In model checking, a subfield of computer science, a clock is a mathematical object used to model time. More precisely, a clock measures how much time passed since a particular event occurs, in this sense, a clock is more precisely an abstraction of a stopwatch. In a model of some particular program, the value of the clock may either be the time since the program was started, or the time since a particular event occurred in the program. Those clocks are used in the definition of timed automaton, signal automaton, timed propositional temporal logic and clock temporal logic. They are also used in programs such as UPPAAL which implement timed automata.[1]
Generally, the model of a system uses many clocks. Those multiple clocks are required in order to track a bounded number of events. All of those clocks are synchronized. That means that the difference in value between two fixed clocks is constant until one of them is restarted. In the language of electronics, it means that clock's jitter is null.
Let us assume that we want to modelize an elevator in a building with ten floors. Our model may have
n
c0,...,c9
ci
i
i
i
s
A model of this elevator can then use those clocks to assert whether the elevator's program satisfies properties such as "assuming the elevator is not kept on a floor for more than fifteen seconds, then no one has to wait for the elevator for more than three minutes". In order to check whether this statement holds, it suffices to check that, in every run of the model in which the clock
s
ci
Formally, a set
X
A clock valuation or clock interpretation
\nu
X=\{x1,...,xn\}
X
| n | |
| R | |
| \ge0 |
The initial assignment
\nu0
Given a clock assignment
\nu
t\ge0
\nu+t
x\inC
\nu(x)+t
\nu
t
Given a subset
r\subseteqC
\nu[r → 0]
\nu
r
\nu[r → 0]
x\inr
x\not\inr
\nu(x)
The program UPPAAL introduce the notion of inactive clocks.[2] A clock is inactive at some time if there is no possible future in which the clock's value is checked without being reset first. In our example above, the clock
ci
i
i
When allowing for inactive clock, a valuation may associate a clock
x
\bot
\nu(x)=\bot
(\nu+t)(x)
\bot
An atomic clock constraint is simply a term of the form
x\simc
x
\sim
c\inN
ci\le180
i
s>15
\nu
x\simc
\nu(x)\simc
A clock constraint is either a finite conjunction of atomic clock constraint or is the constant "true" (which can be considered as the empty conjunction). A valuation
\nu
| nx | |
| wedge | |
| i\sim |
ici
xi\simici
Depending on the context, an atomic clock constraint may also be of the form
xi\simxj+c
x1=x2+c
| 2 | |
| R | |
| \ge0 |
Allowing diagonal constraints may allow to decrease the size of a formula or of an automaton used to describe a system. However, algorithm's complexity may increase when diagonal constraints are allowed. In most system using clocks, allowing diagonal constraint does not increase the expressivity of the logic. We now explain how to encode such constraint with Boolean variable and non-diagonal constraint.
A diagonal constraint
xi\simxj+c
xj
xi\simc
bi,j,c
xi\simxj+c
xi
bi,j,c
\sim
\sim
c=0
The way to encode a Boolean variable depends on the system which uses the clock. For example, UPPAAL supports Boolean variables directly. Timed automata and signal automata can encode a Boolean value in their locations. In clock temporal logic over timed words, the Boolean variable may be encoded using a new clock
xi,j,c
bi,j,c
xi,j,c
xi,j,c
xi.\phi
xi
\phi
xi.((xi\simxj+c\implies\phi\top)\land(\negxi\simxj+c\implies\phi\bot))
\phi\top
\phi\bot
\phi
xi\simxj+c
A clock constraint defines a set of valuations. Two kinds of such sets are considered in the literature.
A zone is a non-empty set of valuations satisfying a clock constraint. Zones and clock constraints are implemented using difference bound matrix.
Given a model
M
K
K