Rewriting Logic Semantics of a Plan Execution Language Authors in alphabetical order.
Abstract
The Plan Execution Interchange Language (PLEXIL) is a synchronous language developed by NASA to support autonomous spacecraft operations. In this paper, we propose a rewriting logic semantics of PLEXIL in Maude, a highperformance logical engine. The rewriting logic semantics is by itself a formal interpreter of the language and can be used as a semantic benchmark for the implementation of PLEXIL executives. The implementation in Maude has the additional benefit of making available to PLEXIL designers and developers all the formal analysis and verification tools provided by Maude. The formalization of the PLEXIL semantics in rewriting logic poses an interesting challenge due to the synchronous nature of the language and the prioritized rules defining its semantics. To overcome this difficulty, we propose a general procedure for simulating synchronous set relations in rewriting logic that is sound and, for deterministic relations, complete. We also report on two issues at the design level of the original PLEXIL semantics that were identified with the help of the executable specification in Maude.
1Introduction
Synchronous languages were introduced in the 1980s to program reactive systems, i.e., systems whose behavior is determined by their continuous reaction to the environment where they are deployed. Synchronous languages are often used to program embedded applications and automatic control software. The family of synchronous languages is characterized by the synchronous hypothesis, which states that a reactive system is arbitrarily fast and able to react immediately in no time to stimuli from the external environment. One of the main consequences of the synchronous hypothesis is that components running in parallel are perfectly synchronized and cannot arbitrarily interleave. The implementation of a synchronous language usually requires the simulation of the synchronous semantics into an asynchronous computation model. This simulation must ensure the validity of the synchronous hypothesis in the target asynchronous model.
The Plan Execution Interchange Language (PLEXIL) [9] is a synchronous language developed by NASA to support autonomous spacecraft operations. Space mission operations require flexible, efficient and reliable plan execution. The computer system on board the spacecraft that executes plans is called the executive and it is a safetycritical component of the space mission. The Universal Executive (UE) [20] is an open source PLEXIL executive developed by NASA
Given the critical nature of spacecraft operations, PLEXIL’s operational semantics has been formally defined [8] and several properties of the language, such as determinism and compositionality, have been mechanically verified [7] in the Prototype Verification System (PVS) [13]. The formal smallstep semantics is defined using a compositional layer of five reduction relations on sets of nodes. These nodes are the building blocks of a PLEXIL plan and represent the hierarchical decomposition of tasks. The atomic relation describes the execution of an individual node in terms of state transitions triggered by changes in the environment. The micro relation describes the synchronous reduction of the atomic relation with respect to the maximal redexes strategy, i.e., the synchronous application of the atomic relation to the maximal set of nodes of a plan. The remaining three relations are the quiescence relation, the macro relation and the execution relation which describe the reduction of the micro relation until normalization, the interaction of a plan with the external environment, and the iteration of the macro relation corresponding to timesteps, respectively. From an operational point of view, PLEXIL is more complex than general purpose synchronous languages such as Esterel [2] or Lustre [4]. PLEXIL is designed specifically for flexible and reliable command execution in autonomy applications.
In this paper, we propose a rewriting logic semantics of PLEXIL in Maude [5] that complements the smallstep structural operational semantics written in PVS. In contrast to the PVS higherorder logic specification, the rewriting logic semantics of PLEXIL is executable and it is by itself an interpreter of the language. This interpreter is intended to be a semantic benchmark for validating the implementation of PLEXIL executives such as the Universal Executive and a testbed for designers of the language to study new features or possible variants of the language. Additionally, by using a graphical interface [15], PLEXIL developers will be able to exploit the formal analysis tools provided by Maude to verify properties of actual plans.
Rewriting logic is a logic of concurrent change in which a wide range of models of computation and logics can be faithfully represented. The rewriting semantics of a synchronous language such as PLEXIL poses interesting practical challenges because Maude implements the maximal concurrency of rewrite rules by interleaving concurrency. That is, although rewriting logic allows for concurrent synchronous specifications at the mathematical level, Maude executes the rewrite rules by interleaving concurrency. To overcome this situation, we develop a serialization procedure that allows for the simulation of a synchronous relation via set rewriting systems. This procedure is presented in a library of abstract set relations that we have written in PVS. The procedure is sound and complete for the synchronous closure of any deterministic relation under the maximal redexes strategy.
