1

2
DECLARE𝑑: a polytime LTLf fragment 59
60
3 61
4
Anonymous Author(s) 62
5
ABSTRACT phase used to extract Φ from a system 𝔖 [4]; these considerations 63
6 64
This paper considers a specific fragment of Linear Temporal Logic bridge temporal reasoning with artificial intelligence, as in both
7 65
for Finite traces, DECLARE𝑑, which, to the best of our knowledge, we can extract a specification from the data that can be used to
8 66
we prove for the first time to be a polytime fragment of LTLf . We determine decision problems. Under these assumptions, we are
9 67
derive this in terms of the following ancillary results: we propose then interested in a temporal description of such systems, when
10 68
a set of novel LTLf equivalence rules that, when applied to LTLf different runs are collected as logs 𝔖 and referred to as traces 𝜎 ∈ 𝔖.
11 69
specifications, lead to an equivalent specification which can be com- These are temporally ordered records of observed and completed
12 70
puted faster by any existing verified temporal artificial intelligence (or aborted) labelled activities. We are then interested in temporal
13 71
task. We also introduce the concept of temporal non-simultaneity, specifications expressible over a fragment of Linear Temporal Logic
14 72
prescribing that two activities shall never satisfy the same atom, and for Finite traces (LTLf ), where LTLf assumes that there is only one
15 73
temporal short-circuit, that occurs when a specification interpreted possible immediately following event to another and that the traces
16 74
in LTL would accept an infinitely long trace while, on LTLf , it can be of interest contain a finite number of events. The major difference
17 75
rewritten so to postulate the absence of certain activity labels. We between LTL [16] and LTLf is that, while the former might also
18 76
test these considerations over formal synthesis (Lydia), SAT-Solvers prescribe the need for traces of infinite length, the latter will discard
19 77
(AALTAF) and formal verification (KnoBAB) tools, where formal any temporal behaviour requiring such infinite traces to occur. This
20 78
verification can be also run on top of a relational database and can is evident from their procedural characterization through automata:
21 79
be therefore expressed in terms of relational query answering. We while LTL models can be expressed as Büchi automata, LTLf can be
22 80
show that all these benefit from the aforementioned assumptions, conveniently represented as NFAs only accepting finite traces [11].
23 81
as running their tasks over a rewritten equivalent specification will To the best of our knowledge, this paper studies these situations
24 82
improve their running times. for the first time and refers to them as temporal short-circuits:
25 83
26 Example 1. Let us assume to have a temporal specification Φ = 84
27
CCS CONCEPTS □(a ⇒ #c) ∧ □(c ⇒ #a): while the interpretation of the former 85
28 • Theory of computation → Equational logic and rewriting; in LTL accepts any trace either containing neither a-s nor c-s or 86
29 Logic and verification; Modal and temporal logics; Graph algo- accepting either (ac)𝜔 or (ca)𝜔 where 𝜔 is the first infinite ordinal, 87
30 rithms analysis; Database query processing and optimization the latter can never occur in LTLf , thus prescribing the absence of any 88
31 (theory); Database query languages (principles). a-s or c-s from the patterns. By interpreting Φ in LTLf , we can then 89
32 express it equivalently to □¬a ∧ □¬c (§3.2) while preferring the latter 90
33 KEYWORDS representation as it completely removes the need to check whether the 91
34 LTLf , Declare, Verified Artificial Intelligence, Equational logic and constraint leads to infinite behaviour never expressible in finite traces. 92
35 rewriting Declarative languages in the context of Business Process Man- 93
36 agement (BPM) such as Declare [15] ease the practitioners’ task to 94
ACM Reference Format:
37 understand complex log patterns of interest in a straightforward 95
Anonymous Author(s). 2023. DECLARE𝑑: a polytime LTLf fragment. In Pro-
38 way: by restricting the set of all the possible temporal behaviours of 96
ceedings of the 43rd ACM SIGMOD-SIGACT-SIGAI Symposium on Principles
39 of Database Systems, PODS. ACM, Santiago, Chile. ACM, New York, NY, USA, interest to the one in Table 1, we can conveniently extract compact 97
40 17 pages. https://doi.org/XYZ specifications in which conformance checking tasks determine the 98
41 abidance by the hospitalization procedures [18]. These specifica- 99
42 1 INTRODUCTION tions do not necessarily have to be hard-coded, but can be mined 100
43 from such logs [4]. For BPM, each event is associated with exactly 101
Verified Artificial Intelligence [2] calls for exact procedures ascer-
44 one single label [10] and, under the occasion that each event is also 102
taining whether a model of the system 𝔖 abides by the specifica-
tions in Φ through yes or no answers (𝔖 ⊨ Φ) when written in a
45 dataful and therefore associated with some data payload, we can al- 103
46 ways generate a finite set of mutually exclusive atoms partitioning 104
formalism for efficient computations, either for verifying the com-
47 the data space into non-overlapping intervals [5]. This ensures the 105
pliance of a system to a specification (formal verification [3]) or
48 theoretical possibility of defining atoms so an event will satisfy at 106
for producing a system abiding by a given specification (formal
49 most one of them. This evidence is also corroborated by data as rep- 107
synthesis [8]). This can be determined after a specification mining
50 resented in the real world: recent work on time series segmentation 108
51 Permission to make digital or hard copies of part or all of this work for personal or showed the possibility of representing a time series as a sequence 109
52 classroom use is granted without fee provided that copies are not made or distributed of dichotomous increase and non-increase events [13] as well as 110
for profit or commercial advantage and that copies bear this notice and the full citation
53 the transitioning of a system into distinct non-overlapping states 111
on the first page. Copyrights for third-party components of this work must be honored.
54 For all other uses, contact the owner/author(s). [17]. Furthermore, different types of malware can be distinguished 112
55 PODS 2024, June 9–15, 2024, Santiago, Chile just from the distinct name of the system calls being invoked at 113
56
© 2023 Copyright held by the owner/author(s). 114
ACM ISBN XYZ. the operative system level [6, 19]. As it is a common assumption
57 https://doi.org/XYZ in specification mining algorithms using Declare to return a finite 115
58 1 116
 PODS 2024, June 9–15, 2024, Santiago, Chile Anon.

Table 1: DECLARE𝑑: our Declare’s subset of interest, where

117 𝐴 (and 𝐵) remark activation (and target) conditions. computing Φ𝑑′ is also smaller than the running time of 175
118 running such tasks over Φ (§6.2). 176
119 Exemplifying clause (𝑐𝑙 ) LTLf Semantics (J𝑐𝑙 K) 177
Graph Notation. (See §A) We denote a (finite) graph 𝐺 as a pair
120 Exists(𝐴) ♢𝐴 (𝑉 , 𝐸), where 𝑉 is a set of vertices and 𝐸 ⊆ 𝑉 2 is a set of directed 178
121 Absence(𝐴) □¬𝐴 179
Choice(𝐴, 𝐴′ ) ♢𝐴 ∨ ♢𝐴′ edges; to denote a vertex (or edge) set of a graph 𝐺, we use the nota-
122 NotCoExistence(𝐴, 𝐴′ ) ¬(♢𝐴 ∧ ♢𝐴′ ) tion 𝑉𝐺 (or 𝐸𝐺 ). Out𝐺 (𝑢) (or In𝐺 (𝑢)) is the set of the vertices reach- 180
ExlChoice(𝐴, 𝐴′ ) JChoice(A, A’)K ∧ JNotCoExistence(A, A’)K
123
RespExistence(𝐴, 𝐵) ♢𝐴 ⇒ ♢𝐵
able through the outgoing (or ingoing) edges for 𝑣 ∈ 𝑉𝐺 . Removing a 181
124
CoExistence(𝐴, 𝐵) JRespExistence(A, B)K ∧ JRespExistence(B, A)K vertex 𝑢 ∈ 𝑉𝐺 from a graph 𝐺 (𝑉𝐺− (𝑣)) requires also removing all the 182
125 Precedence(𝐴, 𝐵) ¬𝐵 W 𝐴 ingoing and outgoing edges from a graph while removing an edge 183
Response(𝐴, 𝐵) □(𝐴 ⇒ ♢𝐵)
126
Succession(𝐴, 𝐵) JPrecedence(A, B)K ∧ JResponse(A, B)K (𝑢, 𝑣) ∈ 𝐸𝐺 from such a graph (𝐸𝐺− (𝑢, 𝑣)) also requires removing 184
127 NegSuccession(𝐴, 𝐵) □(𝐴 ⇒ ¬♢𝐵) the nodes 𝑢 or 𝑣 if such removal nullifies the degree of such nodes. 185
128 ChainPrecedence(𝐴, 𝐵) □(#𝐴 ⇒ 𝐵) 186
ChainResponse(𝐴, 𝐵) □(𝐴 ⇒ #𝐵) ℘(𝑆) is the powerset of 𝑆. We represent a (hash)multimap 𝑓 associ-
129
ChainSuccession(𝐴, 𝐵) JChainPrecedence(B, A)K ∧ JChainResponse(A, B)K ating a single activity in Σ to a finite subset of Σ as a finite function 187
130 AltResponse(𝐴, 𝐵)
NegChainSuccession(𝐴, 𝐵)
□(𝐴 ⇒ #(¬𝐴 U 𝐵))
□(𝐴 ⇔ #¬𝐵)
𝑓 : Σ → ℘(Σ) where, for each 𝑥 ∈ Σ not being a key for the mul- 188
131
AltPrecedence(𝐴, 𝐵) JPrecedence(A, B)K ∧ □(𝐵 ⇒ #(¬𝐵 W 𝐴)) timap, we guarantee 𝑓 (𝑥) = ∅ and 𝑓 (𝑥) ≠ ∅ otherwise; an empty 189
132 AltSuccession(𝐴, 𝐵) JAltPrecedence(A, B)K ∧ JAltResponse(A, B)K multimap 𝑓 returns ∅ for each 𝑥 ∈ Σ. Del 𝑓 (𝑥) removes 𝑥 as a key of 190
133
the multimap while Put 𝑓 (𝑥, 𝑢) adds 𝑢 to the set of values associated 191
134
to 𝑥 in 𝑓 . Given 𝑉 a set of vertices and 𝜄 : |𝑉 | ↔ {0, . . . , |𝑉 | − 1} a 192
135 conjunction of specifications, it is quite common to return inconsis- bijection enumerating each vertex in 𝑉 to, a directed circulant graph 193
136 tent specifications under the temporal non-simultaneity axiom C𝐿𝑛,± on 𝑛 vertices has each vertex 𝑣 ∈ 𝑉 adjacent to the immedi- 194
137 (§3.3) when support metrics below 100% are considered for increas- ately preceding and 195
ing the algorithmic recall. Detecting this in advance will prevent  following vertices in 𝑉 in the order expressed
138
by 𝐿, i.e. 𝐸 C𝑛,± := (𝑢, 𝑣) ∈ 𝑉 2 ∃𝑘 ∈ 𝐿. 𝜄 (𝑣) = (𝜄 (𝑢) ± 𝑘) mod 𝑛 . 196
139 running any verified temporal artificial intelligence technique on 𝐿 197
𝑛,+
140 such specifications for the aforementioned practical scenarios, as Given this, we define C{1} as a cyclic graph representing exactly 198
𝑛,±
141 no trace will ever satisfy an inconsistent specification. one chain and C{0,...,𝑛−1} is a complete graph. 199
142 200
Example 2. Let us assume to have the following log 𝔖 = {acdefac, 2 BRIEF RELATED WORK
143 201
adcfeadad, acugac, addadduadd} As “a” appears in all traces, we
144
return ♢a (Exists(a) in Declare) as well as postulating that, when Formal Synthesis. Lydia2 [8] generates a DFA for a LTLf spec- 202
145
an a activity occurs in the log, this is immediately followed by c 50% ification Φ such that it will accept a trace 𝜎 iff. 𝜎 ⊨ Φ. The au- 203
146 thors efficiently do so by exploiting a compositional bottom-up 204
of the times (□(a ⇒ #c) or ChainResponse(a, c) in DECLARE𝑑
147 approach after rewriting a LTLf formula into an equivalent LDLf 205
with 50% support) and by the remaining 50% percent by 𝑑 (□(a ⇒
148 one. Automata operations are implemented using MONA for com- 206
#d) or ChainResponse(a, d)). Under the assumption of Axiom 1, the
149 pact representation. Benchmarks show the effectiveness of such an 207
occurrence of any “a” cannot possibly occur, thus rewriting the two
150 approach if compared to competing ones. By considering the effects 208
latter statements as □¬a. Still, this conflicts with the first occurrence
151 of specification rewriting in automata generation, we want to verify 209
clause, thus generating a globally un-satisfiable specification ⊥.
152 whether temporal short-circuit rewriting tasks are already occur- 210
153 This paper focuses on a further fragment of the aforementioned ring over Lydia while building the automaton instead of pursuing 211
154 declarative language, DECLARE𝑑 (Table 1), which is still affected the approach in §3.2 (see Lemma 1 vs. Corollary B.1). 212
155 by the aforementioned problem. These two preliminary definitions, 213
156 where the second is optional, alongside the determination of a set Formal Verification. KnoBAB3 [3] is a tool implementing the se- 214
157 of equivalence rules for DECLARE𝑑 (Figure 1) and the definition of mantics for LTLf operators into custom relational operators (xtLTLf ) 215
158 an algorithm for DECLARE𝑑 rewriting Φ𝑑 (§4) lead to our major providing a 1-to-1 mapping with the former. This was achieved 216
159 result, that our proposed algorithm runs in Poly(𝑛) (§5). In fact, by adequately representing all the traces in a log 𝔖 under a main 217
160 such algorithm1 will return ⊥ if the module has inconsistencies, ⊤ memory columnar representation. Its architecture stores all the 218
161 if this is detected trivially true, and a rewritten set of DECLARE𝑑 activities associated to traces’ events in an ActivityTable, which 219
162 clauses Φ𝑑′ when possible. As a byproduct of the previous result, is then sorted by increasing activity id in Σ, trace id, and event id. At 220
163 we show that such running times were not achieved by other tools loading time, the system also builds up a CountingTable, which de- 221
164 not running on the same fragment: termines the number of occurrences of each activity label per trace. 222
This architecture supports MAX-Sat queries, declarative confidence
165
• Our rewritten equivalent specification Φ𝑑′ speeds up the and support, and returning the traces satisfying a given clause
223
166 224
167
time of existing verified temporal artificial intelligence algo- alongside its associated activated and target conditions (𝜎 ⊨ Φ for 225
rithms (§2) if compared with their runtime over the original 𝜎 ∈ 𝔖). As this specification outperforms existing tools for formal
168
specification Φ𝑑 , thus proving that such algorithms do not verification, we take this as a computational model of reference for
226
169 227
support the notion of temporal short-circuit (§6.1). determining the computational complexity of formal verification
170 228
• Under temporal non-simultaneity, the time required for both tasks over given specifications Φ𝑑 in xtLTLf (see Lemma 2).
171 229
running a verified temporal artificial intelligence task and
172 2 https://github.com/whitemech/lydia 230
173 1 https://anonymous.4open.science/r/DECLAREd-B1BF 3 https://github.com/datagram-db/knobab 231
174 2 232
 DECLARE𝑑 : a polytime LTLf fragment PODS 2024, June 9–15, 2024, Santiago, Chile

