A toolchain for strategy synthesis with spatial properties

We present an application of strategy synthesis to enforce spatial properties. This is achieved by implementing a toolchain that enables the tools CATLib and VoxLogicA to interact in a fully automated way. The Contract Automata Library ( CATLib ) is aimed at both composition and strategy synthesis of games modelled in a dialect of ﬁnite state automata. The Voxel-based Logical Analyser ( VoxLogicA ) is a spatial model checker for the veriﬁcation of properties expressed using the Spatial Logic of Closure Spaces on pixels of digital images. We provide examples of strategy synthesis on automata encoding motion of agents in spaces represented by images, as well as a proof-of-concept realistic example based on a case study from the railway domain. The strategies are synthesised with CATLib , while the properties to enforce are deﬁned by means of spatial model checking of the images with VoxLogicA . The combination of spatial model checking with strategy synthesis provides a toolchain for checking and enforcing mobility properties in multi-agent systems in which location plays an important role, like in many collective adaptive systems. We discuss the toolchain’s performance also considering several recent improvements.


Introduction
Collective Adaptive Systems (CAS) consist of multiple spatially distributed agents, each exhibiting intricate autonomous behaviour.These agents possess the ability to cooperate towards shared objectives while typically also engaging in competition over limited resources [51].
Formal modelling and analysis are essential for enabling rigorous reasoning on the behaviour of CAS [27,58].By employing strategy synthesis, we facilitate the capacity of CAS to dynamically adapt their behaviour in accordance with evolving requirements.The seamless integration of strategy synthesis with well-established methods such as spatial model checking enhances the modelling and analysis techniques available for CAS.
In an automata-based setting, a strategy is a prescription of the behaviour (transitions) of a particular player for all possible situations (states) that leads that player to a specific goal (final state).Typically, there are other players or an environment with different, often competing goals to account for, and the set of transitions may be partitioned into controllable (by the particular player) and uncontrollable transitions.Strategy synthesis is concerned with the automatic computation of a (safe, optimal) strategy (controller) in such a game-based automata setting.
Recent advancements in spatial model checking have led to relevant results like the fully automated segmentation of regions of interest in medical images by brief, unambiguous specifications in spatial logic.The topological approach to spatial model checking of [40] is based on the Spatial Logic of Closure Spaces (SLCS).It provides a fully au-tomated method to verify properties of points in graphs, digital images, and recently 3D meshes and geometric structures [28,65].Spatial properties of points are related to topological aspects like being near to points satisfying a given property, or being able to reach a point satisfying a certain property, passing only through points obeying specific constraints.
The free and open-source tool VoxLogicA [25,43] has been designed from scratch for image analysis.Logical operators can be freely mixed with a few imaging operators, related to colour thresholds, texture analysis, or normalisation.The tool is quite fast, due to the following three factors: i) most primitives are implemented using the state-of-the-art imaging library SimpleITK;1 ii) expressions are never recomputed (reduction of the syntax tree to a directed acyclic graph is used as a form of memoisation); iii) operations are implicitly parallelised on multi-core CPUs.Ongoing work (cf., e.g.[29]) is devoted to a GPU-based implementation which enables a speedup of 1-2 orders of magnitude.
Returning to the topic of strategy synthesis, the tool CATLib [5,6,10] is a library for performing compositions of contract automata [9] (a dialect of finite-state automata) and synthesising either their supervisory control, their orchestration, or their choreography [20], using novel notions of controllability [17].CATLib offers scalability features such as a bounded on-the-fly state-space generation optimised with pruning of redundant transitions and parallel streams computations.Moreover, the software is free and open source [6], it has been developed using principles of model-based software engineering [5], and it has been extensively validated using various testing and analysis tools to increase confidence on the library's reliability.

Contribution
In this paper, we extend [22], where we proposed a new approach to combine strategy synthesis and spatial model checking.We proceed in a bottom-up fashion.First, we present a toolchain based on established off-theshelf and tool-supported theories.We then explore the combination of CATLib and VoxLogicA, to concert the composition and synthesis functionalities of CATLib with the spatial model checking functionality of VoxLogicA.Subsequently, we provide proof-of-concept examples of strategy synthesis on automata encoding motion of agents in spaces represented by images. 2 The main insight is to encode an image as an automaton, whose states are the pixels of the image.These states are then interpreted as positions of an agent, and transitions to adjacent pixels represent motions of the agent.A composition of automata is thus a collective multi-agent system, in which each state of the composition is a snapshot of the current position of the agents in the map, and a game can thus be played by a set of agents against other opponent agents, where successful states and failure states can be identified using spatial model checking of the images.Consequently, the strategy is synthesised with CATLib, while the properties to enforce are defined by means of spatial model checking of the images with VoxLogicA.By updating the properties to enforce, it is possible to synthesise a new strategy enabling the agents to collectively adapt to the updated properties.The developed examples are open source and reproducible at [23].
This paper extends [22] into the following directions: • the toolchain is automatically invoked by a main program (written in Python) which takes care of receiving input parameters from the user, and automatically routing them appropriately when invoking the various phases of the toolchain; • the number of images that are analysed by the spatial model checker has been drastically reduced; • the performance of the toolchain has been improved by pruning unuseful computations and by reducing the size of the automata to be composed; • the spatial model-checking procedure has been improved by resorting to a batching technique that permits dramatically increasing the computation-to-overhead ratio; • an example from the railway domain [21] serves as a proofof-concept of the practical applicability of the toolchain to real-world case studies, which also showcases the necessity of using the recent notion of semi-controllability rather than uncontrollability.
The benefits of our contribution can be summarised as follows: we show the practical applicability of the combination of two quite different tools, and we provide an original approach to strategy synthesis and spatial model checking, bridging theories and tools developed in different research areas.

