Foundations for Query-based Runtime Monitoring of Temporal Properties over Runtime Models

Abstract

In model-driven engineering, runtime monitoring of systems with complex dynamic structures is typically performed via a runtime model capturing a snapshot of the system state: the model is represented as a graph and properties of interest as graph queries which are evaluated over the model online. For temporal properties, history-aware runtime models encode a trace of timestamped snapshots, which is monitored via temporal graph queries. In this case, the query evaluation needs to consider that a trace may be incomplete, thus future changes to the model may affect current answers. So far there is no formal foundation for query-based monitoring over runtime models encoding incomplete traces.

In this paper, we present a systematic and formal treatment of incomplete traces. First, we introduce a new definite semantics for a first-order temporal graph logic which only returns answers if no future change to the model will affect them. Then, we adjust the query evaluation semantics of a querying approach we previously presented, which is based on this logic, to the definite semantics of the logic. Lastly, we enable the approach to keep to its efficient query evaluation technique, while returning (the more costly) definite answers.

1 Introduction

Modern safety-critical systems, e.g., smart healthcare and autonomous transportation, consist of numerous interconnected technologies such as sensors, smart devices, and information systems [15]. These systems are human-in-the-loop and operate in highly dynamic environments [16]. Moreover, they are real-time, i.e., their safe operation depends on the timing of their actions, and missed deadlines for these actions may lead to hazardous situations [46]. These characteristics hinder complete quality assurance during the design of such systems and increase the uncertainty about their behavior at runtime. Consequently, their safe operation relies on formally precise Runtime Monitoring (RM) techniques [34], which are capable of handling the complex underlying structure and its dynamic [13] as well as timing constraints when monitoring the system behavior [4].

As shown by recent surveys [9, 52], in model-driven engineering, RM of systems with complex dynamic structures is typically performed via a (structural) Runtime Model (RTM) [12] capturing a snapshot of the system state: the model is represented as a graph of interacting components and properties of interest as graph queries which are evaluated over the model online; query matches constitute monitoring issues. For efficiency, the evaluation of graph queries is based on methods which afford incremental and change-driven evaluation [54], i.e., triggered only when changes to the RTM are relevant to a query.

For temporal properties, history-aware RTMs capture past changes to the model and their timing [11], thereby encoding a trace of timestamped snapshots. These RTMs are then monitored via the evaluation of temporal graph queries which specify the ordering and timing constraints that matches should satisfy. In this case, the query evaluation needs to consider that the trace encoded by the history-aware RTM may be incomplete, i.e., the execution may be ongoing, and hence future changes to the RTM may affect current query answers. So far there is no formal foundation for temporal-query-based RM over incomplete RTMs.

In our previous work, we presented a querying approach for the evaluation of temporal graph queries over history-aware RTMs named InTempo  [49]—see Section 2.3 for an overview and Fig. 1 for an illustration. InTempo advances the state-of-the-art by: enabling a formally precise answer set which pairs matches with their temporal validity, i.e., the set of all time points for which a match exists and satisfies a temporal property according to a first-order temporal graph logic; featuring sound methods for incremental and change-driven evaluation as well as the optional pruning of the RTM, i.e., the removal of temporally irrelevant history. Extensive experimental evaluation showed that our implementation of InTempo efficiently evaluated complex queries over considerably large models (approx. from 10K to 48M elements) [49]. The experimental evaluation included an RM application scenario, in which InTempo evaluated queries faster than an RTM-based tool and a tool from the related RM approach known as Runtime Verification (RV).

However, the formal foundation of InTempo assumes that the RTM encodes a complete trace. For the RM scenario, we equipped InTempo with a check that was applied to the answer set and, based on the timing constraint of the property, filtered matches that could be affected by future changes to the RTM. In this paper, we present a formal foundation for temporal-query-based RM over incomplete RTMs. The foundation entails the introduction of an answer set which formalizes the intuition behind the check and allows approaches like InTempo to maintain their efficiency while returning formally precise answers.

Specifically, our contributions are the following. First, we introduce a definite semantics for a temporal graph logic (Section 3), which only returns answers if they are definite, i.e., no future change to the RTM will affect them; we show that the definite semantics is sound. Then, we introduce a new definite answer set (Section 4) for the query language of InTempo which pairs matches with their definite temporal validity and invalidity. Compared to the original (non-definite) answer set, the definite answer relies on the time point on which a query is evaluated and thus requires the re-computation of the definite temporal validity and invalidity in each evaluation. The definite answer set is thus inefficient, i.e., not amenable to change-driven evaluation. However, we use this theoretical result to show that our last contribution, the effective answer set (Section 5), which essentially incorporates the check mentioned above, can return definite answers while relying on the original, and thus efficient, answer set.

The presented contributions are based on unpublished material from the doctoral thesis of the first author [47]. Section 2 reiterates preliminaries and InTempo, Section 6 discusses related work, and Section 7 concludes the paper.

Fig. 1.

An excerpt of the SHS metamodel from [49] (left) and an operational overview of the InTempo implementation where arrows denote input and output.

Running Example. As a running example we will use the Smart Healthcare System (SHS) introduced in [49]. Fig. 1 shows an excerpt of the SHS metamodel. An SHS is an envisioned smart medical environment [45], based on the service-based exemplar in [55], which supports clinicians in medical treatments by automating tasks via smart devices. In the context of an SHS, RM may be used to verify whether treatments comply with the requirements in a guideline, which typically contain timing constraints [17]. In the SHS, services are invoked by a main service called SHSService to collect measurements from patient sensors, i.e., PMonitoringService, or take medical actions via smart medical devices such as a smart pump, i.e., DrugService. The results of service invocations are tracked via monitoring probes (Probe) that are attached to Services. Probes are generated periodically or upon events in the real world. Each Probe has a status attribute whose value depends on the type of Service. Each Service has a pID attribute which identifies the patient for whom the Service is invoked. The MonitorableEntity is explained in Section 2.1.

We focus on a property P that tracks time between triage and admission, as often done in medical guidelines [39]; in the context of an SHS, these activities are represented by the invocation of a sensor service and a drug service, respectively: “When a sensor service is invoked for a patient, there should be a drug service invoked for the same patient within one minute and, until then, there should be no other sensor service invoked for the same patient.” The specific timing constraint is adjusted for the purpose of presentation. Assume an RTM that captures that a sensor service has just been invoked for a patient, but contains no drug invocation yet; for monitoring P, it is important to consider that a future state which contains the drug service invocation may follow in time; therefore, the present state does not yet violate P.

2 Preliminaries

In this section, we summarize preliminaries and the InTempo query language. An overview of the notation used in the paper is shown in Table 2 in Section A.

2.1 Formal Representation of Models and Queries

An RTM is typically represented as a graph, where system entities are captured by vertices, information about the entities by attributes, and relationships between entities by edges [14, 24, 25]. In this paper, for the formal representation of RTMs, we rely on the well-known typed graphs [20], i.e., graphs typed over a type graph which defines types of vertices, edges, and valid structures for typed graphs.

Definition 1

((typed) graph, (typed) graph morphism, type graph). A graph \(G=(G^{V},G^{E},s^G,t^G)\) consists of a set of vertices \(G^{V}\), a set of edges \(G^{E}\), a source function \(s^G: G^{E}\rightarrow G^{V}\), and a target function \(t^G: G^{E}\rightarrow G^{V}\). Given two graphs \(G=(G^{V},G^{E},s^G,t^G)\) and \(K=(K^{V},K^{E},s^K,t^K)\), a graph morphism \(f: G \rightarrow K\) is a pair of mappings \(f^V:G^V\rightarrow K^V,f^E:G^E\rightarrow K^E\) such that \(f^V \circ s^G = s^K \circ f^E\) and \(f^V \circ t^G = t^K\circ f^E\). A graph morphism \(f: G \rightarrow K\) is a monomorphism, denoted by \(\hookrightarrow \), if \(f^V\) and \(f^E\) are injective. A type graph is a distinguished graph \(TG=(TG^{V},TG^{E},s^{TG},t^{TG})\). A tuple (G, type) consisting of a graph G and a graph morphism \(type: G \rightarrow TG\) is called a typed graph. Given two typed graphs \(G^T=(G, type)\) and \(K^T=(K, type')\), a typed graph morphism \(f: G^T \rightarrow K^T\) is a graph morphism \(f': G \rightarrow K\) such that \(type' \circ f' = type\).

Type graphs can be extended to support the well-known concepts of inheritance and multiplicities from the object-oriented paradigm [53]. Moreover, typed graphs can be extended by vertex and edge attributes, each associated with a data type, i.e., a character string, an integer, a real number, or a boolean, to obtain typed attributed graphs [20]. Attribute assignments assign data-type-compatible values to attributes, and attribute constraints, i.e., a boolean expression over attribute values, restrict the possible assignments. Our contributions rely on such graphs, defined in detail in our prior work [50]; to avoid the complication of presentation, here we omit these extensions from our definitions.

Fig. 2.

Patterns for the SHS (left) and the GDN N for the query \((n, \lnot \psi _P)\).

The metamodel in Fig. 1 may be seen as an informal representation of the type graph of the SHS, where only vertices have attributes. Correspondingly, the RTM \(G_7\) in Fig. 3 is an informal representation of a typed attributed graph. We henceforth refer to typed attributed graphs simply as graphs or patterns. The RTM \(G_7\) contains assignments, which assign values to attributes, e.g., \(\texttt {pm}_{1}.{pID}=1\). The representation of the textual statements in property P of the running example by patterns is illustrated in Fig. 2: The invocation of a sensor service is captured in patterns \(n_1\) and \(n_{1.1}\), and the invocation of a drug service is captured in \(n_{1.2}\); constraints are illustrated between braces, e.g., \(n_{1.1}\) requires that the values for pID of pm and pm2 are equal; vertices with the same label refer to the same vertex in the queried RTM.

We assume that the system is instrumented to generate (instantaneous) events upon changes to its state, and identify the system execution with a possibly infinite sequence of such events. The system has a clock whose time domain is the set of non-negative real numbers \(\mathbb {R}^+_0\), and uses the clock to timestamp events. We refer to an element of the time domain as a time point. Intuitively, an (execution) trace \(h_\tau \) of a system with respect to an event at time point \(\tau \) is the sequence of all observed events in the execution from its beginning, i.e., time point 0, up to and including \(\tau \). For brevity, we group all changes with the same time point in one event. However, we require that no event groups an infinite amount of changes, thereby ruling out Zeno behaviors—in the use-cases of interest, all traces will eventually terminate and differences between measurements cannot become infinitely small. We denote the time point at position i of \(h_{\tau }\) by \(\tau _i\), with \(i \in \mathbb {N}^+\).

For a model-based representation of a trace \(h_\tau \), we rely on a Runtime Model with History (RTM\(^\textrm{H}\)) [49]. An RTM\(^\textrm{H}\) H is a distinguished RTM where the following conditions hold. All vertices in H have a distinguished creation timestamp cts and a deletion timestamp dts to which a value is assigned—therefore in Fig. 1, all vertices inherit from the MonitorableEntity.¹ When a vertex is created, the time point of creation is assigned to cts and the value \(\infty \) is assigned to the dts; the dts value changes when the vertex is deleted in the modeled system. As a vertex cannot have been deleted prior to its creation or deleted simultaneously to its creation, the value of dts, if not \(\infty \), has to be larger than the value of cts.

Fig. 3.

Snapshots as RTMs (\(G_*\)) and traces as RTMH instances (\(H_{[*]}\)).

An \(h_\tau \) can be transformed to an RTM\(^\textrm{H}\) H based on a mapping \(\mathcal {E}\) from the set of all possible events to corresponding graph modifications [48]; to capture the period covered by H in this case, we denote it by \(H_{[\tau ]}\). Each trace continuation \(h_{\tau '}\) that is yielded by an event at time point \(\tau '\) with \(\tau '>\tau \) can be similarly transformed to a \(H_{[\tau ']}\) by applying the changes in the event at \(\tau '\) to \(H_{[\tau ]}\); we refer to \(H_{[\tau ']}\) as a new version of \(H_{[\tau ]}\). This process generates a trace of RTMs \(h^H_{\tau '}\), called an RTM\(^{ H}\)-trace, which mirrors \(h_\tau '\); we refer to members of \(h^H_{\tau '}\) as instances of the RTM\(^\textrm{H}\). Formally, an \(H_{[\tau ]}\) is a compact representation of a timed graph sequence [26], i.e., a sequence of timestamped graphs where additions and deletions between two consecutive graphs are represented by morphisms. As an example of an RTM\(^\textrm{H}\), see \(H_{[5]}\) in Fig. 3 which contains all changes in events up to time point 5; \(H_{[5]}\) represents the timed graph sequence \(G_2G_4G_5\) (left in Fig. 3; morphisms are omitted). A new event at time point 7 which contains the deletion of d1, and the addition of pm2 is transformed into \(H_{[7]}\); this RTM represents the sequence \(G_2G_4G_5G_7\). If \(\tau \) in \(h_{\tau }\), \(h^H_{\tau }\), or \(H_{[\tau ]}\) is irrelevant, we omit it.

2.2 Metric Temporal Graph Logic

For the specification and analysis of temporal properties in temporal queries, InTempo relies on the Metric Temporal Graph Logic (MTGL) [26, 50]. MTGL builds on Nested Graph Conditions (NGCs) [27] and Metric Temporal Logic (MTL) [35] to enable the formulation of Metric Temporal Graph Conditions (MTGCs). The language of NGCs can formulate requirements that are as expressive as first-order logic on graphs [18], as shown in [27, 44], and constitutes as such a natural formal foundation for pattern-based queries. As NGCs, MTGCs support bindings, i.e., morphisms between patterns which bind elements in outer conditions to inner (nested) conditions, and are therefore able to track the evolution of a given binding in a sequence of graphs separately to other bindings.

