allows for the simplification of the AC, which may result in an AC where the added existential quantification is then removed.
- (6)
To ensure that the resulting graph H describes a nonempty set of grounded graphs, we check whether the AC of H computed before is satisfiable. This requirement also guarantees that the part of \({\rho }{.}{{\textsf {ac} }}\) that is supposed to restrict rule applicability by referring to variables in G is properly checked.
Definition 18
- (1)
-
\({\textsf {sat} }_{\exists } ({G}{.}{{\textsf {ac} }}) \),
-
\(\rho \in \mathcal {S}^{\mathsf {rules}} \) is a rule,
-
,
\(m_1\models _{\mathsf {BGC}} {\rho }{.}{{\textsf {lC} }} \),
-
,
\({\textsf {acInc} } (G) \circ c_1=m_1\),
-
,
,
,
-
,
,
\((c_2,b_2)~\text {is a pushout of}~({\rho }{.}{{\textsf {add} }},d) \),
-
,
\({\textsf {acInc} } (H) \circ c_2=m_2\),
-
\(m_2\models _{\mathsf {BGC}} {\rho }{.}{{\textsf {rC} }} \),
-
- (2)
-
,
,
,
-
is obtained by using the universal property of the coproduct \({\amalg } ({\rho }{.}{{\textsf {lX} }},{\rho }{.}{{\textsf {rX} }}) \),
-
\(\gamma _{ eq }=\wedge \{\sigma _1(x)= \sigma _2(x) \mid x\in {D}{.}{{\textsf {X} }}-{d}{.}{{\textsf {X} }} ({K}{.}{{\textsf {X} }})\} \)
where \(\sigma _1=k_1\circ {{\textsf {acInc} } (G)}{.}{{\textsf {X} }}_{\mathcal {V}} \circ {b_1}{.}{{\textsf {X} }}_{\mathcal {V}} \)
\(\quad \,\hbox {and}\,\, \sigma _2=k_2\circ {{\textsf {acInc} } (H)}{.}{{\textsf {X} }}_{\mathcal {V}} \circ {b_2}{.}{{\textsf {X} }}_{\mathcal {V}} \),
-
\(\gamma = \wedge \{ \sigma _{ VX }({\rho }{.}{{\textsf {ac} }}), k_1({G}{.}{{\textsf {ac} }}), \gamma _{ eq } \} \) is an AC,
-
\({\textsf {sat} }_{\forall } ( {H}{.}{{\textsf {ac} }} \leftrightarrow {\textsf {rev} } (k_2) (\exists k_1({G}{.}{{\textsf {X} }}) .\; \gamma ) ) \), and
-
\({\textsf {sat} }_{\exists } ({H}{.}{{\textsf {ac} }}) \),
-
The definition of steps above covers the general case as visualized in Fig. 11b. Note that the resulting diagram is no DPO diagram since e.g. \({L}{.}{{\textsf {ac} }} ={D}{.}{{\textsf {ac} }} =\top \) would require that \({G}{.}{{\textsf {ac} }} =\top \) as well. In our tool-based implementation, we can simplify the construction of \({H}{.}{{\textsf {ac} }} \) because we (a) do not change the name of variables that are not matched by \(c_1\), (b) use fresh names for preserved variables, and (c) use fresh names for created variables. In this case, we can assume that \(\gamma _{ eq }=\top \) and that \(k_1\) and \({\textsf {rev} } (k_2) \) do not need to be applied. For an example of a simple transformation step, consider Fig. 10b and Fig. 10c for the graph part and the AC part.
5.2 (Timed) graph transformation sequences
Definition 19
-
\(0\in B\) and imply that \(G=G_0\).
-
.
-
\(\Pi ^{\mathsf {fin}}_{G_0} =\{\pi \in \Pi _{G_0} \mid {\textsf {length} }(\pi ) \ne \infty \}\) is the class of all finite graph sequences over \(G_0\).
-
If \(\pi \in \Pi ^{\mathsf {fin}}_{G_0} \) is a finite graph sequence over \(G_0\) and \({\textsf {length} }(\pi ) =0\), then \(\pi \) is empty, written \(\pi =\lambda \) (for the empty word \(\lambda \)).
-
If \(\pi \in \Pi ^{\mathsf {fin}}_{G_0} \) is a finite graph sequence over \(G_0\), \({\textsf {length} }(\pi ) =n\), H is a graph, \(k\le n\), (\(k=0\) implies \(G_0=H\)), and (\(k>0\) implies ), then \(\pi \) starts with \(G_0\) and ends with H after k steps, written \(\pi ^{\mathsf {G}}(k) =H\).
-
If \(\pi \in \Pi ^{\mathsf {fin}}_{G_0} \) is a finite graph sequence over \(G_0\), \({\textsf {length} }(\pi ) =n\), and \(\pi ^{\mathsf {G}}(n) =H\), then \(\pi \) starts with \(G_0\) and ends with H, written \(\pi \in \Pi ^{\mathsf {fin}}_{G_0,H} \).
-
If \(\pi \in \Pi ^{\mathsf {fin}}_{G_0,H} \) is a finite graph sequence starting with \(G_0\) and ending with H, \({\textsf {length} }(\pi ) =n\), and \(\pi '=\{(n-(k+1),(r,\ell ))\mid (k,(\ell ,r))\in \pi \}\in \Pi ^{\mathsf {fin}}_{H,G_0} \) is the finite graph sequence starting with H and ending with \(G_0\) obtained from \(\pi \), then \(\pi '\) is the reversal of \(\pi \), written \({\textsf {rev} }(\pi ) =\pi '\).
In the following, we introduce timed graph sequences (TGSs) where each step consumes a positive amount of time. To operate on a TGS, we obtain the total time that has passed up to some point in the TGS by retrieving the total time from graphs in the TGS. For this purpose, we assume that the total time is stored in the graphs of the TGS e.g. in variables that are restricted by the ACs of the graphs. The total time stored in such a variable must then be increased in each graph transformation step by including such an increase in each rule of the timed graph transformation system. Note that graphs cannot occur more than once in a TGS because time must strictly increase but, apart from the stored total time, graphs may very well coincide as usual.27 In the definition below, we abstract from a particular encoding for the total time and assume a partial function \( time \) that returns a strictly increasing sequence of total timepoints from (the set of all real numbers greater or equal to 0), which diverges for infinite TGSs when being applied to the graphs in a TGS.
Definition 20
-
\(\pi \in \Pi _{G_0} \) is a graph sequence over \(G_0\),
-
is a partial function,
-
\( time (G_0) =0\),
-
\(\forall k<{\textsf {length} }(\pi ).\; time (\pi ^{\mathsf {G}}(k)) \ne {\textsf {undef} } \),
-
\(\forall 0<k<{\textsf {length} }(\pi ). \; time (\pi ^{\mathsf {G}}(k-1)) < time (\pi ^{\mathsf {G}}(k)) \), and
-
if \({\textsf {length} }(\pi ) =\infty \), then ,
-
\(\Pi ^{\mathsf {fin}, time }_{G_0} =\Pi ^{\mathsf {fin}}_{G_0} \cap \Pi ^{ time }_{G_0} \) is the set of all finite TGSs that start in \(G_0\).
-
\(\Pi ^{\mathsf {fin}, time }_{G_0,H} =\Pi ^{\mathsf {fin}, time }_{G_0} \cap \Pi _{G_0,H} \) is the set of all finite TGSs that start in \(G_0\) and end in H.
-
If \(\pi \in \Pi ^{\mathsf {fin}, time }_{G_0,H} \) is a finite TGS that starts in \(G_0\) and ends in H and \( time (H) =t\), then t is the duration of \(\pi \), written \({\textsf {dur} }(\pi ) =t\).
-
If \(\pi \in \Pi ^{ time }_{G_0} \) is a TGS starting in \(G_0\), is a total timepoint, \({\textsf {length} }(\pi ) =n\), \(k=\min \{k<n\mid time (\pi ^{\mathsf {G}}(k)) \ge t\} \cup \{n-1\mid n\ne \infty \}\), and \(\pi ^{\mathsf {G}}(k) =H\), then \(\pi \) is in the graph H at the total timepoint t and index k w.r.t. the partial function \( time \), written \(\pi ^{\mathsf {T}}(t) =H\) or \(\pi ^{\mathsf {T}}(t) =k\).
-
If \(\pi \) and \(\pi '\) are TGSs from \(\Pi ^{ time }_{G_0} \), \(t_1\) and \(t_2\) are total timepoints from , \(t_1\le t_2\), \(\pi ^{\mathsf {T}}(t_1) =k_1\), \(\pi ^{\mathsf {T}}(t_2) =k_2\), and \(\pi '=\{(k,x)\mid (k+k_1,x)\in \pi ,k+k_1\le k_2\}\), then \(\pi '\) is the TGS contained in \(\pi \) between the total timepoints \(t_1\) and \(t_2\) w.r.t. the partial function \( time \), written \(\pi ^{\mathsf {T}}(\{t_1,t_2\}) =\pi '\).
Consider Fig. 15a where the partial function \( time \) can be defined to extract the value of the \(\text {time} \) attribute of the node S. Hence, the total time would be increased by 1, 100, 1, and 100 in the depicted spans.
5.3 (Timed) graph transformation systems
We now connect the notion of steps introduced in Definition 18 with the notion of (timed) graph sequences from above by means of (timed) graph transformation systems that generate (timed) graph sequences.
Graph transformation systems, which contain a finite set of finite rules R and a finite initial graph G, are introduced in the following definition.
Definition 21
(Graph Transformation Systems) If R is a finite set of finite rules from \(\mathcal {S}^{\mathsf {rules}} \) and \(G\in \mathbf {Graphs} \) is a finite graph, then \( S =(R,G)\) is a graph transformation system, written \( S \in \mathcal {S}^{\mathsf {gts}} \).
The graph sequences that can be derived from the initial graph of a graph transformation system are those graph sequences in which each span of morphisms can be justified by a step using one of the rules in R of the graph transformation system.
Definition 22
-
\( S =(R,G)\in \mathcal {S}^{\mathsf {gts}} \) is a graph transformation system,
-
\(\pi \in \Pi _{G} \) is a graph sequence over G, and
-
for every \(k<{\textsf {length} }(\pi ) \) there is some step label \(\varsigma \in \mathcal {S}^{\mathsf {steps}} \) s.t. is a step, is a span of morphisms, and \({\varsigma }{.}{{\textsf {rule} }} \in R\) is a rule,
Similarly to graph transformation systems, timed graph transformation systems contain a finite set of finite rules R and a finite initial graph G. As an additional component, timed graph transformation systems contain a partial function \( time \) for extracting the current global time from the derived graphs.
Definition 23
(Timed Graph Transformation Systems) If R is a finite set of finite rules from \(\mathcal {S}^{\mathsf {rules}} \), \(G\in \mathbf {Graphs} \) is a finite graph, and is a partial function, then \( S =(R,G, time )\) is a timed graph transformation system, written \( S \in \mathcal {S}^{\mathsf {tgts}}_{ time } \).
The timed graph sequences of timed graph transformation systems are constructed as for graph transformation systems above. Recall that the partial function \( time \) is only used for postprocessing of already derived TGSs.
Definition 24
(Semantics of Timed Graph Transformation Systems) If \( S =(R,G, time )\in \mathcal {S}^{\mathsf {tgts}}_{ time } \) is a timed graph transformation system \(\pi \in \mathcal {S}^{\mathsf {gts\cdot s}}_{(R,G)} \) is a graph sequence of the graph transformation system (R, G), and \(\pi \in \Pi ^{ time }_{G} \), then \(\pi \) is a TGS of S, written \(\pi \in \mathcal {S}^{\mathsf {tgts\cdot s}}_{S} \).
With these definitions in place, we now present an example of a timed graph transformation system that is used in Sect. 7 and Sect. 8 later on.
Example 2
(Running Example of a Timed Graph Transformation System for Task Execution and Scheduling) For this example of a timed graph transformation system, we use the type graph \( TG \) from Fig. 12a, the initial graph \(G_0\) from Fig. 12b, and the rules from Fig. 13 and Fig. 14. In this example, we slightly adapt our visual notation for rules. We use the same unprimed variable names (such as x) in the graphs L, K, and R when the AC of the rule requires that the variable remains unchanged (in the sense of \(x'= x \) for \(x'\in {R}{.}{{\textsf {X} }} \)), instead of distinguishing between unprimed and primed variables as stated in Notation 2. The partial function \( time \) is defined to extract the value of the local variable \(x_{ tp }\) connected to the unique time attribute of the unique system contained in each derived graph. The value of this local variable \(x_{ tp }\) is increased by each rule application. See Fig. 15a for an example of a TGS generated from this timed graph transformation system. In this TGS two tasks with the same id are executed sequentially leading to duplicate result nodes because the result node of the first task is not consumed before the second task is finished (see also Fig. 34 on page 47 where the presence of such a result node with the same id is excluded in the application condition).
6 Graph logic
We now extend the basic graph logic BGL from Sect. 4 with the novel operator \(\Delta \) (called delta) that relies on so-called restriction-extension patterns to obtain the graph logic GL. The notions of restriction-extension patterns and rules from Definition 16 are technically identical but the two morphisms \({\rho }{.}{{\textsf {del} }} \) and \({\rho }{.}{{\textsf {add} }} \) are referred to by \({\rho }{.}{{\textsf {res} }} \) and \({\rho }{.}{{\textsf {ext} }} \) instead.
Definition 25
-
L, K, and R are graphs,
-
,
-
are monomorphisms,
-
is a coproduct,
-
\({\rho }{.}{{\textsf {ac} }} \in \mathcal {S}^{{\textsf {AC} }} _{V} \) is an AC,
-
\({\rho }{.}{{\textsf {lC} }} \in \mathcal {S}^{\mathsf {BGC}} _{L} \),
-
\({\rho }{.}{{\textsf {rC} }} \in \mathcal {S}^{\mathsf {BGC}} _{R} \) are BGCs,28 and
-
\({L}{.}{{\textsf {ac} }} ={K}{.}{{\textsf {ac} }} ={R}{.}{{\textsf {ac} }} =\top \).
