Evaluation of Temporal Operators

As one would expect, the major part of the evaluation algorithm’s complexity is found within the cases for temporal operators. In fact, it is the ability to use interval operations for realizing the semantics of the temporal operators that makes SALMA’s evaluation algorithm efficient. Therefore, this subsection discusses the involved strategies and design decisions in detail. Algorithm 5.11 gives an overview of the three cases for temporal operators, namelyeventually, always, and until. It can be seen that eventually and always are handled by the same function that distinguishes the cases via its first parameter. This implies that the evaluation of both operators is similar to some extent, which is indeed confirmed below. On the other hand, there are several special difficulties for the evaluation of the until operator, so this case is handled separately in order to achieve a comprehensible presentation.

Algorithm 5.11: Evaluation of temporal operators.

. . .

case Φ =always(Tmax, P) h

res

R , Rov,Ψ,linkParamsi ← evaluateAlwaysOrEventually(,P, ˆ

p_Φ,level,scur, Ts,T_end, Tmax) end

case Φ =eventually(T_max, P) h

res

R , Rov,Ψ,linkParamsi ← evaluateAlwaysOrEventually(♦,P, ˆ

p_Φ,level,s_cur, T_s,T_end, T_max) end

case Φ =until(T_max, P, Q) h

res

R , Rov,Ψ,linkParamsi ← evaluateUntil(P, Q,

level,pˆ_Φ,s_cur, T_s,T_end, T_max) end

A Common procedure for always(Tmax, P) and eventually(Tmax, P) The common scaffolding for the evaluation of always and eventually is the function shown in Algorithm 5.12. First, the upper time bound for the evalu-ation intervalT^>is calculated as the minimum of the end of the time advance T_end and theevaluation limit T_lim. The latter is given by the latest point that is reachable from any point in the start time interval sequence T_s within the time bound of the operatorTmax. To calculate this, the operatormaxt from Definition 5.11 is used, which yields the latest time point in the given interval sequence. The other relevant time point,T_cur, is determined as before by eval-uating the fluenttime for the situation given by the current stepscur. After these initializations have been made, the algorithm has to distinguish between two cases. First, the subformula P of the temporal operator could be of the formsched(Id_sched, Id_cache), which implies that in fact the original subformula at this position has been scheduled as a subgoal because at least for one time instance the result of the evaluation was not definite. In this case, the formula is loaded from the cache using the id that was conveyed in the sched-term.

Otherwise, ifP is nosched-term, it is used directly for the further evaluation and the ids for the formula cache and the schedule are set to−1, which act as commands that will cause the creation of new entries as required.

The next step is to evaluate the subformula for all distinct time steps from the current time T_cur to the interval end T^>. As expected, this is per-formed by the function evaluateForAllTImesteps from Algorithm 5.2 that was already presented as part of the top-level property evaluation procedure (Algorithm 5.1). It was shown before that during this iteration, schedule

en-tries are created for each time point for which the evaluation did not pro-duce a definite result (?). Therefore, it can be assumed after the call to evaluateForAllTImesteps that the evaluation goal schedule is set up with all entries that are necessary for further calculations. The variables Id⁰_sched andId⁰_cachecontain either−1or the ids that refer to the relevant entries in the schedule and the cache forP after the lookahead evaluation, which could have been created in this process. Besides the updated ids, the call to evaluateFor-AllTImestepsreturns three other values, namely the result summaryRov1, the time of the earliest positive definite outcome, T_def^< , and the time of the latest possibility for a positive outcome, T_poss^> . While these time markers were ig-nored in the top-level evaluation procedure (Algorithm 5.1), they are crucial for the evaluation of temporal expressions.