We are collaborating with the PLEXIL development team at NASA Ames by using the rewriting logic semantics of PLEXIL to validate the intended semantics of the language against a wide variety of plan examples. We report on two issues of PLEXIL’s original semantics that were discovered with the help of the rewriting logic semantics of PLEXIL presented in this paper: the first was found at the level of the atomic relation for which undesired interleaving semantics were introduced in some computations, and the second was found at the level of the micro relation for which spurious infinite loops were present in some computations. Solutions to both issues were provided by the authors, and have been adopted in the latest version of the PLEXIL semantics.
Summarizing, the contributions presented in this paper are:
The rewriting logic specification of the PLEXIL semantics.
A library of abstract set relations suitable for the definition and verification of synchronous relations.
A serialization procedure for the simulation of synchronous relations by rewriting, and an equational version of it in rewriting logic for deterministic synchronous relations.
The findings on two issues in the design of the original PLEXIL semantics, and the corresponding solutions that were adopted in an updated version of the language semantics.
Outline of the paper. Background on rewriting logic, and the connection between this logic and Structural Operational Semantics are summarized in Section 2. In Section 3 we present the library of set relations, including the soundness and completeness proof of the serialization procedure. Section 4 describes the rewriting logic semantics of PLEXIL. In Section 5 we discuss preliminary results. Related work and concluding remarks are presented in Section 6.
2Rewriting Logic and Structural Operational Semantics
Rewriting logic [11] is a general semantic framework that unifies in a natural way a wide range of models of concurrency. Language specifications can be executed in Maude, a highperformance rewriting logic implementation, and benefit from a wide set of formal analysis tools available to it, such as Maude’s LTL Model Checker.
A rewriting logic specification or theory is a tuple where:
is a membership equational logic theory with a signature having a set of kinds, a family of sets of operators, and a family of disjoint sets of sorts; a set of sentences, which are universally quantified Horn clauses with atoms that are equations and memberships , with terms and a sort; a set of “structural” axioms (typically associativity and/or commutativity and/or identity) such that there exists a matching algorithm modulo producing a finite number of matching substitutions; and
a set of universally quantified conditional rewrite rules of the form
where is a set of sorted variables, is a label, and are terms with variables among those in , and are sorts.
Intuitively, specifies a concurrent system, whose states are elements of the initial algebra specified by the theory and whose concurrent transitions are specified by the rules . Concurrent transitions are deduced according to the set of inference rules of rewriting logic, which are described in detail in [3] (together with a precise account of the more general forms of rewrite theories and their models). Using these inference rules, a rewrite theory proves a statement of the form , written as , meaning that, in , the state term can transition to the state term in a finite number of steps. A detailed discussion of rewriting logic as a unified model of concurrency and its inference system can be found in [11].
We have a onestep rewrite in iff we can find a term such that can be rewritten to using some rule in the standard way (see [6]), denoted , and we furthermore have . For arbitrary and , whether holds is in general undecidable, even when the equations in are confluent and terminating modulo . Therefore, the most useful rewrite theories satisfy additional executability conditions under which we can reduce the relation to simpler forms of rewriting just modulo , where both equality modulo and matching modulo are decidable.
The first condition is that should be terminating and ground confluent modulo [6]. This means that in the rewrite theory , (i) all rewrite sequences terminate, that is, there are no infinite sequences of the form , and (ii) for each there is a unique equivalence class called the canonical form of modulo such that there exists a terminating sequence of zero, one, or more steps .
The second condition is that the rules should be coherent [21] relative to the equations modulo . This precisely means that, if we decompose the rewrite theory into the simpler theories and , which have decidable rewrite relations and because of the assumptions of , then for each equivalence class such that we can always find a corresponding rewrite such that . Intuitively, coherence means that we can always adopt the strategy of first simplifying a term to canonical form with modulo , and then apply a rule with modulo to achieve the effect of rewriting with modulo .
The conceptual distinction between equations and rules has important consequences when giving the rewriting logic semantics of a language as a rewrite theory . Rewriting logic’s abstraction dial [12] captures precisely this conceptual distinction. One of the key features of Structural Operational Semantics is that it provides a stepbystep formal description of a language’s evaluation mechanisms [14]. Setting the level of abstraction in which the interleaving behavior of the evaluations in is observable, corresponds to the special case in which the dial is turned down to its minimum position by having . The abstraction dial can also be turned up to its maximal position as the special case in which , thus obtaining an equational semantics of the language. In general, we can make a specification as abstract as we want by identifying a subset such that the rewrite theory satisfies the executability conditions aforementioned. We refer the reader to [19] for an indepth presentation of the relationship between structural operational semantics and rewriting logic semantics, and the use of equations and rules to capture in rewriting logic the dynamic behavior of language semantics.
