1 Multiset Rewriting Systems with Real Time
We follow  in formalizing dense time in the multiset rewriting framework.
Assume a finite first-order typed alphabet, , with variables, constants, function and predicate symbols. Terms and formulas are constructed as usual (see ) by applying symbols of correct type (or sort).
If is a predicate of type , where is the type for propositions, and are terms of types , respectively, then is a fact.
A fact is grounded if it does not contain any variables. We assume that the alphabet contains the constant denoting zero and the function denoting the successor function. Whenever it is clear from the context, we write for and for .
In order to specify timed systems, to each fact we attach a timestamp denoting time. Timestamped facts are of the form , where is a fact and is a non-negative real number called timestamp.111Notice that timestamps are not constructed by using the successor function or any other function from the alphabet. Similarly, time variables denoting timestamps, such as variable in , range over non-negative real numbers.
For simplicity, instead of timestamped facts, we often simply say facts. Also, when we want to emphasize a difference between a fact , and a timestamped fact , we say that is an untimed fact.
There is a special predicate symbol with arity zero, which will be used to represent global time. For example, the fact denotes that the current global time of the system is .
Given , we say that a fact is a future fact when its timestamp is greater than the global time , i.e. when . Similarly, a fact is a past fact when , and a fact is a present fact when .
A configuration is a multiset of ground timestamped facts,
with a single occurrence of a fact.
Configurations are to be interpreted as states of the system. Configurations are modified by multiset rewrite rules which can be interpreted as actions of the system. There is only one rule, , that modifies global time:
where is a time variable and can be instantiated by any non-negative real number. We also write when we refer to the rule (1) for a specific . Applied to a configuration, , advances global time by , resulting in configuration .
We point out that the rule changes only the timestamp of the fact , while the remaining facts in the configuration (those different from ) are unchanged.
The remaining rules are instantaneous as they do not modify global time, but may modify the remaining facts of configurations (those different from ). Instantaneous rules have the form:
where are natural numbers, is a multiset of timestamped facts, possibly containing variables, and is the guard of the rule which is a set of constraints involving the time variables appearing in the rule’s pre-condition, i.e. the variables .
Constraints may be of the form:
where and are time variables, and is a natural number.
Here, and in the rest of the paper, the symbol stands for either or , that is, constraints may involve addition or subtraction.
We use to denote the disjunction of and . All time variables in the guard of a rule are assumed to appear in the rule’s pre-condition.
Finally, the variables that are existentially quantified in the rule (Equation 2) are to be replaced by fresh values, also called nonces in protocol security literature [6, 10]. As in our previous work , we use nonces whenever a unique identification is required, for example for some protocol session or transaction identification.
A rule can be applied to a configuration if there is a ground substitution , where the variables in are fresh, such that and is true. The resulting configuration is .
More precisely, given some rule , an instance of a rule is obtained by substituting all variables appearing in the pre- and post-condition of the rule with constants. This substitution applies to variables appearing in terms inside facts, variables representing fresh values, as well as time variables used in specifying timestamps of facts. An instance of an instantaneous rule can only be applied if all the constraints in its guard are satisfied.
In order to express timed properties of the system, besides being attached to the rules, constraints may be attached to configurations. In particular, constraints may be used to express specific timed properties of configurations. For example,
represents a configuration where a deadline of process is in 7 time units.
Following  we say that a fact is consumed by some rule if that fact occurs more times in on the left side than on the right side. A fact is created by some rule if that fact occurs more times in on the right side than on the left side. Hence, are consumed by the rule (2) and are created by that rule. In a rule, we usually color red the consumed facts and blue the created facts.
We write for the one-step relation where configuration is rewritten to using an instance of rule . For a set of rules , we define as the transitive reflexive closure of the one-step relation on all rules in . We elide the subscript , when it is clear from the context, and simply write .
A trace of a timed MSR is constructed by a sequence of rules. A finite trace of a timed MSR starting from an initial configuration is a sequence
where for some , for all . Infinite traces can also be considered, as in , but in this paper only finite traces will be used.
Notice that by the nature of multiset rewriting there are various aspects of non-determinism in the model. For example, different actions and even different instantiations of the same rule may be applicable to the same configuration , which may lead to different resulting configurations .