ChainResponse Rules (𝐺 cr )
233 SAT-Solvers. AALTAF4 [14] is a SAT-checker determining whether ChainResponse ( a, a ) ∧ Absence ( a ) ≡ Absence ( a )
291
234 an LTLf formula is satisfiable by generating a corresponding transi- ChainResponse ( a, a ) ∧ AltResponse ( a, a ) ≡ Absence ( a )
292
235 tion system where each state represents subformulæ of the original ChainResponse ( a, b ) ∧ NegChainSuccession ( a, b ) ≡ Absence ( a ) 293
236 LTLf specification while leveraging traditional SAT-solvers. Dif- Response Rules (𝐺 r ) 294
Response ( a, a ) ∧ Absence ( a ) ≡ Absence ( a )
237 ferently from KnoBAB, which determines whether traces in a log Response ( a, c ) ∧ ChainResponse ( a, b ) ≡ ChainResponse ( a, b ) 295
238 satisfy an LTLf specification expressed in algebraic terms (xtLTLf ) Response ( a, b ) ∧ Absence ( b ) ≡ Absence ( b ) ∧ Absence ( a ) 296
NegSuccession Rules (𝐺 ns )
239 or not, AALTAF is more general than this and determines whether 297
NegSuccession ( a, b ) ∧ Absence ( a ) ≡ Absence ( a )
240 no traces will ever satisfy a given specification, thus determining its NegSuccession ( a, b ) ∧ Absence ( b ) ≡ Absence ( b )
298
241 unsatisfiability, or whether there might exist a finite trace allowing NegSuccession ( a, b ) ∧ ChainResponse ( a, b ) ≡ Absence ( a ) 299
242 this. This paper will show that DECLARE𝑑 provides a polytime frag- NegSuccession ( a, b ) ∧ Response ( a, b ) ≡ Absence ( a ) 300
AltResponse Rules (𝐺 ar )
243 ment of LTLf for which our equational rewriting algorithm (§4) also AltResponse ( a, b ) ∧ Absence ( a ) ≡ Absence ( a ) 301
244 provides a decidable polyspace decision function for satisfiability AltResponse ( a, b ) ∧ ChainResponse ( a, b ) ≡ ChainResponse ( a, b ) 302
AltResponse ( a, b ) ∧ Absence ( b ) ≡ Absence ( b ) ∧ Absence ( a )
245 (see Theorem 1). AltResponse ( a, b ) ∧ NegSuccession ( a, b ) ≡ Absence ( a )
303
246 AltPrecedence Rules (𝐺 ap- ) 304
247 LTLf Modulo Theories. While LTLf is generally known as a de- □( b → # (¬b W 𝑎) ) ∧ Absence ( b ) ≡ Absence ( b ) 305
248 cidable language, most recent research [9] also consider decidable □( b → # (¬b W 𝑎) ) ∧ ChainResponse ( b, a) ≡ ChainResponse ( b, a) 306
fragments of LTLf also involving first-order logic arithmetic proper- RespExistence Rules (𝐺 re )
249 307
RespExistence ( a, b ) ∧ Exists ( a ) ∧ Absence ( b ) ≡ ⊥
250 ties. Differently from our proposed characterization, events are not 308
RespExistence ( a, b ) ∧ Exists ( a ) ≡ Exists ( a ) ∧ Exists ( b )
251 labelled as required when actions need to be ascertained. Further- RespExistence ( a, b ) ∧ Exists ( b ) ≡ Exists ( b )
309
252 more, none of the proposed decidable fragments with arithmetic RespExistence ( a, b ) ∧ Absence ( b ) ≡ Absence ( a ) ∧ Absence ( b ) 310
properties involves considerations on polytime complexity, while Choice Rules (𝐺 c )
253 311
Choice ( a, b ) ∧ Exists ( a ) ∧ Exists ( b ) ≡ Exists ( a ) ∧ Exists ( b )
254 still referring to polyspace complexity. Choice ( a, b ) ∧ Absence ( a ) ∧ Absence ( b ) ≡ ⊥ 312
Choice ( a, b ) ∧ Absence ( a ) ≡ Absence ( a ) ∧ Exists ( b )
255 313
Choice ( a, b ) ∧ Absence ( b ) ≡ Absence ( b ) ∧ Exists ( a )
256 3 PRELIMINARIES NotCoExistence Rules (𝐺 nce ) 314

We consider temporal specifications Φ𝑑 expressed in DECLARE𝑑

257 NotCoExistence ( a, b ) ∧ Absence ( a ) ≡ Absence ( a ) 315
258 NotCoExistence ( a, b ) ∧ Absence ( b ) ≡ Absence ( b ) 316
as a finite set of clauses from Table 1 being instantiated over a NotCoExistence ( a, b ) ∧ Exists ( a ) ∧ Exists ( b ) ≡ ⊥
finite set of possible activity labels Σ. By interpreting this as con-
259 317
NotCoExistence ( a, b ) ∧ Exists ( a ) ≡ Exists ( a ) ∧ Absence ( b )

junctive models [5], we can equivalently represent Φ𝑑 as the finite

260 NotCoExistence ( a, b ) ∧ Exists ( b ) ≡ Exists ( b ) ∧ Absence ( a ) 318
261 NotCoExistence ( a, b ) ∧ RespExistence ( a, b ) ≡ Absence ( a ) 319
conjunction of the LTLf semantics associated to such clauses, i.e. Precedence Rules (𝐺 p )
Φ ≡ 𝑐𝑙 ∈Φ𝑑 [[𝑐𝑙 ]]. We use both notations interchangeably. Proofs
262 Ó 320
Precedence ( a, b ) ∧ Absence ( a ) ≡ Absence ( a ) ∧ Absence ( b )
263 321
are postponed to the Appendix due to space limitations. Precedence ( a, b ) ∧ Absence ( b ) ≡ Absence ( b )
264 322
265 323
3.1 Rewriting Rules Figure 1: Some rewriting Rules for DECLARE𝑑 (§4.3)
266 324
267 Figure 1 identifies any possible rewriting of the DECLARE𝑑 clauses 3.2 Temporal Short-Circuit Rewriting 325
268 into Absence or Exists, while determining the effects of the latter Ó
A finite conjunction of LTLf statements 𝜑 := 𝑖 𝜑𝑖 leads to a tempo- 326
269 when interfering with the templates’ activation (𝐴) or target (𝐵) ral short-circuit if this can be rewritten as a finitary conjunction, 327
conditions. If available, we are also interested in rewriting rules to either 𝜑 ′ := 𝑗 □¬a 𝑗 or 𝜑 ′ := 𝑗 ♢a 𝑗 , for each distinct atom a 𝑗
270 Ó Ó 328
271 identify an inconsistency leading to an unsatisfiable specification freely occurring in 𝜑 when 𝜑 ′ is not syntactically equivalent to 𝜑. We 329
272 ⊥. We now consider rewriting rules not assuming the temporal apply a (temporal) short-circuit rewriting to a LTLf specifica- 330
273 non-simultaneity axiom, thus remarking on the possibility of en- tion Φ if we replace any sub-formula 𝜑 in Φ leading to a temporal 331
274 coding these in already-existing tools as an LTLf pre-processing short-circuit with 𝜑 ′ . 332
275 step without any further assumption. As AltPrecedence(a, b) can Short-circuits based on ChainResponse boil down to the absence 333
276 be rewritten as the LTLf expression associated to Precedence(a, b) of each of its atoms: 334
277 as well as □(b → #(¬b U a)), we named AltPrecedence rewrit- 335
Lemma 1. Given 𝐴 = { c1, c2, . . . , c𝑛 } ⊆ Σ, Φ′ := c𝑖 ∈𝐴 □¬c𝑖 is
Ó
278 ing rules only the ones related to this LTLf expression. Due to the 336
equivalent to Φ := □(c𝑛 ⇒ #c1 ) ∧
Ó
279 limited space, we omit the proofs, but the reader can easily verify 𝑖 ∈N □(c𝑖 ⇒ #c𝑖+1 ) in LTLf . 337
1≤𝑖<𝑛
280 their correctness by checking that both sides of the equivalences 338
281 generate the same automata5 . Such rewriting will streamline formal verification tasks: 339
282 In all the rules, we assume that a ≠ b where a, b ∈ Σ. Other Lemma 2. Given 𝐴 = { c1, c2, . . . , c𝑛 } ⊆ Σ, computing := Φ′ 340

c𝑖 ∈𝐴 □¬c𝑖 in lieu of Φ := □(c𝑛 ⇒ #c1 ) ∧

Ó Ó
𝑖 ∈N □(c𝑖 ⇒ #c𝑖+1 )
283 rewriting rules (Lemma B.4) are implicitly assumed in forthcom- 341
284 ing algorithmic subroutines (Section 4.1) and while loading and 1≤𝑖<𝑛 342
always leads to a positive average speed-up.
285 indexing specifications (Algorithm 2). 343
286 After representing all the ChainResponse(a, c) in a input spec- 344
287 ification as a graph 𝐺 cr with edge a → c ∈ 𝐸𝐺 cr and nodes 345
288 4 https://github.com/lijwen2748/aaltaf a, c ∈ 𝑉𝐺 cr , we can show as a corollary of the first lemma that 346
289 5 An on-line tool is available here: http://ltlf2dfa.diag.uniroma1.it/ this boils down to removing all circuits appearing over some nodes 347
290 3 348
 PODS 2024, June 9–15, 2024, Santiago, Chile Anon.

𝛽 cr ⊆ 𝑉𝐺 cr and rewriting such clauses as ( 𝑣 ∈𝛽 cr Absence(𝑣)) ∧

Ó
349 Algorithm 1 Algorithmic Subroutines for our specification rewriter 407
( 𝑢→𝑣 ∈𝐸𝐺 cr ChainResponse(𝑢, 𝑣)) in polytime on the size of Φ (Corol-
Ó
350 1: function Ex(𝑥):= 𝐹 ← Put𝐹 (𝑥, true); return |𝐹 (𝑥)| = 1 408
351 𝑢,𝑣∉𝛽 cr 2: function Abs(𝑥):= 𝐹 ← Put𝐹 (𝑥, false); return |𝐹 (𝑥)| = 1 409
352 lary B.1). We can infer similar lemmas for AltResponse in terms 3: function Clear(𝑥):= 410
of rewriting such resulting temporal short-circuits to absences 4: V𝐺− (𝑥); V − (𝑥); V − (𝑥); V − (𝑥); V − (𝑥); V − (𝑥)
353 cr 𝐺 ar 𝐺 ncs 𝐺r 𝐺 ns 𝐺 re 411
(Lemma B.2) thus resulting in time speed-up (Corollary B.3). 5: for all 𝑏 ∈ Out𝐺 ch (𝑥) do if not Ex(𝑏) then return false
354 412
6: for all 𝑏 ∈ In𝐺 ch (𝑥) do if not Ex(𝑏) then return false
355 7: V𝐺− (𝑥) 413
ch