The conceptual distinction between equations and rules also has important practical consequences for program analysis, because it affords massive state space reduction which can make formal analyses such as breadthfirst search and model checking enormously more efficient. Because of statespace explosion, such analyses could easily become infeasible if we were to use a specification in which all computation steps are described with rules.
3A Rewriting Library for Synchronous Relations
When designing a programming language, it is useful to be able to define its semantic relation, to formally prove properties of this relation and to execute it on particular programs. However, defining such a semantic relation and formally reasoning about it is generally difficult, time consuming, and errorprone. This would be a major endeavor if it had to be done from scratch for each language. Moreover, since programming languages tend to evolve constantly, tools must allow reusing parts of former developments to support rapid yet correct prototyping.
Fortunately, smallstep operational semantic relations are, in general, built from simple relations with a limited number of operations, such as reflexivetransitive extension, reduction to normal form, parallel extension, etc. As a minimum, the framework should include a library containing the definitions of these operations and formal proofs of their properties. This will considerably reduce the amount of work needed to define the semantic relation of particular programming languages and to formally prove their properties. Defining the semantic relation of synchronous languages requires defining the synchronous extension of an atomic execution relation, an operation that has been much less studied formally than other relation operations such as the reflexivetransitive extension or the parallel extension.
We present in this section a first attempt to design a framework for rapid yet correct prototyping of semantic relations, in particular of synchronous languages. This framework allows one to define semantic relations, to execute them on particular programs and to formally prove some of their properties using general theorems about the operations that permit to build relations from relations. We have been experimenting with this framework using various versions of the PLEXIL language (see Section 4).
The definitions and properties presented in Section 3.1 have been developed in PVS. The Maude engine is used for executing the semantic relations on particular programs. The full development of the framework, including the formal semantics of PLEXIL, is available from http://research.nianet.org/fmatnia/PLEXIL.
3.1Set Relations and Determinism
Let be a binary relation on a set . We say that is a redex if there exists such that , and that it is a normal form otherwise. We denote by , , and , the identity relation, fold composition, and reflexivetransitive closure of , respectively.
In addition to the above relations, we also define the normalized reduction relation of .
Henceforth, we assume that the relation is defined on sets over an abstract type , i.e., . We define the asynchronous extension of , denoted , as the congruence closure of and the parallel extension of , denoted , as the parallel closure of .
The definition of a synchronous reduction requires the definition of a strategy that selects the redexes to be synchronously reduced.
A natural way of defining strategies is via priorities. A priority is a function that maps elements into natural numbers.
In addition to the definition of the relation operators presented here, our library includes formal proofs of properties related to determinism and compositionality for abstract set relations. In this paper, we will focus on determinism as this property is fundamental to the specification of synchronous relations in rewriting logic.
Determinism is a stronger property than confluence, i.e., a deterministic relation is also confluent, but a confluent relation is not necessarily deterministic.
In contrast, even if the relation is deterministic, the relations , and are not always deterministic.
3.2Executing Semantic Relations
Executing the semantic relation of a programming language is desirable during the design phase of the language. In particular, it allows the designer of the features to experiment with different semantic variants of the language before implementing them.
Rewrite systems are a computational way of defining binary relations. Since our formalism is based on set relations, we consider rewrite systems on an algebra of terms of type modulo associativity, commutativity, identity, and idempotence: the basic axioms for the union of sets. We denote the equality on terms of this algebra by . The relation defined by a rewrite system is defined as follows.
We remark that the previous definition uses the substitution closure of the rewrite system, rather than the more traditional definition based on the congruence closure. For example, if we consider the rewrite system
we have that and . On the other hand, is not a redex for .
The synchronous extension of a relation challenges the standard asynchronous interpretation of rewrite systems. Consider again the previous example. The asynchronous extension of defined in Section 3.1, which indeed encodes the congruence closure, relates and . However, it does not relate to , which corresponds to the parallel reduction of both and . In this particular case, we have that .
We remark that if , for a strategy , then . However, in order to select the redexes to be reduced, we need additional machinery. In particular, we need to keep a log book of redexes that need to be reduced and redexes that have been already reduced. We propose the following procedure to implement in an asynchronous rewrite engine, such as Maude, the synchronous extension of a relation for a strategy.
Since a strategy is a set of redexes, and this set is finite, the procedure is welldefined, i.e., it always terminates and returns a term. However, the procedure is not necessarily deterministic.
In our previous example, we want to apply the procedure to using the maximal redexes strategy (assuming that all terms have the same priority). Since , we have to reduce the pair to its normal form . Then, we compute , which is equal to . We check that .
