Timeline-based planning: Expressiveness and Complexity
Università degli Studi di Udine
Dipartimento di Scienze Matematiche, Informatiche e Fisiche
Doctoral Programme in Computer Science and Mathematical and Physical Sciences

TIMELINE-BASED PLANNING: EXPRESSIVENESS AND COMPLEXITY

Dissertation, Cycle XXXI
Candidate: Nicola Gigante
Supervisor: Prof. Angelo Montanari
Co-supervisors: Andrea Orlandini, Ph.D.; Prof. Mark Reynolds

Department of Mathematics, Computer Science, and Physics, Università degli Studi di Udine, Via delle Scienze 208, Udine 33100 (UD), Italy

Submitted to referees on 31 October 2018. Approved on 16 January 2019. Final revision submitted on 30 January 2019.
An up-to-date version of this manuscript can be found on arXiv.

ABSTRACT
Automated planning is an area of artificial intelligence which aims at developing systems capable of autonomously reasoning about how to achieve a given goal, suitably interacting with their environment.

Timeline-based planning is an approach originally developed in the context of space mission planning and scheduling, where problem domains are modelled as systems made of a number of independent but interacting components, whose behaviour over time, the timelines, is governed by a set of temporal constraints. This approach is different from the perspective adopted by more common planning languages, which reason in terms of which actions one or more agents can execute in order to obtain their goals.

Timeline-based systems have been successfully deployed in a number of complex real-world tasks, from mission planning and control to on-board autonomy for space exploration, over the past twenty years. However, despite this practical success, a thorough theoretical understanding of the paradigm was missing.

This thesis addresses these issues by providing the first detailed account of the formal and computational properties of the timeline-based approach to planning. In particular, it focuses on expressiveness and computational complexity issues. At first, we compare the expressiveness of timeline-based and action-based planning languages, showing that a particularly restricted variant of the formalism is already expressive enough to compactly capture action-based temporal planning problems. Then, we move to the characterisation of the problem in terms of computational complexity, showing that finding a solution plan for a timeline-based planning problem is EXPSPACE-complete. We also show that finding infinite solution plans is EXPSPACE-complete as well, and that finding solution plans of bounded length is NEXPTIME-complete.

Then, we approach the problem of timeline-based planning with uncertainty, that is, problems that include external components whose behaviour is not under the control of the planned system. We analyse the state-of-the-art approach to these problems, based on the concept of flexible plans, identifying some key issues, and then we propose an original solution based on timeline-based games, a game-theoretic interpretation of the problem as a two-player game where the controller, in order to win, has to execute a plan guaranteeing to satisfy the problem constraints independently of the behaviour of the environment. We show that this approach is strictly more general than the current one based on flexible plans, and we show that the problem of deciding whether a winning strategy for such games exists belongs to .

In the last part of the thesis, we provide a characterisation of the expressiveness of timeline-based languages in logical terms. We show that timeline-based planning problems can be expressed by Bounded TPTL with Past (TPTLb+P), a variant of the classic Timed Propositional Temporal Logic (TPTL). We introduce TPTLb+P, showing that, while TPTL with Past (TPTL+P) is known to be non-elementary, the satisfiability problem for TPTLb+P is EXPSPACE-complete. Then, we describe a tableau method for TPTL and TPTLb+P, extending a one-pass tree-shaped tableau recently introduced for Linear Temporal Logic (LTL), which is presented with a conceptually easier proof of its completeness based on a novel model-theoretic argument, and extended in order to support past modalities.

SOMMARIO (Italian abstract, translated)

Automated planning is an area of artificial intelligence that aims at developing systems able to reason autonomously in order to pursue given goals, interacting accordingly with the surrounding environment. Timeline-based planning is an approach originally developed for the management of space missions, in which problems are modelled as systems composed of a multitude of independent but interacting components. The behaviour of these components over time, described by the timelines, is governed by a set of temporal constraints. This approach adopts a perspective different from that of the most commonly used planning languages, which work in terms of actions (action-based) that one or more agents can execute to achieve their goals.

Over the last twenty years, timeline-based systems have been successfully employed in many real-world scenarios, from satellite control to space exploration missions. Despite this applied success, a complete understanding of the paradigm from the formal point of view is lacking.

This thesis intends to fill this gap, providing the first detailed analysis of the formal and computational properties of timeline-based planning. In particular, we focus on questions of expressiveness and computational complexity. Initially, we compare the expressiveness of timeline-based and action-based modelling languages, showing that a particular restriction of the formalism is already expressive enough to compactly capture action-based temporal planning.
Then, we characterise the problem in terms of computational complexity, showing that finding a solution for a timeline-based planning problem is EXPSPACE-complete. We also show that the search for infinite solutions is EXPSPACE-complete as well, and that the problem, given a bound on the length of the solutions, becomes NEXPTIME-complete instead.

Subsequently, we approach the problem of timeline-based planning with uncertainty, in which external components are present whose behaviour is outside the control of the system. We analyse the current approach, based on the concept of flexible plan, identifying some critical issues, which we address by proposing the concept of timeline-based game. In this game-theoretic interpretation, the problem is seen as a two-player game, in which the controller of the system wins if it manages to execute a plan guaranteeing the satisfaction of the constraints, regardless of the behaviour of the environment. We show the greater generality of this approach compared to the current one based on flexible plans, and we prove that deciding whether a winning strategy for such games exists belongs to the class .

In the last part of the thesis, we characterise the expressiveness of timeline-based modelling languages in logical terms. We show that timeline-based planning problems can be expressed in Bounded TPTL with Past (TPTLb+P), a variant of the classic Timed Propositional Temporal Logic (TPTL). We introduce TPTLb+P, showing that, while the satisfiability of TPTL with Past (TPTL+P) is known to be non-elementary, the problem for TPTLb+P is EXPSPACE-complete. Then, we describe a tableau method for TPTL and TPTLb+P, extending a tree-shaped tableau recently introduced for Linear Temporal Logic (LTL), which is presented with a different and conceptually simpler completeness proof, and extended to support past temporal operators.

For Fita

Many fight for themselves, for others, for an ideal, or for a reward.
It is quite another thing to fight against yourself,
against a dark passenger that never sleeps.
But dawn will return, on the beach at Geordie Bay.
Thank you for fighting alongside me.
It is worth it.

ACKNOWLEDGEMENTS
This thesis is the result of three years of hard work and it would not have been possible at all without the precious help of many people. My gratitude goes first of all to my parents, and my mother in particular, for their endless understanding and support, and of course to my beloved Fita: her unconditional love and esteem are my most precious resources and motivation.

As everything written here is the result of team-working, I want to thank all those who made it possible. First of all, I am greatly thankful to my supervisor Angelo Montanari, who has been a wise and understanding guide during all my journey. I have learnt from him quite everything I know about how to do this job, and to him also goes the merit of identifying the satisfactory research direction that we pursued together. Sincere thanks to Mark Reynolds, for his support and his very welcoming hospitality during my visit in the wonderful Perth, one of the best parts of my life. Andrea Orlandini and Marta Cialdea Mayer, whose work put the basis for mine, were very helpful coauthors. Everybody else I worked with, including Dario Della Monica, Pietro Sala, and Guido Sciavicco, merit a big thanks for their precious advice. I also want to thank Simone Fratini and Nicolas Markey for carefully reviewing my thesis and giving me many precise and insightful suggestions, which helped me substantially improve the manuscript.

Many thanks to all the people from Rome that I met around the world, including Amedeo Cesta, Riccardo Rasconi, Angelo Oddi, Andrea Orlandini, and Alessandro Umbrico, for their friendly support and company, and in particular Simone Fratini, for his invaluable role as a mentor at the ICAPS ’17 Doctoral Consortium. I have learnt a lot from that experience, and it gave me a fundamental motivation boost.

Finally, I want to thank all those people who shared this path with me. Thanks to Alberto Molinari, surprising travel mate since the very first conferences, and to Marta Fiori Carones for the many hours spent in stimulating conversations. Special thanks to Manlio Valenti for all the timely scheduled coffees, to Tobia Dondè and Davide Liessi for the relaxing and grammatically sound lunches, and to Andrea Viel, Andrea Brunello, and all the other colleagues. And, of course, thanks to Nicola Prezza, for his uncompressible friendship. Life is a circle: best wishes to Luca Geatti, who is starting his own journey right now.

Research is not just a job. You need to keep believing in what you are looking for. Thanks to all those who helped me believe in what I do.

CONTENTS
I Introduction 1
II Timeline-based planning 35
Timeline-based planning with uncertainty 89
III Timeline-based planning and Temporal Logic 109
… TPTLb+P 150
7.4 Complexity of TPTLb+P satisfiability 155
7.5 A one-pass tree-shaped tableau for TPTLb+P 162
7.6 Conclusions and open questions 168
List of publications 171
Bibliography 173
I INTRODUCTION

INTRODUCTION

This dissertation provides a detailed theoretical investigation of timeline-based planning, studying the computational complexity of the involved decision problems and the expressiveness of timeline-based modelling languages. In the timeline-based approach to automated planning, problem domains are modelled as systems made of independent, but interacting, components, whose behaviour over time, represented by the timelines, is governed by a set of temporal constraints. Introduced in the context of planning and scheduling for space missions, it has been successfully applied in a number of complex real-world scenarios, but its formal and theoretical characteristics are not yet fully understood. This thesis starts to fill this gap, by providing a first detailed account of computational complexity and expressiveness issues. This introductory chapter gives a brief overview of the history and relevant literature about automated planning in general, and timeline-based planning in particular, introduces the topic of temporal logic, which will play an important role in later chapters, and provides a detailed account of the motivations behind the work, surveying its novel contributions.
Automated planning

Many technological applications are nowadays driven by artificial intelligence. The resurgence in popularity and the appearance of many successful applications of AI in the last decade is commonly attributed to the development of deep learning techniques, on one hand, and to the rise of sufficient computational power that allows such techniques to be fed with huge amounts of data, on the other. However, not all the application scenarios, not even the most popular ones, can be approached in their full generality with the exclusive use of learning techniques: many complex technological applications require combining learning with some kind of reasoning. This is the case, for example, of autonomous vehicles, one of the current flagship applications of AI, which, besides great computer vision and perception challenges, requires as well to address reasoning and decision making issues, from motion planning problems to the interpretation and enforcement of road signals, to the vehicle-vehicle and road-vehicle cooperation needed to ensure driving safety and security [125].

Located under the broad umbrella of artificial intelligence, the discipline of automated planning studies the design and development of such autonomous systems, capable of reasoning about how to achieve their goals, and how to act accordingly, given a description of themselves and of their environment. The adoption of a model of the world, that is, a high-level description of how the system is supposed to work and to interact with its environment, and the use of general reasoning techniques on top of such a model, are fundamental features of the artificial intelligence approach to these scenarios. The starting point is the abstract modelling of the world, which requires the application of expert knowledge of the application domain, and then the planning process is performed in the most domain-independent way possible, applying general reasoning techniques, which are, at least in principle, directly applicable to different scenarios, represented by different input models. This model-based approach distinguishes AI planning from domain-specific techniques, where ad-hoc algorithmic solutions and software systems are developed to solve the specific problem at hand, which, however, require non-trivial modifications when the problem changes.

Using an internal representation of the world, to reason and decide how to act, appears to be similar to how intelligent beings reason in their everyday lives. This is not a coincidence, and indeed the automated planning field can trace its roots back to the very early days of artificial intelligence research, with the work of Turing [133], at first, and especially McCarthy and Hayes [98], later, who were mostly interested in the philosophical question of whether a machine could imitate human behaviour.

In their seminal work, McCarthy and Hayes defined the situation calculus, a first-order logical formalism able to reason in terms of actions that, when performed, affect the truth value of some predicates, called fluents, which describe the state of the world. This philosophical investigation had substantial technological impact. Indeed, just a few years later, the first practical general planning system, the STanford Research Institute Problem Solver [57] (STRIPS), was introduced, which borrowed most of its core concepts from situation calculus. In STRIPS, the fluents, i.e., time-varying variables, describing the world are predicates ranging over finite domains, whose truth values form the current state of the system. Then, a number of actions are available to affect the state of the world. Actions may have preconditions, i.e., logical formulae which have to be true for the action to be applicable to the current state, and their effects are expressed in terms of how they change the fluents' truth values. Given an initial state, a solution plan to a STRIPS problem consists in a sequence of actions that manages to reach a state satisfying the goal condition.

STRIPS was a turning point in the history of automated planning research, so much that forty years later most state-of-the-art planning systems are still based on the state/action dichotomy, much research effort is still being devoted to efficient reasoning techniques for STRIPS-like planning, and most contemporary systems even share with STRIPS some pieces of the syntax of its modelling language, in the form of the Planning Domain Description Language [99] (PDDL), the standard language used in the international planning competitions (IPC).

From the point of view of the employed solving techniques, STRIPS inherited the work done a few years earlier on the General Problem Solver program [107], which in turn was built on top of earlier work on theorem proving in first-order logic [106]. From a scientific point of view, it is remarkable that a research line that nowadays finds so many important application domains can trace its roots back to philosophical argumentation, and that its first developments were possible only thanks to the earlier development of much more abstract fields, including not only computability theory (the concept of universal machine was fundamental in Turing's conception of the possibility of artificial intelligence itself [133]) but also earlier work on the foundations of mathematics, including formal logic and proof theory.

The performance of early systems, of course, suffered from the limited capabilities of the available hardware, and from the lack of solid search heuristics. Such gaps were rapidly filled in the subsequent years, with the most important turning points being the introduction of the GRAPHPlan planning system, based on the planning graph data structure [20], and the FF heuristic search system [74]. With the introduction of the planning as satisfiability approach [79], the advancements of fast planning techniques intersected with the contemporary development of fast solving techniques for the boolean satisfiability problem (SAT) [19, 52, 96]. In this approach, planning problems are encoded into SAT formulae, exploiting fast SAT solvers combined with clever encodings [80, 120, 140]. At the state of the art, we can say that STRIPS-like planning, despite its high theoretical complexity, can be efficiently solved.

This success brought the planning community to raise the bar of expressiveness, investigating more flexible and expressive extensions of the base language, in order to make the problem more easily applicable to real-world scenarios. A natural extension was that of adding time as a first-class concept of the modelling language.
Complex temporal specifications, known as temporally extended goals [8], were first introduced instead of the simple reachability objectives of STRIPS problems. Then the problem of temporal planning emerged, where time is treated explicitly by assigning a duration to each action, thus increasing the complexity of the reasoning process because of the possibility of overlapping of concurrent actions. Nevertheless, the problem has been tackled by many planning systems, and the PDDL 2.1 language introduced syntax to express temporal problems for the 2002 IPC [59], together with the ability to talk about the consumption and management of resources. Note that the field of scheduling algorithms studies a form of temporal reasoning as well, but temporal planning concerns the question of what to do in addition to when, and is therefore a harder problem, in general.

Going in a different direction, the PDDL+ language introduced support for modelling hybrid systems [60], mixing discrete and continuous dynamics, using hybrid automata [73] as the underlying semantic framework. Inspired by SAT encodings for classical planning, PDDL+ problems have been encoded into SAT Modulo Theory (SMT) [26]. In complex real-world scenarios, the reasoning process often cannot be limited to the actions and decisions of a single agent, but has to deal with how the surrounding environment reacts to those actions, handling exogenous events, i.e., changes in the state of the system that do not have a causal relation with the actions of the agents, and, in general, nondeterministic behaviour. This consideration has led to the study of planning problems over nondeterministic domains, both under full observability of the current state (FOND planning, see e.g. [49]) and under partial observability [118], and probabilistic domains [93]. Recently, temporal planning with uncontrollable action durations has been considered [46].

Timeline-based planning

While this thesis was being written, the European Space Agency announced the discovery of a pocket of «liquid water buried under layers of ice and dust in the south polar region of Mars» [3]. This is the first time the presence of liquid water on the red planet was given conclusive evidence, and it opens new scenarios both for the search for present or past life forms (subglacial water pockets on Earth are rich in microbial life) and for the organisation of future human exploration missions [110]. The measurements that led to the discovery come from the MARSIS instrument (Mars Advanced Radar for Subsurface and Ionosphere Sounding), a low-frequency radar mounted on Mars Express, a spacecraft in orbit around Mars since 2003.

Controlling the operations of a spacecraft orbiting a planet two hundred and sixty million kilometres away from Earth cannot be considered a trivial task. Many different teams of scientists compete on Earth for a time slot of usage of the many instruments mounted on the spacecraft [55]. Each one has to be operated while the orbiter is in the right position, pointed in the right direction, and in general when the operating conditions are compatible with the scientific task at hand. For example, MARSIS measurements made for the above experiment were performed only when the satellite was on the night side of the planet, in order to «minimize ionospheric dispersion of the signal.» Given the limited storage and processing resources of the spacecraft hardware, the collected data must be transmitted back to Earth as soon as possible, so as to free space for new measurements. However, transmitting consumes energy, hence everything has to be done while taking care not to dry out the batteries, especially when the spacecraft is not under direct Sun exposure. Furthermore, transmission of data is only possible when one of Earth's deep space ground stations is visible, and when the usage of that ground station is allocated to the same spacecraft. The choice of the ground station, and other environmental factors such as, e.g., space weather, affect the transmission speed, and consequently how much data can be transmitted in the given time slot, how much energy is required for the transmission, and thus how much data can be collected at that particular stage.
All of this has to be controlled while guaranteeing the basic functionality of the spacecraft, performing the scheduled maintenance tasks, and so on.

This kind of challenge is common to the operation of any space exploration mission, be it a probe, an orbiter, or a planetary rover, but also to the operation of scientific, meteorological or telecommunication satellites orbiting Earth. An evident feature of the constraints and requirements exemplified above is the important role assumed by temporal reasoning, that is, reasoning about the time of execution of tasks and about how the execution time and duration of such tasks affect the others. It came naturally, then, that when space agencies started to integrate automated planning techniques into their workflows, an important part of the effort was devoted to the integration between planning and scheduling technologies.

Timeline-based planning is an approach to planning born from the integration of planning and scheduling concepts in the context of space operations, designed to specifically address the issues outlined above. The approach was first proposed by Muscettola et al. [105], and deployed for the first time shortly after in the HSTS system [103], that was used to schedule and control the operations of the Hubble Space Telescope. The major features that make the timeline-based approach ideal for this kind of application can be identified as its strong focus on temporal reasoning and its mostly declarative nature. This is achieved by changing the modelling perspective, when compared to action-based planning paradigms à la STRIPS. In timeline-based planning, there is no explicit separation between states, actions and goals. Rather, the domain is modelled as a set of independent, but interacting, components, whose behaviour over time, described by the timelines, is governed by a set of temporal constraints called synchronisation rules. The solution to a problem is then a set of timelines describing a possible behaviour of the system components that satisfies all the rules. This point of view turns out to be more declarative than common action-based languages such as PDDL, since the modelling task is focused on what has or has not to happen, instead of what the agent has to do to obtain the same results. Furthermore, the modelling of the system can be subdivided between multiple knowledge engineers and domain experts, since the timelines of separate system components can be separately modelled, and the resulting models can better reflect the architecture of the combined system.

Another important feature of timeline-based systems, present since the first incarnations [103], is the ability to integrate the planning phase with the execution of the plan. Timeline-based planning domains often model real-time systems, whose constraints heavily depend on the precise timing of execution of the tasks. However, ensuring precise timing is often not possible, because of the inherent temporal uncertainty that arises in the interaction with the environment. This kind of uncertainty is taken into account, and the controller executing the plan can handle it, by the use of flexible plans, i.e., sets of different plans that differ in the execution time of the tasks.

Since its inception, the timeline-based approach to planning has been adopted and deployed in a number of systems developed by space agencies on both sides of the Atlantic. The work by Muscettola, who later worked for NASA, led to the development of two major systems, EUROPA [129] and its successor EUROPA 2 [12, 15]. In addition, NASA's Jet Propulsion Laboratory developed the ASPEN system [37], which was successfully deployed for the Earth Orbiter One experiment [39]. ASPEN was also used to plan the scientific operations of the Rosetta mission [38], which operated over ten years a spacecraft that, launched in 2004, successfully travelled five million kilometres across the solar system to reach the comet in 2014, landed a probe on its surface, and orbited around it until its dismissal two years later. On the European side, the timeline-based paradigm was notably implemented in the MEXAR2 system [28, 29, 30], which has been deployed by the mission planning team of the same Mars Express mission cited above. Later, the same concepts were integrated into APSI-TRF, the Timeline Representation Framework of ESA's Automated Planning and Scheduling Initiative [2, 32, 64], currently used in many of the space agency's operations. All of these systems were in use as a support for mission planning tasks, but the approach was also used to handle on-board autonomy [39, 63, 104]. Recently, the timeline-based approach was implemented by the PLATINUm system [134, 135], a more general purpose framework which was employed in cooperative robotics [35] and assistive robotics tasks [31].
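The following is an added example, not code from the thesis or from any of the systems named above, that makes the notions of the previous paragraphs concrete: a plan is a set of timelines, one per component, each a contiguous sequence of tokens (a value held over a time interval), and a solution is a plan in which every synchronisation rule holds. The components (orbit, ground_station, marsis, comm), the token values, the horizon and the three rules are constructed from the Mars Express scenario above and are assumptions of this example; the rules are written as plain Python predicates, a simplified stand-in for the synchronisation rule language the thesis introduces in later chapters. The checker reports which rules a candidate plan violates, so a plan with a transmission outside ground-station visibility is rejected rather than silently accepted.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Token:
    """The value taken by a component over the half-open interval [start, end)."""
    value: str
    start: int
    end: int


Timeline = List[Token]
Plan = Dict[str, Timeline]          # component name -> its timeline
Rule = Callable[[Plan], bool]


def well_formed(tl: Timeline, horizon: int) -> bool:
    """Tokens must be non-empty, contiguous, and cover exactly [0, horizon)."""
    if not tl or tl[0].start != 0 or tl[-1].end != horizon:
        return False
    return all(t.start < t.end for t in tl) and all(a.end == b.start for a, b in zip(tl, tl[1:]))


def tokens(plan: Plan, component: str, value: str) -> List[Token]:
    """All tokens of `component` carrying `value`."""
    return [t for t in plan[component] if t.value == value]


def covered(t: Token, others: List[Token]) -> bool:
    """True if some token in `others` contains the whole interval of t."""
    return any(o.start <= t.start and t.end <= o.end for o in others)


# Synchronisation rules as predicates over the whole plan (simplified stand-ins, assumption).
def transmit_needs_ground_station(plan: Plan) -> bool:
    """Every Transmit token must lie inside a ground-station Visible token."""
    return all(covered(t, tokens(plan, "ground_station", "Visible"))
               for t in tokens(plan, "comm", "Transmit"))


def measure_only_on_night_side(plan: Plan) -> bool:
    """Every MARSIS Measure token must lie inside an orbit Night token."""
    return all(covered(t, tokens(plan, "orbit", "Night"))
               for t in tokens(plan, "marsis", "Measure"))


def downlink_soon_after_measure(plan: Plan, max_delay: int = 20) -> bool:
    """Every measurement is followed by a Transmit starting within max_delay of its end."""
    return all(any(m.end <= tx.start <= m.end + max_delay
                   for tx in tokens(plan, "comm", "Transmit"))
               for m in tokens(plan, "marsis", "Measure"))


RULES: Dict[str, Rule] = {
    "transmit_needs_ground_station": transmit_needs_ground_station,
    "measure_only_on_night_side": measure_only_on_night_side,
    "downlink_soon_after_measure": downlink_soon_after_measure,
}


def check_plan(plan: Plan, horizon: int, rules: Dict[str, Rule] = RULES) -> List[str]:
    """Names of violated rules; an empty list means the plan is a solution."""
    violations = [f"well_formed:{name}" for name, tl in plan.items() if not well_formed(tl, horizon)]
    violations += [name for name, rule in rules.items() if not rule(plan)]
    return violations


def sample_plan(transmit_start: int = 55) -> Plan:
    """Constructed candidate plan over horizon 100; transmit_start moves the downlink."""
    return {
        "orbit": [Token("Day", 0, 40), Token("Night", 40, 80), Token("Day", 80, 100)],
        "ground_station": [Token("NotVisible", 0, 30), Token("Visible", 30, 60),
                           Token("NotVisible", 60, 100)],
        "marsis": [Token("Idle", 0, 45), Token("Measure", 45, 55), Token("Idle", 55, 100)],
        "comm": [Token("Idle", 0, transmit_start),
                 Token("Transmit", transmit_start, transmit_start + 5),
                 Token("Idle", transmit_start + 5, 100)],
    }


if __name__ == "__main__":
    print("valid plan violations:", check_plan(sample_plan(), 100))        # []
    print("late downlink violations:", check_plan(sample_plan(62), 100))  # transmit rule fails
```

With the downlink at time 55 the plan satisfies all three rules; moving it to 62 places the Transmit token after the ground station has set, and the checker names the violated rule. A timeline with a gap between tokens is reported as malformed before any rule is evaluated, since the rules are only meaningful over well-formed timelines.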
Footnote to the Rosetta mission mentioned above: although Rosetta was an ESA mission, science planning was handled by NASA's JPL.

Temporal logics

Every complex software and hardware system needs to be designed carefully to avoid bugs, security issues, and in general, deviations from the original specification. However, not all bugs are created equal. In business-critical and safety-critical systems, a bug can cause severe losses or even damage to equipment or injuries to people. This kind of system thus needs to be designed more carefully than others, and the field of formal methods aims at developing mathematical techniques apt to guarantee as much as possible the correctness and the safety of complex systems. In model checking, one of the most successful approaches to formal verification, a model of the system is checked against a formal specification by automated techniques that can certify the adherence of the model to the specification, or otherwise provide a counterexample, i.e., an example execution of the system where the desired properties do not hold.

Over the years, temporal logic has emerged as the most common specification language in the formal verification field. Temporal logics refers to a broad family of logics, usually modal logics, which can predicate about facts evolving in time. Introduced by Prior [114] to address philosophical questions «about the relationship between tense and modality» [70], the formalism of temporal logic was recognised as an ideal specification language for software systems by Pnueli [113], who introduced Linear Temporal Logic (LTL), the simplest and most common kind of temporal logic, which is still nowadays the de-facto standard specification language for most formal verification systems. Once again, twentieth-century philosophy comes to the rescue of contemporary computer science. LTL is interpreted over linear temporal structures, meaning that the evolution of the system over time is represented as a discrete sequence of states. If, in contrast, one considers all the possible evolutions of the system as a unique entity, we obtain the concept of branching time, and logics such as Computation Tree Logic (CTL), and its extension CTL*.

Besides formal verification, temporal logic is also often adopted in AI systems where temporal reasoning is involved, as we will do in the next chapters. As an example, the specification of planning with temporally extended goals, proposed by Bacchus and Kabanza [8], is made by evaluating a linear temporal logic formula over the trace of execution of the plan. Later, LTL has been proved to be able to capture STRIPS-like planning [42].

Details on LTL and other specific temporal logics will be introduced as needed in the following chapters. For a detailed introduction to the history and contemporary applications of temporal logics, we refer the reader to the survey by Goranko and Galton [70], and to Chittaro and Montanari [40] for a survey on the role of temporal reasoning in AI.
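The following added example, which is not code from the thesis or from any cited system, ties together two passages of this chapter: the STRIPS model of the "Automated planning" section (fluents, actions with preconditions and add/delete effects, a plan as an action sequence reaching a goal state) and the temporally extended goals just described, checked by evaluating an LTL formula over the plan's execution trace. The rover domain (fluents at_A, at_B, have_sample, transmitted; four actions) is constructed for the example, the planner is a plain breadth-first search over states, and LTL is evaluated under a finite-trace semantics in which Next is false at the last state and Always holds to the end of the trace; all of these are assumptions of the example, not the thesis's definitions.

```python
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

State = FrozenSet[str]          # a state is the set of true fluents


@dataclass(frozen=True)
class Action:
    name: str
    pre: FrozenSet[str]         # fluents that must hold for the action to be applicable
    add: FrozenSet[str]         # fluents made true
    delete: FrozenSet[str]      # fluents made false

    def applicable(self, s: State) -> bool:
        return self.pre <= s

    def apply(self, s: State) -> State:
        return (s - self.delete) | self.add


def A(name: str, pre=(), add=(), delete=()) -> Action:
    return Action(name, frozenset(pre), frozenset(add), frozenset(delete))


# Constructed toy domain (assumption): a rover samples at site B and transmits from base A.
ACTIONS = [
    A("move_A_B", pre={"at_A"}, add={"at_B"}, delete={"at_A"}),
    A("move_B_A", pre={"at_B"}, add={"at_A"}, delete={"at_B"}),
    A("sample", pre={"at_B"}, add={"have_sample"}),
    A("transmit", pre={"at_A", "have_sample"}, add={"transmitted"}),
]
INIT: State = frozenset({"at_A"})


def plan_bfs(init: State, goal: FrozenSet[str], actions: List[Action]) -> Optional[List[str]]:
    """Shortest action sequence from init to a state containing goal, or None if unreachable."""
    parent = {init: None}                  # state -> (predecessor state, action name)
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if goal <= s:
            path = []
            while parent[s] is not None:   # walk back to the initial state
                s, name = parent[s]
                path.append(name)
            return path[::-1]
        for a in actions:
            if a.applicable(s):
                s2 = a.apply(s)
                if s2 not in parent:
                    parent[s2] = (s, a.name)
                    queue.append(s2)
    return None


def execute(init: State, plan: List[str], actions: List[Action]) -> List[State]:
    """Execution trace s0, s1, ..., sn obtained by applying the plan's actions in order."""
    by_name = {a.name: a for a in actions}
    trace = [init]
    for name in plan:
        a = by_name[name]
        if not a.applicable(trace[-1]):
            raise ValueError(f"{name} not applicable at step {len(trace) - 1}")
        trace.append(a.apply(trace[-1]))
    return trace


def atom(p: str) -> Tuple:
    return ("atom", p)


def holds(f: Tuple, trace: List[State], i: int = 0) -> bool:
    """Evaluate LTL formula f at position i of a finite trace (finite-trace semantics, assumption)."""
    op = f[0]
    if op == "atom":
        return f[1] in trace[i]
    if op == "not":
        return not holds(f[1], trace, i)
    if op == "and":
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "implies":
        return (not holds(f[1], trace, i)) or holds(f[2], trace, i)
    if op == "next":                       # no successor at the last state
        return i + 1 < len(trace) and holds(f[1], trace, i + 1)
    if op == "until":                      # f[1] holds from i up to some j where f[2] holds
        return any(holds(f[2], trace, j) and all(holds(f[1], trace, k) for k in range(i, j))
                   for j in range(i, len(trace)))
    if op == "eventually":
        return any(holds(f[1], trace, j) for j in range(i, len(trace)))
    if op == "always":
        return all(holds(f[1], trace, j) for j in range(i, len(trace)))
    raise ValueError(f"unknown operator {op}")


# Temporally extended goals: F transmitted AND G(at_B -> F at_A); and G(not at_B).
RETURN_TO_BASE = ("and", ("eventually", atom("transmitted")),
                  ("always", ("implies", atom("at_B"), ("eventually", atom("at_A")))))
NEVER_LEAVE_BASE = ("always", ("not", atom("at_B")))


def demo() -> Tuple[Optional[List[str]], bool, bool]:
    plan = plan_bfs(INIT, frozenset({"transmitted"}), ACTIONS)
    trace = execute(INIT, plan, ACTIONS)
    return plan, holds(RETURN_TO_BASE, trace), holds(NEVER_LEAVE_BASE, trace)


if __name__ == "__main__":
    print(demo())   # (['move_A_B', 'sample', 'move_B_A', 'transmit'], True, False)
```

The reachability goal alone is what STRIPS asks for; the two formulae show the extra expressiveness of temporally extended goals over the same trace, since a plan can reach the goal state while still violating a constraint on the states visited along the way.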
Action-based planning à la STRIPS, and most of its successors, have not only been greatly developed from an algorithmic and technological point of view, but have also been thoroughly studied from a formal and theoretical perspective, starting from the earliest work on situation calculus [98] as a firm formal background.

Over the years, every major action-based planning paradigm has been classified from the point of view of computational complexity, starting from classic STRIPS-like planning, which has been proved to be PSPACE-complete by Bylander [24]. In light of this theoretical intractability result, Bäckström [9] looked for tractable fragments, showing a polynomial-time restriction of the problem that still retains a useful degree of expressiveness. Then, in contrast to planning for temporally extended goals, which is still PSPACE-complete [53], temporal planning has been proved to be strictly more complex, being an EXPSPACE-complete problem [119]. The addition of other features or the relaxation of some modelling assumption corresponds to an inevitable increase in computational complexity. Indeed, planning on a nondeterministic domain has been proved to be EXPTIME-complete [91] with full observability, -complete with partial observability [118], and EXPSPACE-complete for conformant planning (i.e., with no observability at all). In the probabilistic case, the general problem of finding a plan that reaches the goal with a certain probability is even undecidable [93], although easier restrictions exist, with complexities ranging from EXPSPACE- down to NP-complete [92, 102, 117].

From a formal perspective, the PDDL language, at least in its basic variants, has been given a standard well-defined semantics [59, 99], and the semantics of many of its extensions are based on, or have been related to, well-defined formal models such as hybrid automata for PDDL+ [60] and Partially Observable Markov Decision Processes (POMDPs) for probabilistic variants [93]. Some work has been done to relate planning languages to logic. Besides the various SAT and SMT encodings, which in addition to their practical relevance also provide a connection between certain PDDL fragments and corresponding logical formalisms, a more direct connection has also been given with temporal logic, proving that STRIPS-like planning and temporal planning can be captured by Linear Temporal Logic and suitable extensions [42, 48].

In contrast to the above impressive body of theoretical work, and despite the practical success of the approach, deployed in many complex real-world problems, little work has been done on timeline-based planning from a formal and theoretical perspective. The concept of timelines and the main features of the paradigm have been characterised by different authors. The description of the early DDL.1 modelling description language by Cesta and Oddi [34] comes with a well-defined semantics. Then, Frank and Jónsson [62] formally describe the constraint-based interval planning paradigm that underlies the EUROPA system, and Chien et al. [36] describe the general characteristics of the timeline-based approach adopted by a large number of space mission planning systems currently in use, comparing their differences and common features. Taking a relatively different perspective, Frank [61] studied the concept of timeline from a knowledge engineering point of view. These works, however, did not aim at providing a unifying description of the timeline-based approach that could be taken as a starting point for further theoretical investigation. A first step in this direction was provided by a semantically well-founded framework for timeline-based planning by Cimatti et al. [47], which however did not consider temporal flexibility, considered instead by Bernardini [14].
The latter work, however, used the formalism of simple temporal networks (STNs) to represent temporal constraints, and still did not address the issue of controllability of flexible plans. Controllability issues were considered in many ways [43, 108, 109], but still depending on the corresponding notions coming from the world of STNs with uncertainty (STNUs) [138]. The first comprehensive formal framework defining timeline-based planning was introduced by Cialdea Mayer et al. [44], including a uniform treatment of the integration of planning and execution through temporal flexibility, with a formal account, independent from STNUs, of the notions of controllability of flexible plans. Such a framework was then taken as the foundational platform for the PLATINUm system [134].

Still, a comprehensive theoretical understanding of the paradigm is missing. In particular, timeline-based planning lacks a solid formal understanding of its formal and computational characteristics, such as the computational complexity of the involved problems, and the expressiveness of its modelling languages, both in logical terms and in contrast to the more common action-based ones.

This dissertation addresses these issues, by providing the first thorough theoretical investigation of the paradigm. The goal of our investigation is twofold:

1. providing a detailed theoretical understanding of the timeline-based approach to planning, including the computational complexity of the involved decision problems;
2. comparing the expressiveness of timeline-based and action-based modelling languages, providing a bridge between the two worlds.

In pursuing these objectives, we take as a starting point the formal framework introduced by Cialdea Mayer et al. [44], which comes as a representative of the many actual modelling languages employed by timeline-based systems. This formal framework is recalled in Chapter 2, providing all the necessary background for what follows, and concluding this first introductory part.

In the second part of the thesis, Chapter 3 addresses the expressiveness of timeline-based planning languages, by comparing it with action-based planning. In particular, in light of the explicit focus of this paradigm on temporal reasoning, the natural candidate for this comparison is temporal planning. Timeline-based planning problems are thus compared with temporal planning problems, represented by the formal temporal planning language introduced by Rintanen [119] to prove his computational complexity results. We identify a greatly restricted fragment of the general timeline-based language, which is however already expressive enough to capture temporal planning problems. The result is shown by providing a polynomial-size encoding of temporal planning problems into timeline-based ones that preserves the solution plans.

Later, Chapter 4 addresses the more involved issue of the computational complexity of finding solution plans for timeline-based planning problems. We study the general formalism, without any artificial restriction, but without considering uncertainty, which is left for later. In this context, the plan existence problem for timeline-based planning problems is proved to be EXPSPACE-complete. While the hardness for the EXPSPACE class comes directly from the encoding of action-based temporal planning problems provided earlier, the inclusion in the class is proved by exhibiting a decision procedure that runs using at most exponential space.

Such a procedure exploits the concept of rule graphs, a graph-theoretic representation of synchronisation rules that allows us to easily manipulate, decompose and reason about timeline-based planning problems, providing useful insights into the structure of the problem. Much space is devoted to the development of this concept, which allows us to prove an upper bound on the size of the solution plans of timeline-based problems, and to build a data structure that can represent such plans compactly enough to be used in our exponential-space decision procedure.

The complexity of two interesting variants of the problem is also studied. First, the problem of finding a solution plan of a given maximum length is proved to be NEXPTIME-complete, leveraging much of the framework built for the general result, while proving the NEXPTIME-hardness by a reduction from a specific type of tiling problem. Then, we define the plan existence problem for timeline-based planning problems over infinite plans, and prove it to be EXPSPACE-complete as well, with a different automata-theoretic technique.

Then, Chapter 5 extends the picture by reintroducing the concept of uncertainty, i.e., studying the problem when the modelled system has to account for the behaviour of the surrounding environment. Timeline-based systems are especially good at integrating planning with execution, by handling the temporal uncertainty inherent in the interaction with the environment. However, the current approach, based on flexible plans, also faces some limitations when temporal uncertainty is not the only level of nondeterminism needed to correctly model the problem. On the one hand, the focus on temporal uncertainty forces some systems, such as PLATINUm, to employ a feedback loop including a re-planning phase for handling non-temporal mismatches between the expected and actual environment behaviour. Such a re-planning phase can be costly and reduces the reactivity and autonomy of the system. On the other hand, we observe that the syntax of timeline-based planning languages is able to express situations that require general nondeterminism to be handled, while apparently only focusing on temporal uncertainty, hence showing that flexible plans cannot be considered a complete semantics for such problems.

To tackle these issues, we propose a game-theoretic interpretation of timeline-based planning with uncertainty, introducing the concept of timeline-based game, a two-player game where the controller has to execute a plan that satisfies the problem constraints independently from the actions of the other player, which represents the surrounding environment. We show that this approach is strictly more general than the current one based on flexible plans, and we prove that the problem of finding a winning strategy for such games belongs to the complexity class.
Notably, both the definition of the game and the algorithm provided to decide the existence of winning strategies heavily exploit the conceptual framework of rule graphs introduced in Chapter 4.

The third part of the thesis studies other expressiveness issues, focusing on the relationship between timeline-based planning and temporal logics. First, in Chapter 6, we introduce the topic of tableau methods, a long-studied paradigm for solving the satisfiability problem of various logics. We study in particular the novel kind of tableau method for Linear Temporal Logic introduced by Reynolds [116]. The method, in contrast to earlier ones, produces a pure tree-shaped structure, where each branch only needs a single pass to be either accepted or rejected. In this context, we provide a number of contributions:

1. we recall Reynolds's one-pass tree-shaped tableau method for LTL, proving its soundness and, in particular, its completeness, with a novel proof technique employing a model-theoretic argument which is conceptually simpler than the combinatorial proof provided in the original presentation of the method;
2. we report the results of the experimental evaluation of an implementation of the method, which shows how the simpler tree-shaped rule-based structure allows the tableau to be efficiently implementable and easily parallelisable, becoming competitive with other LTL satisfiability tools;
3. we extend the method to support past operators, obtaining a one-pass tree-shaped tableau for the resulting LTL+P logic, with full proofs of the soundness and completeness of the extended system.

Lastly, Chapter 7 addresses the issue of characterising the expressiveness of timeline-based planning from a logical point of view. Logical characterisations of action-based planning exist [42], which show how classical planning problems can be captured by LTL formulae. We pursue a similar result for timeline-based planning, but LTL is not enough for the task at hand. Hence, we consider Timed Propositional Temporal Logic (TPTL), a real-time extension of LTL, which sports most of the features needed to express timeline-based planning problems. However, as synchronisation rules can arbitrarily talk about the future or the past of the current time point, any encoding of timeline-based planning into TPTL would need the use of past operators. Unfortunately, adding past operators to TPTL is unfeasible, as the satisfiability problem for the resulting TPTL+P logic is known to be non-elementary. To circumvent the issue, we isolate a specific fragment of TPTL+P, called Bounded TPTL with Past (TPTLb+P), which we show to be expressive enough to capture (most of) timeline-based planning, while still having an EXPSPACE-complete satisfiability problem. The complexity of the satisfiability problem for TPTLb+P is proved by exhibiting a graph-shaped tableau method, but then a one-pass tree-shaped method à la Reynolds is shown, which extends the one for LTL+P described in Chapter 6.
The contents of this work have been published in the proceedings of a number of international conferences, see the List of Publications at page 171. In general, however, the whole material has been extensively revised for this dissertation and many results have been extended and completed. In particular, the contents of Chapter 3 have been published in [TIME 2016], and Chapter 4 draws from [ICAPS 2017] for the main complexity results. The concept of rule graph was exploited for the first time in [ICAPS 2017], and glimpsed already in [TIME 2016], but Chapter 4 provides a complete and formally rigorous treatment of the concept with full details of all the proofs. Furthermore, the automata-theoretic approach to the complexity of the problem over infinite timelines comes from the recent [KR 2018]. Then, the work published at [TIME 2018] is reported in Chapter 5.

In the second part of the thesis, Chapter 6 presents the results published in [IJCAI 2016] (for the experimental evaluation of the tableau implementation), and in [LPAR-21] (for the extension to past operators). The different model-theoretic proof of the completeness of the one-pass tree-shaped tableau for LTL is novel. Finally, in Chapter 7, the TPTLb+P logic and its use to encode timeline-based planning problems come from [IJCAI 2017], while the one-pass tree-shaped tableau for the logic has been reported in [GandALF 2018].

TIMELINE-BASED PLANNING

This chapter introduces timeline-based planning problems in full detail. In contrast to the world of action-based planning, where the STRIPS-inspired PDDL language has been unanimously adopted as a de-facto standard modelling language, timeline-based planning has not converged over a single formalism. The many systems developed during the decades-long history of the approach adopted different languages with different features and often different semantics. Our work is based on a recently introduced formal framework that captures many common features of timeline-based systems, enabling the development of the results reported in the next chapters.

Action-based planning has long since converged over PDDL as the de-facto standard modelling language, mainly thanks to its adoption by the International Planning Competition [99]. This standardisation, together with the strong formal ground of the early days [98], eased cross-fertilisation between actors in the field. In contrast, timeline-based planning systems evolved quite independently from each other, each one developing its own features and characteristics, while respecting the main philosophy behind the approach. This resulted in many concrete languages being adopted by the different systems. In the early days, a timeline-based Domain Description Language (DDL.1) [33] was described, embedding the main ideas behind the approach. Nevertheless, the IxTeT system [68], introduced not much later, immediately adopted a different input syntax. Systems developed at NASA, such as EUROPA 2, adopted the New Domain Description Language (NDDL) [12], but even inside NASA itself, the ASPEN system was developed around yet another different input language called ASPEN Modeling Language (AML) [37].
ESA systems based on APSI adopt the DDL.3 modelling language. Lately, the Action Notation Modeling Language (ANML) was proposed by Smith et al. [128] as an extension to both AML and NDDL, which also incorporates action-based elements to get the best of both worlds.

It is evident how this proliferation of languages with different syntaxes and semantics made it difficult for the timeline-based planning community to progress towards the kind of formally-grounded understanding of the approach whose development is the aim of this thesis. Recently, some attempts were made to provide a formal background to the approach [14, 47, 61]. However, these early attempts failed to formalise some of the most important features of timeline-based systems, such as flexible plans, together with the associated controllability issues. The present work is based on a clean and comprehensive formal framework describing timeline-based planning problems, including uncertainty, temporal flexibility, and controllability issues, recently provided by Cialdea Mayer et al. [44]. The formal language introduced in their work abstracts over most features supported by the concrete syntax of different languages, with a well-defined semantics that provides the ideal starting point for our investigation.

This chapter provides a detailed account of timeline-based planning as defined by Cialdea Mayer et al. [44], which all the subsequent chapters will build upon. However, while taking it as a starting point, our presentation of their framework is tailored to our needs, as the original presentation had, in part, different goals. For example, one of the stated goals was that of defining all the relevant concepts in such a way as to isolate what the executor of the plans needed to store to be able to completely do its job without storing the whole problem domain. This leads to a certain degree of redundancy in some definitions, which we can omit.

A second, and maybe the most important, difference of our presentation is the separation between timeline-based planning problems, which do not admit any uncertainty, and timeline-based planning problems with uncertainty, which reintroduce all the relevant bits to handle the interaction with the environment. While the original presentation of the framework had the explicit goal of providing a uniform definition that accounted for uncertainty and temporal flexibility, in our computational complexity and expressiveness study it is convenient to separate the basic satisfiability problem of finding a plan for a deterministic problem from the synthesis problem of finding a strategy to cope with the environment behaviour. For this reason, the former concept is defined first (Section 2.2), and extended later to define the latter (Section 2.3). The results regarding the two are also reported in different chapters (mostly Chapters 4 and 5). Other changes in our presentation are there for ease of exposition and uniformity with the whole material. In any case, care has been taken to ensure that the given definitions are equivalent to the originals in any detail that could affect expressiveness or computational complexity, such as succinctness of representation and syntactic restrictions or limitations.

Given the long history of timeline-based planning and the number of different systems developed over the years, no formal framework can claim to be completely exhaustive, and here we are explicitly making a few assumptions. Most importantly, the general framework from Cialdea Mayer et al. is time-domain-agnostic, being equivalently definable over discrete, dense, or even continuous time domains. In this work, we are instead exclusively focused on timeline-based problems over discrete time domains, i.e., time is a discrete linear order, and time stamps are integer numbers. As a matter of fact, most of the systems, despite often supporting the specification of fractional values as a syntactic convenience, reason over discrete domains, by discretising time over a convenient granularity. Nevertheless, the formal properties of the approach when applied to dense domains are of independent interest, and recently some work appeared studying this case, from a perspective similar to ours [21, 22]. Another important limitation of our investigation is that we do not consider the concept of resource handling. Reasoning about the consumption of resources, such as fuel or energy, is an important part of any real-world task, and most timeline-based systems support modelling resources of different kinds. The formal framework we base our work on has been recently extended to represent resource handling [135], and the extension of our results to include this feature is an important future step in this line of research.

In what follows, we denote as ℕ and ℤ the sets of, respectively, natural numbers and integers. We denote as ℕ⁺ = ℕ \ {0} the set of positive natural numbers, and as ℕ⁺_∞ = ℕ ∪ {+∞} the set of natural numbers augmented with an infinitary value. Sequences (either finite or infinite) of elements x_0, x_1, … are denoted as x = ⟨x_0, x_1, …⟩. Given a sequence x = ⟨x_0, x_1, …⟩ and an index k ∈ ℕ, the sequence x_{≥k} = ⟨x_k, x_{k+1}, …⟩ is the suffix of x starting from the k-th element. Analogously we define x_{>k}, x_{≤k} and x_{<k}.

In our setting, interesting properties of the modelled system are represented by state variables, which range over finite domains.

Definition 2.1 — State variable. A state variable is a tuple x = (V_x, T_x, D_x, γ_x), where:
• V_x is the finite domain of x;
• T_x : V_x → 2^{V_x} is the value transition function of x;
• D_x : V_x → ℕ × ℕ⁺_∞ is the duration function of x;
• γ_x : V_x → {c, u} is the controllability tag, see Section 2.3.
Intuitively, the transition function specifies which values T x ( v ) the variablecan hold immediately after point in time where x = v . The duration function D x maps any value v ∈ V x into a pair of non-negative integers ( d x = vmin , d x = vmax ),which respectively specify the minimum and maximum duration of any timeinterval where x = v . The maximum duration can be infinite ( d x = vmax = + ∞ ), inwhich case there is no upper bound to how long the variable can hold the Timeline-based planning 21 Earth [ , + ∞ ] Slewing [ , ] Science [ , ] Comm [ , ] Maintenance [ , ] Visible [ , ] Not Visible [ , ] Figure 2.1: Values of the example state variables x p (above) and x v (below) visualisedas state machines. Uncontrollable values are marked in orange. given value. The controllability tag comes into play when handling uncertainty .Intuitively, it states whether the duration of any time interval (of any token ,more precisely, as defined below), where a variable x holds a given value v iscontrollable by the system ( γ x ( v ) = c ) or not ( γ x ( v ) = u ).Two example state variables are depicted in Figure 2.1, belonging to adomain concerning the operations of a satellite orbiting a planet (a scenarioconceptually similar to the Mars Express mission). The first variable x p , rep-resents the pointing mode of the satellite, i . e ., whether it is pointing towardsEarth, doing maintenance, doing scientific measurements, slewing betweenthe direction facing Earth and the direction facing the underlying planet, orwhether it is transmitting some communications. The domain of the variablesthus consists of the five depicted values, and the transition function stateswhich task can follow each other, being visualisable as a state machine. Theminimum and maximum durations for each value are reported inside thebubbles. 
The second variable x v represents the visibility window of the Earthground station, which determines when the station is visible for transmitting.In this example γ x p ( Comm ) = u , i . e ., the Comm value is uncontrollable , meaningthat the system can decide when to start communicating but cannot decide nor x v Not Visible Visible x p Earth Slewing Science Slewing Earth Comm Earth Figure 2.2: Example timelines for the variables x v (above) and x p (below) predict how much time will be required by the transmission. All the values ofthe variable x v are uncontrollable since, of course, the satellite cannot decidewhen the ground stations are visible or not. In what follows, the controllabilitytag will be ignored, and considered again in Section 2.3.The evolution over time of the values of each state variable is representedby the timelines , which are the core concept of the whole formalism. Definition 2.2 — Timeline. A token for a state variable x is a triple τ = ( x, v, d ) , where v ∈ V x is the value heldby the variable, and d ∈ N + is the duration of the token. A timeline for a statevariable x is a finite sequence τ = (cid:104) τ , . . . , τ k (cid:105) of tokens for x . A timeline thus represents how a state variable changes over time in termsof a sequence of time intervals where the value of the variable keeps thesame value. Note that d ∈ N + , i . e ., the duration of tokens cannot be zero.Some notation will come useful to manipulate timelines and tokens. Forany token τ i = ( x, v i , d i ) in a timeline τ = (cid:104) τ , . . . , τ k (cid:105) , we define val ( τ i ) = v i and duration ( τ i ) = d i . Moreover, we can define the functions start - time ( τ, i ) = (cid:80) i − j =1 d j and end - time ( τ, i ) = start - time ( τ, i )+ d i , for all 1 ≤ i ≤ k , hence mappingeach token τ i to the corresponding [ start - time ( τ, i ) , end - time ( τ, i )) time interval(right extremum excluded). 
When there is no ambiguity about which timelinewe refer to, we write start - time ( τ i ) and end - time ( τ i ) to denote, respectively, start - time ( τ, i ) and end - time ( τ, i ). Note that two consecutive tokens can holdthe same value, in which case they are still treated as two distinct entities.This is sometimes forbidden in timeline-based systems, but we do not need toimpose this restriction.Figure 2.2 shows two example timelines for the state variables x p and x v .Note how the sequence of values in each timeline obeys the transition functionof the two variables as depicted in Figure 2.1.The time span of a timeline is called horizon . Definition 2.3 — Horizon of a timeline. The horizon of a timeline τ = (cid:104) τ , . . . , τ k (cid:105) is defined as H ( τ ) = end - time ( τ k ) .The horizon of an empty timeline τ is defined as H ( τ ) = 0 . Given a set of state variables SV , the set of all the timelines that can beformed over the variables in SV is denoted as T SV . Timeline-based planning 23 A plan , in timeline-based planning, is a set of timelines describing theevolution of the considered set of state variables. More precisely: Definition 2.4 — Plan. Let SV be a set of state variables. A plan over SV is a function π : SV → T SV that maps each variable to the timeline describing its behaviour, such that all thetimelines have the same horizon, i . e ., H ( π ( x )) = H ( π ( x (cid:48) )) for all x, x (cid:48) ∈ SV . We denote as H ( π ) the horizon of the plan, i . e ., the horizon of all thetimelines in the plan. Given a system described by a set of state variables, its behaviour over timeis governed by a set of temporal constraints called synchronisation rules . Theparticular syntactic structure of these rules is what shapes the computationalproperties of timeline-based planning, as shown in the next chapters.In what follows, let us choose an arbitrary set N = { a, b, . . . 
} of token names .The basic building blocks of the syntax of synchronisation rules are the atomictemporal relations, also called atoms . Definition 2.5 — Atomic temporal relation. A term over N is an expression matching the following grammar: (cid:104) term (cid:105) := t | start ( a ) | end ( a ) where t ∈ N and a ∈ N . Terms of the form t ∈ N are called timestamps .An atomic temporal relation , or atom , over N is an expression of the form: (cid:104) atom (cid:105) := (cid:104) term (cid:105) ≤ [ l,u ] (cid:104) term (cid:105) where l ∈ N and u ∈ N + ∞ . For brevity, the subscript of atoms is omitted if l = 0 and u = + ∞ . Atomicrelations can be subdivided in di ff erent kinds depending on their form. Definition 2.6 — Qualitative, unbounded and pointwise atoms. Let α ≡ T ≤ [ l,u ] T (cid:48) be an atomic temporal relation. Then, α is said to be unbounded if u = + ∞ and T (cid:48) is not a timestamp, and bounded otherwise. Moreover, an atomis pointwise if one of its terms is a timestamp. If a and b are two token names, then examples of atomic relations are start ( b ) ≤ start ( a ) ≤ [3 , end ( b ), and start ( a ) ≤ [0 , + ∞ ] start ( b ). Intuitively, atoken name a refers to a specific token in a timeline, and start ( a ) and end ( a )to its endpoints. Then, an atom such as start ( a ) ≤ [ l,u ] end ( b ) constrains a tostart before the end of b , and the distance between the two endpoints to becomprised between the lower and upper bounds l and u . Atomic relations aregrouped into quantified clauses called existential statements . Definition 2.7 — Existential statement. Given a set SV of state variables, an existential statement over SV is a statement ofthe following form: (cid:104) ex . statement (cid:105) := (cid:104) quantifier prefix (cid:105) . (cid:104) clause (cid:105)(cid:104) quantifier prefix (cid:105) := ∃ a [ x = v ] a [ x = v ] . . . a n [ x n = v n ] (cid:104) clause (cid:105) := (cid:104) atom (cid:105) ∧ (cid:104) atom (cid:105) ∧ . . . 
$\wedge\ \langle\text{atom}\rangle$

where $n \in \mathbb{N}$, $a_1, \ldots, a_n \in \mathcal{N}$, $x_1, \ldots, x_n \in SV$, and $v_i \in V_{x_i}$ for all $1 \le i \le n$. In an existential statement $E \equiv \exists a_1[x_1 = v_1] \ldots a_n[x_n = v_n].\, C$, all the token names appearing in the atoms inside $C$ that do not appear in the quantifier prefix are said to be free in $E$, and all those that do appear are said to be bound. An existential statement is closed if it does not contain free token names. Note that the quantifier prefix may as well be empty.

Finally, the syntax of synchronisation rules is defined as follows.

Definition 2.8 — Synchronisation rules. Given a set of state variables $SV$, a synchronisation rule over $SV$ is an expression matching the following grammar:

$\langle\text{body}\rangle := \langle\text{ex. statement}\rangle \vee \ldots \vee \langle\text{ex. statement}\rangle$
$\langle\text{rule}\rangle := a[x = v] \to \langle\text{body}\rangle$
$\langle\text{rule}\rangle := \top \to \langle\text{body}\rangle$

where $a \in \mathcal{N}$, $x \in SV$, $v \in V_x$, and the only token name appearing free in the body is $a$, and only in rules of the first form.

In rules of the first form, the quantifier in the head is called trigger, and rules of the second form are called triggerless rules. Intuitively, a synchronisation rule demands that whenever a token exists that satisfies the trigger, then at least one of the disjuncted existential statements must be satisfied, i.e., there must exist other tokens as specified in the quantifier prefix such that the corresponding clause is satisfied. Triggerless rules have a trivial universal quantification, which means they only demand the existence of some tokens, as specified by the existential statements. As an example, consider the timelines in Figure 2.2, and the following synchronisation rules:

$a[x_p = \mathrm{Comm}] \to \exists b[x_v = \mathrm{Visible}].\ \mathrm{start}(b) \le \mathrm{start}(a) \wedge \mathrm{end}(a) \le \mathrm{end}(b)$
$a[x_p = \mathrm{Science}] \to \exists b[x_p = \mathrm{Slewing}]\, c[x_p = \mathrm{Comm}].\ \mathrm{end}(a) = \mathrm{start}(b) \wedge \mathrm{end}(b) = \mathrm{start}(c)$

The first rule expresses an essential guarantee for the satellite system represented by the two example variables, namely that when the spacecraft is communicating with Earth, the ground station is visible. The timelines in the figure satisfy this constraint, since the time interval corresponding to the execution of the token where $x_p = \mathrm{Comm}$ is contained in the one of the token where $x_v = \mathrm{Visible}$. The second rule instructs the system to transmit data back to Earth after every measurement session, interleaved by the required slewing operation, and is as well satisfied in the example. A triggerless rule might instead be used to state the goal of the system, namely to perform some scientific measurement at all:

$\top \to a[x_p = \mathrm{Science}]$

Some simple syntactic sugar can be defined on top of the basic syntax. A strict version of unbounded atoms can be obtained by writing $T < T'$ to mean $T \le_{[1,+\infty]} T'$. Then, one can require two endpoints to coincide in time by writing $\mathrm{start}(a) = \mathrm{start}(b)$ instead of $\mathrm{start}(a) \le_{[0,0]} \mathrm{start}(b)$, and two tokens to coincide by writing $a = b$ instead of $\mathrm{start}(a) = \mathrm{start}(b) \wedge \mathrm{end}(a) = \mathrm{end}(b)$. More generally, all the Allen's interval relations [4] can be expressed in terms of these basic temporal relations, hence we can introduce abbreviations for each of them, as listed in Table 2.1.

Table 2.1: Allen's interval relations expressed in terms of atomic temporal relations

Allen's relation (syntax)    Desugaring
$a$ meets $b$                $\mathrm{end}(a) = \mathrm{start}(b)$
$a$ before $b$               $\mathrm{end}(a) \le \mathrm{start}(b)$
$a$ after $b$                $\mathrm{end}(b) \le \mathrm{start}(a)$
$a \subseteq b$              $\mathrm{start}(b) \le \mathrm{start}(a) \wedge \mathrm{end}(a) \le \mathrm{end}(b)$
$a$ overlaps $b$             $\mathrm{start}(a) \le \mathrm{start}(b) \wedge \mathrm{end}(a) \le \mathrm{end}(b) \wedge \mathrm{start}(b) \le \mathrm{end}(a)$

Moreover, to constrain the duration of a token we can write $\mathrm{duration}(a) = t$, $\mathrm{duration}(a) \le t$ and $\mathrm{duration}(a) \ge t$ instead of, respectively, $\mathrm{start}(a) \le_{[t,t]} \mathrm{end}(a)$, $\mathrm{start}(a) \le_{[0,t]} \mathrm{end}(a)$, and $\mathrm{start}(a) \le_{[t,+\infty]} \mathrm{end}(a)$.

Note that, in contrast to the relations shown in Table 2.1, one cannot express, within a single existential statement, the disjointness of two tokens, i.e., that one token appears either strictly after or strictly before another without overlap. That would need a disjunction, while clauses are purely conjunctive, and disjunction is admitted only at top level, between whole existential statements. In relation to this issue, it is worth noting that the syntax of synchronisation rules as defined above does not include negation. One can easily negate an unbounded atom $T \le T'$ by writing $T' < T$, but the negation of bounded atoms cannot generally be expressed without some sort of disjunction. The absence of negation and the limited use of disjunctions are the most important syntactic restrictions of synchronisation rules.

We will now formally define the semantics of synchronisation rules, to back up the intuition built in the previous sections, and then timeline-based planning problems will be defined. Let us start with atomic relations.

Definition 2.9 — Semantics of atomic relations. An atomic evaluation is a function $\lambda : \mathcal{N} \to \mathbb{N} \times \mathbb{N}$ that maps each token name $a$ to a pair $\lambda(a) = (s, e)$ of natural numbers. Given a term $T$ and an atomic evaluation $\lambda$, the evaluation of $T$ induced by $\lambda$, denoted $\llbracket T \rrbracket_\lambda$, is defined as follows:
• $\llbracket t \rrbracket_\lambda = t$ for any $t \in \mathbb{N}$;
• for any $a \in \mathcal{N}$, if $\lambda(a) = (s, e)$, then $\llbracket \mathrm{start}(a) \rrbracket_\lambda = s$ and $\llbracket \mathrm{end}(a) \rrbracket_\lambda = e$.

Given an atomic temporal relation $\alpha \equiv T \le_{[l,u]} T'$ and an atomic evaluation $\lambda$, we say that $\lambda$ satisfies $\alpha$, written $\lambda \models \alpha$, if and only if $l \le \llbracket T' \rrbracket_\lambda - \llbracket T \rrbracket_\lambda \le u$.

Given a clause $C \equiv \alpha_1 \wedge \ldots \wedge \alpha_k$, by extension we write $\lambda \models C$ if $\lambda \models \alpha_i$ for all $1 \le i \le k$. Atomic evaluations are extracted from tokens when trying to satisfy a whole existential statement.

Definition 2.10 — Semantics of existential statements. Let $\pi$ be a plan over a set of state variables $SV$, and consider an existential statement $E \equiv \exists a_1[x_1 = v_1] \ldots a_n[x_n = v_n].\, C$. A function $\eta : \mathcal{N} \to \mathrm{tokens}(\pi)$ mapping any token name to a token belonging to the plan $\pi$ is called token mapping. We say that $\pi$ satisfies $E$ with the token mapping $\eta$, written $\pi \models_\eta E$, if $\eta(a_i) = \tau_i$ such that $\tau_i \in \pi(x_i)$ and $\mathrm{val}(\tau_i) = v_i$, for all $1 \le i \le n$, and $\lambda \models C$ for an atomic evaluation $\lambda$ such that $\lambda(a_i) = (\mathrm{start\text{-}time}(\tau_i), \mathrm{end\text{-}time}(\tau_i))$ for all $1 \le i \le n$.

A whole synchronisation rule is satisfied by a plan if, whenever the trigger is satisfied, at least one of its existential statements is satisfied as well.

Definition 2.11 — Semantics of synchronisation rules. Let $\pi$ be a plan and let $R \equiv a[x = v] \to E_1 \vee \ldots \vee E_m$ be a synchronisation rule. We say that $\pi$ satisfies $R$, written $\pi \models R$, if for any token $\tau \in \pi(x)$, if $\mathrm{val}(\tau) = v$ then there is at least one of its existential statements $E_i$ and a token mapping $\eta$ such that $\eta(a) = \tau$ and $\pi \models_\eta E_i$. For a triggerless rule $R \equiv \top \to E_1 \vee \ldots \vee E_m$, $\pi \models R$ if there exist one $E_i$ and a token mapping $\eta$ such that $\pi \models_\eta E_i$.
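The semantics of Definitions 2.9 to 2.11, as a brute-force checker added here (not code from the thesis): it enumerates token mappings for each existential statement and evaluates the three example rules on a constructed plan that mimics the timelines of Figure 2.2; the token times of that plan and the value NotVisible for $x_v$ are assumptions.

```python
"""Semantics of synchronisation rules (Definitions 2.9 to 2.11), by brute force.

Added example, not code from the thesis.  The plan below is constructed to
mimic the timelines of Figure 2.2 (variables x_p and x_v); its token times
and the value NotVisible are assumptions made here for the illustration.
"""
from itertools import product

INF = float("inf")

# A scheduled token is (variable, value, start_time, end_time); a plan maps
# each state variable to its timeline, a list of tokens ordered in time.
PLAN = {
    "x_p": [("x_p", "Earth", 0, 10), ("x_p", "Slewing", 10, 15),
            ("x_p", "Science", 15, 40), ("x_p", "Slewing", 40, 45),
            ("x_p", "Comm", 45, 60), ("x_p", "Earth", 60, 80)],
    "x_v": [("x_v", "NotVisible", 0, 42), ("x_v", "Visible", 42, 70),
            ("x_v", "NotVisible", 70, 80)],
}

# Terms are an integer t or ("start", a) / ("end", a) for a token name a;
# an atom T <=_[l,u] T' is the tuple (T, l, u, T').
def start(a):
    return ("start", a)

def end(a):
    return ("end", a)

def atom(T, Tp, l=0, u=INF):
    return (T, l, u, Tp)

def equal(T, Tp):
    """Syntactic sugar: T = T' stands for T <=_[0,0] T'."""
    return atom(T, Tp, 0, 0)

def evaluate(term, lam):
    """[[T]]_lambda: integers evaluate to themselves, endpoints via lambda."""
    if isinstance(term, int):
        return term
    kind, name = term
    s, e = lam[name]
    return s if kind == "start" else e

def satisfies_clause(clause, lam):
    """lambda |= C iff l <= [[T']] - [[T]] <= u holds for every atom of C."""
    return all(l <= evaluate(Tp, lam) - evaluate(T, lam) <= u
               for (T, l, u, Tp) in clause)

def satisfies_statement(plan, prefix, clause, fixed):
    """pi |=_eta E for some token mapping eta that extends `fixed`.

    prefix is the quantifier prefix [(name, variable, value), ...]; every
    bound name ranges over the tokens of its variable holding its value,
    and lambda is read off the start and end times of the chosen tokens.
    """
    candidates = [[tok for tok in plan[x] if tok[1] == v]
                  for (_, x, v) in prefix]
    for choice in product(*candidates):
        lam = dict(fixed)
        lam.update({name: (tok[2], tok[3])
                    for (name, _, _), tok in zip(prefix, choice)})
        if satisfies_clause(clause, lam):
            return True
    return False

def satisfies_rule(plan, trigger, body):
    """pi |= R.  trigger is (a, x, v), or None for a triggerless rule;
    body is the list of existential statements as (prefix, clause) pairs."""
    if trigger is None:
        return any(satisfies_statement(plan, p, c, {}) for p, c in body)
    a, x, v = trigger
    for tok in plan[x]:
        if tok[1] != v:
            continue
        fixed = {a: (tok[2], tok[3])}  # eta(a) must be the triggering token
        if not any(satisfies_statement(plan, p, c, fixed) for p, c in body):
            return False
    return True

# The two triggered rules and the triggerless goal rule from the text.
COMM_NEEDS_VISIBILITY = (("a", "x_p", "Comm"), [
    ([("b", "x_v", "Visible")],
     [atom(start("b"), start("a")), atom(end("a"), end("b"))])])
SCIENCE_THEN_COMM = (("a", "x_p", "Science"), [
    ([("b", "x_p", "Slewing"), ("c", "x_p", "Comm")],
     [equal(end("a"), start("b")), equal(end("b"), start("c"))])])
GOAL_SOME_SCIENCE = (None, [([("a", "x_p", "Science")], [])])

def check_all(plan):
    """Evaluate the three example rules; a solution plan satisfies all."""
    return {name: satisfies_rule(plan, *rule) for name, rule in [
        ("comm", COMM_NEEDS_VISIBILITY), ("science", SCIENCE_THEN_COMM),
        ("goal", GOAL_SOME_SCIENCE)]}

if __name__ == "__main__":
    print(check_all(PLAN))  # all three rules hold on the constructed plan
```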
We can finally define the notion of timeline-based planning problems, and of which solution plans we are looking for.

Definition 2.12 — Timeline-based planning problem. A timeline-based planning problem is a pair $P = (SV, S)$, where $SV$ is a set of state variables, and $S$ is a set of synchronisation rules over $SV$.

We consider the size $|P|$ of a problem $P$ to be the length of any reasonable representation of $P$, with a binary encoding of numeric parameters.

Definition 2.13 — Solution plan. Let $P = (SV, S)$ be a timeline-based planning problem, and let $\pi$ be a plan over $SV$. Then, $\pi$ is a solution plan for $P$ iff $\pi \models R$ for all synchronisation rules $R \in S$.

The set of all the solution plans of a timeline-based planning problem $P$ is denoted as $\mathrm{plans}(P)$. Hence, given a timeline-based planning problem $P$, our problem is that of finding whether there exists a plan $\pi \models P$, i.e., if $\mathrm{plans}(P) \neq \emptyset$. This plan existence problem will be the main subject of most of the thesis.

It is worth noting that in the original definition by Cialdea Mayer et al. [44], timeline-based planning problems include a component $H$ which is a bound on the horizon of the aimed solutions. Here we omit this component, and consider a more general problem where no bound on the solutions horizon is set in advance. Nevertheless, the bounded-horizon variant is interesting since many application scenarios require or can take advantage of a known temporal horizon for the plan. Hence, we also define this variant, which will be studied in future chapters together with the more general one.

Definition 2.14 — Timeline-based planning problem with bounded horizon. A timeline-based planning problem with bounded horizon is a tuple $P = (SV, S, H)$ where $SV$ is a set of state variables, $S$ is a set of synchronisation rules over $SV$, and $H \in \mathbb{N}^+$ is a positive integer. A plan $\pi$ over $SV$ is a solution plan for $P$ if it is a solution plan for the timeline-based planning problem $P' = (SV, S)$ and $H(\pi) \le H$.

Here we have defined the deterministic variant of the problem, where there is no support for modelling the uncertainty coming from the interaction with the external world. Section 2.3 defines timeline-based planning problems with uncertainty, which account for this important feature.

Timeline-based planning with uncertainty

This section extends the definitions provided in the previous one with the notion of temporal uncertainty, defining timeline-based planning problems with uncertainty. The capability of handling such type of uncertainty, integrating the planning and execution phases, is one of the key features of timeline-based planning systems. The state-of-the-art approach to this issue among current timeline-based systems revolves around the notion of flexible timelines and, consequently, flexible plans.

[Figure 2.3: Example of flexible timeline $\tau_{x_p}$ and one of its instances $\tau'_{x_p}$, for the variable $x_p$ of Figure 2.1. The flexible timeline holds the values Earth, Slewing, Science, Slewing, Earth, with end-time ranges $[110, 120]$, $[140, 150]$, $[181, 200]$ and $[215, 233]$ for the first four tokens; the instance ends them at $115$, $148$, $185$ and $220$.]

A flexible timeline abstracts multiple different timelines that differ only for the precise timings of start and end of the tokens therein, embodying some temporal uncertainty about the events described by the timeline.

Definition 2.15 — Flexible token. A flexible token for a state variable $x$ is a tuple $\tau = (x, v, [e, E], [d, D])$, where $v \in V_x$, $[e, E] \in \mathbb{N} \times \mathbb{N}$ is the interval of possible end times of the token, and $[d, D] \in \mathbb{N} \times \mathbb{N}^+$ is the interval of possible token durations.

Definition 2.16 — Flexible timeline. A flexible timeline for a state variable $x$ is a finite sequence $\tau = \langle \tau_1, \ldots, \tau_k \rangle$ of flexible tokens $\tau_i = (x, v_i, [e_i, E_i], [d_i, D_i])$ for $x$, where $[e_1, E_1] = [d_1, D_1]$, $e_i \ge e_{i-1} + d_i$, and $E_i \le E_{i-1} + D_i$.

Hence, flexible timelines provide an uncertainty range for the end time and duration of each flexible token of the timeline. Note that each flexible token reports a range of its end time, rather than its start time, because in this way it can explicitly constrain its horizon. Tokens and timelines as defined in Definition 2.2 are also called scheduled tokens and scheduled timelines, when the context requires disambiguation. Similarly to the notation used for scheduled timelines, the set of all the possible flexible timelines for the set of state variables $SV$ is denoted as $\mathcal{F}_{SV}$.

Given a state variable $x = (V_x, T_x, D_x, \gamma_x)$, consider the controllability tag $\gamma_x$, which has been ignored in Section 2.2. The controllability tag tells, for each value of the domain of each variable, whether the duration of the tokens that hold the given value is under the control of the planner or not. Hence, a value $v \in V_x$ is said to be controllable if $\gamma_x(v) = c$, and uncontrollable if, otherwise, $\gamma_x(v) = u$.

Given a flexible timeline $\tau = \langle \tau_1, \ldots, \tau_k \rangle$, with $\tau_i = (x, v_i, [e_i, E_i], [d_i, D_i])$, a scheduled timeline $\tau' = \langle \tau'_1, \ldots, \tau'_k \rangle$, with $\tau'_i = (x, v'_i, d'_i)$, is an instance of $\tau$ if $d_i \le d'_i \le D_i$ and $e_i \le \mathrm{end\text{-}time}(\tau'_i) \le E_i$. Figure 2.3 shows an example of flexible timeline for the example state variable $x_p$ of Figure 2.1, and one of its instances.

We can now define the concept of flexible plan, which is an object more involved than just a set of flexible timelines.

[Figure 2.4: Example flexible timelines for two state variables $x$ and $y$, where not all the possible instances satisfy the synchronisation rule $a[x = v] \to \exists b[y = v'].\ \mathrm{end}(a) \le_{[0,\ldots]} \mathrm{start}(b) \vee \mathrm{end}(a) \le_{[5,\ldots]} \mathrm{start}(b)$. The upper part shows the token $\tau_x$ holding $v$ and the token $\tau_y$ holding $v'$; the lower part shows the instances $\tau'_x = \tau''_x$, $\tau'_y$ and $\tau''_y$.]

Definition 2.17 — Flexible plan. Given a set of state variables $SV$, a flexible plan over $SV$ is a pair $\Pi = (\pi, R)$, where $\pi : SV \to \mathcal{F}_{SV}$ is a function providing a flexible timeline $\pi(x)$ for each state variable $x$, and $R$ is a set of atoms (Definition 2.5) using as token names the set of tokens of the timelines in $\pi$.

Intuitively, the flexible plan $\Pi = (\pi, R)$ represents a set of instances of the flexible timelines of $\pi$ which, additionally, satisfy the constraints imposed by the atoms included in $R$.

Definition 2.18 — Instances of flexible plans. Let $\Pi = (\pi, R)$ be a flexible plan over $SV$. A plan $\pi'$ is an instance of $\Pi$ if $\pi'(x)$ is an instance of $\pi(x)$ for any $x \in SV$, and all the atoms $T \in R$ are satisfied by the atomic evaluation $\lambda$ such that $\lambda(\tau) = (\mathrm{start\text{-}time}(\tau), \mathrm{end\text{-}time}(\tau))$ for all tokens $\tau$ of $\pi(x)$ for any $x \in SV$.

To understand the need for the $R$ component in Definition 2.17, consider Figure 2.4, which shows two three-token flexible timelines $\tau_x$ and $\tau_y$ for two variables $x$ and $y$, that have to be constrained by the shown synchronisation rule. The lower part of the picture shows some example instances of the flexible timelines. Given how the token $\tau_x$ is instantiated, not all the possible instances of the timeline for $y$ are valid with regard to the considered rule. The first example instantiation, namely $\tau'_y$, violates the rule, while the second satisfies it. This happens because a simple set of flexible timelines misses the key information that $\tau_x$ cannot start before $\tau_y$. A flexible plan satisfying such a rule would then have to provide additional constraints ensuring this fact, such as $R = \{\mathrm{end}(\tau_x) = \mathrm{end}(\tau_y)\}$ or $R' = \{\mathrm{end}(\tau_x) \le_{[5,\ldots]} \mathrm{end}(\tau_y)\}$.

We can now define timeline-based planning problems with uncertainty, as an extension of the timeline-based planning problems of Definition 2.12.
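Before moving on, the instance relation of Definitions 2.16 and 2.18, checked on the flexible timeline of Figure 2.3, as an added example that is not code from the thesis: the duration ranges $[d_i, D_i]$, the end-time range of the final Earth token and the plan-level atoms $R$ are assumptions, since the figure shows only end-time ranges.

```python
"""Flexible timelines and instances of flexible plans (Definitions 2.16 to 2.18).

Added example, not code from the thesis.  The end-time ranges of the
flexible timeline for x_p are those shown in Figure 2.3; the duration
ranges [d, D], the range of the final Earth token and the plan-level atoms
R are assumptions made here, since the figure shows only end-time ranges.
"""
INF = float("inf")

# A flexible token is (variable, value, (e, E), (d, D)).
FLEX_XP = [
    ("x_p", "Earth",   (110, 120), (110, 120)),  # [e1,E1] = [d1,D1]
    ("x_p", "Slewing", (140, 150), (20, 35)),
    ("x_p", "Science", (181, 200), (30, 50)),
    ("x_p", "Slewing", (215, 233), (20, 35)),
    ("x_p", "Earth",   (240, 260), (10, 30)),    # assumed range
]

def is_flexible_timeline(ft):
    """Definition 2.16: [e1,E1] = [d1,D1], e_i >= e_{i-1} + d_i and
    E_i <= E_{i-1} + D_i for every later token."""
    if not ft or ft[0][2] != ft[0][3]:
        return False
    for (_, _, (e_prev, E_prev), _), (_, _, (e, E), (d, D)) in zip(ft, ft[1:]):
        if not (d <= D and e <= E and e >= e_prev + d and E <= E_prev + D):
            return False
    return True

def schedule(values_durations):
    """Scheduled timeline from (value, duration) pairs, as tokens
    (value, start_time, end_time); the first token starts at time 0."""
    toks, now = [], 0
    for v, dur in values_durations:
        toks.append((v, now, now + dur))
        now += dur
    return toks

def is_instance(scheduled, ft):
    """Instance relation of Section 2.3: d_i <= d'_i <= D_i and
    e_i <= end-time(tau'_i) <= E_i for each token (same value assumed)."""
    if len(scheduled) != len(ft):
        return False
    for (v, s, end_t), (_, fv, (e, E), (d, D)) in zip(scheduled, ft):
        if v != fv or not (d <= end_t - s <= D) or not (e <= end_t <= E):
            return False
    return True

# Atoms of R: T <=_[l,u] T' as (T, l, u, T'), with terms ("start"|"end",
# (variable, index)) naming the tokens of the flexible timelines.
def science_min_duration(n):
    """R = { start(tau_3) <=_[n,+inf] end(tau_3) }, i.e. duration(tau_3) >= n."""
    return [(("start", ("x_p", 2)), n, INF, ("end", ("x_p", 2)))]

def evaluate(term, plan):
    if isinstance(term, int):
        return term
    kind, (x, i) = term
    _, s, e = plan[x][i]
    return s if kind == "start" else e

def is_plan_instance(plan, flex_plan):
    """Definition 2.18: every timeline is an instance and every atom of R
    holds under lambda(tau) = (start-time(tau), end-time(tau))."""
    pi, R = flex_plan
    if set(plan) != set(pi) or not all(is_instance(plan[x], pi[x]) for x in pi):
        return False
    return all(l <= evaluate(Tp, plan) - evaluate(T, plan) <= u
               for (T, l, u, Tp) in R)

FLEX_PLAN = ({"x_p": FLEX_XP}, science_min_duration(35))
# The instance tau'_{x_p} of Figure 2.3 (final Earth duration assumed).
INSTANCE_FIG23 = {"x_p": schedule([("Earth", 115), ("Slewing", 33),
                                    ("Science", 37), ("Slewing", 35),
                                    ("Earth", 30)])}

if __name__ == "__main__":
    print(is_flexible_timeline(FLEX_XP),
          is_plan_instance(INSTANCE_FIG23, FLEX_PLAN))
```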
Wefirst provide the definition of problems and of flexible solution plans , and thendiscuss in detail their meaning and structure. Definition 2.19 — Timeline-based planning problem with uncertainty. A timeline-based planning problem with uncertainty is defined as a tuple P = ( SV C , SV E , S, O ) where:1. SV C and SV E are sets of, respectively, the controlled and external variables;2. S is a set of synchronisation rules over SV C ∪ SV E ;3. O = ( π E , R E ) is a flexible plan, called the observation , specifying the beha-viour of external variables. Definition 2.20 — Flexible solution plan. Let P = ( SV C , SV E , S, O ) , with O = ( π E , R E ) , be a timeline-based planning problemwith uncertainty. A flexible solution plan for P is a flexible plan Π = ( π, R ) over SV C ∪ SV E such that:1. Π agrees with O , i . e ., π ( x ) = π E ( x ) for each x ∈ SV E , and R E ⊆ R ;2. the plan does not restrict the duration of uncontrollable tokens, i . e ., forany state variable x and any flexible token τ = ( x, v, [ e, E ] , [ d, D ]) in π ( x ) , if γ x ( v ) = u , then d = d x = vmin and D = d x = vmax ;3. any instance of π is a solution plan for the timeline-based planning problem P (cid:48) = ( SV C ∪ SV E , S ) , and there is at least one such instance. The definitions above are worth a detailed explanation. Timeline-basedplanning problems with uncertainty consider two di ff erent sources of uncer-tainty: the behaviour of external variables , and the duration of uncontrollabletokens . In contrast to the simple problems without uncertainty defined inDefinition 2.12, the set of state variables is split into the controlled variables SV C and the external variables SV E . The behaviour of external variables cannot beconstrained by the planner in any way, hence any solution plan is constrainedto replicate the flexible timelines given by the observation O , which is a flexibleplan describing their behaviour. 
It is worth to note that being O a flexible plan,there is temporal uncertainty on the start and end time of the involved tokens,but the behaviour of the variables is otherwise known beforehand to the plan-ner. Despite the name, borrowed from [44], the observation O is more an a priori description of how the external variables will be have during the executionof the plan, up to the given temporal uncertainty on the precise timing of the Timeline-based planning with uncertainty 31 events. The intended role of the external variables, then, is not much that ofindependent components interacting independently with the planned system,but rather, of external entities useful to represents given facts and invariantsthat the planner has to account for during the search for a solution.As an example, consider a satellite seeking the right time to transmitdata to Earth. When modelling this scenario as a timeline-based planningproblem with uncertainty, the window of visibility of Earth’s ground stationscan be represented as an external variable with a suitable observation : the exacttiming of when each station will e ff ectively become visible is probably goingto be uncertain up to some flexibility interval, but otherwise, the visibilityand availability slots of each ground station to be used by that satellite haveprobably been already scheduled for the next months to come, and the plannerdoes not have to account for any variability in that regard.The second source of temporal uncertainty considered comes from tokensholding uncontrollable values . The duration of such tokens cannot be decidedby the planner, hence their minimum and maximum duration in the flexibilityrange of the timeline has to coincide with that specified by the duration func-tion of the variable. The planner can, however, decide which tokens to start andwhen, on controlled variables, even if γ x ( v ) = u . The uncontrollability is thusspecifically limited to the duration of the token. 
It is worth to note how theformalism has intentionally been tailored to consider only temporal uncertainty ,both with regards to external variables and to uncontrollable tokens. Timeline-based planning is an approach specifically targeted at the integrationbetween the planning phase and the execution of the plan. In this regard, itis important to ensure that, once a flexible plan is found for a timeline-basedplanning problem with uncertainty, the plan can be e ff ectively executed. Thisis not a trivial requirement given the presence of uncontrollable tokens, whoseduration is decided during execution and is unknown beforehand. Indeed,Definition 2.17 ensures that any scheduled instance of the plan is a solutionfor the problem, but does not guarantee that (1) such an instance exists for anypossible choice of the duration of uncontrollable tokens, and (2) at any time dur-ing the execution, the correct choice to keep following an instance of the plandepends only on events already happened and information already known.For this reason, we have to speak about the controllability of flexible plans, i . e ., the property of being e ff ectively executable by a controller. There are threemajor kinds of controllability properties that one may want to ensure on aflexible plan, depending on the application, informally defined as follows. Weak controllability For any possible choice of the duration of uncontrollable tokens, there is an instance of the flexible plan respecting that choice. Strong controllability There is a single way of instantiating controllable tokensthat results into a valid instance of the flexible plan, no matter which isthe duration of uncontrollable ones. Dynamic controllability A strategy exists to choose how to instantiate eachtoken, which, at any given point in time, can keep the execution in a validinstance of the plan, based only on what happened before that time.The formal definitions that will follow are borrowed from Cialdea Mayer etal. 
[44] as all the rest of this chapter. However, concepts and terminology comesfrom further back to the works on simple temporal networks with uncertainty (STNU) [138], which face very similar problems.Intuitively, weak controllability just ensures that the plan can be executed ifthe environment behaviour is known beforehand . This is clearly an unrealisticassumption, but can arise for example in the context of embedded deviceswith very little processing power but the possibility of storing in some formof ROM how to behave in correspondence of a pre-defined set of situations. Strong controllability , on the other hand, requires a single sequence of choicesto always work regardless of the environment behaviour, which is still a quiterare luxury, but is nevertheless a useful guarantee to enforce in many safety-critical scenarios, as for example to ensure the existence of blind reset-to-home sequences in robotics. Finally, dynamic controllability , the concept whichwe are mostly interested in, designates a properly reactive scenario, wherethe controller can step-by-step decide what to do responding to how theenvironment behaved up to that point, ensuring in any the satisfaction ofthe problem constraints.Let us now recap in formal terms the above concepts. The full and com-prehensive formal framework can be found in [44]. Here, we just give a fewcompact definitions useful to frame the results of the next chapters.Recall that the set of tokens of all the timelines of a plan is denoted as tokens ( π ). We extend this notation denoting as tokens ( Π ) the set of tokens ofall the timelines of a flexible plan, and specifically, as tokens U ( Π ) the set of uncontrollable tokens of Π , and as tokens C ( Π ) the set of controllable tokens of Π . Definition 2.21 — Situation. Given a flexible plan Π = ( π, R ) , a situation for Π is a function ω : tokens U ( Π ) → N assigning a duration to each uncontrollable token of Π . 
A situation represents the choices of the environment regarding the dura-tion of uncontrollable tokens, both of controlled and external variables. Givena flexible plan Π = ( π, R ), we denote as ω ( Π ) the set of instances of Π wherethe duration of uncontrollable tokens corresponds to what dictated by ω . Timeline-based planning with uncertainty 33 Regarding the external variables, any considered situation should respectthe observation given by the planning problem. In other words, since the prob-lem provides the behaviour of the external variable up to temporal uncertainty,and the executor is allowed to assume that things will evolve as stated, we onlyconsider situations that fall into the uncertainty left by the problem. Definition 2.22 — Relevant situation. Given a timeline-based planning problem P = ( SV C , SV E , S, O ) , with O = ( π E , R E ) and a flexible plan Π = ( π, R ) , a situation ω is said to be relevant if any instance of Π in ω ( Π ) satisfies the constraints of R E . Let us denote as Ω Π the set of relevant situations for Π . If situations repres-ent the decisions of the environment regarding the duration of uncontrollabletokens, then scheduling functions are the corresponding counterpart of thecontroller, deciding how to execute the whole plan. Definition 2.23 — Scheduling function. Given a timeline-based planning problem P = ( SV C , SV E , S, O ) and a flexible plan Π = ( π, R ) for P , a scheduling function for Π is a map θ : tokens ( Π ) → N providing an end time for each token in Π , such that the resulting scheduled plan θ ( Π ) is an instance of Π . Let us denote as T Π the set of scheduling functions for a flexible plan Π .Hence, the task of the controller is that of deciding which scheduling functionto apply in any given situation. This formalises the notion of execution strategy .Note that, while situations assign durations to tokens, a scheduling functionassigns their end times , including those of uncontrollable tokens. 
Of course, itis not the job of the controller to decide the duration of uncontrollable tokens,hence any chosen scheduling function must agree with the current situation. Definition 2.24 — Execution strategy. Given a flexible plan Π = ( π, R ) , an execution strategy for P is a map σ : Ω Π → T Π such that, given θ = σ ( ω ) for any ω ∈ Ω Π , if τ is an uncontrollable token of θ ( Π ) ,then duration ( τ ) = ω ( τ ) . Finally, we can now formally define the di ff erent concepts of controllabilityintroduced above. We start from the first two simpler ones. Definition 2.25 — Weak and strong controllability. Let Π be a flexible plan. Then, Π is:1. weakly controllable if there exists any execution strategy σ for Π ;2. strongly controllable if there is any execution strategy σ for Π such that σ ( ω ) = σ ( ω (cid:48) ) for each ω, ω (cid:48) ∈ Ω Π . Now, to formally define dynamic controllability , we need a way to talk aboutwhat happened up to a certain time , during the execution, or, equivalently, to represent which information the execution strategy can rely on to inform itsdecisions. To this aim, given a scheduling function θ , let θ Let Π be a flexible plan. Let σ be an execution strategy for Π , let ω, ω (cid:48) ∈ Ω Π be tworelevant situations, and τ ∈ tokens C ( Π ) be a controllable token in Π . Moreover, let σ ( ω ) = θ , σ ( ω (cid:48) ) = θ (cid:48) , and t = θ ( τ ) . Then:1. σ is a dynamic execution strategy if θ XPRESSIVENESS OFTIMELINE-BASED PLANNING We begin our investigation of theoretical properties of timeline-based plan-ning by answering some questions about the expressiveness of timeline-basedplanning languages. In particular, we compare timeline-based planning with arepresentative of action-based temporal planning languages, showing that theformer is expressive enough to capture the latter. CONTENTS Timeline-based planning has evolved through the years in relative isolationwith regards to more mainstream approaches to planning. 
As a result, thereare at present no results directly comparing timeline-based and action-basedplanning languages in terms of expressiveness. The question of which domainscan be compactly expressed in a formalism instead of the other is both ofpractical relevance and of theoretical interest. Given the exclusive focus oftimeline-based planning on temporal reasoning , the ideal candidate for thiscomparison is clearly the paradigm of temporal planning , usually representedby the features introduced in PDDL 2.1, i . e ., actions with a given duration , thatcan execute concurrently, possibly overlapping in time [59]. This kind of plan-ning problems have been proved to be EXPSPACE -complete by Rintanen [119].Indeed, earlier work provided a translation of temporal PDDL into NDDL, thetimeline-based modelling language adopted by the EUROPA 2 system [16].However, the translation was specific to the two languages.In this chapter, instead, we compare the two approaches using the formalframework described in Chapter 2 as a representative of a broad family oftimeline-based languages. In his complexity analysis of temporal planning,Rintanen [119] defined a streamlined formal language for describing temporalplanning domains, which subsumes the key temporal features of PDDL 2.1.Here, we take this language as a representative of action-based temporal plan-ning, for our expressiveness comparison with timeline-based languages. In par-ticular, we show that any problem expressed in Rintanen’s language can be ex-pressed by a suitable timeline-based planning problem, as per Definition 2.12.In this and in most of the next chapters, we choose to consider preferably compact translations, i . e ., such that the size of the resulting problem is at mostpolynomial in the size of the translated one. From a pure expressivenessperspective, any kind of translation would su ffi ce, but it would be of very littleinterest. 
Instead, here we provide a compact translation that, moreover, canbe produced in polynomial time, hence having also a precise computationalmeaning: a reduction between the two plan existence problems, that allows us toobtain a result of EXPSPACE -hardness for timeline-based planning, providinga starting point for the developments of Chapter 4.This translation is provided in Section 3.3. Before diving into it, the nextsection provides a number of useful results investigating the expressivenessof the synchronisation rules syntax. In particular, we show how a number offeatures of the formalism can be regarded as syntactic sugar. These resultsprovide some hints about how expressive the language of synchronisationrules is, with their limitations and their potential. Moreover, they simplify theexposition of all the subsequent chapters. Expressiveness of synchronisation rules 39 The language of synchronisation rules used in timeline-based planning prob-lems is at the same time highly constrained from a syntactic point of view, andquite rich in expressive power. Because of this syntactic richness, it can bedi ffi cult at times to recognise which features are really important and whichare just convenient. In Chapter 2, we already pointed out some syntactic sugarthat can be put on top of the basic syntax, and Section 3.3 will study theexpressiveness of the formalism when compared with common action-basedplanning languages. Here, we point out a few results, instrumental for thenext chapters, which show how certain syntactic features included in the baseformalism are not essential and can be regarded as syntactic sugar as well.Since the following results require the translation of some problems intoothers, we need to define precisely which kinds of translation we are consider-ing. Intuitively, we say that a problem embeds into another if all the solutionsof the former can be extracted from the solutions of the latter. Definition 3.1 — Embedding of problems. 
Let P = ( SV , S ) and P (cid:48) = ( SV (cid:48) , S (cid:48) ) be two timeline-based planning problems. We saythat P embeds into P (cid:48) (and P (cid:48) can be projected into P ) if there exists a polynomi-ally computable projection function f : plans ( P (cid:48) ) → plans ( P ) such that for any π ∈ plans ( P ) there exists a π (cid:48) ∈ plans ( P (cid:48) ) such that f ( π (cid:48) ) = π ( i . e ., f is surjective ). Two problems are equivalent if one can be embedded into the other and viceversa with a bijective projection function.Hence, some syntactic features of the formalism can be considered as notessential if a problem that uses such feature can be embedded into one thatdoes not. An essential requirement of Definition 3.1 is that of consideringonly translations for which a polynomially computable projection function isavailable. This restriction is essential to ensure the definition is meaning-ful: otherwise, any problem would be embeddable into any other problemwith a set of solutions of the same cardinality. That would technically fit thedefinition, despite being completely useless. However, there are no a priori restrictions on the size of one problem compared to the other. Although all thefollowing results provide polynomial translations, a translation producing, e . g .,an exponentially bigger problem (while perhaps easier to solve), could verywell be interesting to study, from the point of view of the expressive power.Pointwise atoms are simple examples of such non-essential features. Theorem 1 — Removal of pointwise atoms.Let P = ( SV , S ) be a timeline-based planning problem. Then, P can be translated,in polynomial time, into an equivalent problem P (cid:48) = ( SV (cid:48) , S (cid:48) ) that does not makeuse of pointwise atoms in any synchronisation rule of S (cid:48) . Proof. P (cid:48) is built from P by adding an extra state variable x ⊥ = ( V x ⊥ , D x ⊥ , T x ⊥ )such that V x ⊥ = {⊥} , T x ⊥ ( ⊥ ) = ∅ , and D x ⊥ = (0 , + ∞ ). 
The extra variable has thusonly one value, whose tokens cannot have any successor but can be arbitrarilylong. Hence, any solution of P (cid:48) can only have a timeline for x ⊥ consisting of asingle token with x ⊥ = ⊥ starting at time 0 and ending at the end of the wholesolution. Now, let E ≡ ∃ a [ x = v ] . . . a n [ x n = v n ] . C be an existential statementwhere C contains a pointwise atom α ≡ T ≤ [ l,u ] t (resp., α ≡ t ≤ [ l,u ] T ). We canget rid of α by adding a ⊥ [ x ⊥ = ⊥ ] to the quantifier prefix of E , and replacing α with the atom start ( x ⊥ ) ≤ [ t − u,t − l ] T (resp., start ( x ⊥ ) ≤ [ t + l,t + u ] T ), where t − u is understood to be zero (resp., + ∞ ) if u = + ∞ . Any solution plan π for P can be extracted from the corresponding solution π (cid:48) of P (cid:48) by simply ignoringthe timeline for the extra x ⊥ variable, hence P embeds into P (cid:48) , and π (cid:48) can beobtained back from π by adding the only possible timeline for x ⊥ , hence P (cid:48) embeds into P as well, and the two problems are equivalent .A similar argument allows us to avoid triggerless rules . Theorem 2 — Removal of triggerless rules.Let P = ( SV , S ) be a timeline-based planning problem. Then, P can be translated,in polynomial time, into an equivalent problem P (cid:48) = ( SV (cid:48) , S (cid:48) ) such that S (cid:48) doesnot contain any triggerless rule. Proof. Similarly to the proof of Theorem 1, we can add to SV (cid:48) a variable x ⊥ suchthat V x ⊥ = {⊥} T x ⊥ ( ⊥ ) = ∅ , and D x ⊥ = (0 , + ∞ ), such that the timeline for x ⊥ isconstrained to only have a single token as long as the entire plan. Then, anytriggerless rule R ≡ (cid:62) → E ∨ . . . ∨ E n in S can be translated into the triggeredone R (cid:48) ≡ a ⊥ [ x ⊥ = ⊥ ] → E ∨ . . . 
∨ E n , which adds an always-satisfied trigger.Then, the projection function is trivially built by simply ignoring the timelinefor x ⊥ , and is easily invertible, hence the two problems are equivalent.Another simple translation can flatten the duration function of state vari-ables, by expressing the same constraints using synchronisation rules. Definition 3.2 — Trivial duration function. Let x = ( V x , T x , D x ) be a state variable. The duration function D x is trivial if D x ( v ) = (0 , + ∞ ) for all v ∈ V x . Theorem 3 — Removal of non-trivial duration functions.Let P = ( SV , S ) be a timeline-based planning problem. Then, P can be translated,in polynomial time, into an equivalent problem P (cid:48) = ( SV (cid:48) , S (cid:48) ) such that any statevariable x ∈ SV (cid:48) has a trivial duration function. Proof. The problem P (cid:48) = ( SV (cid:48) , S (cid:48) ) can be obtained by adding to P = ( SV , S ) anumber of synchronisation rules, one for each v ∈ V x in each variable x ∈ SV such that D x ( v ) = ( d x = vmin , d x = vmax ), with d x = vmin (cid:44) d x = vmax (cid:44) + ∞ and then setting D x ( v ) = (0 , + ∞ ). The added rule has the following form: a [ x = v ] → duration ( a ) ≥ d x = vmin ∧ duration ( a ) ≤ d x = vmax Expressiveness of synchronisation rules 41 where the second conjunct is omitted if d x = vmax = + ∞ . Then, a solution for P (cid:48) isdirectly a solution for P as well, and vice versa , hence the projection function isthe identity, up to renaming of variables, and the two problems are equivalent.A few words are worth spending on the time complexity of this translation.Since it iterates over all the values of the domain of each variables, one may atfirst suppose that an exponential number of iterations are needed. However, theinput contains the representation of the transition function T x of each variable x , that has to specify some subset of V x for each v ∈ V x . 
This implies that the input length is of the same order of magnitude as the cardinality of the domains, and thus iterating over each element of such domains takes linear time.

In contrast to the removal of duration functions shown in Theorem 3, removing transition functions is trickier.

Definition 3.3 — Trivial transition function.
Let x = (V_x, T_x, D_x) be a state variable. The transition function T_x is trivial if T_x(v) = V_x for all v ∈ V_x.

Theorem 4 — Removal of non-trivial transition functions.
Let P = (SV, S) be a timeline-based planning problem. Then, P can be translated, in polynomial time, into an equivalent problem P′ = (SV′, S′) such that any state variable x ∈ SV′ has a trivial transition function.

Proof. We need to express the fact that, for each token where a certain variable x holds a given value v, either the plan ends or the subsequent token has to hold one of the allowed values. However, we cannot reference the end of the plan in that way without using a non-trivial transition function, as in the proof of Theorem 1. Hence, we have to go the other way around: for any token for x, either it is the first token, or it is an allowed successor of its predecessor. More formally, we build P′ by turning the transition functions into trivial ones and adding the following rule for each x ∈ SV and each v ∈ V_x:

  a[x = v] → start(a) = 0 ∨ ⋁_{v′ ∈ V_x, v ∈ T_x(v′)} ∃ b[x = v′]. b meets a

Here, again, the solutions for P′ are trivially solutions for P as well, and vice versa, and the two problems are equivalent.

It is worth noting that, in contrast to Theorem 3, the translation shown in Theorem 4 makes use of pointwise atoms (albeit a rather specific one).
Without them, there is no way for a rule to reference the start of the whole plan, which is needed in order to encode transition functions where T_x(v) = ∅ for some v. Hence, while both Theorems 1 and 4 hold, they cannot be combined to remove the use of both pointwise atoms and non-trivial transition functions. The same applies to Theorem 2 as well, which does not seem to be provable without the use of non-trivial transition functions.

All the translations above involve a very simple manipulation of variables, with the addition of some rules at most, and the solutions of the translated problems were mostly already solutions for the original one. The following is an example of a more involved translation where the shape of the problem is changed more evidently, motivating the generality of Definition 3.1.

Theorem 5 — Restriction to binary variables.
Let P = (SV, S) be a timeline-based planning problem. Then, P can be translated, in polynomial time, into an equivalent problem P′ = (SV′, S′) that contains only binary variables, i.e., V_x = {0, 1} for each x ∈ SV′.

Proof. Let P = (SV, S) be a timeline-based planning problem, with a state variable x = (V_x, T_x, D_x) ∈ SV with domain V_x = {v_1, …, v_k}. We can construct an equivalent problem P′ = (SV′, S′) where x has been replaced by a suitable number of binary state variables x_1 = (V_1, T_1, D_1), …, x_k = (V_k, T_k, D_k). Note that we cannot simply replace each value of the variables' domains with its binary encoding, since manipulating that would require applying a universal quantification over multiple variables at once, which is not possible. Instead, we need to use a unary encoding, with one variable for each possible value that x can hold. Synchronisation rules are then introduced to ensure that x_i = 1 holds in a solution of P′ if and only if x = v_i holds in the corresponding solution for P.
However, as before, iterating over the values of the variables' domains can be done in linear time thanks to the presence of the transition functions as part of the input.

As a first step, a set of rules is introduced to ensure mutual exclusion between the binary variables, so for all v_i ∈ V_x:

  a_i[x_i = 1] → ∃ a_1[x_1 = 0] … a_k[x_k = 0] (except a_i). ⋀_{j=1, j≠i}^{k} a_i = a_j

Transition and duration functions T_x and D_x have to be transferred to the new variables. By Theorem 3 we can suppose, without loss of generality, that the duration function is trivial. The transition function has to be encoded through the use of additional synchronisation rules. Hence, for each i = 1, …, k we set T_i(v) = {0, 1}, and we add the following rule:

  a_i[x_i = 1] → ⋁_{j = 1, …, k, v_j ∈ T_x(v_i)} ∃ a_j[x_j = 1]. end(a_i) ≤[0,0] start(a_j)

All the synchronisation rules of the original problem have to be translated to speak about the newly introduced binary variables. So each appearance of a token quantifier of the form a[x = v_i], both in a trigger or in an existential statement, is replaced with one of the form a[x_i = 1]. For example:

  a[x = v_i] → ∃ b[x = v_j]. C

is replaced by:

  a[x_i = 1] → ∃ b[x_j = 1]. C

The projection function to obtain a solution for P given one for P′ is less trivial than in the other cases, but it is not complex. Each group of timelines for variables x_1, …, x_k is translated into a timeline for x with the value given by the binary variable currently set.
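Both projection functions of Theorem 5, from a timeline for the k-valued variable x to its k binary timelines and back, together with the mutual-exclusion and transition checks that the rules above enforce, as an added Python example that is not part of the thesis. The (value, duration) token format, the sample variable and its transition function are constructed here.

```python
"""Theorem 5, unary encoding of a k-valued state variable into binary ones.
Added example, not code from the thesis.  A timeline is a list of
(value, duration) tokens laid contiguously from time 0 (constructed format)."""

# Constructed sample: variable x with V_x = {idle, heat, cool} and a transition
# function T_x under which heat and cool must return to idle.
VALUES = ["idle", "heat", "cool"]
T_X = {"idle": {"idle", "heat", "cool"}, "heat": {"idle"}, "cool": {"idle"}}
X_TIMELINE = [("idle", 3), ("heat", 2), ("idle", 1), ("cool", 4)]


def to_binary(timeline, values=VALUES):
    """Projection P -> P': one timeline per value v_i, holding 1 exactly on the
    tokens where x = v_i.  Every token of x yields a token of every x_i with the
    same extent, which is what the rule a_i[x_i = 1] -> ... a_i = a_j demands."""
    return {v: [(1 if tv == v else 0, d) for tv, d in timeline] for v in values}


def from_binary(group, values=VALUES):
    """Projection P' -> P.  Rebuilds the timeline for x from the binary group,
    rejecting groups the synchronisation rules would not accept: tokens that
    are not coextensive, or a token where the number of x_i set to 1 is not 1."""
    counts = {len(group[v]) for v in values}
    if len(counts) != 1:
        raise ValueError("binary timelines have different numbers of tokens")
    timeline = []
    for j in range(counts.pop()):
        durations = {group[v][j][1] for v in values}
        if len(durations) != 1:
            raise ValueError(f"token {j}: binary tokens are not coextensive")
        ones = [v for v in values if group[v][j][0] == 1]
        if len(ones) != 1:  # mutual exclusion: exactly one x_i = 1
            raise ValueError(f"token {j}: {len(ones)} variables set, expected 1")
        timeline.append((ones[0], durations.pop()))
    return timeline


def respects_transitions(timeline, T=T_X):
    """The transition rule a_i[x_i = 1] -> OR_{v_j in T_x(v_i)} exists a_j[x_j = 1].
    a_i meets a_j, checked on the reconstructed timeline: each token's
    successor holds a value allowed by T_x."""
    return all(nxt in T[cur]
               for (cur, _), (nxt, _) in zip(timeline, timeline[1:]))


def round_trip_ok(timeline=X_TIMELINE):
    """Both projections compose to the identity on a well-formed timeline."""
    return from_binary(to_binary(timeline)) == timeline


def broken_group_rejected():
    """A group where 'heat' is also set on the first token violates mutual
    exclusion and is rejected by the inverse projection."""
    group = to_binary(X_TIMELINE)
    group["heat"][0] = (1, 3)  # constructed violation of the exclusion rule
    try:
        from_binary(group)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(to_binary(X_TIMELINE))
    print(round_trip_ok(), respects_transitions(X_TIMELINE), broken_group_rejected())
```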
The encoding is two-way, hence the opposite projection is possible as well, and the two problems are equivalent.

These results, although simple, show both the features and the limitations of the synchronisation rules syntax. The absence of negation, the limited use of disjunctions, and the fixed ∀∃* quantification structure concur to obtain a peculiar tool, and will be crucial for the work shown in the following chapters.

Timelines vs actions

This section studies the relationship between timeline-based planning languages, represented by the formal language defined in Chapter 2, and action-based planning languages, commonly represented by the PDDL [99] language. The goal is to compare the expressiveness of the two approaches to the modelling of planning problems.

We focus on deterministic timeline-based planning problems, as defined in Section 2.2, as uncertainty will be added to the picture in Chapter 5. Given the explicit focus on temporal reasoning of timeline-based planning, the natural action-based counterpart consists in temporal planning languages such as PDDL 2.1 [59], which adds to PDDL the explicit concept of time, and durative actions, i.e., actions with a specified time duration.

Rather than directly studying PDDL itself, however, we take a more streamlined language as a representative of action-based planning languages, which is formally easier to define. The considered language was introduced by Rintanen [119] to study the computational complexity of the problem of plan existence for such kinds of planning domains. First, Rintanen's language will be recalled, and then we will show how any temporal planning problem can be expressed by a suitable timeline-based planning problem, with a translation preserving the set of solutions.

Here we recall the definition of the action-based temporal planning language that will be used in our comparison with timeline-based planning. In the following, we will refer to problems in this language simply as temporal planning problems.
It can be thought of as an extension of a classical STRIPS-like planning language, where preconditions of actions can involve any state traversed during the execution of the plan rather than only the current one. The approach to the modelling of actions is, in some sense, opposite to that of PDDL. Instead of modelling the future effects of something that is being done now (e.g., starting an action), the language focuses on what has to happen at the current time point if some preconditions involving the past hold (i.e., the action started). Preconditions are expressed as formulae whose syntax is defined as follows.

Definition 3.4 — Precondition formula.
Let Σ be a set of proposition letters. A precondition formula over Σ is any expression produced by the following grammar:

  φ := p | ¬φ | φ ∧ φ | φ ∨ φ | [i..j] φ

where p ∈ Σ and i, j ∈ ℤ with i ≤ j.

The set of all the precondition formulae over Σ is denoted as F_Σ. Precondition formulae are made of standard propositional logic connectives with the addition of a temporal operator [i..j] φ that states that φ must hold in all time points from i to j steps from now. The formula [i..i] φ is written in short as [i] φ.

In Rintanen's original definition, precondition formulae were restricted to talk about the past only. For example, the formula [−i](p ∧ [3] q), for some i ≥ 3, contains the subformula [3] q, but it refers only to time points in the past as it is equivalent to [−i] p ∧ [3−i] q. Our encoding does not need this restriction.

Definition 3.5 — Temporal planning problem.
Let Σ be a set of proposition letters. A literal over Σ is either p or ¬p, with p ∈ Σ. A temporal planning problem over Σ is a tuple P = (A, I, O, R, D, G), where:
1. A ⊆ Σ is a finite set of proposition letters, called fluents;
2. I ⊆ A is a subset of A representing the fluents true at the initial state;
3. O ⊆ Σ is a finite set of proposition letters, called actions (or operators);
4.
R : O → F_Σ is a function that maps each action to its precondition;
5. D is the domain, i.e., a finite set of rules of the form r = (φ, E), where φ is a precondition formula and E is a set of literals over A;
6. G ∈ F_Σ is a precondition formula that specifies the goal condition.

Intuitively, a rule r = (φ, E) states that whenever φ holds at time point i, the literals in E become true at time point i + 1, while all the other proposition letters preserve their truth. The truth of precondition formulae at each time point depends both on the truth value of fluents and on which actions are being executed (i.e., the corresponding proposition letters hold) at that point, hence by choosing different actions we obtain different outcomes, depending on which rules are triggered. An action o can be executed at any given time point i only if it is applicable, i.e., if its precondition R(o) is true at i. It can be seen [119] that this language can model durative actions, conditional effects, and many other common features of PDDL 2.1.

To formally define this intuitive meaning, let us first give a semantics to precondition formulae. Given a temporal planning problem P = (A, I, O, R, D, G), let Σ = A ∪ O. A trace for P is a finite sequence σ = ⟨σ_0, …, σ_n⟩ of states σ_i ⊆ Σ, meaning that the proposition letter p ∈ Σ holds at time i if and only if p ∈ σ_i.

Definition 3.6 — Semantics of precondition formulae.
Let P = (A, I, O, R, D, G) be a temporal planning problem, φ a precondition formula over Σ, σ a trace for P, and i ∈ ℕ. We define when σ satisfies φ at time i, written σ ⊨_i φ, as follows:
1. σ ⊨_i p iff i ≥ 0 and p ∈ σ_i;
2. σ ⊨_i ¬φ iff σ ⊭_i φ;
3. σ ⊨_i φ_1 ∧ φ_2 iff σ ⊨_i φ_1 and σ ⊨_i φ_2;
4. σ ⊨_i φ_1 ∨ φ_2 iff σ ⊨_i φ_1 or σ ⊨_i φ_2;
5. σ ⊨_i [j..k] φ iff σ ⊨_{i+h} φ for all j ≤ h ≤ k.
Precondition formulae predicate over future and past states, looking both at which fluents held and which actions were executing at any given time. Apart from the temporal operator, the semantics follows that of propositional logic. In particular, we can define some common shorthands, such as ⊤ ≡ p ∨ ¬p for some p ∈ Σ, and ⊥ ≡ ¬⊤.

A plan over some set of actions O is a sequence O = ⟨O_0, …, O_n⟩ of sets of actions O_i ⊆ O. How a plan O for a problem P gets executed is defined as follows.

Definition 3.7 — Execution trace of a plan.
Let P = (A, I, O, R, D, G) be a temporal planning problem, and let O = ⟨O_0, …, O_n⟩ be a plan over O. The execution trace of O for P is a trace σ = ⟨σ_0, …, σ_{n+1}⟩ defined as follows, for each 0 ≤ i ≤ n:
1. a ∈ σ_0 iff a ∈ I;
2. o ∈ σ_i iff o ∈ O_i;
3. σ ⊨_i R(o) for all o ∈ σ_i, i.e., the preconditions of actions are satisfied;
4. a ∈ σ_{i+1} if there exists a rule r = (φ, E) ∈ D such that σ ⊨_i φ and a ∈ E, or if a ∈ σ_i and there is no such rule such that ¬a ∈ E;
5. a ∉ σ_{i+1} if there exists a rule r = (φ, E) ∈ D such that σ ⊨_i φ and ¬a ∈ E, or if a ∉ σ_i and there is no such rule such that a ∈ E.

Elements of A were called state variables in [119], but we change terminology here to not conflict with the state variables of timeline-based planning problems. The original semantics given in [119] also defines the truth value of fluents at negative time points, giving them the same truth value as the initial state. This arbitrary choice, however, is not essential in the proofs given there, nor for ours, so we adopt a more standard semantics.

Note that Items 4 and 5 of Definition 3.7 are defined in such a way that if there is no enabled rule affecting a given fluent, its truth value remains unchanged from the previous state.
Note that the kind of planning problems that we are defining are deterministic, hence the two conditions conflict if two rules affect the same fluent in opposite ways. In this case, it means some actions have conflicting effects, and the execution trace for such a plan does not exist.

Definition 3.8 — Solution plan.
A solution plan for a temporal planning problem P = (A, I, O, R, D, G) is a plan O = ⟨O_0, …, O_n⟩ that, when executed, reaches a state that satisfies the goal G, i.e., such that the execution trace σ of O over P exists and σ ⊨_{n+1} G.

The original motivation for the introduction of this language was the study of the computational complexity of temporal planning problems. In this regard, Rintanen [119] proves that, given a temporal planning problem P = (A, I, O, R, D, G), deciding whether there exists a solution plan for P is EXPSPACE-complete.

We will now show how any temporal planning problem, as per Definition 3.5, can be polynomially encoded into a timeline-based planning problem, preserving the solutions.

The first step is to introduce a simplification of the syntax of Rintanen's temporal planning language, which can be applied without changing its complexity nor its expressive power. In particular, we show that temporal operators of the form [i] φ are sufficient to compactly express any general temporal formula [i..j] φ, i.e., that any problem can be rewritten to only use temporal operators of the former kind with at most a polynomial increase in size. As remarked previously, we are concerned with finding translations that preserve solutions, i.e., such that there is a bijection between the solutions of the translation and those of the original problem, when restricted to the original alphabet.
Hence, given two temporal planning problems P = (A, I, O, R, D, G) and P′ = (A′, I′, O′, R′, D′, G′), P′ is a translation of P if, for any plan O′ over O′, O′ is a solution plan for P′ if and only if its restriction to O is a solution plan for P.

Lemma 3.9 — Simplification of temporal operators.
Any temporal planning problem can be compactly translated into another one that only makes use of temporal formulae of the form [i] φ.

Proof. Let P = (A, I, O, R, D, G) be a temporal planning problem. We will translate it into a problem P′ = (A′, I′, O′, R′, D′, G′) whose precondition formulae only make use of temporal operators of the form [i] φ, equal to P except for what follows. First, observe that [i..j] φ ≡ [j][i−j..0] φ and that [0] φ ≡ φ, thus we can suppose w.l.o.g. that all the occurrences of temporal operators are either already of the simple form [i] φ or of the form [i..0] φ, for i < 0. For any formula φ that appears inside an occurrence of a temporal operator, let [k_1..0] φ, …, [k_n..0] φ be all such occurrences, and let k = max{−k_1, …, −k_n} + 1. The core idea is to encode a counter that increments at each step throughout the execution of the plan, from zero up to a maximum of k (and stays at k afterwards), but resets to zero every time ¬φ holds. Then, to know if [k_i..0] φ holds it is sufficient to check if the counter is greater than −k_i.

The value of the counter c_φ for the formula φ, in short only c from now on, is represented in binary notation by additional actions c_0, …, c_{w−1} ∈ O′ (c_0 the least significant), where w = ⌈log(k + 1)⌉ + 1. What follows will use a few shorthands for basic formulae that assert useful facts about the counter:
1.
The formula c = n, for n < k, asserts the current value of the counter, and is simply a conjunction of literals asserting the truth value of the single bits of n. The formula c ≠ n is a shorthand for ¬(c = n).
2. The formula c < n compares the current value of c with a constant value n. This shorthand can be defined recursively on the number w of bits of the counter. We can suppose w.l.o.g. that n can be represented in at most the same w bits as c, since otherwise any formula c < n with n > 2^w − 1 is simply ⊤. Let ⟨b_0 … b_{w−1}⟩ be the bits of n (represented in the formulae as ⊤ for 1, ⊥ for 0). For w = 1, c_0 < b_0 is just ¬c_0 ∧ b_0. For w > 1, ⟨c_0 … c_{w−1}⟩ < ⟨b_0 … b_{w−1}⟩ is defined as:

  (c_{w−1} < b_{w−1}) ∨ (c_{w−1} ↔ b_{w−1} ∧ ⟨c_0 … c_{w−2}⟩ < ⟨b_0 … b_{w−2}⟩)

Then, c < n is just ⟨c_0 … c_{w−1}⟩ < ⟨b_0 … b_{w−1}⟩. Moreover, the shorthands c > n, c ≥ n and c ≤ n are defined as one may expect.
3. The formula inc(c) asserts that the counter has incremented its value since the previous step, i.e., if c currently holds the value n, then at the previous step it held the value n − 1, and vice versa. Again, it can be defined recursively on the number w of bits. For w = 1, inc(c) is simply [−1] c_0 ↔ ¬c_0. For w > 1, inc(⟨c_0 … c_{w−1}⟩) is defined as the conjunction of the following three formulae:

  [−1] c_0 ↔ ¬c_0
  [−1] c_0 → inc(⟨c_1 … c_{w−1}⟩)              (if the lsb is set, it carries to the other bits)
  ¬[−1] c_0 → ⋀_{i=1}^{w−1} (c_i ↔ [−1] c_i)     (otherwise, they remain unchanged)

With these formulae in place we can write a rule that enforces the counter to increase at each step if less than k, stay still when it reaches k, and reset to zero whenever ¬φ holds. For this purpose we introduce an additional fluent f_c ∈ A′ that we will set to true at the initial state and that we require to be true in the goal condition.
In other words, we define I′(f_c) = 1 and G′ ≡ G ∧ f_c. This flag will be set to false by the following rule, to invalidate the plan whenever the counter does not behave as intended. The rule is thus (¬ψ, {¬f_c}), where ψ is the following formula:

  ψ ≡ ([−1](φ ∧ c < k) → inc(c))    (1)
      ∧ ([−1](φ ∧ c = k) → c = k)    (2)
      ∧ ([−1] ¬φ → c = 0)            (3)

The first clause says that if at the previous step φ was true and the counter had not reached its maximum value, then an increment took place. The second clause says that if φ was true but the counter had reached the maximum value, it stayed the same. Finally, the third clause states that if φ did not hold at the previous step, then the counter had to be reset to zero. Since this rule sets f_c to false whenever ψ is false, any plan containing a sequence of states where the counter does not behave as wanted is rejected. However, any plan that was valid before is still valid now, once the truth values for the new actions and the new fluents are added accordingly. With the counter in place, we can rewrite any formula of the form [k_i..0] φ as the formula c_φ > −k_i, stating that the steps passed since the last time φ was false are more than −k_i.

Note that this encoding only adds a constant number of rules and a single new fluent for each formula φ that appears inside a temporal operator. The size of the precondition formula for the new rule is polynomial in the number of bits used to represent k_1, …, k_n, thus polynomial in the size of the input.

Note that Lemma 3.9, as an immediate consequence, implies that it is possible to obtain a negated normal form for precondition formulae, that is, for each formula φ there is an equivalent one nnf(φ) where negations are only applied to proposition letters (either fluents or actions). nnf(φ) can be obtained as for propositional logic as far as boolean connectives are concerned, and by observing that ¬[i] φ ≡ [i] ¬φ.
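The semantics of Definition 3.6 and the counter construction of Lemma 3.9 (the shorthands c = n, c < n and inc(c), and the rule formula ψ), as an added Python example that is not part of the thesis. It checks, on a constructed trace, that ψ holds at every step exactly when the counter bits track the number of consecutive past steps at which φ held (capped at k), and that a corrupted counter is caught; φ is taken to be a plain letter, and by assumption no letter holds at time points outside the trace.

```python
"""Definition 3.6 semantics and the counter of Lemma 3.9.
Added example, not code from the thesis.  Formulas are nested tuples;
traces are lists of sets of proposition letters (constructed below)."""
import math
from functools import reduce

# ---- syntax (Definition 3.4) ----
def atom(name):    return ("p", name)
def neg(f):        return ("not", f)
def both(f, g):    return ("and", f, g)
def either(f, g):  return ("or", f, g)
def box(i, j, f):  return ("box", i, j, f)   # [i..j] f
def at(i, f):      return box(i, i, f)        # [i] f
TOP = either(atom("_t"), neg(atom("_t")))     # T ≡ p ∨ ¬p
BOT = neg(TOP)                                # ⊥ ≡ ¬T
def conj(fs):      return reduce(both, fs, TOP)
def implies(f, g): return either(neg(f), g)
def iff(f, g):     return either(both(f, g), both(neg(f), neg(g)))

# ---- semantics (Definition 3.6); assumption: no letter holds outside the trace ----
def holds(trace, i, f):
    kind = f[0]
    if kind == "p":   return 0 <= i < len(trace) and f[1] in trace[i]
    if kind == "not": return not holds(trace, i, f[1])
    if kind == "and": return holds(trace, i, f[1]) and holds(trace, i, f[2])
    if kind == "or":  return holds(trace, i, f[1]) or holds(trace, i, f[2])
    _, lo, hi, g = f
    return all(holds(trace, i + h, g) for h in range(lo, hi + 1))

# ---- counter shorthands of Lemma 3.9, bits c0 (least significant) .. c{w-1} ----
def bit(b):        return atom(f"c{b}")
def bits(n, w):    return [(n >> b) & 1 for b in range(w)]

def c_eq(n, w):
    """c = n: conjunction of literals fixing every bit of the counter."""
    return conj([bit(b) if v else neg(bit(b)) for b, v in enumerate(bits(n, w))])

def c_lt(n, w):
    """c < n, recursive on the width exactly as in the thesis."""
    if n >= 2 ** w:                      # n needs more than w bits: always true
        return TOP
    bs = [TOP if v else BOT for v in bits(n, w)]
    def lt(width):                       # <c0..c{width-1}> < <b0..b{width-1}>
        cb, bb = bit(width - 1), bs[width - 1]
        if width == 1:
            return both(neg(cb), bb)
        return either(both(neg(cb), bb), both(iff(cb, bb), lt(width - 1)))
    return lt(w)

def inc(w):
    """inc(c): the counter is one more than it was at the previous step."""
    def inc_from(lo):                    # inc over bits lo .. w-1
        flip = iff(at(-1, bit(lo)), neg(bit(lo)))
        if lo == w - 1:
            return flip
        carry = implies(at(-1, bit(lo)), inc_from(lo + 1))   # lsb was set: carry
        keep = implies(neg(at(-1, bit(lo))),                 # otherwise unchanged
                       conj([iff(bit(b), at(-1, bit(b))) for b in range(lo + 1, w)]))
        return conj([flip, carry, keep])
    return inc_from(0)

def psi(phi, k, w):
    """The formula psi whose violation sets the flag f_c to false, clauses (1)-(3)."""
    return conj([implies(at(-1, both(phi, c_lt(k, w))), inc(w)),      # (1)
                 implies(at(-1, both(phi, c_eq(k, w))), c_eq(k, w)),  # (2)
                 implies(at(-1, neg(phi)), c_eq(0, w))])              # (3)

# ---- constructed trace: phi is a plain letter, the bits follow the intended counter ----
PHI, K = atom("phi"), 5
W = math.ceil(math.log2(K + 1)) + 1      # w = ceil(log(k+1)) + 1, here 4 bits
PHI_VALUES = [1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1]

def counter_trace(phi_values=PHI_VALUES, k=K, w=W):
    trace, c = [], 0
    for t, v in enumerate(phi_values):
        if t > 0:                        # increment (capped at k) or reset, as psi demands
            c = min(k, c + 1) if phi_values[t - 1] else 0
        trace.append(({"phi"} if v else set()) | {f"c{b}" for b in range(w) if (c >> b) & 1})
    return trace

TRACE = counter_trace()

def counter_value(trace, i, w=W):
    return sum(1 << b for b in range(w) if f"c{b}" in trace[i])

def steps_since_false(trace, i, phi=PHI, k=K):
    """Reference value: consecutive past steps at which phi held, capped at k."""
    n = 0
    while n < k and holds(trace, i - 1 - n, phi):
        n += 1
    return n

def psi_holds_everywhere(trace, phi=PHI, k=K, w=W):
    """True iff psi holds at every time point, i.e. f_c would never be reset."""
    return all(holds(trace, i, psi(phi, k, w)) for i in range(len(trace)))

def corrupted_trace():
    """The same trace with the counter wrongly reset at step 6 (constructed violation)."""
    bad = [set(s) for s in counter_trace()]
    bad[6] = {"phi"}
    return bad
```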
Note also that [i](φ_1 ∧ φ_2) ≡ [i] φ_1 ∧ [i] φ_2 and [i](φ_1 ∨ φ_2) ≡ [i] φ_1 ∨ [i] φ_2, hence any formula can also be translated to an equivalent one where all the temporal operators are pushed down to be applied only to literals.

Now we can show how to encode any temporal planning problem into a corresponding timeline-based planning problem. As always, we are interested in translations that produce problems of size polynomial in the size of the original problem, and that preserve all its solutions.

Theorem 6 — Timelines can capture action-based temporal planning.
Let P = (A, I, O, R, D, G) be a temporal planning problem. A timeline-based planning problem P′ = (SV, S) can be built in polynomial time such that there is a one-to-one relation between solution plans for P and solution plans for P′.

Proof. Let P = (A, I, O, R, D, G) be a temporal planning problem. Thanks to Lemma 3.9, we can assume w.l.o.g. that all the temporal operators that appear in the precondition formulae of the rules in D and in all the action preconditions in R are of the form [i] φ. Moreover, we can assume that all the aforementioned formulae are in negated normal form, and that all the temporal operators are pushed down to literals. We will now translate P into a timeline-based problem P′ = (SV, S) in a solution-preserving way. Let F be a set of formulae built as follows:
1. φ ∈ F for each subformula φ of each precondition formula from the rules in D and of each precondition R(o), with o ∈ O;
2. for each p ∈ A ∪ O, p ∈ F and ¬p ∈ F;
3. for each p ∈ A, [±1] p ∈ F and [±1] ¬p ∈ F;
4. for each rule (φ, E) ∈ D, [−1] φ ∈ F;
5. for each formula φ ∈ F, nnf(¬φ) ∈ F.

The set of state variables SV for P′ contains a state variable x_φ for each φ ∈ F. Each of these state variables is boolean (i.e., its domain is the set {0, 1}), and its duration is fixed to a unitary length, that is, D(v) = (1, 1) for each v ∈ {0, 1}.
The transition function does not impose any constraint, so T(v) = {0, 1} for v ∈ {0, 1}. For each p ∈ A ∪ O, the value of the state variable x_p will describe the execution trace of P at a given time point, with each unitary token corresponding to a single state. A set of suitable synchronisation rules will ensure that each state variable x_φ will be true (resp., false) only when the corresponding formula φ would be true (resp., false) given the truth values of the literals. To implement this behaviour for conjunctions, for each formula φ ∧ ψ appearing in F, there will be two rules as follows:

  a[x_{φ∧ψ} = 1] → ∃ b[x_φ = 1] c[x_ψ = 1]. a = b ∧ a = c
  a[x_{φ∧ψ} = 0] → ∃ b[x_{nnf(¬(φ∧ψ))} = 1]. a = b

The first rule above ensures that whenever we have an interval where φ ∧ ψ holds, then both φ and ψ hold over that interval. The second rule handles the case where the formula is false, and it delegates the work to the rules governing the variable for its negation. The negated formula does not appear directly because all the formulae in F are in negated normal form, hence a rule to handle negation is unnecessary. Negations are instead handled at the bottom level on literals, with rules connecting the tokens of x_p, for each letter p, with the tokens of its negation x_{¬p}. So for each literal ℓ over letters p ∈ A ∪ O we have:

  a[x_ℓ = 1] → ∃ b[x_{¬ℓ} = 0]. a = b
  a[x_ℓ = 0] → ∃ b[x_{¬ℓ} = 1]. a = b

The rules for disjunctions are symmetrical to those for conjunctions:

  a[x_{φ∨ψ} = 1] → ∃ b[x_φ = 1]. a = b ∨ ∃ b[x_ψ = 1]. a = b
  a[x_{φ∨ψ} = 0] → ∃ b[x_{nnf(¬(φ∨ψ))} = 1]. a = b

The last kind of formula to handle is the temporal operator. For a formula [i] ℓ, for some literal ℓ, the rules have to ensure that whenever the corresponding variable is true in an interval, then ℓ holds at i time steps after that point (or before, if i is negative).
This is easily expressed as:

  a[x_{[i]ℓ} = 1] → ∃ b[x_ℓ = 1]. start(a) ≤[i,i] start(b)

if i ≥ 0, and similarly, if i < 0:

  a[x_{[i]ℓ} = 1] → ∃ b[x_ℓ = 1]. start(b) ≤[i,i] start(a)

With this infrastructure in place, the timelines of the problem now encode the truth of all the formulae involved in the description of the execution trace of any solution plan for P, so it is possible to encode the rules of the problem itself. Recall that each rule (φ, E) specifies that every time the precondition φ is satisfied, the literals in E must be true at the next step. This is equivalent to saying that every time φ is satisfied, the formula ⋀_{ℓ∈E} [1] ℓ holds, and it can thus be expressed as follows, where ℓ_1, …, ℓ_n ∈ E:

  a[x_φ = 1] → ∃ a_1[x_{[1]ℓ_1} = 1] … a_n[x_{[1]ℓ_n} = 1]. a = a_1 ∧ ⋯ ∧ a = a_n

Since we are encoding a deterministic planning problem, it is also implicit that every literal not explicitly changed by a rule has to preserve its truth value. Additional synchronisation rules are required to ensure this inertia. These rules say that if a literal holds a given value at the current time point, it either had the same value at the previous step, or a precondition of some rule involving it was true, causing its change. A special case is needed for the first time point, which has no predecessor. In detail, for every literal ℓ over A, let φ_1, …, φ_n be the preconditions of all the rules r_i = (φ_i, E_i) such that ℓ ∈ E_i. Then, the inertia for literal ℓ can be expressed as follows:

  a[x_ℓ = 1] → start(a) = 0 ∨ ∃ b[x_{[−1]ℓ} = 1]. a = b ∨ ⋁_{i=1}^{n} ∃ b[x_{[−1]φ_i} = 1]. a = b

In a similar way, it is possible to encode the preconditions of actions, so that when actions are performed their preconditions are ensured to hold. For each action o ∈ O, we have:

  a[x_o = 1] → ∃ b[x_{R(o)} = 1].
a = b

At this point, the domain of the problem is completely encoded by the synchronisation rules of the timeline-based planning problem, and it is now sufficient to express the initial state and the goal condition. Let ℓ_1, …, ℓ_n ∈ I be the literals asserted by the initial state, and G be the formula that describes the goal condition. They are encoded by the following triggerless synchronisation rules:

  ⊤ → ∃ a_1[x_{ℓ_1} = 1] … a_n[x_{ℓ_n} = 1]. start(a_1) = 0 ∧ … ∧ start(a_n) = 0
  ⊤ → ∃ a[x_G = 1]. ⊤

This step completes the encoding. The timelines for the variables x_o, with o ∈ O, from any solution plan π for P′ encode a solution plan O for the temporal planning problem P. Moreover, it can be seen that building P′ can be done in polynomial time as stated, since it only involves iterating over the elements of F, whose size is linear in the size of P. In particular, the size of the encoded problem is polynomial as well.

Theorem 6 proves that any temporal planning problem can be encoded by a timeline-based planning problem preserving all its solutions. In its statement we stressed the fact that the encoding can be produced in polynomial time. Although complexity-theoretic considerations will be the topic of Chapter 4, the EXPSPACE-completeness of temporal planning shown by Rintanen [119] allows us to already state the following immediate consequence of Theorem 6.

Corollary 3.10
Let P be a timeline-based planning problem. Deciding whether there exists a solution plan for P is EXPSPACE-hard.

In this chapter, we started our formal investigation of timeline-based planning by showing that the formal language described in Chapter 2 is expressive enough to capture action-based temporal planning.
This result compares the two paradigms, setting a starting point for subsequent developments.

It is important to note that the translation provided in the proof of Theorem 6 requires a quite restricted set of features among those supported by the general formalism. In particular, note the absence of unbounded atoms. On the other hand, since temporal planning problems can have solutions of length even doubly exponential in the size of the problem [119], a translation targeting timeline-based planning problems with bounded horizon (Definition 2.14) would not be possible. This fact is worth noting, since work on timeline-based planning often considers the bounded horizon variant of the problem.

COMPLEXITY OF TIMELINE-BASED PLANNING

With basic expressiveness issues settled in the previous chapter, we move to study the computational complexity of the problem of plan existence for a given timeline-based planning problem. We prove that finding whether a solution plan exists is EXPSPACE-complete, and becomes NEXPTIME-complete if a bound on the solution horizon is given. In doing that, we make use of the conceptual framework based on the notion of rule graph, a structure that allows us to decompose and better reason about synchronisation rules. The concept is developed here and extensively employed in the rest of the thesis. Then, we define and approach the problem of finding infinite solution plans, a variant that was not considered in the literature before. The problem is proved to be EXPSPACE-complete as well, employing a different automata-theoretic argument that sheds light on the problem from an alternative perspective.

How hard a problem is to solve is maybe the most common question that immediately comes to mind to anyone confronted with a new computational task. Analysing the computational complexity of a problem answers this question from a precise formal perspective. For action-based planning formalisms, this issue has been addressed in many forms.
The basic classical planning problem has been proved to be PSPACE-complete [24], but has also been studied in greater detail: fixed-parameter tractable fragments have been studied [11], and strict time and space bounds have been identified [10]. The complexity of most of the many extensions to the classical planning problem has been classified as well, from the EXPSPACE-completeness of temporal planning discussed in Chapter 3 [119], to the many variants of nondeterministic and probabilistic planning problems [91, 92, 93, 102, 118].

In contrast, timeline-based planning lacks any result regarding the computational complexity of its related decision problems. This chapter provides the first results in this direction.

In particular, we prove that finding a solution plan for timeline-based planning problems, as per Definition 2.12, is EXPSPACE-complete. Since we already know that the problem is EXPSPACE-hard from the encoding of action-based temporal planning shown in Chapter 3 (Corollary 3.10), it is sufficient here to show a decision procedure that can solve the problem in an exponential amount of space. To exhibit such a procedure, we introduce and make use of the notion of rule graphs, a graph representation of synchronisation rules that allows us to better decompose and reason about rules. In particular, the decomposition of rule graphs into a particular kind of connected components allows us to define a particular data structure, called matching record, that can completely represent the current state of a plan in a compact way. Matching records allow us to derive a small-model result, which provides a doubly-exponential upper bound on the size of solution plans for a given timeline-based planning problem, and to exhibit a decision procedure that, thanks to such an upper bound, can be proved to require at most an exponential amount of space.
Rule graphs and matching records are essential in our proof, but they also provide a solid foundation to reason about synchronisation rules and their semantics, which will be exploited in subsequent chapters as well (Chapters 5 and 7, in particular). Then, we consider two different variants of the problem. First, deciding whether a solution plan exists for timeline-based planning problems with bounded horizon (Definition 2.14) is proved to be NEXPTIME-complete. Membership in the class can be easily shown by adapting the procedure for the general case, while hardness is proved by a reduction from a certain kind of tiling problem. Then, a different automata-theoretic perspective is explored, showing how a nondeterministic finite automaton can be built that accepts only the language of words suitably representing the solution plans of a given problem. Such a construction provides an alternative proof of the above results, but by adapting it to build a Büchi automaton, we prove that finding an infinite solution plan for a given problem is EXPSPACE-complete as well.

The chapter is structured as follows. At first, we introduce rule graphs and the surrounding conceptual framework in Section 4.2. Then, Section 4.3 defines matching records and uses them to prove the doubly exponential upper bound on the size of solution plans, which is then used to prove the EXPSPACE-completeness of the problem. The NEXPTIME-completeness of the case with bounded horizon is proved thereafter. Then, Section 4.4 establishes the complexity of the problem over infinite solution plans, exploiting a different automata-theoretic argument, and Section 4.5 wraps up the chapter with final remarks and ideas for future lines of work.
4.2 Structure of synchronisation rules

This section defines and explores the concept of rule graph, which will be essential in the development of the following complexity analysis, and extensively employed in the following chapters as well. Without loss of generality, in this chapter we make a few assumptions that simplify the exposition considerably. In particular, we can assume that any considered timeline-based planning problem does not make use of pointwise atoms (Theorem 1 in Chapter 3), has no triggerless rules (Theorem 2), and only makes use of trivial duration functions (Theorem 3).

In what follows, it will come in useful to represent plans in a form more suitable for manipulation. In particular, instead of focusing on the single timelines as building blocks, plans can be flattened into a single sequence of events that mark the start or the end of tokens.

Definition 4.1 — Event sequence. Let $SV$ be a set of state variables. Let $\mathcal{A}_{SV}$ be the set of all the terms, called actions, of the form $start(x, v)$ or $end(x, v)$, where $x \in SV$ and $v \in V_x$. An event sequence over $SV$ is a sequence $\mu = \langle \mu_1, \ldots, \mu_n \rangle$ of pairs $\mu_i = (A_i, \delta_i)$, called events, where $A_i \subseteq \mathcal{A}_{SV}$ is a (possibly empty) set of actions and $\delta_i \in \mathbb{N}^+$, such that, for any $x \in SV$:
1. for all $1 \le i \le n$, if $start(x, v) \in A_i$ for some $v \in V_x$, then there is no $start(x, v')$ in any $\mu_j$ with $i < j < k$, where $\mu_k$ is the closest event after $\mu_i$ such that $end(x, v) \in A_k$ (if any);
2. for all $1 \le i \le n$, if $end(x, v) \in A_i$ for some $v \in V_x$, then there is no $end(x, v')$ in any $\mu_j$ with $k < j < i$, where $\mu_k$ is the closest event before $\mu_i$ such that $start(x, v) \in A_k$ (if any);
3. for all $1 \le i < n$, if $end(x, v) \in A_i$ for some $v \in V_x$, then $start(x, v') \in A_i$ for some $v' \in V_x$;
4. for all $1 < i \le n$, if $start(x, v) \in A_i$ for some $v \in V_x$, then $end(x, v') \in A_i$ for some $v' \in V_x$.
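The following Python program is an added example, not code from the thesis: it checks the four conditions of Definition 4.1 on a constructed event sequence (the one of Figure 4.1 below), reports for each variable whether the sequence is open or closed on either side (the notions of Definition 4.2 below), and recovers the tokens of each timeline, identified by the indices of their start and end events, together with the time $\delta_{1,i}$ of each event. The encoding of an event as a pair of an action set and a delay, and all function names, are assumptions of the example.

```python
# Event sequences (Definition 4.1), their open/closed sides (Definition 4.2)
# and the tokens they represent, run on the sequence of Figure 4.1.
# Added example; the encoding is an assumption of this example: an event is
# (actions, delta) with actions a set of ("start"|"end", variable, value).
from collections import defaultdict


def check_event_sequence(mu, variables):
    """Definition 4.1: True iff mu is a well-formed event sequence over `variables`.

    Per variable, tokens must be properly nested (at most one open at a time, an
    end closing the value that was started) and, except at the two ends of the
    sequence, every end(x, .) comes with a start(x, .) in the same event and vice
    versa. Empty events are allowed, as the text notes; every delta_i is positive.
    """
    n = len(mu)
    if any(delta < 1 for _, delta in mu):
        return False
    for x in variables:
        open_value, touched = None, False
        for i, (actions, _) in enumerate(mu):
            ends = {v for kind, y, v in actions if y == x and kind == "end"}
            starts = {v for kind, y, v in actions if y == x and kind == "start"}
            if not ends and not starts:
                continue
            if len(ends) > 1 or len(starts) > 1 or ends & starts:
                return False  # one token of x per event; no token of null duration
            if ends and not starts and i < n - 1:
                return False  # condition 3: an end inside the sequence comes with a start
            if starts and not ends and i > 0:
                return False  # condition 4: a start inside the sequence comes with an end
            if ends:
                v = ends.pop()
                if open_value is None and touched:
                    return False  # an end while no token of x is open (conditions 1, 2)
                if open_value is not None and open_value != v:
                    return False  # the end must close the token that was started
                open_value = None
            if starts:
                if open_value is not None:
                    return False  # condition 1: no start before the open token ends
                open_value = starts.pop()
            touched = True
    return True


def open_sides(mu, variables):
    """Definition 4.2: variable -> (open on the left, open on the right)."""
    sides = {}
    for x in variables:
        kinds = []
        for actions, _ in mu:
            # within one event the end precedes the start ("end" < "start")
            kinds += sorted(kind for kind, y, _ in actions if y == x)
        sides[x] = (bool(kinds) and kinds[0] == "end", bool(kinds) and kinds[-1] == "start")
    return sides


def event_times(mu):
    """delta_{1,i} for every event: time elapsed since mu_1 (delta_1 is ignored)."""
    times, t = [], 0
    for i, (_, delta) in enumerate(mu):
        t += delta if i > 0 else 0
        times.append(t)
    return times


def tokens(mu):
    """The timelines of pi_mu: variable -> tokens (value, start index, end index),
    indices 1-based as in the text, None for the missing endpoint of an open token."""
    plan, open_token = defaultdict(list), {}
    for i, (actions, _) in enumerate(mu, start=1):
        for kind, x, v in sorted(actions):  # ends of an event before its starts
            if kind == "end":
                start_index, _ = open_token.pop(x, (None, v))
                plan[x].append((v, start_index, i))
            else:
                open_token[x] = (i, v)
    for x, (i, v) in open_token.items():
        plan[x].append((v, i, None))
    return dict(plan)


# Constructed input: the event sequence of Figure 4.1 (delta_1 is arbitrary).
MU = [
    ({("start", "x", 0), ("start", "y", 0)}, 1),
    ({("end", "y", 0), ("start", "y", 3)}, 2),
    ({("end", "x", 0), ("start", "x", 2)}, 2),
    ({("end", "x", 2), ("start", "x", 1)}, 2),
    ({("end", "x", 1), ("end", "y", 3), ("start", "x", 3), ("start", "y", 2)}, 2),
    ({("end", "x", 3), ("end", "y", 2)}, 2),
]

if __name__ == "__main__":
    assert check_event_sequence(MU, {"x", "y"})
    print(open_sides(MU, {"x", "y"}), event_times(MU), tokens(MU), sep="\n")
    # a subsegment such as mu[2..4] is still a proper event sequence, open on both sides
    print(check_event_sequence(MU[1:4], {"x", "y"}), open_sides(MU[1:4], {"x", "y"}))
```

Running it on the whole sequence reports it closed on both sides for $x$ and $y$; a prefix or an inner subsegment still passes the check but is reported open, which is exactly what the decision procedure of the next sections relies on when it extends a plan under construction.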
Intuitively, an event $\mu_i = (A_i, \delta_i)$ consists of a set $A_i$ of actions describing the start or the end of some tokens, happening $\delta_i$ time steps after the previous event. In an event sequence, events are collected to describe a whole plan. Note that events where nothing happens are possible, although useless; it is unnecessary to forbid them, though (as a matter of fact, allowing empty events improves the exposition of Chapter 5). The first two conditions of Definition 4.1 ensure a proper parenthesis structure between the start and the end of the tokens that appear in the sequence: Item 1 ensures that no token of a variable starts before the end of the previous one, and Item 2 ensures the specular condition for the $end(x, v)$ actions. The end action of a token is placed at the same time as the start action of the next one because start/end pairs identify intervals with the left extremum included but the right one excluded. Then, Items 3 and 4 of Definition 4.1 ensure that the end (start) of a token is immediately followed (preceded) by the start (end) of another, except, most importantly, for the last (first) event in the sequence. In this way we avoid any gap in the description of each timeline of the represented plan.

Figure 4.1 shows an example event sequence associated with a plan made of two timelines. The variables $x$ and $y$ in the example can take a few integer values, say $V_x = V_y = \{0, 1, 2, 3\}$. Observe how each transition from a token to the next is represented by a pair of start/end actions belonging to the same event.

It is important to note that, by Definition 4.1, a started token is not required to end before the end of the sequence, and a token can end without the corresponding start action ever having appeared before. In this case, the event sequence is said to be open for the variable $x$ that is missing the start/end action. Event sequences where this does not happen are called closed: both endpoints of all tokens are specified.

Definition 4.2 — Open and closed event sequences. An event sequence $\mu = \langle \mu_1, \ldots, \mu_n \rangle$ is closed on the right (left) for a variable $x$ if, for each $1 \le i \le n$, whenever $start(x, v) \in A_i$ ($end(x, v) \in A_i$) there is a $j > i$ ($j < i$) such that $end(x, v) \in A_j$ ($start(x, v) \in A_j$). Otherwise, $\mu$ is open on the right (left) for $x$. An event sequence is simply open or closed (on the right or on the left) if it is respectively open or closed (on the right or on the left) for any variable $x$. Note that the empty event sequence is closed on both sides for any variable.

Figure 4.1: Example event sequence associated with two timelines. The timeline for $x$ consists of the tokens $x = 0$, $x = 2$, $x = 1$, $x = 3$, and the one for $y$ of the tokens $y = 0$, $y = 3$, $y = 2$; the events are $\mu_1 = (\{start(x, 0), start(y, 0)\}, \delta_1)$, $\mu_2 = (\{end(y, 0), start(y, 3)\}, 2)$, $\mu_3 = (\{end(x, 0), start(x, 2)\}, 2)$, $\mu_4 = (\{end(x, 2), start(x, 1)\}, 2)$, $\mu_5 = (\{end(x, 1), end(y, 3), start(x, 3), start(y, 2)\}, 2)$, and $\mu_6 = (\{end(x, 3), end(y, 2)\}, 2)$.

Moreover, in closed event sequences, the first event only contains $start(x, v)$ actions and the last event only contains $end(x, v)$ actions, one for each variable $x$. By admitting open event sequences, we can represent plans that are under construction, for example during the execution of the decision procedure presented in the next sections. Most importantly, a subsegment $\mu_{[i \ldots j]}$ of an event sequence $\mu$ is still, conveniently, a proper event sequence. Note that an event $\mu'$ can be appended to an event sequence $\mu$, i.e., $\mu\mu'$ is a proper event sequence, only if $\mu$ is open on the right. Similarly, two event sequences $\mu'$ and $\mu''$ can be concatenated into $\mu = \mu'\mu''$ only if $\mu'$ is open on the right and $\mu''$ is open on the left, and the empty event sequence $\varepsilon$ can be concatenated to the right or to the left of any other.

Let us set some notation to talk about event sequences. Given an event sequence $\mu = \langle \mu_1, \ldots, \mu_n \rangle$ over a set of state variables $SV$, where $\mu_i = (A_i, \delta_i)$, we define $\delta(\mu) = \sum$
Definition 4.3 — Plan of an event sequence. Let $\mu = \langle \mu_1, \ldots, \mu_n \rangle$ be a closed event sequence. Then, $\pi_\mu$ is the plan where, for each $x \in SV$, $\pi_\mu(x) = \langle \tau_1, \ldots, \tau_k \rangle$ is a timeline such that $start(x, v) \in A_i$ ($end(x, v) \in A_i$) if and only if there is a $\tau_j$ such that $val(\tau_j) = v$ and $start\text{-}time(\tau_j) = \delta_{1,i}$ ($end\text{-}time(\tau_j) = \delta_{1,i}$).

Note how the essential assumption of not using pointwise atoms allows us to forget about any absolute time reference and to reason only in terms of distances between events. In mapping an event sequence to its represented plan, the value $\delta_1$ of the first event $\mu_1 = (A_1, \delta_1)$ is ignored, since it would represent the time passed after a non-existent previous event. By fixing an arbitrary value for $\delta_1$, the converse mapping from plans to event sequences can also be defined, hence we denote as $\mu_\pi$ the event sequence such that $\pi_{\mu_\pi} = \pi$.

Given this correspondence, the following sections manipulate plans as event sequences. A token for a state variable $x$ is identified, inside an event sequence, by the pair of indices of the start and end events of the token. More formally, given $\mu = \langle \mu_1, \ldots, \mu_n \rangle$, the pair $(i, j)$ of indices $1 \le i, j \le n$ (or the pair of the corresponding events) identifies a token $\tau \in \pi_\mu(x)$ in the timeline for $x$ if $\mu_i = (A_i, \delta_i)$ and $\mu_j = (A_j, \delta_j)$ are such that $start(x, val(\tau)) \in A_i$ and $end(x, val(\tau)) \in A_j$, and there are no other actions referring to $x$ in the events between $\mu_i$ and $\mu_j$. Considering again the example in Figure 4.1, the indices $(2, 5)$, i.e., the events $\mu_2$ and $\mu_5$, identify the second token of the timeline for $y$, where $y = 3$. Moreover, if a rule $R \equiv a_0[x_0 = v_0] \to E_1 \vee \ldots \vee E_m$ is triggered by some token $\tau$ of $\pi_\mu(x_0)$, and $\tau$ is identified by two events $\mu_i$ and $\mu_j$, then we say that $R$ is triggered by the event $\mu_i$, i.e., we identify the triggering point of the rule with the start of the triggering token.

As a final remark, note that, by Definition 4.1, the same event cannot contain both $start(x, v)$ and $end(x, v)$ for the same $x$ and $v$, i.e., tokens cannot start and end at the same time. This is compatible with Definition 2.2, which excludes tokens of null duration.

We can now define the main theoretical tool behind our complexity analysis. Rule graphs are edge-labelled graphs that suitably represent the synchronisation rules of a problem in a way that makes them easier to manipulate.

Definition 4.4 — Rule graphs. Let $E \equiv \exists a_1[x_1 = v_1] \ldots a_k[x_k = v_k] . C$ be one of the existential statements of a synchronisation rule $R \equiv a_0[x_0 = v_0] \to E_1 \vee \ldots \vee E_m$. Then, the rule graph of $E$ is an edge-labelled graph $G_E = (V, E, \beta)$ where:
1. the set of nodes $V$ is made of terms (as per Definition 2.5) such that: (a) $start(a) \in V$ or $end(a) \in V$ if and only if $a \in \{a_0, a_1, \ldots, a_k\}$, for any $a \in \mathcal{N}$; (b) if the term $T$ is used in $C$, then $T \in V$;
2. $E \subseteq V \times V$ is the edge relation such that, for each pair of nodes $T, T' \in V$, there is an edge $(T, T') \in E$ if and only if $C$ contains an atom of the form $T \le_{[l,u]} T'$, or $T = start(a_i)$ and $T' = end(a_i)$ for some $0 \le i \le k$;
3. $\beta : E \to \mathbb{N} \times \mathbb{N}^{+\infty}$ is the edge-labelling function such that, for each $e \in E$, if $e$ is associated with the atom $T \le_{[l,u]} T'$ in $C$, then $\beta(e) = (l, u)$, and $\beta(e) = (0, +\infty)$ otherwise; vice versa, if $\beta(e) \neq (0, +\infty)$, then there is such an atom in $C$.

Figure 4.2 shows the rule graph for (the existential statement of) an example synchronisation rule. Unbounded edges, i.e., those with $\beta(e) = (l, +\infty)$, are drawn as dashed arrows.
Intuitively, a rule graph is an alternative representation of an existential statement where the endpoints of each quantified token are represented by nodes, and the temporal constraints between such endpoints by labelled edges. Note that, in Definition 4.4 and in any manipulation of rule graphs, the token name $a_0$ used in the trigger of the synchronisation rule of a given existential statement is considered to be quantified in the statement like all the other token names involved.

Any existential statement has its rule graph, but the opposite connection is also possible. Indeed, given any edge-labelled graph $G = (V, E, \beta)$ where $V$ is a set of terms, $E \subseteq V \times V$, and $\beta : E \to \mathbb{N} \times \mathbb{N}^{+\infty}$, we can associate with it an existential statement $E$ such that $G_E = G$. This close relationship allows us to identify rule graphs with their existential statements, manipulating or analysing the graphs to affect the existential statements, and vice versa.

A rule graph matches over an event sequence if each node can be mapped to an event in such a way that the temporal constraints are satisfied.

Definition 4.5 — Rule graphs matching over event sequences. Let $\mu = \langle \mu_1, \ldots, \mu_n \rangle$ be a (possibly open) event sequence, and let $G_E = (V, E, \beta)$ be the rule graph of some existential statement $E$. A matching function is a function $\gamma : V \to \{1, \ldots, n\}$, mapping each node $T \in V$ to an event $\mu_{\gamma(T)}$ of $\mu$. We say that $G_E$ matches $\mu$ with the matching function $\gamma$, written $\mu, \gamma \models G_E$, if:
1. for each node $T \in V$, with $T = start(a)$ (resp., $T = end(a)$), if $a$ is quantified as $a[x = v]$ in $E$, then the event $\mu_{\gamma(T)} = (A_T, \delta_T)$ is such that $start(x, v) \in A_T$ (resp., $end(x, v) \in A_T$);
2. if both $T = start(a)$ and $T' = end(a)$ belong to $V$ for some token name $a \in \mathcal{N}$, then $\gamma(T)$ and $\gamma(T')$ identify the endpoints of a token for $x$ in $\pi_\mu(x)$;
3. for any edge $e \in E$, if $e = (T, T')$ and $\beta(e) = (l, u)$, then $l \le \delta_{\gamma(T),\gamma(T')} \le u$.
We write $\mu \models G_E$ if there is some $\gamma$ for which $\mu, \gamma \models G_E$.

As an example, if $\mu = \langle \mu_1, \ldots, \mu_6 \rangle$ is the event sequence shown in Figure 4.1, then the rule graph of Figure 4.2 matches over $\mu$ with a matching function $\gamma$ such that $\gamma(start(a)) = 1$, $\gamma(start(b)) = 2$, $\gamma(end(a)) = 3$, $\gamma(start(c)) = 4$, and $\gamma(end(b)) = \gamma(end(c)) = 5$.

Figure 4.2: Rule graph of the existential statement of the example rule $a[x = 0] \to \exists b[y = 3]\, c[x = 1] . \; start(b) \le_{[0, \ldots]} end(a) \wedge end(b) = end(c)$. The nodes are $start(a)$, $start(b)$, $end(a)$, $start(c)$, $end(b)$ and $end(c)$; the three token edges are labelled $[0, +\infty]$ and drawn dashed, while the two edges corresponding to the atoms are bounded.

Note that the use of Definition 4.5 requires an explicit association between the rule graph and its original existential statement, because the rule graph by itself does not include any information about the meaning of the token names mentioned in its nodes. For this reason we often keep this explicit association by referring to a rule graph as $G_E$, where $E$ is its original existential statement.

Now, recall how the satisfaction of existential statements is defined by Definition 2.10. As event sequences represent plans, if a rule graph matches over an event sequence, it follows that the corresponding existential statement is satisfied by the plan. Hence, we can rephrase whether a synchronisation rule is satisfied by a plan in terms of how its rule graphs match over the corresponding event sequence.

Lemma 4.6 — Satisfaction of a synchronisation rule by an event sequence. Let $R \equiv a_0[x_0 = v_0] \to E_1 \vee \ldots \vee E_m$ be a synchronisation rule over a set of state variables $SV$, let $\pi$ be a plan over $SV$, and let $\mu_\pi = \langle \mu_1, \ldots, \mu_n \rangle$ be the corresponding event sequence. Then, $\pi \models R$ if and only if, for any $\mu_i = (A_i, \delta_i)$ such that $start(x_0, v_0) \in A_i$, there are an $E_k$ and a $\gamma$ such that $\mu_\pi, \gamma \models G_{E_k}$ and $\gamma(start(a_0)) = i$.

Proof.
Let $E \equiv \exists a_1[x_1 = v_1] \ldots a_k[x_k = v_k] . C$ be any existential statement of $R$. At first, we show that there is a token mapping $\eta$ such that $\pi \models_\eta E$ if and only if there is a matching function $\gamma$ such that $\mu_\pi, \gamma \models G_E$. Then, it directly follows that if the rule is triggered by an event $\mu_i$ that identifies the starting point of the trigger token $\tau$, and $\gamma(start(a_0)) = i$, then $\eta(a_0) = \tau$.

($\rightarrow$) Let $\eta$ be a token mapping such that $\pi \models_\eta E$. By Definition 2.10, this means that $\eta(a_i) = \tau_i$ where $\tau_i \in \pi(x_i)$ and $val(\tau_i) = v_i$ for all $1 \le i \le k$, and $\lambda \models C$ for the atomic evaluation $\lambda$ where $\lambda(a_i) = (start\text{-}time(\tau_i), end\text{-}time(\tau_i))$ for all $1 \le i \le k$. From such $\eta$ and $\lambda$ we can build a matching function $\gamma$ for $G_E$ as follows. For each token name $a_i$ quantified as $a_i[x_i = v_i]$ in $E$, let $\eta(a_i) = \tau_i$ be a token identified in $\mu_\pi = \langle \mu_1, \ldots, \mu_n \rangle$ by the two events $\mu_p = (A_p, \delta_p)$ and $\mu_q = (A_q, \delta_q)$; in particular, $start(x_i, v_i) \in A_p$ and $end(x_i, v_i) \in A_q$. Then, for each node $T = start(a_i) \in V$ (resp., $T = end(a_i) \in V$), we define $\gamma(T) = p$ (resp., $\gamma(T) = q$). In this way, Items 1 and 2 of Definition 4.5 are satisfied by construction. For Item 3, consider any edge $e \in E$ corresponding to an atom $T \le_{[l,u]} T'$ in $C$ (edges not corresponding to any atom are labelled $(0, +\infty)$ and are trivially satisfied, tokens having positive duration). Now, observe that by construction we have $\llbracket T \rrbracket_\lambda = \delta_{1,\gamma(T)}$ and $\llbracket T' \rrbracket_\lambda = \delta_{1,\gamma(T')}$, and $\beta(e) = (l, u)$. Since $\lambda \models C$, we have $l \le \llbracket T' \rrbracket_\lambda - \llbracket T \rrbracket_\lambda \le u$, and it follows that $l \le \delta_{1,\gamma(T')} - \delta_{1,\gamma(T)} \le u$, which means $l \le \delta_{\gamma(T),\gamma(T')} \le u$; hence Item 3 of Definition 4.5 is satisfied.

($\leftarrow$) Conversely, let $\gamma$ be a matching function such that $\mu_\pi, \gamma \models G_E$. We can build the corresponding token mapping $\eta$ in the following way.
For each node $T = start(a_i) \in V$ (or $T = end(a_i) \in V$, interchangeably), consider the corresponding event $\mu_{\gamma(T)} = (A_{\gamma(T)}, \delta_{\gamma(T)})$ in $\mu_\pi$, which, since $start(x_i, v_i) \in A_{\gamma(T)}$ (or $end(x_i, v_i) \in A_{\gamma(T)}$), marks the start (or the end) of a certain token $\tau_i \in \pi(x_i)$; by Item 2 of Definition 4.5, the start and end nodes of $a_i$ are mapped to the endpoints of the same token. Then, we define $\eta(a_i) = \tau_i$. It is easy to confirm that, in this way, $\pi \models_\eta E$ as per Definition 2.10. First, $\tau_i \in \pi(x_i)$ and $val(\tau_i) = v_i$ by construction. Then, consider the atomic evaluation $\lambda$ such that $\lambda(a_i) = (start\text{-}time(\tau_i), end\text{-}time(\tau_i))$. For each atom $T \le_{[l,u]} T'$ in $C$, we know that $G_E$ contains an edge $e = (T, T') \in E$ with $\beta(e) = (l, u)$. Since $\mu_\pi, \gamma \models G_E$, by definition we know that $l \le \delta_{\gamma(T),\gamma(T')} \le u$. Observe again that by construction we have $\llbracket T \rrbracket_\lambda = \delta_{1,\gamma(T)}$ and $\llbracket T' \rrbracket_\lambda = \delta_{1,\gamma(T')}$, hence $l \le \llbracket T' \rrbracket_\lambda - \llbracket T \rrbracket_\lambda \le u$, implying that $\lambda \models C$. $\square$

It is useful to set up some notation to talk about rules triggered by an event sequence. Given an event sequence $\mu = \langle \mu_1, \ldots, \mu_n \rangle$ and a rule graph $G_E = (V, E, \beta)$, we write $\mu, \gamma \models_i G_E$ to denote the fact that $\mu, \gamma \models G_E$ and, if $start(a_0) \in V$, where $a_0$ is the trigger token name of the rule of $E$, then $\gamma(start(a_0)) = i$; that is, $G_E$ matches over $\mu$ in agreement with the token, starting at $\mu_i$, that triggered the corresponding rule. Note that only the index of the triggering event is specified, but there is no ambiguity over which token name we are constraining, since the trigger name of the rule of each existential statement is uniquely identified. Consequently, we also write $\mu \models_i G_E$ if $\mu, \gamma \models_i G_E$ for some $\gamma$, and, given a synchronisation rule $R \equiv a_0[x_0 = v_0] \to E_1 \vee \ldots \vee E_m$, we write $\mu \models_i R$ if there is an $E_k$ such that $\mu \models_i G_{E_k}$, and $\mu \models R$ if, for any event $\mu_i$ in $\mu$ that triggers $R$, it holds that $\mu \models_i R$. Finally, given a timeline-based planning problem $P = (SV, S)$, we write $\mu \models P$ if $\mu \models R$ for any $R \in S$. Thanks to Lemma 4.6 we can conclude that this notation is well defined, since $\mu \models P$ if and only if $\pi_\mu \models P$. Considering our examples, note how the event sequence $\mu$ of Figure 4.1 and the rule of Figure 4.2 are such that $\mu \models R$, since the rule is triggered (only) by $\mu_1$ and, as noted before, its rule graph matches correctly with $\gamma(start(a)) = 1$.

In other words, Lemma 4.6 tells us that rule graphs are a faithful representation of existential statements. Rule graphs, however, are easier to manipulate, decompose, and reason about, mainly for two reasons: on the one hand, their graph structure allows us to reuse all the terminology and intuitive understanding of graphs; on the other hand, the splitting of the endpoints of tokens, which are a single entity, into two different nodes of the graph, which can be manipulated separately, will be essential in our argument.

A first result that we can prove by reasoning on rule graphs is an upper bound on the distance between two consecutive events in an event sequence.

Lemma 4.7 — Upper bound on the distance between events. Let $P = (SV, S)$ be a timeline-based planning problem. If there is any event sequence $\mu$ such that $\mu \models P$, then there exist another event sequence $\mu'$ and a $d \in \mathbb{N}$ such that $\mu' \models P$ and the distance between any two consecutive events of $\mu'$ is at most $d$.

Proof. We define $d = \max(L, U) + 1$, where $L$ and $U$ are, in turn, the maximum lower bound and the maximum (finite) upper bound of any edge in any rule graph of $P$. Then, consider $\mu = \langle \mu_1, \ldots, \mu_n \rangle$ and any pair of subsequent events $\mu_i$ and $\mu_{i+1}$ such that $\delta_{i+1} > d$ (we do not consider $\delta_1$ since, as said before, we can ignore its value). We define $\mu' = \langle \mu'_1, \ldots, \mu'_n \rangle$ to be the event sequence equal to $\mu$ except for the fact that $\delta'_{i+1} = d$. Observe that such an edit does not change which rules are triggered in $\mu'$, since the triggers are not affected by the duration of tokens. Now, whenever a rule $R \in S$ is triggered in $\mu$, there are an existential statement $E$ of $R$ and a matching function $\gamma$ such that $\mu, \gamma \models G_E$, where $G_E = (V, E, \beta)$ is the rule graph of $E$ (by Definition 2.11 and Lemma 4.6). We show that it also holds that $\mu', \gamma \models G_E$. To see this, suppose that there are nodes $T, T' \in V$ such that $\gamma(T) = i$ and $\gamma(T') = i + 1$, and observe that there cannot be any edge $e = (T, T') \in E$ such that $\beta(e) = (l, u)$ with $u \neq +\infty$, otherwise we would have $\delta_{\gamma(T),\gamma(T')} > u$, violating the matching. Hence, for any such edge it must be $u = +\infty$, and it still matches correctly with $\delta'_{i+1} = d$: let $\beta(e) = (l, +\infty)$; given that $l \le L < d$ by definition, it still holds that $l \le \delta'_{i,i+1}$, as required to match the edge. The same argument applies to any edge whose endpoints are mapped on opposite sides of the pair $\mu_i$, $\mu_{i+1}$, since the distance between them is at least $\delta_{i+1} > d$ before the edit and at least $d$ after it. Hence $\gamma$ is still a suitable matching function such that $\mu', \gamma \models G_E$, and $\mu' \models P$ as stated; repeating the edit for every such pair of events yields the result. $\square$

What follows introduces some concepts and tools to reason about rule graphs. The next section makes use of them to carry out our complexity analysis.

It is useful to set some terminology regarding edges and paths of rule graphs. Let $G = (V, E, \beta)$ be a rule graph. An edge $e \in E$ is unbounded if $\beta(e) = (l, u)$ with $u = +\infty$, and is bounded otherwise. A rule graph is bounded if it is made of bounded edges only. A path $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$, where $(T_i, T_{i+1}) \in E$ for all $1 \le i < k$, is said to be bounded if it is made only of bounded edges.

It is useful to consider also undirected paths, that is, sequences of nodes of $G$ which form a path if we ignore the direction of edges. In other words, an undirected path is a sequence of nodes $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$ such that either $(T_i, T_{i+1}) \in E$ or $(T_{i+1}, T_i) \in E$ for all $1 \le i < k$. Note that, of course, a path of the graph is in particular also an undirected path. An undirected edge is an undirected path $\mathcal{T} = \langle T_1, T_2 \rangle$ of only two nodes. To distinguish the direction of an undirected edge $\mathcal{T} = \langle T_1, T_2 \rangle$ with respect to the real edge found in the graph, we define $sign(\mathcal{T}) = +1$ if $e = (T_1, T_2) \in E$, and $sign(\mathcal{T}) = -1$ if $e = (T_2, T_1) \in E$. We also extend the notation for the edge bounds by defining $\beta(\mathcal{T}) = \beta(e)$.

If two nodes are connected by an undirected path, we can compute the minimum and maximum distance between their corresponding events in any event sequence, generalising and combining the bounds of the single edges that form the path.

Definition 4.8 — Lower and upper bounds on undirected paths. Let $G = (V, E, \beta)$ be a rule graph, and let $\mathcal{T}_k = \langle T_1, \ldots, T_k \rangle$ be an undirected path of $G$. Then, let $lbound(\mathcal{T}_k) \in \mathbb{Z} \cup \{-\infty\}$ and $ubound(\mathcal{T}_k) \in \mathbb{Z} \cup \{+\infty\}$ be the two quantities recursively defined as follows:
1. if $k = 1$, $lbound(\langle T_1 \rangle) = 0$ and $ubound(\langle T_1 \rangle) = 0$;
2. if $k = 2$, given $\mathcal{T} = \langle T_1, T_2 \rangle$ with $\beta(\mathcal{T}) = (l, u)$: $lbound(\mathcal{T}) = \min(sign(\mathcal{T}) \cdot l,\ sign(\mathcal{T}) \cdot u)$ and $ubound(\mathcal{T}) = \max(sign(\mathcal{T}) \cdot l,\ sign(\mathcal{T}) \cdot u)$;
3. if $k > 2$, given $\mathcal{T}_{k-1} = \langle T_1, \ldots, T_{k-1} \rangle$: $lbound(\mathcal{T}_k) = lbound(\mathcal{T}_{k-1}) + lbound(\langle T_{k-1}, T_k \rangle)$ and $ubound(\mathcal{T}_k) = ubound(\mathcal{T}_{k-1}) + ubound(\langle T_{k-1}, T_k \rangle)$;
where, in the above context, it holds that $x \pm \infty = \pm\infty$, $x < +\infty$ and $x > -\infty$ for all $x \in \mathbb{Z}$, $-\infty < +\infty$, $\pm 1 \cdot (+\infty) = \pm\infty$, $+\infty + \infty = +\infty$ and $-\infty - \infty = -\infty$.

Lemma 4.9 — Correctness of the bounds. Let $G = (V, E, \beta)$ be a rule graph, and let $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$ be an undirected path of $G$. Then, for any event sequence $\mu$ and any matching function $\gamma$ such that $\mu, \gamma \models G$, it holds that $lbound(\mathcal{T}) \le \delta_{\gamma(T_1),\gamma(T_k)} \le ubound(\mathcal{T})$, where $\delta_{i,j}$ denotes the signed distance between $\mu_i$ and $\mu_j$, i.e., $\delta_{i,j} = -\delta_{j,i}$ when $j < i$.

Proof. The proof goes by induction on the length of $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$, following the structure of Definition 4.8. If $k = 1$, with $lbound(\mathcal{T}) = 0$ and $ubound(\mathcal{T}) = 0$, the thesis trivially holds. If $k = 2$, we have an undirected edge $\mathcal{T} = \langle T_1, T_2 \rangle$. Then, either $\mathcal{T}$ agrees with the direction of the edge in the graph, i.e., $e = (T_1, T_2) \in E$, or not, i.e., $e = (T_2, T_1) \in E$. In the first case, by definition, $lbound(\mathcal{T}) = l$ and $ubound(\mathcal{T}) = u$, where $\beta(\mathcal{T}) = (l, u)$. In the second case, the definition sets $lbound(\mathcal{T}) = -u$ and $ubound(\mathcal{T}) = -l$. In either case, the thesis follows immediately from Item 3 of Definition 4.5. Note that if the edge is unbounded, then either $ubound(\mathcal{T}) = +\infty$ or $lbound(\mathcal{T}) = -\infty$, depending on the direction, but in either case the inequalities still hold, following the definition of matching of unbounded edges. Otherwise, if $k > 2$, consider any event sequence $\mu$ and any $\gamma$ such that $\mu, \gamma \models G$. Since $lbound(\mathcal{T}_{k-1}) \le \delta_{\gamma(T_1),\gamma(T_{k-1})}$ and $lbound(\langle T_{k-1}, T_k \rangle) \le \delta_{\gamma(T_{k-1}),\gamma(T_k)}$ by the induction hypothesis, and $\delta_{\gamma(T_1),\gamma(T_k)} = \delta_{\gamma(T_1),\gamma(T_{k-1})} + \delta_{\gamma(T_{k-1}),\gamma(T_k)}$, it follows that $lbound(\mathcal{T}_k) \le \delta_{\gamma(T_1),\gamma(T_k)}$.
This also holds in the case $lbound(\langle T_{k-1}, T_k \rangle) = -\infty$, since then $lbound(\mathcal{T}_k) = -\infty$, which is coherent with the addition of an unbounded edge between $T_{k-1}$ and $T_k$ in the direction opposite to the path. In a similar way, the stated inequality holds for $ubound(\mathcal{T}_k)$. $\square$

Intuitively, given an undirected path $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$, the bounds $lbound(\mathcal{T})$ and $ubound(\mathcal{T})$ are the minimum and maximum signed distance between the two endpoints of the path, generalising the bounds given on single edges to whole undirected paths. Their value is positive if the edges involved in the path constrain $T_1$ to be mapped before $T_k$, with the given bounds on their distance, and negative if the terms are constrained to be mapped in the reverse order. If they have opposite signs, both orders are possible, although still respecting the given distance constraints. The two bounds also provide the maximum absolute distance between the endpoints of the path, denoted as $d_{\max}(\mathcal{T}) = \max(|lbound(\mathcal{T})|, |ubound(\mathcal{T})|)$, which is well defined only if both bounds are finite. We also define $d_{\max}(T, T')$, for two nodes $T$ and $T'$, as the minimum $d_{\max}(\mathcal{T})$ among all the undirected paths $\mathcal{T}$ connecting $T$ and $T'$. That is, $d_{\max}(T, T')$ is the maximum distance the two nodes can have when mapped on any event sequence.

With these concepts at hand, rule graphs can often be simplified to obtain smaller ones, with fewer edges or with smaller bounds on their edges, while preserving the same matchings over any event sequence.

Lemma 4.10 — Simplification of undirected paths.
Any timeline-based planning problem $P = (SV, S)$ can be translated, in polynomial time, into an equivalent one $P' = (SV, S')$ such that, for each existential statement $E$ of any rule $R \in S'$, if its rule graph $G_E = (V, E, \beta)$ contains an undirected path $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$ and an edge $e = (T_1, T_k) \in E$ with $\beta(e) = (l, u)$, then:
1. $ubound(\mathcal{T}) \ge l$ and $lbound(\mathcal{T}) \le u$;
2. $l$ and $u$ are not both zero;
3. $lbound(\mathcal{T}) \le l \le u \le ubound(\mathcal{T})$, but either $lbound(\mathcal{T}) \neq l$ or $ubound(\mathcal{T}) \neq u$.

Proof. Consider any event sequence $\mu$ and any $\gamma$ such that $\mu, \gamma \models G_E$, and suppose there are an undirected path $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$ and an edge $e = (T_1, T_k) \in E$ with $\beta(e) = (l, u)$. To prove Item 1, suppose by contradiction that $ubound(\mathcal{T}) < l$ or $lbound(\mathcal{T}) > u$. This assumption directly conflicts with the fact that $l \le \delta_{\gamma(T_1),\gamma(T_k)} \le ubound(\mathcal{T})$ and $lbound(\mathcal{T}) \le \delta_{\gamma(T_1),\gamma(T_k)} \le u$, which follows from Lemma 4.9 and Definition 4.5. Hence, either both $ubound(\mathcal{T}) \ge l$ and $lbound(\mathcal{T}) \le u$, or there cannot be any such $\gamma$, i.e., $E$ is unsatisfiable. In this case, it can be removed from $R$, obtaining an equivalent timeline-based planning problem. To prove Item 2, note that if $l = u = 0$, the only possible satisfying choice is to have $\gamma(T_k) = \gamma(T_1)$, i.e., the two terms have to be mapped to the same event. In this case, we can express the same constraint by setting to zero the lower and upper bounds of each edge of $\mathcal{T}$ and removing $e$. Note that this produces other edges $e'$ with $l' = u' = 0$, but the total number of edges strictly decreases, hence the operation can be repeated only a finite number of times. As for Item 3, suppose that $lbound(\mathcal{T}) > l$.
Then, the constraint $l \le \delta_{\gamma(T_1),\gamma(T_k)}$ given by the edge is implied by the fact that $lbound(\mathcal{T}) \le \delta_{\gamma(T_1),\gamma(T_k)}$, which follows from $\mathcal{T}$. Then, the lower bound $l$ can be increased up to $lbound(\mathcal{T})$ without changing how the graph can match over $\mu$, i.e., we can obtain an equivalent problem by setting $\beta(e) = (lbound(\mathcal{T}), u)$. A similar argument ensures that we can, if needed, decrease the value of $u$ to ensure that $ubound(\mathcal{T}) \ge u$. Hence, we have $lbound(\mathcal{T}) \le l \le u \le ubound(\mathcal{T})$. Now, suppose $lbound(\mathcal{T}) = l$ and $ubound(\mathcal{T}) = u$. This means that the edge imposes exactly the same constraint $lbound(\mathcal{T}) \le \delta_{\gamma(T_1),\gamma(T_k)} \le ubound(\mathcal{T})$ imposed by the path. In this case, therefore, the edge is redundant and can be removed from the graph. It is easy to verify that any rule graph can be traversed to apply these simplifications in polynomial time. $\square$

Lemma 4.10 has some useful consequences, which will be exploited as needed. The first one is that we can assume w.l.o.g. the acyclicity of all the considered rule graphs.

Lemma 4.11 — Acyclicity of rule graphs. Any timeline-based planning problem $P = (SV, S)$ can be translated, in polynomial time, into an equivalent one $P' = (SV, S')$ such that, for each existential statement $E$ of any rule $R \in S'$, its rule graph $G_E$ is acyclic.

Proof. At first, take any timeline-based planning problem and translate it as stated in Lemma 4.10. Then, suppose by contradiction that a cycle is present in some rule graph $G_E$ of the translated problem. The cycle can be seen as made of a path $\langle T_k, \ldots, T_1 \rangle$ and an edge $e = (T_1, T_k)$ with $\beta(e) = (l, u)$. Since the edge goes from $T_1$ to $T_k$, if we look at the path as the undirected path $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$, the upper bound of the path is $ubound(\mathcal{T}) = -\sum_{1 \le i \le k-1} l_i$, where $l_i$ is the lower bound of the edge $e_i = (T_{i+1}, T_i)$. All such lower bounds are non-negative, hence $ubound(\mathcal{T}) \le 0 \le l$. Moreover, $ubound(\mathcal{T}) \ge l$ by Item 1 of Lemma 4.10 and $u \le ubound(\mathcal{T})$ by Item 3, hence the only possible consequence is $l = u = ubound(\mathcal{T}) = 0$, but this cannot be the case because of Item 2 of Lemma 4.10. $\square$

Hence, from now on we suppose w.l.o.g. that all the considered timeline-based planning problems lead to acyclic rule graphs where, in general, the conditions described by Lemma 4.10 hold.

Most of the next section will deal with rule graphs and their subgraphs. Given the rule graph $G_E = (V, E, \beta)$ of an existential statement $E$, a subgraph of $G_E$ is a graph $G' = (V', E', \beta')$ such that $V' \subseteq V$, $E' \subseteq E$, and $\beta' = \beta|_{E'}$. We write $G' \sqsubseteq G_E$. A trivial subgraph of any rule graph is the empty graph $G_\emptyset = (\emptyset, \emptyset, \emptyset)$. It is worth noting that a subgraph $G'$ of a rule graph $G_E$ is still a proper rule graph, and can be associated with some existential statement $E'$ such that $G' = G_{E'}$, albeit probably not part of the considered planning problem. Hence, anything that can be said about rule graphs holds directly for their subgraphs, which are proper rule graphs themselves. It is also worth noting that subgraphs of rule graphs are well behaved with respect to the matching relation: if $\mu \models G_E$, then $\mu \models G_{E'}$ for any $G_{E'} \sqsubseteq G_E$. Moreover, note that a (directed) path $\mathcal{T} = \langle T_1, \ldots, T_k \rangle$ can be regarded as a subgraph of $G$, hence we can write $\mathcal{T} \sqsubseteq G$. Similarly, single nodes can be seen as simple subgraphs as well, hence we can write $T \sqsubseteq G$ when $T \in V$. Finally, if a rule graph $G = (V, E, \beta)$ matches on $\mu$ with some matching function $\gamma$, we denote as $\mu|_G^\gamma$ the subsequence of $\mu$ covered by $G$, i.e., $\mu|_G^\gamma = \mu_{[i \ldots j]}$ where $i = \min_{T \in V} \gamma(T)$ and $j = \max_{T \in V} \gamma(T)$.

A particular kind of subgraph will play an important role in what follows.

Definition 4.12 — Bounded components of rule graphs.
Let G_E be the rule graph of some existential statement E. A bounded component B = (V_B, E_B, β_B) is a maximal subgraph of G_E where each node T ∈ V_B can reach any other T′ ∈ V_B through a bounded undirected path.

In other words, bounded components of a rule graph are maximal subgraphs connected by bounded edges. A bounded component B ⊑ G_E is the trigger component of E if it contains the term start(a) where a is the trigger token name of E.

Suppose µ, γ ⊨ B for some event sequence µ and some bounded component B ⊑ G_E. Since any two nodes T and T′ of B are connected by an undirected path 𝐓 = ⟨T, …, T′⟩, we know lbound(𝐓) ≤ γ(T′) − γ(T) ≤ ubound(𝐓), and, since 𝐓 is bounded, we know lbound(𝐓) and ubound(𝐓) are finite. Moreover, Lemma 4.10 has the interesting consequence that a bounded component cannot contain any unbounded edge: since any two nodes T and T′ are connected by a bounded undirected path 𝐓 = ⟨T, …, T′⟩, the presence of an unbounded edge, either e = (T, T′) ∈ E or e = (T′, T) ∈ E, would contradict either Item 1 or Item 3 of Lemma 4.10, depending on the sign of lbound(𝐓) and ubound(𝐓).

These observations allow us to define in the following way the maximum distance between any two events involved in the matching of a bounded component.

Definition 4.13 — Window of a bounded rule graph. Let B ⊑ G_E be a bounded component of a rule graph G_E. The window of B is the quantity defined as:

window(B) = max_{T, T′ ⊑ G_E} d_max(T, T′)

In other words, the window of a bounded component B is the maximum amount of time that can elapse between two events that are involved in the matching of B over any event sequence. More precisely, this means that δ(µ|^γ_B) ≤ window(B) for any µ and γ such that µ, γ ⊨ B.
It is worth noting that this definition is well-defined thanks to the fact that no unbounded edge can be included in B, as observed above, and thus all the undirected paths connecting the nodes of B have finite bounds.

If 𝐁 = {B, …, B_n} are the bounded components of a rule graph G_E, we can define the window of G_E as window(G_E) = ∑_{i ≤ n} window(B_i). The window of a rule graph does not give a bound on the distance between nodes of the graph, which is not possible because of unbounded edges, but gives us a bound on the size of any set of bounded components that overlap with each other.

Lemma 4.14 — Matching gap. Let G_E be a rule graph, and let µ be an event sequence such that µ, γ ⊨ G_E for some γ. If δ(µ|^γ_{G_E}) > window(G_E), then there is a position k in µ|^γ_{G_E} that is not covered by any bounded edge, i.e., there are no T, T′ ⊑ G_E such that the edge (T, T′) ∈ E is bounded and γ(T) ≤ k and γ(T′) > k.

Proof. For each bounded component B_i ⊑ G_E, let s_i and e_i be two positions such that µ|^γ_{B_i} = µ[s_i…e_i], and order the components in a sequence 𝐁 = ⟨B, …, B_n⟩ such that s_i < s_{i+1} for all 0 ≤ i < n. If there is no position k not covered by any bounded edge, then δ(µ[s_i…s_{i+1}]) ≤ window(B_i) for all 0 ≤ i < n, hence δ(µ|^γ_{G_E}) ≤ ∑_{i ≤ n} window(B_i) = window(G_E).

Intuitively, window(G_E) gives us a sufficiently large size where we can find groups of components matching together, while being able to correctly verify the satisfaction of all the edges that connect them. Extending this consideration to any rule graph of a problem P, we denote by window(P) the maximum window(G_E) over all the existential statements E of all the rules of the problem P.

A consequence of their definition is that any two bounded components B, B′ ⊑ G_E of a rule graph are disjoint, i.e., they do not have nodes in common. In particular, we can observe that the sets of nodes of the bounded components of a rule graph G_E form a partition of all the nodes of G_E, and that any unbounded edge of G_E must connect two different bounded components. Hence, by merging all the components of a rule graph G_E, and adding back all the unbounded edges between them, one gets back the whole G_E. This merge operation is not a simple set-theoretic union, because the edges going from one component to another must be reconnected.

Definition 4.15 — Concatenation of subgraphs. Let G_{E′} = (V′, E′, β′) and G_{E″} = (V″, E″, β″) be two disjoint subgraphs of a rule graph G_E = (V, E, β). The concatenation of G_{E′} and G_{E″}, written G_{E′} ⇒ G_{E″}, is a subgraph (V_⇒, E_⇒, β_⇒) of G_E, where:
1. V_⇒ = V′ ∪ V″;
2. E_⇒ = E′ ∪ E″ ∪ (E ∩ (V′ × V″)), i.e., the edges going from G_{E′} to G_{E″} are added;
3. β_⇒ = β|_{E_⇒}.

In other words, the concatenation of two subgraphs is the set-theoretic union of the two, which we can denote by G_{E′} ∪ G_{E″}, plus all the edges that connect one to the other. It holds that G_{E′} ∪ G_{E″} ⊑ G_{E′} ⇒ G_{E″} but in general not vice versa. Note that the definition considers only the edges that go from one subgraph to the other. As it turns out, in the case of a rule graph decomposed into its bounded components, connecting only the edges that go in one direction is sufficient to reconstruct the whole rule graph.

Lemma 4.16 — Decomposition into concatenation of bounded components. Any rule graph G_E can be decomposed into a sequence of bounded components 𝐁 = ⟨B, …, B_n⟩ such that G_E = B ⇒ B ⇒ … ⇒ B_n.

Proof. Consider the directed graph 𝐁 = (𝐕, 𝐄) such that 𝐕 is the set of bounded components of G_E and, for any two bounded components B, B′ ⊑ G_E, (B, B′) ∈ 𝐄 if and only if B ≠ B′ and there is an edge (unbounded, as we know) from some node in B to some node in B′. In other words, 𝐁 is the graph obtained by collapsing each bounded component to a single node, or, equivalently, collapsing every bounded edge of G_E. Now, it is sufficient to show that 𝐁 is acyclic. In this way, any topological ordering of 𝐁 provides a sequence 𝐁 = ⟨B, …, B_n⟩ of bounded components such that any edge between any two of them goes from B_i to B_j with j > i, and thus their concatenation B ⇒ ⋯ ⇒ B_n corresponds to the whole G_E. To prove the acyclicity of 𝐁, at first note that it cannot contain self-loops by definition. Then, suppose by contradiction that it contains a cycle 𝐁 = ⟨B_k, …, B⟩ where (B_{i+1}, B_i) ∈ 𝐄 and (B, B_k) ∈ 𝐄. Consider the unbounded edge e = (T, T_k) of G_E, with β(e) = (l, u), that connects the node T of B to the corresponding node T_k of B_k. Then, 𝐁 identifies one (but possibly many) undirected path 𝐓 = ⟨T, …, T_k⟩ in G_E, that connects T_k to T by traversing all the bounded components of 𝐁, passing through the unbounded edges that form the cycle. We know that all the unbounded edges of 𝐓 go in the same direction, from T_{i+1} to T_i for some i, because 𝐁 is a cycle in 𝐁. Hence, by Definition 4.8 it follows that lbound(𝐓) = −∞, but ubound(𝐓) is finite. However, since u = +∞, we have ubound(𝐓) < u, which contradicts Item 3 of Lemma 4.10.

Thanks to Lemma 4.16 we can extend the partial order between the nodes of the graph to a pre-order between its bounded components.
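As an added illustration of Definition 4.12, Definition 4.15 and Lemma 4.16 (example code written for this page, not code from the thesis), the following Python computes the bounded components of a rule graph, the collapsed component graph 𝐁 of the proof, and the sequence B ⇒ ⋯ ⇒ B_n obtained from a topological ordering, rejecting a cyclic component graph the way the proof rules it out. The encoding of nodes as strings, of β as a dictionary from edges to (l, u) pairs with math.inf for +∞, the helper names and the sample graph are all assumptions of this example.

```python
"""Decomposing a rule graph into a concatenation of bounded components.

Assumed encoding (not the thesis's own): nodes are strings such as
"start(a)"/"end(a)", edges are (source, target) tuples, and beta maps
each edge to its bound pair (l, u), using math.inf for +infinity.
"""
from math import inf
from collections import defaultdict, deque


def is_bounded(bound):
    """An edge is bounded when both its lower and upper bound are finite."""
    l, u = bound
    return abs(l) != inf and abs(u) != inf


def bounded_components(nodes, beta):
    """Maximal node sets connected by bounded edges (Definition 4.12),
    computed by union-find over the bounded edges only."""
    parent = {v: v for v in nodes}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path halving
            v = parent[v]
        return v

    for (s, t), bound in beta.items():
        if is_bounded(bound):
            parent[find(s)] = find(t)
    groups = defaultdict(set)
    for v in nodes:
        groups[find(v)].add(v)
    return [frozenset(g) for g in groups.values()]


def decompose(nodes, beta):
    """Sequence <B_1, ..., B_n> with G_E = B_1 => ... => B_n (Lemma 4.16):
    collapse each bounded component to one node, keep the (unbounded)
    edges between different components, and topologically sort.
    Raises ValueError if the component graph has a cycle."""
    comps = bounded_components(nodes, beta)
    comp_of = {v: i for i, c in enumerate(comps) for v in c}
    succ = defaultdict(set)
    indeg = [0] * len(comps)
    for s, t in beta:
        i, j = comp_of[s], comp_of[t]
        if i != j and j not in succ[i]:   # edge between two components
            succ[i].add(j)
            indeg[j] += 1
    ready = deque(i for i in range(len(comps)) if indeg[i] == 0)
    order = []
    while ready:                          # Kahn's algorithm
        i = ready.popleft()
        order.append(comps[i])
        for j in sorted(succ[i]):
            indeg[j] -= 1
            if indeg[j] == 0:
                ready.append(j)
    if len(order) != len(comps):
        raise ValueError("component graph has a cycle")
    return order


def is_decomposable(nodes, beta):
    """True iff the collapsed component graph is acyclic."""
    try:
        decompose(nodes, beta)
        return True
    except ValueError:
        return False


def concatenate(beta, seq):
    """Edge set of B_1 => ... => B_n per Definition 4.15: the edges inside
    each component plus every edge going from an earlier to a later one."""
    pos = {v: i for i, c in enumerate(seq) for v in c}
    return {e for e in beta if pos[e[0]] <= pos[e[1]]}


# Constructed sample rule graph: token b must start within two steps of
# the start of a (bounded edges), token c may start any time after a ends
# (one unbounded edge, lower bound 0 as assumed in Lemma 4.18).
NODES = ["start(a)", "end(a)", "start(b)", "end(b)", "start(c)", "end(c)"]
BETA = {
    ("start(a)", "end(a)"): (1, 5),
    ("start(a)", "start(b)"): (0, 2),
    ("start(b)", "end(b)"): (1, 1),
    ("end(a)", "start(c)"): (0, inf),   # the only unbounded edge
    ("start(c)", "end(c)"): (2, 4),
}

if __name__ == "__main__":
    for k, comp in enumerate(decompose(NODES, BETA), 1):
        print(f"B_{k} = {sorted(comp)}")
```

Running the block prints the two components of the sample graph in concatenation order; adding a second unbounded edge from end(c) back to start(a) makes is_decomposable return False, which is exactly the cyclic situation the proof of Lemma 4.16 shows cannot arise once Lemma 4.10 has been applied.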
Note that the graph concatenation operation is not well-behaved with respect to the matching of the concatenated subgraphs on any given event sequence. More precisely, if µ ⊨ G_{E′} and µ ⊨ G_{E″}, and G_{E″} matches later than G_{E′}, then one might think that all the unbounded edges going from G_{E′} to G_{E″} are trivially satisfied, and so we may conclude that µ ⊨ G_{E′} ⇒ G_{E″}. However, this is only true if the two graphs do not contain two endpoints start(a) and end(a) for the same a. Otherwise, to make the concatenation inherit the matching of the operands, we need to explicitly take care to ensure that the two endpoints correctly match on the same token.

Definition 4.17 — Matching preserving open tokens. Let G_E be a rule graph and µ be an event sequence such that µ, γ ⊨ G_E for some γ. We say that µ matches on G_E preserving open tokens, written µ, γ ⊨* G_E, if for any token name a ∈ N:
1. if start(a) ⊑ G_E but end(a) ⋢ G_E, there is no event in µ that ends the token started at γ(start(a));
2. if end(a) ⊑ G_E but start(a) ⋢ G_E, there is no event in µ that starts the token ended at γ(end(a)).

It follows from the definition that µ ⊨* G_E implies µ ⊨ G_E, and that the converse is true, in general, only for closed event sequences. This restricted notion of matching has a precise relationship with the concatenation of graphs.

Lemma 4.18 — Graph concatenation with open tokens. Let G_{E′} and G_{E″} be two disjoint subgraphs of G_E, and suppose that the lower bound of any unbounded edge in G_E is zero. Let µ be an event sequence such that µ[i…j] ⊨* G_{E′} and µ[j…k] ⊨* G_{E″}, with i ≤ j ≤ k. Then, µ[i…k] ⊨* G_{E′} ⇒ G_{E″}.

Proof.
Let γ′ and γ″ be two matching functions such that µ[i…j], γ′ ⊨ G_{E′} and µ[j…k], γ″ ⊨ G_{E″}. We can define a matching function γ such that γ(T) = γ′(T) if T ⊑ G_{E′} and γ(T) = γ″(T) if T ⊑ G_{E″} (this is well-defined since the two subgraphs are disjoint). Let us now check that µ[i…k], γ ⊨* G_{E′} ⇒ G_{E″}. We already observed that, qualitatively, the fact that G_{E″} matches completely later than G_{E′} ensures that any unbounded edge added between the two is satisfied. Moreover, since both matchings on µ[i…j] and µ[j…k] preserve open tokens, we know that any two nodes start(a) ⊑ G_{E′} and end(a) ⊑ G_{E″} will be mapped in such a way that γ(start(a)) and γ(end(a)) correctly identify a proper token.

The assumption made in the statement of Lemma 4.18 that the lower bounds of unbounded edges are zero is essential to make it work as-is. For ease of exposition, in the following section we suppose that this restriction holds for any considered rule graph. However, the whole argument can be adapted easily to remove this restriction by taking care of such lower bounds when reasoning about the concatenation of subgraphs.

In this section we can leverage the conceptual framework of rule graphs defined previously to analyse the computational complexity of the plan existence problem for timeline-based planning. In particular, we prove that the problem is EXPSPACE-complete. Note that EXPSPACE-hardness comes directly from the encoding of action-based temporal planning problems shown by Corollary 3.10 in Chapter 3.
Hence, it is sufficient here to provide a decision procedure that can solve the problem using at most exponential space.

The section starts by providing a small-model theorem, that is, a result showing that any satisfiable timeline-based planning problem has a solution shorter than a given upper bound. Then, the decision procedure will be provided, whose complexity depends on said bound.

The upper bound will be proved with a fairly standard contraction argument. We will show that, when a solution longer than the bound is found, another shorter one can be built by suitably contracting it between specific points. Similar techniques are often used to prove upper bounds on the length of models for various temporal logics, e.g. [127].

The key step behind this kind of contraction argument is the identification of some local state, i.e., an object that can be defined at a specific point of the solution, that can finitely represent the current state of the system at that point. A long solution can then be cut between two repetitions of the same state. In the case of timeline-based planning problems, the current state cannot be represented only by the current value of the state variables. Instead, apparently, the whole plan contributes to the current state of the system, because any rule triggered anywhere can be satisfied by looking at something that happened arbitrarily far in the past or that will happen arbitrarily far in the future. However, thanks to the decomposition of rule graphs into bounded components, such information can be finitely and compactly represented in a data structure, that we call matching record, which has size exponential in the size of the problem and uniquely identifies the state of the system.

Definition 4.19 — Matching record. Let P = (SV, S) be a timeline-based planning problem and let µ = ⟨µ, …, µ_n⟩ be an event sequence over SV closed to the left such that δ(µ) ≥ window(P). The matching record of µ is a tuple [µ] = (ω, Γ, ∆), where:
1. ω is the shortest suffix µ_{≥h} of µ that can be split into two subsequences spanning at least window(P) time steps, i.e., ω = ω⁻ω⁺, where ω⁻ = µ[h…h⁺−], ω⁺ = µ_{≥h⁺}, and both δ(ω⁻) ≥ window(P) and δ(ω⁺) ≥ window(P);
2. Γ is a function that maps any existential statement E of any R ∈ S and a k ≤ |ω⁻| to the maximal subgraph Γ(E, k) of G_E such that:
   (a) µ_{≤h+k}, γ ⊨* Γ(E, k) for some matching function γ;
   (b) Γ(E, k) does not contain the trigger node start(a);
   (c) any edge going out of Γ(E, k) is unbounded;
3. ∆ is a function that maps an existential statement E of any R ∈ S and a k ≤ |ω⁺| to the maximal subgraph ∆(E, k) ⊑ G_E such that:
   (a) for each position t in ρω⁻ where R is triggered, µ_{h⁺+k} ⊨*_t ∆(E, k);
   (b) any edge going in or out of ∆(E, k) is unbounded.
If instead µ is empty, made of only one event, or δ(µ) < window(P), then [µ] = µ.

Intuitively, the matching record [µ] = (ω, Γ, ∆) of a long enough event sequence µ stores three pieces of information: the recent history ω of the plan, i.e., a suffix of the event sequence that is worth remembering in detail, a record Γ of all the pieces of rule graphs that matched in the past, and the record ∆ of the pieces of rule graphs that still have to be matched in the future to satisfy some previously triggered rule. The following result confirms the role of matching records: when an event sequence is represented by its matching record, we have sufficient information to decide whether or not the event sequence satisfies the given timeline-based planning problem.

Lemma 4.20 — Matching record of a solution plan.
Let P = (SV, S) be a timeline-based planning problem, and let [µ] = (ω, Γ, ∆) be the matching record of an event sequence µ over SV. Then, µ ⊨ P if and only if, for each rule R ≡ a[x = v] → E ∨ … ∨ E_m ∈ S:
1. if R is triggered by an event µ_i inside ω⁺, there are some existential statement E of R, a k ∈ ℕ, and two subgraphs G_{>k} ⊑ G_E and G_{≤k} ⊑ Γ(E, k), such that:
   (a) µ_{>k} ⊨*_i G_{>k};
   (b) G_{≤k} and G_{>k} are disjoint and G_{≤k} ⇒ G_{>k} = G_E;
2. there are at least a k and an existential statement E of R such that ∆(E, k) = G_E.

Proof (⟸). Consider a timeline-based planning problem P = (SV, S), and let [µ] = (ω, Γ, ∆) be the matching record of an event sequence µ = ⟨µ, …, µ_n⟩ over SV, with µ_i = (A_i, δ_i). We show that if the stated conditions hold, then µ ⊨ P, i.e., that for each rule R ≡ a[x = v] → E ∨ … ∨ E_m ∈ S triggered by an event µ_i, there is an E_k such that µ ⊨_i G_{E_k}. Recall that ω⁺ = µ_{≥h⁺}. We distinguish two cases, depending on whether µ_i lies before ω⁺ (i < h⁺) or not (i ≥ h⁺). If i < h⁺, we know by Item 2 that µ ⊨_i G_E for at least one E of R, since otherwise ∆(E, k) would not be equal to G_E for any k. Hence R is satisfied. If i ≥ h⁺, since Item 1 holds, we know that there are an existential statement E of R, a k ∈ ℕ with 1 ≤ k ≤ n, and two disjoint subgraphs G_{≤k} ⊑ Γ(E, k) and G_{>k} ⊑ G_E, such that µ_{>k}, γ_{>k} ⊨*_i G_{>k} for some γ_{>k} and G_{≤k} ⇒ G_{>k} = G_E. By Item 2 of Definition 4.19, we know that µ_{≤k}, γ_{≤k} ⊨* Γ(E, k) for some γ_{≤k}, and so in particular µ_{≤k}, γ_{≤k} ⊨ G_{≤k}. However, we can argue that µ_{≤k}, γ_{≤k} ⊨* G_{≤k} as well, because G_{≤k} and G_{>k} are disjoint, and if G_{≤k} contained some unpaired start(a) nodes that were not already unpaired in Γ(E, k), it could not be that G_{≤k} ⇒ G_{>k} = G_E.
Then, by combining γ_{>k} and γ_{≤k} we can obtain the matching function γ such that µ, γ ⊨* G_E thanks to Lemma 4.14. Moreover, since the trigger node start(a) is not part of G_{≤k} (Item 2b of Definition 4.19), we have start(a) ⊑ G_{>k}, and since γ(start(a)) = γ_{>k}(start(a)), we have µ, γ ⊨*_i G_E.

(⟹). We now suppose that the event sequence µ is a solution plan for the timeline-based planning problem P = (SV, S) and prove that the stated conditions hold. As for Item 1, suppose R is triggered inside ω⁺ by an event µ_i. Since µ ⊨ P, we know there is a γ such that µ, γ ⊨ G_E for some existential statement E of R, and γ(start(a)) = i. Now, let G_E = (V, E, β), and let h ≤ k < h⁺ be a position in ω⁻ such that there is no bounded edge e = (T, T′) ∈ E overlapping k, i.e., with γ(T) ≤ k and γ(T′) > k. This position is guaranteed to exist by Lemma 4.14, since δ(ω⁻) ≥ window(P). Hence, we can identify the two subgraphs G_{≤k} ⊑ G_E and G_{>k} ⊑ G_E such that µ_{≤k} ⊨* G_{≤k} and µ_{>k} ⊨* G_{>k}. Note that by construction the two subgraphs are disjoint, since we are splitting them on the gap at position k; we know G_{≤k} ⇒ G_{>k} = G_E, and G_{≤k} ⊑ Γ(E, k) because Γ(E, k) is the maximal subgraph of G_E that matches over µ_{≤k}. As far as Item 2 is concerned, suppose R is triggered in some positions t, t, …, t_n in ρω⁻. Then, since µ ⊨ R, we know µ ⊨_{t_i} G_E for each t_i, and so ∆(E, |ω⁺|) = G_E.

It is easy to verify that the size of [µ] is exponential in the size of the considered planning problem.

Lemma 4.21 — Size of matching records. Let P = (SV, S) be a timeline-based planning problem and let µ be an event sequence over SV. Then, the size of [µ] is exponential in the size of P.

Proof. Let [µ] = (ω, Γ, ∆). The first component, ω, is an event sequence such that δ(ω) ≤ window(P).
It is easy to see that window(P) ≤ |P|, hence there are at most an exponential number of events, and each such event µ = (A, δ) has polynomial size, given that δ ≤ window(P) and A is a set of at most polynomial size, hence |ω| ∈ O(2^{|P|}). Then, consider the size of Γ. A key observation is that Γ(E, k) ⊑ Γ(E, k+1) for each 1 ≤ k < |ω⁻|. This means that, even though the different values of k are exponentially many, there are only a polynomial number of them where Γ(E, k) differs from Γ(E, k+1), and this allows us to represent Γ using a polynomial amount of space. It is easy to check that ∆ is representable in polynomial space as well. Hence, the size of [µ] is dominated by the size of ω, which is exponential in the size of the problem.

Finally, all the building blocks are in place to show the main result of this section, which paves the way for an exponential-space decision procedure for the plan existence problem for timeline-based planning.

Theorem 7 — Small-model theorem for timeline-based planning problems. Let P = (SV, S) be a timeline-based planning problem. If there is any solution plan µ ⊨ P, then there is a solution plan µ′ ⊨ P such that δ(µ′) ∈ O(2^{2^{|P|}}).

Proof. The proof adopts a standard contraction argument. We know from Lemma 4.21 that |[µ]| ∈ O(2^{|P|}). Let K ∈ O(2^{|P|}) be the actual maximum size, in bits, of the matching record of an event sequence over SV. If |µ| > K, there have to be at least two positions i and j such that [µ_{≤i}] = [µ_{≤j}]. Then, it can be checked that for any two event sequences µ′ and µ″ such that [µ′] = [µ″], it holds that [µ′µ] = [µ″µ] for any event µ. Hence, it holds that µ ⊨ P if and only if µ′ = µ_{≤i} µ_{≥j+1} ⊨ P.
In other words, we can cut and remove the subsequence µ[i+1…j] without changing the satisfaction of the rules of P, obtaining an event sequence µ′ such that |µ′| < K (or we can repeat the process until we obtain one). Recall that K ∈ O(2^{|P|}). Since, thanks to Lemma 4.7, we supposed w.l.o.g. that the time distance δ_{k+1} between any two consecutive events µ_k and µ_{k+1} is bounded by some d ∈ O(2^{|P|}), we obtain that δ(µ′) < d · K, hence at most doubly exponential in the size of P.

Thanks to Theorem 7, and exploiting the machinery of matching records, we can now devise a decision procedure for deciding whether a given timeline-based planning problem admits a solution plan, using at most an exponential amount of space, proving the EXPSPACE-completeness of the problem.

Since we aim at proving an upper bound on the space complexity of the problem, we can employ a standard shortcut: the algorithm is designed to run, using at most an exponential amount of space, on a nondeterministic Turing machine. Then, the classic complexity theory result by Savitch [111, 123], which, in particular, implies that NEXPSPACE = EXPSPACE, ensures that a deterministic exponential-space procedure exists as well.

The first building block is a subprocedure that, given the matching record [µ] of an event sequence and an event µ, obtains the matching record [µµ] of the event sequence resulting from appending the event at the end.

Lemma 4.22 — Appending an event to a matching record. Let P = (SV, S) be a timeline-based planning problem, let [µ] be the matching record of an event sequence µ, and let µ be any event applicable to [µ]. Then, the matching record [µµ] can be built in exponential time in the size of P.

Proof. Let [µ] = (ω, Γ, ∆) be the matching record of some event sequence µ = ⟨µ, …, µ_n⟩. Let it be clear that the construction does not receive µ as input, but only [µ].
Then, we will build the matching record [µµ] of the event sequence µµ. Let it be [µµ] = (ω′, Γ′, ∆′). Let us show how the three components have to be updated to account for the incoming event.

At first, updating ω is the easiest part of the procedure. In the case that δ(ωµ) ≤ window(P), then ω′ = ωµ; otherwise, if ω = µ_{≥h} for some h, then ω′ = µ_{≥h′}µ, where h′ ≥ h is the least position in µ such that δ(ω′) ≥ window(P). In other words, the new event is appended, becoming part of the recent history stored by the matching record, and the oldest events are discarded, as many as possible while preserving the fact that δ(ω) ≥ window(P). With the updated ω′, recall that ω′⁻ is the shortest prefix of ω′ such that δ(ω′⁻) ≥ window(P).

Then, Γ is updated accordingly. Let s = h′ − h be the number of events discarded in the update of ω to ω′. As a first step, all the components of Γ are shifted back by s positions, and updated to reflect the incoming event, i.e., Γ′(E, k) = Γ(E, k+s) for all 1 ≤ k ≤ |ω′⁻| − s. Then, Γ′(E, k) for the positions k > |ω′⁻| − s can be obtained by composing two parts. The first part G_{[h′…k″]} is the maximal concatenation of bounded components of G_E such that µ[h′…k] ⊨* G_{[h′…k]} for some h′ > h, and the second is Γ′(E, h′), i.e., we set Γ′(E, k) = Γ(E, k′+s) ⇒ G_{[h…k]}. Note that this composition correctly captures the definition of Γ′(E, k), since δ(µ[h…k]) ≥ window(P) for all k > |ω′⁻| − s.

To update ∆, we proceed similarly. First, the contents of ∆(E, k) for all 1 ≤ k ≤ |ω⁺| are shifted back by s positions, i.e., ∆′(E, k) = ∆(E, k+s).
The s+1 values ∆(E, 0) to ∆(E, s) that are shifted out, however, are not discarded, but intersected together to set ∆′(E, 0) = ⋂_{0 ≤ i ≤ s} ∆(E, i). Then, new values for the newcomer positions ∆(E, k) with k > |ω′⁺| − s are computed. This can be done similarly to Γ, by considering the maximal concatenation of bounded components of G_E matching inside ω⁺, and concatenating them with the suitable already known values of ∆(E, h′) for some suitable h′.

Now, it is time to check that these updates can be computed in nondeterministic exponential time, as stated. To see this, observe that a single rule graph can be matched over an event sequence in polynomial space, hence in exponential time in particular, by nondeterministically guessing a matching function γ and then checking the satisfaction of the match. Then, during the updates of Γ and ∆, an exponential number of such checks are needed.

Combining Corollary 3.10, Theorem 7, and Lemmata 4.20 and 4.22, we can finally devise a decision procedure for the problem.

Theorem 8 — Complexity of timeline-based planning. Deciding whether a timeline-based planning problem admits a solution plan is EXPSPACE-complete.

Proof. We devise a nondeterministic decision procedure for the problem, that runs in nondeterministic exponential space. The procedure builds the matching record [µ] of a satisfying event sequence µ incrementally, starting from [µ] = [ε] and, at each step i ≥ 0, nondeterministically guessing the next event µ_i to obtain [µ_{i+1}] = [µ_i µ], thanks to Lemma 4.22. At each step, by Lemma 4.20 the procedure can check whether a solution for the problem has been found. If not, the procedure continues until a number of steps greater than the maximum bound computed in Theorem 7 is reached, in which case the nondeterministic computation branch is rejected.
By Lemma 4.21, the size of matching records is exponential in the size of the problem, hence to maintain the current matching record and to count up to the upper bound of Theorem 7, only exponential space is needed. Given the well-known result by Savitch [123] that NEXPSPACE = EXPSPACE, the nondeterministic procedure outlined here also gives us a deterministic procedure running in exponential space.

As noted in Section 2.2, a variant of timeline-based planning problems that is relevant in practical applications is that of problems with bounded horizon (Definition 2.14), where the input is expected to provide an a priori bound on the duration of the interesting solutions. This section studies the complexity of this special case, proving it to be NEXPTIME-complete. As will be shown later, the decision procedure for the general case shown above can be adapted in a straightforward way. To show that the problem is NEXPTIME-hard, we employ a reduction from a variant of the tiling problem.

Definition 4.23 — Exponentially bounded square tiling problem. A tiling structure is a tuple 𝒯 = (T, t, H, V, n), where T is a set of elements called tiles, t ∈ T is the initial tile, H, V ⊆ T × T are the horizontal and vertical adjacency relations, and n ∈ ℕ⁺ is a positive number, encoded in binary. A tiling of the tiling structure 𝒯 is a function f : [n] × [n] → T, mapping any position (i, j) of the square of size n × n to a tile f(i, j) ∈ T such that:
1. f(0, 0) = t;
2. for all x ∈ [n−1] and y ∈ [n], f(x, y) H f(x+1, y);
3. for all x ∈ [n] and y ∈ [n−1], f(x, y) V f(x, y+1).
The exponentially bounded square tiling problem is the problem of deciding whether a given tiling structure admits a tiling.

Tiling problems have been used for a long time as a source of reductions to study the computational complexity of many problems in logic and combinatorics [77, 84, 85, 122, 136, 139].
Quoting van Emde Boas [136], «it is the simplicity of the tiling problem combined with the very local structure of the tiling constraints which makes these problems attractive for use in reductions.» Furthermore, by varying the shape of the surface to be tiled (a square, a rectangle with an unbounded side, a quadrant, etc.), one can obtain complete problems for a broad range of complexity classes, ranging from NP to EXPSPACE, to non-elementary, undecidable, and highly undecidable problems. Two-player variants of the problem such as tiling games have also been studied [41]. In particular, the exponentially bounded square tiling problem defined above is known to be NEXPTIME-hard [77], and allows us to give a simple and straightforward proof of NEXPTIME-completeness for our problem.

Theorem 9 — Complexity of bounded horizon timeline-based planning. Deciding whether a timeline-based planning problem with bounded horizon admits a solution plan is NEXPTIME-complete.

Proof. Let us first show how the problem can be solved in nondeterministic exponential time. A timeline-based planning problem with bounded horizon P = (SV, S, H) asks to find a solution plan π for the problem P′ = (SV, S) such that H(π) ≤ H. Hence, we can employ the same procedure shown in the proof of Theorem 8, but taking care of stopping the search not when the doubly exponential upper bound of Theorem 7 is reached, but after only H steps. Since H ∈ O(2^{|P|}), the algorithm then runs in nondeterministic exponential time.

Let us now show that the problem is NEXPTIME-hard, by reduction from the exponentially bounded square tiling problem of Definition 4.23. Let 𝒯 = (T, t, H, V, n) be a tiling structure. We build a suitable timeline-based planning problem with bounded horizon P = (SV, S, H) such that 𝒯 admits a tiling if and only if P admits a solution plan. The set SV consists of a single state variable x with domain V_x = T, i.e., one possible value for each tile in T.
The transition function is T x ( v ) = V x , foreach v ∈ V x , and the duration function constrains every token to have unitaryduration, that is, D x ( v ) = (1 , 1) for each v ∈ V x . By setting the horizon H = n ,the values of x over time represent the tilings of the n × n square in a row-majorlayout. The synchronisation rules can encode the tiling constraints as follows.First of all, the initial tile is put into place with a triggerless rule: (cid:62) → ∃ a [ x = t ] . start ( a ) = 0 An automata-theoretic perspective 77 The horizontal tiling relation H is represented by the following rules. For eachtile t ∈ T , there is a rule for the consistency of the H relation on the right: a [ x = t ] → start ( a ) = n ∨ t (cid:48) ∈ T (cid:95) tHt (cid:48) ∃ b [ x = t (cid:48) ] . start ( a ) ≤ [1 , start ( b )and one on the left: a [ x = t ] → start ( a ) = 0 ∨ t (cid:48) ∈ T (cid:95) t (cid:48) Ht ∃ b [ x = t (cid:48) ] . start ( b ) ≤ [1 , start ( a )These rules handle the satisfaction of the horizontal constraints in bothdirections. Both handle the special case for respectively the first/last tile, whichcannot have anything on the right/left side. The encoding of vertical tilingconstraints is similar. For each t ∈ T , the following rules are added: a [ x = t ] → start ( a ) ≤ n ∨ t (cid:48) ∈ T (cid:95) tV t (cid:48) ∃ b [ x = t (cid:48) ] . start ( a ) ≤ [ n,n ] start ( b ) a [ x = t ] → n − n ≤ start ( a ) ∨ t (cid:48) ∈ T (cid:95) t (cid:48) V t ∃ b [ x = t (cid:48) ] . start ( b ) ≤ [ n,n ] start ( a )It can be verified that this timeline-based problem with horizon correctly en-codes the original tiling problem. Moreover, the encoding can be produced inpolynomial time, since it only involves loops making one step for each elementsof the tiling set T and the relations H and V . This section revisits the results given in previous sections from a di ff erent, automata-theoretic point of view. 
We will re-prove Theorem 8 by constructing a suitable nondeterministic finite automaton that can recognise solution plans for a given timeline-based planning problem. This different perspective gives us two major contributions:

1. the resulting decision procedure, based on a reachability analysis of the automaton, is more likely to lead to practicable techniques since it can exploit all existing tools based on automata theory;
2. by extending the construction to Büchi automata, we can prove the computational complexity of the problem when interpreted over infinite plans, a generalisation never considered before in the literature.

The rest of the section will show the automata-theoretic construction in detail, providing an alternative proof of Theorem 8. Then, the problem of timeline-based planning on infinite timelines will be defined, and the complexity of the problem will be shown to still be EXPSPACE-complete by extending the automaton construction to obtain a Büchi automaton.

We now show how to build, for any given timeline-based planning problem P = (SV, S), a nondeterministic finite automaton (NFA) that accepts exactly those words that represent solution plans for P. We first have to choose a suitable word representation for plans. In the rest of the chapter we made extensive use of event sequences for this purpose, which, however, do not fit well as the input word of a finite automaton. The representation used by our automaton construction is, however, very similar.

PLANS AS WORDS

Let Σ = {σ : SV → V ∪ {□} | σ(x) ∈ V_x ∪ {□}}, i.e., the alphabet is a set of functions assigning a legitimate value (or the special symbol □) to each variable in SV. Notice that we can equivalently define Σ as the cartesian product ×_{x ∈ SV} (V_x ∪ {□}), i.e., a set of tuples with a value (or □) for each variable.
Treating symbols as functions will be useful as a notation to define the automaton, while the tuple point of view helps the intuitive understanding of the construction. Elements of Σ are called token symbols. Among them, we identify the set Σ_S = {σ ∈ Σ | σ(x) ≠ □ for all x ∈ SV} of starting token symbols. Observe that |Σ| ≤ (|V| + 1)^|SV|, that is, the number of token symbols is at most exponential in the size of P.

A one-to-one correspondence can be easily established between finite words σ = σ_0 σ_1 ··· σ_n ∈ Σ_S Σ* and event sequences μ = ⟨μ_0, …, μ_m⟩. Each event μ_i = (A_i, δ_i) corresponds to δ_i symbols σ_j, …, σ_{j+δ_i} in the word, with σ_k(x) = □ for each x ∈ SV and each j ≤ k < j + δ_i, and, for the last of them, σ_{j+δ_i}(x) = v if start(x, v) ∈ A_i and σ_{j+δ_i}(x) = □ otherwise. In other terms, time is flattened, with a symbol for each time step instead of the jumps of δ_i time steps made by each event, and σ_j(x) = v if a token with x = v starts at time j, while σ_j(x) = □ if no token for the variable x is starting at time j (and so the current token for x has the value of the position j′ < j where σ_{j′}(x) ≠ □).

BLUEPRINTS

Intuitively speaking, the states of the automaton contain patterns of tokens, called blueprints, that track the satisfaction of the rules on the current word. Blueprints specify the qualitative information about the relative position of such tokens, abstracting away most of the quantitative information about how far apart tokens are. Each blueprint is associated with a synchronisation rule of the problem, and a specific way to schedule tokens apt to satisfy such rule. While reading the input word, the automaton nondeterministically matches the abstract tokens of a set of blueprints with the concrete tokens found in the plan.
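The plan-to-word flattening described under Plans as words, as an added example in Python (not code from the thesis): tokens of a plan are turned into the sequence of token symbols σ_j, and back, and the syntactic check that the E_P automaton performs for a problem with trivial duration functions (first symbol in Σ_S, every new value allowed by T_x) is reproduced. The plan, the transition functions and their dict representation are constructed for the example and are not from the thesis.

```python
# Added example (not from the thesis): the "plans as words" encoding.
# A plan is given per state variable as the list of its tokens
# (value, duration); a token symbol is a dict mapping every state variable
# to a value, or to BLANK when no token for that variable starts at that
# time step. All data below is constructed for this example.
BLANK = None  # stands for the special "no token starts here" symbol

def plan_to_word(plan):
    """Flatten a plan {x: [(value, duration), ...]} into a word over Sigma.

    Symbol j assigns to x the value of the token of x that starts at time j,
    and BLANK otherwise. All timelines must cover the same horizon.
    """
    horizons = {sum(d for _, d in tokens) for tokens in plan.values()}
    if len(horizons) != 1:
        raise ValueError("timelines end at different times: %s" % horizons)
    horizon = horizons.pop()
    word = [{x: BLANK for x in plan} for _ in range(horizon)]
    for x, tokens in plan.items():
        t = 0
        for value, duration in tokens:
            if duration < 1:
                raise ValueError("tokens have positive integer duration")
            word[t][x] = value  # the token (x = value) starts at time t
            t += duration
    return word

def is_starting_symbol(sym):
    """Membership in Sigma_S: every variable starts a token at this step."""
    return all(v is not BLANK for v in sym.values())

def word_to_plan(word):
    """Inverse of plan_to_word: a token of x lasts until the next symbol
    whose value for x is not BLANK (or until the end of the word)."""
    if not word or not is_starting_symbol(word[0]):
        raise ValueError("a plan word must begin with a starting token symbol")
    plan = {}
    for x in word[0]:
        starts = [j for j, sym in enumerate(word) if sym[x] is not BLANK]
        ends = starts[1:] + [len(word)]
        plan[x] = [(word[j][x], e - j) for j, e in zip(starts, ends)]
    return plan

def respects_transitions(word, transitions):
    """What E_P checks when duration functions are trivial: the word starts
    with a starting symbol and, for each variable x, every value that starts
    a new token is allowed by T_x from the value of the current token.
    `transitions` maps x -> {value: set of allowed next values}; this dict
    layout is an assumption of the example, not the thesis' own structure."""
    if not word or not is_starting_symbol(word[0]):
        return False
    current = dict(word[0])  # value of the current token of each variable
    for sym in word[1:]:
        for x, v in sym.items():
            if v is BLANK:
                continue  # no token of x starts here: nothing to check
            if v not in transitions[x][current[x]]:
                return False
            current[x] = v
    return True

# Constructed sample: two state variables over a horizon of 6 time steps.
SAMPLE_PLAN = {
    "x0": [("v1", 2), ("v2", 3), ("v1", 1)],
    "x1": [("w1", 4), ("w2", 2)],
}
SAMPLE_TRANSITIONS = {
    "x0": {"v1": {"v2"}, "v2": {"v1"}},
    "x1": {"w1": {"w2"}, "w2": {"w1"}},
}

if __name__ == "__main__":
    w = plan_to_word(SAMPLE_PLAN)
    for j, sym in enumerate(w):
        print(j, sym)
    print("round trip ok:", word_to_plan(w) == SAMPLE_PLAN)
    print("accepted by E_P-style check:", respects_transitions(w, SAMPLE_TRANSITIONS))
```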
A word is accepted if every token that triggers a synchronisation rule is involved in some instantiation of a blueprint that satisfies the rule. This intuitive description can be turned into a formal definition as follows. Let us define the following two quantities:

1. N is the largest finite constant appearing in P as a bound in any atom;
2. M is the length of the largest existential prefix of an existential statement occurring inside a synchronisation rule of P.

Notice that N is exponential in the size of P, since constants are expressed in binary, while M ∈ O(|P|). Then, let K = 2 · (N + 1) + 2 · (N + 1) · (M + 1).

Definition 4.24 — Blueprints. A blueprint is a tuple B = (m, f_s, f_e, f_SV, f_V, P), with m ∈ [M], f_s, f_e : [m] → [K], f_SV : [m] → SV, f_V : [m] → V, and P ⊆ N, such that for all i ∈ [m]:

1. x − 1 ∈ P for each x + 1 ∈ [2(N + 1), K] ∩ (Img(f_s) ∪ Img(f_e));
2. f_s(i) < f_e(i);
3. if f_SV(i) = (V_x, T_x, D_x), then f_V(i) ∈ V_x;
4. tokens in the blueprint are disjoint, i.e., for each j ∈ [m], if f_SV(i) = f_SV(j), then exactly one of the following holds:
   (a) f_e(i) ≤ f_s(j),
   (b) f_s(i) ≥ f_e(j),
   (c) [f_s(i), f_e(i)] = [f_s(j), f_e(j)] and f_V(i) = f_V(j).

We refer to P as the set of pumping points of B.

Each blueprint is functional to the satisfaction of a synchronisation rule. Figure 4.3 shows two blueprints for the following synchronisation rule:

a[x = v] → ∃a[x = v] a[x = v]. (start(a) ≤[1, +∞] start(a) ∧ end(a) ≤[1, +∞] start(a))   (R_ex)

The meaning of the rule is the following: for every token a for x with value v, there must exist a token a for x with value v and a token a for x with value v such that the starting point of token a occurs strictly before the starting point of a and the ending point of a occurs strictly before the starting point of a.
Such a rule is triggered by tokens (1, , , 12) in the plan in Figure 4.3. Blueprint B can be used to certify the fulfilment of such a rule when triggered by (6, 8) (resp., (8, B satisfies R and there is an instantiation of B which associates a with (6, 8) (resp., (8, B is an abstraction representing all scenarios where the three tokens a (for x = v), a (for x = v), and a (for x = v) occur in the following relative positions: a occurs entirely before a, which, in turn, occurs entirely before a. As already mentioned, information about how long and how far apart the tokens are is abstracted away, thanks to the presence of the pumping points (filled circles in the picture), which allow for stretching the distances through the addition of points. Roughly speaking, a pumping point can be replaced by one or more other points if needed in order to match the blueprint over the input word. Such a blueprint can be instantiated in two different ways in the plan depicted in Figure 4.3:

1. by instantiating tokens a, a, a in B with tokens (6, , , a, a, a in B with tokens (8, , , 18) in the plan, respectively.

Contrarily, blueprint B cannot be instantiated by associating a with (1, 6) in the plan because, even though the state variable and the value of a match the ones of (1, x ending before point 1 in the plan, meaning that the relative positioning of tokens imposed by B cannot be fulfilled.

Now, let B be the set of blueprints, and note that, by Definition 4.24, it follows that |B| ∈ O(M · K^M · K^M · |SV|^M · |V|^M · M), i.e., the number of blueprints is at most exponential in the size of P. We can now formally define how a word matches a given blueprint.

Definition 4.25 — Fulfilment of rules by blueprints. Let R = a[x = v] → E ∨ … ∨ E_k be a synchronisation rule, and consider a blueprint B = (m, f_s, f_e, f_SV, f_V, P). We say that B fulfils R, written B ⊨ R, if there is an existential statement E_i = ∃a[x = v] … a_m[x_m = v_m].
α ∧ ··· ∧ α_h such that:

1. f_SV(j) = x_j and f_V(j) = v_j for each 1 ≤ j ≤ m;
2. each α_j ≡ T ≤[l,u] T′ is satisfied by an atomic evaluation λ_j such that:
   (a) λ_j interprets start(a_k) and end(a_k) as, respectively, f_s(k) and f_e(k);
   (b) if u ≠ +∞, then [⟦T⟧_{λ_j}, ⟦T′⟧_{λ_j}] ∩ P = ∅;

[Figure 4.3: A run of the automaton (a) over a word w (b) associated with the plan π (c); states contain blueprints B and B (d). Panels: (a) the run as a sequence of sets of viewpoints (B, k); (b) the word σ; (c) the plan π as tokens of the two state variables; (d) the two blueprints with their f_s, f_e, f_SV, f_V and pumping points.]

Blueprints are, in some sense, static, representing a priori a possible arrangement of tokens through the entire plan. A viewpoint, instead, tracks the current state of matching of a blueprint over the current word. More precisely, a viewpoint is a pair (B, k), where B is a blueprint and −1 ≤ k ≤ K is the current point up to which the blueprint has correctly matched over the word that is being scanned by the automaton. States of the automaton are sets of viewpoints, as can be seen in the example run of the automaton shown in Figure 4.3a. In other terms, if, after reading the token symbol σ_i in the input word σ, the automaton reaches a state that contains the viewpoint (B, k), then point k of B is matched with point i of the input plan/word.

The set of viewpoints is denoted by V. Its size is at most exponential in the size of P, that is, |V| ∈ O(K · |B|). We say that a viewpoint (B, k), with B = (m, f_s, f_e, f_SV, f_V, P), is closed if k ≥ max(Img(f_e)), and is initial if k = −1. If k is a pumping point of B, then the automaton computation can (nondeterministically) move to a state where viewpoint (B, k) is left unchanged, while the input head moves from σ_i to σ_{i+1}, meaning that the k-th point of the blueprint is associated with both points i and i + 1 of the plan. In this way, several points of the plan are abstracted together. Being in a pumping point k is a necessary condition for a viewpoint to be allowed to pump the blueprint at point k, that is, to keep its pointer still while the input head moves to the next token symbol and the computation moves to the next step; however, it is not a sufficient one.
To define when a viewpoint can pump the blueprint, we introduce the notions of active variables (and their values) in a viewpoint, as well as that of pumping symbol for a viewpoint. Let value : V × SV → V ∪ {⊥} be a partial function that returns the value of a state variable x in a viewpoint V, defined as: value(V, x) = v if there is an i such that f_s(i) ≤ k < f_e(i), f_SV(i) = x and f_V(i) = v, and value(V, x) = ⊥ otherwise. Thanks to the disjointness of the tokens for x in the blueprint (condition 4 in Definition 4.24), value is well defined. This disjointness condition directly follows from the definition of timeline (Definition 2.2), and plays a major role in the construction. A variable x ∈ SV is active in V if value(V, x) is defined.

Definition 4.26 — Pumping symbol. Let B be a blueprint with set of pumping points P. A token symbol σ ∈ Σ is a pumping symbol for a viewpoint V = (B, k) if k ∈ P ∪ {−1} and σ(x) = □ for every x that is active in V.

Intuitively, a viewpoint V is allowed to pump when the next symbol read by the automaton is a pumping symbol for V. The second part of the condition (σ(x) = □ for all active variables x) reflects the fact that a point in a blueprint cannot hide a point that corresponds in the input plan to the end of the active token: this would cause the active token to span two or more tokens in the plan, thus violating the (qualitative) structure of the plan itself.

Besides pumping, a viewpoint can evolve during the computation by synchronising with the plan, that is, the pointer of the viewpoint moves along the blueprint as the input head moves along the plan. In this case, we say that the viewpoint steps upon reading a given token symbol. This is captured by means of the following notions. A viewpoint V = (B, k), with B = (m, f_s, f_e, f_SV, f_V, P), is said to start (end) a state variable x if there is an i such that f_SV(i) = x and f_s(i) = k (f_e(i) = k).

Definition 4.27 — Step symbol.
Let V = (B, k) be a viewpoint. A token symbol σ ∈ Σ is a step symbol for V if:

1. for all x ∈ SV, if (B, k + 1) starts x, then it holds that value((B, k + 1), x) = σ(x);
2. for all x ∈ SV with x being active in V, (B, k + 1) ends x if and only if σ(x) ≠ □.

The evolution of viewpoints along computations can be described by means of a ternary relation → ∈ V × Σ × V, defined as follows: (V, σ, V′) ∈ →, with V = (B, k), if and only if one of the following holds:

1. σ is a pumping symbol for V and V′ = V;
2. σ is a step symbol for V and V′ = (B, k + 1);
3. V is closed and V′ = V.

In the following, we use the more intuitive notation V →_σ V′ for (V, σ, V′) ∈ →. It is worth noticing that the notions of pumping and step symbols are not mutually exclusive, meaning that a symbol can be both a pumping and a step symbol for a given viewpoint. Consequently, a viewpoint V = (B, k) can pump and step at the same time, thus leading to a state containing the two viewpoints V = V (obtained through pumping) and V = (B, k + 1) (obtained through stepping). Roughly speaking, in such a case the viewpoint splits into two copies, that is, two viewpoints with the same blueprint but different pointers. Such a splitting corresponds to different instantiations of the same blueprint in order to satisfy a synchronisation rule that is triggered by different tokens in the plan.

Figure 4.3a depicts how viewpoints based on blueprints B and B (shown in Figure 4.3d) evolve with respect to the word σ (Figure 4.3b): stepping is represented through solid arrows, pumping is represented through dashed ones. Let us focus on blueprint B. As already pointed out, it can be used to certify the fulfilment of synchronisation rule R_ex shown above, when triggered by (6, 8) and (8, different instantiations: a is associated with (6, , 12) in the other. This is done by exploiting the above described splitting mechanism.
At the beginning, after reading the first token symbol (σ = {x ↦ v, x ↦ v}), the viewpoint V = (B, 0) is created, thus establishing the correspondence between point 0 in B and point 0 in the plan. It is easy to check that σ = {x ↦ v, x ↦ □} is a step symbol (but it is not a pumping one) for V, thus the computation leads to viewpoint V = (B, σ = {x ↦ v, x ↦ □}, the state contains viewpoint V = (B, σ is both a pumping and a step symbol for V, viewpoint V splits into V′ = V and V = (B, V (created through stepping) establishes a correspondence between point 4 in B and point 6 in the plan, thus commencing the instantiation of token (4, 6) in B with (6, 8) in the plan (which is a trigger for R_ex). On the other hand, viewpoint V′ (created through pumping) will be used to fulfil R_ex when it will be triggered by token (8, 12) in the plan. To this end, V′ will pump point 3 until token symbol σ = {x ↦ v, x ↦ □} is reached; at that point, it steps to viewpoint V′ = (B, , 6) in B with (8, 12) in the plan (which is another trigger for R_ex).

THE AUTOMATA CONSTRUCTION

We are now ready to define the NFA we are looking for. As a matter of fact, it is obtained by intersecting two simpler automata, E_P and A_P. The first checks that the word respects the basic syntactic requirements needed to correspond to an actual event sequence over SV, while the second actually exploits the machinery defined above to accept only words that represent solutions for the problem. As in the rest of the chapter, we can suppose to consider only timeline-based planning problems that do not use triggerless rules nor pointwise atoms, and that only contain trivial duration functions.
This means that the E_P automaton only has to check the transition function, so it is fairly straightforward to build it in such a way that a word σ is accepted by E_P if and only if σ correctly represents an event sequence over SV. Let us therefore focus on A_P, which does the greatest part of the work. It is defined as A_P = (2^V, Σ, Q, F, Δ), where:

1. 2^V is the finite set of states (states are sets of viewpoints), whose size is 2^|V|, that is, at most doubly exponential in the size of P;
2. Σ is the input alphabet;
3. Q ⊆ 2^V is the set of initial states, such that Υ ∈ Q if and only if k = −1 for every (B, k) ∈ Υ;
4. F ⊆ 2^V is the set of final states, defined as: F = {Υ ⊆ V | V is closed for all V ∈ Υ};
5. Δ ⊆ 2^V × Σ × 2^V is the transition relation, which reflects the aforementioned transition →. Roughly speaking, a set of viewpoints Υ evolves into another one, say it Υ′, upon reading token symbol σ if, and only if, each viewpoint V ∈ Υ evolves into a viewpoint V′ ∈ Υ′ according to the → relation and, vice versa, each viewpoint V′ ∈ Υ′ is the image of a viewpoint V ∈ Υ with respect to relation →. Formally, (Υ, σ, Υ′) ∈ Δ if and only if:
   (a) if Υ ∈ Q, then σ is a starting symbol;
   (b) for each V ∈ Υ, there exists V′ ∈ Υ′ such that V →_σ V′;
   (c) for each V′ ∈ Υ′, there exists V ∈ Υ such that V →_σ V′;
   (d) if there is a synchronisation rule R = a[x = v] → E ∨ … ∨ E_h in S such that σ(x) = v, then there exists (B, k) ∈ Υ′ such that B ⊨ R, (B, k) starts x, and value((B, k), x) = v.

For every token in the plan that triggers a synchronisation rule, condition 5d forces the existence of a viewpoint (B, k) to be used to satisfy that rule when triggered by that token.
In particular, this condition forces the split of a viewpoint in situations analogous to the one described above, that is, when the blueprint of the viewpoint must be used to satisfy a rule triggered by two different tokens of the plan: indeed, if the viewpoint were not split, then one of the two triggers would never be instantiated and the computation would halt when the token symbol corresponding to the beginning of such token is read, without reaching a final state. Instead, satisfaction of triggerless rules is guaranteed by the presence of suitable viewpoints in every initial state belonging to Q.

It is worth pointing out that A_P has two sources of nondeterminism: one is represented by the nondeterministic choice of the set of viewpoints contained in the initial states, while the other is given by viewpoints that can both pump and step in correspondence of some token symbol.

It can be seen that |A_P| ∈ O(|Σ| · |V|), that is, the size of A_P is at most doubly exponential in the one of P. After checking that the construction above actually captures the semantics of synchronisation rules, we proved the following result.

Theorem 10 — Recognising solution plans through NFAs. Let P be a planning problem. A nondeterministic finite automaton of size at most doubly exponential in the size of P can be built that accepts a non-empty language if and only if P admits a solution plan.

The automaton has doubly exponential size, but combining a classic reachability procedure (which runs in logarithmic space in the size of the automaton) with an on-the-fly generation of the nodes of the automaton, we can devise from this construction a decision procedure for the problem that actually runs in exponential space. This can then be seen as another proof of Theorem 8.

In this section, we show that the construction described in the previous section can be suitably adapted to deal with infinite timelines.
By extending the problem to infinite timelines, one can express recurrent goals, such as requiring certain facts to hold infinitely often during the execution of the system. Despite the existence of a number of natural application scenarios, to the best of our knowledge, the case of infinite plans has not been investigated in the context of timeline-based planning. Here, we show that the automata-theoretic approach described above can be naturally extended, by building a Büchi automaton instead of a normal NFA.

Formally, the definition of infinite timelines and infinite solution plans to a large extent coincides with the standard one: besides changing Definition 2.2 to consider infinite sequences of tokens, all the remaining definitions remain unchanged. The representation of plans through event sequences remains mostly unchanged, by considering infinite sequences of events. As a consequence, the encoding of plans as words is unchanged as well.

The automata construction shares most of its structure with the finite case. The E_P automaton can be defined in the same way, as it only has to take care of admitted transitions. Hence, we can directly turn to the definition of the infinite-word version of the A_P automaton, that we will call B_P. Given that Σ, Q and F are defined exactly as they have been defined in the previous section for A_P, the automaton is defined as B_P = (2^V × 2^V, Σ, Q × Q, 2^V × F, Δ_ω), where the set of states 2^V × 2^V is a set of pairs of what were states of A_P, and the transition relation Δ_ω ⊆ (2^V × 2^V) × Σ × (2^V × 2^V) is defined in such a way that ((Υ, Υ), σ, (Υ′, Υ′)) ∈ Δ_ω if and only if:

1. (Υ, σ, Υ′) ∈ Δ;
2. if Υ ∉ F, then (Υ, σ, Υ′) ∈ Δ;
3. if Υ ∈ F, then Υ′ = Υ′.

Intuitively, the automaton runs two copies of A_P in parallel.
The first computation, whose state is represented by Υ, proceeds exactly like a run of A_P and its goal is to ensure that every token that triggers a synchronisation rule is involved in some instantiation of a blueprint that satisfies the rule. However, due to the possible presence of recurrent goals, that is, rules imposing constraints to be verified infinitely often along the plan, such a component might never happen to reach states in F.

For this reason, we introduce a second copy of A_P, that is, the second component Υ, that works on separate, adjacent chunks of the input word, focusing each time on (previously triggered) synchronisation rules that have not yet been fulfilled at the beginning of the current chunk. When all these synchronisation rules (ignoring further synchronisation rules that might be triggered after the beginning of the chunk) have been satisfied (i.e., Υ ∈ F), the state (Υ, Υ) is final for the automaton B_P. With the next transition, leading to a new state (Υ′, Υ′), a new chunk is started by taking a snapshot of the first state component Υ′, that is, Υ′ is copied into Υ′. It is worth noticing that final states in B_P are determined only by the second component Υ, that is, (Υ, Υ) is a final state of B_P if and only if Υ is a final state of A_P, and that the state that follows a final one along a run of B_P, say it (Υ, Υ), satisfies Υ = Υ.

Moreover, note that finding a recurrent solution for a timeline-based planning problem (if any) is more general than finding a solution for it.
As a matter of fact, it is possible to show that a timeline-based planning problem P can be translated into a timeline-based planning problem P′ that only admits recurrent solutions, for which there exists a correspondence between solutions for P and solutions for P′ such that the former ones correspond to finite prefixes of the latter.

Finally, observe that the considerations made in the previous section on the size and the final state reachability check for the automaton A_P × E_P (obtained by intersecting A_P and E_P) still hold for the size and the final state recurrent reachability check for automaton B_P, thus yielding the following complexity characterisation for the problem of finding (infinite) recurrent solutions for timeline-based planning problems.

Theorem 11 — Complexity with infinite solution plans. Deciding whether a given timeline-based planning problem admits an infinite solution plan is EXPSPACE-complete.

CONCLUSIONS AND FURTHER WORK

In this chapter, we proved the first results regarding the computational complexity of timeline-based planning problems. Besides the results per se, the conceptual framework of rule graphs introduced and used to prove them is also of independent interest, as shown by how the concept will be used in the following chapters. Nevertheless, the consequences of their definition still need to be further explored. For example, Lemma 4.10 provides some criteria apt to simplify the structure of the synchronisation rules of a problem, removing some cases of redundant edges. However, rules are only considered in isolation, and the ability to identify edges that are redundant because of the interactions with other rules would have an important practical impact. Preprocessing techniques apt to reduce the magnitude of edge bounds are also an interesting development.

Our complexity analysis may be further refined in the future. In particular, finding tractable fragments is an important task for problems of such a high complexity.
Since an exponential jump in the complexity comes from the succinct representation of edge bounds, the complexity of the problem with limited bounds and/or with only unbounded edges is conjectured to decrease to PSPACE. A complete parameterised complexity analysis, in the style of the work done by Bäckström et al. [11] on classical planning, would perfectly complete the picture.

The infrastructure based on matching records, built to show Theorem 8, may also be adapted in the future to solve related problems. In particular, matching records may form the basis of a monitoring procedure, enabling the construction of runtime verification tools [83] for timeline-based systems.

Section 4.4 used an automata-theoretic argument to prove that the problem over infinite solution plans is EXPSPACE-complete as well. Although interesting, this automata-theoretic approach is still in its infancy. Indeed, the shown decision procedure exploits the fact that the doubly-exponentially sized automaton resulting from the construction can be generated on-the-fly during a nondeterministic procedure. However, while theoretically this ensures that a deterministic procedure with the same space bound exists, the resulting algorithm will hardly be applicable in practice. In order to leverage the existing huge corpus of automata-theoretic research and software tools, a more expressive and more succinct class of automata (with a consequently harder emptiness problem) needs to be found to encode the problem into a more succinct automaton that can then be effectively manipulated.

As a last remark, note that the problem of timeline-based planning over infinite plans, handled in many systems in terms of repeated problems with bounded horizon, has never been explicitly studied in the literature. However, the problem has quite natural use cases, deserving to be further investigated.
TIMELINE-BASED PLANNING WITH UNCERTAINTY

The ability of properly integrating planning and execution is one of the flagship features of timeline-based planning systems. Current systems employ the notion of flexible plan to handle the temporal uncertainty that inherently arises when interacting with the environment in order to execute a plan. In this chapter, after discussing some limitations of the current approach, we propose and study the concept of timeline-based games, our take at timeline-based planning problems with uncertainty.

INTRODUCTION

The most important feature of existing timeline-based planning systems is certainly that of integrating the planning and execution phases under a unified framework. Issues related to uncertainty have been ignored in Chapters 3 and 4, in order to simplify the starting point for the discussion, providing the foundational results about expressiveness and complexity of timeline-based planning languages and problems. It is now time to add uncertainty back to the picture. Rather than simply extending our results to the flexible timelines setting, a path which would certainly be worth exploring, this chapter takes a more proactive approach. First, in the rest of this section, we highlight a few limits of the current approach to uncertainty based on flexible plans. Then, Section 5.2 introduces timeline-based games, an extension to timeline-based planning problems with uncertainty that addresses the considered issues. Then, Section 5.4 addresses the problem of finding a winning strategy for a given timeline-based game, showing the complexity of the problem.

The whole discussion revolves around the notion of nondeterminism. The design of most timeline-based planning systems, and of the formal framework by Cialdea Mayer et al. [44] in particular, has been intentionally tailored to the handling of temporal uncertainty, i.e., uncertainty about when things will happen, disregarding general forms of nondeterminism, i.e., uncertainty about what will happen.
Indeed, as defined in Section 2.3, flexible plans are intrinsically sequential objects, that cannot represent any choice about how the execution of the plan can proceed if not regarding the timing of events. This is, as stated multiple times, an intentional design choice of these systems.

In the meantime, the action-based planning community has studied how to handle general nondeterminism quite extensively in the past years, following different approaches such as, for instance, reactive planning systems [13], deductive planning [130], POMDPs [78], model checking [49], and, especially, fully observable nondeterministic planning (FOND planning) [100, 101], which was also recently solved considering temporally extended goals [25, 112]. On the other hand, these approaches to nondeterministic action-based planning do not support flexible plans and temporal uncertainty, and do not account for controllability issues. Recently, SMT-based techniques have been exploited to deal with uncontrollable durations in strong temporal planning [46], but dynamic controllability issues are not addressed.

It seems therefore that the two worlds have evolved in different and incomparable ways. On one side, timeline-based planning supports specifically temporal uncertainty but does not consider general nondeterminism. On the other side, action-based planning considers general nondeterminism but does not explicitly support temporal uncertainty. However, the explicit focus of timeline-based planning on temporal uncertainty does not imply that handling general nondeterminism would be useless in the common application scenarios of these systems. As explained in Section 2.3, the external variables in timeline-based planning problems with uncertainty are used more to express known facts about what will happen, rather than components of a full-fledged external entity running alongside the planned system.
To this end, planning problems include a flexible plan,the observation , describing the behaviour of external variables up to the giventemporal flexibility. The definition of the various forms of controllability thenassumes that the behaviour of the environment follows what is stated by theobservation. This is perfectly fine in some scenarios but limiting in others. Forexample, in collaborative robotics domains where the PLATINUm planningsystem was designed to be deployed [134], the controlled system has to co-operate with human agents, hence a true reactive behaviour is required andstrong assumptions about the environment choices are not available. To copewith this need, many timeline-based systems have employed a feedback loopbetween the planning and execution phases, which includes a failure manager that senses when the execution is deviating from the assumed observation, andtriggers a re-planning phase if necessary, devising a new flexible plan and adynamic execution strategy that can be used to resume execution. However,the re-planning phase can be expensive to perform on-the-fly, limiting thereal-time reactivity of the system.Moreover, even when ignoring the issue noted above, the relationshipbetween temporal uncertainty, nondeterminism, and timeline-based planninglanguages turns out to be more complex than anticipated. As a matter of fact,even explicitly focusing on temporal uncertainty, timeline-based planninglanguages are still able to express scenarios where handling nondeterminismin a more general way is required. To see what we mean, consider a timeline-based planning problem with uncertainty P = ( SV C , SV E , S, O ), with a singlecontrolled state variable x ∈ SV C with V x = { v , v , v } , SV E = ∅ , and S consistingof the following synchronisation rules: a [ x = v ] → ∃ b [ x = v ] . end ( a ) ≤ [0 , start ( b ) ∧ start ( a ) ≤ [0 , end ( a ) ∨ ∃ c [ x = v ] . end ( a ) ≤ [0 , start ( c ) ∧ start ( a ) ≤ [6 , end ( a ) (cid:62) → ∃ a [ x = v ] . 
start ( a ) = 0Suppose that D x ( v ) = [1 , 10] for all v ∈ V x , and that tokens where x = v areuncontrollable, i . e ., γ x ( v ) = u and γ x ( v ) = γ x ( v ) = c . The rules require thecontroller to start the execution with a token where x = v , followed by a token where either x = v or x = v depending on the duration of the first token. Thisscenario is, intuitively, trivial to control. The system must execute x = v as afirst token due to the second rule. Then, the environment controls its duration,and the system simply has to wait for the token to end, and then execute either x = v or x = v depending on how long the first token lasted. However, thereare no flexible plans that represent this simple strategy, since each given planmust fix the value of every token in advance. To guarantee the satisfaction ofthe rules, the value to assign to x on the second token must be chosen during theexecution, but this is not possible because of the exclusively sequential natureof flexible plans. In this case, therefore, the problem would be considered asunsolvable, even if the goals stated by the rules seem simple to achieve.The problem above stems from the inherently sequential nature of flexibleplans, which cannot represent the need for a choice to be made during execu-tion other than regarding the timings of events. However, the example showshow the syntax of the language supports the modelling of scenarios wheremaking qualitative choices depending on the environment nondeterministic be-haviour is needed. Note that this is a di ff erent situation to that of deterministic action-based languages such as PDDL. In these languages, nondeterminismis not supported and simply cannot enter the picture. To support modellingnondeterministic behaviour, PDDL has to be extended with syntactic elementsuseful for the purpose ( e . g ., the anyof keyword for nondeterministic e ff ects). 
Inthis case, instead, the basic syntax of the language is su ffi cient to express suchscenarios, but the way solutions are represented is incapable of representingtheir solutions. In logical terms, one may say that dynamically controllableflexible plans do not provide a complete semantics for timeline-based planningwith uncertainty. One may suppose that this expressive power comes from disjunctions in synchronisation rules, which allows us to compose the aboveexample, but results such as Theorem 6 of Chapter 3 show how their presenceis essential even to express simple deterministic scenarios, hence the gap cannotbe filled by removing them.It can be seen that scenarios like the one above would immediately arisewhen trying to encode any kind of nondeterministic action-based problemsuch as fully observable nondeterministic (FOND) planning problems. Hence,extending to nondeterministic planning the results of Chapter 3 is impossible.The key point, however, is that a syntactic representation of a FOND planningproblem would be perfectly feasible, similarly to the encoding for classicalplanning gave in Theorem 6, which, however, would lack a proper semantics,corresponding to FOND policies , to express its solutions. Timeline-based games 93 In this chapter, we propose and study an extension to timeline-based plan-ning problems with uncertainty, called timeline-based games , which addressesboth the issues outlined above by treating temporal uncertainty and generalnondeterminism in a uniform way. Timeline-based games are two-player turn-based perfect-information games where the players play by executing the startand end endpoints of tokens, building a set of timelines. 
The first player,representing the controller, wins the game if it can manage to build a solutionplan for a given timeline-based planning problem, independently from thebehaviour of the second player, which represents the environment.In Section 5.2, after defining the structure of these games, we show thatthey can capture the semantics of timeline-based planning problems withuncertainty, in the sense that for any such problem there is a game wherethe controller has a winning strategy if and only if the problem admits adynamically controllable flexible plan. Moreover, we show that they strictlysubsume the approach based on flexible plans, by showing how the aboveexample can be modelled into a timeline-based game that admits a winningstrategy for the controller.Then, we address the problem of finding a winning strategy for such games,showing, in Section 5.4, that the problem of deciding whether the controller hasa winning strategy for a given timeline-based planning game is in .The decision procedure heavily exploits the framework of rule graphs definedin Chapter 4. Whether this upper bound is strict is still an open question. This section introduces the timeline-based games , our game-theoretic approachto the handling of uncertainty in timeline-based planning. We first describetheir general mechanism, including the winning condition, and then go indetail on how they relate to dynamically controllable flexible plans and theissues brought up in Section 5.1.Intuitively, a timeline-based game is a turn-based, two-player game playedby the controller, Charlie , and the environment, Eve . By playing the game,the players progressively build the timelines of a scheduled plan (see Defini-tion 2.4). At each round, each player makes a move deciding which tokens tostart and/or to stop and at which time. Both players are constrained by the set D of domain rules, which describe the basic rules governing the world. 
Domain rules replace the observation carried by timeline-based planning problems with uncertainty (Definition 2.19), but generalise it, allowing one to freely model the interaction between the system and the environment. Note that domain rules are not intended to be Eve's (nor Charlie's) goals, but, rather, a set of background facts about how the world works that can be assumed to hold at any time. Since neither player can violate D, the strategy of each player may safely assume the validity of such rules. In addition, Charlie is responsible for satisfying the set S of system rules, which describe the rules governing the controlled system, including its goals. Charlie wins if, assuming Eve behaves according to the domain rules, he manages to construct a plan satisfying the system rules. In contrast, Eve wins if, while satisfying the domain rules, she prevents Charlie from winning, either by forcing him to violate some system rule, or by indefinitely postponing the fulfilment of his goals.

Let us immediately start by defining timeline-based games themselves.

Definition 5.1 — Timeline-based game.
A timeline-based game is a tuple G = (SV_C, SV_E, S, D), where SV_C and SV_E are the sets of, respectively, the controlled and the external variables, and S and D are two sets of synchronisation rules, respectively called system and domain rules, involving variables from both SV_C and SV_E.

During the game, the current state of the play can be seen as a partially built plan, where at any given time some tokens will be waiting to be completed. A partial plan is such a plan, where each timeline might be incomplete. In Chapter 4 we already met objects apt to represent partially built plans: the event sequences (Definition 4.1). Event sequences closed on the left (Definition 4.2) exactly represent a plan that is being built going forward in time.

Definition 5.2 — Partial plan.
Let G = (SV_C, SV_E, S, D) be a timeline-based game. A partial plan for G is an event sequence µ over SV_C ∪ SV_E, closed on the left.

Let Π_G be the set of all possible partial plans for G, or simply Π when there is no ambiguity. It is worth stressing again that the plan being built by the players, represented by the partial plan, is a scheduled plan, not a flexible one. The uncertainty is moved to the ignorance about what the next moves of Eve will be at each step. Partial plans can be either open or closed on the right depending on the particular moment of the game, but they are always closed on the left. Since there is no ambiguity, we will simply say open or closed to mean open or closed on the right. Recall that δ(µ) denotes the duration of µ, that is, the distance in time between the last and the first events of the sequence, hence in our setting it can be interpreted as the time elapsed from the start of the game. Since ε counts as a closed event sequence and δ(ε) = 0, the empty partial plan ε is a good starting point for the game. Players thus incrementally build a partial plan, starting from ε, by playing actions that specify which tokens to start and/or end, producing an event that extends the event sequence, or complementing the already existing last event of the sequence. Recall from Definition 4.1 that actions are terms of the form start(x, v) or end(x, v), where x ∈ SV and v ∈ V_x, and that the set of possible actions over SV is denoted as 𝒜_SV, here just 𝒜 for simplicity. Actions of the former kind are called starting actions, and those of the latter kind are called ending actions. Then, we partition all the available actions into those that are playable by either of the two players.

Definition 5.3 — Partition of player actions.
The set 𝒜 of available actions over the set of state variables SV = SV_C ∪ SV_E is partitioned into the set 𝒜_C of Charlie's actions and the set 𝒜_E of Eve's actions, defined as follows:

𝒜_C = {start(x, v) | x ∈ SV_C, v ∈ V_x}            (start tokens on Charlie's timelines)
     ∪ {end(x, v) | x ∈ SV, v ∈ V_x, γ_x(v) = c}     (end controllable tokens)

𝒜_E = {start(x, v) | x ∈ SV_E, v ∈ V_x}            (start tokens on Eve's timelines)
     ∪ {end(x, v) | x ∈ SV, v ∈ V_x, γ_x(v) = u}     (end uncontrollable tokens)

Hence, players can start tokens for the variables that they own, and end the tokens that hold values that they control. It is worth noting that, in contrast to the original definition of timeline-based planning problems with uncertainty (Definition 2.19), Definition 5.3 admits cases where x ∈ SV_E and γ_x(v) = c for some v ∈ V_x, that is, cases where Charlie may control the duration of a variable that belongs to Eve. This situation is symmetrical to the more common one where Eve controls the duration of a variable that belongs to Charlie (i.e., uncontrollable tokens), and we have no need to impose any asymmetry. Actions are combined into moves that can start/end multiple tokens at once.

Definition 5.4 — Moves for Charlie.
A move µ_C for Charlie is a term of the form wait(δ_C) or play(A_C), where δ_C ∈ ℕ and ∅ ≠ A_C ⊆ 𝒜_C is a set of either all starting or all ending actions.

Definition 5.5 — Moves for Eve.
A move µ_E for Eve is a term of the form play(A_E) or play(δ_E, A_E), where δ_E ∈ ℕ and A_E ⊆ 𝒜_E is a set of either all starting or all ending actions.

Two different aspects of the mechanics of the game influence the above definitions. First, moves such as play(A_C) and play(δ_E, A_E) can play either only start(x, v) or only end(x, v) actions. A move of the former kind is called a starting move, while a move of the latter kind is called an ending move. Note that empty moves play(δ_E, ∅) can be considered both starting and ending moves. Moreover, we consider wait moves as ending moves. In some sense, starting and ending moves have to be alternated during the game.

Second, the two players can play the two different sets of moves defined above, hence we denote as M_C the set of moves playable by Charlie, and as M_E the set of moves playable by Eve. Charlie can choose to play some actions to start/end a set of tokens, by playing a play(A_C) move, or to do nothing and wait a certain amount of time by playing a wait(δ_C) move. Charlie plays first at each round, as will be formally stated later, hence Eve can reply to Charlie's move by playing a play(A_E) move in response to a play(A_C) move by Charlie, and a play(δ_E, A_E) move in response to a wait(δ_C) move by Charlie. If Charlie plays a play(A_C) move, the given actions are applied immediately, in a specific sense defined later, and Eve replies by specifying what happens to her variables at the same time point. Instead, if Charlie plays a wait(δ_C) move to wait some amount of time δ_C, there is no reason why Eve should be forced to wait the same amount of time without doing anything, so she can play a play(δ_E, A_E) move, specifying an amount δ_E ≤ δ_C, so that the actions in A_E will be applied accordingly, interrupting the wait of Charlie, who can then timely reply to Eve's actions. This is formalised as the following notion of round.

Definition 5.6 — Round.
A round ρ is a pair (µ_C, µ_E) ∈ M_C × M_E of moves such that:
1. µ_C and µ_E are either both starting or both ending moves;
2. either ρ = (play(A_C), play(A_E)), or ρ = (wait(δ_C), play(δ_E, A_E)) with δ_E ≤ δ_C.

A starting (ending) round is one made of both starting (ending) moves. Note that since Charlie cannot play empty play moves and wait moves are considered ending moves, each round is unambiguously either a starting or an ending round. We can now define how a round is applied to the current partial plan to obtain the new one.

Definition 5.7 — Outcome of rounds.
Let µ = ⟨µ, …, µ_n⟩ be a partial plan, with µ_n = (A_n, δ_n), let ρ = (µ_C, µ_E) be a round, δ_E and δ_C the time increments of the moves (δ_C = δ_E = 1 for play(A) moves), and let A_E and A_C be the sets of actions of the two moves (A_C is empty if µ_C is a wait move). The outcome of ρ on µ is the event sequence ρ(µ) defined as follows:
1. if ρ is a starting round, then ρ(µ) = µ

Together, Definitions 5.6 and 5.7 finally define the mechanics of the game, which can now be fully clarified. The game starts from the empty partial plan ε, and players play in turn, composing a round from the move of each one, which is applied to the current partial plan to obtain the new one. Let µ be the current partial plan. At each step of the game, both players can either only stop the execution of a set of tokens, by playing an ending round, or start the execution of a set of others, by playing a starting round (Item 1 of Definition 5.6). This does not mean that at each time point in the constructed plan only one of the two things can happen, but that the ending and starting actions of each event are contributed separately in two phases. When a starting round is played, its actions are added to the last event of the round (and indeed, since no time amount needs to be specified, note that starting rounds can only be made of play(A) moves). In contrast, when an ending round is played, the corresponding actions form an event that is appended to µ, so that δ(ρ(µ)) > δ(µ). Then, the next round, which must be a starting round by Item b) of Definition 5.7, can start the new tokens following the ones that were just closed. Note that Items a) and b) of Definition 5.7 together ensure that a) the played actions make sense with regard to the current partial plan being built (such as the fact that a token can be closed only if it was open, etc., see Definition 4.1), and b) that time cannot stall, by forcing starting rounds to be immediately followed by ending ones.

Having defined the mechanics of the game, we now need to define the winning condition for the players, for which we define the notion of strategy.

Definition 5.8 — Strategy for Charlie.
A strategy for Charlie is a function σ_C : Π → M_C that maps any given partial plan µ to a move µ_C applicable to µ.

Definition 5.9 — Strategy for Eve.
A strategy for Eve is a function σ_E : Π × M_C → M_E that maps a partial plan µ and a move µ_C ∈ M_C applicable to µ, to a move µ_E such that ρ = (µ_C, µ_E) is applicable to µ.

A sequence ρ = ⟨ρ, …, ρ_n⟩ of rounds is called a play of the game. A play is said to be played according to some strategy σ_C for Charlie if, starting from the initial partial plan µ = ε, it holds that ρ_i = (σ_C(Π_{i−}), µ^i_E), for some µ^i_E, for all 0 < i ≤ n, and to be played according to some strategy σ_E for Eve if ρ_i = (µ^i_C, σ_E(Π_{i−}, µ^i_C)), for all 0 < i ≤ n. It can be seen that for any pair of strategies (σ_C, σ_E) and any n ≥ 0, there is a unique run ρ_n(σ_C, σ_E) of length n played according to both σ_C and σ_E.

It is worth noting that, according to our definition of strategy, Charlie can base his decisions only on the previous rounds of the game, not including Eve's move at the current round. However, Charlie can still react immediately, in some sense, to decide which token to start after an uncontrollable one is closed by Eve, because of the alternation between starting and ending rounds. Hence Charlie can choose the starting actions of an event depending on the ending actions of that same event, but the contrary is not true: after Eve closes a token, Charlie has to wait at least one time step to react to that move with an ending action. This design choice is crucial to replicate and capture the semantics of dynamically controllable flexible plans, as will be detailed in Section 5.3.

As for the winning condition, we have to formalise the intuition given at the beginning of the section, regarding the role of domain rules and system rules. Charlie wins if, assuming domain rules are never broken, he manages to satisfy the system rules no matter how Eve plays. Thus, let G = (SV_C, SV_E, S, D) be a planning game. To evaluate the satisfaction of the two sets of rules over the current partial plan, we proceed as follows. First, we define from G two timeline-based planning problems (as in Definition 2.12), P_D = (SV, D) and P_S = (SV, S). Then, given a partial plan µ, we consider the scheduled plan π_µ′ corresponding to the event sequence µ′ obtained by closing µ at time δ(µ), i.e., completing the last event of µ in such a way as to close any open token. Then, we say that a partial plan µ, and the play ρ such that µ = ρ(ε), are admissible if π_µ′ ⊨ P_D, i.e., if the partial plan satisfies the domain rules, and are successful if both π_µ′ ⊨ P_D and π_µ′ ⊨ P_S, i.e., if the partial plan satisfies both the domain and the system rules.

Definition 5.10 — Admissible strategy for Eve.
A strategy σ_E for Eve is admissible if for each strategy σ_C for Charlie, there is a k ≥ such that the play ρ_k(σ_C, σ_E) is admissible.

Definition 5.11 — Winning strategy for Charlie.
Let σ_C be a strategy for Charlie. We say that σ_C is a winning strategy for Charlie if for any admissible strategy σ_E for Eve, there exists an n ≥ such that the play ρ_n(σ_C, σ_E) is successful.

We say that Charlie wins the game G if he has a winning strategy, while Eve wins the game if a winning strategy does not exist.

To see an example, consider a timeline-based game G = (SV_C, SV_E, S, D) with two variables x ∈ SV_C and y ∈ SV_E, V_x = V_y = {go, stop}, unit duration, and the sets of rules defined as follows:

S = { a[x = stop] → ∃b[y = stop]. end(b) = start(a),
      ⊤ → ∃a[x = stop]. ⊤ }
D = { ⊤ → ∃a[y = stop]. ⊤ }

Here, Charlie's ultimate goal is to realise x = stop, but this can only happen after Eve has realised y = stop. This is guaranteed to happen, since we consider only admissible strategies. Hence, the winning strategy for Charlie only chooses x = go until Eve chooses y = stop, and then wins by executing x = stop. If D were instead empty, a winning strategy would not exist, since a strategy that never chooses y = stop would be admissible. This would therefore be a case where Charlie loses because Eve can indefinitely postpone his victory.

5.3 Timeline-based games and flexible plans

Let us now compare the concept of dynamic controllability of flexible plans, as defined in [44], with the existence of winning strategies for timeline-based planning games, and show the greater generality of the latter concept.

The first step is to back the claim of this greater generality. Hence, we prove that, given a flexible solution plan for a timeline-based planning problem with uncertainty, we can reduce the problem of the dynamic controllability of the plan to the existence of a winning strategy for a particular game. To this aim, we need a way to represent as a game any given planning problem with uncertainty together with its flexible plan. Intuitively, this can be done by encoding the observation O into suitable domain rules.
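Going back to the go/stop game of Section 5.2, the following is an added example (not the thesis's own code) that simulates its rounds according to Definitions 5.3 to 5.11 and checks Charlie's strategy against a family of Eve's strategies. Beyond what the text states, it assumes that Charlie controls the duration of x's tokens and Eve that of y's, that with unit duration every ending round is a play round advancing time by one, and our own reading of the outcome of rounds, since Definition 5.7 is only partially reproduced above.

```python
from dataclasses import dataclass, field

# Constructed toy game (assumptions, see lead-in): x is Charlie's variable, y is Eve's,
# both with values {go, stop}; every token lasts exactly one time unit.

@dataclass
class Event:
    """One event of a partial plan: time since the previous event plus its actions."""
    delta: int
    ends: set = field(default_factory=set)    # end(x, v) actions, written (x, v)
    starts: set = field(default_factory=set)  # start(x, v) actions, written (x, v)

def duration(plan):
    """δ(µ): time elapsed since the start of the game."""
    return sum(e.delta for e in plan)

def starting_phase(plan):
    """True when the next round must be a starting round (start/end rounds alternate)."""
    return not plan or not plan[-1].starts

def tokens(plan):
    """Tokens (var, value, start, end) of µ, closing open tokens at δ(µ) as in Section 5.2."""
    out, opened, t = [], {}, 0
    for e in plan:
        t += e.delta
        for x, v in e.ends:
            v0, s = opened.pop(x)
            assert v0 == v, "only the open token of a variable can be ended"
            out.append((x, v, s, t))
        for x, v in e.starts:
            assert x not in opened, "a variable has at most one open token"
            opened[x] = (v, t)
    return out + [(x, v, s, t) for x, (v, s) in opened.items()]

def unit_durations(plan):
    """The closed plan is a scheduled plan only if every token lasts one time unit."""
    return all(e - s == 1 for _, _, s, e in tokens(plan))

def satisfies_domain(plan):
    """D: ⊤ → ∃a[y = stop]. ⊤  (Eve must eventually realise y = stop)."""
    return any(x == "y" and v == "stop" for x, v, _, _ in tokens(plan))

def satisfies_system(plan):
    """S: ⊤ → ∃a[x = stop]. ⊤  and  a[x = stop] → ∃b[y = stop]. end(b) = start(a)."""
    toks = tokens(plan)
    x_stop = [tok for tok in toks if tok[0] == "x" and tok[1] == "stop"]
    y_stop_ends = {e for x, v, _, e in toks if x == "y" and v == "stop"}
    return bool(x_stop) and all(s in y_stop_ends for _, _, s, _ in x_stop)

def successful(plan):
    """A successful partial plan satisfies both the domain and the system rules."""
    return unit_durations(plan) and satisfies_domain(plan) and satisfies_system(plan)

def charlie(plan):
    """σ_C: Π → M_C. Start x = stop exactly when Eve has just closed a y = stop token,
    otherwise keep playing x = go; in ending rounds close the open x token."""
    if starting_phase(plan):
        just_stopped = bool(plan) and ("y", "stop") in plan[-1].ends
        return {("x", "stop" if just_stopped else "go")}
    return {("x", next(v for x, v in plan[-1].starts if x == "x"))}

def eve(stop_at):
    """σ_E: Π × M_C → M_E. Eve starts y = stop at time `stop_at` (never, if None)."""
    def strategy(plan, charlie_move):
        if starting_phase(plan):
            return {("y", "stop" if duration(plan) == stop_at else "go")}
        return {("y", next(v for x, v in plan[-1].starts if x == "y"))}
    return strategy

def apply_round(plan, a_c, a_e):
    """Outcome of a round of play moves (our reading of Definition 5.7): starting
    actions join the last event, ending actions form a new event one unit later."""
    if starting_phase(plan):
        last = plan[-1] if plan else Event(0)
        return plan[:-1] + [Event(last.delta, set(last.ends), set(last.starts) | a_c | a_e)]
    return plan + [Event(1, a_c | a_e)]

def play(sigma_c, sigma_e, max_rounds):
    """Play from ε; return (plan, True) as soon as a successful prefix is reached."""
    plan = []
    for _ in range(max_rounds):
        mc = sigma_c(plan)
        plan = apply_round(plan, mc, sigma_e(plan, mc))
        if successful(plan):
            return plan, True
    return plan, False

if __name__ == "__main__":
    for k in range(4):
        plan, won = play(charlie, eve(k), 20)
        print(f"Eve stops at t={k}: Charlie wins={won}, δ(µ)={duration(plan)}")
    plan, won = play(charlie, eve(None), 20)
    print("Eve never stops: wins =", won, "| domain rules satisfied:", satisfies_domain(plan))
```

The last run shows the case discussed in the text: an Eve that never plays y = stop violates D (so she is not admissible), whereas with D empty the same strategy would be admissible and Charlie could never win.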
The game associated with a problem therefore mimics the exact setting described by the problem. What follows shows how such a game is built and which relationship exists between its winning strategies and dynamically controllable flexible plans for the original problem.

Theorem 12 — Winning strategies vs dynamic controllability.
Let P be a timeline-based planning problem with uncertainty, and suppose that P admits a flexible solution plan Π. Then, a timeline-based game G_{P,Π} can be built, in polynomial time, such that Π is dynamically controllable if and only if Charlie has a winning strategy for G_{P,Π}.

Proof. Let P = (SV_C, SV_E, S, O) be a timeline-based planning problem with uncertainty and Π = (π, R) a flexible solution plan for P. We can build an equivalent timeline-based game G_{P,Π} = (SV_C, SV_E, S, D) by keeping SV_C and SV_E unchanged, and then suitably encoding the observation O and the flexible plan Π into, respectively, the set of domain rules D and the set of system rules S. In this way, Eve's behaviour will be constrained to follow what is dictated by the observation, replicating the semantics of timeline-based planning problems with uncertainty, and the behaviour of Charlie will follow by construction what is stated by the flexible plan.

To proceed, let SV_E = {x, …, x_n}, O = (π_E, R_E), and τ_i = π_E(x_i) = ⟨τ_i, …, τ_{i k_i}⟩, for some k_i and all x_i ∈ SV_E, with τ_{ij} = (x_i, v_{ij}, [e_{ij}, E_{ij}], [d_{ij}, D_{ij}]). Finally, let R_E = {α, …, α_m}. The set D can encode the whole observation by a single triggerless rule stating that: (1) the tokens τ_{ij} are required to exist, (2) their (a) position in the sequence, and (b) the end time and duration flexibility ranges correspond to the plan, and (3) the atoms in R = {α, …, α_{|R|}} are satisfied. Such a rule can be written as follows:

⊤ → ∃τ[x = v], …, ∃τ_{n k_n}[x_n = v_{n k_n}]. (1) ∧ ⋀_{1 ≤ i ≤ n, ≤ j}

(Footnote: Because of the great computational complexity mismatch, this is of course not a way to solve the dynamic controllability problem in practice, but it shows the greater generality of the formalism.)

Charlie needs to be able to react to the end of each uncontrollable token by starting the next token immediately after. For this reason, it is important that, as noted in Section 5.2.2, Charlie has the ability to decide which tokens to start in a starting round of the game based on which were closed in the previous ending round. On the contrary, to make Charlie decide when to end each token, his winning strategy can just mimic the dynamic execution strategy of the plan.

(←). On the other hand, if a winning strategy for G exists, we need to ensure that it can be translated into a dynamic execution strategy for Π. Besides the translation itself, which can be constructed easily, the important point is to guarantee that winning strategies for the game do not have more expressive power than dynamic control strategies for the plan (in general they do, but not in this specific game, which is already constrained to replicate a single flexible plan). The critical issue here is that Definition 2.26 requires that the end time of any token τ chosen by the control strategy only depends on the end times of uncontrollable tokens that ended before the end time of τ. In other words, the control strategy cannot decide to end a token at time t based on the fact that other tokens ended at time t, but only based on those ended at time t − Charlie cannot choose which tokens to end in an ending round based on which uncontrollable tokens will be ended by Eve at the same round, but has to wait until the next ending round, at least one time step later.

Theorem 12 shows that, given a flexible solution plan Π, we can decide its dynamic controllability by looking for a winning strategy for the game G_{P,Π}. In a more general setting, given the timeline-based planning problem with uncertainty P = (SV_C, SV_E, S, O), in a completely similar way we can build a game G_P = (SV_C, SV_E, S, D) such that the existence of a dynamically controllable flexible plan for P implies the existence of a winning strategy for G_P. This is done by encoding the observation O into the set of domain rules D exactly as done in Theorem 12, but setting S = S, without constraining the game to any specific plan. Then, if a plan exists and it is dynamically controllable, with arguments similar to those of Theorem 12 it can be checked that a winning strategy for G_P must exist as well.

Corollary 5.12 — Generality of timeline-based games.
Let P be a timeline-based planning problem with uncertainty. Then, a timeline-based game G_P can be built, in polynomial time, such that if P admits a dynamically controllable flexible solution plan, then Charlie has a winning strategy for G_P.

The converse is not true, however, because winning strategies for timeline-based games are strictly more expressive than timeline-based planning problems with uncertainty, hence there can be some problems P that do not have any dynamically controllable flexible plan, while there is a winning strategy for G_P. This is the case with the example problem discussed in Section 5.1.1, which has an easy winning strategy when seen as a game, while it has no dynamically controllable flexible plan. We can encode the example problem P as the game G_P, in which the synchronisation rules shown there are included as system rules, and the set of domain rules is empty (since there are no external variables and thus the observation is empty as well). The winning strategy is as simple as promised: after playing start(x, v) at the beginning, Charlie only has to wait for Eve to play end(x, v), and then play start(x, v) or start(x, v) according to the current timestamp. Therefore, one can prove the following theorem.

Theorem 13
There exists a timeline-based planning problem with uncertainty P such that there are no dynamically controllable flexible plans for P, but Charlie has a winning strategy for the associated planning game G_P.

5.4 Finding winning strategies

In the previous sections we have motivated and given the definition of timeline-based games, and shown how the existence of a winning strategy for such a game subsumes the existence of dynamically controllable flexible plans for the equivalent timeline-based planning problem with uncertainty. In this section, we show how such a winning strategy can be found, providing the complexity of the problem of establishing whether it exists.

The proof employs an encoding of timeline-based games into concurrent game structures (CGS) [7], and in particular into the specific subclass of turn-based synchronous game structures. The encoding of the game into one such structure allows us to decide the existence of a winning strategy by expressing the winning condition as a formula of an extended alternating-time temporal logic (ATL*) [7]. In the rest of the section, a brief introduction to CGSs and the ATL* logic will be provided, and then the encoding of timeline-based games into CGSs will be shown and used to prove the final result.
In the field of model checking [50], two of the logics most commonly used as specification languages are linear temporal logic (LTL) and computation tree logic (CTL), a fragment of the more general CTL*. In contrast to LTL, which is a temporal logic interpreted over linear-time domains (see more on this in Chapter 6), CTL and CTL* adopt a branching-time semantics: CTL/CTL* formulae are interpreted over trees (usually the result of the unrolling of some state transition system) that represent the different possible future evolutions of a system, and formulae can quantify over paths of such trees. For example, the CTL* formula $A\varphi$ demands φ to be true when interpreted over all the paths of the tree rooted at the current state, while $E\varphi$ dually states that there is at least one such path where φ holds.

Alternating-time temporal logic (ATL) [7], and its extension ATL*, can be seen as generalisations of CTL and CTL* where the system used to interpret the formulae is the transition system resulting from the composition of multiple agents instead of a single one. In this context, paths of the system correspond to traces of the parallel execution of the components of the system. When we assign goals to each player or to subsets of the players, we can see the structure as the state space of a game, and ATL/ATL* formulae have the ability to quantify over paths played according to specific strategies adopted by each player. In particular, a formula of the form $\langle\langle A\rangle\rangle\varphi$ is true whenever there is a set of strategies for the set of players A such that φ is true on all the paths played according to said strategies. If $\mathcal{P}$ is the set of all the players of the system, then $\langle\langle \mathcal{P}\rangle\rangle\varphi$ is equivalent to $E\varphi$ in CTL*, hence ATL/ATL* are proper extensions of CTL/CTL*.
The ability to quantify over paths played according to specific strategies makes these logics particularly suitable for expressing the winning condition of timeline-based games. Let us now recall the syntax and semantics of these logics.

Let $\mathcal{P} = \{1, \ldots, k\}$ be a finite set of players, and Σ a finite set of propositions. Then, an ATL* formula over Σ and $\mathcal{P}$ is a state formula φ defined as follows:

$$\varphi := p \mid \neg\varphi_1 \mid \varphi_1 \vee \varphi_2 \mid \langle\langle A\rangle\rangle\psi \qquad \text{(state formulae)}$$
$$\psi := \varphi \mid \neg\psi_1 \mid \psi_1 \vee \psi_2 \mid X\psi_1 \mid \psi_1 U \psi_2 \qquad \text{(path formulae)}$$

where $p \in \Sigma$, φ, $\varphi_1$ and $\varphi_2$ are state formulae, ψ, $\psi_1$ and $\psi_2$ are path formulae, and $A \subseteq \mathcal{P}$ is a set of players. Besides the standard boolean connectives, with shortcuts such as $\psi_1 \wedge \psi_2 \equiv \neg(\neg\psi_1 \vee \neg\psi_2)$ and $\psi_1 \to \psi_2 \equiv \neg\psi_1 \vee \psi_2$, we have the tomorrow ($X\psi$) and until ($\psi_1 U \psi_2$) temporal operators as in LTL and CTL*, and, more importantly, the existential strategy quantifier $\langle\langle A\rangle\rangle\psi$, from which we can define the universal dual $\llbracket A\rrbracket\psi \equiv \neg\langle\langle A\rangle\rangle\neg\psi$. Note the subdivision into path and state formulae: path formulae are interpreted over a path, while state formulae are interpreted over a single state. ATL is the fragment of ATL* where temporal operators can only appear directly nested inside a strategy quantifier.

ATL and ATL* formulae are interpreted over concurrent game structures, which can represent a vast variety of concurrent games. In our setting, it is sufficient to consider the specific subclass of turn-based synchronous game structures.

Definition 5.13 — Turn-based synchronous game structure. A turn-based synchronous game structure is a tuple $\mathcal{S} = \langle\mathcal{P}, Q, \Sigma, \nu, \lambda, R\rangle$, where:
1. $\mathcal{P} = \{1, \ldots, k\}$ is the set of players;
2. Q is the finite set of states;
3. Σ is the finite set of propositions;
4. $\nu : Q \to 2^{\Sigma}$ provides the set ν(q) of propositions true at any state $q \in Q$;
5. $\lambda : Q \to \mathcal{P}$ is a function telling which player owns any given state;
6. $R \subseteq Q \times Q$ is the transition relation.

Turn-based synchronous game structures, simply called game structures from now on, represent games where players play in turns, not concurrently: each state $q \in Q$ is owned by the player λ(q), who plays when the game reaches one of their states. To define how ATL/ATL* formulae are interpreted over game structures we need the notion of strategy. A path of the game is an infinite sequence of states $\overline{q} = \langle q_0, q_1, \ldots\rangle$ such that $(q_i, q_{i+1}) \in R$ for all $i \geq 0$. Given a player $a \in \mathcal{P}$, a strategy for a is a function $f_a : Q^+ \to Q$ that maps any non-empty finite prefix $\langle q_0, \ldots, q_n\rangle$ of a path (the history of the game play), where $\lambda(q_n) = a$, to the next state $f_a(\langle q_0, \ldots, q_n\rangle)$, chosen among the successors of $q_n$. A play $\overline{q}$ such that $q_{i+1} = f_a(\langle q_0, \ldots, q_i\rangle)$ for every i with $\lambda(q_i) = a$ is said to be played according to the strategy $f_a$. Given a set of players $A \subseteq \mathcal{P}$ and a set of strategies $F_A$, one for each $a \in A$, the sequence $\overline{q}$ is played according to $F_A$ if it is played according to all the strategies in $F_A$.

Then, given a game structure $\mathcal{S} = \langle\mathcal{P}, Q, \Sigma, \nu, \lambda, R\rangle$ and an ATL* (state) formula φ over propositions Σ and players $\mathcal{P}$, we define the satisfaction of φ at a state $q \in Q$ of $\mathcal{S}$, written $\mathcal{S}, q \models \varphi$, as follows:
1. $\mathcal{S}, q \models p$ iff $p \in \nu(q)$;
2. $\mathcal{S}, q \models \neg\varphi$ iff $\mathcal{S}, q \not\models \varphi$;
3. $\mathcal{S}, q \models \varphi_1 \vee \varphi_2$ iff $\mathcal{S}, q \models \varphi_1$ or $\mathcal{S}, q \models \varphi_2$;
4. $\mathcal{S}, q \models \langle\langle A\rangle\rangle\psi$ iff there exists a set of strategies $F_A$, one for each $a \in A$, such that $\mathcal{S}, \overline{q} \models \psi$ for all paths $\overline{q} = \langle q, \ldots\rangle$ starting from q and played according to $F_A$;

where the satisfaction of a path formula ψ over a state sequence $\overline{q} = \langle q_0, q_1, \ldots\rangle$, written $\mathcal{S}, \overline{q} \models \psi$, is defined as follows:
5. $\mathcal{S}, \overline{q} \models \varphi$ iff $\mathcal{S}, q_0 \models \varphi$, for a state formula φ;
6. $\mathcal{S}, \overline{q} \models \neg\psi$ iff $\mathcal{S}, \overline{q} \not\models \psi$;
7. $\mathcal{S}, \overline{q} \models \psi_1 \vee \psi_2$ iff $\mathcal{S}, \overline{q} \models \psi_1$ or $\mathcal{S}, \overline{q} \models \psi_2$;
8. $\mathcal{S}, \overline{q} \models X\psi$ iff $\mathcal{S}, \overline{q}_{\geq 1} \models \psi$;
9. $\mathcal{S}, \overline{q} \models \psi_1 U \psi_2$ iff there exists a position $i \geq 0$ such that $\mathcal{S}, \overline{q}_{\geq i} \models \psi_2$, and $\mathcal{S}, \overline{q}_{\geq j} \models \psi_1$ for all $0 \leq j < i$;

where $\overline{q}_{\geq i}$ denotes the suffix $\langle q_i, q_{i+1}, \ldots\rangle$ of $\overline{q}$.

Note that the existential strategy quantifier $\langle\langle A\rangle\rangle$ contains an element of universal quantification over the paths played according to the existentially quantified set of strategies. In the restricted context of turn-based structures that we are considering, games are determined, which means that the absence of a winning strategy for a player implies the existence of a winning strategy for the antagonist. In other terms, as also noted in [7], over turn-based structures it holds that $\langle\langle A\rangle\rangle\varphi \equiv \llbracket\mathcal{P} \setminus A\rrbracket\varphi$.

We can now finally show how the existence of a winning strategy can be decided for timeline-based games, by enco ding them into suitable game structures. From the definitions given in Section 5.2 and, in particular, the definitions of strategies for the two players (Definitions 5.8 and 5.9), it can be seen that a timeline-based game provides an implicit representation of a potentially infinite state space composed of all the possible partial plans Π. Therefore, in order to encode a timeline-based game into a game structure, we need to reduce it to a finite state space. The key observation here is that, although each synchronisation rule can potentially look arbitrarily far into the past and into the future, a finite representation of the history of the game is possible. We already met the same problem in Chapter 4, when solving the satisfiability problem for timeline-based planning problems.
Indeed, here we can reuse the framework built for the satisfiability problem. Recall, from Section 4.3.1, that given a timeline-based planning problem $P = (SV, S)$ and any event sequence μ, it is possible to build a structure [μ], called matching record, such that an effective algorithm exists to tell whether or not μ is a solution for P (Lemma 4.20). Furthermore, given [μ] and a further event $\mu'$, it is possible to effectively build the matching record $[\mu\mu']$. This can therefore be the mechanism apt to reduce the state space of our games to a finite size. Given a timeline-based game $G = (SV_C, SV_E, S, D)$, a game structure can be built over the set of all possible matching records for the timeline-based planning problem $P = (SV_C \cup SV_E, S \cup D)$. Suitable edges connect the states according to the moves available to the players. Then, a simple ATL* formula expressing the winning condition of Definition 5.11 can be model-checked against the game structure to decide the existence of the winning strategy.

Theorem 14 — Complexity of finding winning strategies. Let $G = (SV_C, SV_E, S, D)$ be a timeline-based game. Whether Charlie has a winning strategy for G can be decided in doubly-exponential time.

Proof. As anticipated, we reduce the problem to the model checking of a suitable ATL* formula over a game structure that encodes the state space of the game. Given a timeline-based game $G = (SV_C, SV_E, S, D)$, the starting point for building the corresponding game structure is the set M of all the matching records for the timeline-based planning problem $P = (SV_C \cup SV_E, S \cup D)$. First, observe that, by construction, if an event sequence μ is such that $\mu \models P$, then it also holds that $\mu \models P_S = (SV_C \cup SV_E, S)$ and $\mu \models P_D = (SV_C \cup SV_E, D)$.
Observe, moreover, that from a matching record [μ] built for P we can decide, in the same way as shown in Lemma 4.20, whether $\mu \models P_S$ or $\mu \models P_D$, by focusing on a subset of the rules of P and ignoring the others. Since the matching record [μ] by definition includes as-is a suffix of μ, and the last event in particular, the moves applicable to μ when seen as a partial plan can be identified by looking at [μ] alone. Let [Π] be the set of matching records [μ] for $\mu \in \Pi$. Then, we can encode the state space of the game as the turn-based synchronous game structure $\mathcal{S}_G = \langle\mathcal{P}, Q, \Sigma, \nu, \lambda, R\rangle$ defined as follows:

1. the set of players is $\mathcal{P} = \{1, 2\}$, where player 1 represents Charlie and player 2 represents Eve;
2. $Q \subseteq [\Pi] \cup ([\Pi] \times M_C)$ is the set of states, which is partitioned into the set $Q_1 = [\Pi]$ and the set $Q_2 \subseteq [\Pi] \times M_C$ of pairs $([\mu], \mu_C)$ where [μ] is a matching record and $\mu_C$ is a Charlie move applicable to [μ];
3. $\Sigma = \{d, w\}$ is a set of two propositions;
4. the valuation ν is such that $\nu(q) = \emptyset$ for all $q \in Q_2$, while for all $[\mu] \in Q_1$, $d \in \nu([\mu])$ iff $\mu \models P_D$, and $w \in \nu([\mu])$ iff $\mu \models P_D$ and $\mu \models P_S$;
5. $\lambda(q) = 1$ if $q \in Q_1$ and $\lambda(q) = 2$ if $q \in Q_2$;
6. the transition relation is bipartite, relating only states from $Q_1$ to states from $Q_2$ or vice versa, and is defined as follows:
   (a) $([\mu], ([\mu'], \mu_C)) \in R$ if and only if $[\mu] = [\mu']$;
   (b) $(([\mu], \mu_C), [\mu']) \in R$ if and only if there is an Eve move $\mu_E$ such that the round $\rho = (\mu_C, \mu_E)$ is applicable to μ, and $[\rho(\mu)] = [\mu']$.

Hence, the game structure follows the game by connecting two states if there is a corresponding move of the game. The partition into two kinds of states represents the division into turns, where Charlie plays first without knowing Eve's move, and then Eve moves knowing both the current partial plan and Charlie's move.
Note that general strategies for game structures as defined above are stateful, since they are functions $f : Q^+ \to Q$ which account for the entire history up to the last state. However, by construction, a single state of $\mathcal{S}_G$ already sums up all the necessary information about the history of the game that brought the players to that state, hence w.l.o.g. we can consider state-less strategies $f : Q \to Q$, i.e., this game is positional. Then, because of how the states are partitioned and how the transition relation is defined, a strategy for player 1 consists of a function $f_1 : [\Pi] \to M_C$ which, given any state $[\mu] \in Q_1$ belonging to player 1, chooses Charlie's move $\mu_C$, thus selecting the next state $([\mu], \mu_C)$. Similarly, a strategy for player 2 (i.e., Eve) is a function $f_2 : [\Pi] \times M_C \to M_E$ which, from a state $([\mu], \mu_C) \in Q_2$ belonging to player 2, selects a move $\mu_E$ for Eve, and consequently the next state $[\mu'] \in Q_1$ such that $[\mu'] = [\rho(\mu)]$ for $\rho = (\mu_C, \mu_E)$. Hence, strategies for players 1 and 2 in $\mathcal{S}_G$ correspond to strategies for Charlie and Eve, respectively, in G. Now, since we labelled each state $[\mu] \in Q_1$ with d or w depending on whether [μ] is admissible or winning, we can find out whether a winning strategy for Charlie exists by model-checking over $\mathcal{S}_G$ the following ATL* formula φ:

$$\varphi \equiv \langle\langle 1\rangle\rangle\,(F\,d \to F\,w)$$

Note that, by the determinacy of turn-based structures recalled above, φ is equivalent to $\neg\langle\langle 2\rangle\rangle\,(F\,d \wedge G\,\neg w)$, i.e., we are asking whether player 2 cannot keep w false (i.e., the system rules unsatisfied) while behaving well (i.e., satisfying the domain rules). Hence, a winning strategy for Charlie exists if and only if the above formula holds on $\mathcal{S}_G$. Since the size of [μ] is exponential in the size of G (by Lemma 4.21), the size of Q is doubly exponential in the size of G.
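The model-checking step of the proof can be made concrete on a small instance. The following Python is an added example for this page (not code from the thesis, and not the construction of $\mathcal{S}_G$ for any particular game): it takes a turn-based synchronous game structure labelled with d and w, computes the attractor of the w-states for player 1, then the greatest set of states from which player 1 can keep d false until that attractor is entered, and returns that set together with a positional strategy. By the determinacy of turn-based structures noted above, the returned set is exactly the set of states where $\langle\langle 1\rangle\rangle(F\,d \to F\,w)$ holds, and its complement is where player 2 can enforce $F\,d \wedge G\,\neg w$. The structure TOY_GAME is constructed for illustration.

```python
"""Model checking  <<1>>(F d -> F w)  on a turn-based synchronous game structure.

Added example, not code from the thesis. TOY_GAME is a constructed structure:
each state maps to (owner, labels, successors); player 1 plays Charlie's role,
player 2 Eve's. The relation is assumed total, so every play is infinite.
"""
from typing import Dict, List, Set, Tuple

Game = Dict[str, Tuple[int, Set[str], List[str]]]

TOY_GAME: Game = {
    "a": (1, set(),      ["b", "c"]),  # Charlie picks the opening move
    "b": (2, {"d"},      ["e", "f"]),  # domain rules hold, Eve replies
    "c": (2, set(),      ["c", "g"]),  # Eve may stall here forever
    "e": (1, {"d", "w"}, ["e"]),       # admissible and winning
    "f": (1, {"d"},      ["f"]),       # admissible, never winning
    "g": (1, {"d"},      ["h"]),
    "h": (2, {"w"},      ["h"]),
}


def cpre(game: Game, player: int, target: Set[str]) -> Set[str]:
    """Controllable predecessor: states from which `player` forces the next
    state into `target` (one successor suffices on own states, all successors
    are needed on the opponent's states)."""
    res: Set[str] = set()
    for q, (owner, _, succ) in game.items():
        hits = [s in target for s in succ]
        if (owner == player and any(hits)) or (owner != player and all(hits)):
            res.add(q)
    return res


def attractor(game: Game, player: int, goal: Set[str]) -> Dict[str, int]:
    """Least fixpoint Attr_player(goal): rank[q] is the number of rounds within
    which `player` can force a visit to `goal` from q; unranked states cannot."""
    rank = {q: 0 for q in goal}
    level = 0
    while True:
        new = cpre(game, player, set(rank)) - set(rank)
        if not new:
            return rank
        level += 1
        rank.update({q: level for q in new})


def solve(game: Game) -> Tuple[Set[str], Dict[str, str]]:
    """Winning region of player 1 for  G not d  or  F w, with a positional
    strategy on it.  Let Y = Attr_1(w).  Win is the greatest Z such that every
    q in Z is in Y, or lacks d and lets player 1 keep the play inside Z: a play
    that never leaves Z minus Y never sees d, and one that enters Y reaches w."""
    labels = {q: lab for q, (_, lab, _) in game.items()}
    Y = attractor(game, 1, {q for q in game if "w" in labels[q]})
    Z = set(game)
    while True:
        keep = {q for q in Z
                if q in Y or ("d" not in labels[q] and q in cpre(game, 1, Z))}
        if keep == Z:
            break
        Z = keep
    strategy: Dict[str, str] = {}
    for q in Z:
        owner, _, succ = game[q]
        if owner != 1:
            continue
        if q in Y and Y[q] > 0:      # descend the attractor ranks towards w
            strategy[q] = min((s for s in succ if s in Y), key=lambda s: Y[s])
        elif q not in Y:             # stay inside Z until (if ever) Y is entered
            strategy[q] = next(s for s in succ if s in Z)
        else:                        # w holds here: the objective is already met
            strategy[q] = succ[0]
    return Z, strategy


def eve_wins_from(game: Game) -> Set[str]:
    """Determinacy over turn-based structures: the complement of Charlie's
    region is exactly where Eve can enforce  F d  and  G not w."""
    return set(game) - solve(game)[0]


if __name__ == "__main__":
    win, strat = solve(TOY_GAME)
    print("Charlie wins from", sorted(win), "playing", strat)
    print("Eve wins from", sorted(eve_wins_from(TOY_GAME)))
```

On TOY_GAME, Charlie wins from a only by moving to c, where Eve can either stall forever (so d never holds) or move to g, from which Charlie reaches w; from b Eve answers f, where d holds and w never does, which is exactly the play the formula forbids. Both fixpoints are polynomial in the size of the structure, in line with the complexity count that follows.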
Now, we know that ATL* model checking for a fixed-size formula can be solved in polynomial time in the size of the structure [7], and each state can by itself be built in exponential time, as noted in the proof of Lemma 4.22. Hence we obtained a procedure solving the problem in doubly-exponential time.

Conclusions and open questions

This chapter provided our take on the problem of timeline-based planning with uncertainty. Flexible plans, as currently adopted by most state-of-the-art timeline-based systems, are inherently sequential, and are designed to handle temporal uncertainty without considering further sources of nondeterminism. However, here we have shown that this exclusive focus is in contrast with the syntax of the modelling language, which can express problems that require general nondeterminism to be handled. The sequentiality of flexible plans also forces some systems, such as PLATINUm [134], to employ a feedback loop including a re-planning phase to handle any non-temporal mismatch between the expected and actual behaviours of the environment.

To overcome these issues, we introduced the notion of timeline-based games, which generalise timeline-based planning problems with uncertainty as defined in Definition 2.19. We have shown that the approach is strictly more general than the current one based on dynamic controllability of flexible plans, and then we provided a procedure, running in doubly-exponential time, to decide whether a winning strategy exists for a given game.

We believe that the approach introduced here is worth exploring in a number of different directions. First of all, of course, a lower bound on the complexity of the problem of the existence of winning strategies is needed, to settle the complexity issue. We conjecture that, similarly to what was done in Section 4.3.3 for timeline-based planning problems with bounded horizon, a reduction from domino-tiling games [41] can be used to obtain a matching lower bound, showing that the problem is 2EXPTIME-complete.
This would solve the problem of deciding whether a winning strategy exists for a given game, but then the problem of synthesising controllers implementing such strategies will have to be addressed as well.

Then, to test the applicability of the approach, the decision procedure shown here must be turned into a form that can be implemented in a reasonably efficient way. Although the framework of ATL* model checking has been useful to prove Theorem 14, an ad-hoc algorithm to check the existence of the strategy, working on a symbolic representation of the game structure, may be the needed ingredient. In this regard, it is worth noting that the automata-theoretic construction shown in Section 4.4 might be an alternative underlying platform for the construction of the concurrent game structure representing the game.

Once the basic questions about the approach have been answered, it can foreseeably be extended in a number of directions. First of all, note that the definitions of strategies and of the winning condition given here are those apt to precisely capture the semantics of dynamically controllable flexible plans as defined by Cialdea Mayer et al. [44], but they are not the only ones that can be sensibly defined over the same game arena. In particular, the game might be defined over infinite executions, letting Charlie win if it can satisfy the system rules infinitely often. Then, a number of extensions of the game arena can be imagined as well, such as multi-player extensions, with players belonging to teams competing with each other, but cooperating inside the same team to obtain a common goal while also trying to achieve the personal goals of each. Then, variants with partial observability of the timelines belonging to other players can be defined. Furthermore, a distributed version of the game might be defined, where there is no single unique clock and communication happens through message passing.
PART II: TIMELINE-BASED PLANNING AND TEMPORAL LOGIC

TABLEAU METHODS FOR LINEAR TEMPORAL LOGICS

The last part of this dissertation draws a connection between timeline-based planning and temporal logics. This chapter introduces some tools, tableau methods, that play a role in this connection. A recently introduced one-pass tree-shaped tableau method for LTL satisfiability checking is studied, providing a novel and more insightful proof of its completeness. Then, after reviewing an experimental evaluation of the method, we extend it to support past operators. The presented work, part of an interesting line of research of its own, opens the way for the adaptation of the method to the TPTL_b+P logic used in the next chapter to capture timeline-based planning problems.

Introduction

Linear Temporal Logic (LTL) is a propositional modal logic originally introduced as a specification language for the behaviour of reactive systems [113]. Since its inception, LTL has become the de-facto standard language to express properties of systems in the field of formal verification of hardware and software systems [50]. Its success is due mainly to its simplicity, which leads to specifications fairly similar to their natural language counterparts. In this context, the model checking problem for LTL formulae (deciding whether a given structure satisfies a formula) has been thoroughly studied over the last years. However, with the specifications and the modelled systems constantly growing in size and complexity, it becomes more and more difficult for knowledge engineers to be confident in the correctness of the specifications, which thus need to be checked against common modelling errors. For example, checking a system against a valid specification (i.e., a formula which is trivially true in every structure) is useless at the least, and could be severely harmful at worst: the positive answer from the model checking procedure may convince the designers of the system of its safety while potentially life-threatening bugs may instead be present. For this reason, a growing importance is being given to the sanity check of specifications, which is an application of the satisfiability checking problem, that is, deciding whether there exists a model satisfying a given formula.

The satisfiability problem for LTL and other temporal logics also has interesting applications in artificial intelligence, and in planning in particular. As it turns out, it can be proved [42] that classical STRIPS-like planning problems can be expressed as LTL formulae, whose satisfiability corresponds to the existence of a solution plan for the problem. Furthermore, with the release of PDDL 3 [67], supporting temporally extended goals [8], LTL (or rather, the LTL-inspired syntactic extensions to PDDL) becomes the modelling language used to express goals, background theory, and control knowledge.

In the case of LTL, satisfiability checking can be reduced to model checking, and both problems are PSPACE-complete [127]. Nevertheless, a great research effort has been dedicated over the years to techniques specifically targeted at satisfiability checking of LTL formulae. Besides model checkers that directly support satisfiability checking, like, for instance, NuSMV [45], many tools have been developed based on a wide range of different techniques. An interesting approach is to reduce the problem to the emptiness problem of Büchi automata, an approach adopted by tools like Aalta [86]. An alternative approach is temporal resolution, which was pioneered by Cavalli and Cerro [27] and Venkatesh [137], and later employed by Fisher et al. [58].
Such an approach is also at the core of the labelled superposition technique by Suda and Weidenbach [132]. Recently, SAT-based techniques have also gained attention [88]. A number of surveys exist comparing the performance of tools based on these and other techniques [87, 121, 124].

This chapter focuses on tableau methods, another class of decision procedures for LTL satisfiability, which were among the first to be investigated [141]. Originally devised for propositional logic [18] and later adapted to many other logics during the last half century [51], tableau-based techniques provide a useful theoretical tool to reason about the proof theory of the considered logic, as they are tightly related to cut-free Gentzen-style sequent calculi for the given logic. Often, and this is the case for LTL, tableau methods provide the easiest to understand decision procedures for the logic.

In contrast to the tableau methods for propositional and first-order logic, most of the early tableaux for LTL produce graph-shaped structures [89, 94, 141]. After building the tableau itself, whose nodes are labelled with sets of formulae, the decision procedure traverses it to look for a specific kind of infinite path witnessing the existence of a model for the formula. This procedure turns out to be very easy to describe and to prove correct, but the huge size of the resulting graphs also makes it impractical.
Aiming at solving this issue, incremental tableaux were proposed [71, 81], which traverse only a limited part of the graph by ignoring nodes that are not effectively reachable from the initial ones, and create the traversed nodes on the fly during the traversal. However, the size of the traversed part of the graph can still grow significantly. A different approach was proposed by Schwendimann [126], with a one-pass tableau system which works by building a graph structure which is almost a tree, except for a number of back-edges.

More recently, Reynolds introduced a one-pass tableau method for LTL which builds a purely tree-shaped structure [116]. Similarly to Schwendimann's, Reynolds' tableau only requires a single pass to decide the acceptance or the rejection of a given branch of the search tree. Unlike Schwendimann's, however, Reynolds' system is a purely tree-shaped search procedure, where any branch can be explored independently from any other. Its rule-based tree search architecture combines the simplicity of classic declarative tableaux with the efficiency of a one-pass system. Despite its simplicity, or maybe thanks to it, the system also turns out to be efficient in practice. Indeed, a tool that implements the system (briefly described in Section 6.4) has shown superior performance with respect to other tableau methods, and competitive with other tools adopting different techniques. Moreover, it has been shown to be very easily and effectively parallelised [97].

In this chapter, we study Reynolds' one-pass tree-shaped tableau method for LTL, introducing a few contributions. First, we provide a clean exposition of the tableau method itself, with full proofs of its soundness and completeness. In contrast to the original exposition of the system [116], we employ a novel proof technique for the completeness result.
The new proof is based on an argument which is conceptually simpler and more insightful, as it provides a greater understanding of the role of the most critical rule of the system. Then, we discuss some experimental results obtained with the aforementioned implementation of the system, which show how the simplicity of its rule-based tree search pays off in terms of efficiency and ease of parallelisation.

Finally, we exploit this simplicity to extend the tableau system to support past temporal operators, hence providing a one-pass tree-shaped tableau method for Linear Temporal Logic with Past (LTL+P). It is well known that if we interpret the logic on structures with a definite starting point in time, then past modalities do not add any expressive power, i.e., any formula with past modalities has an initially equivalent future-only counterpart [65, 66, 115]. Nevertheless, LTL+P is interesting for a number of reasons [89, 90]. Most importantly, many relevant properties are easier to express using past modalities, allowing specifications to match more closely the way they are expressed in natural language. Furthermore, if we consider the size of specifications, past-time modalities do make a difference, as LTL+P is exponentially more succinct than LTL [95]. The extension of Reynolds' tableau system to past operators is thus a natural step, and, moreover, it opens the path to providing a one-pass tree-shaped tableau method for the timed temporal logics used in Chapter 7 to capture timeline-based planning problems.

The simplicity of the system allows us to extend it to LTL+P (and to other logics in the next chapter) in a very modular way: only three rules have to be added, while all existing rules remain unchanged, and applying the system to a future-only formula leads to the same computation that would result from the future-only tableau.
The novel proof technique used to prove the completeness of the system for LTL can be directly extended to the LTL+P case as well. The contribution is thus twofold: while providing evidence of how easily extensible the system is, we also further improve its extensibility by providing an easier proof technique to build such extensions upon.

The chapter is structured as follows. The rest of this section recalls the syntax and semantics of LTL and LTL+P, and provides a basic exposition of the classic graph-shaped tableau, for comparison with the one-pass tree-shaped one. Then, Section 6.2 provides a clean exposition of the tableau system itself, and Section 6.3 provides full proofs of its soundness and completeness, adopting our novel, simpler proof technique. Then, Section 6.4 reports the results of the experiments on the aforementioned implementation. Finally, Section 6.5 shows the extension of the system to LTL+P, also proving its soundness and completeness. Section 6.6 concludes the chapter discussing the obtained results and the potential for future work.

Let us now recall the precise syntax and semantics of this well-known logic. Linear Temporal Logic (LTL) is a propositional temporal logic interpreted over infinite, discrete linear orders. Linear Temporal Logic with Past (LTL+P) extends LTL with the addition of temporal operators able to talk about what happened in the past with respect to the current time. We now briefly recall the syntax and semantics of LTL+P, which encompasses that of LTL as well.

Syntactically, LTL can be seen as an extension of propositional logic with the addition of the tomorrow ($X\varphi$, i.e., at the next state φ holds) and until ($\varphi_1 U \varphi_2$, i.e., $\varphi_2$ will eventually hold and $\varphi_1$ will hold until then) temporal operators. LTL+P is obtained from LTL by adding the yesterday ($Y\varphi$, i.e., at the previous state φ holds) and since ($\varphi_1 S \varphi_2$, i.e., there was a past state where $\varphi_2$ held, and $\varphi_1$ has held since then) past temporal operators. Formally, given a set Σ of proposition letters, LTL+P formulae over Σ are generated by the following grammar:

$$\varphi := p \mid \neg\varphi_1 \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \wedge \varphi_2 \qquad \text{(propositional connectives)}$$
$$\quad\;\mid X\varphi_1 \mid \varphi_1 U \varphi_2 \mid \varphi_1 R \varphi_2 \mid F\varphi_1 \mid G\varphi_1 \qquad \text{(future temporal operators)}$$
$$\quad\;\mid Y\varphi_1 \mid \varphi_1 S \varphi_2 \mid \varphi_1 T \varphi_2 \mid P\varphi_1 \mid H\varphi_1 \qquad \text{(past temporal operators)}$$

where $p \in \Sigma$ and $\varphi_1$ and $\varphi_2$ are LTL+P formulae. Most of the temporal operators of the language can be defined in terms of a small number of basic ones. In particular, the release ($\varphi_1 R \varphi_2 \equiv \neg(\neg\varphi_1 U \neg\varphi_2)$), eventually ($F\varphi \equiv \top U \varphi$), and always ($G\varphi \equiv \neg F\neg\varphi$) future operators can all be defined in terms of the until operator, while the triggered ($\varphi_1 T \varphi_2 \equiv \neg(\neg\varphi_1 S \neg\varphi_2)$), once ($P\varphi \equiv \top S \varphi$), and historically ($H\varphi \equiv \neg P\neg\varphi$) past operators can all be defined in terms of the since operator. However, in our setting, it is useful to consider them as primitive.

A model for an LTL+P formula φ is an infinite sequence of sets of proposition letters, i.e., $\sigma = \langle\sigma_0, \sigma_1, \ldots\rangle$, where each state $\sigma_i \subseteq \Sigma$ represents the proposition letters that hold in that state. Given a model σ, a position $i \geq 0$, and an LTL+P formula φ, we inductively define the satisfaction of φ by σ at position i, written $\sigma, i \models \varphi$, as follows:
1. $\sigma, i \models p$ iff $p \in \sigma_i$;
2. $\sigma, i \models \neg\varphi$ iff $\sigma, i \not\models \varphi$;
3. $\sigma, i \models \varphi_1 \vee \varphi_2$ iff $\sigma, i \models \varphi_1$ or $\sigma, i \models \varphi_2$;
4. $\sigma, i \models \varphi_1 \wedge \varphi_2$ iff $\sigma, i \models \varphi_1$ and $\sigma, i \models \varphi_2$;
5. $\sigma, i \models X\varphi$ iff $\sigma, i+1 \models \varphi$;
6. $\sigma, i \models Y\varphi$ iff $i > 0$ and $\sigma, i-1 \models \varphi$;
7. $\sigma, i \models \varphi_1 U \varphi_2$ iff there exists $j \geq i$ such that $\sigma, j \models \varphi_2$, and $\sigma, k \models \varphi_1$ for all k with $i \leq k < j$;
8. $\sigma, i \models \varphi_1 S \varphi_2$ iff there exists $j \leq i$ such that $\sigma, j \models \varphi_2$, and $\sigma, k \models \varphi_1$ for all k with $j < k \leq i$;
9. $\sigma, i \models \varphi_1 R \varphi_2$ iff either $\sigma, j \models \varphi_2$ for all $j \geq i$, or there exists $k \geq i$ such that $\sigma, k \models \varphi_1$ and $\sigma, j \models \varphi_2$ for all $i \leq j \leq k$;
10. $\sigma, i \models \varphi_1 T \varphi_2$ iff either $\sigma, j \models \varphi_2$ for all $0 \leq j \leq i$, or there exists $k \leq i$ such that $\sigma, k \models \varphi_1$ and $\sigma, j \models \varphi_2$ for all $k \leq j \leq i$.

We say that σ satisfies φ, written $\sigma \models \varphi$, if it satisfies the formula at the first state, i.e., if $\sigma, 0 \models \varphi$. This is often called initial satisfiability, as opposed to the notion of global satisfiability, where a formula is said to be satisfied by a model if it holds at some position of the model. Without loss of generality, we restrict our attention to initial satisfiability: it can indeed be easily shown that φ is globally satisfiable if and only if $F\varphi$ is initially satisfiable. We will also make use of the notion of initial equivalence between formulae, i.e., we say that two formulae φ and ψ are equivalent ($\varphi \equiv \psi$) if and only if they are satisfied by the same set of models at the initial state.

A literal ℓ is a formula of the form p or ¬p, where $p \in \Sigma$. Since we defined the release and triggered operators as primitive instead of defining them in terms of the until and since operators, any LTL+P formula can be turned into its negated normal form: a formula φ can be translated into an equivalent one nnf(φ) where negations appear only in literals, by exploiting the duality between the until/release and since/triggered pairs of operators, and the classic De Morgan laws (the tomorrow operator is its own dual; yesterday is its own dual at every position except the first one, where $Y\varphi$ is false for every φ). In the whole chapter, we assume w.l.o.g. that all the considered formulae are in negated normal form.

This section recalls how classic graph-shaped tableau systems for LTL and LTL+P work. The presentation follows the one given in [89].
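Before turning to the graph-shaped tableau, the semantics recalled above can be checked mechanically. The following Python is an added example for this page, not code from the thesis: it evaluates LTL+P formulae, written as nested tuples, over an ultimately periodic model given as a finite prefix and a finite period (the form every satisfiable LTL formula admits, as recalled later in this section). The unbounded future quantifiers in clauses 7 and 9 become finite because the suffixes at positions j and j + |period| coincide once j is past the prefix; the past quantifiers in clauses 6, 8 and 10 are bounded by position 0, which is also why Y is false there. The model SAMPLE is constructed.

```python
"""LTL+P semantics over an ultimately periodic model  sigma = prefix . period^omega.

Added example, not code from the thesis. Formulas are nested tuples that mirror
the grammar above: a proposition letter is a string, ('not', f), ('and', f, g),
('or', f, g), ('X', f), ('Y', f), ('F', f), ('G', f), ('P', f), ('H', f),
('U', f, g), ('S', f, g), ('R', f, g), ('T', f, g). The sample model is constructed.
"""
from typing import Any, Dict, FrozenSet, Iterable, List, Tuple

Formula = Any  # str, or one of the tuples listed above


class PeriodicModel:
    """sigma_i = prefix[i] for i < L, and period[(i - L) mod P] otherwise."""

    def __init__(self, prefix: Iterable[Iterable[str]], period: Iterable[Iterable[str]]):
        self.prefix: List[FrozenSet[str]] = [frozenset(s) for s in prefix]
        self.period: List[FrozenSet[str]] = [frozenset(s) for s in period]
        assert self.period, "a non-empty period is needed for an infinite model"
        self.L, self.P = len(self.prefix), len(self.period)
        self._cache: Dict[Tuple[Formula, int], bool] = {}

    def state(self, i: int) -> FrozenSet[str]:
        return self.prefix[i] if i < self.L else self.period[(i - self.L) % self.P]

    def horizon(self, i: int) -> int:
        """The suffixes at j and j + P coincide for every j >= L, so the positions
        in [i, horizon(i)) exhibit every truth value a formula takes at some
        j >= i.  This turns the unbounded future quantifiers into finite ones."""
        return max(i, self.L) + self.P

    def holds(self, phi: Formula, i: int) -> bool:
        key = (phi, i)
        if key not in self._cache:
            self._cache[key] = self._eval(phi, i)
        return self._cache[key]

    def _eval(self, phi: Formula, i: int) -> bool:
        if isinstance(phi, str):                       # clause 1: proposition letter
            return phi in self.state(i)
        op = phi[0]
        if op == "not":
            return not self.holds(phi[1], i)
        if op == "and":
            return self.holds(phi[1], i) and self.holds(phi[2], i)
        if op == "or":
            return self.holds(phi[1], i) or self.holds(phi[2], i)
        if op == "X":                                  # clause 5
            return self.holds(phi[1], i + 1)
        if op == "Y":                                  # clause 6: false at position 0
            return i > 0 and self.holds(phi[1], i - 1)
        fut = range(i, self.horizon(i))                # candidate j >= i
        past = range(i, -1, -1)                        # candidate j <= i, newest first
        if op == "F":
            return any(self.holds(phi[1], j) for j in fut)
        if op == "G":
            return all(self.holds(phi[1], j) for j in fut)
        if op == "P":
            return any(self.holds(phi[1], j) for j in past)
        if op == "H":
            return all(self.holds(phi[1], j) for j in past)
        a, b = phi[1], phi[2]
        if op == "U":                                  # clause 7
            return any(self.holds(b, j) and all(self.holds(a, k) for k in range(i, j))
                       for j in fut)
        if op == "S":                                  # clause 8
            return any(self.holds(b, j) and all(self.holds(a, k) for k in range(j + 1, i + 1))
                       for j in past)
        if op == "R":                                  # clause 9
            return (all(self.holds(b, j) for j in fut) or
                    any(self.holds(a, k) and all(self.holds(b, j) for j in range(i, k + 1))
                        for k in fut))
        if op == "T":                                  # clause 10
            return (all(self.holds(b, j) for j in past) or
                    any(self.holds(a, k) and all(self.holds(b, j) for j in range(k, i + 1))
                        for k in past))
        raise ValueError(f"unknown operator {op!r}")

    def satisfies(self, phi: Formula) -> bool:
        """Initial satisfiability: sigma |= phi iff sigma, 0 |= phi."""
        return self.holds(phi, 0)

    def globally_satisfies(self, phi: Formula) -> bool:
        """Global satisfiability, reduced to initial satisfiability of F phi."""
        return self.satisfies(("F", phi))

    def agree(self, phi: Formula, psi: Formula) -> bool:
        """Whether phi and psi take the same truth value at every position of this
        model; [0, horizon(0)) already covers every distinct suffix."""
        return all(self.holds(phi, i) == self.holds(psi, i) for i in range(self.horizon(0)))


# Constructed model:  {p} {p} ({q} {})^omega
SAMPLE = PeriodicModel(prefix=[{"p"}, {"p"}], period=[{"q"}, set()])
```

The `agree` method is a convenient way to sanity-check the dualities used for the negated normal form (for instance $\varphi_1 R \varphi_2$ against $\neg(\neg\varphi_1 U \neg\varphi_2)$) on a concrete model; the `Y` clause makes visible why the same check fails for $\neg Y\varphi$ against $Y\neg\varphi$ at position 0.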
Presenting a graph-shaped tableau system will allow us to better highlight the differences with the one-pass tree-shaped system that is the topic of this chapter. The closure of φ is the set of formulae, some of which are subformulae of φ, that are sufficient to consider in order to decide the satisfiability of φ.

Definition 6.1 — Closure. The closure of an LTL+P formula φ is the set C(φ) of formulae defined as follows:
1. $\varphi \in C(\varphi)$;
2. if $\psi \in C(\varphi)$, then $\mathrm{nnf}(\neg\psi) \in C(\varphi)$;
3. if $\circ\psi \in C(\varphi)$, with $\circ \in \{X, Y\}$, then $\psi \in C(\varphi)$;
4. if $\psi_1 \circ \psi_2 \in C(\varphi)$, with $\circ \in \{\wedge, \vee\}$, then $\{\psi_1, \psi_2\} \subseteq C(\varphi)$;
5. if $\psi_1 \circ \psi_2 \in C(\varphi)$, with $\circ \in \{U, R\}$, then $\{\psi_1, \psi_2, X(\psi_1 \circ \psi_2)\} \subseteq C(\varphi)$;
6. if $\psi_1 \circ \psi_2 \in C(\varphi)$, with $\circ \in \{S, T\}$, then $\{\psi_1, \psi_2, Y(\psi_1 \circ \psi_2)\} \subseteq C(\varphi)$.

The tableau for φ is a graph whose nodes, called atoms, are consistent sets of formulae from the closure of φ.

Definition 6.2 — Atom of the graph-shaped tableau. An atom for an LTL+P formula φ is a subset $\Delta \subseteq C(\varphi)$ of the closure of φ such that:
1. for each $p \in \Sigma$, $p \in \Delta$ if and only if $\neg p \notin \Delta$;
2. if $\psi_1 \vee \psi_2 \in \Delta$, then $\psi_1 \in \Delta$ or $\psi_2 \in \Delta$ (or both);
3. if $\psi_1 \wedge \psi_2 \in \Delta$, then both $\psi_1 \in \Delta$ and $\psi_2 \in \Delta$;
4. if $\psi_1 U \psi_2 \in \Delta$, then $\psi_2 \in \Delta$ or $\{\psi_1, X(\psi_1 U \psi_2)\} \subseteq \Delta$;
5. if $\psi_1 S \psi_2 \in \Delta$, then $\psi_2 \in \Delta$ or $\{\psi_1, Y(\psi_1 S \psi_2)\} \subseteq \Delta$;
6. if $\psi_1 R \psi_2 \in \Delta$, then $\{\psi_1, \psi_2\} \subseteq \Delta$ or $\{\psi_2, X(\psi_1 R \psi_2)\} \subseteq \Delta$;
7. if $\psi_1 T \psi_2 \in \Delta$, then $\{\psi_1, \psi_2\} \subseteq \Delta$ or $\{\psi_2, Y(\psi_1 T \psi_2)\} \subseteq \Delta$.

We can then formally define the tableau for φ.

Definition 6.3 — Graph-shaped tableau for an LTL+P formula. The tableau for an LTL+P formula φ is a graph $G_\varphi = (V, E)$, where $V \subseteq 2^{C(\varphi)}$ is the set of all the atoms for φ, and $E \subseteq V \times V$ is such that, for any edge $(\Delta, \Delta') \in E$:
1. $X\psi \in \Delta$ if and only if $\psi \in \Delta'$;
2. $Y\psi \in \Delta'$ if and only if $\psi \in \Delta$.

Intuitively, atoms represent sets of formulae that can possibly be true at the same time in a given state of a model for φ.
An edge between two atoms Δ and Δ′ is present in the tableau if Δ′ represents a state that can be a successor of Δ in a model for φ, respecting the requests imposed by the tomorrow and yesterday operators. The semantics of the temporal operators, such as, for example, the until operator φ₁ U φ₂, is implemented by expanding them into a present and a future part, the latter being postponed to the next state. In the case of the until operator, if φ₁ U φ₂ holds in any given state, then by the semantics of the operator it follows that either φ₂ holds now, or φ₁ holds and φ₁ U φ₂ holds again at the next state. Hence, if an atom Δ contains φ₁ U φ₂, then it has to contain either φ₂, or φ₁ and X(φ₁ U φ₂). The constraint on the edge relation given in Definition 6.3 then forces φ₁ U φ₂ to appear in any successor of Δ.

18 Tableau methods for Linear Temporal Logics

An atom Δ is called initial if φ ∈ Δ and there is no Yφ₁ ∈ Δ. From an infinite sequence of atoms Δ̄ = ⟨Δ₀, Δ₁, ...⟩ one can extract a state sequence σ = ⟨σ₀, σ₁, ...⟩ by stating that σᵢ = Δᵢ ∩ Σ for all i ≥ 0. Any path in the tableau starting from an initial atom hence represents a state sequence which is a candidate model for φ. The path is effectively a model for the formula if the satisfaction of the formulae requested by the until operators is not postponed forever.

As proved in [127], any satisfiable LTL (and LTL+P, as they are expressively equivalent) formula has a periodic model, i.e., a model σ = σ₀σ₁^ω, where σ₀ is the finite prefix and σ₁ is the period, which repeats infinitely. As a consequence, the satisfiability of φ can be characterised by the presence in G_φ of a cycle, reachable from an initial atom, where for any φ₁ U φ₂ in any atom Δ of the cycle, φ₂ ∈ Δ′ for some other Δ′ in the cycle.
Rather than explicitly looking for such a cycle in the graph, however, it suffices to look for a self-fulfilling strongly connected component (self-fulfilling SCC) of G_φ, i.e., an SCC of G_φ, reachable from an initial atom, such that for any until operator present in any atom of the component, another atom of the component contains the requested formula. In contrast to the search for cycles, the SCC decomposition can be done in linear time in the size of the graph.

Theorem 15 — Lichtenstein and Pnueli [89], Theorem 3.16. Let φ be an LTL+P formula. Then, φ is satisfiable if and only if G_φ contains a strongly connected component C, reachable from an initial atom, such that for any Δ ∈ C and any φ₁ U φ₂ ∈ Δ, there is a Δ′ ∈ C such that φ₂ ∈ Δ′.

The satisfiability checking procedure then works by building the tableau structure G_φ from φ, and then applying the SCC decomposition to look for self-fulfilling SCCs. A few observations can be made on this method. First, regarding the support for past operators, it is worth noting that removing Items 5 and 7 from Definition 6.2 and Item 2 from Definition 6.3 yields a tableau system for pure-future LTL. Note that the definition of self-fulfilling SCC does not involve formulae requested by the since operator, as those cannot be postponed forever in the past, since each path has a definite starting point.

From a practical standpoint, the satisfiability procedure based on this tableau method is difficult to implement in an efficient way. As the number of possible different atoms is exponential in the size of the formula, the graph is in the worst case exponentially large. Several optimisations are possible on top of this basic procedure. For example, by generating the graph structure incrementally while looking for the fulfilling SCC, it is possible to devise an exponential space algorithm, but that would still not be optimal with regard to the LTL satisfiability problem, which is PSPACE-complete [127].
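The graph-shaped construction of Definitions 6.1–6.3 and the test of Theorem 15, as an added example that is not taken from [89] or from the thesis (Python; the tuple encoding of formulae, the helpers F and G and all function names are assumptions of the example). It is the pure-future variant the text mentions: Items 5 and 7 of Definition 6.2 and Item 2 of Definition 6.3 are dropped, Item 2 of Definition 6.1 is applied to literals only (Definition 6.2 constrains only the literals to be maximal, so the omitted negations would add atoms without changing the answer), and, since Theorem 15 is about cycles, only non-trivial components count, i.e. those with at least one internal edge. The atoms are enumerated explicitly, which is exactly the exponential blow-up the text describes, and the SCC decomposition is Tarjan's linear-time algorithm.

```python
# Added example (not the thesis's or [89]'s code).  Formulas are nested tuples
# in negated normal form: a proposition is a string, ('not', p) a negative
# literal, ('true',)/('false',) constants, and ('and', a, b), ('or', a, b),
# ('X', a), ('U', a, b), ('R', a, b) the primitive future operators.
def F(f): return ('U', ('true',), f)
def G(f): return ('R', ('false',), f)

def closure(phi):
    """C(phi) of Definition 6.1, future items only; Item 2 is applied to
    literals only, so both p and not p of every proposition are present."""
    cl, todo = set(), [phi]
    while todo:
        f = todo.pop()
        if f in cl:
            continue
        cl.add(f)
        if isinstance(f, str):
            cl.add(('not', f))
        elif f[0] == 'not':
            cl.add(f[1])
        elif f[0] == 'X':
            todo.append(f[1])
        elif f[0] in ('and', 'or'):
            todo += [f[1], f[2]]
        elif f[0] in ('U', 'R'):
            todo += [f[1], f[2], ('X', f)]
    return frozenset(cl)

def is_atom(d, props):
    """Items 1-4 and 6 of Definition 6.2 (no since/triggered in this fragment)."""
    if ('false',) in d:
        return False
    if any((p in d) == (('not', p) in d) for p in props):
        return False                               # exactly one of p, not p
    for f in d:
        if isinstance(f, str) or f[0] in ('not', 'true', 'X'):
            continue
        op, a, b = f
        if op == 'or' and not (a in d or b in d):
            return False
        if op == 'and' and not (a in d and b in d):
            return False
        if op == 'U' and not (b in d or (a in d and ('X', f) in d)):
            return False
        if op == 'R' and not ((a in d and b in d) or (b in d and ('X', f) in d)):
            return False
    return True

def tableau_graph(phi):
    """Atoms V and successor lists (Item 1 of Definition 6.3) of G_phi."""
    cl = closure(phi)
    props = {f for f in cl if isinstance(f, str)}
    elems = sorted(cl, key=repr)
    atoms = []
    for bits in range(1 << len(elems)):            # every subset of the closure
        d = frozenset(e for k, e in enumerate(elems) if bits >> k & 1)
        if is_atom(d, props):
            atoms.append(d)
    nexts = [f[1] for f in cl if not isinstance(f, str) and f[0] == 'X']
    succ = {d: [e for e in atoms if all(((('X', g) in d) == (g in e)) for g in nexts)]
            for d in atoms}
    return atoms, succ

def tarjan_sccs(nodes, succ):
    """Tarjan's SCC decomposition of the subgraph induced by `nodes`."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                     # v is the root of an SCC
            comp = []
            while True:
                w = stack.pop(); on_stack.remove(w); comp.append(w)
                if w == v:
                    break
            sccs.append(comp)
    for v in nodes:
        if v not in index:
            visit(v)
    return sccs

def satisfiable(phi):
    """Theorem 15: a self-fulfilling non-trivial SCC reachable from an initial atom."""
    atoms, succ = tableau_graph(phi)
    reach, stack = set(), [d for d in atoms if phi in d]   # initial atoms
    while stack:
        d = stack.pop()
        if d not in reach:
            reach.add(d)
            stack.extend(succ[d])
    for comp in tarjan_sccs(reach, succ):
        nontrivial = len(comp) > 1 or comp[0] in succ[comp[0]]   # an actual cycle
        untils = [f for d in comp for f in d if not isinstance(f, str) and f[0] == 'U']
        if nontrivial and all(any(u[2] in e for e in comp) for u in untils):
            return True
    return False
```

The third test formula below, FGp ∧ GF¬p, is unsatisfiable without any propositional contradiction ever arising in an atom: every reachable component keeps either true U Gp or true U ¬p pending, so no component is self-fulfilling, which is the situation Theorem 15 is designed to catch.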
The non-optimal computational complexity is a limitation shared by all the tableau methods that will be discussed in this and the next chapter.

The one-pass tree-shaped tableau for LTL 119

This section recalls Reynolds' one-pass tree-shaped tableau for LTL [116]. The next section will then show the soundness and completeness of the system, exploiting our major contribution on this front, which is the simpler, overhauled completeness proof.

A tableau for φ is a tree T where each node u is labelled by a subset Γ(u) of the closure C(φ), and the label of the root node u₀ contains only φ, i.e., Γ(u₀) = {φ}. The tableau is built recursively from the root, at each step applying one rule from a set of rules to a leaf of the tree. Each rule can add one or two children to the current node, advancing the construction of the tree, or close the current branch by accepting (✓) or rejecting (✗) the current node. At the end of the section, the construction is proved to terminate with a complete tableau, i.e., one where all the leaves are either ticked or crossed. Once a complete tableau is obtained, the formula is recognised as satisfiable if there is at least one accepted branch. Given two nodes u and v, we write u ≤ v to mean that u is an ancestor of v, and u < v to mean that u is a proper ancestor of v, i.e., u ≤ v and u ≠ v.

The construction of a branch of the tree can be seen as the search for a model of the formula in a state-by-state way. At each step, expansion rules are applied first, building a possible assignment of proposition letters for the current state, which is then checked for the absence of contradictions. Next, the termination rules are checked to possibly detect whether the construction can be stopped.
At the end, information about the current state is used to determine the next one, and the construction proceeds by executing a temporal step.

The expansion rules look for a specific formula in the label, creating one or two children whose labels are obtained by replacing the target formula with some others. Table 6.1 shows the expansion rules with the following notation: each rule looks for a formula φ ∈ Γ(u), where u is the current node, and two children u′ and u″ of u are created with labels Γ(u′) = Γ(u) \ {φ} ∪ Γ₁(φ) and Γ(u″) = Γ(u) \ {φ} ∪ Γ₂(φ), where Γ₁(φ) and Γ₂(φ) are defined in Table 6.1. If the corresponding expansion rule has an empty Γ₂(φ), a single child is added. The rules for the primitive operators such as the until operator would be sufficient, but Table 6.1 also shows some derived rules for operators such as the eventually and always operators, for ease of exposition. Note that a common feature of all the expansion rules is that the expanded formulae are entailed by their replacement, i.e., both Γ₁(φ) ⊨ φ and Γ₂(φ) ⊨ φ.

After a finite number of applications of expansion rules, the construction will eventually reach a node whose label contains only elementary formulae, i.e., only formulae of the forms p or ¬p, for some p ∈ Σ, or Xα for some α ∈ C(φ) (while p and ¬p cannot both belong to the same label, it can be the case that

  Rule          φ ∈ Γ     Γ₁(φ)        Γ₂(φ)
  DISJUNCTION   α ∨ β     {α}          {β}
  UNTIL         α U β     {β}          {α, X(α U β)}
  RELEASE       α R β     {α, β}       {β, X(α R β)}
  EVENTUALLY    Fα        {α}          {XFα}
  CONJUNCTION   α ∧ β     {α, β}       –
  ALWAYS        Gα        {α, XGα}     –

Table 6.1: Tableau expansion rules.
When a formula φ of one of the types shown in the table is found in the label Γ of a node u, one or two children u′ and u″ are created with the same label as u except for φ, which is replaced, respectively, by the formulae from Γ₁(φ) and Γ₂(φ).

both Xα and X¬α belong to it, in which case the contradiction will be detected at a later stage). Such a label is called a poised label and the node is called a poised node. A poised branch ū = ⟨u₀, ..., uₙ⟩ is a branch of the tableau where uₙ is a poised node. Intuitively, a poised node represents a guess for the truth of elementary formulae at the current state. Once a poised node has been obtained, the search can proceed to the next state, by applying the STEP rule:

STEP Given a poised branch ū = ⟨u₀, ..., uₙ⟩, a child uₙ₊₁ is added to uₙ, with Γ(uₙ₊₁) = {α | Xα ∈ Γ(uₙ)}.

It is worth making a couple of observations at this point. First of all, note that the expansion rules can be seen as a more schematic way of expressing the definition of atom of a graph-shaped tableau given in Definition 6.2, and the STEP rule corresponds to Item 1 of Definition 6.3. At the same time, note that some combinations are missing. In a graph-shaped tableau, an atom may exist containing a disjunction α ∨ β and both its disjuncts, while in this system, one child of a node containing α ∨ β contains α and the other contains β, but there is no child necessarily containing both (unless both have been expanded by other means). During the construction, adding either formula to the opposite child would still result in locally consistent labels, but would be redundant, since once one of the two disjuncts has been chosen to hold, the truth of the other is irrelevant.
A single node of the one-pass tree-shaped system can thus be viewed as a representative of a set of atoms of the graph-shaped tableau that ignores some formulae whose truth is irrelevant at that particular point of the model. Similarly, a branch of the tree can be seen as a set of paths of the graph-shaped tableau which differ only regarding the truth value of these irrelevant formulae.

Since the STEP rule represents an advancement in time, (some of the) poised nodes will be used later to extract a model of φ from a successful tableau branch. Before this can happen, the label of each poised node has to be checked for the absence of contradictions. If the check succeeds, then the STEP rule can be applied to advance to the next temporal state; otherwise, the branch is crossed.

CONTRADICTION If {p, ¬p} ⊆ Γ(uₙ), for some p ∈ Σ, then uₙ is crossed.

The rules introduced so far allow us to build a tentative model for the formula step by step, but we have introduced only rules that can reject wrong branches, so we still need to specify how to recognise good branches corresponding to actual models. The first obvious case in which we have to stop the construction is when there is nothing left to do:

EMPTY Given a branch ū = ⟨u₀, ..., uₙ⟩, if Γ(uₙ) = ∅, then uₙ is ticked.

Since LTL models are in general infinite, only tableaux for simple formulae will have branches satisfying the EMPTY rule. Others, e.g., GFp, at any state require something to happen in the future. Thus, some criteria are needed to ensure that the construction can find models exhibiting infinitary behaviours, while guaranteeing that the expansion of every branch eventually terminates. For this reason, the system includes a pair of termination rules, the LOOP rule and the PRUNE rule, which are checked at each poised node.
Note that the potentially infinite expansion of the branches is caused by the recursive nature of most of the expansion rules. The UNTIL rule (and the derived EVENTUALLY rule) is the most critical one. In the expansion of a formula of the form α U β, the rule tries either to fulfil the request for β immediately or to postpone its fulfilment to a later step by adding X(α U β) to the label. A formula of the form X(α U β) is called an X-eventuality. If an X-eventuality appears in a label, it means that some pending request still needs to be fulfilled in the future, and some criterion has to be used to avoid postponing its fulfilment indefinitely. The same arguments hold for formulae of the form XFβ, but since the EVENTUALLY rule can be derived from the UNTIL rule, we focus on the latter. Given a branch ū = ⟨u₀, ..., uₙ⟩, an X-eventuality of the form X(α U β) appearing in Γ(uᵢ) for some 0 ≤ i ≤ n is said to be requested in uᵢ; moreover, we say that it is fulfilled in uₖ, with i < k, if β ∈ Γ(uₖ) and α ∈ Γ(uⱼ) for all i ≤ j < k. Moreover, we say that it is fulfilled in a subsequence ū[i...j] if it is fulfilled in uₖ for some i < k ≤ j.

The LOOP and PRUNE rules, checked in this order, allow us to handle, respectively, the case of a branch that is repeating by successfully fulfilling recurrent requests, and the case of a branch that is indefinitely postponing the fulfilment of an eventuality that is impossible to fulfil. They are defined as follows.

LOOP If there is a poised node uᵢ < uₙ such that Γ(uᵢ) = Γ(uₙ), and all the X-eventualities requested in uᵢ are fulfilled in ū[i+1...n], then uₙ is ticked.

PRUNE If there are two positions i < j < n such that Γ(uᵢ) = Γ(uⱼ) = Γ(uₙ), and, among the X-eventualities requested in these nodes, all those fulfilled in ū[j+1...n] are fulfilled in ū[i+1...j] as well, then uₙ is crossed.
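The complete system of rules above (the expansion rules of Table 6.1, STEP, CONTRADICTION, EMPTY, LOOP and PRUNE), as an added example that is not Reynolds' or the thesis's own code (Python; the tuple encoding of formulae and all names are assumptions of the example). The tree is explored depth-first, so only one branch is in memory at a time, and a poised node is checked in the order CONTRADICTION, EMPTY, LOOP, PRUNE before the STEP rule is applied. "Fulfilled in ū[i...j]" is implemented as the requested formula β occurring in some label of that range, as defined above. The function returns the name of the rule that ticked an accepting branch, or None when every branch is crossed.

```python
# Added example (not Reynolds' or the thesis's code).  Formulas are nested
# tuples in negated normal form: a proposition is a string, ('not', p) is a
# negative literal, and ('X', a), ('F', a), ('G', a), ('U', a, b), ('R', a, b),
# ('and', a, b), ('or', a, b) are the operators of Table 6.1.

def expansion(f):
    """Gamma_1(f) and Gamma_2(f) from Table 6.1; Gamma_2 is None when the
    rule creates a single child."""
    op = f[0]
    if op == 'or':   return {f[1]}, {f[2]}
    if op == 'U':    return {f[2]}, {f[1], ('X', f)}
    if op == 'R':    return {f[1], f[2]}, {f[2], ('X', f)}
    if op == 'F':    return {f[1]}, {('X', f)}
    if op == 'and':  return {f[1], f[2]}, None
    if op == 'G':    return {f[1], ('X', f)}, None
    raise ValueError(f"not an expandable formula: {f!r}")

def elementary(f):
    """p, not p, or X alpha: the formulas that make a label poised."""
    return isinstance(f, str) or f[0] in ('not', 'X')

def eventualities(label):
    """The X-eventualities X(a U b) and X F b of a label, each paired with the
    formula b whose appearance fulfils it."""
    return [(f, f[1][-1]) for f in label
            if not isinstance(f, str) and f[0] == 'X'
            and not isinstance(f[1], str) and f[1][0] in ('U', 'F')]

def fulfilled(branch, b, lo, hi):
    """A request for b is fulfilled in u[lo..hi] if b lies in one of those labels."""
    return any(b in branch[k] for k in range(lo, hi + 1))

def tableau(phi):
    """Depth-first construction, one branch in memory at a time.  Returns the
    rule that ticked an accepting branch ('EMPTY' or 'LOOP'), or None when
    every branch is crossed, i.e. when phi is unsatisfiable."""
    return _search([frozenset([phi])], [])

def _search(branch, poised):
    label, n = branch[-1], len(branch) - 1
    pending = sorted((g for g in label if not elementary(g)), key=repr)
    if pending:                                   # an expansion rule applies
        f = pending[0]
        g1, g2 = expansion(f)
        rest = label - {f}
        children = [rest | g1] if g2 is None else [rest | g1, rest | g2]
        for child in children:
            rule = _search(branch + [child], poised)
            if rule:
                return rule
        return None
    # u_n is poised: CONTRADICTION, EMPTY, LOOP, PRUNE, then STEP, in this order
    if any(('not', p) in label for p in label if isinstance(p, str)):
        return None                               # CONTRADICTION: crossed
    if not label:
        return 'EMPTY'                            # ticked
    same = [i for i in poised if branch[i] == label]   # poised u_i with Gamma(u_i) = Gamma(u_n)
    for i in same:                                # LOOP
        if all(fulfilled(branch, b, i + 1, n) for _, b in eventualities(branch[i])):
            return 'LOOP'
    for a, i in enumerate(same):                  # PRUNE, with i < j < n
        for j in same[a + 1:]:
            if all(fulfilled(branch, b, i + 1, j)
                   for _, b in eventualities(label) if fulfilled(branch, b, j + 1, n)):
                return None                       # crossed: nothing new was fulfilled
    nxt = frozenset(f[1] for f in label if not isinstance(f, str) and f[0] == 'X')
    return _search(branch + [nxt], poised + [n])  # STEP

# The two formulas of Figure 6.1, in the tuple encoding of this example.
NOT_P = ('not', 'p')
FIG_6_1A = ('G', ('F', ('and', 'p', ('X', NOT_P))))        # G F (p and X not p)
FIG_6_1B = ('and', ('G', NOT_P), ('U', 'q', 'p'))         # G not p and (q U p)
```

On the two formulae of Figure 6.1 the search ticks a branch of the first by the LOOP rule, at the second occurrence of the label {p, X¬p, XGF(p ∧ X¬p)}, and crosses every branch of the second, the last one by the PRUNE rule at the third repetition of {¬p, XG¬p, q, X(q U p)}, in which no X-eventuality is fulfilled; a formula such as p U q, whose model needs nothing after the first state, is accepted by the EMPTY rule instead.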
Intuitively, the LOOP rule is responsible for recognising when a model for the formula has been found, while the PRUNE rule rejects branches that were doing redundant work without managing to fulfil any new eventuality. Then, if neither of these two rules has closed the branch, the current state is ready and the construction can advance in time by applying the STEP rule. The PRUNE rule was the main novelty of this tableau system when introduced by Reynolds [116], and is the main focus of the novel completeness proof of Section 6.3.

The rules described above are repeatedly applied to the leaves of any open branch until all branches have been either ticked or crossed. This process is guaranteed to terminate.

Theorem 16 — Termination. Given a formula φ, the construction of a (complete) tableau T for φ always terminates in a finite number of steps.

Proof. To start with, we observe that the tree has a finite branching degree, as any rule of the system creates at most two children. Thus, by König's lemma, for the construction to proceed forever the tree should contain at least one infinite branch. This, however, cannot be the case, because of the finite number of possible different labels and of different X-eventualities: after enough steps, any branch has to contain either two occurrences of the same label triggering the LOOP rule, or three occurrences of the same label triggering the PRUNE rule. Note that the LOOP rule is never triggered if the formula is unsatisfiable.
However, if this is the case, the PRUNE rule will always eventually be triggered, because the set of X-eventualities is finite and the number of X-eventualities encountered along a branch from a given node is non-decreasing.

As for the computational complexity of the procedure, it can be seen that the whole decision procedure runs using at most an exponential amount of space: only a single branch at a time needs to be kept in memory, and no branch can be longer than an exponential upper bound, given by the number of possible different labels that can appear on a branch before triggering either the LOOP or the PRUNE rule. The running time of the procedure is therefore at most doubly exponential in the size of the formula. The procedure is thus not optimal with regard to the complexity of LTL satisfiability, which is PSPACE-complete. However, on the one hand, this is in line with the classic graph-shaped tableau-based decision procedure highlighted in Section 6.1.2 and with the one-pass system by Schwendimann [126]. On the other hand, the procedure can be turned into a PSPACE one by suitably exploiting nondeterminism, and then employing the well-known fact that PSPACE = NPSPACE [123]. However, such a theoretically optimal version would not be of any practical use.

To get an intuitive understanding of how the tableau works for typical formulae, take a look at Figure 6.1, where two example tableaux are shown. Figure 6.1a shows part of the tableau for the liveness formula GF(p ∧ X¬p).

[Figure 6.1a, node labels recovered from the extracted figure; "→" is an expansion, "⇒" a STEP, "|" separates siblings: {GF(p ∧ X¬p)} → {F(p ∧ X¬p), XGF(p ∧ X¬p)} → ... → {p, X¬p, XGF(p ∧ X¬p)} ⇒ {¬p, GF(p ∧ X¬p)} → {¬p, p, X¬p, ...} ✗ | {¬p, XF(p ∧ X¬p), XGF(p ∧ X¬p)} ⇒ {F(p ∧ X¬p), GF(p ∧ X¬p)} → ...
→ {p, X¬p, XGF(p ∧ X¬p)} ✓ (LOOP)]

[Figure 6.1b, node labels recovered from the extracted figure: {G¬p ∧ q U p} → {G¬p, q U p} → {¬p, XG¬p, p} ✗ | {¬p, XG¬p, q, X(q U p)} ⇒ {G¬p, q U p} → {¬p, XG¬p, p} ✗ | {¬p, XG¬p, q, X(q U p)} ⇒ {G¬p, q U p} → {¬p, XG¬p, p} ✗ | {¬p, XG¬p, q, X(q U p)} ✗ (PRUNE)]

(a) Tableau for GF(p ∧ X¬p), closed by the LOOP rule. (b) Tableau for G¬p ∧ q U p, closed by the PRUNE rule.

Figure 6.1: Example tableaux for two formulae, involving the LOOP and PRUNE rules. Dashed edges represent subtrees collapsed to save space, bold arrows represent the application of a STEP rule to a poised label.

This formula requires something, i.e., p ∧ X¬p, to happen infinitely often. As we go down any branch, we can see that the request XGF(p ∧ X¬p) is present in every poised label, propagated by the corresponding expansion rule. Then, any time F(p ∧ X¬p) is added to a label, the branch forks to choose between adding p ∧ X¬p immediately or postponing it. When the request is fulfilled, p cannot hold twice in a row, and this is handled by the CONTRADICTION rule, which fires when the wrong choice is made. Then, the LOOP rule is triggered by the rightmost branch, which is repeating the same label for the second time. The looping arrow does not represent a real edge, since otherwise it would not be a tree, but is just a way to highlight which label the loop is jumping to.

Figure 6.1b shows an example of application of the PRUNE rule in the tableau for the formula G¬p ∧ q U p. The formula is unsatisfiable, not directly because of a propositional contradiction, but rather because the eventuality requested by q U p cannot be realised, because of the presence of the G¬p component. The expansion of the until operator will then try to realise p at each step, each time resulting in a propositional contradiction.
The rightmost branch would then continue postponing the X-eventuality forever, if not for the PRUNE rule, which crosses the branch after the third repetition of the same label (with no X-eventuality fulfilled in between).

One may wonder why the PRUNE rule needs to look for the third occurrence of a label before triggering. An enlightening example is given in Figure 6.2.

[Figure 6.2, recovered from the extracted figure: φ ≡ p ∧ G(p ↔ X¬p) ∧ GFq₁ ∧ GFq₂ ∧ G¬(q₁ ∧ q₂) ∧ G(q₁ → ¬p) ∧ G(q₂ → ¬p). The depicted branch is {φ} → {..., XFq₁, XFq₂, ...} → ... (q₁ realised) → {..., XFq₁, XFq₂, ...} ✗? → ... (q₂ realised) → {..., XFq₁, XFq₂, ...} ✓. Figure 6.2: Example of why the PRUNE rule waits for three repetitions of the same label.]

The formula φ shown in the figure requires q₁ and q₂ to appear infinitely often, but never at the same time, thus forcing a kind of (not necessarily strict) alternation between the two. Developing the tableau for φ, one can see that the requests XFq₁ and XFq₂ will be permanently present in the labels, including, in particular, after realising one of the two. Thus, crossing the branch after the second occurrence of the label would be wrong, since the repetition of the label alone does not imply that the branch is doing wasteful work. Indeed, after the first repetition, the branch can continue making different choices, realising the other request, and can be closed by the LOOP rule after having realised both.

This section proves that the tableau system for LTL described earlier is sound and complete. In comparison with known proofs for Reynolds' one-pass tree-shaped tableau for LTL, our proof of the completeness of the system adopts a new, more insightful argument, which characterises the behaviour of the PRUNE rule by identifying a specific class of models, called greedy models, that are found by the system.
Orthogonally, the proof also handles the YESTERDAY rule, added in this chapter to support past operators.

The two proofs are independent, but related by the common use of the concept of pre-model, which is an abstract representation of one or more models of a formula. The concept of pre-model is not new in the expositions of tableau methods, but here we define it in such a way as to cope with the fact, noted above, that the labels of our tableau can avoid containing formulae that are not relevant for the satisfiability of the formula in a given state.

Soundness and completeness 125

The rest of the section is organised as follows. In Section 6.3.1, we introduce the concept of pre-model, and of greedy pre-model, setting up the necessary machinery used in the subsequent proofs. Then, Sections 6.3.2 and 6.3.3 exploit this machinery to prove the system to be sound and complete, respectively.

Pre-models are an abstract representation of one or more models of a formula that differ in some details that are not relevant to the satisfaction of the formula. Pre-models are made of basic objects called atoms.

Definition 6.4 — Atom. An atom for an LTL formula φ is a set Δ ⊆ C(φ) such that:
1. {p, ¬p} ⊈ Δ, for any p ∈ Σ;
2. if ψ ∈ Δ, then either Γ₁(ψ) ⊆ Δ, or Γ₂(ψ) ≠ ∅ and Γ₂(ψ) ⊆ Δ, where Γ₁(ψ) and Γ₂(ψ) are defined in Table 6.1;
3. for each ψ, ψ′ ∈ C(φ), if ψ ∈ Δ and ψ ⊨ ψ′, then ψ′ ∈ Δ, i.e., Δ is closed under logical deduction.

Our definition of atom follows the expansion rules as defined in Table 6.1, similarly to Definition 6.2. In addition to that, however, the set is closed under logical entailment. Another difference is that our atoms are incomplete, i.e., they do not necessarily specify the truth of all the formulae, but only of those that are required to justify the presence of others. This is in line with how the labels of the tableau are constructed, as noted above.
Note that the empty set is a valid atom in our definition. Single atoms are not useful by themselves, but have to be arranged in sequences, called pre-models, which are an abstract representation of the models of a formula.

Definition 6.5 — Pre-model. Let φ be an LTL formula. A pre-model of φ is an infinite sequence Δ̄ = ⟨Δ₀, Δ₁, ...⟩ of minimal atoms for φ such that, for all i ≥ 0:
1. φ ∈ Δ₀;
2. if Xψ ∈ Δᵢ, then ψ ∈ Δᵢ₊₁;
3. if ψ₁ U ψ₂ ∈ Δᵢ, then there is a j ≥ i with ψ₂ ∈ Δⱼ and ψ₁ ∈ Δₖ for all i ≤ k < j.

Pre-models take their name from the fact that they abstractly represent a model for their formula, and thus the existence of a pre-model witnesses the satisfiability of the formula.

Lemma 6.6 — Extraction of a model from a pre-model. Let φ be an LTL formula. If φ has a pre-model, then φ is satisfiable.

Proof. Let Δ̄ be a pre-model of φ and let σ be a state sequence such that p ∈ Δᵢ if and only if σ, i ⊨ p. Then, we show that σ ⊨ φ and thus that the formula is satisfiable. Note that this definition makes the precise choice of setting as false all the literals that are missing from the atoms of the pre-model, but any arbitrary choice would work for such literals. For any ψ ∈ C(φ), let the nesting degree deg(ψ) of ψ be defined inductively as deg(p) = deg(¬p) = 0 for p ∈ Σ, deg(Xψ) = deg(Yψ) = deg(ψ) + 1, and deg(ψ₁ ◦ ψ₂) = max(deg(ψ₁), deg(ψ₂)) + 1, with ◦ ∈ {∧, ∨, U, S, R, T}. We prove by induction on deg(ψ) that if ψ ∈ Δᵢ, then σ, i ⊨ ψ, for any ψ ∈ C(φ) and any i ≥ 0. The thesis then follows immediately, since φ ∈ Δ₀ by definition.

As for the base case, if p ∈ Δᵢ or ¬p ∈ Δᵢ, then the thesis follows by the definition of σ. As for the inductive step, we go by cases:
1. if ψ₁ ∨ ψ₂ ∈ Δᵢ (resp., ψ₁ ∧ ψ₂ ∈ Δᵢ), then by definition of atom and by the inductive hypothesis, either σ, i ⊨ ψ₁ or σ, i ⊨ ψ₂ (resp., both), and thus σ, i ⊨ ψ₁ ∨ ψ₂ (resp., σ, i ⊨ ψ₁ ∧ ψ₂);
2. if Xψ ∈ Δᵢ, then, by Item 2 of Definition 6.5, it holds that ψ ∈ Δᵢ₊₁. Since deg(ψ) < deg(Xψ), by the inductive hypothesis it follows that σ, i+1 ⊨ ψ. Then, by the semantics of the tomorrow operator, we have σ, i ⊨ Xψ;
3. if ψ₁ U ψ₂ ∈ Δᵢ, then, by definition of atom, there exists j ≥ i such that ψ₂ ∈ Δⱼ and ψ₁ ∈ Δₖ for all i ≤ k < j. Then, by the inductive hypothesis, σ, j ⊨ ψ₂ and σ, k ⊨ ψ₁ for all i ≤ k < j, hence by the semantics of the until operator we have σ, i ⊨ ψ₁ U ψ₂;
4. the argument is similar to Item 1 when ψ₁ R ψ₂ ∈ Δᵢ, ψ₁ S ψ₂ ∈ Δᵢ, or ψ₁ T ψ₂ ∈ Δᵢ, following the corresponding expansion rules.

Note that, conversely, a pre-model can be obtained straightforwardly from any model σ ⊨ φ of a formula by simply setting φ ∈ Δ₀, and then following the definition, obtaining a sequence Δ̄ = ⟨Δ₀, Δ₁, ...⟩ of atoms where each Δᵢ is the minimal atom whose every formula holds at σᵢ.

Here we prove that the tableau system is sound, that is, if a complete tableau for a formula has a successful branch, then the formula is satisfiable. Moreover, a model for the formula can be effectively obtained from any successful branch. The proof shows how a pre-model for φ can be extracted from a complete tableau, which then lets us obtain one or more models of the formula. Let us first define how an atom can be constructed on top of a tableau poised node.

Definition 6.7 — Atom of a tableau node. Let T be a tableau for an LTL formula φ and let uᵢ be a non-crossed poised node of T. The atom of uᵢ, written Δ(uᵢ), is the closure under logical entailment of Γ(uᵢ).
The exclusion of crossed poised nodes is essential to guarantee that the resulting set does not contain contradictions, and hence that the definition is well-defined. Now we can state how exactly to extract a model for a formula from a successful branch of its tableau. Let ū = ⟨u₀, ..., uₙ⟩ be a branch of the tableau, and let π̄ = ⟨π₀, ..., πₘ⟩ be the sequence of its poised nodes. Then, given a poised node uᵢ, let Γ*(uᵢ) = ⋃ⱼ Γ(uⱼ), where j ranges over the nodes from the last application of the STEP rule up to uᵢ, or from the root if the STEP rule was never applied before uᵢ. In other terms, Γ*(uᵢ) contains all the formulae that were expanded to build the poised label of uᵢ.

Lemma 6.8 — Extraction of a pre-model from a successful tableau. Let φ be an LTL formula and T a complete tableau for φ. If T has a successful branch, then there exists a pre-model for φ.

Proof. Let ū = ⟨u₀, ..., uₙ⟩ be a successful branch of T and let π̄ = ⟨π₀, ..., πₘ⟩ be the subsequence of poised nodes of ū. Intuitively, a pre-model for φ can be obtained from ū by building the atoms from the labels of the poised nodes, and extending them to an infinite sequence. If the branch has been accepted by the LOOP rule, we can identify a position 0 ≤ k ≤ m in π̄ such that Δ(πₖ) = Δ(πₘ) and all the X-eventualities requested in πₖ are fulfilled in π̄[k+1...m]. If instead ū has been accepted by the EMPTY rule, then Γ(πₘ) = ∅, and in particular no X-eventualities are requested, hence setting k = m we obtain the same effect. Therefore, we can extract from π̄ the periodic sequence of atoms Δ̄ = Δ̄₀ Δ̄_T^ω, where Δ̄₀ = ⟨Δ(π₀), ..., Δ(πₖ)⟩, and either Δ̄_T = ⟨Δ(πₖ₊₁), ..., Δ(πₘ)⟩ or Δ̄_T = ⟨Δ(πₘ)⟩, depending on which rule accepted the branch, respectively the LOOP or the EMPTY rule. In other words, we build a periodic pre-model that infinitely repeats the fulfilling loop identified by the LOOP rule, or the last empty node otherwise.
Then let K : ℕ → ℕ be the map from positions in the pre-model to their original positions in the branch, defined as K(i) = i for 0 ≤ i < k, and, for i ≥ k, either as K(i) = k + ((i − k) mod T), with T = m − k (LOOP rule), or as K(i) = k (EMPTY rule).

We can now show that Δ̄ is indeed a pre-model for φ. First, observe that φ ∈ Δ₀ because φ ∈ Γ(π₀) by construction, thus Item 1 of Definition 6.5 is satisfied. Then, we check Items 2 and 3 of Definition 6.5.
2. Consider any formula Xψ ∈ Δᵢ. Being an elementary formula, we can observe that Xψ ∈ Γ(π_{K(i)}). Two cases have to be considered. If π_{K(i+1)} = π_{K(i)+1}, i.e., the next atom comes from the actual successor of the current one in the tableau branch, then, by the STEP rule, we know that ψ ∈ Γ(π_{K(i+1)}) ⊆ Δᵢ₊₁. Otherwise, Δᵢ = Δₘ = Δ(πₘ) and πₘ was ticked by the LOOP rule (because Δᵢ is not empty), and thus Δᵢ₊₁ = Δ(πₖ₊₁) for some k < m such that Γ(πₖ) = Γ(πₘ). Hence, Xψ ∈ Γ(πₖ) as well, and, by the STEP rule applied to πₖ, we know that ψ ∈ Γ*(πₖ₊₁) ⊆ Δ(πₖ₊₁) = Δᵢ₊₁.
3. The other cases, such as ψ₁ U ψ₂ ∈ Δᵢ, are straightforward in view of how the expansion rules are defined.

The above results let us conclude the soundness of the tableau system.

Theorem 17 — Soundness. Let φ be an LTL formula, and let T be a complete tableau for φ. If T has a successful branch, then φ is satisfiable.

Proof. Extract a pre-model for φ from the successful branch of T as shown in Lemma 6.8, and then obtain from it an actual model for the formula as shown by Lemma 6.6.

We now prove the completeness of the tableau system, i.e., that if a formula φ is satisfiable, then any complete tableau T for it has an accepting branch. The proof uses a pre-model for φ, which we know to exist if the formula is satisfiable, as a guide to suitably descend through the tableau to look for an accepted branch.
Then, we will show how to make sure that this descent must obtain an accepted branch. The descent is performed as follows.

Lemma 6.9 — Extraction of the branch. Let Δ̄ = ⟨Δ₀, Δ₁, ...⟩ be a pre-model for a formula φ. Then, any complete tableau for φ has a branch ū, with sequence of poised nodes π̄ = ⟨π₀, ..., πₘ⟩, such that Δ(πᵢ) = Δᵢ for all 0 ≤ i ≤ m.

Proof. To find ū, we traverse the tree using Δ̄ as a guide, starting from the root u₀, building a sequence of branch prefixes ūᵢ = ⟨u₀, ..., uᵢ⟩, suitably choosing uᵢ₊₁ at each step among the children of uᵢ. Meanwhile, we maintain a non-decreasing function J : ℕ → ℕ that maps positions in ūᵢ to positions in Δ̄ such that Γ(uₖ) ⊆ Δ_{J(k)} for each 0 ≤ k ≤ i, starting from ū₀ = ⟨u₀⟩ and J(0) = 0. With this base case the invariant holds, since Γ(u₀) = {φ} and φ ∈ Δ₀ by definition. Then, at each step i ≥ 0, we choose uᵢ₊₁ among the children of uᵢ as follows:
1. if uᵢ is a poised node but not a leaf, then it has a single child, which is chosen as uᵢ₊₁, defining J(i+1) = J(i) + 1, since we need to advance to the next position in the pre-model as well;
2. if uᵢ is not a poised node, then it has two children u′ᵢ and u″ᵢ and a formula φ such that Γ(u′ᵢ) = Γ(uᵢ) \ {φ} ∪ Γ₁(φ) and Γ(u″ᵢ) = Γ(uᵢ) \ {φ} ∪ Γ₂(φ), where Γ₁(φ) and Γ₂(φ) are defined in Table 6.1. Since we maintained that Γ(uᵢ) ⊆ Δ_{J(i)}, and thus φ ∈ Δ_{J(i)}, by Definition 6.4 we know that either Γ₁(φ) ⊆ Δ_{J(i)} or Γ₂(φ) ⊆ Δ_{J(i)}, hence either Γ(u′ᵢ) ⊆ Δ_{J(i)} or Γ(u″ᵢ) ⊆ Δ_{J(i)}, so we can choose uᵢ₊₁ accordingly. Note that both might be suitable choices, in which case which one is chosen is not important.
In any case, we set J(i+1) = J(i), since we do not need to advance in the pre-model.

Now, let ū = ⟨u₀, ..., uₙ⟩ be the branch found as described above, and let π̄ = ⟨π₀, ..., πₘ⟩ be the sequence of its poised nodes. Since in the traversal the value of J(i) is incremented only when an application of the STEP rule is traversed, it holds that Γ(πᵢ) ⊆ Δᵢ. Since Δ(πᵢ) is by definition the minimal atom including Γ(πᵢ), it follows that Δ(πᵢ) ⊆ Δᵢ. Now, consider the sets of formulae 𝒳ᵢ such that 𝒳₀ = {φ} and 𝒳ᵢ₊₁ = {ψ | Xψ ∈ Δᵢ}, and note that, by construction, 𝒳ᵢ ⊆ Δ(πᵢ) for each 0 ≤ i ≤ m, and that all the formulae ψ ∈ Δᵢ that are the result of the expansion of 𝒳ᵢ are in Δ(πᵢ) as well, because of how we followed Δ̄ during the descent. Moreover, by Definitions 6.4 and 6.5, any formula in Δᵢ must be either the result of the expansion of 𝒳ᵢ or the logical deduction of some other formulae of the set, hence we can conclude that Δ(πᵢ) = Δᵢ.

The particular branch found as described above might, in general, be crossed. However, it is immediate to note that it cannot possibly have been crossed by an application of the CONTRADICTION rule, since this would imply the existence of some {p, ¬p} ⊆ Δᵢ for some i, which cannot be the case. Hence, if a crossed leaf is found, it has been crossed by the PRUNE rule. The novelty of the proof presented here is how we can select a proper class of models (and their pre-models) such that the descent described by Lemma 6.9, applied to one of these particular models, cannot possibly find a node crossed by the PRUNE rule either.

The key concept behind our proof is that of greedy pre-model. Given a pre-model Δ̄ = ⟨Δ₀, Δ₁, ...⟩, an X-eventuality ψ ≡ X(ψ₁ U ψ₂) is requested at position i ≥ 0 if ψ ∈ Δᵢ, and fulfilled at j > i if j is the first position where ψ₂ ∈ Δⱼ and ψ₁ ∈ Δₖ for all i < k < j.
Let U(φ) = {ψ ∈ C(φ) | ψ ≡ X(ψ_1 U ψ_2)} be the set of X-eventualities in the closure of φ. For each position i ≥ 0, we define the delay at position i as a function d_i : U(φ) → ℕ providing a natural number for each eventuality in U(φ), as follows:

    d_i(ψ) = 0   if ψ is not requested at position i,
    d_i(ψ) = n   if ψ is requested at i and fulfilled at j, where n = j − i.

Intuitively, d_i(ψ) is the number of states elapsed between the request and the fulfilment of ψ. Let D be the set of all possible delays. Then, we can define a partial order (D, ⪯) between delays by comparing them component-wise, i.e., for any d, d′ ∈ D, d ⪯ d′ iff d(ψ) ≤ d′(ψ) for each ψ ∈ U(φ). Note that D is just another way to denote ℕ^{|U(φ)|}, and (D, ⪯) is just (ℕ^{|U(φ)|}, ≤), i.e., tuples of |U(φ)| natural numbers ordered component-wise. In particular, this means that (D, ⪯) is well-founded, i.e., there are no infinite descending chains of elements. Given two infinite sequences of delays d = ⟨d_0, d_1, …⟩ and d′ = ⟨d′_0, d′_1, …⟩, we can compare them lexicographically, hence defining a partial order (D^ω, ⪯_lex) such that d ⪯_lex d′ iff either d_0 ⪯ d′_0, or d_0 = d′_0 and d_{≥1} ⪯_lex d′_{≥1}.

A pre-order can instead be defined over pre-models, by defining ∆ ⪯ ∆′ iff d ⪯_lex d′, where d and d′ are the sequences of delays of ∆ and ∆′, respectively. This is only a pre-order instead of a partial order because ∆ ⪯ ∆′ and ∆′ ⪯ ∆ do not imply that ∆ = ∆′, as two different pre-models may have the same delays. Minimal elements in this pre-order are called greedy pre-models.

Definition 6.10 — Greedy pre-models.
A pre-model ∆ for a formula φ is greedy if there is no pre-model ∆′ such that ∆′ ≺ ∆.

Intuitively, in greedy pre-models all the requested X-eventualities are always fulfilled as soon as possible. We will show that starting from one such pre-model ensures that we avoid crossed nodes when extracting a branch from the tableau as described in Lemma 6.9. Therefore, we first need to ensure that a greedy pre-model always exists, which follows from the lexicographic ordering used to compare delays.

Lemma 6.11 — Existence of greedy pre-models. Let ∆ be a pre-model for a formula φ. Then, there is a greedy pre-model ∆′ ⪯ ∆.

Proof. We distinguish two cases. If there is a finite sequence ∆_0 ≻ ∆_1 ≻ … ≻ ∆_n, with ∆_0 = ∆ and n ≥ 1, which is maximal with respect to ≻, i.e., it cannot be further extended, then ∆′ = ∆_n is a greedy pre-model with ∆′ ⪯ ∆. Otherwise, let ∆_0 (= ∆) ≻ ∆_1 ≻ … be an infinite sequence of pre-models. We prove that its limit is a greedy pre-model ∆′. To this end, it suffices to show that for every n ∈ ℕ (prefix length), there is m ∈ ℕ (pre-model index) such that the prefix up to position n of the pre-models ∆_m, ∆_{m+1}, … is the same.

For i ≥ 1, let d^i = ⟨d^i_0, d^i_1, …⟩ be the sequence of delays of ∆_i. Let us consider the j-th pre-model ∆_j, for some j ≥ 1. By definition of ≻, there is a position n_j ≥ 0 such that d^{j+1}_{n_j} < d^j_{n_j}, and d^{j+1}_m = d^j_m for all 0 ≤ m < n_j. We show that there are finitely many indices l > j for which there exists a position n_k, with n_k ≤ n_j, such that d^{l+1}_{n_k} < d^l_{n_k}, and d^{l+1}_m = d^j_m for all 0 ≤ m < n_k. Let l be the largest of such indices. We prove it by contradiction. Assume that there are infinitely many. Let n_h be the leftmost position that comes into play infinitely many times. If n_h = 0, then there is an infinite strictly decreasing sequence of delays d^{h_1}_0 > d^{h_2}_0 > d^{h_3}_0 > …
, with j < h_1 < h_2 < h_3 < …, which cannot be the case since the ordered set (ℕ^{|U(φ)|}, ≤) is well-founded (the definition of temporal shift operators ensures that the closure set of φ is finite, and thus U(φ) is finite as well). Let 0 < n_h ≤ n_j. Since the positions to the left of n_h are chosen only finitely many times, there exists a tuple (d_0, …, d_{n_h − 1}) which is paired with an infinite strictly decreasing sequence of delays d^{h_1}_{n_h} > d^{h_2}_{n_h} > d^{h_3}_{n_h} > …, with j < h_1 < h_2 < h_3 < …, which again cannot be the case since the ordered set (ℕ^{|U(φ)|}, ≤) is well-founded. This allows us to conclude that the prefix up to position n_j of all pre-models of index greater than or equal to l is the same.

Now, we can introduce the connection between the PRUNE rule and greedy pre-models. To this aim, we define a similar contraction rule on pre-models.

Definition 6.12 — Redundant segments. Let ∆ = ⟨∆_0, ∆_1, …⟩ be a pre-model for φ, and let i < j < k be three positions such that ∆_i = ∆_j = ∆_k. Then, the subsegment ∆[j+1…k] of ∆ is redundant if not all the X-eventualities requested in the atoms are fulfilled in ∆[j+1…k], and all those fulfilled in ∆[j+1…k] are fulfilled in ∆[i+1…j] as well.

Intuitively, a redundant segment is one where the pre-model is doing some useless work, because there are no new X-eventualities fulfilled in the segment that were not already fulfilled before, among those recurrently requested. It can be recognised that the condition of Definition 6.12 is similar to the one checked by the PRUNE rule on a branch of the tableau, but transferred to pre-models. The important feature of redundant segments is that they can be safely removed, obtaining another pre-model which, most importantly, has lower delays than the original.

Lemma 6.13 — Removal of redundant segments. Let ∆ be a pre-model for a formula φ with a redundant segment ∆[j+1…k].
Then, the sequence of atoms ∆′ = ∆_{≤j} ∆_{>k} is a pre-model for φ, and ∆′ ≺ ∆.

Proof. First of all, we check that ∆′ = ∆_{≤j} ∆_{>k} is still a pre-model for φ. This can be seen by observing that, since ∆_j and ∆_k are equal, ψ ∈ ∆_{k+1} for any Xψ ∈ ∆_j.

Now, let d and d′ be the sequences of delays of ∆ and ∆′, respectively. Since ∆[j+1…k] is a redundant segment, there is an atom ∆_i with i < j such that ∆_i = ∆_j (= ∆_k). We proceed by showing that d′_i ≺ d_i, while d′_n ⪯ d_n for all n < i, thus implying that ∆′ ≺ ∆. To this aim, we show that there is at least one X-eventuality ψ ≡ X(ψ_1 U ψ_2) for which d′_i(ψ) < d_i(ψ), while the values of the delay vector for the other eventualities at worst do not increase. Now, let ψ ≡ X(ψ_1 U ψ_2) be any X-eventuality requested in ∆_i (and ∆_j and ∆_k), and consider the position h > i where ψ is first fulfilled (such that d_i(ψ) = h − i). Note that it cannot be the case that h appears inside the redundant segment, i.e., that j < h ≤ k, since ψ, by Definition 6.12, would have to be fulfilled between ∆_i and ∆_j as well, hence h would not be the point of its first fulfilment. Hence, there are two cases. If h < j, then the point of first fulfilment of ψ is not affected by the cut and the delay cannot decrease because of it. Otherwise, if h > k, the cut decreases the delay of ψ, hence d′_i(ψ) = d_i(ψ) − (k − j). Note that at least one X-eventuality fulfilled after k exists, because, by Definition 6.12, the requested eventualities can be neither all fulfilled in ∆[i+1…j] nor all fulfilled inside ∆[j+1…k], hence d′_i ≺ d_i.

Now, consider any position n < i.
In any of those positions, d_n(ψ), for any X-eventuality ψ ≡ X(ψ_1 U ψ_2), cannot increase because of the cut, otherwise the first fulfilment of ψ would have been in ∆[j+1…k] (thus postponing its first fulfilment to a later point), which cannot be the case because all the eventualities fulfilled there are fulfilled also in ∆[i+1…j]. Hence, d′_n ⪯ d_n for all n < i, thus d′ ≺_lex d, which implies ∆′ ≺ ∆.

Now we can exploit the results obtained so far to prove the completeness of the tableau system, proving that a complete tableau for a satisfiable formula contains at least an accepted branch.

Theorem 18 — Completeness. Let φ be a closed LTL formula and let T be a complete tableau for φ. If φ is satisfiable, then T contains a successful branch.

Proof. Let σ be a model for φ. As already noted, it is straightforward to build a pre-model for φ from σ. Then, given a pre-model for φ, Lemma 6.11 ensures that a greedy pre-model for φ exists. We can thus consider ∆ = ⟨∆_0, ∆_1, …⟩ to be a greedy pre-model for φ. Now, given a complete tableau T for φ, thanks to Lemma 6.9 we can obtain a branch from T, with sequence of poised nodes π = ⟨π_0, …, π_m⟩, such that ∆(π_k) = ∆_k for all 0 ≤ k ≤ m. As already noted, we know that if π_m is crossed, then it has to have been crossed by the PRUNE rule. If this were the case, however, it would mean that there are two other poised nodes π_i and π_j, with i < j < m and Γ(π_i) = Γ(π_j) = Γ(π_m), such that all the X-eventualities requested in the three nodes and fulfilled between π_{j+1} and π_m are fulfilled between π_{i+1} and π_j as well. Since ∆(π_k) = ∆_k for all 0 ≤ k ≤ m, this fact reflects onto the pre-model, hence ∆_i = ∆_j = ∆_m, and all the X-eventualities requested in these atoms and fulfilled in ∆[j+1…m] are fulfilled in ∆[i+1…j] as well.
In other words, ∆[j+1…m] is a redundant segment, but this, by Lemma 6.13, contradicts the assumption that ∆ is greedy.

Experimental evaluation

This section surveys the main results of the experimental evaluation of a tool for LTL satisfiability, called Leviathan, which implements the above system [17]. As it turns out, the simplicity of its rule-based tree search structure pays off, allowing for a very efficient and low-overhead implementation. The tool was also parallelised with great results [97]. In our evaluation, we compared the tool on a standard set of benchmarks, not only against other tableau-based tools but also against tools employing different techniques. The performance of the tool turned out to be competitive with other tools on many classes of formulae, while better than other tableau-based tools in most cases. Notably, the tool obtains this result by implementing the method as-is, without any sort of search heuristics. Here, we illustrate the main techniques used in the tool to obtain such efficiency, and then describe the benchmark results in more detail.

Despite the simplicity of the system's rules, finding the most efficient way to implement them is not trivial, requiring a subtle balance between execution speed and memory consumption. The most important ingredient is the memory layout of the data structure used to represent the currently explored branch and its nodes.

Each input formula, before being given as input to the main algorithm, passes through several preprocessing steps which syntactically simplify the formula while maintaining logical equivalence.
The preprocessing phase is used to desugar derived logical syntax and to turn the formula into Negation Normal Form, as assumed in Section 6.2, but also to remove or transform a few kinds of trivial subformulae with common propositional and temporal equivalences, most of which can be found in [69].

To achieve as much space efficiency as possible, formulae are represented in a compact way during the search. In the preprocessing phase, all the subformulae that will be needed for the application of expansion rules are extracted. The resulting set of formulae is then ordered in such a way that, for each formula φ, if φ is at position i, then the formulae ¬φ and Xφ, if present, are at positions i+1 and i+2, respectively. The ordered set is not represented explicitly. Instead, a few bitset data structures are created, one for each syntactic type of formula, such that the i-th bit in the bitset T is set to 1 if and only if the i-th formula in our ordering is of type T. To complete the picture, two vectors, respectively called lhs and rhs, are used to get the index of the left and right subformulae of each formula.

This compact representation also provides an efficient way to test the conditions of the tableau rules. As an example, consider the CONTRADICTION rule, which crosses a branch if occurrences of both p and ¬p, for some p, are detected in a node's label. Such an operation can be efficiently implemented as follows. Let formulae be the bitset corresponding to the current label and neg_lits be the bitset that specifies which subformulae are negative literals. Then, consider the following expression of bitwise operations:

    ((formulae & neg_lits) << 1) & formulae

The first bitwise and operation intersects the current label with the set of all the negative literals. The shift moves all those bits by one position, and in the result of the second bitwise and there will be a bit set to 1 only if both were set, i.
e., only if both the positive and the negative literal of the same atom were present. This exploits the fact that φ and ¬φ are consecutive in the ordering. Another example is an expansion rule such as CONJUNCTION, whose condition can be tested by a bitwise and operation between the bitsets representing the current node's label, the set of formulae in the label that still have to be processed, and the set of all the subformulae of conjunction type. Finally, during the preprocessing step all the subformulae corresponding to X-eventualities are discovered and saved in a vector for later use, together with a lookup table that links each eventuality to the corresponding index in the bitset representation.

The total independence of each branch of the tree from the others allows the tool to keep in memory only a single branch at any given time. Since a run of the procedure resembles a pre-order depth-first visit of the tree, a stack data structure is sufficient to maintain the state of the search. Similarly to the implementation of logic programming languages such as Prolog, two different types of frame are interleaved in the stack: choice and step frames. The former are pushed when an expansion rule has been applied and a new branching point has been created. Additional information is held by the frame to make it possible to roll back the choice and to descend through the other branch. The latter are pushed when a STEP rule has been applied and thus a temporal step has been made. These are the frames corresponding to the nodes which have a poised label in the tableau, and they bring with them information about the X-eventualities satisfied at the current step. Note that only the expansion rules that create two children for the current node have a corresponding choice frame in the stack.
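As an added example (not Leviathan's own code), the following Python sketch builds the ordering and per-type bitsets described above for a small constructed closure and tests the CONTRADICTION and CONJUNCTION conditions on it with the same bitwise operations. Python integers play the role of the bitsets, with bit i standing for the i-th formula; under that convention the negative-literal bit at position i+1 is moved onto the positive literal at position i by a shift towards bit 0, so the direction of the shift is a matter of which end of the bitset holds index 0. The tuple encoding of formulas, the Layout class and the conjunction-expansion helpers are this example's own constructions.

```python
# Added example: the compact bitset label representation sketched above,
# on a small hand-built closure. Formulas are tuples (constructed encoding):
#   ('lit', 'p')  ('not', f)  ('and', f, g)  ('X', f)
def lit(name): return ('lit', name)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def X(f): return ('X', f)


class Layout:
    """Ordering of the closure with phi at position i, ¬phi at i+1 and X phi at i+2,
    one bitset per syntactic type, and the lhs/rhs index vectors."""

    def __init__(self, bases):
        # bases: formulas listed so that subformulas precede the formulas using them
        self.formulas = []
        for f in bases:
            self.formulas += [f, Not(f), X(f)]
        self.index = {f: i for i, f in enumerate(self.formulas)}
        self.neg_lits = self._type_bits(lambda f: f[0] == 'not' and f[1][0] == 'lit')
        self.conj = self._type_bits(lambda f: f[0] == 'and')
        self.lhs = [self.index[f[1]] if f[0] == 'and' else -1 for f in self.formulas]
        self.rhs = [self.index[f[2]] if f[0] == 'and' else -1 for f in self.formulas]

    def _type_bits(self, pred):
        return sum(1 << i for i, f in enumerate(self.formulas) if pred(f))

    def bits(self, label):
        """Bitset of a label given as a collection of formulas."""
        return sum(1 << self.index[f] for f in set(label))

    def decode(self, label_bits):
        return {f for i, f in enumerate(self.formulas) if (label_bits >> i) & 1}

    def has_contradiction(self, label_bits):
        """CONTRADICTION: some p and ¬p are both in the label. The ¬p bit (position i+1)
        is moved onto the p bit (position i); with bit i = i-th formula that is >> 1."""
        return (((label_bits & self.neg_lits) >> 1) & label_bits) != 0

    def conjunctions_to_expand(self, label_bits, todo_bits):
        """CONJUNCTION condition: in the label, still to be processed, of type ∧."""
        return label_bits & todo_bits & self.conj

    def expand_conjunction(self, label_bits, todo_bits, i):
        """Apply CONJUNCTION to the formula at position i: add both conjuncts to the
        label and to the to-do set, and mark the conjunction itself as processed."""
        assert (self.conj >> i) & 1, "position i must hold a conjunction"
        both = (1 << self.lhs[i]) | (1 << self.rhs[i])
        return label_bits | both, (todo_bits & ~(1 << i)) | both


def contradicts(layout, label):
    return layout.has_contradiction(layout.bits(label))


def expand_all_conjunctions(layout, label):
    """Run the CONJUNCTION rule to a fixpoint and return the resulting label."""
    lab = layout.bits(label)
    todo = lab
    while (pending := layout.conjunctions_to_expand(lab, todo)):
        i = pending.bit_length() - 1          # any pending conjunction will do
        lab, todo = layout.expand_conjunction(lab, todo, i)
    return layout.decode(lab)


# Constructed closure: p, q, p ∧ Xq and (p ∧ Xq) ∧ q, each with its negation and X-form.
p, q = lit('p'), lit('q')
CLOSURE = Layout([p, q, And(p, X(q)), And(And(p, X(q)), q)])
```

With this layout, `contradicts(CLOSURE, [p, Not(p)])` is true while `contradicts(CLOSURE, [X(p), Not(p)])` is false, even though Xp and ¬p are neighbours in the ordering, which is the check that the shift direction must get right.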
Expansion rules producing a single child are applied in place in the current frame. Each frame of the stack records the set of formulae belonging to the corresponding tableau node, and it keeps track of those formulae that have already been expanded by expansion rules. Both these pieces of information are stored in two bitsets similar to those described previously. Moreover, each frame keeps track of which eventualities have been fulfilled. Finally, each frame stores three pointers to previous frames in the stack, used to check the PRUNE rule: to the last step frame, to the last occurrence of its label, and to its first, earliest occurrence.

We can now outline the experimental evaluation of the tool against a number of other LTL satisfiability checkers. In order to obtain significant data and to reduce the chances of misinterpretation, we relied on StarExec [131], an online testing and benchmarking infrastructure specifically designed to measure the performance of tools for logic-related problems like SAT, SMT, CLP, etc. The use of a common infrastructure increases the reproducibility of the experimental results, and minimises the risk of configuration errors of the tools that could lead to misleading results.

Complete and detailed surveys of the performance of available LTL satisfiability checkers appeared in the last few years [71, 87, 121, 124].
[Figure 6.3: Benchmark results about time (left) and memory consumption (right). Datasets on the horizontal axis: acacia-*, alaska-lift-*, schuppan-*, trp-*, rozier-* (including rozier-counter*), anzu-*, forobots; tools: aalta, trp++, ls4, NuSMV, Leviathan, pltl-graph, pltl-tree.]

The following analysis used the reference set of testing formulae available on StarExec, which came from the survey by Schuppan and Darmawan, including a total of 3723 formulae collected from a number of different sources. The following tools were available in StarExec and were included in the comparison: Aalta [86], based on Büchi automata, TRP++ [76] and LS4 [132], which are based on temporal resolution, the NuSMV symbolic model checker [45], and PLTL, another tableau-based tool. NuSMV, configured in BDD-based symbolic model checking mode, has been chosen among other model checkers as a single proponent of this class of tools, mainly because it was the one used in the aforementioned survey by Schuppan and Darmawan. The PLTL tool implements two different kinds of tableau-based algorithms for LTL satisfiability: an on-the-fly graph-shaped tableau system [1], and the already mentioned tree-like tableau system by Schwendimann [126].

A plot of the comparison results can be seen in Figure 6.3, where test formulae are grouped by type and displayed horizontally, and vertical bars of different shades represent the relative performance of different tools.
The top and bottom plots show time and memory usage, respectively, obtained in two different runs, with a 500MB maximum memory limit in the second case and a 30 minutes timeout in both (which is the maximum timeout allowed by StarExec). Experiments are basically limited to solvers already available in the StarExec infrastructure, to ensure repeatability and availability of results, but other tools may be considered in the future [23, 72].

In summary, the results show that Leviathan's performance is comparable in most cases with other tools, both regarding time and memory usage, with both dark and bright corners. Diving deeper, a case-by-case analysis has to be done looking at different kinds of test formulae. While the data confirm that LS4, Aalta and NuSMV are likely the best tools available, our tool is competitive in a number of cases. Notable examples are the anzu, forobots, and rozier datasets (excluding counters), where Leviathan's running time is one of the lowest, and the schuppan and rozier-counter datasets, where the memory usage was very low. The rozier dataset is also notable for being much easier for all the tested tableau-based approaches, including Leviathan, than for other tools. The alaska dataset is very difficult for most of the tested tools, and Leviathan times out on all of it. However, it is a curious fact that, for the time it has been running before the timeout, its memory usage on this dataset was very low compared to other tools.

Another interesting point of view is the comparison of Leviathan with PLTL, as both are tableau-based tools. Leviathan performs better on the anzu dataset, uses less memory on the trp and schuppan datasets, and performance is comparable on the other datasets.
The one-pass tree-shaped tableau for LTL+P

This section shows how the tableau system described in Section 6.2 can be extended to support past operators, hence providing a one-pass tree-shaped tableau system for Linear Temporal Logic with Past (LTL+P).

In contrast to classic graph-shaped tableaux like the one discussed in Section 6.1, where one only has to ensure that edges between nodes are consistent with the past requests of each state, in the one-pass tree-shaped system each branch of the tree is committed to the choices made in its own history, hence it is not clear a priori how such a system could support past operators without making substantial changes to its structure. Nevertheless, our system extends the original future-only one in a perfectly modular way, by only adding a few rules which handle past operators orthogonally. The resulting system can be cut back to the original one by simply ignoring these rules, and, furthermore, running our system on a future-only formula leads to exactly the same computation as with the future-only system.

The soundness and completeness of the system are proved. Notably, the model-theoretic argument based on greedy pre-models, employed in Section 6.3, also applies in this case, hence the proofs are a simple extension of those for the future-only case.

The one-pass tree-shaped tableau system for LTL+P works in the same way as the one for LTL, with the addition of a few rules specific to past operators. The past operators supported by LTL+P are specular to the future ones supported by LTL. In particular, as a formula employing the until operator ψ_1 U ψ_2 holds if either ψ_2 or ψ_1 ∧ X(ψ_1 U ψ_2) holds at the current state, so the since operator can be recursively expressed in terms of the yesterday operator, as ψ_1 S ψ_2 holds if either ψ_2 or ψ_1 ∧ Y(ψ_1 S ψ_2) holds.
Hence, as a first step in extending the tableau system to LTL+P, we can extend the set of expansion rules of Table 6.1 with a set of specular rules involving past operators, as shown in Table 6.2.

Formulae of the form Yψ are considered elementary, in the same way as tomorrow operators and literals, since they cannot be further expanded. Hence, the yesterday operator needs to be specifically handled, and the YESTERDAY rule is added for this purpose. Let u = ⟨u_0, …, u_n⟩ be a poised branch.

YESTERDAY  If Yα ∈ Γ(u_n), then let Y_n = {ψ | Yψ ∈ Γ(u_n)}, and let u_k be the closest ancestor of u_n where the STEP rule was applied. Then, the node u_n is crossed either if u_k does not exist, because there is no application of the STEP rule preceding u_n, or if Y_n ⊈ Γ*(u_k).

Table 6.2: Additional expansion rules supporting LTL+P past operators.

    Rule           φ ∈ Γ     Γ_1(φ)          Γ_2(φ)
    SINCE          α S β     {β}             {α, Y(α S β)}
    TRIGGERED      α T β     {α, β}          {β, Y(α S β)}
    PAST           P α       {α}             {YP α}
    HISTORICALLY   H α       {α, YH α}

Intuitively, the YESTERDAY rule fulfils the purpose of Item 2 of Definition 6.3, that is, to check whether the transitions from a state to the next are consistent with the coming past requests. It is also in this sense specular to the STEP rule, but differs significantly from the latter because, instead of actively building the model such that the requests are satisfied, it is forced to retroactively check this consistency.

Whenever a formula Yα is found in a poised label, the previous state is checked for the presence of α. Note that, of course, the rule could not conceivably test the exact satisfaction of the formula, because that would require testing whether α is a logical consequence of the formulae found in the labels, which would be as hard as the satisfiability problem itself.
Instead, the presence of the formula in the labels is taken as a good approximation of whether the formula holds in the state or not.

However, the YESTERDAY rule alone would result in an incomplete system. Given a formula Yα in a given node, most of the time there are no other reasons for α to be forced to hold at the previous state. Hence, if not explicitly accounted for, the formula may never be expanded and any instance of the YESTERDAY rule would fail. Hence, we need a further rule, running on poised nodes before the application of the STEP rule, which guesses which formulae must be true at the current state because of yet-unseen past requests coming from future nodes. This guess is made explicit in the tableau by adding a number of children whose labels contain the additional formulae. Hence, let u = ⟨u_0, …, u_n⟩ be a poised branch.

FORECAST  Let G_n = {α ∈ C(φ) | Yα is a subformula of some ψ ∈ Γ(u_n)} be the set of formulae involved in any yesterday operator appearing inside the formulae of Γ(u_n). Then, for each subset G′_n ⊆ G_n (including the empty set), a child u′_n is added to u_n such that Γ(u′_n) = Γ(u_n) ∪ G′_n. This is done at most once before each application of the STEP rule.

[Figure 6.4: Example tableau for the formula XYp, applying the additional rules. Root {XYp}; FORECAST children {XYp} and {XYp, p}; after a STEP both become {Yp}, the first of which is crossed (✗) while the second continues to ∅ and is accepted (✓).]

The added children will not be, in general, poised nodes, hence the expansion continues as usual and their whole subtrees are explored. The expansion eventually leads to further poised nodes, which can then be subject to the STEP rule in order to advance in time. In this way, we ensure that for any potentially failing instance of the YESTERDAY rule, another branch exists where the rule does not fail (if this is possible at all).

Figure 6.4 shows an example of the use of the new rules on the very simple formula XYp.
Before the first application of the STEP rule, the root node u_0, whose label is Γ(u_0) = {XYp}, triggers the FORECAST rule, which adds to it two children, one with the same label and one with an additional p. Then, proceeding with the expansion of such children as usual, a STEP rule is performed in each branch, and the following instance of the YESTERDAY rule fails in one case but succeeds in the other. In the succeeding case, a second STEP rule then produces an empty label, as no occurrence of tomorrow is present, accepting the branch. Note that, in this example, the branch where p is not added might seem useless. Indeed, in more complex formulae some of the added children might be redundant, but in general there is no way to know which formulae will actually be needed without expanding until the failure of the YESTERDAY rule, at which time it would be too late. For this reason, any possible combination is tried beforehand.

Note that the number of children added by the FORECAST rule is finite. Then, with an argument totally similar to Theorem 16, the finite branching factor guarantees the termination of the construction.

Theorem 19 — Termination of the tableau for LTL+P. Given an LTL+P formula φ, the construction of a (complete) tableau T for φ will always terminate in a finite number of steps.

Soundness and completeness of the system will now be proved, extending the proofs shown in Section 6.3. Notably, the approach based on greedy models can be easily extended to cope with the YESTERDAY and FORECAST rules.

Let us start by adapting the concept of pre-model. The atoms for an LTL+P formula are defined exactly in the same way as in Definition 6.4, but considering the extended set of expansion rules of Tables 6.1 and 6.2.

Definition 6.14 — Pre-models for LTL+P. Let φ be an LTL+P formula. A pre-model for φ is an infinite sequence ∆ of minimal atoms for φ such that, for all i ≥ 0:
1. Items 1 to 3 of Definition 6.5 hold;
2.
if Yψ ∈ ∆_i, then i > 0 and ψ ∈ ∆_{i−1}.

Hence, what holds for the pre-models defined in Section 6.3 holds here as well, and the soundness of the system follows easily by simply extending the arguments shown in Lemmata 6.6 and 6.8. The presence of the FORECAST rule implies a little difference, though. Since the rule might add some children to any poised node, with the expansion going on from there after the addition, not all poised nodes have to be considered as representing distinct states of the found model. Hence, when considering a branch, we have to distinguish between those poised nodes where the STEP rule was applied, creating a single child node, and those where the FORECAST rule was applied, creating a number of children which, however, do not represent an advancement in time.

Definition 6.15 — Step nodes. Let u be a poised node of a complete tableau T. Then, u is said to be a step node if either u is a leaf, or it has a child added by an application of the STEP rule.

Then, the soundness proof can proceed by extracting a pre-model for φ from the step nodes of any successful branch.

Theorem 20 — Soundness. Let φ be an LTL+P formula, and let T be a complete tableau for φ. If T has a successful branch, then φ is satisfiable.

Proof. Let u = ⟨u_0, …, u_n⟩ be an accepted branch, and let π = ⟨π_0, …, π_m⟩ be the sequence of its step nodes. As in the proof of Theorem 17, we can build a periodic pre-model ∆ = ⟨∆_0, ∆_1, …⟩ from the sequence of atoms ⟨∆(π_0), …, ∆(π_m)⟩, infinitely repeating the fulfilling segment identified by the LOOP rule. Only step nodes are considered in the construction, instead of any poised node. Recall that the branch and the constructed pre-model are bound by a function K : ℕ → ℕ that maps the atom ∆_i to its original step node π_{K(i)}. Then, we can check that the process actually yields a pre-model for φ.
We know that φ ∈ ∆_0 by construction, and if Xφ ∈ ∆_i or ψ_1 U ψ_2 ∈ ∆_i, then Items 2 and 3 of Definition 6.5, recalled by Definition 6.14, are satisfied as shown in the proof of Lemma 6.8. Then, consider any formula Yψ ∈ ∆_i, and thus Yψ ∈ Γ(π_{K(i)}). By the YESTERDAY rule, i > 0. Then, either ∆_{i−1} is the atom coming from the previous poised node, and thus ψ ∈ ∆_{i−1} by the YESTERDAY rule, or ∆_i = ∆(π_{k+1}) for some k that triggered the LOOP rule because Γ(π_k) = Γ(π_m), which implies that ∆_k = ∆_m. Hence, by the YESTERDAY rule, we have ψ ∈ ∆_k = ∆_m = ∆_{i−1}.

Once a pre-model has been obtained from the successful branch, an actual model for φ can be extracted as shown in Lemma 6.6, where a state sequence σ = ⟨σ_0, σ_1, …⟩ is extracted from ∆ by stating that σ, i ⊨ p if and only if p ∈ ∆_i, for any p ∈ Σ. It can be checked, by induction over the nesting degree of the formulae, that σ, i ⊨ ψ for each ψ ∈ ∆_i and all i ≥ 0. In particular, if Yψ ∈ ∆_i, then i > 0 and ψ ∈ ∆_{i−1} by Definition 6.14, and by the induction hypothesis we know that σ, i−1 ⊨ ψ, hence σ, i ⊨ Yψ, and σ is a sound model for φ.

Hence, the soundness proof has been adapted to LTL+P quite straightforwardly. Similarly, the completeness proof of Theorem 18 can be extended to handle the new rules.

Theorem 21 — Completeness. Let φ be a closed LTL+P formula and let T be a complete tableau for φ. If φ is satisfiable, then T contains a successful branch.

Proof. Similarly to Theorem 18, the proof proceeds in the following way: starting from a model σ for φ, which is supposed to exist by hypothesis, we consider a corresponding greedy pre-model ∆, which we use as a guide to traverse the tableau to find an accepted branch. The tree is traversed to extract such a branch in the same way as described in the proof of Lemma 6.9, except for when a poised node is found.
Recall that the descent through the tree finds a branch u = ⟨u_0, …, u_n⟩ while maintaining a mapping J : ℕ → ℕ such that Γ(u_k) ⊆ ∆_{J(k)} for all 0 ≤ k ≤ n. We maintain this property also in the case where the FORECAST rule is applied to a poised node u_i. In this case, u_i has a number of children {u^0_i, …, u^k_i}, such that Γ(u_i) ⊆ Γ(u^j_i) for all 0 ≤ j ≤ k. Then, we set J(i+1) = J(i), and we choose as u_{i+1} the child u^j_i with the maximal label such that Γ(u^j_i) ⊆ ∆_{J(i)}. Note that at least one such child exists, since one among them has the same label as u_i. The rest of the descent proceeds as shown in the proof of Lemma 6.9. Then, consider the sequence π = ⟨π_0, …, π_m⟩ of step nodes of the branch u. Similarly to Lemma 6.9, we can show that ∆(π_i) = ∆_i for all 0 ≤ i ≤ m. To do this, consider again the sets X_i such that X_0 = {φ} and X_{i+1} = {φ | Xφ ∈ ∆_i}. In contrast to the future-only case, we also need to define a set Y_i = {φ | Yφ ∈ ∆_{i+1}}. Note that Y_i ⊆ ∆_i by Definition 6.14 and that, crucially, Y_i ⊆ ∆(π_i) as well, because of the FORECAST rule and the way we choose the children of a non-step poised node in the descent described above. Now, ∆_i is by definition the minimal closure by expansion and logical deduction of the formulae in X_i and Y_i (Definition 6.4), and so is ∆(π_i) by the way we descend through the tree, hence ∆_i = ∆(π_i). Now, observe that, by construction, the branch found in this way cannot be crossed by an application of the YESTERDAY rule (nor by the CONTRADICTION rule, as in the future-only case), hence it might only have been crossed by the PRUNE rule. However, this would lead to a contradiction, exactly as in Theorem 18, because of the assumption that ∆ is a greedy pre-model.
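To make the FORECAST and YESTERDAY rules of this section concrete, here is an added Python example (not the thesis's or Leviathan's code) of a one-pass tree-shaped tableau restricted to the fragment with literals, ∧, ∨, X and Y. Without until and since there are no eventualities, so no PRUNE or LOOP rule is needed, and every STEP strictly lowers the temporal nesting depth of the label, which is what makes the search terminate. The rules implemented are CONTRADICTION, the ∧/∨ expansions, YESTERDAY checked against the expanded label of the previous step node, FORECAST over every subset of G_n (applied at most once before each STEP), STEP, and acceptance of the empty label. The tuple encoding of formulas and the function names are this example's own; on XYp the search follows the two branches of Figure 6.4.

```python
from itertools import combinations

# Added example: a one-pass tree-shaped tableau for the literal/∧/∨/X/Y fragment
# of LTL+P. Formulas are tuples (constructed encoding):
#   ('lit', 'p', True) is p, ('lit', 'p', False) is ¬p,
#   ('and', a, b), ('or', a, b), ('X', a) tomorrow, ('Y', a) yesterday.
def lit(name, positive=True): return ('lit', name, positive)
def And(a, b): return ('and', a, b)
def Or(a, b): return ('or', a, b)
def X(a): return ('X', a)
def Y(a): return ('Y', a)


def subformulas(f):
    """Yield every subformula of f, f itself included."""
    yield f
    if f[0] in ('and', 'or'):
        yield from subformulas(f[1])
        yield from subformulas(f[2])
    elif f[0] in ('X', 'Y'):
        yield from subformulas(f[1])


def forecast_set(label):
    """G_n: every alpha such that Y alpha is a subformula of some formula in the label."""
    return {sf[1] for f in label for sf in subformulas(f) if sf[0] == 'Y'}


def contradictory(label):
    """CONTRADICTION rule: both p and ¬p occur in the label."""
    return any(('lit', f[1], not f[2]) in label for f in label if f[0] == 'lit')


def search(label, seen, prev_state, forecast_done):
    """Explore the subtree under a node labelled `label`; True iff a branch is accepted.
    seen: formulas met so far in this state's labels (the expanded label Gamma* that
          YESTERDAY consults from the next state).
    prev_state: expanded label of the previous step node, None at the first state.
    forecast_done: FORECAST is applied at most once before each STEP."""
    if contradictory(label):
        return False                                  # crossed
    seen = seen | label
    for f in label:                                   # ∧ / ∨ expansion rules
        rest = label - {f}
        if f[0] == 'and':
            return search(rest | {f[1], f[2]}, seen, prev_state, forecast_done)
        if f[0] == 'or':
            return (search(rest | {f[1]}, seen, prev_state, forecast_done)
                    or search(rest | {f[2]}, seen, prev_state, forecast_done))
    # Poised node: only literals, X-formulas and Y-formulas are left.
    for f in label:                                   # YESTERDAY rule
        if f[0] == 'Y' and (prev_state is None or f[1] not in prev_state):
            return False                              # crossed
    if not forecast_done:                             # FORECAST rule: try every subset of G_n
        guesses = sorted(forecast_set(label), key=repr)
        return any(search(label | set(g), seen, prev_state, True)
                   for r in range(len(guesses) + 1)
                   for g in combinations(guesses, r))
    nxt = frozenset(f[1] for f in label if f[0] == 'X')  # STEP rule
    if not nxt:
        return True                                   # empty label: branch accepted
    return search(nxt, frozenset(), seen, False)


def satisfiable(formula):
    return search(frozenset([formula]), frozenset(), None, False)


p, not_p = lit('p'), lit('p', False)
```

`satisfiable(X(Y(p)))` succeeds only through the branch where FORECAST adds p at the root, exactly as in Figure 6.4, while `satisfiable(Y(X(p)))` fails at once because no STEP precedes the root, and `satisfiable(And(p, X(Y(not_p))))` fails because the only guess that would satisfy YESTERDAY, adding ¬p at the first state, is caught by CONTRADICTION.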
This chapter introduces Reynolds' one-pass tree-shaped tableau method for satisfiability checking of LTL formulae. The system is presented with a novel, simpler proof of completeness, and is extended to support past operators, obtaining a one-pass tree-shaped tableau system for LTL+P. The approach is of interest to us for a number of reasons. The reported experimental results are promising, and encouraged us to look at it more deeply, but the simplicity of the rules is the real feature of this system, which allowed us to extend it to other logics while maintaining the same basic structure.

In particular, note that the extension to LTL+P presented here consists only of a few additional rules, and the resulting system runs exactly like the future-only counterpart when applied to a future-only formula. Proof techniques employed for the LTL tableau also directly apply to the past extension. The modularity of the design of the system, and the resulting extensibility, will be further demonstrated in the next chapter, where the system will be extended to a real-time logic used to encode timeline-based planning problems.

When comparing this system with the one-pass tableau by Schwendimann [126], where the acceptance or rejection of a branch required waiting for the exploration of a whole subtree, we can realise that the PRUNE rule is, in the end, what allows for the pure tree-shaped structure and the total independence of the exploration of each branch. Indeed, the PRUNE rule was the main novelty of the system when originally described [116]. In our novel proof of completeness, we shed some light on how the rule works under the hood, providing a model-theoretic interpretation of its role, i.e., trying to avoid non-greedy models. A more detailed and complete study of the notion of greedy model is due, to better understand the rule and possibly find improvements to the system or useful heuristics.
LOGICAL CHARACTERISATION OF TIMELINE-BASED PLANNING

This chapter addresses the issue of the expressiveness of timeline-based planning problems in logical terms, as opposed to the comparative take of Chapter 3. As we know that classical action-based planning can be captured by LTL formulae, we pursue a similar result for timeline-based planning as well. To this end, we introduce the Bounded TPTL with Past logic (TPTLb+P), a fragment of TPTL+P, the classic Timed Propositional Temporal Logic (TPTL) augmented with past operators. We motivate its introduction, we show how (most) timeline-based planning problems can be expressed by TPTLb+P, and prove that its satisfiability problem is EXPSPACE-complete. Then, we adapt to TPTLb+P the one-pass tree-shaped tableau method described in the previous chapter.

CONTENTS
7.3 Capturing timelines with TPTLb+P . . . 150
7.4 Complexity of TPTLb+P satisfiability . . . 155
7.4.1 The tableau system . . . 155
7.4.2 Soundness and completeness . . . 159
7.5 A one-pass tree-shaped tableau for TPTLb+P . . . 162
7.5.1 TPTLb+P as a guarded fragment of TPTL+P . . . 162
7.5.2 The tableau system for G(TPTL+P) . . . 163
7.6 Conclusions and open questions . . . 168

7.1 INTRODUCTION

In our study of the expressiveness of timeline-based planning languages described in Chapter 3, we mainly approached the problem from the point of view of the comparison with action-based languages. To start filling in the theoretical understanding of the timeline-based planning paradigm, a comparison with more mainstream approaches was certainly due.
In this chapter, we again look at expressiveness issues, from a different point of view, looking for a logical characterisation of what timeline-based planning languages are able to model. In other words, we will answer the question of which logic is expressive enough to describe the solution plans of a given timeline-based planning problem with an equivalent formula.

In the world of action-based planning, some results exist that relate PDDL and similar languages to common temporal logics. In particular, Cialdea Mayer et al. [42] proved that any classical STRIPS-like planning problem can be encoded as a Linear Temporal Logic (LTL) formula $\varphi$, such that $\varphi$ is satisfiable if and only if the original planning problem admits a solution plan. Their work shows how, once the problem has been encoded, the formula can then be augmented with a variety of control knowledge, otherwise not easily expressible in PDDL, that can help guide the search for a solution.

Having a similar result for timeline-based planning, identifying a temporal logic able to capture timeline-based planning problems, is useful for a number of reasons. First of all, it eases any further expressiveness comparison with other formalisms, using the firm ground of logic as a kind of Rosetta stone. Furthermore, given the definition of timeline-based games provided in Chapter 5, a logical encoding of timeline-based planning problems can be taken as a starting point to approach the problem of the synthesis of a controller for timeline-based games, exploiting the great amount of literature available in the field of reactive synthesis of logical specifications [56].
In view of a practical use of such a logical encoding, in this chapter we are interested, similarly to Chapter 3, in translations that preserve the solutions, meaning that we do not accept simple reductions between the respective decision problems, but we want to be able to extract solution plans for the original timeline-based planning problem from the models of the corresponding logical formula. Moreover, when possible, we want polynomial-size translations, even though, from the point of view of pure expressiveness, any translation would be perfectly fine, regardless of the size of the resulting formulae.

However, in contrast to classical and temporal planning, timeline-based planning languages immediately appear to be syntactically richer and, because of that, much more difficult to encode. In particular, simple LTL formulae fall short of capturing the semantics of synchronisation rules if the corresponding rule graph (see Chapter 4) is not a tree. Abstractly, the inability to use LTL for a polynomial-size translation of timeline-based planning problems comes directly from the mismatch in computational complexity of the two formalisms, since LTL satisfiability is PSPACE-complete [127], while plan existence for timeline-based planning problems is EXPSPACE-complete (Theorem 8 in Chapter 4).

By looking in more detail, however, we can identify two main concrete obstacles. The first, obvious one is the absence of metric capabilities, in contrast to the synchronisation rules, which allow bounded atoms to impose real-time constraints. This problem, however, would be easily circumventable by adopting Metric Temporal Logic (MTL) [82], which allows one to succinctly specify a bound on the number of the considered states, as in formulae like $\mathrm{F}_n\psi$, which holds if $\psi$ holds within $n$ steps from now. MTL, interpreted over discrete-time structures, is EXPSPACE-complete, which closes the gap in computational complexity.
However, a second obstacle affects MTL as well, and still prevents us from obtaining a polynomial-size translation of timeline-based planning problems. To see it, consider the following synchronisation rule:

$$a[x = v] \to \exists b[y = u]\, c[z = w].\ \mathrm{start}(a) \le_{[0,10]} \mathrm{start}(b) \wedge \mathrm{start}(b) \le_{[0,10]} \mathrm{start}(c) \wedge \mathrm{start}(a) \le_{[0,10]} \mathrm{start}(c)$$

The rule graph corresponding to this rule is a triangle between the three nodes $\mathrm{start}(a)$, $\mathrm{start}(b)$ and $\mathrm{start}(c)$. Note that, because of the finite bounds on atoms, the $\mathrm{start}(a) \le_{[0,10]} \mathrm{start}(c)$ atom is not made redundant by the other two. Trying to encode a rule of this kind with MTL, one would probably start with a formula such as $\mathrm{G}(a \to \mathrm{F}_{10}(b \wedge \mathrm{F}_{10}(c \wedge \cdots)))$. That is, supposing to have somehow encoded the starting points of the considered tokens as the propositions $a$, $b$ and $c$, we would say that every occurrence of $a$ is followed after at most ten steps by an occurrence of $b$, which in turn is followed after at most ten steps by an occurrence of $c$. However, when trying to complete the formula to encode the last requirement, that $c$ must be at most ten steps away from $a$, one cannot refer again to the point where $a$ was originally found. An encoding of this scenario in MTL is indeed possible, but requires an expensive enumeration of all the different possible orderings of the events. Intuitively, what is lacking is the ability to talk multiple times about previously visited points in the model.

This observation led us to focus on Timed Propositional Temporal Logic (TPTL) [5, 6], a real-time extension of LTL originally introduced for the formal verification of real-time systems. TPTL augments LTL with a freeze quantifier $x.\varphi$, which binds the variable $x$ to the timestamp of the current state, and with timing constraints, such as $x \le y + 5$, which allow one to compare the timestamps of different states where the corresponding freeze quantifiers were previously interpreted.
TPTL is known to be strictly more expressive than MTL [75], and in light of the observations made above, it is potentially a great fit to encode timeline-based planning problems. Under the same assumptions as in the previous example, the above synchronisation rule could be encoded as the following TPTL formula:

$$\mathrm{G}\,x.\big(a \to \mathrm{F}\,y.(b \wedge \mathrm{F}\,z.(c \wedge y \le x + 10 \wedge z \le y + 10 \wedge z \le x + 10))\big)$$

However, even TPTL is not enough to encode every possible synchronisation rule, because of the lack of past operators. Indeed, synchronisation rules can arbitrarily look back into the past and forward into the future from the point where they get triggered, hence a slightly modified version of the above rule, where $b$ instead of $a$ is the trigger token, would not be expressible without looking at the past. Adding past operators to TPTL, however, is far from trivial. As noted in Chapter 6, adding past operators to LTL makes no difference regarding the computational complexity of the satisfiability problem, which remains PSPACE-complete for LTL+P [89]. However, this is not the case for TPTL, as the satisfiability problem of TPTL+P is known to be non-elementary [6].

In this chapter, we circumvent this problem by isolating a fragment of TPTL+P, called Bounded Propositional Temporal Logic with Past (TPTLb+P), which allows for the use of past operators, but puts in place some restrictions that bring the computational complexity of its satisfiability problem back to EXPSPACE-complete.
Given this match in computational complexity, it makes sense to use TPTLb+P to encode timeline-based planning problems, and we show that, although TPTLb+P still appears not to be sufficient to provide a polynomial-size encoding of the general formalism, it can compactly capture a broad fragment of the syntax of synchronisation rules.

The complexity of the satisfiability problem of TPTLb+P is proved by adapting the tableau method originally provided by Alur and Henzinger [6] for TPTL. Then, this graph-shaped tableau is adapted to a one-pass tree-shaped tableau system in the style of Chapter 6, showing another example of the extensibility of the framework.

The chapter is structured as follows. Section 7.2 introduces the syntax and semantics of TPTL, TPTL+P and TPTLb+P, and Section 7.3 shows how TPTLb+P can be used to capture timeline-based planning problems. Then, Section 7.4 proves that the satisfiability problem for TPTLb+P is EXPSPACE-complete by showing a graph-shaped tableau system adapted from the one originally introduced for TPTL. Finally, Section 7.5 adapts it to obtain a one-pass tree-shaped tableau system, and Section 7.6 wraps up with some concluding remarks and a discussion of open questions and future lines of work.

7.2 BOUNDED TPTL WITH PAST

This section recalls the syntax and semantics of TPTL and TPTL+P, and introduces their restriction TPTLb+P. TPTL is an extension of LTL originally introduced in the area of formal verification to model properties of real-time systems [6]. In its original definition, the logic only supports future temporal operators, because the addition of past modalities makes the complexity of the satisfiability problem for the resulting logic go from EXPSPACE-complete to non-elementary [5]. Nevertheless, we introduce TPTL+P first, to be able later to restrict it to obtain TPTLb+P, which will then be used and studied in the next sections.

Let $\Sigma$ be a set of proposition letters and $V$ be a set of variables.
A TPTL+P formula $\varphi$ over $\Sigma$ and $V$ is recursively defined as follows:

$$\begin{array}{rll}
\varphi := & p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \wedge \varphi_2 & \text{boolean connectives} \\
\mid & \mathrm{X}\varphi \mid \varphi_1 \mathrel{\mathrm{U}} \varphi_2 \mid \varphi_1 \mathrel{\mathrm{R}} \varphi_2 & \text{future temporal operators} \\
\mid & \mathrm{Y}\varphi \mid \varphi_1 \mathrel{\mathrm{S}} \varphi_2 \mid \varphi_1 \mathrel{\mathrm{T}} \varphi_2 & \text{past temporal operators} \\
\mid & x.\varphi \mid x \le y + c \mid x \le c & \text{freeze quantifier and timing constraints}
\end{array}$$

where $p \in \Sigma$, $\varphi_1, \varphi_2$ are TPTL+P formulae, $x, y \in V$, and $c \in \mathbb{Z}$. Formulae of the form $x.\varphi$ are called freeze quantifications, while those of the forms $x \le y + c$ and $x \le c$ are called timing constraints. A formula $\varphi$ is closed if any variable $x$ occurring inside $\varphi$ occurs inside a freeze quantification $x.\psi$. TPTL is the fragment of TPTL+P obtained by removing the past operators.

One can note how the syntax directly extends that of LTL+P (see Section 6.1), with the addition of the freeze quantifier and the timing constraints. Similarly to Chapter 6, we prefer to consider the release and triggered operators as primitive, so that each formula can have a corresponding negated normal form, even though they can be defined in terms of the respective dual operators as $\psi_1 \mathrel{\mathrm{R}} \psi_2 \equiv \neg(\neg\psi_1 \mathrel{\mathrm{U}} \neg\psi_2)$ and $\psi_1 \mathrel{\mathrm{T}} \psi_2 \equiv \neg(\neg\psi_1 \mathrel{\mathrm{S}} \neg\psi_2)$. Moreover, similarly to LTL+P, standard logical and temporal shortcuts are used, such as $\top$ for $p \vee \neg p$, for some $p \in \Sigma$, $\bot$ for $\neg\top$, $\varphi_1 \wedge \varphi_2$ for $\neg(\neg\varphi_1 \vee \neg\varphi_2)$, $\mathrm{F}\varphi$ for $\top \mathrel{\mathrm{U}} \varphi$, $\mathrm{G}\varphi$ for $\neg\mathrm{F}\neg\varphi$, and $\mathrm{P}\varphi$ for $\top \mathrel{\mathrm{S}} \varphi$, as well as constraint shortcuts, such as, e.g., $x \le y$ for $x \le y + 0$, $x > y$ for $\neg(x \le y)$, $x = y$ for $x \le y \wedge y \le x$, and others.

TPTL+P formulae are interpreted over timed state sequences, i.e., structures $\rho = (\sigma, \tau)$, where $\sigma = \langle \sigma_0, \sigma_1, \ldots \rangle$ is an infinite sequence of states $\sigma_i \in 2^\Sigma$, with $i \ge 0$, and $\tau = \langle \tau_0, \tau_1, \ldots \rangle$ is an infinite sequence of timestamps $\tau_i \in \mathbb{N}$, with $i \ge 0$, such that (1) $\tau_{i+1} \ge \tau_i$ (monotonicity), and (2) for all $t \in \mathbb{N}$, there is some $i \ge 0$ such that $\tau_i \ge t$ (progress).

Formally, the semantics of TPTL+P is defined as follows.
An environment is a function $\xi : V \to \mathbb{N}$ that interprets a given variable as a timestamp. A timed state sequence $\rho = (\sigma, \tau)$ satisfies a TPTL+P formula $\varphi$ at position $i \ge 0$, under the environment $\xi$, written $\rho, i \models_\xi \varphi$, if the following conditions are met:

1. $\rho, i \models_\xi p$ iff $p \in \sigma_i$;
2. $\rho, i \models_\xi \varphi_1 \vee \varphi_2$ iff either $\rho, i \models_\xi \varphi_1$ or $\rho, i \models_\xi \varphi_2$;
3. $\rho, i \models_\xi \neg\varphi$ iff $\rho, i \not\models_\xi \varphi$;
4. $\rho, i \models_\xi x \le y + c$ iff $\xi(x) \le \xi(y) + c$;
5. $\rho, i \models_\xi x \le c$ iff $\xi(x) \le c$;
6. $\rho, i \models_\xi x.\varphi$ iff $\rho, i \models_{\xi'} \varphi$, where $\xi' = \xi[x \leftarrow \tau_i]$;
7. $\rho, i \models_\xi \mathrm{X}\varphi$ iff $\rho, i+1 \models_\xi \varphi$;
8. $\rho, i \models_\xi \varphi_1 \mathrel{\mathrm{U}} \varphi_2$ iff there exists $j \ge i$ such that (a) $\rho, j \models_\xi \varphi_2$, and (b) $\rho, k \models_\xi \varphi_1$ for all $k$ such that $i \le k < j$;
9. $\rho, i \models_\xi \varphi_1 \mathrel{\mathrm{R}} \varphi_2$ iff either $\rho, j \models_\xi \varphi_2$ for all $j \ge i$, or there is a $k \ge i$ with $\rho, k \models_\xi \varphi_1$ and $\rho, j \models_\xi \varphi_2$ for all $i \le j \le k$;
10. $\rho, i \models_\xi \mathrm{Y}\varphi$ iff $i > 0$ and $\rho, i-1 \models_\xi \varphi$;
11. $\rho, i \models_\xi \varphi_1 \mathrel{\mathrm{S}} \varphi_2$ iff there exists $j \le i$ such that (a) $\rho, j \models_\xi \varphi_2$, and (b) $\rho, k \models_\xi \varphi_1$ for all $k$ such that $j < k \le i$;
12. $\rho, i \models_\xi \varphi_1 \mathrel{\mathrm{T}} \varphi_2$ iff either $\rho, j \models_\xi \varphi_2$ for all $0 \le j \le i$, or there is a $k \le i$ with $\rho, k \models_\xi \varphi_1$ and $\rho, j \models_\xi \varphi_2$ for all $i \ge j \ge k$.

As already noted, the satisfiability problem for TPTL is EXPSPACE-complete, while the same problem for TPTL+P is non-elementary [6]. Finding models for TPTL+P can be so hard because, by a combination of future and past operators, we can turn the freeze quantifier into a full-fledged first-order existential quantifier, capturing the first-order logic of timed state sequences as follows:

$$\exists x.\varphi(x) \equiv y.\,\mathrm{F}\mathrm{P}\,x.\big(\mathrm{F}\mathrm{P}\,z.(z = y \wedge \varphi(x))\big)$$

Intuitively, this encoding works because the $\mathrm{F}\mathrm{P}\,\psi$ combination of future and past operators allows us to find a point anywhere in the model ($y.\,\mathrm{F}\mathrm{P}\,x.(\cdots)$), and then, with the freeze quantifier, go back exactly to the point where the whole formula was originally being interpreted ($\mathrm{F}\mathrm{P}\,z.(z = y \wedge \cdots)$), to interpret $\varphi$ in the correct context.
This mechanism thus requires two capabilities to work properly: to move back and forth arbitrarily far, and to use the freeze quantifier to refer to the timestamps of the states found in that way.

The TPTLb+P logic, which we are now going to introduce, restricts TPTL+P to forbid the kind of constructs exploited above, by limiting the use of freeze quantifiers to formulae that can guarantee a bound on the distance between different quantified variables. Intuitively, each temporal operator such as $\mathrm{X}\varphi$ is replaced by a bounded version $\mathrm{X}_w\varphi$, with $w \in \mathbb{N} \cup \{+\infty\}$, such that $\mathrm{X}_w\varphi$ holds if the timestamp of the next state differs by at most $w$ from the current one, and $\varphi$ holds there. Hence, $\mathrm{X}_{+\infty}\varphi$ is equivalent to $\mathrm{X}\varphi$ from TPTL+P, but we impose the additional restriction that $w$ can be infinite only if $\varphi$ is a closed formula, i.e., we can look arbitrarily far in the model only if the formula will not refer back to the starting point.

More formally, a TPTLb+P formula $\varphi$ is recursively defined as follows:

$$\begin{array}{rll}
\varphi := & p \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \wedge \varphi_2 & \text{boolean connectives} \\
\mid & \mathrm{X}_w\varphi \mid \widetilde{\mathrm{X}}_w\varphi \mid \varphi_1 \mathrel{\mathrm{U}_w} \varphi_2 \mid \varphi_1 \mathrel{\mathrm{R}_w} \varphi_2 & \text{future temporal operators} \\
\mid & \mathrm{Y}_w\varphi \mid \widetilde{\mathrm{Y}}_w\varphi \mid \varphi_1 \mathrel{\mathrm{S}_w} \varphi_2 \mid \varphi_1 \mathrel{\mathrm{T}_w} \varphi_2 & \text{past temporal operators} \\
\mid & x.\varphi \mid x \le y + c \mid x \le c & \text{freeze quantifier and constraints}
\end{array}$$

where $w \in \mathbb{N} \cup \{+\infty\}$ and, in any temporal operator, if the enclosed formulae are not closed then $w \ne +\infty$. A noteworthy addition with respect to TPTL+P is the weak version of the tomorrow and yesterday operators, $\widetilde{\mathrm{X}}_w\psi$ and $\widetilde{\mathrm{Y}}_w\psi$. While $\mathrm{X}_w\psi$ mandates the next state to satisfy $\psi$ and to have a timestamp at most $w$ greater than the current one, the weak version $\widetilde{\mathrm{X}}_w\psi$ states that if the timestamp bound is satisfied, then $\psi$ has to hold.
The tomorrow and weak tomorrow operators are negated duals, since $\mathrm{X}_w\psi \equiv \neg\widetilde{\mathrm{X}}_w\neg\psi$, and the same applies to the corresponding past operators, so this allows us to have a negated normal form for TPTLb+P formulae as well.

The semantics of TPTLb+P is defined as follows. A TPTLb+P formula $\varphi$ is satisfied by a timed state sequence $\rho$ at position $i$ with the environment $\xi$ if the following conditions are met:

1. same as TPTL+P for all kinds of formulae not explicitly considered;
2. $\rho, i \models_\xi \mathrm{X}_w\varphi$ iff $\tau_{i+1} - \tau_i \le w$ and $\rho, i+1 \models_\xi \varphi$;
3. $\rho, i \models_\xi \widetilde{\mathrm{X}}_w\varphi$ iff $\tau_{i+1} - \tau_i \le w$ implies $\rho, i+1 \models_\xi \varphi$;
4. $\rho, i \models_\xi \varphi_1 \mathrel{\mathrm{U}_w} \varphi_2$ iff there exists $j \ge i$ such that: (a) $\tau_j - \tau_i \le w$; (b) $\rho, j \models_\xi \varphi_2$; (c) $\rho, k \models_\xi \varphi_1$ for all $k$ such that $i \le k < j$;
5. $\rho, i \models_\xi \varphi_1 \mathrel{\mathrm{R}_w} \varphi_2$ iff either (a) $\tau_j - \tau_i \le w$ implies $\rho, j \models_\xi \varphi_2$ for all $j \ge i$, or (b) there is a $k \ge i$ such that $\tau_k - \tau_i \le w$ and $\rho, k \models_\xi \varphi_1$, and $\rho, j \models_\xi \varphi_2$ for all $i \le j \le k$;
6. $\rho, i \models_\xi \mathrm{Y}_w\varphi$ iff $i > 0$, $\tau_i - \tau_{i-1} \le w$, and $\rho, i-1 \models_\xi \varphi$;
7. $\rho, i \models_\xi \widetilde{\mathrm{Y}}_w\varphi$ iff $i > 0$ and $\tau_i - \tau_{i-1} \le w$ imply $\rho, i-1 \models_\xi \varphi$;
8. $\rho, i \models_\xi \varphi_1 \mathrel{\mathrm{S}_w} \varphi_2$ iff there exists $j \le i$ such that: (a) $\tau_i - \tau_j \le w$; (b) $\rho, j \models_\xi \varphi_2$; (c) $\rho, k \models_\xi \varphi_1$ for all $k$ such that $j < k \le i$;
9. $\rho, i \models_\xi \varphi_1 \mathrel{\mathrm{T}_w} \varphi_2$ iff either (a) $\tau_i - \tau_j \le w$ implies $\rho, j \models_\xi \varphi_2$ for all $j \le i$, or (b) there is a $k \le i$ such that $\tau_i - \tau_k \le w$ and $\rho, k \models_\xi \varphi_1$, and $\rho, j \models_\xi \varphi_2$ for all $i \ge j \ge k$.

7.3 CAPTURING TIMELINES WITH TPTLb+P

This section shows how timeline-based planning problems can be captured by suitable TPTLb+P formulae. Unfortunately, TPTLb+P is still not sufficiently expressive to compactly capture the whole syntax of synchronisation rules used in timeline-based planning problems, but the encoding shown here is able to obtain formulae of polynomial size for a broad fragment of the whole formalism.
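Before turning to the encoding, the following Python evaluator, an added example that is not code from the thesis, implements the TPTLb+P satisfaction relation of Section 7.2 over a finite prefix of a timed state sequence, and uses it to check the TPTL encoding of the triangle synchronisation rule from the introduction (with its bounds made explicit) on two constructed traces. The finite-prefix treatment (a missing next state falsifies $\mathrm{X}_w$ and satisfies the weak tomorrow) and the tuple-based formula syntax are assumptions of this example.

```python
"""Evaluator for the TPTLb+P satisfaction relation on a finite timed state
sequence.  Added example, not code from the thesis.  Assumptions: the model
is a finite prefix (sigma, tau) of a timed state sequence, so a next state
that does not exist falsifies X_w and satisfies the weak tomorrow; formulas
are nested tuples tagged by their operator, e.g. ('freeze', 'x', phi),
('until', w, phi1, phi2), ('le', 'x', 'y', c) for x <= y + c."""

INF = float("inf")  # the +infinity bound, allowed only on closed subformulae


def holds(rho, i, phi, env=None):
    """rho, i |=_env phi  (items 1-4 and 6 of TPTL+P, items 2-9 of TPTLb+P)."""
    sigma, tau = rho
    env = {} if env is None else env
    op, args = phi[0], phi[1:]
    if op == "true":
        return True
    if op == "p":                                  # item 1: p in sigma_i
        return args[0] in sigma[i]
    if op == "not":
        return not holds(rho, i, args[0], env)
    if op == "or":
        return holds(rho, i, args[0], env) or holds(rho, i, args[1], env)
    if op == "and":
        return holds(rho, i, args[0], env) and holds(rho, i, args[1], env)
    if op == "le":                                 # item 4: x <= y + c
        x, y, c = args
        return env[x] <= env[y] + c
    if op == "freeze":                             # item 6: x.phi binds x to tau_i
        x, psi = args
        return holds(rho, i, psi, {**env, x: tau[i]})
    # Bounded temporal operators: args = (w, phi) or (w, phi1, phi2).
    w, a, b = args[0], args[1], args[-1]
    nxt = i + 1 < len(tau) and tau[i + 1] - tau[i] <= w
    prv = i > 0 and tau[i] - tau[i - 1] <= w
    if op == "next":                               # X_w a
        return nxt and holds(rho, i + 1, a, env)
    if op == "wnext":                              # weak X_w a
        return (not nxt) or holds(rho, i + 1, a, env)
    if op == "yesterday":                          # Y_w a
        return prv and holds(rho, i - 1, a, env)
    if op == "wyesterday":                         # weak Y_w a
        return (not prv) or holds(rho, i - 1, a, env)
    step = 1 if op in ("until", "release") else -1   # scan forward or backward
    positions = range(i, len(tau) if step == 1 else -1, step)
    if op in ("until", "since"):                   # a U_w b  /  a S_w b
        for j in positions:
            if abs(tau[j] - tau[i]) > w:           # left the window; tau is monotone
                return False
            if holds(rho, j, b, env):
                return True
            if not holds(rho, j, a, env):
                return False
        return False
    if op in ("release", "trigger"):               # a R_w b  /  a T_w b
        for j in positions:
            if abs(tau[j] - tau[i]) > w:
                break
            if not holds(rho, j, b, env):          # b must hold up to the releasing a
                return False
            if holds(rho, j, a, env):
                return True                        # case (b)
        return True                                # case (a): b held on the whole window
    raise ValueError(f"unknown operator {op}")


def F(w, phi):
    """F_w phi, i.e. true U_w phi."""
    return ("until", w, ("true",), phi)


def G(phi):
    """G phi as not F not phi; phi must be closed since the bound is +infinity."""
    return ("not", F(INF, ("not", phi)))


def triangle_rule(with_ac_constraint=True):
    """G x.(a -> F_10 y.(b and F_10 z.(c and y<=x+10 and z<=y+10 [and z<=x+10]))),
    the TPTL encoding of the triangle rule from the introduction with bounds made
    explicit; the optional third constraint is the closing edge of the triangle."""
    cons = ("and", ("le", "y", "x", 10), ("le", "z", "y", 10))
    if with_ac_constraint:
        cons = ("and", cons, ("le", "z", "x", 10))
    find_c = ("freeze", "z", ("and", ("p", "c"), cons))
    find_b = ("freeze", "y", ("and", ("p", "b"), F(10, find_c)))
    return G(("freeze", "x", ("or", ("not", ("p", "a")), F(10, find_b))))


# Constructed sample traces (states, timestamps).  In the first, b is within
# 10 of a and c within 10 of b, yet c is 15 time units after a.
RHO_CHAIN_ONLY = ([{"a"}, {"b"}, {"c"}, set()], [0, 8, 15, 20])
RHO_TRIANGLE = ([{"a"}, {"b"}, {"c"}, set()], [0, 6, 10, 20])


def check(rho, phi):
    """Satisfaction of a closed formula at the initial position of rho."""
    return holds(rho, 0, phi)
```

On RHO_CHAIN_ONLY the two chained constraints hold while the full triangle fails, which is exactly the closing edge that the MTL attempt in the introduction cannot express.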
Nevertheless, we also show how the entire language can be captured by TPTLb+P if we allow a single exponential increase in the size of the formulae.

To identify such a syntactic fragment, and in the description of the encoding itself, we once again make use of the concept of rule graph, introduced in Chapter 4 to reason about the computational complexity of the plan existence problem. Recall that any existential statement $E$ of any rule $R$ can be associated with a rule graph $G_E$ (Definition 4.4), which represents the semantics of the statement in graph form. As in Chapter 4, we can make a few assumptions that simplify the exposition without loss of generality. In particular, we can assume that any considered timeline-based planning problem does not make use of pointwise atoms nor of triggerless rules, and uses only trivial duration functions (Theorems 1 to 3 of Chapter 3). Furthermore, we can assume w.l.o.g. that the rule graphs of any considered synchronisation rule satisfy the conditions of Lemma 4.10 and, in particular, that they are acyclic (Lemma 4.11).

In Chapter 4 we defined the notion of bounded component (Definition 4.12), as a subgraph $B \subseteq G_E$ formed only by bounded edges. If $B = \{B_1, \ldots, B_n\}$ are the bounded components of a rule graph $G_E$, we can define an undirected graph $B_E = (B, E)$, where there is an edge between $B_i$ and $B_j$ if there is any unbounded edge between a node of $B_i$ and a node of $B_j$, or vice versa. Then, the timeline-based planning problems that TPTLb+P can capture with polynomial-size formulae can be identified as those where the rule graphs of all synchronisation rules satisfy the following property.

Definition 7.1 — Forest of bounded components. Let $G_E$ be the rule graph of an existential statement $E$. Then, we say that $G_E$ is a forest of bounded components if any bounded component of $G_E$ is connected to any other by at most one unbounded edge, and $B_E$ is a forest.
We can now finally show how TPTLb+P can capture timeline-based planning problems where all the rule graphs are forests of bounded components, with polynomial-size formulae. Let $P = (SV, S)$ be a timeline-based planning problem. We will build a TPTLb+P formula $\varphi_P$ such that $\varphi_P$ is satisfiable if and only if $P$ admits a solution plan.

Recall that plans over $SV$, and in particular solution plans for $P$, can be represented as event sequences (Definition 4.1), which are sequences $\mu = \langle \mu_0, \ldots, \mu_n \rangle$ of events $\mu_i = (A_i, \delta_i)$, where $A_i \subseteq A_{SV}$ is a set of actions and $\delta_i \in \mathbb{N}^+$ is the time distance between the event and the previous one. Looking at the definition of timed state sequences given in the previous section, one can easily interpret any such event sequence as a timed state sequence $\rho$ over the alphabet made of actions from $A_{SV}$, where the timestamps can be defined on top of the $\delta_i$. However, TPTLb+P models are infinite timed state sequences, while event sequences are finite. The formula $\varphi_P$ will be the conjunction of a formula $\varphi$, enforcing each considered timed state sequence to represent a valid event sequence, with a formula $\varphi_R$ for each $R \in S$, which encodes the semantics of each rule.

When representing an event sequence as a timed state sequence, we need an additional symbol $\mathit{end}$ representing the end of the interesting prefix of the model, so we define the alphabet as $\Sigma = A_{SV} \cup \{\mathit{end}\}$. Symmetrically, we also use the shortcut $\mathit{start} \equiv \neg\mathrm{Y}\top$ to identify the first state of the state sequence. Recall that actions in $A_{SV}$, which are now our proposition letters, are either $\mathrm{start}(x, v)$ or $\mathrm{end}(x, v)$ for some $x \in SV$ and some $v \in V_x$.
We will use the shortcuts $\mathrm{start}(x) \equiv \bigvee_{v \in V_x} \mathrm{start}(x, v)$ and $\mathrm{end}(x) \equiv \bigvee_{v \in V_x} \mathrm{end}(x, v)$ to identify the start or the end of a token for the variable $x$ independently of the value.

The structure of timed state sequences as proper event sequences, following Definition 4.1, and the meaning of the $\mathit{end}$ symbol, can be encoded as the conjunction of the following clauses. First of all, we need to state that time strictly increases at each state/event of the sequence:

$$\mathrm{G}\,x.\mathrm{X}\,y.(y > x)$$

Then, Items 1 and 2 of Definition 4.1 are stated by conjoining the following clauses for all $x \in SV$ and all $v \in V_x$:

$$\mathrm{G}\big(\mathrm{start}(x, v) \to \mathrm{X}(\neg\mathrm{start}(x) \mathrel{\mathrm{U}} \mathrm{end}(x, v))\big)$$
$$\mathrm{G}\big(\mathrm{end}(x, v) \to \mathrm{Y}(\neg\mathrm{end}(x) \mathrel{\mathrm{S}} \mathrm{start}(x, v))\big)$$

Items 3 and 4 of Definition 4.1 are stated as follows, for all $x \in SV$ and $v \in V_x$:

$$\mathrm{G}\Big(\mathrm{end}(x, v) \to \big(\mathit{end} \vee \bigvee_{v' \in T_x(v)} \mathrm{start}(x, v')\big)\Big)$$
$$\mathrm{G}\big(\mathrm{start}(x, v) \to (\mathit{start} \vee \mathrm{end}(x))\big)$$

Then, the semantics of the $\mathit{end}$ symbol is expressed as follows:

$$\mathrm{G}\Big(\mathit{end} \to \mathrm{G}\bigwedge_{x \in SV,\, v \in V_x}\big(\neg\mathrm{start}(x, v) \wedge \neg\mathrm{end}(x, v)\big)\Big) \wedge \mathrm{F}\,\mathit{end}$$

Let $\varphi$ be the conjunction of all the clauses above, expressing the basic structure of event sequences. Note that most of the clauses in $\varphi$ use unbounded temporal operators, but only on closed formulae. It can be easily checked that for any event sequence $\mu$ there is a timed state sequence $\rho_\mu$ such that $\rho_\mu \models \varphi$.

We can now encode the synchronisation rules of the problem by means of their rule graphs. Thus, let $R \equiv a[x = v] \to E_1 \vee \cdots \vee E_m \in S$ be a synchronisation rule. We can write a formula $\varphi_R$ such that $R$ is satisfied by an event sequence $\mu$ if and only if $\varphi_R$ is satisfied by $\rho_\mu$, as follows:

$$\varphi_R \equiv \mathrm{G}\,t.\big(\mathrm{start}(x, v) \to \varphi_{E_1}(t) \vee \cdots \vee \varphi_{E_m}(t)\big)$$

where the $\varphi_{E_i}(t)$ are formulae, with a free variable $t$, encoding the semantics of each existential statement $E_i$. To write $\varphi_E(t)$ for some existential statement $E$ of $R$, consider its rule graph $G_E$ and its bounded components $B = \{B_1, \ldots, B_n\}$. Since the bounded components form a forest as described in Definition 7.1, we can separate them into subsets $\mathcal{B}_1, \ldots, \mathcal{B}_k$, each forming a tree of bounded components. Let us suppose w.l.o.g. that the forest is a single tree, i.e., that it is connected. If not, we can encode each tree separately and conjoin the resulting formulae. Each bounded component $B_i$ will be encoded by a formula $\varphi_{B_i}$. All such formulae will be closed, with the exception of the formula that encodes the trigger component of $G_E$, say $B_1$, which will contain a free occurrence of the variable $t$. We choose $B_1$ as the root of the tree, and proceed encoding the tree from there, hence $\varphi_E(t) \equiv \varphi_{B_1}(t)$.

Each $B_i$ is encoded by looking for all the events matching the nodes of the component, and then imposing the timing constraints between them. Some of the nodes of the component might be the endpoints of unbounded edges connecting the component to another one. When one such node is found, the existence of the corresponding other component is requested, by looking at the other endpoint node and matching the component from there. Hence, each component, except the trigger component, will be found starting from a specific node that we call the anchor of the component. As a last remark, note that in any formula we need to apply special care to ensure that nodes corresponding to the endpoints of the same token are matched accordingly.

We can now show the formulae backing this intuition. Let $B = (V, E, \beta)$ be one of the bounded components. Each node $T \in V$ is identified by a formula $\varphi_T$. Suppose $T = \mathrm{start}(a)$, with $a$ quantified as $a[x = v]$.
The case where $T = \mathrm{end}(a)$ is symmetrical. Then, $\varphi_T$ is defined as just $\varphi_T \equiv \mathrm{start}(x, v)$, or, if $T$ is the endpoint of an unbounded edge connecting $T$ with a node $T'$ in another component $B'$ (hence $T'$ will be the anchor of $B'$), then $\varphi_T$ is defined as follows:

1. if the edge goes from a node $T'$ to $T$, then: $\varphi_T \equiv \mathrm{start}(x, v) \wedge \mathrm{P}\,\varphi_{B'}$
2. if the edge goes from $T$ to $T'$, and $T' \ne \mathrm{end}(a)$, then: $\varphi_T \equiv \mathrm{start}(x, v) \wedge \mathrm{F}\,\varphi_{B'}$
3. otherwise, if the edge goes from $T$ to $T'$, and $T' = \mathrm{end}(a)$, then: $\varphi_T \equiv \mathrm{start}(x, v) \wedge \neg\mathrm{start}(x) \mathrel{\mathrm{U}} \varphi_{B'}$

Note that, since we will build all the $\varphi_B$ as closed formulae (except $\varphi_{B_1}$, which however is taken as the root of the tree, thus it does not come up in this context), the application of the unbounded temporal operators in the formulae above is well-formed. Now, to encode the whole component, we will need to apply temporal operators to formulae containing free variables, hence requiring a bound. From Chapter 4 we know that the maximum distance between any two nodes of a component is bounded above by $\mathrm{window}(P)$, hence, in the following formulae, we will consider the bound $w = \mathrm{window}(P)$ for any bounded temporal operator.

Then, if $T_1$ is the anchor of $B$, fix an arbitrary order between the nodes $T_i \in V$, say $\mathcal{T} = \langle T_1, T_2, \ldots, T_n \rangle$, such that $T_1$ is the first, if present, and if $T_i = \mathrm{start}(a)$ and $T_j = \mathrm{end}(a)$, then $j = i + 1$, i.e., the start and the end of the same token, if they are both part of the component, are placed one after the other. Then, we define $\varphi_B$ as $\varphi_{\mathcal{T}}$, where $\varphi_{\mathcal{T}}$ is defined recursively as follows. Let $\mathcal{T} = \langle T_i, T_{i+1}, \ldots \rangle$. If $T_i = \mathrm{start}(x, v)$ and $T_{i+1} = \mathrm{end}(x, v)$, then:

$$\varphi_{\langle T_i, T_{i+1}, \ldots \rangle} \equiv t_i.\big(\varphi_{T_i} \wedge \neg\mathrm{start}(x) \mathrel{\mathrm{U}_w} \varphi_{\langle T_{i+1}, \ldots \rangle}\big)$$

or, otherwise:

$$\varphi_{\langle T_i, T_{i+1}, \ldots \rangle} \equiv t_i.\big(\varphi_{T_i} \wedge \mathrm{F}_w\mathrm{P}_w\,\varphi_{\langle T_{i+1}, \ldots \rangle}\big)$$

For the base case, when $\mathcal{T} = \langle T \rangle$ is made of a single node, we start checking that all the temporal constraints between the found time points are satisfied, hence $\varphi_{\langle T \rangle} \equiv \varphi_T \wedge \varphi_C$, where $\varphi_C = \bigwedge_{e \in E} \varphi_e$ encodes each edge $e \in E$ of the current component, that is, if $e = (T_i, T_j) \in E$ with $\beta(e) = (l, u)$, then the constraint is encoded as $\varphi_e \equiv t_j \ge t_i + l \wedge t_j \le t_i + u$.

Since all the variables $t_i$ used in these timing constraints were quantified in previous steps of the recursive definition of $\varphi_{\mathcal{T}}$, the resulting formula has no free variables, except possibly for $t$ in the case of the trigger component, thus the whole construction is well-formed from the point of view of the TPTLb+P syntax. It can be checked that the semantics of $\varphi_P$ precisely matches the semantics of $P$, hence we can state the following result.

Theorem 22 — TPTLb+P captures timeline-based planning with forest rules. Let $P$ be a timeline-based planning problem whose rule graphs consist of forests of bounded components. Then, a TPTLb+P formula $\varphi_P$ can be built, of size polynomial in the size of $P$, such that $\varphi_P$ is satisfiable if and only if $P$ admits a solution plan.

Besides the technicalities involved in its definition, the encoding shown above is quite natural: each time a rule is triggered by the start of a token, the endpoints of all the tokens involved in the rule are looked for with temporal operators, their timestamps are recorded with freeze quantifiers, and the temporal constraints are then expressed using timing constraints.
The subdivision of the rule graphs into bounded components allows us to isolate pieces of the rules that can be bounded in size, and thus encoded with an unrestricted use of nested freeze quantifications, while unbounded edges between the components are expressed by unbounded temporal operators.

Now, the reasons behind the restrictions of Definition 7.1 become clear. If multiple unbounded edges connect two components, or if the undirected graph of the bounded components were not a tree (or forest), then the schema used above would not work: the formulae encoding a component would need to compare its timestamps with those of the others in order to guarantee the satisfaction of all the constraints, violating the syntax of TPTLb+P. Unfortunately, whether TPTLb+P admits a way to compactly encode timeline-based planning problems without restrictions, or whether it can be extended to do so without increasing its computational complexity, are still open questions.

It is worth noting that the fragment captured here is broad enough to include the formulae used to encode action-based temporal problems in Chapter 3, whose rule graphs actually consist of the trigger component only. Furthermore, note that the formulae described above, which are of polynomial size, can in particular also be built in polynomial time. Hence, we can exploit the hardness result of Corollary 3.10, and state the following.

Theorem 23 — TPTLb+P satisfiability is EXPSPACE-hard. Finding whether a TPTLb+P formula is satisfiable is EXPSPACE-hard.

7.4 COMPLEXITY OF TPTLb+P SATISFIABILITY

This section proves that the problem of finding whether a TPTLb+P formula is satisfiable is EXPSPACE-complete.
Since we obtained the hardness result from the encoding of timeline-based planning problems shown in the previous section, here we provide an exponential-space decision procedure for the problem. In particular, we present a tableau system for TPTLb+P, which adapts and extends the tableau system originally provided for TPTL by Alur and Henzinger [6]. It is a graph-shaped tableau, very similar in its basic principles to the one for LTL described in Section 6.1.2. The next section will show how it can be adapted to a one-pass tree-shaped system à la Reynolds, like those described in Chapter 6.

For ease of exposition, we can assume w.l.o.g. that any formula has a top-level freeze quantifier, which we always mention explicitly, so any formula will be referred to as x.φ. Given such a formula, we can define two quantities that are useful in the definition of the tableau. Given x.φ, let m be the number of temporal modalities with finite bounds used in x.φ, and let {w_1, …, w_m} be the set of all such finite bounds. Among those, let w_max be the maximum one, and let W = w_max · (m + 1). Intuitively, W is a broad upper bound on how far any bounded temporal operator in the formula can look. Then, let δ_max = ∏_i |c_i| for all the non-zero coefficients c_i appearing in the timing constraints of the formula, e.g., in x ≤ y + c_i. Note that, since coefficients are succinctly encoded, the size of both W and δ_max is exponential in the size of x.φ. Adapting the argument employed for TPTL by [6], and for event sequences in Chapter 4, we can suppose w.l.o.g. that any satisfiable formula x.φ has a model ρ = (σ, τ) where τ_{i+1} − τ_i ≤ δ_max for all i ≥ 0. Furthermore, we will suppose all the formulae to be in negated normal form.

The basic mechanics of the system is similar to the graph-shaped tableau for LTL from Section 6.1.2: a graph is built, where each node represents a possible state of a model, and then a model is searched for among the infinite paths of this graph.
In contrast to the usual LTL tableaux, however, a tableau for TPTL and TPTL+P also has to keep track, in addition to the truth assignment of any given node, of how much time has to pass between two different states, and to handle the freeze quantifications accordingly. The key ingredient of the original tableau for TPTL, adapted here to the TPTLb+P case, is the temporal shift, a transformation of formulae that allows the tableau to handle the binding of variables to timestamps, i.e., the freeze quantifiers, in an implicit way, without keeping track of the environment explicitly.

Definition 7.2 — Temporal shift.
Let z.φ be a closed TPTL formula, δ ∈ N, and x.ψ ∈ C(z.φ). Then, x.ψ^δ is the formula obtained by applying the following steps:
1. replace any timing constraint of the forms x ≤ y + c and y ≤ x + c, for any other variable y ∈ V, by, respectively, x ≤ y + c′ and y ≤ x + c″, where c′ = c + δ and c″ = c − δ; and then
2. replace any timing constraint of the forms x ≤ y + c and y ≤ x + c either by ⊤, if c ≥ W, or by ⊥, if c < −W.

Intuitively, the temporal shift x.ψ^δ of a formula x.ψ allows one to interpret the formula as if the timestamp of the current state were shifted by δ time steps. However, the transformation also recognises when a temporal shift makes a timing constraint trivially valid or unsatisfiable, because the involved constants have grown too much. The formal counterpart of this intuition will be found in Section 7.4.2, along with the proofs of soundness and completeness. We can now define the closure of a formula.

Definition 7.3 — Closure.
The closure of a TPTLb+P formula x.φ is the set C(x.φ) of formulae defined as follows:
1. x.φ ∈ C(x.φ);
2. if z.ψ ∈ C(x.φ), then nnf(¬z.ψ) ∈ C(x.φ);
3. if z.y.ψ ∈ C(x.φ), then z.ψ[y/z] ∈ C(x.φ);
4. if X_w ψ ∈ C(x.φ), then {x.ψ^δ | δ ∈ N} ⊆ C(x.φ);
5. if Y_w ψ ∈ C(x.φ), then {x.ψ^{−δ} | δ ∈ N} ⊆ C(x.φ);
6. if φ_1 ◦ φ_2 ∈ C(x.φ), with ◦ ∈ {∧, ∨}, then {φ_1, φ_2} ⊆ C(x.φ);
7. if φ_1 ◦_w φ_2 ∈ C(x.φ), with ◦ ∈ {U, R}, then {φ_1, φ_2} ⊆ C(x.φ) and X_w(φ_1 ◦_{w−δ} φ_2) ∈ C(x.φ) for all δ ≤ w;
8. if φ_1 ◦_w φ_2 ∈ C(x.φ), with ◦ ∈ {S, T}, then {φ_1, φ_2} ⊆ C(x.φ) and Y_w(φ_1 ◦_{w−δ} φ_2) ∈ C(x.φ) for all δ ≤ w.

Note that in the closure of a formula of the form x.φ, all the formulae have a top-level freeze quantification. Moreover, if x.φ is closed, then its closure contains only closed formulae. In particular, any timing constraint in C(x.φ) is of the form x.(x ≤ x + c) with |c| ≤ δ_max.

It is worth discussing Items 4 and 5 of Definition 7.3. As all the possible temporal shifts of a formula will be needed to construct the tableau, these are included in the closure. However, since timing constraints with too large or too small coefficients are flattened to ⊤ or ⊥ in Definition 7.2, the set {x.ψ^δ | δ ∈ N} actually turns out to be finite.

Note that the TPTL version of the system [6] adopted a definition of temporal shift with the same property, which however was simpler, as it did not need to deal with any bound. The TPTL definition of temporal shift was based on the observation that in a formula such as F x.(x ≤ y − c), with a free variable y, because the logic only supports future operators we can assume that x is going to be bound to a timestamp surely greater than y, hence the timing constraint can be considered unsatisfiable. With past operators, this assumption is invalid, and without any other truncation condition for the temporal shift operation the closure set of the formula becomes infinite.
Here, thanks to the bounds adopted by TPTLb+P temporal operators, we can be sure that the distance between any two bound variables appearing in the same formula cannot be greater than W, hence obtaining a different truncating condition that recovers a finite (and exponentially sized) closure set.

We now show how the tableau for φ is built. To this end, let us define C*(x.φ) = C(x.φ) ∪ {Prev_δ | 0 ≤ δ ≤ δ_max} ∪ {Succ_γ | 0 ≤ γ ≤ δ_max} to be an extension of the closure set of x.φ with fresh proposition letters Prev_δ and Succ_γ, which keep track of the time between the current state and, respectively, the previous and the next one.

Definition 7.4 — Atom for the TPTLb+P tableau.
An atom for x.φ is a maximal subset ∆ of C*(φ) such that:
• Prev_δ ∈ ∆ and Succ_γ ∈ ∆ for exactly one δ and exactly one γ between 0 and δ_max, denoted respectively as δ_∆ and γ_∆, with δ_{∆_i,∆_j} = Σ_i

Definition 7.5 — Tableau for TPTLb+P.
The tableau for φ is a graph where the nodes are all the possible atoms for φ and there is an edge between ∆ and ∆′ iff the following conditions hold:
1. γ_∆ = δ_{∆′};
2. z.X_w ψ ∈ ∆ iff γ_∆ ≤ w and z.ψ^{γ_∆} ∈ ∆′;
3. z.Y_w ψ ∈ ∆′ iff δ_{∆′} ≤ w and z.ψ^{−δ_{∆′}} ∈ ∆.

Similarly to the graph-shaped tableau for LTL+P, Items 2 and 3 of Definition 7.5 handle the temporal operators tomorrow and yesterday, by ensuring that whenever there is an edge between two atoms, the formulae requested by the temporal operators in the two atoms are present. However, this is also the point where the tableau handles the binding of variables without explicitly keeping track of any environment. The freeze quantifications are pushed to the next state by shifting the formula by the right amount, preserving the semantics. Then, as in the tableaux for LTL and TPTL, the search for a model for φ is reduced to the search for a particular infinite path.

Definition 7.6 — Fulfilling paths.
Given the tableau for x.φ, a fulfilling path is an infinite path ∆ = ⟨∆_0, ∆_1, …⟩ of atoms from the tableau such that:
1. x.φ ∈ ∆_0;
2. there are no z.Y_w ψ ∈ ∆_0;
3. δ_{∆_i} > 0 for infinitely many i ≥ 0;
4. for all i ≥ 0 and all z.(ψ_1 U_w ψ_2) ∈ ∆_i, there is k ≥ i such that δ_{∆_i,∆_k} ≤ w and z.ψ_2^{δ_{∆_i,∆_k}} ∈ ∆_k.

As proved in the next section, a formula x.φ is satisfiable if and only if its tableau contains a fulfilling path. As the number of possible atoms is exponential in the size of x.φ, one can prove a contraction argument similar to that employed by Sistla and Clarke [127] for LTL and by Alur and Henzinger [6] for TPTL, establishing the complexity of the problem.

Theorem 24 — Complexity of TPTLb+P satisfiability.
Finding whether a TPTLb+P formula is satisfiable is EXPSPACE-complete.

Proof. Let ∆ = ⟨∆_0, ∆_1, …⟩ be any fulfilling path in the tableau for a TPTLb+P formula x.φ. It can be checked that the total number of possible different atoms in the tableau is exponential in the size of x.φ. Moreover, the number of eventualities of the form z.(ψ_1 U_{w′} ψ_2) is finite and exponentially bounded. Hence, there must be two positions i < j such that ∆_i = ∆_j, and for all z.(ψ_1 U_w ψ_2) ∈ ∆_i, there is i ≤ k ≤ j such that δ_{∆_i,∆_k} ≤ w and z.ψ_2 ∈ ∆_k. Then, we can obtain a periodic fulfilling path of the form ∆ = ∆_{≤i}(∆_{[i+1...j]})^ω, of doubly-exponential length, which can be found in (singly) exponential space by a nondeterministic procedure similar to those employed for LTL [127] and TPTL [6].

This section proves that the tableau system for TPTLb+P described above is sound and complete.
The structure of the proofs is similar to that of other graph-shaped tableau systems, but the additional ingredient of the handling of time makes it a bit more involved. The key step is to formalise and prove the effects of the temporal shifting operation that is applied to the formulae during the construction of the tableau.

Lemma 7.7 — Semantics of the temporal shifts.
Let ρ = (σ, τ) be a timed state sequence and ξ be an environment. Consider a position i ≥ 0 and δ ∈ Z such that δ ≤ τ_i. Then, for any formula z.ψ ∈ C(x.φ), it holds that:

ρ, i ⊨_ξ z.ψ^δ   iff   ρ, i ⊨_{ξ′} ψ,   where ξ′ = ξ[x ← τ_i − δ].

Proof. Let us first define some notation. For each TPTLb+P formula ψ, let deg(ψ) be the temporal nesting of ψ, i.e., the nesting degree defined counting only bounded temporal operators. If ψ is a subformula of x.φ, let d(ψ) = deg(x.φ) − deg(ψ) + 1. Observe that d(x.φ) = 1 and that the value of d(ψ) is maximal when ψ is atomic (i.e., a literal or a timing constraint). Note, moreover, that since the closure of an until or since operator can increase the temporal nesting by one, it may be that d(z.ψ) = 0 (e.g., when z.ψ is x.X_w φ). Recall that W = w_max · (m + 1), where m is the number of temporal operators with finite bound that appear in x.φ, and w_max is the maximum one. Thus, since deg(z.ψ) ≤ m + 1, observe that W ≥ w_max · deg(z.ψ).

We first prove a more general claim, namely that if ψ is a subformula, not necessarily closed, of some formula x.ψ′ ∈ C(x.φ) (including itself), and ξ is an environment such that |ξ(y) − τ_i| ≤ w_max · d(ψ) for any variable y that is free in ψ, then ρ, i ⊨_ξ x.ψ^δ iff ρ, i ⊨_{ξ[x ← τ_i − δ]} ψ. The thesis then follows as a special case, since all the x.ψ ∈ C(φ) are closed and the above condition on ξ is trivially satisfied if there are no free variables. The claim is proved by structural induction on x.ψ.
The first base case, x.p for p ∈ Σ, is trivial since x.p^δ ≡ p. The interesting base case is thus when x.ψ is a timing constraint involving x. If x.ψ ≡ x.(x ≤ z + c), there are a few cases:
1. if |c + δ| ≤ W, then x.ψ^δ ≡ x.(x ≤ z + (c + δ)). In this case, ρ, i ⊨_ξ x.ψ^δ iff ρ, i ⊨_{ξ[x ← τ_i]} x ≤ z + (c + δ). But the constraint x ≤ z + (c + δ) is equivalent to x − δ ≤ z + c, thus ρ, i ⊨_{ξ[x ← τ_i − δ]} x ≤ z + c ≡ ψ;
2. if c + δ > W, then x.ψ^δ ≡ ⊤, thus we have to show that it cannot be the case that ρ, i ⊭_{ξ[x ← τ_i − δ]} ψ. By contradiction, that would mean that τ_i − δ > ξ(z) + c, which means τ_i > ξ(z) + W, impossible since we assumed |ξ(z) − τ_i| ≤ w_max · d(x.ψ) ≤ W.

If x.ψ ≡ x.(z ≤ x + c) the argument is symmetrical. Hence the base case holds, and we can consider the inductive step. The cases of the boolean connectives follow directly from the inductive hypothesis, hence we focus on temporal operators. If x.ψ ≡ x.X_w ψ′, then x.ψ^δ ≡ x.X_w ψ′^δ. Thus, by considering the semantics of the tomorrow operator and the inductive hypothesis, we obtain:

$$
\begin{aligned}
& \rho, i \models_{\xi} x.\mathsf{X}_w\,\psi'^{\delta} \\
\Rightarrow\; & \rho, i+1 \models_{\xi[x \leftarrow \tau_i]} \psi'^{\delta} && \text{at the next state} \\
\Rightarrow\; & \rho, i+1 \models_{\xi[x \leftarrow \tau_{i+1} - \delta']} \psi'^{\delta} && \text{where } \delta' = \tau_{i+1} - \tau_i \\
\Rightarrow\; & \rho, i+1 \models_{\xi} x.\psi'^{\delta + \delta'} && \text{by the ind. hyp.} \\
\Rightarrow\; & \rho, i+1 \models_{\xi[x \leftarrow \tau_{i+1} - \delta - \delta']} \psi' && \text{by the ind. hyp.} \\
\Rightarrow\; & \rho, i+1 \models_{\xi[x \leftarrow \tau_i - \delta]} \psi' && \text{since } \tau_{i+1} - \delta' = \tau_i \\
\Rightarrow\; & \rho, i \models_{\xi[x \leftarrow \tau_i - \delta]} \mathsf{X}_w\,\psi' && \text{back one state}
\end{aligned}
$$

We still have to check that the inductive hypothesis was applicable, by showing that |ξ(y) − τ_i| ≤ w_max · d(x.ψ) implies that |ξ(y) − τ_{i+1}| ≤ w_max · d(x.ψ′) for any variable y that is free in x.ψ, and thus free in x.ψ′.
Observe that, if w = ∞, ψ′ has to be a closed formula, so there are no free variables y whatsoever, and this condition on ξ is trivially satisfied. Otherwise, we know that δ′ ≤ w ≤ w_max, thus we obtain:

$$
\begin{aligned}
|\xi(y) - \tau_i| &\le w_{\max} \cdot d(\psi) \\
|\xi(y) - \tau_{i+1} + \delta'| &\le w_{\max} \cdot d(\psi) && \text{because } \tau_i = \tau_{i+1} - \delta' \\
|\xi(y) - \tau_{i+1}| &\le w_{\max} \cdot d(\psi) + \delta' && \text{because } \delta' \ge 0 \\
&\le w_{\max} \cdot d(\psi) + w_{\max} && \text{because } \delta' \le w_{\max} \\
&\le w_{\max} \cdot (d(\psi) + 1) \\
&\le w_{\max} \cdot d(\psi')
\end{aligned}
$$

The converse is symmetric, and the argument is similar for the other operators.

With the shifting operator in place, we can now prove that the system is sound and complete.

Theorem 25 — The TPTLb+P tableau is sound and complete.
A TPTLb+P formula is satisfiable if and only if its tableau has a fulfilling path.

Proof (soundness). We show that, given a fulfilling path ∆ = ⟨∆_0, ∆_1, …⟩ in the tableau for x.φ, we can build a timed state sequence ρ = (σ, τ) such that ρ ⊨ x.φ. The model ρ can be extracted in an easy way: for each p ∈ Σ, p ∈ σ_i iff x.p ∈ ∆_i, and τ_i = Σ_{0 ≤ k ≤ i} δ_{∆_k}. Note that the progress and monotonicity conditions on the timed state sequence so obtained are satisfied by construction. We will now show that, for each formula x.ψ ∈ C(x.φ) and all i ≥ 0, if x.ψ ∈ ∆_i then ρ, i ⊨ x.ψ, from which the thesis follows since x.φ ∈ ∆_0. This is done by structural induction on x.ψ.
• If x.p ∈ ∆_i, the thesis holds by construction.
• If a timing constraint x.(x ≤ x + c) ∈ ∆_i, by Definition 7.4 we know that c ≥ 0, thus ρ, i ⊨ x.(x ≤ x + c).
• If x.¬ψ ∈ ∆_i, Definition 7.4 implies that x.ψ ∉ ∆_i, which by the inductive hypothesis implies that ρ, i ⊨ x.¬ψ.
• If x.(ψ_1 ∨ ψ_2) ∈ ∆_i, then either x.ψ_1 ∈ ∆_i or x.ψ_2 ∈ ∆_i, thus either ρ ⊨ x.ψ_1 or ρ ⊨ x.ψ_2, which implies ρ ⊨ x.(ψ_1 ∨ ψ_2).
• If x.X_w ψ ∈ ∆_i, then γ_{∆_i} ≤ w and x.ψ^{γ_{∆_i}} ∈ ∆_{i+1} by Definition 7.5, which implies ρ, i+1 ⊨_ξ x.ψ^{γ_{∆_i}} for any ξ. Then, by Lemma 7.7, we know that ρ, i+1 ⊨_{ξ[x ← τ_{i+1} − γ_{∆_i}]} ψ. But τ_i = τ_{i+1} − γ_{∆_i}, thus τ_{i+1} ≤ τ_i + w, and we have ρ, i ⊨_ξ x.X_w ψ for any ξ.
• If x.Y_w ψ ∈ ∆_i, then by Definitions 7.5 and 7.6 we know that i > 0, δ_{∆_i} ≤ w, and x.ψ^{−δ_{∆_i}} ∈ ∆_{i−1}, which implies ρ, i−1 ⊨_ξ x.ψ^{−δ_{∆_i}} for any ξ. Then, by Lemma 7.7, we have ρ, i−1 ⊨_{ξ[x ← τ_{i−1} + δ_{∆_i}]} ψ. But τ_i = τ_{i−1} + δ_{∆_i}, thus τ_i ≤ τ_{i−1} + w, and we have ρ, i ⊨_ξ x.Y_w ψ for any ξ.
• If x.(ψ_1 U_w ψ_2) ∈ ∆_i, then by Definition 7.6 there is a k ≥ i such that x.ψ_2^{δ_{∆_i,∆_k}} ∈ ∆_k and x.ψ_1^{δ_{∆_i,∆_j}} ∈ ∆_j for all i ≤ j < k. Thus, by the induction hypothesis, ρ, k ⊨_ξ x.ψ_2^{δ_{∆_i,∆_k}} and ρ, j ⊨_ξ x.ψ_1^{δ_{∆_i,∆_j}} for all i ≤ j < k, for any ξ. By Lemma 7.7, this implies that ρ, k ⊨_{ξ[x ← τ_k − δ_{∆_i,∆_k}]} ψ_2 and ρ, j ⊨_{ξ[x ← τ_j − δ_{∆_i,∆_j}]} ψ_1 for all i ≤ j < k. But τ_k = τ_i + δ_{∆_i,∆_k} and τ_j = τ_i + δ_{∆_i,∆_j} for all i ≤ j < k, thus τ_k ≤ τ_i + w, and we have ρ, i ⊨_ξ x.(ψ_1 U_w ψ_2).
• The case of x.(ψ_1 S_w ψ_2) ∈ ∆_i mirrors the previous one.

(completeness) We now show that, given a timed state sequence ρ = (σ, τ) such that ρ ⊨ φ, there exists a fulfilling path ∆ = ⟨∆_0, ∆_1, …⟩ in the tableau for φ. The construction, again, is simple: the atom ∆_i, for each i, is built so that x.ψ ∈ ∆_i if and only if ρ, i ⊨ x.ψ, for each x.ψ ∈ C(x.φ). Then, Prev_0 ∈ ∆_0 and Prev_δ ∈ ∆_i with δ = τ_i − τ_{i−1} for each i > 0, and Succ_γ ∈ ∆_i with γ = τ_{i+1} − τ_i for each i ≥ 0. It is easy to verify that the consistency conditions of Definition 7.4 are satisfied, so that ∆_0, ∆_1, … are indeed atoms.

To see that ∆ is indeed a path in the tableau, we need to show that there is an edge between ∆_i and ∆_{i+1} for each i.
It is easy to check that γ_{∆_i} = δ_{∆_{i+1}} by construction. Then, consider a formula x.X_w ψ ∈ ∆_i. By construction we know that ρ, i ⊨_ξ x.X_w ψ, for any ξ, thus ρ, i+1 ⊨_{ξ[x ← τ_i]} ψ and τ_{i+1} ≤ τ_i + w. Thus, since τ_i = τ_{i+1} − γ_{∆_i} we have γ_{∆_i} ≤ w, and by Lemma 7.7 we obtain that ρ, i+1 ⊨_ξ x.ψ^{γ_{∆_i}}, which implies that x.ψ^{γ_{∆_i}} ∈ ∆_{i+1}. With a similar argument we know that x.Y_w ψ ∈ ∆_{i+1} implies x.ψ^{−δ_{∆_{i+1}}} ∈ ∆_i.

To see that ∆ is, in particular, a fulfilling path, first observe that φ ∈ ∆_0 because ρ, 0 ⊨ φ, that no x.Y_w ψ can be in ∆_0 since it cannot be the case that ρ, 0 ⊨ x.Y_w ψ, and that ∆ satisfies the progress condition because the timed state sequence does, thus Items 1 to 3 of Definition 7.6 are satisfied. For Item 4 of Definition 7.6, consider a formula x.(ψ_1 U_w ψ_2) ∈ ∆_i for some i ≥ 0. By construction, ρ, i ⊨_ξ x.(ψ_1 U_w ψ_2), so there is a k such that τ_k ≤ τ_i + w and ρ, k ⊨_{ξ[x ← τ_i]} ψ_2. But τ_i = τ_k − δ_{∆_i,∆_k}, thus by Lemma 7.7 we have that ρ, k ⊨_ξ x.ψ_2^{δ_{∆_i,∆_k}}, and thus by construction x.ψ_2^{δ_{∆_i,∆_k}} ∈ ∆_k. Similarly, x.ψ_1^{δ_{∆_i,∆_j}} ∈ ∆_j for all i ≤ j < k.

A ONE-PASS TREE-SHAPED TABLEAU FOR TPTLb+P

This section shows how the one-pass tree-shaped tableau system for LTL+P described in Section 6.5 can be adapted to TPTLb+P. The result is a one-pass tree-shaped tableau system à la Reynolds for this logic.

The tableau system shown here does not handle TPTLb+P formulae directly. Rather, the formulae are translated into a proper fragment of TPTL+P, and the tableau rules are defined to handle such a fragment. The fragment of TPTL+P identified here corresponds exactly to TPTLb+P, thus also providing a characterisation of the expressiveness of TPTLb+P in comparison with the whole of TPTL+P. The system will be proved to be sound and complete by sketching how to adapt to it the same argument based on greedy models employed in Chapter 6 for the LTL and LTL+P case.
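The temporal shift of Definition 7.2, the bound W = w_max · (m + 1) of Section 7.4, and the finiteness of the shifted sets {x.ψ^δ | δ ∈ N} and {x.ψ^{−δ} | δ ∈ N} of Items 4 and 5 of Definition 7.3, on which both the graph-shaped tableau above and the tree-shaped tableau of this section rely, can be made concrete in a few lines of code. The following Python program is an added example, not code from the thesis or from any tableau implementation by its author: it represents timing constraints of the forms x ≤ y + c and y ≤ x + c inside a tiny formula tree, applies the shift by δ (positive δ for Item 4, negative δ for Item 5) with the flattening to ⊤ and ⊥ of Definition 7.2, and enumerates the distinct shifts of a constraint to show that only finitely many survive. The names `Constraint`, `bound_w`, `shift_constraint`, `shift` and `all_shifts`, the tuple encoding of formulae, and the sample bounds and formula are assumptions of the example.

```python
from dataclasses import dataclass

# Constructed example (not from the thesis). Formulae are nested tuples:
#   ("p", name), ("and", a, b), ("or", a, b), ("X", w, sub), ("Y", w, sub),
#   ("freeze", var, sub), a Constraint, or the flattened constants TOP / BOT.
TOP, BOT = "⊤", "⊥"


@dataclass(frozen=True)
class Constraint:
    """Timing constraint `lhs <= rhs + c` between two frozen variables."""
    lhs: str
    rhs: str
    c: int


def bound_w(finite_bounds):
    """W = w_max * (m + 1): how far any bounded operator can look (Section 7.4)."""
    m = len(finite_bounds)
    return max(finite_bounds) * (m + 1) if m else 0


def shift_constraint(k, x, delta, W):
    """Temporal shift of one constraint w.r.t. the frozen variable x (Definition 7.2).

    Step 1: x <= y + c becomes x <= y + (c + delta); y <= x + c becomes y <= x + (c - delta).
    Step 2: the result is flattened to ⊤ if its constant is >= W, to ⊥ if it is < -W.
    """
    if k.lhs == x and k.rhs != x:
        c = k.c + delta
    elif k.rhs == x and k.lhs != x:
        c = k.c - delta
    else:
        return k  # x does not occur, or the constraint is x <= x + c: nothing to shift
    if c >= W:
        return TOP
    if c < -W:
        return BOT
    return Constraint(k.lhs, k.rhs, c)


def shift(formula, x, delta, W):
    """Apply the shift to every constraint of a formula tree, descending through
    connectives, temporal operators and freeze quantifiers on other variables."""
    if isinstance(formula, Constraint):
        return shift_constraint(formula, x, delta, W)
    if isinstance(formula, str):
        return formula  # ⊤ or ⊥
    tag = formula[0]
    if tag == "p":
        return formula
    if tag in ("and", "or"):
        return (tag, shift(formula[1], x, delta, W), shift(formula[2], x, delta, W))
    if tag in ("X", "Y"):
        return (tag, formula[1], shift(formula[2], x, delta, W))
    if tag == "freeze":
        if formula[1] == x:
            return formula  # an inner quantifier on x shadows the outer one
        return (tag, formula[1], shift(formula[2], x, delta, W))
    raise ValueError(f"unknown node {tag!r}")


def all_shifts(k, x, W, negative=False):
    """Enumerate {k^δ | δ ∈ N} (or {k^-δ} when negative=True) until the shift flattens
    the constraint. The list is finite because every step moves the constant one unit
    towards W or -W, which is why Items 4 and 5 of Definition 7.3 add finitely many formulae."""
    if x not in (k.lhs, k.rhs) or k.lhs == k.rhs:
        return [k]  # unaffected by shifting: a single element
    seen = []
    delta = 0
    while True:
        result = shift_constraint(k, x, -delta if negative else delta, W)
        seen.append(result)
        if result in (TOP, BOT):
            return seen
        delta += 1


if __name__ == "__main__":
    W = bound_w([3, 5])  # two bounded operators, w_max = 5, so W = 15 (constructed values)
    sample = ("and", ("p", "a"), ("X", 3, ("freeze", "y", Constraint("x", "y", 2))))
    print(shift(sample, "x", 4, W))
    print(len(all_shifts(Constraint("x", "y", 2), "x", W)), "distinct forward shifts")
```

Running the script with the constructed bounds gives W = 15; the constraint x ≤ y + 2 admits 13 distinct shifted forms with constants 2 to 14 before δ = 13 flattens it to ⊤, and its negative shifts reach ⊥ at δ = 18. The `freeze` case only shadows the variable being shifted; constraints mentioning x under a quantifier on a different variable are still shifted, exactly as Definition 7.2 prescribes for constraints involving x.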
TPTLb+P AS A GUARDED FRAGMENT OF TPTL+P

We now show how TPTLb+P can be identified as a guarded fragment of TPTL+P, that is, a syntactic fragment of the logic, which we call G(TPTL+P), where each occurrence of any temporal operator is guarded by an additional formula which implements the bounded semantics of the TPTLb+P operators.

G(TPTL+P) is the fragment of TPTL+P defined as follows:

$$
\begin{aligned}
\varphi := {} & p \mid \neg p \mid \varphi_1 \vee \varphi_2 \mid x \le y + c \mid x \le c \mid x \equiv_m y + c \\
& \mid x.\mathsf{X}\,y.(\gamma^{x,y}_w \wedge \varphi) \mid x.\mathsf{X}\,y.(\gamma^{x,y}_w \to \varphi) \mid x.\mathsf{Y}\,y.(\gamma^{x,y}_w \wedge \varphi) \mid x.\mathsf{Y}\,y.(\gamma^{x,y}_w \to \varphi) \\
& \mid x.\big(z.(\gamma^{x,z}_w \to \varphi_1)\ \mathsf{U}\ y.(\gamma^{x,y}_w \wedge \varphi_2)\big) \mid x.\big(z.(\gamma^{x,z}_w \wedge \varphi_1)\ \mathsf{R}\ y.(\gamma^{x,y}_w \to \varphi_2)\big) \\
& \mid x.\big(z.(\gamma^{x,z}_w \to \varphi_1)\ \mathsf{S}\ y.(\gamma^{x,y}_w \wedge \varphi_2)\big) \mid x.\big(z.(\gamma^{x,z}_w \wedge \varphi_1)\ \mathsf{T}\ y.(\gamma^{x,y}_w \to \varphi_2)\big)
\end{aligned}
$$

where γ^{x,y}_w = y ≤ x + w, if w ≠ +∞, and γ_w = ⊤ otherwise, with w ∈ N ∪ {+∞} and x and y fresh in φ_1 and φ_2. Moreover, as in TPTLb+P, each temporal operator can appear with w = +∞ only if the corresponding formula is closed. All the temporal operators where w ≠ +∞ are called guarded.

One can check that the negated normal form of a G(TPTL+P) formula is still a G(TPTL+P) formula, and, as shown below, that any TPTLb+P formula has an equivalent G(TPTL+P) one.

Lemma 7.8 — Translation of TPTLb+P into G(TPTL+P).
Let φ be a TPTLb+P formula. Then, there exists a G(TPTL+P) formula φ′ such that for any timed state sequence ρ, any environment ξ, and any i ≥ 0, it holds that ρ, i ⊨_ξ φ if and only if ρ, i ⊨_ξ φ′.

Proof. The semantics of most temporal operators of TPTLb+P exactly matches the corresponding guarded form in the G(TPTL+P) syntax, hence the translation is straightforward. The only exception is the tomorrow and yesterday operators, whose strong and weak versions are both mapped to the G(TPTL+P) tomorrow and yesterday operators.
However, G(TPTL+P) supports two possible ways to guard these operators, one where the guard is conjoined with the target formula, and one where the guard implies it. Hence, the tomorrow operator is translated as X_w ψ ≡ x.X y.(y ≤ x + w ∧ ψ) for the strong version, and X̃_w ψ ≡ x.X y.(y ≤ x + w → ψ) for the weak version, if w ≠ +∞, and simply X_{+∞} ψ ≡ X̃_{+∞} ψ ≡ X ψ otherwise.

Here we can finally show the adaptation to TPTLb+P of the one-pass tree-shaped tableau for LTL+P shown in Section 6.5. As anticipated, the tableau does not handle TPTLb+P formulae directly. Rather, the system handles generic TPTL+P formulae, but embeds the guarded semantics of TPTLb+P. Hence, when the system is applied to a G(TPTL+P) formula, the result is sound and complete.

The first step is thus the definition of the closure of a TPTL+P formula. The definition will again use the temporal shift operation defined for the graph-shaped tableau for TPTLb+P described in Section 7.5. Although applied to TPTL+P formulae, the operation is defined exactly as in Definition 7.2.

Definition 7.9 — Closure of a TPTL+P formula.
The closure of a TPTL+P formula z.φ is the set C(z.φ) of formulae defined as follows:
1. z.φ ∈ C(z.φ);
2. if x.(ψ_1 ∧ ψ_2) ∈ C(z.φ), then {x.ψ_1, x.ψ_2} ⊆ C(z.φ);
3. if x.(ψ_1 ∨ ψ_2) ∈ C(z.φ), then {x.ψ_1, x.ψ_2} ⊆ C(z.φ);
4. if x.X ψ ∈ C(z.φ), then x.ψ^δ ∈ C(z.φ), for all δ ≥ 0;
5. if x.Y ψ ∈ C(z.φ), then x.ψ^{−δ} ∈ C(z.φ), for all δ ≥ 0;
6. if x.(ψ_1 ◦ ψ_2) ∈ C(z.φ), where ◦ ∈ {U, R, S, T}, then {x.ψ_1, x.ψ_2, x.X(ψ_1 ◦ ψ_2)} ⊆ C(z.φ);
7. if x.y.ψ ∈ C(z.φ), then x.ψ[y/x] ∈ C(z.φ).

The basic structure of the system is very similar to the LTL+P tableau. A tableau for a G(TPTL+P) formula x.φ is a tree where any node u is labelled by a subset Γ(u) ⊆ C(x.φ) of the closure of x.φ.
The tree is built, starting from the root u_0 with Γ(u_0) = {x.φ}, by applying a set of rules to each leaf. Each rule can potentially create some children, thus creating new leaves from which the process can continue, or close the branch by accepting or rejecting it.

The set of rules is similar to those used in the LTL+P tableau. The expansion rules for TPTL+P are shown in Table 7.1, and are very similar to those for LTL+P. They look for a formula x.ψ in Γ(u), and create two children u′ and u″ such that Γ(u′) = Γ(u) \ {x.ψ} ∪ Γ_1(x.ψ) and Γ(u″) = Γ(u) \ {x.ψ} ∪ Γ_2(x.ψ), or a single child u′ if Γ_2(x.ψ) is empty. Apart from the different syntax of the formulae themselves, it can be seen that the expansions of each formula are mostly unchanged with respect to LTL+P.

Atomic formulae such as propositions and timing constraints, and tomorrow and yesterday operators, are considered elementary formulae. Nodes whose labels contain only elementary formulae are called poised nodes. The major difference of this system in contrast to the LTL+P one is the STEP rule, which here does not only have to propagate the tomorrow requests from a state to the next, but also has to choose how much time has to pass between the two states. This is done by simply creating as many children as there are possible time advancements. Recall that we can assume that the maximum time gap between two states is bounded by δ_max, hence the number of such choices is finite.

STEP  Let u be a poised node. Then, δ_max + 1 children nodes u_0, …, u_{δ_max} are added to u, such that Γ(u_δ) = {x.ψ^δ | x.X ψ ∈ Γ(u)} for all 0 ≤ δ ≤ δ_max.

Table 7.1: Expansion rules for the G(TPTL+P) tableau.

Rule           φ ∈ Γ                 Γ_1(φ)                 Γ_2(φ)
DISJUNCTION    x.ψ_1 ∨ x.ψ_2         {x.ψ_1}                {x.ψ_2}
CONJUNCTION    x.ψ_1 ∧ x.ψ_2         {x.ψ_1, x.ψ_2}
UNTIL          x.(ψ_1 U ψ_2)         {x.ψ_2}                {x.ψ_1, x.X(ψ_1 U ψ_2)}
RELEASE        x.(ψ_1 R ψ_2)         {x.ψ_1, x.ψ_2}         {x.ψ_2, x.X(ψ_1 R ψ_2)}
EVENTUALLY     x.F ψ                 {x.ψ}                  {x.XF ψ}
ALWAYS         x.G ψ                 {x.ψ, x.XG ψ}
SINCE          x.(ψ_1 S ψ_2)         {x.ψ_2}                {x.ψ_1, x.Y(ψ_1 S ψ_2)}
TRIGGERED      x.(ψ_1 T ψ_2)         {x.ψ_1, x.ψ_2}         {x.ψ_2, x.Y(ψ_1 T ψ_2)}
PAST           x.P ψ                 {x.ψ}                  {x.YP ψ}
HISTORICALLY   x.H ψ                 {x.ψ, x.YH ψ}

Similarly to the LTL+P tableau, the STEP rule is not always applied to all poised nodes; rather, the FORECAST rule is applied first to guess which formulae will be needed by future instances of the YESTERDAY rule. Only when the expansion of such nodes leads again to poised nodes is the STEP rule applied to them. As a consequence, any poised node has either a number of children added by the FORECAST rule or δ_max children added by the STEP rule. As in the LTL+P case, given a branch u = ⟨u_0, …, u_n⟩ of the tableau, we define the step nodes as those poised nodes u_i where u_{i+1} is one of the children u_δ, for some 0 ≤ δ ≤ δ_max, added by the STEP rule. We denote this value of δ as δ(u_i). For each node u_i in the branch we can thus define a quantity time(u_i) = Σ

SYNC  If either x.(x ≤ x + c) ∈ Γ(u_n) or x.¬(x ≤ x + c) ∈ Γ(u_n), but, respectively, c < 0 or c ≥ 0, then u_n is crossed.

FORECAST  Let G_n = {α ∈ C(φ) | x.Y α is a subformula of some ψ ∈ Γ(u_n)} be the set of formulae involved in any yesterday operator appearing inside the formulae of Γ(u_n). Then, at most once before any application of the STEP rule, for each subset G′_n ⊆ G_n (including the empty set), a child u′_n is added to u_n such that Γ(u′_n) = Γ(u_n) ∪ G′_n.

YESTERDAY  If x.Y ψ ∈ Γ(u_n), let u_k be the closest ancestor of u_n where the STEP rule was applied, and let Y_n = {x.ψ | x.Y ψ ∈ Γ(u_n)}. Then, the node u_n is crossed if u_k does not exist, because there is no application of the STEP rule preceding u_n, or if Y_n ⊄ Γ*(u_k).
LOOP  If there is a step node u_i < u_n such that Γ(u_i) = Γ(u_n), and all the X-eventualities requested in u_i are fulfilled in u_{[i+1...n]}, then:
1. if time(u_i) = time(u_n), then u_n is crossed;
2. if time(u_i) < time(u_n), then u_n is ticked.

PRUNE  If there are two positions i < j ≤ n such that Γ(u_i) = Γ(u_j) = Γ(u_n), and, among the X-eventualities requested in these nodes, all those fulfilled in u_{[j+1...n]} are fulfilled in u_{[i+1...j]} as well, then u_n is crossed.

Let us discuss this set of rules. In comparison with the rules for the LTL+P tableau, an additional SYNC rule is present, which, similarly to the CONTRADICTION rule, checks for contradictions, but regarding the timing constraints. The EMPTY, FORECAST, YESTERDAY and PRUNE rules are unchanged. The LOOP rule works similarly, but now has to distinguish two cases, depending on whether time has passed between the two repeating nodes. If the difference in time between the nodes is zero, then the loop cannot be accepted, because it would result in a timed state sequence that violates the progress condition. It can be seen that the tree has a finite branching factor, hence, adapting the arguments used in Theorem 19 of Chapter 6, we can see that the construction always terminates. Moreover, adapting the arguments used in Theorems 20 and 21 of Chapter 6, we can prove the soundness and completeness of the system.

We will again base our arguments on the notion of pre-model, adapted to G(TPTL+P) from Section 6.5.2. Here, an atom is thus a set ∆ ⊆ C(x.φ) of formulae from the closure of x.φ that is closed by expansion (by Table 7.1) and by logical deduction, similarly to Definition 6.4. Then, pre-models are infinite sequences of such atoms, defined similarly to Definition 6.14, but suitably adapted to the structure of G(TPTL+P) and of our tableau.

Definition 7.10 — Pre-models for G(TPTL+P).
Let x.φ be a G(TPTL+P) formula.
A pre-model for x.φ is a pair Π = (∆, δ), where δ = ⟨δ_0, δ_1, …⟩ is an infinite sequence of non-negative integers δ_i ∈ N, and ∆ = ⟨∆_0, ∆_1, …⟩ is an infinite sequence of minimal atoms for x.φ such that, for all i ≥ 0:
1. x.φ ∈ ∆_0;
2. if x.X ψ ∈ ∆_i, then x.ψ^{δ_{i+1}} ∈ ∆_{i+1};
3. if x.Y ψ ∈ ∆_i, then i > 0 and x.ψ^{−δ_i} ∈ ∆_{i−1};
4. if x.(ψ_1 U ψ_2) ∈ ∆_i, there is a j ≥ i with x.ψ_2^{δ_{ij}} ∈ ∆_j and x.ψ_1^{δ_{ik}} ∈ ∆_k for all i ≤ k < j, where δ_{ij} = Σ_i

Theorem 26 — The tree-shaped tableau for TPTLb+P is sound and complete.
A TPTLb+P formula is satisfiable if and only if the tableau built on its G(TPTL+P) translation has an accepted branch.

Proof (soundness). Let x.φ be the G(TPTL+P) translation of a TPTLb+P formula. By Lemma 7.8 we know that x.φ is satisfiable if and only if the original formula is, hence let us focus on the tableau built on x.φ. To show the soundness of the system, i.e., that if the tableau for φ has an accepted branch then the formula is satisfiable, we look at one such accepted branch u = ⟨u_0, …, u_n⟩ and extract a model for x.φ. Let π = ⟨π_0, …, π_m⟩ be the sequence of step nodes of u. A pre-model Π = (∆, δ) can be extracted from an accepted branch. A suitable periodic sequence of atoms ∆ can be extracted in the same way as in Lemma 6.8, and δ can be defined such that δ_i = time(π_i), where π_i is the tableau node corresponding to ∆_i, for the prefix, and consequently in the period. We can check that, thanks to the definition of the LOOP rule, an accepted branch can only lead to a pre-model satisfying Item 5 of Definition 7.10. An actual model for x.ψ can then be extracted from Π as in Lemma 6.6, with arguments totally similar to those used in Theorem 25, suitably computing from δ the absolute timestamps of the timed state sequence, which proves the soundness of the system.

Proof (completeness).
To show completeness, i.e., that the tableau for a satisfiable formula has at least one accepted branch, the argument based on greedy pre-models used for LTL and LTL+P in Chapter 6 can again be adapted to the G(TPTL+P) case. In particular, the definition of the delays of the requests of X-eventualities is totally similar to that employed in Section 6.3. Note that these delays still only count the number of atoms from the request of an X-eventuality to its satisfaction, disregarding the timestamps of such atoms. Following the argument used in the proof of Theorem 21, knowing that x.φ is satisfiable we can suppose to have a greedy pre-model Π = (∆, δ) for x.φ, and traverse the tree to obtain a branch u = ⟨u_0, …, u_n⟩, as in Lemma 6.9. In this traversal, when descending from a step node u_i through the application of the STEP rule, we have to choose the child u_i^{δ_{i+1}}, matching in the branch the time advancement made by the pre-model. If π = ⟨π_0, …, π_m⟩ is the sequence of step nodes of u, then, as in the LTL+P case, by construction we have that ∆_i = ∆(π_i). In addition to the argument employed in the LTL+P case, we only have to observe that if u is not accepting, then u_n cannot have been crossed by the SYNC rule, nor by the LOOP rule, since this would contradict the fact that Π is a pre-model for x.φ. Then, as in Theorem 21, the node cannot have been crossed by the PRUNE rule either, because that would contradict the assumption that Π is a greedy pre-model. Hence u must be an accepted branch, completing the proof.

CONCLUSIONS AND OPEN QUESTIONS

This chapter approached the expressiveness of timeline-based planning problems from a logical perspective, as opposed to the comparative point of view adopted in Chapter 3, by exhibiting a temporal logic capable of expressing a broad fragment of the whole formalism.
The TPTLb+P logic, a guarded fragment of TPTL+P, has been defined and proved to have an EXPSPACE-complete satisfiability problem. This is in contrast with full TPTL+P, which is known to be non-elementary. Furthermore, a one-pass tree-shaped tableau for TPTLb+P has been shown, extending the one for LTL+P described in Chapter 6.

In contrast to action-based planning languages, which can be easily captured by LTL formulae [42], capturing timeline-based planning with temporal logic proved to be a challenging task. As has been shown, the use of the freeze quantifier of TPTLb+P is essential in expressing the structure of arbitrary rules, but the restrictions needed to keep the complexity of the logic under control make it still not expressive enough to capture the whole formalism, forcing us to define the concept of forest of bounded components and to restrict the encoding to timeline-based planning problems whose rule graphs satisfy this property. Whether a more complex encoding could reach our goal, or whether TPTLb+P could be extended to capture the whole formalism while keeping the same computational complexity, are still open questions.

Past operators are essential in the encoding of synchronisation rules, which can arbitrarily look forward or backward from their trigger. However, there might be other ways to add past operators to TPTL while restricting their usage so as to recover a good complexity. A possible way might be to retain the full TPTL+P syntax while restricting the maximum quantifier alternation depth of the formulae. Given the strict ∀∃* structure of synchronisation rules, an encoding similar to that shown here can be defined to capture the whole formalism with formulae of TPTL+P of the form G(FP), i.e., a single universal modality encompassing an arbitrary combination of existential past or future modalities. The conjecture is that this fixed-alternation fragment of TPTL+P may still be EXPSPACE-complete.

The primary motivation behind the pursuit of a logical characterisation of timelines is the possibility of leveraging the substantial corpus of research devoted to the synthesis of controllers from temporal logic specifications [56]. Synthesising a controller from a TPTLb+P specification may represent an alternative and promising way to implement synthesis of controllers for the timeline-based games defined in Chapter 5.

LIST OF PUBLICATIONS

[KR 2018] Dario Della Monica, Nicola Gigante, Angelo Montanari and Pietro Sala. ‘A Novel Automata-Theoretic Approach to Timeline-Based Planning’. In: Proceedings of the 16th International Conference on Principles of Knowledge Representation and Reasoning. Ed. by Michael Thielscher, Francesca Toni and Frank Wolter. AAAI Press, 2018, pp. 541–550. url: https://aaai.org/ocs/index.php/KR/KR18/paper/view/18024
[GandALF 2018] Luca Geatti, Nicola Gigante, Angelo Montanari and Mark Reynolds. ‘One-Pass and Tree-Shaped Tableau Systems for TPTL and TPTLb+Past’. In: Proceedings of the 9th International Symposium on Games, Automata, Logics, and Formal Verification. Ed. by Andrea Orlandini and Martin Zimmermann. Vol. 277. EPTCS. 2018, pp. 176–190.
[TIME 2018] Nicola Gigante, Angelo Montanari, Marta Cialdea Mayer, Andrea Orlandini and Mark Reynolds. ‘A Game-Theoretic Approach to Timeline-Based Planning with Uncertainty’. In: Proceedings of the 25th International Symposium on Temporal Representation and Reasoning. Ed. by Natasha Alechina, Kjetil Nørvåg and Wojciech Penczek. Vol. 120. LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2018, 13:1–13:17.
[IJCAI 2017] Dario Della Monica, Nicola Gigante, Angelo Montanari, Pietro Sala and Guido Sciavicco.
‘Bounded Timed Propositional Temporal Logic with Past Captures Timeline-based Planning with Bounded Constraints’. In: Proceedings of the 26th International Joint Conference on Artificial Intelligence. Ed. by Carles Sierra. 2017, pp. 1008–1014.
[ICAPS 2017] Nicola Gigante, Angelo Montanari, Marta Cialdea Mayer and Andrea Orlandini. ‘Complexity of Timeline-Based Planning’. In: Proceedings of the 27th International Conference on Automated Planning and Scheduling. Ed. by Laura Barbulescu, Jeremy Frank, Mausam and Stephen F. Smith. AAAI Press, 2017, pp. 116–124. url: https://aaai.org/ocs/index.php/ICAPS/ICAPS17/paper/view/15758
[LPAR-21] Nicola Gigante, Angelo Montanari and Mark Reynolds. ‘A One-Pass Tree-Shaped Tableau for LTL+Past’. In: Proceedings of the 21st International Conference on Logic for Programming, Artificial Intelligence and Reasoning. Ed. by Thomas Eiter and David Sands. Vol. 46. EPiC Series in Computing. EasyChair, 2017, pp. 456–473.
[IJCAI 2016] Matteo Bertello, Nicola Gigante, Angelo Montanari and Mark Reynolds. ‘Leviathan: A New LTL Satisfiability Checking Tool Based on a One-Pass Tree-Shaped Tableau’. In: Proceedings of the 25th International Joint Conference on Artificial Intelligence. Ed. by Subbarao Kambhampati. IJCAI/AAAI Press, 2016, pp. 950–956.
[TIME 2016] Nicola Gigante, Angelo Montanari, Marta Cialdea Mayer and Andrea Orlandini. ‘Timelines Are Expressive Enough to Capture Action-Based Temporal Planning’. In: Proceedings of the 23rd International Symposium on Temporal Representation and Reasoning. Ed. by Curtis E. Dyreson, Michael R. Hansen and Luke Hunsberger. IEEE Computer Society, 2016, pp. 100–109.

BIBLIOGRAPHY

[1] Pietro Abate, Rajeev Goré and Florian Widmann. ‘An On-the-fly Tableau-based Decision Procedure for PDL-satisfiability’. In: Electronic Notes in Theoretical Computer Science 231 (2009), pp. 191–209.
[2] European Space Agency. APSI - Advanced Planning and Scheduling Initiative.
url: https://essr.esa.int/project/apsi-advanced-planning-and-scheduling-initiative (visited on 07/01/2019).
[3] European Space Agency. Mars Express detects liquid water hidden under planet’s south pole. (visited on 31/10/2018).
[4] James F. Allen. ‘Maintaining Knowledge about Temporal Intervals’. In: Communications of the ACM.
[5] Rajeev Alur and Thomas A. Henzinger. ‘Real-Time Logics: Complexity and Expressiveness’. In: Information and Computation.
[6] Rajeev Alur and Thomas A. Henzinger. ‘A Really Temporal Logic’. In: Journal of the ACM.
[7] Rajeev Alur, Thomas A. Henzinger and Orna Kupferman. ‘Alternating-time Temporal Logic’. In: Journal of the ACM.
[8] Fahiem Bacchus and Froduald Kabanza. ‘Planning for Temporally Extended Goals’. In: Annals of Mathematics in Artificial Intelligence.
[9] Christer Bäckström. ‘Computational Complexity of Reasoning about Plans’. PhD thesis. Linköping University, 1999.
[10] Christer Bäckström and Peter Jonsson. ‘Time and Space Bounds for Planning’. In: Journal of Artificial Intelligence Research 60 (2017), pp. 595–638.
[11] Christer Bäckström, Peter Jonsson, Sebastian Ordyniak and Stefan Szeider. ‘A complete parameterized complexity analysis of bounded planning’. In: Journal of Computer and System Sciences.
[12] Tania Bedrax-Weiss, Conor McGann, Andrew Bachmann, Will Edgington and Michael Iatauro. EUROPA2: User and contributor guide. Tech. rep. NASA Ames Research Center, 2005.
[13] Michael Beetz and Drew McDermott. ‘Improving Robot Plans During Their Execution’. In: Proc. of the International Conference on Artificial Intelligence Planning Systems (AIPS). 1994.
[14] Sara Bernardini. ‘Constraint-based temporal planning: issues in domain modelling and search control’. PhD thesis. University of Trento, Italy, 2008.
[15] Sara Bernardini and David E. Smith. ‘Developing Domain-Independent Search Control for Europa2’.
In: Proceedings of the ICAPS 2007 Workshop on Heuristics for Domain-Independent Planning. 2007.
[16] Sara Bernardini and David E. Smith. ‘Translating PDDL2.2. into a Constraint-based Variable/Value Language’. In: Proceedings of the ICAPS 2008 Workshop on Heuristics for Domain-Independent Planning. 2008.
[17] Matteo Bertello. Leviathan LTL satisfiability tool GitHub repository. url: https://github.com/Corralx/leviathan (visited on 31/10/2018).
[18] Evert W. Beth. ‘Semantic Entailment and Formal Derivability’. In: Koninklijke Nederlandse Akademie van Wetenschappen, Proceedings of the Section of Sciences 18 (1955), pp. 309–342.
[19] Armin Biere, Marijn Heule, Hans van Maaren and Toby Walsh, eds. Handbook of Satisfiability. Vol. 185. Frontiers in Artificial Intelligence and Applications. IOS Press, 2009. isbn: 978-1-58603-929-5.
[20] Avrim Blum and Merrick L. Furst. ‘Fast Planning Through Planning Graph Analysis’. In: Artificial Intelligence.
[21] Laura Bozzelli, Alberto Molinari, Angelo Montanari and Adriano Peron. ‘Complexity of Timeline-Based Planning over Dense Temporal Domains: Exploring the Middle Ground’. In: Proceedings of the 9th International Symposium on Games, Automata, Logics, and Formal Verification. Ed. by Andrea Orlandini and Martin Zimmermann. Vol. 277. EPTCS. 2018, pp. 191–205.
[22] Laura Bozzelli, Alberto Molinari, Angelo Montanari and Adriano Peron. ‘Decidability and Complexity of Timeline-Based Planning over Dense Temporal Domains’. In: Proceedings of the 16th International Conference on Principles of Knowledge Representation and Reasoning. Ed. by Michael Thielscher, Francesca Toni and Frank Wolter. AAAI Press, 2018, pp. 627–628. url: https://aaai.org/ocs/index.php/KR/KR18/paper/view/17995
[23] Aaron R. Bradley. ‘Understanding IC3’. In: . 2012, pp. 1–14.
[24] Tom Bylander. ‘The Computational Complexity of Propositional STRIPS Planning’. In: Artificial Intelligence.
[25] Alberto Camacho, Eleni Triantafillou, Christian Muise, Jorge A.
Baier and Sheila A. McIlraith. ‘Non-Deterministic Planning with Temporally Extended Goals: LTL over Finite and Infinite Traces’. In: Proc. of the 31st AAAI Conference on Artificial Intelligence. 2017.
[26] Michael Cashmore, Maria Fox, Derek Long and Daniele Magazzeni. ‘A Compilation of the Full PDDL+ Language into SMT’. In: Proceedings of the 26th International Conference on Automated Planning and Scheduling. Ed. by Amanda Jane Coles, Andrew Coles, Stefan Edelkamp, Daniele Magazzeni and Scott Sanner. AAAI Press, 2016, pp. 79–87.
[27] Ana R. Cavalli and Luis Fariñas del Cerro. ‘A Decision Method for Linear Temporal Logic’. In: Proceedings of the 7th International Conference on Automated Deduction. Ed. by Robert E. Shostak. Vol. 170. Lecture Notes in Computer Science. Springer, 1984, pp. 113–127.
[28] Amedeo Cesta, Gabriella Cortellessa, Michel Denis, Alessandro Donati, Simone Fratini, Angelo Oddi, Nicola Policella, Erhard Rabenau and Jonathan Schulster. ‘Mexar2: AI Solves Mission Planner Problems’. In: IEEE Intelligent Systems.
[29] Amedeo Cesta, Gabriella Cortellessa, Simone Fratini, Angelo Oddi and Nicola Policella. ‘Software Companion: The Mexar2 Support to Space Mission Planners’. In: Proceedings of the 17th European Conference on Artificial Intelligence. Ed. by Gerhard Brewka, Silvia Coradeschi, Anna Perini and Paolo Traverso. Vol. 141. Frontiers in Artificial Intelligence and Applications. IOS Press, 2006, pp. 622–626.
[30] Amedeo Cesta, Gabriella Cortellessa, Simone Fratini, Angelo Oddi and Nicola Policella. ‘An Innovative Product for Space Mission Planning: An A Posteriori Evaluation’. In: Proceedings of the 17th International Conference on Automated Planning and Scheduling. Ed. by Mark S. Boddy, Maria Fox and Sylvie Thiébaux. AAAI, 2007, pp. 57–64.
[31] Amedeo Cesta, Gabriella Cortellessa, Andrea Orlandini and Alessandro Umbrico. ‘A Cognitive Architecture for Autonomous Assistive Robots’. In: ERCIM News. url: https://ercim-news.ercim.eu/en114/special/a-cognitive-architecture-for-autonomous-assistive-robots
[32] Amedeo Cesta, Simone Fratini and Federico Pecora. ‘Unifying planning and scheduling as timelines in a component-based perspective’. In: Archives of Control Science. issn: 1230-2384.
[33] Amedeo Cesta and Angelo Oddi. ‘A Formal Domain Description Language for a Temporal Planner’. In: Proceedings of the 4th Congress of the Italian Association for Artificial Intelligence. Ed. by Marco Gori and Giovanni Soda. Vol. 992. Lecture Notes in Computer Science. Springer, 1995, pp. 255–260.
[34] Amedeo Cesta and Angelo Oddi. ‘DDL.1: A Formal Description of a Constraint Representation Language for Physical Domains’. In: New directions in AI planning. Ed. by Malik Ghallab and Alfredo Milani. IOS Press, 1996.
[35] Amedeo Cesta, Lorenzo Molinari Tosatti, Andrea Orlandini, Nicola Pedrocchi, Stefania Pellegrinelli, Tullio Tolio and Alessandro Umbrico. ‘Planning and Execution with Robot Trajectory Generation in Industrial Human-Robot Collaboration’. In: Proceedings of the 4th Italian Workshop on Artificial Intelligence and Robotics. Ed. by Salvatore Maria Anzalone, Alessandro Farinelli, Alberto Finzi and Fulvio Mastrogiovanni. Vol. 2054. CEUR Workshop Proceedings. CEUR-WS.org, 2017, pp. 47–52. url: http://ceur-ws.org/Vol-2054/paper8.pdf
[36] Steve A. Chien, Mark Johnston, Jeremy Frank, Mark Giuliano, Alicia Kavelaars, Christoph Lenzen and Nicola Policella. ‘A Generalized Timeline Representation, Services, and Interface for Automating Space Mission Operations’. In: Proceedings of the 12th International Conference on Space Operations. 2012.
[37] Steve A. Chien, Gregg Rabideau, Russell L. Knight, Rob Sherwood, Barbara E. Engelhardt, D. Mutz, Tara Estlin, B. Smith, Forest Fisher, T. Barrett, G. Stebbins and Daniel Tran. ‘ASPEN - Automating Space Mission Operations using Automated Planning and Scheduling’.
In: Proceedings of the International Conference on Space Operations. 2000.
[38] Steve A. Chien, Gregg Rabideau, Daniel Tran, Martina Troesch, Joshua Doubleday, Federico Nespoli, Miguel Perez Ayucar, Marc Costa Sitja, Claire Vallat, Bernhard Geiger, Nico Altobelli, Manuel Fernandez, Fran Vallejo, Rafael Andres and Michael Kueppers. ‘Activity-Based Scheduling of Science Campaigns for the Rosetta Orbiter’. In: Proceedings of the 24th International Joint Conference on Artificial Intelligence. Ed. by Qiang Yang and Michael Wooldridge. AAAI Press, 2015, pp. 4416–4422. url: http://ijcai.org/Abstract/15/655
[39] Steve A. Chien, Rob Sherwood, Daniel Tran, Benjamin Cichy, Gregg Rabideau, Rebecca Castaño, Ashley Davies, Rachel Lee, Dan Mandl, Stuart Frye, Bruce Trout, Jerry Hengemihle, Jeff D’Agostino, Seth Shulman, Stephen G. Ungar, Thomas Brakke, Darrell Boyer, Jim Van Gaasbeck, Ronald Greeley, Thomas Doggett, Victor R. Baker, James M. Dohm and Felipe Ip. ‘The EO-1 Autonomous Science Agent’. In: . IEEE Computer Society, 2004, pp. 420–427.
[40] Luca Chittaro and Angelo Montanari. ‘Temporal representation and reasoning in artificial intelligence: Issues and approaches’. In: Annals of Mathematics in Artificial Intelligence.
[41] Bogdan S. Chlebus. ‘Domino-Tiling Games’. In: Journal of Computer and System Sciences.
[42] Marta Cialdea Mayer, Carla Limongelli, Andrea Orlandini and Valentina Poggioni. ‘Linear temporal logic as an executable semantics for planning languages’. In: Journal of Logic, Language and Information.
[43] Marta Cialdea Mayer and Andrea Orlandini. ‘An Executable Semantics of Flexible Plans in Terms of Timed Game Automata’. In: Proceedings of the 22nd International Symposium on Temporal Representation and Reasoning. Ed. by Fabio Grandi, Martin Lange and Alessio Lomuscio. IEEE Computer Society, 2015, pp. 160–169.
[44] Marta Cialdea Mayer, Andrea Orlandini and Alessandro Umbrico.
‘Planning and execution with flexible timelines: a formal account’. In: Acta Informatica.
[45] Alessandro Cimatti, Edmund M. Clarke, Enrico Giunchiglia, Fausto Giunchiglia, Marco Pistore, Marco Roveri, Roberto Sebastiani and Armando Tacchella. ‘NuSMV 2: An OpenSource Tool for Symbolic Model Checking’. In: Proceedings of the 14th International Conference on Computer Aided Verification. Ed. by Ed Brinksma and Kim Guldstrand Larsen. Vol. 2404. Lecture Notes in Computer Science. Springer, 2002, pp. 359–364.
[46] Alessandro Cimatti, Minh Do, Andrea Micheli, Marco Roveri and David E. Smith. ‘Strong temporal planning with uncontrollable durations’. In: Artificial Intelligence 256 (2018), pp. 1–34.
[47] Alessandro Cimatti, Andrea Micheli and Marco Roveri. ‘Timelines with Temporal Uncertainty’. In: Proceedings of the 27th AAAI Conference on Artificial Intelligence. Ed. by Marie desJardins and Michael L. Littman. AAAI Press, 2013.
[48] Alessandro Cimatti, Andrea Micheli and Marco Roveri. ‘Validating Domains and Plans for Temporal Planning via Encoding into Infinite-State Linear Temporal Logic’. In: Proceedings of the 31st AAAI Conference on Artificial Intelligence. Ed. by Satinder P. Singh and Shaul Markovitch. AAAI Press, 2017, pp. 3547–3554. url: http://aaai.org/ocs/index.php/AAAI/AAAI17/paper/view/14311
[49] Alessandro Cimatti, Marco Pistore, Marco Roveri and Paolo Traverso. ‘Weak, strong, and strong cyclic planning via symbolic model checking’. In: Artificial Intelligence.
[50] … Handbook of Model Checking. Springer, 2018. isbn: 978-3-319-10574-1.
[51] Marcello D’Agostino, Dov M. Gabbay, Reiner Hähnle and Joachim Posegga, eds. Handbook of Tableau Methods. Springer, 1999. isbn: 978-0-7923-5627-1.
[52] Martin Davis and Hilary Putnam. ‘A Computing Procedure for Quantification Theory’. In: Journal of the ACM. issn: 0004-5411.
[53] Giuseppe De Giacomo and Moshe Y. Vardi.
‘Automata-Theoretic Approach to Planning for Temporally Extended Goals’. In: Proceedings of the 5th European Conference on Planning. Ed. by Susanne Biundo and Maria Fox. Vol. 1809. Lecture Notes in Computer Science. Springer, 1999, pp. 226–238.
[54] Daniel Díaz, Amedeo Cesta, Angelo Oddi, Riccardo Rasconi and María Dolores Rodríguez-Moreno. ‘Efficient Power-Aware Resource Constrained Scheduling and Execution for Planetary Rovers’. In: Proceedings of the 14th International Conference of the Italian Association for Artificial Intelligence. Ed. by Marco Gavanelli, Evelina Lamma and Fabrizio Riguzzi. Vol. 9336. Lecture Notes in Computer Science. Springer, 2015, pp. 383–396.
[55] Alessandro Donati, Nicola Policella, Erhard Rabenau, Giovanni Righini and Emanuele Tresoldi. ‘An Automatic Planning and Scheduling System for the Mars Express Uplink Scheduling Problem’. In: IEEE Transactions on Systems, Man, and Cybernetics, Part C.
[56] Rüdiger Ehlers, Stéphane Lafortune, Stavros Tripakis and Moshe Y. Vardi. ‘Supervisory control and reactive synthesis: a comparative introduction’. In: Discrete Event Dynamic Systems.
[57] Richard Fikes and Nils J. Nilsson. ‘STRIPS: A New Approach to the Application of Theorem Proving to Problem Solving’. In: Artificial Intelligence.
[58] Michael Fisher, Clare Dixon and Martin Peim. ‘Clausal temporal resolution’. In: ACM Transactions on Computational Logic.
[59] Maria Fox and Derek Long. ‘PDDL2.1: An Extension to PDDL for Expressing Temporal Planning Domains’. In: Journal of Artificial Intelligence Research.
[60] … In: Journal of Artificial Intelligence Research 27 (2006), pp. 235–297.
[61] Jeremy Frank. ‘What is a Timeline?’ In: Proceedings of the 4th Workshop on Knowledge Engineering for Planning and Scheduling. 2013, pp. 31–38.
[62] Jeremy Frank and Ari K. Jónsson. ‘Constraint-Based Attribute and Interval Planning’.
In: Constraints.
[63] Simone Fratini, Amedeo Cesta, Andrea Orlandini, Riccardo Rasconi and Riccardo De Benedictis. ‘APSI-based Deliberation in Goal Oriented Autonomous Controllers’. In: ASTRA 2011. Vol. 11. ESA, 2011.
[64] Simone Fratini and L. Donati. APSI Timeline Representation Framework v. 3.0. Tech. rep. European Space Agency - ESOC, 2011.
[65] Dov M. Gabbay, Ian Hodkinson and Mark Reynolds. Temporal Logic: Mathematical Foundations and Computational Aspects. Vol. 1. Oxford University Press, 1994. isbn: 978-0198537694.
[66] Dov M. Gabbay, Amir Pnueli, Saharon Shelah and Jonathan Stavi. ‘On the Temporal Basis of Fairness’. In: Proceedings of the 7th Annual ACM Symposium on Principles of Programming Languages. Ed. by Paul W. Abrahams, Richard J. Lipton and Stephen R. Bourne. ACM Press, 1980, pp. 163–173.
[67] Alfonso Gerevini, Patrik Haslum, Derek Long, Alessandro Saetti and Yannis Dimopoulos. ‘Deterministic planning in the fifth international planning competition: PDDL3 and experimental evaluation of the planners’. In: Artificial Intelligence.
[68] Malik Ghallab and Hervé Laruelle. ‘Representation and Control in IxTeT, a Temporal Planner’. In: Proceedings of the 2nd International Conference on Artificial Intelligence Planning Systems. Ed. by Kristian J. Hammond. AAAI, 1994, pp. 61–67.
[69] Dimitra Giannakopoulou and Flavio Lerda. ‘From States to Transitions: Improving Translation of LTL Formulae to Büchi Automata’. In: Formal Techniques for Networked and Distributed Systems. 2002, pp. 308–326.
[70] Valentin Goranko and Antony Galton. ‘Temporal Logic’. In: The Stanford Encyclopedia of Philosophy. Ed. by Edward N. Zalta. Winter 2015. Metaphysics Research Lab, Stanford University, 2015.
[71] Valentin Goranko, Angelo Kyrilov and Dmitry Shkatov. ‘Tableau Tool for Testing Satisfiability in LTL: Implementation and Experimental Analysis’. In: Electronic Notes in Theoretical Computer Science 262 (2010), pp. 113–125.
[72] Zyad Hassan, Aaron R. Bradley and Fabio Somenzi. ‘Better generalization in IC3’. In: Formal Methods in Computer-Aided Design. 2013, pp. 157–164.
[73] Thomas A. Henzinger. ‘The Theory of Hybrid Automata’. In: Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science. IEEE Computer Society, 1996, pp. 278–292.
[74] Jörg Hoffmann and Bernhard Nebel. ‘The FF Planning System: Fast Plan Generation Through Heuristic Search’. In: Journal of Artificial Intelligence Research.
[75] … IEEE Computer Society, 2013, pp. 349–357.
[76] Ullrich Hustadt and Boris Konev. ‘TRP++2.0: A Temporal Resolution Prover’. In: Proc. of the 19th International Conference on Automated Deduction. 2003, pp. 274–278.
[77] David S. Johnson. ‘A Catalog of Complexity Classes’. In: Handbook of Theoretical Computer Science, Volume A: Algorithms and Complexity. 1990, pp. 67–161.
[78] Leslie P. Kaelbling, Michael L. Littman and Anthony R. Cassandra. ‘Planning and acting in partially observable stochastic domains’. In: Artificial Intelligence.
[79] … In: Proceedings of the 10th European Conference on Artificial Intelligence. 1992, pp. 359–363.
[80] Henry A. Kautz and Bart Selman. ‘Unifying SAT-based and Graph-based Planning’. In: Proceedings of the 16th International Joint Conference on Artificial Intelligence. Ed. by Thomas Dean. Morgan Kaufmann, 1999, pp. 318–325. url: http://ijcai.org/Proceedings/99-1/Papers/047.pdf
[81] Yonit Kesten, Zohar Manna, Hugh McGuire and Amir Pnueli. ‘A Decision Algorithm for Full Propositional Temporal Logic’. In: Proceedings of the 5th International Conference on Computer Aided Verification. Vol. 697. LNCS. Springer, 1993, pp. 97–109.
[82] Ron Koymans. ‘Specifying Real-Time Properties with Metric Temporal Logic’. In: Real-Time Systems.
[83] Martin Leucker and Christian Schallhart. ‘A brief account of runtime verification’. In: Journal of Logic and Algebraic Programming.
[84] L.A. Levin.
‘Universal Sequential Search Problems’. In: Problems in Information Transmission.
[85] … Unsolvable Classes of Quantificational Formulas. Addison-Wesley, Reading, Mass., 1979. isbn: 0201040697.
[86] Jianwen Li, Yinbo Yao, Geguang Pu, Lijun Zhang and Jifeng He. ‘Aalta: an LTL satisfiability checker over Infinite/Finite traces’. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. Ed. by Shing-Chi Cheung, Alessandro Orso and Margaret-Anne D. Storey. ACM, 2014, pp. 731–734.
[87] Jianwen Li, Lijun Zhang, Geguang Pu, Moshe Y. Vardi and Jifeng He. ‘LTL Satisfiability Checking Revisited’. In: Proceedings of the 20th International Symposium on Temporal Representation and Reasoning. 2013, pp. 91–98.
[88] Jianwen Li, Shufang Zhu, Geguang Pu and Moshe Y. Vardi. ‘SAT-Based Explicit LTL Reasoning’. In: Proceedings of the 11th International Haifa Verification Conference. Ed. by Nir Piterman. Vol. 9434. Lecture Notes in Computer Science. Springer, 2015, pp. 209–224.
[89] Orna Lichtenstein and Amir Pnueli. ‘Propositional Temporal Logics: Decidability and Completeness’. In: Logic Journal of the IGPL.
[90] Orna Lichtenstein, Amir Pnueli and Lenore D. Zuck. ‘The Glory of the Past’. In: Proceedings of the 1st Conference on Logics of Programs. Ed. by Rohit Parikh. Vol. 193. Lecture Notes in Computer Science. Springer, 1985, pp. 196–218.
[91] Michael L. Littman. ‘Probabilistic Propositional Planning: Representations and Complexity’. In: Proceedings of the 14th National Conference on Artificial Intelligence and the 9th Innovative Applications of Artificial Intelligence Conference. Ed. by Benjamin Kuipers and Bonnie L. Webber. AAAI Press / The MIT Press, 1997, pp. 748–754.
[92] Michael L. Littman, Judy Goldsmith and Martin Mundhenk. ‘The Computational Complexity of Probabilistic Planning’. In: Journal of Artificial Intelligence Research.
[93] Omid Madani, Steve Hanks and Anne Condon.
‘On the undecidability of probabilistic planning and related stochastic optimization problems’. In: Artificial Intelligence.
[94] Zohar Manna and Amir Pnueli. Temporal Verification of Reactive Systems - Safety. Springer, 1995. isbn: 978-0-387-94459-3.
[95] Nicolas Markey. ‘Temporal logic with past is exponentially more succinct’. In: Bulletin of the EATCS 79 (2003), pp. 122–128.
[96] Joao P. Marques-Silva and Karem A. Sakallah. ‘GRASP: a search algorithm for propositional satisfiability’. In: IEEE Transactions on Computers. issn: 0018-9340.
[97] John Christopher McCabe-Dansted and Mark Reynolds. ‘A Parallel Linear Temporal Logic Tableau’. In: Proceedings of the 8th International Symposium on Games, Automata, Logics and Formal Verification. Ed. by Patricia Bouyer, Andrea Orlandini and Pierluigi San Pietro. Vol. 256. EPTCS. 2017, pp. 166–179.
[98] John McCarthy and Patrick J. Hayes. ‘Some Philosophical Problems from the Standpoint of Artificial Intelligence’. In: Machine Intelligence 4. Ed. by B. Meltzer and D. Michie. Edinburgh University Press, 1969, pp. 463–502.
[99] Drew McDermott, Malik Ghallab, Adele Howe, Craig Knoblock, Ashwin Ram, Manuela Veloso, Daniel Weld and David Wilkins. PDDL - The Planning Domain Definition Language. Tech. rep. Technical Report TR98003. Yale Center for Computational Vision and Control, 1997.
[100] Christian Muise, Sheila A. McIlraith and J. Christopher Beck. ‘Improved Non-Deterministic Planning by Exploiting State Relevance’. In: Proc. of the 22nd International Conference on Automated Planning and Scheduling. 2012.
[101] Christian Muise, Sheila A. McIlraith and Vaishak Belle. ‘Non-Deterministic Planning With Conditional Effects’. In: Proc. of the 24th International Conference on Automated Planning and Scheduling. 2014.
[102] Martin Mundhenk, Judy Goldsmith, Christopher Lusena and Eric Allender. ‘Complexity of finite-horizon Markov decision process problems’.
In: Journal of the ACM.
[103] Nicola Muscettola. ‘HSTS: Integrating Planning and Scheduling’. In: Intelligent Scheduling. Ed. by Monte Zweben and Mark S. Fox. Morgan Kaufmann, 1994. Chap. 6, pp. 169–212.
[104] Nicola Muscettola, P. Pandurang Nayak, Barney Pell and Brian C. Williams. ‘Remote Agent: To Boldly Go Where No AI System Has Gone Before’. In: Artificial Intelligence.
[105] Nicola Muscettola, Stephen F. Smith, Amedeo Cesta and Daniela D’Aloisi. ‘Coordinating space telescope operations in an integrated planning and scheduling architecture’. In: IEEE Control Systems 12.1 (1992), pp. 28–37.
[106] Allen Newell and J. C. Shaw. ‘Programming the Logic Theory Machine’. In: Papers Presented at the Western Joint Computer Conference: Techniques for Reliability. IRE-AIEE-ACM ’57 (Western). ACM, 1957, pp. 230–240.
[107] Allen Newell, J. C. Shaw and Herbert A. Simon. ‘Report on a general problem-solving program’. In: Proceedings of the 1st International Conference on Information Processing. 1959, pp. 256–264.
[108] Andrea Orlandini, Alberto Finzi, Amedeo Cesta and Simone Fratini. ‘TGA-Based Controllers for Flexible Plan Execution’. In: Proceedings of the 34th Annual German Conference on Artificial Intelligence. Ed. by Joscha Bach and Stefan Edelkamp. Vol. 7006. Lecture Notes in Computer Science. Springer, 2011, pp. 233–245.
[109] Andrea Orlandini, Marco Suriano, Amedeo Cesta and Alberto Finzi. ‘Controller Synthesis for Safety Critical Planning’. In: Proceedings of the 25th IEEE International Conference on Tools with Artificial Intelligence. IEEE Computer Society, 2013, pp. 306–313.
[110] R. Orosei, S. E. Lauro, E. Pettinelli, A. Cicchetti, M. Coradini, B. Cosciotti, F. Di Paolo, E. Flamini, E. Mattei, M. Pajola, F. Soldovieri, M. Cartacci, F. Cassenti, A. Frigeri, S. Giuppi, R. Martufi, A. Masdea, G. Mitri, C. Nenna, R. Noschese, M. Restano and R. Seu. ‘Radar evidence of subglacial liquid water on Mars’. In: Science (2018). issn: 0036-8075.
url: http://science.sciencemag.org/content/early/2018/07/24/science.aar7268
[111] Christos H. Papadimitriou. Computational complexity. Addison-Wesley, 1994. isbn: 978-0-201-53082-7.
[112] F. Patrizi, N. Lipovetzky and H. Geffner. ‘Fair LTL Synthesis for Non-Deterministic Systems Using Strong Cyclic Planners’. In: Proc. of the 23rd International Joint Conference on Artificial Intelligence. 2014.
[113] Amir Pnueli. ‘The Temporal Logic of Programs’. In: Proceedings of the 18th Annual Symposium on Foundations of Computer Science. IEEE Computer Society, 1977, pp. 46–57.
[114] Arthur N. Prior. Time and modality. John Locke lectures. Clarendon Press Oxford, 1957.
[115] Mark Reynolds. ‘More Past Glories’. In: Proceedings of the 15th Annual IEEE Symposium on Logic in Computer Science. IEEE Computer Society, 2000, pp. 229–240.
[116] Mark Reynolds. ‘A New Rule for LTL Tableaux’. In: Proc. of the 7th International Symposium on Games, Automata, Logics and Formal Verification. Vol. 226. EPTCS. 2016, pp. 287–301.
[117] Jussi Rintanen. ‘Complexity of Probabilistic Planning under Average Rewards’. In: Proceedings of the 17th International Joint Conference on Artificial Intelligence. Ed. by Bernhard Nebel. Morgan Kaufmann, 2001, pp. 503–508.
[118] Jussi Rintanen. ‘Complexity of Planning with Partial Observability’. In: Proceedings of the 14th International Conference on Automated Planning and Scheduling. Ed. by Shlomo Zilberstein, Jana Koehler and Sven Koenig. AAAI, 2004, pp. 345–354.
[119] Jussi Rintanen. ‘Complexity of Concurrent Temporal Planning’. In: Proceedings of the 17th International Conference on Automated Planning and Scheduling. Ed. by Mark S. Boddy, Maria Fox and Sylvie Thiébaux. AAAI, 2007, pp. 280–287.
[120] Jussi Rintanen, Keijo Heljanko and Ilkka Niemelä. ‘Planning as Satisfiability: Parallel Plans and Algorithms for Plan Search’.
In: Artificial Intelligence.
[121] … In: International Journal on Software Tools for Technology Transfer.
[122] … In: Proc. of the 2nd Frege Conference. Vol. 20. Mathematische Forschung. Akademic Verlag, 1984, pp. 354–363.
[123] Walter J. Savitch. ‘Relationships Between Nondeterministic and Deterministic Tape Complexities’. In: Journal of Computer and System Sciences.
[124] Viktor Schuppan and Luthfi Darmawan. ‘Evaluating LTL Satisfiability Solvers’. In: Proceedings of the 9th International Symposium on Automated Technology for Verification and Analysis. 2011, pp. 397–413.
[125] Wilko Schwarting, Javier Alonso-Mora and Daniela Rus. ‘Planning and Decision-Making for Autonomous Vehicles’. In: Annual Review of Control, Robotics, and Autonomous Systems.
[126] Stefan Schwendimann. ‘A New One-Pass Tableau Calculus for PLTL’. In: Proceedings of the 7th International Conference on Automated Reasoning with Analytic Tableaux and Related Methods. Vol. 1397. LNCS. Springer, 1998, pp. 277–292.
[127] A. Prasad Sistla and Edmund M. Clarke. ‘The Complexity of Propositional Linear Temporal Logics’. In: Journal of the ACM.
[128] David E. Smith, Jeremy Frank and William Cushing. ‘The ANML Language’. In: Proceedings of the ICAPS 2008 Workshop on Knowledge Engineering for Planning and Scheduling. 2008.
[129] David E. Smith, Jeremy Frank and Ari K. Jónsson. ‘Bridging the gap between planning and scheduling’. In: The Knowledge Engineering Review.
[130] … In: Journal of Logic and Computation.
[131] … Sutcliffe and Cesare Tinelli. ‘StarExec: A Cross-Community Infrastructure for Logic Solving’. In: Proceedings of the 7th International Joint Conference on Automated Reasoning. 2014, pp. 367–373.
[132] Martin Suda and Christoph Weidenbach. ‘A PLTL-Prover Based on Labelled Superposition with Partial Model Guidance’. In: Proceedings of the 6th International Joint Conference on Automated Reasoning. Vol. 7364. LNCS. Springer, 2012, pp. 537–543.
[133] Alan M. Turing.
‘Computing machinery and intelligence’. In: Mind LIX.236 (1950), pp. 433–460.
[134] Alessandro Umbrico, Amedeo Cesta, Marta Cialdea Mayer and Andrea Orlandini. ‘PLATINUm: A New Framework for Planning and Acting’. In: Proceedings of the 16th International Conference of the Italian Association for Artificial Intelligence. Ed. by Floriana Esposito, Roberto Basili, Stefano Ferilli and Francesca A. Lisi. Vol. 10640. Lecture Notes in Computer Science. Springer, 2017, pp. 498–512.
[135] Alessandro Umbrico, Amedeo Cesta, Marta Cialdea Mayer and Andrea Orlandini. ‘Integrating Resource Management and Timeline-Based Planning’. In: Proceedings of the 28th International Conference on Automated Planning and Scheduling. Ed. by Mathijs de Weerdt, Sven Koenig, Gabriele Röger and Matthijs T. J. Spaan. AAAI Press, 2018, pp. 264–272. url: https://aaai.org/ocs/index.php/ICAPS/ICAPS18/paper/view/17773
[136] Peter van Emde Boas. ‘The convenience of tilings’. In: Complexity, Logic, and Recursion Theory. Ed. by Andrea Sorbi. Vol. 187. Lecture Notes in Pure and Applied Mathematics. Marcel Dekker Inc., 1997, pp. 331–363.
[137] G. Venkatesh. ‘A Decision Method for Temporal Logic Based on Resolution’. In: Proc. of the 5th Conference on Foundations of Software Technology and Theoretical Computer Science. Vol. 206. LNCS. Springer, 1985, pp. 272–289.
[138] Thierry Vidal and Hélène Fargier. ‘Handling contingency in temporal constraint networks: from consistency to controllabilities’. In: Journal of Experimental and Theoretical Artificial Intelligence.
[139] Hao Wang. ‘Proving Theorems by Pattern Recognition I’. In: Communications of the ACM.
[140] Martin Wehrle and Jussi Rintanen. ‘Planning as Satisfiability with Relaxed ∃-Step Plans’. In: Proceedings of the 20th Australian Joint Conference on Artificial Intelligence. 2007, pp. 244–253.
[141] Pierre Wolper. ‘Temporal Logic Can Be More Expressive’. In: Information and Control. doi: 10.1016/S0019-9958(83)80051-5