temporal logic in javamop - runtime-verification.org · succinctly •where translation to automata...
TRANSCRIPT
temporal logicin JavaMOP
CS 119includes slidesby Grigore Rosu
propositional logic extended withtemporal operators referring to past and future
2
3
past time properties
nowpast future
AB
• If A happens now B must have happened
¤(A ! ¨B)
4
future time properties
nowpast future
A B
• If A happens now B must happen
¤(A ! § B)
5
ERE LTL ptLTL ptCaRetlogic plugins
…
…JavaMOP
BusMOP
MOP CFG
lang
uage
s
Instances of MOP
MOP
JavaMOP BusMOP HardwareMOP …
today
6
http://fsl.cs.uiuc.edu/index.php/Special:PTLTLPlugin
7
http://fsl.cs.uiuc.edu/index.php/Special:FTLTLPlugin
8
Chomsky’slanguage hierarchy
http://en.wikipedia.org/wiki/Chomsky_hierarchy
9
temporal logic for finite traces:subset of regular languages
regular
temporal
p is even in every other state
even /\ always(even implies (next next even))
does not work
even
true
1 2
10
advantages of temporal logic
• some properties can be stated moresuccinctly
• where translation to automata will result instate explosion
• it will of course be a debate at a practicalengineering level what notation is mostsuitable in practice
• everybody understand state machines rightaway and temporal properties can be hard towrite and read for complex scenarios
past time and future timetemporal logic
semantics and algorithms
12
PathExplorer - overview
Runningprogram
socket
EventsObserver
13
Specification BasedMonitoring
PathExplorerthe observer
Dispatcher
datarace
deadlock
temporal
paxmodules m odule datarace = ‘java pax.Datarace’; m odule deadlock = ‘java pax.Deadlock’; m odule temporal = ‘java pax.Temporal spec’;end
Eventstream
warning
…
warning
…
warning
…
…
future time
semantics and algorithm
15
getting the events (Java)
program
Java Virtual Machine
bytecode
compile
instrument
execute
instrumentedbytecode
g reen yellow red g reen …
class Light{ void goRed(){ color = 1; } …
predicate red = (Light.color == 1);predicate yellow = (Light.color == 2);predicate green = (Light.color == 3);
Instrumentation Script
property p = [](green -> !red U yellow);
Specification
16
monitoring Future Time LTLSyntax – Propositional Calculus plus
o F (next) F (always) F (eventually) F U F’ (until)
Executable Semantics – Rewriting_{_} : Formula x Event -> Formula (“consume” event e)F{e} formula that should hold after processing e
p{e} is the atomic predicate p true on e ? (F op F’){e} F{e} op F’{e} (o F){e} F ( F){e} F{e} ∧ ( F) ( F){e} F{e} ∨ ( F) (F U F’){e} F’{e} ∨ (F{e} ∧ (F U F’))
17
Future Time LTL - example
(green → ¬red U yellow)Formula:
Event stream: red yellow green yellow green red …
{red}
(green → ¬red U yellow){red} ∧ (green → ¬red U yellow)
(green{red} → (yellow{red} ∨ ¬red{red} ∧ ¬red U yellow)) ∧ …*
(false → (false ∨ false ∧ ¬red U yellow)) ∧ …*
*true ∧ (green → ¬red U yellow)
(green → ¬red U yellow)
Event red has been consumed!
X
{yellow}*
(green → ¬red U yellow)
X
{green}
X
*((¬red U yellow) ∧ (green → ¬red U yellow)){yellow}
X
*(green → ¬red U yellow) {green}
X
*((¬red U yellow) ∧ (green → ¬red U yellow)){red}
(yellow{red} ∨ ¬red{red} ∧ ¬red U yellow) ∧ …*
*
false ∧ … *
false
X
Formula was violated!
18
timed temporal logic
• Add real time (RTL, MiTL, timed automata,etc.) 5(start → stop)
t-δt( F){e:δ} (δ≤t) ∧ (F{e:δ} ∨ F)
19
performance• Implemented the algorithm above in PaX
– Maude as rewriting engine• 15 lines of obviously correct code!
• Monitored 100 million events on 1.7GHz PC– 185 seconds, 220 million rewrites– Faster than modified Büchi automaton in Java
(1,500 lines of code)• Is this 1,500 LOC Java program correct?
• I/O + buffering take longer than rewriting …
20
generating FSM observers• There are applications where
– Little monitoring overhead is allowed (real time)– Few resources available for monitoring
• Challenge: efficient and simple monitors!• Finite State Machine observers can be built
from formulae before monitoring– Lower runtime overhead
• No inferences needed• Only some atomic predicates need to be evaluated
– Higher start time overhead
21
building a minimal BTT_FSM
• Idea– Do the rewrites for all possible values of predicates– Get a finite state machine
• Nodes are LTL formulae• Optimize using a validity checker (F ↔ F’ : one state)• Edges are propositions• Assign numbers to states• Replace edges by Binary Transition Trees
22
Binary Transition Tree FSM• We can build minimal FSMs statically for LTL
• Suitable for monitoring. New concept?