 Soundness
Assume that the procedure returns from . We have to prove that . Let , where , for . From the definition of a strategy, the elements in are pairwise disjoint. Then, from the procedure, , where , for . Let be such that none of the subsets of is in . Then, has the form . Hence, . By definition of , we have that .
 Completeness
In this case, it suffices to note that by Proposition ?, if is deterministic, then is deterministic. Therefore, the normal form of is unique and the procedure returns a unique . This is the only term that is related to in the relation .
4Rewriting Logic Semantics of PLEXIL
The framework presented in Section 3 is abstract with respect to the elements in the set and the basic set relation . If we consider that is a set of PLEXIL nodes and is PLEXIL’s atomic relation, we can deduce by Proposition ? that, since PLEXIL’s atomic relation is deterministic [7] , PLEXIL’s micro and quiescence relations are deterministic as well. Therefore, we can use the serialization procedure presented in Section 3.2 to implement a sound and complete formal interpreter of PLEXIL in Maude.
In this section, we describe in detail the specification of such an interpreter. We only discuss the atomic and micro relations since they are the most interesting ones for validating the synchronous semantics of PLEXIL. More precisely, we present the rewrite theory , specifying the rewriting logic semantics for PLEXIL’s atomic and micro relations. We use the determinism property of PLEXIL’s atomic relation to encode it as the computation rules in because it yields a confluent equational specification. Consequently, the serialization procedure for PLEXIL’s synchronous semantics into rewriting logic can be defined equationally, thus avoiding the interleaving semantics associated with rewrite rules in Maude. Of course, due to the determinism property of the language, one can as well turn up the “abstraction dial” to its maximum by making the rewrite rules into computational rules. This will result in a faster interpreter, for example. Nevertheless, we are interested in PLEXIL semantics at the observable level of the micro relation. Therefore, in the rewrite theory : (i) the equational theory defines the semantics of the atomic relation and specifies the serialization procedure for the synchronous semantics of PLEXIL, and (ii) the rewrite rules define the semantics of the micro relation.
In this section we assume the reader is familiar with the syntax of Maude [5], which is very close to standard mathematical notation.
4.1PLEXIL Syntax
A PLEXIL plan is a tree of nodes representing a hierarchical decomposition of tasks. The interior nodes in a plan provide the control structure and the leaf nodes represent primitive actions. The purpose of each node determines its type: List
nodes group other nodes and provide scope for local variables, Assignment
nodes assign values to variables (they also have a priority, which serves to solve race conditions between assignment nodes), Command
nodes represent calls to commands, and Empty
nodes do nothing. Each PLEXIL node has gate conditions and check conditions. The former specify when the node should start executing, when it should finish executing, when it should be repeated, and when it should be skipped. Check conditions specify flags to detect when node execution fails due to violations of preconditions, postconditions, or invariants. Declared variables in nodes have lexical scope, that is, they are accessible to the node and all its descendants, but not siblings or ancestors. The execution status of a node is given by status such as Inactive
, Waiting
, Executing
, etc. The execution state of a plan consists of (i) the external state corresponding to a set of environment variables accessed through lookups on environment variables, and (ii) the internal state which is a set of nodes and (declared) variables.

Figure ? illustrates with a simple example the standard syntax of PLEXIL. In this particular example, the plan tasks are represented by the root node SafeDrive
, the interior node Loop
, and the leaf nodes OneMeter
, TakePic
and Counter
. OneMeter
and TakePic
are, for example, nodes of type Command
. The node Counter
has two different conditions: Start
is a gate condition constraining the execution of the assignment to start only when the node TakePic
is in state Finished
, while Pre
is a check condition for the number of pictures to be less than 10. The internal state of the plan at a particular moment is represented by the set of all nodes of the plan, plus the value of the variable pictures
, while the external state of the plan contains the (external) variable WheelStuck
.
