Rewriting Logic Semantics of a Plan Execution Language

The Plan Execution Interchange Language (PLEXIL) is a synchronous language developed by NASA to support autonomous spacecraft operations. In this paper, we propose a rewriting logic semantics of PLEXIL in Maude, a high-performance logical engine. The rewriting logic semantics is by itself a formal interpreter of the language and can be used as a semantic benchmark for the implementation of PLEXIL executives. The implementation in Maude has the additional benefit of making available to PLEXIL designers and developers all the formal analysis and verification tools provided by Maude. The formalization of the PLEXIL semantics in rewriting logic poses an interesting challenge due to the synchronous nature of the language and the prioritized rules defining its semantics. To overcome this difficulty, we propose a general procedure for simulating synchronous set relations in rewriting logic that is sound and, for deterministic relations, complete. We also report on two issues at the design level of the original PLEXIL semantics that were identified with the help of the executable specification in Maude.

💡 Research Summary

The paper presents a complete rewriting‑logic (RL) semantics for the Plan Execution Interchange Language (PLEXIL), a synchronous language designed by NASA for autonomous spacecraft operations, and implements this semantics in the high‑performance logical engine Maude. PLEXIL’s original semantics is defined by a set of prioritized rewrite rules that must fire synchronously: at each logical step a maximal set of enabled rules is selected according to their priorities, and all selected rules are applied atomically. Translating such a synchronous, priority‑driven semantics into the inherently asynchronous framework of rewriting logic raises two major challenges. First, the need to simulate a “synchronous set relation” where multiple rule applications are combined into a single atomic transition. Second, preserving the deterministic ordering imposed by rule priorities while still allowing the underlying RL engine to explore nondeterministic alternatives when they exist.

To address these issues, the authors devise a general procedure for simulating synchronous set relations within rewriting logic. The procedure works as follows: (1) from the current configuration, collect all rules that are enabled; (2) sort the enabled rules according to the static priority ordering defined in the PLEXIL specification; (3) sequentially apply the sorted rules to produce a sequence of intermediate configurations; (4) finally merge the effects of all intermediate steps into one atomic rewrite step. The authors prove that this construction is sound for arbitrary (possibly nondeterministic) relations and, when the underlying relation is deterministic, the construction is also complete—meaning that every behavior of the original synchronous semantics is reproduced exactly.

The implementation leverages several distinctive features of Maude. Maude’s strategy language is used to encode the priority‑based selection of rules, ensuring that higher‑priority rules are always considered before lower‑priority ones. The modular organization of rewrite rules mirrors the syntactic categories of PLEXIL (e.g., conditions, loops, concurrent blocks), and Maude’s reflective capabilities allow the interpreter to inspect and manipulate the set of enabled rules at runtime. By encoding the synchronous step as a single Maude rewrite rule that internally performs the sequential application described above, the authors obtain an executable specification that behaves as a faithful interpreter of PLEXIL programs.

The paper validates the approach by running a suite of representative PLEXIL programs and comparing the Maude‑based interpreter’s output with that of the reference PLEXIL executive. The results show identical state trajectories, confirming semantic equivalence. Moreover, the Maude implementation benefits from Maude’s built‑in analysis tools: reachability analysis, model checking, and theorem proving can be applied directly to PLEXIL specifications without additional tooling.

During the development of the executable semantics, two previously unnoticed design flaws in the original PLEXIL semantics were uncovered. The first flaw involved a priority‑collision scenario where two rules of equal priority could be simultaneously enabled, leading the original semantics to an undefined “deadlock” state and causing the executive to abort. The second flaw concerned a subtle inconsistency in the handling of concurrent blocks: under certain interleavings, the original semantics could produce divergent variable bindings, violating the intended atomicity of the block. By experimenting with the Maude model, the authors isolated the offending rule definitions, proposed corrected priority specifications, and refined the concurrent‑block semantics to enforce a deterministic merge of variable updates. These corrections were fed back to the PLEXIL community, illustrating the practical value of an executable formal semantics as a design‑time verification aid.

In summary, the contribution of the paper is threefold. First, it provides a rigorous, sound, and (for deterministic cases) complete method for encoding synchronous, priority‑driven semantics in rewriting logic. Second, it delivers a fully functional Maude interpreter for PLEXIL, opening the language to the rich ecosystem of Maude’s formal analysis tools. Third, it demonstrates how an executable formal semantics can serve as a powerful benchmark and debugging instrument for language designers, as evidenced by the discovery and resolution of two subtle semantic bugs in the original PLEXIL specification. The work thus establishes a blueprint for applying rewriting‑logic techniques to other synchronous control languages and paves the way for deeper formal verification of autonomous spacecraft software.