Presentation is loading. Please wait.

Presentation is loading. Please wait.

Generating Optimal Linear Temporal Logic Monitors by Coinduction

Published byMaría Mercedes Núñez Castro Modified over 5 years ago

Similar presentations

Presentation on theme: "Generating Optimal Linear Temporal Logic Monitors by Coinduction"— Presentation transcript:

1 Generating Optimal Linear Temporal Logic Monitors by Coinduction
Koushik Sen University of Illinois at Urbana-Champaign, USA Co-authors: Grigore Rosu and Gul Agha.

2 Increasing Software Reliability
Current solutions Human review of code and testing Most used in practice Usually ad-hoc, intensive human support (Advanced) Static analysis Often scales up False positives and negatives, annotations (Traditional) Formal methods Model checking and theorem proving General, good confidence, do not always scale up 12/4/2018

3 Runtime Verification Merge testing and temporal logic specification
Specify safety properties in temporal logic. Monitor safety properties against a run of the program. Examples: JPaX (NASA Ames), Upenn's Java MaC analyzes the observed run. JMPaX (UIUC) predicts errors by analyzing all consistent runs. 12/4/2018

4 Specification Based Monitoring
predicate red = (Light.color == 1); predicate yellow = (Light.color == 2); predicate green = (Light.color == 3); Instrumentation Script class Light{ int color; void goRed(){ color = 1; } Program property p = [](green -> !red U yellow); Specification 12/4/2018

5 Monitoring Future Time LTL
Syntax – Propositional Calculus plus o F (next)  F (always)  F (eventually) F UF’ (until) Executable Semantics – Rewriting _{_} : Formula x State -> Formula (“consume” state s) F{s} formula that should hold after processing s p{s}  is the atomic predicate p true on s ? (F op F’){s}  F{s} op F’{s} (o F){s}  F ( F){s}  F{s}  ( F) ( F){s}  F{s}  ( F) (F U F’){s}  F’{s}  (F{s}  (F U F’)) 12/4/2018

6 Future Time LTL - Example
Event stream: red yellow green yellow green red … X * ((red U yellow)  (green  red U yellow)) X * ((red U yellow)  (green  red U yellow)) Event red has been consumed! X * (green  red U yellow) X X * (green  red U yellow) X Formula was violated! (green  red U yellow) Formula: {red} {yellow} (green  red U yellow){red}  (green  red U yellow) {green} (green{red}  (yellow{red}  red{red}  red U yellow))  … * {yellow} (false  (false  false  red U yellow))  … * {green} * true  (green  red U yellow) {red} (green  red U yellow) (yellow{red}  red{red}  red U yellow)  … * * false  … * false 12/4/2018

7 Problem… Previous algorithm is not synchronous !
(°  p) Æ (°  : p ) Unless we check for validity after processing each event, which is very expensive How to generate a minimal monitor for LTL to detect bad and good prefixes? Deterministic Finite Automaton called GB-Automaton Solution: Circular Coinduction? Related work for ERE (Extended Regular Expressions) 12/4/2018

8 Good and Bad Prefixes  is a bad prefix for   is a good prefix for 
) 8 infinite traces  . . 2   is a good prefix for  ) 8 infinite traces  . . ²   is a minimal good (or bad) prefix  is a good (or bad) prefix there is no prefix ’ of  that is good (or bad) p.p.p.: p is a minimal bad prefix for  p 12/4/2018

9 Good and Bad Prefix Equivalence
1 ´G 2 (good prefix equivalent) iff both 1 and 2 have the exactly same set of good prefixes. 1 ´B 2 (bad prefix equivalent) iff both 1 and 2 have the exactly same set of bad prefixes. 1 ´GB 2 (good-bad prefix equivalent) iff both 1 and 2 have the exactly same set of good and bad prefixes. 12/4/2018

10 Hidden Logic Behavioral Specification
Tuple (V, H, Γ, Σ, E), or simply (Γ, Σ, E) Sorts S = V  H V = visible sorts (stay for data: integers, reals, chars, etc.) H = hidden sorts (stay for states, objects, blackboxes, etc.) Operations Γ  Σ Σ is an S-signature Γ is a subsignature of Σ of behavioral operations E is a set of Σ-equations 12/4/2018