At this point, the treatment of always and eventually diverges into the functionshandleAlwaysandhandleEventuallythat are shown in Algorithms 5.13 and 5.15 and are discussed below. Both functions return a result mapping

res

R1 and an interval sequenceT_s⁰ that contains the start times fromTs for which no definite result could be determined. Consequently, the intervals in T_s⁰ are labeled with ?and combined with the results from before into the final result mapping

res

R. In the rest of Algorithm 5.12, a result summary is determined and, if the result is not entirely definite, asched-term is established as replace-ment for P that, together with the link parameters that are created along the way, reference the goal that represents P in the evaluation goal schedule.

In the following, the individual algorithms for the evaluation ofalwaysand eventually are described. Although they are structured very similarly, the full functions are shown to make them easier to understand.

The Evaluation of always(T_max, P)

Algorithm 5.13 shows the functionhandleAlways, which expects as arguments the previously calculated result summary of the lookahead evaluation Rov1, the time of the latest possible positive result T_poss^> , the time bound of the always-expressionT_max, the evaluation interval endT^>, the start time interval sequenceTs, and the schedule id of the goal that represents the subformula P, which could also be −1as described above.

The interval-based calculations described above are visualized in Figure 5.15.

In the top row (Figure 5.15a), the first part ofhandleAlwayscan be seen, where the algorithm tries to leverage results from the lookahead evaluation that was done beforehand. This is possible when a negative result was found at some point in evaluateForAllTimesteps. Then,T_poss^> will point to the last time at which a positive result is still possible, which has to be the step just before the one in which the negative result was found. This implies that all scheduled in-stances ofP that start not longer thanT_maxbeforeT_poss^> will be terminated by the negative result. Therefore, these time points can be marked as negative,

Algorithm 5.12: Evaluation ofalwaysor eventually.

functionevaluateAlwaysOrEventually(mode, P, pˆΦ, level,scur, T_s, T_end,T_max) T_start^> ←maxt(Ts)

T_lim←T_start^> +T_max T^>←min(T_lim, T_end)

Tcur ←time(do(tick(scur), S0)) if P =sched(Id_sched, Id_cache) then

P⁰ ←loadFromCache(Id_cache) else

P⁰ ←P, Id_sched← −1, Id_cache← −1 end

hR_ov1, T_def^< , T_poss^> , Id⁰_sched, Id⁰_cachei ←

evaluateForAllTimesteps(mode, P⁰,pˆ_Φ◦2, level+ 1, scur,Tcur,T^>, Idsched,Idcache) assume A schedule entry has been added for every time point

where the evaluation of P yielded ?. if mode= then

h

res

R₁, T_s⁰i ← handleAlways(R_ov1, T_poss^> ,

Tmax, T^>, Ts, Id⁰_sched) else

h

res

R₁, T_s⁰i ← handleEventually(R_ov1, T_def^< ,

T_max, T^>, T_s, Id⁰_sched) end

res

R₂ ←T_s⁰|_?

res

R ←

res

R₁∪

res

R₂ Rov ←summary(

res

R) if Rov =?then

Ψ← {27→sched(∗, Id⁰_cache)} /* ∗ represents

a placeholder for the concrete schedule id */

linkParams ← {ˆp_Φ◦27→Id⁰_sched} else

Ψ← ∅,linkParams ← ∅ end

returnh

res

R , Rov,Ψ,linkParamsi end

which is done by building the intersection of Ts with the described interval and labeling it with the unique assignment operator |, which creates a result mapping that is stored in the variable

res

R₁. The relative complement of the original start times Ts and the said interval yields an interval sequence that contains the time start time instances for which the result is still open. How-ever, it is still possible that more definite results can be found. First, if there is an entry forP in the evaluation goal schedule, the evaluation history could convey enough information to determine additional results. This is pursued in the function checkScheduleAlwaysin Algorithm 5.14.

In Algorithm 5.14, the goal evaluation history is loaded from the schedule using the given id. By matching all intervals within the negative historyG. T⊥

against the start timesT_s, it is possible to mark all those instances as failed that are at mostTmax time units before a time point with negative result. Similar to the first step in handleAlways, this labeling of multiple time instances is reduced to a single intersection between an interval sequence and an interval.