The external state of a plan is defined in the functional module EXTERNALSTATESYNTAX
. The sort ExternalState represents sets of elements of sort Pair, each of the form ; we assume that the sorts Name and Value, specifying names and values, respectively, have been defined previously in the functional modules NAME
and VALUE
, respectively.
fmod
EXTERNALSTATESYNTAX
is
protecting
Name
.
protecting
Value
.
sort
Pair
.
op
(_,_)
:
Name
Value
>
Pair
.
sort
ExternalState
.
subsort
Pair
<
ExternalState
.
op
mtstate
:
>
ExternalState
.
op
_,_
:
ExternalState
ExternalState
>
ExternalState
[assoc
comm
id:
mtstate]
.
eq
ES:ExternalState
,
ES:ExternalState
=
ES:ExternalState
.
endfm
The internal state of a plan is represented with the help of Maude’s builtin CONF
module supporting object based programming. The internal state has the structure of a set made up of objects and messages, called configurations in Maude, where the objects represent the nodes and (declared) variables of a plan. Therefore, we can view the infrastructure of the internal state as a configuration built up by a binary set union operator with empty syntax, i.e., juxtaposition, as . The operator is declared to satisfy the structural laws of associativity and commutativity and to have identity mtconf
. Objects and messages are singleton set configurations and belong to subsorts , so that more complex configurations are generated out of them by set union. An object, representing a node or a (declared) variable, in a given configuration is represented as a term , where is the object’s name or identifier (of sort Oid), is its class (of sort Cid), the ’s are the names of the object’s attribute identifiers, and the ’s are the corresponding values. The set of all the attributevalue pairs of an object state (of sort Attribute) is formed by repeated application of the binary union operator which also obeys structural laws of associativity, commutativity, and identity, i.e., the order of the attributevalue pairs of an object is immaterial. The internal state of a plan is defined in the functional module INTERNALSTATESYNTAX
by extending the sort Configuration; the sorts Exp and Qualified, which we assume to be defined, are used to specify expressions and qualified names, respectively.
fmod
INTERNALSTATESYNTAX
is
extending
CONFIGURATION
.
protecting
EXP
.
protecting
QUALIFIED
.
subsort
Qualified
<
Oid
.
—
Qualified
elements
are
object
identifiers
ops
List
Command
Assignment
Empty
:
>
Cid
.
—
Types
of
nodes
sort
Status
.
ops
Inactive
Waiting
Executing
Finishing
Failing
Finished
IterationEnded
Variable
:
>
ExecState
.
sort
Outcome
.
ops
None
Success
Failure
:
>
Outcome
.
op
status:
:
Status
>
Attribute
.
—
Status
of
execution
op
outcome:
:
Outcome
>
Attribute
.
—
Outcome
of
execution
ops
start:
skip:
repeat:
end:
:
Exp
>
Attribute
.
—
Gate
conditions
ops
pre:
post:
inv:
:
Exp
>
Attribute
.
—
Check
conditions
op
command:
:
Exp
>
Attribute
.
—
Command
of
a
command
node
op
assignment:
:
Exp
>
Attribute
.
—
Assignment
of
an
assignment
node
ops
initval
actval:
Exp
>
Attribute
.
—
Initial
and
actual
values
of
a
variable
node
...
endfm
Using the infrastructure in INTERNALSTATESYNTAX
, the internal state of SafeDrive in Figure ?, is represented by the configuration in Figure ?. Observe that the sort Qualified provides qualified names by means of the operator , which we use to maintain the hierarchical structure of the plans. The dots at the end of each object represent the object’s attributes that are not explicitly defined by the plan but that are always present in each node such as the status or the outcome. There is a “compilation procedure” from PLEXIL plans to their corresponding representation in Maude, that we do not discuss in this paper, which includes all implicit elements of a node as attributes of the object representation of the node.

We are now ready to define the sort State representing the execution state of the plans in the functional module STATESYNTAX
, by importing the syntax of external and internal states:
fmod
STATESYNTAX
is
pr
EXTERNALSTATESYNTAX
.
pr
INTERNALSTATESYNTAX
.
sort
State
.
op
__
:
ExternalState
Configuration
>
State
.
endfm
We adopt the syntax to represent the execution state of the plans, where and are the external and internal states, respectively.
4.2PLEXIL Semantics
PLEXIL execution is driven by external events. The set of events includes events related to lookup in conditions, e.g., changes in the value of an external state that affects a gate condition, acknowledgments that a command has been initialized, reception of a value returned by a command, etc. We focus on the execution semantics of PLEXIL specified in terms of node states and transitions between node states that are triggered by condition changes (atomic relation) and its synchronous closure under the maximal redexes strategy (micro relation). PLEXIL’s atomic relation consists of 42 rules, indexed by the type and the execution status of nodes into a dozen groups. Each group associates a priority to its set of rules which defines a linear order on the set of rules.
The atomic relation is defined by , where . For instance, the four atomic rules corresponding to the transitions from Executing
for nodes of type Assignment
are depicted in Figure ?. Rule updates the status and the outcome of node A
to the values IterationEnded
and Success
, respectively, and the variable to the value v
, i.e., the value of the expression e
in the state , whenever the expressions associated with the gate condition End
and the check condition Post
of node A
both evaluate to true
in . In rule , AncInv(A)
is a predicate, parametric in the name of nodes, stating that none of the ancestors of A
has changed the value associated with its invariant condition to false
. The value represents the special value “Unknown”. We use to denote that expression evaluates to value in state ; by abuse of notation, we write to denote that expression does not evaluate to value in .
The relation between the labels of two different rules specifies that the rule is only applied when the second rule cannot be applied. That is, the binary relation on rules defines the order of their application when deriving atomic transitions. So, a rule can be used to derive an atomic transition if all its premises are valid and no rule higher than (in its group) is applicable. In the case of PLEXIL’s atomic relation, the binary relation on rules is a linear ordering. This linearity is key to the determinism of PLEXIL (see [8]).
The micro relation , the synchronous closure of the atomic relation under the maximal redexes strategy, is defined as:
where is the set of nodes and variables in that are affected by the micro relation. If two different processes in , say A
and B
, write to the same variable, only the update of the process with higher priority is considered (assignment nodes have an associated priority always), e.g., A
if A.priority > B.priority
, B
if B.priority > A.priority
, and none otherwise.
In order to specify the PLEXIL semantics in Maude, we first define the infrastructure for the serialization procedure in the functional module SERIALIZATIONINFRASTRUCTURE
.
fmod
SERIALIZATIONINFRASTRUCTURE
is
inc
STATESYNTAX
.
...
op
[_:__]
:
Oid
Cid
AttributeSet
>
Object
.
—
New
syntactic
sugar
for
objects
op
updateStatus
:
Qualified
Status
>
Msg
.
—
Update
status
message
op
updateOutcome
:
Qualified
Outcome
>
Msg
.
—
Update
outcome
message
op
updateVariable
:
Qualified
Value
>
Msg
.
—
Update
variable
message
...
ops
applyUpdates
unprime
:
State
>
State
.
—
Application
of
updates
and
‘unpriming
’
var
:
ExternalState
.
var
:
InternalState
.
var
A
:
Oid
.
var
C
:
Cid
.
var
Att
:
AttributeSet
.
vars
S
S’
:
Status
.
var
St
:
State
.
eq
applyUpdates(
[
A
:
C

status:
S
,
Att
]
updateStatus(A
,
S’)
)
=
applyUpdates(
[
A
:
C

status:
S’
,
Att
]
)
.
...
eq
applyUpdates(St)
=
St
[owise]
.
eq
unprime(
[
A
:
C

Att
]
)
=
unprime(
<
A
:
C

Att
>
)
.
eq
unprime(St)
=
St
[owise]
.
endfm
Following the idea of the serialization procedure, we distinguish between unprimed and primed redexes by using syntactic sugar for denoting objects in the Maude specification: unprimed redexes are identified with the already defined syntax for objects in the form of and primed redexes are identified with the new syntax for objects in the form of . We use messages, i.e., elements in the sort Msg, to denote the update actions associated with the reduction rules for the atomic relation; we accumulate these messages in the internal state of the execution state of the plans, i.e., we also use the internal state in the spirit of the log book of the serialization procedure. For example, the configuration updateStatus(A,IterationEnded) updateOutcome(A,Success) updateVariable(x,v)
corresponds to the update actions in the conclusion of rule in Figure ?. The functions applyUpdates
and unprimes
apply all the collected updates in the internal state, and “unprimes” the “primed” nodes, respectively. In the specification above, it is shown how the status of a node is updated and how primed nodes become unprimed.
We give the equational serialization procedure in the general setting in which we consider a linear ordering on the rules.
The equational serialization procedure defines a fresh function symbol, say, . The first equation for tries to apply the atomic rules in the given order, by first evaluating the condition and then marking the affected node. If the condition evaluates to true, then update messages are generated. The second equation, removes the function symbol when there aren’t any more possible atomic reductions with the rules .
The atomic relation is defined in the functional module ATOMICRELATION
by instantiating the equational serialization procedure for each one of the twelve groups of atomic rules with a different function symbol for each one.
Finally, the micro relation is defined by the rule micro
in the system module PLEXILRLS
, which materializes the rewrite theory in Maude:
mod
PLEXILRLS
is
pr
ATOMICRELATION
.
pr
SERIALIZATIONINFRASTRUCTURE
.
rl
[micro]
:
=>
unprime(applyUpdates(a
(...a
(
)...)))
.
endm
where are the function symbols in ATOMICRELATION
defining the serialization procedure for each one of the twelve groups of rules.
5Preliminary Results
We have used to validate the semantics of PLEXIL against a wide variety of plan examples. We report on the following two issues of the original PLEXIL semantics that were discovered with the help of :
Nonatomicity of the atomic relation. A prior version of the atomic rules and for
Assignment
nodes in stateExecuting
, presented in Figure ?, introduced an undesired interleaving semantics for variable assignments, which invalidated the synchronous nature of the language.Spurious nontermination of plans. Due to lack of detail in the original specification of some predicates, there were cases in which some transitions for
List
nodes in stateIterationEnded
would lead to spurious infinite loops.
Although the formal operational semantics of PLEXIL in [8] has been used to prove several properties of PLEXIL, neither one of the issues was previously found. As as matter of fact, these issues do not compromise any of the proven properties of the language. Solutions to both issues were provided by the authors, and have been adopted in the latest version of the formal PLEXIL semantics. We are currently using as the formal interpreter of PLEXIL’s Formal Interactive Visual Environment [15] (PLEXIL5), a prototype graphical environment that enables stepbystep execution of plans for scripted sequence of external events, for further validation of the language’s intended semantics.
We have also developed a variant of in which the serialization procedure was implemented with rewrite rules, instead of equations, and rewrite strategies. In general, outperforms that variant by two orders of magnitude on average, and by three orders of magnitude in some extreme cases.
The rewrite theory has approximately 1000 lines of code, of which 308 lines correspond to the module ATOMICRELATION
. The rest corresponds to the syntax and infrastructure specifications.
6Related Work and Conclusion
Rewriting logic has been used previously as a testbed for specifying and animating the semantics of synchronous languages. M. AlTurki and J. Meseguer [1] have studied the rewriting logic semantics of the language Orc, which includes a synchronous reduction relation. T. Serbanuta et al. [17] define the execution of systems with structured data with continuations. The focus of the former is to use rewriting logic to study the (mainly) nondeterministic behavior of Orc programs, while the focus of the latter is to study the relationship between systems and the existing continuation framework for enriching each with the strong features of the other. Our approach is based more on exploiting the determinism of a synchronous relation to tackle the problem associated with the interleaving semantics of concurrency in rewriting logic. P. Lucanu [10] studies the problem of the interleaving semantics of concurrency in rewriting logic for synchronous systems from the perspective of systems. The determinism property of the synchronous language Esterel [2] was formally proven by O. Tardieu in [18].
We have presented a rewriting logic semantics of PLEXIL, a synchronous plan execution language developed by NASA to support autonomous spacecraft operations. The rewriting logic specification, a formal interpreter and a semantic benchmark for validating the semantics of the language, relies on the determinism of PLEXIL’s atomic relation and a serialization procedure that enables the specification of a synchronous relation in an asynchronous computational model. Two issues in the original design of PLEXIL were found with the help of the rewriting logic specification of the language: (i) there was an atomic rule with the potential to violate the atomicity of the atomic relation, thus voiding the synchronous nature of the language, and (ii) a set of rules introducing spurious nonterminating executions of plans. We proposed solutions to these issues that were integrated into the current semantics of the language.
Although we have focused on PLEXIL, the formal framework that we have developed is presented in a general setting of abstract set relations. In particular, we think that this framework can be applied to other deterministic synchronous languages. To the best of our knowledge there was no mechanized library of abstract set relations suitable for the definition and verification of synchronous relations; neither was there a soundness and completeness proof of a serialization procedure for the simulation of synchronous relations by rewrite systems.
To summarize, we view this work as (i) a step forward in bringing the use of formal methods closer to practice, (ii) a contribution to the modular and mechanized study of semantic relations, and (iii) yet another, but interesting contribution to the rewriting logic semantics project.
We intend to continue our collaborative work with PLEXIL development team with the goal of arriving at a formal environment for the validation of PLEXIL. Such an environment would provide a rich formal tool to PLEXIL enthusiasts for the experimentation, analysis and verification of PLEXIL programs, which could then be extended towards a rewritingbased PLEXIL implementation with associated analysis tools. Part of our future work is also to investigate the modularity of the equational serialization procedure with prioritized rules.
Acknowledgments. This work was supported by the National Aeronautics and Space Administration at Langley Research Center under the Research Cooperative Agreement No. NCC102043 awarded to the National Institute of Aerospace, while the second author was resident at this institute. The third author was partially supported by NSF Grant IIS 0720482. The authors would like to thank the members of the NASA’s Automation for Operation (A4O) project and, especially, the PLEXIL development team led by Michael Dalal at NASA Ames, for their technical support.
Footnotes
References
 Electr. Notes Theor. Comput. Sci. 200(3), pp. 25–41.
M. AlTurki & J. Meseguer (2008): Reduction Semantics and Formal Analysis ofOrc Programs.  In: Proof, Language and Interaction: Essays in Honour of Robin Milner. MIT Press, Cambridge, MA, USA, pp. 425–454.
G. Berry (2000): The Foundations ofEsterel.  Theor. Comput. Sci. 360(13), pp. 386–414.
R. Bruni & J. Meseguer (2006): Semantic foundations for generalized rewrite theories. Available athttp://dx.doi.org/10.1016/j.tcs.2006.04.012
.  In: POPL ’87: Proceedings of the 14th ACM SIGACTSIGPLAN symposium on Principles of programming languages. ACM, New York, NY, USA, pp. 178–188.
P. Caspi, D. Pilaud, N. Halbwachs & J. A. Plaice (1987): LUSTRE: a declarative language for realtime programming.  Springer LNCS Vol. 4350, 1st edition.
M. Clavel, F. Durán, S. Eker, J. Meseguer, P. Lincoln, N. MartíOliet & C. Talcott (2007): All About Maude  A HighPerformance Logical Framework.  In: Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics (B). The MIT Press, pp. 243–320.
N. Dershowitz & J. P. Jouannaud (1990): Rewrite Systems.  In: Proceedings of 3rd Workshop on Planning and Plan Execution for RealWorld Systems. pp. 45–51.
G. Dowek, C. Muñoz & C. Păsăreanu (2007): A Formal Analysis Framework forPLEXIL.  Technical Report 200811, National Institute of Aerospace, Hampton, VA.
G. Dowek, C. Muñoz & C. Păsăreanu (2008): A SmallStep Semantics OFPLEXIL.  Technical Memorandum TM2006213483, NASA.
T. Estlin, A. Jónsson, C. Păsăreanu, R. Simmons, K. Tso & V. Verna (2006): PlanExecutionInterchangeLanguage (PLEXIL).  Electr. Notes Theor. Comput. Sci. 237, pp. 107–125.
D. Lucanu (2009): StrategyBased Rewrite Semantics for Membrane Systems Preserves Maximal Concurrency of Evolution Rule Actions.  Theoretical Computer Science 96(1), pp. 73–155.
J. Meseguer (1992): Conditional Rewriting Logic as a Unified Model of Concurrency.  Theor. Comput. Sci. 373(3), pp. 213–237.
J. Meseguer & G. Rosu (2007): The rewriting logic semantics project. Available athttp://dx.doi.org/10.1016/j.tcs.2006.12.018
.  In: Deepak Kapur, editor: 11th International Conference on Automated Deduction (CADE), Lecture Notes in Artificial Intelligence 607. SpringerVerlag, Saratoga, NY, pp. 748–752.
S. Owre, J. Rushby & N. Shankar (1992): PVS: A Prototype Verification System.  J. Log. Alg. Prog. 6061, pp. 17–139.
G. D. Plotkin (2004): A structural approach to operational semantics.  IEEE International Conference on Space Mission Challenges for Information Technology 0, pp. 201–207.
C. Rocha, C. Muñoz & H. Cadavid (2009): A Graphical Environment for the Semantic Validation of a Plan Execution Language.  Inf. Comput. 207(2), pp. 305–340.
T. Serbanuta, G. Rosu & J. Meseguer (2009): A rewriting logic approach to operational semantics.  In: David W. Corne, Pierluigi Frisco, Gheorghe Paun, Grzegorz Rozenberg & Arto Salomaa, editors: Workshop on Membrane Computing, Lecture Notes in Computer Science 5391. Springer, pp. 374–393.
T. Serbanuta, G. Stefanescu & G. Rosu (2008): Defining and Executing P Systems with Structured Data in K.  ACM Trans. Program. Lang. Syst. 29(2), p. 8.
O. Tardieu (2007): A deterministic logical semantics for pure Esterel.  J. Log. Algebr. Program. 67(12), pp. 226–293.
A. Verdejo & N. MartíOliet (2006): Executable structural operational semantics in Maude.  In: Proceedings of the American Institute of Aeronautics and Astronautics Space Conference.
V. Verna, A. Jónsson, C. Păsăreanu & M. Latauro (2006): Universal Executive and PLEXIL: Engine and Language for Robust Spacecraft Control and Operations.  Theoretical Computer Science 285, pp. 487–517.
P. Viry (2002): Equational rules for rewriting logic.