-
\({\rho }{.}{{\textsf {lG} }} =L\) is the left-hand side graph of the restriction-extension pattern \(\rho \).
-
\({\rho }{.}{{\textsf {rG} }} =R\) is the right-hand side graph of the restriction-extension pattern \(\rho \).
The delta operator of GL combines restriction and extension as in the restrict and exists operators of BGL. While the delta operator does not increase the expressiveness, as shown by encoding the delta operator later on using BGL operators only, it certainly increases the descriptive expressiveness of GL compared to BGL because properties can be stated using exponentially smaller conditions when using the delta operator. Note that the operator restrict has been added to BGL for the same reason of improving its applicability by allowing for more concise conditions. In particular, the delta operator permits to first restrict a current match and then to extend the restricted match in a way such that attribute values from before the restriction can be used to specify the extension. The similar coupling of removal and addition is also a major benefit of span-based DPO graph transformation, which allows to add graph elements and to specify the AC of the resulting graph on the basis of the context established by the removal of graph elements.
Definition 26
- \(\bullet \):
-
\(\bar{\phi }=\wedge S \) and \(S\mathrel {\subseteq _{\mathsf {fin}}} \mathcal {S}^{\mathsf {GC}} _{H} \).
- \(\bullet \):
-
\(\bar{\phi }=\lnot \phi \) and \(\phi \in \mathcal {S}^{\mathsf {GC}} _{H} \).
- \(\bullet \):
-
and \(\phi \in \mathcal {S}^{\mathsf {GC}} _{H'} \).
- \(\bullet \):
-
and \(\phi \in \mathcal {S}^{\mathsf {GC}} _{H'} \).
- \(\bullet \):
-
\(\bar{\phi }=\Delta ^{}(\rho ,\phi ) \),
- \(\bullet \):
-
\(\rho \in \mathcal {S}^{\mathsf {REP}} \) is a restriction-extension pattern,
- \(\bullet \):
-
\({\rho }{.}{{\textsf {lG} }} =H\),
- \(\bullet \):
-
\({\rho }{.}{{\textsf {rG} }} =H'\), and
- \(\bullet \):
-
\(\phi \in \mathcal {S}^{\mathsf {GC}} _{H'} \) is a GC over \(H'\).
-
true: \(\top =\wedge \varnothing \)
-
false: \(\bot =\lnot \top \)
-
disjunction: \(\vee S =\lnot (\wedge \{\lnot \phi \mid \phi \in S\}) \)
-
universal quantification: \(\forall (f,\phi ) =\lnot \exists (f,\lnot \phi ) \)
-
delta-forall: \(\Delta ^{\mathsf {A}}(\rho ,\phi ) =\lnot (\Delta ^{}(\rho ,\lnot \phi )) \)
-
delta-exists29: \(\Delta ^{\mathsf {E}}(\rho ,\phi ) =\Delta ^{}(\rho ,\phi ) \)
See Fig. 16a for an example of a GC where we employ the following notation for restriction-extension patterns occurring in GCs.
Notation 3
(Restriction–Extension Patterns in GCs) We adapt our notation for BGCs from Notation 1 as follows. For the delta operator, we depict a GC \(\bar{\phi }=\Delta ^{}(\rho ,\phi ) \) in three compartments separated by vertical lines assuming that \({\rho }{.}{{\textsf {res} }} \) and \({\rho }{.}{{\textsf {ext} }} \) are inclusion morphisms. We depict the morphism \({\rho }{.}{{\textsf {res} }} \), by employing the notation for monomorphisms used in a restrict operator, in the first compartment. We depict the morphism \({\rho }{.}{{\textsf {ext} }} \), by employing the notation for monomorphisms used in an exists operator, in the second compartment. Lastly, we depict \({\rho }{.}{{\textsf {ac} }}\) in the third compartment. If \({\rho }{.}{{\textsf {res} }} \) or \({\rho }{.}{{\textsf {ext} }} \) is an identity morphism, we denote this by \({\textsf {id} } \). If \({\rho }{.}{{\textsf {res} }} \) is an initial morphism from the empty graph, we denote this by \(\varvec{\varnothing } \). If \({\rho }{.}{{\textsf {res} }} \) or \({\rho }{.}{{\textsf {ext} }} \) is not an inclusion morphism or one of the application conditions \({\rho }{.}{{\textsf {lC} }}\) or \({\rho }{.}{{\textsf {rC} }}\) is not \(\top \), we use our more general notation for rules from Notation 2.
The definition of the satisfaction relation of GL follows the definition of the satisfaction relation of BGL when the GC uses the conjunction, negation, exists, or restrict operators. For the additional operator delta, we proceed as for restrict and exists to obtain for a given match a resulting match . We then check in addition whether the AC \({\rho }{.}{{\textsf {ac} }}\) is satisfied by the host graph once it is translated using m and \(m'\) to the namespace given by the variables of the graph. See Fig. 16c where we give an example for checking GC satisfaction.
Definition 27
- \(\bullet \):
-
\(\bar{\phi }=\wedge S \) and \(\forall \phi \in S.\;m\models _{\mathsf {GC}} \phi \).
- \(\bullet \):
-
\(\bar{\phi }=\lnot \phi \) and \(m\not \models _{\mathsf {GC}} \phi \).
- \(\bullet \):
-
and there is s.t. \(m=m'\circ f\) and \(m'\models _{\mathsf {GC}} \phi \).
- \(\bullet \):
-
and \(m\circ f\models _{\mathsf {GC}} \phi \).
- \(\bullet \):
-
\(\bar{\phi }=\Delta ^{}(\rho ,\phi ) \) and there is some s.t.
- \(\bullet \):
-
\(m\circ {\rho }{.}{{\textsf {res} }} =m'\circ {\rho }{.}{{\textsf {ext} }} \),
- \(\bullet \):
-
\(m\models _{\mathsf {BGC}} {\rho }{.}{{\textsf {lC} }} \),
- \(\bullet \):
-
\(m'\models _{\mathsf {BGC}} {\rho }{.}{{\textsf {rC} }} \),
- \(\bullet \):
-
maps to the set V of variables over which \({\rho }{.}{{\textsf {ac} }} \) is defined,
- \(\bullet \):
-
is the unique mapping induced by the universal property of the coproduct of the restriction-extension pattern where we use the two maps \({m}{.}{{\textsf {X} }} \) and \({m'}{.}{{\textsf {X} }} \) leading to the set \({G}{.}{{\textsf {X} }} \cup \mathcal {V} \) for comparison,
- \(\bullet \):
-
\({\textsf {sat} }_{\forall } ({G}{.}{{\textsf {ac} }} \rightarrow \sigma _{ VG }({\rho }{.}{{\textsf {ac} }})) \), and
- \(\bullet \):
-
\(m'\models _{\mathsf {GC}} \phi \).
Also, if \(\bar{\phi }\in \mathcal {S}^{\mathsf {GC}} _{\varvec{\varnothing }} \) and \({\textsf {i} } (G) \models _{\mathsf {GC}} \bar{\phi } \), then \(G\models _{\mathsf {GC}} \bar{\phi } \).
Note that the graph H in Definition 26 above must have the AC \(\top \) for the delta operator according to the definition of restriction-extension patterns above. Hence, the delta operator must be combined with the other operators exists and restrict with care. That is, can only be a valid GC when \({\rho }{.}{{\textsf {res} }} \) has the codomain H and \({H}{.}{{\textsf {ac} }} =\top \).
We now introduce an encoding operation \({\textsf {enc} }_{\Delta }\) for the translation of GCs into equivalent BGCs to show that BGL is as expressive as GL (the reverse direction holds trivially because all BGCs are GCs and the satisfaction relations of BGL and GL agree on the BGL operators). Note that this encoding operation results, as for the encoding of the restrict operator in Definition 15, in an exponential blowup of the size of the condition at hand due to the usage of the operation \({\textsf {overlap} }\) from Definition 11.
The encoding of the delta operator is similar to the equivalence of span-based and cospan-based DPO transformations as follows. In the cospan-based DPO approach [30], rules are given by cospans instead of spans as in the more common span-based DPO approach in [29]. Both approaches are equivalent [30] because equivalent span rules and cospan rules are constructed from each other using the pullback and pushout of the cospan rules and span rules, respectively. Intuitively, cospan rules describe the addition of graph elements using \(\ell \) and then the removal of graph elements using r, which is the reverse interpretation compared to span rules. That is, the order of addition and removal of graph elements is swapped between the two approaches. See Fig. 17 for an example of the pushout/pullback-based conversion between span rules and cospan rules that are equivalent w.r.t. DPO transformation.
Similarly, when applying our operation \({\textsf {enc} }_{\Delta }\) defined below to a GC \(\bar{\phi }=\Delta ^{}(\rho ,\phi ) \), we want to exchange the restriction \({\rho }{.}{{\textsf {res} }} \) and the extension \({\rho }{.}{{\textsf {ext} }} \) to be able to use first the operator exists and then the operator restrict afterwards. The described exchange is needed because when the restrict operator is used first, we lose information about values of variables that are dropped from the match. This information would then be missing when extending the match afterwards using the exists operator. For the GC \(\bar{\phi }=\Delta ^{}(\rho ,\phi ) \), we have the span \(({\rho }{.}{{\textsf {res} }},{\rho }{.}{{\textsf {ext} }})\) given but construct all overlappings \(K'\) (see Fig. 18) instead of only computing the pushout of \(({\rho }{.}{{\textsf {res} }},{\rho }{.}{{\textsf {ext} }})\), which is one of these overlappings. All constructed overlappings are needed because the GC satisfaction relation permits that graph elements that were removed from the match according to \({\rho }{.}{{\textsf {res} }}\) are rematched for \({\rho }{.}{{\textsf {ext} }}\) afterward. In comparison, deleted and then created graph elements are assumed to be different by default in DPO graph transformation. See Fig. 17 for an example where all overlappings are created for a span rule. An example for \({\textsf {enc} }_{\Delta }\) for the case without ACs is given in Fig. 19.
Definition 28
- \(\bullet \):
-
\(\bar{\phi }=\wedge S \) and \(\bar{\phi }'=\wedge \{{\textsf {enc} }_{\Delta } (\phi ) \mid \phi \in S\} \).
- \(\bullet \):
-
\(\bar{\phi }=\lnot \phi \) and \(\bar{\phi }'=\lnot {\textsf {enc} }_{\Delta } (\phi ) \).
- \(\bullet \):
-
and \(\bar{\phi }'=\exists (f,{\textsf {enc} }_{\Delta } (\phi )) \).
- \(\bullet \):
-
and \(\bar{\phi }'=\nu (f,{\textsf {enc} }_{\Delta } (\phi )) \).
- \(\bullet \):
-
\(\bar{\phi }=\Delta ^{}(\rho ,\phi ) \),
the set S used below contains all cospans of the form that satisfy the following items:- \(\bullet \):
-
for the graph part:
- \(\bullet \):
-
,
- \(\bullet \):
-
are monomorphisms,
- \(\bullet \):
-
is an overlapping,
- \(\bullet \):
-
for the AC part:
- \(\bullet \):
-
,
- \(\bullet \):
-
are maps identifying the variables in the coproduct V,
- \(\bullet \):
-
is the unique mapping induced by the universal property of the coproduct of the restriction-extension pattern where \((\ell ',r')\) are used for comparison,
- \(\bullet \):
-
is an AC inclusion morphism, and
- \(\bullet \):
-
\({K''}{.}{{\textsf {ac} }} =\sigma ({\rho }{.}{{\textsf {ac} }})\) and
for the application conditions \({\rho }{.}{{\textsf {lC} }} \) and \({\rho }{.}{{\textsf {rC} }} \).30
We now state that the translation of GCs into BGCs is sound w.r.t. the corresponding satisfaction relations.
Theorem 4
(Soundness of \({\textsf {enc} }_{\Delta }\)) If \(\phi \in \mathcal {S}^{\mathsf {GC}} _{H} \) is a GC and is a partially injective morphism, then \(m\models _{\mathsf {GC}} \phi \) iff \(m\models _{\mathsf {BGC}} {\textsf {enc} }_{\Delta } (\phi ) \).
See page 70 for the proof of this theorem.
The encoding operation \({\textsf {enc} }_{\Delta }\) is also sound for graphs as a direct consequence of Theorem 4.
Corollary 2
(Soundness of \({\textsf {enc} }_{\Delta }\) for Graphs) If \(\phi \in \mathcal {S}^{\mathsf {GC}} _{\varvec{\varnothing }} \) is a GC and \(G\in \mathbf {Graphs} \) is a graph, then \(G\models _{\mathsf {GC}} \phi \) iff \(G\models _{\mathsf {BGC}} {\textsf {enc} }_{\Delta } (\phi ) \).
See page 72 for the proof of this corollary.
We conclude from this corollary that the operation \({\textsf {enc} }_{\Delta }\) can be used to translate the GC satisfaction problem into a BGC satisfaction problem. The operation \({\textsf {enc} }_{\Delta }\) is supported by our prototypical implementation in AutoGraph. Recall that satisfaction checking for the resulting BGC is also supported as well in AutoGraph by means of the encoding operation \({\textsf {enc} }_{\nu }\) (see Sect. 4) and \({\textsf {check} }_{\textsf {BGC} }\) (see “Appendix B”).
7 Metric temporal graph logic
We extend the graph logic GL for specifying graphs from before to the metric temporal graph logic MTGL for specifying TGSs. The integration of graph pattern matching from GL using the delta operator and the additional metric temporal operators allows for the formalization of more advanced metric temporal properties compared to [38, 81].