Related work
Practical application of spatial logics, including model checking, has been ongoing during the last decade.For instance, the research line originating in [56] merges spatial model checking with signal analysis.In the domain of cyber-physical systems, the approach of [75] demonstrates applications of SLCS in a spatio-temporal domain with linear time, using bigraphical models.An abstract categorical definition of SLCS has been given in [34].The spatial model checking approach of SLCS and VoxLogicA has been demonstrated in case studies ranging from smart transportation [38,42] and bike sharing [39,41] in the context of CAS, to brain tumour segmentation [4,25], labelling of white and grey matter [24], and contouring of nevi [26] in the context of medical imaging.
Synthesising strategies (or plans/control) for motion of agents is widely researched [2,47,54,55,64,71].Spatial logics have been applied to this problem to investigate the synthesis of strategies from properties of spatially distributed systems specified with spatial logics [1,57,63].Recently, the application domain of smart cities has been explored in [67], and the aforementioned signal-based approach has been enhanced for a hybrid approach to multi-agent control synthesis, by exploiting neural network and spatial-logical specifications in the Spatio-Temporal Reach and Escape Logic (STREL) formalism.
Differently from the above literature, we set out to integrate previously developed off-the-shelf algorithms and tools, with the aim of showing their applicability.Contract automata and their toolkit were introduced to synthesise orchestrations and choreographies of compositions of service contracts exchanging offers and requests [6,9,17,20].The interpretation of an image as an (agent) contract automaton enables to connect contract automata and CATLib with spatial model checking and VoxLogicA, showing the flexibility of both approaches.

Structure of the paper
After providing the necessary background on the tools CATLib and VoxLogicA in Sect.2, we describe the proposed toolchain in Sect.3, followed by a report on three experiments in Sect.4, where we also discuss the improvement in performance with respect to [22].Finally, we conclude and mention some future work in Sect. 5.

Background
In this section, we provide some background on the various formalisms and tools used in this paper.

CATLib, automata composition, and strategy synthesis
We first formally introduce contract automata and their synthesis operation.Contract automata are a dialect of Finite State Automata with a partitioned alphabet of actions.A Contract Automaton (CA) models either a single service or a multi-party composition of services performing actions.The number of services of a CA is called its rank.When rank = 1, the contract is called a principal (i.e. a single service).Figure 3 shows an example of a principal contract automaton.Labels of CA are vectors of atomic elements called actions.Actions are either requests (prefixed by ?), offers (prefixed by !), or idle (denoted with a distinguished symbol -).Requests and offers belong to the (pairwise disjoint) sets R and O, respectively.The states of CA are vectors of atomic elements called basic states.Labels are restricted to be requests, offers, or matches where, respectively, there is either a single request action, a single offer action, or a single pair of request and offer actions that match, and all other actions are idle.The length of the vectors of states and labels is equal to the rank of the CA.
For example, the label [!goright, ?goright] is a match where the request action ?goright is matched by the offer action !goright.Note the difference between a request label (e.g.[?goright, -]) and a request action (e.g.?goright).A transition may also be called a request, offer, or match according to its label.
The goal of each service is to reach an accepting (final) state such that all its request (and possibly offer) actions are matched.In [17], CA were equipped with modalities, i.e. necessary ( ) and permitted ( ) transitions, respectively.Permitted transitions are controllable, whereas necessary transitions can be uncontrollable or semi-controllable.The resulting formalism is called Modal Service Contract Automata (MSCA).In the following definition, given a vector − → a , its ith element is denoted by − → a (i) .

Definition 1 (MSCA)
Given a finite set of states partitioned into permitted transitions T and necessary transitions T such that: (i) given t = ( − → q , − → a , − → q ) ∈ T , − → a is either a request, an offer, or a match; and (ii Composition of services is rendered through the composition of their MSCA models by means of the composition operator ⊗, which is a variant of a synchronous product.This operator basically interleaves or matches the transitions of the component MSCA, but, whenever two component MSCA are enabled to execute their respective request/offer action, the match is forced to happen.Moreover, a match involving a necessary transition of an operand is itself necessary.The rank of the composed MSCA is the sum of the ranks of its operands.The vectors of states and actions of the composed MSCA are built from the vectors of states and actions of the component MSCA, respectively.
In a composition of MSCA, typically various properties are analysed.We are especially interested in agreement.The property of agreement requires to match all requests, whilst offers can go unmatched.
CA support the synthesis of the most permissive controller (mpc) from the theory of supervisory control of discrete event systems [33,69], where a finite state automaton model of a supervisory controller (called a strategy in this paper) is synthesised from given (component) finite state automata that are composed.Supervisory control theory has been applied in a variety of domains [20,48,52,[72][73][74]76], including healthcare.In this paper, we use the synthesis in the framework of games, whose relation with supervisory control is well known [3].
The synthesised automaton, if successfully generated, is such that it is non-blocking, controllable, and maximally permissive.An automaton is said to be non-blocking if from each state at least one of the final states (distinguished stable states that represent completed 'tasks' [69]) can be reached without passing through so-called forbidden states, meaning that the system always has the possibility to return to an accepted stable state (e.g. a final state).The algorithm assumes that final states and forbidden states are indicated for each component.The synthesised automaton is said to be controllable when only controllable actions are disabled.Indeed, the supervisory controller is not permitted to directly block uncontrollable actions from occurring; the controller is only allowed to disable them by preventing controllable actions from occurring.Finally, the fact that the resulting supervisory controller is said to be maximally permissive (or least restrictive) means that as much behaviour of the uncontrolled system as possible is still present in the controlled system without violating neither the requirements, nor controllability, nor the non-blocking condition.
Finally, we recall the specification of the abstract synthesis algorithm of CA from [20].This algorithm will be used to synthesise a strategy for the spatial game in the next sections.The synthesis of a controller, an orchestration, and a choreography of CA are all different special cases of this abstract synthesis algorithm, formalised in [20] and implemented in CATLib [5] using map reduce style parallel operations of Java Streams.This algorithm is a fix-point computation where at each iteration the set of transitions of the automaton is refined (pruning predicate φ p ) and a set of forbidden states R is computed (forbidden predicate φ f ).The synthesis is parametric on these two predicates, which provide information on when a transition has to be pruned from the synthesised automaton or a state has to be deemed forbidden.We refer to MSCA as the set of (MS)CA, where the set of states is denoted by Q and the set of transitions by T (with T denoting the set of necessary transitions).For an automaton A, the predicate Dangling(A) contains those states that are not reachable from the initial state or that cannot reach any final state.Let B = { ,⊥} denote the Boolean constants true ( ) and false (⊥).