In the following definition of MTGL, we focus on a subset of MTGL operators which contains the metric, i.e., interval-based, temporal operators until (\(\textrm{U}_I\), with I an interval in \(\mathbb {R}_{0}^{+}\)) and its dual since (\(S_I\)) from MTL. The existential quantifier features a binding between the patterns n and \(\hat{n}\).

Definition 2

(metric temporal graph conditions). Let n,\(\hat{n}\) be patterns and \(f: n \hookrightarrow \hat{n}\) a binding. Moreover, let I be an interval in \(\mathbb {R}_{0}^{+}\). Then \(\psi \) is a Metric Temporal Graph Condition (MTGC) over n defined as follows.

In the remainder, we abbreviate \(\exists (f, {true })\) by \(\exists \, f\) and, when the domain of f is clear from the context, \(\exists (f : n \hookrightarrow \hat{n}, \phi _{\hat{n}})\) by \(\exists (\hat{n}, \phi )\). Other abbreviations, e.g., disjunction (\(\vee \)), eventually (\(\lozenge _I\)) can be defined as usual.

Based on the patterns in Fig. 2, property P from the running example can be reformulated into “given a binding for \(n_1\) at a time point \(\tau \), at least one binding for \(n_{1.2}\) is found at some time point \(\tau ' \in [\tau , \tau + 60]\), i.e., at most 60 seconds later; in addition, at each time point \(\tau '' \in [\tau , \tau ')\) in between, no binding for \(n_{1.1}\) is present.” In MTGL, this property is captured by the MTGC \(\psi _P := \lnot \exists \, (n_1 \hookrightarrow n_{1.1}, {true }) \,\textrm{U}_{[0,60]}\, \exists \, (n_1 \hookrightarrow n_{1.2}, {true })\), or, abbreviated, \(\lnot \exists n_{1.1} \,\textrm{U}_{[0,60]}\, \exists n_{1.2}\). The system is assumed to track time in seconds; vertices s and pm from \(n_1\) are bound in the patterns \(n_{1.1}\) and \(n_{1.2}\), i.e., all patterns refer to the same s and pm.

MTGL reasons over (finite) timed graph sequences. However, MTGCs can also be equivalently checked over a graph with history [26], which here corresponds to an RTM\(^\textrm{H}\). In the following, we define the semantics of the satisfaction relation of MTGL based on an RTM\(^\textrm{H}\).

Definition 3

(satisfaction of metric temporal graph conditions over an RTM). Let H be an RTM\(^{H}\), n a pattern, and \(m: n \hookrightarrow H\) a binding. Moreover, let \(\tau \) be a time point in \(\mathbb {R}_{0}^+\) and \(\psi \) be an MTGC over n. Then m in H satisfies \(\psi \) at \(\tau \), written \((H, m, \tau ) \models \psi \), if \(\text {max}_{e \in E} e.cts \le \tau < \text {min}_{e \in E} e.dts \), with E the vertices of m, and one of the following cases applies.

• \(\psi = {true } \).

• \(\psi =\lnot \chi \) and \((H, m, \tau ) \not \models \chi \).

• \(\psi =\chi \wedge \omega \), \((H, m, \tau ) \models \chi \), and \((H, m, \tau ) \models \omega \).

• \(\psi =\exists (f: n \hookrightarrow \hat{n}, \chi )\) and there exists \(\hat{m}: \hat{n} \hookrightarrow H\) such that \(\hat{m} \circ f = m \) and \((H, \hat{m}, \tau ) \models \chi \).

• \(\psi = \chi \,\textrm{U}_I \omega \) and there exists \(\tau '\) with \(\tau '-\tau \in I\) such that \((H, m,\tau ') \models \omega \) and for all \(\tau '' \in [\tau , \tau ')\) \((H, m, \tau '') \models \chi \).

• \(\psi = \chi \,\textrm{S}_I \omega \) and there exists \(\tau '\) with \(\tau -\tau ' \in I\) such that \((H, m,\tau ') \models \omega \) and for all \(\tau '' \in (\tau ', \tau ]\) \((H, m, \tau '') \models \chi \).

Intuitively, a binding m for n in the RTM H satisfies the MTGC \(\exists (f: n \hookrightarrow \hat{n}, \chi )\) at time point \(\tau \) if (i) all elements of m are already created but not yet deleted at \(\tau \), and (ii) there exists a binding \(\hat{m}\) for \(\hat{n}\) in H such that \(\hat{m}\) is compatible with m, i.e., respects the binding between the two patterns captured in \(n \hookrightarrow \hat{n}\), and \(\hat{m}\) satisfies the MTGC \(\chi \) at \(\tau \). The intuition behind \({true } \), negation, conjunction, until, and since is the usual.

2.3 InTempo: Query Language and Overview of Operation

InTempo introduces a query language, henceforth referred to as \(\mathcal {L}\), which has two distinguishing features: it enables the formulation of ordering and temporal constraints in MTGL, i.e., as an MTGC, thereby enabling formal precision in checking whether matches satisfy those constraints; it computes the period for which a match satisfies an MTGC, thereby enabling practical query evaluations, as the query does not have to be evaluated for each time point of interest. We summarize core concepts of graph queries and \(\mathcal {L}\) below.

In its plainest form, a graph query is characterized by a pattern n. A match for this query is a binding from n to a queried graph which preserves structure and type. \(\mathcal {L}\) allows for the specification of temporal graph queries, i.e., queries of the form \((n, \psi )\) with \(\psi \) an MTGC over n, whereby matches for n in an RTM\(^\textrm{H}\) H need to satisfy the temporal requirement captured in \(\psi \). Based on the running example, the query \((n_1, \lnot \psi _P)\), searches H for matches for \(n_1\), i.e., sensor services, which falsify \(\psi _P\).

Vertices in H have lifespans, defined by their cts and dts. Similarly, a match m in H is valid only if there is a non-empty interval \(\lambda ^m=\cap _{e \in E} [e.cts , e.dts )\), with E the vertices of m, called the lifespan of a match. According to its definition, the values of regular attributes in H cannot change and, hence, cannot affect \(\lambda ^m\). In the special case where the pattern of a query is the empty graph \(\varnothing \), an (empty) match m is always found with \(\lambda ^m=\mathbb {R}\). Temporal logics that reason over intervals, such as MTGL, are capable of deciding the truth value of a property for the entire time domain; in InTempo, the set of time points satisfying a property is called the satisfaction span and defined as \(\mathcal {Y}(m, \psi )=\{ \tau \, | \, \tau \in \mathbb {R}\wedge (H, m, \tau ) \models \psi \}\) with \(\psi \) an MTGC. The temporal validity \(\mathcal {V} (m, \psi )\) is equal to \(\lambda ^m \cap \mathcal {Y}(m, \psi )\) and defined as the period for which m exists in H and satisfies \(\psi \).

The following computation, called the satisfaction computation \(\mathcal {Z}\) of m for \(\psi \), soundly computes \(\mathcal {Y}\), as shown in [49]. The computation relies on interval operations defined as usual [see 41]: Let k, z be intervals; then \(k \oplus z = [\ell (k)+\ell (z),r(k)+r(z)]\), \(k \ominus z = [\ell (k)-r(z),r(k)-\ell (z)]\) with \(\ell (k)\) and r(k) the left and right end-point of k, respectively. We denote the unions \(\ell (k) \cup k\) by \(^{+}k\), and \(k\cup r(k)\) by \(k^{+}\); when \(r(k)=\infty \), \(k^{+}=k\). The interval k is overlapping z when \(k\cap z\not =\emptyset \) and adjacent to z when \(k\cap z=\emptyset \) but \(k\cup z\) is an interval.

Definition 4

(satisfaction computation \(\mathcal {Z}\)). Let \(n, \hat{n}\) be patterns and \(\psi , \chi , \omega \) be MTGCs. Moreover, let m be a match for n in an RTM H, and \(\hat{M}\) a set of matches for \(\hat{n}\) that are compatible with the (enclosing) match m. The satisfaction computation \(\mathcal {Z}(m, \psi )\) is recursively defined as follows.

$$\begin{aligned} \mathcal {Z}(m, {true }) = \mathbb {R} \end{aligned}$$

(1)

$$\begin{aligned} \mathcal {Z}(m, \lnot \chi )= \mathbb {R} \setminus \mathcal {Z}(m, \chi ) \end{aligned}$$

(2)

$$\begin{aligned} \mathcal {Z}(m, \chi \wedge \omega )= \mathcal {Z}(m, \chi ) \cap \mathcal {Z}(m, \omega ) \end{aligned}$$

(3)

$$\begin{aligned} \mathcal {Z}(m,\exists (\hat{n}, \chi )) = \bigcup \limits _{\hat{m} \in {\hat{M}}} \lambda ^{\hat{m}} \cap \mathcal {Z}(\hat{m}, \chi ) \end{aligned}$$

(4)

$$\begin{aligned} \mathcal {Z}(m,\chi \textrm{U}_I \omega )= {\left\{ \begin{array}{ll} \bigcup \limits _{i \in \mathcal {Z}(m, \omega ),\, j \in J_i} j \cap \big ((j^{+} \cap i) \ominus I\big ) &{} \text {if } 0 \, \not \in I \\ \bigcup \limits _{i \in \mathcal {Z}(m, \omega )} i \, \cup \bigcup \limits _{ j \in J_i} j \cap \big ((j^{+} \cap i) \ominus I\big ) &{} \text {if } 0 \, \in I \end{array}\right. }\end{aligned}$$

(5)

$$\begin{aligned} \mathcal {Z}(m,\chi \textrm{S}_I \omega )= {\left\{ \begin{array}{ll} \bigcup \limits _{i \in \mathcal {Z}(m,\omega ),\, j \in J_i} j \cap \big ((^{+}j \cap i) \oplus I\big ) &{} \text {if } 0 \, \not \in I \\ \bigcup \limits _{i \in \mathcal {Z}(m,\omega )} i \, \cup \bigcup \limits _{ j \in J_i} j \cap \big ((^{+}j \cap i) \oplus I\big ) &{} \text {if } 0 \, \in I \end{array}\right. } \end{aligned}$$

(6)

with \(J_i\) the set of all intervals in \(\mathcal {Z}(m, \chi )\) that are either overlapping or adjacent to some \(i\in \mathcal {Z}(m, \omega )\).

The intuition behind the equations for true, negation, and conjunction is clear. Regarding exists, the satisfaction span is the union of the temporal validity of all matches \(\hat{m}\) for \(\hat{n}\) which are compatible with m. Regarding until, if \(0 \not \in I\), the satisfaction includes every time point \(\tau \) in the intersection of some \(i' \in Z(m,\omega )\) with a \(j' \in \mathcal {Z}(m,\chi )\) for which a time point \(\tau ' \in i'\) occurs within I. Furthermore, \(j'\) needs to overlap \(i'\), e.g., \(j' = [1, 3]\), \(i' = [2, 4]\) or be adjacent to \(i'\), e.g., \(j' = [1, 2)\), \(i' = [2, 4]\). If \(j'\) and \(i'\) are adjacent, during the computation j becomes right-closed to ensure that their intersection produces a non-empty set. If \(0 \in I\), then, according to Definition 3, it may be that \(j'\) is empty, i.e., does not exist, and until is satisfied by every \(i' \in \mathcal {Z}(m,\omega )\). Therefore, the computation includes every \(i'\) and remains unchanged otherwise. The intuition behind since is analogous.

The intersection of two intervals is always an interval, whereas the union of two intervals may result in disjoint sets. Hence, technically \(\mathcal {Z}\) and \(\mathcal {V}\) are interval sets which may contain disjoint or empty intervals.

We define below the answer set \(\mathcal {T}\) for a query in \(\mathcal {L}\).

Definition 5

(query answer set \(\mathcal {T}\)). Given a pattern n, an MTGC \(\psi \), and an RTM\(^H\) H, the answer set \(\mathcal {T}\) of a query in \(\mathcal {L}\) over H is given by:

$$\begin{aligned} \mathcal {T} (H) = \{(m, \mathcal {V} (m, \psi )) | m\text { is a match for }n \wedge \mathcal {V} (m, \psi ) \not =\emptyset \} \end{aligned}$$

Regarding the operation of InTempo (see Fig. 1), the approach expects a metamodel, a set of queries in \(\mathcal {L}\), a mapping \(\mathcal {E}\) from events to modifications, and an event trace \(h_\tau \) as input—see definitions earlier. InTempo operationalizes queries (see Section 5). For each event events in \(h_\tau \), InTempo performs the corresponding changes to an RTM\(^\textrm{H}\) and, after each change, evaluates the queries. Pruning may follow, which triggers another query evaluation to update stored matches. Finally, InTempo returns the answer set \(\mathcal {T}\) or, for RM, performs the check described in Section 1 and essentially returns matches in the effective answer set \(\mathcal {T} ^e\) (see Section 5). In our implementation of InTempo, the metamodel, the queries, and the mapping are defined based on model-based technologies [48].

We present an example that demonstrates that \(\mathcal {T}\) may contain imprecise answers in the context of an incomplete trace.