As a main concept, we first introduce an operation for propagating a given match (also called binding) of a graph into a given TGS at one timepoint to a graph in that sequence at another timepoint. This propagation is limited by evolution patterns used in conditions of MTGL for specifying modifications carried out in subsequences of the TGS at hand. Such a propagation of a match entails its partial preservation, its extension, and its restriction over several timed spans where values matched at the start and end of such a subsequence can be compared. We discuss this propagation operation in Subsect. 7.1. Afterwards in Subsect. 7.2, we introduce the syntax and semantics of MTGL relying on this operation for match propagation.
7.1 Propagation of matches over timed graph sequences
To introduce the propagation of matches over TGSs, we first introduce the operation admissible-comatches. This operation takes a graph transformation span ,31 a match , and a (so-called) evolution pattern \(\theta \) with left- and right-hand side graphs L and R as inputs and then checks whether the changes given by the graph transformation span \((\ell ,r)\) are permitted by the evolution pattern \(\theta \) and returns a set of corresponding matches . In particular, the operation \({\textsf {admissible-comatches}}\) restricts the given match \(m_1\) according to the evolution pattern \(\theta \) (similarly to the BGC operator restrict), checks whether at least the deletions specified in the evolution pattern \(\theta \) are performed, checks whether at least the additions specified in the evolution pattern \(\theta \) are performed, and determines an extended match \(m_2\) according to the evolution pattern \(\theta \) (similarly to the BGC operator exists). That is, an evolution pattern describes that certain elements of the given match are not relevant, describes that certain elements must have been deleted and added, and that certain elements must be matchable.
This idea is similar to the concept of covariance and contravariance in programming languages. For example, an abstract function (e.g. contained in a Java interface) can be implemented by a concrete function (e.g. in a class implementing the interface) when \(f'\) permits at least the elements of A (i.e., \(A\subseteq A'\)) and when \(f'\) returns at most the elements of B (i.e., \(B'\subseteq B\)). In comparison, we require, informally speaking, that the actual deletions of the graph transformation span \((\ell ,r)\) are contained in the deletions specified in the evolution pattern \(\theta \) and that the additions specified in the evolution pattern \(\theta \) are contained in the actual additions of the graph transformation span \((\ell ,r)\).
Moreover, double pullback (DPB) graph transformation steps [46–49] permit deletions and additions beyond the deletions and additions carried out for a rule when applying a DPO graph transformation step. We compare our formalization and DPB-based graph transformation after Definition 30.
Definition 29
-
\(L_1\), \(L_2\), K, \(R_2\), and \(R_1\) are graphs,
-
,
-
,
-
,
-
are monomorphisms,
-
is a coproduct,
-
\({\theta }{.}{{\textsf {ac} }} \in \mathcal {S}^{{\textsf {AC} }} _{V} \) is an AC,
-
\({\theta }{.}{{\textsf {lC} }} \in \mathcal {S}^{\mathsf {BGC}} _{L_1} \),
-
\({\theta }{.}{{\textsf {rC} }} \in \mathcal {S}^{\mathsf {BGC}} _{R_1} \) are BGCs,32 and
-
\({L_1}{.}{{\textsf {ac} }} ={L_2}{.}{{\textsf {ac} }} ={K}{.}{{\textsf {ac} }} ={R_2}{.}{{\textsf {ac} }} ={R_1}{.}{{\textsf {ac} }} =\top \).
-
\({\theta }{.}{{\textsf {lG} }} =L_1\) is the left-hand side graph of \(\theta \).
-
\({\theta }{.}{{\textsf {rG} }} =R_1\) is the right-hand side graph of \(\theta \).
For concrete examples of evolution patterns, we employ the following notation as used in the top row of Fig. 21.
Notation 4
(Evolution Patterns) We adapt the notation for rules from Notation 2 to a notation for evolution patterns as follows. We depict the morphisms , , , and of the evolution pattern. We do not provide \({\theta }{.}{{\textsf {lX} }} \) and \({\theta }{.}{{\textsf {rX} }} \) because we visualize only evolution patterns where \(L_1\) and \(R_1\) have disjoint sets of variables already. For simplicity, we use unprimed variable names in \(L_1\), \(L_2\), and K and primed variables in \(R_2\) and \(R_1\). The AC \({\theta }{.}{{\textsf {ac} }} \) is depicted below the four morphisms. If not explicitly given, both application conditions \({\theta }{.}{{\textsf {lC} }} \) and \({\theta }{.}{{\textsf {rC} }} \) are \(\top \).
We now introduce the operation admissible-comatches, which obtains the resulting set of comatches by constructing a diagram for each of them. Each of these diagrams is an adaptation of the diagram required for graph transformation steps from Definition 18. For this purpose, we assume a given graph transformation span , a given evolution pattern \(\theta \), and a given match . See Fig. 21 for an example where only the presented diagram is constructed resulting in a single comatch \(m_2\).
In the first stage (focusing on the graph part; see Fig. 22 for a visualization), we construct a diagram with four squares that are related to the four components \({\theta }{.}{{\textsf {res} }} \), \({\theta }{.}{{\textsf {del} }} \), \({\theta }{.}{{\textsf {add} }} \), and \({\theta }{.}{{\textsf {ext} }} \) of the evolution pattern \(\theta \). The first square describes the match restriction based on \({\theta }{.}{{\textsf {res} }} \). The second and third squares describe the checks whether at least the deletions and additions specified by \({\theta }{.}{{\textsf {del} }} \) and \({\theta }{.}{{\textsf {add} }} \) have been performed in the given graph transformation span. The fourth square describes the extension to a match according to \({\theta }{.}{{\textsf {ext} }} \). The permission to delete and add elements beyond what is specified in \({\theta }{.}{{\textsf {del} }} \) and \({\theta }{.}{{\textsf {add} }} \) is implemented in the second and third square by checking whether the minimal changes (computed using pushout complement and pushout) can be embedded into the given graph transformation span (cf. the triangles \(a_1\circ d_2=b_1\) and \(e_2\circ a_2=b_2\) in Fig. 22).
In the second stage (focusing on attributes; see Fig. 23 for a visualization), we check whether the attribute values have changed from G to H in a way compatible with the AC \({\theta }{.}{{\textsf {ac} }} \) of the given evolution pattern \(\theta \). To this end, we construct for the diagram that was constructed in the first stage a common variable namespace for G and H as for the notion of steps and then check whether \({\theta }{.}{{\textsf {ac} }} \) is implied by the ACs of G and H.
- (1)
As for steps, the graph G is restricted to obtain \(\bar{G}\) using the AC inclusion morphism \({\textsf {acInc} } (G) \).
- (2)
The match is obtained as the restriction of the match w.r.t. and \({\textsf {acInc} } (G) \).
- (3)
The pushout complement of and \(c_1\) is constructed leading to the graph A and morphisms and .
- (4)
To check that deletes at least the elements that have to be deleted according to \({\theta }{.}{{\textsf {del} }} \), we check whether D is contained in A using a monomorphism that must be compatible with \(a_1\) and \(b_1\).
- (5)
The morphism \(d_1\) constructed before is restricted to a morphism w.r.t. the restriction \(d_2\).
- (6)
The pushout of the two morphisms and d is constructed leading to the graph B and morphisms and .
- (7)
To check that adds at least the elements that have to be added according to \({\theta }{.}{{\textsf {add} }} \), we check whether B is contained in \(\bar{H}\) using a monomorphism that must be compatible with \(a_2\) and \(b_2\).
- (8)
The restricted comatch is then obtained by composition of \(e_1\) and \(e_2\).
- (9)
As for steps, the graph \(\bar{H}\) is the restriction of the graph H obtained using the AC inclusion morphism \({\textsf {acInc} } (H) \).
- (10)
Finally, is a resulting comatch that is a suitable extension of the restricted comatch \(c_2\) w.r.t. and \({\textsf {acInc} } (H) \).
We now formalize these explanations to construct admissible comatches \(m_2\) in the following definition. See Fig. 22 and Fig. 23 for accompanying visualizations.
Definition 30
- (1)
-
\(\theta \in \mathcal {S}^{\mathsf {EP}} \) is an evolution pattern,
-
,
\(m_1\models _{\mathsf {BGC}} {\theta }{.}{{\textsf {lC} }} \),
-
,
\({\textsf {acInc} } (G) \circ c_1=m_1\circ {\theta }{.}{{\textsf {res} }} \),(items (1)+(2))
-
,
,
\((c_1,a_1)\) is a pushout of \(({\theta }{.}{{\textsf {del} }},d_1)\),(item (3))
-
,
\(a_1\circ d_2=b_1\),(item (4))
-
,
\(d_2\circ d=d_1\),(item (5))
-
,
,
\((e_1,a_2)\) is a pushout of \(({\theta }{.}{{\textsf {add} }},d)\),(item (6))
-
,
\(e_2\circ a_2=b_2\),(item (7))
-
,
\(e_2\circ e_1=c_2\),(item (8))
-
,
\({\textsf {acInc} } (H) \circ c_2=m_2\circ {\theta }{.}{{\textsf {ext} }} \),(items (9)+(10))
-
\(m_2\models _{\mathsf {BGC}} {\theta }{.}{{\textsf {rC} }} \),
-
- (2)
-
,
,
,
-
is obtained by using the universal property of the coproduct \({\amalg } ({\theta }{.}{{\textsf {lX} }},{\theta }{.}{{\textsf {rX} }}) \),
-
\(\gamma = k_1({G}{.}{{\textsf {ac} }})\wedge k_2({H}{.}{{\textsf {ac} }}) \rightarrow \sigma _{ VX }({\theta }{.}{{\textsf {ac} }}) \) is an AC, and
-
\({\textsf {sat} }_{\forall } (\gamma ) \),
-
Note that, using the DPB approach mentioned above, we could alternatively construct such that \(({\theta }{.}{{\textsf {del} }},d)\) is a pullback of \((c_1,b_1)\) and by constructing such that \(({\theta }{.}{{\textsf {add} }},d)\) is a pullback of \((c_2,b_2)\). A similar correspondence between DPO and DPB graph transformation has been presented e.g. in [48] where additional deletions are applied before the pushout complement is constructed. However, we believe that the definition above (albeit being more verbose) explains the construction of d and \(c_2\) more clearly by relying on the standard constructions for pushout complements and pushouts (the alternative DPB-based formalization requires the construction of pullback complements and pullbacks for the special case when three of the four morphisms are given already) and by presenting the additional deletions and additions using the two triangles explicitly.
We use this definition of admissible cospans below to propagate a match over the spans of a finite graph sequence for a given evolution pattern and a match of the left-hand side graph of the evolution pattern into the first graph of the given sequence. For this purpose, we now define the derived span of a graph sequence using the iterated pullback construction (cf. [31, Definition 4.1, p. 44]). This construction allows to contract a given finite graph sequence into a graph sequence of length one by forgetting about all interior steps of the sequence but preserving the relationship between elements of the first and the last graph of that sequence.33 See Fig. 24 and Fig. 25a for a general visualization and an exemplary computation of a derived span.
Definition 31
-
\({\textsf {length} }(\pi ) =0\) and \((\ell ,r)=({\textsf {id} } (G_0),{\textsf {id} } (G_0))\).
-
\({\textsf {length} }(\pi ) =1\) and \((\ell ,r)=\pi (0)\).
-
\({\textsf {length} }(\pi ) =2\), \(\pi (0)=(\ell _0,r_0)\), \(\pi (1)=(\ell _1,r_1)\), \((r_0',\ell _1')~\text {is a pullback of}~(r_0,\ell _1) \), and \((\ell ,r)=(\ell _0\circ r_0',r_1\circ \ell _1')\).
-
\({\textsf {length} }(\pi ) >2\) and \((\ell ,r)= {\textsf {derivedSpan} }(\{(0,{\textsf {derivedSpan} }(\{(0,\pi (0)),(1,\pi (1))\})), (1,{\textsf {derivedSpan} }(\{(n,x)\mid (n+2,x)\in \pi \}))\})\).
We now define the propagation of a match over a finite graph sequence for a given evolution pattern by obtaining the admissible comatches for the derived span computed for the given graph sequence. See Fig. 25b for an example of a match propagation over the derived span from Fig. 25a.
Definition 32
-
\(\pi \in \Pi ^{\mathsf {fin}}_{G_0,H} \) is a finite graph sequence that starts in \(G_0\) and that ends in H,
-
\({\textsf {derivedSpan} }(\pi ) =(\ell ,r)\) is the derived span of \(\pi \),
-
\(\theta \in \mathcal {S}^{\mathsf {EP}} \) is an evolution pattern,
-
is a match of the left-hand side graph of the evolution pattern \(\theta \) into the starting graph \(G_0\) of \(\pi \),
-
is a match of the right-hand side graph of the evolution pattern \(\theta \) into the ending graph H of \(\pi \), and
-
\(m_2\in {\textsf {admissible-comatches}}{((\ell ,r)},{m_1},{\theta })\),
Note that the definition of a propagated match can be used also in the reverse direction by reversing the rule and the graph sequence beforehand.
We now extend the propagation of matches to the case where a match is to be propagated over a subsequence of a TGS identified by two total timepoints. That is, given a TGS \(\pi \) that contains the TGS \(\pi '\) between two provided timepoints \(t_1\) and \(t_2\) where \(\pi '\) starts with graph G and ends with graph H, we want to propagate a match of L into G over the timed spans of \(\pi '\) into a match of a graph R into H. Reusing the match propagation defined above based on evolution patterns, this propagation may result in an empty set of matches when matched elements are deleted by the timed spans between \(t_1\) and \(t_2\). This time-based propagation operation is crucial for MTGL where we want to check e.g. whether a matched element also existed earlier (for the case when \(t_2<t_1\)) or exists later (for the case of \(t_2>t_1\)) in the given TGS \(\pi \). For the semantics of MTGL later on, we not only check for the existence of a suitable propagated match but also obtain the resulting matches of R into the graph in \(\pi \) at timepoint \(t_2\) to evaluate further conditions based on these resulting matches.