There is the additional non-determinism in the dense time model with respect to the discrete time model used in , provided by the choice of , representing the non-negative real value of time increase. While in the discrete time model, time is advancing using the rule
where time always advances by one time unit, in the dense time model, using the rule (Eq. 1), time can advance by any non-negative real value .
Notice that the consecutive time advancements and applied to some configuration have the same effect of the single tick , for arbitrary and .
Indeed, this is a property of the multiset rewriting formalism itself. In this context, above property reflects the continuity of time in the physical world.
With this property in mind, in any trace we can replace consecutive ticks
with a single tick
and vice versa, without compromising the semantics of the process that is being modelled.
1.1 Balanced Systems
A timed MSR with dense time is balanced if for all instantaneous rules , creates the same number of facts as it consumes, that is, instantaneous rules (Eq. 2) are of the form:
where is a multiset of timestamped facts.
By consuming and creating facts, rewrite rules can increase and decrease the number of facts in configurations throughout a trace. However, in balanced MSR systems, the number of facts in configurations in a trace is constant, as states the following proposition.
Let be a balanced timed MSR with dense time. Let be an initial configuration with exactly facts. For all traces of starting with , all configurations in have exactly facts.
Since all the rules in are balanced, rule application does not effect the number of facts in a configuration. That is, enabling configuration has the same number of facts as the resulting configuration. Hence, throughout the trace, all configurations have the same number of facts as the initial configuration . ∎
2 Quantitative Temporal Properties
2.1 Goals, Critical Configurations and Non-critical Traces in MSR Systems with Dense Time
In order to define quantitative temporal properties, we review the notion of critical configurations and compliant traces from our previous work  and introduce reachability problem for MSR systems with dense time which considers critical configurations.
Critical configuration specification (resp. a goal ) is a set of pairs
Each pair is of the form:
where are time variables, are facts (possibly containing variables) and is a set of time constraints involving only the variables .
Given a critical configuration specification (resp. a goal
), we classify a configurationas a critical configuration w.r.t (resp. goal configuration w.r.t. ) if for some , there is a grounding substitution, , such that:
All constraints in are satisfied;
where substitution application () is defined as usual , i.e., by mapping time variables in to natural numbers, nonce names to nonce names (renaming of nonces) and non time variables to terms.
For simplicity, when the corresponding critical configuration specification or goal is clear from the context, we will elide it and use terminology critical or goal configuration.
Notice that nonce renaming is assumed as the particular nonce name should not matter for classifying a configuration as a critical or a goal configuration. Nonce names cannot be specified in advance, since these are freshly generated in a trace, i.e. during the execution of the process being modelled.
Moving from discrete to dense time is not straightforward w.r.t. the notion of a compliant, i.e., non-critical trace. Consider, for example, a trace in a timed MSR with dense time, containing the following configurations and a :
which could potentially be considered as non-critcal w.r.t. with the critical configuration specification:
as it doesn’t contain any critical configurations. However, a trace containing rules:
would not be non-critical w.r.t. the same critical configuration specification since it contains the critical configuration . Above traces differ only in the representation of time flow and they model the same real-time process. In reality, due to continuity of time, the process would reach such a critical state, i.e. it would not skip over this undesired state. Clearly, this inconsistency is not what we want in our model.
As the above example suggests, in the setting with dense time it is particularly important that the notion of a non-critical trace is properly defined. While in systems with discrete time, time can increase only by one time unit at a time, when time is dense, time can increase by any value, however small, and however large. That is how we model the natural continuous aspect of time we know in our everyday life. In particular, recall Remark 1, illustrating how the continuity of time flow is implicitly embedded in the MSR formalism. Namely, given arbitrary and any positive , there exists such that the time for has the same effect as the for followed by the for . That is, if
Clearly, holds. Relying on above property, we now define which traces may be considered as compliant in the dense time setting.
Given a timed MSR with dense time and a critical configuration specification , a trace of is non-critical if no critical configuration is reached along any trace obtained by replacing any subtrace
for arbitrary , such that holds.
Above decomposition of the rules, in all possible ways of consecutive s, ensures that the continuity of time and the notion of non-critical traces are well combined.
