Region (model Checking)

In model checking, a field of computer science, a region is a convex polytope in $\mathbb R^d$ for some dimension $d$, and more precisely a zone, satisfying some minimality property. The regions partition $\mathbb R^d$.

The set of zones depends on a set $K$ of constraints of the form $x\le c$, $x\ge c$, $x_1\le x_2+c$ and $x_1\ge x_2+c$, with $x_1$ and $x_2$ some variables, and $c$ a constant. The regions are defined such that if two vectors $\vec x$ and $\vec x'$ belong to the same region, then they satisfy the same constraints of $K$. Furthermore, when those vectors are considered as a tuple of clocks, both vectors have the same set of possible futures. Intuitively, it means that any timed propositional temporal logic-formula, or timed automaton or signal automaton using only the constraints of $K$ can not distinguish both vectors.

The set of region allows to create the region automaton, which is a directed graph in which each node is a region, and each edge $r\to r'$ ensure that $r'$ is a possible future of $r$. Taking a product of this region automaton and of a timed automaton $\mathcal A$ which accepts a language $L$ creates a finite automaton or a Büchi automaton which accepts untimed $L$. In particular, it allows to reduce the emptiness problem for $\mathcal A$ to the emptiness problem for a finite or Büchi automaton. This technique is used for example by the software UPPAAL.

Definition

Let $C=\$ a set of clocks. For each $x\in\mathbb N$ let $c_x\in\mathbb N$. Intuitively, this number represents an upper bound on the values to which the clock $x$ can be compared. The definition of a region over the clocks of $C$ uses those numbers $c_x$'s. Three equivalent definitions are now given.

Given a clock assignment $\nu$, nu/math> denotes the region in which $\nu$ belongs. The set of regions is denoted by $\mathcal R$.

Equivalence of clocks assignment

The first definition allow to easily test whether two assignments belong to the same region.

A region may be defined as an equivalence class for some equivalence relation. Two clocks assignments $\nu_1$ and $\nu_2$ are equivalent if they satisfy the following constraints:
* $\nu_1(x)\sim c$ iff $\nu_2(x)\sim c$, for each $x\in C$ and $0\le c\le c_x$ an integer, and ~ being one of the following relation ''='', ''<'' or ''≤''.
* $\\sim \$ iff $\\sim \$, for each $x,y\in C$, $\nu_1(x)\le c_x$, $\nu_1(y)\le c_y$, $\$ being the fractional part of the real $r$, and ~ being one of the following relation ''='', ''<'' or ''≤''.

The first kind of constraints ensures that $\nu_1$ and $\nu_2$ satisfies the same constraints. Indeed, if $\nu_1(x)=0.5$ and $\nu_2(x)=1$, then only the second assignment satisfies $x=1$. On the other hand, if $\nu_1(x)=0.5$ and $\nu_2(x)=0.6$, both assignment satisfies exactly the same set of constraint, since the constraints use only integral constants.

The second kind of constraints ensures that the future of two assignments satisfy the same constraints. For example, let $\nu_1=\$ and $\nu_2=\$. Then, the constraint $y=1\land x< 1$ is eventually satisfied by the future of $\nu_1$ without clock reset, but not by the future of $\nu_2$ without clock reset.

Explicit definition of a region

While the previous definition allow to test whether two assignments belong to the same region, it does not allow to easily represents a region as a data structure. The third definition given below allow to give a canonical encoding of a region.

A region can be explicitly defined as a zone, using a set $S$ of equations and inequations satisfying the following constraints:
* for each $x\in C$, $S$ contains either:
** $x=c$ for some integer $0\le c\le c_x$
** $x\in(c,c+1)$ for some integer $0\le c< c_x$,
** $x> c_x$,
* furthermore, for each pair of clocks $x,y\in C$, where $S$ contains constraints of the form $x\in (c,c+1)$ and $y\in (c',c'+1)$, then $S$ contains an (in) equality of the form $\\sim \$ with $\sim$ being either ''='', ''<'' or ''≤''.

Since, when $c$ and $c'$ are fixed, the last constraint is equivalent to $x\sim y+c-c'$.

This definition allow to encode a region as a data structure. It suffices, for each clock, to state to which interval it belongs and to recall the order of the fractional part of the clocks which belong in an open interval of length 1. It follows that the size of this structure is $O\left(\sum\log(c_k)+, C, \log(, C, )\right)$ with $, C,$ the number of clocks.

Timed bisimulation

Let us now give a third definition of regions. While this definition is more abstract, it is also the reason why regions are used in model checking. Intuitively, this definition states that two clock assignments belong to the same region if the differences between them are such that no timed automaton can notice them. Given any run $r$ starting with a clock assignment $\nu$, for any other assignment $\nu'$ in the same region, there is a run $r'$, going through the same locations, reading the same letters, where the only difference is that the time waited between two successive transition may be different, and thus the successive clock variations are different.

The formal definition is now given. Given a set of clock $C$, two assignments two clocks assignments $\nu_1$ and $\nu_2$ belongs to the same region if for each timed automaton $\mathcal A$ in which the guards never compare a clock $x$ to a number greater than $c_x$, given any location $\ell$ of $\mathcal A$, there is a timed bisimulation between the extended states $(\ell,\nu_1)$ and $(\ell,\nu_2)$. More precisely, this bisimulation preserves letters and locations but not the exact clock assignments.