Definition 33
-
\(\pi \) and \(\pi '\) are TGSs from \(\Pi ^{ time }_{G_0} \),
-
\(\theta \in \mathcal {S}^{\mathsf {EP}} \) is an evolution pattern,
-
\({\theta }{.}{{\textsf {lG} }} =L\),
-
\({\theta }{.}{{\textsf {rG} }} =R\),
-
\(t_1\) and \(t_2\) are total timepoints from ,
-
if \(t_1\le t_2\), then \(\pi '=\pi ^{\mathsf {T}}(\{t_1,t_2\}) \),
-
if \(t_1>t_2\), then \(\pi '={\textsf {rev} }(\pi ^{\mathsf {T}}(\{t_1, t_2\})) \),
-
,
-
are monomorphisms, and
-
\(m_2\in {\textsf {PM} } (\pi ',m_1,\theta ) \) is a propagated match,
Consider again Fig. 25a where the partial function \( time \) extracts the current time from the \(\text {id} \) attribute of node a. Then, Fig. 25b provides an example of a time-based propagation of the match \(m_1\) to the match \(m_2\) from the timepoint \(t_1=0\) (for the graph \(G_0\)) to the timepoint \(t_2=4\) (for the graph \(G_2\)).
7.2 Syntax and semantics of MTGL
We introduce the metric temporal graph logic (MTGL) with its syntax and semantics after a brief introduction of design choices.
Propositional temporal logics such as the linear temporal logic (LTL) can be defined on the foundation of labeled transition systems (S, R, L) containing a set of states S, a binary step relation \(R\subseteq S\times S\), and a labeling function assigning a set of atomic propositions to each state. The conditions of such temporal logics then express properties that are to be satisfied by a given path of that labeled transition system. In particular, LTL allows to express (a) state properties based on elements of \( AP \) and propositional operators such as negation and conjunction as well as temporal operators to express (b) sequence properties based on the next operator stating that an LTL condition is satisfied in the next state and the until operator stating that an LTL property \(\phi _2\) is satisfied at some later state in the given path and that all states visited in between satisfy another LTL property \(\phi _1\). Further operators such as eventually and globally can be derived from the given operators.
Other temporal logics feature (a) operators that refer to earlier states using the operators previous and since (corresponding to the next and until operators), (b) metric temporal operators such as the metric-until operator that are then equipped with an interval describing the relative time at which the condition \(\phi _2\) has to be satisfied in the future,34 and (c) combinations of (a) and (b) such as in the metric temporal logic (MTL) [60].
The use of atomic propositions in propositional temporal logics limits their expressiveness on the one hand but allows in some cases for the development of model checking approaches on the other hand [8]. In contrast, nonpropositional temporal logics do not make use of atomic propositions and may be defined on the more general Kripke frames where the labeling function of labeled transition systems is omitted. The goal of these logics is to express properties that cannot be expressed in propositional (metric) (temporal) logics. Such additional properties then refer to the content of states, which are given in our context by graphs in a TGS. For example, a particular element of such a graph may be tracked across multiple states. Other examples of nonpropositional (metric) temporal logics have been discussed e.g. in [9] (\(\mu \mathcal {G}2\): a combination of the \(\mu \)-calculus and second-order graph logic for labeled graphs) and [13] (metric temporal first-order logic (MFOTL): a combination of first-order logic using relations to store information and MTL).
We now introduce MTGL as a nonpropositional metric temporal logic where graphs are handled as first-class citizens meaning that conditions of MTGL directly contain graphs and graph morphisms as in BGL and GL instead of using encodings as in \(\mu \mathcal {G}2\) and MFOTL.
MTGL supports the two metric temporal operators \({\textsf {U} } \) (called until) and \({\textsf {S} } \) (called since) mentioned above. These two operators are, however, derived operators in our logic because we cover both of them using the operator (called delta-lock). That is, delta-lock can be parameterized to behave like until or since. The nonpropositional character of MTGL is given by the use of matches of graphs from conditions of MTGL into the graphs of the TGS at hand. These matches are then propagated (as introduced in the previous subsection) over spans of the TGS allowing to express (using evolution patterns) conditions on how matched parts change over time. In particular, matches into graphs of the TGS are propagated forwards/backwards in the TGS for the until /since operator.
Moreover, MTGL supports the operator \(\boxdot \) (called delta-release), which is used in combination with delta-lock. For example, the special case of the until operator requires a propagation of a match m into a graph G of the TGS forwards resulting in a match \(m'\) but this forwards propagation alone only transfers information forwards. With delta-release, we allow to express statements that result in an additional backward propagation of \(m'\) into a match \(m''\) into the original graph G. The additional propagation of match \(m'\) allows to express statements at graph G based on graph elements and attributes matched by \(m'\).
Compared to [38, 81], we now additionally support conditions referring to the past but also handle the central capabilities of MTGL (binding of graph elements and comparison of attribute values) at a more fundamental level using evolution patterns and the delta-release operator, which leads to an increased expressiveness.
In MTGL, we specify sets of timepoints using ACs in the form of duration specifications, which have a single free variable \(\tau \in \mathcal {X} \) of sort \(\mathsf {real} \). The semantics of a duration specification \(\gamma \) is given by the set of all reals that satisfy \(\gamma \). For example, the interval \(I=[2,4)\) can be represented using \(\gamma =(2\le \tau )\wedge (\tau < 4) \) for which \({\textsf {sem} }(\gamma ) =I\). Moreover, for shifting of a duration specification, we formalize the statement \(\bar{x}\in {\textsf {sem} }(\gamma ) +\bar{y}\) where \(\bar{x}\) and \(\bar{y}\) are reals from \(\mathbf {R} \) using ACs. For this purpose, we represent \(\bar{x}\) and \(\bar{y}\) by variables x and y of sort \(\mathsf {real} \) and define an AC on these two variables. The resulting AC \(\gamma '\) then restricts x and y analogously to the statement \(\bar{x}\in {\textsf {sem} }(\gamma ) +\bar{y}\) above. For example, \(\bar{x}\in [2,4)+\bar{y}\) is represented using the AC \(\gamma =\exists \tau .\;x=\tau + y \wedge (2\le \tau )\wedge (\tau < 4) \).
Definition 34
(Duration Specification) If \(\tau \in \mathcal {X} \) is a variable, \({\textsf {sort} }_{} (\tau ) =\mathsf {real} \), and \(\gamma \in \mathcal {S}^{{\textsf {AC} }} _{\{\tau \}} \) is an AC that has only \(\tau \) as a free variable, then \(\gamma \) is a duration specification, written \(\gamma \in \mathcal {S}^{{\textsf {AC} }} _{{\textsf {DS} }(\tau )} \) or \(\gamma \in \mathcal {S}^{{\textsf {AC} }} _{{\textsf {DS} }} \).
-
induced semantics:
\({\textsf {sem} }(\gamma ) =\{x\in \mathbf {R} \mid \{\tau \mapsto x\}\models _{\mathsf {AC}} \gamma \}\) where \(\{\tau \mapsto x\}\) denotes the variable valuation that maps \(\tau \) to x.
-
shifting of a duration specification:
If x and y are variables from \(\mathcal {X} \),
then \({\textsf {shift} }_{\textsf {DS} } (\gamma ,x,y) =( \exists \tau .\;x=\tau + y \wedge \gamma )\in \mathcal {S}^{{\textsf {AC} }} _{\{x,y\}} \).
Note that many other metric temporal logics already impose the restriction that sets of timepoints must be specified by means of certain kinds of intervals. These logics thereby describe already on the syntax-level restrictions under which model checking of their conditions is decidable (see [19] for a survey on the expressiveness and algorithmic results for several metric temporal logics).
A limitation of the \(delta{\text {-}}{}lock \) operator is that the satisfaction checks required for this operator (i.e., the check of \((\theta _1,\psi _1)\) for all timepoints between t and \(t+\delta \) and the check of \((\theta _2,\psi _2)\) at timepoint \(t+\delta \)) are executed in isolation from each other. This means that desired commonalities between these satisfaction checks in terms of matched graph elements and values of matched attributes require additional techniques.
Example 3
-
Property: At the current timepoint, there is a node \(c{\text {:C}}\) that will be connected to a node of type :A with an id attribute of 1 within at most 120 time units and until then, there is always a node of type :B with an id attribute of 1 connected to the node c.
Secondly, we demonstrate in the following example a problem for sharing certain bindings among satisfaction checks at different timepoints. This problem is resolved subsequently using the additional MTGL operator delta-release. In the example, graph elements and values of attributes that are additionally matched at timepoint \(t+\delta \) by \((\theta _2,\psi _2)\) are not available when checking \((\theta _1,\psi _1)\) at the timepoints between t and \(t+\delta \).
Example 4
-
Property: There is a node \(c{\text {:C}}\) that is connected to a node \(a{\text {:A}}\) with an id attribute within at most 120 time units and until then, there is always a node \(b{\text {:B}}\) with an id attribute equal to the id attribute of the node a and the node b is connected to the node c.
To specify properties as in the latter example, we employ the \(delta{\text {-}}{}release \) operator \(\boxdot (\theta ,\psi ) \), which has no counterpart in logics such as MTL without binding capabilities. The operator \(delta{\text {-}}{}release \) is used to specify, similarly to the left-hand side argument \((\theta _1,\psi _1)\) of the \(delta{\text {-}}{}lock \) operator, a property \((\theta ,\psi )\) that has to be satisfied in the obtained interval between t and \(t+\delta \). While the left-hand side argument \((\theta _1,\psi _1)\) of the \(delta{\text {-}}{}lock \) operator is checked for the TGS in the interval from the current time point t to the timepoint \(t+\delta \), the argument of the \(delta{\text {-}}{}release \) operator is checked in the reverse direction starting with a context graph established at the timepoint \(t+\delta \).
Derived operators for MTGL
Name | Abbreviation | Expansion |
---|---|---|
restrict |
|
|
deletion |
|
|
exists-addition |
|
|
forall-addition |
| \(\lnot \oplus ^{ \kappa }_{ \gamma }( f , \bar{\gamma }, \lnot \psi ) \) |
exists |
|
|
forall |
| \(\lnot \exists ^{ \kappa }_{ \gamma }( f , \bar{\gamma }, \lnot \psi ) \) |
until | \((\theta _1,\psi _1)\mathrel {{\textsf {U} } ^{\kappa }_{\gamma }}(\theta _2,\psi _2) \) |
|
eventually | \(\lozenge ^{\kappa }_{\gamma }(\theta ,\psi ) \) |
|
globally | \(\square ^{\kappa }_{\gamma }(\theta ,\psi ) \) | \(\lnot \lozenge ^{ \kappa }_{ \gamma }( \theta , \lnot \psi ) \) |
since | \((\theta _1,\psi _1)\mathrel {{\textsf {S} } ^{\kappa }_{\gamma }}(\theta _2,\psi _2) \) |
|
once | \(\blacklozenge ^{\kappa }_{\gamma }(\theta ,\psi ) \) |
|
historically | \(\blacksquare ^{\kappa }_{\gamma }(\theta ,\psi ) \) | \(\lnot \blacklozenge ^{ \kappa }_{ \gamma }( \theta , \lnot \psi ) \) |
forall-matches |
|
|
We now introduce the syntax of MTGL by formally defining its MTGCs.
Definition 35
- \(\bullet \):
-
\(\bar{\psi }=\wedge S \) and \(S\mathrel {\subseteq _{\mathsf {fin}}} {\mathcal {S}}_{n, {H}}^{\mathsf {MTGC}}\).
- \(\bullet \):
-
\(\bar{\psi }=\lnot \psi \) and \(\psi \in {\mathcal {S}}_{n, {H}}^{\mathsf {MTGC}}\).
- \(\bullet \):
-
,
- \(\bullet \):
-
\(\theta _1\in \mathcal {S}^{\mathsf {EP}} \) is an evolution pattern with the left-hand side graph \({\theta _1}{.}{{\textsf {lG} }} =H\) and the right-hand side graph \({\theta _1}{.}{{\textsf {rG} }} =H_1'\),
- \(\bullet \):
-
\(\psi _1\in {\mathcal {S}}_{n, {H_1'}}^{\mathsf {MTGC}}\) is an MTGC over \(H_1'\) of the same depth n,
- \(\bullet \):
-
\(\gamma \in \mathcal {S}^{{\textsf {AC} }} _{{\textsf {DS} }} \) is a duration specification,
- \(\bullet \):
-
\(\kappa \in \{\mathsf {E},\mathsf {N},\mathsf {C} \}\) is a search restriction specifier,
- \(\bullet \):
-
\(\theta _2\in \mathcal {S}^{\mathsf {EP}} \) is an evolution pattern with the left-hand side graph \({\theta _2}{.}{{\textsf {lG} }} =H\) and the right-hand side graph \({\theta _2}{.}{{\textsf {rG} }} =H_2'\), and
- \(\bullet \):
-
\(\psi _2\in {\mathcal {S}}_{n+1, {H_2'}}^{\mathsf {MTGC}}\) is an MTGC over \(H_2'\) with increased depth \(n+1\).
- \(\bullet \):
-
\(\bar{\psi }=\boxdot (\theta ,\psi ) \),
- \(\bullet \):
-
\(n>0\) indicates at least one enclosing delta-lock operator to which \(\bar{\psi }\) refers to,
- \(\bullet \):
-
\(\theta \in \mathcal {S}^{\mathsf {EP}} \) is an evolution pattern with the left-hand side graph \({\theta }{.}{{\textsf {lG} }} =H\) and the right-hand side graph \({\theta }{.}{{\textsf {rG} }} =H'\), and
- \(\bullet \):
-
\(\psi \in {\mathcal {S}}_{n-1, {H'}}^{\mathsf {MTGC}}\) is an MTGC over \(H'\) with decreased depth \(n-1\).
