Download temporal logic - Runtime Verification

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
Document related concepts
no text concepts found
Transcript 
temporal logic
CS 119
includes slides
by Grigore Rosu
propositional logic extended with
temporal operators referring to
past and future
2
future time properties
•  If A happens now
B must happen
¤(A ! § B)
A
past
now
B
future
3
past time properties
•  If A happens now
B must have happened
¤(A ! ¨B)
B
past
A
now
future
4
instances of MOP
MOP
JavaMOP
today
BusMOP
5
Chomsky’s
language hierarchy
http://en.wikipedia.org/wiki/Chomsky_hierarchy
6
temporal logic for finite traces:
subset of regular languages
p is even in every other state
even
1
2
true
regular
temporal
even /\ always(even implies (next next even))
2 1 2 1 2 1 2 2 2 1 2 1 2 1
does not work
7
properties of temporal logic
•  some properties can be stated more
succinctly in TL.
•  but TL properties can be hard to write and
read for non-trivial scenarios.
•  now, many scenarios are trivial.
•  it is of course a debate at a practical
engineering level what notation is most
suitable in practice. Number of characters is
one possible measure.
8
future and past time
temporal logic
semantics and algorithms
future time
semantics and algorithm
monitoring Future Time LTL
Syntax – Propositional Calculus plus
o F (next)  F (always)  F (eventually) F U F’ (until)
Executable Semantics – Rewriting
_{_} : Formula x Event -> Formula (“consume” event e)
F{e} formula that should hold after processing e
p{e}
(F op F’){e}
(o F){e}
( F){e}
( F){e}
(F U F’){e}
 is the atomic predicate p true on e ?
 F{e} op F’{e}
 F
F{e} ∧ ( F)
 F{e} ∨ ( F)
 F’{e} ∨ (F{e} ∧ (F U F’))

11
Future Time LTL - example
Event stream: red
X yellow
X green
X yellow
X green
X red
X …
Formula:
(green → ¬red U yellow) {red}
{yellow}
*
*
*
(green → ¬red (green
U yellow){red}
∧ U(green
¬red U yellow)
→ ¬red
yellow) →
{green}
* *
(green{red}
→yellow)
(yellow{red}
∨ ¬red{red}
U yellow))
((¬red U
∧ (green
→ ¬red ∧
U ¬red
yellow))
{yellow}∧ …

**
(green
→ ¬red
U yellow)
(false → (false ∨ false
∧ ¬red
U yellow))
∧ …{green}

**
∧ (green
→ ¬red
U yellow)
((¬red Utrue
yellow)
∧ (green
→ ¬red
U yellow)) {red}

*
(green
U yellow)
false
false ∧ …
(yellow{red} ∨ (¬red{red}
∧ ¬red→U ¬red
yellow))
∧…
EventFormula
red has was
beenviolated!
consumed!
12
timed temporal logic
•  add real time (RTL, MiTL, timed automata,
etc.)
(start →
5
stop)
( t F){e:δ}  (δ≤t) ∧ (F{e:δ} ∨
t-δ
F)
13
rewriting using Maude
•  implemented the algorithm above in PaX
–  Maude as rewriting engine
•  15 lines of obviously correct code!
•  monitored 100 million events on 1.7GHz PC
–  185 seconds, 220 million rewrites
–  Faster than modified Büchi automaton in Java
(1,500 lines of code)
•  Is this 1,500 LOC Java program correct?
•  I/O + buffering take longer than rewriting …
14
building a minimal BTT_FSM
•  idea
–  do the rewrites for all possible values of predicates
–  get a finite state machine
•  nodes are LTL formulae
•  optimize using a validity checker (F ↔ F’ : one state)
•  edges are propositions
•  assign numbers to states
•  replace edges by Binary Transition Trees
15
Binary Transition Tree FSM
•  We can build minimal FSMs statically for LTL
(green → ¬red U yellow)
Formula
State
BTT
1
2
yellow ? 1 : green ? (red ? false : 2) : 1
Y
N
yellow
1
Y
Y
red
yellow ? 1 : (red ? false : 2)
N
Y
green
yellow
1
N
1
Y
false
N
red
N
2
false
2
•  Suitable
for monitoring. New
concept?
16
MOP does not operate with
“the end of a trace”
•  so we cannot even write a formula of
the form:  (F →  F’) and expect it to
fail on for example the trace: F F’ F.
•  instead, we have to assume an end
event E and write:  (F → !E U F’),
meaning: if we see an F then we should
see no E before an F’.
in MOP F U F’ does not mean
that F’ eventually must happen.
This is in contrast to traditional
interpretations.
17
statistical approach
just a thought
Formula: ϕ =  (A → !E U B)
Trace: A A A A A A A B E
Trace: A A A A A A A A A E
Trace: A B A B A B A B A E
ϕ
violates ϕ
violates ϕ
satisfies
is this trace
better?
was ok 4 out of
5 times
maintain statistical information?
18
past time
semantics and algorithm
monitoring safety
•  Example:
Safe Landing
Land the space craft only after approval from ground
and only if, since then, the radio signal has not been lost
or formally
where (MAC)
↑Landing → [Approved, ↓Radio}
↑F means start F,
↓F means end F,
[F,F’} means F butnot F’ since then
20
past time operators
Basic – Propositional Calculus plus
F (prev.) F S F’ (since)  F (always) F (eventually) in past
Special – Suitable for monitoring (MaC)
–  ↑F - start of F
–  ↓F - end of F
–  [F,F’} - F butnot F’
F
F’
x
↑F
Theorem: ↑,↓,[
_,_
[ ↓F
x
}[↓F F’)
,
}) and ,_S_ defined in terms of each other! F.ex:
[F,F’} = (¬F’) S F,
↑F = F ∧ ¬F
Safety property:

