temporal logic in JavaMOP includes slides CS 119 by Grigore Rosu - - PowerPoint PPT Presentation

temporal logic in JavaMOP

CS 119

includes slides by Grigore Rosu

propositional logic extended with temporal operators referring to past and future

2

3

past time properties

now

past past future future

A B

• If A happens now

B must have happened

¤(A ! ¨B)

4

future time properties

now

past past future future

A B

• If A happens now

B must happen

¤(A ! § B)

5 ERE LTL ptLTL ptCaRet logic plugins

… …

JavaMOP BusMOP

MOP

CFG languages

Instances of MOP

MOP JavaMOP BusMOP HardwareMOP …

today

6

http://fsl.cs.uiuc.edu/index.php/Special:PTLTLPlugin

7

http://fsl.cs.uiuc.edu/index.php/Special:FTLTLPlugin

8

Chomsky’s language hierarchy

http://en.wikipedia.org/wiki/Chomsky_hierarchy

9

temporal logic for finite traces: subset of regular languages

regular temporal

p is even in every other state even /\ always(even implies (next next even))

does not work

even true

1 2

10

advantages of temporal logic

• some properties can be stated more

succinctly

• where translation to automata will result in

state explosion

• it will of course be a debate at a practical

engineering level what notation is most suitable in practice

• everybody understand state machines right

away and temporal properties can be hard to write and read for complex scenarios

past time and future time temporal logic

semantics and algorithms

12

PathExplorer - overview

Running program socket Events Observer

13

Specification Based Monitoring

PathExplorer the observer

Dispatcher

datarace deadlock temporal

paxm odules m odule datarace = ‘ java pax.Datarace’ ; m odule deadlock = ‘ java pax.Deadlock’ ; m odule tem poral = ‘ java pax.Tem poral spec’ ; end

Event stream

warning

…

warning

…

warning

…

…

future time

semantics and algorithm

15

getting the events (Java)

program

Java Virtual Machine

bytecode compile instrument execute

instrumented bytecode

green yellow red g reen …

class Light{ void goRed(){ color = 1; } …

predicate red = (Light.color == 1); predicate yellow = (Light.color == 2); predicate green = (Light.color == 3); Instrumentation Script property p = [](green -> !red U yellow); Specification

16

monitoring Future Time LTL

Syntax – Propositional Calculus plus

• F (next)  F (always)  F (eventually) F U F’ (until)

Executable Semantics – Rewriting

_{_} : Formula x Event -> Formula (“consume” event e) F{e} formula that should hold after processing e

p{e}  is the atomic predicate p true on e ?

(F op F’){e}  F{e} op F’{e}

(o F){e}  F ( F){e}  F{e} ∧ ( F) ( F){e}  F{e} ∨ ( F) (F U F’){e}  F’{e} ∨ (F{e} ∧ (F U F’))

17

Future Time LTL - example

(green → ¬red U yellow)

Formula: Event stream: red yellow green yellow green red …

{red}



(green → ¬red U yellow){red} ∧ (green → ¬red U yellow) (green{red} → (yellow{red} ∨ ¬red{red} ∧ ¬red U yellow)) ∧ …

*

(false → (false ∨ false ∧ ¬red U yellow)) ∧ …

* *

true ∧ (green → ¬red U yellow)



(green → ¬red U yellow)

Event red has been consumed! X

{yellow}

*

(green → ¬red U yellow)

X

{green}

X *

((¬red U yellow) ∧ (green → ¬red U yellow)){yellow}

X *

(green → ¬red U yellow) {green}

X *

((¬red U yellow) ∧ (green → ¬red U yellow)){red} (yellow{red} ∨ ¬red{red} ∧ ¬red U yellow) ∧ …

* *

false ∧ …

*

false

X Formula was violated!

18

timed temporal logic

• Add real time (RTL, MiTL, timed automata,

etc.)

5

(start → stop)

t-δ t

( F){e:δ}  (δ≤t) ∧ (F{e:δ} ∨ F)

19

performance

• Implemented the algorithm above in PaX

– Maude as rewriting engine

• 15 lines of obviously correct code!
• Monitored 100 million events on 1.7GHz PC

– 185 seconds, 220 million rewrites – Faster than modified Büchi automaton in Java (1,500 lines of code)

• Is this 1,500 LOC Java program correct?
• I/O + buffering take longer than rewriting …

20

generating FSM observers

• There are applications where

– Little monitoring overhead is allowed (real time) – Few resources available for monitoring

• Challenge: efficient and simple monitors!
• Finite State Machine observers can be built

from formulae before monitoring

– Lower runtime overhead

• No inferences needed
• Only some atomic predicates need to be evaluated

– Higher start time overhead

21

building a minimal BTT_FSM

• Idea

– Do the rewrites for all possible values of predicates – Get a finite state machine

• Nodes are LTL formulae
• Optimize using a validity checker (F ↔ F’ : one state)
• Edges are propositions
• Assign numbers to states
• Replace edges by Binary Transition Trees

22

Binary Transition Tree FSM

• We can build minimal FSMs statically for LTL
• Suitable for monitoring. New concept?