Definition 2 (Abstract synthesis [20])
Let A be an MSCA, K 0 = A, and R 0 = Dangling(K 0 ).Given two predicates φ p , φ f : The abstract controller is defined in equation ( 1) below as the least fixed point (cf.[20,Theorem 5.2]) where, if the initial state belongs to R , then the controller is empty; otherwise, it is the automaton with the set of transitions T CATLib Contract automata and their functionalities are implemented in a software artefact, called Contract Automata Library (CATLib), which is under continuous development [6].This software artefact is a by-product of scientific research on behavioural contracts and implements results that have previously been formally specified in several publications (cf., e.g.[9][10][11][12][13][14][15][16][17]20]).CATLib has been designed to be easily extendable to support similar automata-based formalisms.Currently, CATLib also supports synchronous communicating machines [45,60].CATLib and the other CA tools [7] allow programmers to use CA for developing more reliable applications.In this paper, we further showcase the flexibility of CATLib by using it to synthesise strategies for mobile agents in spatial games.CATLib has been implemented using modern established technologies for building, testing, documenting, and delivering high quality source code.CATLib is tested up to 100% coverage of all lines, branches, and the strength of the tests is measured with mutation testing with top score.

VoxLogicA, spatial model checking, and image analysis
The Spatial Logic of Closure Spaces (SLCS) is a modal logic language equipped with a unary 'nearness' modality and two binary operators: 'reaches' and 'is reached'.The language is interpreted on points of a spatial structure, which is, generally speaking, a Closure Space (cf.[40] for details).Graphs, digital images, topological spaces, and simplicial complexes are all instances of closure spaces.
In this paper, we concentrate on the interpretation of SLCS on images.In this case, the two reachability modalities collapse and the nearness modality is a derived operator based on the reachability operator, causing a particularly simple syntax.

Definition 3
Fix a set AP of atomic propositions.The syntax of SLCS is defined by the following grammar: where p ∈ AP.Models of SLCS formulae, for the purpose of this paper, are the pixels of digital images, i.e. each SLCS formula induces a truth value for each point of a given digital image.In order to define the interpretation of formulae, a notion of path needs to be established, based on a notion of neighbourhood or connectivity of pixels.VoxLogicA uses the so-called '8neighbourhood', i.e. each pixel is adjacent to 8 other pixels, namely those that share an edge or a vertex with it.Adding a notion of connectivity permits one to interpret the set of pixels of an image as a (symmetric) graph.Graph-theoretical paths are then well defined, and used below.
The interpretation of formulae depends upon a valuation of atomic propositions, assigning to each atomic proposition the set of points on which it holds, and assigning a direct interpretation to the symbols p ∈ AP.The meaning of the truth value (true), negation (¬), and conjunction (∧) is the usual one.A pixel x satisfies ρ φ 1 [φ 2 ] if there is a path rooted in x, reaching a pixel satisfying φ 1 , such that all intermediate points, except eventually the extremes, must satisfy φ 2 .We make use of the derived operator φ 1 φ 2 which is similar to ρ φ 2 [φ 1 ], but the extremes are also required to satisfy φ 1 .The near derived operator N φ ρ φ[¬ ] is true at point x if and only if there is a pixel adjacent to x where φ holds.
From now on, we use the tool's syntax, which uses tt, &, |, !, ~>, and N for , conjunction, disjunction, negation, , and N , respectively, permits macro abbreviations of the form let identifier = expression, permits function definitions of the form let identifier(argument1,...,argumentN) = expression, and it also permits other constructs not needed for the scope of this paper.On images, atomic propositions can be expressions predicating over the colour components of the pixels.For instance, in our example specification (cf.Fig. 7), to characterise the pixels composing a door as the blue pixels (note that 255 is the maximum value since we are using 8-bit images), given that img denotes an image, we use: Also, the tool permits global formulae that assign a truth value to models, not just pixels in isolation.These can be based on the volume(phi) primitive that computes the num-ber of pixels satisfying the formula phi.For instance, existential and universal quantification are defined as follows: We note that the type system of VoxLogicA is very simple, and comprises numbers, Boolean values, images of numbers (single-channel images, sometimes called grayscale), images of Boolean values, very often called binary images or masks, and ordinary multi-channel images.Operators are strongly typed with no type overloading.Therefore, for instance, the pixel-by-pixel and of two Boolean-valued images is a different operator with respect to the conjunction of two Boolean values, and it also differs from the conjunction of the Boolean value of each pixel of an image with a Boolean (scalar) constant.With some exceptions, the naming convention of operators reflects their type, having a dot on the side of the 'scalar' value (Boolean or number) and no dot on the side of the image; so, for instance, .&. is Boolean and, whereas & is pixel-by-pixel and of two images.With respect to Fig. 7, for instance, we have that base and img are multi-channel images, with the operators red, green, blue, extracting number-valued images from them.The definition of mrRed (a red area) contains the =.operator taking a number-valued image on the left, and a number on the right (hence the dot on the right-hand side).In the definition of the property forbidden1, one can find an example of the use of the operator .|. which takes as arguments two Boolean values.