On the other hand, however, checking whether a given trace in a system with dense time is non-critical is potentially more challenging than in the untimed setting  and models with discrete time [22, 20]. Testing whether a trace is non-critical in models with dense time requires potentially checking through an infinite number of traces. This could possibly effect the complexity of the corresponding non-critical reachability problem. Fortunately, we can rely on our equivalence relation among configurations, i.e. on our technical machinery called circle-configurations, with respect to this issue as well. We show this result in Section 3.1.
2.2 Verification Problem
[Non-critical reachability problem]
Given a timed MSR , a goal , a critical configuration specification and an initial configuration , is there a non-critical trace, , that leads from to a goal configuration?
Our complexity results, for a given MSR , an initial configuration , a critical configuration specification and a goal , mention the value which is an upper-bound on the natural numbers appearing in , , and , which is syntactically inferred from timestamps and numbers appearing in facts, rules and constraints of , , and .
For the complexity results for non-critical reachability problem (bisimulation of non-critical traces) with dense time we define immediate successors for configurations, motivated by the non-determinism in the model related to the choice of the positive real number used in the rule. Namely, unless some restrictions are imposed on a trace by some time sampling, rule is applicable to every configuration, and for every . However, the choice of is important as it may have different effects on representation of time in a trace. Consider, for example, configuration
Applying a rule to for any has the same effect w.r.t time constraints satisfied by the resulting configuration, regardless of a particular used. In fact, it has no effect in that sense, since the same set of constraints is satisfied by the resulting configuration as by configuration . Advancing time in by is different. Resulting configuration
satisfies e.g. constraint , related to facts and , which is not satisfied by . Now, applying a to for any would change the set of constraints satisfied by the resulting configuration . The set of constraints satisfied by will depend on the value of . For example, for constraint , where relate to facts and , would be satisfied in () and would not, while for constraint would hold.
With the above consideration on the importance on how much the time advances by a single rule, we define the following, successor, relation among configurations.
Given a timed MSR with dense time, and a natural number , let be a set of all constrains containing natural numbers up to :
We say that configuration is an immediate successor of configuration w.r.t. if
There exists such that ;
and do not satisfy the same set of constraints from , where variables and refer to timestamps of same facts from and ;
For all if then satisfies the same constraints from either as or as .
When is an immediate successor of w.r.t. we write .
When is clear from the context we simply say that is an immediate successor of and write .
Notice that in the above example, is an immediate successor of , while configuration is not because, e.g.
where all of the above configurations satisfy different time constraints.
In general, the immediate successor of a configuration is not unique. For example, and are both immediate successors of . On the other hand, the immediate successor of is unique, .
There is a clear connection between non-critical traces and immediate successor configurations. Notice that if neither nor its immediate successor configuration is critical, then the condition on non-critical traces given in Definition 4 is satisfied.
Let be a timed MSR with dense time, and a natural number. Let . If and are not critical w.r.t. some critical configuration specification involving constraints form , then for any , , the configuration such that , is not critical.
Let , and assume neither nor is critical. Let
Since is an immediate successor of , as per Definition 6, such configuration satisfies the same set of constraints form as either or . This includes the constrains used in . Since both and are not critical, is not critical as well. ∎
3 Complexity Results for Balanced Timed MSR with Dense Time
Reachability and the related problems for MSR are undecidable in general . However, by imposing some restrictions on the form of the rewrite rules, such as using only balanced rules and bounding the size of facts, these problems become decidable, even in timed models with fresh values.
A summary of related complexity results in shown in Table 1.
|MSR||Reachability Problem||Non-critical Reachability|
|[23, 13]||[23, 13]|
|Not necessarily balanced||Undecidable||Undecidable|
In this section we investigate the complexity of the non-critical reachability problem for balanced systems with facts of bounded size.
In this new setting with dense time, the non-critical reachability problem combines quantitative temporal properties defined for timed MSR with the refined notion of compliance. Our results rely heavily on the abstractions called circle-configurations. As we will show in Section 3.1, circle-configurations and the related time advancement rules, , are defined in such a way to reflect similar characteristics related to advancement of time in dense time models.
As discussed above, we assume a bound, , on the size of facts. However, we do not impose an upper bound on the values of timestamps. Also, our timed MSRs with dense time are constructed over , a finite alphabet with predicate symbols and constant and function symbols and can involve an unbounded number of fresh values.