Formula (green → ¬red U yellow)
State 1 2
BTT yellow ? 1 : green ? (red ? false : 2) : 1 yellow ? 1 : (red ? false : 2)
yellow
green
red
1
1
false 2
Y
Y
Y
N
N
N
yellow
red1
false 2
Y
Y
N
N
past time
semantics and algorithm
24
monitoring safety• Example:
or formally
where (MAC)↑F means start F,
↓F means end F,
[F,F’) means F butnot F’ since then
Safe LandingLand the space craft only after approval from groundand only if, since then, the radio signal has not been lost
↑Landing → [Approved, ↓Radio)
25
past time operatorsBasic – Propositional Calculus plus F (prev.) F S F’ (since) F (always) F (eventually) in past
Special – Suitable for monitoring (MaC)– ↑F - start of F– ↓F - end of F– [F,F’) - F butnot F’
Theorem: ↑,↓,[_,_) and ,_S_ defined in terms of each other!– F = (F →¬↑F) ∧ (¬F → ↓F), [F,F’) = (¬F’) S F, ↑F = F ∧ ¬F
FF’
↑F ↓F[ )x x
[↓F,F’)
Safety property: F, where F is a past time LTL formula
26
semantics
• standard semantics
• recursive Semantics
e1 e2 … en-1 en = [F,F’) iff there is 1 ≤ i ≤ n such that e1 e2 … ei = F and for all i ≤ j ≤ n, e1 e2 … ej = F’
t e = [F,F’) iff t e = F’ and ( t e = F or t = [F,F’) )
/
||
|
|| | |/
27
http://en.wikipedia.org/wiki/Dynamic_programming
28
Step 1
Label nodes in BFS order0
1 2
3 4 5
6
dynamic programming algorithm
→
↑ [_,_)
↓Landing Approved
Radio
Formula: ↑Landing → [Approved, ↓Radio)
Trace: e1 e2 … en-1 en Step 2: Dynamic progr. alg. Memory m[0..6, 1..n]for i=1..n {process(ei) m[6,i] = holds(Radio) m[5,i] = m[6,i-1] and not m[6,i] m[4,i] = holds(Approved) m[3,i] = holds(Landing) m[2,i] = not m[5,i] and (m[4,i] or m[2,i-1]) m[1,i] = m[3,i] and not m[3,i-1] m[0,i] = not m[1,i] or m[2,i] if m[0,i] == 0 then “Error”}
Step 3: Optimization Memory now[0..6], prev[0..6]for i=1..n {process(ei) now[6] = holds(Radio) now[5] = prev[6] and not now[6] now[4] = holds(Approved) now[3] = holds(Landing) now[2] = not now[5] and (now[4] or prev[2]) now[1] = now[3] and not prev[3] now[0] = not now[1] or now[2] if now[0] == 0 then “Error” prev = now}
Step 4: Further Optimization Global bits b1, b2, b3
Temporary bits t1, t2, t3
t1 = holds(Radio) t2 = holds(Landing) t3 = (not b1 or t1) and (holds(Approved) or b3) if (t2 and not (b2 or t3)) then “error” (b1,b2,b3) = (t1,t2,t3)
Time: ≤ 6 CPU clocks!b1
b2
b3
future time versus past time
30
liveness vs. safety• Monitoring liveness properties ...
... keep statistical information for eventualities?• Focus on safety
– Often easier to express using past time LTL
F, where F is a past time LTL formula
– F equivalent to “monitor F”
Formula: ϕ = (F → F’)Trace F F’ F F’ F F’ ... F F’ F ⊥ violates ϕTrace F F F F F F ... F F’ ⊥ does not violate ϕ
<>F can never be violated in JavaMOP
past time
In JavaMOP
32
syntax
33
properties of Java library APIs
R1: There should be no two calls to next() without a call to hasNext() in between, on the same iterator.
34
class Test { public static void main(String[] args) { Vector<Integer> v1 = new Vector(); Vector<Integer> v2 = new Vector(); v1.add(1); v1.add(3); v2.add(5); v2.add(7); Iterator it1 = v1.iterator(); Iterator it2 = v2.iterator(); int sum = 0; if(it2.hasNext()) sum += (Integer)it2.next(); if(it1.hasNext()) sum += (Integer)it2.next(); System.out.println(”sum(v2) = " + sum); }}
should have been:if(it2.hasNext())
our hasNext example again
unguarded call:it2.next()
)
35
recall the regular expression specification
partial, matchingagainst suffix trace
/*@partial centralizedscope = globallogic = ERE
HasNext(Iterator i){ event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next())); formula : next next}
validation handler{ System.err.println("*** call hasNext() before next()");}
@*/
validation (not violation)
36
PTLTL Property in JavaMOP
package ltl.hasnext;import java.util.*;
/*@centralizedscope = globallogic = PTLTL
HasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next()));
formula : next /\ (*)next}
validation handler { System.err.println("*** call hasNext() before next()");}@*/
it does not looktoo different inthis particularcase, but PTLTLobviously does not show moresuccinct here.
partial matchingdoes not make sense in PTLTL.