Tool methodology
In this section, we discuss the tool methodology used to chain CATLib and VoxLogicA in order to perform strategy synthesis of spatial properties.The diagram in Fig. 1 depicts the workflow and the various activities in which the whole process is decomposed.
The process starts with a PNG image, depicting a map or planimetry, for agents to move in.Note that this implies that the state space is discrete, finite, and can be provided by a user with no training on the underlying theories used.Further input concerns the spatial properties that one wants to enforce with the synthesised strategy, modelling the forbidden configurations to avoid and the final configurations to reach, as well as the number of agents in the experiments with their starting position, and an indication of which agents are the controllable players and which are the uncontrollable opponents.The aim of the process is to produce the maximally permissive strategy for moving the players against all possible moves of the opponents, such that no forbidden configuration is ever reached and it is always possible to reach a final con-Fig. 1 The workflow showing the integration of the two tools Fig. 2 A zoom-in on a fragment of the agent automaton Fig. 3 The driver automaton Fig. 4 The door automaton figuration.In game-theoretical jargon, this is both a safety game and a reachability game [19].The strategy is maximal, in the sense that it includes all possible behaviour that satisfies the above properties.If the strategy is empty, then there exists no strategy for the players satisfying the given properties.CATLib only considers finite traces: infinite looping behaviour where an agent is stalled and is prevented from reaching a reachable final configuration is ruled out.
CATLib activities To allow the integration of CATLib and VoxLogicA, CATLib has been extended to allow the import/export of PNG images, which are internally converted into automata.These automata have pixels as states and transitions connecting adjacent pixels.We interpret these automata as agents, whose position is represented by the current state and transitions are requests to move up, down, left, or right to adjacent pixels/states.Note that more transitions could be added to model complex movements (e.g. between pixels that are not adjacent) should this be required by the specific application.The experiments in this paper did not require such movements.If a border is reached, then there will be no request transition in the automaton to move beyond that border.Each state is labelled with both a position, rendered in three coordinates (the third coordinate is currently not used), and the colour of the pixel.Figure 2 depicts a small portion of an agent automaton.
A driver automaton is used to command an agent to move in a specific direction.It is depicted in Fig. 3.The driver can impose some constraints (e.g.never go down).The last automaton that is used models a door, which is initially closed, and which can be opened and closed repeatedly.It is depicted in Fig. 4.
The first activity of CATLib thus consists of importing and creating such automata.There can be several instances of agents and doors or different maps according to the parameters of the experiments to perform.
The second activity consists of composing these automata to generate all possible reachable and valid configurations.As stated in Sect.2, the composition has unicast synchronisations between offers and requests of agents (called matches), and labels that are only single moves of an agent performing an offer.Agents who perform requests can move only when paired with a corresponding offer.This type of synchronised behaviour is called agreement -all requests must be matched.
Note that this is an optimisation with respect to the previous version of the toolchain as discussed in [22].Indeed, in [22], the composition included all possible behaviours, including invalid ones.We refined this activity to avoid the generation of invalid states in the composition.Previously, this was done in an additional activity performed later on, which has been removed.In Sect.4, we will discuss the improvement in performance.
To reduce the size of the state space, the composition of CATLib allows to avoid generating portions of the state space that are known to violate some property.These are, for example, configurations where an agent is placed on top of a wall (i.e. its state has colour #000000), on top of another agent (i.e. in a state of the composition, two agents have the same coordinates), or on top of a closed door (i.e. in a state of the composition, one agent has the same coordinates as the door and the door is closed).Since these are simple invariant properties (it only suffices to check the labels of states), they can be directly checked in CATLib.VoxLogicA is used to evaluate more complex spatial properties (cf.Fig. 7 below).The aforementioned invalid moves are also specified in VoxLogicA under the property wrong in Fig. 7 below.
In case of controllable 'bad' transitions, these will not be generated since they will be pruned by the synthesis.In case of uncontrollable 'bad' transitions, these will be generated (since they cannot be pruned) but their target state will not be visited (the synthesis will try to make these 'bad' states unreachable).Thus, once some agent is rendered as not controllable (by changing its transitions), it cannot be stopped from reaching an illegal configuration.It follows that illegal configurations must be removed before deciding which agents are not controllable and which are controllable.In this step it is also decided what are the initial positions of the agents, i.e. the initial state where the state-space generation starts.Indeed, the generated state space also depends on the given initial conditions.In the composed automaton, each state is a tuple of states of all agents (including the door and the driver).Each state can be represented as an image, a snapshot of the current configuration.For instance, Fig. 5 depicts a state rendered as an image.The image is generated by colouring the starting PNG image with a red, green, and blue pixel to indicate where, respectively, the first agent, the second agent, and the door are located.The door is only coloured when it is closed.
The third activity consists of generating all images for all states of the composition.These images are then passed to VoxLogicA (whose activities are described below) to evaluate for all properties whether or not they are satisfied.The number of images generated at this step are far fewer than those that were generated in [22], because the composed automaton has been polished by removing invalid states.
Next, the composed automaton must be marked with those states that are forbidden and those that are final.This is the fourth activity of CATLib.Also, it must be decided which agents are controllable and which not.This information is provided partly as input parameters of the experiments, and partly as a JSon file computed by VoxLogicA, where each state has as set of Boolean attributes, one for each evaluated spatial property.
After all states and transitions have been marked with the required information, the strategy synthesis is performed as the final, fifth activity of CATLib.The algorithm computes the maximal behaviour of the composition (in agreement) such that it is always possible to reach a final configuration and forbidden configurations are never traversed.If the strategy is non-empty, this will provide information on the behaviour to be followed by the controllable agents to ensure that a final configuration is always reached without passing through forbidden configurations, against all possible moves of uncontrollable components.
VoxLogicA activities The first activity of VoxLogicA is the evaluation of the formulae representing final and forbidden states.This is done via an auxiliary Python script that takes as input the logical specification, written into a file with .imgqlextension, the base image (i.e. the map or planimetry where agents move), and the directory containing all reachable configurations, encoded as images.The Python script then iterates the specification on the whole dataset of input images.
The second activity of VoxLogicA collects all the properties that have been computed in the first activity, locally for each state, and turns them into a single source of information, in the form of a JSon file that contains a record for each state, reporting on all the properties that have been described in the specification.In order to do so, a special output mode of VoxLogicA is used, where the tool outputs a single JSon record of all the user-specified properties that have been printed or saved in the specification.
Parameterisation Previously, in [22], the parameters of the experiments were hardcoded and each different setup required to update the source code.We updated the toolchain such that the parameters are now passed to the toolchain at command line.This improves the usability of the toolchain and allows its automatisation.Below we only report the most significant parameters: experiment [1|2|3] This is a special option that allows to select the setup of either experiment 1, 2, or 3 (cf.Sect.4).If this option is not specified, one has to provide the setup with the parameters below; gateCoordinates x y This parameter is used to set the coordinates of the gate; position_agent_1 x y This parameter is used to set the initial coordinates of the first agent; position_agent_2 x y This parameter is used to set the initial coordinates of the second agent; controllability [1|2] If the value is 1 (2, respectively), then the agents (gate, respectively) are controllable, but not the gate (agents, respectively).specification This parameter indicates the ImgQL specification to be used as input of VoxLogicA.
Other parameters include the various paths of the files to load/store, the name of the attributes in the output provided by VoxLogicA, and the selection of an activity to execute (e.g.image generation and strategy synthesis).

