## Generating Optimal Linear Temporal Logic Monitors by Coinduction


**Generating Optimal Linear Temporal Logic Monitors by Coinduction**

Koushik Sen, University of Illinois at Urbana-Champaign, USA. Co-authors: Grigore Rosu and Gul Agha.

### Increasing Software Reliability

- Current solutions
  - Human review of code and testing
    - Most used in practice
    - Usually ad hoc, intensive human support
  - (Advanced) Static analysis
    - Often scales up
    - False positives and negatives, annotations
  - (Traditional) Formal methods
    - Model checking and theorem proving
    - General, good confidence, do not always scale up

### Runtime Verification

- Merge testing and temporal logic specification
  - Specify safety properties in temporal logic.
  - Monitor safety properties against a run of the program.
- Examples: JPaX (NASA Ames) and UPenn's Java MaC analyze the observed run.
- JMPaX (UIUC) predicts errors by analyzing all consistent runs.

### Specification Based Monitoring

Program:

```java
class Light {
    int color;
    void goRed() { color = 1; }
    …
}
```

Instrumentation script:

```
predicate red    = (Light.color == 1);
predicate yellow = (Light.color == 2);
predicate green  = (Light.color == 3);
```

Specification:

```
property p = [](green -> !red U yellow);
```

### Monitoring Future Time LTL

- Syntax: propositional calculus plus
  - ○F (next), □F (always), ◊F (eventually), F U F' (until)
- Executable semantics: rewriting
  - _{_} : Formula × State → Formula ("consume" state s)
  - F{s} is the formula that should hold after processing s
  - p{s} = is the atomic predicate p true on s?
  - (F op F'){s} = F{s} op F'{s}
  - (○F){s} = F
  - (□F){s} = F{s} ∧ (□F)
  - (◊F){s} = F{s} ∨ (◊F)
  - (F U F'){s} = F'{s} ∨ (F{s} ∧ (F U F'))

Formula: □(green → (¬red U yellow))

Consuming red from the initial formula leaves it unchanged:

```
(□(green → (¬red U yellow))){red}
= (green → (¬red U yellow)){red} ∧ □(green → (¬red U yellow))
= (green{red} → (yellow{red} ∨ (¬red{red} ∧ (¬red U yellow)))) ∧ □(green → (¬red U yellow))
= (false → (false ∨ (false ∧ (¬red U yellow)))) ∧ □(green → (¬red U yellow))
= true ∧ □(green → (¬red U yellow))
= □(green → (¬red U yellow))
```

Consuming green instead leaves (¬red U yellow) ∧ □(green → (¬red U yellow)), because green{green} = true and (¬red U yellow){green} = ¬red U yellow. Consuming red from that formula:

```
((¬red U yellow) ∧ □(green → (¬red U yellow))){red}
= (yellow{red} ∨ (¬red{red} ∧ (¬red U yellow))) ∧ (□(green → (¬red U yellow))){red}
= (false ∨ (false ∧ (¬red U yellow))) ∧ □(green → (¬red U yellow))
= false ∧ □(green → (¬red U yellow))
= false
```

Event red has been consumed! Formula was violated!
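The rewriting semantics above as a small Python monitor. This is an added example, not code from the paper or from JPaX/JMPaX: the tuple encoding of formulas and the names simplify, consume and monitor are my own, while the traffic-light property and its six-event stream are the slide's.

```python
# Formula encoding (own choice): Python bools for true/false, ('atom', p), ('not', F),
# ('and'|'or'|'implies', F, G), ('next'|'always'|'eventually', F), ('until', F, G).
def simplify(f):
    """Constant-fold the boolean connectives so a violation surfaces as plain False."""
    if isinstance(f, bool) or f[0] in ('atom', 'next', 'always', 'eventually', 'until'):
        return f
    if f[0] == 'not':
        g = simplify(f[1])
        return (not g) if isinstance(g, bool) else ('not', g)
    op, a, b = f[0], simplify(f[1]), simplify(f[2])
    if op == 'implies':                           # a -> b  is  (not a) or b
        op, a = 'or', ((not a) if isinstance(a, bool) else ('not', a))
    if op == 'and':
        if a is False or b is False:
            return False
        return b if a is True else a if b is True else ('and', a, b)
    if a is True or b is True:                    # op == 'or'
        return True
    return b if a is False else a if b is False else ('or', a, b)

def consume(f, s):
    """F{s}: what must hold on the rest of the trace after state s (set of predicates true in s)."""
    if isinstance(f, bool):
        return f
    op = f[0]
    if op == 'atom':
        return f[1] in s                                             # p{s}: is p true on s?
    if op == 'not':
        return simplify(('not', consume(f[1], s)))
    if op in ('and', 'or', 'implies'):                               # (F op G){s} = F{s} op G{s}
        return simplify((op, consume(f[1], s), consume(f[2], s)))
    if op == 'next':
        return f[1]                                                  # (o F){s} = F
    if op in ('always', 'eventually'):       # ([]F){s} = F{s} and []F ; (<>F){s} = F{s} or <>F
        return simplify(('and' if op == 'always' else 'or', consume(f[1], s), f))
    return simplify(('or', consume(f[2], s), ('and', consume(f[1], s), f)))  # (F U G){s}

def monitor(f, trace):
    """Feed the trace state by state. Returns (verdict, index): 'violated' once the formula
    rewrites to False (bad prefix), 'validated' once it rewrites to True (good prefix), else '?'."""
    for i, s in enumerate(trace):
        f = consume(f, s)
        if isinstance(f, bool):
            return ('validated' if f else 'violated', i)
    return ('?', len(trace))

# The slide's property [](green -> !red U yellow) over its stream red yellow green yellow green red.
LIGHT = ('always', ('implies', ('atom', 'green'),
                    ('until', ('not', ('atom', 'red')), ('atom', 'yellow'))))
STREAM = [{'red'}, {'yellow'}, {'green'}, {'yellow'}, {'green'}, {'red'}]
```

monitor(LIGHT, STREAM) reports ('violated', 5): the final red follows a green with no yellow in between. Feeding (○p) ∧ (○¬p) a single event returns '?' although no continuation can satisfy it, which is the non-synchronous behaviour the Problem slide points out.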
### Future Time LTL - Example

Event stream: red yellow green yellow green red …, i.e. the states {red} {yellow} {green} {yellow} {green} {red}

### Problem…

- Previous algorithm is not synchronous!
  - (○p) ∧ (○¬p)
  - Unless we check for validity after processing each event, which is very expensive
- How to generate a minimal monitor for LTL to detect bad and good prefixes?
  - Deterministic Finite Automaton called GB-Automaton
- Solution: Circular Coinduction?
  - Related work for ERE (Extended Regular Expressions)

### Good and Bad Prefixes

- A finite trace is a bad prefix for a formula iff ∀ infinite traces extending it, the extension violates the formula
- A finite trace is a good prefix for a formula iff ∀ infinite traces extending it, the extension satisfies the formula
- A finite trace is a minimal good (or bad) prefix iff
  - it is a good (or bad) prefix, and
  - no shorter prefix of it is good (or bad)
- p.p.p.¬p is a minimal bad prefix for □p

### Good and Bad Prefix Equivalence

- F1 ≡_G F2 (good prefix equivalent) iff F1 and F2 have exactly the same set of good prefixes.
- F1 ≡_B F2 (bad prefix equivalent) iff F1 and F2 have exactly the same set of bad prefixes.
- F1 ≡_GB F2 (good-bad prefix equivalent) iff F1 and F2 have exactly the same sets of good and bad prefixes.

### Hidden Logic Behavioral Specification

- Behavioral specification
  - Tuple (V, H, Γ, Σ, E), or simply (Γ, Σ, E)
  - Sorts S = V ∪ H
    - V = visible sorts (stand for data: integers, reals, chars, etc.)
    - H = hidden sorts (stand for states, objects, black boxes, etc.)
  - Operations Γ ⊆ Σ
    - Σ is an S-signature
    - Γ is a subsignature of Σ of behavioral operations
  - E is a set of Σ-equations

### Contexts and Experiments

- Γ-context is a Γ-term with a hidden "slot" z : h
- Γ-experiment is a Γ-context of visible result

(Diagram: a Γ-experiment built from operations in Γ around the slot z : h, ending in a visible sort.)

### Behavioral Equivalence

- Models called hidden Σ-algebras; A, A', …
- Behavioral equivalence on A: a ≡ a'
  - Identity on visible carriers
  - a ≡_h a' iff A_ξ(a) = A_ξ(a') for any Γ-experiment ξ

### Circular Coinduction in a Nutshell

- "Derive" the original proof goal until it ends up in circles
  - Modulo substitutions, "special" contexts and equational reasoning
- All possibilities to distinguish the two are exhaustively explored
- Moreover, all the behavioral equalities on the proof graph are true: lemma discovery!

(Diagram: a proof graph whose root goal ☺ = ☼ is derived through operations m1, m2 into subgoals such as ♣ = ► and ▲ = ♥, until visible results agree (5 = 5, 9 = 9, 0 = 0) or a goal already on the graph reappears.)

### Behavioral Specification of LTL

B = (V, H, Γ, Σ, E) where

- V contains State and Bool
- H contains LTL
- Σ contains true, false, _∧_, _∨_, _U_, _○_, _□_, _◊_
- E contains all equations defined before
- Γ contains
  - GB : LTL → {0, 1, ?}
  - _{_} : LTL × State → LTL

Theorem: B behaviorally satisfies F = F' iff F ≡_GB F'.

### Circular Coinduction as a Decision Procedure

Theorem: Circular Coinduction is a decision procedure for LTL good-bad prefix equivalence.

Moreover, all the equivalences in the proof graph below are true! Example: □(p ∨ q) ≡_GB □(p U q).

Proof graph, one edge per experiment (GB, and _{s} for each state s):

- Goal 1: □(p ∨ q) = □(p U q)
  - GB: ? = ?
  - _{∅}: false = false
  - _{q} and _{p,q}: □(p ∨ q) = □(p U q), which is Goal 1 again (circle closed)
  - _{p}: □(p ∨ q) = (p U q) ∧ □(p U q), a new goal
- Goal 2: □(p ∨ q) = (p U q) ∧ □(p U q)
  - GB: ? = ?
  - _{∅}: false = false
  - _{q} and _{p,q}: □(p ∨ q) = □(p U q), which is Goal 1 (circle closed)
  - _{p}: □(p ∨ q) = (p U q) ∧ □(p U q) after collapsing (p U q) ∧ (p U q) to (p U q), which is Goal 2 again (circle closed)

### Generating Minimal DFAs (GB-Automaton) for LTL

- Maintain a set C of pairs of good-bad prefix equivalent LTL formulae
- Check each new LTL formula for good-bad prefix equivalence with the LTL formulae already in the DFA
  - First in C
  - Then by CC (circular coinduction)
- If an equivalent LTL formula is found, then add the new circularities to C

(Diagram: automaton states F, F', F'' with transitions on events s and s'; when F{s} is derived, the check asks whether it is equivalent to an existing state such as F'{s}.)

### Complexity

- The size of the GB-automaton accepting good and bad prefixes of an LTL formula of size m is
  - O(2^(2^m))
  - Ω(2^(2^√m))
- Space and time requirement of the algorithm is 2^O(m)

### Implementation

- BOBJ cannot be used because it does not return the set of circularities
- Can be implemented as a specialized circular coinduction algorithm in Maude
- Implementation of the algorithm adapted to EREs available online at http://fsl.cs.uiuc.edu/rv/

### Conclusion and Future Work

- Behavioral specification of LTL
  - Two LTL formulae are monitoring equivalent iff they are indistinguishable under the chosen experiments
- Optimal monitors are generated by coinduction in a single go.
- To be part of NASA Ames's Java PathExplorer (JPaX) tool.
- Replace edges from a state by Binary Decision Diagrams.
- Future work to apply coinductive techniques to generate monitors for other logics
  - such as NASA Ames Eagle