Deciding Continuous-time Metric Temporal Logic with Counting Modalities

Transcription

1 Deciding Continuous-time Metric Temporal Logic with Counting Modalities RP 2013 Marcello M. Bersani Matteo Rossi Pierluigi San Pietro - Politecnico di Milano

2 Motivations Con+nuous +me is o%en used for modeling hybrid systems computer systems that interact with the physical world Also well suited to capture asynchrony in systems e.g., events occurring close to each other, but not at the same ;me Successful formalisms and tools to capture and analyze con;nuous systems e.g., Timed Automata (Uppaal) Con;nuous- ;me temporal logics are useful to capture the proper;es of systems e.g., high- level requirements descrip+ve models of systems: what vs how

3 Motivations Since 80s aiempts to embed explicit (real) ;me in Linear Temporal Logic (LTL, defined on discrete ;me only) Harel, Pnueli, Ostroff, etc. A Really Temporal Logic (TPTL), Alur&Henzinger, 1989, with explicit clocks But undecidable over dense ;me Shortly a%er, Metric Temporal Logic (MTL) A&H 90. Also undecidability over dense ;me No explicit clocks, but implicit use of ;me in parameterized modali;es <c Decidable fragment: Metric Interval Temporal Logic (MITL) A&H 96

4 Example: MTL (and MITL) φ MTL = p φ φ φ φu I φ φs I φ I = a,b or a, a<=b N (or 0 ) p atomic proposi;on in finite alphabet AP MITL = fragment of MTL with a<b (non punctual intervals) Seman;cs over non- Zeno Signals M: R 2 AP φu (1,2) ψ d (1,2), M,t+d' ψ and M,t φ, t (t,t+d )

5 QTL (Quantitative Temporal Log.) φ QTL = p φ φ φ φuφ φsφ F (0,1) φ P (0,1) φ Seman;cs over non- Zeno (finitely variable) Signals M: R 2 AP F (0,1) φ d (0,1), M,t+d' φ QTL has the same expressive power of MITL (Hirshfeld &Rabinovich 99)

6 Overview of SAT and inclusion for various continuous time logics TPTL Explicit clock + Freeze operator x.(pu(x<1)) No clocks MTL F [1,1] ü Q2MLO=QTLc=QTLp Undecidable EXPSPACE- c QMLO=QTL MITL MITL 0, ECL PSPACE- c F [1,1] û

7 Pnueli modalities Pnueli conjectured that QTL and MITL are unable to express: «A and B will both happen within 1 7me unit» Later proved by H&R 07, who generalized to any number n of events, required to occurr in order: Pnueli modality PNUELI n (θ 1, θ 2,.., θ n ) true at instant t iff there exist t<t 1 < <t n <t+1 s.t. each θ i holds at t i

8 Counting modalities H&R 12 defined a simpler coun+ng modality: C n (φ) holds at instant t iff φ holds at least n ;mes in interval (t,t+1) φ =1 C 2 φ t t+1 t+2

9 Background on Pnueli and Counting Modalities QTLc = QTL with (infinite) coun;ng modali;es QTLp = QTL with (infinite) Pnueli modali;es QTLc QTLp There was no tool suppor;ng QTL or QTLc (un;l now!)

10 Existing tool for QTL Recently, we developed and implemented a tool deciding SAT for QTL and all the equivalent real- ;me logics MITL, ECL, QMLO. On unrestricted (non Zeno) signals By using a new decidability procedure Now extended to deal with QTLc 1 From MITL to Timed Automata, Maler, Nickovic and Pnueli, 2006

11 Sketch of our solution QLTc CLTL- over- clocks 1 CLTL- oc is a discrete +me logic CLTL- oc decidable (PSPACE- c) CLTL- oc formulae contain explicit clocks Decision procedure Based on (PSPACE) SAT of CLTL 2 Using SMT tools (for solving bounded SAT) 3 1 A Tool for Deciding Con;nuos Time Metric Temporal Logic, Bersani, Rossi, San Pietro, An automata Theore;c Approach to Constraint LTL, Demri, D Souza, Constraint LTL Sa;sfiability Checking without Automata, Bersani et al., 2012