The result mapping that is created in this way is appended to a collective result mapping

res

Rtot that is returned later, and as before, the sequence of undetermined start time intervals is updated using the relative complement.

Figure 5.15c shows an example for the negative labeling of several interval segments based on one interval from G. T⊥.

The other source for determining definite results is the positive history G. T_>. Indeed, this sequence might contain positive intervals that are at least as long as Tmax. Then, any goal instance that starts within that interval and at least T_max time units before its end, can be labeled as positive because the invariant is guaranteed to have been fulfilled within the given time bound.

This can be seen in Figure 5.15d. All results that are calculated based on the evaluation history are returned back tohandleAlways, together with the start time intervals for no results have been found, yet, which will later be marked with?, as shown in Algorithm 5.12.

Back in handleAlways, it is also possible that no schedule entry exists.

However, some definite results can still be found if the overall result of the lookahead evaluation was positive. This means that there must have been positive results for all time points up to T^>. Hence, all instances in T_s that begin at least T_max time units before T^> must be satisfied and can be la-beled with >. Figure 5.15b shows the involved interval operations. It can be seen that the algorithm effectively assumes that the evaluation results for the subformula P have also been positive for all relevant time points that are overlapped by intervals in Ts. Indeed, this assumption is justified because if any of these time points had yielded a negative result, then the intervals in T_s that are within a distance of T_max would have been negated already in a previous evaluation step.

Algorithm 5.13: Handling of temporal operatoralways. functionhandleAlways(Rov1, T_poss^> ,Tmax, T^>, Ts, Id_sched)

if Rov1 =⊥then

// See Figure 5.15a T_l←T_poss^> −T_max

res

R1 ←(Ts∩[T_l, T^>])|_⊥ T_s⁰ ←T_s\[T_l, T^>] else

res

R1 ← ∅, T_s⁰ ←Ts

end

if T_s⁰ 6=∅ then

if Id_sched >−1then h

res

R2, T_s⁰⁰i ←checkScheduleAlways(Idsched, T_s⁰, Tmax) else

// There is no schedule entry for the subformula P. if Rov1 =>then

// See Figure 5.15b T_r←T^>−T_max

res

R2 ←(T_s⁰∩[0, T_r])|_>

T_s⁰⁰←T_s⁰\[0, T_r] else

res

R2 ← ∅, T_s⁰⁰ ←T_s⁰ end

end else

res

R₂ ← ∅, T_s⁰⁰ ← ∅ end

returnh

res

R1∪

res

R2, T_s⁰⁰i end

Algorithm 5.14:Calculating schedule decisions for always. functioncheckScheduleAlways(Id_sched, T_s, T_max)

G←loadFromSchedule(Idsched) T_s⁰ ←T_s

res

R_tot ← ∅

/* Negate all starting points within range of ⊥

instances. */

foreach[T₁, T₂]∈G. T⊥ do

// See Figure 5.15c T_l ←max(0, T1−Tmax)

res

R ←(T_s⁰∩[T_l, T₂])|_⊥

res

Rtot ←

res

Rtot∪

res

R T_s⁰ ←T_s⁰\[T_l, T2] end

/* Confirm goals that are entirely covered in >

intervals. */

foreach[T1, T2]∈G. T> do

// See Figure 5.15d if T₂−T₁ ≥T_max then

Tr ←T2−Tmax res

R ←(T_s⁰∩[T₁, Tr])|_>

res

R_tot ←

res

R_tot∪

res

R T_s⁰ ←T_s⁰\[T₁, Tr] end

end returnh

res

R_tot, T_s⁰i end

(a) Determining⊥instances through lookahead evaluation results.

(b) Determining>instances through lookahead evaluation results.

(c) Determining ⊥instances through schedule history.

(d) Determining>instances through schedule history.

