On Signal Temporal Logic

Transcription

1 On Signal Temporal Logic Alexandre Donzé University of California, Berkeley February 3, 2014 Alexandre Donzé EECS Spring / 52

2 Outline Signal Temporal Logic From LTL to STL Robust Semantics 2 Robust Monitoring of STL 3 STL Problems PSTL and Parameter Synthesis Falsification Specification Mining Alexandre Donzé Signal Temporal Logic EECS Spring / 52

3 Outline Signal Temporal Logic From LTL to STL Robust Semantics 2 Robust Monitoring of STL 3 STL Problems PSTL and Parameter Synthesis Falsification Specification Mining Alexandre Donzé Signal Temporal Logic EECS Spring / 52

4 Temporal logics in a nutshell Temporal logics specify patterns that timed behaviors of systems may or may not satisfy. The most intuitive is the Linear Temporal Logic (LTL), dealing with discrete sequences of states. Based on logic operators (,, ) and temporal operators: next, always (G), eventually (F) and until (U) Alexandre Donzé Signal Temporal Logic EECS Spring / 52

5 Linear Temporal Logic An LTL formula ϕ is evaluated on a sequence, e.g., w = aaabbaaa... At each step of w, we can define a truth value of ϕ, noted χ ϕ (w, i) LTL atoms are symbols: a, b: i = w = a a a b b a a a... χ a (w, i) = χ b (w, i) = Alexandre Donzé Signal Temporal Logic EECS Spring / 52

6 LTL, Temporal Operators ( next ), G ( globally ), F ( eventually ) and U ( until ). They are evaluated at each step wrt the future of sequences Trace w = a a a b b a a a... b (next) χ b (w, i) = ?... G a (always) χ Ga (w, i) = ? 1? 1?... F b (eventually) χ Fb (w, i) = ? 0? 0?... a U b (until) χ aub (w, i) = ? 0? 0?... Remarks χ is acausal: it depends on future events Finite sequences semantics allows to define a unique value (w, i) Notation: w = ϕ χ ϕ (w, 0) = 1 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

7 LTL, Temporal Operators ( next ), G ( globally ), F ( eventually ) and U ( until ). They are evaluated at each step wrt the future of sequences Trace w = a a a b b a a a... b (next) χ b (w, i) = ?... G a (always) χ Ga (w, i) = ? 1? 1?... F b (eventually) χ Fb (w, i) = ? 0? 0?... a U b (until) χ aub (w, i) = ? 0? 0?... Remarks χ is acausal: it depends on future events Finite sequences semantics allows to define a unique value (w, i) Notation: w = ϕ χ ϕ (w, 0) = 1 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

8 LTL, Temporal Operators ( next ), G ( globally ), F ( eventually ) and U ( until ). They are evaluated at each step wrt the future of sequences Trace w = a a a b b a a a... b (next) χ b (w, i) = ?... G a (always) χ Ga (w, i) = ? 1? 1?... F b (eventually) χ Fb (w, i) = ? 0? 0?... a U b (until) χ aub (w, i) = ? 0? 0?... Remarks χ is acausal: it depends on future events Finite sequences semantics allows to define a unique value (w, i) Notation: w = ϕ χ ϕ (w, 0) = 1 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

9 LTL, Temporal Operators ( next ), G ( globally ), F ( eventually ) and U ( until ). They are evaluated at each step wrt the future of sequences Trace w = a a a b b a a a... b (next) χ b (w, i) = ?... G a (always) χ Ga (w, i) = ? 1? 1?... F b (eventually) χ Fb (w, i) = ? 0? 0?... a U b (until) χ aub (w, i) = ? 0? 0?... Remarks χ is acausal: it depends on future events Finite sequences semantics allows to define a unique value (w, i) Notation: w = ϕ χ ϕ (w, 0) = 1 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

10 LTL, Temporal Operators ( next ), G ( globally ), F ( eventually ) and U ( until ). They are evaluated at each step wrt the future of sequences Trace w = a a a b b a a a... b (next) χ b (w, i) = ?... G a (always) χ Ga (w, i) = ? 1? 1?... F b (eventually) χ Fb (w, i) = ? 0? 0?... a U b (until) χ aub (w, i) = ? 0? 0?... Remarks χ is acausal: it depends on future events Finite sequences semantics allows to define a unique value (w, i) Notation: w = ϕ χ ϕ (w, 0) = 1 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

11 Model-Checking Suppose w are execution traces of some system M System M aaaabbbaa... Property ϕ Model-checking: proving that M = ϕ where M = ϕ For all w in traces(m), χ ϕ (w, 0) = 1 Monitoring: computing χ ϕ (w, 0) for finite sets of w Remark: Statistical model checking Doing statistics on χ ϕ (w, 0) for populations of w Alexandre Donzé Signal Temporal Logic EECS Spring / 52

12 Model-Checking Suppose w are execution traces of some system M System M aaaabbbaa... Property ϕ Model-checking: proving that M = ϕ where M = ϕ For all w in traces(m), χ ϕ (w, 0) = 1 Monitoring: computing χ ϕ (w, 0) for finite sets of w Remark: Statistical model checking Doing statistics on χ ϕ (w, 0) for populations of w Alexandre Donzé Signal Temporal Logic EECS Spring / 52

13 Model-Checking Suppose w are execution traces of some system M System M aaaabbbaa... Property ϕ Model-checking: proving that M = ϕ where M = ϕ For all w in traces(m), χ ϕ (w, 0) = 1 Monitoring: computing χ ϕ (w, 0) for finite sets of w Remark: Statistical model checking Doing statistics on χ ϕ (w, 0) for populations of w Alexandre Donzé Signal Temporal Logic EECS Spring / 52

