Generating Optimal Linear Temporal Logic Monitors by Coinduction

Presentation transcript:

Generating Optimal Linear Temporal Logic Monitors by Coinduction
Koushik Sen, University of Illinois at Urbana-Champaign, USA
Co-authors: Grigore Rosu and Gul Agha

Increasing Software Reliability
Current solutions:
- Human review of code and testing: most used in practice; usually ad hoc, with intensive human support
- (Advanced) static analysis: often scales up; false positives and negatives, annotations
- (Traditional) formal methods, model checking and theorem proving: general, good confidence, do not always scale up
12/4/2018

Runtime Verification
- Merge testing and temporal logic specification
- Specify safety properties in temporal logic
- Monitor safety properties against a run of the program
- Examples: JPaX (NASA Ames) and UPenn's Java MaC analyze the observed run; JMPaX (UIUC) predicts errors by analyzing all consistent runs

Specification Based Monitoring
Instrumentation script:
  predicate red = (Light.color == 1);
  predicate yellow = (Light.color == 2);
  predicate green = (Light.color == 3);
Program:
  class Light{ int color; void goRed(){ color = 1; } …
Specification:
  property p = [](green -> !red U yellow);

Monitoring Future Time LTL
Syntax: propositional calculus plus ○F (next), □F (always), ◊F (eventually), F U F' (until)
Executable semantics, by rewriting:
  _{_} : Formula × State -> Formula ("consume" state s); F{s} is the formula that should hold after processing s
  p{s} -> is the atomic predicate p true on s?
  (F op F'){s} -> F{s} op F'{s}
  (○F){s} -> F
  (□F){s} -> F{s} ∧ (□F)
  (◊F){s} -> F{s} ∨ (◊F)
  (F U F'){s} -> F'{s} ∨ (F{s} ∧ (F U F'))

Future Time LTL - Example
Event stream: red yellow green yellow green red …
X * ((red U yellow)  (green  red U yellow)) X * ((red U yellow)  (green  red U yellow)) Event red has been consumed! X * (green  red U yellow) X X * (green  red U yellow) X Formula was violated! (green  red U yellow) Formula: {red} {yellow}  (green  red U yellow){red}  (green  red U yellow) {green} (green{red}  (yellow{red}  red{red}  red U yellow))  … * {yellow} (false  (false  false  red U yellow))  … * {green} * true  (green  red U yellow) {red}  (green  red U yellow) (yellow{red}  red{red}  red U yellow)  … * * false  … * false

Problem…
- The previous algorithm is not synchronous! Example: (○□p) ∧ (○□¬p). Unless we check for validity after processing each event, which is very expensive
- How to generate a minimal monitor for LTL that detects bad and good prefixes? A deterministic finite automaton, called a GB-automaton
- Solution: circular coinduction? There is related work for EREs (extended regular expressions)

Good and Bad Prefixes
- A finite trace is a bad prefix for a formula when every infinite trace extending it violates the formula
- A finite trace is a good prefix for a formula when every infinite trace extending it satisfies the formula
- A minimal good (or bad) prefix is a good (or bad) prefix none of whose proper prefixes is good (or bad)
- Example: p.p.p.¬p is a minimal bad prefix for □p

Good and Bad Prefix Equivalence
- F1 ≡G F2 (good prefix equivalent) iff F1 and F2 have exactly the same set of good prefixes
- F1 ≡B F2 (bad prefix equivalent) iff F1 and F2 have exactly the same set of bad prefixes
- F1 ≡GB F2 (good-bad prefix equivalent) iff F1 and F2 have exactly the same sets of good and bad prefixes

Hidden Logic
Behavioral specification: a tuple (V, H, Γ, Σ, E), or simply (Γ, Σ, E)
- Sorts S = V ∪ H: V = visible sorts (stand for data: integers, reals, chars, etc.); H = hidden sorts (stand for states, objects, black boxes, etc.)
- Operations Γ ⊆ Σ: Σ is an S-signature; Γ is a subsignature of Σ of behavioral operations
- E is a set of Σ-equations

Contexts and Experiments
- A Γ-context is a Γ-term with a hidden "slot" z : h
- A Γ-experiment is a Γ-context of visible result
[Figure: a Γ-context built from operations in Γ over the slot z : h; it is a Γ-experiment if its result sort is visible]

Behavioral Equivalence
- Models are called hidden Σ-algebras: A, A', …
- Behavioral equivalence on A: a ≡ a'
  - the identity on visible carriers
  - on a hidden sort h: a ≡h a' iff Aξ(a) = Aξ(a') for any Γ-experiment ξ
[Figure: a and a' driven through the same Γ-experiment ξ (operations in Γ) to visible results, with Aξ(a) = Aξ(a')]

Circular Coinduction in a Nutshell
- "Derive" the original proof goal until ending up in circles
- All possibilities to distinguish the two are exhaustively explored
- Moreover, all the behavioral equalities on the proof graph are true: lemma discovery!
- Modulo substitutions, "special" contexts and equational reasoning
[Figure: proof graph with goal nodes such as ▲ = ♥, ☺ = ☼ and ♣ = ►, expanded along edges labelled a, m1, m2 down to visible leaves 5 = 5, 9 = 9, 0 = 0 and back to earlier goals (the circles)]

Behavioral Specification of LTL
B = (V, H, Γ, Σ, E) where
- V contains State and Bool
- H contains LTL
- Σ contains true, false, _∧_, _∨_, _U_, ○_, □_, ◊_
- E contains all the equations defined before
- Γ contains GB : LTL -> {0,1,?} and _{_} : LTL × State -> LTL
Theorem: B behaviorally satisfies F = F' iff F ≡GB F'

Theorem: Circular coinduction is a decision procedure for LTL good-bad prefix equivalence.
Example: □(p ∨ q) ≡GB □(p U q). Moreover, all the equivalences in the proof graph below are true!
[Figure: proof graph for the goal □(p ∨ q) = □(p U q): the GB experiment yields ? = ?; the derivative _{∅} yields false = false; _{q} and _{p,q} lead back to □(p ∨ q) = □(p U q) (a circle); _{p} leads to the new goal □(p ∨ q) = (p U q) ∧ □(p U q), whose derivatives again yield ? = ?, false = false and circles back to the earlier goals]

Generating Minimal DFAs (GB-Automaton) for LTL
[Figure: states are LTL formulas F, F', F'', …; an edge labelled s leads from F to F{s}, and each new state F{s} or F{s'} raises the question "equivalent?" to a state already present]
- Maintain a set C of pairs of good-bad prefix equivalent LTL formulas
- Check each new LTL formula for good-bad prefix equivalence with the LTL formulas already in the DFA: first in C, then by circular coinduction (CC)
- If an equivalent LTL formula is found, add the new circularities to C
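As an added worked example (not code from the slides, nor from the Maude or JPaX implementations the talk mentions), the following Python block implements the rewriting semantics F{s} from the "Monitoring Future Time LTL" slide, runs it over the traffic-light property and event stream used in the earlier slides, exposes the GB : LTL -> {0,1,?} verdict map of the behavioral specification, and then explores the residual formulas to build an automaton along the lines of the construction just described. The one deliberate difference is the equivalence check: the slides merge states by good-bad prefix equivalence decided by circular coinduction, whereas this block merges residuals only when they are syntactically identical after Boolean simplification, which is sound but not complete, so its automaton is not guaranteed minimal. The tuple encoding of formulas, the helper names (_flat, simplify, consume, gb, monitor, derivative_automaton) and the sample trace are this example's own choices.

```python
from itertools import combinations

# Formula encoding (constructed for this example; the slides use Maude terms):
# bools, atomic predicates as str, and tuples ("not", F), ("and", F, G, ...),
# ("or", F, G, ...), ("impl", F, G), ("next", F), ("always", F), ("eventually", F), ("until", F, G).

def _flat(op, items):
    """n-ary and/or modulo associativity, commutativity, idempotence and unit/zero absorption."""
    unit, zero = (True, False) if op == "and" else (False, True)
    out = set()
    for x in items:
        if x is zero:
            return zero
        if x is not unit:
            out.update(x[1:] if isinstance(x, tuple) and x[0] == op else [x])
    if len(out) <= 1:
        return next(iter(out), unit)
    return (op,) + tuple(sorted(out, key=repr))

def simplify(f):
    """Boolean simplification; temporal operators are kept as they are."""
    if isinstance(f, (bool, str)):
        return f
    op, args = f[0], f[1:]
    if op == "not":
        a = simplify(args[0])
        if isinstance(a, bool):
            return not a
        return a[1] if isinstance(a, tuple) and a[0] == "not" else ("not", a)
    if op == "impl":                                   # F -> G  is  not F or G
        return simplify(("or", ("not", args[0]), args[1]))
    if op in ("and", "or"):
        return _flat(op, [simplify(x) for x in args])
    return (op,) + tuple(simplify(x) for x in args)

def consume(f, state):
    """F{s} from the slide: the formula that must hold after processing state s,
    where `state` is the set of atomic predicates true in s."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):                            # p{s}: is p true on s?
        return f in state
    op, args = f[0], f[1:]
    if op in ("not", "and", "or", "impl"):            # (F op F'){s} -> F{s} op F'{s}
        return simplify((op,) + tuple(consume(x, state) for x in args))
    if op == "next":                                  # (oF){s} -> F
        return simplify(args[0])
    if op == "always":                                # ([]F){s} -> F{s} and []F
        return simplify(("and", consume(args[0], state), f))
    if op == "eventually":                            # (<>F){s} -> F{s} or <>F
        return simplify(("or", consume(args[0], state), f))
    if op == "until":                                 # (F U G){s} -> G{s} or (F{s} and F U G)
        return simplify(("or", consume(args[1], state), ("and", consume(args[0], state), f)))
    raise ValueError("unknown operator %r" % op)

def gb(f):
    """GB : LTL -> {0, 1, ?}: 0 = bad prefix seen, 1 = good prefix seen, ? = undecided."""
    return "1" if f is True else "0" if f is False else "?"

def monitor(formula, trace):
    """Rewrite through each event; returns (verdict, index of decisive event or None, residuals)."""
    f, residuals = simplify(formula), []
    for i, state in enumerate(trace):
        f = consume(f, state)
        residuals.append(f)
        if isinstance(f, bool):
            return gb(f), i, residuals
    return gb(f), None, residuals

def derivative_automaton(formula, props):
    """Explore every residual reachable over all subsets of `props`.  States are merged
    only when syntactically identical after simplify(), a sound but incomplete stand-in for
    the good-bad prefix equivalence the slides decide by circular coinduction, so the
    result is not guaranteed minimal.  Returns ({formula: id}, {(id, frozenset): id})."""
    alphabet = [frozenset(c) for r in range(len(props) + 1) for c in combinations(props, r)]
    start = simplify(formula)
    states, trans, todo = {start: 0}, {}, [start]
    while todo:
        f = todo.pop()
        if isinstance(f, bool):                       # true/false are absorbing verdict states
            continue
        for s in alphabet:
            g = consume(f, s)
            if g not in states:
                states[g] = len(states)
                todo.append(g)
            trans[(states[f], s)] = states[g]
    return states, trans

# Constructed sample input: the traffic-light property and event stream from the slides.
RED, YELLOW, GREEN = "red", "yellow", "green"
PROPERTY = ("always", ("impl", GREEN, ("until", ("not", RED), YELLOW)))   # [](green -> !red U yellow)
TRACE = [frozenset([c]) for c in (RED, YELLOW, GREEN, YELLOW, GREEN, RED)]

if __name__ == "__main__":
    verdict, at, residuals = monitor(PROPERTY, TRACE)
    print("verdict", verdict, "decided at event", at, "residuals", residuals)
    print(len(derivative_automaton(PROPERTY, [RED, YELLOW, GREEN])[0]), "automaton states")
```

Run on the sample stream, the monitor reports verdict 0 at the sixth event (a red following a green with no yellow in between), which is the violation traced on the example slide; the automaton for this property has three states (the property itself, the residual left after a green, and false). The incompleteness of syntactic merging shows on the slides' own equivalence: □(p ∨ q) yields two states while the GB-equivalent □(p U q) yields three, which is exactly why the talk decides equivalence by coinduction instead of by the shape of the formula. The non-synchronicity from the Problem slide is visible too: for (○□p) ∧ (○□¬p) the rewriting monitor only reports the violation at the second event, even though no extension of the empty prefix can satisfy the formula.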

Complexity
- The size of the GB-automaton accepting the good and bad prefixes of an LTL formula of size m is O(2^{2^m}) (22m½)
- Space and time requirement of the algorithm: 2^{O(m)}

Implementation
- BOBJ cannot be used because it does not return the set of circularities
- Can be implemented as a specialized circular coinduction algorithm in Maude
- An implementation of the algorithm adapted to EREs is available online at http://fsl.cs.uiuc.edu/rv/

Conclusion and Future Work
- Behavioral specification of LTL
- Two LTL formulae are monitoring equivalent iff they are indistinguishable under the chosen experiments
- Optimal monitors are generated by coinduction in a single go
- To be part of NASA Ames's Java PathExplorer (JPaX) tool
- Future work: replace the edges from a state by binary decision diagrams; apply coinductive techniques to generate monitors for other logics, such as NASA Ames's Eagle