Example 1

(imprecision over incomplete trace). Evaluated over \(H_{[7]}\) in Fig. 3, the query \((n_1, \lnot \psi _P)\) returns an answer set \(\mathcal {T} (H_{[7]})\) which contains a pair \((m_2, [7,\infty ))\); \(m_2\) is a match for \(n_1\) involving the vertex pm2, and \([7,\infty )\) is the temporal validity \(\mathcal {V}\) which states that \(m_2\) falsifies \(\psi _P\) from time point 7 onward. \(\mathcal {V}\) is the result of the intersection of \(\lambda ^{m_2}=[7,\infty )\) with \(\mathcal {Z} (m_2, \lnot \psi _P)=\mathbb {R}\). The satisfaction span \(\mathcal {Z}\) is computed according to Definition 4—see Table 1 for details.

This computation is definite only if \(H_{[7]}\) is the last instance in an RTM\(^\textrm{H}\)-trace; if the trace is incomplete, and it is to be continued by a new \(H_{[\tau ]}\) with \(\tau \le 67\), the match \(m_2\) may still satisfy \(\psi _P\), as there is still time for a DrugService to be created timely, i.e., a match for the pattern \(n_{1.2}\), which is compatible with \(m_2\), to be found—assuming that until then there would be no match for \(n_{1.1}\).

3 Definite Semantics for Metric Temporal Graph Logic

This section presents our contribution to MTGL. Specifically, we introduce a new semantics, called definite, which only returns answers if they are definite, i.e., no future change to the RTM\(^\textrm{H}\) will affect them. Similarly to temporal logics which account for RM over incomplete traces [8, 21], the definite semantics is three-valued, as they return the value unknown when the result of the satisfaction check is not definite. We show the soundness of the definite semantics in Theorem 1 based on the regular semantics in Definition 3. Moreover, we show that for a certain period the definite and the regular semantics are equivalent (Theorem 2); this equivalence enables our contribution in Section 5, i.e., it allows InTempo to return definite answers efficiently. Finally, we demonstrate an intrinsic limitation of the definite semantics: we show that for unsatisfiable properties, the semantics may return decisions with a delay, compared to the earliest time point on which the decisions could have been returned. We compute the maximum possible magnitude of the delay (Corollary 2).

We begin with the definition of the definite semantics. In the context of an RTM\(^\textrm{H}\) \(H_{[c]}\), a satisfaction decision for time point \(\tau \in [0, c]\) is definite if the decision for \(\tau \) remains the same in all possible future versions of \(H_{[c]}\). We obtain the definite satisfaction span by adjusting the satisfaction relation of MTGL from Definition 3 to this notion of definiteness. Moreover, we obtain the definite falsification by negating the statements in the cases of the definite satisfaction. We present the adjusted satisfaction relation, called definite satisfaction relation, and the definite falsification relation over an RTM\(^\textrm{H}\) below.

Definition 6

(definite satisfaction and definite falsification of metric temporal graph conditions over an RTM\(^\textbf{H}\)). Let \(H_{[c]}\) be a RTM\(^{H}\), n a pattern, and \(m: n \hookrightarrow H_{[c]} \) a match. Moreover, let \(\tau \in \mathbb {R}\) be a time point and \(\psi \) be an MTGC over n. Then the definite satisfaction relation \(\models ^{d}\) and definite falsification relation \(\models ^{d}_F\) are defined via mutual recursion as follows. The match m definitely satisfies \(\psi \) at \(\tau \), written \((H_{[c]}, m, \tau ) \models ^{d} \psi \), iff \(\tau \in \lambda ^m \cap [0, c]\), or m is the empty match, and one of the following cases applies.

• \(\psi = {true } \).

• \(\psi =\lnot \chi \) and \((H_{[c]}, m, \tau ) \models ^{d}_{F} \chi \).

• \(\psi =\chi \wedge \omega \), \((H_{[c]}, m, \tau ) \models ^d \chi \), and \((H_{[c]}, m, \tau ) \models ^d \omega \).

• \(\psi =\exists (f: n \hookrightarrow \hat{n}, \chi )\) and there exists \(\hat{m}: \hat{n} \hookrightarrow H_{[c]} \) such that \(\hat{m} \circ f = m\) and \((H_{[c]}, \hat{m}, \tau ) \models ^d \chi \).

• \(\psi = \chi \,\textrm{U}_I \omega \) and there exists \(\tau '\) with \(\tau '-\tau \in I\) such that \((H_{[c]}, m,\tau ') \models ^d \omega \) and for all \(\tau '' \in [\tau , \tau ')\) \((H_{[c]}, m, \tau '') \models ^d \chi \).

• \(\psi = \chi \,\textrm{S}_I \omega \) and there exists \(\tau '\) with \(\tau -\tau ' \in I\) such that \((H_{[c]}, m,\tau ') \models ^d \omega \) and for all \(\tau '' \in (\tau ', \tau ]\) \((H_{[c]}, m, \tau '') \models ^d \chi \).

The definite falsification relation is based on a logical negation of the statements in the cases of the definite satisfaction relation. The match m definitely falsifies \(\psi \) at \(\tau \), written \((H_{[c]}, m, \tau ) \models ^{d}_{F} \psi \), iff \(\tau \in \lambda ^m\cap [0, c]\), or m is the empty match, and one of the following cases applies.

• \(\psi =\lnot \chi \) and \((H_{[c]}, m, \tau ) \models ^d \chi \).

• \(\psi =\chi \wedge \omega \) and \((H_{[c]}, m, \tau ) \models ^{d}_{F} \chi \) or \((H_{[c]}, m, \tau ) \models ^{d}_{F} \omega \).

• \(\psi =\exists (f: n \hookrightarrow \hat{n}, \chi )\) and either there does not exist an \(\hat{m}: \hat{n} \hookrightarrow H_{[c]} \) such that \(\hat{m} \circ f = m\), or there exists \(\hat{m}\) and \((H_{[c]}, \hat{m}, \tau ) \models ^{d}_{F} \chi \).

• \(\psi = \chi \,\textrm{U}_I \omega \) and for all \(\tau '\) with \(\tau '-\tau \in I\) \((H_{[c]}, m,\tau ') \models ^{d}_{F} \omega \) or there exists \(\tau '' \in [\tau , \tau ')\) such that \((H_{[c]}, m, \tau '') \models ^{d}_{F} \chi \).

• \(\psi = \chi \,\textrm{S}_I \omega \) and for all \(\tau '\) with \(\tau -\tau ' \in I\) \((H_{[c]}, m,\tau ') \models ^{d}_{F} \omega \) or there exists \(\tau '' \in (\tau ', \tau ]\), \((H_{[c]}, m, \tau '') \models ^{d}_{F} \chi \).

In comparison to \(\models \), \(\models ^d\) confines the lifespans of matches and the satisfaction of exists to the period that has been observed, i.e., [0, c]. Moreover, \(\models ^d\) relies on \(\models ^d_F\) for the satisfaction of a negation. Similarly to \(\models ^d\), \(\models ^d_F\) confines the decisions for matches to [0, c], and relies on \(\models ^d\) for the falsification of negation. The match m never falsifies \({true } \). We note that \(\models ^d_F\) and \(\not \models ^d\) are not equivalent; \(\not \models ^d\) returns true for time points that do not definitely satisfy the operator, i.e., points that falsify it but also points for which a definite decision cannot yet be made.

The following theorem shows the soundness of the definite relations \(\models ^d\) and \(\models ^d_F\) by relating them to the regular satisfaction relation \(\models \) from Definition 3 and its negation \(\not \models \). The theorem refers to observed prefixes of a possibly infinite RTM\(^\textrm{H}\)-trace \(h^H\) and their possible continuations; an RTM\(^\textrm{H}\) \(H_{[\tau _{i}]}\) in \(h^H\) is associated with the \(\tau \) of the event with index \(i\in \mathbb {N}^+\) in the execution h—see Section 2.1. The theorem states that a definite decision, i.e., a decision made by either \(\models ^d\) or \(\models ^d_F\), for a certain time point \(\tau \) over an \(H_{[\tau _{i}]}\) in \(h^H\) implies that the same decision is made by \(\models \) (or \(\not \models \)) for \(\tau \) over \(H_{[\tau _{i}]}\); moreover, \(\models \) makes the same decision for \(\tau \) over all possible future versions of \(H_{[\tau _{i}]}\) in \(h^H\).

Theorem 1

(definite relations imply satisfaction relation over trace). Let \(\psi \) be an MTGC over a pattern n. Moreover, let \(h^H_{\tau _\mathcal {D}}\) be RTM\(^{H}\)-trace, with \(\mathcal {D} \in \mathbb {N}^+\). For all \(i \in [1, \mathcal {D}]\cap \mathbb {N}^+\), if m is a match for n in \(H_{[\tau _{i}]}\) and \(\tau \in [0, \tau _{i}]\), then for all \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\), (i) if \((H_{[\tau _{i}]}, m, \tau ) \models ^d \psi \), then \((H_{[\tau _{k}]}, m, \tau ) \models \psi \), and (ii) if \((H_{[\tau _{i}]}, m, \tau ) \models ^d_F \psi \), then \((H_{[\tau _{k}]}, m, \tau ) \not \models \psi \).

Proof (idea)

[idea] By mutual structural induction over \(\psi \). The implication is shown to hold for each MTGL operator. See Section B.1 for the complete proof.   \(\square \)

In the following, we discuss the second important result of this section, i.e., the equivalence of the definite and regular semantics.

The satisfaction decision for future temporal operators at time point \(\tau \) may depend on a \(\tau ' > \tau \). The upper bound of the distance between \(\tau '\) and \(\tau \) is given by the non-definiteness window, defined below.

Definition 7

(non-definiteness window \(w \)). Given an MTGC \(\psi \), the non-definiteness window \(w \), i.e., the period for which a satisfaction decision for \(\psi \) at a time point \(\tau \) may be non-definite, is defined as follows.

$$\begin{aligned} w (\psi ) = {\left\{ \begin{array}{ll} r(I) + \max {(w (\chi ), w (\omega ))} &{}\text {if } \psi = \chi \textrm{U}_{I} \,\omega \\ \max {(w (\chi ), w (\omega ))} &{}\text {if } \psi = \chi \textrm{S}_{I} \,\omega \\ \max {(w (\chi ), w (\omega ))} &{}\text {if } \psi = \chi \wedge \omega \\ w (\chi ) &{}\text {if } \psi = \lnot \chi \\ w (\chi ) &{}\text {if } \psi = \exists (n, \chi )\\ 0 &{}\text {if } \psi = {true } \\ \end{array}\right. } \end{aligned}$$

(7)

As usual in (online) RM, we assume that \(w\not =\infty \), i.e., MTGCs contain no unbounded future operators which may render a property non-monitorable [42].

Based on w, we present a variation of Theorem 1 which states that, given an \(H_{[\tau _i]}\), if \(\tau \in [0, \tau _{i}-w ]\), with i an index in a RTM\(^\textrm{H}\)-trace, then definite decisions made by either the definite satisfaction relation \(\models ^d\) or definite falsification relation \(\models ^d_F\) are equivalent to the decisions of the satisfaction relation \(\models \). If \(w \not = 0\), in order for \([0, \tau _{i}-w ]\) to be a valid interval, it is implicitly required that \(\tau _{i} \ge w \), i.e., \(H_{[\tau _{i}]}\) covers a period that is larger than the non-definiteness window.

Theorem 2

(definite relations are equivalent to satisfaction relation over certain period of trace). Let \(\psi \) be an MTGC over a pattern n and \(w \) the non-definiteness window of \(\psi \). Moreover, let \(h^H_{\tau _\mathcal {D}}\) be an RTM\(^{H}\)-trace, with \(\mathcal {D} \in \mathbb {N}^+\). For all \(i \in [1, \mathcal {D}]\cap \mathbb {N}^+\), if m is a match for n in \(H_{[\tau _{i}]}\) and \(\tau \in [0, \tau _{i}-w ]\), then for all \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\), (i) \((H_{[\tau _{i}]}, m, \tau ) \models ^d \psi \) iff \((H_{[\tau _{k}]}, m, \tau ) \models \psi \), and (ii) \((H_{[\tau _{i}]}, m, \tau ) \models ^d_F \psi \) iff \((H_{[\tau _{k}]}, m, \tau ) \not \models \psi \).

Proof (idea)

[idea] By mutual structural induction over \(\psi \). The equivalence is shown to hold for each MTGL operator. See Section B.2 for the complete proof.   \(\square \)

Theorem 2 enables our contribution to change-driven evaluation in Section 5.

Finally, we present the third important result of the section, i.e., the limitation of the semantics. The following corollary states that all time points for which a definite decision cannot be made belong to a certain period in the observed trace.

Corollary 1

(period in trace with non-definite decisions). Let \(\psi \) be an MTGC, w be the non-definiteness window of \(\psi \), \(H_{[\tau _{i}]}\) be an RTM\(^{H}\) instance associated with the time point \(\tau _{i}\), m be a match for a pattern n, and \(\tau \) a time point in \([0, \tau _{i}]\). If \((H_{[\tau _{i}]}, m, \tau ) \not \models ^d \psi \) and \((H_{[\tau _{i}]}, m, \tau ) \not \models ^d_F\psi \), then \(\tau \in (\tau _{i}-w,\tau _{i}]\).

Proof (idea)

[idea] Follows from Theorem 2—see Section B.3 for the complete proof.   \(\square \)

We demonstrate below that, in case an MTGC is unsatisfiable (or unfalsifiable), the definite relations may return an answer with a delay. The maximum possible delay depends on the non-definiteness window w from Definition 7.