-
\({\mathcal {S}}_{H}^{\mathsf {MTGC}}={\mathcal {S}}_{0, H}^{\mathsf {MTGC}}\) contains the MTGCs of depth 0.
-
true: \(\top =\wedge \varnothing \).
-
false: \(\bot =\lnot \top \).
-
disjunction: \(\vee S =\lnot (\wedge \{\lnot \psi \mid \psi \in S\}) \).
Note that in the definition above, we only permit occurrences of the \(delta{\text {-}}{}release \) operator in the right-hand side argument of the \(delta{\text {-}}{}lock \) operator. Moreover, we use a depth parameter \(n\in \mathbf {N} \) for the number of open \(delta{\text {-}}{}lock \) calls to ensure that the number of \(delta{\text {-}}{}release \) calls does not exceed the number of \(delta{\text {-}}{}lock \) calls (i.e., to ensure that each instance of the \(delta{\text {-}}{}release \) operator has an enclosing instance of the \(delta{\text {-}}{}lock \) operator). The use of this depth parameter guarantees in the semantics of MTGL (as explained in more detail below) that whenever an instance of the \(delta{\text {-}}{}release \) operator is checked, a timepoint specifying the origin of a previous instance of the \(delta{\text {-}}{}lock \) operator is available.
The formalization of the properties from Example 3 and Example 4 is given in Fig. 27b and Fig. 27d, respectively, where we use the notation introduced subsequently.
Notation 5
(Evolution Patterns in MTGCs) We adapt our notation for GCs from Notation 3 as follows. For the delta-lock and delta-release operators, we depict the evolution patterns in five compartments separated by vertical lines assuming that \({\theta }{.}{{\textsf {res} }} \), \({\theta }{.}{{\textsf {del} }} \), \({\theta }{.}{{\textsf {add} }} \), and \({\theta }{.}{{\textsf {ext} }} \) are inclusion morphisms. We depict the morphisms \({\theta }{.}{{\textsf {res} }} \) and \({\theta }{.}{{\textsf {del} }} \), by employing the notation for monomorphisms used in a restrict operator, in the first and second compartment, respectively. We depict the morphisms \({\theta }{.}{{\textsf {add} }} \) and \({\theta }{.}{{\textsf {ext} }} \), by employing the notation for monomorphisms used in an exists operator, in the third and fourth compartment, respectively. Lastly, we depict \({\theta }{.}{{\textsf {ac} }}\) in the firth compartment. If one of the monomorphisms is an identity morphism, we denote this by \({\textsf {id} } \). If \({\theta }{.}{{\textsf {res} }} \) or \({\theta }{.}{{\textsf {del} }} \) is an initial morphism from the empty graph, we denote this by \(\varvec{\varnothing } \). If one of the monomorphisms is not an inclusion morphism or one of the application conditions \({\theta }{.}{{\textsf {lC} }}\) or \({\theta }{.}{{\textsf {rC} }}\) is not \(\top \), we use our more general notation for evolution patterns from Notation 4.
-
restrict:
Restriction of the current match according to the monomorphism f. Note that there is no dual operator because the restriction is unique. Moreover, we only permit the search restriction specifier \(\kappa =\mathsf {E} \) for this operator because the restriction is always possible.
-
deletion:
Deletion of matched graph elements according to the monomorphism f. Note that there is no dual operator because the deletion is unique.
-
exists-addition:
Addition and matching of further graph elements according to the monomorphism f.
-
forall-addition:
The operator that is dual to the exists-addition operator considering all additions.
-
exists:
Extension of the current match according to the monomorphism f.
-
forall:
The operator that is dual to the exists operator considering all extensions.
-
until: \((\theta _1,\psi _1)\mathrel {{\textsf {U} } ^{\kappa }_{\gamma }}(\theta _2,\psi _2) \)
The standard until operator known from other metric temporal logics such as MTL. The operator requires in addition that the duration specification describes only positive delays \(\delta \).
-
eventually: \(\lozenge ^{\kappa }_{\gamma }(\theta ,\psi ) \)
The standard eventually operator known from other metric temporal logics such as MTL. It is a simple case of the until operator with a neutral left-hand side argument.
-
globally: \(\square ^{\kappa }_{\gamma }(\theta ,\psi ) \)
The operator that is dual to the eventually operator considering all future timepoints that are compatible with \(\gamma \).
-
since: \((\theta _1,\psi _1)\mathrel {{\textsf {S} } ^{\kappa }_{\gamma }}(\theta _2,\psi _2) \)
The standard since operator known from other metric temporal logics such as MTL. The operator requires in addition that the duration specification describes only negative delays \(\delta \).
-
once: \(\blacklozenge ^{\kappa }_{\gamma }(\theta ,\psi ) \)
Similar operator to eventually for the past. It is a simple case of the since operator with a neutral left-hand side argument.
-
historically: \(\blacksquare ^{\kappa }_{\gamma }(\theta ,\psi ) \)
Similar operator to globally for the past. The operator that is dual to the once operator considering all past timepoints that are compatible with \(\gamma \).
-
forall-matches: \(\kappa =\mathsf {A} \)
The additional search restriction specifier \(\mathsf {A} \) (called \(forall{\text {-}}{}matches \)) results in a dual operator compared to the search restriction specifier \(\mathsf {E} \).
-
As a special case, the satisfaction relation is defined for an MTGC \(\bar{\psi }\) over the empty graph of depth 0, a TGS \(\pi \in \Pi ^{ time }_{G} \), the empty word \(\lambda \) of timepoints used for the delta-release operator, the initial checking time \( time (G) =0\), and the initial match \(m={\textsf {i} } (G) \) representing an empty binding.
-
For the general case, the satisfaction relation is defined for an MTGC \(\bar{\psi }\) over a graph H of depth n, a TGS \(\pi \in \Pi ^{ time }_{G} \), a word \( ts \) of n timepoints from , a current checking time , and a match representing the current binding. Hence, timepoints may not exceed the duration of the TGS in both cases.
The satisfaction relation of MTGL is defined as the satisfaction relation of GL for the operators conjunction and negation and also covers the two additional operators delta-lock and delta-release.
Definition 36
- \(\bullet \):
-
\(\bar{\psi }=\wedge S \) and \(\forall \psi \in S.\;(\pi , ts ,t,m)\models _{\text {MTGC}} \psi \).
- \(\bullet \):
-
\(\bar{\psi }=\lnot \psi \) and \((\pi , ts ,t,m)\not \models _{\text {MTGC}} \psi \).
- \(\bullet \):
-
and there are \(\delta \in {\textsf {sem} }(\gamma ) \) and35\(\tilde{m}\in {\textsf {PM} } (\pi ,t,t+\delta ,m,\theta _2) \) s.t.
- \(\bullet \):
-
\((\pi , ts \cdot t,t+\delta ,\tilde{m})\models _{\text {MTGC}} \psi _2 \),36
- \(\bullet \):
-
if \(\kappa =\mathsf {N} \),
I is an interval37 over ,
\(I=[0,t+\delta )\) if \(\delta \ge 0\),
and \(I=(t+\delta ,\infty )\) if \(\delta <0\),
then each
satisfies \({\textsf {PM} } (\pi ,t+\delta ,t',\tilde{m},{\textsf {id} }) =\varnothing \),38
- \(\bullet \):
-
if \(\kappa =\mathsf {C} \),
then each \(\delta '\in ((\delta ,0]\cup [0,\delta ))\cap {\textsf {sem} }(\gamma ) \)
satisfies \({\textsf {PM} } (\pi ,t,t+\delta ',m,\theta _2) =\varnothing \),39 and
- \(\bullet \):
-
for each \(\delta '\in (\delta ,0]\cup [0,\delta )\)
there is \(\tilde{m}\in {\textsf {PM} } (\pi ,t,t+\delta ',m,\theta _1) \)
s.t. \((\pi , ts ,t+\delta ',\tilde{m})\models _{\text {MTGC}} \psi _1 \).40
- \(\bullet \):
-
\(\bar{\psi }=\boxdot (\theta ,\psi ) \), \( ts = ts' \cdot t'\), and
for each \(t''\in [t',t)\cup (t,t']\)
there is \(\tilde{m}\in {\textsf {PM} } (\pi ,t,t'',m,\theta ) \)
s.t. \((\pi , ts ',t'',\tilde{m})\models _{\text {MTGC}} \psi \).41
Also, if \(\bar{\psi }\in {\mathcal {S}}_{\varvec{\varnothing }}^{\mathsf {MTGC}}\) and \((\pi ,\lambda ,0,{\textsf {i} } (G))\models _{\text {MTGC}} \bar{\psi } \), then \(\pi \models _{\text {MTGC}} \bar{\psi } \).
For our running example, see Fig. 15 for a TGS \(\pi \), which does not satisfy the MTGC \(\psi _1\) from Fig. 28a. The TGS \(\pi \) does not satisfy \(\psi _1\) because, for the node \(T_2\) of type :Task created at the timepoint 102 with \(\text {id}\) attribute 1, there is not eventually a unique node R of type \({\text {:Result}}\) with \(\text {id}\) attribute 1 and \(\text {value} \) attribute \( ok \). Indeed, the node \(R_2\) is the only node of type \({\text {:Result}}\) that is created in the described timepoint interval with the \(\text {id}\) attribute 1 of the node \(T_2\) and \(\text {value} \) attribute \( ok \) but there is the additional node \(R_1\) of type \({\text {:Result}}\) with the \(\text {id}\) attribute 1, which invalidates uniqueness. Basically, the absence of such nodes of type \({\text {:Result}}\) generated from previous tasks is not ensured using an application condition in the rule \(\rho _{ SpawnTask }\) in Fig. 13a. The error occurs when an old result is not yet removed using the rule \(\rho _{ ConsumeResult }\) and is more likely in real systems when the set of admissible \(\text {id}\) attributes is small42 or when they are chosen in a deterministic order.
Metric temporal logics vary not only in their selection of operators (such as until and since) and the underlying data structures for states (such as graphs, relations, and sets of atomic proposition) but also in their interpretation of how continuous time is related to discrete steps. In [75] two basic alternative kinds of semantics are discussed. On the one hand, point-based semantics such as in MFOTL [13] (also see [4, 5, 51, 53, 54, 84]) quantify for the metric temporal operators over the countable set of timepoints in a dense-time interval that are associated to the events that alter the state, which means that, effectively, only discrete steps are considered that are associated with a continuous variable representing the current global time. On the other hand, interval-based semantics such as in MTGL (also see [3, 6, 52, 77]) quantify for the metric temporal operators over all timepoints in the entire dense-time interval. As argued in [75], a common reason for using the point-based semantics is that MTL satisfiability is decidable for the point-based semantics but not for the interval-based semantics. However, while deciding MTGL satisfiability is generally also of interest to exclude unsatisfiable MTGC -based specifications, it is not our focus as of now.
By means of the example in Fig. 29, we now discuss the general difference between point-based and interval-based semantics. The TGS \(\pi \) from Fig. 29a satisfies the MTGC \(\psi \) from Fig. 29b when \(\delta \le 6\) because the node of type :A can be matched at global time 4, which permits to wait for the required node of type \({\text {:B}}\) for 4 further time units until global time 8. In comparison, when the corresponding TGS and the corresponding condition in MFOTL are considered, it turns out that \(\delta \le 4\) is required for satisfaction because the point-based semantics of MFOTL can only jump to the global time 2 for matching the node of type :A. Hence, as also mentioned in [75], point-based semantics takes the perspective of specifying events whereas interval-based semantics takes the perspective of specifying states.
7.3 Folding of timed graph sequences
We now introduce the operation \({\textsf {Fold} }^{\textsf {tgs} } \) for translating TGSs that contain only grounded graphs (where each variable has a unique value) into a single graph, which is called graph with history (GH). This GH contains for each node and edge occurring in the TGS the total timepoint when it was created and, if it was deleted, the total timepoint when it was deleted. To capture these total timepoints, we use additional \(\text {cts} \) (creation timestamp) and \(\text {dts} \) (deletion timestamp) attributes of sort \(\mathsf {real} \).43 See Fig. 12a where we have added such attributes in the type graph already for our running example. Furthermore, for our running example, we obtain the GH in Fig. 15b from the TGS given in Fig. 15a. Note that, in comparison to the notion of a derived span (see Definition 31), which drops all interior information contained in a graph sequence or a TGS, we now want to collect all this interior information into the resulting GH.
Definition 37
-
\( TG \) is a type graph where all nodes and edges have attributes \(\text {cts} \) and \(\text {dts} \) of sort \(\mathsf {real} \),
-
\(G_H\in \mathbf {Graphs} \) is a graph typed over \( TG \),
-
each node and edge in \(G_H\) has unique attributes \(\text {cts} =x\) and \(\text {dts} =y\) satisfying \(0\le x \) (since the global time is assumed to start at 0) and \(y=-1 \) or \(x< y \) (since graph elements are either not yet deleted or are deleted after they have been created),
-
for each edge e in \(G_H\), the value of the \(\text {cts} \) attributes of the source and the target nodes of e is less or equal than the \(\text {cts} \) attribute of e,
-
for each edge e in \(G_H\), the value of the \(\text {dts} \) attributes of the source and the target nodes of e is greater or equal than the \(\text {dts} \) attribute of e,
To fold a finite TGS, we first obtain a GH from the first graph of a TGS.
Definition 38
-
adding the attribute \(\text {cts} =0\) to all nodes in G,
-
adding the attribute \(\text {dts} =-1\) to all nodes in G,
-
adding the attribute \(\text {cts} =0\) to all edges in G, and
-
adding the attribute \(\text {dts} =-1\) to all edges in G,
Note that the inclusion morphism identifies the elements of the graph G in its GH \(G'\).
