Clock (model checking)

From HandWiki
Revision as of 07:13, 27 June 2023 by HamTop (talk | contribs) (change)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

In model checking, a subfield of computer science, a clock is a mathematical object used to model time. More precisely, a clock measures how much time passed since a particular event occurs, in this sense, a clock is more precisely an abstraction of a stopwatch. In a model of some particular program, the value of the clock may either be the time since the program was started, or the time since a particular event occurred in the program. Those clocks are used in the definition of timed automaton, signal automaton, timed propositional temporal logic and clock temporal logic. They are also used in programs such as UPPAAL which implement timed automata.[1] Generally, the model of a system uses many clocks. Those multiple clocks are required in order to track a bounded number of events. All of those clocks are synchronized. That means that the difference in value between two fixed clocks is constant until one of them is restarted. In the language of electronics, it means that clock's jitter is null.

Example

Let us assume that we want to modelize an elevator in a building with ten floors. Our model may have [math]\displaystyle{ n }[/math] clocks [math]\displaystyle{ c_{0},\dots,c_{9} }[/math], such that the value of the clock [math]\displaystyle{ c_i }[/math] is the time someone had wait for the elevator at floor [math]\displaystyle{ i }[/math]. This clock is started when someone calls the elevator on floor [math]\displaystyle{ i }[/math] (and the elevator was not already called on this floor since last time it visited that floor). This clock can be turned off when the elevator arrives at floor [math]\displaystyle{ i }[/math]. In this example, we actually need ten distinct clocks because we need to track ten independent events. Another clock [math]\displaystyle{ s }[/math] may be used to check how much time an elevator spent at a particular floor.

A model of this elevator can then use those clocks to assert whether the elevator's program satisfies properties such as "assuming the elevator is not kept on a floor for more than fifteen seconds, then no one has to wait for the elevator for more than three minutes". In order to check whether this statement holds, it suffices to check that, in every run of the model in which the clock [math]\displaystyle{ s }[/math] is always smaller than fifteen seconds, each clock [math]\displaystyle{ c_i }[/math] is turned off before it reaches three minutes.

Definition

Formally, a set [math]\displaystyle{ X }[/math] of clocks is simply a finite set[1]:191. Each element of a set of clock is called a clock. Intuitively, a clock is similar to a variable in first-order logic, it is an element which may be used in a logical formula and which may takes a number of differente values.

Clock valuations

A clock valuation or clock interpretation[1]:193 [math]\displaystyle{ \nu }[/math] over [math]\displaystyle{ X=\{x_1,\dots,x_n\} }[/math] is usually defined as a function from [math]\displaystyle{ X }[/math] to the set of non-negative real. Equivalently, a valuation can be considered as a point in [math]\displaystyle{ \mathbb R_{\ge0}^n }[/math].

The initial assignment [math]\displaystyle{ \nu_0 }[/math] is the constant function sending each clock to 0. Intuitively, it represents the initial time of the program, where each clocks are initialized simultaneously.

Given a clock assignment [math]\displaystyle{ \nu }[/math], and a real [math]\displaystyle{ t\ge0 }[/math], [math]\displaystyle{ \nu+t }[/math] denotes the clock assignment sending each clock [math]\displaystyle{ x\in C }[/math] to [math]\displaystyle{ \nu(x)+t }[/math]. Intuitively, it represents the valuation [math]\displaystyle{ \nu }[/math] after which [math]\displaystyle{ t }[/math] time units passed.

Given a subset [math]\displaystyle{ r\subseteq C }[/math] of clocks, [math]\displaystyle{ \nu[r\rightarrow 0] }[/math] denotes the assignment similar to [math]\displaystyle{ \nu }[/math] in which the clocks of [math]\displaystyle{ r }[/math] are reset. Formally, [math]\displaystyle{ \nu[r\rightarrow 0] }[/math] sends each clock [math]\displaystyle{ x\in r }[/math] to 0 and each clock [math]\displaystyle{ x\not\in r }[/math] to [math]\displaystyle{ \nu(x) }[/math].

Inactive clocks

The program UPPAAL introduce the notion of inactive clocks.[2] A clock is inactive at some time if there is no possible future in which the clock's value is checked without being reset first. In our example above, the clock [math]\displaystyle{ c_i }[/math] is considered to be inactive when the elevator arrive at floor [math]\displaystyle{ i }[/math], and remains inactive until someone call the elevator at floor [math]\displaystyle{ i }[/math].

When allowing for inactive clock, a valuation may associate a clock [math]\displaystyle{ x }[/math] to some special value [math]\displaystyle{ \bot }[/math] to indicate that it is inactive. If [math]\displaystyle{ \nu(x)=\bot }[/math] then [math]\displaystyle{ (\nu+t)(x) }[/math] also equals [math]\displaystyle{ \bot }[/math].