Handling higher dimensions
Although in this paper, we only develop examples using 2-dimensional images, the toolchain enables the representation of scenarios with higher dimensions.An n-dimensional object can be represented in CATLib as an automaton whose state is a vector of coordinates of length n (currently, three dimensions are supported).On the logical side, we remark that the main case study for VoxLogicA uses medical 3D images [25].Furthermore, the model checker has been ported to the analysis of 3D meshes in [28].Finally, the logic SLCS has also been interpreted Green agent in front of red agent Green agent in front of red agent

Final states
Both the red and the green agent reached the exit The door separates the green agent on the right from the red agent on the left

Forbidden states
The door separates the green agent on the right from the red agent on the left, or the red and green agents are not near each other Both the red and the green agent reached the exit

Strategy
The red and green agents switch position before traversing the door Empty Both trains behind the semaphore

Final states
Both trains outside the junction area

Forbidden states
Both trains inside the junction area or one train is inside the junction area, while the other train is before the semaphore and the semaphore is open

Strategy
The semaphore is opened for letting the first train enter the junction area.After it does, the semaphore is closed.
Once the first train exits the junction area, the semaphore opens again to let the second train enter the junction area so that both trains can eventually exit the junction area on higher-dimensional simplicial complexes, which are capable of expressing logical relationships between data, as demonstrated in [65].However, it must be noted that higher dimensions may render analysis unfeasible unless specific computational methods are used.

User input
The way in which a user can provide the images in input to the toolchain is not constrained, and it depends on the specific problem.The automata used by CATLib are generated from the input image.Later, the images generated by CATLib are interpreted as graphs for model-checking purposes by VoxLogicA.Note that the input image provided by the user is different from the images that are generated by CATLib and model checked by VoxLogicA.Indeed, the graph representation used by VoxLogicA is not related to the behavioural graph (i.e. the contract automaton) used by CATLib, but it only depends on an image's structure.

Experiments
In this section, we describe the experiments that have been performed following the process described in the previous section.We performed three experiments.
The first two experiments, discussed in Sect.4.1, start from the same initial conditions, but with opposite controllable/uncontrollable agents and forbidden/final states.The setup and outcome of these two experiments are reported in Table 1.The third experiment, discussed in Sect.4.2, is based on a railway scenario.The setup and outcome of this experiment are reported in Table 2.
The repository, publicly available [23], contains all data, sources, and step-by-step instructions on how to use the toolchain to reproduce the experiments.

Maze examples
The PNG map image used as planimetry is a 10 × 10 pixels image that weighs 188 bytes.It is depicted in Figs. 1  and 5 (without coloured pixels).This image was generated using one of the many maze generators available through the Internet.
The setup for the experiments is that of two duplicate mobile agents, one door agent, and one driver agent.The door agent is placed in position (2; 7) (cf.Fig. 5).Initially, the red agent is in the top left corner of the white corridor (position (1; 1)), whereas the green agent is just below the red one (position (2; 1)) and the door is closed.The initial state is depicted in Fig. 6 (left).The illegal moves were described in the previous section.We recall that in a legal composition, no agent moves over a wall, a closed door, or another agent.
Below we report the invocation of the composition function of CATLib.The composition is instantiated with the list of operands, namely the two agents, the driver, and the door.The second argument is the pruning predicate: if a generated transition satisfies the pruning predicate it will be pruned and not further explored.When applying the composition it is possible to specify a bound on the maximum depth of the generated automaton.In this case, the bound is set to the maximum Integer value.The two agents are instantiated with maze_tr and maze2_tr being their set of transitions, which only differ in the initial state.The property of agreement is passed as a lambda expression: transitions with a request label will be pruned.Similarly, this condition is put in disjunction with a condition checking whether the target state of the generated transition is 'bad' (i.e. an illegal transition), in which case the transition is pruned.

