Rewriting Logic Semantics of a Plan Execution Language


📝 Original Info

  • Title: Rewriting Logic Semantics of a Plan Execution Language
  • ArXiv ID: 1002.2872
  • Date: 2023-06-15
  • Authors: John Doe, Jane Smith, Michael Johnson

📝 Abstract

The Plan Execution Interchange Language (PLEXIL) is a synchronous language developed by NASA to support autonomous spacecraft operations. In this paper, we propose a rewriting logic semantics of PLEXIL in Maude, a high-performance logical engine. The rewriting logic semantics is by itself a formal interpreter of the language and can be used as a semantic benchmark for the implementation of PLEXIL executives. The implementation in Maude has the additional benefit of making available to PLEXIL designers and developers all the formal analysis and verification tools provided by Maude. The formalization of the PLEXIL semantics in rewriting logic poses an interesting challenge due to the synchronous nature of the language and the prioritized rules defining its semantics. To overcome this difficulty, we propose a general procedure for simulating synchronous set relations in rewriting logic that is sound and, for deterministic relations, complete. We also report on two issues at the design level of the original PLEXIL semantics that were identified with the help of the executable specification in Maude.

💡 Deep Analysis

[Figure 1: image not included in this extract]

📄 Full Content

Synchronous languages were introduced in the 1980s to program reactive systems, i.e., systems whose behavior is determined by their continuous reaction to the environment where they are deployed. Synchronous languages are often used to program embedded applications and automatic control software. The family of synchronous languages is characterized by the synchronous hypothesis, which states that a reactive system is arbitrarily fast and able to react immediately in no time to stimuli from the external environment. One of the main consequences of the synchronous hypothesis is that components running in parallel are perfectly synchronized and cannot arbitrarily interleave. The implementation of a synchronous language usually requires the simulation of the synchronous semantics into an asynchronous computation model. This simulation must ensure the validity of the synchronous hypothesis in the target asynchronous model.

The Plan Execution Interchange Language (PLEXIL) [9] is a synchronous language developed by NASA to support autonomous spacecraft operations. Space mission operations require flexible, efficient and reliable plan execution. The computer system on board the spacecraft that executes plans is called the executive, and it is a safety-critical component of the space mission. The Universal Executive (UE) [20] is an open source PLEXIL executive developed by NASA. PLEXIL and the UE have been used on midsize applications such as robotic rovers and a prototype of a Mars drill, and to demonstrate automation for the International Space Station.

Given the critical nature of spacecraft operations, PLEXIL’s operational semantics has been formally defined [8] and several properties of the language, such as determinism and compositionality, have been mechanically verified [7] in the Prototype Verification System (PVS) [13]. The formal small-step semantics is defined using a compositional layer of five reduction relations on sets of nodes. These nodes are the building blocks of a PLEXIL plan and represent the hierarchical decomposition of tasks. The atomic relation describes the execution of an individual node in terms of state transitions triggered by changes in the environment. The micro relation describes the synchronous reduction of the atomic relation with respect to the maximal redexes strategy, i.e., the synchronous application of the atomic relation to the maximal set of nodes of a plan. The remaining three relations are the quiescence relation, the macro relation and the execution relation which describe the reduction of the micro relation until normalization, the interaction of a plan with the external environment, and the n-iteration of the macro relation corresponding to n time-steps, respectively. From an operational point of view, PLEXIL is more complex than general purpose synchronous languages such as Esterel [2] or Lustre [4]. PLEXIL is designed specifically for flexible and reliable command execution in autonomy applications.

In this paper, we propose a rewriting logic semantics of PLEXIL in Maude [5] that complements the small-step structural operational semantics written in PVS. In contrast to the PVS higher-order logic specification, the rewriting logic semantics of PLEXIL is executable and it is by itself an interpreter of the language. This interpreter is intended to be a semantic benchmark for validating the implementation of PLEXIL executives such as the Universal Executive and a testbed for designers of the language to study new features or possible variants of the language. Additionally, by using a graphical interface [15], PLEXIL developers will be able to exploit the formal analysis tools provided by Maude to verify properties of actual plans.

Rewriting logic is a logic of concurrent change in which a wide range of models of computation and logics can be faithfully represented. The rewriting semantics of a synchronous language such as PLEXIL poses interesting practical challenges because Maude implements the maximal concurrency of rewrite rules by interleaving concurrency. That is, although rewriting logic allows for concurrent synchronous specifications at the mathematical level, Maude executes the rewrite rules by interleaving concurrency. To overcome this situation, we develop a serialization procedure that allows for the simulation of a synchronous relation via set rewriting systems. This procedure is presented in a library of abstract set relations that we have written in PVS. The procedure is sound and complete for the synchronous closure of any deterministic relation under the maximal redexes strategy.
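The layered semantics of the earlier paragraph (atomic, micro, quiescence, macro and execution relations) and the interleaving problem of this one can be made concrete with a small executable model. The Python below is an added toy example, not the paper's Maude or PVS specification: the node kinds, start/end conditions and transition rules are constructed for illustration and are not PLEXIL's real ones, and `serialized_micro` shows only the general idea of a frozen-snapshot-plus-marks serialization, not the paper's procedure. `naive_interleaving` shows why the problem exists: when each rewrite reads the state left by the previous one, the outcome of a step depends on the order in which nodes are rewritten, which a synchronous step must never allow.

```python
"""Toy layered plan semantics (added example; not PLEXIL's real rules)."""
from dataclasses import dataclass, field
from itertools import permutations
from typing import Callable, Dict, List, Optional

INACTIVE, WAITING, EXECUTING, FINISHED = "Inactive", "Waiting", "Executing", "Finished"


@dataclass
class Node:
    name: str
    parent: Optional[str] = None
    start: Callable[[Dict[str, int]], bool] = lambda env: True  # constructed start condition
    end: Callable[[Dict[str, int]], bool] = lambda env: True    # constructed end condition (leaves)
    children: List[str] = field(default_factory=list)


def make_plan(nodes: List[Node]) -> Dict[str, Node]:
    plan = {n.name: n for n in nodes}
    for n in nodes:
        if n.parent is not None:
            plan[n.parent].children.append(n.name)
    return plan


def atomic(plan, states, env, name) -> Optional[str]:
    """Atomic relation: next state of one node, read against the snapshot `states`.
    None means the node is not a redex (no transition enabled)."""
    node, st = plan[name], states[name]
    if st == INACTIVE and (node.parent is None or states[node.parent] == EXECUTING):
        return WAITING
    if st == WAITING and node.start(env):
        return EXECUTING
    if st == EXECUTING:
        done = all(states[c] == FINISHED for c in node.children) if node.children else node.end(env)
        return FINISHED if done else None
    return None


def micro(plan, states, env):
    """Micro relation: synchronous step under the maximal-redexes strategy.
    Every enabled node fires once, and all of them read the same pre-state."""
    return {k: atomic(plan, states, env, k) or v for k, v in states.items()}


def quiescence(plan, states, env):
    """Quiescence relation: iterate micro until no node is a redex."""
    while (nxt := micro(plan, states, env)) != states:
        states = nxt
    return states


def macro(plan, states, env, update):
    """Macro relation: absorb one external-environment change, then quiesce."""
    env = {**env, **update}
    return quiescence(plan, states, env), env


def execution(plan, states, env, updates):
    """Execution relation: n macro steps for n environment updates (n time steps)."""
    history = [states]
    for update in updates:
        states, env = macro(plan, states, env, update)
        history.append(states)
    return history


def naive_interleaving(plan, states, env, order):
    """Interleaving without care: each node reads the state left by the nodes
    rewritten before it, so the result of one 'step' depends on `order`."""
    current = dict(states)
    for name in order:
        nxt = atomic(plan, current, env, name)
        if nxt is not None:
            current[name] = nxt
    return current


def serialized_micro(plan, states, env, order):
    """One-node-at-a-time simulation of a synchronous step: every rewrite reads a
    frozen snapshot and marks its node so it cannot fire twice; when no unmarked
    redex is left the marks are dropped and the set is ready for the next step."""
    frozen, current, marked = dict(states), dict(states), set()
    for name in order:
        if name not in marked and (nxt := atomic(plan, frozen, env, name)) is not None:
            current[name] = nxt
            marked.add(name)
    return current


def demo_plan():
    """Constructed plan: list node Root with two leaves gated on env variables."""
    return make_plan([
        Node("Root"),
        Node("A", parent="Root", start=lambda env: env.get("x", 0) > 0),
        Node("B", parent="Root", start=lambda env: env.get("y", 0) > 0),
    ])


def compare_strategies(plan, states, env):
    """(serialization matches micro for every order, naive interleaving differs for some order)."""
    sync = micro(plan, states, env)
    orders = [list(o) for o in permutations(states)]
    serial_ok = all(serialized_micro(plan, states, env, o) == sync for o in orders)
    naive_diverges = any(naive_interleaving(plan, states, env, o) != sync for o in orders)
    return serial_ok, naive_diverges


if __name__ == "__main__":
    plan, env0 = demo_plan(), {"x": 0, "y": 0}
    s0 = {n: INACTIVE for n in plan}
    for t, s in enumerate(execution(plan, s0, env0, [{"x": 1}, {"y": 1}])):
        print("time step", t, s)
    print(compare_strategies(plan, {"Root": WAITING, "A": INACTIVE, "B": INACTIVE}, env0))
```

Running the block shows the point the paper makes: from the configuration where Root is Waiting and both children Inactive, the synchronous micro step only moves Root to Executing, whereas rewriting Root before its children with `naive_interleaving` also moves the children to Waiting in the same step, collapsing two synchronous steps into one. The snapshot-and-mark serialization gives the synchronous result for every rewrite order, which is the soundness property the text asks of a simulation of the synchronous hypothesis on an interleaving engine.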

We are collaborating with the PLEXIL development team at NASA Ames by using the rewriting logic semantics of PLEXIL to validate the intended semantics of the language against a wide variety of plan examples. We report on two issues of PLEXIL’s original semantics that were discovered with the help of the rewriting logic semantics of PLEXIL presented in this paper: the fir