Figure 5.15: Calculation of results for always.

The Evaluation of eventually(T_max, P)

As expected, the operator eventually is treated very similarly to its always counterpart. In fact, the only difference is that the roles of positive results are reversed. This means that exactly the same structure that is used to “reject”

goal instances based on negative lookahead results in the case ofalwaysis used to confirm goal instances with positive results. The same congruence obviously holds also for the other cases. Therefore, it is not very instructional to discuss the algorithms for eventually in detail. Nonetheless, both the algorithms (Algorithm 5.15, 5.16) and the interval diagrams (Figure 5.16) are included here for the sake of completeness.

Algorithm 5.15: Handling of temporal operatoreventually. functionhandleEventually(R_ov1, T_def^< , T_max,T^>, T_s, Id_sched)

if Rov1 =>then T_l←T_def^< −T_max

res

R₁ ←(T_s∩[T_l, T^>])|_>

T_s⁰ ←T_s\[T_l, T^>] else

res

R₁ ← ∅,T_s⁰ ←T_s end

if T_s⁰ 6=∅ then

if Id_sched >−1then h

res

R2, T_s⁰⁰i ←checkScheduleEventually(Id_sched, T_s⁰, Tmax) else

// There is no schedule entry for P.

if Rov1 =⊥then T_r←T^>−T_max

res

R₂ ←(T_s⁰∩[0, T_r])|_⊥ T_s⁰⁰←T_s⁰\[0, T_r] else

res

R₂ ← ∅,T_s⁰⁰←T_s⁰ end

end else

res

R₂ ← ∅,T_s⁰⁰← ∅ end

returnh

res

R1∪

res

R2, T_s⁰⁰i end

(a) Determining >instances through lookahead evaluation results.

(b) Determining⊥instances through lookahead evaluation results.

(c) Determining>instances through schedule history.

(d) Determining⊥instances through schedule history.

Figure 5.16: Calculation of results for eventually.

Algorithm 5.16: Calculating schedule decisions foreventually. functioncheckScheduleEventually(Id_sched, T_s, T_max)

G←loadFromSchedule(Id_sched) T_s⁰ ←Ts

res

R_tot ← ∅

/* Acknowledge all starting points within range of >

instances. */

foreach[T1, T2]∈G. T> do T_l←max(0, T₁−T_max)

res

R ←(T_s⁰∩[T_l, T2])|_>

res

Rtot ←

res

Rtot∪

res

R T_s⁰ ←T_s⁰\[T_l, T₂] end

/* Handle time-outs. */

foreach[T1, T2]∈G. T⊥ do if T2−T1 ≥Tmax then

T_r←T₂−T_max

res

R ←(T_s⁰∩[T₁, Tr])|_⊥

res

Rtot ←

res

Rtot∪

res

R T_s⁰ ←T_s⁰\[T₁, T_r] end

end returnh

res

R_tot, T_s⁰i end

Evaluation of until(Tmax, P, Q)

For the efficient evaluation of until-expressions, the algorithm has to extend and combine the ideas from the handlers for eventually / always so that definite results can be found as early as possible. The main procedure foruntil is shown in Algorithm 5.17. The first part performs an initialization that is very similar to that of the Algorithms 5.13 and 5.15. Of course, two subformulas have to be set up, namely P for the invariant part and Q for the goal part.

After the initialization, lookahead evaluation is performed for bothP and Q, withQ treated like aneventually formula (♦) and P as in always(). It is worth noticing that forQ, the iteration is not necessarily performed up to the general end of the evaluation period (T^>), but only to the earliest point where

Algorithm 5.17:Evaluation of until.

functionevaluateUntil(P, Q, pˆ_Φ, level, s_cur, T_s, T_end, T_max) T_start^> ←maxt(Ts)

T_lim ←T_start^> +T_max T^>←min(T_lim, T_end)