11 Contexts and Experiments
Γ-context is a Γ-term with a hidden “slot” Γ-experiment is a Γ-context of visible result visible if Γ-experiment operations in Γ z : h 12/4/2018

12 Behavioral Equivalence
Models called hidden Σ-algebras; A, A’, … Behavioral equivalence on A: a ≡ a’ Identity on visible carriers a ≡h a’ iff Aξ(a) = Aξ(a’) for any Γ-experiment ξ Γ a a’ visible Aξ(a) Aξ(a’) = Γ Γ 12/4/2018

13 Circular Coinduction in a Nutshell
“Derive” the original proof goal until end up in circles All possibilities to distinguish the two are exhaustively explored Moreover, all the behavioral equalities on the proof graph are true: lemma descovery! Modulo substitutions, “special” contexts and equational reasoning ▲ = ♥ a m1 m2 ☺ = ☼ ♣ = ► 5 = 5 ♣ = ► a m1 m2 ♣ = ► ☺ = ☼ 9 = 9 ☺ = ☼ a m1 m2 0 = 0 12/4/2018

14 Behavioral Specification of LTL
B = (V, H, Γ, Σ, E) where V contains State and Bool H contains LTL Σ contains true,false,_Æ_,_Ç_, _U_, _○_, _, ◊_ E contains all equations defined before Γ contains GB : LTL -> {0,1,?} _{_} : LTL State -> LTL Theorem: B beh. satisfies F = F’ iff F ´GB F’ 12/4/2018

15 Moreover, all the equivalences in the proof graph below are true!
(p Ç q) ´GB (p U q) Theorem: Circular Coinduction is a decision procedure for LTL good-bad prefix equivalence (p Ç q) = (p U q) _{p,q} GB (p Ç q) = (p U q) ? = ? _{;} _{q} _{p} false = false (p Ç q) = (p U q) (p Ç q) = (p U q) Æ (p U q) _{p,q} GB _{;} (p Ç q) = (p U q) ? = ? _{q} _{p} false = false (p Ç q) = (p U q) (p Ç q) = (p U q) Æ (p U q) 12/4/2018

16 Generating Minimal DFAs (GB-Automaton) for LTL
F’{s} F F{s} F{s’} …… F’’ …… s s’ …… F’ …… equivalent? Maintain a set C of pairs of good-bad prefix equivalent LTLs Check each new LTL formula for good-bad prefix equivalence with already existing LTL formulas in the DFA First in C Then by CC. If equivalent LTL formula found, then add new circularities to C 12/4/2018

17 Complexity The size of the GB-automaton accepting good and bad prefixes of an LTL formula of size m is O(22m) (22m½) Space and time requirement of the algorithm is 2O(m) 12/4/2018

18 Implementation BOBJ cannot be used because it does not return the set of circularities Can be implemented as a specialized circular coinduction algorithm in Maude Implementation of the algorithm adapted to EREs available online at 12/4/2018

19 Conclusion and Future Work
Behavioral specification of LTL Two LTL formulae are monitoring equivalent iff they are indistinguishable under chosen experiments Optimal monitors are generated by co-induction in a single go. To be part of NASA Ames’s Java PathExplorer (JPaX) tool. Replace edges from a state by Binary Decision Diagrams. Future work to apply coinductive techniques to generate monitors for other logics such as NASA Ames Eagle 12/4/2018

Download ppt "Generating Optimal Linear Temporal Logic Monitors by Coinduction"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Modeling and Analyzing Periodic Distributed Computations Anurag Agarwal Vijay Garg Vinit Ogale The University.

Modeling and Analyzing Periodic Distributed Computations Anurag Agarwal Vijay Garg Vinit Ogale The University.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Runtime Verification Ali Akkaya Boğaziçi University.

Runtime Verification Ali Akkaya Boğaziçi University.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Timed Automata.

Timed Automata.
/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.

/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.

Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.
System Design Research Laboratory Model-based Testing and Monitoring for Hybrid Embedded Systems Li Tan Jesung Kim Oleg Sokolsky Insup Lee University of.

System Design Research Laboratory Model-based Testing and Monitoring for Hybrid Embedded Systems Li Tan Jesung Kim Oleg Sokolsky Insup Lee University of.

Similar presentations

Ads by Google