Let \(\models _{\mathbb {T}}\) and \(\models _{F,\mathbb {T}}\) be respectively a satisfaction and falsification relation for MTGL that reflect the timeliest knowledge: Given a match m, an MTGC \(\psi \), an RTM\(^\textrm{H}\) instance \(H_{[\tau _i]}\) from a sequence of instances, and a time point \(\tau \in [0, \tau _{i}]\), \((H_{[\tau _i]}, m, \tau ) \models _{\mathbb {T}} \psi \) if \((H_{[\tau _i]}, m, \tau ) \models \psi \) and there exists no possible successor of \(H_{[\tau _i]}\) in the sequence that could falsify \(\psi \) at \(\tau \); analogously, \((H_{[\tau _i]}, m, \tau ) \models _{F,\mathbb {T}} \psi \) if \((H_{[\tau _i]}, m, \tau ) \not \models \psi \) and there exists no possible successor of \(H_{[\tau _i]}\) that could satisfy \(\psi \) at \(\tau \). These timeliest relations can only make decisions for m over the observed trace, as m may not exist in the parts covered by successors of \(H_{[\tau _i]}\) , i.e., in time points larger than \(\tau _i\).

Given a sequence of RTM\(^\textrm{H}\) instances \(h^H\) with \(H_{[\tau _i]}\) an instance in \(h^H\), let \(H_{[\tau _k]}\) be the first successor of \(H_{[\tau _i]}\) in \(h^H\) for which \(\tau _k \ge \tau _{i}+w\). The following corollary states that, contrary to \(\models _{\mathbb {T}}\) and \(\models _{F,\mathbb {T}}\), the definite relations may have to wait for \(H_{[\tau _k]}\) to be able to make a definite decision for \(\tau \in (\tau _{i}-w, \tau _{i}]\).

Corollary 2

(maximum possible delay before definite decision). Let \(\psi \) be an MTGC, w be the non-definiteness window of \(\psi \), m be a match for a pattern n, and \(H_{[\tau _i]}\) be an RTM\(^H\) instance from a sequence of RTM\(^H\) instances \(h^H_{\tau _\mathcal {D}}\) with \(i\in [1, \mathcal {D}]\cap \mathbb {N}^+\). Moreover, let \(\tau \in (\tau _{i}-w, \tau _{i}]\) and k be the smallest index in \([i, \mathcal {D}]\cap \mathbb {N}^+\) such that \(\tau _{k} \ge \tau _{i}+w\). If \((H_{[\tau _{i}]}, m, \tau ) \not \models ^d \psi \) and \((H_{[\tau _{i}]}, m, \tau ) \not \models ^d_F\psi \), then a definite decision for \(\tau \) can be made over \(H_{[\tau _k]}\).

Proof

Follows from Corollary 1.   \(\square \)

Thus, compared to \(\models _{\mathbb {T}}\) and \(\models _{F,\mathbb {T}}\), the definite relations may make a decision for \(\tau \in (\tau _{i}-w, \tau _{i}]\) with a delay of at most \((\tau _{k}-\tau _{i})\) time points.

Example 2

(delay in definite decision) Let \(\psi _c:= \lozenge _{[0,1]} (\lnot \exists \,n_{1} \wedge \exists \, n_{1})\). Consider an RTM\(^\textrm{H}\)-trace comprising two RTM\(^\textrm{H}\) instances: \(H_{[7]}\) in Fig. 3 and a hypothetical \(H_{[9]}\) which is yielded by an unrelated change and all elements from \(H_{[7]}\) are unchanged. Therefore, a match \(m_1\) exists in both instances. The check \((H_{[7]}, m_1, 7) \models _{F,\mathbb {T}} \psi _c\) returns true, as \((H_{[7]}, m_1, 7) \not \models \psi _c\) and there is no possible successor of \(H_{[7]}\) that could satisfy \(\psi _c\); on the other hand, \((H_{[7]}, m_1, 7) \models ^d_F \psi _c\) makes no decision, as according to its definition, the relation waits first for a duration of history that covers the timing constraint of until to be observed. The check \((H_{[9]}, m_1, 7) \models ^d_F \psi _c\) returns true, as enough time has elapsed. Thus, compared to \(\models _{F,\mathbb {T}}\), this decision has been made with a delay of two time points.

Avoiding this delay would require that the definite relations recognize whether an MTGC is satisfiable which is undecidable for NGCs and thus MTGCs. The delay is not observed with the running example, i.e., \(\psi _P:= \lnot \exists \,n_{1.1} \,\textrm{U}_{[0,60]}\, \exists \, n_{1.2}\) or similar MTGCs, e.g., \((\lozenge _{[0,2]} \exists \,n_{1.1}) \wedge (\lozenge _{[0,3]} \exists \, n_{1.2})\).

4 Computations and Answer Set for Definite Semantics

This section presents our contribution to the semantics of \(\mathcal {L}\), the query language of InTempo. Specifically, we adjust the satisfaction computation presented in Definition 4 to the definite satisfaction relation (\(\models ^d\)) from Definition 6. Moreover, we introduce the analogous concepts for the definite falsification relation (\(\models ^d_F\)). Theorem 3 shows the soundness of the introduced computations. Based on these computations, we introduce a definite answer set for \(\mathcal {L}\).

In the context of a temporal query \((n, \psi )\) the definite satisfaction span related to a match m for n in \(H_{[c]}\) is defined similarly to the satisfaction span \(\mathcal {Y}\) in Section 2.3, i.e., \(\mathcal {Y}^{d} = \{\tau | \tau \in \mathbb {R} \wedge (H_{[c]}, m, \tau ) \models ^d \psi \}\). The definite falsification span is defined as \(\mathcal {F}^d = \{\tau | \tau \in \mathbb {R} \wedge (H_{[c]}, m, \tau ) \models ^d_F \psi \}\). Any time point in the time domain not in \(\mathcal {Y}^{d}\) or \(\mathcal {F}\) belongs to the unknown span X. The sets \(\mathcal {Y}^{d}, \mathcal {F}^d\), and X are disjoint. It also holds that \(\mathbb {R} = \mathcal {Y}^{d} \uplus \mathcal {F}^d \uplus X\). The definite satisfaction computation \(\mathcal {Z}^{d}\) and the definite falsification computation \(F^d\) for an MTGC are defined below.

Definition 8

(definite satisfaction computation \(\mathcal {Z}^{d}\) and definite falsification computation \(F^d\)). Let \(n, \hat{n}\) be patterns and \(\psi , \chi , \omega \) be MTGCs. Moreover, let m be a match for n in an RTM\(^H\) H, and \(\hat{M}\) a set of matches for \(\hat{n}\) that are compatible with the (enclosing) match m. The definite satisfaction computation \(\mathcal {Z}^{d}(m, \psi )\) and definite falsification computation \(F^d(m, \psi )\) are defined via mutual recursion as follows.

$$\begin{aligned} \mathcal {Z}^{d}(m, {true }) = \mathbb {R} \end{aligned}$$

(8)

$$\begin{aligned} \mathcal {Z}^{d}(m, \lnot \chi )= F^d(m, \chi ) \end{aligned}$$

(9)

$$\begin{aligned} \mathcal {Z}^{d}(m, \chi \wedge \omega )= \mathcal {Z}^{d}(m, \chi ) \cap \mathcal {Z}^{d}(m, \omega ) \end{aligned}$$

(10)

$$\begin{aligned} \mathcal {Z}^{d}(m,\exists (\hat{n}, \chi )) = (-\infty ,\tau ] \cap \bigcup \limits _{\hat{m} \in {\hat{M}}} \lambda ^{\hat{m}} \cap \mathcal {Z}^{d}(\hat{m}, \chi ) \end{aligned}$$

(11)

$$\begin{aligned} \mathcal {Z}^{d}(m,\chi \textrm{U}_I \omega )= {\left\{ \begin{array}{ll} \bigcup \limits _{i \in \mathcal {Z}^{d}(m, \omega ),\, j \in J^d_i} j \cap \big ((j^{+} \cap i) \ominus I\big ) &{} \text {if } 0 \, \not \in I \\ \bigcup \limits _{i \in \mathcal {Z}^{d}(m, \omega )} i \, \cup \bigcup \limits _{ j \in J^d_i} j \cap \big ((j^{+} \cap i) \ominus I\big ) &{} \text {if } 0 \, \in I \end{array}\right. }\end{aligned}$$

(12)

$$\begin{aligned} \mathcal {Z}^{d}(m,\chi \textrm{S}_I \omega )= {\left\{ \begin{array}{ll} \bigcup \limits _{i \in \mathcal {Z}^{d}(m,\omega ),\, j \in J^d_i} j \cap \big ((^{+}j \cap i) \oplus I\big ) &{} \text {if } 0 \, \not \in I \\ \bigcup \limits _{i \in \mathcal {Z}^{d}(m,\omega )} i \, \cup \bigcup \limits _{ j \in J^d_i} j \cap \big ((^{+}j \cap i) \oplus I\big ) &{} \text {if } 0 \, \in I \end{array}\right. } \end{aligned}$$

(13)

with \(J^d_i\) the set of all intervals in \(\mathcal {Z}^d(m, \chi )\) that are either overlapping or adjacent to some \(i\in \mathcal {Z}^d(m, \omega )\).

Based on \(\mathbb {R} = \mathcal {Y}^{d} \uplus \mathcal {F}^d \uplus X\), the definite falsification computation \(F^d(m, \psi )\) can be generally defined as \(F^d=\mathbb {R} \setminus (\mathcal {Z}^{d} \uplus X)\), which leads to the following equations.

$$\begin{aligned} F^d(m, {true }) = \emptyset \end{aligned}$$

(14)

$$\begin{aligned} F^d(m, \lnot \chi )= \mathcal {Z}^{d}(m, \chi ) \end{aligned}$$

(15)

$$\begin{aligned} F^d(m, \chi \wedge \omega )= F^d(m, \chi ) \cup F^d(m, \omega ) \end{aligned}$$

(16)

$$\begin{aligned} F^d(m,\exists (\hat{n}, \chi )) = (-\infty , \tau ] \cap \big (\mathbb {R} \setminus \mathcal {Z}^d(m, \exists (\hat{n}, \chi ))\big ) \end{aligned}$$

(17)

$$\begin{aligned} F^d(m,\chi \textrm{U}_I \omega )= {\left\{ \begin{array}{ll} \mathbb {R} \setminus \Bigg (\bigcup \limits _{i \in \mathcal {Z}^d(m, \omega )\uplus X(m, \omega ),\, j \in J^d_i} j \cap \big ((j^{+} \cap i) \ominus I\big )\Bigg ) &{} \text {if } 0 \, \not \in I \\ \mathbb {R} \setminus \Bigg ( \bigcup \limits _{i \in \mathcal {Z}^d(m, \omega )\uplus X(m, \omega )} i \, \cup \bigcup \limits _{ j \in J^d_i} j \cap \big ((j^{+} \cap i) \ominus I\big )\Bigg ) &{} \text {if } 0 \, \in I \end{array}\right. }\end{aligned}$$

(18)

$$\begin{aligned} F^d(m,\chi \textrm{S}_I \omega )= {\left\{ \begin{array}{ll} \mathbb {R} \setminus \Bigg (\bigcup \limits _{i \in \mathcal {Z}^d(m, \omega )\uplus X(m, \omega ),\, j \in J^d_i} j \cap \big ((^{+}j \cap i) \oplus I\big )\Bigg ) &{} \text {if } 0 \, \not \in I \\ \mathbb {R} \setminus \Bigg (\bigcup \limits _{i \in \mathcal {Z}^d(m, \omega )\uplus X(m, \omega )} i \, \cup \bigcup \limits _{ j \in J^d_i} j \cap \big ((^{+}j \cap i) \oplus I\big )\Bigg ) &{} \text {if } 0 \, \in I \end{array}\right. } \end{aligned}$$

(19)

where \(J^d_i\) is the set of all intervals in \(\mathcal {Z}^d(m, \chi )\uplus X(m,\chi )\) that are either overlapping or adjacent to some \(i\in \mathcal {Z}^d(m, \omega )\uplus X(m, \omega )\).

Regarding \(\mathcal {Z} ^d\), the equations for conjunction, until, and since have the same structure with their corresponding equations in Definition 4, but rely on \(\mathcal {Z}^d\) instead of \(\mathcal {Z}\). Analogously to \(\models ^d\), the computation for negation relies on \(F^d\). The computation for exists confines its decisions to the period that has been observed.

Regarding \(F^d\), a match m never falsifies \({true } \); analogously to \(\models ^d_F\), \(F^d\) relies on \(\mathcal {Z} ^d\) for the falsification of negation; the operator exists confines its computation to the observed period; the equations for until and since complement their respective definite satisfaction computations, whereby the definite satisfaction computation for their operands \(\chi \) and \(\omega \) instead of considering only time points that definitely satisfy \(\chi \) and \(\omega \), i.e., their satisfaction spans \(\mathcal {Z}^d(m, \chi )\) and \(\mathcal {Z}^d(m, \omega )\), considers time points that do not definitely falsify \(\chi \) and \(\omega \), i.e., \(\mathcal {Z}^d(m, \chi )\uplus X(m, \chi )\) and \(\mathcal {Z}^d(m, \omega )\uplus X(m, \omega )\).

The following theorem states that the set of time points in the definite satisfaction span \(\mathcal {Y}^{d}\) and definite falsification span \(\mathcal {F}^d\) are equal to the sets of time points obtained by the definite satisfaction computation \(\mathcal {Z}^{d}\) and definite falsification computation \(F^d\), respectively.

Theorem 3

(equality of definite spans and definite computations for satisfaction and falsification). Given a match m in an RTM\(^H\) \(H_{[\tau ]}\) and an MTGC \(\psi \), it holds that \(\mathcal {Y}^{d}(m, \psi )=\mathcal {Z}^{d}(m, \psi )\) and \(\mathcal {F}^d(m, \psi )=F^d(m, \psi )\).