We now define the operation that folds a single span for a given monomorphism into a monomorphism where \(G'\) and \(H'\) are GHs of G and H, respectively. The resulting monomorphism \(m'\) is obtained as follows. For nodes and edges freshly added by r, we add \(\text {cts}\) attributes set to the current global time (extracted from H) and add \(\text {dts}\) attributes initially set to \(-1\) (denoting that these elements have not yet been deleted). Moreover, for nodes and edges freshly deleted by \(\ell \), we add \(\text {dts}\) attributes set to the current global time (extracted from H) and remove the \(\text {dts} =-1\) attributes previously included. Note that the following definition does not depend on the syntactic representation of the ACs of graphs (which we want to handle up to equivalence). Instead, we wrap ACs of graphs in additional quantification and conjunction and silently assume that such ACs of graphs are simplified as in our exemplary application in Fig. 15. See Fig. 30 for an accompanying visualization.
Definition 39
-
is a monomorphism,
-
is a span,
-
\(N_2={m}{.}{{\textsf {N} }} ({G}{.}{{\textsf {N} }}-{\ell }{.}{{\textsf {N} }} ({D}{.}{{\textsf {N} }}))\) contains the nodes that are removed by \(\ell \),
-
\(E_2={m}{.}{{\textsf {E} }} ({G}{.}{{\textsf {E} }}-{\ell }{.}{{\textsf {E} }} ({D}{.}{{\textsf {E} }}))\) contains the edges that are removed by \(\ell \),
-
\(D'\) is obtained from \(G'\) resulting in some monomorphism and an inclusion satisfying \(m\circ \ell =b_1\circ d\) by
- (1)
setting the set of variables V to be empty,
- (2)
removing the \(\text {dts} =-1\) attributes from nodes and edges in \(N_2\) and \(E_2\) while adding the local variables that are connected to these attributes to V, and
- (3)
setting \({D'}{.}{{\textsf {ac} }} \) to \(\exists V.\;{G'}{.}{{\textsf {ac} }} \) to adapt the AC according to the removal of the variables in V,
- (1)
-
that adds the elements freshly added by r to \(D'\) resulting in the graph X,
-
\( time (H) =t\) is the current global time of H,
-
\(N_1={\bar{m}}{.}{{\textsf {N} }} ({H}{.}{{\textsf {N} }}-{r}{.}{{\textsf {N} }} ({D}{.}{{\textsf {N} }}))\) contains the nodes that are added by r,
-
\(E_1={\bar{m}}{.}{{\textsf {E} }} ({H}{.}{{\textsf {E} }}-{r}{.}{{\textsf {E} }} ({D}{.}{{\textsf {E} }}))\) contains the edges that are added by r,
-
\(H'\) is obtained from X resulting in some monomorphisms and satisfying \(m'=b_3\circ \bar{m}\) by
- (1)
setting the set of ACs S to be empty,
- (2)
adding the attributes \(\text {cts} =t\) and \(\text {dts} =-1\) with fresh local variables to all nodes and edges in \(N_1\) and \(E_1\) while inserting the used ACs into S,
- (3)
adding the attribute \(\text {dts} =t\) with a fresh local variable to all nodes and edges in \(b_2(N_2)\) and \(b_2(E_2)\) while inserting the used ACs into S, and
- (4)
setting \({H'}{.}{{\textsf {ac} }} \) to some AC that is equivalent to \({X}{.}{{\textsf {ac} }} \wedge (\wedge S) \),
- (1)
Finally, we define the iterated folding of an entire finite TGS using the operations \({\textsf {Fold} }^{\textsf {1st} }\) and \({\textsf {Fold} }^{\textsf {span} }\).
Definition 40
-
\({\textsf {length} }(\pi ) =0\) and \(m'=m\).
-
\({\textsf {length} }(\pi ) >0\) and \(m'={\textsf {Fold} }^{\textsf {tgs} } ({\textsf {Fold} }^{\textsf {span} } (m,\pi (0)), \{(k,x)\mid (k+1,x)\in \pi \})\).
Since the operation \({\textsf {Fold} }^{\textsf {span} }\) above also constructs a span from the GH \(G'\) to the GH \(H'\), we can observe that the incremental folding executed by \({\textsf {Fold} }^{\textsf {tgs} } \) straightforwardly results in the construction of a TGS \(\pi '\) of GHs where the ith GH in \(\pi '\) corresponds to the folding of the prefix of \(\pi \) of length i.
See Fig. 15b for an example of a GH that is obtained from the TGS given in Fig. 15a using \({\textsf {Fold} }^{\textsf {tgs} }\).
7.4 Encoding of MTGL in GL
The problem of satisfaction checking for metric temporal logics is far more difficult than for temporal logics because the intervals during which elements are alive (i.e., during which atomic proposition are satisfied) must be checked w.r.t. the intervals provided in the condition. Moreover, this problem is especially difficult when operators such as until or since are nested. This observation is also true for the case for MTGL where a procedure for checking the satisfaction of a given MTGC by a TGS is difficult for nested delta-lock operators. To obtain an effective and suitably efficient procedure for MTGL satisfaction checking, we now continue by presenting an encoding in the form of the operation , which translates MTGCs into GCs.44 In the context of our general approach (cf. Fig. 1), we define such that it is compatible with the operation \({\textsf {Fold} }^{\textsf {tgs} }\) from Definition 40. To this end, we provide support for MTGL satisfaction checking via the two operations \({\textsf {Fold} }^{\textsf {tgs} }\) and that simplify the satisfaction checking problem to the setting of GL for which we can then employ tool support or apply the further encodings \({\textsf {enc} }_{\Delta }\) and \({\textsf {enc} }_{\nu }\) if desired. That is, instead of checking satisfaction for a given MTGC \(\psi \) and a given TGS \(\pi \), we check whether the GH obtained from \(\pi \) using \({\textsf {Fold} }^{\textsf {tgs} }\) satisfies the GC \(\phi \) obtained by applying to \(\psi \). For our running example, we have applied the operation \({\textsf {Fold} }^{\textsf {tgs} }\) to the TGS given in Fig. 15a to obtain the GH from Fig. 15b.
The operation relies on the fact that the GH obtained from folding a TGS contains for each node/edge occurring in the TGS so far the timepoints of creation and (if it was deleted) deletion using additional \(\text {cts}\) and \(\text {dts}\) attributes. We subsequently refer to the variables that are connected to the \(\text {cts}\) and \(\text {dts}\) attributes of a node/edge \(\alpha \) using \(x_{c,\alpha }\) and \(x_{d,\alpha }\), respectively. For our running example, the type graph \( TG \) containing such \(\text {cts}\) and \(\text {dts}\) attributes is given in Fig. 12a.
The GC that is obtained using the operation from an MTGC encodes the checks for MTGL operators according to the semantics of MTGL from Definition 36 using additional global variables for quantifying over observation timepoints. Moreover, additional ACs that refer to the \(\text {cts}\) and \(\text {dts}\) attributes are used to ensure that all additionally matched elements have been created and not yet deleted w.r.t. a timepoint or, alternatively, that elements that are no longer matched have been deleted before a timepoint when this is required.
We now introduce four minor operations used in the operation later on.
The operation \({\textsf {alive} }\) returns for a graph H an AC. The graph H is part of the GC obtained below using for a given MTGC and the AC obtained using \({\textsf {alive} }\) is then part of the AC of H. The purpose of the generated AC is that when the operation \({\textsf {Fold} }^{\textsf {tgs} }\) generates a GH for a given TGS \(\pi \), then H can only be matched to graph elements of that GH for a given global time represented by a variable x when each matched graph element exists in the graph of \(\pi \) at the global time stored in x. That is, the AC ensures that all of the matched nodes/edges have been created before the timepoint given by x and that none of them has been deleted before the timepoint given by x.
Definition 41
(Operation \({\textsf {alive} }\)) If H is a graph where \(x_{c,\alpha }\) and \(x_{d,\alpha }\) denote the local variables connected to the \(\text {cts}\) and \(\text {dts}\) attribute of a node/edge \(\alpha \in {H}{.}{{\textsf {N} }} \cup {H}{.}{{\textsf {E} }} \) of H and x is a global variable of sort \(\mathsf {real}\) contained in H, then \({{\textsf {alive} }(x,H)} = \wedge \{x_{c,\alpha }\le x \wedge (x_{d,\alpha }=-1 \vee x< x_{d,\alpha } ) \mid \alpha \in {H}{.}{{\textsf {N} }} \cup {H}{.}{{\textsf {E} }} \} \).
The operation \({\textsf {earliest} }\) is used in a similar way for a graph H and returns also an AC to be used in H. The difference is that the AC generated by \({\textsf {earliest} }\) ensures that none of the matched graph elements existed before the global time given by the variable x. That is, one of the matched graph elements called \(\alpha \) must have been created at the timepoint given by x and none of the other graph elements \(\beta \) must have been created after that timepoint. This AC thereby ensures that the graph H could not have been matched to the same elements at an earlier timepoint because the graph element \(\alpha \) could not have been matched earlier. The AC generated by \({\textsf {earliest} }\) in this way is used in when encoding an MTGC using the search restriction specifier new-match.
Definition 42
(Operation \({\textsf {earliest} }\)) If H is a graph where \(x_{c,\alpha }\) and \(x_{d,\alpha }\) denote the local variables connected to the \(\text {cts}\) and \(\text {dts}\) attribute of a node/edge \(\alpha \in {H}{.}{{\textsf {N} }} \cup {H}{.}{{\textsf {E} }} \) of H and x is a global variable of sort \(\mathsf {real}\) contained in H, then \({{\textsf {earliest} }(x,H)} =\vee \{\wedge (\{x_{c,\alpha }=x\}\cup \{x\ge x_{c,\beta } \mid \beta \in S-\{\alpha \}\}) \mid \alpha \in {H}{.}{{\textsf {N} }} \cup {H}{.}{{\textsf {E} }} \} \).
For our running example, see Fig. 32 for the GC that results from applying the operation , which is introduced in the following, to the MTGC from Fig. 28a where we make use of ACs including the operations \({\textsf {alive} }\) and \({\textsf {earliest} }\). Note that, to simplify notation, we also apply \({\textsf {alive} }\) and \({\textsf {earliest} }\) by just providing a set of graph elements instead of an entire graph.
The operation \({\textsf {ruleAdd} }\) creates a restriction-extension pattern by adding a set of global variables V, by adding a further global variable x, and by requiring the satisfaction of an AC \(\gamma \). Also, the restriction-extension pattern additionally subsumes a given context graph H and its AC states that the variables in V remain unchanged. Restriction-extension patterns constructed using \({\textsf {ruleAdd} }\) are used to quantify over the additional global variable x that represents an observation timepoint in the satisfaction relation of MTGL (see Definition 36).
Definition 43
-
\(H\in \mathbf {Graphs} \) is a graph,
-
\(V\cup \{x\}\subseteq \mathcal {X} \) are variables,
-
\(\gamma \in \mathcal {S}^{{\textsf {AC} }} _{V\cup \{x\}\cup {H}{.}{{\textsf {X} }}} \) is an AC,
-
\(\bar{H}\) is derived from H by
setting \({\bar{H}}{.}{{\textsf {XG} }} ={H}{.}{{\textsf {XG} }} \cup V\),
-
\(\bar{H}'\) is derived from \(\bar{H}\) by
setting \({\bar{H}'}{.}{{\textsf {XG} }} ={\bar{H}}{.}{{\textsf {XG} }} \cup \{x\}\),
-
\(\rho \in \mathcal {S}^{\mathsf {REP}} \) is a restriction-extension pattern,
-
\({\rho }{.}{{\textsf {res} }} ={\textsf {id} } (\bar{H}) \),
-
\({\rho }{.}{{\textsf {ext} }} ={\textsf {inc} } (\bar{H},\bar{H}') \),
-
\({\rho }{.}{{\textsf {ac} }} =\wedge (\{\gamma \}\cup \{{\theta }{.}{{\textsf {lX} }} (y)= {\theta }{.}{{\textsf {rX} }} (y) \mid y\in V\}) \), and
-
\({\rho }{.}{{\textsf {lC} }} ={\rho }{.}{{\textsf {rC} }} =\top \) are application conditions,
For our running example, the application of the operation \({\textsf {ruleAdd} }\) results in the restriction-extension patterns used in lines 2 and 4 of the GC from Fig. 32. The restriction-extension pattern used in line 2 in this resulting GC states that (due to the negation in the beginning of the line) the subcondition should be satisfied for every value of the additional global variable \(x_1\) that satisfies the AC \(x_0\le x_1 \). Herein, the global variable \(x_0\) represents the current observation timepoint given by the variable t in Definition 36. Moreover, the AC \(x_0\le x_1 \) represents the statement that the new observation timepoint (called \(t'\) in Definition 36) must be one of the values described by the duration specification used in the MTGC, which is \([0,\infty )\) in this case. The restriction-extension pattern in line 4 of Fig. 32 states that there is a timepoint represented by \(x_2\) at most 10000 time units in the future measured from the previous observation timepoint represented by \(x_1\).
The operation \({\textsf {ruleExt} }\) takes an evolution pattern \(\theta \) and generates a restriction-extension pattern \(\rho \) from it by adding the variables contained in a set V as global variables.45 Moreover, the AC of the resulting restriction-extension pattern additionally requires the satisfaction of a given AC \(\gamma \) and that the variables in V remain unchanged. Finally, the components \({\rho }{.}{{\textsf {res} }} \) and \({\rho }{.}{{\textsf {ext} }} \) are obtained by composing \({\theta }{.}{{\textsf {del} }} \) and \({\theta }{.}{{\textsf {res} }} \) for \({\rho }{.}{{\textsf {res} }} \) and by composing \({\theta }{.}{{\textsf {add} }} \) and \({\theta }{.}{{\textsf {ext} }} \) for \({\rho }{.}{{\textsf {ext} }} \) where we note that the checks regarding the addition and deletion of graph elements is covered by the ACs generated in .
