Temporal logic in JavaMOP (includes slides from CS 119 by Grigore Rosu)
Propositional logic extended with temporal operators referring to the past and the future.

past time properties
• If A happens now, B must have happened: □(A → ⟐B), where ⟐B reads "B at some point in the past"
[timeline figure: B somewhere in the past, A at "now"]

future time properties
• If A happens now, B must happen: □(A → ◇B), where ◇B reads "B at some point in the future"
[timeline figure: A at "now", B somewhere in the future]

Instances of MOP
[diagram: the MOP framework with its instances (JavaMOP, BusMOP, HardwareMOP, …) and its logic plugins (CFG, ptLTL, ptCaRet, ERE, LTL, …); today: JavaMOP]
ptLTL plugin: http://fsl.cs.uiuc.edu/index.php/Special:PTLTLPlugin
ftLTL plugin: http://fsl.cs.uiuc.edu/index.php/Special:FTLTLPlugin
Chomsky's language hierarchy: http://en.wikipedia.org/wiki/Chomsky_hierarchy

temporal logic for finite traces: a subset of the regular languages
• Example: "p is even in every other state"
  – regular: a two-state automaton alternating 1 → 2 → 1 → …, state 1 labelled even, state 2 labelled true [automaton figure]
  – temporal: even ∧ always(even implies (next next even)) does not work (a value that happens to be even in one of the unconstrained states would also trigger the obligation two steps later)

advantages of temporal logic
• some properties can be stated more succinctly
• where translation to automata would result in state explosion
• it will of course be a debate at a practical engineering level which notation is most suitable in practice
• everybody understands state machines right away, and temporal properties can be hard to write and read for complex scenarios
past time and future time temporal logic semantics and algorithms
PathExplorer - overview
[diagram: the running program sends events over a socket to the observer]

PathExplorer: the observer
The observer is configured by a module specification:
  modules
    module datarace = 'java pax.Datarace';
    module deadlock = 'java pax.Deadlock';
    module temporal = 'java pax.Temporal spec';
  end
[diagram: the event stream enters a dispatcher that feeds the datarace, deadlock and temporal (specification based monitoring) modules, each of which emits warnings]
future time semantics and algorithm
getting the events (Java)
Instrumentation script: the program class plus the predicates and the property to monitor
  class Light {
    void goRed() {
      color = 1;
    }
    ...
  }
  predicate red    = (Light.color == 1);
  predicate yellow = (Light.color == 2);
  predicate green  = (Light.color == 3);
  property p = [](green -> !red U yellow);
[diagram: program → compile → bytecode → instrument (using the specification) → instrumented bytecode → execute on the Java Virtual Machine → event stream green, yellow, red, green, …]

monitoring Future Time LTL
Syntax – Propositional Calculus plus
  ○F (next), □F (always), ◇F (eventually), F U F' (until)
Executable Semantics – Rewriting
  _{_} : Formula × Event → Formula ("consume" event e)
  F{e} is the formula that should hold after processing e
  p{e}         = is the atomic predicate p true on e?
  (F op F'){e} = F{e} op F'{e}
  (○F){e}      = F
  (□F){e}      = F{e} ∧ □F
  (◇F){e}      = F{e} ∨ ◇F
  (F U F'){e}  = F'{e} ∨ (F{e} ∧ (F U F'))

Future Time LTL - example
Event stream: red yellow green yellow green red …
Formula: □(green → ¬red U yellow)
  {red}:    (green → ¬red U yellow){red} ∧ □(green → ¬red U yellow)
            = (green{red} → (yellow{red} ∨ (¬red{red} ∧ ¬red U yellow))) ∧ …
            = (false → (false ∨ (false ∧ ¬red U yellow))) ∧ …
            = true ∧ □(green → ¬red U yellow)
  {yellow}: □(green → ¬red U yellow)  (likewise, since green{yellow} is false)
  {green}:  (green → ¬red U yellow){green} ∧ □(green → ¬red U yellow)
            = (¬red U yellow) ∧ □(green → ¬red U yellow)
  {yellow}: (¬red U yellow){yellow} ∧ … = true ∧ … = □(green → ¬red U yellow)
  {green}:  (¬red U yellow) ∧ □(green → ¬red U yellow)
  {red}:    (yellow{red} ∨ (¬red{red} ∧ ¬red U yellow)) ∧ … = false ∧ … = false
Event red has been consumed! Formula was violated!
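The rewriting semantics of the two slides above, as an added example (not code from the slides or from PathExplorer/JavaMOP): a small Python monitor that consumes events with the rules F{e} and runs them on the traffic-light property and the event stream of the example. Formula encoding and event representation are this example's own assumptions.

```python
# Added example (not from the slides): the rewriting-based future-time LTL
# monitor of the slide above, run on the traffic-light property and stream.
# A formula is a nested tuple; an event is the set of atoms that hold on it.
TRUE, FALSE = ("true",), ("false",)

def simp(f):  # fold constants so a violated formula collapses to FALSE
    op, a = f[0], f[1:]
    if op == "not":
        return FALSE if a[0] == TRUE else TRUE if a[0] == FALSE else f
    if op == "and":
        if FALSE in a: return FALSE
        return a[1] if a[0] == TRUE else a[0] if a[1] == TRUE else f
    if op == "or":
        if TRUE in a: return TRUE
        return a[1] if a[0] == FALSE else a[0] if a[1] == FALSE else f
    if op == "imp":
        if a[0] == FALSE or a[1] == TRUE: return TRUE
        return a[1] if a[0] == TRUE else f
    return f

def consume(f, e):  # F{e}: the formula that must hold after processing e
    op = f[0]
    if op in ("true", "false"):
        return f
    if op == "p":                   # atomic predicate: is p true on e?
        return TRUE if f[1] in e else FALSE
    if op == "not":
        return simp(("not", consume(f[1], e)))
    if op in ("and", "or", "imp"):  # (F op F'){e} = F{e} op F'{e}
        return simp((op, consume(f[1], e), consume(f[2], e)))
    if op == "next":                # (oF){e} = F
        return f[1]
    if op == "always":              # ([]F){e} = F{e} /\ []F
        return simp(("and", consume(f[1], e), f))
    if op == "eventually":          # (<>F){e} = F{e} \/ <>F
        return simp(("or", consume(f[1], e), f))
    if op == "until":               # (F U F'){e} = F'{e} \/ (F{e} /\ F U F')
        return simp(("or", consume(f[2], e), simp(("and", consume(f[1], e), f))))
    raise ValueError(f"unknown operator {op}")

def monitor(f, events):  # index of the event whose consumption yields false, else None
    for i, e in enumerate(events):
        f = consume(f, e)
        if f == FALSE:
            return i
    return None

# [](green -> !red U yellow) and the stream red yellow green yellow green red
PROP = ("always", ("imp", ("p", "green"),
                   ("until", ("not", ("p", "red")), ("p", "yellow"))))
STREAM = [{"red"}, {"yellow"}, {"green"}, {"yellow"}, {"green"}, {"red"}]
```

monitor(PROP, STREAM) returns 5: the second red, consumed right after a green, is the event on which the formula becomes false, exactly as on the slide.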
timed temporal logic
• Add real time (RTL, MiTL, timed automata, etc.), e.g. □(start → ◇_5 stop)
• Rewriting rule for a time-bounded eventuality, where δ is the time elapsed when event e arrives:
  (◇_t F){e:δ} = (δ ≤ t) ∧ (F{e:δ} ∨ ◇_{t-δ} F)
performance
• Implemented the algorithm above in PaX – Maude as rewriting engine
• 15 lines of obviously correct code!
• Monitored 100 million events on a 1.7GHz PC
  – 185 seconds, 220 million rewrites
  – Faster than a modified Büchi automaton in Java (1,500 lines of code)
• Is this 1,500 LOC Java program correct?
• I/O + buffering take longer than rewriting …

generating FSM observers
• There are applications where
  – little monitoring overhead is allowed (real time)
  – few resources are available for monitoring
• Challenge: efficient and simple monitors!
• Finite State Machine observers can be built from formulae before monitoring
  – Lower runtime overhead
    • No inferences needed
    • Only some atomic predicates need to be evaluated
  – Higher start time overhead

building a minimal BTT-FSM
• Idea
  – Do the rewrites for all possible values of the predicates
  – Get a finite state machine
    • Nodes are LTL formulae
    • Optimize using a validity checker (F ↔ F' : one state)
    • Edges are propositions
  – Assign numbers to states
  – Replace edges by Binary Transition Trees

Binary Transition Tree FSM
• We can build minimal FSMs statically for LTL
  Formula: □(green → ¬red U yellow)
  State  BTT
  1      yellow ? 1 : green ? (red ? false : 2) : 1
  2      yellow ? 1 : (red ? false : 2)
  [figure: the two BTTs drawn as decision trees with Y/N branches on yellow, green and red, leaves 1, 2 and false]
• Suitable for monitoring. New concept?
past time semantics and algorithm
monitoring safety
• Example: Safe Landing
  Land the space craft only after approval from ground and only if, since then, the radio signal has not been lost
  or formally: ↑Landing → [Approved, ↓Radio)
  where (MaC notation) ↑F means "start F", ↓F means "end F", and [F, F') means "F butnot F' since then"

past time operators
Basic – Propositional Calculus plus
  ⊙F (previous), F S F' (since), ⊡F (always in the past), ⟐F (eventually in the past)
Special – Suitable for monitoring (MaC)
  – ↑F – start of F
  – ↓F – end of F
  – [F, F') – F butnot F'
  [timeline figure: ↑F, ↓F and the interval [↓F, F')]
Theorem: ↑, ↓, [_,_) and ⊙, _ S _ are defined in terms of each other!
  – ⊙F = (F → ¬↑F) ∧ (¬F → ↓F)
  – [F, F') = (¬F') S F
  – ↑F = F ∧ ¬⊙F
Safety property: □F, where F is a past time LTL formula

semantics
• standard semantics
  e1 e2 … en ⊨ [F, F') iff there is 1 ≤ i ≤ n such that e1 e2 … ei ⊨ F and for all i ≤ j ≤ n, e1 e2 … ej ⊭ F'
• recursive semantics
  t e ⊨ [F, F') iff t e ⊭ F' and (t e ⊨ F or t ⊨ [F, F'))
Dynamic programming: http://en.wikipedia.org/wiki/Dynamic_programming
dynamic programming algorithm
Formula: ↑Landing → [Approved, ↓Radio)
Trace: e1 e2 … en-1 en
Step 1: Label the nodes of the formula tree in BFS order
  0: →   1: ↑   2: [_,_)   3: Landing   4: Approved   5: ↓   6: Radio
Step 2: Dynamic programming algorithm, memory m[0..6, 1..n]
  for i = 1..n {  // process e_i
    m[6,i] = holds(Radio)
    m[5,i] = m[6,i-1] and not m[6,i]
    m[4,i] = holds(Approved)
    m[3,i] = holds(Landing)
    m[2,i] = not m[5,i] and (m[4,i] or m[2,i-1])
    m[1,i] = m[3,i] and not m[3,i-1]
    m[0,i] = not m[1,i] or m[2,i]
    if m[0,i] == 0 then "Error"
  }
Step 3: Optimization, memory now[0..6], prev[0..6]
  for i = 1..n {  // process e_i
    now[6] = holds(Radio)
    now[5] = prev[6] and not now[6]
    now[4] = holds(Approved)
    now[3] = holds(Landing)
    now[2] = not now[5] and (now[4] or prev[2])
    now[1] = now[3] and not prev[3]
    now[0] = not now[1] or now[2]
    if now[0] == 0 then "Error"
    prev = now
  }
Step 4: Further optimization, global bits b1, b2, b3 and temporary bits t1, t2, t3
  for i = 1..n {  // process e_i
    t1 = holds(Radio)
    t2 = holds(Landing)
    t3 = (not b1 or t1) and (holds(Approved) or b3)
    if (t2 and not (b2 or t3)) then "error"
    (b1, b2, b3) = (t1, t2, t3)
  }
  Time: ≤ 6 CPU clocks!
future time versus past time
liveness vs. safety
• Monitoring liveness properties ... Formula: φ = □(F → ◇F')
  Trace F F' F F' F F' ... F F' F ⊥ violates φ
  Trace F F F F F F ... F F' ⊥ does not violate φ
  ... keep statistical information for eventualities?
• Focus on safety: ◇F can never be violated in JavaMOP
  – Often easier to express using past time LTL: □F, where F is a past time LTL formula
  – □F equivalent to "monitor F"
past time in JavaMOP

syntax

properties of Java library APIs
R1: There should be no two calls to next() without a call to hasNext() in between, on the same iterator.

our hasNext example again
  import java.util.Iterator;
  import java.util.Vector;

  class Test {
    public static void main(String[] args) {
      Vector<Integer> v1 = new Vector();
      Vector<Integer> v2 = new Vector();
      v1.add(1); v1.add(3);
      v2.add(5); v2.add(7);
      Iterator it1 = v1.iterator();
      Iterator it2 = v2.iterator();
      int sum = 0;
      if (it2.hasNext()) sum += (Integer) it2.next();
      if (it1.hasNext()) sum += (Integer) it2.next();   // should have been: if (it2.hasNext())
      System.out.println("sum(v2) = " + sum);
    }
  }
unguarded call: the second it2.next(), whose guard checks it1 instead of it2
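A monitor for R1 over the call sequence of the Test class above, as an added example (not JavaMOP's generated code): each iterator gets its own copy of a two-state machine, keyed by the iterator's identity, which is what lets the check catch the second it2.next() even though an unrelated it1.hasNext() occurred in between. The call-sequence representation is this example's assumption.

```python
# Added example (not from JavaMOP or the slides): a per-iterator monitor for R1,
# run over the call sequence of main() above.
from collections import defaultdict

# States: "ok" = a next() is currently allowed; "after_next" = the last call on
# this iterator was next(), so another next() without hasNext() violates R1.
def step(state, method):
    if method == "hasNext":
        return "ok", False
    if method == "next":
        return "after_next", state == "after_next"
    raise ValueError(f"unexpected method {method}")

def monitor_calls(calls):
    """calls: list of (iterator id, method). Returns indices of violating calls."""
    states = defaultdict(lambda: "ok")    # a fresh iterator has seen no next() yet
    violations = []
    for i, (it, method) in enumerate(calls):
        states[it], bad = step(states[it], method)
        if bad:
            violations.append(i)
    return violations

# Constructed from main() above: it2.hasNext(), it2.next(), it1.hasNext(), it2.next()
CALLS = [("it2", "hasNext"), ("it2", "next"), ("it1", "hasNext"), ("it2", "next")]

if __name__ == "__main__":
    print(monitor_calls(CALLS))   # [3]: the second it2.next() is unguarded
```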