Proof (idea)

[idea] The proof for \(\mathcal {Z}^d\) proceeds by structural induction over \(\psi \). The proof for \(F^d\) is based on the application of \(F^d=\mathbb {R} \setminus (\mathcal {Z}^{d} \uplus X)\) for each MTGL operator. See Section B.4 for the complete proof.   \(\square \)

Based on the definite computations, we now extend \(\mathcal {L}\) with a notion of definite answers by adjusting the answer set \(\mathcal {T}\) in Definition 5. To this end, we define the notion of temporal invalidity \(\mathcal{I}\mathcal{V}\) as the dual notion of temporal validity \(\mathcal {V}\) from Section 2.3, i.e., the intersection of the lifespan \(\lambda ^m\) of a match m with the falsification span. Moreover, we define the definite temporal validity \(\mathcal {V}^d\) as \(\lambda ^m \cap \mathcal {Z}^d\), and the definite temporal invalidity \(\mathcal{I}\mathcal{V}^d\) as \(\lambda ^m\cap F^d\).

Definition 9

(definite answer set \(\mathcal {T} ^d\)). Given a pattern n, an MTGC \(\psi \), and an RTM\(^H\) H, the definite answer set \(\mathcal {T} ^d\) of a query in \(\mathcal {L}\) over H is given by:

$$\begin{aligned} \mathcal {T} ^{d}(H) = \{(m, \mathcal {V}^{d}(m, \psi ), \mathcal{I}\mathcal{V}^{d}(m, \psi )) | m\text { is a match for }n \wedge (\mathcal {V} ^{d} \not =\emptyset \vee \mathcal{I}\mathcal{V}^{d} \not = \emptyset \} \end{aligned}$$

Table 1. Computations \(\mathcal {Z}\), \(\mathcal {Z}^d\), and \(F^d\) for two matches for \((n_1, \lnot \psi _P)\) over \(H_{[7]}\).

Example 3

(precision of definite computations over incomplete trace). As in Example 1, the query \((n_1, \lnot \psi _P)\) is evaluated over \(H_{[7]}\). This time however, we obtain the definite answer set \(\mathcal {T} ^d(H_{[7]})\). The match \(m_2\) for \(n_1\), that involves the object pm2, is not contained in \(\mathcal {T} ^d\); \(m_2\) is matched and its lifespan is computed to be \(\lambda ^{m_2}=[7,\infty )\) but no compatible match for \(n_{1.2}\) is found; As shown in Table 1, \(\mathcal {Z}^d(m_2, \psi _P)=(-\infty , -53]\) and \(F^d(m_2, \psi _P)=\emptyset \). Therefore, both \(\mathcal {V} ^d\) and \(\mathcal{I}\mathcal{V}^d\) are empty, and the match is excluded from \(\mathcal {T} ^d\). Note that \(\mathcal {T} ^d(H_{[7]})\) contains a match \(m_1\) for \(n_1\) that involves pm1, as its \(\mathcal {V} ^d\) is non-empty (see Table 1), i.e., there are time points for which \(m_1\) definitely falsifies \(\lnot \psi _P\), or definitely satisfies \(\psi _P\). All computations in Table 1 are interval sets (see Section 2.3), however, for presentation purposes, singletons are displayed as intervals.

Let \(H_{[67]}\) be an RTM\(^\textrm{H}\) that is yielded by an event at time point 67; the changes by this event do not affect vertices or nodes in \(H_{[7]}\); \(m_2\) would be returned by \(\mathcal {T} ^d\), paired with \(\mathcal {V} ^d=[7,7]\), as there would be no future version of the RTM\(^\textrm{H}\) which could satisfy \(\psi _P\) at time point 7.

5 Keeping to Change-driven Evaluation

The operationalization of queries in InTempo (see also Fig. 1) is based on Generalized Discrimination Networks (GDNs) [10, 28]. Specifically, a query in \(\mathcal {L}\) is decomposed into a suitable ordering, i.e., a network, N of simple sub-queries. N is a tree where each node represents a query and each edge a dependency between queries—see Fig. 2 (right) for the GDN for \(\psi _P\). N is executed bottom-up, i.e., the execution starts with leaves and proceeds upward. The root of N computes the answer set \(\mathcal {T} (H)\) of q. Each node in N stores intermediate matches paired with their \(\mathcal {Z}\); therefore N is amenable to change-driven and incremental execution: changes to H are propagated through N, whose nodes only recompute their stored matches if the change is relevant to them or one of their dependencies. Moreover, InTempo offers a method to remove temporally irrelevant history from the RTM\(^\textrm{H}\), thereby rendering the query evaluation memory-efficient.

Based on these features, an extensive experimental evaluation of our implementation of InTempo showed efficient performance in the evaluation of temporal graph queries over considerably large models (approximately from 10K to 48M elements) [49]. InTempo also evaluated queries faster than the established RV tool MonPoly  [6] as well as the RTM-based tool Hawk  [24] in an RM application scenario. In the scenario, incomplete traces were handled by performing a check for each match which, based on the timing constraints of the property, postponed returning the match if future changes could affect it.

The definite answer set \(\mathcal {T} ^d\) from Definition 9 handles incomplete traces comprehensively, as it only includes matches and time points which no future change can affect. However, \(\mathcal {T} ^d\) relies on the definite MTGL semantics from Definition 6 which, contrary to the regular semantics from Definition 3, considers the time point on which a query is evaluated; consequently, adjusting N to compute the definite computations \(\mathcal {Z} ^d\) and \(F^d\), and thus to return \(\mathcal {T} ^d\), would imply that every new version of \(H_{[\tau ]}\) would trigger a re-computation of all spans stored in N. Therefore, \(\mathcal {T} ^d\) is not amenable to change-driven evaluation.

Based on the intuition behind the check from above, we lastly present a new answer set, called effective, that contains definite results while relying on \(\mathcal {T}\), which is amenable to change-driven evaluation. Specifically, based on the equivalence in Theorem 2, we show that \(\mathcal {T}\) is equivalent to a subset of \(\mathcal {T} ^d\) if the \(\mathcal {V}\) of matches in \(\mathcal {T}\) is restricted to a period with definite decisions (see Corollary 1). This last contribution formalizes the intuition behind the check from above, and allows approaches like InTempo to maintain their efficiency while returning sound results. We define the effective answer set \(\mathcal {T} ^e\) for \(\mathcal {L}\) based on \(\mathcal {T}\) below.

Definition 10

(effective answer set \(\mathcal {T} ^e\)). Given a pattern n, an MTGC \(\psi \) with w the non-definiteness window of \(\psi \), an RTM\(^H\) \(H_{[\tau ]}\), and an answer set \(\mathcal {T} (H_{[\tau ]})\) of a query in \(\mathcal {L} \), the effective answer set \(\mathcal {T} ^e(H_{[\tau ]})\) of the query is the set of all tuples \((m,\mathcal {V} \cap [0, \tau -w])\) such that (i) \((m, \mathcal {V} (m, \psi )) \in \mathcal {T} (H_{[\tau ]})\) and (ii) \(\mathcal {V}(m, \psi ) \cap [0, \tau -w] \not = \emptyset \).

The following theorem states that \(\mathcal {T} ^e\) is equal to a restricted version of \(\mathcal {T} ^d\) whose \(\mathcal {V} ^d\) excludes a period equal to w. We assume that the trace duration is larger than w and that the trace has more than one member.

Theorem 4

(equality of effective answer set and restricted definite temporal validity answer set over trace). Let \((n, \psi )\) be a query with \(\psi \) an MTGC, w be the non-definiteness window of \(\psi \), and \(h^H_{\tau _\mathcal {D}}\) be a RTM\(^{H}\)-trace with \(\mathcal {D} \in [2,\infty ] \cap \mathbb {N}^+\), and i be an index in \([k, \mathcal {D}-1]\cap \mathbb {N}^+\) such that \(\tau _k \ge w\). Moreover, let \(\mathcal {T} ^{d}_{\mathcal {V},r}(H_{[\tau _i]})\) be the restricted definite temporal validity answer set over \(H_{[\tau _i]}\) which has been obtained from the definite answer set \(\mathcal {T} ^d\) but contains (i) only pairs of matches with their temporal validity \(\mathcal {V}^d\), with \(\mathcal {V}^d \not = \emptyset \) and (ii) \(\mathcal {V}^d\) is intersected with \([0, \tau _{i}-w]\). Then, \(\mathcal {T} ^e(H_{[\tau _i]}) = \mathcal {T} ^{d}_{\mathcal {V},r}(H_{[\tau _i]})\).

Proof (idea)

[idea] Based on the more general Theorem 2. See Section B.5 for the complete proof.   \(\square \)

Theorem 4 shows how InTempo returns definite results while using the change-driven evaluation for \(\mathcal {T}\) described above. On the other hand, as \(\mathcal {T} ^{d}_{\mathcal {V},r}\) excludes \(F^d\), obtaining \(F^d\) with \(\mathcal {T} ^e\) requires the evaluation of a separate query \((n, \lnot \psi )\) in parallel to \((n,\psi )\). Moreover, due to postponing returning answers that may be non-definite, \(\mathcal {T} ^e\) may return answers with a delay; although this is not observed in \(\psi _P\) from the running example, it may affect other properties, as demonstrated in Example 4. Hence, \(\mathcal {T} ^e\) is intended for application scenarios where this impact is either absent or acceptable.

Example 4

(Delay in detection). Let \(\psi _D:= (\lnot \exists n_{1.1}) \wedge (\lnot \lozenge _{[0,2]} \exists n_{1.2})\) be an MTGC and \((n_1, \lnot \psi _D)\) a query in \(\mathcal {L}\). Let \(H_{[5]}\) be a hypothetical RTM\(^\textrm{H}\) that contains a match for \(n_1\) and a match for \(n_{1.1}\), whose lifespans are \([5,\infty )\). The time point 5 is contained in \(\mathcal {V} ^d(m_1, \lnot \psi _D)\), i.e., the decision for 5 is definite; however, this time point is not admitted to \(\mathcal {T} ^e(H_{[5]})\) due to the intersection with \([0, 5-w]\), where, for \(\psi _D\), \(w=2\). The time point will be admitted to \(\mathcal {T} ^e\) when w has elapsed.

6 Related Work

In our previous work, we presented an analysis procedure with preliminary support for RM of MTGL, as the procedure can be adjusted so that it returns true either as soon as a falsification is detected or only when it has become definite [51]. When a falsification is detected, the procedure returns the time point on which the procedure was last executed. The result abstracts the interval-based semantics of MTGL into a point-based interpretation which lacks precision. The definite semantics from Section 3 supports RM of MTGL directly, i.e., at the level of semantics. Moreover, it enables the computations of the definite falsification and satisfaction spans, which in turn enable practical query evaluations.

Compared to InTempo and its advancement we presented, other query-based approaches for RM over structural RTMs either lack a formal treatment of monitoring, e.g.,  [1, 24], or do not support other key features, e.g., first-order quantification [19], temporal operators [13, 14], or timing constraints [40]. On the other hand, these approaches have their own advantages over the foundations we presented, e.g., support for distributed query evaluation [14] and more temporal primitives [24].

Runtime Verification (RV) is also concerned with formally precise online RM over incrementally processed, and thus possibly incomplete, traces of events. Despite the similarity of their aim, RV and RTMs are different in their applications and characteristics: for instance, state representations in RV focus on a low level of abstraction and are typically inaccessible during monitoring. Conversely, an RTM aims at a richer knowledge representation [14] and has to be accessible to end-users or other technologies during monitoring, as it acts as an interface to manage the system [23]—see [47, 49] for a more elaborate comparison. In RV, properties may be specified using various formalisms, e.g., temporal logics and regular expressions [3], comparisons among which are non-trivial [33, 43]. In the following, we focus on approaches based on temporal logics. According to a recent classification, no approach simultaneously supports key features of InTempo such as first-order quantification, metric temporal constraints, interval-based interpretations, and native support for graph queries and bindings [22].

The RV approach most relevant to our work is MonPoly  [6]. MonPoly, an established tool that has been among the top-performers in an RV competition [2], is an implementation of an incremental monitoring algorithm based on Metric First-Order Temporal Logic (MFOTL) [7]. The semantics of MFOTL is point-based, i.e., the logic assesses the truth of a formula only for the time points of events in a trace, which means the logic cannot support the computation of a temporal validity or represent the lifespan of a match straightforwardly. MonPoly cannot always encode complex graph queries: for instance, expressing the MTGC from the running example, which prohibits the existence of a pattern, is not possible as MonPoly restricts the use of negation in this place at the formula for reasons of monitorability. Even when possible, this encoding may become overly technical and, as indicated by the performance comparison of InTempo to MonPoly  [49] as well as another similar comparison [19], may affect performance: for instance, emulating graph pattern matching requires that partial orderings of match candidates are explicitly formulated in MFOTL which may bloat the size of the formula.

The RV tool DejaVu  [30, 31] monitors properties specified in a first-order metric past-only logic with point-based semantics. Translating MTGCs in this logic would require emulating graph-based encodings and bindings (similar to MonPoly) and, moreover, reformulating MTGCs such that they feature only past operators. Such reformulations are not always possible and could be significantly less compact [32, 37]. Monitoring algorithms for interval-based propositional or signal logics with metric timing constraints [5, 38] are capable of interval-based interpretations; although inapplicable to a graph-based first-order setting, they are therefore based on interval computations which are similar to ours. Havelund et al. present a monitoring approach for a logic defined over intervals; properties in the logic refer to interval relations, e.g., requiring that two intervals overlap, where the intervals my contain data [29]. The logic supports quantification over intervals but does not support quantification over the data.