Definition 44
- \(\bullet \):
-
\(\theta \in \mathcal {S}^{\mathsf {EP}} \) is an evolution pattern,
- \(\bullet \):
-
\(\rho \in \mathcal {S}^{\mathsf {REP}} \) is a restriction-extension pattern,
- \(\bullet \):
-
\({\theta }{.}{{\textsf {lG} }} =H\) is the left-hand side graph of \(\theta \),
- \(\bullet \):
-
\({\theta }{.}{{\textsf {rG} }} =H'\) is the right-hand side graph of \(\theta \),
- \(\bullet \):
-
\(V\subseteq \mathcal {X} \) are variables,
- \(\bullet \):
-
\(\gamma \in \mathcal {S}^{{\textsf {AC} }} _{V\cup {H'}{.}{{\textsf {X} }}} \) is an AC, and
- \(\bullet \):
-
\(\rho \) is derived from \(\theta \) by
- \(\bullet \):
-
adding V to the sets of global variables in each of the contained graphs,
- \(\bullet \):
-
by setting \({\rho }{.}{{\textsf {ac} }} = \wedge (\{{\theta }{.}{{\textsf {ac} }},\gamma \} \cup \{{\theta }{.}{{\textsf {lX} }} (y)= {\theta }{.}{{\textsf {rX} }} (y) \mid y\in V\}) \),
- \(\bullet \):
-
by setting \({\rho }{.}{{\textsf {res} }} ={\theta }{.}{{\textsf {res} }} \circ {\theta }{.}{{\textsf {del} }} \), and
- \(\bullet \):
-
by setting \({\rho }{.}{{\textsf {ext} }} ={\theta }{.}{{\textsf {add} }} \circ {\theta }{.}{{\textsf {ext} }} \),
For our running example, the application of the operation \({\textsf {ruleExt} }\) results in the restriction-extension patterns used in lines 3, 5, and 7 of the GC from Fig. 32 by adapting the three evolution patterns used in the MTGC from Fig. 28a.
We now introduce the operation , which proceeds by first creating a restriction-extension pattern to existentially quantify a global variable \(x_0\) denoting the initial current observation timepoint with an initial value of 0. We then apply the inductive operation , which is parameterized by (a) a word of global variables representing the return addresses for the delta-release operator (which is initially empty), (b) a global variable \( x_{outer} \) representing the timepoint t in the satisfaction relation (which is initially \(x_0\)), and (c) a set of global variables V that occur in a particular part of the resulting GC (which is initially \(\{x_0\}\)).
Definition 45
- \(\bullet \):
-
conjunction:
-
\(\psi =\wedge S \) and
-
.
- \(\bullet \):
-
negation:
- \(\bullet \):
-
\(\psi =\lnot \bar{\psi } \) and
- \(\bullet \):
-
.
- \(\bullet \):
-
delta-lock:
- \(\bullet \):
-
input metric temporal graph condition \(\psi \):
- \(\bullet \):
-
,
- \(\bullet \):
-
\({\theta _1}{.}{{\textsf {lG} }} ={\theta _2}{.}{{\textsf {lG} }} =H\),
- \(\bullet \):
-
\({\theta _1}{.}{{\textsf {rG} }} =H_1'\),
- \(\bullet \):
-
\({\theta _2}{.}{{\textsf {rG} }} =H_2'\),
- \(\bullet \):
-
restriction-extension pattern \(\rho _2'\):
- \(\bullet \):
-
\(x_2\notin V\),
- \(\bullet \):
-
\(\rho _2'={\textsf {ruleAdd} } (H,V,x_2,{\textsf {shift} }_{\textsf {DS} } (\gamma ,x_2, x_{outer} )) \),
- \(\bullet \):
-
restriction-extension pattern \(\rho _2''\):
- \(\bullet \):
-
\(\gamma _2''={{\textsf {alive} }(x_2,H_2')} \wedge (\mathsf {if~} \kappa =\mathsf {N} \mathsf {~then~} {{\textsf {earliest} }(x_2,H_2')} \mathsf {~else~} \top ), \)
- \(\bullet \):
-
\(\rho _2''={\textsf {ruleExt} } (\theta _2,V\cup \{x_2\},\gamma _2'') \),
- \(\bullet \):
-
graph condition \(\phi _2\):
- \(\bullet \):
-
,
- \(\bullet \):
-
restriction-extension pattern \(\rho _1'\):
- \(\bullet \):
-
\(x_1\notin V\),
- \(\bullet \):
-
\(\gamma _1= x_2< x_1 \wedge x_1\le x_{outer} \),
- \(\bullet \):
-
\(\gamma _2= x_{outer} \le x_1 \wedge x_1< x_2 \),
- \(\bullet \):
-
\(\rho _1'={\textsf {ruleAdd} } (H,V\cup \{x_2\},x_1,\gamma _1\vee \gamma _2) \),
- \(\bullet \):
-
restriction-extension pattern \(\rho _1''\):
- \(\bullet \):
-
\(\rho _1''={\textsf {ruleExt} } (\theta _1,V\cup \{x_2,x_1\},{{\textsf {alive} }(x_1,H_1')}) \),
- \(\bullet \):
-
graph condition \(\phi _1\):
- \(\bullet \):
-
,
- \(\bullet \):
-
restriction-extension pattern \(\bar{\rho }_2'\):
- \(\bullet \):
-
\(\bar{x}_2\notin V\),
- \(\bullet \):
-
\(\bar{\gamma }_1= x_2< \bar{x}_2 \wedge \bar{x}_2\le x_{outer} \),
- \(\bullet \):
-
\(\bar{\gamma }_2= x_{outer} \le \bar{x}_2 \wedge \bar{x}_2< x_2 \),
- \(\bullet \):
-
\(\bar{\gamma }_3= (\bar{\gamma }_1\vee \bar{\gamma }_2) \wedge {\textsf {shift} }_{\textsf {DS} } (\gamma ,\bar{x}_2, x_{outer} ) \),
- \(\bullet \):
-
\(\bar{\rho }_2'={\textsf {ruleAdd} } (H,V\cup \{x_2\},\bar{x}_2,\bar{\gamma }_3) \),
- \(\bullet \):
-
restriction-extension pattern \(\bar{\rho }_2''\):
- \(\bullet \):
-
\(\bar{\rho }_2''={\textsf {ruleExt} } (\theta _2,V\cup \{x_2,\bar{x}_2\},{{\textsf {alive} }(\bar{x}_2,H_2')}) \),
- \(\bullet \):
-
graph condition \(\bar{\phi }_2\):
- \(\bullet \):
-
, and
- \(\bullet \):
-
output graph condition \(\phi \):
- \(\bullet \):
-
\(\phi = \Delta ^{\mathsf {E}}(\rho _2', \Delta ^{\mathsf {E}}(\rho _2'',\phi _2) \wedge \Delta ^{\mathsf {A}}(\rho _1',\Delta ^{\mathsf {E}}(\rho _1'',\phi _1)) \wedge \bar{\phi }_2 ) \).
- \(\bullet \):
-
delta-release:
- \(\bullet \):
-
input metric temporal graph condition \(\psi \):
- \(\bullet \):
-
\(\psi =\boxdot (\bar{\theta },\bar{\psi }) \),
- \(\bullet \):
-
\({\bar{\theta }}{.}{{\textsf {lG} }} =H\),
- \(\bullet \):
-
\({\bar{\theta }}{.}{{\textsf {rG} }} =H'\),
- \(\bullet \):
-
\( xs = xs' \cdot x_{last} \),
- \(\bullet \):
-
restriction-extension pattern \(\bar{\rho }'\):
- \(\bullet \):
-
\(x\notin V\),
- \(\bullet \):
-
\(\gamma _1= x_{last} \le x \wedge x< x_{outer} \),
- \(\bullet \):
-
\(\gamma _2= x_{outer} < x \wedge x\le x_{last} \),
- \(\bullet \):
-
\(\bar{\rho }'={\textsf {ruleAdd} } (H,V,x,\gamma _1\vee \gamma _2) \),
- \(\bullet \):
-
restriction-extension pattern \(\bar{\rho }''\):
- \(\bullet \):
-
\(\bar{\rho }''={\textsf {ruleExt} } (\bar{\theta },V\cup \{x\},{{\textsf {alive} }(x,H')}) \),
- \(\bullet \):
-
graph condition \(\bar{\phi }\):
- \(\bullet \):
-
, and
- \(\bullet \):
-
output graph condition \(\phi \):
- \(\bullet \):
-
\(\phi = \Delta ^{\mathsf {A}}(\bar{\rho }', \Delta ^{\mathsf {E}}(\bar{\rho }'',\bar{\phi }) ) \).
For our running example, see again Fig. 32 for the encoding of the MTGC from Fig. 28a using . Note that all usages of the delta-lock operator in the given MTGC have a trivial left-hand side argument. Hence, when applying the operation , we observe that the GC \(\Delta ^{\mathsf {A}}(\theta _1',\Delta ^{\mathsf {E}}(\theta _1'',\phi _1)) \) is trivially satisfied because \(\phi _1\) is equivalent to \(\top \). To simplify the presentation, we have omitted these additional trivial subconditions in Fig. 32. Also note that the two negation operators in lines 2 and 4 originate from the universal quantification in the given MTGC.
We now state the soundness of the encoding operation defined above.
Theorem 5
(Soundness of ) If \(\pi \in \Pi ^{\mathsf {fin}, time }_{G,H} \) is a finite TGS starting in G and ending in H, is the GH obtained from folding \(\pi \), \(\psi \in {\mathcal {S}}_{0, \varvec{\varnothing }}^{\mathsf {MTGC}}\) is an MTGC, and is the GC obtained from encoding \(\psi \), then \(\pi \models _{\text {MTGC}} \psi \) iff \(H'\models _{\mathsf {GC}} \phi \).
See page 72 for the proof of this theorem.
We conclude from this theorem that the two operations \({\textsf {Fold} }^{\textsf {tgs} }\) and can be used together to translate the MTGC satisfaction problem into a GC satisfaction problem. Moreover, we can apply \({\textsf {enc} }_{\Delta }\) (see Corollary 2) and \({\textsf {enc} }_{\nu }\) (see Corollary 1) to translate the GC satisfaction checking problem into a BGC satisfaction checking problem. The operations , \({\textsf {enc} }_{\Delta }\), and \({\textsf {enc} }_{\nu }\) as well as BGC satisfaction checking (see Corollary 3) are supported by our prototypical implementation in AutoGraph.
8 Application to formal testing
We now introduce a formal testing approach for the formalism of timed graph transformation systems46 introduced in Sect. 5.
As motivated in Sect. 1, timed graph transformation systems are highly expressive, which makes them a good fit for the modeling of behavior in a diverse range of contexts. However, the expressiveness (and the fact that several rules may be applied nondeterministically also using different matches for a selected rule) comes with the burden that the validity of a timed graph transformation systems (i.e., that the actual behavior of the timed graph transformation system corresponds to the intended behavior) is often not as obvious as desirable. Formal specifications may then be used to describe intended behavior (i.e., describing scenarios that should be realizable in terms of TGSs) as well as unintended behavior (i.e., describing when a TGS is not part of the intended behavior). We introduced MTGL in Sect. 7 for the specification of intended/unintended behavior. In particular, we have formalized three properties in Fig. 28 that describe unintended behavior.
-
The inputs of the procedure:
The first input given by the node marked a is the type graph that is used for all graphs and logical conditions throughout the test. Also, the second input given by the node marked b is the TGTS S under test with its rule set R, the initial graph \(G_0\), and the operation \( time \) for extracting the current global time from a graph. Finally, the third input given by the node marked c is the MTGC \(\psi \) that is used as a specification of expected behavior.
-
Step 1 (Encode the input MTGC to BGC):
We apply the encoding operations from the previous sections to the provided MTGC in an offline fashion to obtain the resulting BGC \(\phi \) given by the node marked 1. The used encoding operations are from Definition 45 to encode an MTGC into a GC, \({\textsf {enc} }_{\Delta } \) from Definition 28 to encode a GC into a BGC, and \({\textsf {enc} }_{\nu } \) from Definition 15 to remove restrict operators from the BGC.
-
Step 2 (Fold the initial graph):
As a corresponding step to the applied encoding from step 1, we fold the initial graph from the provided TGTS into a graph with history given by the node marked 2 using the operation \({\textsf {Fold} }^{\textsf {1st} }\) from Definition 38. The resulting graph with history is represented by a monomorphism in the visualization (for \(i=0\)), which has the initial graph \(G_0\) as a source graph and the first graph with history \( GH _0\) as a target graph.
-
Step 3 (Check satisfaction for TGS given by GH):
We check in the node marked 3 whether the current graph with history represented by satisfies the encoded MTGC \(\psi \) in the form of the BGC \(\phi \). To ease the presentation of the testing procedure, we abstract here from additional information that may be stored, adapted, and reused in subsequent checks by techniques employed for incremental satisfaction checking. These incremental satisfaction checking techniques aim at reducing the computational cost for checking such that the computation cost depends in the average case on the size of the last change of the graph with history but not of the graph with history. An example is given by satisfaction trees [80] that record all morphisms used in the satisfaction check for reuse after the host graph has been adapted.
When the current graph with history \( GH _i\) does not satisfy the BGC, we collect the monomorphism m in a set of violations V in the node marked d.
Independently from the outcome of the performed satisfaction check, we also use the monomorphism m for the subsequent analysis and pass it to the next step for this purpose.
-
Step 4 (Extend the TGS):
In the step generation engine, which is given by the node marked 4, we adapt the graph \(G_i\) from the monomorphism (recall that this monomorphism represents how the current graph \(G_i\) is contained in the graph with history \( GH _i\)). Technically, we generate a (possibly empty) sequence of spans according to the graph transformation steps introduced in Definition 18 and forward these spans then to the node marked 5.