Spatial properties
In the first experiment, the final and forbidden states are set according to the following definitions.Consider the specification given in Fig. 7 (cf.Sect. 2 for an introduction to the operators used therein).The final state is set to be that on the right-hand side of the image passing through the corridor where the door is located (property final1), and is depicted in Fig. 6 (middle).The property forbidden1 identifies forbidden states as the disjunction of three sub-properties, characterising: 1) illegal states (property wrong); 2) states in which the two agents are in two areas separated by the closed door, and the green agent is on the right side of the door, i.e. it can reach an escape (a final state), whereas the red agent cannot because it is blocked by the door (property greenFlees); and 3) states in which the agents are not close to each other (!. nearby).In fact, Fig. 5 represents one of these forbidden states.In the second experiment, we change the setting according to what is summarised in Table 1.The final state becomes an illegal state of the first experiment such that we end up with an empty strategy.Hence, the property final2 is the disjunction of two previously forbidden properties: greenFlees (i.e. the green agent can reach an exit, while the red one cannot) and wrong, namely, an illegal situation that might consist of agents over the door, agents over a wall, or overlapping agents.Conversely, property forbidden2 is set to be the final state of experiment 1, so we simply get forbidden2 = final1 (cf.Fig. 7).Thus the forbidden state is now the one in which both agents reach the exit.
Synthesis Finally, in this first experiment we interpret the door as uncontrollable, whereas the red and green agents are controllable.Basically, this is a scenario in which the two players are playing against an uncontrollable door.Below we list the code used to invoke the synthesis operation of Fig. 8 The scenario taken from [21], where one train is waiting to enter a junction area while another train is traversing it CATLib.The instantiation of the operation takes as argument the property to enforce, agreement in this case, and the automaton where the synthesis is applied, called marked in this case.
The most permissive synthesised strategy consists of 684 states and 2635 transitions (recall that in each transition, only one of the agents is moving).The length of a shortest path from the initial state to a final state is composed of 33 transitions to be executed.In the initial state (Fig. 6 (left)), the green agent is in front of the red agent on the path to the exit.However, in the strategy the green agent cannot traverse the open door before the red agent.Indeed, in this case, since the door is uncontrollable, it is not possible to prevent the door from closing and separating the red agent (blocked by the door) from the green agent (who can reach the exit).This is indeed a forbidden state that the strategy must avoid.In the strategy, to overcome this problem, the two agents switch position before crossing the door.Figure 6 (right) depicts the moment where the red agent is crossing the door right after exchanging position with the green agent who is still in the corridor.Indeed, in the shortest path they switch position near the Note that no forbidden state occurs the door closes after only the red agent has traversed it.Indeed, in this scenario the green agent is prevented from reaching an exit because it is blocked by the door.Hence, after the red agent has traversed the door, the strategy guides the green agent to safely cross the door such that they can both reach a final state.
To confirm the first experiment, we performed a second experiment by inverting the setup of the first experiment.In this second experiment, the door is controllable, whereas the green and red agents are both uncontrollable.The final states are those in which the door separates the green agent (on the right-hand side of the door) from the red agent (on the left-hand side of the door).These are basically the forbidden states of the first experiment.Similarly, the forbidden states in the second experiment are those states in which both the green and red agents have reached the exit, i.e. the final states of the first experiment.The initial configuration is the same as in the first experiment.As expected, in this dual case the returned strategy is empty.Indeed, if this were not the case, then we would have a contradiction because the green and red agents have a strategy to reach the exit without being separated by the door with the red agent blocked, for every possible finite behaviour of the door.
There is no strategy for the door to reach a final configuration mainly because the door cannot ensure that the uncontrollable green agent traverses the door first.Moreover, the door cannot prevent the agents from reaching the exit by always remaining closed since (unless only the green agent has traversed the door) a final state would not be reachable.

Railway example
The third experiment is based on a real-world case study from the railway domain, which is a well-known application domain for formal methods [50].The specific example is taken from [21] and it is displayed in Fig. 8. Similarly to the previous two experiments, this experiment uses two agents and a gate.It serves as a proof-of-concept of the practical applicability of the toolchain to real-world problems.
In [21], an autonomous tram positioning (ATP) system is analysed.In an ATP, the physical track circuits detecting the occupancy of portions of the railway track are substituted by virtual track circuits (VTCs).The VTCs are virtual positions on a map.The real position of a train is detected using a global positioning system.
In the scenario in Fig. 8, one junction area (commanded by one interlocking) is composed of two VTCs, and there is one tram outside the junction area and one tram inside the junction area.Tram 2 is traversing its assigned route while Tram 1 is waiting at a red signal for its route to be assigned.VTC 0 is used to detect the occupation of a route, whereas VTC 1 is used to detect the release of a route.Initially, both trains are located behind the semaphore.The first train will communicate its route to the interlocking, which will proceed to set the route.This may cause the movement of the junction point.Once the route is set, the interlocking will signal to the train that the route is set by opening the semaphore.The train enters the junction point and the semaphore is closed again.While the first train is traversing its route, the second train will stop at the (closed) semaphore to ask for its route.The route will be assigned, the junction point moved, and the semaphore opened only after the first train has exited the junction area.Otherwise, the movement of the junction point could cause the derailment of the train inside the junction area [21].We have modelled this scenario using images.Indeed, in general, maps of railway stations are bidimensional planimetries (generally called centralised traffic control boards).In this experiment, the PNG map image used as planimetry is an 11 × 6 pixel image that occupies 157 bytes.This image is derived from the junction scenario in Fig. 8.The image representing the initial configuration of this experiment is depicted in Fig. 9 (left).Initially, both trains (green and red) are waiting for entering the junction area, whose access is signalled by a semaphore (blue).The semaphore acts like the gate in the maze examples.The open gate models the green signal, whilst the closed gate models the red signal.The VTC 0 detecting the occupancy of the junction area is at the right-hand side of the semaphore, while we assume that the last two pixels on the right borders of the image both contain VTCs for realising the junction.Figure 9 (middle) shows a final configuration where both trains exited the junction area from the same exit, whereas Fig. 9 (right) shows in purple the junction area.
We want to synthesise a controller for the semaphore such that both trains can safely traverse the junction area.Therefore, we synthesise a strategy for a game in which the semaphore is the player and the opponents are the trains.The successful final states are those where both trains have exited the junction area, i.e. they both reach the right-hand side of the image.In this case, the trains cannot travel backwards (from right to left).This means that in the composition, the Driver automaton (cf.Fig. 3) does not have the transition labelled with !goleft.The forbidden states are those where both trains are inside the junction area as well as those where one train is inside the junction area, the other train is before the semaphore, and the semaphore is opened (thus creating a hazardous scenario).