Warning:PTLTL and validationdoes not currentlywork in JavaMOP.Likely a bug.
37
PTLTL Property in JavaMOP
package ltl.hasnext;import java.util.*;
/*@centralizedscope = globallogic = PTLTL
HasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next()));
formula : !(next /\ (*)next)}
violation handler { System.err.println("*** call hasNext() before next()");}@*/
less attractivebut simularityto regular expcan still benoticed.
partial matchingdoes not make sense in PTLTL.
In PTLTL:
validation = not violation
38
(hasNext hasNext* next)* which was slightly too strong,but let’stry to emulate it
i) total trace semanticsii)looking for violation
recall this other regular expression
39
PTLTL Property in JavaMOP - attempt 1
package ltl.hasnext;import java.util.*;
/*@centralizedscope = globallogic = PTLTLHasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next()));
formula : next -> <*>hasnext}
violation handler{ System.err.println("*** call hasNext() before next()");}@*/
no longer partial
not correct, willallow for example:it.hasNext(); it.next(); it.next()
40
package ltl.hasnext;import java.util.*;
/*@centralizedscope = globallogic = PTLTLHasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next()));
formula : next -> (*)(!next Ss hasnext)}
violation handler{ System.err.println("*** call hasNext() before next()");}@*/
PTLTL Property in JavaMOP - attempt 2
correct, will not allow:it.hasNext(); it.next(); it.next()
formula: next -> (*)[hasnext,next)s
41
properties of Java library APIs
R2: An enumeration should not be propagated after the underlying vector has been changed.
42
Vector v1 = new Vector();Vector v2 = new Vector();v1.add(1); v1.add(2); v2.add(4); v2.add(5);Enumeration e1 = v1.elements();Enumeration e2 = v1.elements();Enumeration e3 = v2.elements();while(e1.hasMoreElements())print(e1.nextElement());v1.add(99);while(e2.hasMoreElements())print(e2.nextElement());while(e3.hasMoreElements())print(e3.nextElement());
many vectors and enumerators
v1 v2
e1 e2 e3
create(v,e)next(e)updatesource(v)
events:
add
next
43
/*@partial centralizedscope = globallogic = ERESafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ end(call(* v.clear())) \/ end(call(* v.insertElementAt(..))) && \/ end(call(* v.remove*(..))) \/ end(call(* v.retainAll(..))) \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement()));
formula : create next* updatesource updatesource* next}
validation handler { System.out.println("datasource changed during iteration!");}@*/
recall ERE specification
44
PTLTL Property in JavaMOP - using ‘Ss’
/*@ centralizedscope = globallogic = PTLTL
SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ … \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement()));
formula : next -> !(<*>(updatesource /\ <*>create))}
violation handler { System.out.println("the datasource is changed during iteration!");}@*/
45
PTLTL Property in JavaMOP - using ‘[_,_)s’
/*@ centralizedscope = globallogic = PTLTL
SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ … \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement()));
formula : next -> [create,updatesource)s}
violation handler { System.out.println("the datasource is changed during iteration!");}@*/
future time
In JavaMOP
47
syntax
48
back to this one, now referring to future
R2: An enumeration should not be propagated after the underlying vector has been changed.
49
Vector v1 = new Vector();Vector v2 = new Vector();v1.add(1); v1.add(2); v2.add(4); v2.add(5);Enumeration e1 = v1.elements();Enumeration e2 = v1.elements();Enumeration e3 = v2.elements();while(e1.hasMoreElements())print(e1.nextElement());v1.add(99);while(e2.hasMoreElements())print(e2.nextElement());while(e3.hasMoreElements())print(e3.nextElement());
many vectors and enumerators
v1 v2
e1 e2 e3
create(v,e)next(e)updatesource(v)
events:
add
next
50
/*@ centralizedscope = globallogic = PTLTL
SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ … \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement()));
formula : next -> [create,updatesource)s}
violation handler { System.out.println("the datasource is changed during iteration!");}@*/
recall past time formulation
51
/*@ centralizedscope = globallogic = FTLTL
SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ end(call(* v.clear())) \/ end(call(* v.insertElementAt(..))) \/ end(call(* v.remove*(..))) \/ end(call(* v.retainAll(..))) \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement()));
formula : [](create -> o [](updatesource -> [](!next)))}
violation handler { System.out.println("the datasource is changed during iteration!");}@*/
FTLTL specification
52
end