14 Temporal Logics in the Wild Model checking temporal logics successful in formal verification and synthesis for hardware digital circuits Most on-going research in model checking aims at software But growing interest/needs in even scarier fields such as analog/mixed-signal circuits, systems biology, cyber-physical systems Tendency to move from discrete-time discrete systems to hybrid (discrete-continuous) systems Alexandre Donzé Signal Temporal Logic EECS Spring / 52

15 Temporal Logics in the Wild Model checking temporal logics successful in formal verification and synthesis for hardware digital circuits Most on-going research in model checking aims at software But growing interest/needs in even scarier fields such as analog/mixed-signal circuits, systems biology, cyber-physical systems Tendency to move from discrete-time discrete systems to hybrid (discrete-continuous) systems Alexandre Donzé Signal Temporal Logic EECS Spring / 52

16 Temporal Logics in the Wild Model checking temporal logics successful in formal verification and synthesis for hardware digital circuits Most on-going research in model checking aims at software But growing interest/needs in even scarier fields such as analog/mixed-signal circuits, systems biology, cyber-physical systems Tendency to move from discrete-time discrete systems to hybrid (discrete-continuous) systems Alexandre Donzé Signal Temporal Logic EECS Spring / 52

17 Temporal Logics in the Wild Model checking temporal logics successful in formal verification and synthesis for hardware digital circuits Most on-going research in model checking aims at software But growing interest/needs in even scarier fields such as analog/mixed-signal circuits, systems biology, cyber-physical systems Tendency to move from discrete-time discrete systems to hybrid (discrete-continuous) systems Alexandre Donzé Signal Temporal Logic EECS Spring / 52

18 Temporal Logics in the Wild Vdd ids1 ids2 Vd1 C C Vd2 Vctrl L R R L IL1 IL2 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

19 Temporal Logics in the Wild Alexandre Donzé Signal Temporal Logic EECS Spring / 52

20 Temporal Logics in the Wild Alexandre Donzé Signal Temporal Logic EECS Spring / 52

21 Temporal Logics in the Wild On Temporal Logic and Signal Processing, A. Donzé, O. Maler, E. Bartocci, D. Nickovic, R. Grosu, S. Smolka ATVA 2012 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

22 From LTL to STL Extension of LTL with real-time and real-valued constraints Ex: request-grant property LTL G( r => F g) Boolean predicates, discrete-time Alexandre Donzé Signal Temporal Logic EECS Spring / 52

23 From LTL to STL Extension of LTL with real-time and real-valued constraints Ex: request-grant property LTL G( r => F g) Boolean predicates, discrete-time Alexandre Donzé Signal Temporal Logic EECS Spring / 52

24 From LTL to STL Extension of LTL with real-time and real-valued constraints Ex: request-grant property LTL G( r => F g) Boolean predicates, discrete-time MTL G( r => F [0,.5s] g ) Boolean predicates, real-time Alexandre Donzé Signal Temporal Logic EECS Spring / 52

25 From LTL to STL Extension of LTL with real-time and real-valued constraints Ex: request-grant property LTL G( r => F g) Boolean predicates, discrete-time MTL G( r => F [0,.5s] g ) Boolean predicates, real-time STL G( x[t] > 0 => F [0,.5s] y[t] > 0 ) Predicates over real values, real-time Alexandre Donzé Signal Temporal Logic EECS Spring / 52

26 STL Syntax MTL/STL Formulas ϕ := µ ϕ ϕ ψ ϕ U [a,b] ψ = Eventually is F [a,b] ϕ = U [a,b] ϕ Always is G [a,b] ϕ = ( F [a,b] ϕ) STL Predicates STL adds an analog layer to MTL. Assume signals x 1 [t], x 2 [t],..., x n [t], then atomic predicates are of the form: µ = f (x 1 [t],..., x n [t]) > 0 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

27 STL Syntax MTL/STL Formulas ϕ := µ ϕ ϕ ψ ϕ U [a,b] ψ = Eventually is F [a,b] ϕ = U [a,b] ϕ Always is G [a,b] ϕ = ( F [a,b] ϕ) STL Predicates STL adds an analog layer to MTL. Assume signals x 1 [t], x 2 [t],..., x n [t], then atomic predicates are of the form: µ = f (x 1 [t],..., x n [t]) > 0 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

28 STL Semantics The satisfaction of a formula ϕ by a signal x = (x 1,..., x n ) at time t is (x, t) = µ f (x 1 [t],..., x n [t]) > (x, t) = ϕ ψ (x, t) = ϕ (x, t) = ψ (x, t) = ϕ ((x, t) = ϕ) (x, t) = ϕ U [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ t [t, t ], (x, t ) = ϕ} Eventually is F [a,b] ϕ = U [a,b] ϕ (x, t) = F [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ Always is G [a,b] ϕ = ( F [a,b] ϕ) (x, t) = G [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ Alexandre Donzé Signal Temporal Logic EECS Spring / 52

29 STL Semantics The satisfaction of a formula ϕ by a signal x = (x 1,..., x n ) at time t is (x, t) = µ f (x 1 [t],..., x n [t]) > (x, t) = ϕ ψ (x, t) = ϕ (x, t) = ψ (x, t) = ϕ ((x, t) = ϕ) (x, t) = ϕ U [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ t [t, t ], (x, t ) = ϕ} Eventually is F [a,b] ϕ = U [a,b] ϕ (x, t) = F [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ Always is G [a,b] ϕ = ( F [a,b] ϕ) (x, t) = G [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ Alexandre Donzé Signal Temporal Logic EECS Spring / 52

30 STL Semantics The satisfaction of a formula ϕ by a signal x = (x 1,..., x n ) at time t is (x, t) = µ f (x 1 [t],..., x n [t]) > (x, t) = ϕ ψ (x, t) = ϕ (x, t) = ψ (x, t) = ϕ ((x, t) = ϕ) (x, t) = ϕ U [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ t [t, t ], (x, t ) = ϕ} Eventually is F [a,b] ϕ = U [a,b] ϕ (x, t) = F [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ Always is G [a,b] ϕ = ( F [a,b] ϕ) (x, t) = G [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ Alexandre Donzé Signal Temporal Logic EECS Spring / 52

31 STL Examples Alexandre Donzé Signal Temporal Logic EECS Spring / 52

32 STL Examples The signal is never above 3.5 ϕ := G (x[t] < 3.5) Alexandre Donzé Signal Temporal Logic EECS Spring / 52

33 STL Examples Between 2s and 6s the signal is between -2 and 2 ϕ := G [2,6] ( x[t] < 2) s 6 s 2 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

34 STL Examples Always x >0.5 after 1 s, x settles under 0.5 for 1.5 s ϕ := G(x[t] >.5 F [0,.6] ( G [0,1.5] x[t] < 0.5)) s 1.5 s 1 s 1.5 s 1 s 1.5 s Alexandre Donzé Signal Temporal Logic EECS Spring / 52

35 Model-Checking STL Models are generally hybrid systems producing hybrid traces Model-Checking untractable except in restrictive cases, resort to monitoring Quantitative satisfaction of STL can accomodate noise/approximations and more Hybrid System ẋ = f q (x) q 1 q 0 q 2 Simulation q 0 q 1 Tool Support: Breach Toolbox Alexandre Donzé Signal Temporal Logic EECS Spring / 52

36 Model-Checking STL Models are generally hybrid systems producing hybrid traces Model-Checking untractable except in restrictive cases, resort to monitoring Quantitative satisfaction of STL can accomodate noise/approximations and more Hybrid System ẋ = f q (x) q 1 q 0 q 2 Simulation q 0 q 1 x(t) STL monitoring Property ϕ G [ q 0 F[0, 1] q 2U[0,.2](x.5) ] ok ok Tool Support: Breach Toolbox Alexandre Donzé Signal Temporal Logic EECS Spring / 52

37 Model-Checking STL Models are generally hybrid systems producing hybrid traces Model-Checking untractable except in restrictive cases, resort to monitoring Quantitative satisfaction of STL can accomodate noise/approximations and more ok Hybrid System ẋ = f q (x) q 0 q 1 q 2 Simulation q 0 q 1 x(t) ± ε STL monitoring Property ϕ G [ q 0 F[0, 1] q 2U[0,.2](x.5) ] Tool Support: Breach Toolbox ok Alexandre Donzé Signal Temporal Logic EECS Spring / 52

38 Model-Checking STL Models are generally hybrid systems producing hybrid traces Model-Checking untractable except in restrictive cases, resort to monitoring Quantitative satisfaction of STL can accomodate noise/approximations and more ok Hybrid System ẋ = f q (x) q 0 q 1 q 2 Simulation q 0 q 1 x(t) ± ε STL monitoring Property ϕ G [ q 0 F[0, 1] q 2U[0,.2](x.5) ] ε Tool Support: Breach Toolbox ok Alexandre Donzé Signal Temporal Logic EECS Spring / 52

39 Outline Signal Temporal Logic From LTL to STL Robust Semantics 2 Robust Monitoring of STL 3 STL Problems PSTL and Parameter Synthesis Falsification Specification Mining Alexandre Donzé Signal Temporal Logic EECS Spring / 52

40 STL Semantics The validity of a formula ϕ with respect to a signal x = (x 1,..., x n ) at time t is (x, t) = µ f (x 1 [t],..., x n [t]) > 0 (x, t) = ϕ ψ (x, t) = ϕ (x, t) = ψ (x, t) = ϕ ((x, t) = ϕ) (x, t) = ϕ U [a,b] ψ t [t + a, t + b] such that (x, t ) = ψ t [t, t ], (x, t ) = ϕ} Alexandre Donzé Signal Temporal Logic EECS Spring / 52

41 STL Satisfaction Function The semantics can be defined as function χ ϕ (x, t) such that: x, t = ϕ χ ϕ (x, t) = Considering Booleans (B, <, ) as an order with involution: χ µ (x, t) = f (x 1 [t],..., x n [t]) > 0 χ ϕ (x, t) = χ ϕ (x, t) χ ϕ 1 ϕ 2 (x, t) = min(χ ϕ 1 (x, t), χ ϕ 2 (w, t)) χ ϕ 1 U [a,b] ϕ 2 (x, t) = max τ t+[a,b] (min(χϕ 2 (x, τ), min s [t,τ] χϕ 1 (x, s)) Alexandre Donzé Signal Temporal Logic EECS Spring / 52

42 Example Consider a simple piecewise affine signal: x t Satisfaction signal of : ϕ = x 2 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

43 Example Consider a simple piecewise affine signal: x t Satisfaction signal of : ϕ = x 2 Alexandre Donzé Signal Temporal Logic EECS Spring / 52

44 Example Consider a simple piecewise affine signal: x t Satisfaction signal of : ϕ = x 2 ϕ = F(x 2) Alexandre Donzé Signal Temporal Logic EECS Spring / 52

45 Example Consider a simple piecewise affine signal: x t Satisfaction signal of : ϕ = x 2 ϕ = F [0,0.5] (x 2) Alexandre Donzé Signal Temporal Logic EECS Spring / 52

46 Robust Satisfaction Signal The Reals (R, <, ) also form an order with involution: ρ µ (x, t) = f (x 1 [t],..., x n [t]) ρ ϕ (x, t) = ρ ϕ (x, t) ρ ϕ 1 ϕ 2 (x, t) = min(ρ ϕ 1 (x, t), ρ ϕ 2 (w, t)) ρ ϕ 1 U [a,b] ϕ 2 (x, t) = sup (min(ρ ϕ 2 (x, τ), τ t+[a,b] inf s [t,τ] ρϕ 1 (x, s)) Alexandre Donzé Signal Temporal Logic EECS Spring / 52

47 Property of Robust Satisfaction Signal Sign indicates satisfaction status ρ ϕ (x, t) > 0 x, t ϕ ρ ϕ (x, t) < 0 x, t ϕ Absolute value indicates tolerance x, t ϕ and x x ρ ϕ (x, t) x, t ϕ x, t ϕ and x x ρ ϕ (x, t) x, t ϕ Alexandre Donzé Signal Temporal Logic EECS Spring / 52

48 Property of Robust Satisfaction Signal Sign indicates satisfaction status ρ ϕ (x, t) > 0 x, t ϕ ρ ϕ (x, t) < 0 x, t ϕ Absolute value indicates tolerance x, t ϕ and x x ρ ϕ (x, t) x, t ϕ x, t ϕ and x x ρ ϕ (x, t) x, t ϕ Alexandre Donzé Signal Temporal Logic EECS Spring / 52

49 Outline Signal Temporal Logic From LTL to STL Robust Semantics 2 Robust Monitoring of STL 3 STL Problems PSTL and Parameter Synthesis Falsification Specification Mining Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

50 Robust Monitoring A robust STL monitor is a transducer that transform x into ρ ϕ (x,.) In practice Trace: time words over alphabet R, linear interpolation Input: x( ) (t i, x(t i )) i N 0utput: ρ ϕ (x, ) (r j, z(r j )) j N Continuity, and piecewise affine property preserved Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

51 Robust Monitoring A robust STL monitor is a transducer that transform x into ρ ϕ (x,.) x[t] STL Monitor Formula ϕ ρ ϕ (x, )/χ ϕ (x, ) Quant. sat Bool. sat In practice Trace: time words over alphabet R, linear interpolation Input: x( ) (t i, x(t i )) i N 0utput: ρ ϕ (x, ) (r j, z(r j )) j N Continuity, and piecewise affine property preserved Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

52 Robust Monitoring A robust STL monitor is a transducer that transform x into ρ ϕ (x,.) x[t] STL Monitor Formula ϕ ρ ϕ (x, )/χ ϕ (x, ) Quant. sat Bool. sat In practice Trace: time words over alphabet R, linear interpolation Input: x( ) (t i, x(t i )) i N 0utput: ρ ϕ (x, ) (r j, z(r j )) j N Continuity, and piecewise affine property preserved Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

53 Computing the Robust Satisfaction Function ( Donze, Ferrere, Maler, Efficient Robust Monitoring of STL Formula, CAV 13) Atomic transducers compute in linear time in the size of the input Key idea is to exploit efficient streaming algorithm (Lemire s) computing the max and min over a moving window The function ρ ϕ (x, t) is computed inductively on the structure of ϕ linear time complexity in size of x is preserved exponential worst case complexity in the size of ϕ Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

54 Boolean operators Negation Input signal: (t i, x(t i )) i nx Output signal: (t i, x(t i )) i nx Conjunction Input signals: (t i, x(t i )) i nx, (t i, x (t i)) i nx Output signal: (r i, z(r i )) i nz Time sequence r contains t, t, and punctual intersections x x Value z(r i ) = min{x(r i ), x (r i )} Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

55 Boolean operators Negation Input signal: (t i, x(t i )) i nx Output signal: (t i, x(t i )) i nx Conjunction Input signals: (t i, x(t i )) i nx, (t i, x (t i)) i nx Output signal: (r i, z(r i )) i nz Time sequence r contains t, t, and punctual intersections x x Value z(r i ) = min{x(r i ), x (r i )} Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

56 Until Rewrite Property Boolean Semantics ϕu [a,b] ψ G [0,a] ϕ F [a,b] ψ F {a} (ϕuψ) Quantitative Semantics ρ ϕu[a,b]ψ (x, t) = ρ G [0,a]ϕ F [a,b] ψ F {a} (ϕuψ) (x, t) Combines untimed until and timed eventually Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

57 Until Rewrite Property Boolean Semantics ϕu [a,b] ψ G [0,a] ϕ F [a,b] ψ F {a} (ϕuψ) Quantitative Semantics ρ ϕu[a,b]ψ (x, t) = ρ G [0,a]ϕ F [a,b] ψ F {a} (ϕuψ) (x, t) Combines untimed until and timed eventually Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

58 Untimed Until Computed by backward induction: For all s < t, we note x [s,t) the restriction of x to [s, t). Boolean Semantics x, s ϕuψ iff x [s,t), s ϕuψ or ( x [s,t), s Gϕ and x, t ϕuψ ) Quantitative Semantics ρ ϕuψ (x, s) = max { ρ ϕuψ (x [s,t), s), min{ρ(gϕ, x [s,t), s), ρ(ϕuψ, x, t)} } Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

59 Untimed Until Computed by backward induction: For all s < t, we note x [s,t) the restriction of x to [s, t). Boolean Semantics x, s ϕuψ iff x [s,t), s ϕuψ or ( x [s,t), s Gϕ and x, t ϕuψ ) Quantitative Semantics ρ ϕuψ (x, s) = max { ρ ϕuψ (x [s,t), s), min{ρ(gϕ, x [s,t), s), ρ(ϕuψ, x, t)} } Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

60 Timed Eventually Definition: ρ F [a,b]ϕ (x, t) = sup ρ ϕ (x, t) = sup x t [t+a,t+b] [t+a,t+b] Computation: the maximum is reached at t + a, t + b, or at sample point in {t i t i (t + a, t + b]} max{x(t i ) t i (t + a, t + b]} computed by Lemire s algorithm: we maintain an ordered set M such that max{x(t i ) i M } = max{x(t i ) t i (t + a, t + b]} Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

61 Timed Eventually: two steps in Lemire s algorithm a b Maximum candidates {x(t i ) i M } = {u 1, u 2, u 3, u 4 } Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

62 Timed Eventually: two steps in Lemire s algorithm t+a t+b Maximum candidates {x(t i ) i M } = {u 1, u 2, u 3 } Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

63 Timed Eventually: two steps in Lemire s algorithm t+a t+b Maximum candidates {x(t i ) i M } = {u 2, u 3 } Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

64 Performance Results ϕ = 50,Time ρ n y Computation Time (s) ϕ = 25,Time ρ n y 0.5 ϕ = 1,Time ρ n y 0 0 2e4 4e4 6e4 8e4 10e4 Signal size n y Alexandre Donzé Robust Monitoring of STL EECS Spring / 52

65 1 Signal Temporal Logic From LTL to STL Robust Semantics 2 Robust Monitoring of STL 3 STL Problems PSTL and Parameter Synthesis Falsification Specification Mining Alexandre Donzé STL Problems EECS Spring / 52

66 Parametric STL Informally, a PSTL formula is an STL formula where (some) numeric constants are left unspecified, represented by symbolic parameters. Definition (PSTL syntax) ϕ := µ(x[t]) > π ϕ ϕ ψ ϕ U [τ1,τ 2 ] ψ where π is a scale parameter τ 1, τ 2 are time parameters Alexandre Donzé STL Problems EECS Spring / 52

67 Parametric STL - Illustration After 2s, the signal is never above 3 ϕ := F [2, ] (x[t] < 3) Alexandre Donzé STL Problems EECS Spring / 52

68 Parametric STL - Illustration After 2s, the signal is never above 3 ϕ := F [2, ] (x[t] < 3) Alexandre Donzé STL Problems EECS Spring / 52

69 Parametric STL - Illustration After τ s, the signal is never above π ϕ := G [τ, ] (x[t] < π) τ? π? Alexandre Donzé STL Problems EECS Spring / 52

70 Parameter synthesis for PSTL Problem Given a system S with a PSTL formula with n symbolic parameters ϕ(p 1,..., p n ), find a tight valuation function v such that x, t = ϕ(v(p 1 ),..., v(p n )), Informally, a valuation v is tight if there exists a valuation v in a δ-close neighborhood of v, with δ small, such that x, t =/ ϕ(v (p 1 ),..., v (p n )) Alexandre Donzé STL Problems EECS Spring / 52

71 Example ( ) ϕ := G x[t] > π F [0,τ1 ] ( G [0,τ2 ] x[t] < π) Valuation 1: π 1.5, τ 1 1s, τ s Valuation 2 (tight): π.5, τ s, τ 2 2 s Alexandre Donzé STL Problems EECS Spring / 52

72 Example ( ) ϕ := G x[t] > π F [0,τ1 ] ( G [0,τ2 ] x[t] < π) Valuation 1: π 1.5, τ 1 1s, τ s Valuation 2 (tight): π.5, τ s, τ 2 2 s π τ 1 s τ 2 s Alexandre Donzé STL Problems EECS Spring / 52

73 Example ( ) ϕ := G x[t] > π F [0,τ1 ] ( G [0,τ2 ] x[t] < π) Valuation 1: π 1.5, τ 1 1s, τ s Valuation 2 (tight): π.5, τ s, τ 2 2 s π τ 1 s τ 2 s Alexandre Donzé STL Problems EECS Spring / 52

74 Parameter synthesis Challenges Multiple solutions: which one to chose? Tightness implies to optimize the valuation v(p i ) for each p i The problem can be greatly simplified if the formula is monotonic in each p i. Definition A PSTL formula ϕ(p 1,, p n ) is monotonically increasing wrt p i if x = ϕ(v(p 1 ),..., v(p i ),...) x, v, v, v(p j ) = v (p j ), j i x = ϕ(v (p 1 ),..., v (p i ),...) v (p i ) v(p i ) It is monotonically decreasing if this holds when replacing v (p i ) v(p i ) with v (p i ) v(p i ). Alexandre Donzé STL Problems EECS Spring / 52

75 Parameter synthesis Challenges Multiple solutions: which one to chose? Tightness implies to optimize the valuation v(p i ) for each p i The problem can be greatly simplified if the formula is monotonic in each p i. Definition A PSTL formula ϕ(p 1,, p n ) is monotonically increasing wrt p i if x = ϕ(v(p 1 ),..., v(p i ),...) x, v, v, v(p j ) = v (p j ), j i x = ϕ(v (p 1 ),..., v (p i ),...) v (p i ) v(p i ) It is monotonically decreasing if this holds when replacing v (p i ) v(p i ) with v (p i ) v(p i ). Alexandre Donzé STL Problems EECS Spring / 52

76 Monotonic Validity Domains The validity domain D of ϕ and x is the set of valuations v s.t. x = ϕ(v) A tight valuation is a valuation in D close to its boundary 100 D 120 In case of monoticity, D has the structure of a Pareto front which can be estimated with generalized binary search heuristics p 1 D(x, ϕ) D(x, ϕ) Exact D(x, ϕ) p 2 Alexandre Donzé STL Problems EECS Spring / 52

77 Monotonic Validity Domains The validity domain D of ϕ and x is the set of valuations v s.t. x = ϕ(v) A tight valuation is a valuation in D close to its boundary 100 D 120 In case of monoticity, D has the structure of a Pareto front which can be estimated with generalized binary search heuristics p 1 D(x, ϕ) D(x, ϕ) x p 2 Alexandre Donzé STL Problems EECS Spring / 52

78 Monotonic Validity Domains The validity domain D of ϕ and x is the set of valuations v s.t. x = ϕ(v) A tight valuation is a valuation in D close to its boundary 100 D 120 In case of monoticity, D has the structure of a Pareto front which can be estimated with generalized binary search heuristics p 1 D(x, ϕ) D(x, ϕ) x p 2 Alexandre Donzé STL Problems EECS Spring / 52

79 Monotonic Validity Domains The validity domain D of ϕ and x is the set of valuations v s.t. x = ϕ(v) A tight valuation is a valuation in D close to its boundary 100 D 120 In case of monoticity, D has the structure of a Pareto front which can be estimated with generalized binary search heuristics p 1 D(x, ϕ) D(x, ϕ) x p 2 Alexandre Donzé STL Problems EECS Spring / 52

80 Monotonic Validity Domains The validity domain D of ϕ and x is the set of valuations v s.t. x = ϕ(v) A tight valuation is a valuation in D close to its boundary 100 D 120 In case of monoticity, D has the structure of a Pareto front which can be estimated with generalized binary search heuristics p 1 D(x, ϕ) D(x, ϕ) x p 2 Alexandre Donzé STL Problems EECS Spring / 52

81 Monotonic Validity Domains The validity domain D of ϕ and x is the set of valuations v s.t. x = ϕ(v) A tight valuation is a valuation in D close to its boundary 100 D 120 In case of monoticity, D has the structure of a Pareto front which can be estimated with generalized binary search heuristics p 1 D(x, ϕ) D(x, ϕ) x x p 2 Alexandre Donzé STL Problems EECS Spring / 52

82 Monotonic Validity Domains The validity domain D of ϕ and x is the set of valuations v s.t. x = ϕ(v) A tight valuation is a valuation in D close to its boundary 100 D 120 In case of monoticity, D has the structure of a Pareto front which can be estimated with generalized binary search heuristics p 1 D(x, ϕ) D(x, ϕ) x x x p 2 Alexandre Donzé STL Problems EECS Spring / 52

83 Monotonic Validity Domains The validity domain D of ϕ and x is the set of valuations v s.t. x = ϕ(v) A tight valuation is a valuation in D close to its boundary 100 D 120 In case of monoticity, D has the structure of a Pareto front which can be estimated with generalized binary search heuristics p 1 D(x, ϕ) D(x, ϕ) x x x p 2 Alexandre Donzé STL Problems EECS Spring / 52

84 Deciding Monotonicity Simple cases f (x) > π Deciding monotonicity can be encoded in an SMT query However, the problem is undecidable, due to undecidabilty of STL f (x) < π G [0,τ] ϕ F [0,τ] ϕ etc General case In practice, monotonicity can be decided easily (in our experience so far) Alexandre Donzé STL Problems EECS Spring / 52

85 Deciding Monotonicity Simple cases f (x) > π Deciding monotonicity can be encoded in an SMT query However, the problem is undecidable, due to undecidabilty of STL f (x) < π G [0,τ] ϕ F [0,τ] ϕ etc General case In practice, monotonicity can be decided easily (in our experience so far) Alexandre Donzé STL Problems EECS Spring / 52

86 1 Signal Temporal Logic From LTL to STL Robust Semantics 2 Robust Monitoring of STL 3 STL Problems PSTL and Parameter Synthesis Falsification Specification Mining Alexandre Donzé STL Problems EECS Spring / 52

87 Solving the Falsification problem Problem Given the system: u(t) System S S(u(t)) Find an input signal u U such that S(u(t)), 0 =/ ϕ In practice We parameterize U and reduce the problem to a parameter synthesis problem within some set P u The search of a solution is guided by the quantitative measure of satisfaction of ϕ Alexandre Donzé STL Problems EECS Spring / 52

88 Solving the Falsification problem Problem Given the system: u(t) System S S(u(t)) Find an input signal u U such that S(u(t)), 0 =/ ϕ In practice We parameterize U and reduce the problem to a parameter synthesis problem within some set P u The search of a solution is guided by the quantitative measure of satisfaction of ϕ Alexandre Donzé STL Problems EECS Spring / 52

89 Parameterizing the Input Space Input parameter set P u Input signals u(t) U Note The set of input signals generated by P u is in general a subset of U I.e., we do not guarantee completeness. Alexandre Donzé STL Problems EECS Spring / 52

90 Falsification with Quantitative Satisfaction Given a formula ϕ, a signal x and a time t, recall that we have: ρ ϕ (x, t) > 0 x, t ϕ ρ ϕ (x, t) < 0 x, t ϕ ok p u System S x(t) STL Monitor ϕ ρ ϕ (x, t) As x is obtained by simulation using input parameters p u, the falsification problem can be reduced to solving If ρ < 0, we found a counterexample. ρ = min p u P u ρ ϕ (x, 0) ok Alexandre Donzé STL Problems EECS Spring 2014 / 52

91 Falsification with Quantitative Satisfaction Given a formula ϕ, a signal x and a time t, recall that we have: ρ ϕ (x, t) > 0 x, t ϕ ρ ϕ (x, t) < 0 x, t ϕ ok p u System S x(t) STL Monitor ϕ ρ ϕ (x, t) As x is obtained by simulation using input parameters p u, the falsification problem can be reduced to solving If ρ < 0, we found a counterexample. ρ = min p u P u ρ ϕ (x, 0) ok Alexandre Donzé STL Problems EECS Spring 2014 / 52

92 Optimizing Satisfaction Function Solving ρ = min p u P u F(p u ) = ρ ϕ (x, 0) is difficultin general, as nothing can be assumed on F. In practice, use of global nonlinear optimization algorithms Success will depend on how smooth is F u, its local optima, etc Critical is the ability to compute ρ efficiently. Alexandre Donzé STL Problems EECS Spring / 52

93 Smoothing Quantitative Satisfaction Functions Depending on how ρ is defined, the function to optimize can have different profiles Alexandre Donzé STL Problems EECS Spring / 52

94 Smoothing Quantitative Satisfaction Functions Depending on how ρ is defined, the function to optimize can have different profiles (not (ev_[0, 5] (gear4w))) and (not ((ev (speed[t]>70)) and (alw_[, inf] (speed[t]<30)))) Quantitative Satisfaction throttle_u dt_u0 Alexandre Donzé STL Problems EECS Spring / 52

95 Smoothing Quantitative Satisfaction Functions Depending on how ρ is defined, the function to optimize can have different profiles (not (ev_[0, 5] (gear4w))) and (not ((ev (speed[t]>70)) and (alw_[, inf] (speed[t]<30)))) Quantitative Satisfaction throttle_u dt_u0 Alexandre Donzé STL Problems EECS Spring / 52

96 1 Signal Temporal Logic From LTL to STL Robust Semantics 2 Robust Monitoring of STL 3 STL Problems PSTL and Parameter Synthesis Falsification Specification Mining Alexandre Donzé STL Problems EECS Spring / 52

97 Specification Mining Problem Consider the following automatic transmission system: 1 throttle Ti Throttle speed up_th Engine down_th Ne ShiftLogic ImprellerTorque EngineRPM gear CALC_TH Ne gear Ti OutputTorque Tout Nout Transmission Vehicle RPM 3 gear down_th run() gear up_th throttle ThresholdCalculation 2 TransmissionRPM VehicleSpeed 1 speed What is the maximum speed that the vehicule can reach? What is the minimum dwell time in a given gear? etc Alexandre Donzé STL Problems EECS Spring / 52

98 Specification Synthesis Our approach takes two major ingredients PSTL to formulate template specifications A counter-example guided inductive synthesis loop alternating parameter synthesis and falsification Alexandre Donzé STL Problems EECS Spring / 52

99 Template Specification Examples the speed is always below π 1 and RPM below π 2 ϕ sp_rpm (π 1, π 2 ) := G ( (speed < π 1 ) (RPM < π 2 ) ). the vehicle cannot reach 100 mph in τ seconds with RPM always below π ϕ rpm100 (τ, π) := ( F [0,τ] (speed > 100) G(RPM < π)). whenever it shift to gear 2, it dwells in gear 2 for at least τ seconds (( ) ) gear 2 ϕ stay (τ) := G G F [0,ε] gear = 2 [ε,τ] gear = 2. Alexandre Donzé STL Problems EECS Spring / 52

100 Template Specification Examples the speed is always below π 1 and RPM below π 2 ϕ sp_rpm (π 1, π 2 ) := G ( (speed < π 1 ) (RPM < π 2 ) ). the vehicle cannot reach 100 mph in τ seconds with RPM always below π ϕ rpm100 (τ, π) := ( F [0,τ] (speed > 100) G(RPM < π)). whenever it shift to gear 2, it dwells in gear 2 for at least τ seconds (( ) ) gear 2 ϕ stay (τ) := G G F [0,ε] gear = 2 [ε,τ] gear = 2. Alexandre Donzé STL Problems EECS Spring / 52

101 Template Specification Examples the speed is always below π 1 and RPM below π 2 ϕ sp_rpm (π 1, π 2 ) := G ( (speed < π 1 ) (RPM < π 2 ) ). the vehicle cannot reach 100 mph in τ seconds with RPM always below π ϕ rpm100 (τ, π) := ( F [0,τ] (speed > 100) G(RPM < π)). whenever it shift to gear 2, it dwells in gear 2 for at least τ seconds (( ) ) gear 2 ϕ stay (τ) := G G F [0,ε] gear = 2 [ε,τ] gear = 2. Alexandre Donzé STL Problems EECS Spring / 52

102 Specification Synthesis Algorithm init e u + Controller Plant Model y Simulation Traces Counterexample Traces Counterexample Found FindParam F [0,τ1](x 1 < π 1 G [0,τ2](x 2 > π 2 )) Template Specification Candidate Specification τ 1.7, π 1 2, π 2 3 FalsifyAlgo No Counterexample F [0,1.1] (x 1 < 3.7 G [0,5] (x 2 > 0.1)) Inferred Specification Alexandre Donzé STL Problems EECS Spring / 52

103 Specification Synthesis Algorithm init e u + Controller Plant Model y Simulation Traces Counterexample Traces Counterexample Found FindParam F [0,τ1](x 1 < π 1 G [0,τ2](x 2 > π 2 )) Template Specification Candidate Specification τ 1.7, π 1 2, π 2 3 FalsifyAlgo No Counterexample F [0,1.1] (x 1 < 3.7 G [0,5] (x 2 > 0.1)) Inferred Specification Alexandre Donzé STL Problems EECS Spring / 52

104 Specification Synthesis Algorithm init e u + Controller Plant Model y Simulation Traces Counterexample Traces Counterexample Found FindParam F [0,τ1](x 1 < π 1 G [0,τ2](x 2 > π 2 )) Template Specification Candidate Specification τ 1.7, π 1 2, π 2 3 FalsifyAlgo No Counterexample F [0,1.1] (x 1 < 3.7 G [0,5] (x 2 > 0.1)) Inferred Specification Alexandre Donzé STL Problems EECS Spring / 52

105 Specification Synthesis Algorithm init e u + Controller Plant Model y Simulation Traces Counterexample Traces Counterexample Found FindParam F [0,τ1](x 1 < π 1 G [0,τ2](x 2 > π 2 )) Template Specification Candidate Specification τ 1.7, π 1 2, π 2 3 FalsifyAlgo No Counterexample F [0,1.1] (x 1 < 3.7 G [0,5] (x 2 > 0.1)) Inferred Specification Alexandre Donzé STL Problems EECS Spring / 52

106 Specification Synthesis Algorithm init e u + Controller Plant Model y Simulation Traces Counterexample Traces Counterexample Found FindParam F [0,τ1](x 1 < π 1 G [0,τ2](x 2 > π 2 )) Template Specification Candidate Specification τ 1.7, π 1 2, π 2 3 FalsifyAlgo No Counterexample F [0,1.1] (x 1 < 3.7 G [0,5] (x 2 > 0.1)) Inferred Specification Alexandre Donzé STL Problems EECS Spring / 52

107 Specification Synthesis Algorithm init e u + Controller Plant Model y Simulation Traces Counterexample Traces Counterexample Found FindParam F [0,τ1](x 1 < π 1 G [0,τ2](x 2 > π 2 )) Template Specification Candidate Specification τ 1.7, π 1 2, π 2 3 FalsifyAlgo No Counterexample F [0,1.1] (x 1 < 3.7 G [0,5] (x 2 > 0.1)) Inferred Specification Alexandre Donzé STL Problems EECS Spring / 52

108 Specification Synthesis Algorithm init e u + Controller Plant Model y Simulation Traces Counterexample Traces Counterexample Found FindParam F [0,τ1](x 1 < π 1 G [0,τ2](x 2 > π 2 )) Template Specification Candidate Specification τ 1 1.1, π 1 3.7, π 2 5 FalsifyAlgo No Counterexample F [0,1.1] (x 1 < 3.7 G [0,5] (x 2 > 0.1)) Inferred Specification Alexandre Donzé STL Problems EECS Spring / 52

109 Specification Synthesis Algorithm init e u + Controller Plant Model y Simulation Traces Counterexample Traces Counterexample Found FindParam F [0,τ1](x 1 < π 1 G [0,τ2](x 2 > π 2 )) Template Specification Candidate Specification τ 1 1.1, π 1 3.7, π 2 5 FalsifyAlgo No Counterexample F [0,1.1] (x 1 < 3.7 G [0,5] (x 2 > 0.1)) Inferred Specification Alexandre Donzé STL Problems EECS Spring / 52

110 Results the speed is always below π 1 and RPM below π ϕ sp_rpm (π 1, π 2 ) := G ( (speed < π 1 ) (RPM < π 2 ) ). the vehicle cannot reach 100 mph in τ seconds with RPM always below π ϕ rpm100 (τ, π) := ( F [0,τ] (speed > 100) G(RPM < π)). whenever it shift to gear 2, it dwells in gear 2 for at least τ seconds (( ) ) gear 2 ϕ stay (τ) := G G F [0,ε] gear = 2 [ε,τ] gear = 2. Template Parameter values Fals. Synth. #Sim. Sat./x ϕ sp_rpm(π 1, π 2 ) (155 mph, 4858 rpm) s 23.1 s s ϕ rpm100(π, τ) ( rpm, s) s s s ϕ rpm100(τ, π) (4997 rpm, s) s s s ϕ stay(π) 1.79 s s s s Alexandre Donzé STL Problems EECS Spring / 52

111 0 Results on Industrial-scale Model 00+ Simulink blocks Look-up tables nonlinear dynamics Attempt to mine maximum observed settling time: stops after 4 iterations gives answer tsettle = simulation time horizon... Alexandre Donzé STL Problems EECS Spring / 52

112 0 Results on Industrial-scale Model The above trace found an actual (unexpected) bug in the model The cause was identified as a wrong value in a look-up table Alexandre Donzé STL Problems EECS Spring / 52

113 Conclusion A lot of work still to be done: Online monitoring and mining STL and timed/hybrid automa Better falsification/optimization of satisfaction functions STL templates mining (beyond parameters in PSTL) Helping designers writing and using STL Alexandre Donzé Conclusion EECS Spring / 52