356
3.3 Temporal Non-Simultaneity 8: for all 𝑏 ∈ Out𝐺 p (𝑥) do 414
9: if not Abs(𝑥) then return false else E𝐺 − (𝑥, 𝑏)
p
357 Axiom 1 (Temporal Non-Simultaneity). Given the set of all the 415
358 possible activity labels Σ, we prescribe that no distinct activity could 10: return true
416
359 occur simultaneously in the same instant of time. This can be expressed 11: function Reduce★(𝑥):= 417
360 as ∀a, b ∈ Σ.a ≠ b ⇒ □(a ∧ b ⇒ ⊥). 12: visited ← ∅
418
13: toremove ← {𝑥 }
361
As we assume a finite set of activity labels Σ to be fully known 14: while toremove ≠ ∅ do 419
362 15: 𝑥 ← Pop(toremove) 420
from our specification or data, we can represent this axiom as an 16: if 𝑥 ∈ visited then continue else visited ← visited ∪ {𝑥 }
363
extension of the properties Φ to be checked as a new property 17: if not Abs(𝑥) or not Clear(𝑥) then return false 421
toremove ← toremove ∪ In𝐺 ★ (𝑥)
364
Φ↓Σ := Φ ∧ a,b∈Σ □(a ∧ b ⇒ ⊥). As prior approaches using LTLf 422
Ó 18:
19: if ★ = ch then
365 a≠b toremove ← toremove ∪ Out𝐺 ★ (𝑥)
423
366 did not consider this assumption, Φ should be directly stated as 20:
21: for all 𝑦 ∈ toremove do: if not Expandre (𝑦) then return false 424
367 Φ↓Σ for both Lydia and AALTAF. On the other hand, our solver 22: return true 425
368 Reducer only takes Φ𝑑 as it works under such an axiom. KnoBAB 23: return true
426
369 automatically assumes that each distinct activity label is different 24: function Reducep (𝑥) override := 427
from the rest, thus entailing an implicit semantic difference between 25: visited ← ∅
370 428
26: toremove ← {𝑥 }
371 different types of events. 27: while toremove ≠ ∅ do 429
372 28: 𝑥 ← Pop(toremove) 430
Rewriting Rules. We can identify that the following rewriting 29: if 𝑥 ∈ visited then continue else visited ← visited ∪ {𝑥 }
373
rule holds for c ≠ b in Σ, as we can never have an event being 30: if not Abs(𝑥) or not Clear(𝑥) then return false 431
toremove ← toremove ∪ Out𝐺 p (𝑥)
374
labelled with both c and b after the same occurring event: 31:
− (𝑥)
432
32: V𝐺 p
375 433
376
[ChainResponse(a, b) ∧ ChainResponse(a, c)] ↓Σ ≡ Absence(a) 33: return true
434
377 Temporal Short-Circuit Rewriting. We now consider temporal 34: function Expandre (𝑥):= 435
378 35: visited ← ∅
short-circuit rewriting rules that only hold under temporal non- 36: torexpand ← {𝑥 }
436
379 simultaneity. For a ≠ b in Σ, as any b shall always occur after the 37: while torexpand ≠ ∅ do 437
380 first occurring a for Response, we can express it as: 38: 𝑥 ← Pop(toremove) 438
39: if 𝑥 ∈ visited then continue
381 439
□(a → ♢b)↓Σ ≡ □(a → #♢b) 40: visited ← visited ∪ {𝑥 }
− (𝑥)
382 41: if not Ex(𝑥) then return false else V𝐺 ch
440
383 Due to this, we need to discard the eventuality that |𝐴| = 1, as 42: − (𝑢, 𝑥)
for all 𝑢 ∈ In𝐺 re (𝑥) do: E𝐺 re 441
𝐺 (a → ♢a) is, on the other hand, trivially true and leads to no 43: for all 𝑢 ∈ In𝐺 ns (𝑥) do: if not Abs(𝑢) or not Clear(𝑢) return false
384 442
44: for all 𝑢 ∈ Out𝐺 re (𝑥) do
385 temporal short-circuit. 45: if (true ∉ 𝐹 (𝑢)) then torexpand ← torexpand ∪ {𝑢} 443
V𝐺− (𝑥)
Lemma 3. Given 𝐴 = { c1, c2, . . . h, c𝑛 } ⊆ Σ with |𝐴| = 𝑛 > 2, Φ′
46: re
386 444
:=
Φ
387 Ó Ó 445
c𝑖 ∈𝐴 □¬c𝑖 is equivalent to := □(c 𝑛 ⇒ ♢c 1 ) ∧ 𝑖 ∈N □(c𝑖 ⇒
388 1≤𝑖<𝑛 446
i
temporal short-circuit rewriting (§4.4) before returning the rewrit-
389 ♢c𝑖+1 ) in LTLf . 447
390 ↓Σ ten specification Φ𝑑′ from the edges remaining from 𝐺 ★ and values 448
in an 𝐹 map storing Absence and Exists clauses. Upon detecting
Lemma 4. Given 𝐴 = { c1, c2, . . . , c𝑛 } ⊆ Σ with
391 449
392 h |𝐴| = 𝑛 > 2, the joint satisfaction of an Absence(x) and Exists(x) for an activ- 450
computing Φ′ := c𝑖 ∈𝐴 □¬c𝑖 in lieu of Φ := □(c𝑛 ⇒ ♢c1 ) ∧
Ó
393 ity label x, we immediately detect an inconsistency for which we 451
return ⊥. If the resulting specification appears to be empty in spite
Ó i
𝑖 ∈N □(c𝑖 ⇒ ♢c𝑖+1 )
394 always leads to a positive average speed- 452
395 1≤𝑖<𝑛 ↓Σ of no inconsistency being detected, we then obtain a trivially true 453
396
up. specification ⊤. Otherwise, we return a rewritten specification Φ𝑑′ . 454
397 455
398 4 REDUCER: EQUATIONAL REWRITING 4.1 Algorithmic Subroutines 456
399 The Reducer algorithm for rewriting Φ𝑑 into Φ𝑑′ proceeds as fol- Algorithm 1 shows crucial algorithmic subroutines ensuring to 457
400 lows: after showing the subroutines for removing redundant clauses propagate the detection of an absence/presence of an activity label 458
401 from the specification while propagating the detection of an incon- while dealing with clauses 𝑐𝑙 derivable from the input specification 459
402 sistency towards the function call chain (§4.1), we outline how a Φ𝑑 clauses of the specification. 460
403 specification Φ𝑑 can be efficiently loaded as a collection of graphs Let 𝐹 be a finite multimap associating each activity label a ∈ Σ 461
404 𝐺 ★ for each DECLARE𝑑 template ★ for clause indexing (§4.2). After to a set of booleans, where true (and false) denotes that Exists(a) 462
405 applying the aforementioned equivalence rules (§4.3), we apply the (and Absence(a)) can be inferred from the specification. If both 463
406 4 464
 DECLARE𝑑 : a polytime LTLf fragment PODS 2024, June 9–15, 2024, Santiago, Chile

465 Exists(a) and Absence(a) are entailed, we deem the overall speci- Algorithm 2 Loading binary clauses in primary memory 523
466 fication as inconsistent, for which we will return ⊥. Ex in L. 1 (and 1: function SpecificationLoading(Φ) 524
2: match each 𝑥 ∈ Φ with
467 Abs in L. 2) returns false whether the addition of Exists (or an 3: case Exists(a): if not Ex(a) then return ⊥
525
468 Absence) to a specification makes it explicitly inconsistent. 4: case Absence(a): if not Abs(a) then return ⊥ 526
469 Clear at L. 3 removes all the clauses in which activation con- 5: case ChainPrecedence(a, b): E𝐺 + (a, b) 527
cp

470 dition 𝑥 would never occur per Absence(𝑥). For Choice(x, b), this 6: +
case ChainResponse(a, b): E𝐺 cr (a, b); E𝐺 + (a, b) 528
r
+ (a, b)
471 triggers the generation of Exists(b) which, in turn, might lead to 7: case Response(a, b) s.t. a ≠ b: E𝐺 r 529
+ (a, b)
472 an inconsistent specification (L. 5 and 6). For Precedence(x,b), the 8: case Precedence(a, b) s.t. a ≠ b: E𝐺 p 530
RespExistence(a, b) a ≠ b: + (a, b)
473 absence of the activation requires Absence(b), which is then in turn 9: case s.t. E𝐺 re 531
474 added while testing for the specification’s inconsistency (L. 9). The 10: case NegSuccession(a, b) : 532
11: if a = b then
475 function returns true if the specification is not currently detected 12: if not Abs(a) then return ⊥
533
476 as inconsistent (L. 10). 13: else 534
+ (a, b);
477 Reduce at L. 11 can be applied to templates ★ such as Chain- 14: E𝐺 ns 535
+
478 Response, Response, and AltResponse for implementing a cas- 15: case NegChainSuccession(a, b) : E𝐺 ncs (a, b) 536
479 cade effect upon the specification supporting Absence(x) by also 16: case Succession(a, b) s.t. a ≠ b: 537
17: E𝐺+ (a, b); E+ (a, b)
r 𝐺p
480 requiring that the associated activations should be absent from 538
18: case CoExsteince(a, b) s.t. a ≠ b:
481 the specification (L. 18). We return true if no inconsistency was 19: E𝐺+ (a, b); E+ (b, a)
re 𝐺 re
539
482 detected, and false otherwise. This idea was revised so as to be 20: case ChainSuccession(a, b): 540
+ (a, b); E+ (a, b); E+ (b, a)
483 applied to Precedence (L. 24): for this, the absence of the activation 21: E𝐺 cr 𝐺r 𝐺 cp 541
484 triggers the necessity of the second argument to be absent as well, 22: case AltPrecedence(a, b) s.t. a ≠ b: 542
+ +
23: E𝐺 ap- (b, a); E𝐺 p (a, b)
485 thus enforcing to visit the graph towards the outgoing edges (L. 31). 543
24: case AltResponse(a, b) :
486 We also ensure to remove all the vertices and edges associated with 25: if a = b then 544
487 𝑥 (L. 32). 26: if not Abs(a) then return ⊥ 545
488 Dually, Expandre works by recursively applying the head from 27: else
+ (a, b); E+ (a, b)
546
28: E𝐺 r 𝐺 ar
489 the tail of the RespExistence clauses upon the request that an 547
29: case AltSuccession(a, b) :
490 event 𝑥 shall exist in the data (L. 45). As this trivially exists, we 30: if a = b then
548
491 remove all the clauses having this condition in the head of such rules 31: if not Abs(a) then return ⊥ 549
+ (a, b); E+ (a, b); E+ +
492 (L. 42) while, if 𝑥 appears as a second argument of a NegSuccession(u, x), 32: else E𝐺 r 𝐺p 𝐺 ap- (b, a); E𝐺 ar (a, b)
550
493 we still postulate for the absence of 𝑢 from the specification (L. 43). 33: case Choice(a, b): 551
34: if a = b then
494 552
35: if not Ex(a) then return ⊥
495 + (min{a, b}, max{a, b}) 553
36: else E𝐺 ch
496 554
37: case ExclChoice(a, b):
497 38: if a = b then return ⊥ 555
4.2 Specification Loading as Graphs 39: E𝐺+ (min{a, b}, max{a, b})
498 ch 556
+
40: E𝐺 nco (min{a, b}, max{a, b})
499 Algorithm 2 shows the process of loading and indexing the clauses 557
case NotCoExistence(a, b):
from Φ𝑑 in primary memory.
41:
500 558
42: if a = b then
501 We add Absence and Exists in map 𝐹 ; at this stage, the specifi- 43: if not Abs(a) then return ⊥ 559
+
502 cation is deemed inconsistent (returning ⊥) if a given activity label 44: else E𝐺 nce (min{a, b}, max{a, b}) 560
503 a is required to both appear and be absent from each trace. 561
504 Binary clauses ★(a, b) are loaded as edges (a, b) of a graph 𝐺 ★ 562
505 where 𝑉𝐺 ★ ⊆ Σ. Clauses being the conjunction of other clauses 4.3 Applying Equational Rewriting 563
506 are then rewritten into their constituents; AltPrecedence(a, b) Equational rewriting for rules in Figure 1 is run as follows: we 564
507 is rewritten into Precedence(a, b), to be stored in an edge (a, b) consider each graph in order of appearance in §3.1 and we iterate 565
508 for 𝐺 p , and □(b → #(¬b W a)), to be stored in an edge (b, a) over its edges. For each of these, we detect their match with one 566
509 for 𝐺 ap- . For binary clauses entailing the universal truth ⊤ when of the cases appearing in the first binary clause ★(a, b) on the left- 567
510 both arguments are associated with the same activity label (e.g., hand side of the formula, and we look up for the occurrence of any 568
511 Response), we avoid inserting this clause as an edge. For other clause appearing in the same hand-side. 569
512 clauses (e.g., AltResponse, L. 26), this same situation might be If the condition described by the left-hand side is then reflected 570
513 rewritten as the absence of a specific activity label which, if leading by the specification represented by edges for graphs 𝐺 ★ and 𝐹 , we 571
514 to an inconsistency, also immediately ensures to return an empty determine the rewriting strategy depending on the definition of the 572
515 specification. Conversely, a Choice having both arguments being right-hand side. If the latter is ⊥, we immediately return it and detect 573
516 the same boils down to an Exists, which is also added in place of an unsatisfiable model. Also, we remove any edge (a, b) from 𝐺 ★ if 574
517 Choice (L. 35), while we might never have an ExclChoice where ★(a, b) does not appear on the right-hand side of the formula, and 575
518 both arguments are the same (L. 38). For clauses being symmetric we add any edge †(a, b) in 𝐺 † not appearing on the left-hand side. 576
519 (e.g., Choice), we avoid duplicated entries by preferring only one If an Exists(a) (or Absence(a)) appears only on the right-hand 577
520 of the two equivalent writings (e.g., Choice(a,b) over Choice(b,a) side, we add it by invoking Ex(a) (or Abs(a)), while immediately re- 578
521 for a ⪯ b, L. 36). turning an empty specification if an inconsistency is detected while 579
522 5 580
 PODS 2024, June 9–15, 2024, Santiago, Chile Anon.

581 doing so. These methods are also changed according to the interde- given Lemmas B.4 to B.6 and Corollary B.4, we have that each 639
582 pendencies across templates: e.g., the generation of new Exists(𝑥) previous subsection in §4 describes a polytime procedure. The 640
583 for RespExistence rules triggers Expandre (𝑥) instead, and the composition of each single non-mutually-recursive sub-routine 641
584 Absence(𝑥) for NotCoExistence invokes Reducech (𝑥) which, in terminates and leads to a polytime decision function. 642
585 turn, will also call for Expandre (𝑥) as per Algorithm 1; Absence(𝑥) Last, we discuss the correctness of the resulting procedure. If 643
586 for RespExistence will call for Reducere (𝑥). Similar considera- Φ𝑑 in input were a tautology, all the clauses in the original spec- 644
587 tions can be provided for other templates and rules. This process ification would have been cancelled out as they would have triv- 645
588 does not clear out clauses, as we at least fill in 𝐹 , from which we ially held, thus providing no further declarative clause to be re- 646
589 are also returning Exists or Absence for Φ𝑑′ . turned (Lemma B.7). If, on the other hand, any inconsistency was 647
590
After applying the rules on a single graph 𝐺 † , we then iterate detected, the computation would have stopped before returning 648
591
over all the activities 𝑥 required to be absent by the specification the reduced specification, thus ignoring all the remaining rewrit- 649
592
(false ∈ 𝐹 (𝑥)), for which we run all the Reduce★ (𝑥) methods ing steps (Lemma B.8). If neither of the previous cases holds, we 650
593
and Clear(𝑥), through which we propagate the effect of requiring have then by exclusion a satisfiable specification Φ𝑑 which is also 651
594
the absence of a specific activity label to all the clauses in the rewritten into an equivalent specification Φ𝑑′ under Axiom 1. □ 652
595 653
specification. If, while doing so, any inconsistency is detected by
596
returning a false, we immediately return ⊥ (see Lemma B.8). 6 EMPIRICAL EVALUATION 654