Tcur ←time(do(tick(scur), S0))

if P =sched(Id_sched,P, Id_cache,P)then P⁰← loadFromCache(Id_cache,P) else

P⁰←P

Id_sched,P ←new, Id_cache,P ←new // force scheduling end

if Q=sched(Id_sched,Q, Id_cache,Q) then Q⁰← loadFromCache(Id_cache,Q) else

Q⁰←Q, Id_sched,Q←new, Id_cache,Q←new end

hT_def^< _,Q, Id⁰_sched,Q, Id⁰_cache,Qi ← evaluateForAllTimesteps(♦, Q⁰, pˆΦ◦3,level+ 1, scur, Tcur, T^>, Idsched,Q, Idcache,Q) if T_def^< _,Q6=? thenT_P^>←T_def^< _,QelseT_P^>←?

hId⁰_sched,P, Id⁰_cache,Pi ←evaluateForAllTimesteps(, P⁰, pˆ_Φ◦2, level+ 1, s_cur, T_cur,T_P^>, Id_sched,P, Id_cache,P)

assume all relevant results betweenTcur and T^>

have been added to the goal schedule.

h

res

R , T⁰i ← checkScheduleUntil(Id⁰_sched,P, Id⁰_sched,Q, T_s, T_max)

res

R ←

res

R ∪T⁰|_? R_ov ←summary(

res

R) if Rov =? then

Ψ← {27→sched(∗, Id⁰_cache,P),37→sched(∗, Id⁰_cache,Q)}

linkParams ← {ˆpΦ◦27→Id⁰_sched,P,pˆΦ◦37→Id⁰_sched,Q} else

Ψ← ∅,linkParams ← ∅ end

returnh

res

R , Rov,Ψ,linkParamsi end

a positive definite result forQis found – if that is the case. Another specialty of theuntil-case is that the creation of evaluation goal schedule entries is forces by the new flag, even in cases where the lookahead evaluation produced only definite results. This guarantees that a history for bothP and Q exists that contains all results up to T^>. The evaluation algorithm can therefore use the same decision mechanisms over the whole relevant time span, which allows for a much clearer design. In that sense, the function checkScheduleUntil in Algorithm 5.18 arranges all schedule-based calculations into four phases that are by themselves sourced out to four separate functions.

In the first phase, the functionconfirmScheduledUntilGoals(Algorithm 5.19) uses the evaluation goal history of bothP and Qto determine instances that can be confirmed definitively. First, this is possible when the goal Q is true directly at the start time of a goal instance, i.e. when the intersection between an interval inG_Q. T> andTs is not empty. Figure 5.17a demonstrates this situation. Therefore, the function in Algorithm 5.19 iterates through all intervals in the positive history of Q and successively fills a result mapping with >-entries that are retrieved by means of the intersection operator from Definition 5.8. Besides that, the start time points that are confirmed in this way are “cut out” ofT_sby the relative complement and the iteration is canceled at the end of the loop body ifTs is empty.

As shown at in the right part of Figure 5.17a, even if Q is not true at an instance’s start, a positive outcome can still be confirmed when a true result for Q is found within Tmax time units and P is true up to that point. The second part of this condition is equivalent to the existence of an interval in GP. T> that is left adjacent to a positiveQinterval. If such an interval exists, then all time points can be confirmed that are both within that interval and

Algorithm 5.18: Calculating schedule decisions foruntil. functioncheckScheduleUntil(Id_sched,P, Id_sched,Q,T_s, T_max)

GP ←loadFromSchedule(Idsched,P) G_Q←loadFromSchedule(Id_sched,Q)

T⁰ ←T_s /* unhandled start times */

h

res

R1, T⁰i ← confirmScheduledUntilGoals(T⁰, GP, GQ, Tmax) h

res

R₂, T⁰i ← rejectUntilGoalsP(T⁰, G_P) h

res

R₃, T⁰i ← rejectUntilGoalsPQ(T⁰,G_P, G_Q) h

res

R4, T⁰i ← detectTimedOutUntilGoals(T⁰, GQ, Tmax) returnh

res

R1∪

res

R2∪

res

R3∪

res

R4, T⁰i end

not farther thanT_max from the positiveQinterval. This is done in the middle block of Algorithm 5.19, again using the intersection operator and the relative complement to compile results and to remove handled start times from T_s.

After all positive results have been gathered, the produced result mapping is returned tocheckScheduleUntiltogether with a temporal interval sequence T⁰ that contains the “unhandled” start times, i.e. the goal instances that have not been confirmed yet. In the next step, this remaining start time interval sequence is passed to the function rejectUntilGoalsP(Algorithm 5.20) that processes cases in which goal instances can be rejected because P is known to be violated at their start point (see right part of Figure 5.17b). On the other hand, goal instances can also be identified as failed when the period between their start and the earliest time point where Q is true is interrupted by a negative outcome for P. Transferred to the interval-based viewpoint, this situation can be identified when an interval ofG_Q. T⊥overlaps intervals of G_P. T⊥. Then, all goal instances that start within the interval with negativeQ and before the last time point in the overlapped region ofGP. T⊥are inevitably interrupted and can thus be marked as failed (see Algorithm 5.21 and left part of Figure 5.17b). Finally, in the last step of checkScheduleUntil, the algorithm searches for goal instances that have expired their time bounds (see Algorithm 5.22 and Figure 5.17c). After all these possible definite cases have been handled, the result for evaluateUntilis combined very similarly to the cases for eventually and always.

Algorithm 5.19: Confirmation ofuntil goals.

functionconfirmScheduledUntilGoals(T_s, G_P, G_Q,T_max) T⁰ ←T_s,

res

R ← ∅

foreach[T_s,Q, T_e,Q]∈G_Q. T> do

/* Confirm instances where Q holds directly at the

start point. */

res

R₁ ←(T⁰∩[T_s,Q, T_e,Q])|_>

T⁰ ←T⁰\[T_s,Q, Te,Q]

/* If P has been true continuously for an interval before T_s,Q, we can confirm additional goals. */

if ∃[t_s, te]∈GP. T>. Ts,Q ∈[ts, te]then T_l←max(t_s, T_s,Q−T_max)

res

R₂ ←(T⁰∩[T_l, T_s,Q])|_>

T⁰ ←T⁰\[T_l, Ts,Q] else

res

R₂ ← ∅ end

res

R ←

res

R ∪

res

R₁∪

res

R₂ if T⁰ =∅ then break end

returnh

res

R , T⁰i end

Algorithm 5.20:Rejection ofuntilgoals that lie within a¬P-interval.

functionrejectUntilGoalsP(Ts,GP)

T⁰←Ts /* unhandled start times */

res

R ← ∅

foreach[T_s, T_e]∈G_P. T⊥ do

res

R⁰ ←(T⁰∩[T_s, T_e])|_⊥

res

R ←

res

R ∪

res

R⁰ T⁰←T⁰\[T_s, T_e] if T⁰=∅then break end

returnh

res

R , T⁰i end

Algorithm 5.21:Rejection of inevitably interrupteduntil goals.

functionrejectUntilGoalsPQ(T_s, G_P, G_Q)

T⁰←T_s /* unhandled start times */

res

R ← ∅

foreach[Ts,Q, Te,Q]∈G_Q. T⊥ do Tintr ←GP. T⊥∩[T_s,Q, Te,Q] if Tintr 6=∅then

T_r ←max_t(T_intr)

res

R⁰ ←(T⁰ ∩[T_s,Q, Tr])|_⊥

res

R ←

res

R ∪

res

R⁰ T⁰←T⁰\[T_s,Q, Tr] end

if T⁰=∅then break end

returnh

res

R , T⁰i end

Im Dokument Simulation and statistical model-checking of logic-based multi-agent system models (Seite 183-200)