Generating Optimal Linear Temporal Logic Monitors by Coinduction

Transcript of Generating Optimal Linear Temporal Logic Monitors by Coinduction

Generating Optimal Linear Temporal Logic Monitors by Coinduction

Koushik Sen, University of Illinois at Urbana-Champaign, USA

Co-authors: Grigore Rosu and Gul Agha.

04/19/23

Increasing Software Reliability

Current solutions:

Human review of code and testing: the most used in practice; usually ad hoc, with intensive human support.

(Advanced) static analysis: often scales up; false positives and negatives, needs annotations.

(Traditional) formal methods, i.e. model checking and theorem proving: general, good confidence, but do not always scale up.


Runtime Verification

Merge testing and temporal logic specification: specify safety properties in temporal logic, then monitor the safety properties against a run of the program.

Examples: JPaX (NASA Ames) and UPenn's Java MaC analyze the observed run; JMPaX (UIUC) predicts errors by analyzing all runs consistent with the observed one.


Specification Based Monitoring

Program:

    class Light { int color; void goRed() { color = 1; } … }

Instrumentation script:

    predicate red = (Light.color == 1);
    predicate yellow = (Light.color == 2);
    predicate green = (Light.color == 3);

Specification:

    property p = [](green -> !red U yellow);


Monitoring Future Time LTL

Syntax: propositional calculus plus $\circ F$ (next), $\Box F$ (always), $\Diamond F$ (eventually) and $F\ \mathrm{U}\ F'$ (until).

Executable semantics by rewriting: $\_\{\_\} : Formula \times State \rightarrow Formula$ ("consume" state s); $F\{s\}$ is the formula that should hold after processing s.

$p\{s\} =$ is the atomic predicate p true on s?
$(F\ op\ F')\{s\} = F\{s\}\ op\ F'\{s\}$
$(\circ F)\{s\} = F$
$(\Box F)\{s\} = F\{s\} \wedge \Box F$
$(\Diamond F)\{s\} = F\{s\} \vee \Diamond F$
$(F\ \mathrm{U}\ F')\{s\} = F'\{s\} \vee (F\{s\} \wedge (F\ \mathrm{U}\ F'))$


Future Time LTL - Example

Formula: $\Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)$

Event stream: red yellow green yellow green red …

Consume red:

$\Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)\{red\}$
$= (green \rightarrow \neg red\ \mathrm{U}\ yellow)\{red\} \wedge \Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)$
$= (green\{red\} \rightarrow (yellow\{red\} \vee (\neg red\{red\} \wedge \neg red\ \mathrm{U}\ yellow))) \wedge \Box(\ldots)$
$= (false \rightarrow (false \vee (false \wedge \neg red\ \mathrm{U}\ yellow))) \wedge \Box(\ldots)$
$= true \wedge \Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)$
$= \Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)$

Event red has been consumed! Consuming yellow leaves the formula unchanged in the same way.

Consume green:

$\Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)\{green\} = (\neg red\ \mathrm{U}\ yellow) \wedge \Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)$

Consume yellow:

$((\neg red\ \mathrm{U}\ yellow) \wedge \Box(green \rightarrow \neg red\ \mathrm{U}\ yellow))\{yellow\} = \Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)$

Consume green:

$\Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)\{green\} = (\neg red\ \mathrm{U}\ yellow) \wedge \Box(green \rightarrow \neg red\ \mathrm{U}\ yellow)$

Consume red:

$((\neg red\ \mathrm{U}\ yellow) \wedge \Box(green \rightarrow \neg red\ \mathrm{U}\ yellow))\{red\}$
$= (yellow\{red\} \vee (\neg red\{red\} \wedge \neg red\ \mathrm{U}\ yellow)) \wedge \Box(\ldots)$
$= (false \vee (false \wedge \neg red\ \mathrm{U}\ yellow)) \wedge \Box(\ldots)$
$= false$

Formula was violated!


Problem…

The previous algorithm is not synchronous: $(\circ p) \wedge (\circ \neg p)$ is violated by every trace, so the empty prefix is already a bad prefix, yet rewriting only reduces it to $p \wedge \neg p$ after one event and to false after a second one.

The fix would be to check validity after processing each event, which is very expensive.

How to generate a minimal monitor for LTL that detects bad and good prefixes? As a deterministic finite automaton, called the GB-automaton.

Solution: circular coinduction? There is related work for EREs (extended regular expressions).


Good and Bad Prefixes

A finite trace is a bad prefix for a formula iff every infinite trace extending it violates the formula ($\forall$ infinite continuations, the concatenation $\not\models$ the formula).

A finite trace is a good prefix for a formula iff every infinite trace extending it satisfies the formula ($\forall$ infinite continuations, the concatenation $\models$ the formula).

A finite trace is a minimal good (or bad) prefix iff it is a good (or bad) prefix and none of its proper prefixes is good (or bad).

Example: $p.p.p.\neg p$ is a minimal bad prefix for $\Box p$.


Good and Bad Prefix Equivalence

$F_1 \equiv_G F_2$ (good prefix equivalent) iff $F_1$ and $F_2$ have exactly the same set of good prefixes.

$F_1 \equiv_B F_2$ (bad prefix equivalent) iff $F_1$ and $F_2$ have exactly the same set of bad prefixes.

$F_1 \equiv_{GB} F_2$ (good-bad prefix equivalent) iff $F_1$ and $F_2$ have exactly the same sets of good and bad prefixes.


Hidden Logic Behavioral Specification

A behavioral specification is a tuple (V, H, Γ, Σ, E), or simply (Γ, Σ, E).

Sorts S = V ∪ H, where V is the set of visible sorts (standing for data: integers, reals, chars, etc.) and H is the set of hidden sorts (standing for states, objects, black boxes, etc.).

Operations Γ ⊆ Σ: Σ is an S-signature and Γ is a subsignature of Σ, the behavioral operations.

E is a set of Σ-equations.


Contexts and Experiments

A Γ-context is a Γ-term with a hidden "slot" z : h.

A Γ-experiment is a Γ-context of visible result.

[Figure: a Γ-context built from operations in Γ around the slot z : h; when its result sort is visible it is a Γ-experiment.]


Behavioral Equivalence

Models are called hidden Σ-algebras: A, A', …

Behavioral equivalence on A, written $a \equiv a'$, is the identity on visible carriers, and on a hidden sort h:

$a \equiv_h a'$ iff $A_\xi(a) = A_\xi(a')$ for every Γ-experiment ξ.

[Figure: a and a' are run through the same Γ-experiment ξ, built from operations in Γ, and compared at its visible result, $A_\xi(a) = A_\xi(a')$.]


Circular Coinduction in a Nutshell

"Derive" the original proof goal until you end up in circles, modulo substitutions, "special" contexts and equational reasoning.

[Figure: proof graph. The root goal is derived under the behavioral operations until every branch either ends in an equality of visible values (5 = 5, 9 = 9, 0 = 0) or reaches a goal that already appears on the graph.]

Moreover, all the behavioral equalities on the proof graph are true: lemma discovery!

All possibilities to distinguish the two are exhaustively explored.


Behavioral Specification of LTL

B = (V, H, Γ, Σ, E) where V contains State and Bool, and H contains LTL.

Σ contains true, false, $\_\wedge\_$, $\_\vee\_$, $\_\mathrm{U}\_$, $\circ\_$, $\Box\_$, $\Diamond\_$.

E contains all the equations defined before.

Γ contains

    GB : LTL -> {0,1,?}
    _{_} : LTL × State -> LTL

Theorem: B behaviorally satisfies F = F' iff $F \equiv_{GB} F'$.


Example: proving $\ldots p \vee q) \equiv_{GB} (p\ \mathrm{U}\ q)$ (the left-hand side of the goal is garbled in the transcript)

[Figure: proof graph. The root goal $\ldots p \vee q) = (p\ \mathrm{U}\ q)$ is derived under the behavioral operations GB, $\_\{\}$, $\_\{p\}$, $\_\{q\}$ and $\_\{p,q\}$. GB yields the visible equality ? = ?, the empty state $\_\{\}$ yields false = false, and the remaining branches lead to the root goal again and to the goal $\ldots p \vee q) = (p\ \mathrm{U}\ q) \wedge (p\ \mathrm{U}\ q)$, which are closed circularly.]

Moreover, all the equivalences in the proof graph are true!

Theorem: circular coinduction is a decision procedure for LTL good-bad prefix equivalence.


Generating Minimal DFAs (GB-Automaton) for LTL

[Figure: the automaton under construction. States are LTL formulae F, F', F'', …; consuming a state s moves from F to F{s}; for each newly derived formula F{s}, F{s'} the question is whether it is equivalent to a formula already in the DFA.]

1. Maintain a set C of pairs of good-bad prefix equivalent LTL formulae.

2. Check each new LTL formula for good-bad prefix equivalence with the LTL formulae already in the DFA:

• first in C;

• then by circular coinduction (CC). If an equivalent LTL formula is found, add the new circularities to C.
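The following is an added example (not the talk's code, nor the JPaX or Maude implementation it mentions) that carries the construction through in Python: it implements the $\_\{\_\}$ rewriting semantics from the "Monitoring Future Time LTL" slide, replays the traffic-light event stream of the example slide, and then builds a GB-automaton by exploring F{s} for every state s and merging good-bad prefix equivalent states. Two substitutions are this example's assumptions, not the slides' method: the GB verdict is decided syntactically (a formula that has rewritten to true or false), which is exactly the non-synchronous observer of the "Problem…" slide, and equivalent states are merged by Moore partition refinement over the GB outputs rather than by circular coinduction. The tuple representation of formulas, the `max_states` guard and every function name are this example's own.

```python
"""Rewriting-based LTL monitor and GB-automaton construction: an added example,
not the authors' code.  Formulas are nested tuples; a monitored "state" is the
set of atomic-predicate names true in it.  Assumptions: GB is decided
syntactically (formula rewritten to True/False), i.e. this is the non-synchronous
monitor of the "Problem..." slide, and states are merged by Moore partition
refinement rather than circular coinduction.  All names are this example's own.
Syntax: True | False | ('p', name) | ('not', F) | ('and', frozenset) |
        ('or', frozenset) | ('next', F) | ('always', F) | ('ev', F) | ('until', F, G)"""
from itertools import combinations

def Not(f):
    if f is True or f is False: return not f
    return f[1] if f[0] == 'not' else ('not', f)

def And(*fs):                      # flattened and idempotent: (F/\G)/\F == F/\G
    args = set()
    for f in fs:
        if f is False: return False
        if f is not True: args |= f[1] if f[0] == 'and' else {f}
    if not args: return True
    return next(iter(args)) if len(args) == 1 else ('and', frozenset(args))

def Or(*fs):
    args = set()
    for f in fs:
        if f is True: return True
        if f is not False: args |= f[1] if f[0] == 'or' else {f}
    if not args: return False
    return next(iter(args)) if len(args) == 1 else ('or', frozenset(args))

def step(f, s):
    """F{s}: what must hold after consuming state s ('Monitoring Future Time LTL')."""
    if f is True or f is False: return f
    op = f[0]
    if op == 'p':      return f[1] in s                     # p{s}: is p true on s?
    if op == 'not':    return Not(step(f[1], s))
    if op == 'and':    return And(*(step(g, s) for g in f[1]))
    if op == 'or':     return Or(*(step(g, s) for g in f[1]))
    if op == 'next':   return f[1]                          # (oF){s} = F
    if op == 'always': return And(step(f[1], s), f)         # ([]F){s} = F{s} /\ []F
    if op == 'ev':     return Or(step(f[1], s), f)          # (<>F){s} = F{s} \/ <>F
    if op == 'until':  return Or(step(f[2], s), And(step(f[1], s), f))
    raise ValueError(f"unknown operator {op!r}")

def monitor(f, trace):
    """Formula after each event; stops once it collapses to True/False."""
    history = []
    for s in trace:
        f = step(f, s); history.append(f)
        if f is True or f is False: break
    return history

def gb(f):                         # GB : LTL -> {0,1,?}, decided syntactically
    return '1' if f is True else '0' if f is False else '?'

def atoms(f):
    if not isinstance(f, tuple): return set()
    if f[0] == 'p': return {f[1]}
    return set().union(*map(atoms, f[1] if f[0] in ('and', 'or') else f[1:]))

def build_automaton(inits, max_states=10_000):
    """Explore F{s} for every state s over the atoms of the initial formulas.
    States are identified syntactically, so the guard catches formulas whose
    rewrites never close up (the slides test =GB instead of syntactic equality)."""
    props = sorted(set().union(*map(atoms, inits)))
    alphabet = [frozenset(c) for k in range(len(props) + 1)
                for c in combinations(props, k)]
    states, index, delta, todo = [], {}, {}, []
    def add(f):
        if f not in index:
            index[f] = len(states); states.append(f); todo.append(f)
        return index[f]
    for f in inits: add(f)
    while todo:
        g = todo.pop()
        if len(states) > max_states: raise RuntimeError("state space did not close")
        for s in alphabet: delta[(index[g], s)] = add(step(g, s))
    return states, delta, alphabet

def minimize(states, delta, alphabet):
    """Moore partition refinement: states merge iff they give the same GB verdict
    after every continuation, i.e. their formulas are good-bad prefix equivalent."""
    block = [gb(g) for g in states]
    while True:
        ids, new = {}, []
        for i in range(len(states)):
            sig = (block[i],) + tuple(block[delta[(i, s)]] for s in alphabet)
            new.append(ids.setdefault(sig, len(ids)))
        if len(ids) == len(set(block)): return new      # no further refinement
        block = new

def gb_equivalent(f, g):
    """Decide F =GB G: both initial formulas land in the same Moore class."""
    if f == g: return True
    states, delta, alphabet = build_automaton([f, g])
    classes = minimize(states, delta, alphabet)
    return classes[0] == classes[1]

# Constructed inputs: the traffic-light property and event stream of the slides.
red, yellow, green = ('p', 'red'), ('p', 'yellow'), ('p', 'green')
LIGHT = ('always', Or(Not(green), ('until', Not(red), yellow)))  # [](green -> !red U yellow)
TRACE = [{'red'}, {'yellow'}, {'green'}, {'yellow'}, {'green'}, {'red'}]
p, q = ('p', 'p'), ('p', 'q')
# (o p) /\ (o !p) from the "Problem..." slide: unsatisfiable, yet the syntactic
# verdict stays '?' until two more events have been consumed.
NONSYNC = And(('next', p), ('next', Not(p)))
```

`monitor(LIGHT, TRACE)` reproduces the derivation of the example slide step by step and ends in false after the final red; `monitor(NONSYNC, [set(), set()])` shows the two-event delay of the syntactic verdict; `gb_equivalent(('until', p, q), ('until', Or(p, q), q))` decides an equivalence by checking that the two initial states fall into one Moore class. Because states are first identified syntactically (after flattening and idempotence of ∧ and ∨), the exploration terminates only for formulas whose rewrites close up, and the guard raises otherwise; testing ≡GB on each new formula, as the slide's algorithm does, is what removes that limitation.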


Complexity

The size of the GB-automaton accepting the good and bad prefixes of an LTL formula of size m is $O(2^{2^m})$ (and can be as large as $2^{2^{m^{1/2}}}$).

The space and time requirement of the algorithm is $2^{O(m)}$.


Implementation

BOBJ cannot be used because it does not return the set of circularities.

The algorithm can be implemented as a specialized circular coinduction procedure in Maude.

An implementation of the algorithm adapted to EREs is available online at http://fsl.cs.uiuc.edu/rv/


Conclusion and Future Work

Behavioral specification of LTL: two LTL formulae are monitoring equivalent iff they are indistinguishable under the chosen experiments.

Optimal monitors are generated by coinduction in a single go. The technique is to become part of NASA Ames's Java PathExplorer (JPaX) tool.

Future work: replace the edges leaving a state by Binary Decision Diagrams, and apply coinductive techniques to generate monitors for other logics such as NASA Ames's Eagle.