We determine a set of activity labels Σ from the Cybersecurity

597 655

dataset [6] and by creating 8 distinct subsets 𝐴1, . . . , 𝐴8 ⊆ Σ of

598 4.4 Applying Short-Circuit Rewriting 656
599 657
This further algorithmic step is run after running the AltPrecedence size |𝐴𝑖 | = 2𝑖 such that 𝐴𝑖 ⊂ 𝐴 𝑗 for each 1 ≤ 𝑖 < 𝑗 ≤ 8. We then
600 658
Rules and before running the RespExistence ones, thus potentially consider each 𝐴𝑖 as a set of vertices for which we instantiate a
601 659
reducing the number of clauses to be considered due to the absence complete graph, a cyclic graph representing a chain, and a circulant
602 |𝐴𝑖 |,± 660
603
of a specific activity label. graph C{0,1,2,3} . Given each of these graphs 𝑔, we then generate a 661
We prefer to detect the existence of a circuit 𝑣 𝛼 1 → · · · → 𝑣 𝛼𝑛 → specification Φ𝑖 for each of these 𝐴𝑖 by interpreting each edge
𝑐,𝑔
604 662
𝑣 𝛼 1 of length 𝑛 + 1 through a DFS visit of the graph with back-edge
605 (𝑎, 𝑏) ∈ 𝐴𝑖2 in the generated graph as a declarative clause: 663
detection [7]. Once we detect a circuit, we generate Absence(𝑣 𝛼𝑖 )
606 664
clauses for each node 𝑣 𝛼𝑖 in it, while removing such nodes from the • c=ChainResponse: ChainResponse(a, b)
607 665
graph. The latter operation is efficiently computed by creating a • c=Precedence: Precedence(a, b)
608 666
view over such a graph through an absence set 𝑅 which will contain • c=Response: Response(a, b)
609 667
all of the nodes in the circuit being removed. Then, for each graph • c=RespExistence+Exists: RespExistence(a, b)
610 668
traversal, we avoid starting the visit from nodes in 𝑅 and we avoid • c=RespExistence+ExclChoice+Exists: RespExistence(a, b),
611 669
traversing edges leading to nodes in 𝑅. This avoids extremely costly ExclChoice(a, b)
612 670
graph restructuring operations. As by construction we cannot have For the last two cases, we also add a clause Exists(u) for u =
613 671
a single non-connected node as each clause is represented by one min 𝐴𝑖 . Given the same 𝐴𝑖 and 𝑢, we also generate two other speci-
614 672
fications Φ𝑖 where clauses are instead generated for each activity
single edge, if at the end of this reduction process we obtain nodes 𝑐,𝑔
615 673
with zero degrees, such nodes were previously connected to nodes label a ∈ 𝐴𝑖 :
616 674
belonging to cycles and that were therefore also part of cycles: those
617 • c=(Chain+Alt)Response: ChainResponse(a, a), 675
also constitute Absence clauses.
618 AltResponse(a, a) 676
For all the novel Absence(a) clauses being inserted in the speci-
619 • c=ChainResponseAX : ChainResponse(u, a). 677
fication in lieu of the detected temporal short-circuits, we also run
620 678
all the available Reduce★(𝑥) methods as well as Clear(𝑥), thus We then expect that, if any of the aforementioned verified tempo-
621 679
ensuring a cascading effect removing the remaining clauses that ral artificial intelligence tasks provide no LTLf or Declarative rule
622 680
will never be activated while keeping searching for inconsistencies rewriting as per this paper, running any verified temporal artificial
623 |𝐴𝑖 |,± 681
intelligence task over a Φ𝑖 being generated from 𝑔 = C{0,...,|Σ
𝑔,𝑐
via sub-routine calls.
624 𝑖| −1} 682
𝑔′ ,𝑐 |𝐴𝑖 |,±
625
5 DECLARE𝑑, A POLY(|Φ𝑑 |)-TIME SAT-SOLVER will take more time than running it over a Φ𝑖 where 𝑔′ = C{0,1,2,3} , 683
626 𝑔′′ ,𝑐 684
627 This section is mainly to prove that satisfiability in DECLARE𝑑 can which in turn will take more time than running a specification Φ𝑖 685
|𝐴 |,+
628 be carried out in polytime over the size of the original specification generated over 𝑔′′ = C{1}𝑖 . This last consideration also includes 686
629 |Φ𝑑 |; this strengthens the previous informal results over confor- the aforementioned rewriting task in its worst-case scenario. As 687
we are expecting that, for each 𝑐, each of these Φ𝑖 for any of such
mance checking provided over KnoBAB over such a fragment. We 𝑐,𝑔
630 688
631 twin this result with the overall algorithmic correctness. graphs 𝑔 will be then always rewritten into the same specification 689
632
Theorem 1. The Reducer specification rewriting process is a de- Φ𝑖′𝑐 , we are expecting to have similar running times for each rewrit- 690
633
cidable SAT-Solver for DECLARE𝑑 running in Poly(|Φ𝑑 |)-time. ten specification, as we expect the running time in the latter to be 691
634 dependant on the number of atoms/vertices and not on the number 692
635 Proof. The main lemmas supporting this proof are reported in of clauses as the former. 693
636 the appendix due to the lack of space. First, we need to prove that Each of these generated specifications is then fed to our rewrit- 694
637 the previous section describes an always-terminating computation: ing algorithm, which returns the specification in both the LTLf 695
638 6 696
 DECLARE𝑑 : a polytime LTLf fragment PODS 2024, June 9–15, 2024, Santiago, Chile

697 6.1 Rule Rewriting without Temporal 755

698 Non-Simultaneity 756
699 757
We now consider all the resulting specifications being generated
700 758
except Response and ChainResponseAX, which are discussed in the
701 759
next subsection as they assume the temporal non-simultaneity
702 760
axiom. The ones here discussed are a mere application of temporal
703 761
short-circuit rewriting. Therefore, this section aims at remarking
704 762
on the generality of our result, which can be shown even without
705 763
assuming Axiom 1.
706 764
Each plot in Figure 2 is grouped by 𝑐 and the black solid line
refers to the time required for the solver to generate Φ𝑑 𝑖′𝑐 from
707 765
708 766
Φ𝑑 𝑖 in milliseconds. Missing data points refer to data points not
𝑐,𝑔
709 767
710
being collected as the solutions went out of primary memory. For 768
711
both Lydia and AALTAF, we consider running those over both 769
the non-rewritten specification Φ𝑖 as well as over the rewritten
Figure 2: Comparing the specification reducer’s running time 𝑐,𝑔
712 770
with the ones of Lydia and AALTAF running over Φ𝑖 vs.
𝑐,𝑔
713
one Φ𝑖 (LYDIA(R) and AALTAF(R) in Figure 2). In its worst-case
′𝑐
771
running over Φ𝑖 (LYDIA(R) and AALTAF(R) respectively).
′𝑐
scenario, Reducer has a running time comparable to AALTAF over
714 772
715
the non-reduced specification while, in the best-case scenario, it 773
716
has a running time inferior or comparable to AALTAF over the 774
717
rewritten specification. This ensures that running our solver as a 775
718
pre-processing mechanism can benefit existing verified temporal 776
719
artificial intelligence algorithms. 777
720
Given these experiments, such tools did not support our sug- 778
721
gested rewriting rules. Otherwise, the tasks’ running time on the 779
original specification Φ𝑖 would have been comparable to the one
𝑐,𝑔
722 780
723
for Φ𝑖 plus the running time for Reducer. Since experimental evi-
′𝑐
781
dence suggests that the running time for Φ𝑖 is always greater than
𝑐,𝑔
724 782
725 the one for Φ𝑖 , we have thus empirically demonstrated both the
′𝑐
783
726 novelty and necessity of these rewriting rules in the aforementioned 784
727 tools. 785
728 Figure 3 shows the benchmarks for the formal verification task 786
729 running on KnoBAB. This plot was separated from the rest to 787
730 improve the plot’s readability. Even in this scenario, the formal 788
731 verification task over the reduced specification comes, in the worst 789
732 Figure 3: Comparing different running times of KnoBAB case scenario, with a running time comparable to the one over the 790
733 over Φ𝑑 (False) vs. Φ𝑑′ (True). original specification while, in the best case scenario, we have a 791
734 speed-up of seven orders of magnitude, as all the tasks requiring 792
735 the access to the ActivityTable are rewritten into clauses that can 793
representation required by Lydia and AALTAF and the declara-
736 leverage the sole CountingTable. This also remarks that the query 794
tive specification for KnoBAB. We discard parsing and query plan
737 plan minimisation strategy cannot satisfactorily outperform any 795
generation times for each solution: running times for Lydia only
738 declarative specification pre-processing strategy, leading to a re- 796
considered the time required for generating the DFA from the LTLf
739 sulting reduced specification, as its associated running time would 797
formula as per their internal main-memory representation. For the
740 have had a comparable running time otherwise. 798
formal verification task run in KnoBAB as a relational database
741 query, we consider a sample of 9 traces from the original log over 799
742 which we run the generated specifications. To alleviate potential 800
743
6.2 Rule Rewriting requiring Temporal 801
out-of-memory issues, we test the specifications in batches of 10 at
744 Non-Simultaneity 802
a time, thus sacrificing greater query plan minimization with the
745 certainty of completing the computation without out-of-memory We now consider rewriting rules assuming the temporal non-simul- 803
746 errors. On the other hand, the two aforementioned tools do not re- taneity axiom. For this, we then need to compare the running time 804
𝑐,𝑔
747 quire a log to work, for which it is sufficient to have a specification. for (Φ𝑖 )↓𝐴𝑖 where the axiom is grounded over the finite set of 805
748 The dataset for specifications and logs is available online6 . activity labels 𝐴𝑖 to the one resulting from the rewriting process 806
by Φ𝑐𝑖 ′ . In Figure 4, we give running times for Φ𝑖 for detecting
𝑐,𝑔
749 Due to the lack of space, we present a condensed version of the 807
750 benchmarks, while §C gives more extensive plots. any additional overheads being implied by the instantiation of the 808
751 axiom over the atoms in 𝐴𝑖 . If both Lydia and AALTAF supported 809
𝑐,𝑔
752 6 https://drive.google.com/drive/folders/1EK44vwSBVdz_ LTLf rewriting rules as per this paper, carrying a task over (Φ𝑖 )↓𝐴𝑖 810
753 A17XZintDP1eeEoBh53Q?usp=sharing
′
would have a comparable running time to Φ𝑐𝑖 , while a considerable 811
754 7 812
 PODS 2024, June 9–15, 2024, Santiago, Chile Anon.

one for Φ𝑖 while, in the worst-case scenario, they increase their

𝑐,𝑔
813 871
814 computational gap proportionally to the increase of the number 872
815 of clauses. Still, the tasks running over Φ𝑐𝑖 ′ are consistently out- 873
𝑐,𝑔
816 performing the same tasks running in (Φ𝑖 )↓𝐴𝑖 while also guar- 874
817 anteeing to minimise the out-of-memory exceptions. In the case 875
818 of AALTAF, these are then completely nullified. Similar consider- 876
819 ations can be drawn for running formal specification tasks over 877
820 the 9 traces sampled from our Cybersecurity scenario, Figure 5 878
821 shows that running Φ𝑑 𝑖′ gives speed-ups between 3 and 7 orders of 879
822 magnitude by consistently exploiting the CountingTable instead of 880
823 the ActivityTable if compared to the running times for the original 881

specification Φ𝑑 𝑖 .
824 𝑐,𝑔 882
825 883
826 884
827
7 CONCLUSION AND FUTURE WORKS 885
828 This paper showed for the first time the existence of a polytime 886
829 fragment of LTLf , DECLARE𝑑 by simply circumscribing the tempo- 887
830 ral expressiveness of the language. This was possible by observing 888
831 differences between LTLf and LTL and, to some extent, assuming 889
832 mutually exclusive conditions across events. We, therefore, design 890
833 Figure 4: Comparing the specification reducer’s running time a scalable SAT-Solver working under equational rewriting, thus 891
with the ones of Lydia and AALTAF running over Φ𝑖 vs.
𝑐,𝑔
834 rewriting a temporal specification into an equivalent and more 892
835 running over Φ𝑖 (LYDIA(R) and AALTAF(R) respectively)
′𝑐
tractable rewritten temporal specification Φ𝑑′ . Future works will 893
𝑐,𝑔
836 and the grounded representation (Φ𝑖 ) ↓𝐴 (LYDIA+AX and analyse DECLARE𝑑’s time complexity by also considering first- 894
𝑖
837 AALTAF+AX respectively). order arithmetic conditions [9]. Experiments on Lydia remarked 895
838 that the latter does not support adequate rewriting for internal for- 896
𝑐,𝑔
839 mula minimisation as computing (Φ𝑖 )↓𝐴𝑖 is always slower than 897
840 Φ𝑖′𝑐 : no algebraic rewriting is considered, as the minimisation steps 898
841 are only performed while composing the DFA and never at the LTLf 899
842 level. Running Lydia on Φ𝑖′𝑐 significantly improves the running time 900
843 for temporal formal synthesis. Future works will assess whether 901
844 the construction of the DFA over the alphabet {{c}|c ∈ Σ} ∪ {∅} 902
845 instead of ℘(Σ) per Axiom 1, where ∅ denotes any other atom not 903
846 in Σ, will boost the algorithm. We will also consider using graph 904
847 equi-joins in lieu of product construction for conjunction of states, 905
848 as the former technique already proved to be more efficient than 906
849 traditional automata composition for DFA generation over Φs [1]. 907
850 Experiments on AALTAF showed it does not exploit rewriting 908
𝑐,𝑔
851 rules as introduced in this paper: computing (Φ𝑖 )↓𝐴𝑖 is also more 909
costly than Φ𝑖 , and the computation over Φ𝑖′𝑐 as generated by our
𝑐,𝑔
852 910

solver is always faster than computing either (Φ𝑖 )↓𝐴𝑖 or Φ𝑖 , thus

853 𝑐,𝑔 𝑐,𝑔 911
854 remarking the benefit of our approach in rewriting the formula. 912
855 Future works will consider generalising the rewiring rules here 913
856 defined for DECLARE𝑑, a fragment of LTLf , so as to be implemented 914
857 in any LTLf tool considering such a rewriting step. 915
858 Last, our tool also proved to be beneficial as a specification pre- 916
Figure 5: Comparing different running times of KnoBAB
859
over Φ𝑑 (False) vs. Φ𝑑′ (True). processing step for optimising formal verification tasks over rela- 917
860 tional databases, as computing Φ𝑑′ is always faster than computing 918
overhead for computing (Φ𝑖 )↓𝐴𝑖 if compared to Φ𝑖 denotes that
𝑐,𝑔 𝑐,𝑔
861 Φ𝑑 . Future work will consider defining a query plan optimisation 919
862 the additional rules coming from the instantiation to the axiom strategy not only by computing each shared sub-expression within 920
863 provide a significant computational burden rather than helping in a given specification once, but also implementing suitable algebraic 921
864 simplifying the specification. rewriting rules while supporting Axiom 1. 922
865 This set of experiments confirms all our previous observations 923
866 from the previous set-up regarding comparisons between our spec- 924
867 ification rewriting strategy and the existing verified temporal arti-
REFERENCES 925
[1] Giacomo Bergami. 2023. Fast Synthetic Data-Aware Log Generation for Temporal
868 ficial intelligence tasks. We observe that, in the best-case scenario, Declarative Models. In Proceedings of the 6th Joint Workshop on Graph Data
926
𝑐,𝑔
869 such tasks exhibit a running time for (Φ𝑖 )↓𝐴𝑖 comparable to the Management Experiences & Systems (GRADES) and Network Data Analytics (NDA) 927
870 8 928
 DECLARE𝑑 : a polytime LTLf fragment PODS 2024, June 9–15, 2024, Santiago, Chile