Spatial properties
The setting in this experiment is quite similar to that of the previous ones.The semaphore changes its colour dynamically, and this requires to check which part of the floor is free (floor is the white area in the specification) for each image, differently than in the previous examples (cf.Figs.7 and 10).We are also interested in knowing where the semaphore is (gate in the specification).We then specify what is the junction area, namely, the area where the railway forks after the semaphore: this is a dangerous area.Then we consider the area before the semaphore (out Fig. 10 VoxLogicA specification of the properties of experiment 3 in the specification) and the exits (outOfJunction) to be safe.The semaphore is green in those images where there is no blue pixel in (4,2): we can thus match these coordinated with the floor (note that it is not needed to explicitly check for the y coordinate, as it is implicitly assumed by the floor).Trains, which are represented by the green and the red pixels, are defined as MrGreen and MrRed, as in the previous specification.
At this point, we can start to define our properties of interest.The possible final combinations are represented by those in which both trains reach the exit.So we have two possibilities: MrRed reaches the upward exit, while mrGreen reaches the other exit, or vice versa.Hence, the final state is the disjunction of the two.
We can now focus on the forbidden state.Also in this case, we have two possibilities, but things are a bit more involved.Indeed, we may have a forbidden state in the case where only one of the trains is inside the junction area, but the semaphore is green.As previously said, this could lead to a dangerous situation, and must thus be avoided.This sit-uation is managed by defining the two properties gOp1 and gOp2.The property wrongSignal, which is the disjunction of the two, is the first part of our forbidden property.The other forbidden situation is represented by the simpler case of having both trains inside the junction.This is managed directly in the definition of the forbidden property, by means of the conjunction (exists(mrRed & junction) .&. exists(mrGreen & junction)).In the end, the forbidden property is defined as the disjunction of the latter and wrongSignal.

Synthesis
In the previous experiments, the player transitions were controllable, whereas the opponent transitions were uncontrollable (called urgent necessary transitions in contract automata [20]), and the standard most permissive controller synthesis of supervisory control theory (implemented in CATLib) was used to synthesise the strategies.However, the standard notion of uncontrollability from supervisory control theory is too strict for this third experiment.This is because in the composed automaton, the transitions of the uncontrollable opponents (i.e. the trains) would be prioritised over those of the controllable player (i.e. the semaphore).This causes the strategy to be empty.Indeed, the semaphore must be opened to reach a final state (both trains have crossed the junction area).Once the semaphore is opened, both opponent trains can execute a sequence of uncontrollable transitions leading them to a forbidden state (e.g. both trains inside the junction area).These uncontrollable transitions have higher priority than the player's controllable transitions (i.e.closing the semaphore).Indeed, the setting of a player (the semaphore) playing against an opponent (the trains) is not suitable for this particular case study.
For this reason, the orchestration synthesis introduced in contract automata theory is used instead of the mpc synthesis (cf.Sect.2).Differently from the mpc synthesis, in the orchestration synthesis, the transitions are partitioned into controllable for the player and semi-controllable (also known as lazy necessary transitions) for the opponent [20].The notion of semi-controllability emerges when dealing with concurrent compositions of agents who can internally decide their next transition, but whose scheduling is controllable [8].In this experiment, the player controls both the semaphore and also decides whose service in the composition will execute the next transition (i.e. the player also acts as the scheduler/orchestrator).All transitions (i.e. the trains' movements) of the opponent cannot be prevented from eventually being executed, but their execution can be scheduled to happen after the execution of transitions of other services in the composition (i.e. the semaphore transitions).This means that the (controllable) semaphore can thus be closed before the (semi-controllable) second train traverses it.Indeed, the trains are not competing against the semaphore, but are rather cooperating with the semaphore to traverse their (internally chosen) route safely.
The synthesised strategy consists of 180 states and 469 transitions.In this strategy, once the semaphore is opened and the first train enters the junction area, the closing of the semaphore happens prior to the second train entering the junction area.After the first train has exited the junction area, the semaphore is opened again, and the second train can now execute its transitions to reach the exit of the junction area.Hence, a final state is reached without traversing forbidden states.
We conclude with some further remarks on the difference between semi-controllability and controllability.Note that in Fig. 9 (right), on both routes the two right-most pixels are outside the junction area.This allows both trains to exit the junction area from the same route, as shown in Fig. 9 (middle).Conversely, if only the right-most pixel were outside the junction area, then it would not be possible for both trains to exit the junction from the same route.The trains could only exit the junction area if their route is different.In this case, a non-empty strategy is only possible if also the trains are controllable (i.e.there is no opponent).Instead, if the trains are semi-controllable, then there would be no strategy to guarantee that both trains eventually exit the junction area.This is because the opponent decides internally which route each train will take.Hence, the player cannot prevent the trains from taking the same route.

