Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
temporal logic CS 119 includes slides by Grigore Rosu propositional logic extended with temporal operators referring to past and future 2 future time properties • If A happens now B must happen ¤(A ! § B) A past now B future 3 past time properties • If A happens now B must have happened ¤(A ! ¨B) B past A now future 4 instances of MOP MOP JavaMOP today BusMOP 5 Chomsky’s language hierarchy http://en.wikipedia.org/wiki/Chomsky_hierarchy 6 temporal logic for finite traces: subset of regular languages p is even in every other state even 1 2 true regular temporal even /\ always(even implies (next next even)) 2 1 2 1 2 1 2 2 2 1 2 1 2 1 does not work 7 properties of temporal logic • some properties can be stated more succinctly in TL. • but TL properties can be hard to write and read for non-trivial scenarios. • now, many scenarios are trivial. • it is of course a debate at a practical engineering level what notation is most suitable in practice. Number of characters is one possible measure. 8 future and past time temporal logic semantics and algorithms future time semantics and algorithm monitoring Future Time LTL Syntax – Propositional Calculus plus o F (next) F (always) F (eventually) F U F’ (until) Executable Semantics – Rewriting _{_} : Formula x Event -> Formula (“consume” event e) F{e} formula that should hold after processing e p{e} (F op F’){e} (o F){e} ( F){e} ( F){e} (F U F’){e} is the atomic predicate p true on e ? F{e} op F’{e} F F{e} ∧ ( F) F{e} ∨ ( F) F’{e} ∨ (F{e} ∧ (F U F’)) 11 Future Time LTL - example Event stream: red X yellow X green X yellow X green X red X … Formula: (green → ¬red U yellow) {red} {yellow} * * * (green → ¬red (green U yellow){red} ∧ U(green ¬red U yellow) → ¬red yellow) → {green} * * (green{red} →yellow) (yellow{red} ∨ ¬red{red} U yellow)) ((¬red U ∧ (green → ¬red ∧ U ¬red yellow)) {yellow}∧ … ** (green → ¬red U yellow) (false → (false ∨ false ∧ ¬red U yellow)) ∧ …{green} ** ∧ (green → ¬red U yellow) ((¬red Utrue yellow) ∧ (green → ¬red U yellow)) {red} * (green U yellow) false false ∧ … (yellow{red} ∨ (¬red{red} ∧ ¬red→U ¬red yellow)) ∧… EventFormula red has was beenviolated! consumed! 12 timed temporal logic • add real time (RTL, MiTL, timed automata, etc.) (start → 5 stop) ( t F){e:δ} (δ≤t) ∧ (F{e:δ} ∨ t-δ F) 13 rewriting using Maude • implemented the algorithm above in PaX – Maude as rewriting engine • 15 lines of obviously correct code! • monitored 100 million events on 1.7GHz PC – 185 seconds, 220 million rewrites – Faster than modified Büchi automaton in Java (1,500 lines of code) • Is this 1,500 LOC Java program correct? • I/O + buffering take longer than rewriting … 14 building a minimal BTT_FSM • idea – do the rewrites for all possible values of predicates – get a finite state machine • nodes are LTL formulae • optimize using a validity checker (F ↔ F’ : one state) • edges are propositions • assign numbers to states • replace edges by Binary Transition Trees 15 Binary Transition Tree FSM • We can build minimal FSMs statically for LTL (green → ¬red U yellow) Formula State BTT 1 2 yellow ? 1 : green ? (red ? false : 2) : 1 Y N yellow 1 Y Y red yellow ? 1 : (red ? false : 2) N Y green yellow 1 N 1 Y false N red N 2 false 2 • Suitable for monitoring. New concept? 16 MOP does not operate with “the end of a trace” • so we cannot even write a formula of the form: (F → F’) and expect it to fail on for example the trace: F F’ F. • instead, we have to assume an end event E and write: (F → !E U F’), meaning: if we see an F then we should see no E before an F’. in MOP F U F’ does not mean that F’ eventually must happen. This is in contrast to traditional interpretations. 17 statistical approach just a thought Formula: ϕ = (A → !E U B) Trace: A A A A A A A B E Trace: A A A A A A A A A E Trace: A B A B A B A B A E ϕ violates ϕ violates ϕ satisfies is this trace better? was ok 4 out of 5 times maintain statistical information? 