−
929 (Seattle, WA, USA) (GRADES & NDA ’23). Association for Computing Machinery, V𝐺 (𝛼) := (𝑉𝐺 \{𝛼 }, {(𝑢, 𝑣) ∈ 𝐸|𝑢 ≠ 𝛼 ∧ 𝑣 ≠ 𝛼 }) 987
New York, NY, USA, Article 7, 9 pages. −
930
[2] Giacomo Bergami. 2024. Streamlining Temporal Formal Verification over Colum-
E𝐺 (𝛼, 𝛽) := 988
931 989
nar Databases. Information 15, 1 (2024). https://doi.org/10.3390/info15010034 (𝑉𝐺 \{𝑢 |(𝛼, 𝛽) ∈ 𝐸𝐺 ∧ (𝑢 = 𝛼 ∨ 𝑢 = 𝛽) ∧ Deg𝐺 (𝑢) = 1},
932 [3] Giacomo Bergami, Samuel Appleby, and Graham Morgan. 2023. Quickening 990
933
Data-Aware Conformance Checking through Temporal Algebras. Inf. 14, 3 (2023), {(𝑢, 𝑣) ∈ 𝐸𝐺 |𝑢 ≠ 𝛼 ∧ 𝑣 ≠ 𝛽}) 991
173.
934 [4] Giacomo Bergami, Samuel Appleby, and Graham Morgan. 2023. Specification 992
935 Mining over Temporal Data. Computers 12, 9 (2023). A.2 Multimap Operations 993
[5] Giacomo Bergami, Fabrizio Maria Maggi, Andrea Marrella, and Marco Montali.
(
936
2021. Aligning Data-Aware Declarative Process Models and Event Logs. In ∅ 𝑦 =𝑥 994
Del 𝑓 (𝑥) := 𝑦 ↦→
937 Business Process Management, Artem Polyvyanyy, Moe Thandar Wynn, Amy 𝑓 (𝑦) 𝑦 ≠ 𝑥 995
938 Van Looy, and Manfred Reichert (Eds.). Springer International Publishing, Cham, ( 996
939
235–251. 𝑓 (𝑥) ∪ {𝑣 } 𝑦 = 𝑥 997
[6] Ferhat Ozgur Catak, Javed Ahmed, Kevser Sahinbas, and Zahid Hussain Khand. Put 𝑓 (𝑥, 𝑣) := 𝑦 ↦→
940 2021. Data augmentation based malware detection using convolutional neural 𝑓 (𝑦) 𝑦 ≠𝑥 998
941
networks. PeerJ Computer Science 7 (Jan. 2021), e346. 999
[7] Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein.
942 2009. Introduction to Algorithms, 3rd Edition. MIT Press. B PROOFS 1000
943 [8] Giuseppe De Giacomo and Marco Favorito. 2021. Compositional Approach to 1001
Translate LTLf/LDLf into Deterministic Finite Automata. Proceedings of the B.1 Lemmas for Short-Circuit Rewriting
944 1002
International Conference on Automated Planning and Scheduling 31, 1 (May 2021), The following rewriting lemmas will heavily rely upon the algo-
945 122–130. 1003
[9] Luca Geatti, Alessandro Gianola, Nicola Gigante, and Sarah Winkler. 2023. De- rithm outlined in [11] for generating an NFA out of a temporal
946 1004
cidable Fragments of LTLf Modulo Theories. In ECAI, K Gal and et al. (Eds.). specification Φ. We will use this algorithm to prove that, upon apply-
947 [10] Giuseppe De Giacomo, Fabrizio Maria Maggi, Andrea Marrella, and Fabio Patrizi. 1005
2017. On the Disruptive Effectiveness of Automated Planning for LTLf -Based
ing this algorithm and minimising the resulting non-deterministic
948 1006
Trace Alignment. In Proceedings of the Thirty-First AAAI Conference on Artificial automaton, we will obtain automata equivalently expressing the
949 1007
Intelligence, February 4-9, 2017, San Francisco, California, USA, Satinder Singh total absence of the activity labels being represented within the
950 and Shaul Markovitch (Eds.). AAAI Press, 3555–3561. https://doi.org/10.1609/ 1008
aaai.v31i1.11020 specification. Please also observe that we provide generic proofs
951 1009
[11] Giuseppe De Giacomo, Riccardo De Masellis, and Marco Montali. 2014. Reasoning for each of the following lemmas, not necessarily requiring that all
952 1010
on LTL on Finite Traces: Insensitivity to Infiniteness. In Proceedings of the Twenty- the activity labels in 𝐴 ⊆ Σ shall be considered mutually exclusive.
953 Eighth AAAI Conference on Artificial Intelligence, July 27 -31, 2014, Québec City, 1011
Lemma 1. Given 𝐴 = { c1, c2, . . . , c𝑛 } ⊆ Σ, Φ′ := c𝑖 ∈𝐴 □¬c𝑖 is
Québec, Canada, Carla E. Brodley and Peter Stone (Eds.). AAAI Press, 1027–1033. Ó
954 1012
https://doi.org/10.1609/aaai.v28i1.8872
equivalent to Φ := □(c𝑛 ⇒ #c1 ) ∧
Ó
955 [12] John Harrison. 2009. Handbook of Practical Logic and Automated Reasoning. 𝑖 ∈N □(c𝑖 ⇒ #c𝑖+1 ) in LTLf . 1013
956 Cambridge University Press. https://doi.org/10.1017/CBO9780511576430 1≤𝑖<𝑛 1014
957
[13] Xu Huo, Kuangrong Hao, Lei Chen, Xue song Tang, Tong Wang, and Xin Cai. Proof. Please observe that the following proof works indepen- 1015
2022. A dynamic soft sensor of industrial fuzzy time series with propositional
958 linear temporal logic. Expert Systems with Applications 201 (2022), 117176. dently from the non-simultaneity axiom: as we will show, the acti- 1016
959 [14] Jianwen Li, Geguang Pu, Yueling Zhang, Moshe Y. Vardi, and Kristin Y. Rozier. vation of at least one condition in 𝐴 will require to verify all the 1017
2020. SAT-based explicit LTLf satisfiability checking. Artificial Intelligence 289
960
(2020), 103369.
requirements in the specification indefinitely, thus never leading 1018
961 [15] Maja Pesić, Helen Schonenberg, and Wil M.P. van der Aalst. 2007. DECLARE: Full to an acceptance state. So, we now prove this for 𝐴 not necessarily 1019
962 Support for Loosely-Structured Processes. In 11th IEEE International Enterprise containing mutually exclusive activity labels. 1020
Distributed Object Computing Conference (EDOC 2007). 287–287.
963 [16] Amir Pnueli. 1977. The temporal logic of programs. In 18th Annual Symposium For this, let us define an atom substitution function 𝜌 as [𝑐𝑖 ↦→ 1021
964 on Foundations of Computer Science (sfcs 1977). 46–57. https://doi.org/10.1109/ 𝑐 (𝑖+1 mod |Σ| ) ] 1≤𝑖 ≤𝑛 indicating the next required atom to follow 1022
965
SFCS.1977.32 according to the formula requirements. The generic formula for a 1023
[17] Chengyu Wang, Kui Wu, Tongqing Zhou, and Zhiping Cai. 2023. Time2State:
966 An Unsupervised Framework for Inferring the Latent States in Time Series Data. ChainResponse temporal short-circuit leads to the NFA that can 1024
967 Proc. ACM Manag. Data 1, 1, Article 17 (may 2023), 18 pages. be constructed as follows: an initial state 𝑞 0 being also the sole 1025
[18] Haifeng Xu, Jianfei Pang, Xi Yang, Jinghui Yu, Xuemeng Li, and Dongsheng Zhao. Ó
968
2020. Modeling clinical activities based on multi-perspective declarative process
acceptance state, having a self-loop for a∈𝐴 ¬a, a sink falsehood 1026
969 mining with openEHR’s characteristic. BMC Medical Informatics and Decision state ⊥ having a self-loop as the only outgoing edge with the uni- 1027
970 Making 20, 14 (15 Dec 2020), 303. https://doi.org/10.1186/s12911-020-01323-7 versal truth formula ⊤; for each 𝑆 ∈ ℘(𝐴)\{∅}, we generate a new 1028
[19] Ahmet Faruk Yazi, Ferhat Özgür Çatak, and Ensar Gül. 2019. Classification of
971 Methamorphic Malware with Deep Learning(LSTM). In 27th Signal Processing 1029
972 and Communications Applications Conference, SIU 2019, Sivas, Turkey, April 24-26, 1030
973
2019. IEEE, 1–4. c1 c1 ∧ c2 1031
Appendix c1
974 c1 ∧ c2 c1 ∧ ⊤ 1032
c1 ∧ c2 c2 c2
975 1033
A FORMAL DEFINITION
976 c1 ∨ c2 1034
977 We now provide the formal definition of some operators that were start 0 c2 c1 c1 ∧ c2 ⊥ 1035
978 given informally at the end of the Introduction. c2 1036
∧
979
c2 c1 c1 1037
980 A.1 Graph Operations 1038
981 Out𝐺 (𝑢) := { 𝑣 ∈ 𝑉𝐺 | (𝑢, 𝑣) ∈ 𝐸𝐺 } c2 1039
982 In𝐺 (𝑣) := { 𝑢 ∈ 𝑉𝐺 | (𝑢, 𝑣) ∈ 𝐸𝐺 } 1040
983 1041
Deg𝐺 (𝑣) := |Out𝐺 (𝑣)| + |In𝐺 (𝑣)| Figure 6: Representation of the NFA associated to Φ𝑑 =
984 + 1042
E𝐺 (𝛼, 𝛽) := (𝑉𝐺 ∪ {𝛼, 𝛽}, 𝐸𝐺 ∪ {(𝛼, 𝛽)}) {ChainResponse(c𝑖 , c𝑖+1 mod 2 )}𝑖 ∈ {1,2} before minimisation for
985 1043
Lemma 1.
986 9 1044
 PODS 2024, June 9–15, 2024, Santiago, Chile Anon.

state 𝑆 associated to the formula 𝑆𝜙 = 𝑆𝜙+ ∧ 𝑆𝜙− with 𝑆𝜙+ = a∈𝑆 a

Ó
1045 1103

∇1 , ∇2 , ∇ 3 Φ
and 𝑆𝜙− := a∈𝐴\𝑆 ¬a , describing the actions that were performed
1046
Ó 1104
1047 1105
to each this system state. For each of these, where we outline the
1048 1106
following edges:
1049 1107
𝑆𝜙
1050 • an edge 𝑞 0 −−→ 𝑆: this requires that, as soon as at least 1108
1051 one of the activities in 𝐴 is run, then we need to follow the

⇒ #♢c𝑖+1 mod 3 ) before minimisation for Lemma B.1.

1109
1052 requirements associated to the specification; 1110
1053 ¬(𝜌𝑆𝜙+ ) 1111
1054 • an edge 𝑆 −−−−−−→ ⊥: this requires that, as soon as we miss 1112
1055 one of the transition conditions requiring that each of the 1113
1056 activities being true in 𝑆 should then immediately move 1114
1057 to the immediately following activities 𝜌𝑆, we then violate 1115
1058 the specification; 1116
𝑇𝜙
1059 • for each 𝑇 ∈ ℘(𝐴)\{∅}, we define a new edge 𝑆 −−→ 𝑇 if 1117
1060 𝜌𝑆 ⊆ 𝑇 : we connect each of such states not only to the 1118
1061 immediately following actions as per 𝜌, but we also assume 1119
1062 that further activation conditions must hold. 1120
∇2 , ∇3 , Φ

1063 1121
Please observe that, as soon as all the activities in 𝐴 are activated,
1064 1122
all are then required to be always true, thus having that the state
1065 1123
𝐴 will have as outgoing edges its self-loop, prescribing that all the
1066 1124
conditions in 𝐴 must hold, and a transition towards ⊥ as soon as at
1067 1125
least one of these conditions are no more satisfied. After minimising
1068 1126
this DFA, we can observe that we obtain 𝑞 0 , still an initial acceptance
1069 1127
state retaining its self-loop, and ⊥, also retaining its self-loop while
1070 Ô 1128
having an edge labelled as a∈𝐴 𝑎 coming from 𝑞 0 , thus entailing a
1≤𝑖 ≤3 □(c𝑖
∇ 1 , ∇2 , Φ

∇ 1 , ∇3 , Φ

1071 1129
DFA accepting only the traces where none of the atoms in 𝐴. Thus,
1072 1130
we proved the correctness of our reduction into a conjunction of
1073 1131
DECLARE𝑑 absences for each activity label in 𝐴.
1074 1132
As the number of states is in 𝑂 (|℘(𝐴)|), the generation of the
Ó

1075 1133
Figure 7: Representation of the NFA associated to Φ =

automaton will take at least exponential time over the size of the
1076 1134
ChainResponse short-circuit, also corresponding to the size of 𝐴 ⊆
Σ.
1077 1135
□
1078 1136
1079 Lemma B.1. Given 𝐴 = { c1, c2h, . . . , c𝑛 } ⊆ Σ with |𝐴| > 2, Φ′ := 1137

c𝑖 ∈𝐴 □¬c𝑖 is equivalent to Φ := □(c𝑛 ⇒ #♢c1 ) ∧

Ó Ó
𝑖 ∈N □(c𝑖 ⇒
1080 1138
1081 i 1≤𝑖<𝑛 1139
1082 #♢c𝑖+1 ) in LTLf . 1140
1083 1141
1084 Proof. Differently from the previous proof, where the NFA au- 1142
∇3 , Φ