7 Conclusion and Future Work

We present a formal and systematic treatment of incomplete traces in query-based runtime monitoring of temporal properties over structural runtime models. First, we introduce a new semantics for a first-order temporal graph logic, called definite, which only returns decisions if no future change to the model will affect them. Then, based on the definite semantics, we introduce a new definite answer set for the query language of InTempo, a querying scheme we previously presented. Lastly, we present the effective answer set which, contrary to the definite answer set, is amenable to change-driven evaluation. This answer set allows approaches like InTempo to maintain their efficiency while returning definite answers.

Our plans for future work include a consideration of a rewriting procedure for properties in MTGL, such that the rewritten properties avoid or minimize possible delays in returning results, while allowing for a comparable performance to the property before rewriting. We plan to extend the API of the InTempo implementation with the option to return the effective answer set directly. Moreover, we plan to implement the definite answer set and investigate its impact on performance. Although not as efficient as the effective answer set, we also plan to use the definite answer set for testing the answers in the effective answer set. Finally, we plan to extend InTempo with a decision procedure that, depending on the property, switches to the answer set that is more appropriate.

Appendices

A Overview of Notation

The overview is shown in Table 2.

Table 2. Main symbols, their denoted concept, and formal representation; the rightmost column shows the page on which the symbol was first defined.

B Proofs

Following are the proofs for the theorems in the paper, as presented in the doctoral thesis of the first author [47].

1.1 B.1 Theorem 1: definite relations imply satisfaction relation over trace

Following is the proof for Theorem 1 (see [47], Section A.3.2]), i.e., given an MTGC \(\psi \) over a pattern n and an RTM\(^\textrm{H}\)-trace \(h^H_{\tau _\mathcal {D}}\) with \(\mathcal {D} \in \mathbb {N}^+\) the last index, for all \(i \in [1, \mathcal {D}]\cap \mathbb {N}^+\), if m a match for n in \(H_{[\tau _{i}]}\) and \(\tau \in [0, \tau _{i}]\), then for all \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\), (i) if \((H_{[\tau _{i}]}, m, \tau ) \models ^d \psi \), then \((H_{[\tau _{k}]}, m, \tau ) \models \psi \), and (ii) if \((H_{[\tau _{i}]}, m, \tau ) \models ^d_F \psi \), then \((H_{[\tau _{k}]}, m, \tau ) \not \models \psi \).

Proof

By definition of the RTM\(^\textrm{H}\), a match m in \(H_{[\tau _i]}\) will be structurally present in all \(H_{[\tau _k]}\) with \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\)—what may change (once) in future versions of \(H_{[\tau _i]}\) is the lifespan of m, i.e., if the dts of all matched elements is \(\infty \) and one of these elements is updated to a value less than \(\infty \); even then, this change will not affect the lifespan of m in the period \([0, \tau _{i}]\), that is, in \(H_{[\tau _i]}\), the observation on whether m is present in \(\lambda ^m\cap [0, \tau _{i}]\) will never be refuted.

The proof proceeds by mutual structural induction over \(\psi \). In the base case, we show the theorem to be true for the MTGL operator \({true } \). We omit the straightforward step for conjunction.

• Base case: \({true } \).

  We begin with the definite satisfaction. We assume \((H_{[\tau _i]}, m, \tau ) \models ^d {true } \) and show that \((H_{[\tau _k]}, m, \tau ) \models {true } \) for an arbitrary \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\). By the semantics of MTGL, \( {true } \) is always satisfied. Therefore, m in \(H_{[\tau _k]}\) also satisfies \({true } \) at \(\tau \). We have shown that the implication is true.

  We proceed with the definite falsification. Based on the semantics of the definite falsification relation, a match m never falsifies \({true } \). Therefore, the antecedent \((H_{[\tau _i]}, m, \tau ) \models ^d_F {true } \) is false, making the consequent \((H_{[\tau _k]}, m, \tau ) \not \models {true } \) true.

• Induction step: \(\psi =\lnot \chi \).

  We begin with the definite satisfaction. Assume that \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \Rightarrow (H_{[\tau _k]}, m, \tau ) \not \models \chi \) for an arbitrary \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\). By the semantics of negation and the definite relations, \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \Leftrightarrow (H_{[\tau _i]}, m, \tau ) \models ^d \lnot \chi \). Similarly, \((H_{[\tau _k]}, m, \tau ) \not \models \chi \Leftrightarrow (H_{[\tau _k]}, m, \tau ) \models \lnot \chi \). Therefore, it also holds that \((H_{[\tau _i]}, m, \tau ) \models ^d \lnot \chi \Rightarrow (H_{[\tau _k]}, m, \tau ) \models \lnot \chi \).

  We proceed with the definite falsification. Assume that \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \Rightarrow (H_{[\tau _k]}, m, \tau ) \models \chi \). Analogously to the definite satisfaction, \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \Leftrightarrow (H_{[\tau _i]}, m, \tau ) \models ^d_F \lnot \chi \) and \((H_{[\tau _k]}, m, \tau ) \models \chi \Leftrightarrow (H_{[\tau _k]}, m, \tau ) \not \models \lnot \chi \). Therefore, \((H_{[\tau _i]}, m, \tau ) \models ^d_F \lnot \chi \Rightarrow (H_{[\tau _k]}, m, \tau ) \not \models \lnot \chi \).

• Induction step: \(\psi =\exists (\hat{n}, \chi )\).

  Let the induction hypothesis be \((H_{[\tau _i]}, \hat{m}, \tau ) \models ^d \chi \Rightarrow (H_{[\tau _k]}, \hat{m}, \tau ) \models \chi \) and \((H_{[\tau _i]}, \hat{m}, \tau ) \models ^d_F \chi \Rightarrow (H_{[\tau _k]}, \hat{m}, \tau ) \not \models \chi \), where \(\hat{m}\) is a match for the pattern \(\hat{n}\) and k an arbitrary index in \([i, \mathcal {D}]\cap \mathbb {N}^+\).

  We begin with the definite satisfaction. We assume \((H_{[\tau _i]}, m, \tau ) \models ^d \exists (\hat{n}, \chi )\) and show this implies \((H_{[\tau _k]}, m, \tau ) \models \exists (\hat{n}, \chi )\). Since \((H_{[\tau _i]}, m, \tau ) \models ^d \exists (\hat{n}, \chi )\), there exists matches m and \(\hat{m}\) such that \(\hat{m}\) is compatible with m and \(\tau \in \lambda ^m\cap \lambda ^{\hat{m}}\). The matches \(m, \hat{m}\) will be structurally present and \(\hat{m}\) will be compatible with m in all future versions of \(H_{[\tau _i]}\). Moreover, there will be no changes in \(\lambda ^{m}, \lambda ^{\hat{m}}\) for the period \([0, \tau ]\). Also, by the induction hypothesis, \(\hat{m}\) satisfies \(\chi \) at \(\tau \). Therefore, by the semantics of the satisfaction relation for exists, \((H_{[\tau _k]}, m, \tau ) \models \exists (\hat{n}, \chi )\). We have shown that the implication is true.

  We proceed with the definite falsification. We assume that \((H_{[\tau _i]}, m, \tau ) \models ^d_F \exists (\hat{n}, \chi )\) and show that this implies \((H_{[\tau _k]}, m, \tau ) \not \models \exists (\hat{n}, \chi )\). Since \((H_{[\tau _i]}, m, \tau )\) \(\models ^d_F \exists (\hat{n}, \chi )\), (i) either there exists no \(\hat{m}\) in \(H_{[\tau _i]}\) such that \(\hat{m}\) is compatible with m, or (ii) there exists \(\hat{m}\) compatible with m, but \(\tau \not \in \lambda ^m\cap \lambda ^{\hat{m}}\), or (iii) there exists \(\hat{m}\) compatible with m with \(\tau \in \lambda ^m\cap \lambda ^{\hat{m}}\) but \(\hat{m}\) definitely falsifies \(\chi \) at \(\tau \). If (i) is true, it will be true in all future versions of \(H_{[\tau _i]}\), as matches cannot be found retrospectively. If (ii) is true, the lifespan of \(\lambda ^{\hat{m}}\) in the period \([0, \tau _{i}]\) will not change in all future versions of \(H_{[\tau _i]}\). Finally, if (iii) is true, we know from the induction hypothesis that \((\hat{m}, \tau ) \not \models \chi \) also over \(H_{[\tau _k]}\). Therefore, in any case, \((H_{[\tau _k]}, m, \tau ) \not \models \exists (\hat{n}, \chi )\). We have shown that the implication is true.

• Induction step: \(\psi =\chi \textrm{U}_I \omega \).

  We begin with the definite satisfaction. Induction hypothesis: \((H_{[\tau _i]}, m, \tau )\) \(\models ^d \chi \Rightarrow (H_{[\tau _k]}, m, \tau ) \models \chi \) and \((H_{[\tau _i]}, m, \tau ) \models ^d \omega \Rightarrow (H_{[\tau _k]}, m, \tau ) \models \omega \) with k an arbitrary index in \([i, \mathcal {D}]\cap \mathbb {N}^+\).

  We assume \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \textrm{U}_I \omega \) and show this implies \((H_{[\tau _k]}, m, \tau ) \models \chi \textrm{U}_I \omega \). Since \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \textrm{U}_I \omega \), there exists \(\tau \) such that \(\tau ' - \tau \in I\) and \((H_{[\tau _i]}, m, \tau ') \models ^d \omega \), and for all \(\tau ''\in [\tau , \tau ')\) \((H_{[\tau _i]}, m, \tau '') \models ^d \chi \). The decisions for the time point \(\tau '\) and for all time points \(\tau ''\) either concern a match or not: if they do concern a match, then they are confined to \([0, \tau _{i}]\) and remain unaltered throughout the trace; if they do not concern a match, e.g., they concern \({true } \) or \(\lnot {true } \), then they again remain unaltered. Therefore, also over \(H_{[\tau _k]}\) it will hold that at \(\tau '\) \((H_{[\tau _k]}, m, \tau ') \models \omega \), and for every \(\tau ''\) \((H_{[\tau _k]}, m, \tau '') \models \chi \). Thus, by the semantics of the satisfaction relation for until, \((H_{[\tau _k]}, m, \tau ) \models \chi \textrm{U}_I \omega \). We have shown that the implication is true.

  We proceed with the definite falsification. Let the induction hypothesis be \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \Rightarrow (H_{[\tau _k]}, m, \tau ) \not \models \chi \) and \((H_{[\tau _i]}, m, \tau ) \models ^d_F \omega \Rightarrow (H_{[\tau _k]}, m, \tau )\) \(\not \models \omega \).

  We assume \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \textrm{U}_I \omega \) and show that this implies \((H_{[\tau _k]}, m, \tau )\) \(\not \models \chi \textrm{U}_I \omega \). Since \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \textrm{U}_I \omega \), for all \(\tau '\) such that \(\tau '-\tau \in I\), either (i) \((H_{[\tau _i]}, m, \tau ') \models ^d_F \omega \) or (ii) there exists \(\tau ''\in [\tau , \tau ')\) such that \((H_{[\tau _i]}, m, \tau '') \models ^d \chi \). Regardless of which is the case, i.e., (i) or (ii) or both, analogously to the definite satisfaction, if the decisions for all \(\tau '\) and at \(\tau ''\) concern a match, they will remain unaltered, and so will they if they do not concern a match. Therefore, the case will also hold over \(H_{[\tau _k]}\). Therefore, \((H_{[\tau _k]}, m, \tau ) \not \models \chi \textrm{U}_I \omega \). We have shown that the implication is true.

• Induction step: \(\psi =\chi \textrm{S}_I \omega \).

  The proof proceeds analogously to until. We begin with the definite satisfaction. Let the induction hypothesis be \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \Rightarrow (H_{[\tau _k]}, m, \tau ) \models \chi \) and \((H_{[\tau _i]}, m, \tau ) \models ^d \omega \Rightarrow (H_{[\tau _k]}, m, \tau ) \models \omega \) with k an arbitrary index in \([i, \mathcal {D}]\cap \mathbb {N}^+\).

  We assume \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \textrm{S}_I \omega \) and show this implies \((H_{[\tau _k]}, m, \tau ) \models \chi \textrm{S}_I \omega \). Since \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \textrm{S}_I \omega \), there exists \(\tau '\) such that \(\tau - \tau ' \in I\) and \((H_{[\tau _i]}, m, \tau ') \models ^d \omega \), and for all \(\tau ''\in (\tau ', \tau ]\) \((H_{[\tau _i]}, m, \tau '') \models ^d \chi \). The decisions for the time point \(\tau '\) and all time points \(\tau ''\) either concern a match or not: if they do concern a match, then they are confined to \([0, \tau _{i}]\) and remain unaltered throughout the trace; if they do not concern a match, then they will again remain unaltered. Therefore, also over \(H_{[\tau _k]}\) it will hold that at \(\tau '\) \((H_{[\tau _k]}, m, \tau ') \models \omega \), and for all \(\tau ''\) \((H_{[\tau _k]}, m, \tau '') \models \chi \). Thus by the semantics of the satisfaction relation for since, \((H_{[\tau _k]}, m, \tau ) \models \chi \textrm{S}_I \omega \). We have shown that the implication is true.

  We proceed with the definite falsification. Let the induction hypothesis be \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \Rightarrow (H_{[\tau _k]}, m, \tau ) \not \models \chi \) and \((H_{[\tau _i]}, m, \tau ) \models ^d_F \omega \Rightarrow (H_{[\tau _k]}, m, \tau )\) \(\not \models \omega \).

