Generating System-Agnostic Runtime Verification Benchmarks from MLTL - - PowerPoint PPT Presentation



Slide 1

Generating System-Agnostic Runtime Verification Benchmarks from MLTL Formulas

Josh Wallin & Kristin Yvonne Rozier
Iowa State University
September 29, 2018
Midwest Verification Day 2018

Outline: Motivation, Background, Naive Encoding, Interval-Aware Encoding, Future Work

Laboratory for Temporal Logic
J. Wallin & K.Y. Rozier, Generating RV Benchmarks from MLTL Formulas

Slide 2: Runtime Verification for Robonaut 2 [1]

[1] https://robonaut.jsc.nasa.gov/R2/


Slide 7: Runtime Verification for Robonaut 2

How can we debug/validate our monitor specifications?
  → Satisfiability checking!
How can we test our monitors?
  → Benchmark generation!
We need a procedure to check satisfiability for properties, and return a satisfying assignment.

Slide 8: Mission-Time Linear Temporal Logic [2]

Mission-Time Linear Temporal Logic (MLTL) reasons about finite, integer-bounded timelines:

Symbol      Operator          Timeline (time steps 1 to 8)
G[2,6]p     Always[2,6]       p marked at every step of the interval (five steps)
F[0,7]p     Eventually[0,7]   p marked at a single step within the interval
p U[1,5]q   Until[1,5]        p marked at the steps leading up to q, then q marked once

[2] T. Reinbacher, K.Y. Rozier, J. Schumann. “Temporal-Logic Based Runtime Observer Pairs for System Health Management of Real-Time Systems.” TACAS 2014.

Slide 9: Mission-Time Linear Temporal Logic

Why?
  • Naturally aligns with (some) real mission applications, e.g. actual UAS flights are predictably bounded
  • Bounded logics may provide faster procedures for determining SAT
  • Can we just use BMC?


Slide 14: MLTL Benchmarks

An MLTL benchmark is a 3-tuple consisting of:
  • Trace, or computation, π, e.g. π = 0, {a, ¬b, ¬c}, 1, {a, b, ¬c}, 2, {¬a, ¬b, ¬c} . . .
  • MLTL Formula, ϕ, e.g. ϕ = G[0,1](a ∨ b)
  • Oracle, O, e.g. O = 0, T, 1, F, . . .

t   a   b   c   O
0   T   F   F   T
1   T   T   F   F
2   F   F   F   . . .
. . .
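The benchmark triple above, as an added Python example that is not part of the slides: an evaluator that takes the trace π and the formula ϕ and produces the oracle O by evaluating ϕ at every time step. The tuple encoding of formulas, the three-valued verdict (None when the finite trace ends inside an interval, so no verdict is determinable yet), and the three-step trace constructed from the slide are assumptions of this example; with only three steps the verdict at step 2 is already F, because a ∨ b fails at step 2.

```python
# Added example (not from the slides): compute the oracle O of an MLTL
# benchmark by evaluating the formula at every step of a finite trace.
# Formula representation (an assumption of this example):
#   'a'                                   atomic proposition
#   ('not', f)  ('and', f, g)  ('or', f, g)
#   ('G', lo, hi, f)  ('F', lo, hi, f)  ('U', lo, hi, f, g)
# A verdict is True, False, or None when the trace ends before the interval
# has been observed (this three-valued convention is ours, not the slides').

def tv_and(vals):
    """Three-valued conjunction: any False decides, else any None is unknown."""
    if False in vals:
        return False
    return None if None in vals else True

def tv_or(vals):
    """Three-valued disjunction: any True decides, else any None is unknown."""
    if True in vals:
        return True
    return None if None in vals else False

def ev(formula, trace, t):
    """Verdict of `formula` at time step t of `trace` (a list of sets of true atoms)."""
    if isinstance(formula, str):
        return (formula in trace[t]) if t < len(trace) else None
    op = formula[0]
    if op == 'not':
        v = ev(formula[1], trace, t)
        return None if v is None else (not v)
    if op == 'and':
        return tv_and([ev(formula[1], trace, t), ev(formula[2], trace, t)])
    if op == 'or':
        return tv_or([ev(formula[1], trace, t), ev(formula[2], trace, t)])
    if op == 'G':      # must hold at each step in [t+lo, t+hi]
        _, lo, hi, f = formula
        return tv_and([ev(f, trace, t + i) for i in range(lo, hi + 1)])
    if op == 'F':      # must hold at some step in [t+lo, t+hi]
        _, lo, hi, f = formula
        return tv_or([ev(f, trace, t + i) for i in range(lo, hi + 1)])
    if op == 'U':      # g at some step t+i in [t+lo, t+hi], f at every step from t+lo up to t+i-1
        _, lo, hi, f, g = formula
        return tv_or([tv_and([ev(g, trace, t + i)] + [ev(f, trace, t + j) for j in range(lo, i)])
                      for i in range(lo, hi + 1)])
    raise ValueError(f"unknown operator {op!r}")

def oracle(formula, trace):
    """The oracle O of the benchmark (trace, formula): one verdict per time step."""
    return [ev(formula, trace, t) for t in range(len(trace))]

# Constructed trace matching the slide: step 0 {a}, step 1 {a, b}, step 2 {}.
TRACE = [{'a'}, {'a', 'b'}, set()]
PHI = ('G', 0, 1, ('or', 'a', 'b'))

if __name__ == '__main__':
    for step, verdict in enumerate(oracle(PHI, TRACE)):
        print(step, verdict)
```

The same evaluator drives the other operators: F[0,2]c on this trace is F at step 0 and None afterwards, since the trace is too short to rule c out, and a U[0,1] b is T at steps 0 and 1 and F at step 2.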


Slide 17: MLTL Peculiarities

The bounded nature of MLTL formulas permits application of certain transformations.

Nested temporal operators can be eliminated:
G[0,2](F[2,10]a) ≡ F[2,10]a ∧ F[3,11]a ∧ F[4,12]a
  • F[2,10]a: interval [2, 10] + [0, 0]
  • F[3,11]a: interval [2, 10] + [1, 1]
  • F[4,12]a: interval [2, 10] + [2, 2]

G[x,y] = “must hold at each time step in interval [x, y]”

Slide 18: MLTL Peculiarities

The bounded nature of MLTL formulas permits application of certain transformations.

Each temporal operator can be encoded in terms of Globally:
F[2,4]c ≡ G[2,2]c ∨ G[3,3]c ∨ G[4,4]c
(each single-step disjunct coincides with the corresponding Eventually: G[2,2]c ≡ F[2,2]c, G[3,3]c ≡ F[3,3]c, G[4,4]c ≡ F[4,4]c)

F[x,y] = “must hold at some time step in interval [x, y]”


Slide 24: Naive Encoding

We can explicitly generate a benchmark by “expanding” a formula:

ϕ = F[1,2](G[0,2](a ∨ b))
  ↓
ϕ′ = G[1,2](a ∨ b) ∨ G[2,3](a ∨ b)
  ↓
ϕ′ = ((a1 ∨ b1) ∧ (a2 ∨ b2)) ∨ ((a2 ∨ b2) ∧ (a3 ∨ b3))
  ↓
SMT Solver*
  ↓
{SAT, UNSAT}

*a, b could resolve to FO properties with respect to some theories
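The naive encoding as an added Python example (not the authors' code): expand unrolls a formula into a propositional formula over timed atoms such as a1 and b2, and naive_sat stands in for the solver by enumerating assignments, returning a model that is directly a benchmark trace. The formula encoding and the brute-force checker are assumptions of this example; ϕ′ from the slide is the input, so the rendered expansion matches the slide's third line, and the last function shows the 10001 timed atoms that G[0,10000]a produces, the blow-up the Problems slide points out.

```python
# Added example (not from the slides): the naive encoding, i.e. unrolling an
# MLTL formula into a propositional formula over timed atoms (a1, b2, ...)
# followed by a brute-force satisfiability check whose model is the trace.
# Formula representation (an assumption of this example):
#   'a' | ('not', f) | ('and', f, g) | ('or', f, g)
#   | ('G', lo, hi, f) | ('F', lo, hi, f) | ('U', lo, hi, f, g)
from itertools import product

def nary(op, parts):
    """Build an n-ary 'and'/'or' node; a single part needs no connective."""
    return parts[0] if len(parts) == 1 else (op,) + tuple(parts)

def expand(formula, t=0):
    """Unroll `formula` at time step t; atoms become (name, step) pairs."""
    if isinstance(formula, str):
        return (formula, t)
    op = formula[0]
    if op == 'not':
        return ('not', expand(formula[1], t))
    if op in ('and', 'or'):
        return (op, expand(formula[1], t), expand(formula[2], t))
    if op == 'G':          # conjunction over every step of the interval
        _, lo, hi, f = formula
        return nary('and', [expand(f, t + i) for i in range(lo, hi + 1)])
    if op == 'F':          # disjunction over every step of the interval
        _, lo, hi, f = formula
        return nary('or', [expand(f, t + i) for i in range(lo, hi + 1)])
    if op == 'U':          # g at some step t+i, f at every step from t+lo before it
        _, lo, hi, f, g = formula
        return nary('or', [nary('and', [expand(g, t + i)] + [expand(f, t + j) for j in range(lo, i)])
                           for i in range(lo, hi + 1)])
    raise ValueError(f"unknown operator {op!r}")

def is_atom(p):
    return len(p) == 2 and isinstance(p[1], int)

def render(p):
    """Print the unrolled formula the way the slide writes it (a1, b2, ...)."""
    if is_atom(p):
        return f"{p[0]}{p[1]}"
    if p[0] == 'not':
        return "¬" + render(p[1])
    glue = " ∧ " if p[0] == 'and' else " ∨ "
    return "(" + glue.join(render(c) for c in p[1:]) + ")"

def timed_atoms(p, acc=None):
    acc = set() if acc is None else acc
    if is_atom(p):
        acc.add(p)
    else:
        for c in p[1:]:
            timed_atoms(c, acc)
    return acc

def holds(p, model):
    if is_atom(p):
        return model[p]
    if p[0] == 'not':
        return not holds(p[1], model)
    if p[0] == 'and':
        return all(holds(c, model) for c in p[1:])
    return any(holds(c, model) for c in p[1:])

def naive_sat(formula, limit=20):
    """Brute-force stand-in for the SMT solver: a satisfying model over the
    timed atoms, or None if the unrolled formula is unsatisfiable."""
    prop = expand(formula)
    names = sorted(timed_atoms(prop))
    if len(names) > limit:
        raise ValueError(f"{len(names)} timed atoms is too many for brute force")
    for values in product([False, True], repeat=len(names)):
        model = dict(zip(names, values))
        if holds(prop, model):
            return model
    return None

def to_trace(model):
    """Turn a model over timed atoms into a trace: one set of true atoms per step."""
    steps = max(step for _, step in model) + 1
    return [{name for (name, step), v in model.items() if v and step == s} for s in range(steps)]

# ϕ′ from the slide, with its nesting already eliminated.
PHI_PRIME = ('or', ('G', 1, 2, ('or', 'a', 'b')), ('G', 2, 3, ('or', 'a', 'b')))

if __name__ == '__main__':
    print(render(expand(PHI_PRIME)))
    print(to_trace(naive_sat(PHI_PRIME)))
```

The limit argument is the point of the exercise: G[0,10000]a unrolls to 10001 timed atoms, far beyond anything an enumerating checker can handle, even though the property only ever needs a itself checked once.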


Slide 27: Problems

  • Doesn’t distinguish SAT from Benchmark Generation: a benchmark must be generated to check SAT
  • Simple formulas over long intervals can blow up the query, e.g. G[0,10000]a → really just need to check a itself once
  • Doesn’t utilize intervals beyond expanding formulas, e.g. G[0,10]a ∧ G[20,30]b → can check a and b separately

Slide 28: Reducing Our Encoding

How can we use the explicitly bounded nature of MLTL effectively to support checking satisfiability and generating benchmarks?

Slide 29: Interval-Aware Encoding

MLTL Formula → Abstract away arguments → Convert to GNF → Compute Conflict Sets → Replace arguments → SMT Query

Slide 30: Procedure

  • 1. Abstract away arguments

ϕ = (G[0,4](altitude > 1000ft ∨ !airborne) ∨ G[5,10](altitude > 1000ft ∨ !airborne)) ∧ G[0,10](AMS1.valid ∧ AMS2.valid) ∧ F[1,3](received takeoff command)
  ↓
ϕ′ = (G[0,4]a ∨ G[5,10]a) ∧ G[0,10]b ∧ F[1,3]c

Slide 31: Procedure

  • 2. Convert to Globally Normal Form (GNF)
  • i. Convert all temporal operators to Globally

ϕ = (G[0,4]a ∨ G[5,10]a) ∧ G[0,10]b ∧ F[1,3]c
  ↓
ϕ′ = (G[0,4]a ∨ G[5,10]a) ∧ G[0,10]b ∧ (G[1,1]c ∨ G[2,2]c ∨ G[3,3]c)

Slide 32: Procedure

  • 2. Convert to Globally Normal Form (GNF)
  • ii. Rewrite as a disjunction of conjunctions

ϕ′ = (G[0,4]a ∨ G[5,10]a) ∧ G[0,10]b ∧ (G[1,1]c ∨ G[2,2]c ∨ G[3,3]c)
  ↓
ϕ′_GNF = (G[0,4]a ∧ G[0,10]b ∧ G[1,1]c)
       ∨ (G[0,4]a ∧ G[0,10]b ∧ G[2,2]c)
       ∨ (G[0,4]a ∧ G[0,10]b ∧ G[3,3]c)
       ∨ (G[5,10]a ∧ G[0,10]b ∧ G[1,1]c)
       ∨ (G[5,10]a ∧ G[0,10]b ∧ G[2,2]c)
       ∨ (G[5,10]a ∧ G[0,10]b ∧ G[3,3]c)

Slide 33: Procedure

  • 3. For each clause, compute the overlap between sub-formula intervals (conflict set)

C1 = (G[0,4]a ∧ G[0,10]b ∧ G[1,1]c)
. . .
C6 = (G[5,10]a ∧ G[0,10]b ∧ G[3,3]c)
  ↓
SC1 = {a ∧ b, a ∧ c, b ∧ c, b}
. . .
SC6 = {a ∧ b, b ∧ c, b}

If, for any clause Ci ∈ ϕ′_GNF, every formula in SCi is satisfiable, then ϕ is satisfiable.

Slide 34: Procedure

  • 4. Substitute the original arguments back in

SC1 = {a ∧ b, a ∧ c, b ∧ c, b}
. . .
SC6 = {a ∧ b, b ∧ c, b}

for a = (altitude > 1000ft ∨ !airborne), b = (AMS1.valid ∧ AMS2.valid), c = (received takeoff command)

Check the corresponding sets of formulas for satisfiability.

Slide 35: Procedure (for Benchmark Generation)

  • (5.) Conjunct the satisfying clause, increment bounds, and repeat

SC6 = {a ∧ b, b ∧ c, b}
  ↓
ϕ′_GNF = (G[5,10]a ∧ G[0,10]b ∧ G[3,3]c)
       ∧ ((G[6,11]a ∧ G[1,11]b ∧ G[2,2]c)
        ∨ (G[6,11]a ∧ G[1,11]b ∧ G[3,3]c)
        ∨ (G[6,11]a ∧ G[1,11]b ∧ G[4,4]c))

Slide 36: An MLTL Front End (SAT)

Conflict sets need only be computed once (not online).

Pipeline (diagram): MLTL Front End → SC1 = {a ∧ b ∧ c, d ∧ e, . . .} . . . SCi = {a, c ∧ f, d ∧ e, . . .} → Standard SMT Solver → {SAT, UNSAT}

Slide 37: An MLTL Front End (Benchmark Generation)

A satisfiable conflict set can be backpropagated to generate a valid benchmark.

Pipeline (diagram): SC2 = {a, d ∧ e, . . .} → Standard SMT Solver → MLTL Benchmark Generator → benchmark trace with oracle, e.g.:

t   alt     airborne   speed    O
    1040m   T          812m/s   T
. . .

Slide 38: Questions?

What have we proposed?
  • Rewrite rules
  • SAT procedure
  • System-Agnostic Benchmark Generation
  • Integration with existing SMT infrastructure

Open Questions
  1. Can we perform this technique with CNF instead of DNF?
  2. How can we avoid recomputing the same conflicts multiple times?
  3. How do our assumptions on formulas hold up in the literature? e.g. Is nesting operators deeply really uncommon?
  4. How might data structures be altered to support the problem?

Slide 39: Eliminating Nested Temporal Operators

Let ◦1, ◦2 be either of the temporal operators G or F. The appropriate rewrite rule for ◦1, ◦2 = U follows intuitively from the other two.

$$F_{[x,y]}\big({\circ_1}_{[a,b]}\varphi_1\big) = \bigvee_{i=x}^{y} {\circ_1}_{[a+i,\,b+i]}\varphi_1$$

$$G_{[x,y]}\big({\circ_1}_{[a,b]}\varphi_1\big) = \bigwedge_{i=x}^{y} {\circ_1}_{[a+i,\,b+i]}\varphi_1$$

$${\circ_1}_{[a,b]}\varphi_1 \; U_{[x,y]} \; {\circ_2}_{[c,d]}\varphi_2 = {\circ_2}_{[c+x,\,d+x]}\varphi_2 \;\vee\; \bigvee_{i=x+1}^{y} \Big({\circ_1}_{[a+i-1,\,b+i-1]}\varphi_1 \wedge {\circ_2}_{[c+i,\,c+i]}\varphi_2\Big)$$

Slide 40: Converting Temporal Operators to Globally

$$F_{[x,y]}\varphi_1 = \bigvee_{i=x}^{y} G_{[i,i]}\varphi_1$$

$$\varphi_1 \, U_{[x,y]} \, \varphi_2 = G_{[x,x]}\varphi_2 \;\vee\; \bigvee_{i=x+1}^{y} \Big(G_{[x,i-1]}\varphi_1 \wedge G_{[i,i]}\varphi_2\Big)$$
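The interval-aware procedure of the Procedure slides (steps 2 to 4), built on the rewrite rules of the two slides above, as one added Python example that is not the authors' tool: to_globally applies the Eventually/Until-to-Globally rules and the nested-operator shift, dnf produces the disjunction of conjunctions, conflict_set computes per clause which arguments must hold together at each time step, and mltl_sat decides satisfiability clause by clause. The tuple encoding of formulas, the handling of the unsupported nesting shapes (an error), and the brute-force propositional check that stands in for the SMT query of step 4 are assumptions of this example. One reading choice is also ours: the conflict set takes the full conjunction of every argument active at a time step, so for C1 it contains a ∧ b ∧ c at step 1 rather than the pairwise overlaps; for C6 it yields exactly the slide's {a ∧ b, b ∧ c, b}.

```python
# Added example (not the authors' tool): GNF conversion, conflict sets and a
# clause-by-clause SAT decision for MLTL, using the slides' rewrite rules.
# Formula representation (an assumption of this example):
#   'a' | ('not', f) | ('and', f, g) | ('or', f, g)
#   | ('G', lo, hi, f) | ('F', lo, hi, f) | ('U', lo, hi, f, g)
# Atoms are the abstracted arguments of step 1 (e.g. 'a' for
# altitude > 1000ft ∨ !airborne); consistent() stands in for the SMT call.
from itertools import product

def is_temporal(f):
    return isinstance(f, tuple) and (f[0] in ('G', 'F', 'U') or
                                     any(is_temporal(c) for c in f[1:]))

def chain(op, parts):
    """Left-nested binary chain: parts[0] op parts[1] op ..."""
    out = parts[0]
    for p in parts[1:]:
        out = (op, out, p)
    return out

def to_globally(f):
    """Express F and U through G and shift one level of nesting out."""
    if not is_temporal(f):
        return f                                        # purely propositional argument
    op = f[0]
    if op == 'not':
        raise ValueError("negated temporal operators are not handled here")
    if op in ('and', 'or'):
        return (op, to_globally(f[1]), to_globally(f[2]))
    if op == 'U':      # φ1 U[x,y] φ2 = G[x,x]φ2 ∨ ⋁_{i=x+1..y} (G[x,i-1]φ1 ∧ G[i,i]φ2)
        _, x, y, f1, f2 = f
        terms = [('G', x, x, f2)] + [('and', ('G', x, i - 1, f1), ('G', i, i, f2))
                                      for i in range(x + 1, y + 1)]
        return to_globally(chain('or', terms))
    _, x, y, sub = f                                    # op is G or F
    if not is_temporal(sub):
        return f if op == 'G' else chain('or', [('G', i, i, sub) for i in range(x, y + 1)])
    if sub[0] in ('G', 'F'):   # nested G/F: shift the inner interval by each i in [x,y]
        _, a, b, psi = sub
        shifted = [to_globally((sub[0], a + i, b + i, psi)) for i in range(x, y + 1)]
        return chain('and' if op == 'G' else 'or', shifted)
    if op == 'G' and sub[0] == 'and':                   # G distributes over ∧
        return ('and', to_globally(('G', x, y, sub[1])), to_globally(('G', x, y, sub[2])))
    if op == 'F' and sub[0] == 'or':                    # F distributes over ∨
        return ('or', to_globally(('F', x, y, sub[1])), to_globally(('F', x, y, sub[2])))
    raise ValueError(f"unsupported nesting: {op} over {sub[0]}")

def dnf(f):
    """A Globally-only formula as a list of clauses, each a list of G-literals."""
    if not is_temporal(f):
        return [[('G', 0, 0, f)]]                       # a bare argument must hold at step 0
    if f[0] == 'G':
        return [[f]]
    left, right = dnf(f[1]), dnf(f[2])
    return left + right if f[0] == 'or' else [l + r for l in left for r in right]

def conflict_set(clause):
    """For each step the clause covers, the arguments that must hold together there."""
    horizon = max(hi for _, _, hi, _ in clause)
    result = set()
    for t in range(horizon + 1):
        active = frozenset(arg for _, lo, hi, arg in clause if lo <= t <= hi)
        if active:
            result.add(active)
    return result

def prop_atoms(p, acc):
    if isinstance(p, str):
        acc.add(p)
    else:
        for c in p[1:]:
            prop_atoms(c, acc)
    return acc

def holds(p, model):
    if isinstance(p, str):
        return model[p]
    if p[0] == 'not':
        return not holds(p[1], model)
    if p[0] == 'and':
        return holds(p[1], model) and holds(p[2], model)
    return holds(p[1], model) or holds(p[2], model)

def consistent(args):
    """Stand-in for the SMT query of step 4: can all arguments hold at one step?"""
    names = sorted(set().union(*(prop_atoms(a, set()) for a in args)))
    return any(all(holds(a, dict(zip(names, vals))) for a in args)
               for vals in product([False, True], repeat=len(names)))

def mltl_sat(formula):
    """First GNF clause whose conflict set is fully satisfiable (usable for step 5), else None."""
    for clause in dnf(to_globally(formula)):
        if all(consistent(conj) for conj in conflict_set(clause)):
            return clause
    return None

# Constructed ϕ′ from the Procedure slide, arguments already abstracted to a, b, c.
PHI = ('and', ('and', ('or', ('G', 0, 4, 'a'), ('G', 5, 10, 'a')), ('G', 0, 10, 'b')),
       ('F', 1, 3, 'c'))
```

Running mltl_sat(PHI) returns the first clause C1, since every conjunction in its conflict set is consistent; swapping the Eventually argument for ¬a (G[0,4]a ∧ F[1,3]¬a) puts a and ¬a in the same step of every clause and the result is None, without a single timed atom ever being unrolled.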