Formula (green → ¬red U yellow) State 1 2 BTT yellow ? 1 : green ? (red ? false : 2) : 1 yellow ? 1 : (red ? false : 2) yellow green red 1 1 false 2

Y Y Y N N N

yellow red 1 false 2

Y Y N N

past time

semantics and algorithm

24

monitoring safety

• Example:
• r formally

where (MAC)

↑F means start F, ↓F means end F, [F,F’) means F butnot F’ since then Safe Landing Land the space craft only after approval from ground and only if, since then, the radio signal has not been lost

↑Landing → [Approved, ↓Radio)

25

past time operators

Basic – Propositional Calculus plus

F (prev.) F S F’ (since)  F (always) F (eventually) in past

Special – Suitable for monitoring (MaC)

– ↑F - start of F – ↓F - end of F – [F,F’) - F butnot F’

Theorem: ↑,↓,[_,_) and ,_S_ defined in terms of each other!

– F = (F →¬↑F) ∧ (¬F → ↓F), [F,F’) = (¬F’) S F, ↑F = F ∧ ¬F

F F’

↑F ↓F

[ )

x x

[↓F,F’)

Safety property:  F, where F is a past time LTL formula

26

semantics

• standard semantics
• recursive Semantics

e1 e2 … en-1 en = [F,F’) iff there is 1 ≤ i ≤ n such that e1 e2 … ei = F and for all i ≤ j ≤ n, e1 e2 … ej = F’ t e = [F,F’) iff t e = F’ and ( t e = F or t = [F,F’) ) / | | | | | | | /

27

http://en.wikipedia.org/wiki/Dynamic_programming

28

Step 1 Label nodes in BFS order

1 2 3 4 5 6

dynamic programming algorithm

→ ↑ [_,_) ↓

Landing Approved Radio

Formula: ↑Landing → [Approved, ↓Radio) Trace: e1 e2 … en-1 en Step 2: Dynamic progr. alg. Memory m[0..6, 1..n]

for i=1..n {process(ei) m[6,i] = holds(Radio) m[5,i] = m[6,i-1] and not m[6,i] m[4,i] = holds(Approved) m[3,i] = holds(Landing) m[2,i] = not m[5,i] and (m[4,i] or m[2,i-1]) m[1,i] = m[3,i] and not m[3,i-1] m[0,i] = not m[1,i] or m[2,i] if m[0,i] == 0 then “Error” }

Step 3: Optimization Memory now[0..6], prev[0..6]

for i=1..n {process(ei) now[6] = holds(Radio) now[5] = prev[6] and not now[6] now[4] = holds(Approved) now[3] = holds(Landing) now[2] = not now[5] and (now[4] or prev[2]) now[1] = now[3] and not prev[3] now[0] = not now[1] or now[2] if now[0] == 0 then “Error” prev = now }

Step 4: Further Optimization Global bits b1, b2, b3 Temporary bits t1, t2, t3

t1 = holds(Radio) t2 = holds(Landing) t3 = (not b1 or t1) and (holds(Approved) or b3) if (t2 and not (b2 or t3)) then “error” (b1,b2,b3) = (t1,t2,t3)

Time: ≤ 6 CPU clocks!

b1 b2 b3

future time versus past time

30

liveness vs. safety

• Monitoring liveness properties ...

... keep statistical information for eventualities?

• Focus on safety

– Often easier to express using past time LTL  F, where F is a past time LTL formula –  F equivalent to “monitor F”

Formula: ϕ =  (F →  F’) Trace F F’ F F’ F F’ ... F F’ F ⊥ violates ϕ Trace F F F F F F ... F F’ ⊥ does not violate ϕ

<>F can never be violated in JavaMOP

past time

In JavaMOP

32

syntax

33

properties of Java library APIs properties of Java library APIs

R1: There should be no two calls to next() without a call to hasNext() in between,

• n the same iterator.

34

class class Test { public public static tatic void

• id main(String[] args) {

Vector<Integer> v1 = new ew Vector(); Vector<Integer> v2 = new ew Vector(); v1.add(1); v1.add(3); v2.add(5); v2.add(7); Iterator it1 = v1.iterator(); Iterator it2 = v2.iterator(); int int sum = 0; if if(it2.hasNext()) sum += (Integer)it2.next(); if if(it1.hasNext()) sum += (Integer)it2.next(); System.out.println(”sum(v2) = " + sum); } } should have been: if if(it2 it2.hasNext())

• ur
• ur hasNext

hasNext example again xample again

unguarded call: it2 it2.next()

)

35

recall the recall the regular expression specification egular expression specification

partial, matching against suffix trace /*@ partial centralized scope = global logic = ERE HasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next())); formula : next next } validation handler{ System.err.println("*** call hasNext() before next()"); } @*/ validation (not violation)

36

PTLTL Property in PTLTL Property in JavaMOP avaMOP

package ltl.hasnext; import java.util.*; /*@ centralized scope = global logic = PTLTL HasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next())); formula : next /\ (*)next } validation handler { System.err.println("*** call hasNext() before next()"); } @*/ it does not look too different in this particular case, but PTLTL

• bviously does

not show more succinct here. partial matching does not make sense in PTLTL. Warning: PTLTL and validation does not currently work in JavaMOP. Likely a bug.