  We assume \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \textrm{S}_I \omega \) and show that this implies \((H_{[\tau _k]}, m, \tau )\) \(\not \models \chi \textrm{S}_I \omega \). Since \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \textrm{S}_I \omega \), for all \(\tau '\) such that \(\tau -\tau ' \in I\), either (i) \((H_{[\tau _i]}, m, \tau ') \models ^d_F \omega \) or (ii) there exists \(\tau ''\in (\tau ', \tau ]\) such that \((H_{[\tau _i]}, m, \tau '') \models ^d \chi \). Regardless of which is the case, i.e., (i) or (ii) or both, analogously to the definite satisfaction, if the decisions for all \(\tau '\) and at \(\tau ''\) concern a match, they will remain unaltered, and so will they if they do not concern a match. Therefore, the case will also hold over \(H_{[\tau _k]}\). Therefore, \((H_{[\tau _k]}, m, \tau ) \not \models \chi \textrm{S}_I \omega \). We have shown that the implication is true.

From the base case and induction steps, it follows that Theorem 1 holds.   \(\square \)

1.2 B.2 Theorem 2: definite relations are equivalent to satisfaction relation over certain period of trace

Following is the proof for Theorem 2 (see [47], Section A.3.3]), that is, given an MTGC \(\psi \) over a pattern n, the non-definiteness \(w \) window of \(\psi \), and a sequence of RTM\(^\textrm{H}\) instances \(h^H_{\tau _\mathcal {D}}\) with \(\mathcal {D} \in \mathbb {N}^+\) the last index, for all \(i \in [1, \mathcal {D}]\cap \mathbb {N}^+\), if m a match for n in \(H_{[\tau _{i}]}\) and \(\tau \in [0, \tau _{i}-w ]\), then for all \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\), (i) \((H_{[\tau _{i}]}, m, \tau ) \models ^d \psi \) iff \((H_{[\tau _{k}]}, m, \tau ) \models \psi \), and (ii) \((H_{[\tau _{i}]}, m, \tau ) \models ^d_F \psi \) iff \((H_{[\tau _{k}]}, m, \tau ) \not \models \psi \).

By definition of the RTM\(^\textrm{H}\), a match m in \(H_{[\tau _i]}\) will be structurally present in all \(H_{[\tau _k]}\) with \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\)—what may change (once) in future versions of \(H_{[\tau _i]}\) is the lifespan of m, i.e., if the dts of all matched elements is \(\infty \) and one of these elements is updated to a value less than \(\infty \); even then, this change will not affect the lifespan of m in the period \([0, \tau _{i}]\), that is, in \(H_{[\tau _i]}\), the observation on whether m is present in \(\lambda ^m\cap [0, \tau _{i}]\) will never be refuted.

Proof

The direction \(\Rightarrow \) of the equivalence has been shown by the more general Theorem 1, which concerned an arbitrary \(\tau \). We therefore focus on direction \(\Leftarrow \) of the equivalence. As m is present in \(H_{[\tau _i]}\), its lifespan \(\lambda ^m\) in the period \([0, \tau _{i}]\) will remain unchanged in subsequent versions of \(H_{[\tau _i]}\). In the following, the non-definiteness window \(w \) is computed according to Definition 7.

The proof proceeds by mutual structural induction over \(\psi \). In the base case, we show the theorem to be true for the MTGL operator \({true } \). We omit the straightforward step for conjunction.

• Base case: \({true } \).

  We begin with the satisfaction. We assume \((H_{[\tau _k]}, m, \tau ) \models {true } \) for an arbitrary \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\) and \(\tau \in [0, \tau _{i}-w ]\) with \(w^{nd}=0\), and show that this implies \((H_{[\tau _i]}, m, \tau ) \models ^d {true } \). As \( {true } \) is always satisfied, m in \(H_{[\tau _i]}\) definitely satisfies \({true } \) at \(\tau \). Hence, the implication to be true.

  We proceed with the falsification. Based on the semantics of satisfaction, a match m never satisfies \(\not \models {true } \). Therefore, the antecedent \((H_{[\tau _k]}, m, \tau ) \not \models {true } \) is false, making the consequent \((H_{[\tau _i]}, m, \tau ) \models ^d_F {true } \) true.

• Induction step: \(\psi =\lnot \chi \).

  We begin with the satisfaction. Let \((H_{[\tau _k]}, m, \tau )\) \(\not \models \chi \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \) for an arbitrary \(k \in [i, \mathcal {D}]\cap \mathbb {N}^+\) and \(\tau \in [0, \tau _{i}-w ]\) with \(w (\lnot \chi )=w (\chi )\). By the semantics of negation and the satisfaction relation, \((H_{[\tau _k]}, m, \tau ) \not \models \chi \Leftrightarrow (H_{[\tau _k]} m, \tau ) \models \lnot \chi \). Similarly, \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \Leftrightarrow (H_{[\tau _i]}, m, \tau ) \models ^d \lnot \chi \). Therefore, it also holds that \((H_{[\tau _k]}, m, \tau ) \models \lnot \chi \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d \lnot \chi \).

  We proceed with the falsification. Assume \((H_{[\tau _k]}, m, \tau ) \models \chi \Rightarrow \) \((H_{[\tau _i]}, m, \tau )\) \(\models ^d \chi \). Analogously to the satisfaction, \((H_{[\tau _k]}, m, \tau ) \models \chi \Leftrightarrow (H_{[\tau _i]}, m, \tau ) \not \models \lnot \chi \) and \((H_{[\tau _k]}, m, \tau ) \models ^d \chi \Leftrightarrow (H_{[\tau _k]}, m, \tau ) \models ^d_F \lnot \chi \). Therefore, \((H_{[\tau _k]}, m, \tau ) \not \models \lnot \chi \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d_F \lnot \chi \).

• Induction step: \(\psi =\exists (\hat{n}, \chi )\).

  Let the induction hypothesis be \((H_{[\tau _k]}, \hat{m}, \tau ) \models \chi \Rightarrow (H_{[\tau _i]}, \hat{m}, \tau ) \models ^d \chi \) and \((H_{[\tau _k]}, \hat{m}, \tau ) \not \models \chi \Rightarrow (H_{[\tau _i]}, \hat{m}, \tau ) \models ^d_F \chi \), where \(\hat{m}\) is a match for the pattern \(\hat{n}\), k an arbitrary index in \([i, \mathcal {D}]\cap \mathbb {N}^+\), and \(\tau \in [0, \tau _{i}-w ]\). The non-definiteness window \(w\) is given by \(w (\exists (\hat{n}, \chi ))=w (\chi )\).

  We begin with the satisfaction. We assume that \((H_{[\tau _k]}, m, \tau ) \models \exists (\hat{n}, \chi )\) and show that this implies \((H_{[\tau _i]}, m, \tau ) \models ^d \exists (\hat{n}, \chi )\). Since \((H_{[\tau _k]}, m, \tau ) \models \exists (\hat{n}, \chi )\), there exists matches m and \(\hat{m}\) in \(H_{[\tau _k]}\) such that \(\hat{m}\) is compatible with m and \(\tau \in \lambda ^m\cap \lambda ^{\hat{m}}\). The match m is present in \(H_{[\tau _i]}\) and, according to the induction hypothesis, the match \(\hat{m}\) is also present in \(H_{[\tau _i]}\). As the matches are structurally the same, \(\hat{m}\) is also compatible with m in \(H_{[\tau _i]}\). Moreover, as there are no changes in \(\lambda ^{m}, \lambda ^{\hat{m}}\) for the period \([0, \tau _i]\), \(\tau \in \lambda ^m\cap \lambda ^{\hat{m}}\) over \(H_{[\tau _i]}\). We also know that \(\tau \le \tau _i\) and, by the induction hypothesis, that \(\hat{m}\) satisfies \(\chi \) at \(\tau \). Therefore, by the semantics of the definite satisfaction relation for exists, \((H_{[\tau _i]}, m, \tau ) \models ^d \exists (\hat{n}, \chi )\). We have shown that the implication is true.

  We proceed with the falsification. We assume that \((H_{[\tau _k]}, m, \tau ) \not \models \exists (\hat{n}, \chi )\) and show that this implies \((H_{[\tau _i]}, m, \tau ) \models ^d_F \exists (\hat{n}, \chi )\). Since \((H_{[\tau _k]}, m, \tau )\) \(\not \models \exists (\hat{n}, \chi )\), (i) either there exists no \(\hat{m}\) in \(H_{[\tau _k]}\) such that \(\hat{m}\) is compatible with m, or (ii) there exists \(\hat{m}\) compatible with m, but \(\tau \not \in \lambda ^m\cap \lambda ^{\hat{m}}\), or (iii) there exists \(\hat{m}\) compatible with m with \(\tau \in \lambda ^m\cap \lambda ^{\hat{m}}\) but \(\hat{m}\) falsifies \(\chi \) at \(\tau \). If (i) is true, it will be true in all future versions of \(H_{[\tau _i]}\), as matches cannot be found retrospectively. If (ii) is true, the lifespan of \(\lambda ^{\hat{m}}\) in the period \([0, \tau _{i}]\) will not change in all future versions of \(H_{[\tau _i]}\). Finally, if (iii) is true, we know from the induction hypothesis that \((\hat{m}, \tau ) \models ^d_F \chi \) also over \(H_{[\tau _i]}\) and that \(\tau \le \tau _i\). Therefore, in any case, \((H_{[\tau _i]}, m, \tau ) \models ^d_F \exists (\hat{n}, \chi )\). We have shown that the implication is true.

• Induction step: \(\psi =\chi \textrm{U}_I \omega \).

  We begin with the satisfaction. Let the induction hypothesis be \((H_{[\tau _k]}, m, \tau ) \models \chi \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d \chi \) and \((H_{[\tau _k]}, m, \tau ) \models \omega \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d \omega \) with k an arbitrary index in \([i, \mathcal {D}]\cap \mathbb {N}^+\) and \(\tau \in [0, \tau _{i}-w ]\). The non-definiteness window \(w\) is given by \(max(w (\chi ), w (\omega ))+r(I)\).

  We assume \((H_{[\tau _k]}, m, \tau ) \models \chi \textrm{U}_I \omega \) and show \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \textrm{U}_I \omega \). Since \((H_{[\tau _k]}, m, \tau ) \models \chi \textrm{U}_I \omega \), there exists \(\tau '\) such that \(\tau ' - \tau \in I\) and \((H_{[\tau _k]}, m, \tau ') \models \omega \), and for all \(\tau ''\in [\tau , \tau ')\) \((H_{[\tau _k]}, m, \tau '') \models \chi \). From \(\tau \in [0, \tau _i - w]\) and \(\tau ' \in [\tau +\ell (I), \tau +r(I)]\), it follows that \(\tau '\le \tau _i - max(w (\chi ), w (\omega ))\). Based on this and the induction hypothesis, \((H_{[\tau _i]}, m, \tau ') \models ^d \omega \). Moreover, as \(\tau '\) stems from a period outside the non-definiteness window of \(\omega \) , the decision at \(\tau '\), whether it concerns a match or not, will remain unaltered once made.

  The decision at \(\tau '\) as well as the preceding period \([\tau , \tau ')\) are also outside the non-definiteness window of \(\chi \). Thus, all \(\tau ''\in [\tau , \tau ')\) stem from a period covered by \(H_{[\tau _i]}\), and decisions for \(\chi \) made in this period are definite. Therefore, for all \([\tau +\ell (I), \tau +\tau ')\) \((H_{[\tau _i]}, m, \tau '') \models ^d \chi \), and, by the definite semantics, \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \textrm{U}_I \omega \). We have shown that the implication is true.

  We proceed with the falsification. Let the induction hypothesis be that \((H_{[\tau _k]}, m, \tau ) \not \models \chi \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \) and \((H_{[\tau _k]}, m, \tau ) \not \models \omega \Rightarrow (H_{[\tau _i]}, m, \tau )\) \(\models ^d_F \omega \).

  We assume \((H_{[\tau _k]}, m, \tau ) \not \models \chi \textrm{U}_I \omega \) and show \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \textrm{U}_I \omega \). Since \((H_{[\tau _k]}, m, \tau ) \not \models \chi \textrm{U}_I \omega \), it holds that for all \(\tau '\) such that \(\tau '-\tau \in I\) either (i) \((H_{[\tau _k]}, m, \tau ') \not \models \omega \) or (ii) there exists \(\tau ''\in [\tau , \tau ')\) such that \((H_{[\tau _k]}, m, \tau '') \models \chi \). Regardless of which is the case, i.e., (i) or (ii) or both, analogously to the satisfaction, the decisions for all \(\tau '\) and at \(\tau ''\) stem from a period that is covered by \(H_{[\tau _i]}\), and decisions made in this period regarding \(\chi \) and \(\omega \) are definite. Therefore, the case will also hold over \(H_{[\tau _i]}\). Therefore, \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \textrm{U}_I \omega \). We have shown that the implication is true.

• Induction step: \(\psi =\chi \textrm{S}_I \omega \).

  We begin with the satisfaction. Let the induction hypothesis be \((H_{[\tau _k]}, m, \tau ) \models \chi \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d \chi \) and \((H_{[\tau _k]}, m, \tau ) \models \omega \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d \omega \) with k an arbitrary index in \([i, \mathcal {D}]\cap \mathbb {N}^+\) and \(\tau \in [0, \tau _{i}-w ]\). The non-definiteness window \(w\) is given by \(max(w (\chi ), w (\omega ))\).

