Trace Diagnostics using Temporal Implicants (ATVA'15)
Thomas Ferrère¹, Oded Maler¹, Dejan Nickovic²
¹ VERIMAG, University of Grenoble / CNRS
² Austrian Institute of Technology
October 14, 2015
Motivation
◮ Practical question: understand why a simulation / formal verification violates an MTL / LTL property.
◮ Problem: a long simulation / counter-example trace over a large (product) alphabet.
◮ Solution: isolate the segments of the trace that are sufficient to cause the violation.
Example. Diagnostics of the violation of □(p → ♦_{[1,2]} q) on a sample trace.
[Figure: signals p and q over the time axis 0..5]
Implicant: p[1] ∧ ⋀_{t ∈ [2,3]} ¬q[t].
Outline
◮ Problem Formulation
◮ Dense-time Issues
◮ MTL Diagnostics
Part 1: Problem Formulation
Diagnostics
Problem (Diagnostics). Given a specification ϕ and a behavior w with w |= ϕ, find a small implicant θ of ϕ with w |= θ.
Applications
◮ Monitoring: find a small subset of a finite-variability, bounded counter-example of some MTL property.
◮ Model-checking: find a small subset of an ultimately-periodic counter-example of some LTL property.
Implicants
◮ Propositional case
Example. ϕ = (p ∧ q) ∨ (p ∧ ¬q) ∨ ¬r, w = {p ↦ 1, q ↦ 1, r ↦ 0}.
The formula θ = p is a minimal diagnostic of ϕ relative to w. Semantically: any valuation that contains p ↦ 1 satisfies ϕ.
Proposition. For every ϕ, w such that w |= ϕ there exists a minimal diagnostic: a prime implicant θ such that w |= θ.
◮ Temporal case
  ◮ syntactic representation of implicants?
  ◮ infinite valuation domain: are there prime temporal implicants?
Temporal Logic
Signals
◮ A function w : (T × P) → {0,1} with time domain T = [0, d] and P a finite set of propositions.
◮ Projection w_p : T → {0,1} of the signal w onto the variable p, and likewise the satisfaction signal w_ϕ : T → {0,1} for any formula ϕ.
Metric Temporal Logic
◮ syntax: ϕ := p | ¬ϕ | ϕ1 ∨ ϕ2 | ♦_I ϕ | ϕ1 U ϕ2
◮ semantics:
  (w,t) |= ♦_I ϕ iff ∃t′ ∈ t ⊕ I, (w,t′) |= ϕ
  (w,t) |= ϕ U ψ iff ∃t′ > t, (w,t′) |= ψ and ∀ t < t″ < t′, (w,t″) |= ϕ
◮ derived operators: □_I ϕ ≡ ¬♦_I ¬ϕ, ϕ R ψ ≡ ¬(¬ϕ U ¬ψ)
◮ models: w |= ϕ iff (w,0) |= ϕ
Partial signals and refinements
Definition
◮ sub-signal: a partial function from T × P to {0,1}
◮ refinement relation: for sub-signals u, v, u ⊑ v iff u⁻¹ ⊆ v⁻¹ (u⁻¹ being the set of points where u is defined) and u_p[t] = v_p[t] wherever u is defined.
Proposition. The relation ⊑ defines a semi-lattice, with a meet operation ⊓ such that (u ⊓ v)⁻¹ ⊆ u⁻¹ ∩ v⁻¹, and minimal element ⊥ : ∅ → {0,1}.
Diagnostics (semantic reformulation)
Definition. A sub-signal v is a sub-model of ϕ iff w |= ϕ for all signals w ⊒ v.
Reformulation
◮ prime implicants of ϕ ∼ minimal sub-models of ϕ
◮ diagnostics of ϕ with respect to w ∼ a sub-model v of ϕ such that v ⊑ w
Part 2: Dense-time Issues
Unbounded variability sub-models
Example. ϕ := □(p ∨ q) has minimal sub-models I × {p} ↦ 1, J × {q} ↦ 1 for an arbitrary partition I, J of T.
[Figure: signal w over p, q and three of its minimal sub-models v1, v2, v3]
No minimal sub-model
Example. ϕ = p U ⊤ has sub-models (0, t) × {p} ↦ 1 for arbitrary t > 0.
[Figure: signal w over p and a sequence of sub-models v1, v2, v3, ... with no minimum]
Temporal terms
◮ Syntax: θ := p[t] | ¬p[t] | θ1 ∧ θ2 | ⋀_{t ∈ T} Θ[t], where T is a subset of the time domain and Θ is a function from time to terms.
◮ Semantics: w |= ⋀_{t ∈ T} Θ[t] ↔ ∀t ∈ T, w |= Θ[t]
Example. The temporal term ⋀_{t ∈ [0,1]} ¬p[t] represents the sub-signal [0,1] × {p} ↦ 0.
Solving dense-time issues
Bounded variability
Definition. Normal form terms: ⋀_{i=1}^{m} ⋀_{t ∈ T_i} ℓ_i[t] with T_i intervals and ℓ_i literals.
Bounded variability terms can be put in normal form.
Minimality
◮ introduce non-standard reals t⁺, t⁻ for all t in the time domain, with t⁻ < t < t⁺
◮ terms over the extended time domain.
Existence of prime implicants
Theorem. Any satisfiable property ϕ admits prime implicants.
Proof.
◮ Zorn's Lemma: show that any chain of implicants θ0 ⇒ θ1 ⇒ θ2 ⇒ ... of ϕ has a maximum.
◮ Take θ* ≡ ⋀_{i ≥ 0} θ_i and show that θ* ⇒ ϕ.
◮ Given w |= θ*, there exists n such that w |= θ_n:
  ◮ if not, there exist a literal ℓ and times (t_i) such that θ_i ⇒ ℓ[t_i] and w_ℓ[t_i] = 0
  ◮ Bolzano–Weierstrass: we may assume (t_i) monotonic and converging to t*
  ◮ for arbitrary δ > 0 there exists i such that t_i is δ-close to t*
  ◮ w_ℓ[t*] = 1 and, by finite variability, ∃j, w_ℓ[t_j] = 1. Contradiction.
Part 3: MTL Diagnostics
MTL semantics (non-standard extension)
Definition. (w, t⁺) |= ϕ iff lim_{t′ → t⁺} w_ϕ[t′] = 1
Arithmetic on non-standard reals
◮ t ≪ t′ iff t < t′ or t = t′ ∉ ℝ.
◮ t + I: the closure of t ⊕ I in the non-standard reals.
Proposition
◮ (w,t) |= ♦_I ϕ iff ∃t′ ∈ t + I, (w,t′) |= ϕ
◮ (w,t) |= ϕ U ψ iff ∃t′ ≫ t, (w,t′) |= ψ and ∀ t ≪ t″ ≪ t′, (w,t″) |= ϕ
Selection functions
◮ Used to select a witness of a formula.
◮ A function ξ labeled by a formula, such that ξ_{ϕ∨ψ}[t] ∈ {ϕ, ψ}, ξ_{♦_I ψ}[t] ∈ t + I, and ξ_{ϕ U ψ}[t] ≫ t.
◮ A selection function ξ is correct when (w,t) |= ϕ implies
  ◮ disjunction: (w,t) |= ξ[t]
  ◮ eventually: (w, ξ[t]) |= ψ
  ◮ until: (w, ξ[t]) |= ψ and ∀ t ≪ t′ ≪ ξ[t], (w,t′) |= ϕ
◮ Bounded variability: ξ piecewise constant / linear with slope 1.
Generating implicants
The diagnostics of a formula ϕ:
  D(ϕ) = E(ϕ)[0] if (w,0) |= ϕ, and F(ϕ)[0] otherwise.
Dual explanation and falsification operators:
  E(p)[t] = p[t]
  F(p)[t] = ...
  E(¬ϕ)[t] = F(ϕ)[t]
  F(¬ϕ)[t] = ...
  E(ϕ ∨ ψ)[t] = E(ξ_{ϕ∨ψ}[t])[t]
  F(ϕ ∨ ψ)[t] = F(ϕ)[t] ∧ F(ψ)[t]
  E(♦_I ϕ)[t] = E(ϕ)[ξ_{♦_I ϕ}[t]]
  F(♦_I ϕ)[t] = ⋀_{t′ ∈ t + I} F(ϕ)[t′]
  E(ϕ U ψ)[t] = E(ψ)[ξ_{ϕ U ψ}[t]] ∧ ...
  F(ϕ U ψ)[t] = E(ϕ R ψ)[t]
Selection of eventually witnesses
[Figure: time axis with the domain left to cover, a witness s of ϕ inside t + I, and the region s − I accounted for by ♦_I ϕ]
Algorithm
◮ pick the latest witness s of ϕ in t + I, with t the start of the domain to cover
◮ the witness accounts for ♦_I ϕ throughout s − I
◮ remove s − I from the domain to cover
Selection of until witnesses
[Figure: time axis with the domain left to cover, the witness s = W(ϕ, ψ, t) of ψ, ϕ holding on [t, s), and the region accounted for by ϕ U ψ]
Algorithm
◮ pick the latest witness s of ψ such that ϕ holds throughout [t, s), with t the start of the domain to cover
◮ the witness accounts for ϕ U ψ throughout [t, s)
◮ remove [t, s) from the domain to cover
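The E / F rules of the "Generating implicants" slide together with the latest-witness selection of the two slides above, written out as an added example; this is not the authors' code and the slides give no implementation. It assumes a discrete-time simplification: integer time points 0..d on a finite trace, so the non-standard points t⁺, t⁻ and the closure t + I do not arise. Two choices are the example's own: the conjunction elided in E(ϕ U ψ) is completed as E(ϕ) at every point of (t, s), and F(ϕ U ψ) is computed directly from the first failure of ϕ rather than via E(ϕ R ψ). The trace is constructed to match the motivation slide's violation of □(p → ♦_{[1,2]} q), normal_form groups the resulting literals into the interval normal form of the "Solving dense-time issues" slide, and is_implicant brute-forces the semantic meaning of an implicant from the "Implicants" slide.

```python
"""Discrete-time rendering of the slides' E / F diagnostics operators with
witness selection, a normal-form grouping of the resulting literals and a
brute-force semantic check. Example code, not the authors' implementation."""
from itertools import product

# Formulas are tuples: ('p', name) | ('not', f) | ('or', f, g) |
# ('ev', lo, hi, f) = eventually within [t+lo, t+hi] | ('until', f, g) = f U g
# with strict semantics: witness at some s > t and f throughout (t, s).
def always(lo, hi, f): return ('not', ('ev', lo, hi, ('not', f)))  # box_I f
def implies(f, g): return ('or', ('not', f), g)                   # f -> g
def horizon(w): return len(next(iter(w.values()))) - 1             # last time d

def sat(w, f, t):
    """(w, t) |= f for a trace w: dict var -> list of 0/1 indexed by time."""
    d, kind = horizon(w), f[0]
    if kind == 'p':
        return w[f[1]][t] == 1
    if kind == 'not':
        return not sat(w, f[1], t)
    if kind == 'or':
        return sat(w, f[1], t) or sat(w, f[2], t)
    if kind == 'ev':
        _, lo, hi, g = f
        return any(sat(w, g, s) for s in range(t + lo, min(t + hi, d) + 1))
    _, g, h = f                   # 'until'
    return any(sat(w, h, s) and all(sat(w, g, u) for u in range(t + 1, s))
               for s in range(t + 1, d + 1))

def explain(w, f, t):
    """E(f)[t]: literals (var, time, value) of w forcing f at t; needs sat."""
    d, kind = horizon(w), f[0]
    if kind == 'p':
        return {(f[1], t, 1)}
    if kind == 'not':
        return falsify(w, f[1], t)
    if kind == 'or':              # selection: a disjunct w satisfies, left first
        return explain(w, f[1] if sat(w, f[1], t) else f[2], t)
    if kind == 'ev':              # selection: latest witness in t + I
        _, lo, hi, g = f
        s = max(s for s in range(t + lo, min(t + hi, d) + 1) if sat(w, g, s))
        return explain(w, g, s)
    _, g, h = f                   # selection: latest s with h at s, g on (t, s)
    s = max(s for s in range(t + 1, d + 1)
            if sat(w, h, s) and all(sat(w, g, u) for u in range(t + 1, s)))
    # the slide elides the rest of E(g U h); here it is E(g) on all of (t, s)
    return explain(w, h, s).union(*(explain(w, g, u) for u in range(t + 1, s)))

def falsify(w, f, t):
    """F(f)[t]: literals of w forcing f to fail at t; needs not sat."""
    d, kind = horizon(w), f[0]
    if kind == 'p':
        return {(f[1], t, 0)}
    if kind == 'not':
        return explain(w, f[1], t)
    if kind == 'or':
        return falsify(w, f[1], t) | falsify(w, f[2], t)
    if kind == 'ev':              # every point of t + I must refute g
        _, lo, hi, g = f
        pts = range(t + lo, min(t + hi, d) + 1)
        return set().union(*(falsify(w, g, s) for s in pts))
    _, g, h = f                   # h must fail at every s up to the first
    lits = set()                  # failure k of g; not g[k] blocks the rest
    for s in range(t + 1, d + 1):
        lits |= falsify(w, h, s)
        if not sat(w, g, s):
            return lits | falsify(w, g, s)
    return lits

def diagnose(w, f):
    """D(f): (verdict at time 0, implicant of that verdict as a literal set)."""
    holds = sat(w, f, 0)
    return holds, (explain if holds else falsify)(w, f, 0)

def normal_form(lits):
    """Group literals into (var, value, (first, last)) runs: the normal form
    AND_i AND_{t in T_i} l_i[t] with T_i maximal integer intervals."""
    runs = []
    for var, val, t in sorted((v, b, t) for v, t, b in lits):
        if runs and runs[-1][:2] == (var, val) and runs[-1][2][1] == t - 1:
            runs[-1] = (var, val, (runs[-1][2][0], t))
        else:
            runs.append((var, val, (t, t)))
    return runs

def is_implicant(lits, f, d, props, verdict):
    """Brute force: every trace over props on 0..d that agrees with lits gives
    the same verdict for f at 0, i.e. lits is semantically an implicant."""
    fixed = {(v, t): b for v, t, b in lits}
    free = [(v, t) for v in props for t in range(d + 1) if (v, t) not in fixed]
    for bits in product((0, 1), repeat=len(free)):
        w = {v: [0] * (d + 1) for v in props}
        for (v, t), b in list(fixed.items()) + list(zip(free, bits)):
            w[v][t] = b
        if sat(w, f, 0) != verdict:
            return False
    return True

# Constructed trace over 0..5 in the shape of the motivation slide: p holds
# at 1 and q is absent on [2, 3], so always(p -> eventually_[1,2] q) fails.
TRACE = {'p': [0, 1, 0, 0, 0, 0], 'q': [1, 0, 0, 0, 0, 1]}
SPEC = always(0, 5, implies(('p', 'p'), ('ev', 1, 2, ('p', 'q'))))
```

Calling diagnose(TRACE, SPEC) returns the verdict False and the literal set {p[1], ¬q[2], ¬q[3]}, which normal_form renders as [('p', 1, (1, 1)), ('q', 0, (2, 3))], i.e. the implicant p[1] ∧ ⋀_{t ∈ [2,3]} ¬q[t] of the motivation slide; is_implicant then enumerates all traces that agree with those three literals and confirms that each of them violates the property. Choosing the latest witness keeps the implicant small but, as the Results slide notes, does not make it prime.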
Example solution
“Between 1 to 2 time units from now, always if p holds then q does not hold until r”: ♦_{[1,2]} □(p → ¬(q U r))
[Figure: signals p, q, r and the satisfaction signals of ¬(q U r), p → ¬(q U r), □(p → ¬(q U r)) and ♦_{[1,2]} □(p → ¬(q U r)) over the time axis 0..6]
Results
Correctness
◮ the term D(ϕ) is a solution to the diagnostics of ϕ and w;
◮ it is a small implicant, not necessarily a prime implicant.
Complexity
Proposition. The computation of D(ϕ) takes time O(|ϕ|² · |w|). Minimal diagnostics: EXPSPACE-hard in |ϕ| + |w|.
Perspectives
◮ Advantages of minimal versus inductive diagnostic:
  ◮ minimal diagnostic: localizes the fault “in the execution”
  ◮ inductive diagnostic: localizes the fault “in the specification”
◮ The same technique applies to the analysis of LTL model-checking counter-examples for ultimately-periodic signals
◮ Theory of implicants: possible extension from trace diagnostics to system diagnostics
Thank you.
Normalization of terms
◮ The inductive procedure yields normal form terms.
◮ Reductions:
  ◮ elimination of symbolic terms
    Example (explanation of disjunction):
    ⋀_{t ∈ T} E(ξ[t])[t] ⇔ ⋀_{i=1}^{m} ⋀_{t ∈ T_i} E(ϕ)[t] ∧ ⋀_{i=1}^{n} ⋀_{t ∈ T′_i} E(ψ)[t]
  ◮ elimination of nesting
    Example (falsification of eventually):
    ⋀_{t ∈ T} ⋀_{t′ ∈ t + I} F(ϕ)[t′] ⇔ ⋀_{t′ ∈ T + I} F(ϕ)[t′]
MTL semantics
Definition. For a signal w : (T × P) → {0,1} and a time t ∈ T:
  (w,t) |= p ↔ w_p[t] = 1
  (w,t) |= ¬ϕ ↔ (w,t) ⊭ ϕ
  (w,t) |= ϕ ∨ ψ ↔ (w,t) |= ϕ or (w,t) |= ψ
  (w,t) |= ♦_I ϕ ↔ ∃t′ ∈ t ⊕ I, (w,t′) |= ϕ
  (w,t) |= ϕ U ψ ↔ ∃t′ > t, (w,t′) |= ψ and ∀ t″ ∈ (t, t′), (w,t″) |= ϕ
Model of a formula: w |= ϕ if and only if (w,0) |= ϕ