However, this step is complicated by the fact that the step relation of (timed) graph transformation systems is usually not deterministic because (a) several rules may be applicable, (b) each of these rules may be applicable using multiple matches, and (c) different values may be generated by steps using the same rule and match (using global variables that must be matched to values as in the rule from Fig. 13a). The last of these points about attribute values also pertains to the increase of time: in our running example, time is increased by 1 time unit or 100 time units in each rule but, in general, rules may increment time only restricted to certain values from as in other formalisms such as timed automata.
For a complete analysis procedure, we generate all these steps and forward each of these steps to the node marked 5 resulting in a breadth-first-search generation and testing of the state space. However, for completeness, we require that each graph visited has only a sufficiently small number of successor graphs reachable by steps (i.e., we have the general assumption that the step relation is at least finitely branching).
When a complete analysis is not desired (e.g. when fewer but longer TGS are to be considered instead of more and shorter TGSs) or when the rules of the TGTS result in too many successor graphs, we (a) apply standard techniques for selecting a subset of the steps w.r.t. the graph modifications using randomization47 and (b) resort to a sampling approach that selects a suitable small and finite set of attribute modifications (including the advancement of time).48 Such approaches based on randomization are already used for various probabilistic, timed, probabilistic timed, and stochastic graph transformation systems [15, 39, 42, 50, 61, 69] where nondeterminism is partially resolved using randomization already.
-
Step 5 (Fold the derived step into GH):
We adapt the current graph with history \( GH _i\) represented by the monomorphism to a step given by a span using the operation \({\textsf {Fold} }^{\textsf {span} } \) from Definition 39 in the node marked 5. This operation adapts the graph with history \( GH _i\) contained in the monomorphism resulting in a monomorphism of type . This latter monomorphism is then forwarded to the node marked 1 and is then used afterwards in step 3 where the testing procedure continues.
-
The outputs of the procedure: The set V of violations contained in the node marked d is returned to the user. As future work, we aim at improving the degree of information contained in a violation to improve usability of the testing procedure. To this end, we intend to reuse satisfaction trees [80] also mentioned above in the context of incrementally checking the BGC \(\phi \). However, this approach requires the adaptation of satisfaction trees to the category of symbolic graphs with global variables introduced in Sect. 3. The additional degree of information would precisely characterize the parts of the BGC that are satisfied and those that are not satisfied describing the nature of the violation and its origin (i.e., the earliest step in the TGS that led to the violation) in more detail.
AutoGraph uses the SMT solver Z3 for checking satisfiability of ACs and Z3 always determined a definite result when applying our implementation on the running example. Moreover, AutoGraph uses Z3 to simplify the AC of graphs obtained from graph transformation to speed up the generation of subsequent steps. As of now, we are satisfied with the capabilities of Z3 and, hence, we do not plan to integrate further SMT solvers, which could impose additional costs when these SMT solvers do not provide Java interfaces as available for Z3.
In the future, we intend to provide an integration with state of the art techniques for incremental graph pattern matching [11, 16, 17, 21, 40, 55, 80] to further improve efficiency of our model-based testing approach for scenarios with large graphs and many graph transformation steps.
-
Example 2 on page 22 introduced the TGTS where its type graph, initial graph, and rules are given in Fig. 12, Fig. 13, and Fig. 14.
-
Fig. 15a on page 21 contains a TGS for that TGTS and Fig. 15b on page 21 contains the folding of this TGS into a graph with history.
-
Example 1 on page 2 introduced the informal specification for this running example in the form of three properties that are assumed to be satisfied. These three properties are later presented in Fig. 28 on page 38 in the form of MTGCs. In particular, the first property \(\mathbf {P}_{\mathbf{1}}\) formalized in Fig. 28a was later also reduced to a GC in Fig. 32.
-
Violation 1 obtained after step 1: No suitable result node is (yet) found for node \(T_1\) in the graph with history.
-
Violation 2 obtained after step 3: No suitable result node is (yet) found for node \(T_2\) in the graph with history.
-
Violation 3 obtained after step 4: Each result node that can be found is not unique.
When inspecting the rules of the TGTS, we realize that the rule \(\rho _{ SpawnTask }\) from Fig. 13a needs to be modified such that the id that is used for the task to be created is also not in use by some result attached to the system. The repaired rule \(\rho _{ SpawnTaskRepaired }\) is given Fig. 34. This test-driven repair of the TGTS from the running example concludes our demonstration of the testing procedure.
9 Related work
Support for MTGL features in related work
The testing of real-time systems against specifications on the basis of temporal logics is an active field of research for over three decades. A standard approach for extending temporal logics to the real-time setting is to replace the temporal operators such as until and since [52] with time-constrained versions. Prominent examples are MTL [60] and the MetricIntervalTL [52]. Timed temporal logics vary by relying on timed sequences over a dense- or discrete-time domain and by assuming that the system is observed at every instant in time (interval-based) or whether there is only (possibly finitely many) number of observations resulting from change events (point-based) [75]. These aspects influence the applicability of the logic [14] and impact decidability (a complete overview is beyond the scope of this paper, cf. [3, 6, 19, 52, 75, 77] but also see our discussion at the end of Subsect. 7.2).
-
Graph Based: The use of MTGL enables the direct specification of properties based on graphs occurring in a timed graph sequence without the need for additional encodings.
-
Temporal Operators: The operators of MTGL can be used to express temporal conditions about the past and future graphs relative to a given timepoint in a timed graph sequence.
-
Metric Restrictions: The operators of MTGL for specifying temporal operators are also equipped with ACs for specifying timepoints at which a condition is to be satisfied.
-
Use of Bindings: The operators and the semantics of MTGL employ graph bindings to express how a certain previously matched subgraph evolves over a fragment of the timed graph sequence.
-
Formalization: The syntax and semantics of MTGL as well as the steps of the testing approach are given by formal definitions and are supported by the required theorems.
In the interest of brevity, we first restrict our considerations to related work that allows for the specification of the temporal behavior of a graph-based system.
In [56], the Computation Tree Logic (CTL) [22] is employed for the specification of graph transformation systems (GTSs) where tool-support in the form of the tool Groove [36, 41] is used to generate the finite state space of the GTS at hand. However, CTL relies on atomic proposition and therefore does not support binding as in MTGL. Instead, some form of graph conditions must be used to assign atomic propositions to graphs. In comparison, CTL as a branching-time logic can express properties beyond the linear-time properties definable using MTGL and it was later extended into the metric temporal logic TCTL [1].
In [27], as an extension of the earlier work [15] also pertaining to time, invariants expressed using a restricted kind of graph conditions are verified for a GTS with a possibly infinite state space. In [76], the validity of given pre-/postconditions given in the form of nested graph conditions is verified using the tool Enforce for a graph program that controls the order of rule applications of a GTS. In [10, 59], temporal properties for GTS with infinite state space are checked using the tool Augur2. However, these approaches make use of temporal specifications in which metric aspects cannot be expressed and in which temporal aspects do not refer to bindings of graph elements. Also note that they do not adopt the perspective of past/future that is common in metric temporal logics.
In [66, 67], the satisfaction of graph-based probabilistic timed CTL properties is checked where the tool Henshin [7, 34] is used to generate the finite state space of a GTS and where the tool Prism [62] is used to model-check translations of the given properties. This approach does neither support binding nor properties that refer to the past, as with the other tools based on CTL. Also note that Prism has limited support for PTCTL in terms of the kind of properties that can be verified.
We now continue with related approaches not considering graphs as first-class citizens but which are applicable to graph-based systems using suitable encodings (hence the partial support for graphs in Table 2) and where, moreover, bindings of subgraphs can be used in the specifications.
To begin with, in [9] a nonmetric temporal logic has been introduced. An encoding operation is then defined for a fragment of that logic returning Petri net formulas, which are then checked against a Petri net representation of a graph transformation system over labeled graphs. This encoding-based approach is thereby similar to our encoding-based approach for MTGL from Subsect. 7.4. Limitations of this Petri net-based approach are that (a) the graphs must be encoded using first- or second-order logical formulas, (b) time and attributes are not handled, (c) the graph transformation rules may not merge/delete nodes and may not preserve matched edges, and (d) only future temporal operators are included. However, the presented approach also employs a notion of bindings to track graph elements over graph transformation steps and supports the analysis of the entire state space, whereas we focus on single TGS.
In general, we note that the field of runtime monitoring (RM), also known as oracle-based testing [65], is also concerned with testing by checking sequences of states/events against a temporal specification. In contrast to our approach presented here for the testing of TGTS, RM as a field of research abstracts from the problem of generating sequences. In RM, properties are often specified using temporal logics, automata with quantification, and rule-based systems [12]. In general, the various RM techniques are difficult to compare as mentioned in [45] because of different application domains of RM have specific requirements regarding expressiveness, efficiency, and usability.
In [13], the metric temporal logic (MTL) was extended with binding capabilities to the metric first-order temporal logic (MFOTL) for application in the context of RM. MFOTL, which is supported by the tool MonPoly, assumes that the state of a system is represented by a set of relations, which are then adapted according to the event stream. MFOTL supports bindings referring to parts of the relations and has support for stating conditions on both future and past using operators with metric bounds. Also, the representation of states using relations in MFOTL permits the encoding of graphs-based states and properties. However, such encodings should be formally verified as in this paper and automatically performed since manual encoding is error-prone resulting in much bigger and more complex conditions of MFOTL. In comparison to MTGL with its interval-based semantics, the semantics of MFOTL is point-based which leads to different interpretations of the same dense-time executions, as exemplified at the end of Subsect. 7.2. MonPoly partially supports MFOTL since it imposes syntactic limitations on admissible conditions.
In [44], the quantified temporal logic (QTL) is introduced, which supports bindings and state representation similarly to MFOTL. However, as of now, it supports only properties referring to the past, does not support metric bounds in its temporal operators, and has a point-based semantics as MFOTL.
In [58], a visual, informal notation for the specification of temporal properties involving metric aspects and graph bindings was introduced. However, the notation lacks a formalization and the developed tool support is no longer available.
Finally, compared to our previous work on MTGL in [38, 81], we have considerably extended the expressiveness of MTGL by introducing operators for expressing properties on the past and that handle the binding of subgraphs as well as attribute value comparisons at a deeper level.
In conclusion, as depicted in Table 2, existing approaches with a formal semantics provide no or only partial support for metric aspects, bindings, or the concise statement of conditions by means of native graph support.
Thereby, our graph-based logic MTGL for graph-based systems complements existing approaches since (a) it eases usability in graph-based contexts similarly to the usage of GCs that are favored over first-order logic in these contexts, (b) it enables further developments and combinations with other graph-based techniques such as those in [82], and, (c) as to be shown by future tool-based evaluations, it can be expected that domain-specific tools for checking MTGL conditions are more efficient compared to general-purpose tools such as shown analogously for GCs in [76].
As related work for the formalism of TGTS, we consider, besides our discussion of lazy graph transformation [71, 73, 74] from Sect. 5, [15, 39, 67, 69] where timed behavior is defined on top of graph transformation systems using timed automata concepts such as clocks, guards, invariants, and clock resets. As a consequence, these approaches are able to provide translations into (probabilistic) timed automata (when their state spaces are finite) that can be checked using techniques relying on symbolic, zone-based representations for clock values [24, 63, 64]. However, for the testing approach presented here, we are not forced to implement such a restrictive specification of the advancement of time.
10 Conclusion
To improve available support for model-based development of a wide variety of systems that must adhere to a given specification, we introduced a test-based approach for the modeling formalism of timed graph transformation systems (TGTSs). These TGTSs have sufficient expressive power to cover many timed dynamic systems of interest with varying traits that complicate analysis such as a high degree of parallelism, data dependencies, and timing constraints. Fully automatic analysis techniques cannot be developed for Turing complete modeling formalisms such as TGTSs and, hence, formal testing of such systems becomes an attractive alternative approach to increase confidence in a particular model for cases in which manual or semi-automatic verification is not feasible at acceptable costs.
The formal testing approach for TGTSs introduced here is based on the specification formalism of the metric temporal graph logic (MTGL) that we considerably extended here for that purpose. This logic is already in its current increment well-suited for expressing a wide variety of properties on timed graph sequences (TGSs) as generated by TGTSs. In particular, (a) it relies on graph binding techniques to relate subgraphs and attribute values occurring at different points in time in a TGS, (b) permits to reason about the (non)existence as well as addition and deletion of graph elements, and (c) has support for controlling the subgraphs that are used when considering the continuous satisfaction of conditions over time in both directions (future and past). The capability to express properties based on the binding of subgraphs allows to express more advanced properties compared to other metric temporal logics relying on atomic propositions alone.
The provided testing approach is implemented in AutoGraph and applied to a running example of a TGTS and a formal specification given in the form of three conditions of MTGL.
To improve efficiency of our prototypical implementation of the presented testing approach, we (a) will incorporate current developments for incremental and localized satisfaction checking of graph conditions to improve performance and (b) envision operations for offline simplification of the graph conditions to be checked during testing. Moreover, to improve effectiveness, we (a) intend to adapt the fundamental notion of TGSs to permit steps that do not advance time and (b) will extend MTGL to a branching time logic to specify and analyze generated timed state spaces. Finally, to improve applicability, we (a) intend to represent violations of the specification using more details and to filter those violations that cannot be resolved by steps occurring in later steps of the TGS at hand and (b) develop further metric temporal operators for MTGL that are desirable for the specification of properties such as aggregation operations for values occurring in the TGS. Lastly, we will compare our implementation with other formal analysis tools available regarding semantics, efficiency, and expressiveness of modeling and specification formalisms.
Acknowledgements
We would like to express our great appreciation for the insightful comments made by the anonymous reviewers, which helped to improve our contribution considerably.
Open AccessThis article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.