  We assume \((H_{[\tau _k]}, m, \tau ) \models \chi \textrm{S}_I \omega \) and show \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \textrm{S}_I \omega \). Since \((H_{[\tau _k]}, m, \tau ) \models \chi \textrm{S}_I \omega \), there exists \(\tau '\) such that \(\tau - \tau ' \in I\) and \((H_{[\tau _k]}, m, \tau ') \models \omega \), and for all \(\tau ''\in (\tau ', \tau ]\) \((H_{[\tau _k]}, m, \tau '') \models \chi \). From \(\tau \in [0, \tau _i - w]\) and \(\tau ' \in [\tau -r(I), \tau -\ell (I)]\), it follows that \(\tau '\le \tau _i - max(w (\chi ), w (\omega ))\). Hence, the decision at \(\tau '\) can already be made over \(H_{[\tau _i]}\), and, moreover, as \(\tau '\) stems from a period outside the non-definiteness window of \(\omega \), the decision at \(\tau '\), whether it concerns a match or not, will remain unaltered once made. Therefore, \((H_{[\tau _i]}, m, \tau ') \models ^d \omega \). The decision at \(\tau '\) as well as the succeeding period \((\tau ', \tau ]\) is also outside the non-definiteness window of \(\chi \). Thus, all \(\tau ''\in (\tau ', \tau ]\) stem from a period covered by \(H_{[\tau _i]}\), and decisions for \(\chi \) made in this period are definite. Therefore, for all \(\tau ''\in (\tau ', \tau ]\) \((H_{[\tau _i]}, m, \tau '') \models ^d \chi \), and, by the definite semantics, \((H_{[\tau _i]}, m, \tau ) \models ^d \chi \textrm{S}_I \omega \). We have shown that the implication is true.

  We proceed with the falsification. Let the induction hypothesis be that \((H_{[\tau _k]}, m, \tau ) \not \models \chi \Rightarrow (H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \) and \((H_{[\tau _k]}, m, \tau ) \not \models \omega \Rightarrow (H_{[\tau _i]}, m, \tau )\) \(\models ^d_F \omega \).

  We assume \((H_{[\tau _k]}, m, \tau ) \not \models \chi \textrm{S}_I \omega \) and show \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \textrm{S}_I \omega \). Since \((H_{[\tau _k]}, m, \tau ) \not \models \chi \textrm{S}_I \omega \), it holds that for all \(\tau '\) such that \(\tau -\tau ' \in I\) either (i) \((H_{[\tau _k]}, m, \tau ') \not \models \omega \) or (ii) there exists \(\tau ''\in (\tau ', \tau ]\) such that \((H_{[\tau _k]}, m, \tau '') \models \chi \). Regardless of which is the case, i.e., (i) or (ii) or both, analogously to the satisfaction, the decisions for all \(\tau '\) and at \(\tau ''\) stem from a period that is covered by \(H_{[\tau _i]}\), and decisions made in this period regarding \(\chi \) and \(\omega \) are definite. Therefore, the case will also hold over \(H_{[\tau _i]}\). Therefore, \((H_{[\tau _i]}, m, \tau ) \models ^d_F \chi \textrm{S}_I \omega \). We have shown that the implication is true.

From the base case and induction steps, it follows that Theorem 2 holds.   \(\square \)

1.3 B.3 Corollary 1: Period in trace with non-definite decisions

Following is the proof for Corollary 1 (see [47], p.32]), that is, if \(\psi \) is an MTGC, w is the non-definiteness window of \(\psi \), \(H_{[\tau _{i}]}\) is a RTM\(^\textrm{H}\) instance associated with the time point \(\tau _{i}\), m is a match for a pattern n, and \(\tau \) a time point in \([0, \tau _{i}]\), then if \((H_{[\tau _{i}]}, m, \tau ) \not \models ^d \psi \) and \((H_{[\tau _{i}]}, m, \tau ) \not \models ^d_F\psi \), then \(\tau \in (\tau _{i}-w,\tau _{i}]\).

Proof

The proof follows from Theorem 2. The satisfaction relation and its negation make a decision for every time point in \([0, \tau _{i}-w]\), i.e., the relation does not support the value unknown; Theorem 2 shows that the decisions made by the satisfaction relation and its negation for \([0, \tau _{i}-w]\) are equivalent to the decisions made by the definite relations. Consequently, if no definite decision is made for \(\tau \in [0, \tau _{i}]\), then \(\tau \not \in [0, \tau _{i}-w]\).   \(\square \)

1.4 B.4 Theorem 3: Equality of definite spans and definite computations for satisfaction and falsification

Following is the proof for Theorem 3 (see [47], Section A.3.4]), i.e., given a match m over a RTM\(^\textrm{H}\) \(H_{[\tau ]}\) and an MTGC \(\psi \), the definite satisfaction span \(\mathcal {Y}^{d}\) of m for \(\psi \) over \(H_{[\tau ]}\) is given by the definite satisfaction computation \(\mathcal {Z}^{d}\) of m for \(\psi \) over \(H_{[\tau ]}\) in Definition 8, that is, \(\mathcal {Y}^{d}(m, \psi )=\mathcal {Z}^{d}(m, \psi )\). Moreover, the definite falsification span \(\mathcal {F}\) of m for \(\psi \) over \(H_{[\tau ]}\) is given by the definite falsification computation F of m for \(\psi \) over \(H_{[\tau ]}\) in Definition 8, that is, \(\mathcal {F}(m, \psi )=F(m, \psi )\).

Proof

The proof for the definite satisfaction span \(\mathcal {Z}^d\) proceeds almost identically to the proof for Theorem 1 for \(\mathcal {Z}\) in [47], Section A.3.1], i.e., by structural induction over \(\psi \), and therefore omitted. For \({true } \), conjunction, exists, until, and since in Definition 8, inclusion can be shown in both directions—the proof for the negation relies on a reasoning analogous to the one presented below for negation for the definite falsification span.

The proof for the definite falsification F is based on the application of \(F=\mathbb {R} \setminus (\mathcal {Z}^{d} \uplus X)\) for each MTGL operator—which follows from \(\mathbb {R} = \mathcal {Y}^{d} \uplus \mathcal {F} \uplus X\). The unknown span X for \({true } \) is \(X=\emptyset \), whereas for exists, by definition of the RTM\(^\textrm{H}\) \(H_{[\tau ]}\), it is \(X=(\tau , \infty )\). If F is known, it can be used to compute \(\mathcal {Z}^{d} \uplus X\).

• \(\psi ={true } \): From Equation 8 in Definition 8, we have \(\mathcal {Z}^d(m, {true })=\mathbb {R}\), therefore \(F(m, {true })=\emptyset \).

• \(\psi =\lnot \chi \): It holds that

  $$\begin{aligned} \overline{F}(m, \lnot \chi )= \mathcal {Z}^d(m, \lnot \chi ) \uplus X(m, \lnot \chi ) \end{aligned}$$

  and

  $$\begin{aligned} \overline{\mathcal {Z}^d}(m, \chi ) = \mathcal {Z}^d(m, \lnot \chi ) \uplus X(m, \lnot \chi ) \end{aligned}$$

  Therefore,

  $$\begin{aligned} F(m, \lnot \chi )= \overline{\overline{\mathcal {Z}^d}}(m, \chi ) = \mathcal {Z}^d(m, \chi ) \end{aligned}$$

• \(\psi =\chi \wedge \omega \): Let each time point that does not definitely falsify the MTGC a that \(\chi \) encloses to be assumed to satisfy the a. In practice, this includes all time points in \(\mathcal {Z}^d(m, \chi )\uplus X(m, \chi )\) for a. Subtracting this maximal satisfaction span from the time domain \(\mathbb {R}\) yields the set of time points that definitely falsify \(\chi \). Let the satisfaction span of \(\omega \) be defined analogously. If the satisfaction span of conjunction is computed based on these maximal satisfaction spans of \(\chi \) and \(\omega \), i.e., by \((\mathcal {Z}^d(m, \chi )\uplus X(m, \chi )) \cap (\mathcal {Z}^d(m, \omega )\uplus X(m, \omega ))\), the definite falsification span of conjunction can be computed analogously.

  $$\begin{aligned} \begin{aligned} F(m, \chi \wedge \omega ) & = \mathbb {R} \setminus \big ( (\mathcal {Z}^d(m, \chi )\uplus X(m, \chi )) \cap (\mathcal {Z}^d(m, \omega )\uplus X(m, \omega ))\big ) \\ & = \mathbb {R} \setminus \big ((\mathbb {R} \setminus F(m, \chi )) \cap (\mathbb {R} \setminus F(m, \omega ))\big ) \\ & = F(m, \chi ) \cup F(m, \omega ) \end{aligned} \end{aligned}$$

• \(\psi =\exists (\hat{n}, \chi )\): Let \(\tau \) be the time point of the RTM\(^\textrm{H}\) \(H_{[\tau ]}\). As \(\mathcal {Z}(m, \exists (\hat{n}, \chi ))\) is known and \(X(m, \exists (\hat{n}, \chi ))=(\tau , \infty )\), to obtain the falsification computation, we can directly solve \(\mathbb {R} \setminus (\mathcal {Z}^d \uplus X)\).

  $$\begin{aligned} \begin{aligned} F(m, \exists (\hat{n}, \chi )) & = \mathbb {R} \setminus \big (\mathcal {Z}^d(m, \exists (\hat{n}, \chi )) \cup (\tau , \infty )\big ) \\ & = \big (\mathbb {R} \setminus (\tau , \infty )\big ) \cap \big (\mathbb {R} \setminus \mathcal {Z}^d(m, \exists (\hat{n}, \chi ))\big )\\ & = (-\infty , \tau ] \cap \big (\mathbb {R} \setminus \mathcal {Z}^d(m, \exists (\hat{n}, \chi ))\big ) \end{aligned} \end{aligned}$$

• \(\psi =\chi \textrm{U}_I \omega \) and \(0 \not \in I\): The computation for until relies on the reasoning explained in the case of conjunction. The satisfaction span of until is computed based on the maximal satisfaction spans of \(\omega \), i.e., \(\mathcal {Z}^d(m, \omega )\uplus X(m, \omega )\), and \(\chi \), that is, \(J_i^X\) is obtained by \(\mathcal {Z}^d(m, \omega )\uplus X(m, \omega )\) and \(\mathcal {Z}^d(m, \chi )\uplus X(m, \chi )\), thus the until satisfaction span is similarly maximal. Therefore, complementing this maximal satisfaction span yields all time points that definitely falsify until. Therefore, we have:

  $$\begin{aligned} \begin{aligned} F(m,\chi \textrm{U}_I \omega ) & = \mathbb {R} \setminus \Bigg (\bigcup \limits _{i \in \mathcal {Z}^d(m, \omega )\cup X(m, \omega ),\, j \in J^X_i} j \cap \big ((j^{+} \cap i) \ominus I\big )\Bigg ) \end{aligned} \end{aligned}$$

• \(\psi =\chi \textrm{U}_I \omega \) and \(0 \in I\): The reasoning is similar to the case where \(0 \not \in I\).

• \(\psi =\chi \textrm{S}_I \omega \) and \(0 \not \in I\): The case proceeds analogously to the corresponding case of until.

• \(\psi =\chi \textrm{S}_I \omega \) and \(0 \in I\): The case proceeds analogously to the corresponding case of until.

By showing that \(\mathcal {Y}^{d}(m, \psi )=\mathcal {Z}^{d}(m, \psi )\) and the equations for \(F(m, \psi )\), we have shown that theorem holds.

1.5 B.5 Theorem 4: Equality of effective answer set and restricted definite temporal validity answer set over trace

Following is the proof for Theorem 4 (see [47], p.57]), which states that, if \(\zeta := (n, \psi )\) is a temporal query with \(\psi \) an MTGC, w is the non-definiteness window of \(\psi \), \(h^H_{\tau _\mathcal {D}}\) is a RTM\(^\textrm{H}\)-trace with \(\mathcal {D} \in [2,\infty ] \cap \mathbb {N}^+\), i is an index in \([k, \mathcal {D}-1]\cap \mathbb {N}^+\) such that \(\tau _k \ge w\). \(\mathcal {T} ^{d}_{\mathcal {V},r}(H_{[\tau _i]})\) is the restricted definite temporal validity answer set over \(H_{[\tau _i]}\) which has been obtained from the definite answer set \(\mathcal {T} ^d\) but contains (i) only pairs of matches with their temporal validity \(\mathcal {V}^d\) with \(\mathcal {V}^d \not = \emptyset \) and (ii) \(\mathcal {V}^d\) is intersected with \([0, \tau _{i}-w]\), then the effective answer set \(\mathcal {T} ^e(H_{[\tau _i]})\) is equal to \(\mathcal {T} ^{d}_{\mathcal {V},r}(H_{[\tau _i]})\).

Proof

Based on the more general Theorem 2 which shows that, for \(\tau \in [0, \tau _{i}-w ]\), the satisfaction decision for \(\tau \) in \(H_{[\tau _i]}\) is equivalent to definite satisfaction decision for \(\tau \) in \(H_{[\tau _i]}\). The computations of \(\mathcal {V}\) and \(\mathcal {V} ^d\) over \(H_{[\tau _i]}\) rely on the computations of \(\mathcal {Z}\) and \(\mathcal {Z} ^d\) over \(H_{[\tau _i]}\), respectively. Theorem 1 in [47], Section A.3.1] and Theorem 3 show that satisfaction relation and definite satisfaction relation over \(H_{[\tau _i]}\) are soundly reflected in \(\mathcal {Z} \) and \(\mathcal {Z} ^d\) over \(H_{[\tau _i]}\), respectively.   \(\square \)