12 CLTL: Constraint LTL Constraint LTL [Demri et al., 2006] is an extension of LTL where atomic proposi;ons may be replaced by asser;ons (constraints) on the value of variables, e.g., x>0, x<y. The type of variables and the kinds of allowed constraints lead to different logics. The idea is interpre;ng variables over a constraint system. A constraint system is pair <Domain, Rela;ons>, e.g., (N,<,=). Depending on the constraint system, the resul;ng logic may s;ll be decidable.

13 Constraint LTL over clocks CLTL- oc is extension of CLTL with real variables behaving as Alur& Dill (;med automata) clocks. AP=finite set of proposi;ons V= finite set of clocks (real variables) Syntax as in LTL: φ = α φ φ φ φuφ φsφ Xφ Yφ But an atomic formula α = p τ<τ τ=τ p AP Term τ: τ = c z Xz constant c N, clock z R: Models: (π,σ) π: N 2 AP σ: N V R

14 From signals to CLTLoc models Given a QTLc formula, for every subformula θ let M θ be the signal represen;ng the changing points of θ b M: R 2 AP =1 M θ by QTL seman;cs a =1 C 1 a b C 1 a Finite variability assump+on: Changing points are denumerable subset of R

15 From signals to CLTLoc models Rela;on from signals M to CLTLoc models (π,σ) Changing point in M = a ;me instant in CLTLoc model φ r(m) F (0,1) φ (π,σ) (π 0,σ 0 ) (π i,σ i ) Finite variability assump;on: Denumerable subset of R r - 1 (π,σ)

16 From signals to CLTLoc models Each posi;on in π represents the truth of θ at the corresponding interval in M θ if atom f θ is true, θ holds in the first point of the current interval if atom h θ is true, θ holds in the rest of the points of the current interval f φ,h φ f φ,h φ f φ,h φ φ f φ, h φ f φ, h φ f φ, h φ f θ,h θ f θ,h θ θ=c 1 φ π {f φ,f θ, h φ,h θ } {f φ,f θ, h φ,h θ } {f φ } {} {h θ } {f φ,f θ, h φ,h θ }

17 From signals to CLTLoc models Instants in CLTLoc are always at distance one. Actual ;me progress between two instants is measured by clocks z θ0,z θ 1 are (alterna;vely) reset at each changing point of θ. φ C 1 φ π {f φ,f θ, h φ,h θ } σ z φ0 =0 z φ1 >0 {f φ,f θ, h φ,h θ } z φ0 =.3 z φ1 >0 {f φ } z φ0 =1 z φ1 =0 {} z φ0 =2.2 z φ1 =1.2 {h θ } z φ0 =2.4 z φ1 =1.4 {f φ,f θ, h φ,h θ } z φ0 =0 z φ1 =2.3

18 Equisatisfiability Given a QTLc formula Φ, we define set of equisa;sfiable CLTLoc formulae {m(θ) θ subformula of Φ} such that M,0 Φ iff (π,σ),0 f Φ θ G(m(θ)) (for all (π,σ) r(m))

19 Example Translation for U W φ = f φ h φ φ ψ W φ W φ W φ W φ W φ h ψ θ=φu ψ m(θ): f θ h θ h θ h φ (h ψ X(W φ U ( (W φ h ψ ) f ψ )))

20 Translation for C 1 (with 2 clocks) φ z φj =0 z φj >1 >1 φ θ=c 1 φ =1 θ z θi =0 z θi =1 m(θ): θ f θ z θ i =0 X(z θi >0 U ( φ z θi =1 z φj >1 )) θ Y(h θ ) h θ 20

21 Generalization to C n φ More Clocks: n pair of clocks for each subformula of φ If using only QTL operators, one pair of clocks for every subformula is enough Pairs of clocks are «recicled» between changing points For coun;ng modality C n φ, it is necessary to keep track of up to n changes in the interval for φ Defini;on in CLTLoc of the various cases in terms of clocks and f,h Classifica;on of all possible cases for φ being true at least n ;mes Update rules for clocks Raising (and falling) signals Closed/open intervals Singulari;es (isolated points) In the origin of ;me axis Transla;on is «complicated», but it is conceptually easy within the CLTLoc framework

22 Example of a case for θ = C n γ when θ becomes true with a raising in an instant t>0 then it does so in a le%- open manner, a clock z j θ is reset, and (i) either γ has n- 1 up- singulari;es before z j θ hits 1 and γ becomes true again also with an up- singularity when z j θ = 1, or (ii) γ has a raising edge when z j θ = 1 and it also has up to n- 1 (possibly 0) up- singulari;es before z j θ = 1

23 Satisfiability checking of CLTL-oc CLTL- oc can be encoded into a decidable Sa;sfiability Modulo Theory (SMT) problem [Gandalf2013, AVOCS 2013] Based on building a finite symbolic representaton of an ul;mately symbolic model for a formula The sa;sfiability is decided by solving at most a bounded amount of sa;sfiability problems of a decidable constraint system. «reduc;on to the sa;sfiability problem of the theory of Equality and Uninterpreted Func;ons combined with Linear Integers/Reals Arithme;c (QF- EUF ᴗLIRA). SMT solvers (e.g., Z3) can then be used to check sa;sfiability of CLTL- over- clocks. The procedure is complete.

24 Verification: K-bounded SAT Find a (infinite) periodic model over Subformulae Regions for clocks (not over values!!) with at most K changing points Complete procedure K=6 π { φ, θ } R σ R l - 1 {f φ } R l { φ, θ } {f φ } R k R k+1 = 12(3456) ω

25 Complexity Sa;sfiability of QTLc is: PSPACE- complete when indexes of coun;ng modali;es are encoded in unary EXPSPACE- complete if indexes encoded in binary Transla;on from QTLc to CLTLoc Polynomial in the size of the formula: linear for formulae without coun;ng modalites, quadra;c (in the unary encoding) for formulae inside coun;ng modali;es SAT of CLTLoc is PSPACE- complete 1

26 Implementation The transla;on from QLTc (and also QTL, MITL) has been implemented in a new tool, qtlsolver Implementa;on is then based on qtlsolver: hip://code.google.com/p/qtlsolver/ Transla;on MITL (QTL) to CLTLoc Java ae 2 Zot: arithme;cal plugin for Zot Bounded SAT for CLTL and CLTLoc SMT based (Sa;sfiability Modulo Theory)

27 Simple Experiments S = Fq q C 2 q G ( ) QTLc specifica;on S q ( ) P1 = G F (0,0.5) q MITL Proper;es P1 and P2 ( q ) P2 = G F (0,0.5) q Formula T K S 24s 25 S P1 50s 25 S P2 57m 25 SAT UNSAT

28 Conclusions CLTL- over- clocks can be considered as a target language to reduce decision problems of various con;nuous- ;me formalisms MITL, QTL and QTLc (this paper) QTLp= QTLc, but QTLp could be given a (more efficient) direct transla;on but in principle also Timed Automata or Timed Petri Nets. To the best of our knowledge, our approach is the first allowing an effec;ve implementa;on of a fully automated verifica;on tool for con;nuous- ;me metric temporal logics

29 The end!

30 Clocks Alur&Dill clocks (e.g., ;med automata) Nonnega;ve strongly monotonic (except for resets ) Xz > z z: Clock progressiveness 1 (non Zeno signals) G(z 0) G(Xz=0 Xz>z) (GF(z=0) FG(z>max z )) 1 A Theory of Timed Automata, Alur, Dill, 1994 G(φ) = F( φ) = (TU φ)