F, where F is a past time LTL formula
21
semantics
•  standard semantics
e1 e2 … en-1 en |= [F,F’} iff
there is 1 ≤ i ≤ n such that e1 e2 … ei |= F and
/ F’
for all i ≤ j ≤ n, e1 e2 … ej |=
•  recursive Semantics
t e |= [F,F’} iff
t e |=
/ F’ and ( t e |= F or t |= [F,F’} )
F
not F’
22
dynamic programming algorithm
Formula: ↑Landing → [Approved, ↓Radio}
Step
2:
Dynamic
progr. alg.
14:Optimization
Step
Step3:
Further Optimization
Memory
m[0..6,
1..n]
Memory
now[0..6],
Label nodes
in BFS
Global
bits
b
1,prev[0..6]
border
2, b3
for
i=1..n
i)
forTemporary
i=1..n {process(e
{process(e
bits
t
1,i)t2, t3
now[6] = holds(Radio)
Trace: e1 e2 … en-1 en
0
→
1
3
↑
Landing
2
[ } b3
_,_
4
Approved
5
↓
b2
6 Radio
b1
m[6,i] = holds(Radio)
now[5]
=
m[5,i]
= prev[6]
m[6,i-1]and
andnot
notnow[6]
m[6,i]
t1 = holds(Radio)
now[4]
=
m[4,i]
= holds(Approved)
holds(Approved)
t2 = holds(Landing)
now[3]
=
m[3,i]
= holds(Landing)
holds(Landing)
t3 = (not
b1 or t1) and
now[2]
=
m[2,i] (holds(Approved)
= not
not now[5]
m[5,i] and
and or b3)
(m[4,i]
or
m[2,i-1])
if (t2 and (now[4]
not (b2 or
or prev[2])
t3))
now[1]
=
and
m[1,i] then
= now[3]
m[3,i]
and not
not prev[3]
m[3,i-1]
“error”
now[0]
now[1]
or
m[0,i]
=,bnot
not
or3)now[2]
m[2,i]
(b1,b2=
3) =m[1,i]
(t1,t2,t
if
if now[0]
m[0,i] ==
== 0
0 then
then “Error”
“Error”
Time:= ≤now6 CPU clocks!
}prev
}
23
the monitoring matrix
MATCH/VALIDATE
FAIL/VIOLATE
TOTAL
SUFFIX
24
comparing ERE with LTL
property:
An p should be followed by a q
[](p -> <>q)
TOTAL + FAIL
FTLTL
[](p -> !E U q)
PTLTL
E implies
((! <*>p) or ((! p) S q))
ERE
(q* (ε + (p p* q)))* E
ERE
SUFFIX + MATCH
p p* E
25
Past Time LTL syntax
for writing handlers, for example:
@violation{…}
26
fomula
explanation
true
true
false
false
a
event a occurs
P and Q
Boolean conjunction
P or Q
Boolean disjunction
not P
Boolean negation
P implies Q
Boolean implication
(*) P
in previous state P
PSQ
P since Q
<*> P
P sometime in the past
[*] P
always in the past P
[P,Q}
P sometime in the past and Q never since then
27
Future Time LTL syntax
for writing handlers, for example:
@violation{…}
28
true
true
false
false
a
event a occurs
!P
Boolean negation
P /\ Q
Boolean conjunction
P \/ Q
Boolean disjunction
P ++ Q
Boolean exclusive disjunction
P -> Q
Boolean implication
P <-> Q
Boolean bi-implication
[] P
always P
<> P
eventually P
oP
next P
PUQ
P until Q
29
30
31
32
33
properties of Java library APIs
R1: There should be no two calls to next()
without a call to hasNext() in between,
on the same iterator.
34
our hasNext example again
should have been:
if(it2.hasNext())
35
recall ERE 1
next next
i) suffix trace semantics
ii)looking for match
note: match = validation, fail = violation (MOP has changed)
36
recall ERE 2
(hasNext hasNext* next)*
i) total trace semantics
ii)looking for violation
37
LTL
next implies (*)(!next S hasnext)
PTLTL
next implies (*)[hasnext,next}
next implies (*)([hasnext,next} or !<*>next)
FTLTL
[](next -> o(!next U hasnext))
i) total trace semantics
ii)looking for violation
38
39
40
properties of Java library APIs
R2: An enumeration should not be
propagated after the underlying
vector has been changed.
41
many vectors and enumerators
v1
Vector v1 = new Vector();
e1
Vector v2 = new Vector();
v1.add(1); v1.add(2); v2.add(4); v2.add(5);
Enumeration e1 = v1.elements();
Enumeration e2 = v1.elements();
Enumeration e3 = v2.elements();
while(e1.hasMoreElements())print(e1.nextElement());
v1.add(99);
while(e2.hasMoreElements())print(e2.nextElement());
while(e3.hasMoreElements())print(e3.nextElement());
v2
e2
e3
add
next
events:
create(v,e)
next(e)
updatesource(v)
42
recall ERE
43
FTLTL
44
end
45
Related documents
Desired articles in the philosophy of language If you are interested
Desired articles in the philosophy of language If you are interested
Formal Semantics of Programming Languages
Formal Semantics of Programming Languages
formato Word
formato Word
Landing Page Assignment
Landing Page Assignment
Bushra`s Response - Open Online Courses
Bushra`s Response - Open Online Courses
Lecture 10 Notes
Lecture 10 Notes
false - rlsmart.net
false - rlsmart.net
Symbols of Logic
Symbols of Logic
Electrical and Electronics Engineering Department
Electrical and Electronics Engineering Department
Chapter 31 - TeacherWeb
Chapter 31 - TeacherWeb
LTL and CTL - UT Computer Science
LTL and CTL - UT Computer Science