In order to handle dense time, and in particular for our complexity results, in our previous work  we introduced an equivalence relation among configurations. We now review main ideas behind this machinery. For a more detailed exposition of this approach see .
The equivalence of configurations involves an upper bound on the numeric values mentioned in the specification of the considered system and problems: We set to be a natural number such that for any number (both real or natural) appearing in the timestamps of the initial configuration, or the s and s in constraints (Eq.3) or rules (Eq.2) of the timed MSR, in goal and critical configuration specification.
Notice that immediate successor configurations also involve an upper bound, , on natural numbers appearing in time constraints. For a given problem, we will extract the value as described above, and we will consider immediate successor configurations w.r.t. the same bound .
Configurations are defined as equivalent if they contain the same (untimed) facts, up to nonce renaming, and if they satisfy the exact same set of constraints. When we say that some configurations satisfy the same constraint, we intend to say that time variables of that constraint refer to the same facts in both configurations.
Given a timed MSR with dense time, a goal , a critical configuration specification and an initial configuration , let be an upper bound on the numeric values appearing in , , and . Let
be two configurations written in canonical way where the two sequences of timestamps and are non-decreasing. (For the case of equal timestamps, we sort the facts in alphabetical order, if necessary.) We say that configurations and are equivalent configurations if the following conditions hold:
There is a bijection that maps the set of all nonce names appearing in configuration to the set of all nonce names appearing in configuration , such that , for each ; and
Configurations and satisfy the same constraints, that is:
for all , and .
When and are equivalent we write , or simply .
As we already pointed out , when we say that and satisfy the same constraints, we mean that the time variables in the constraint refer to the same facts and , up to nonce renaming.
Notice that no configuration is equivalent to its immediate successor configuration.
In  we also introduced an illustrative representation of the above equivalence relation, called circle-configuration.
Let be a timed MSR with dense time, a goal, a critical configuration specification and an initial configuration. Let be an upper bound on the numeric values appearing in , , and , and The pair is the circle-configuration of the configuration defined as follows. The -configuration of , , is:
where , timestamps of facts have the same integer part, , , and
The unit circle of , , is:
where , timestamps of facts in the same class, have the same decimal part, , timestamps of facts are integers, and the classes are ordered in the increasing order, i.e., for all , where , , , .
We write to denote the class in which the fact appears in .
For simplicity, we sometimes write and instead of and , when the corresponding configuration is clear from the context.
We graphically represent a unit circle as shown in Figure 1. The class marked with the subscript , , is called the zero point and is marked as the (green) ellipse at the top of the circle. The remaining classes are placed on the circle as the (red) squares ordered clockwise starting from the zero point. From the above graphical representation, given in Figure 1, it can easily be seen that the decimal part of the timestamp of the fact is smaller than the decimal of the timestamp of the fact , while the decimal part of the timestamps of the facts and are equal. The exact points where the classes are placed on the circle are not important, only their relative positions matter. As an example, the circle-configuration of configuration
for consists of the -configuration
and the unit circle
as illustrated in Figure 2.
Notice that, although the graphical representation of the circle-configuration is very illustrative, a circle-configuration is given as a pair of sequences containing a finite number of symbols. Although these sequences do not contain any real numbers, they provide enough information related to satisfaction of time constraints, which is necessary e.g. for rule application. Circle-configurations are, hence, an elegant representation of configurations, considering that timestamps range over dense, real time domain and that there is no upper bound on the values of timestamps.
When compared to the equivalence relation between configurations (Definition 7), circle-configurations contain an additional bit of information. While for the equivalence relation only relative differences between concrete values of timestamps of facts are important, because of the zero point on the unit circle, circle-configurations may differentiate configurations based on the decimal part of their timestamps. For example, configurations are equivalent, but have different unit circles, related only to the placement of facts at the zero point.
In  we have shown how the notion of circle-configurations corresponds to equivalence relation between configurations. In particular, configurations corresponding to the same circle-configuration are equivalent. We are, therefore, able to say that a circle-configuration corresponding to a configuration satisfies a constraint if the configuration satisfies constraint . We also say that a rule is applicable to a circle-configuration if that rule is applicable to the corresponding configuration. Furthermore, we say that a circle-configuration is critical iff it is the circle-configuration of a critical configuration. Analogously, we say that a circle-configuration is a goal circle-configuration iff it is the circle-configuration of a goal configuration.
