1 Introduction

Causality is a key ingredient for explaining model-checking results [5, 15, 38, 46] and a reasoning tool in several verification and synthesis algorithms [2, 36, 37]. These techniques have retrofitted causality definitions from philosophy [33, 40] and artificial intelligence [31], which were not designed for reactive systems with infinite dynamics and often fall short in such ad-hoc applications. For instance, popular approaches for explaining model-checking results highlight the counterexample trace at events that constitute causes [7, 18, 32]. Yet, marking a (possibly infinite) set of events does not clearly describe the temporal behavior manifested by them since, e.g., two events can be individually responsible for the effect or only together. Similarly, the occurrence of events in the loop part of a trace can be relevant, e.g., only once or infinitely often.


To address such reoccurring problems arising with causal reasoning in reactive systems, Coenen et al. have recently proposed temporal causality for drawing causal relationships between temporal properties on a given trace of a system [19]. Causal properties can then be described symbolically with logics or automata, which give a concise description of the possibly infinite causal behavior, and are, moreover, amenable to verification algorithms.

1.1 Temporal Causality

At its core, temporal causality uses counterfactual reasoning to infer a causal relationship: A property is a cause for some effect property on a given trace, where both properties hold, if on all closest traces that do not satisfy the cause, the effect is not satisfied either. Additionally, the cause property has to be semantically minimal. Hence, it is a form of actual causation [30], which describes the concrete causal behavior in the given, actual observation (the trace), and not all of the system behavior that may cause the effect (which loosely corresponds to the concept of general causation).

Fig. 1. Example system.

To illustrate, consider the system depicted in Fig. 1, where x and y are inputs and e is an output. We are interested in what input behavior causes the effect on the trace \(\pi = (\{x,e\})^\omega \) – we skip the output label of the first position. Our first guess may be , which characterizes all system traces that satisfy . However, this is too general to describe the causal behavior on \(\pi \). After all, the left disjunct y is not even satisfied by \(\pi \). Let us see which condition fails. The counterfactual criterion holds: The closest system traces that do not satisfy also do not satisfy the effect, as these are exactly the traces that go directly to the lower state labeled with the empty set and loop there infinitely. However, minimality is not satisfied, as the property implies (i.e., is semantically smaller) and also satisfies the counterfactual criterion: the closest trace that does not satisfy it is \((\{\})^\omega \). In particular, the existence of, e.g., trace \(\{y,e\}(\{\})^\omega \) that also does not satisfy the cause , but still satisfies the effect , is irrelevant, as \((\{\})^\omega \) is closer to \(\pi \) than the trace \(\{y,e\}(\{\})^\omega \). It is worth pointing out that we only measure distance over inputs. Picking a property that is too small fails the counterfactual criterion: If we picked \(x\), which implies , there would be, e.g., the closest trace \(\{\}(\{x,e\})^\omega \) that still satisfies the effect.

In their original work [19], Coenen et al. showed that the requirements for a valid causal relationship can be encoded as a hyperproperty [17], such that checking whether a given \(\omega \)-regular property is indeed the cause for a given \(\omega \)-regular effect on a trace can be decided via model checking. This has recently been implemented in a sketch-based algorithm for enumerating causes [11], which is complete for effects containing as the only temporal operator. That approach, of course, covers only a tiny fragment of the original theory. How to compute the cause for an arbitrary \(\omega \)-regular effect has remained an open question.

1.2 Contributions and Structure

As it turns out, the intricate balance between the counterfactual criterion and minimality of temporal causality gives rise to an intuitive order-theoretic characterization of causes: The complement of the cause is the upward closure of the negated effect property in the partial order defined by the similarity relation (measuring distance from the actual trace). We illustrate the intuition behind this characterization in Sect. 3.1, and formally develop it in Sect. 5.1.

The consequence of our characterization is that if we can compute the upward closure of the negated effect \(\overline{\textsf{E}}\) and the complement of the result, then we can compute the cause for \(\textsf{E}\) on \(\pi \). We show that if \(\textsf{E}\) is an \(\omega \)-regular property, \(\pi \) in a lasso shape, and the similarity relation is also defined by a (relational) \(\omega \)-regular property, such an upward closure can be constructed as a nondeterministic Büchi automaton, which means that the cause (i.e., the complement of the automaton) again is an \(\omega \)-regular property. This approach forms the core of our cause synthesis algorithm, which we describe in Sect. 5.

The complexity of our algorithm significantly scales in the size of the description of the similarity relation, which is problematic due to the complex and large similarity relations of previous work. Coenen et al. [19] observed that with the original counterfactual criterion, these similarity relations need to satisfy the assumption that there is a non-empty set of closest traces for any actual trace and candidate cause, otherwise the counterfactual condition can be vacuously true. We tie this restriction to the limit assumption first introduced by Lewis [41] and study similarity relations through this lens. Concrete similarity relations that have been proposed so far [11, 19] satisfy the limit assumption by adding additional criteria, but these increase the size of the formula describing the similarity relation significantly. In Sect. 4, we show that we can instead modify the counterfactual condition of the causality definition to allow similarity relations that do not satisfy the limit assumption, using Lewis’ semantics for counterfactuals [41], as extended to non-total similarity relations by Finkbeiner and Siber [23]. Crucially, this modification retains the original semantics of Coenen et al. for similarity relations that satisfy the limit assumption as long as the actual trace is deterministic. Hence, it generalizes our closure-based characterization and the corresponding algorithm to significantly simpler similarity relations. All proofs can be found in the full version of this paper [22].

In Sect. 6, we show through experiments with our prototype tool CORP that our modified counterfactual criterion leads to significantly faster computations in practice. We further compare our cause synthesis algorithm with the incomplete sketching approach of the tool CATS [11]. Last, we extend our approach to cause checking through cause synthesis with an additional equivalence check, which we compare with the checker implemented in CATS.

Contributions. In summary, we make the following contributions:

  • We extend the theory of temporal causality to similarity relations that do not satisfy the limit assumption.

  • We prove an order-theoretic characterization of causes as downward closed sets of the similarity relation.

  • Based on this characterization, we develop the first complete method for \(\omega \)-regular cause synthesis.

  • We present and evaluate a prototype implementation of our approach.

2 Preliminaries

We start by recalling preliminaries regarding our system model. Then, we provide background on automata and logics for describing temporal properties.

Systems and Traces. We model systems as nondeterministic finite state machines \(\mathcal {T} = (S, s_0, AP , \delta , l)\) where S is a finite set of states, \(s_0 \in S\) is the initial state, is the set of atomic propositions consisting of inputs \( I \) and outputs \( O \), \(\delta : S \times 2^I \rightarrow 2^S\) is the transition function determining a set of successor states for a given state and input, and \(l: S \rightarrow 2^ O \) is the labeling function mapping each state to a set of outputs. A trace of \(\mathcal {T}\) is an infinite sequence \(\pi = \pi [0] \pi [1] \ldots \in (2^ AP )^\omega \), with \(\pi [i] = A \cup l(s_{i+1})\) for some \(A \subseteq I\) and \(s_{i+1} \in \delta (s_i,A)\) for all \(i \ge 0\), i.e., we skip the label of the initial state in the first position. \( traces (\mathcal {T})\) is the set of all traces of \(\mathcal {T}\). For two subsets of atomic propositions \( V , W \subseteq AP \), let \( V |_ W = V \cap W \), \(\pi |_ W = \pi _0|_ W \,\pi _1|_ W \ldots \) and \(\pi =_ V \pi '\) iff \(\pi |_ V = \pi '|_ V \) for traces \(\pi ,\pi '\). A trace \(\pi _0\) is deterministic in \(\mathcal {T}\) iff for all \(\pi _1 \in traces (\mathcal {T}): \pi _0 =_I \pi _1 \rightarrow \pi _0 = \pi _1\). A trace \(\pi \) is lasso-shaped, if there exist \(i,j=i+1,k \in \mathbb {N}\) such that \(\pi = \pi _0 \ldots \pi _i \cdot (\pi _{j} \ldots \pi _k)^\omega \), we then define \(| \pi | = k - 1\).

Büchi Automata. A nondeterministic Büchi automaton (NBA) [13] is a tuple \(\mathcal {A} = (Q,\varSigma , Q^0, F, \varDelta )\), where Q denotes a finite set of states, \(\varSigma \) is a finite alphabet, \(Q^0 \subseteq Q\) is a set of initial states, \(F\subseteq Q\) is the set of accepting states, and \(\varDelta : Q \times \varSigma \rightarrow 2^Q\) is the transition function that maps a state and a letter to a set of possible successor states. The size of an NBA \(|\mathcal {A}|\) is the number of its states |Q|. A run of \(\mathcal A\) on an infinite word \(w = w_1w_2 \dots \in \varSigma ^{\omega }\) is an infinite sequence \( r = q_0q_1\dots \in Q^{\omega }\) with \(q_0 \in Q^0\) and \(q_{i+1} \in \varDelta (q_i,w_i)\) for all \(i \in \mathbb N\). A run r of the NBA is accepting if there exist infinitely many \(i \in \mathbb {N}\) such that \(q_i \in F\). The language \(\mathcal {L}(\mathcal {A})\) is the set of all words that have an accepting run. We say that some trace property \(\textsf{P}\subseteq (2^A)^\omega \) is \(\omega \)-regular, if there is an NBA \(\mathcal {A}\) such that \(\mathcal {L}(\mathcal {A}) = \textsf{P}\). A trace \(\pi \) satisfies any \(\textsf{P}\subseteq (2^A)^\omega \), denoted by \(\pi \vDash \textsf{P}\), iff \(\pi |_A \in \textsf{P}\).

Linear-Time Temporal Logic. We use Linear-time Temporal Logic (LTL) [44] to succinctly specify a fragment of \(\omega \)-regular properties throughout the paper. LTL formulas are built using the following grammar, where \(a \in AP \):


The semantics of LTL are given by the following satisfaction relation, which recurses over the positions i of the trace \(\pi \).


A trace \(\pi \) satisfies a formula \(\varphi \), denoted by \(\pi \vDash \varphi \) iff the formula holds at the first position: \(\pi ,0 \vDash \varphi \). The language \(\mathcal {L}(\varphi )\) is the set of all traces that satisfy a formula \(\varphi \). We also consider the usual derived Boolean connectives: \(\vee \), \(\rightarrow \), \(\leftrightarrow \); and temporal operators: , , .

Relational Properties. Relational properties, or, hyperproperties [17], allow us to relate multiple system executions, and reason about their interaction. Counterfactual reasoning often is a hyperproperty, and in particular, temporal causality as defined by Coenen et al. was formally shown to be a hyperproperty [19]. Many logics to express temporal hyperproperties have been suggested in recent years (e.g., [6, 8, 10, 28]), the most prominent one being HyperLTL [16]. In this paper, we do not use a hyperlogic to express temporal causality, but we use the related notion of zipped traces (e.g., [9]) for defining similarity relations. A zipped trace of three traces \(\pi _{0,1,2}\) is defined as \( zip (\pi _0,\pi _1,\pi _2)[i] = \{(a,t_k) \; | \; a \in \pi _k[i]\}\), i.e., we construct the zipped trace from disjoint unions of the positions of the three traces, where atomic propositions from the traces \(\pi _{0,1,2}\) are distinguished through pairing them with the trace variables \(t_{0,1,2}\).

3 Overview: The Topology of Causality

Our main results on cause synthesis heavily rely on a characterization of causes as certain downward closed sets of system traces that are ordered by a similarity relation. We illustrate the main intuition behind this characterization in Sect. 3.1. Then, in Sect. 3.2, we outline how we extend this result to more general similarity relations than originally considered by Coenen et al. [19].

3.1 Actual Causes as Downward Closed Sets of Traces

Our central theorem states that the temporal cause for an effect \(\textsf{E}\) on some actual trace \(\pi \) is the largest subset of \(\textsf{E}\) that is downward closed in the preordered set of system traces \(( traces (\mathcal {T}),\le _\pi )\), where \(\le _\pi \) is a (comparative) similarity relation that orders traces based on their similarity to \(\pi \). Figure 2a illustrates this abstractly. Arrows together with nodes represent system executions, whose traces form \( traces (\mathcal {T})\) and are ordered by the irreflexive reduction \(<_\pi \) of the similarity relation. The set of system traces is, in general, infinite, so there may be infinitely many other traces which are omitted from the illustration for the sake of clarity. However, note that similarity relations must be designed such that all traces are further away from the actual trace \(\pi \) than itself, i.e., \(\pi \) is a minimum of \(\le _\pi \). The set of traces that satisfy the effect is depicted by the area that is colored in light blue. The actual trace \(\pi \) is an element of this set, as this is the trace on which the cause for a given effect is analyzed.

Fig. 2. Two highlighted aspects of the cause \(\textsf{C}\) in the preordered set (\( traces (\mathcal {T}),\le _\pi \)). Figure 2a illustrates that the cause is the largest downward-closed subset of the effect \(\textsf{E}\). The quantifiers in Fig. 2b show which traces outside of the cause are required to avoid the effect in our formalization (without limit assumption) and in Coenen et al.’s definition [19] (with limit assumption).

Coenen et al.’s temporal causality is counterfactual in nature, and now requires that the closest traces outside of the cause \(\textsf{C}\), which in Fig. 2a is marked by the red border, do not satisfy the effect. In the illustration, this is reflected by \(\pi _b\) and \(\pi _c\) not satisfying the effect, i.e., not being in a light blue area. At the same time, Coenen et al. require the cause to be the smallest set that satisfies this, which means that only traces that satisfy the effect are included: Otherwise, the upward closure of traces that do not satisfy the effect could be removed. Hence, in Fig. 2a the area inside the red border is light blue.

In this paper, we show that the balance between these criteria defines causes that are the largest subsets of \(\textsf{E}\) that are downward closed in the preordered set \(( traces (\mathcal {T}),\le _\pi )\). We also propose an algorithm that constructs these causes for effects that are \(\omega \)-regular properties and traces that are in a lasso-shape. Our algorithm first constructs a nondeterministic Büchi automaton for the complement of the cause \(\textsf{C}\). This complement is the upward closure of the negated effect \(\overline{\textsf{E}}\), which means it includes all traces for which there exists an at-least-as close trace that does not satisfy the effect. Since \(\le _\pi \) is reflexive, this naturally includes all traces in \(\overline{\textsf{E}}\), such as \(\pi _b\) and \(\pi _c\) in Fig. 2a. It also includes all traces that are further away than a trace in \(\overline{\textsf{E}}\), such as \(\pi _a\) and \(\pi _d\).

In the end, these mechanisms make temporal causality a form of actual causality that describes a local generalization of the behavior that causes the effect on the actual trace. In the introductory example from Fig. 1 with the actual trace \(\pi = \{x,e\}^\omega \), traces in, e.g., are all further away from \(\pi \) than the trace \(\{\}^\omega \), which is in \(\overline{\textsf{E}} = \mathcal {L}(\lnot e)\). Hence, is included in the upward closure of \(\overline{\textsf{E}}\), and none of its elements is included in the cause.

3.2 Causality Without the Limit Assumption

With our approach based on set closure, we can solve a central issue of temporal causality: Since the preordered set \(( traces (\mathcal {T}),\le _\pi )\) is infinite, there only exist traces in \(\overline{\textsf{C}}\) that are the closest with respect to the actual trace \(\pi \) if \((\overline{\textsf{C}},\le _\pi )\) is well-founded. If this is the case for all possible pairs of actual trace \(\pi \) and cause candidate \(\textsf{C}\), we say the similarity relation satisfies the limit assumption, after Lewis [41], who formalized it for counterfactual modal logic. Since Coenen et al.’s definition [19] requires that all closest traces avoid the effect, it is restricted to similarity relations that satisfy this assumption. Their counterfactual condition is illustrated in the lower part of Fig. 2b. If the limit assumption holds, any descending chain \(\pi _j \ge _\pi \pi _{j-1} \ge _\pi \ldots \) stabilizes at some \(\pi _i\), for which Coenen et al. require \(\pi _i \in \overline{\textsf{E}}\).

If the limit assumption does not hold (upper part of Fig. 2b), there may be infinite chains \(\pi _j\ge _\pi \pi _{j-1} \ge \ldots \) for which a closest \(\pi _i\) does not exist. In these instances, Coenen et al.’s criterion would be vacuously true. This is particularly problematic as the canonical similarity relation \(\le ^\textit{subset}_\pi \) does not satisfy the limit assumption. This metric orders two traces as \(\pi _{j} \le ^\textit{subset}_\pi \pi _k\) if the changes between \(\pi _j\) and \(\pi \) are a subset of the changes between \(\pi _k\) and \(\pi \). This may lead, for example, to the infinite chain \(\{\}^\omega \ge _{\pi }^\textit{subset} \{x\}\{\}^\omega \ge _{\pi }^\textit{subset} \ldots \) in the preordered set , where \(\pi = \{x\}^\omega \). Coenen et al. add additional constraints on top of \(\le ^\textit{subset}_\pi \) to ensure that it satisfies the limit assumption. These, however, make cause checking more expensive, as observed by Beutner et al. [11], who therefore combine \(\le ^\textit{subset}_\pi \) with a vacuity check. While this is computationally better, this check simply fails in instances as outlined above, and so certain causes cannot be checked by this method [11].

In this work, we solve this conundrum by modifying the definition of temporal causality to accommodate similarity relations that do not satisfy the limit assumption. We change the central counterfactual condition from a universal quantification over the closest traces in \(\overline{\textsf{C}}\) to an \(\forall \exists \)-quantification over all traces \( \pi _j \in \overline{\textsf{C}}\). For each such trace \(\pi _j\), we require the existence of a closer trace \(\pi _i \le _\pi \pi _j\) that does not satisfy the effect. This is depicted in the upper part of Fig. 2b. Naturally, this quantification mirrors exactly the characterization of cause-complements via upward closed sets (cf. Sect. 5.1). On the theoretical side, we show that if the similarity relation satisfies the limit assumption and a minor assumption on nondeterminism is met, our definition is equivalent to Coenen et al.’s original definition (Sect. 4.3). On the practical side, we confirm experimentally that our approach leads to significant improvements through the accommodation of simpler similarity relations that do not satisfy the limit assumption (Sect. 6).

4 Generalized Temporal Causality

In this section, we generalize the definition of temporal causality to accommodate similarity relations that do not satisfy the limit assumption. We first recall similarity relations and formalize the limit assumption (Sect. 4.1). Then we present our updated definition of temporal causality (Sect. 4.2). Last, we prove that it retains the original semantics in the special case considered by Coenen et al. with a minor additional assumption on nondeterminism (Sect. 4.3).

4.1 Similarity Relations and the Limit Assumption

A comparative similarity relation \(\le _\pi \, \subseteq (2^I)^\omega \times (2^I)^\omega \) is a partial order that orders traces by their comparative distance from the given actual trace \(\pi \), i.e., it gives no quantitative but a relative measurement of distance: \(\pi _0 \le _\pi \pi _1\) means \(\pi _0\) is at-least-as close to \(\pi \) as \(\pi _1\). We measure distance over the set of inputs I, i.e., for two traces \(\pi _{0,1} \in (2^ AP )^\omega \) we are only interested in \(\pi _0|_I \le _\pi \pi _1|_I\).

If I is clear from the context, we write \(\pi _0 \le _\pi \pi _1\). We require the actual trace to be closer to itself than any other trace, i.e., \(\pi \le _\pi \pi '\) for all \(\pi ' \in (2^ AP )^\omega \). The ternary relation \(\le \), where \((\pi _0,\pi _1,\pi _2) \in \ \le \) iff \(\pi _1 \le _{\pi _0} \pi _2\), encodes the comparative similarity relations of all possible actual traces \(\pi _0\).

Example 1

To illustrate our formalism for similarity relations, consider the following subset-based similarity relation \(\le ^{\textit{subset}}\) defined via the zipped trace \(\textit{zip}(\pi _0,\pi _1,\pi _2) \in (2^{ AP \times \{t_0,t_1,t_2\}})^\omega \). To ease comprehension, for some \(a \in AP \) we write \(a_\textit{actual}\) for \((a,t_0)\), \(a_\textit{close}\) for \((a,t_1)\), and \(a_\textit{far}\) for \((a,t_2)\) to explicitly identify, e.g., propositions on the actual trace, in a given formula. We then have \(\pi _{\textit{close}} \le ^{\textit{subset}}_{\pi _{\textit{actual}}} \pi _{\textit{far}}\) iff

$$\begin{aligned} \textit{zip}(\pi _{\textit{actual}},\pi _{\textit{close}},\pi _{\textit{far}}) \vDash \bigwedge _{i\in I} \big ((i_\textit{actual} \not \leftrightarrow i_\textit{close}) \rightarrow (i_\textit{actual} \not \leftrightarrow i_\textit{far})\big ) . \end{aligned}$$

For the three traces \(\pi _\textit{actual}, \pi _\textit{close}, \pi _\textit{far}\) this requirement states that the changes between \(\pi _\textit{actual}\) and \(\pi _\textit{close}\) are a subset of the changes between \(\pi _\textit{actual}\) and \(\pi _\textit{far}\), where we define the changes between two traces \(\pi _0,\pi _1\) as \(\textit{changes}(\pi _0,\pi _1) = \{(a,i) \ | \ \pi _0[i] \ne _{\{a\}} \pi _1[i] \}\). For example, let \(\pi = \{x\}(\{\})^\omega , \pi _0 = \{\}(\{\})^\omega , \pi _1 = \{\}\{y\}(\{\})^\omega \) and \(I = \{x,y\}\). Then, \(\pi _0 \le _\pi \pi _1\), since \(\textit{changes}(\pi ,\pi _0) = \{(x,0)\} \subseteq \{(x,0),(y,1)\} = \textit{changes}(\pi ,\pi _1)\). The trace \(\pi _2 = \{x\}(\{y\})^\omega \), however, is incomparable to \(\pi _0\) and \(\pi _1\), as \(\textit{changes}(\pi ,\pi _2) = \{(y,j) \ | \ j \ge 1 \}\) is not in any subset relationship with the respective sets for \(\pi _0, \pi _1\).
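As an added illustration of Example 1 and of the infinite chain from Sect. 3.2 (example code written for this page, not taken from the paper or from the CORP tool), the following Python represents a lasso-shaped trace as a (prefix, loop) pair, computes \(\textit{changes}(\pi _0,\pi _1)\) over the inputs as a finite prefix/loop description, decides \(\le ^{\textit{subset}}\) from it, and cross-checks the zipped-trace formula position-wise on a finite unrolling. All function and variable names are my own.

```python
"""Subset-based comparative similarity on lasso-shaped traces.

A lasso-shaped trace prefix . loop^omega is written as a pair
(prefix, loop) of lists of frozensets of atomic propositions.
Positions are 0-indexed, as in the paper.
"""
from math import lcm


def letter(trace, i):
    """Letter of the lasso trace at absolute position i."""
    prefix, loop = trace
    if i < len(prefix):
        return prefix[i]
    return loop[(i - len(prefix)) % len(loop)]


def common_shape(*traces):
    """Prefix length p and loop length L such that every given trace can be
    unrolled to a lasso of exactly that shape (the infinite word is unchanged)."""
    p = max(len(prefix) for prefix, _ in traces)
    L = 1
    for _, loop in traces:
        L = lcm(L, len(loop))
    return p, L


def changes(actual, other, inputs, p, L):
    """changes(actual, other) restricted to the inputs, as a finite description
    (prefix_changes, loop_changes): (a, i) in prefix_changes is a change at
    position i < p; (a, k) in loop_changes stands for the positions
    p + k + m*L for all m >= 0."""
    prefix_changes = frozenset(
        (a, i) for i in range(p) for a in inputs
        if (a in letter(actual, i)) != (a in letter(other, i)))
    loop_changes = frozenset(
        (a, k) for k in range(L) for a in inputs
        if (a in letter(actual, p + k)) != (a in letter(other, p + k)))
    return prefix_changes, loop_changes


def at_least_as_close(actual, close, far, inputs):
    """close <=^subset_actual far, i.e. changes(actual, close) is a subset of
    changes(actual, far). Both sets use the same shape (p, L), so the infinite
    subset check reduces to two finite ones."""
    p, L = common_shape(actual, close, far)
    cp, cl = changes(actual, close, inputs, p, L)
    fp, fl = changes(actual, far, inputs, p, L)
    return cp <= fp and cl <= fl


def zip_formula_holds(actual, close, far, inputs):
    """Position-wise check of the zipped-trace formula of Example 1:
    (i_actual xor i_close) -> (i_actual xor i_far) for every input i.
    Checking positions 0 .. p+L-1 suffices, since all three traces are
    periodic with period L after position p."""
    p, L = common_shape(actual, close, far)
    for i in range(p + L):
        a, c, f = letter(actual, i), letter(close, i), letter(far, i)
        for prop in inputs:
            changed_close = (prop in a) != (prop in c)
            changed_far = (prop in a) != (prop in f)
            if changed_close and not changed_far:
                return False
    return True


def compare(actual, t1, t2, inputs):
    """Relative position of t1 and t2 in the preorder <=^subset_actual."""
    le = at_least_as_close(actual, t1, t2, inputs)
    ge = at_least_as_close(actual, t2, t1, inputs)
    if le and ge:
        return "equal"
    if le:
        return "closer"      # t1 strictly closer to actual than t2
    if ge:
        return "farther"
    return "incomparable"


def descending_chain(n):
    """The traces {x}^k {}^omega for k = 0..n (the chain from Sect. 3.2)."""
    return [([frozenset({"x"})] * k, [frozenset()]) for k in range(n + 1)]


def chain_strictly_descends(n):
    """For actual trace {x}^omega, each {x}^(k+1) {}^omega is strictly closer
    than {x}^k {}^omega, so no element of the chain is a closest trace."""
    actual = ([], [frozenset({"x"})])
    chain = descending_chain(n)
    return all(compare(actual, chain[k + 1], chain[k], {"x"}) == "closer"
               for k in range(n))


# Constructed data for Example 1 with I = {x, y}.
X, Y, EMPTY = frozenset({"x"}), frozenset({"y"}), frozenset()
PI = ([X], [EMPTY])          # {x} ({})^omega
PI0 = ([EMPTY], [EMPTY])     # {} ({})^omega
PI1 = ([EMPTY, Y], [EMPTY])  # {} {y} ({})^omega
PI2 = ([X], [Y])             # {x} ({y})^omega
INPUTS = {"x", "y"}

if __name__ == "__main__":
    print(compare(PI, PI0, PI1, INPUTS))   # closer
    print(compare(PI, PI2, PI0, INPUTS))   # incomparable
    print(chain_strictly_descends(10))     # True
```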

The similarity relations considered in previous works [11, 19] are all fundamentally based on \(\le ^{\textit{subset}}\) as defined in Example 1, with added conditions to avoid infinite chains of closer traces. This is directly tied to the limit assumption first studied by Lewis in his seminal work on counterfactual modal logic [41]. In our setting, this assumption can be formalized as follows.

Definition 1

(Limit Assumption). A similarity relation \(\le \ \subseteq (2^I)^\omega \times (2^I)^\omega \times (2^I)^\omega \) satisfies the limit assumption, if for all traces \(\pi \in (2^{I\cup O})^\omega \) and all possible causes \(\textsf{C}\subseteq (2^I)^\omega \), we have that \((\overline{\textsf{C}},<_\pi )\) is well-founded, i.e., there is no infinite descending chain \(\pi _0 >_\pi \pi _1 >_\pi \ldots \text { with } \pi _i \in \overline{\textsf{C}}\).

This requirement means that there always exist closest counterfactual traces that do not satisfy the cause no matter which actual trace we pick (except if all traces satisfy the cause). These closest traces would be ideal candidates for causal analysis, but unfortunately, they do not always exist, in particular not for the similarity relation \(\le ^{\textit{subset}}\), as stated in Proposition 1. Note that all proofs can be found in the full version of this paper [22].

Proposition 1

\(\le ^{\textit{subset}}\) does not satisfy the limit assumption.

Since the original definition of Coenen et al. [19] quantifies universally over closest traces, it can be vacuously satisfied if the similarity relation does not satisfy the limit assumption. Previous works have therefore added additional constraints. For instance, Beutner et al. [11] propose \(\le ^{\textit{full}}\), which additionally to the constraints of \(\le ^{\textit{subset}}\) (cf. Example 1) requires the following:


This encodes that whenever \(\pi _\textit{close}\) differs from \(\pi _\textit{actual}\) on some input at infinitely many locations, then \(\pi _\textit{far}\) agrees with \(\pi _\textit{close}\) on this input. Hence, on any chain in \(<^\textit{full}_\pi \), infinite changes on some \(i \in I\) eventually get converted into finite ones, which ensures finiteness of the chain since there are only finitely many atomic propositions. We confirm that this results in \(\le ^{\textit{full}}\) satisfying the limit assumption.

Proposition 2

\(\le ^{\textit{full}}\) satisfies the limit assumption.

While satisfying the limit assumption is, in principle, useful, in the case of \(\le ^\textit{full}\) this comes at a significant cost: Its logical description contains a large conjunction over the inputs, each containing an implication between temporal formulas. Hence, any algorithmic approach to cause synthesis (and checking) that uses \(\le ^\textit{full}\) will scale poorly in the size of I. This motivates us to develop a modified definition of temporal causality that can directly work with the smaller, canonical similarity relation \(\le ^\textit{subset}\), while retaining most of the original semantics of Coenen et al. for similarity relations that satisfy the limit assumption, such as \(\le ^\textit{full}\).

4.2 A General Definition of Temporal Causality

We now develop our generalized definition of temporal causality for similarity relations that do not satisfy the limit assumption.

The idea behind our generalization stems from counterfactual modal logic as formalized by Lewis [41]. Lewis’ semantics a priori only work for total similarity relations, making them unsuitable for our setting. However, they were recently extended to non-total similarity relations by Finkbeiner and Siber [23]. We apply these semantics to our concrete problem to obtain a well-defined notion of causality for similarity relations that do not satisfy the limit assumption. In Sect. 4.3, we show that our definition retains the original semantics proposed by Coenen et al. for similarity relations that satisfy the limit assumption.

Definition 2

(Temporal Causality). Let \(\mathcal {T}\) be a system, \(\pi \in \textit{traces}(\mathcal {T})\) a trace, \(\le _\pi \) a similarity relation, and \(\textsf{E}\subseteq (2^ AP )^\omega \) an effect property. We say that \(\textsf{C}\subseteq (2^{I})^\omega \) is a cause of \(\textsf{E}\) on \(\pi \) in \(\mathcal {T}\) if the following conditions hold.

  • SAT: For all \(\pi _0 \in \textit{traces}(\mathcal {T}) \) such that \(\pi _0 =_I \pi \) we have \(\pi _0|_I \in \textsf{C}\) and \(\pi _0 \in \textsf{E}\).

  • CF: For all \(\pi _0 \in \overline{\textsf{C}}\) there is an at-least-as close trace \(\pi _1 \in \overline{\textsf{C}}\), i.e., with \(\pi _1 \le _\pi \pi _0\), such that there is a \(\pi _2 \in \textit{traces}(\mathcal {T}) \) with \(\pi _1 =_I \pi _2\) and \(\pi _2 \in \overline{\textsf{E}}\).

  • MIN: There is no \(\textsf{C}' \subset \textsf{C}\) such that \(\textsf{C}'\) satisfies SAT and CF.

The main idea of the counterfactual criterion CF is that for every trace \(\pi _0\) that does not satisfy the cause, there exists a closer trace \(\pi _2\) that does not satisfy the cause and the effect. The additional quantification over \(\pi _1\) is a technicality included because the cause \(\textsf{C}\subseteq (2^{I})^\omega \) consists of input sequences while \(\pi _2 \in \textit{traces}(\mathcal {T})\) is a full system trace. It also closely mirrors the structure of Coenen et al.’s PC2 criterion (cf. Definition 3) which it neatly generalizes to similarity relations that do not satisfy the limit assumption: If the assumption holds, then a \(\pi _2\) is, in particular, required for the closest traces \(\pi _0\) in \(\overline{\textsf{C}}\), for which \(\pi _2\) can only be instantiated by themselves. Hence, the closest traces are required to not satisfy the effect (we develop this comparison more formally in Sect. 4.3). If the limit assumption does not hold and there exists an infinite chain of ever-closer traces \(\pi _0 \in \overline{\textsf{C}}\), the condition requires that for all these \(\pi _0\) there is a closer \(\pi _2\) that avoids the effect, even in infinity: No matter how far we descend on this chain, we are always guaranteed that we can descend further towards a closer counterfactual trace that does not satisfy the effect.

Example 2

To illustrate these conditions with a concrete example, consider the system from Fig. 1, the trace \(\pi =\{x,e\}^\omega \), the effect , and the cause , with similarity relation \(\le ^\textit{subset}\). It is easy to see that SAT is satisfied, as the system is deterministic and \(\pi |_I = \{x\}^\omega \in \textsf{C}\) and \(\pi \in \textsf{E}\). There is, as discussed in Sect. 3.2, an infinite chain in and, hence, no closest trace. We require for all a \(\pi _1 \in \overline{\textsf{C}}\) with and a \(\pi _2 =_I \pi _1\) such that \(\pi _2 \in \overline{\textsf{E}}\). In this case, we can pick \(\pi _1\) as \(\pi _0\) and \(\pi _2\) as the corresponding system trace, hence CF is satisfied. To see that MIN is satisfied, consider any strict subset \(\textsf{C}' \subset \textsf{C}\). Hence, there is some \(\pi ' \in \overline{\textsf{C}'}\) such that . Then, all system traces \(\pi _2\) with \(\pi _2 \le _\pi \pi '\) satisfy by the definition of \(\le ^\textit{subset}_\pi \), and in this system this also means . Hence, \(\textsf{C}\) satisfies MIN because no strict subset satisfies CF.

Remark 1

Note that Definition 2 is not restricted to similarity relations that can be expressed via zipped traces and LTL formulas as used in the previous examples, but instead applies to any comparative similarity relation as defined at the start of this section.

4.3 Proving Generalization

This section is dedicated to proving that our generalization (Definition 2) is conservative, i.e., agrees with Coenen et al.’s original definition whenever the underlying similarity relation satisfies the limit assumption and the actual trace is deterministic. First, we recall Coenen et al.’s definition.

Definition 3

(Coenen et al. [19]). Let \(\mathcal {T}\) be a system, \(\pi \in \textit{traces}(\mathcal {T})\) a trace, \(\le _\pi \) a similarity relation, and \(\textsf{E}\subseteq (2^{O})^\omega \) an effect property. \(\textsf{C}\subseteq (2^{I})^\omega \) is a cause of \(\textsf{E}\) on \(\pi \) in \(\mathcal {T}\) if the following three conditions hold.

  • PC1: \(\pi |_I \in \textsf{C}\) and \(\pi \in \textsf{E}\).

  • PC2: For all closest counterfactual traces \(\pi _0 \in \overline{\textsf{C}}\), i.e., traces for which there are no closer traces \(\pi _1 \in \overline{\textsf{C}}\) with \(\pi _1 <_{\pi } \pi _0\), there exists a \(\pi _2 \in \textit{traces}(\mathcal {T})\) such that \(\pi _0 =_I \pi _2\) and \(\pi _2 \in \overline{\textsf{E}}\).

  • PC3: There is no \(\textsf{C}' \subset \textsf{C}\) such that \(\textsf{C}'\) satisfies PC1 and PC2.

Unlike in our updated definition, PC1 only works if the actual trace \(\pi \) is deterministic. If \(\pi \) is nondeterministic, the effect can be avoided with no modifications at all to \(\pi \) (which is minimal), hence the cause should be empty. PC1 does not reflect this and allows building a cause that includes \(\pi |_I\) (and possibly more), wrongfully implying that a modification of the input sequence is required to avoid the effect. PC2 may be vacuously satisfied if the similarity relation does not satisfy the limit assumption, as outlined in Sect. 3.2.

Remark 2

Note that Coenen et al. consider traces \(\pi \in \textit{traces}(\mathcal {C}^\mathcal {T}_\pi )\) of the counterfactual automaton \(\mathcal {C}^\mathcal {T}_\pi \) for PC2. This automaton models contingencies, which allow partially resetting outputs to their values on the actual trace \(\pi \), and changing the system state accordingly. For PC2 in Definition 3, this means that the closest counterfactual traces \(\pi _2\) do not have to avoid the effect by themselves, but only together with some contingency. This mechanism, inspired by Halpern’s modified version of actual causality [29], was extended by Coenen et al. [18, 19] to lasso-shaped traces and finite state machines to sometimes obtain more accurate causes. However, to guarantee meaningful results, the original system has to have unique output labels. Beutner et al.’s implementation [11] therefore allows toggling the usage of contingencies. Similarly, our generalization works both with and without contingencies. For the latter case, one simply supplants \(\mathcal {T}\) with \(\mathcal {C}^\mathcal {T}_\pi \) in both definitions. Our cause synthesis algorithm can also handle contingencies, and our implementation allows toggling them as a feature. Our theoretical contribution is independent of this detail.

We now proceed to show the equivalence between our definition (Definition 2) and Coenen et al.’s definition (Definition 3) in case the limit assumption is fulfilled and the actual trace is deterministic. We start with proving the equivalence of the counterfactual conditions CF and PC2, which holds regardless of nondeterminism on the actual trace.

Lemma 1

Let \(\mathcal {T}\) be a system, \(\pi \in \textit{traces}(\mathcal {T})\) a trace, \(\textsf{C}\subseteq (2^{I})^\omega \) a cause property, and \(\textsf{E}\subseteq (2^{AP})^\omega \) an effect property. Let \(\le \) be a similarity relation that satisfies the limit assumption. Then we have that PC2 is satisfied iff CF is satisfied.

With Lemma 1 at hand, we only need to address the differences between PC1 and SAT. It is easy to see that their equivalence fails when behavior on the actual trace \(\pi \) is nondeterministic, i.e., when there is another trace that is input-equivalent to \(\pi \) but does not satisfy the effect. In such a case, PC1 is satisfied but SAT is not. Hence, our definition is equivalent to Coenen et al.’s definition only in deterministic systems, as we deliberately diverge in the case of nondeterminism on the actual trace. Notably, Lemma 1 holds for both deterministic and nondeterministic systems, and determinism is only relevant on the actual trace. The restriction to output-only effects \(\textsf{E}\subseteq (2^O)^\omega \) is inherited from Coenen et al.’s definition, but technically not necessary.

Theorem 1

Let \(\le \) be a similarity relation that satisfies the limit assumption. Then \(\textsf{C}\subseteq (2^{I})^\omega \) is a cause for \(\textsf{E}\subseteq (2^O)^\omega \) on a trace \(\pi \) that is deterministic in \(\mathcal {T}\) according to our definition (Definition 2) if and only if it is a cause according to Coenen et al.’s definition (Definition 3).

5 Cause Synthesis

In this section, we develop our algorithm for synthesizing causes. In Sect. 5.1 we formalize the characterization of a cause as the complement of the upper closure of the negated effect, which we have discussed intuitively in Sect. 3.1. In Sect. 5.2 we provide an algorithm for cause synthesis in the \(\omega \)-regular setting, when the effect is given as a nondeterministic Büchi automaton and the actual trace is in a lasso shape.

5.1 Proving Our Characterization

For this section, we fix a system \(\mathcal {T}\), an actual trace \(\pi \in traces(\mathcal {T})\), a similarity relation \(\le \), and an effect \(\textsf{E}\). We now show that, if it exists, the cause for \(\textsf{E}\) on \(\pi \) is the complement of the upward closure of \(\overline{\textsf{E}}\) in \(( traces (\mathcal {T}),\le _\pi )\). Formally, we construct a set \(\textsf{D}\) that is a cause for \(\textsf{E}\) on \(\pi \) via its complement:

$$\begin{aligned} \overline{\textsf{D}} &= \{\,\rho \in (2^I)^\omega \, \mid \, \exists \sigma \in \textit{traces}(\mathcal {T}) . \ \sigma \le _\pi \rho \wedge \sigma \in \overline{\textsf{E}} \,\} , \text { hence}\\ \textsf{D} &= \{\,\rho \in (2^I)^\omega \, \mid \, \forall \sigma \in \textit{traces}(\mathcal {T}) . \ \sigma \le _\pi \rho \rightarrow \sigma \in \textsf{E}\,\} . \end{aligned}$$

The set \(\textsf{D}\) directly corresponds to the (unique) cause if there exists one, and is empty if there is none. We establish this in a series of lemmas.

Lemma 2

If the set \(\textsf{D}\) is non-empty, it is a cause for \(\textsf{E}\) on \(\pi \) in \(\mathcal {T}\).

Lemma 2 shows that \(\textsf{D}\) satisfies Definition 2 assuming it is non-empty. The assumption is only required for SAT, as this criterion requires that \(\pi \) and all input-equivalent traces are in the cause. CF follows from the definition of \(\textsf{D}\), and for MIN we can show that any strict subset of \(\textsf{D}\) does not satisfy CF.

Lemma 3

Iff the set \(\textsf{D}\) is empty, there exists no cause that satisfies SAT.

Lemma 3 serves two purposes. First, it helps us argue for the completeness of our construction. Second, it shows that the only reason why there may be no cause is due to a nondeterministic actual trace. To fully argue completeness, we show that causes are unique, and hence \(\textsf{D}\) is the only relevant cause in all cases.

Lemma 4

  Causes are (semantically) unique: There can be no two sets \(\textsf{C}\ne \textsf{C}'\) that are both causes for some effect property \(\textsf{E}\) on a trace \(\pi \) in some system \(\mathcal {T}\).

Remark 3

This does not mean that there can only exist a single causal event, such as “a at position 0” or “b at position 1”, in a given scenario. Instead, Lemma 4 states that the semantics of the symbolic description of the causal behavior in a given scenario is unique. It is precisely the idea of temporal causality to encompass multiple single events in a single symbolic description, e.g., through a conjunction such as .

5.2 Cause-Synthesis Algorithm for \(\omega \)-Regular Effects

In Sect. 5.1, we have established a direct characterization of causes as downward closed sets, independent of any concrete descriptions of cause, effect, and trace. In this section, we develop an automata-based algorithm for synthesizing causes of \(\omega \)-regular effects given, e.g., by a nondeterministic Büchi automaton (NBA), on lasso-shaped traces. We assume that the relation \(\le \ \subseteq (2^I)^\omega \times (2^I)^\omega \times (2^I)^\omega \) is definable by a relational \(\omega \)-regular property \(\textsf{P}_\le \subseteq (2^{I \times \{t_0,t_1,t_2\}})^\omega \), such that \((\pi _0,\pi _1,\pi _2) \in \ \le \) iff the zipped trace \(\textit{zip}(\pi _0,\pi _1,\pi _2)\) satisfies \(\textsf{P}_\le \). Note that this applies to all concrete similarity relations introduced in Sect. 4. We show that under these assumptions, the set \(\textsf{D}\) from Sect. 5.1 can be constructed as an NBA. First, we construct an NBA for \(\overline{\textsf{D}}\) and subsequently complement it. This is necessary because we start out from an NBA representation for the effect, and assume the similarity relation to be given by an NBA as well. Since the NBA’s acceptance condition is existential, we need the additional complementations to express the universal quantification over the closer traces \(\sigma \) appearing in the definition of \(\textsf{D}\).

The main technical difficulty that remains is to ensure that the conditions on the three traces \(\pi _\textit{actual}\), \(\pi _\textit{close}\) and \(\pi _\textit{far}\), as they appear in the alphabet of a similarity relation, are applied consistently, and that the quantification over \(\sigma \) in \(\textsf{D}\), which corresponds to \(\pi _\textit{close}\), is resolved at the correct step, as the automaton should range over the inputs I and not, e.g., over \(I \times \{t_0,t_1,t_2\}\) as used by the similarity relation.

Similarity Relation. Our starting point is the NBA for the similarity relation defined by the \(\omega \)-regular property \(\textsf{P}_\le \): \(\mathcal {A}_{\le }^I = (Q_{\le },2^{I \times \{t_0,t_1,t_2\}}, Q_{\le }^0, F_{\le }, \varDelta _{\le }^I)\). The automaton \(\mathcal {A}_{\le }^I\) only reasons about inputs and uses tuples with the trace variables \(t_0,t_1\) and \(t_2\) to encode whether the input appears on the actual, closer or farther trace, respectively. We lift the automaton to the full set of atomic propositions as the automaton \(\mathcal {A}_{\le } = (Q_{\le },2^{(I \times \{t_0,t_1,t_2\}) \cup (O \times \{t_0,t_1\})}, Q_{\le }^0, F_{\le }, \varDelta _{\le })\). The transition relation is defined as follows, for a letter w: \(q_2 \in \varDelta _{\le }(q_1,w) \text { iff } q_2 \in \varDelta _{\le }^I\big (q_1,w \setminus (O \times \{t_0,t_1\})\big )\). Hence, \(\mathcal {A}_{\le }\) specifies the same relation between the inputs of the three traces as \(\mathcal {A}_{\le }^I\), but allows arbitrary output behavior. Its alphabet does not contain outputs for \(\pi _2\), as these traces eventually form the elements of the cause, which only ranges over the inputs.

Effect. Next, we modify the NBA \(\mathcal {A}_{\textsf{E}}^* = (Q_{\textsf{E}},2^{AP}, q_{\textsf{E}}, F_{\textsf{E}}, \varDelta _{\textsf{E}}^*)\) for the \(\omega \)-regular effect \(\textsf{E}\) such that it refers to the closer trace \(t_1\) and ranges over the same alphabet as \(\mathcal {A}_{\le }\). We obtain \(\mathcal {A}_{\textsf{E}} = (Q_{\textsf{E}},2^{(I \times \{t_0,t_1,t_2\}) \cup (O \times \{t_0,t_1\})}, q_{\textsf{E}}, F_{\textsf{E}}, \varDelta _{\textsf{E}})\) with:

$$\begin{aligned} &q_2 \in \varDelta _{\textsf{E}}\big (q_1,(w \times \{t_1\}) \cup X \cup Y\big ) \text { iff} \\ q_2 \in \varDelta _{\textsf{E}}^*&(q_1,w) \wedge X \subseteq (AP \times \{t_0\}) \wedge Y \subseteq (I \times \{t_2\}). \end{aligned}$$

Hence, \(\mathcal {A}_{\textsf{E}}\) restricts \(\pi _1\) to be in \(\textsf{E}\) by restricting it to the transition relation of \(\mathcal {A}_{\textsf{E}}^*\), while allowing an arbitrary trace \(\pi _0\) and arbitrary input sequence in \(\pi _2\).

Intersection. For the conjunction that defines the set \(\overline{\textsf{D}}\), we intersect \(\mathcal {A}_{\le }\) with the complement of \(\mathcal {A}_{\textsf{E}}\) to obtain \(\mathcal {A}_{\cap } = (Q_{\cap },2^{(I \times \{t_0,t_1,t_2\}) \cup (O \times \{t_0,t_1\})}, Q_{\cap }^0, F_{\cap }, \varDelta _{\cap })\) such that: \(\mathcal {A}_{\cap } = \mathcal {A}_{\le } \cap \overline{\mathcal {A}_{\textsf{E}}}\).

System Product. As the next step, we construct the product of the automaton \(\mathcal {A}_{\cap }\) with the system \(\mathcal {T} = (S,s_0,AP,\delta ,l)\), ensuring that the atomic propositions paired with \(t_1\) are picked from a valid system trace. When building the product, we project away explicit atomic propositions paired with \(t_1\), as the traces of the desired set \(\textsf{D}\) are only the traces paired with \(t_2\). The resulting automaton is \(\mathcal {A}_{\times } = (S \times Q_{\cap }, 2^{(I \times \{t_0,t_2\}) \cup (O \times \{t_0\})}, \{s_0\} \times Q_{\cap }^0, S \times F_{\cap }, \varDelta _\times )\), where

$$\begin{aligned} \varDelta _\times \big ((s_i,q_i),w\big ) = \big \{(s_{i+1},q_{i+1})\mid \ {} &\exists A \subseteq I . \ s_{i+1} \in \delta (s_i,A)\\ &\wedge q_{i+1} \in \varDelta _{\cap }\big (q_i,\, w \cup ((l(s_{i+1}) \cup A) \times \{t_1\})\big )\big \} . \end{aligned}$$

Cause Automaton. To obtain the final result, we first complement the automaton from the previous step to obtain \(\overline{\mathcal {A}_{\times }} = (Q_{\times },2^{(I \times \{t_0,t_2\}) \cup (O \times \{t_0\})}, Q_{\times }^0, F_{\times }, \varDelta _\times )\), and then build the product with the trace. In the same step we project away atomic propositions paired with \(t_0\), and remove the trace variable \(t_2\) to obtain the alphabet \(2^I\) for the cause. For the lasso-shaped trace \(\pi = \pi _0 \ldots \pi _{j-1} \cdot (\pi _{j} \ldots \pi _k)^\omega \) we define the set of positions as \(\varPi = \{\pi _0,\ldots ,\pi _k\}\) and a successor function \(\textit{succ}: \varPi \to \varPi \) as \(\textit{succ}(\pi _r) = \pi _{r+1}\) for \(r < k\), and \(\textit{succ}(\pi _k) = \pi _{j}\). The cause automaton is then \(\mathcal {A}_{\textsf{D}} = (\varPi \times Q_{\times },2^I, \{\pi _0\} \times Q_{\times }^0, \varPi \times F_{\times }, \varDelta _\textsf{D})\), where

$$\begin{aligned} \varDelta _\textsf{D} \big ((\pi _i,q_i),w\big ) = \big \{(\textit{succ}(\pi _i),q_{i+1})\mid \ q_{i+1} \in \varDelta _{\times }\big (q_i,(\pi _i \times \{t_0\}) \cup (w \times \{t_2\})\big )\big \} . \end{aligned}$$

From the lemmas established in Sect. 5.1, we conclude that there is a cause iff \(\mathcal {A}_{\textsf{D}}\) is non-empty, and then the cause is uniquely determined by its language.

Corollary 1

The language of \(\mathcal {A}_\textsf{D}\) is empty iff there is no cause \(\textsf{C}\) for \(\textsf{E}\) on \(\pi \) in \(\mathcal {T}\), and if \(\mathcal {L}(\mathcal {A}_\textsf{D})\) is non-empty, then it is the unique cause for \(\textsf{E}\) on \(\pi \) in \(\mathcal {T}\).

We can also state an upper bound on the size of \(\mathcal {A}_{\textsf{D}}\), which is dominated by the potentially exponential growth from NBA complementation [47].

Proposition 3

If the effect \(\textsf{E}\) and the similarity relation \(\le \) are given as NBAs \(\mathcal {A}_\textsf{E}\) and \(\mathcal {A}_{\le }\), respectively, then the size of \(\mathcal {A}_\textsf{D}\) is in \(|\pi | \cdot 2^{(2^{\mathcal {O}(|\mathcal {A}_{\textsf{E}}|)} \cdot |\mathcal {A}_{\le }| \cdot |\mathcal {T}|)}\).

Note that the doubly-exponential upper bound in the description of \(\textsf{E}\) persists independent of whether it is given as an NBA or LTL formula. In the latter case, we simply translate the negated formula, which again leads to an exponential blow-up. In theory, the description does make a difference for \(\le \): If it is represented as a formula, we first need to translate it with a potentially exponential increase in size, hence it would move up one exponent in the bound. In practice, the canonical similarity relation \(\le ^\textit{subset}\) can always be represented by a 1-state NBA, such that its contribution to the bound is less relevant.

While the stated upper bound may seem daunting, it mirrors the (tight) bounds of related problems, such as LTL synthesis [45]. In the following section, we show that, not only can our approach solve many cause-synthesis problems in practice, it also significantly improves upon previous methods for cause checking.

6 Implementation and Evaluation

In this section, we evaluate a prototype tool implementing our cause-synthesis approach, called CORP - Causes for Omega-Regular Properties.Footnote 4 Our prototype is written in Python and uses Spot [21] for automata operations and manipulation. The prototype allows for both cause synthesis and cause checking, where in the latter case the correct cause is first synthesized and then checked for equivalence against the cause candidate. This allows for a direct comparison with the cause checking tool CATS [11] in Sect. 6.2. Before that, we report on our experiments on cause synthesis, where we compare our method with the incomplete, sketch-based approach of CATS. All experiments were carried out on a machine equipped with a 2.8 GHz Intel Xeon processor and 64 GB of memory, running Ubuntu 22.04.

6.1 Cause Synthesis

We conducted three different experiments that highlight how the similarity relations, effect size and system size contribute to the performance of our algorithm.

Table 1. Cause synthesis for arbiters. \(|\mathcal {T}|\) is the number of system states. In all instances, \(\pi \) is the (unique) trace where all n clients send a request at every position, which has length \(|\pi | = n\). \(\varphi _\textsf{E}\) is the effect. We report the time taken to synthesize the causal NBA with the metrics \(\le ^\textit{full}\) and \(\le ^\textit{subset}\) in seconds and the respective NBA sizes \(|\mathcal {A}_\textsf{C}^\textit{full}|\) and \(|\mathcal {A}_\textsf{C}^\textit{subset}|\), and provide an LTL description \(\varphi _\textsf{C}\) of the NBA language (guessed manually). TO denotes the timeout of 60 seconds.

Arbiters. We computed causes on traces of resource arbiters to compare the performance of our algorithm under different similarity relations, whose logical description scales in the number of system inputs. An arbiter instance is parameterized by a number of clients n, each with its own input. This lets us easily scale the size of the similarity relation’s description. For some number n of clients (indexed by k) that request access to a shared resource with a request \(r_k\), an arbiter grants mutually exclusive access to the resource with a grant \(g_k\). We considered different arbiter strategies, and for each we synthesize causes as NBAs \(\mathcal {A}_\textsf{C}^\textit{full}\) and \(\mathcal {A}_\textsf{C}^\textit{subset}\) with the similarity relations \(\le ^\textit{full}\) and \(\le ^\textit{subset}\), respectively. The results of these instances are depicted in Table 1. Spurious arbiters simply give out grants to all clients in a round-robin manner, regardless of previous requests. Unfair arbiters prioritize one client with request \(r_\textit{prio}\) over the others, while full arbiters are fully functional arbiters that only give out grants that were requested beforehand. In all instances, we computed causes on the (unique) trace \(\pi \) where all clients send requests continuously, i.e., \(\pi |_I = \{r_0,\ldots ,r_n\}^\omega \). Consequently, on this trace both the spurious and the full arbiter send grants to all clients, while the unfair arbiter only gives grants to the prioritized client. These varying strategies are reflected in the synthesized cause-effect pairs. In the spurious arbiters, the language of the synthesized cause NBA for the effect is \( true \), which reflects that the effect appears on all system traces. In the unfair arbiters, the cause for no grant being given to client 0 is that the prioritized client sends requests permanently, i.e., the causal NBA has the language \(r_\textit{prio}\). In the full arbiters, is caused, as expected, by and is caused by . From a performance standpoint, the arbiter instances show us that accommodating the canonical similarity relation \(\le ^\textit{subset}\), as we did through our generalization of temporal causality in Sect. 4, leads to significant improvements in practice: In all instances, synthesizing causes with \(\le ^\textit{subset}\) was faster than with \(\le ^\textit{full}\), and the resulting causal NBAs were smaller as well. This is mostly because of the number of inputs involved: The other parameters stay comparably small when going from the spurious 1-arbiter to the spurious 4-arbiter, but the latter times out when using \(\le ^\textit{full}\). When the systems get larger and the effects more complex, e.g., in the instance of the full 4-arbiter with the effect , the automata produced can become bigger even with \(\le ^\textit{subset}\). However, the language of the produced automata has a small representation, i.e., , such that we see potential for improvement through automata minimization techniques.
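To make the characterization of Sect. 5.1 concrete on the unfair arbiter just described, the following added example (written for this page; it is neither the paper's nor CORP's code) computes the set \(\textsf{D}\) as the complement of the upward closure of the negated effect and then checks SAT, CF and MIN by brute force. It assumes a truncation of all traces to three steps, a stateless unfair arbiter with two clients where the input `r1` plays the role of \(r_\textit{prio}\), the truncated effect "no grant for client 0", and a reading of \(\le ^\textit{subset}\) in which \(\sigma \le _\pi \rho \) holds iff the set of (position, input) deviations of \(\sigma \) from \(\pi \) is contained in that of \(\rho \). The CF check follows the informal reading given for Definition 2 above and uses determinism of the arbiter, so that the system trace for an input word is unique.

```python
"""Finite-horizon illustration of the Sect. 5.1 characterisation of a cause
D as the complement of the upward closure of the negated effect, on the
unfair 2-client arbiter. Example code added by the editor, not the paper's
or CORP's. Assumptions: traces are truncated to HORIZON steps, <=^subset
compares sets of (position, input) deviations from the actual trace, and the
arbiter is deterministic and stateless."""
from itertools import combinations, product

INPUTS = ("r0", "r1")   # r1 plays the role of r_prio in the paper
HORIZON = 3             # assumed finite truncation of the omega-words

# Input alphabet 2^I as frozensets, so that input words are hashable tuples.
LETTERS = [frozenset(a for a, on in zip(INPUTS, bits) if on)
           for bits in product((0, 1), repeat=len(INPUTS))]
WORDS = [tuple(w) for w in product(LETTERS, repeat=HORIZON)]
ACTUAL = tuple(frozenset(INPUTS) for _ in range(HORIZON))  # all clients always request


def unfair_arbiter(word):
    """Unfair arbiter: client 1 is prioritised; client 0 only receives g0 when
    client 1 does not request. Deterministic, so one output word per input word."""
    outs = []
    for letter in word:
        if "r1" in letter:
            outs.append(frozenset({"g1"}))
        elif "r0" in letter:
            outs.append(frozenset({"g0"}))
        else:
            outs.append(frozenset())
    return tuple(outs)


def no_grant_for_client0(outputs):
    """Effect E: the truncated 'globally not g0'."""
    return all("g0" not in o for o in outputs)


def deviations(word, actual=ACTUAL):
    """Set of (position, input) pairs at which `word` differs from `actual`."""
    return frozenset((i, a) for i, (w, p) in enumerate(zip(word, actual)) for a in w ^ p)


DEV = {w: deviations(w) for w in WORDS}                            # constructed once
IN_E = {w: no_grant_for_client0(unfair_arbiter(w)) for w in WORDS}  # w's system trace in E?


def closer_or_equal(sigma, rho):
    """sigma <=_pi rho under the assumed subset similarity relation."""
    return DEV[sigma] <= DEV[rho]


def synthesize_cause():
    """D = complement of the upward closure of the negated effect (Sect. 5.1)."""
    not_effect = [s for s in WORDS if not IN_E[s]]
    upward_closure = {rho for rho in WORDS
                      if any(closer_or_equal(s, rho) for s in not_effect)}
    return frozenset(w for w in WORDS if w not in upward_closure)


def satisfies_sat(cause):
    # Deterministic arbiter: ACTUAL is its only input-equivalent trace.
    return ACTUAL in cause and IN_E[ACTUAL]


def satisfies_cf(cause):
    """Assumed reading of CF: every rho outside the cause has some sigma outside
    the cause that is at least as close to pi and whose system trace avoids E."""
    outside = [w for w in WORDS if w not in cause]
    return all(any(closer_or_equal(s, rho) and not IN_E[s] for s in outside)
               for rho in outside)


def satisfies_min(cause):
    """MIN: no strict subset of the cause satisfies both SAT and CF."""
    members = sorted(cause, key=repr)
    for size in range(len(members)):
        for subset in combinations(members, size):
            sub = frozenset(subset)
            if satisfies_sat(sub) and satisfies_cf(sub):
                return False
    return True


def is_cause(cause):
    return satisfies_sat(cause) and satisfies_cf(cause) and satisfies_min(cause)


def globally_r1(word):
    """Truncated LTL description 'G r_prio' of the expected cause language."""
    return all("r1" in letter for letter in word)


if __name__ == "__main__":
    D = synthesize_cause()
    print(len(D), "input words in D; D equals 'G r1':",
          D == frozenset(filter(globally_r1, WORDS)))
    print("D satisfies SAT, CF and MIN:", is_cause(D))
```

Running the block reports 8 words in \(\textsf{D}\), exactly the words with `r1` at every position, which is the truncated counterpart of the language \(r_\textit{prio}\) reported for the unfair arbiters in Table 1, and confirms that \(\textsf{D}\) passes all three conditions while, e.g., the singleton containing only the actual input word fails CF.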

Fig. 3. Computing causes for neural synthesis mispredictions with CORP. The size of a point represents the length of the counterexample (between 2 and 16).

Neural Synthesis. For more diverse effects, we considered mispredicted circuits from a neural synthesis model [48]. Given some specification (in this case, generated by Spot’s randltl), the neural model predicts an implementation as an AIGER [12] circuit, which is in the end model-checked against the specification. Since neural synthesis is not sound, this check fails occasionally and returns a counterexample, which may be used for further repair [20]. We used our tool CORP to compute the cause for the violation of the specification on such a counterexample. In Fig. 3 we report the time for computing causes with respect to the size of the syntax tree of the effect formula and the system size. The timeout was set to 100 s. The size of the points in the scatter plot corresponds to the length of the counterexample and the color to the system size. From the plot we can deduce that a large effect does not per se mean a long runtime of our tool. However, a combination of large effects, bigger systems, and longer counterexamples usually means that the tool takes longer. The sizes of the synthesized causes are diverse and range from 2 to 60 states.

Fig. 4. A system predicted wrongly by a neural synthesis model (Fig. 4a) for the specification \(\lnot \varphi _\textsf{E}\), i.e., the negation of the effect. The effect is shown together with the actual trace \(\pi \), i.e., a counterexample obtained from model checking, and the computed cause automaton \(\mathcal {A}_\textsf{C}^\textit{subset}\) in Fig. 4b.

Example 3

We discuss an illustrative example of cause synthesis with a small benchmark from the neural synthesis dataset. All relevant inputs and outputs of our cause synthesis algorithm are depicted in Fig. 4. First, we have the system (cf. Fig. 4a), which is a wrongly predicted circuit of the neural synthesis model. This model tried to come up with a solution for the specification , i.e., \(o_4\) appears infinitely often if and only if input \(i_2\) is enabled until input \(i_0\) is enabled. The predicted system does not satisfy this specification, because there are cases where holds without the inputs meeting the required condition. Hence, model checking the specification returns a counterexample \(\pi \) that violates the formula, which means the negated specification can be seen as an effect \(\varphi _\textsf{E}\) that is present on the counterexample \(\pi \) (cf. Fig. 4b). Our algorithm then computes the cause for this effect, i.e., for the violation of the specification, on the counterexample \(\pi \), as a nondeterministic Büchi automaton. The computed automaton \(\mathcal {A}_\textsf{C}^\textit{subset}\) is depicted at the bottom of Fig. 4b. It is language-equivalent to the LTL formula , which states that the effect is caused by a conjunction of four inputs spread out over the first three steps. Indeed, it is easy to see that modifying any of these four inputs results in a trace that satisfies the specification: For instance, setting \(i_0\) at the first position results in a trace that immediately enters the state labeled with \(o_4\) and loops there forever, such that the left part of the equivalence is satisfied, while removing \(i_0\) from the third position results in looping in the initial state, such that the right part of the equivalence is no longer satisfied.

Comparison with Cause Sketching. CATS, the tool of Beutner et al. [11], enumerates non-temporal formulas in the holes of a provided cause sketch until a cause is found. If the effect contains as the only temporal operator and a cause exists, there is a sketch that is guaranteed to encompass the cause. This provides us with a baseline against which we can compare our cause-synthesis algorithm. We constructed random benchmarks that fall into CATS’ complete fragment using Spot’s randaut function to generate systems with 10 up to 1000 states, obtaining traces of length 2 and then inserting a new atomic proposition e at the last position of the trace and in the system. The effect is then defined as the occurrence of e at exactly this position. We chose such small traces and effects because CATS already timed out on slightly larger instances. We conducted additional experiments using just our tool CORP with traces (and effects) of size 10. Figure 5a shows the time taken by CATS and CORP to synthesize causes. The influence of the system size on the runtime of CORP in this setting is negligible, which we believe is due to the efficient automata operations performed by Spot. The hyperproperty encoding of CATS does not seem as amenable to similar optimizations.

Fig. 5. Direct comparisons between our tool CORP and the tool CATS [11]. Figure 5a shows the time CATS needs to synthesize a cause in its complete fragment with trace and effect of size 2, and the time taken by CORP for sizes 2 and 10. Figure 5b shows the time taken to check single causal relationships. These problems are taken from Beutner et al. [11] (where “Instances” are “Examples”).

6.2 Cause Checking

It is straightforward to use our cause synthesis algorithm to also check causes, through an equivalence check between the synthesized causal NBA and the candidate formula (or automaton). This allows a direct performance comparison with the cause checking tool CATS of Beutner et al. [11], which we conducted on the publicly available benchmarks of their paper. In these cause-checking benchmarks, a cause candidate is given in addition to the system, actual trace and effect. The time CATS and our tool CORP took in each instance to check whether the given candidate is a cause is depicted in Fig. 5b. Somewhat surprisingly, our cause checker based on cause synthesis performs significantly better on all benchmarks. This shows that our characterization of causes as complements of the upward closure of the negated effect (cf. Sect. 5.1) is more efficient than encoding the cause-checking instances into a hyperlogic, as done by CATS.

7 Related Work

The study of causality and its applications in formal methods has gained great interest in recent years [3]. In a finite setting, Ibrahim et al. use SAT solvers and linear programming to check [35] and infer [34] actual causes. Our definition of actual causality for reactive systems extends the definition of Coenen et al. [19] to cases in which the limit assumption does not hold. While Coenen et al. study the theory of actual causality [29] in reactive systems, they do not provide a way to generate causes and explanations. In terms of cause synthesis, the most related work is by Beutner et al. [11], which checks causality and generates causes based on sketching. Unlike ours, their tool is only applicable to the small fragment of LTL containing only operators, while we are able to generate temporal causes for all \(\omega \)-regular specifications.

In a series of works, Leue et al. study symbolic description of counterfactual causes in Event Order Logic [14, 38, 39]. However, this logic can only reason about the ordering of events, and not their absolute timing, as we can do with \(\omega \)-regular properties (e.g., specifying that the input at the second position is the cause).

Gössler and Métayer [24] define causality for component-based systems, and Gössler and Stefani [25] study causality based on counterfactual builders. Their formalisms differ from ours, which is based on Coenen et al. [19], and none of the works considers cause synthesis.

Most other works related to cause synthesis concern generating explanations for effects observed on finite traces [5, 26, 27, 49], or effects restricted to safety properties [43]. In the context of cause synthesis over infinite traces for effects given as temporal specifications, existing works are limited to causes given as sets of events (i.e., atomic propositions and time points) [7, 18, 32] or take a state-centric view to, e.g., measure the responsibility of a state for an observed effect property [1, 4, 42].

8 Conclusion

This paper presents the first complete algorithm to compute temporal causes for arbitrary \(\omega \)-regular properties. It is based on a new, generalized version of temporal causality that solves a central dilemma of previous definitions by loosening the assumptions on similarity relations. From a philosophical perspective, this is an immense step forward since it is the first definition that accommodates the canonical similarity relation used in previous literature. Our experimental results show that our generalization also leads to significant improvements from a practical perspective. These mainly stem from characterizing causes based on set-closure properties, which may be an interesting approach for counterfactual causality in other formalisms. Besides, our work opens up exciting research directions on generating explanations from temporal causes, i.e., as formulas or annotations in highlighted counterexamples.