37

PTLTL Property in PTLTL Property in JavaMOP avaMOP

package ltl.hasnext; import java.util.*; /*@ centralized scope = global logic = PTLTL HasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next())); formula : !(next /\ (*)next) } violation handler { System.err.println("*** call hasNext() before next()"); } @*/ less attractive but simularity to regular exp can still be noticed. partial matching does not make sense in PTLTL. In PTLTL: validation = not violation

38

(hasNext hasNext* next)* which was slightly too strong, but let’s try to emulate it i) total trace semantics ii)looking for violation recall recall this other regular expression his other regular expression

39

PTLTL Property in PTLTL Property in JavaMOP avaMOP - attempt 1 attempt 1

package ltl.hasnext; import java.util.*; /*@ centralized scope = global logic = PTLTL HasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next())); formula : next -> <*>hasnext } violation handler{ System.err.println("*** call hasNext() before next()"); } @*/ no longer partial not correct, will allow for example: it.hasNext(); it.next(); it.next()

40

package ltl.hasnext; import java.util.*; /*@ centralized scope = global logic = PTLTL HasNext(Iterator i) { event hasnext<i> : end(call(* i.hasNext())); event next<i> : begin(call(* i.next())); formula : next -> (*)(!next Ss hasnext) } violation handler{ System.err.println("*** call hasNext() before next()"); } @*/

PTLTL Property in PTLTL Property in JavaMOP avaMOP - attempt attempt 2

correct, will not allow: it.hasNext(); it.next(); it.next() formula: next -> (*)[hasnext,next)s

41

properties of Java library APIs properties of Java library APIs

R2: An enumeration should not be propagated after the underlying vector has been changed.

42

Vector v1 = new ew Vector(); Vector v2 = new ew Vector(); v1.add(1); v1.add(2); v2.add(4); v2.add(5); Enumeration e1 = v1.elements(); Enumeration e2 = v1.elements(); Enumeration e3 = v2.elements(); while while(e1.hasMoreElements())print(e1.nextElement()); v1.add(99); while while(e2.hasMoreElements())print(e2.nextElement()); while while(e3.hasMoreElements())print(e3.nextElement());

many vectors and enumerators

v1 v2 e1 e2 e3 create(v,e) next(e) updatesource(v) events: add next

43

/*@ partial centralized scope = global logic = ERE SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ end(call(* v.clear())) \/ end(call(* v.insertElementAt(..))) && \/ end(call(* v.remove*(..))) \/ end(call(* v.retainAll(..))) \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement())); formula : create next* updatesource updatesource* next } validation handler { System.out.println("datasource changed during iteration!"); } @*/

recall ERE specification

44

PTLTL Property in PTLTL Property in JavaMOP avaMOP - using sing ‘Ss’

/*@ centralized scope = global logic = PTLTL SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ … \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement())); formula : next -> !(<*>(updatesource /\ <*>create)) } violation handler { System.out.println("the datasource is changed during iteration!"); } @*/

45

PTLTL Property in PTLTL Property in JavaMOP avaMOP - using sing ‘[_,_) _,_)s’

/*@ centralized scope = global logic = PTLTL SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ … \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement())); formula : next -> [create,updatesource)s } violation handler { System.out.println("the datasource is changed during iteration!"); } @*/

future time

In JavaMOP

47

syntax

48

back to this one, now back to this one, now referring to future eferring to future

R2: An enumeration should not be propagated after the underlying vector has been changed.

49

Vector v1 = new ew Vector(); Vector v2 = new ew Vector(); v1.add(1); v1.add(2); v2.add(4); v2.add(5); Enumeration e1 = v1.elements(); Enumeration e2 = v1.elements(); Enumeration e3 = v2.elements(); while while(e1.hasMoreElements())print(e1.nextElement()); v1.add(99); while while(e2.hasMoreElements())print(e2.nextElement()); while while(e3.hasMoreElements())print(e3.nextElement());

many vectors and enumerators

v1 v2 e1 e2 e3 create(v,e) next(e) updatesource(v) events: add next

50

/*@ centralized scope = global logic = PTLTL SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ … \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement())); formula : next -> [create,updatesource)s } violation handler { System.out.println("the datasource is changed during iteration!"); } @*/

recall past time formulation

51

/*@ centralized scope = global logic = FTLTL SafeEnum (Vector v, Enumeration+ e) { event create<e, v> : end(call(Enumeration v.elements())) with (e); event updatesource<v> : end(call(* v.add*(..))) \/ end(call(* v.clear())) \/ end(call(* v.insertElementAt(..))) \/ end(call(* v.remove*(..))) \/ end(call(* v.retainAll(..))) \/ end(call(* v.set*(..))); event next<e> : begin(call(Object e.nextElement())); formula : [](create -> o [](updatesource -> [](!next))) } violation handler { System.out.println("the datasource is changed during iteration!"); } @*/

FTLTL specification

52

end