1085 tomaton could have been greatly simplified due to the involvement 1143
1086 of # within the construction, the proof for this lemma needs to be 1144
1087 handled with greater care. Before starting, we remind the reader 1145
1088 of the special temporal properties holding in LTLf : □𝜙 = 𝜙 ∧ #□𝜙, 1146
1089 □(𝜙 ∧ 𝜙 ′ ) = □𝜙 ∧ □𝜙 ′ , and ♢𝜙 = 𝜙 ∨ #♢𝜙. 1147
1090 The activation of a 𝑖-th clause at any state 𝑆 while constructing 1148
1091 the NFA by 𝑐𝑖 ∈ 𝐴 “generates” the corresponding target condition to 1149
1092 be met ∇𝑖 := ♢(𝑐 (𝑖+1 mod |𝐴| ) ) expressed as ∇𝑖 ≡ (𝑐 (𝑖+1 mod |𝐴| ) ∨ 1150
∇1 , Φ

∇2 , Φ

1093 #∇𝑖 ) by the special temporal property of the eventuality operator. 1151
1094 By running [11], we also generate 2 |𝐴| states, where the sole initial 1152
1095 and acceptance state associated to Φ, and the other states 𝑆 are 1153
1096 associated to the formulæ in S = {𝑆 ′ ∪ {Φ}|𝑆 ′ ∈ ℘({∇𝑖 |c𝑖 ∈ 1154
c
ab
c

1097 𝐴})\{∅}}, none of which is an accepting state. No explicit falsehood 1155

ab

1098 sink state is present, as the invalidation of one of the ∇𝑖 will actually 1156
Φ

1099 require never having an event c𝑖+1 mod |𝐴| , for which we would 1157
1100 1158
start

1101 1159
1102 10 1160
 DECLARE𝑑 : a polytime LTLf fragment PODS 2024, June 9–15, 2024, Santiago, Chile

1161 still transit across non-accepting states in S indefinitely. We then As we can observe from the former transitions, once one trace 1219
1162 identify theÓfollowing transitions among such states: event satisfies a condition in 𝐴, we will always navigate towards 1220
1163 c𝑖 ∈𝐴 ¬c𝑖 states in S without ever having the possibility of going back to the 1221
(1) Φ −−−−−−−−→ Φ: if none of the clauses is activated, we trigger
1164 initial and sole accepting state Φ, as we must perennially guarantee 1222
no activation condition c𝑖 leading into a ∇𝑖 target require-
1165 that the conditions in 𝐴 shall be eventually satisfied in turns, thus 1223
ment to be met; we, therefore, persist on the same initial
1166 entailing that no finite trace will ever satisfy such conditions. As 1224
accepting state.
1167 Ó Ó the number of states required for generating these formulae is 1225
∇𝑖 ∈𝑆 c𝑖 ∧ ∇ 𝑗 ∉𝑆 ¬c 𝑗
1168
(2) Φ −−−−−−−−−−−−−−−−−→ 𝑆 for each 𝑆 ∈ S: when at least one therefore exponential in the size of both Φ and 𝐴 as |Φ| = |𝐴| 1226
1169
activity label in Φ activates one clause, we transit to a state by construction, by assuming that the most efficient algorithm 1227
1170
representing the activation of the specific clause. for generating such automaton from the LTLf specification will 1228
1171 𝐹 take at least a time comparable to the size of the graph without 1229
(3) 𝑆 −→ 𝑆 for each 𝑆 ∈ S: for remaining in the same state, we
1172 any additional computation overhead, we therefore have that such 1230
require that no other condition 𝑐𝑖 not appearing as ∇𝑖 ∈ 𝑆
1173 algorithm will take at least an
 exponential time on the size of the 1231
shall be activated, otherwise, we will be transiting towards 
1174
another state. Furthermore, we require that the activation of specification, thus in 𝑜 2 |𝐴| . 1232
1175 1233
1176
any 𝑐𝑖+1 mod |𝐴| for which both ∇𝑖+1 mod |𝐴| and ∇𝑖 appear Similarly to the previous lemma, even in this scenario, the min-
1234
in 𝑆 should also require the activation of the activity 𝑐𝑖 as, imisation of such automaton will lead to one being equivalent to
1177 1235
1178
otherwise, we will reduce the number of ∇𝑖 , thus ending the one predicate the absence of all the activities in 𝐴.
1236
into a state containing a subset of activated conditions: this □
1179 1237
is enforced by the construction of Φ. Given this, we obtain
Lemma 3. Given 𝐴 = { c1, c2, . . . h, c𝑛 } ⊆ Σ with |𝐴| = 𝑛 > 2, Φ′
1180 1238
the following formulation for 𝐹 : :=
1181 1239
c𝑖 ∈𝐴 □¬c𝑖 is equivalent to Φ := □(c𝑛 ⇒ ♢c1 ) ∧
Ó Ó
𝑖 ∈N □(c𝑖 ⇒
Û Û
1182 (c𝑖+1 ⇒ c𝑖 ) ∧ ¬c 𝑗 1≤𝑖<𝑛
1240
i
1183 ∇𝑖+1 mod |𝐴| ,∇𝑖 ∈𝑆 ∇ 𝑗 ∉𝑆 1241
♢c𝑖+1 ) in LTLf .
1184 Ó ↓Σ 1242
Please observe that we do not require that ∇𝑖+1 mod |𝐴| ∉𝑆,∇𝑖 ∈𝑆 (c𝑖 )
1185 1243
should also hold, as the eventuality of the condition for the Proof. It derives as a corollary from Lemma B.1, which holds
1186 1244
target condition does not strictly require that such condi- independently from the non-simultaneity axiom. □
1187 1245
tion must immediately hold in a subsequent step, so either
Lemma B.2. Given 𝐴 = { c1, c2, . . . , c𝑛 } ⊆ Σ, Φ′ := c𝑖 ∈𝐴 □¬c𝑖
Ó
1188 1246
the possibility of 𝑐𝑖 being still activated or its opposite are
is equivalent to Φ := □(c𝑛 ⇒ #(¬c𝑛 Uc1 )) ∧
Ó
1189 𝑖 ∈N □(c𝑖 ⇒ 1247
both considered. 1≤𝑖<𝑛
1190 𝐹
→ {∇ 𝑗 } 𝑗 ∈𝑆 ′′ ∪ {Φ} with 𝑆 ′ ⊂ 𝑆 ′′ : we
(4) {∇ 𝑗 } 𝑗 ∈𝑆 ′ ∪ {Φ} − #(¬c𝑖 Uc𝑖+1 )) in LTLf . 1248
1191 1249
1192
need to ensure that the conditions appearing only in 𝑆 ′′ Proof. We proceed similarly to the previous lemma where now, 1250
1193
are newly activated, while the ones being active in 𝑆 ′ shall due to the adoption of the Until operator, we change the definition 1251
1194
be kept active in 𝑆 ′′ ; given this, we obtain the following 𝐹 : of ∇𝑖 per its special property as follows: 1252
1195 Û Û ∇𝑖 := c𝑖+1 mod |𝐴| ∨ (¬c𝑖 ∧ ¬c𝑖+1 mod |𝐴| ∧ #∇𝑖 ) 1253
𝑐𝑖 ∧ ­ ¬𝑐𝑖 ®
© ª
1196 1254
prescribing that in any subsequent step c𝑖 can never occur until the
1197 𝑖 ∈𝑆 ′′ \𝑆 ′ ∪ «𝑖 ∈ {1,...,|𝐴| }\(𝑆∪𝑆 ′ ) 1255
{ 𝑗 | ( 𝑗=1∧|𝐴| ∈𝑆 ′ )∨( 𝑗≠1∧𝑗 −1∈𝑆 ′ ) }
¬ first occurrence of c𝑖+1 mod |𝐴| . Furthermore, similarly to the Chain-
1198 1256
𝐹 Response case, we add a falsehood sink state, towards each state
1199
(5) {∇ 𝑗 } 𝑗 ∈𝑆 ′ ∪ {Φ} −→ {∇ 𝑗 } 𝑗 ∈𝑆 ′′ ∪ {Φ} with ⊃ this 𝑆′ 𝑆 ′′ : will transit upon violation of the conditions prohibited by ∇𝑖 . In fact,
1257
1200 1258
transition can only occur if, by attempting to consume ∇𝑖 this lemma restricts the expected behaviour in the former lemma,
1201
with 𝑖 ∈ 𝑆 ′ by executing an action c𝑖+1 mod |𝐴| , this leads to as we now prescribe that c𝑖 , once activating a clause thus adding
1259
1202
generating ∇𝑖+1 mod |𝐴| appearing in 𝑆 ′′ ∩ 𝑆 ′ or, otherwise, ∇𝑖 to a state, cannot occur before the occurrence of c𝑖+1 mod |𝐴|
1260
1203 1261
we would have transited towards another state. This then or, otherwise, we have to transit towards a never-accepting sink
1204 1262
provides a restriction of the states towards which we can falsehood state. Consequently, except for the sink falsehood state, I
1205 1263
transit and the states that can move backwards. 𝐹 can be could loop over any other state only if none of the activities in 𝐴 are
1206 1264
then defined as: considered. We now stress the main differences from the definition
1207 Û Û 1265
1208
c𝑖+1 mod |𝐴| ∧ ¬𝑐𝑖 of the transition functions if compared with the previous lemma:
Ó 1266
𝑖 ∈𝑆 ′ , 𝑖 ∈ {1,...,|𝐴| }\(𝑆 ′′ ∪𝑆 ′ ) c𝑖 ∈𝐴 ¬c𝑖
1209
𝑖+1 mod |𝐴| ∈𝑆 ′ ∩𝑆 ′′ (1) Φ −−
Ó
−−−−−−→ÓΦ: Same as per the previous lemma. 1267
1210 ∇𝑖 ∈𝑆 c𝑖 ∧ ∇ 𝑗 ∉𝑆 ¬c 𝑗 1268
1211 (6) {∇ 𝑗 } 𝑗 ∈𝑆 ′ ∪{Φ} −
𝐹
→ {∇ 𝑗 } 𝑗 ∈𝑆 ′′ ∪{Φ} with 𝑆 ′ ≠ 𝑆 ′′ : otherwise, (2) Φ −−−−−−−−−−−−−−−−−→ 𝑆 for each 𝑆 ∈ S: Same as per the 1269
1212 𝐹 previous lemma. 1270
we can transit {∇ 𝑗 } 𝑗 ∈𝑆 ′ ∪ {Φ} − → {∇ 𝑗 } 𝑗 ∈𝑆 ′′ ∪ {Φ} with 𝐹
1213
𝑆 ′ ≠ 𝑆 ′′ at the following conditions: for each 𝑗 ∈ 𝑆 ′ , either (3) 𝑆 −
→ 𝑆 for each 𝑆 ∈ S: As per previous observation, this is 1271
Ó
1214
( 𝑗 + 1 mod |𝐴|) ∈ 𝑆 ′′ or 𝑗 ∈ 𝑆 ′′ . If those conditions had not now changed to 𝐹 = c𝑖 ∈𝐴 ¬c𝑖 , as performing none of the 1272
1215 states that are recorded in 𝐴 is the only possible way not 1273
been met, given the previous considerations, it would not
1216 to transit into any other state. 1274
have been possible to transit exactly between these two
1217 1275
states.
1218 11 1276
 PODS 2024, June 9–15, 2024, Santiago, Chile Anon.

𝐹
→ {∇ 𝑗 } 𝑗 ∈𝑆 ′′ ∪ {Φ} with 𝑆 ′ ⊂ 𝑆 ′′ : Same as

⊥
1277 (4) {∇ 𝑗 } 𝑗 ∈𝑆 ′ ∪ {Φ} − 1335
1278 per previous lemma. 1336
1279 𝐹 1337
→ {∇ 𝑗 } 𝑗 ∈𝑆 ′′ ∪{Φ} with 𝑆 ′ ⊃ 𝑆 ′′ . This type

∇1 , ∇2 , ∇ 3 , ∇4 , Φ
(5) {∇ 𝑗 } 𝑗 ∈𝑆 ′ ∪{Φ} −
1280 1338

xx∈A
of transition never occurs similarly to Lemma 1. Without
1281 V 1339
any loss of generality, let us assume that 𝑆 ′ = {𝑖, 𝑗, 𝑘 } and
1282 1340
𝑆 ′′ = {𝑖, 𝑗 } as in the previous lemma: allowing such transi-

Figure 8: Representation of the NFA associated to Φ = {AltResponse(c𝑖 , c𝑖+1 mod 4 )}1≤𝑖 ≤4 before minimisation for Lemma B.2.
1283 1341
tion would require to have an event abiding by c𝑘+1 mod |𝐴|
1284 1342
for which either 𝑖 = 𝑘 + 1 mod |𝐴| or 𝑗 = 𝑘 + 1 mod |𝐴|.
1285 1343
The only possible way to make this admissible is to make
1286 1344
∇ 2 , ∇3 , ∇4 , Φ
also ∇𝑖 (or ∇ 𝑗 ) move with a corresponding c𝑖+1 mod |𝐴| (or
1287 1345
x
c 𝑗+1 mod |𝐴| ) action; still, this would have contradicted the
x∈A
V
1288 1346
assumption that 𝑖 and 𝑗 are not moving, and therefore this
1289 1347
action would either violate ∇𝑖 or ∇ 𝑗 , which is then impos-
1290 1348
sible. Therefore, executing any of the activation conditions
∇1 , ∇3 , ∇4 , Φ
∇1 , ∇2 , ∇ 3 Φ

1291 1349
c𝑖 for 𝑖 ∈ 𝑆 ′ being explicitly prohibited by the correspond-
x

x
x∈A

x∈A
1292 1350
ing ∇𝑖 will just move the current source state of interest
V

1293 1351
towards the sink falsehood state.
1294 𝐹 1352
1295
(6) {∇ 𝑗 } 𝑗 ∈𝑆 ′ ∪ {Φ} − → {∇ 𝑗 } 𝑗 ∈𝑆 ′′ ∪ {Φ} with 𝑆 ′ ≠ 𝑆 ′′ : oth- 1353
∇1 , ∇ 2 , ∇4 , Φ

erwise, as observed in the previous point, we can move

x x∈A

1296 1354
towards a new state by either consuming a c𝑖+1 mod |𝐴|
V

1297 1355
1298
with 𝑖 ∈ 𝑆 ′ leading to an 𝑖 + 1 mod |𝐴| ∈ 𝑆 ′′ , or by ensur- 1356
1299
ing a c 𝑗+1 mod |𝐴| with 𝑗 + 1 mod |𝐴| ∈ 𝑆 ′′ \𝑆 ′ and 𝑗 ∉ 𝑆 ′ 1357
1300
for not violating an already-activated condition. Overall, 1358
1301
we can observe that this leads to never transiting from a 1359
1302
state containing more activation conditions towards one 1360
1303
containing less than those, at any rate. 1361
Under all the remaining circumstances, we transit from 𝑆 towards
∇3 , ∇4 , Φ

1304 1362
x x∈A

1305 the falsehood sink state. Similarly, as in the previous construction, 1363
V

1306 we can observe that any algorithm generating such a graph before 1364
∇1 , ∇2 , Φ

∇2 , ∇4 , Φ
x

x
x∈A

x∈A

1307 minimisation will take an exponential time on the size of both the 1365
V

1308 specification Φ and 𝐴. □ 1366

1309 1367
1310 B.2 Computational Complexity 1368
∇ 1 , ∇3 , Φ

∇ 2 , ∇3 , Φ
x

x
x∈A

x∈A

1311 While considering the computational complexity associated with 1369

V

1312 formal verification tasks, we assume the KnoBAB computational 1370

∇ 1 , ∇4 , Φ

x∈A x

1313 model, where the entire set of traces within a log is considered, and 1371
V

1314 each trace is not necessarily computed one at a time. Therefore, we 1372
1315 interpret the LTLf computation for each trace in the log regarding 1373
1316 the associated xtLTLf operators in KnoBAB [3]. 1374
1317 1375
Lemma 2. Given 𝐴 = { c1, c2, . . . , c𝑛 } ⊆ Σ, computing := Φ′
1318 1376
c𝑖 ∈𝐴 □¬c𝑖 in lieu of Φ := □(c𝑛 ⇒ #c1 ) ∧
Ó Ó
𝑖 ∈N □(c𝑖 ⇒ #c𝑖+1 )
1319 1≤𝑖<𝑛 1377
1320 always leads to a positive average speed-up. 1378
x
∇4 , Φ

x∈A

1321 1379
V

Proof. Given ||𝔖|| the number of all the events in the log ob-
1322 1380
tained by summing up all the trace lengths in 𝔖, ||𝔖|| denotes the
1323 1381
number of all the events in the entire log in all traces. We also
1324 1382
denote #a as the number of all the events in 𝔖 having “a” as an
x

x
∇1 , Φ

∇3 , Φ
x∈A

x∈A

1325 1383
V

activity label.
abcd

1326 1384
Using KnoBAB as a computational model for computing LTLf
1327 1385
via xtLTLf , we can determine 𝜎, 𝑡 ⊨ #c𝑖 in #c𝑖 time. As the number
cd

1328 1386
cd

of all the events not being c𝑖 in 𝔖 is ||𝔖|| − #c𝑖 , computing 𝜎, 𝑡 ⊨ ¬c𝑖

ab
ab

x∈A x
∇2 , Φ

1329 1387
requires ||𝔖|| − #c𝑖 time. Under the KnoBAB intermediate result
V

1330 1388
representation assumption, all the intermediate results from xtLTLf
abcd

1331 1389
Φ

expressions are pre-sorted by trace id and temporal position, we

1332 1390
start

1333 1391
1334 12 1392
 DECLARE𝑑 : a polytime LTLf fragment PODS 2024, June 9–15, 2024, Santiago, Chile

1393 can compute either 𝜎, 𝑡 ⊨ 𝜑 ∧ 𝜑 ′ or 𝜎, 𝑡 ⊨ 𝜑 ∧ 𝜑 ′ in at most |𝜑 | + Proof. We use the proof for Lemma 2 as a calque for this 1451
1394 |𝜑 ′ | time. Per each clause occurring in the specification, we are other speed-up analysis, where we only have to change 𝜙 to c𝑖 ⇒ 1452
1395 interested in computing 𝜙 = c𝑖 ⇒ #c𝑖+1 mod |𝐴| . We can then 𝜙 as ♢c𝑖+1 mod |𝐴| thus focussing our analysis on 𝜎, 𝑡 ⊨ 𝜙: this can be 1453
1396 (¬c𝑖 )∨(c𝑖 ∧#c𝑖+1 mod |𝐴| ): as we observe that the next #𝜑 operator then equivalently expressed as 𝜎, 𝑡 ⊨ ¬c𝑖 ∨ (c𝑖 ∧ ♢c𝑖+1 mod |𝐴| ), 1454
1397 provides a linear scan of the input operator, this computation can be where 𝜑 ∧ ♢𝜑 ′ is computed using a specific derived operator taking 1455
1398 carried out in an overall ||𝔖||(
−#c( 𝑖 +
(𝑖 + 2#c
(#c 𝑖+1 mod |𝐴| generating, |𝜑 ||𝜑 ′ | log |𝜑 ′ | time. For each clause, this leads to ||𝔖||−#c𝑖 + #c𝑖 · 1456
1399 in the worst case scenario, data in the size of ||𝔖||. Furthermore, #c𝑖+1 mod |𝐴| log #c𝑖+1 mod |𝐴| time per clause computing 𝜙 return- 1457
1400 we observe that computing this for each clause in Φ leads to a ing, in the worst case scenario, ||𝔖|| events; all the clauses take at 1458
1401 total time of |𝐴|||𝔖|| + 2||𝔖||. Therefore, computing 𝜎, 𝑡 ⊨ □𝜙 as most ||𝔖|(|𝐴| − 1) + ||𝔖||𝑘 log 𝑘 time to compute this expression by 1459
1402 an xtLTLf operator over all events satisfying 𝜎, 𝑡 ⊨ 𝜙 will take assuming 𝑘 ≃ #c1 ≃ · · · ≃ #c |𝐴| ≃ ||𝔖||/|𝐴|. As in the previous Lemma, 1460
1403 at most ||𝔖|| log ||𝔖|| per clause, thus adding up to |𝐴|||𝔖|| log ||𝔖||. the computation of the associated □ operator for each □𝜙 per each 1461
1404 Furthermore, the cost of computing the conjunction among the of the |𝐴| clauses will take at most |𝐴|||𝔖|| log ||𝔖|| time. The time 1462
1405 result of all such clauses adds up to |𝐴|||𝔖|| in its worst-case scenario. for computing Φ′ is also 2𝑙𝑒 as per the previous Lemma. As the 1463
1406 On the other hand, computing each □¬c𝑖 in the resulting spec- ratio between the running time of Φ is strictly greater than Φ′ , we 1464
1407 ification Φ′ requires KnoBAB to check in the counting table for always obtain a speed-up at least proportional to the size of the log 1465
1408 each trace that c𝑖 occurs zero times with a linear scan; thus, Φ′ can and traces for 𝑙 := ||𝔖|| > 0 and 𝑒 := |𝐴| > 0: 1466
1409 be computed in 2|𝐴||𝔖| time, as we also need to encompass the 1 𝑘 log 𝑘 1467
time required for computing the disjunction between all the data 𝑙 (𝑒 − 1) + 𝑙𝑘 log 𝑘 + 𝑙𝑒 log 𝑙 + 𝑙𝑒 1 − + 𝑒 + log 𝑙 + 1
𝑒
1410 = ≥1 1468
1411 being computed per traces. For 𝑙 := ||𝔖|| > 0 and 𝑒 := |𝐴| > 0, we 2𝑙𝑒 2 1469
1412 therefore obtain always a speed-up: Thus entailing an always positive speed-up for formal verification 1470
tasks for sufficiently large 𝑘, 𝑙, 𝑒 → ∞. □
1413 𝑙𝑒 (1 + 𝑒2 ) + 𝑙𝑒 log 𝑙 + 𝑙𝑒 2 1471
≥ 1 ⇔ + log 𝑙 ≥ 0
1414
2𝑙𝑒 𝑒 Corollary B.2. We can rewrite Φ𝑑 containing a Response short- 1472
1415
□ circuit in polytime on the size of Φ𝑑 . 1473
1416 1474
1417 Corollary B.1. We can rewrite Φ𝑑 containing a ChainResponse Proof. This can be considered a further corollary of Corol- 1475
1418 short-circuit in polytime on the size of Φ𝑑 . lary B.1, as both the graph visit and construction phase are com- 1476
1419 pletely independent of the nature of the clause, which is completely 1477
Proof. Given the construction sketched in §3.2, the best case
neglected and sketched in terms of mutual dependencies across
scenario for Φ constitutes in Φ containing exactly one single Chain-
1420 1478
activity labels through a dependency graph. Similar conclusions
Response circuit, for which we obtain a graph 𝐺 cr representing
1421 1479
1422 then hold, also in terms of time complexity for the graph visit. □ 1480
itself a cycle of size |Φ|. By adopting a DFS visit for detecting a cycle,
we take 𝑂 (𝑉 + 𝐸) to recognize the whole graph 𝐺 cr as a cycle. Lemma B.3. Given 𝐴 = { c1, c2, . . . , c𝑛 } ⊆ Σ, computing Φ′
1423 1481
:=
In the worst-case scenario, Φ contains a conjunction of clauses c𝑖 ∈𝐴 □¬c𝑖 in lieu of Φ := □(c𝑛 ⇒ #(¬c𝑛 Uc1 )) ∧
1424 Ó Ó 1482
𝑖 ∈N □(c𝑖 ⇒
1425 Ó cr . 1≤𝑖<𝑛 1483
a,c∈Σ ChainResponse(a, c) leading to a fully connected graph 𝐺
1426 a≠c #(¬c𝑖 Uc𝑖+1 )) always leads to a positive average speed-up. 1484
1427
Within this scenario, the worst-case scenario for detecting a cycle 1485
is detecting a cycle of size 2 after fully visiting 𝐺 cr . After doing so, Proof. We can exploit a similar formulation as per Lemma 2 and
1428 1486
we remove the two nodes from 𝐺 cr and repeat the visit over such a Lemma 4, where we now only need to consider that ¬c𝑖 Uc𝑖+1 mod |𝐴|
1429 1487
reduced graph. If we always assume to detect cycles of size 2 for each will come at the cost of (||𝔖|| − #c𝑖 ) 2 #c𝑖+1 mod |𝐴| . This computa-
1430 1488
|𝑉 cr | tion will generate at most data in the size of ||𝔖|| − #c𝑖 , as the
1431 visit, we will end up running 2 visits of the graph, and the overall 1489
Í |𝑉 cr |/2 cr latter data within the first operand of the Until will also contain
1432 time complexity becomes 𝑖=0 (|𝑉 | − 2𝑖 + (|𝑉 cr | − 2𝑖) 2 ) ∈ the events satisfying the condition in the second argument, thus
1490
1433 cr
𝑂 (|𝑉 | ).3 1491
leading to an additional ||𝔖|| − #c𝑖 cost for computing the associated
1434 □ # operator. As the previous clauses, in the worst case scenario
1492
1435 1493
As a further corollary from this, we immediately deduce that our each clause will take (||𝔖|| − #c𝑖 ) 2 #c𝑖+1 mod |𝐴| + ||𝔖|| − #c𝑖 to com-
1436 1494
strategy from §4.4 is far way more efficient than generating a DFA pute and, when considering all the clauses so far, this adds up
1437 1495
||𝔖|| 2
 
1438 associated with a formula for then minimising it as in Lemma 1, as to ||𝔖|| 3 1 − |𝐴| + ||𝔖||(|𝐴| − 1) for each clause by considering 1496
1439 in the best case scenario we still have to generate an exponential #c𝑖 ≃ #c𝑖+1 mod |𝐴| ≃ ||𝔖||/|𝐴|. 1497
1440 number of states in the size of 𝐴, while in our proposed approach we So, as this increases the overall time complexity for each clause, 1498
1441 do not. This is possible as our current envisioned approach assumes we also obtain as per Lemma 4 an always positive speed-up. □ 1499
1442 Lemma 1 to hold without needing to go through the aforementioned 1500
exponential construction algorithm. Corollary B.3. We can rewrite Φ𝑑 containing an AltResponse
1443 1501
short-circuit in polytime on the size of Φ𝑑 .
1444 Lemma 4. Given 𝐴 = { c1, c2, . . . , c𝑛 } ⊆ Σ with h |𝐴| = 𝑛 > 2,
1502
1445
computing Φ′ := c𝑖 ∈𝐴 □¬c𝑖 in lieu of Φ := □(c𝑛 ⇒ ♢c1 ) ∧ Proof. As per Corollary B.2, the goal is closed similarly to 1503
Ó
1446
Ó i Lemma B.1 due to the same way the graph is constructed inde- 1504
1447 𝑖 ∈N □(c𝑖 ⇒ ♢c𝑖+1 ) always leads to a positive average speed- pendently from its associated LTLf semantics. □ 1505
1≤𝑖<𝑛 ↓Σ
1448 up. 1506
1449 1507
1450 13 1508
 PODS 2024, June 9–15, 2024, Santiago, Chile Anon.

1509 B.3 Decidability DECLARE𝑑 clause is attempted to be generated, we ensure 1567

1510
We now prove the lemmas dealing with DECLARE𝑑’s decidability. that this will not trigger another rewriting annihilating 1568
1511 some RespExistence clauses (∀𝑎, 𝑏 ∈ Σ. RespExistence(𝑎, 𝑏)∧ 1569
Lemma B.4. The sub-routines in Algorithm 1 always terminate.
1512 Exists(𝑎) ≡ Exists(𝑎) ∧ Exists(𝑏), Line 45). Similarly 1570
1513 Proof. We now analyse each declared sub-routine. Before doing to the previous steps, we are not adding information in the 1571
1514 so, we observe that no rule generates activity labels that are not graph 𝐺 re that we are traversing, rather than removing 1572
1515 originally considered within the original specification Φ𝑑 , thus those, thus ensuring to avoid unnecessary re-computations 1573
1516 ensuring that the computation will always terminate. Given Σ the over the same activity label 𝑥 ∈ Σ. Furthermore, we re- 1574
1517 set of all the activity labels occurring in the original specification move any occurrence of a Choice clause that might be 1575
1518 Φ𝑑 , we can only have |Σ| distinct calls to these functions and, given trivialised by the existence of 𝑥 (∀𝑎, 𝑏 ∈ Σ. Choice(𝑎, 𝑏) ∧ 1576
1519 that no rule in both Figure 1 and temporal short-circuit rewriting (Exists(𝑎)∨Exists(𝑏)) ≡ (Exists(𝑎)∨Exists(𝑏)), Line 1577
1520 generates novel activity labels not occurring in the formula, we 41) as well as checking whether the existence of 𝑥 might 1578
1521 are never expecting having |dom(𝐹 )| > |Σ|, thus ensuring the lead to inconsistencies related to the required absence of 1579
1522 non-divergence of our computation. This assumption (A1) is then the label expressed in the target condition at Line 43: 1580

∀𝑎, 𝑏 ∈ Σ. NegSuccession(𝑎, 𝑏) ∧ Exists(𝑎) ≡ Absence(𝑏)

1523 transferred to each call of the following functions: 1581
1524 1582
Ex(𝑥): This function takes note that the specification requires, at
1525 Similarly to the other sub-routines, this function is gradu- 1583
some point of the rewriting, that 𝑥 shall exist anytime in a
1526 ally reducing the number of the clauses which are poten- 1584
trace; this mainly updates a hashmap 𝐹 and immediately
1527 tially rewritten in Exists/Absence: due to (A1), this proce- 1585
returns a boolean value determining whether this is also
1528 dure is also guaranteed to terminate. 1586
associated to an absence, for which then 𝐹 will be associated
1529 Reduce★(𝑥) for ★ = ch: This provides a restriction to the case 1587
to two distinct values instead of one. Therefore, this trivially
1530 ★ ≠ ch inasmuch as the activity labels in toremove are not 1588
terminates.
1531 visited from the stack, rather than being used for calling 1589
Abs(𝑥): This function is the exact dual of the previous one, as
1532 Expandre which, in turn, is also a terminating function. 1590
it predicates the absence of an event associated with an
1533 Overall, Reduce is always terminating independently from 1591
activity label 𝑥. Even in this case, this function always
1534 ★. 1592
terminates.
1535
Clear(𝑥): This function calls only other functions for removing Overall, we conclude that each of the sub-routines is guaranteed to 1593
1536
vertices and edges from a graph associated with a clause terminate while also guaranteeing to reduce the information being 1594
1537
template, which functions are non-recursive and trivially stored in the graphs associated with each declarative template. □ 1595
1538 1596
terminating. Furthermore, this function only reduces the Lemma B.5. The computation allowing the expansion of some
1539 1597
previously loaded and indexed information, except for the DECLARE𝑑 clauses while loading those in the appropriate graphs
1540 1598
clauses associated with calls to Ex(x) and Abs(x), used to 𝐺 ★ for each template ★ terminates (Algorithm 2).
1541 1599
detect inconsistencies within the temporal specification.
1542
Reduce★(𝑥) for ★ ≠ ch: This function mainly describes an itera- Proof. First, as the Φ𝑑 set is always finite under the assumption 1600
1543
tive backward DFS visit over a 𝐺 ★ graph with ★ ≠ p using that this algorithm works by loading specification as written in 1601
1544
toremove as a stack by traversing all the edges in the graph a computer, then this algorithm will always take a finite time to 1602
1545
backwards from 𝑥; we avoid in-definitively traversing loops iterate over all the finite set of DECLARE𝑑 clauses being repre- 1603
1546
in the graph by remembering which nodes were already sented in the specification. Next, each invocation to Ex and Abs 1604
1547
visited and popped from the aforementioned stack (vis- is guaranteed to terminate due to Lemma B.4. Furthermore, while 1605
1548
ited). This call jointly with Clear(𝑥) ensures that no clause graphs are instantiated by adding edges (and therefore the corre- 1606
1549
containing 𝑥 ∈ Σ as an activity label will be returned in sponding nodes if missing), we are never traversing those. As per 1607
1550
the resulting specification, as this function will remove all previous considerations, at this stage we also consider expansion 1608
1551
the vertices representing the activity label 𝑥. Henceforth, rules rewriting some of the given clauses in Φ as other clauses. 1609
1552
even this function does not generate new data jointly with As this expansion does not trigger any further rewriting rule in 1610
1553
A1. Overall, the algorithm is then guaranteed always to Figure 1, we are simply adding new clauses without being stuck in 1611
1554
terminate. never-ending cycles. This also goes hand in hand with (A1) from 1612
1555
Reducep (𝑥): we can draw similar considerations as the previous the previous lemma, as we generate clauses without inferring new 1613
1556
algorithm, as the main difference is merely in the direction activity labels not in the original specification. Therefore, even this 1614
1557
of the graph visit: we are now traversing the edges forward algorithmic step is guaranteed to terminate in at least linear time 1615
1558
instead than in reverse (∀𝑎, 𝑏 ∈ Σ. Precedence(𝑎, 𝑏) ∧ concerning the specification size, 𝑜 (|Φ𝑑 |). □ 1616
1559 1617
Absence(𝑎) ≡ Absence(𝑎) ∧ Absence(𝑏), Line 45 also in Corollary B.4. The computation of short-circuit rewriting is guar-
1560
Figure 1). Vertices from the 𝐺 p are also explicitly covered anteed to terminate in a polytime over the size of the original specifi-
1618
1561 1619
in this function (L. 32), as this is not considered as part of cation.
1562 1620
Clear(𝑥); this ensures that this function cannot be called
1563
with the same argument 𝑥. Proof. This can be seen as a further corollary of Corollary B.1, 1621
1564 Expandre (𝑥): Notwithstanding that this function is the dual of Corollary B.2, and Corollary B.3: as the composition of distinct 1622
1565 the previous, this works similarly: when a new Exists(𝑥) 1623
1566 14 1624
 DECLARE𝑑 : a polytime LTLf fragment PODS 2024, June 9–15, 2024, Santiago, Chile

1625 terminating function calls leads to an overall terminating compu- a rewriting rule leading to ⊥, and (iii) at loading time. This proof 1683
1626 tation, we guarantee that all the short-circuit rewritings lead to a follows from the assumption that no further inconsistency can be 1684
1627 terminating computation in polytime over the size of the original detected from the described rules and algorithms. 1685
1628 specification, Φ𝑑 . □ The first scenario requires checking, each time a new Absence(x) 1686
1629 or Exists(x) clause is generated, to always check for (i) while 1687
Lemma B.6. The computation of the rewriting rules leads to a ter-
1630 ensuring that the detection of (i) is propagated through the function 1688
minating procedure.
1631 call chain. The second condition requires iterating over all the edges 1689
1632 Proof. Last, we consider the termination for the procedure and correctly detecting the conditions leading to ⊥ from Figure 1 1690
1633 sketched in §4.3. In the worst case scenario, we are never gen- while applying the rewriting rules as per §4.3: the return of ⊥ in 1691
1634 erating an inconsistency, thus never abruptedly terminating the this occasion is described in this section. The third scenario is as 1692
1635 procedure by returning an inconsistent ⊥ specification. If no rewrit- described in Algorithm 2. We close the two last sub-goals as we 1693
1636 ing rule is ever triggered, we then simply iterate over all the edges covered all the possible cases leading to a direct inconsistency. 1694
1637 of the graphs 𝐺 ★ for each template ★ without triggering any of the This leads to then proving the remaining first sub-goal. First, we 1695
1638 past functions. Furthermore, the iteration over the domain of 𝐹 will can prove that detecting an inconsistent specification is propagated 1696
1639 be always be the same. Therefore, no additional overhead is intro- backwards given the function call stack. Let us now focus on the sub- 1697
1640 duced and the procedure terminates. On the other hand, we trigger routines in Algorithm 1: we observe that Abs/Ex returns false when 1698
1641 at least one rewriting rule that, per the (A1) assumption, never a specification is being detected as inconsistent, while all the other 1699
1642 generates a clause containing an activity label that was not present sub-routines in the same Algorithm immediately return false upon 1700
1643 in Σ: under this, all the previous functions are also guaranteed not calling any of the other functions when at least one call detects such 1701
1644 to generate more information than the one being available in Σ. an inconsistency. As the generation of Absence(x) or Exists(x) is 1702
1645 Furthermore, this computation never generates new edges to be vis- also achieved by calling the previous functions, we always ensure 1703
1646 ited, as the only expansion phase occurs as described in Lemma B.5. that any potential inconsistency is detected. Furthermore, the code 1704
1647 At most. we trigger the deletion of edges from the graph that we are guarantees that any call to Reduce and Clear returning false im- 1705
1648 currently generating or the generation of novel Exists/Absence mediately returns ⊥: this in fact holds as the respective functions 1706
1649 clauses, but we never generate other clauses. Furthermore, the guarantee that explicit application of the rewriting rules involv- 1707
1650 graphs are mainly depleted after iterating over the edges, by in- ing each clause that we know per Absence(𝑥) that will be never 1708
1651 voking Reduce or Clear functions for each 𝑥 s.t. 𝐹 (𝑥) = false activated, thus guaranteeing an a posteriori rewriting of the specifi- 1709
1652 after the aforementioned edge iteration. Even in this scenario, the cation even after scanning all of the clauses associated to the same 1710
1653 computation is guaranteed to converge. □ template as per §4.3. For NotCoExistence, we also guarnatee that 1711
1654 this detection occurs by directly calling Reducech instead, thus also 1712
1655 B.4 Correctness leading to the generation of Exists clauses. Dually, this also holds 1713
1656
Lemma B.7. If the specification is a tautology, then the formula is for the generation of new Exists(𝑥) rules, which are then leading 1714
1657
completely rewritten into ⊤. to the invocation of the Expandre (𝑥) sub-routine which, in turn, is 1715
1658 also checking for Ex(𝑥). Thus we can observe that our algorithm 1716
1659 Proof. Algorithm 2 is the only part detecting trivially-holding guarantees that all of the rules are properly expanded as well as 1717
1660 conditions: this occurs all the time that an edge is not added in 𝐺 ★ always updating on the current state for the existence/absence of 1718
1661 for a clause with the template ★ while invoking neither Abs nor inconsistencies, thus leading to correctly detecting an inconsistency 1719
1662 Ex, as these would otherwise trigger the generation of Absence if any. As the rewriting rules provide all the possible combinations 1720
1663 and Exists clauses at the end of the computation. In fact, any fur- for which the absence or the presence of specific activity labels 1721
1664 ther clause rewriting resulting from applying the rewriting rules as might generate further activation or target conditions, we immedi- 1722
1665 described in §4.3 always invokes one of the two former functions, ately ensure to return an inconsistent specification upon detection 1723
1666 thus not necessarily guaranteeing that an empty specification will given the rewriting rules completely describing the language. □ 1724
1667 be returned. Therefore, the aforementioned algorithm is the only 1725
1668 point in the code where the non-insertion of clauses jointly with Last, we also provided some unit tests for ensuring, to the best 1726
1669 the lack of the invocation of Abs/Ex might lead to the generation of our knowledge, the correctness of the implemented solution: 1727
1670 of an empty specification. As the clauses that were not inserted in https://anonymous.4open.science/r/DECLAREd-B1BF/tests.cpp. 1728
1671 the specification were actually trivially true, if we obtain a specifi- 1729
1672 cation with empty graphs and an empty 𝐹 , we infer that the overall C DETAILED BENCHMARKS 1730
1673 specification is also trivially true. Therefore, in this situation, we This section provides the aforementioned benchmarks in a greater 1731
1674 return ⊤ as a resulting Φ′ for Φ𝑑′ . □ size, so as to better remark the running times associated with each 1732
1675 single algorithm. As in the main paper, missing data points for 1733
Lemma B.8. If the specification is unsatisfiable, then the computa- specific 2𝑖 values of |Σ| refer to missing data points due to out-of-
1676 1734
tion abruptedly terminates while returning ⊥ memory issues while dealing with the automaton representation
1677 1735
1678 Proof. We observe that we detect the specification as unsatisfi- of the LTLf formula. Figure 9 provides all the running times for the 1736
1679 able only under three circumstances, whether (i) ∃𝑥 ∈ dom(𝐹 ).|𝐹 (𝑥)| = reducer, while Figure 10 andFigure 11 refers to the running time 1737
1680 2, thus implying by algorithmic construction that the absurd condi- of the formal synthesis (Lydia) and SAT-Checker (AALTAF) tasks 1738
1681 tion Absence(x) ∧ Exists(x) should hold, (ii) whether we trigger over different specifications representations. 1739
1682 15 1740
 PODS 2024, June 9–15, 2024, Santiago, Chile Anon.

1741 1799
1742 1800
1743 1801
1744 1802
1745 1803
1746 1804
1747 1805
1748 1806
1749 1807
1750 1808
1751 1809
1752 1810
1753 1811
1754 1812
1755 1813
1756 1814
1757 1815
1758 1816
1759 1817
1760 Figure 9: Running times for rewriting Φ𝑑 as Φ𝑑′ 1818
1761 1819
1762 1820
1763 1821
1764 1822
1765 1823
1766 1824
1767 1825
1768 1826
1769 1827
1770 1828
1771 1829
1772 1830
1773 1831
1774 1832
1775 1833
1776 1834
1777 1835
1778 1836
1779 1837
Φ𝑖 (LYDIA), Φ𝑖′𝑐 (LYDIA(R)) and
𝑐,𝑔 𝑐,𝑔
1780
Figure 10: Running times for Lydia for both (Φ𝑖 )↓Σ (LYDIA+AX) 1838
1781 1839
Received 20 February 2007; revised 12 March 2009; accepted 5 June 2009
1782 16 1840
1783 1841
1784 1842
1785 1843
1786 1844
1787 1845
1788 1846
1789 1847
1790 1848
1791 1849
1792 1850
1793 1851
1794 1852
1795 1853
1796 1854
1797 1855
1798 1856
 DECLARE𝑑 : a polytime LTLf fragment PODS 2024, June 9–15, 2024, Santiago, Chile

1857 1915
1858 1916
1859 1917
1860 1918
1861 1919
1862 1920
1863 1921
1864 1922
1865 1923
1866 1924
1867 1925
1868 1926
1869 1927
1870 1928
1871 1929
1872 1930
1873 1931
1874 1932

Φ𝑖 Φ𝑖′𝑐
𝑐,𝑔 𝑐,𝑔
1875 Figure 11: Running times for AALTAF for both (AALTAF), (AALTAF(R)) and (Φ𝑖 )↓Σ (AALTAF+AX) 1933
1876 1934
1877 1935
1878 1936
1879 1937
1880 1938
1881 1939
1882 1940
1883 1941
1884 1942
1885 1943
1886 1944
1887 1945
1888 1946
1889 1947
1890 1948
1891 1949
1892 1950
1893 1951
1894 1952
1895 1953
1896 1954
1897 1955
1898 1956
1899 1957
1900 1958
1901 1959
1902 1960
1903 1961
1904 1962
1905 1963
1906 1964
1907 1965
1908 1966
1909 1967
1910 1968
1911 1969
1912 1970
1913 1971
1914 17 1972