18 past time semantics and algorithm monitoring safety • Example: Safe Landing Land the space craft only after approval from ground and only if, since then, the radio signal has not been lost or formally where (MAC) ↑Landing → [Approved, ↓Radio} ↑F means start F, ↓F means end F, [F,F’} means F butnot F’ since then 20 past time operators Basic – Propositional Calculus plus F (prev.) F S F’ (since) F (always) F (eventually) in past Special – Suitable for monitoring (MaC) – ↑F - start of F – ↓F - end of F – [F,F’} - F butnot F’ F F’ x ↑F Theorem: ↑,↓,[ _,_ [ ↓F x }[↓F F’) , }) and ,_S_ defined in terms of each other! F.ex: [F,F’} = (¬F’) S F, ↑F = F ∧ ¬F Safety property: F, where F is a past time LTL formula 21 semantics • standard semantics e1 e2 … en-1 en |= [F,F’} iff there is 1 ≤ i ≤ n such that e1 e2 … ei |= F and / F’ for all i ≤ j ≤ n, e1 e2 … ej |= • recursive Semantics t e |= [F,F’} iff t e |= / F’ and ( t e |= F or t |= [F,F’} ) F not F’ 22 dynamic programming algorithm Formula: ↑Landing → [Approved, ↓Radio} Step 2: Dynamic progr. alg. 14:Optimization Step Step3: Further Optimization Memory m[0..6, 1..n] Memory now[0..6], Label nodes in BFS Global bits b 1,prev[0..6] border 2, b3 for i=1..n i) forTemporary i=1..n {process(e {process(e bits t 1,i)t2, t3 now[6] = holds(Radio) Trace: e1 e2 … en-1 en 0 → 1 3 ↑ Landing 2 [ } b3 _,_ 4 Approved 5 ↓ b2 6 Radio b1 m[6,i] = holds(Radio) now[5] = m[5,i] = prev[6] m[6,i-1]and andnot notnow[6] m[6,i] t1 = holds(Radio) now[4] = m[4,i] = holds(Approved) holds(Approved) t2 = holds(Landing) now[3] = m[3,i] = holds(Landing) holds(Landing) t3 = (not b1 or t1) and now[2] = m[2,i] (holds(Approved) = not not now[5] m[5,i] and and or b3) (m[4,i] or m[2,i-1]) if (t2 and (now[4] not (b2 or or prev[2]) t3)) now[1] = and m[1,i] then = now[3] m[3,i] and not not prev[3] m[3,i-1] “error” now[0] now[1] or m[0,i] =,bnot not or3)now[2] m[2,i] (b1,b2= 3) =m[1,i] (t1,t2,t if if now[0] m[0,i] == == 0 0 then then “Error” “Error” Time:= ≤now6 CPU clocks! }prev } 23 the monitoring matrix MATCH/VALIDATE FAIL/VIOLATE TOTAL SUFFIX 24 comparing ERE with LTL property: An p should be followed by a q [](p -> <>q) TOTAL + FAIL FTLTL [](p -> !E U q) PTLTL E implies ((! <*>p) or ((! p) S q)) ERE (q* (ε + (p p* q)))* E ERE SUFFIX + MATCH p p* E 25 Past Time LTL syntax for writing handlers, for example: @violation{…} 26 fomula explanation true true false false a event a occurs P and Q Boolean conjunction P or Q Boolean disjunction not P Boolean negation P implies Q Boolean implication (*) P in previous state P PSQ P since Q <*> P P sometime in the past [*] P always in the past P [P,Q} P sometime in the past and Q never since then 27 Future Time LTL syntax for writing handlers, for example: @violation{…} 28 true true false false a event a occurs !P Boolean negation P /\ Q Boolean conjunction P \/ Q Boolean disjunction P ++ Q Boolean exclusive disjunction P -> Q Boolean implication P <-> Q Boolean bi-implication [] P always P <> P eventually P oP next P PUQ P until Q 29 30 31 32 33 properties of Java library APIs R1: There should be no two calls to next() without a call to hasNext() in between, on the same iterator. 34 our hasNext example again should have been: if(it2.hasNext()) 35 recall ERE 1 next next i) suffix trace semantics ii)looking for match note: match = validation, fail = violation (MOP has changed) 36 recall ERE 2 (hasNext hasNext* next)* i) total trace semantics ii)looking for violation 37 LTL next implies (*)(!next S hasnext) PTLTL next implies (*)[hasnext,next} next implies (*)([hasnext,next} or !<*>next) FTLTL [](next -> o(!next U hasnext)) i) total trace semantics ii)looking for violation 38 39 40 properties of Java library APIs R2: An enumeration should not be propagated after the underlying vector has been changed. 41 many vectors and enumerators v1 Vector v1 = new Vector(); e1 Vector v2 = new Vector(); v1.add(1); v1.add(2); v2.add(4); v2.add(5); Enumeration e1 = v1.elements(); Enumeration e2 = v1.elements(); Enumeration e3 = v2.elements(); while(e1.hasMoreElements())print(e1.nextElement()); v1.add(99); while(e2.hasMoreElements())print(e2.nextElement()); while(e3.hasMoreElements())print(e3.nextElement()); v2 e2 e3 add next events: create(v,e) next(e) updatesource(v) 42 recall ERE 43 FTLTL 44 end 45