Geometric Model Checking of Continuous Space

Topological Spatial Model Checking is a recent paradigm where model checking techniques are developed for the topological interpretation of Modal Logic. The Spatial Logic of Closure Spaces, SLCS, extends Modal Logic with reachability connectives that, in turn, can be used for expressing interesting spatial properties, such as "being near to" or "being surrounded by". SLCS constitutes the kernel of a solid logical framework for reasoning about discrete space, such as graphs and digital images, interpreted as quasi discrete closure spaces. Following a recently developed geometric semantics of Modal Logic, we propose an interpretation of SLCS in continuous space, admitting a geometric spatial model checking procedure, by resorting to models based on polyhedra. Such representations of space are increasingly relevant in many domains of application, due to recent developments of 3D scanning and visualisation techniques that exploit mesh processing. We introduce PolyLogicA, a geometric spatial model checker for SLCS formulas on polyhedra and demonstrate feasibility of our approach on two 3D polyhedral models of realistic size. Finally, we introduce a geometric definition of bisimilarity, proving that it characterises logical equivalence.


Introduction and Related Work
Spatial reasoning and spatial properties are of interest in a vast number of domains, ranging from collective adaptive systems, concerned with the emergence of spatial patterns, and the mobility and distribution of devices in cyber-physical systems to medical imaging and interactive visualisation. Recently, novel variants of model checking have been developed, moving the focus from checking temporal properties to spatial properties, see for example [GSC+09, CLLM14, CLLM16a, CLLM16b, NBC+18, HJK+15, MBL+21], and, in fact, also to the combination of reasoning on time and space in spatio-temporal model checking [CGL+14, CLMP15, CGL+15, CGG+18, CLM+16, Gri16, TKG17].
This so-called topological approach to spatial logic and spatial model checking has its origin in the ideas by McKinsey and Tarski [MT44], who recognised the possibility of reasoning about space using topology as a mathematical framework for the interpretation of modal logic (see [BB07] for a thorough introduction). The work by Ciancia et al. (see e.g. [CLLM14, CLLM16a]) builds on these theoretical developments using Closure Spaces, a generalisation of topological spaces encompassing also general discrete spatial structures such as graphs [Gal99, Gal14], as underlying model for the Spatial Logic for Closure Spaces SLCS. The original version of this spatial logic included two spatial operators, the near operator and the surrounded operator. The points in space satisfying 'near φ' are all those points close to any point satisfying φ. In other words, the near operator is interpreted as a closure operator on space. The points satisfying 'φ surrounded by ψ', instead, are all those points satisfying φ from which no path can be found that passes by a point not satisfying φ without first passing by a point satisfying ψ. In other words, these are those points, satisfying φ, that are surrounded by points satisfying ψ.
Two different spatial model-checkers for finite (quasi-discrete) closure spaces were developed based on this foundational work: Topochecker and VoxLogicA. These tools have been used successfully in several applications. For example, for the analysis of the spatial and spatio-temporal aspects of excessive delays in returning bikes in the London bike sharing system [CLM+16] and the spatio-temporal aspects of the emergence of Turing patterns [CLLM16b, NBC+18] and the robustness of their formation in the presence of noise. Also in the field of medical imaging these spatial model checking techniques have shown to be very promising as a novel approach to the segmentation of malignant brain lesions [BCLM19b, BBC+20] in 3D MRI scans as well as for the segmentation of normal brain tissue, such as white and grey matter [BCLM19a]. A similar approach has also been used for the segmentation of nevi in 2D dermoscopic images [BBC+21]. The application of spatial model checking techniques on publicly available datasets, consisting of hundreds of such medical images, showed that an accuracy and computational efficiency can be obtained that is in line with the state-of-the-art in such fields.
So far, spatial model checking approaches focused on discrete spatial structures, i.e., discrete sets of points related by an adjacency relation, namely graphs. However, in several domains, e.g., medical imaging and visualisation in virtual reality, reasoning on continuous space is required. For example, computerised 3D visualisation of medical images can help physicians to make better diagnoses or treatment plans. Images used for visualisation often consist of continuous spatial structures that are divided into suitable areas of different size using mesh techniques such as triangular surface meshes or tetrahedral volume meshes (see for example [LPZ12]).
In the present work we therefore focus on the development of the foundations to reason about and model-check properties of continuous space. Interestingly, we will also show how our earlier results on discrete space are, in part, also relevant to model-checking continuous space. Unlike the topological semantics, where formulas are interpreted in the powerset algebra of a topological space, in the polyhedral semantics formulas are assigned polyhedral subsets of an m-dimensional Euclidean space. Polyhedral subsets can be thought of as finite unions of simplexes (i.e., n-dimensional triangles). Using piecewise linear geometry (triangulations, nerves), the work in [BMMP18] gives a full characterization of the intuitionistic and modal logics of the class of all compact polyhedra and [ABGM21, AD19] provide an infinite family of polyhedrally complete modal and intermediate logics.
The version of SLCS we use in this paper is obtained by extending the polyhedral modal logic with a spatial reachability modality γ, which is a variant of the ρ operator originally proposed in [BCLM19b] that, in turn, can be seen as a spatial version of the Existential Until operator of temporal logics (for more examples of spatial reachability operators, see also [NBBL22]). Roughly speaking, γ(φ, ψ) (pronounced as ψ is reachable through φ) means that a point satisfying ψ is reachable by a path satisfying φ along the way. The reachability modality is quite expressive and other operators, relevant for the intended applications (such as "surrounded", or "grow", discussed in more detail throughout the paper), can be defined based on it. We show that the reachability modality can be defined for polyhedral models.
One of the main conceptual results of the present paper is that, starting from a polyhedral model X, we can build a relational (Kripke) model M(X) satisfying the same formulas of the logic. In particular, M(X) is isomorphic to the face poset of an underlying triangulation of X. Triangulation is a standard technique of piecewise linear geometry in which each polyhedron is decomposed in simplexes. That triangulations play an important role in the logical analysis of polyhedra has already been observed in [BMMP18, AD19, ABGM21]. However, here we show this also for the language enriched with the reachability modality γ. In particular, M(X) captures all the properties expressible in this extended language.
The finite state, Kripke-style semantics that we define preserves all the information that can be discerned by SLCS formulas. This is the key for introducing a novel geometric model checking technique to analyse continuous space. We prove that the continuous model of the extended language can be turned into a finite relational model for the same language without losing any of the logical information. A model checking algorithm, along the lines of [BCLM19b], has been implemented in the free and open source geometric model checker PolyLogicA, which brings the core features of VoxLogicA (global model checking, concurrent multi-core execution, "memoization" at the syntactic level) to the continuous space domain.
Finally, we define a notion of bisimilarity between two polyhedral models, and we prove that bisimilarity preserves and reflects logical equivalence.
Summarizing, the original contributions in this paper are:
• The development of a (continuous space) polyhedral semantics for the logic SLCS building upon recent developments in polyhedral semantics for modal and intuitionistic logic [BMMP18, ABGM21, AD19];
• The introduction of a finite state relational Kripke model M(X) for any given (continuous space) polyhedral model X, such that M(X) provides a full logical invariant for X with respect to SLCS;
• A novel geometric spatial model checking algorithm for the verification of SLCS properties on polyhedral models;
• First proof-of-concept model checking of two realistic-size polyhedral models using PolyLogicA, the first-in-its-kind prototype implementation of the geometric model checking algorithm.
Further related work. The theoretical framework for spatial model checking of continuous space in the present paper is based on spatial models involving polyhedra (see also the work in [CM21], generalising the semantics of SLCS to a categorical setting based on hyperdoctrines). Polyhedra also play an important role in development of model checking algorithms for the verification of behavioural properties of real-time and hybrid systems (see for example [HH94, Alu11, BFGH17, Hen00, AGH+19] and references therein). In that context polyhedra, and their related notions such as template polyhedra [SDI08, BFGH17] and zonotopes [GL08], are obtained from sets of linear inequalities involving real-time constraints on system behaviour and are a natural representation of sets of states of such systems. In the present paper we focus on spatial properties of continuous space rather than behavioural properties. Topology and simplicial complexes also play an important role in the domain of geographic information systems (GIS). In that domain of application simplicial complexes are used as an efficient data structure to store large geospatial data sets [BBJ+20] in 2D or 3D. They also form the core of several important tools in this domain such as the GeoToolKit [BBB+04]. This could therefore be in principle another interesting domain of application for spatial model checking techniques, enriching the spatial query languages that are currently used in this database oriented domain.
Model Checking of simplicial complexes is also the topic of a recent, independently developed result by Loreti and Quadrini [LQ21]. Therein, a logic is defined, sharing similar syntax, but not its semantics, with the logic SLCS used in the present paper. More precisely, the domain upon which formulas are interpreted, are not (sets of) points in polyhedra, but rather (sets of) simplexes. This is reflected by the choice of the adjacency relation between objects giving rise to nearness and reachability. In contrast, the domain of interpretation of our spatial logic SLCS are points of topological spaces, with polyhedral atomic valuations, and reachability is the classical topological notion, defined via paths.
Looking at tools, perhaps closest to our work is the python library pymeshlab [MC21], which is able to programmatically modify 3D meshes based on pre-built operators (mostly traditional 3D imaging filters). Since also the selection of connected components is an operator of the library, we envisage that it could be possible, given an SLCS formula, to encode it as a python program containing pymeshlab functions, effectively using the library as a backend for VoxLogicA. Indeed, using such a library within the context of a traditional programming language does not lie at the same level of abstraction as using a simple declarative language such as SLCS, with automatic parallelisation, and automatic memoization (caching) of intermediate results, so a direct comparison of the library and our tool would be misleading.
Outline. Section 2 introduces the basic geometrical notions and notation. Section 3 recalls SLCS and provides its semantics on polyhedral models. Section 4 and Section 5 present the foundations for geometric model checking and the related model checker PolyLogicA, respectively, including two proof-of-concept examples on realistic size polyhedra. In Section 6 the concept of simplicial bisimilarity is introduced and it is shown that it characterises logic equivalence for SLCS formulas. Section 7 concludes the paper with an outlook for future work. Proofs of the most relevant theoretical results are reported in Appendix A.

Background
In this section, we establish the basic geometric notions that we use in this work. See [Mau80, Chapter 2] for more details on these matters. In particular, we recall simplexes and simplicial complexes. They are frequently used in, for example, computer graphics and simulation. Polyhedra are the set-theoretic union of simplicial complexes and form the spatial models for the polyhedra model checking approach proposed in subsequent sections.
The number d is called the dimension of σ and v_0, ..., v_d are called its vertices.
In Definition 2.1, any subset of {v_0, ..., v_d} is also a set of affinely independent points, and thus it spans a simplex τ: we call τ a face of σ (in symbols τ σ), and we call it a proper face if τ ≠ ∅ and τ ≠ σ.
Simplexes are, informally speaking, the simplest linear convex bounded shapes. A two-dimensional simplex is a triangle; a three-dimensional simplex is a tetrahedron, and so on. Note that the two-dimensional faces of a tetrahedron are triangles, whose sides are line segments (one-dimensional simplexes), whose faces (endpoints) are points (zero-dimensional simplexes).
Next, we identify the "internal part" of a simplex.
Definition 2.2 (Relative interior). In terms of the notation of Definition 2.1, let the relative interior of σ be the set σ := Note that if σ is non-empty then also σ is non-empty. For instance, $b_\sigma := \sum_{i=0}^{d} \frac{1}{d+1} v_i$ (i.e., the barycentre of σ) is an element of σ. In particular, the relative interior of a point p is p itself, and the relative interior of the empty simplex is the empty simplex itself.
We emphasize another interesting property, which follows from the definition of face and that of relative interior: Each simplex σ is partitioned by the relative interiors of its faces, that is, σ = { τ | τ σ}. For example, a triangle can be partitioned into its interior (an open triangle), three open segments (sides without endpoints) and the three vertices.
In this paper we adopt the Kuratowski axiomatic characterisation of topological spaces, based on the closure operator. We denote the latter by C. Given topological space (X, C) we let I denote the interior operator, i.e., the dual of C defined as I(A) = X \ C(X \ A) for all A ⊆ X. Finally, for X ⊆ X, the topological sub-space of (X, C) generated by X is the pair (X , C ), where C (A) = C(A) ∩ X for all A ⊆ X . For ease of notation, we will indicate the topological space (X, C) simply as X when no confusion arises.
Figure 1 (caption fragment): ... black. On the right, we highlight some of the faces of the simplicial complex, of dimension 2, 1 and 0 (the green triangle, blue segment and red point, respectively).
Figure 2: A graphical representation of a collection of simplexes (in 2D) not forming a simplicial complex. In particular, the collection of simplexes depicted consists of 6 points, 6 edges and 2 triangles. Notice that Condition (2) of Definition 2.3 is not respected: the intersection between the two triangles is not a simplex of the collection itself.
Simplexes are bounded, convex, compact subspaces of R^m [Mau80, Proposition 2.3.3]. Being subsets of an Euclidean space R^m, a simplex σ inherits the topological structure of the sub-space from R^m. Let us indicate by C_m the closure operator of R^m and by C_σ the induced closure operator on σ. Notice that, since σ is a closed subset of R^m, the closure of any subset A ⊆ σ is the same computed in both topologies, that is, C_m(A) = C_σ(A). An emblematic example is the closure of σ: C_σ( σ) = C_m( σ) = σ. However, the interior of a set may depend on the topology considered: for example, I_m(σ) is either σ if the dimension of σ is m, or the empty set otherwise. On the other hand, I_σ(σ) = σ, independently from the dimension. More complex spaces are obtained by "gluing" simplexes together.
Definition 2.3 (Simplicial complex). A simplicial complex K is a finite set of simplexes of R^m such that: (1) If σ ∈ K and τ is a face of σ, then τ ∈ K; (2) If σ, τ ∈ K, then σ ∩ τ is a face of σ and τ (possibly the empty simplex). Figure 1 illustrates an example of a simplicial complex K and highlights some of the simplexes comprising it. Figure 2 illustrates a collection of simplexes that does not form a simplicial complex. The dimension of K is the maximum of the dimensions of its simplexes, i.e., 2 in Figure 1. The face relation on simplexes is inherited by simplicial complexes in the expected way: the face relation on simplicial complex K is the union of the face relations on the simplexes composing K. Given simplicial complex K = {σ_1, ..., σ_n}, the polyhedron of K, denoted by |K|, is the set-theoretic union of the simplexes in K. Formally, $|K| := \bigcup_{i=1}^{n} \sigma_i$. Figure 3a shows a simplicial complex, which is a set of 11 elements: 4 points, 5 open segments and 2 open triangles. The set-theoretic union of these 11 simplexes is the square shown in Figure 3c, the corresponding polyhedron. Note that a different simplicial complex, shown in Figure 3b, has the same (underlying) polyhedron. As in the case of simplexes, the polyhedron |K| is a subset of the ambient space R^m and so inherits the topological structure of sub-space of R^m. Let us indicate with C_K the corresponding closure operator; notice that this operator only depends on the set |K|. A point of |K| may belong to several of the simplexes in K. However, there is a natural way to associate to each point of |K| the "smallest" simplex it belongs to.
Lemma 2.4. Each point of |K| belongs to the relative interior of exactly one non-empty simplex in K. That is, We call K a simplicial partition of |K|, and we call its elements the cells of the partition. Note that distinct simplicial complexes induce distinct partitions, even when they are associated to the same polyhedron, as shown in Figure 3. From now on, to ease readability, we fix a simplicial complex K, with the associated |K| and K. Finally, we recall the topological notion of path.
Definition 2.5. A topological path in a topological space P is a total, continuous function π : [0, 1] → P, where [0, 1] is equipped with the subspace topology of R.
With a mild abuse of notation, for S a subset of [0, 1] and π a path, we write π(S) to denote {π(x) | x ∈ S}.

Interpreting SLCS on Polyhedra
In this section we introduce the main theory driving our model checking approach to polyhedra. In the classical topological tradition, valuations of atomic propositions can be arbitrary subsets of the space. In this work, instead, we restrict our attention to a specific class of spatial regions, namely unions of cells of a fixed simplicial partition. This simple change makes it possible to define the spatial logic SLCS on continuous space, while retaining decidability of the model checking problem. First of all, we introduce the syntax of the variant of SLCS that we use in this paper, that is based on the binary modality γ instead of ρ of [BCLM19b]; the relationship between ρ and γ will be shown in Proposition A.1. Definition 3.1 (Syntax). The syntax of the logic SLCS is: where p is an atomic proposition, taken from a fixed finite set AP.
Thus, we enhance the basic modal logic with a spatial reachability operator γ.As in the standard topological semantics for modal logic, we interpret formulas as sets of points.
Boolean operators are given their standard set-theoretical interpretation; disjunction ∨ is derived via the De Morgan laws. The □ modality corresponds to topological interior I.
The formula γ(φ, ψ) ("reach ψ through φ") is satisfied by a point if there is a path rooted in that point, leading to a point satisfying ψ and whose intermediate points all satisfy φ. We provide a number of examples of the operators after presenting the models and formal semantics of the logic. In the following, we let P(P) denote the powerset of P. Definition 3.2 (Model). A Polyhedral Model is a triplet X = P, K, V , where P ⊆ R^d is a polyhedron, K is a simplicial complex such that P = |K|, and V : AP → P(P) is a valuation such that V(p) is a union of cells of K.
Polyhedral models are essentially topological models with some extra restrictions on the valuation: P plays the role of the topological space and V is used to interpret atomic propositions as specific subsets of this space, namely those that are the union of a finite number of simplicial cells. From now on, fix a polyhedral model X = P, K, V . Definition 3.3 (Semantics). Given x ∈ P, satisfaction X , x φ over formulas φ is given by the following inductive clauses, where we let φ X denote the set {x ∈ P | X , x φ}: The definition of the satisfaction relation for the standard operators of modal logic is the usual one for the classical topological interpretation. In particular, note the interpretation of □φ as the topological interior with respect to the topology of P = |K|, intuitively expressing that point x is in the "internal" part of the set of points satisfying φ. Notice that the closure operator C_P can be obtained as the dual of topological interior ◇φ = ¬(□¬φ). Figure 4 illustrates these operators and their combination applied on a simple polyhedral model. Regarding spatial reachability, a point x satisfies γ(φ, ψ) in model X if there is a path π rooted in x leading to a point y satisfying ψ; in addition, all the points that lie in π, except x and y, are required to satisfy φ. Indeed, several different variants of reachability could be defined using this operator.
As a prominent example, the reachability modality ρ ψ[φ] introduced in [BCLM19b], that we also employ to introduce some derived operators, can be defined as ρ ψ[φ] := ψ ∨ γ(φ, ψ). Actually, the two operators are inter-definable, by letting γ(φ, ψ) In this work we opt to use γ since, in the context of polyhedral models, its definition is more concise.
Another relevant spatial modality is the surrounded operator S (e.g., [CLLM16a, LPS20, TKG17, NBC+18] use it as a primitive of the language). A point x satisfies φ S ψ if it lies in an area whose points satisfy φ, and that is limited (i.e., surrounded) by points that satisfy ψ. In other words, it is not possible to exit this area without passing by a point satisfying ψ. Following [BCLM19b], we can define the operator S on polyhedral models in terms of ρ through the following expression:
Figure 5 (caption fragment): ... ) applied to the model in 5a. Note that these include points in the closure of the green area since the first point of the paths passing by green and reaching blue do not need to be green themselves. 5c) In orange: Points satisfying grow(r, g). Note that only the points corresponding to the red area and one green triangle in the model in 5a satisfy this formula. 5d) In orange: Points satisfying g ∧ γ(g, γ(b, r)); by nesting reachability, quite complex spatial formulas may be defined.
Some examples involving the reachability operator are shown in Figure 5. We refer to the caption of that figure for more detailed explanation. Notably, we illustrate the derived operator grow(a, b), that also played an important role in the brain tumour segmentation procedure presented in [BCLM19b]. The operator grow is reminiscent of the technique of region growing in Medical Imaging, and it is used to characterise those areas of space satisfying b that are in contact with areas of space satisfying a, or, in other words, the operator lets a "grow" inside b (and no further). The formal definition is grow Note that the same polyhedron P can be associated with different simplicial complexes: our semantics is not sensitive to such presentational ambiguity in the description of P. This is because, although we need to specify K to spell out the restriction on the range of V, K itself does not play a role in the semantics, as shown in the following proposition.
Lemma 3.4. Let X = P, K, V and X = P, K , V be two models sharing the same P and V. For each x ∈ P and φ we have: X , x φ ⇐⇒ X , x φ.
Therefore, for the sake of readability, we will sometimes indicate a polyhedral model with the notation X = P, V , abstracting from the particular choice of K. Nevertheless, we require V to range over unions of cells of some polyhedral partition, thus restricting the semantics to spatial regions definable in terms of polyhedra.We will call a simplicial complex K as in Definition 3.2 coherent with the model X = P, V .
We mentioned that employing polyhedra allows for a finitary treatment of the semantics. The following results are essential to formalize this intuition, which will be further investigated in Section 4. Definition 3.5. Let X = P, V be a polyhedral model. Logical equivalence ≡ is the binary relation on P such that x ≡ y if and only if, for every formula φ: X , x φ ⇐⇒ X , y φ. Lemma 3.6. Let X be a polyhedral model and K a simplicial complex coherent with X. Then for each cell σ ∈ K and x, y ∈ σ we have x ≡ y.
In particular, for every formula φ, φ X is a (finite) union of cells of K. Proposition 3.7. Given a polyhedral model X, the relation ≡ has only finitely many equivalence classes. Furthermore, each equivalence class C has a characteristic formula φ_C such that X , x φ_C ⇐⇒ x ∈ C.
The above facts are also useful to prove an interesting feature of polyhedral models, namely that the □ modality can be considered a derived operator, since it is expressible using γ. This considerably simplifies proofs.
Another property of polyhedral models which turns out to be fundamental in this work is that we can restrict our attention to a special class of paths, rather than arbitrary paths, to study the reachability operator γ: piecewise linear paths. Definition 3.9 (PL-path). We call a path π : [0, 1] → P piecewise linear (or simply PL-path) if there exist values r_0 = 0, r_1, ..., r_k = 1 such that for every i = 0, ..., k − 1 and t ∈ [0, 1]: Figure 6 shows two examples of piecewise linear paths. We indicate that a path is piecewise linear with the notation π : [0, 1] P L → P. Intuitively, a PL-path is obtained by connecting a finite number of segments and parametrizing them in a suitable way. Even if PL-paths are much simpler than arbitrary paths, when it comes to connectivity in polyhedral models the two classes are interchangeable, as shown in the following lemma.
Lemma 3.10. Let K be a simplicial complex and x, y ∈ |K|. Then there exists a path in |K| from x to y if and only if there is a PL-path in |K| from x to y. Using the previous result, we can give an alternative semantic characterization of the reachability operator, which is relevant for the proofs of decidability of model checking (Section 4) and the characterisation of logical equivalence via bisimilarity (Section 6).
We conclude this section by pointing out an interesting property of PL-paths in connection to simplicial complexes. By definition, PL-paths are obtained by concatenating a finite number of line segments, but in general each segment might traverse different cells of the simplicial complex K. However we can give an alternative decomposition of these paths so that each portion is fully contained in a unique cell; paths that admit such a decomposition are called simplicial paths. Definition 3.12. A path π : [0, 1] → P is simplicial if and only if there is a finite sequence s_0 = 0 < ... < s_k = 1 of values in [0, 1] and cells σ_1, ..., σ_k ∈ K such that, for all i = 1, ..., k, we have π(( Notice that the property of being simplicial depends on the simplicial complex K, since a path might be simplicial with respect to a certain triangulation of P, but not with respect to another. For PL-paths, this property holds independently from the simplicial complex considered.

Geometric Model Checking
Given a polyhedral model X, this section is devoted to identifying a corresponding Kripke-style, finite model M(X). Notably, M(X) is also a topological model in the sense of [BB07] when equipped with the Alexandrov topology, and it is a quotient of X that preserves and reflects the semantics of each formula. The goal of this section is to extend the standard Kripkean semantics of modal logic to the language of SLCS, by defining a suitable semantics for γ and by showing that X and M(X) are logically equivalent, in the sense that, for all x ∈ X and for all formulas Φ, letting σ be the only cell such that x ∈ σ, we have: X, x |= Φ if and only if M(X), σ |= Φ. To do so, we introduce a suitable notion of path in M(X) corresponding to a simplicial path in X. Model checking on X can then be carried out using M(X). Definition 4.1. Given a polyhedral model X = P, K, V , we define the Kripke model M(X) = K, , V , where • K is the simplicial partition of |K| generated by K, as defined in Lemma 2.4, where is the face relation of the simplicial complex K.
Notice that, since is reflexive, anti-symmetric and transitive, then so is . An example of a 2D polyhedral model together with its corresponding Kripke model M(X) is depicted in Figure 7 (where reflexive and transitive relations are omitted). Each cell is identified by the vertices of the corresponding simplexes indicated in the polyhedron on the left in Figure 7.
Such Kripke models can be depicted as a number of rows. The nodes in the bottom row represent the zero-dimensional cells (i.e., the vertices), the middle row the one-dimensional ones (i.e., the line segments) and the top row the two-dimensional cells (i.e., the triangles). To represent 3D polyhedral models we would have one more row representing the three-dimensional cells (i.e., tetrahedrons), and so on for higher dimensions. We emphasize that M(X), although disregarding much of the information about a polyhedral model (e.g., the position and size of the simplexes), encodes all the information which is expressible using SLCS, while being a finite (thus computationally tractable) representation of X.
By definition of the relation , we have that for two different cells σ_1 and σ_2, σ_1 σ_2 entails that the two cells are spatially adjacent; more precisely, σ_1 is part of the boundary of σ_2. This becomes particularly relevant when studying PL-paths in P. In fact, a PL-path can transit between two different cells σ_1 and σ_2 only if either σ_1 σ_2 or σ_1 σ_2 holds. Based on this intuition, the next definition introduces special paths on these Kripke models corresponding to PL-paths on the polyhedron. Definition 4.2 (±-path). Given a polyhedral model X, with M(X) = K, , V as in Definition 4.1, let ± be the relation ∪ . We say that π : {0, ..., k} → K is a ±-path (and we indicate it with π : {0, ..., k} Intuitively, a ±-path π represents the cells traversed by a PL-path π in P; π(0) is the cell containing the first point π (0) of the PL-path π ; π(1) is the cell containing the next portion of PL-path π , i.e., the image via the PL-path π of an interval of the form (0, s) or (0, s], for some s, and so on, up to cell π(k) that contains the end-point π (1) of the PL-path π . An example of a PL-path and its corresponding ±-path is shown in Figure 8. Notice that the first step π(0)π(1) in the ±-path π reflects the move from the starting point in the PL-path to the subsequent segment on the PL-path in polyhedron P. The starting point must obviously be 'connected' to this subsequent path segment. This is only possible if the starting point is in the closure of the cell that contains the interval, in other words, π(0) π(1), that is π(0) must be on the boundary of C_P(π(1)). Moreover, if π(0) = π(1), then, depending on the dimension of the cell containing the starting point, the subsequent portion of the path can be in the same cell as the starting point. This is for example the case in path y in Figure 6. Obviously, the path segment following the starting point cannot be part of a cell that, in the poset, is strictly below the cell containing the starting point, because then the point and the segment cannot be connected to each other. A similar situation holds for the end-point of the PL-path and the last segment of the path leading to it. In that case the end-point should be in a cell that is in the closure of the cell containing the last segment of the PL-path before reaching the end-point, in other words, π(k − 1) π(k). Figure 6 illustrates this situation in both path x and path y for different situations.
Figure 8: On the left, a PL-path π (in blue); on the right, the corresponding ±-path π (again in blue). Only π (0) belongs to the simplex AB and the path enters immediately into the cell ABC: this is possible since AB ABC. Likewise, the path ends with a transition from the cell BCD to D, which is possible since BCD D. These are exactly the requirements on the first and last steps of a ±-path.
We are now ready to define the formal semantics of SLCS on M(X ).
Definition 4.3 (SLCS semantics on M(X)). Consider M(X) = K, , V. Given σ ∈ K, satisfaction M(X), σ φ over formulas φ is given by the following inductive clauses, where we let φ M denote the set { σ ∈ K | M(X), σ φ}:
The clauses for the Boolean operators and for □ are the standard interpretation of modal formulas on Kripke models (and on topological spaces, via the Alexandrov topology, see [BB07]). In the semantic clause for γ we use ±-paths since, as previously pointed out, these paths naturally correspond to PL-paths and Lemma 3.11 allows us to restrict our attention to this class of topological paths. We can give an example of this correspondence based on Figure 8: the PL-path π (on the left) witnesses that x ∈ γ(r, ¬(r ∨ g)) X, and the corresponding ±-path π (on the right) witnesses that AB ∈ γ(r, ¬(r ∨ g)) M.
The following theorem shows that this correspondence holds for every formula of the logic.
Theorem 4.4. Let X = P, K, V be a polyhedral model and x a point of P. Let σ ∈ K be the unique simplex such that x ∈ σ. For every formula φ of SLCS we have X, x φ ⇐⇒ M(X), σ φ.
4.1. Geometric Model-checking Algorithm. We briefly present the main aspects of the geometric model checking algorithm for SLCS over polyhedra. The model checking algorithm takes as inputs a Kripke model M(X) of polyhedron X and an SLCS formula φ. The output is the satisfaction set Sat(φ) = { σ ∈ K | M(X), σ φ} = φ M of nodes in the model M(X) that correspond to the set of cells in X that satisfy formula φ, i.e., the algorithm is a global model checking algorithm. The satisfaction set Sat is defined recursively on the structure of SLCS formulas in the usual way (see for example [BK08]). The algorithms for the Boolean operators are straightforward, and thus omitted. The algorithm for the □ operator takes a set Sat(φ) = φ M and computes the corresponding satisfaction set Sat(□φ) = □φ M = { σ ∈ Sat(φ) | out( σ) ⊆ Sat(φ)}, where out( σ) is the out-neighbourhood of σ, i.e., out( σ) = { τ | σ τ }. We omit a detailed description of the algorithm, since it only involves basic set-theoretic operations. We give a more detailed description of the algorithm for the spatial reachability operator γ that, given Sat(φ) = φ M and Sat(ψ) = ψ M, computes the satisfaction set Sat(γ(φ, ψ)) = γ(φ, ψ) M.
The semantics of γ, as of Definition 4.3, is computed via a variant of the flooding procedure that was already successfully employed in our previous work on point-based spatial model checking algorithms [CLLM16a, CGL+15, Gri16], retaining its asymptotic complexity (in the geometric case linear in the number of nodes in M(X)).
The pseudo-code with comments is reported in Algorithm 4.5. In the code, we make use of the additional operators on cells out (previously introduced) and in, the in-neighbourhood, defined as in( σ) = { τ | σ τ }. Both operators are lifted to sets in the obvious way. Therein, for brevity, we call a ±-path π a "good" path if it is witnessing the formula γ(φ, ψ), i.e., the path must map (0,1) to φ M and {1} to ψ M. Figure 9 shows a step-by-step example of an execution of the flooding algorithm described in Algorithm 4.5 for the property γ(r, g), where r denotes red and g denotes green, in the polyhedral model and corresponding Kripke model shown in Figure 9a. Recall that the definition of the reachability operator γ states that the first point of the paths passing by red and reaching green does not need to be red itself, which explains why also point B is included in the results.
We include a concise proof of the correctness of the algorithm.
Correctness, sketch. To be consistent with the comments in the pseudo-code, we keep calling a ±-path π : {0, ..., k} → K witnessing the satisfaction of γ(φ, ψ) a "good" path. First, notice that we can divide a good path into three parts: the initial point π(0), the points on the central segment π({1, ..., k − 1}) all satisfying φ and the final point π(k) satisfying ψ. To compute the set γ(φ, ψ) M we work "backwards" from an initial set of nodes that satisfy φ and that have an outgoing edge to a node satisfying ψ. So, first, we compute the set C := φ M ∩ out( ψ M ) (the cells corresponding to nodes with index π(k − 1) on some good path π). Then we use a standard flooding procedure to build the set D of the nodes of the graph that are connected to C via a non-directed path, i.e., abstracting from the direction of the edges, passing only through nodes satisfying φ M (these correspond to the cells of the form π(j), with j = 1, ..., k − 1, for any good path π in the polyhedron). Finally we compute the set γ(φ, ψ) M = in(D) (the cells corresponding to the initial nodes of good paths, i.e., π(0) for any good path π).

Computational Complexity.
In what follows, we indicate by n the number of cells of K and by d the dimension of K, that is, the maximum dimension of a simplex σ in K. Therefore, the number of nodes of the encoding M(X) is n. Each simplex σ having dimension d_σ ≤ d has d_σ + 1 vertices. Furthermore, in the graph encoding K, the in-neighbourhood of each σ ∈ K is precisely the set of the proper faces of σ, having cardinality $2^{d_\sigma+1} - 1$. By this, the total number of edges of M(X) is at most $n \cdot (2^{d+1} - 1)$. We let N be the size of this encoding, that is, the sum of the number of nodes and edges, which is at most equal to n Note that the complexity of our encoding grows exponentially in d if d is not fixed. The design space for algorithms that scale better with d, possibly exploiting specialised data structures (see, e.g., the recent work [BM14]) will be explored in future research, depending on the considered use case. In the case under consideration (i.e., 3D meshes) we have the fixed dimension d = 3. Therefore the "exponential" contribution of d to the computational complexity becomes a constant. In other words, when the dimension d is fixed, as in 3D meshes, the size of M(X) is of order O(n).
Figure caption (fragment): For each subfigure the value of the relevant variables at the end of the computation step are indicated and illustrated in corresponding colours in both models (blue for frontier, orange for flooded and purple for result).
Note that the flooding procedure (Algorithm 4.5) has linear computational complexity in the number of nodes and edges of M(X), that is, N. The computation of the Boolean operators and of the □-operator are also linear in N. As in [CLLM16a], since each subformula is checked independently from the others, the asymptotic computational complexity of the model checking algorithm is of order O(N · h), where h is the cardinality of the set of subformulas of the SLCS formula to be checked.
As remarked before, once the dimension d of the image is fixed the exponential contribution of d to the computational complexity is negligible and therefore the total complexity of the spatial model checking algorithm is of order O(n · h).
Finally, we briefly address the complexity of the encoding. In the current prototype implementation of the model-checking algorithm (see Section 5 for further details), the input polyhedron is described by a list of n simplexes with maximum dimension d, each one being represented by a list of vertices. To compute the Kripke frame of Definition 4.1 from this description, an explicit enumeration is performed of the subsets of each simplex, incrementally building the arrays of out- and in-neighbourhoods. This results in a time complexity in O(N), which becomes O(n) once the dimension d is fixed. Therefore, for d fixed, the total complexity (encoding plus model checking) is in O(n · h).
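The subset-enumeration encoding described above and the backward flooding outlined in the correctness sketch, as an added Python example; it is not the paper's Algorithm 4.5 nor PolyLogicA's F# code. It assumes that out(σ) holds the cells having σ as a proper face and in(σ) the proper faces of σ, with each cell itself added when a neighbourhood is lifted to a set; the three-triangle model and its colouring are constructed for the illustration.

```python
from collections import deque
from itertools import combinations


def cell(name):
    """A cell is identified by its vertex set, e.g. cell("ABC") for a triangle."""
    return frozenset(name)


def build_kripke(simplexes):
    """Enumerate the non-empty vertex subsets of every listed simplex (the cells)
    and fill in the neighbourhoods of each cell.
    Assumption: in_[c] = proper faces of c, out[c] = cells having c as a proper face."""
    in_, out = {}, {}
    for simplex in simplexes:
        verts = sorted(set(simplex))
        for r in range(1, len(verts) + 1):
            for sub in combinations(verts, r):
                in_.setdefault(frozenset(sub), set())
                out.setdefault(frozenset(sub), set())
    for c in in_:
        for r in range(1, len(c)):
            for sub in combinations(sorted(c), r):
                face = frozenset(sub)
                in_[c].add(face)
                out[face].add(c)
    return out, in_


def lift(nbr, cells):
    """Lift a neighbourhood to a set of cells, keeping the cells themselves
    (assumption: the underlying order is reflexive)."""
    lifted = set(cells)
    for c in cells:
        lifted |= nbr[c]
    return lifted


def sat_box(out, sat_phi):
    """Sat(box phi): the phi-cells all of whose out-neighbours satisfy phi."""
    return {c for c in sat_phi if out[c] <= sat_phi}


def sat_gamma(out, in_, sat_phi, sat_psi):
    """Sat(gamma(phi, psi)) computed backwards from the psi-cells."""
    # Seeds: phi-cells that are, or have as a face, a psi-cell
    # (the cells pi(k-1) of good paths).
    flooded = sat_phi & lift(out, sat_psi)
    frontier = deque(flooded)
    # Flood through phi-cells, ignoring the direction of the edges
    # (the cells pi(1), ..., pi(k-1) of good paths).
    while frontier:
        c = frontier.popleft()
        for n in (out[c] | in_[c]) & sat_phi:
            if n not in flooded:
                flooded.add(n)
                frontier.append(n)
    # Result: the flooded cells and their faces (the cells pi(0) of good paths).
    return lift(in_, flooded)


# Constructed model: triangles ABC and BCD share the edge BC;
# triangle AEF touches ABC only at the vertex A.
SIMPLEXES = ["ABC", "BCD", "AEF"]
RED = {cell("ABC"), cell("BC"), cell("BCD")}  # constructed valuation of r
GREEN = {cell("D")}                           # constructed valuation of g


def names(cells):
    """Readable, deterministically ordered cell names."""
    return sorted(("".join(sorted(c)) for c in cells), key=lambda s: (len(s), s))


def reach_green_through_red():
    out, in_ = build_kripke(SIMPLEXES)
    return names(sat_gamma(out, in_, RED, GREEN))


if __name__ == "__main__":
    print(reach_green_through_red())
```

Uncoloured cells such as A and AB appear in the result because they lie on the boundary of a flooded red cell, while the cells of AEF other than A do not.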

PolyLogicA: a Model Checker for Polyhedra
Based on the theory and the model checking algorithm presented in Section 4, we developed the prototype model checker PolyLogicA: a Polyhedral Logic-based Analysis tool. The model checker is implemented in the functional language FSharp. PolyLogicA is Free and Open Source Software, distributed under the Apache 2.0 license. Currently PolyLogicA represents a polyhedral model X through an explicit encoding of the Kripke model M(X) according to Definition 4.1. The encoding is stored as a graph having the cells as nodes and with the covering relation of as the edge relation. The current implementation stores the out-neighbourhood and the in-neighbourhood of each node σ in two separate arrays, allowing access in constant time to these sets.

Functional description.
A PolyLogicA specification consists of a text file that can make use of four commands: let, for declaring functions and constants; import, for importing libraries of such declarations; load, to specify the file to be loaded as a model; save, to specify the logic formulas that need to be computed, and saved, possibly making use of previous let declarations.
Models are required to be based on a fixed simplicial complex. The given simplicial complex constitutes the subspace of R^d that is explored by the tool. Thus, one needs to explicitly include, in the input model, the "environment" in which the objects live. As an example, consider the simplicial complex depicted in Figure 4. The semantics of the formula φ = g ∨ r ∨ b is indeed the set of points S that belong to the whole coloured triangle (made up of four smaller ones).
The file describing the input model uses a custom json-based format. The information contained in the file consists of: a list p of d-dimensional vectors, denoting the coordinates of the 0-cells of the polyhedron; a list of atomic proposition identifiers; a list of simplexes. Each simplex is specified by the list of the indexes of its vertices in p, and its specification also contains the list of atomic propositions holding at the cell corresponding to the simplex.
Logic formulas are just a concrete syntax for SLCS as presented in Section 3. Currently, PolyLogicA does not implement additional extra-logical operators (contrary to VoxLogicA, which also implements imaging primitives). PolyLogicA is in spirit a global, explicit-state model checker, that is, the set of simplexes satisfying a given formula is computed and returned at once. The output of the model checker is a list, in json format, containing an element for each formula φ that the specification requires to be checked. Each element of such list contains in turn a list representing the truth values of φ at each point (cell) of the input model. Finally, a simple 3D, web-based visualizer has been implemented along with the prototype (see the screenshot in Figure 5.4.2), which will be refined in future work.

Implementation Details. The current version of PolyLogicA has been implemented sharing part of the code base for point-based spatial model checking with VoxLogicA. PolyLogicA inherits from its parent tool the multithreaded, memoizing computation engine, and the parser for the input language of the tool. Basically, after expanding let bindings, each formula is converted into a directed acyclic graph where nodes are tasks, and arcs are dependencies. Each task is a basic logical primitive, to be applied to specific arguments. Task A depends upon task B if and only if the result of B is an argument of A. The implementation guarantees that, while being constructed, such data structure is kept minimal in the sense that the same primitive on the same arguments will never be added twice to the graph, thus implementing memoization at a syntactic level, without the need to hash possibly large sets of states at run-time. After having been constructed, the task graph is executed in parallel as much as possible, exploiting the available CPU cores.
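The task-graph construction described above, as an added Python example; it is not code from PolyLogicA or VoxLogicA. The tuple encoding of formulas, the `TaskGraph` class, the `levels` grouping of tasks that could run concurrently, and the three let-bindings are assumptions made for the illustration (the bindings are constructed, not the definitions of Figure 12).

```python
class TaskGraph:
    """Tasks are (primitive, arguments) pairs; identical pairs share one node."""

    def __init__(self):
        self.tasks = []   # task id -> (primitive, args)
        self.index = {}   # (primitive, args) -> task id

    def add(self, primitive, *args):
        key = (primitive, args)
        if key not in self.index:   # memoization on syntax, not on computed state sets
            self.index[key] = len(self.tasks)
            self.tasks.append(key)
        return self.index[key]

    def dependencies(self, task_id):
        """Ids of the tasks whose results are arguments of this task."""
        primitive, args = self.tasks[task_id]
        return () if primitive == "ap" else args

    def levels(self):
        """Group tasks by depth; tasks in one group do not depend on each other."""
        depth = []
        for tid in range(len(self.tasks)):   # ids are already in dependency order
            deps = self.dependencies(tid)
            depth.append(1 + max(depth[d] for d in deps) if deps else 0)
        groups = [[] for _ in range(max(depth, default=-1) + 1)]
        for tid, d in enumerate(depth):
            groups[d].append(tid)
        return groups


def compile_formula(graph, formula, bindings):
    """Expand let-bound names, then add one task per distinct subformula."""
    if isinstance(formula, str):
        if formula in bindings:
            return compile_formula(graph, bindings[formula], bindings)
        return graph.add("ap", formula)   # atomic proposition
    primitive, *subformulas = formula
    args = [compile_formula(graph, f, bindings) for f in subformulas]
    return graph.add(primitive, *args)


def tree_size(formula, bindings):
    """Number of primitive applications if nothing were shared."""
    if isinstance(formula, str):
        return tree_size(bindings[formula], bindings) if formula in bindings else 1
    return 1 + sum(tree_size(f, bindings) for f in formula[1:])


# Constructed let-bindings in the vocabulary of the maze example.
BINDINGS = {
    "walkable": ("or", "white", "corridor"),
    "toGreen": ("through", "walkable", "green"),
    "noGreen": ("and", "walkable", ("not", "toGreen")),
}


def compile_spec(saved=("toGreen", "noGreen")):
    graph = TaskGraph()
    roots = [compile_formula(graph, name, BINDINGS) for name in saved]
    return graph, roots


if __name__ == "__main__":
    graph, roots = compile_spec()
    for tid, task in enumerate(graph.tasks):
        print(tid, task)
    print("roots", roots, "levels", graph.levels())
```

The two saved formulas expand to 15 primitive applications as trees but only 7 tasks in the shared graph.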

5.3. A Visualiser for PolyLogicA. In addition to the polyhedra model checker we developed PolyVisualiser, a prototype polyhedra visualiser. The user interface of the visualiser is shown in the screenshots in Figure 10. The visualiser is an interactive tool with which polyhedra can be explored from different perspectives by means of the mouse or another pointing device. The tool allows the user to zoom in and out on the visualised model, to translate it rigidly and to turn it around a fixed point. The main purpose of the visualiser is to inspect the result of spatial properties that were checked using PolyLogicA. From a pop-up menu, shown on the right of the screenshot, a property can be selected and from further menu items one can select the way in which the results of the evaluation of the property will be visualised. For example, in the screenshot in Figure 10 the cells that satisfy the selected property are shown in green and the cells that do not satisfy the property are shown in red. Also the degree of transparency of the colours can be set, thus facilitating the inspection of the interior of 3D objects. Cells that are points or line segments or triangles are coloured in a direct way. Since solid components are covered by triangles, tetrahedra are reduced in size and coloured without transparency to facilitate their inspection. Moreover, the relative size of tetrahedra can be manipulated in real time through the appropriate control panel.
Figure 10: Visualiser for PolyLogicA: Model of a simple cube showing cells satisfying the atomic propositions "p" and "q" in green ((10a) and (10b), respectively) and model checking result (in green) of cells satisfying "grow p with q" (10c).
In the following sections PolyVisualiser is used to illustrate two examples of realistic size.In those examples, rather than using the colour green for cells in the polyhedron that satisfy the selected formula and the colour red for those cells that do not satisfy the formula, we will use different levels of transparency while retaining the original colour of the cells.Cells that satisfy the selected property are shown in their original colour but made less transparent (i.e., more opaque) than cells that do not satisfy the property.This way the contours of the complete model are preserved and may serve as a visual reference framework for the interpretation of the 3D spatial model checking results which pop-out as opaque objects as shown in Figure 14.

Proof of Concept Experiments.
In order to obtain a first impression of the actual feasibility of our (first-in-its-kind) geometric model checking approach we present two examples: one involving the analysis of a 3D maze (generated by the authors) and one involving the analysis of an existing mesh model of the anatomy of the human body. Both examples are analysed with PolyLogicA and we show screenshots of the PolyVisualiser to illustrate the results. The results are also made available online for inspection in an interactive way.

5.4.1. A 3D Maze. The first example concerns a 3D maze. The maze, shown in Figure 13a, consists of "rooms" that are connected by "corridors". The rooms come in four colours: white, black, green and one room in red. The green rooms are all situated at the outer boundary of the maze and represent the surroundings of the maze that can be reached via an exit. The white, black and red rooms, and related corridors, are situated inside the cube and form the maze itself. Figure 13b shows all the white and black rooms. Figure 13c shows the red room situated at the centre of the maze. All corridors between rooms are dark grey. The valid paths through the maze should only pass by white rooms (and related corridors) to reach a green room without passing by black rooms or corridors that connect to black rooms.
Typical spatial queries or properties that are of interest for such a maze are:
Q1: Which are the white rooms and connecting corridors from which one can reach a green room (i.e., an exit) without having to pass by a black room? Show those white rooms, the related corridors and the green exit.
Q2: Which are the white rooms and connecting corridors from which both a green room (exit) and a red room can be reached, without having to pass by black rooms (and related corridors)? Show those white rooms, the related corridors, the green exit and the red room.
Q3: Which are the white rooms (and related corridors) from which it is not possible to reach a green room without having to pass by a black room?
Figure 12 shows the specification of the above properties in a syntax close to the spatial logic introduced in Section 3. This syntax is shared with that of VoxLogicA (see [CBLM21] for a tutorial) and is mostly self-explanatory. The boolean operators are | (or), & (and), ! (not). The spatial reachability operator γ is denoted by the keyword through. The surround operator sur is implicitly defined in terms of the operator through according to its definition provided in Section 3. In the first line of Figure 12, the model file is loaded. In lines 4 to 7 atomic propositions are defined for the simplicial cells of the various coloured rooms. In line 8, the atomic proposition of cells belonging to corridors is defined. These definitions make direct reference to the information stored in the elements of the model file, in json format, representing the cells of the polyhedron model. In particular, ap denotes an atomic proposition associated with such elements.
In line 11, a simple application of these atomic propositions is defined. The property blackOrWhite is satisfied by all cells of black rooms and those of white rooms. The result of this property can be saved (as shown in line 44) and used by PolyVisualiser to visualise the outcome. The saved file essentially consists of a list of booleans indicating for each cell whether it satisfies the property. The result is shown in a screenshot of the visualiser in Figure 13b where the cells that satisfy the property are opaque and all the others almost transparent. Similarly, in Figure 13c the cells that satisfy the atomic proposition red are shown.
Lines 14 to 20 define properties to distinguish different kinds of corridors. In particular, corridors that connect white rooms (corridorWW), those between white and green rooms (corridorWG), those between white and red rooms (corridorWR) and those between white and black rooms (corridorWB). These will turn out useful in the specification of the three properties Q1, Q2 and Q3. A point satisfies corridorWW if it (lies in a cell that) belongs to a corridor (i.e., a cell satisfying corridor) and from which only white rooms can be reached via the corridor itself (i.e., only cells satisfying white but neither green, nor black, nor red can be reached from cells of the corridor).
Figure 11: SLCS formulas expressing properties Q1, Q2 and Q3; atomic proposition letters G, W, B, R, C are assumed given and their meaning is the obvious one (C for "corridor", G for green and similarly for the other colours).
In lines 24 and 27 property Q1 is specified as whiteToGreen. It is expressed in terms of the through-operator (γ). It says that we want all (cells of) white rooms, corridors between white rooms and corridors between white and green rooms by which one can reach a green room, i.e., without passing by black rooms or corridors connected to black rooms. If we also want to include the green room that is being reached in the set of results we have to add it, as is done in line 27 in connWG, leading to all cells satisfying whiteToGreen and the (cells of) green rooms from which cells satisfying whiteToGreen can be reached. Cells satisfying connWG are shown in their original opaque colour in Figure 14a. Cells that do not satisfy the property are shown in a transparent manner. Note that, in general, the through(x,y)-operator would also admit satisfaction by cells that are adjacent to those satisfying x in that case, as shown in the example of Figure 5b. In the model of the maze rooms and corridors do not have such adjacent cells. However, in general one could consider the use of (x | y) & through(x,y) to make sure that only cells satisfying at least x or y are part of the result. The choice for the particular definition of through (and γ) has been motivated by the fact that it poses minimal restrictions. More restricted variants can be easily defined based on through. This would not be the case if one opts for a less basic definition of through.
In line 30 property Q2 is specified as connRWG. In this case we are looking for white rooms and related corridors from which both a green room and a red one can be reached, and we also want to include in the result such red and green rooms. The specification makes use of connWG and allows passing by corridors connecting white rooms to red rooms corridorWR. The result is shown in Figure 14b.
In line 34 property Q3 is specified as whiteNoGreen. In this case we are looking for white rooms and related corridors from which it is not possible to reach a green room without passing by a black room. This can be specified as white rooms and corridors between white rooms that are not satisfying whiteToGreen (i.e., property Q1 above). The same property could also be specified in an alternative way making use of the surround operator sur defined in lines 37-38. In that case these cells are characterised as those belonging to white rooms and corridors between white rooms that are completely surrounded by corridors leading only to black rooms in specification whiteSblack in line 41. The result is shown in Figure 14c. Finally, in line 44 an example is shown of saving a particular result, in this case that of property blackOrWhite. Saving the other results can be performed in a similar manner and is not shown in the specification.
For completeness, in Figure 11, the SLCS formulas expressing properties Q1, Q2 and Q3 are shown.
Table 1 shows information on the model checking time for the properties Q1-Q3 individually and when evaluated all together. Also the total time is shown that includes the parsing of the model, the generation of the Kripke model and the actual model checking time. It is easy to see that most of the time goes in preparing the model (4 seconds for parsing and 1 second for building the Kripke model) rather than the actual model checking which only takes a few hundred milliseconds. This is very encouraging, because it means that the actual model checking procedure is not the bottleneck and we are confident that more efficient parsing and Kripke model generating procedures can be found than the non-optimised ones we used for this first proof-of-concept set-up. Work on such optimisations is planned as part of future work. Note also that it is possible to verify several properties at once in which case the Kripke structure needs to be generated only one time. In future work an option could be to enable saving and loading such Kripke structures once they have been generated in order to reduce the total time needed for analysis. The evaluation was performed on a desktop machine equipped with an Intel core i9 9900k cpu and 32Gb of RAM.
Even though the 3D maze example seems simple, the fact that examples like this can be generated in various forms makes it a promising example for a future benchmark. The example lends itself for endless variations in size and shape of the maze, introducing "holes" or forms of "rings". Setting up a suitable benchmark for geometric model checking of polyhedra is planned as part of future work.
5.4.2. Digital Anatomy. In the second example we apply PolyLogicA on an existing 3D mesh from the medical domain with the aim to assess the feasibility of the geometric model checking approach on existing meshes of realistic size. The mesh visualised in Figure 16(a) consists of about 1.5 million simplicial cells. A custom converter has been implemented to obtain a model file in json format from the input obj mesh;¹³ the atomic propositions used are strings of the form "Ci" for C in {r, g, b} (standing for red, green, blue) and i an integer between 0 and 3. Each such atomic proposition denotes the intensity level at each point of the red, green or blue component of the colour vector associated to the simplicial cell, with intensities quantised to four discrete target levels indicated by the integers.
Figure 14: Spatial model checking results of the properties in Figure 12 for the 3D maze of Figure 13. Q1: White rooms and their connecting corridors from which a green room can be reached not passing by black rooms, including the green room that is reached (connWG); Q2: White rooms and their connecting corridors from which both a red and a green room can be reached not passing by black rooms (connRWG); Q3: White rooms and their connecting corridors with no path to green rooms (whiteNoGreen or equivalently whiteSblack).
Based on such atomic propositions, it is possible to encode spatial properties involving approximations of the colour gradients¹⁴ that are visible in the rendered mesh. Using the specification of spatial properties shown in Figure 15, we have checked the properties heart
¹³ Wavefront obj is a widely used file format for 3D meshes. See https://en.wikipedia.org/wiki/Wavefront_.obj_file
¹⁴ This type of mesh has colours associated to vertices, and no textures. In future versions of the tool we plan to encode colour intervals in the logic, in a similar way as has been done in the parent tool VoxLogicA.
The syntax of the specification is the same as the one explained in the 3D maze example. Some definitions (e.g., spleenWithError) need to handle errors in the segmentations due to the usage of quantised colours leading to somewhat loose approximations; this is no problem for our purposes, as in this example we merely want to illustrate a first feasibility test and performance of the tool on existing meshes. After loading the model file (line 1), in the specification first some areas are identified based on their approximative colour (lines 3-8).
In particular, a blueish colour is defined as a combination of the blue and red intensity levels.
The core of the spleen can be found in a similar way, as well as an over-approximation of the spleen by a relaxation of the constraint on the level of red. Heart, spleen or kidneys are identified by a particular combination of the levels of red and green. This simple first approximation is then used to identify the individual organs exploiting, for example, the knowledge that veins are blueish and leading to the core of the spleen (line 10, definition vein). The spleen itself is first approximated by spleenOver, an over-approximation of the spleen that touches the veins, but may have some overlap with the heart. Recall here that the through-operator may be satisfied by some points (cells) that do not satisfy spleenOver (see the example in Figure 5b).
The heart is specified as that part of heartOrSpleenOrKidneys that is not part of the over-approximated spleen that can reach a vein spleenWithError, but can reach a vein by itself. Subsequently, the spleen can be characterised more precisely by excluding the points belonging to the heart (line 12). Finally, the reachability operator through is used (line 14) to identify the veins that reach the spleen but not the heart.
We have tested the specification using PolyLogicA on a desktop machine equipped with an Intel core i9 9900k cpu and 32Gb of RAM.¹⁵ Three models have been used: the original one, and two versions that have been obtained by simplifying the original mesh, using a built-in algorithm in MeshLab [CCC+08]. The number of tasks executed (the nodes of the directed acyclic graph described in Section 5.2, that is, the cardinality of the set of subformulas) is 33. Table 2 reports the model size and the execution time, broken down into parsing of the json model file, computing the Kripke structure, and actual model checking. Note that parsing a terse textual format for such large objects is time consuming, and ought to be replaced in future work by functions to load and save more specific mesh-based file formats. However, in the meantime, we find these results particularly encouraging, as the model checking times are quite small, and would permit checking many more formulas in a single run, thus compensating for the time needed to generate the Kripke structure.
Future work will include the implementation of a fast loader for 3D meshes, in order to eliminate the parsing of (very large) model files in json format, and the optimisation of the translation from simplicial complexes to Kripke models, which currently exploits purely-functional data structures for ease of prototyping. We note in passing that the intermediate Kripke model may be cached, for speeding up the execution of multiple analyses on the same model. Future work will also include further experiments with more complex spatial formulas and different kinds of meshes with the aim to generate a basic benchmark suitable for future comparisons of performance.
However, this is ongoing work, as the presence of colours, textures, materials, and so on, may depend upon the chosen file format of the mesh and will require further investigation.
¹⁵ The memory limit is actually never hit, even with lower amounts of available RAM on other machines.
Table 2: PolyLogicA performance results of the evaluation of the specification in Figure 15 on three variants of the 3D Medical mesh shown in Figure 16a.
Figure 15: Specification of the spatial properties to produce the results shown in Figure 16.

Simplicial Bisimilarity
A further, more theoretically inspired, direction of research aiming at increasing the performance of geometric spatial model checking is to exploit suitable spatial bisimilarity to reduce the models. The main idea is to identify areas that satisfy the same spatial properties, before applying model checking. Similar approaches have been exploited in traditional model checking techniques, based on bisimilarity for modal logics (see e.g. [Ben84]). As a first step into this direction, in this section we characterise logical SLCS equivalence via simplicial bisimilarity. Recall the results summarised in [APB07b], defining bisimilarity for topological spatial logics, so that any two points are bisimilar if and only if they are logically equivalent.
To account for the addition of the reachability operator in the logical language, the definition of bisimilarity makes use of the point-wise lifting of a relation to a path, defined in a formal way below. In the following, fix a model X := P, K, V.
Definition 6.1. Given a relation R ⊆ P × P, let the extension of R to paths be the binary relation between paths R, such that π₁ R π₂ if and only if for all t ∈ [0, 1] we have π₁(t) R π₂(t).
Definition 6.2 (Simplicial bisimilarity). A binary relation ∼ ⊆ P × P is a simplicial bisimulation if and only if for all x, y with x ∼ y:
(1) for all p ∈ AP, x ∈ V(p) ⇐⇒ y ∈ V(p);
(2) for each simplicial path π_x, with π_x(0) = x, there is a simplicial path π_y with π_y(0) = y, and π_x ∼ π_y;
(3) for each simplicial path π_y, with π_y(0) = y, there is a simplicial path π_x with π_x(0) = x, and π_x ∼ π_y.
The largest simplicial bisimulation, if it exists, is called simplicial bisimilarity.
The notion of simplicial bisimulation resembles that of stuttering equivalence for process calculi [BCG88, DV95, GJKW17] but it should be noted that it is defined for continuous structures. In the following, we state the three main facts that conclude this section. Detailed proofs can be found in Appendix A.
Theorem 6.3. Logical equivalence is a simplicial bisimulation.
Theorem 6.4. Each simplicial bisimulation is included in logical equivalence.
preliminary results presented in [CLMV20], including the tool MiniLogicA could be useful in this research direction. Note that the quotient mapping each simplex in P to a point in K in Definition 4.1 is an open map, thus it preserves and reflects logical equivalence of the modal fragment of our language; additionally, as shown in Section 6, it preserves and reflects logical equivalence of the full language, thus simplicial bisimilarity. Not all open maps do so (just consider, e.g., the quotient with respect to classical modal logical equivalence). In future work, we plan to formalise the conditions on an arbitrary open map that make it preserve and reflect simplicial bisimilarity. The relationship between spatial logics and temporal logics, and related bisimilarities [KR97] is also of interest, and in particular, comparing path-based spatial notions such as simplicial bisimilarity, to the so-called stuttering equivalences, and their associated minimisation algorithms (see e.g. [BCG88, GJKW17]).
Spatio-temporal model checking in the style of [Gri16, CGL+15] is a planned future development, the simplest case being the one where the underlying polyhedron does not change over time, and only the valuation of atomic propositions depends upon the temporal state of a system. More complex forms of dynamic spatial structures where the underlying polyhedron evolves over time are also of interest.
A promising application of PolyLogicA is fully automated, declarative analysis of 3D meshes. Clearly, we foresee 3D medical imaging to be a promising landscape for future applications. Furthermore, note that 3D meshes play a central role in several other fields, including architecture and computer-aided design (CAD), geographic information systems (GIS), see e.g. [BBJ+20], or the entertainment industry (consider 3D games or 3D animation movies), in education and in scientific visualisation.
Implementation-wise, GPU computing could provide a computational boost to PolyLogicA. See [BCG21] for a GPU implementation of the parent tool VoxLogicA. Finally, a user interface could be useful to explore large datasets, and to better visualise the interpretation of logic formulas, possibly exploiting results in [BMÖ19] for validation.

Figure 1: On the left, a graphical representation of a simplicial complex is shown in grey and black. On the right, we highlight some of the faces of the simplicial complex, of dimension 2, 1 and 0 (the green triangle, blue segment and red point, respectively).

Figure 4: Examples of basic topological operators on polyhedra. 4a) Polyhedral model A. Circles denote 0-dimensional simplexes. The valuation of atomic propositions r, g, b in model A is given by the colours red, green, and blue, respectively. The points in model A that satisfy the following example formulas are shown in orange in: 4b) □g, i.e., points satisfying the topological interior of the part in green in model A; 4c) ◇g, i.e., points satisfying the topological closure of the part in green in model A; 4d) ◇(□g), i.e., points satisfying the closure of the interior of the part in green in model A.

Figure 5: Examples illustrating the reachability operator on polyhedra. 5a) Polyhedral model C. Circles and colours have the same meaning as in Figure 4. Dashed segments and white points and triangles do not satisfy any atomic proposition. 5b) In orange: points satisfying γ(g, b) applied to the model in 5a. Note that these include points in the closure of the green area, since the first point of the paths passing by green and reaching blue does not need to be green itself. 5c) In orange: points satisfying grow(r, g). Note that only the points corresponding to the red area and one green triangle in the model in 5a satisfy this formula. 5d) In orange: points satisfying g ∧ γ(g, γ(b, r)); by nesting reachability, quite complex spatial formulas may be defined.

Figure 6: Two examples of piecewise linear paths, one starting in point x and the other in point y.

Figure 7: The polyhedral model X of Figure 17 (7a) and its corresponding Kripke model M(X) (7b). We indicate a cell by the set of the vertices of the corresponding simplex. The accessibility relation is represented via its Hasse diagram (reflexive and transitive edges are omitted). The atomic propositions g and r are indicated in green and red respectively.

Figure 9: An example of application of the algorithm described in Algorithm 4.5. Subfigure 9a depicts a polyhedral model X (on the left) and its corresponding Kripke model M(X). Subfigures 9b to 9e depict the steps performed on M(X) to compute the satisfaction set Sat(γ(r, g)), with reference to the pseudo-code in Algorithm 4.5. For each subfigure, the values of the relevant variables at the end of the computation step are indicated and illustrated in corresponding colours in both models (blue for frontier, orange for flooded and purple for result).
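
The operators illustrated in Figures 4, 5 and 9 can be tried on a small cell poset with the following added example, which is not the paper's Algorithm 4.5 nor PolyLogicA code. It assumes that cells are ordered by the face relation, that □ and ◇ are interior and closure in that order, and that γ(φ, ψ) holds at a point from which a path stays in φ strictly between its endpoints and ends in ψ; the complex, the valuation and all function names are constructed for illustration.

```python
from itertools import combinations

def cells_of(maximal):
    """All nonempty faces of the maximal simplexes; a cell is a frozenset of vertices."""
    return {frozenset(f) for s in maximal
            for k in range(1, len(s) + 1) for f in combinations(s, k)}

def closure(cells, sat):
    """Diamond: every cell that is a face of (or equal to) a cell in sat."""
    return {c for c in cells if any(c <= d for d in sat)}

def interior(cells, sat):
    """Box: cells whose cofaces (the cell itself included) all lie in sat."""
    return {c for c in cells if all(d in sat for d in cells if c <= d)}

def reach(cells, phi, psi):
    """gamma(phi, psi) under the assumed semantics, by flooding the face order."""
    # phi-cells from which a path can end in psi by staying put or dropping to a face
    frontier = {c for c in phi if any(d <= c for d in psi)}
    flooded = set(frontier)
    while frontier:
        c = frontier.pop()
        for d in phi - flooded:          # phi-cells not flooded yet
            if c <= d or d <= c:         # adjacent in the face order
                flooded.add(d)
                frontier.add(d)
    # the starting cell need not satisfy phi: any face of a flooded cell qualifies
    return closure(cells, flooded)

def names(cs):
    """Readable, sorted cell names such as 'ABC'."""
    return sorted("".join(sorted(c)) for c in cs)

# Constructed model: triangle ABC, edges CD and DE; g and b are atomic propositions.
CELLS = cells_of(["ABC", "CD", "DE"])
G = {frozenset(n) for n in ("ABC", "BC", "CD", "E")}
B = {frozenset("D")}

if __name__ == "__main__":
    print("box g       ", names(interior(CELLS, G)))
    print("dia g       ", names(closure(CELLS, G)))
    print("dia box g   ", names(closure(CELLS, interior(CELLS, G))))
    print("gamma(g, b) ", names(reach(CELLS, G, B)))
    print("with C green", names(reach(CELLS, G | {frozenset("C")}, B)))
```

In this model the vertex C is reported for γ(g, b) although it is not green, while the triangle ABC is not, because the non-green vertex C separates it from the edge CD; colouring C green lets the flood reach the whole triangle.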

Figure 12: PolyLogicA specification of some spatial properties for the 3D maze model.

Figure 16: (16a) A 3D medical illustration, courtesy of www.sketchfab.com (copyright: COEUR et vaissaaux by Chair Digital Anatomy - The Unesco Chair of digital anatomy (Paris University) - is licensed under Creative Commons Attribution, see https://creativecommons.org/licenses/by/4.0/legalcode), visualized using MeshLab [CCC+08]. PolyLogicA is used to segment the heart (16b) shown in red, spleen (16c) shown in brown, and some veins (16d) shown in violet, and then to segment a specific vein (the one that reaches the spleen) using a reachability predicate (16e), also shown in violet. In each image, the non-segmented parts are shown as mostly transparent cells.

Table 1: PolyLogicA performance results (rounded to the nearest multiple of 50ms) of the evaluation of the specification in Figure 12 on three properties of the 3D mesh of the maze shown in Figure 13. The size of the model is 147,245 cells. The time spent in parsing the input file (circa 12 megabytes) is about 4 seconds, whereas building the Kripke structure takes about 1 second. If all properties are evaluated in the same specification, the execution time is just slightly above the maximum one, since the machine has 8 physical cores, and PolyLogicA evaluates independent properties in parallel, needing less than 8 cores for the maze example. Columns: Number of tasks, Check (ms.), Total time (ms.).