Operation on regions

Some operations are now defined over regions: Resetting some of its clock, and letting time pass.

Resetting clocks

Given a region $\alpha$ defined by a set of (in)equations $S$, and a set of clocks $C'\subseteq C$, the region similar to $\alpha$ in which the clocks of $C'$ are restarted is now defined. This region is denoted by \alpha '\mapsto 0/math>, it is defined by the following constraints:
* each constraints of $S$ not containing the clock $x$,
* the constraints $x=0$ for $x\in C'$.

The set of assignments defined by \alpha '\mapsto 0/math> is exactly the set of assignments \nu '\mapsto0/math> for $\nu\in\alpha$.

Time-successor

Given a region $\alpha$, the regions which can be attained without resetting a clock are called the time-successors of $\alpha$. Two equivalent definitions are now given.

Definition

A clock region $\alpha'$ is a time-successor of another clock region $\alpha$ if for each assignment $\nu\in\alpha$, there exists some positive real $t_>0$ such that $\nu+t_\in\alpha'$.

Note that it does not mean that $\alpha+t_=\alpha'$. For example, the region $\alpha$ defined by the set of constraint $\$ has the time-successor $\alpha'$ defined by the set of constraint $\$. Indeed, for each $\nu\in\alpha$, it suffices to take $t_=1-\nu(y)$. However, there exists no real $t$ such that $\alpha+t=\alpha'$ or even such that $\alpha+t\subseteq\alpha'$; indeed, $\alpha$ defines a triangle while $\alpha'$ defines a segment.

Computable definition

The second definition now given allow to explicitly compute the set of time-successor of a region, given by its set of constraints.

Given a region $\alpha$ defined as a set of constraints $S$, let us define its set of time-successors. In order to do so, the following variables are required. Let $T\subseteq S$ the set of constraints of $S$ of the form $x_i=c_i$. Let $Y\subseteq C$ the set of clocks $y$ such that $S$ contains the constraint $y>c_y$. Let $Z\subseteq C\setminus Y$ the set of clocks $\$ such that there are no constraints of the form $\<\$ in $S$.

If $T$ is empty, $\alpha$ is its own time successor. If $Y=C$, then $\alpha$ is the only time-successor of $\alpha$. Otherwise, there is a least time-successor of $\alpha$ not equal to $\alpha$. The least time-successor, if $T$ is non-empty, contains:
* the constraints of $S\setminus T$
* $x_i>c_i$,
* $\=\$, and
* for each $y$ such that $y>c_y$ does not belong to $S$, the constraint $x_i< y$.
If $T$ is empty, the least time-successor is defined by the following constraints:
* the constraints of $S$ not using the clocks of $Z$,
* the constraint $z=c+1$, for each constraint $c< z< c+1$ in $S$, with $z\in Z$.

Properties

There are at most $, C, !2^\prod_(2c_x+2)$ regions, where $, C,$ is the number of clocks.

Region automaton

Given a timed automaton $\mathcal A$, its region automaton is a finite automaton or a Büchi automaton which accepts untimed $L$. This automaton is similar to $\mathcal A$, where clocks are replaced by region. Intuitively, the region automaton is contructude as a product of $\mathcal A$ and of the region graph. This region graph is defined first.

Region graph

The region graph is a rooted directed graph which models the set of possible clock valuations during a run of a timed-autoamton. It is defined as follows:
* its nodes are regions,
* its root is the initial region $\alpha_0$, defined by the set of constraints $\$,
* the set of edges are (\alpha,\alpha' '\mapsto 0, for $\alpha'$ a time-successor of $\alpha$.

Region automaton

Let $\mathcal A=\langle \Sigma,L,L_0,C,F,E\rangle$ a timed automaton. For each clock $x\in C$, let $c_x$ the greatest number $c$ such that there exists a guard of the form $x\sim c$ in $\mathcal A$. The region automaton of $\mathcal A$, denoted by $R(\mathcal A)$ is a finite or Büchi automaton which is essentially a product of $\mathcal A$ and of the region graph defined above. That is, each state of the region automaton is a pair containing a location of $\mathcal A$ and a region. Since two clocks assignment belonging to the same region satisfies the same guard, each region contains enough information to decide which transitions can be taken.

Formally, the region automaton is defined as follows:
* its alphabet is $\Sigma$,
* its set of states is $L\times\mathcal R$,
* its set of states is $L_0\times\$ with $\alpha_0$ the initial region,
* its set of accepting states is $F\times\mathcal R$,
* its transition relation $\delta$ contains ((\ell,\alpha),a,(\ell',\alpha' '\mapsto0), for $(\ell,a,g,C',\ell')\in E$, such that $\gamma\models\alpha'$ and $\alpha'$ is a time-successor of $\alpha$.

Given any run r=(\ell_0,\nu_0)\xrightarrow _1\ell_1,\nu_1)\dots of $\mathcal A$, the sequence (\ell_0, nu_0\xrightarrow(\ell_1, nu_1\dots is denoted /math>, it is a run of $R(\mathcal A)$ and is accepting if and only if $r$ is accepting. It follows that $L(R(\mathcal A))=\operatorname(L(\mathcal A))$. In particular, $\mathcal A$ accepts a timed-word if and only if $R(\mathcal A)$ accepts a word. Furthermore, an accepting run of $\mathcal A$ can be computed from an accepting run of $R(\mathcal A)$.

References

{{DEFAULTSORT:Model checking
*

Polytopes
Polytope