Performance of the experiments
We now report the time needed to compute various phases of the three experiments and measures of the computed automata.We also discuss the performance improvement with respect to [22].The experiments have been performed on a machine with Intel(R) Core(TM) i9-9900K CPU @ 3.60 GHz equipped with 32 GB of RAM.This is the same machine that was used in [22].
The time performance is reported in Table 3.We note that the synthesis is (computationally) more expensive than the composition.Indeed, as showed in Sect.2, each iteration of the synthesis requires to compute the set of dangling states, which requires a forward and backward visit of the automaton.The performances of the synthesis are similar to those of [22].There is a slight difference due to the updated version of CATLib (v.1.0.2) that has been used in this paper with respect to that used in [22] (v.1.0.1).In CATLib v.1.0.2, the forward and backward visit of the synthesis has been updated from a (tail) recursive schema to an iterative schema.This solved the problem of requiring a larger than default size of the stack to avoid stack overflow errors due to the many recursive calls.
We also analysed the improvement in the various activities of CATLib with respect to [22].We only compare the   performance of the first two experiments (Table 1), since the third experiment was not present in [22].
In [22], the composition was computed twice, first with all possible behaviour and subsequently with only legal behaviour.This required a total of 29,130 ms, which has been reduced to 1739 ms in this paper.Similarly, the generation of images has been improved by passing from 7910 ms in [22] to 1518 ms in this paper.This is because the number of images to generate (i.e. the number of states in the composition) has been reduced.Finally, we consider the activity of marking the composition with the properties computed by VoxLogicA.Again, the log to parse in this paper is much smaller than that produced in [22], due to the reduced number of images that are generated.In [22], the marking required 108,058 and 118,291 ms for the first and second experiment, respectively.In this paper, the time has been reduced to 29,822 and 10,161 ms, respectively.
Finally, concerning the performance of the third experiment in Table 2, we note that it is better (faster) than either of the first two experiments, mainly due to the smaller size of the image.
Tables 4 and 5 report the number of states, the number of transitions, and the size (in bytes) of the various automata.As expected, the number of states of the agent automata equals the number of pixels of the images.We note that an automaton encoding an image weighs more than the starting PNG image.Finally, the marked compositions have two additional states with respect to the composition, which are the added initial and final states.The number of transitions of these two automata differs according to the number of states marked as final, to which a transition to the newly added final state is added, and the number of forbidden states, to which a bad transition is added as a self-loop.

Spatial properties
The analysis of spatial properties is performed using the image analyser VoxLogicA, as in [22].However, the overall performance has improved significantly: indeed, the execution time in the previous version of the toolchain was dominated by the overhead of setting up the computation, importing the images and parsing the specification several times.This depends on the fact that a single image at a time was processed.In this paper, we overcome this issue by adopting a batching technique, similar to that used in [30].The logical specification is parsed by a Python script, which automatically generates a new, much larger specification, replicating the original specifica-tion k times, each time replacing the name of the image to be analysed, so that k images are processed in a single run.VoxLogicA is then called to process the newly generated specification, and to produce the JSon script to be used by CATLib.The size k of each such 'batch' is limited to 150 images, as the current version of VoxLogicA does not include a garbage collector (which is a planned feature), therefore much larger specifications may result in memory overflows.By using this technique, the overhead for loading and starting the tool's executable, and parsing the specification, only affects the computation time once every k runs of the model checker, instead of each time.Furthermore, the degree of parallelism can be much higher, as the processing of each image is independent from the others, and all such threads are executed concurrently on multi-core machines.

Conclusion
We have discussed a further integration of the tools CATLib and VoxLogicA to perform strategy synthesis on images processed with spatial model checking.
Our original contribution, in [22], constituted the first application of CATLib and VoxLogicA to build a framework for modelling and solving mobility problems of collective multiagent systems, introducing an original approach to combine strategy synthesis with spatial model checking.In this paper, we have presented a full-fledged toolchain built from CATLib and VoxLogicA, thus enriching the available tooling for modelling and analysis of CAS.We have improved the efficiency of the encodings, the computations, and the tool integration.The preliminary experiments we performed in [22] have been enriched with a realistic example based on a case study from the railway domain.Several interesting opportunities for future work remain.

Future work
The toolchain could be improved further.In the current approach, each agent has a state for each pixel of the image.Relaxing the representation of an image to one where each state is a zone of the image (e.g. a corridor) rather than a pixel would reduce the state space.Another improvement could be to decompose a large image into smaller images.For instance, the final states of the first experiment in Sect. 4 could be entering points to a new portion of the map.Several small maps could be linked together by ports for entering and exiting.Yet another improvement could be to drop the requirement of a strategy to be most permissive in favour of some objective function to optimise.A near-optimal solution could be synthesised as a trace using statistics over runs, in the style of [54].As for the possibility of allowing more than two agents, this would lead to an exponential blow up of the state space of the composed automaton.However, in future work we plan to exploit state-space reduction techniques, like those just discussed, to tackle this kind of problem.
Concerning metrics, from the behavioural point of view, the purpose of our analysis is qualitative, i.e. to synthesise strategies described through finite state automata that enforce qualitative properties described in the spatial logic supported by VoxLogicA.Future work is needed for synthesising strategies enforcing quantitative properties.From the spatial point of view, the language of VoxLogicA already supports distance and texture similarity measures, which could definitely be employed in further examples similar to those included in this paper.Finally, concerning VoxLogicA, the input/output overhead could also be eliminated by exploiting the recent GPU implementation [29], which is expected to yield an additional speedup, typically of 1-2 orders of magnitude.A future version of the toolchain is meant to leverage on such currently experimental improvements.

Fig. 5
Fig.5 State [(10; 10; 0)_#FFFFFF, (5; 7; 0)_#FFFFFF, Driver, Close] of the composition of two agents, a driver, and a door.The door is in position (2; 7) and is closed.The first agent is depicted red, the second is green, and the door is blue.The attributes of the position of the two agents are both #FFFFFF, which is the hexadecimal value for the colour white, i.e. both agents are placed on a white cell of the map (Color figure online)

Fig. 6 (
Fig. 6 (Left) The initial configuration of both experiments.(Middle) The final states of the first experiment (marked in violet).(Right) A configuration traversed by one of the shortest paths of the first experiment's strategy, in which the red agent is crossing the door before the green agent does, thus avoiding forbidden configurations (Color figure online)

Fig. 7
Fig. 7 VoxLogicA specification of the properties of experiments 1 and 2

Fig. 9 (
Fig. 9 (Left) The initial configuration of the railway example.(Middle) A final configuration where both trains exit the junction from the same route.(Right) The junction area is emphasised in purple (Color figure online)

Table 1
Summary of the two experiments

Table 2
Summary of the third experiment

Table 3
Time needed to perform the three experiments

Table 5
Number of states, number of transitions, and size of the automata used in the third experiment