
1 Introduction

Model-Based Development of Hybrid Systems. The demand for quality assurance of cyber-physical systems (CPS) is ever-rising, now that computer-controlled artifacts—cars, aircraft, and so on—serve diverse safety-critical tasks everywhere in our daily lives. In the industry practice of CPS design, deployment of model-based development (MBD) has become the norm. In MBD, (physical and costly) testing workbenches are replaced by (virtual and cheap) mathematical models; this greatly reduces the cost of running a development cycle—design, implementation, evaluation, and redesign.

One of the distinctive features of CPS is that they are hybrid systems and combine discrete and continuous dynamics. For MBD of such systems the software Simulink has emerged as an industry standard. In Simulink a designer models a system using block diagrams—a formalism strongly influenced by control theory—and runs simulation, that is, numerical solution of the system’s dynamics.

Falsification. The models of most real-world hybrid systems are believed to be beyond the reach of formal verification. While this is certainly the case with systems as big as a whole car, even a single component of it (like an automatic transmission or an engine controller) overwhelms the scalability of state-of-the-art formal verification techniques.

What is worse, hybrid system models tend to have black-box components. An example is fuel combustion in an engine. Such chemical reactions are not easy to model with ODEs, and are therefore commonly represented in a Simulink model by a look-up table—a big table of values obtained by physical measurements [18, 19]. The lack of structure in a look-up table poses a challenge to formal verification: each entry of the table calls for separate treatment; and this easily leads to state-space explosion.

Under such circumstances, falsification by stochastic optimization has proved to be a viable approach to quality assurance [7, 18, 19]. The problem is formulated as follows:

[Figure a: the falsification problem. Given a model \(\mathcal {M}\) and a specification \(\varphi \), find an input signal \(\sigma _{{\mathrm {in}}}\) such that the output \(\mathcal {M}(\sigma _{{\mathrm {in}}})\) does not satisfy \(\varphi \).]

Unlike testing or monitoring—where input \(\sigma _{{\mathrm {in}}}\) is given and we check if \(\mathcal {M}(\sigma _{{\mathrm {in}}})\models \varphi \)—a falsification solver employs stochastic optimization techniques (like the Monte-Carlo ones) and iteratively searches for a falsifying input signal \(\sigma _{{\mathrm {in}}}\).

Falsification is a versatile tool in MBD of hybrid systems. It is capable of searching for counterexamples, hence revealing potential faults in the design. One can also take, as a specification \(\varphi \), the negation \(\lnot \psi \) of a desirable property \(\psi \); then successful falsification amounts to synthesis of an input signal that satisfies \(\psi \). Stochastic optimization used in falsification typically does not rely on the internal structure of models, therefore the methodology is suited for models with black-box components. Falsification is fairly scalable, making it a realistic option in the industrial MBD scenarios; see e.g. [18, 19].

The current work aims at enhancing falsification solvers, notable among which are S-TaLiRo [7] and BREACH [11]. An obvious way to do so is via improvement of stochastic optimization; see e.g. [24, 26]. Here we take a different, logical approach.

Robustness in Metric Temporal Logics. Let us turn to the formalism in which a specification \(\varphi \) is expressed. Metric interval temporal logic (MITL) [6], and its adaptation signal temporal logic (STL) [23], are standard temporal logics for (continuous-time) signals. However their conventional semantics—where satisfaction is Boolean—is not suited for falsification by stochastic optimization. This is because a formula \(\varphi \), no matter whether it is robustly satisfied or barely satisfied, yields the same truth value (“true”), which makes it not amenable to hill-climbing-style optimization.

It is the introduction of robust semantics of MITL [16] that set off the idea of falsification by optimization. In robust semantics, a signal \(\sigma \) and a formula \(\varphi \) are assigned a continuous truth value \({ [\![\sigma ,\, \varphi ]\!]}\in {\mathbb {R}}\) that designates how robustly the formula is satisfied. Such “robustness values” constitute a sound basis for stochastic optimization.

[Figure b: two velocity signals, green and red, plotted against the specification \(\Diamond _{[0, 10]}(v \ge 80)\); the green signal has the larger margin in both value and time.]

The original robust semantics in [16] is concerned with space robustness: for example, the truth values of \(\Diamond _{[0, 10]}(v \ge 80)\) (“the velocity reaches 80 km/h within 10 sec.”) are 20 and 0, for the green and red signals on the right. Therefore space robustness is a “vertical margin” between a signal and a specification. An efficient algorithm is proposed in [12] for computing this notion of robustness.

The notion of robustness is extended in [13] to take time robustness also into account. Consider the same specification \(\Diamond _{[0, 10]}(v \ge 80)\) against the green and red signals on the right. The green one is more robust since it reaches 80 km/h much earlier than the deadline (10 s), while the red one barely makes the deadline.

The current work continues this line of work, with the slogan that expressivity of temporal logic should help falsification. With more expressivity, a designer’s concerns that were previously ignored (much like time robustness was ignored in [16]) come to be reflected in the continuous truth value. The latter will in turn help stochastic optimization by giving additional “hints.” We however are in a trade-off situation: the more expressive a logic is, the more expensive computation of truth values is in general.

Contributions. We aim at: a good balance in the last trade-off between expressivity and computational cost; and thereby enhancing falsification solvers by giving more “hints” to stochastic optimization procedures. Our technical contributions are threefold.

The Logic \(\mathbf{AvSTL }\) . We introduce averaged STL (\(\mathbf{AvSTL }\)); it is an extension of \(\mathbf{STL }\) [23] by so-called averaged temporal operators like \(\mathbin {\overline{{\mathcal {U}}}_{I}}\) and \(\overline{\Diamond }_{I}\). The (continuous) truth values of the new operators are defined by the average of truth values in a suitable interval. We show that this simple extension of \(\mathbf{STL }\) successfully combines space and time robustness in [13, 16]; and that its expressivity covers many common specifications (expeditiousness, persistence, deadline, etc.) encountered in the context of CPS.

An Algorithm for Computing \(\mathbf{AvSTL }\) Robustness. It is natural to expect that nonlocal temporal operators—like \(\mathbin {{\mathcal {U}}_{I}}\), \(\Diamond _{I}\) and their averaged variants—incur a big performance penalty in computing truth values. For \(\mathbf{STL }\) (without averaged modalities) an efficient algorithm is proposed in [12]; it employs the idea of the sliding window minimum algorithm [22] and achieves complexity that is linear with respect to the size of an input signal (measured by the number of timestamps).

We show that, under mild and realistic assumptions, the same idea as in [12] can be successfully employed to compute \(\mathbf{AvSTL }\) truth values with linear complexity.

Enhancing S-TaLiRo: Implementation and Experiments. We use S-TaLiRo and demonstrate that our logic \(\mathbf{AvSTL }\) indeed achieves a reasonable balance between expressivity and computational cost. We present our prototype implementation: it takes S-TaLiRo and lets the above algorithm (called the \(\mathbf{AvSTL }\) evaluator) replace TaLiRo, S-TaLiRo’s original engine for computing \(\mathbf{STL }\) truth values (see Fig. 7 in Sect. 4).

For its evaluation, we pick some benchmark models \(\mathcal {M}\) and \(\mathbf{STL }\) specifications \(\varphi \)—they are mostly automotive examples from [18]—and compare performance between:

  • our prototype, run for \(\mathcal {M}\) and the original \(\mathbf{STL }\) specification \(\varphi \), and

  • our prototype, run for \(\mathcal {M}\) and a refinement of \(\varphi \) given as an \(\mathbf{AvSTL }\) formula.

For benchmarks of a certain class we observe substantial performance improvement: sometimes the latter is several times faster; and in some benchmarks we even see the latter succeed in falsification while the former fails to do so.

Related Work. Besides the work discussed above and below, a closely related work is [2] (its abstract appeared in [3]). There a notion of conformance between two models \(\mathcal {M}_{1}\), \(\mathcal {M}_{2}\) is defined; it is much like (an arity-2 variation of) a combination of space and time robustness. Its use in falsification and a comparison with the current approach are future work.

Organization of the Paper. In Sect. 2 we introduce the logic \(\mathbf{AvSTL }\): its syntax, semantics, some basic properties and examples of temporal specifications expressible in it. In Sect. 3, building on [12], an algorithm for computing \(\mathbf{AvSTL }\) truth values is introduced and its complexity is studied. The algorithm is implemented and used to enhance a falsification solver S-TaLiRo, in Sect. 4, where experiment results are presented and discussed.

We used colors in some figures for clarity. Consult the electronic edition in case the colors are unavailable. Most of the proofs are deferred to an appendix in the extended version [4], where the other appendices are found, too.

2 Averaged Signal Temporal Logic \(\mathbf{AvSTL }\)

We introduce averaged STL (\(\mathbf{AvSTL }\)). It is essentially an extension of MITL [6] and STL [23] with so-called averaged temporal operators. We describe its syntax and its semantics (that is inspired by robust semantics in [13, 16]). We also exemplify the expressivity of the logic, by encoding common temporal specifications like expeditiousness, persistence and deadline. Finally we will discuss the relationship to the previous robustness notions [13, 16] for \(\mathrm{STL}\).

2.1 Syntax

We let \(\equiv \) stand for the syntactic equality. We let \({\mathbb {R}}\) denote the set of real numbers, with \({\mathbb {R}}_{\ge 0}\) and \({\mathbb {R}}_{\le 0}\) denoting its obvious subsets. We also fix the set \(\mathbf {Var}\) of variables, each of which stands for a physical quantity (velocity, temperature, etc.).

Definition 2.1

(Syntax). In \(\mathbf{AvSTL }\), the set \(\mathbf {AP}\) of atomic propositions and the set \({\mathbf {Fml}}\) of formulas are defined as follows.

$$\begin{aligned} \small \begin{array}{rrl} \mathbf {AP}\ni &{} l \,::=\, &{} x < r \mid x \le r \mid x \ge r \mid x > r \quad \text { where } x \in \mathbf {Var}, r \in {\mathbb {R}}\\ {\mathbf {Fml}}\ni &{}\varphi \,::=\, &{} \top \mid \bot \mid l \mid \lnot \varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \varphi \mathbin {{\mathcal {U}}_{I}} \varphi \mid \varphi \mathbin {\overline{{\mathcal {U}}}_{I}} \varphi \mid \varphi \mathbin {{\mathcal {R}}_{I}} \varphi \mid \varphi \mathbin {\overline{{\mathcal {R}}}_{I}} \varphi \end{array} \end{aligned}$$

Here I is a closed non-singular interval in \({\mathbb {R}}_{\ge 0}\), i.e. \(I=[a,b]\) or \([a, \infty )\) where \(a<b\). The overlined operator \(\mathbin {\overline{{\mathcal {U}}}_{I}}\) is called the averaged-until operator.

We introduce the following connectives as abbreviations, as usual: \(\varphi _1 \rightarrow \varphi _2 \equiv (\lnot \varphi _1) \vee \varphi _2\), \(\Diamond _{I} \varphi \equiv \top \mathbin {{\mathcal {U}}_{I}} \varphi \), \(\square _{I} \varphi \equiv \bot \mathbin {{\mathcal {R}}_{I}} \varphi \), \(\overline{\Diamond }_{I} \varphi \equiv \top \mathbin {\overline{{\mathcal {U}}}_{I}} \varphi \) and \(\overline{\square }_{I} \varphi \equiv \bot \mathbin {\overline{{\mathcal {R}}}_{I}} \varphi \). We omit subscripts I for temporal operators if \(I = [0, \infty )\). The operators \(\mathbin {\overline{{\mathcal {R}}}_{I}}\), \(\overline{\Diamond }_{I}\) and \(\overline{\square }_{I}\) are called the averaged-release, averaged-eventually and averaged-henceforth operators, respectively. We say a formula \(\varphi \) is averaging-free if it does not contain any averaged temporal operators.

Table 1. Definition of positive and negative robustness

2.2 Robust Semantics

\(\mathbf{AvSTL }\) formulas, much like \(\mathbf{STL }\) formulas in [13, 16], are interpreted over (real-valued, continuous-time) signals. The latter stand for trajectories of hybrid systems.

Definition 2.2

(Signal). A signal over \(\mathbf {Var}\) is a function \(\sigma :{\mathbb {R}}_{\ge 0}\rightarrow ({\mathbb {R}}^{\mathbf {Var}})\); it is therefore a bunch of physical quantities indexed by a continuous notion of time.

For a signal \(\sigma \) and \(t\in {\mathbb {R}}_{\ge 0}\), \(\sigma ^t\) denotes the t -shift of \(\sigma \), that is, \(\sigma ^t(t') \triangleq \sigma (t+t')\).

The interpretation of a formula \(\varphi \) over a signal \(\sigma \) is given by two different “truth values,” namely positive and negative robustness. They are denoted by \({ [\![\sigma ,\, \varphi ]\!]}^{+}\) and \({ [\![\sigma ,\, \varphi ]\!]}^{-}\), respectively.

[Figure d: a sine-like signal \(\sigma \) (black) together with the positive (blue) and negative (red) robustness of \(x\ge 0\) over the shifted signal \(\sigma ^{t}\), plotted against t.]

We will always have \({ [\![\sigma ,\, \varphi ]\!]}^{+} \ge 0\) and \({ [\![\sigma ,\, \varphi ]\!]}^{-} \le 0\). We will also see that, for averaging-free \(\varphi \), it is never the case that \({ [\![\sigma ,\, \varphi ]\!]}^{+} > 0\) and \({ [\![\sigma ,\, \varphi ]\!]}^{-} <0\) hold at the same time. See the figure on the right for an example, where a sine-like (black) curve is a signal \(\sigma \). The blue and red curves stand for the positive and negative robustness of the formula \(x\ge 0\) over the (t-shifted) signal \(\sigma ^{t}\), respectively.

Definition 2.3

(Positive/Negative Robustness). Let \(\sigma :{\mathbb {R}}_{\ge 0}\rightarrow {\mathbb {R}}^\mathbf {Var}\) be a signal and \(\varphi \) be an \(\mathbf{AvSTL }\) formula. We define the positive robustness \({ [\![\sigma ,\, \varphi ]\!]}^{+} \in {\mathbb {R}}_{\ge 0}\cup \{\infty \}\) and the negative robustness \({ [\![\sigma ,\, \varphi ]\!]}^{-} \in {\mathbb {R}}_{\le 0}\cup \{- \infty \}\) by mutual induction, as shown in Table 1. Here \(\sqcap \) and \(\sqcup \) denote infimums and supremums of real numbers, respectively.

The definition in Table 1 is much like the one for \(\mathbf{STL }\) [12, 13], except for the averaged modalities on which a detailed account follows shortly. Conjunctions and disjunctions are interpreted by infimums and supremums, in a straightforward manner.

Figure 1 illustrates the semantics of averaged-temporal operators—the novelty of our logic \(\mathbf{AvSTL }\). Specifically, the black line designates a signal \(\sigma \) whose only variable is x; and we consider the “averaged-eventually” formula \(\overline{\Diamond }_{[0, 1]} (x \ge 0)\). For this formula, the definition in Table 1 specializes to:

$$\begin{aligned} \begin{array}{l} { [\![\sigma ,\, \overline{\Diamond }_{[0, 1]} (x \ge 0) ]\!]}^{+} \\ =\displaystyle \int _{0}^{1} \Bigl (\,{{\bigsqcup _{\tau ' \in [0 , \tau ]}}} 0\sqcup \, \sigma (\tau ')(x)\,\Bigr ) \,d\tau , \end{array} \qquad \text {and}\qquad \begin{array}{l} { [\![\sigma ,\, \overline{\Diamond }_{[0, 1]} (x \ge 0) ]\!]}^{-} \\ = \displaystyle \int _{0}^{1}\Bigl (\, {{\bigsqcup _{\tau ' \in [0 , \tau ]}}} 0 \sqcap \,\sigma (\tau ')(x) \,\Bigr )\,d\tau . \end{array} \end{aligned}$$

Fig. 1. The positive and negative robustness of \(\overline{\Diamond }_{[0, 1]} (x \ge 0)\) at \(t=0\).

These values obviously coincide with the sizes of the blue and red areas in Fig. 1, respectively. Through this “area” illustration of the averaged-eventually operator we see that: the sooner \(\varphi \) is true, the more (positively) robust \(\overline{\Diamond }_{I}\varphi \) is. It is also clear from Fig. 1 that our semantics captures space robustness too: the bigger a vertical margin is, the bigger an area is.

Remark 2.4

Presence of averaged temporal operators forces separation of two robustness measures (positive and negative). Assume otherwise, i.e. that we have one robustness measure that can take both positive and negative values; then robustness that floats between positive and negative values over time can “cancel out” after an average is taken. This leads to the failure of soundness (see Propositions 2.9 and 2.10; also [13, 16]), and then a positive robustness value no longer witnesses the Boolean truth of (the qualitative variant of) the formula. This is not convenient in the application to falsification.

2.3 Basic Properties of \(\mathbf{AvSTL }\)

Lemma 2.5

(Temporal Monotonicity). Let \(0 \le t_0 < t \le t'\). The following hold.

$$\begin{aligned} \small \begin{array}{rclrcl} { [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {U}}_{[t_0,t]}} \varphi _2 ]\!]}^{+} &{}\le &{} { [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {U}}_{[t_0,t']}} \varphi _2 ]\!]}^{+} \quad &{} { [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {U}}_{[t_0,t]}} \varphi _2 ]\!]}^{-} &{}\le &{} { [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {U}}_{[t_0,t']}} \varphi _2 ]\!]}^{-} \\ { [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {R}}_{[t_0,t]}} \varphi _2 ]\!]}^{+} &{}\ge &{} { [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {R}}_{[t_0,t']}} \varphi _2 ]\!]}^{+} &{} { [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {R}}_{[t_0,t]}} \varphi _2 ]\!]}^{-} &{}\ge &{} { [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {R}}_{[t_0,t']}} \varphi _2 ]\!]}^{-} \end{array} \end{aligned}$$

The inequalities hold also for the averaged temporal operators. \(\quad \square \)

We can now see well-definedness of Definition 2.3: we need that the integrals are defined; and the lemma shows that the integrated functions are monotone, hence Riemann integrable.

In Definition 2.3, the definitions for averaged operators with an infinite endpoint (like \(\mathbin {\overline{{\mathcal {U}}}_{[0, \infty )}}{\varphi }\)) are given in terms of non-averaged operators. This is so that their well-definedness is immediate; the following lemma justifies those definitions.

Lemma 2.6

For any \(t_0 \in {\mathbb {R}}_{\ge 0}\), \({ [\![\sigma ,\, \varphi _1 \mathbin {{\mathcal {U}}_{[t_0, \infty )}} \varphi _2 ]\!]}^{+} = {\displaystyle {\lim _{t \rightarrow \infty }}} { [\![\sigma ,\, \varphi _1 \mathbin {\overline{{\mathcal {U}}}_{[t_0, t]}} \varphi _2 ]\!]}^{+}\). The same is true if we replace \([\![\,\cdot\, ]\!]^{+}\) with \([\![\,\cdot\, ]\!]^{-}\), and if we replace \(\mathbin {{\mathcal {U}}_{}}\) with \(\mathbin {{\mathcal {R}}_{}}\). \(\quad \square \)

Fig. 2. Expeditiousness

Fig. 3. Deadline

Fig. 4. Persistence

2.4 Common Temporal Specifications Expressed in \(\mathbf{AvSTL }\)

Here we shall exemplify the expressivity of \(\mathbf{AvSTL }\), by encoding typical temporal specifications encountered in the model-based development of cyber-physical systems.

Remark 2.7

In what follows we sometimes use propositional variables such as \({\mathtt {airbag}}\) and \({\mathtt {gear}}_{i}\). For example, \({\mathtt {gear}}_{2}\) is a shorthand for the atomic formula \(x_{{\mathtt {gear}}_{2}} \ge 0\) in \(\mathbf{AvSTL }\), where the variable \(x_{{\mathtt {gear}}_{2}}\) is assumed to take a discrete value (1 or \(-1\)).

Expeditiousness \((\overline{\Diamond }_{I}\varphi )\) . Consider the following informal specification: after heavy braking, the airbag must operate within 10 ms. Its formalization in \(\mathbf{STL }\) is straightforward by the formula \(\square _{}(\mathtt {heavyBraking} \rightarrow \Diamond _{[0,10]}\mathtt {airbag})\). However, an airbag that operates after 1 ms. is naturally more desirable than one that operates after 9.99 ms. The \(\mathbf{STL }\) formula fails to discriminate between these two airbags.

Such expeditiousness (“as soon as possible”) requirements are more adequately modeled in \(\mathbf{AvSTL }\), using the averaged-eventually modality \(\overline{\Diamond }_{I}\). See Fig. 2, where the horizontal axis is for time t. The vertical axis in the figure stands for the positive robustness value \({ [\![\sigma _{t},\, \overline{\Diamond }_{[0,10]}\mathtt {airbag} ]\!]}^{+}\) of the formula \(\overline{\Diamond }_{[0,10]}\mathtt {airbag}\), where \(\sigma _{t}\) is a signal in which \(\mathtt {airbag}\) operates (i.e. \(x_{\mathtt {airbag}}\) switches from \(-1\) to 1) at time t. We see that the formula successfully distinguishes an early-bird airbag from a lazy one.

Therefore the \(\mathbf{AvSTL }\) formula \(\square _{} ({\mathtt {heavyBraking}} \rightarrow \overline{\Diamond }_{[0,10]}{\mathtt {airbag}})\) formalizes a (refined) informal specification that: after heavy braking, the airbag must operate within 10 ms; but the sooner the better. It is not hard to expect that the latter is more faithful to the designer’s intention than the original informal specification.

Deadline \((\Diamond _{[0,T]}\varphi \vee \overline{\Diamond }_{[T,T+\delta ]}\varphi )\) . The expeditiousness-type requirement that we have discussed is sometimes too strict. Let us consider the following scenario: there is a deadline set at time T and arrival by then is rewarded no matter how late; and then there is a deadline extension by time \(\delta \) and arrival between the deadline and the extended one is rewarded too, but with a certain deduction.

Such a deadline specification is expressed in \(\mathbf{AvSTL }\) by the formula \(\Diamond _{[0,T]}\varphi \vee \overline{\Diamond }_{[T,T+\delta ]}\varphi \), combining non-averaged and averaged eventually modalities. See Fig. 3, where the positive robustness of the formula \((\Diamond _{[0,5]}\mathtt {airbag})\vee (\overline{\Diamond }_{[5,5+5]}\mathtt {airbag})\) is plotted, for the same signals \(\sigma _{t}\) as before (i.e. in \(\sigma _{t}\) the airbag operates at time t).

Persistence \((\square _{[0,T]}\varphi \wedge \overline{\square }_{[T,T+\delta ]}\varphi )\) . Persistence (“for as long as possible”) specifications are dual to deadline ones and expressed by a formula \(\square _{[0,T]}\varphi \wedge \overline{\square }_{[T,T+\delta ]}\varphi \). An example is the following informal specification on automatic transmission: when a gear shifts into first, it never shifts into any other gear for the coming 50 ms. A likely intention behind it is to prevent mechanical wear of gears that is caused by frequent gear shifts. In this case the following specification would be more faithful to the intention: when a gear shifts into first, it never shifts into any other gear for the coming 50 ms., and preferably for longer. This is formalized by the formula \(\square _{} (\mathtt {shiftIntoGear_1} \rightarrow \square _{[0,50]}\mathtt {gear_1}\wedge \overline{\square }_{[50,50+\delta ]}\mathtt {gear_1})\).

For illustration, Fig. 4 plots the positive robustness of \(\square _{[0,50]}\mathtt {gear_1}\wedge \overline{\square }_{[50,60]}\mathtt {gear_1}\) for signals \(\sigma '_{t}\), where \(\mathtt {gear_1}\) is true in \(\sigma '_{t}\) from time 0 to t, and is false afterwards.
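The three patterns above (expeditiousness, deadline, persistence) and the integral form of the averaged-eventually operator from Sect. 2.2 can be checked numerically. What follows is an added example, not code from the paper: a small evaluator for positive and negative robustness at time 0 over finitely piecewise-constant signals (the class fixed in Definition 3.1 below). Because Table 1 is not reproduced on this page, the clauses for atoms, negation, conjunction/disjunction and the averaged modalities are assumptions that follow the specialisation shown in Sect. 2.2 and the usual STL robust semantics, normalised by \(\frac{1}{b-a}\) as Sect. 2.6 states. The formula encoding (`'ge'`, `'ev'`, `'avev'`, ...) and the signals `airbag_signal` and `gear_signal` are constructed here; temporal operators are only applied to state formulas, which covers the three patterns but not nested modalities.

```python
from functools import reduce
from typing import Dict, List, Tuple

# Added example (not the paper's code). Table 1 is not on this page, so the clauses below are
# an assumption: atoms are signed distances split into a >= 0 part and a <= 0 part, negation
# swaps the two parts, and/or take inf/sup, eventually/henceforth take sup/inf over [a, b], and
# the averaged modalities integrate the running sup/inf over [a, b] and divide by b - a.

FPC = List[Tuple[float, float]]   # [(t_0, r_0), ..., (t_n, r_n)], t_0 = 0, value r_i on [t_i, t_{i+1})
Signal = Dict[str, FPC]           # one finitely piecewise-constant trace per variable

def value_at(g: FPC, s: float) -> float:
    """Value of the piece of g that contains time s (pieces are right-continuous)."""
    v = g[0][1]
    for t, r in g:
        if t > s:
            break
        v = r
    return v

def state_rob(phi, vals: Dict[str, float]) -> Tuple[float, float]:
    """(positive, negative) robustness of a temporal-operator-free formula at one instant."""
    op = phi[0]
    if op in ('ge', 'le'):                      # ('ge', x, r) is x >= r, ('le', x, r) is x <= r
        d = vals[phi[1]] - phi[2] if op == 'ge' else phi[2] - vals[phi[1]]
        return max(0.0, d), min(0.0, d)
    if op == 'not':
        p, n = state_rob(phi[1], vals)
        return -n, -p
    if op in ('and', 'or'):
        (p1, n1), (p2, n2) = state_rob(phi[1], vals), state_rob(phi[2], vals)
        f = max if op == 'or' else min
        return f(p1, p2), f(n1, n2)
    raise ValueError(f"{op}: this example does not nest temporal operators")

def state_signals(phi, sigma: Signal) -> Tuple[FPC, FPC]:
    """Robustness signals [phi]^+ and [phi]^- of a state formula; both are again FPC."""
    ts = sorted({t for g in sigma.values() for t, _ in g})
    pairs = [(t, state_rob(phi, {x: value_at(g, t) for x, g in sigma.items()})) for t in ts]
    return [(t, p) for t, (p, _) in pairs], [(t, n) for t, (_, n) in pairs]

def cut_points(g: FPC, a: float, b: float) -> List[float]:
    """a, the breakpoints of g strictly inside (a, b), and b."""
    return [a] + [t for t, _ in g if a < t < b] + [b]

def window(g: FPC, a: float, b: float, comb) -> float:
    """sup (comb=max) or inf (comb=min) of g over the closed interval [a, b]: non-averaged modality."""
    return reduce(comb, (value_at(g, s) for s in cut_points(g, a, b)))

def averaged(g: FPC, a: float, b: float, comb) -> float:
    """(1/(b-a)) * integral over [a, b] of tau -> comb of g on [a, tau].  The running sup/inf of
    a piecewise-constant g is piecewise constant, so the integral is an exact sum of rectangles
    (the blue/red 'area' of Fig. 1)."""
    pts = cut_points(g, a, b)
    total, run = 0.0, None
    for s, e in zip(pts, pts[1:]):
        run = value_at(g, s) if run is None else comb(run, value_at(g, s))
        total += run * (e - s)
    return total / (b - a)

def robustness(phi, sigma: Signal) -> Tuple[float, float]:
    """([[sigma, phi]]^+, [[sigma, phi]]^-) at time 0.  Temporal operators are (op, a, b, psi)
    with op in 'ev', 'alw', 'avev', 'avalw', a < b finite, and psi a state formula."""
    op = phi[0]
    if op in ('ge', 'le'):
        return state_rob(phi, {x: value_at(g, 0.0) for x, g in sigma.items()})
    if op == 'not':
        p, n = robustness(phi[1], sigma)
        return -n, -p
    if op in ('and', 'or'):
        (p1, n1), (p2, n2) = robustness(phi[1], sigma), robustness(phi[2], sigma)
        f = max if op == 'or' else min
        return f(p1, p2), f(n1, n2)
    _, a, b, psi = phi
    pos, neg = state_signals(psi, sigma)
    comb = max if op in ('ev', 'avev') else min        # eventually: sup, henceforth: inf
    agg = averaged if op in ('avev', 'avalw') else window
    return agg(pos, a, b, comb), agg(neg, a, b, comb)

# Constructed signals of Sect. 2.4: sigma_t (the airbag fires at t) and sigma'_t (gear 1 held until t > 0).
def airbag_signal(t: float) -> Signal:
    return {'airbag': [(0.0, 1.0)] if t == 0 else [(0.0, -1.0), (t, 1.0)]}
def gear_signal(t: float) -> Signal:
    return {'gear1': [(0.0, 1.0), (t, -1.0)]}

AIRBAG, GEAR1 = ('ge', 'airbag', 0.0), ('ge', 'gear1', 0.0)
PLAIN = ('ev', 0, 10, AIRBAG)                                       # STL: eventually within 10
EXPEDITIOUS = ('avev', 0, 10, AIRBAG)                               # AvSTL: the sooner the better
DEADLINE = ('or', ('ev', 0, 5, AIRBAG), ('avev', 5, 10, AIRBAG))    # deadline 5, extension 5
PERSIST = ('and', ('alw', 0, 50, GEAR1), ('avalw', 50, 60, GEAR1))  # hold 50, preferably longer

if __name__ == '__main__':
    for t in (1.0, 5.0, 9.99):
        print(f"airbag at {t}: STL {robustness(PLAIN, airbag_signal(t))[0]:.3f}, "
              f"AvSTL {robustness(EXPEDITIOUS, airbag_signal(t))[0]:.3f}, "
              f"deadline {robustness(DEADLINE, airbag_signal(t))[0]:.3f}")
    for t in (40.0, 55.0, 70.0):
        print(f"gear 1 held until {t}: persistence {robustness(PERSIST, gear_signal(t))[0]:.3f}")
```

Running the block reproduces the shape of Figs. 2 to 4: the STL formula returns 1 both for an airbag firing at 1 ms and at 9.99 ms, whereas the averaged formula returns 0.9 and 0.001; the deadline formula returns 1 for any firing time up to 5 and 0.5 at 7.5; the persistence formula returns 0.5 when first gear is held for 55 ms and 1 when it is held for 60 ms or more. The evaluator also shows what Remark 2.4 is about: for the averaged formula the positive and the negative robustness of one signal can both be non-zero, which never happens for the averaging-free formula.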

Other Temporal Specifications. Expressivity of \(\mathbf{AvSTL }\) goes beyond the three examples that we have seen—especially after the extension of the language with time-reversed averaged temporal operators. The reversal of time here corresponds to the symmetry between left and right time robustness in [13]. Such an extension of \(\mathbf{AvSTL }\) enables us to express specifications like punctuality (“no sooner, no later”) and periodicity. The details will be reported in another venue.

2.5 Soundness of Refinements from \(\mathbf{STL }\) to \(\mathbf{AvSTL }\)

In Sect. 2.4 we have seen some scenarios where an \(\mathbf{STL }\) specification is refined into an \(\mathbf{AvSTL }\) one so that it more faithfully reflects the designer’s intention. The following two are prototypical:

  • ( \(\Diamond \) -refinement) the refinement of \(\Diamond _{I}\varphi \) (“eventually \(\varphi \), within I”) into \(\overline{\Diamond }_{I}\varphi \) (“eventually \(\varphi \) within I, but as soon as possible”); and

  • ( \(\Box \) -refinement) the refinement of \(\square _{[a,b]}\varphi \) (“always \(\varphi \) throughout \([a,b]\)”) into \(\square _{[a,b]}\varphi \wedge \overline{\square }_{[b,b+\delta ]}\varphi \) (“always \(\varphi \) throughout \([a,b]\), and desirably also in \([b,b+\delta ]\)”).

The following soundness results guarantee validity of the use of these refinements in falsification problems. Completeness, in a suitable sense, holds too.

Definition 2.8

A positive context is an \(\mathbf{AvSTL }\) formula with a hole \([\,]\) at a positive position. Formally, the set of positive contexts is defined as follows:

$$\begin{aligned} \begin{array}{rl} {\mathcal {C}}\,::=\,&{} [\,] \mid {\mathcal {C}}\vee \varphi \mid \varphi \vee {\mathcal {C}}\mid {\mathcal {C}}\wedge \varphi \mid \varphi \wedge {\mathcal {C}}\mid {\mathcal {C}}\mathbin {{\mathcal {U}}_{I}} \varphi \mid \varphi \mathbin {{\mathcal {U}}_{I}} {\mathcal {C}}\mid {\mathcal {C}}\mathbin {\overline{{\mathcal {U}}}_{I}} \varphi \mid \varphi \mathbin {\overline{{\mathcal {U}}}_{I}} {\mathcal {C}}\\ &{} \mid {\mathcal {C}}\mathbin {{\mathcal {R}}_{I}} \varphi \mid \varphi \mathbin {{\mathcal {R}}_{I}} {\mathcal {C}}\mid {\mathcal {C}}\mathbin {\overline{{\mathcal {R}}}_{I}} \varphi \mid \varphi \mathbin {\overline{{\mathcal {R}}}_{I}} {\mathcal {C}}\quad \text { where }\varphi \text { is an }\mathbf{AvSTL }\text { formula.} \end{array} \end{aligned}$$

For a positive context \({\mathcal {C}}\) and an \(\mathbf{AvSTL }\) formula \(\psi \), \({\mathcal {C}}[\psi ]\) denotes the formula obtained by substitution of \(\psi \) for the hole \([\,]\) in \({\mathcal {C}}\).

Proposition 2.9

(Soundness and Completeness of \(\Diamond _{}\) -Refinement). Let \({\mathcal {C}}\) be a positive context. Then \({ [\![\sigma ,\, {\mathcal {C}}[\overline{\Diamond }_{[a,b]}\varphi ] ]\!]}^{+} > 0\) implies \({ [\![\sigma ,\, {\mathcal {C}}[\Diamond _{[a,b]}\varphi ] ]\!]}^{+} >~0\). Moreover, for any \(b'\) such that \(b' < b\), \({ [\![\sigma ,\, {\mathcal {C}}[\Diamond _{[a,b']}\varphi ] ]\!]}^{+} > 0\) implies \({ [\![\sigma ,\, {\mathcal {C}}[\overline{\Diamond }_{[a,b]}\varphi ] ]\!]}^{+} > 0\). \(\quad \square \)

Proposition 2.10

(Soundness and Completeness of \(\square _{}\) -Refinement). Let \({\mathcal {C}}\) be a positive context. Then \({ [\![\sigma ,\, {\mathcal {C}}[\square _{[a,b]}\varphi \wedge \overline{\square }_{[b,b+\delta ]}\varphi ] ]\!]}^{+} > 0\) implies \({ [\![\sigma ,\, {\mathcal {C}}[\square _{[a,b]}\varphi ] ]\!]}^{+} > 0\). Moreover, for any \(b'>b\), \({ [\![\sigma ,\, {\mathcal {C}}[\square _{[a,b']}\varphi ] ]\!]}^{+} > 0\) implies \({ [\![\sigma ,\, {\mathcal {C}}[\square _{[a,b]}\varphi \wedge \overline{\square }_{[b,b+\delta ]}\varphi ] ]\!]}^{+} > 0 \). \(\quad \square \)

2.6 Relationship to Previous Robustness Notions

Our logic \(\mathbf{AvSTL }\) captures space robustness [16]—the first robustness notion proposed for \(\mathbf{MITL}\)/\(\mathbf{STL }\), see Sect. 1—because the averaging-free fragment of \(\mathbf{AvSTL }\) coincides with \(\mathbf{STL }\) and its space robust semantics, modulo the separation of positive and negative robustness (Remark 2.4).

[Figure e: the space-time robustness \(\theta ^{+}_{c}(x\ge 0,\sigma ,0)\) of [13] as a function of the space robustness value c, with the area under its graph shaded.]

The relationship to space-time robustness proposed in [13] is interesting. In [13] they combine time and space robustness in the following way: for each time t and each space robustness value \(c>0\), (right) time robustness relative to c, denoted by \(\theta ^{+}_{c}(\varphi ,\sigma ,t)\), is defined by “how long after time t the formula \(\varphi \) maintains space robustness c.” See the figure on the right, where the space-time robustness \(\theta ^{+}_{c}(x\ge 0,\sigma ,0)\) is depicted.

After all, space-time robustness in [13] is a function from c to \(\theta ^{+}_{c}(\varphi ,\sigma ,t)\); and one would like some real number as its characteristic. A natural choice of such is the area surrounded by the graph of the function (the shaded area in the figure), and it is computed in the same way as Lebesgue integration, as the figure suggests.

What corresponds in our \(\mathbf{AvSTL }\) framework to this “area” characteristic value is the robustness of the formula \(\overline{\square }_{[0,\infty )}(x\ge 0)\) computed by Riemann integration (here we have to ignore the normalizing factor \(\frac{1}{b-a}\) in Table 1). Therefore, very roughly speaking: our “averaged” robustness is a real-number characteristic value of the space-time robustness in [13]; and the correspondence is via the equivalence between Riemann and Lebesgue integration.

3 A Sliding-Window Algorithm for \(\mathbf{AvSTL }\) Robustness

We shall present an algorithm for computing \(\mathbf{AvSTL }\) robustness. It turns out that the presence of averaged modalities like \(\overline{\Diamond }_{I}\)—with an apparent nonlocal nature—does not incur severe computational overhead, at least for formulas in which averaged modalities are not nested. The algorithm is an adaptation of the one in [12] for \(\mathbf{STL }\) robustness; the latter in turn relies on the sliding window minimum algorithm [22]. The algorithm’s time complexity is linear with respect to the number of timestamps in the input signal; it exhibits a practical speed, too, as we will see later in Sect. 4.

Firstly we fix the class of signals to be considered.

Definition 3.1

(Finitely Piecewise-Constant/Piecewise-Linear Signal). A 1-dimensional signal \(\sigma :{\mathbb {R}}_{\ge 0}\rightarrow {\mathbb {R}}\) is finitely piecewise-constant (FPC) if it arises from a finite sequence \(\bigl [\, (t_{0},r_{0}), (t_{1},r_{1}), \cdots , (t_{n},r_{n}) \,\bigr ]\) of timestamped values, via the correspondence \(\sigma (t) = r_{i}\) (for \(t\in [t_{i}, t_{i+1})\)). Here \(0=t_{0}<\cdots <t_{n}\), \(r_{i}\in {\mathbb {R}}\), and \(t_{n+1}\) is deemed to be \(\infty \).

Similarly, a 1-dimensional signal \(\sigma :{\mathbb {R}}_{\ge 0}\rightarrow {\mathbb {R}}\) is finitely piecewise-linear (FPL) if it is identified with a finite sequence \(\bigl [\, (t_{0},r_{0}, q_{0}), \cdots , (t_{n},r_{n},q_{n}) \,\bigr ]\) of timestamped values, via the correspondence \(\sigma (t)= r_{i} + q_{i}(t-t_{i})\) (for \(t\in [t_{i}, t_{i+1})\)). Here \(q_{i}\in {\mathbb {R}}\) is the slope of \(\sigma \) in the interval \([t_{i}, t_{i+1})\).

The definitions obviously extend to many-dimensional signals \(\sigma :{\mathbb {R}}_{\ge 0}\rightarrow {\mathbb {R}}^\mathbf {Var}\).

We shall follow [12, 13] and measure an algorithm’s complexity in terms of the number of timestamps (n in the above); the latter is identified with the size of a signal.

Definition 3.2

(Robustness Signal \([\varphi ]_{\sigma }\) ). Let \(\sigma : {\mathbb {R}}_{\ge 0}\rightarrow {\mathbb {R}}^{\mathbf {Var}}\) be a signal, and \(\varphi \) be an \(\mathbf{AvSTL }\) formula. The positive robustness signal of \(\varphi \) over \(\sigma \) is the signal \([\varphi ]_{\sigma }^{+}:{\mathbb {R}}_{\ge 0}\rightarrow {\mathbb {R}}\) defined by: \([\varphi ]_{\sigma }^{+}(t)\triangleq { [\![\sigma ^{t},\, \varphi ]\!]}^{+}\). Recall that \(\sigma ^{t}(t')=\sigma (t+t')\) is the t-shift of \(\sigma \) (Definition 2.2). The negative robustness signal \([\varphi ]_{\sigma }^{-}\) is defined in the same way.

An averaged modality turns a piecewise-constant signal into a piecewise-linear one.

Lemma 3.3

  1. Let \(\varphi \) be an averaging-free \(\mathbf{AvSTL }\) formula. If a signal \(\sigma \) is finitely piecewise-constant (or piecewise-linear), then so is \([\varphi ]^{+}_{\sigma }\).

  2. Let \(\varphi \) be an \(\mathbf{AvSTL }\) formula without nested averaged modalities. If a signal \(\sigma \) is finitely piecewise-constant, then \([\varphi ]^{+}_{\sigma }\) is finitely piecewise-linear.

The above holds for the negative robustness signal \([\varphi ]^{-}_{\sigma }\), too.

Proof

Straightforward by induction on the construction of formulas. \(\quad \square \)

Our algorithm for computing \(\mathbf{AvSTL }\) robustness \({ [\![\sigma ,\, \varphi ]\!]}\) will be focused on: (1) a finitely piecewise-constant input signal \(\sigma \); and (2) an \(\mathbf{AvSTL }\) formula \(\varphi \) where averaged modalities are not nested. In what follows, for presentation, we use the (non-averaged and averaged) eventually modalities \(\Diamond _{I},\overline{\Diamond }_{I}\) in describing algorithms. Adaptation to other modalities is not hard; for complex formulas, we compute the robustness signal \([\varphi ]_{\sigma }\) by induction on \(\varphi \).

3.1 Donzé et al.’s Algorithm for \(\mathbf{STL }\) Robustness

We start by reviewing the algorithm [12] for \(\mathbf{STL }\) robustness. Our algorithm for \(\mathbf{AvSTL }\) robustness relies on it in two ways: (1) the procedures for averaged modalities like \(\overline{\Diamond }_{I}\) derive from those for non-averaged modalities in [12]; and (2) we use the algorithm in [12] itself for the non-averaged fragment of \(\mathbf{AvSTL }\).

Remark 3.4

The algorithm in [12] computes the \(\mathbf{STL }\) robustness \({ [\![\sigma ,\, \varphi ]\!]}\) for a finitely piecewise-linear signal \(\sigma \). We need this feature e.g. for computing robustness of the formula \(\square (\mathtt {heavyBraking} \rightarrow \overline{\Diamond }_{[0,10]}\mathtt {airbag})\): note that, by Lemma 3.3, the robustness signal for \(\overline{\Diamond }_{[0,10]}\mathtt {airbag}\) is piecewise-linear even if the input signal is piecewise-constant.

Consider computing the robustness signal \([\Diamond _{[a,b]} \varphi ]_{\sigma }\), assuming that the signal \([\varphi ]_{\sigma }\) is already given. The task calls for finding the supremum of \([\varphi ]_{\sigma }(\tau )\) over \(\tau \in [t+a, t+b]\); and this must be done for each t. Doing so naively leads to quadratic complexity.

Instead, Donzé et al. in [12] employ a sliding window of size \(b-a\) and let it scan the signal \([\varphi ]_{\sigma }\) from right to left. The scan happens once and for all, hence achieving linear complexity. See Fig. 5, where we take \([\Diamond _{[0,5]} (x\ge 0)]^+_{\sigma }\) as an example, and the blue shaded area designates the position of the sliding window. The window slides from [3, 8] to the closest position to the left where its left endpoint hits a new timestamped value of \([\varphi ]_{\sigma }\), namely [1, 6].

Fig. 5. A sliding window for computing \([\Diamond _{[0,5]} (x\ge 0)]^+_{\sigma }\); the black line is the signal \(\sigma \).

Fig. 6. Use of stackqueues and their operations in the sliding window algorithm.

(Inline figure: the stackqueue data structure.)

It is enough to know the shape of the blue (partial) signal in Fig. 5 at each position of the window. The blue signal denotes the (black) signal \(\sigma \)’s local supremum within the window; more precisely, it denotes the value of the signal \({ [\![\sigma ^t,\, \Diamond _{[0,\tau ]}(x\ge 0) ]\!]}^+\) at time \(t+\tau \), where \(\tau \in [0,5]\) and t is the leftmost position of the window. We can immediately read off the signal \([\Diamond _{[0,5]} (x\ge 0)]^+_{\sigma }\) from the blue signals: the former is the latter’s value at the rightmost position of the window.

The keys in the algorithms in [12, 22] lie in:

  • use of the stackqueue data structure (depicted in the inline figure above) for the purpose of representing the blue (partial) signal in Fig. 5; and

  • use of the operations push, pop and dequeue for updating the blue signal.

See Fig. 6, where each entry of a stackqueue is a timestamped value (t, r). We see that the slide of the window, from top-left to top-right in Fig. 6, is expressed by dequeue, pop and then push operations on stackqueues (in Fig. 6: from top-left to bottom-left, bottom-right and then top-right). Pseudocode for the algorithm can be found in [4, Appendix A.1].

3.2 An Algorithm for \(\mathbf{AvSTL }\) Robustness

It turns out that the algorithm just described is readily applicable to computing \(\mathbf{AvSTL }\) robustness. Consider an averaged-eventually formula \(\overline{\Diamond }_{[a,b]} \varphi \) as an example. What we have to compute is the size of the shaded areas in Fig. 5 (see also Fig. 1); and the shape of the blue signals in Fig. 5 carries just enough information to do so.

Pseudocode for the adaptation of the previous algorithm (in Sect. 3.1) to \(\overline{\Diamond }_{[a,b]} \varphi \) is found in Algorithm 1. Its complexity is linear with respect to the number n of the timestamp values that represent the signal \([\varphi ]_{\sigma }\).

Algorithm 1. Sliding-window computation of \([\overline{\Diamond }_{[a,b]} \varphi ]_{\sigma }\) (pseudocode).

An algorithm for the averaged-henceforth formula \([\overline{\square }_{[a,b]} \varphi ]_{\sigma }\) is similar. Extensions to averaged-until and averaged-release operators are possible, too; they use doubly-linked lists in place of stackqueues. See [4, Appendix A.2] for more details. Combining with the algorithm in Sect. 3.1 to deal with non-averaged temporal operators, we have the following complexity result. The complexity is the same as for \(\mathbf{STL }\) [12].
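As an added illustration (not code from the paper), the following Python renders the two ideas of Sects. 3.1 and 3.2 on an FPC robustness signal: the sliding-window computation of \([\Diamond _{[a,b]} \varphi ]_{\sigma }\) with a monotone deque standing in for the stackqueue, and the area computation behind \(\overline{\Diamond }_{[a,b]} \varphi \) at one window position. It assumes \([\varphi ]_{\sigma }\) is given as a list of \((t_{i}, r_{i})\) pairs as in Definition 3.1 with \(b > a\), scans left to right (the mirror image of the right-to-left scan of Fig. 5), treats the window as the closed interval \([t+a, t+b]\), and normalises the averaged value by the window length \(b-a\).

```python
import math
from collections import deque

def eventually(sig, a, b):
    """[Diamond_[a,b] phi]_sigma for an FPC signal sig = [(t_i, r_i), ...] (value r_i on [t_i, t_{i+1})).
    Piece i overlaps [t+a, t+b] iff t_i - b <= t < t_{i+1} - a; both bounds grow with i, so pieces
    enter and leave in index order and a monotone deque (the stackqueue of Fig. 6) tracks the supremum."""
    n = len(sig)
    enter = [t - b for t, _ in sig]                      # piece i enters at the window's right end
    leave = [sig[i + 1][0] - a for i in range(n - 1)]    # piece i leaves at the left end (last one never does)
    dq, out, i, j = deque(), [], 0, 0   # dq: piece indices inside the window, values strictly decreasing
    while i < n or j < n - 1:
        if j < n - 1 and (i == n or leave[j] <= enter[i]):   # at a tie the leaving piece goes first
            now = leave[j]
            if dq and dq[0] == j:       # the leaving piece was the supremum (dominated ones are gone already)
                dq.popleft()            # "dequeue" in the paper's terminology
            j += 1
        else:
            now = enter[i]
            while dq and sig[dq[-1]][1] <= sig[i][1]:    # "pop" entries dominated by the newcomer
                dq.pop()
            dq.append(i)                # "push" the new piece
            i += 1
        if dq:                          # record the supremum at this event time; a later event at the same time wins
            if out and out[-1][0] == now: out.pop()
            out.append((now, sig[dq[0]][1]))
    return _clip(out)

def _clip(out):
    """Restrict the event list to [0, inf) and drop repeated values, giving an FPC signal."""
    head = [(0.0, v) for t, v in out if t <= 0][-1:]    # the value at time 0 comes from the last event <= 0
    res = []
    for t, v in head + [(t, v) for t, v in out if t > 0]:
        if not res or res[-1][1] != v:
            res.append((t, v))
    return res

def averaged_eventually_at(sig, a, b, t):
    """Positive robustness of the averaged-eventually formula at time t: the area under the running
    supremum of [phi]_sigma over [t+a, t+b] (the blue signal of Fig. 5) divided by b - a (normalisation
    assumed here). Only the pieces inside the window, i.e. what the stackqueue holds, are needed."""
    lo, hi, area, run = t + a, t + b, 0.0, -math.inf
    for k, (tk, rk) in enumerate(sig):
        tnext = sig[k + 1][0] if k + 1 < len(sig) else math.inf
        left, right = max(tk, lo), min(tnext, hi)
        if left < right:                # piece k overlaps the window
            run = max(run, rk)          # running supremum from the window's left end
            area += run * (right - left)
    return area / (b - a)
```

Evaluating `averaged_eventually_at` at several t inside one segment of the output shows the linear growth predicted by Lemma 3.3: between timestamps the area changes at a constant rate.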

Theorem 3.5

Let \(\varphi \) be an \(\mathbf{AvSTL }\) formula in which averaged modalities are not nested. Let \(\sigma \) be a finitely piecewise-constant signal. Then there exists an algorithm to compute \({ [\![\sigma ,\, \varphi ]\!]}^{+}\) with time-complexity in \(\mathcal {O}(d^{|\varphi |} |\varphi | |\sigma |)\) for some constant d.

The same is true for the negative robustness \({ [\![\sigma ,\, \varphi ]\!]}^{-}\). \(\quad \square \)

Remark 3.6

The reason for our restriction to finitely piecewise-constant input signals is hinted in Remark 3.4; let us further elaborate on it. There the averaged modality \(\overline{\Diamond }_{[0,10]}\) turns a piecewise-constant signal into a piecewise-linear one (Lemma 3.3); and then the additional Boolean connectives and non-averaged modalities (outside \(\overline{\Diamond }_{[0,10]}\)) are taken care of by the algorithm in [12], one that is restricted to piecewise-linear input.

It is not methodologically hard to extend this workflow to piecewise-polynomial input signals (hence to nested averaged modalities as well). Such an extension however calls for computing local suprema of polynomials, as well as their intersections—tasks that are drastically easier with affine functions. We therefore expect the extension to piecewise-polynomial signals to be computationally much more expensive.

4 Enhanced Falsification: Implementation and Experiments

Table 2. Experiment results. Time is in seconds. The “Succ.” columns show how many trials succeeded among the designated number of trials; the “Iter.” columns show the average number of iterations of the S-TaLiRo loop executed in each trial (max. 1000); and the “Time” columns show the average time that each trial took. For the last two we also show the average over successful trials.

Fig. 7. An overview of S-TaLiRo (from [1]), with our modification.

We claim that our logic \(\mathbf{AvSTL }\) achieves a good balance between expressivity—that communicates a designer’s intention more faithfully to a falsification solver—and computational cost, thus contributing to the model-based development of cyber-physical systems. In this section we present our implementation that combines: (1) S-TaLiRo [7], one of the state-of-art falsification solvers that relies on robust MTL semantics and stochastic optimization; and (2) the \(\mathbf{AvSTL }\) evaluator, an implementation of the algorithm in Sect. 3.2. Our experiments are on automotive examples of falsification problems; the results indicate that (refinement of specifications by) \(\mathbf{AvSTL }\) brings considerable performance improvement.

Implementation. S-TaLiRo [7] is “a Matlab toolbox that searches for trajectories of minimal robustness in Simulink/Stateflow” [1]. Recall the formalization of a falsification problem (Sect. 1). S-TaLiRo’s input is: (1) a model \(\mathcal {M}\) that is a Simulink/Stateflow model; and (2) a specification \(\varphi \) that is an \(\mathbf{STL }\) formula.

S-TaLiRo employs stochastic simulation in the following S-TaLiRo loop:

  1. Choose an input signal \(\sigma _{{\mathsf {in}}}\) randomly.

  2. Compute the output signal \(\mathcal {M}(\sigma _{{\mathsf {in}}})\) with Simulink.

  3. Compute the robustness \({ [\![\mathcal {M}(\sigma _{{\mathsf {in}}}),\, \varphi ]\!]}\).

  4. If the robustness is \(\le 0\) then return \(\sigma _{{\mathsf {in}}}\) as a critical path. Otherwise choose a new \(\sigma _{{\mathsf {in}}}\) (hopefully with a smaller robustness) and go back to Step 2.

Our modification of S-TaLiRo consists of: (1) changing the specification formalism from \(\mathbf{STL }\) to \(\mathbf{AvSTL }\) (with the hope that the robustness \({ [\![\mathcal {M}(\sigma _{\mathsf {in}}),\, \varphi ]\!]}^+\) carries more information to be exploited in stochastic optimization); and (2) using, in Step 3 of the above loop, the \(\mathbf{AvSTL }\) evaluator based on the sliding-window algorithm in Sect. 3. See Fig. 7.

Experiments. As a model \(\mathcal {M}\) we used the automatic transmission model from [18], where it is offered “as benchmarks for testing-based falsification” [18]. The same model has been used in several works [15, 20, 25]. The model has two input ports (\(\mathtt {throttle}\) and \(\mathtt {brake}\)) and six output ports (the engine speed \(\omega \), the vehicle speed v, and four mutually-exclusive Boolean ports \(\mathtt {gear}_{1},\cdots ,\mathtt {gear}_{4}\) for the current gear). See [4, Appendix C] for more details. As a specification \(\varphi \) to falsify, we took six examples from [18], sometimes with minor modifications. They constitute Problems 1–6 in Table 2.

Our goal is to examine the effect of our modification to S-TaLiRo. For the model \(\mathcal {M}\) (that is fixed) and each of the six specifications \(\varphi \), experiments are done with:

  • \(\mathcal {M}\) and the original \(\mathbf{STL }\) formula \(\varphi \), as a control experiment; and

  • \(\mathcal {M}\) and the \(\mathbf{AvSTL }\) formula \(\varphi '\) that is obtained from \(\varphi \) as a refinement. The latter specifically involves \(\Diamond \)-refinement and \(\Box \)-refinement described in Sect. 2.5.

Faster, or more frequent, falsification in the latter setting witnesses effectiveness of our \(\mathbf{AvSTL }\) approach. We note that falsifying \(\varphi '\) indeed means falsifying \(\varphi \), because of the soundness of the refinement (Propositions 2.9 and 2.10).

A single falsification trial consists of at most 1000 iterations of the S-TaLiRo loop. For each specification \(\varphi \) (i.e. for each problem in Table 2) we made 20–100 falsification trials, sometimes with different parameter values T. We made multiple trials because of the stochastic nature of S-TaLiRo.

Experiment Results and Discussion. The experiment results are in Table 2. We used Matlab R2014b and S-TaLiRo ver. 1.6 beta on a ThinkPad T530 with an Intel Core i7-3520M 2.90 GHz CPU and 3.7 GB of memory. The OS was Ubuntu 14.04 LTS (64-bit).

Notable performance improvement is observed in Problems 3–5, especially in their harder instances. For example, our \(\mathbf{AvSTL }\) enrichment made 17 out of 20 trials succeed in Problem 3 (\(T=4\)), while no trials succeeded with the original \(\mathbf{STL }\) specification. A similar extreme performance gap is observed also in Problem 5 (\(T=0.8\)).

Such performance improvement in Problems 3–5 is not surprising. The specifications for these problems are concerned solely with the propositional variables \(\mathtt {gear}_{i}\) (cf. Remark 2.7); and the space robustness semantics for \(\mathbf{STL }\) assigns to these specifications only 0 or 1 (but no values in-between) as their truth values. We can imagine such “discrete” robustness values give few clues to stochastic optimization algorithms.

Both \(\Diamond \)-refinement and \(\Box \)-refinement in Sect. 2.5 turn out to be helpful. The latter’s effectiveness is observed in Problems 3–5; the former improves the success rate from 32/100 to 81/100 in Problem 1 (\(T=40\)).

Overall, the experiment results seem to support our claim that the complexity of (computing robustness values in) \(\mathbf{AvSTL }\) is tractable. There is no big difference in the time each iteration takes, between the \(\mathbf{STL }\) case and the \(\mathbf{AvSTL }\) case.

5 Conclusions and Future Work

We introduced \(\mathbf{AvSTL }\), an extension of \(\mathbf{STL }\) with averaged temporal operators. It adequately captures both space and time robustness; and we presented an algorithm for computing robustness that is linear-time with respect to the “size” of an input signal. Its use in falsification of CPS is demonstrated by our prototype that modifies S-TaLiRo.

As future work, we wish to compare our averaged temporal operators with other quantitative temporal operators, among which are the discounting ones [5, 6]. The latter are closely related to mean-payoff conditions [10, 14] as well as to energy constraints [8, 9], all of which are studied principally in the context of automata theory.

Application of \(\mathbf{AvSTL }\) to problems other than falsification is another important direction. Among them is parameter synthesis, another task that S-TaLiRo is capable of. We are now looking at application to sequence classification (see e.g. [21]), too, whose significant role in model-based development of CPS is widely acknowledged.