Clock constraint

An atomic clock constraint is simply a term of the form [math]\displaystyle{ x\sim c }[/math], where [math]\displaystyle{ x }[/math] is a clock, [math]\displaystyle{ \sim }[/math] is a comparison operator, such as <, ≤, = ≥, or >, and [math]\displaystyle{ c\in\mathbb N }[/math] is an integral constant. In our previous example, we may use the atomic clock constraints [math]\displaystyle{ c_i\le180 }[/math] to state that the person at floor [math]\displaystyle{ i }[/math] waited for less than three minutes, and [math]\displaystyle{ s\gt 15 }[/math] to state that the elevator stayed at some floor for more than fifteen seconds. A valuation [math]\displaystyle{ \nu }[/math] satisfies an atomic clock valuation [math]\displaystyle{ x\sim c }[/math] if and only if [math]\displaystyle{ \nu(x)\sim c }[/math].

A clock constraint is either a finite conjunction of atomic clock constraint or is the constant "true" (which can be considered as the empty conjunction). A valuation [math]\displaystyle{ \nu }[/math] satisfies a clock constraint [math]\displaystyle{ \bigwedge_{i=1}^nx_i\sim_ic_i }[/math] if it satisfies each atomic clock constraint [math]\displaystyle{ x_i\sim_ic_i }[/math].

Diagonal constraint

Depending on the context, an atomic clock constraint may also be of the form [math]\displaystyle{ x_i\sim x_j+c }[/math]. Such a constraint is called a diagonal constraint, because [math]\displaystyle{ x_1=x_2+c }[/math] defines a diagonal line in [math]\displaystyle{ \mathbb R_{\ge0}^2 }[/math].

Allowing diagonal constraints may allow to decrease the size of a formula or of an automaton used to describe a system. However, algorithm's complexity may increase when diagonal constraints are allowed. In most system using clocks, allowing diagonal constraint does not increase the expressivity of the logic. We now explain how to encode such constraint with Boolean variable and non-diagonal constraint.

A diagonal constraint [math]\displaystyle{ x_i\sim x_j+c }[/math] may be simulated using non-diagonal constraint as follows. When [math]\displaystyle{ x_j }[/math] is reset, check whether [math]\displaystyle{ x_i\sim c }[/math] holds or not. Recall this information in a Boolean variable [math]\displaystyle{ b_{i,j,c} }[/math] and replace [math]\displaystyle{ x_i\sim x_j+c }[/math] by this variable. When [math]\displaystyle{ x_i }[/math] is reset, set [math]\displaystyle{ b_{i,j,c} }[/math] to true if [math]\displaystyle{ \sim }[/math] is < or ≤ or if [math]\displaystyle{ \sim }[/math] is = and [math]\displaystyle{ c=0 }[/math].

The way to encode a Boolean variable depends on the system which uses the clock. For example, UPPAAL supports Boolean variables directly. Timed automata and signal automata can encode a Boolean value in their locations. In clock temporal logic over timed words, the Boolean variable may be encoded using a new clock [math]\displaystyle{ x_{i,j,c} }[/math], whose value is 0 if and only if [math]\displaystyle{ b_{i,j,c} }[/math] is false. That is, [math]\displaystyle{ x_{i,j,c} }[/math] is reset as long as [math]\displaystyle{ x_{i,j,c} }[/math] is supposed to be false. In timed propositional temporal logic, the formula [math]\displaystyle{ x_i.\phi }[/math], which restart [math]\displaystyle{ x_i }[/math] and then evaluates [math]\displaystyle{ \phi }[/math], can be replaced by the formula [math]\displaystyle{ x_i.((x_i\sim x_j+c\implies\phi_\top)\land(\neg x_i\sim x_j+c\implies\phi\bot)) }[/math], where [math]\displaystyle{ \phi_\top }[/math] and [math]\displaystyle{ \phi_\bot }[/math] are copies of the formulas [math]\displaystyle{ \phi }[/math], where [math]\displaystyle{ x_i\sim x_j+c }[/math] are replaced by the true and false constant respectively.

Sets defined by clock constraints

A clock constraint defines a set of valuations. Two kinds of such sets are considered in the literature.

A zone is a non-empty set of valuations satisfying a clock constraint. Zones and clock constraints are implemented using difference bound matrix.

Given a model [math]\displaystyle{ M }[/math], it uses a finite number of constants in its clock constraints. Let [math]\displaystyle{ K }[/math] be the greatest constant used. A region is a non-empty zone in which no constraint greater than [math]\displaystyle{ K }[/math] are used, and furthermore, such that it is minimal for the inclusion.

See also

Notes

  1. 1.0 1.1 1.2 Alur, Rajeev; Dill, David L (April 25, 1994). "A theory of timed automata". Theoretical Computer Science 126 (2): 183–235. doi:10.1016/0304-3975(94)90010-8. https://www.cis.upenn.edu/~alur/TCS94.pdf. 
  2. Behrmann, Gerd; David, Alexandre; Larsen, Kim G (November 28, 2006). A Tutorial on Uppaal 4.0. p. 28. http://www.it.uu.se/research/group/darts/papers/texts/new-tutorial.pdf.