In  we show in detail how both instantaneous rules and the time advancement over circle-configurations are compiled and applied (for more details see [18, Section 4.2]). For an instantaneous rule , we write for the corresponding rewrite rule over circle-configurations.
Time advancement rule is represented with a set of rules, shown in Figure 3 and Figure 4. For a given circle-configuration, exactly one of the 8 rules applies, depending on the position of the fact on the unit circle with respect to the remaining facts. For example, if the fact is alone on the unit circle (and not at the zero point, nor in the last class), time advancement is modelled by placing in the next class (clock-wise), see Rule 1. If we want to advance time from a circle-configuration where is in a class on a unit circle together with other facts (and not at the zero point, nor in the last class), we would place alone on the unit circle, at any point just before the next class (clock-wise) on the unit circle, see Rule 2. Cases when is in the last class, in addition to changes in the unit circle, require updating of the -configuration of the resulting circle-configuration, see Figure 4.
Since, application of a rule changes the placement of the fact on the unit circle w.r.t. remaining facts, the enabling and the resulting circle-configurations are different. Moreover, they represent configurations that may not not be equivalent. In fact resulting configuration is either equivalent to the enabling configuration or is its immediate successor.
Correspondence to immediate successors refines our previous result [18, Lemma 1], stating that to a single rule corresponds a sequence of rules, and, vice versa, a sequence of rules represents a single rule for an adequately chosen value of time advancement. Here, we show how rule relates to rule.
be an MSR with dense time, a goal, a critical configuration specification and an initial configuration.
Let be an upper bound on the numeric values appearing in , , and , and consider immediate successors of configurations w.r.t. the set of constraints from .
If then , or (in case is Rule 0, for , Figure 3, or Rule 4, for , Figure 4).
Both circle-configurations (i.e., equivalence of configurations) and immediate successor configurations are defined w.r.t. an upper bound . We set the value of to be an upper bound on numeric values in , and and refer to the same bound in both cases. Let and be the circle-configurations of the configurations and , respectively.
Notice that, as per Definition 8, facts in the same class on the unit circle satisfy some constraint of the form , while facts placed in different classes on the unit circle satisfy some constraint of the form .
There are two possibilities. In one case fact is moved from a class containing some fact to a new class (see Rules 0,2,3). In the other case there exists some fact in such that and are in different classes in , but in the same class in (see Rules1,4-7). Configurations and do not satisfy the same constraints referring to facts and , except in the two cases shown below:
In the case shown to the left (Figure 3, Rule 0, for ) fact is the only fact placed at zero point, while in the case shown to the right (Figure 4, Rule 4, for ) there are no facts at the zero point and is alone in the last class of the unit circle. Only in this two cases configurations are equivalent, .
Moreover, fact is placed clock-wise, either to a position immediately following its previous position, but before any existing class, or it is places exactly to the first class clock-wise. This ensures that there are no ”intermediate” configurations, i.e. that is an immediate successor of , i.e., , except in above two cases.
Conversely, if is an immediate successor of , then is transformed into by means of a rule. Then, when representing this time advancement with circle-configurations, the placement of the facts different from on the unit circle of does not change. At the same time, the change in placement of the fact on the unit circle should be such to satisfy the condition of immediate successor configuration w.r.t the corresponding configurations. Figure 3 and Figure 4 illustrate exactly such change in the placement of on the unit circle, updating the -configuration as well, when necessary. The change in placement of the fact on the unit circle represents a minimal (or the exact) time advancement such that some constraint is no longer satisfied. Above two exceptions, related to the placement of the fact at the zero point, require 2 or 3 rules, as shown below:
Intermediate circle-configurations correspond to the configurations equivalent to the first one, but not to the final one. ∎
The above result ensures that the representation of time advancement on circle-configurations using rules is sound and complete. To rules correspond rules, and conversely, any rule can be decomposed into a finite number of rules (see Remark 1), each of which corresponds to one, two or three rules.
We have considered traces over circle-configurations and showed that obtained traces over circle-configurations are a sound and complete representation of the set of traces over concrete configurations with dense time. Notice that circle-configurations are symbolic form, containing only untimed facts, a few auxiliary symbols and a bounded number of natural numbers. The are no real numbers included, and yet there is enough information for the sound and faithful representation of timed systems with dense time. This means that we can search for solutions of some problems symbolically, that is, without writing down the explicit values of the timestamps, i.e., the real numbers, in a trace.
In  we investigated reachability problem which did not involve critical configurations. The notion of a non-critical trace in a timed MSR with dense time has not been investigated yet. Since we now address the non-critical reachability problem which involves non-critical traces, for our complexity results for timed MSR with dense time, we need to show that searching for traces in a symbolic form, using circle-configurations, is sound and complete also with respect to compliance i.e., preserves non-critical traces.
The notion of non-critical traces over circle-configurations is not as complicated and delicate as the notion of a non-critical traces over configurations in systems with dense time, given in Definition 4. Recall that the rule can be instantiated for any non-negative real value , denoting an arbitrary advancement of time, which can cause ”skipping” over critical configurations. Such a phenomena does not appear in traces over circle-configurations where rules are used for time advancement. Following Proposition 2 and Proposition 3, there is no issue of ”skipping” over critical circle-configurations with the time advancement . When a rule is applied, the configuration corresponding to the resulting circle-configuration is an immediate successor of the configuration corresponding to the enabling configuration, or equivalent to it. That is, each of 8 rules corresponds to a time advancement that is just enough, or exactly enough, so that some time constraint involving the global time is no longer satisfied. In such a way, a single rule models either the minimal or the exact advancement of time for which the equivalence class changes. Since there is no ”skipping” over circle-configurations, there is no need for decomposition of time advancements , as is the case with the rule. Hence, the related notion of compliance, i.e., non-critical traces, is straightforward.
Let be a a timed MSR with dense time and a critical configuration specification. A trace over corresponding circle-configurations is non-critical if it does not contain any critical circle-configuration.
Recall that the notion of a non-critical trace in timed MSR with dense time potentially involves checking compliance through an infinite number of traces. Fortunately, this is not the case for non-critical traces over circle-configurations. Since there is no ”skipping” over circle-configurations when using rules, there is no need for decomposition of time advancements , as is the case with the rule. Smaller advancements of time would have either the exact same effect or no effect on a corresponding equivalence class. On the other hand, larger advancements of time are modelled by a sequence of several rules. This is essential for the complexity of the problems involving non-critical traces, and we, therefore, rely on non-critical traces over circle-configurations when searching for the solutions of our problems involving timed MSR with dense time. The following proposition states that such a bisimulation is sound and complete w.r.t. application of rules and non-critical traces.
Given any timed MSR with dense time, a goal , a critical configuration specification and an initial configuration , any non-critical trace starting from the given initial configuration to a goal configuration can be conceived as a non-critical trace over circle-configurations, starting from initial circle-configuration and reaching a goal circle-configuration.
In our previous work [18, Theorem 2] we have shown a related bisimulation result for the reachability problem. Here we need to also address critical configurations. In particular, we must check time advancements more carefully in order to provide non-critical traces.
To the given set of instantaneous rules of timed MSR with dense time , , correspond the rules over circle-configurations, so that
is the set of rules over circle-configurations. Let be the circle-configuration of .
In [18, Theorem 2] we have shown that the equivalence among configurations is well defined with respect to application of rules. Namely, we have shown that for any instantaneous rule , it is the case that if and only if , that is:
where and are circle-configurations of the configurations , and , respectively. Also, it is the case that if and only if , that is:
Again, and are circle-configurations of the configurations , and , respectively. Notice that to each rule in the trace over configurations corresponds a (possibly empty) sequence of rules in the matching trace over circle-configurations.
Using induction on the length od a subtrace we can easily show that any trace of a timed MSR can be represented as a trace over corresponding circle-configurations, and vice versa, as shown below:
We can easily conclude that bisimulation preserves goals. Since is the circle-configuration of , it immediately follows that is a goal configuration iff is a goal circle-configuration.
It remains to show that bisimulation preserves non-critical traces. For that purpose we decompose multiple rules in . As per Proposition 3 the following correspondences for one or none applications of rules holds:
We can hence consider corresponding traces and as: