Organising LTL Monitors over Systems with a Global Clock

Size: px

Start display at page:

Download "Organising LTL Monitors over Systems with a Global Clock"

Juniper Robertson
5 years ago
Views:

Andreas Bauer (NICTA Canberra, Australia)

Univ. Grenoble Alpes, Inria, Laboratoire d

Workshop, Bertinoro, Italy Y. Falcone (Univ.

1 Organising LTL Monitors over Systems with a Global Clock Yliès Falcone joint work with Andreas Bauer (NICTA Canberra, Australia) and Christian Colombo (U of Malta, Malta) Univ. Grenoble Alpes, Inria, Laboratoire d Informatique de Grenoble, France DRV Workshop, Bertinoro, Italy Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 1 / 48

2 Outline 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 2 / 48

3 Outline Background 1 Background Monitoring Linear-time Temporal Logic (for monitoring) 2 Motivations 3 Decentralised Monitoring of LTL formulae 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 3 / 48

4 Outline Background 1 Background Monitoring Linear-time Temporal Logic (for monitoring) 2 Motivations 3 Decentralised Monitoring of LTL formulae 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 4 / 48

5 Classical runtime validation method: monitoring Runtime Verification [Klaus Havelund, Grigore Rosu] A lightweight verification technique bridging the gap between testing and verification Checking whether a run of the system under scrutiny satisfies a given correctness specification Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 5 / 48

6 Classical runtime validation method: monitoring Runtime Verification [Klaus Havelund, Grigore Rosu] A lightweight verification technique bridging the gap between testing and verification Checking whether a run of the system under scrutiny satisfies a given correctness specification Get a program/system Program Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 5 / 48

7 Classical runtime validation method: monitoring Runtime Verification [Klaus Havelund, Grigore Rosu] A lightweight verification technique bridging the gap between testing and verification Checking whether a run of the system under scrutiny satisfies a given correctness specification Get a program/system Synthesize a monitor: a decision procedure for the specification Program Monitor * e1 * e1 * e2 * * * Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 5 / 48

8 Classical runtime validation method: monitoring Runtime Verification [Klaus Havelund, Grigore Rosu] A lightweight verification technique bridging the gap between testing and verification Checking whether a run of the system under scrutiny satisfies a given correctness specification Get a program/system Synthesize a monitor: a decision procedure for the specification Instrument the underlying program to observe relevant events: e i Σ Program Monitor e1 e2 e5 e4 e2 e5 e3 * * e1 * e1 e * * * Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 5 / 48

9 Classical runtime validation method: monitoring Runtime Verification [Klaus Havelund, Grigore Rosu] A lightweight verification technique bridging the gap between testing and verification Checking whether a run of the system under scrutiny satisfies a given correctness specification Get a program/system Synthesize a monitor: a decision procedure for the specification Instrument the underlying program to observe relevant events: e i Σ A monitor acts at runtime as an oracle for the specification (validation/violation) Program e1 e2 e5 Monitor * e1 e2e4e2 * e1 e2 * e5 e4 e3 * * e2 * Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 5 / 48

10 Classical runtime validation method: monitoring Determine a set of atomic propositions AP of the system e.g., for a car AP = {speed low, seat belt 1 on,...} events 2 AP w = ϕ? Mon ϕ verdicts Several existing tools (e.g., Java-MOP [Rosu et al.], RuleR [Barringer et al.],... ) Applied to several domains: Java/C programs, Web services, Space flight software, system biology... Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 6 / 48

11 Outline Background 1 Background Monitoring Linear-time Temporal Logic (for monitoring) 2 Motivations 3 Decentralised Monitoring of LTL formulae 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 7 / 48

12 Linear-time Temporal Logic Pnueli 77 One of the most widely used specification formalism Consider a set of atomic propositions AP Syntax: ϕ ::= p AP (ϕ) ϕ ϕ ϕ Xϕ ϕuϕ where:, are operators from propositional logic X is the next operator U is the until operator Additional operators: F is the eventually operator: Fϕ = true U ϕ G is the globally operator: Gϕ = (F( ϕ)) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 8 / 48

13 Linear-time Temporal Logic Semantics p AP Xp p arbitrary arbitrary arbitrary arbitrary arbitrary p arbitrary arbitrary arbitrary ϕ 1 Uϕ 2 ϕ 1 ϕ 2 ϕ 1 ϕ 2 ϕ 2 arbitrary arbitrary... Fϕ Gϕ ϕ ϕ ϕ arbitrary arbitrary ϕ ϕ ϕ ϕ ϕ Given w Σ and i 0 the (inductive) semantics is: w i = p p w(i), for any p AP w i = ϕ w i = ϕ w i = ϕ 1 ϕ 2 w i = ϕ 1 w i = ϕ 2 w i = Xϕ w i+1 = ϕ w i = ϕ 1 Uϕ 2 k [i, [. w k = ϕ 2 l [i, k[. w l = ϕ 1 Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 9 / 48

14 LTL for monitoring: LTL 3 - Bauer et al. LTL has mostly been used in validation techniques such as model-checking Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 10 / 48

15 LTL for monitoring: LTL 3 - Bauer et al. LTL has mostly been used in validation techniques such as model-checking The semantics needs to be adapted for monitoring 2 issues with a semantics over infinite sequences: liveness properties we do not know the future Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 10 / 48

16 LTL for monitoring: LTL 3 - Bauer et al. LTL has mostly been used in validation techniques such as model-checking The semantics needs to be adapted for monitoring 2 issues with a semantics over infinite sequences: liveness properties we do not know the future Fϕ Gϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ... unknown...false?... unknown...true? Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 10 / 48

17 LTL for monitoring: LTL 3 - Bauer et al. LTL has mostly been used in validation techniques such as model-checking The semantics needs to be adapted for monitoring 2 issues with a semantics over infinite sequences: liveness properties we do not know the future Fϕ Gϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ true ( ) false ( ) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 10 / 48

18 LTL for monitoring: LTL 3 - Bauer et al. LTL has mostly been used in validation techniques such as model-checking The semantics needs to be adapted for monitoring 2 issues with a semantics over infinite sequences: liveness properties we do not know the future Fϕ Gϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ Definition (LTL 3 semantics for a formula ϕ) good(ϕ) = {u Σ u Σ ω L(ϕ)} bad(ϕ) = {u Σ u Σ ω Σ ω \ L(ϕ)} Given u Σ : if u good(ϕ) u = 3 ϕ if u bad(ϕ)? otherwise true ( ) false ( ) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 10 / 48

19 Outline Motivations 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 11 / 48

20 An introductory example Most modern cars realise the following abstract requirement: Issue warning if one of the passengers is not wearing a seat belt (when the car has reached a certain speed). Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 12 / 48

21 An introductory example Most modern cars realise the following abstract requirement: Issue warning if one of the passengers is not wearing a seat belt (when the car has reached a certain speed). Could be formalised using LTL: ϕ := G ( speed low ((pressure sensor 1 high seat belt 1 on)... (pressure sensor n high seat belt n on)) ) and then monitored as usual... Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 12 / 48

22 An introductory example However, cars are nowadays highly distributed systems ( 130 CPUs): Legend: 3. Occupant sensing system (only one shown) 7. Seat-belt buckle sensors Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 13 / 48

23 An introductory example However, cars are nowadays highly distributed systems ( 130 CPUs): Legend: 3. Occupant sensing system (only one shown) 7. Seat-belt buckle sensors You can t easily monitor ϕ without central observation point! Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 13 / 48

24 Outline Decentralised Monitoring of LTL formulae 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae Our setting and the intuitive idea Organising Decentralised LTL Monitors (overview) Migration-based Monitoring 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 14 / 48

25 Outline Decentralised Monitoring of LTL formulae 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae Our setting and the intuitive idea Organising Decentralised LTL Monitors (overview) Migration-based Monitoring 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 15 / 48

26 Decentralised monitoring Our setting Distributed system operating under a global clock: Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 16 / 48

27 Decentralised monitoring Our setting Distributed system operating under a global clock: A set of components C 1,..., C n C 1... C i... C n Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 16 / 48

28 Decentralised monitoring Our setting Distributed system operating under a global clock: A set of components C 1,..., C n Σ = Σ 1... Σ n : all system events (where i, j : i j Σ i Σ j = ) C 1... C i... C n Σ 1 Σ i Σ n Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 16 / 48

29 Decentralised monitoring Our setting Distributed system operating under a global clock: A set of components C 1,..., C n Σ = Σ 1... Σ n : all system events (where i, j : i j Σ i Σ j = ) No central observation point but monitors M 1,..., M n are attached to components C 1... C i... C n Σ 1 Σ i Σ n M 1... M i... M n Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 16 / 48

30 Decentralised monitoring Our setting Distributed system operating under a global clock: A set of components C 1,..., C n Σ = Σ 1... Σ n : all system events (where i, j : i j Σ i Σ j = ) No central observation point but monitors M 1,..., M n are attached to components Synchronous bus: at time t a monitor may send/receive a message: At t + 1 this message is received by the recipient. That is, computation takes no time. C 1... C i... C n Σ 1 Σ i Σ n M 1... M i... M n SYNCHRONOUS BUS Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 16 / 48

31 Decentralised monitoring the idea C 1... C i... C n Σ 1 Σ i Σ n M 1... M i... M n SYNCHRONOUS BUS Monitoring ϕ(σ)? Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 17 / 48

32 Decentralised monitoring the idea Distribute ϕ s evaluation & exchange obligations Proposed Solution: C 1... C i... C n Σ 1 Σ i Σ n M 1 ϕ t 1... M i ϕ t i... M n ϕ t n SYNCHRONOUS BUS Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 17 / 48

33 Decentralised monitoring the idea Distribute ϕ s evaluation & exchange obligations Proposed Solution: C 1... C i... C n Σ 1 Σ i Σ n M 1 ϕ t 1... M i ϕ t i... M n ϕ t n Three organizations of monitors: orchestration, migration, and choreography (borrowing terminology from Francalanza et al.) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 17 / 48

34 A note on the global clock and synchrony Is a global clock realistic? Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 18 / 48

35 A note on the global clock and synchrony Is a global clock realistic? Not always, but many safety critical systems use it. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 18 / 48

Automotive domain uses FlexRay data bus, which has (among others) a synchronous

implementation/verification systems used in this domain: SIGNAL, Lustre, Astrée

36 A note on the global clock and synchrony Is a global clock realistic? Not always, but many safety critical systems use it. Automotive domain uses FlexRay data bus, which has (among others) a synchronous transfer mode: Flight-control systems mostly synchronous (fly-by-wire): Examples for implementation/verification systems used in this domain: SIGNAL, Lustre, Astrée verifier, etc. Examples: Steer-by-wire, brake-by-wire, engine management, etc. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 18 / 48

37 Outline Decentralised Monitoring of LTL formulae 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae Our setting and the intuitive idea Organising Decentralised LTL Monitors (overview) Migration-based Monitoring 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 19 / 48

38 Orchestration (simplified) M : G (Xa 1 c 1 (b 1 b 2 )) M : a 1 Comp. A M : b 1, b 2 M : c 1 Comp. B Comp. C Central point monitoring the global formula. Several communication protocols can be used to forward local observations. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 20 / 48

39 Orchestration (simplified) M : G (Xa 1 c 1 (b 1 b 2 )) M : a 1 Comp. A M : b 1, b 2 M : c 1 Comp. B Comp. C Central point monitoring the global formula. Several communication protocols can be used to forward local observations. At the central site, at each time step, when globally monitoring ϕ: 1 Wait for all observations to arrive from the remote components. 2 Merge all observations to form an event. 3 Progress ϕ with the event and simplify the progressed formula. 4 If a verdict is reached, stop monitoring and report result. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 20 / 48

40 Migration (simplified) M : Comp. A M : G (Xa 1 c 1 (b 1 b 2)) M : Comp. B Comp. C Migration takes place M : Comp. A M : M : G (Xa 1 c 1 (b 1 b 2)) (a 1 P c 1) Comp. B Comp. C Monitor state encoded by a formula traversing the network. Formula to be satisfied given the local observations of traversed components. Formula may contain references to past time instants. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 21 / 48

41 Migration (ctd) M : Comp. A M : G (Xa 1 c 1 (b 1 b 2)) M : Comp. B Comp. C Migration takes place M : Comp. A M : M : G (Xa 1 c 1 (b 1 b 2)) (a 1 P c 1) Comp. B Comp. C At each component with a formula ϕ to process, at each time step: 1 Use the current local observations to resolve relevant propositions. 2 Use the local history to resolve any past references to local observations. 3 Progress ϕ using obligations to earlier observations when not locally available. 4 If a verdict is reached, stop monitoring and report result. 5 Otherwise, select the component which can resolve the oldest obligation and send the formula to this component. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 22 / 48

42 Choreography (simplified) M : a 1 Comp. A M : X c 1 M : G ( (b 1 b 2)) Comp. C Comp. B Breaking down the formula across the network (following its syntax tree). Tree structure where results from subformulae flow up to the parent formula. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 23 / 48

43 Choreography (simplified) M : a 1 M : X c 1 M : G ( (b 1 b 2)) Comp. A Comp. C Comp. B Breaking down the formula across the network (following its syntax tree). Tree structure where results from subformulae flow up to the parent formula. At each time instant, on each component: 1 If a verdict from a child is received: 1 Substitute the verdict for the corresponding place holder in the local formula; 2 Apply simplification rules to the local formula. 2 Progress the local formula using the local observation. 3 If the local formula reaches a verdict, send the verdict to the parent (if any). 4 If the formula at the root of the tree reaches a verdict, stop monitoring and report result. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 23 / 48

44 Outline Decentralised Monitoring of LTL formulae 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae Our setting and the intuitive idea Organising Decentralised LTL Monitors (overview) Migration-based Monitoring 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 24 / 48

45 Monitoring by progression Definition (Progression function P : LTL Σ LTL) Let ϕ, ϕ 1, ϕ 2 LTL, and σ Σ be an event. P(p AP, σ) =, if p σ, otherwise P(ϕ 1 ϕ 2, σ) = P(ϕ 1, σ) P(ϕ 2, σ) P(ϕ 1Uϕ 2, σ) = P(ϕ 2, σ) P(ϕ 1, σ) ϕ 1Uϕ 2 P(Gϕ, σ) = P(ϕ, σ) G(ϕ) P(Fϕ, σ) = P(ϕ, σ) F(ϕ) P(, σ) = P(, σ) = P( ϕ, σ) = P(ϕ, σ) P(Xϕ, σ) = ϕ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 25 / 48

46 Monitoring by progression Definition (Progression function P : LTL Σ LTL) Let ϕ, ϕ 1, ϕ 2 LTL, and σ Σ be an event. P(p AP, σ) =, if p σ, otherwise P(ϕ 1 ϕ 2, σ) = P(ϕ 1, σ) P(ϕ 2, σ) P(ϕ 1Uϕ 2, σ) = P(ϕ 2, σ) P(ϕ 1, σ) ϕ 1Uϕ 2 P(Gϕ, σ) = P(ϕ, σ) G(ϕ) P(Fϕ, σ) = P(ϕ, σ) F(ϕ) P(, σ) = P(, σ) = P( ϕ, σ) = P(ϕ, σ) P(Xϕ, σ) = ϕ Example (Progression) Let ϕ = G(a b c) At time t = 0, let u = {a} Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 25 / 48

47 Monitoring by progression Definition (Progression function P : LTL Σ LTL) Let ϕ, ϕ 1, ϕ 2 LTL, and σ Σ be an event. P(p AP, σ) =, if p σ, otherwise P(ϕ 1 ϕ 2, σ) = P(ϕ 1, σ) P(ϕ 2, σ) P(ϕ 1Uϕ 2, σ) = P(ϕ 2, σ) P(ϕ 1, σ) ϕ 1Uϕ 2 P(Gϕ, σ) = P(ϕ, σ) G(ϕ) P(Fϕ, σ) = P(ϕ, σ) F(ϕ) P(, σ) = P(, σ) = P( ϕ, σ) = P(ϕ, σ) P(Xϕ, σ) = ϕ Example (Progression) Let ϕ = G(a b c) At time t = 0, let u = {a} P(ϕ, u) = P(a b c, u) G(a b c) = ( P(a, u) P(b, u) P(c, u) ) G(a b c) = G(a b c) = Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 25 / 48

48 Monitoring by progression Definition (Progression function P : LTL Σ LTL) Let ϕ, ϕ 1, ϕ 2 LTL, and σ Σ be an event. P(p AP, σ) =, if p σ, otherwise P(ϕ 1 ϕ 2, σ) = P(ϕ 1, σ) P(ϕ 2, σ) P(ϕ 1Uϕ 2, σ) = P(ϕ 2, σ) P(ϕ 1, σ) ϕ 1Uϕ 2 P(Gϕ, σ) = P(ϕ, σ) G(ϕ) P(Fϕ, σ) = P(ϕ, σ) F(ϕ) P(, σ) = P(, σ) = P( ϕ, σ) = P(ϕ, σ) P(Xϕ, σ) = ϕ Example (Progression) Let ϕ = G(a b c) At time t = 0, let u = {a, c} P(ϕ, u) = P(a b c, u) G(a b c) = ( P(a, u) P(b, u) P(c, u) ) G(a b c) = G(a b c) = G(a b c) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 25 / 48

49 Monitoring by progression Progression provides a monitoring algorithm P(P(... P(ϕ, u(0))..., u(n 1)), u(n)) = = u good(ϕ) P(P(... P(ϕ, u(0))..., u(n 1)), u(n)) = = u bad(ϕ) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 26 / 48

50 Monitoring by progression Progression provides a monitoring algorithm P(P(... P(ϕ, u(0))..., u(n 1)), u(n)) = = u good(ϕ) P(P(... P(ϕ, u(0))..., u(n 1)), u(n)) = = u bad(ϕ) Observe: Efficiency does not depend on length of trace, but Potential formula explosion problem continuous syntactic simplification Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 26 / 48

51 Is (classical) progression adequate for migration? Example (Non-adequacy of (classical) progression) Architecture with components A, B, C, resp. observing propositions a, b, c At time t = 0, u = {a, c} and ϕ = G(a b c) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 27 / 48

52 Is (classical) progression adequate for migration? Example (Non-adequacy of (classical) progression) Architecture with components A, B, C, resp. observing propositions a, b, c At time t = 0, u = {a, c} and ϕ = G(a b c) We apply progression on each component in separation (with their local observation) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 27 / 48

53 Is (classical) progression adequate for migration? Example (Non-adequacy of (classical) progression) Architecture with components A, B, C, resp. observing propositions a, b, c At time t = 0, u = {a, c} and ϕ = G(a b c) We apply progression on each component in separation (with their local observation) Let s take a look at what happens on M A : P A (ϕ, u) = P A (ϕ, {a}) = P A (a b c, {a}) G(a b c) = ( ) G(a b c) = Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 27 / 48

54 Is (classical) progression adequate for migration? Example (Non-adequacy of (classical) progression) Architecture with components A, B, C, resp. observing propositions a, b, c At time t = 0, u = {a, c} and ϕ = G(a b c) We apply progression on each component in separation (with their local observation) Let s take a look at what happens on M A : P A (ϕ, u) = P A (ϕ, {a}) = P A (a b c, {a}) G(a b c) = ( ) G(a b c) = However, u is not a bad prefix! Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 27 / 48

55 Decentralising progression on some component C i Not much changes except for atomic propositions... Definition (Decentralised progression for atomic propositions) On some component C i with atomic propositions AP i if p σ P(p, σ, AP i ) = if p / σ p AP i Xp otherwise Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 28 / 48

56 Decentralising progression on some component C i Not much changes except for atomic propositions... Definition (Decentralised progression for atomic propositions) On some component C i with atomic propositions AP i if p σ P(p, σ, AP i ) = if p / σ p AP i Xp otherwise Definition (Decentralised progression for past goals) On some component C i with atomic propositions AP i if p AP i Π i (σ( m)) P(X m p, σ, AP i ) = if p AP i \ Π i (σ( m)) X m+1 p otherwise where Π i (σ( m)) is the event observed m times ago on C i Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 28 / 48

57 Back to the example Example (Adequacy of decentralised progression) Architecture with components A, B, C, resp. observing propositions a, b, c At time t = 0, u = {a, c} and ϕ = G(a b c) We apply decentralised progression on each component in separation (with their local observation) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 29 / 48

58 Back to the example Example (Adequacy of decentralised progression) Architecture with components A, B, C, resp. observing propositions a, b, c At time t = 0, u = {a, c} and ϕ = G(a b c) We apply decentralised progression on each component in separation (with their local observation) Let s take a look at what happens on M A : P A (ϕ, u) = P A (ϕ, {a}) = P A (a b c, {a}, {a}) G(a b c) = P A (a b c, {a}, {a}) P A (a b c, {b}, {a}) P A (a b c, {c}, {a}) G(a b c) = ( Xb Xc) G(a b c) = (Xb Xc) G(a b c) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 29 / 48

59 Back to the example Example (Adequacy of decentralised progression) Architecture with components A, B, C, resp. observing propositions a, b, c At time t = 0, u = {a, c} and ϕ = G(a b c) We apply decentralised progression on each component in separation (with their local observation) Let s take a look at what happens on M A : P A (ϕ, u) = P A (ϕ, {a}) = P A (a b c, {a}, {a}) G(a b c) = P A (a b c, {a}, {a}) P A (a b c, {b}, {a}) P A (a b c, {c}, {a}) G(a b c) = ( Xb Xc) G(a b c) = (Xb Xc) G(a b c) Monitoring can continue :-) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 29 / 48

60 Outline Decentralised Monitoring of LTL formulae 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae Our setting and the intuitive idea Organising Decentralised LTL Monitors (overview) Migration-based Monitoring Decentralised Monitoring 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 30 / 48

61 Decentralised Monitoring: local algorithm at time t C 1... C i... C n M 1... M i... M n SYNCHRONOUS BUS Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 31 / 48

62 Decentralised Monitoring: local algorithm at time t C 1... C i... C n M 1 ϕ t 1... M i ϕ t i... M n ϕ t n SYNCHRONOUS BUS L1. [Next goal.] Let ϕ t i be the monitor s current local obligation (ϕ 0 i := ϕ) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 31 / 48

63 Decentralised Monitoring: local algorithm at time t C 1... C i... C n M 1 ϕ t 1... M i ϕ t i... M n ϕ t n conjunct conjunct conjunct {ϕ j } j [1,m],j 1 SYNCHRONOUS {ϕ j } j [1,m],j i BUS {ϕ j } j [1,m],j n L1. [Next goal.] Let ϕ t i be the monitor s current local obligation (ϕ 0 i := ϕ) L2. [Receive messages.] ({ϕ j } j [1,m],j i : received obligations) Set ϕ t i := ϕ t i j [1,m],j i ϕ j Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 31 / 48

64 Decentralised Monitoring: local algorithm at time t C 1... C i... C n Σ 1 Σ i Σ n M 1 ϕ t 1... M i ϕ t i... M n ϕ t n SYNCHRONOUS BUS L1. [Next goal.] Let ϕ t i be the monitor s current local obligation (ϕ 0 i := ϕ) L2. [Receive messages.] ({ϕ j } j [1,m],j i : received obligations) Set ϕ t i := ϕ t i j [1,m],j i ϕ j L3. [Receive event.] Read next σ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 31 / 48

65 Decentralised Monitoring: local algorithm at time t C 1... C i... C n Progr. ϕ t Progr. ϕ t+1 i... Progr. ϕ t+1 n SYNCHRONOUS BUS L1. [Next goal.] Let ϕ t i be the monitor s current local obligation (ϕ 0 i := ϕ) L2. [Receive messages.] ({ϕ j } j [1,m],j i : received obligations) Set ϕ t i := ϕ t i j [1,m],j i ϕ j L3. [Receive event.] Read next σ L4. [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 31 / 48

66 Decentralised Monitoring: local algorithm at time t C 1... C i... C n Progr. ϕ t Progr. ϕ t+1 i... Progr. ϕ t+1 n SYNCHRONOUS BUS L1. [Next goal.] Let ϕ t i be the monitor s current local obligation (ϕ 0 i := ϕ) L2. [Receive messages.] ({ϕ j } j [1,m],j i : received obligations) Set ϕ t i := ϕ t i j [1,m],j i ϕ j L3. [Receive event.] Read next σ L4. [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) L5. [Evaluate and return.] If ϕ t+1 i = return, if ϕ t+1 i = return Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 31 / 48

67 Decentralised Monitoring: local algorithm at time t C 1... C i... C n Progr. ϕ t Progr. ϕ t+1 i... Progr. ϕ t+1 n SYNCHRONOUS BUS L1. [Next goal.] Let ϕ t i be the monitor s current local obligation (ϕ 0 i := ϕ) L2. [Receive messages.] ({ϕ j } j [1,m],j i : received obligations) Set ϕ t i := ϕ t i j [1,m],j i ϕ j L3. [Receive event.] Read next σ L4. [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) L5. [Evaluate and return.] If ϕ t+1 i = return, if ϕ t+1 i = return L6. [Communicate.] If ϕ t+1 i is urgent send it to the most relevant monitor Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 31 / 48

68 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

69 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} A B C Σ A Σ B Σ B M A M B M C Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

70 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 0 A B C M A ϕ M B ϕ M C ϕ [L1.] [Next goal.] Let ϕ t i be the monitor s current local obligation (ϕ 0 i := ϕ) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

71 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 0 A B C M A ϕ M B ϕ M C ϕ [L2.] [Receive messages.] ({ϕ j } j [1,m],j i : received obligations) Set ϕ t i := ϕ t i j [1,m],j i ϕ j Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

72 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 0 A B C {a} {b} M A ϕ M B ϕ M C ϕ [L3.] [Receive event.] Read next σ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

73 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 0 A B C M A Xb Xc ϕ M B Xa Xc ϕ M C ϕ [L4.] [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) ϕ 1 A := P(ϕ, {a}, AP A) = P(a b c, {a}, AP A ) ϕ = Xb Xc ϕ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

74 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 0 A B C M A Xb Xc ϕ M B Xa Xc ϕ M C ϕ [L4.] [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) ϕ 1 A := P(ϕ, {a}, AP A) = P(a b c, {a}, AP A ) ϕ = Xb Xc ϕ ϕ 1 B := P(ϕ, {b}, AP B) = P(a b c, {b}, AP B ) ϕ = Xa Xc ϕ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

75 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 0 A B C M A Xb Xc ϕ M B Xa Xc ϕ M C ϕ [L4.] [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) ϕ 1 A := P(ϕ, {a}, AP A) = P(a b c, {a}, AP A ) ϕ = Xb Xc ϕ ϕ 1 B := P(ϕ, {b}, AP B) = P(a b c, {b}, AP B ) ϕ = Xa Xc ϕ ϕ 1 C := P(ϕ,, AP C) = P(a b c,, AP C ) ϕ = ϕ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

76 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 0 A B C M A Xb Xc ϕ M B Xa Xc ϕ M C ϕ [L5.] [Evaluate and return.] If ϕ t+1 i = return, if ϕ t+1 i = return Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

77 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 0 A B C M A Xb Xc ϕ M B Xa Xc ϕ M C ϕ [L6.] [Communicate.] If ϕ t+1 i is urgent send it to the most relevant monitor urgency(ϕ 1 A ) = urgency(xb Xc ϕ) = 1 M B urgency(ϕ 1 B ) = urgency(xa Xc ϕ) = 1 M A urgency(ϕ 1 C ) = urgency(ϕ) = 0 Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

78 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 1 A B C M A # M B # M C ϕ [L1.] [Next goal.] Let ϕ t i be the monitor s current local obligation (ϕ 0 i := ϕ) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

79 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 1 A B C M A Xa Xc ϕ M B Xb Xc ϕ M C ϕ [L2.] [Receive messages.] ({ϕ j } j [1,m],j i : received obligations) Set ϕ t i := ϕ t i j [1,m],j i ϕ j Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

80 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 1 A B C {a} {b} {c} M A Xa Xc ϕ M B Xb Xc ϕ M C ϕ [L3.] [Receive event.] Read next σ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

81 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 1 A B C M A X 2 c (Xb Xc ϕ) M B X 2 c (Xb Xc ϕ) M C Xa Xb ϕ [L4.] [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) ϕ 2 A := P( Xa Xc ϕ #, {a}, AP A ) = X 2 c (Xb Xc ϕ) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

82 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 1 A B C M A X 2 c (Xb Xc ϕ) M B X 2 c (Xb Xc ϕ) M C Xa Xb ϕ [L4.] [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) ϕ 2 A := P( Xa Xc ϕ #, {a}, AP A ) = X 2 c (Xb Xc ϕ) ϕ 2 B := P(Xb Xc ϕ #, {b}, AP B) = X 2 c (Xa Xc ϕ) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

83 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 1 A B C M A X 2 c (Xb Xc ϕ) M B X 2 c (Xb Xc ϕ) M C Xa Xb ϕ [L4.] [Progress.] Let the rewriting engine determine ϕ t+1 i := P(ϕ t i, σ, AP i) ϕ 2 A := P( Xa Xc ϕ #, {a}, AP A ) = X 2 c (Xb Xc ϕ) ϕ 2 B := P(Xb Xc ϕ #, {b}, AP B) = X 2 c (Xa Xc ϕ) ϕ 2 C := P(ϕ, {c}, AP C) = Xa Xb ϕ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

84 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 1 A B C M A X 2 c (Xb Xc ϕ) M B X 2 c (Xb Xc ϕ) M C Xa Xb ϕ [L5.] [Evaluate and return.] If ϕ t+1 i = return, if ϕ t+1 i = return Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

85 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with AP A = {a}, AP B = {b}, AP C = {c} t = 1 A B C M A X 2 c (Xb Xc ϕ) M B X 2 c (Xb Xc ϕ) M C Xa Xb ϕ [L6.] [Communicate.] If ϕ t+1 i urgency(x 2 c (Xa Xc ϕ)) = 2 M C urgency(x 2 c (Xa Xc ϕ)) = 2 M C urgency(xa Xb ϕ) = 1 M A is urgent send it to the most relevant monitor Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 32 / 48

86 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with Σ A = {a}, Σ B = {b}, Σ C = {c} t: 0 1 σ: {a, b} {a, b, c} M A : M B : M C : ϕ 1 A ϕ 1 B ϕ 1 C := P(ϕ, {a}, AP A ) = P(a b c, {a}, AP A ) ϕ = Xb Xc ϕ := P(ϕ, {b}, AP B ) = P(a b c, {b}, AP B ) ϕ = Xa Xc ϕ := P(ϕ, {c}, AP C ) = P(a b c,, AP C ) ϕ = ϕ ϕ 2 A := P(ϕ 1 B #, {a}, AP A) = X 2 c (Xb Xc ϕ) ϕ 2 B := P(ϕ 1 A #, {b}, AP B) = X 2 c (Xa Xc ϕ) ϕ 2 C := P(ϕ, {c}, AP C ) = Xa Xb ϕ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 33 / 48

87 Decent. progress. of ϕ = F(a b c), 3 components Monitoring ϕ = F(a b c) over {a, b} {a, b, c} with Σ A = {a}, Σ B = {b}, Σ C = {c} t: 0 1 σ: {a, b} {a, b, c} M A : M B : M C : ϕ 1 A ϕ 1 B ϕ 1 C := P(ϕ, {a}, AP A ) = P(a b c, {a}, AP A ) ϕ = Xb Xc ϕ := P(ϕ, {b}, AP B ) = P(a b c, {b}, AP B ) ϕ = Xa Xc ϕ := P(ϕ, {c}, AP C ) = P(a b c,, AP C ) ϕ = ϕ t: 2 3 σ: M A : ϕ 3 A := P(ϕ 2 C #,, AP A) = X 2 b (Xb Xc ϕ) ϕ 4 A := P(ϕ 3 C #,, AP A) = X 3 b (Xb Xc ϕ) M B : ϕ 3 B := P(#,, AP B ) ϕ 4 B := P(ϕ 3 A #,, AP B) = # = M C : ϕ 3 C := P(ϕ 2 A ϕ2 B #,, AP C) ϕ 4 = X 2 a X 2 C := P(#,, AP C ) b ϕ = # ϕ 2 A := P(ϕ 1 B #, {a}, AP A) = X 2 c (Xb Xc ϕ) ϕ 2 B := P(ϕ 1 A #, {b}, AP B) = X 2 c (Xa Xc ϕ) ϕ 2 C := P(ϕ, {c}, AP C ) = Xa Xb ϕ Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 33 / 48

88 Some properties of the algorithm Let ϕ LTL and u Σ What is the link between: = 3 : centralised LTL 3 semantics = D : decentralised LTL 3 semantics Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 34 / 48

89 Some properties of the algorithm Let ϕ LTL and u Σ What is the link between: = 3 : centralised LTL 3 semantics = D : decentralised LTL 3 semantics Theorem (Soundness) u = D ϕ = / u = 3 ϕ = / u = 3 ϕ =? u = D ϕ =? Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 34 / 48

90 Some properties of the algorithm Let ϕ LTL and u Σ What is the link between: = 3 : centralised LTL 3 semantics = D : decentralised LTL 3 semantics Theorem (Soundness) u = D ϕ = / u = 3 ϕ = / u = 3 ϕ =? u = D ϕ =? Theorem (Completeness) u = 3 ϕ = / u Σ. u M u u = D ϕ = / Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 34 / 48

91 How much a monitor has to remember? Theorem (Maximum delay) Let X m p LTL be a local obligation on some monitor M i M In the worst case, m min( M, t + 1) at any time t N 0 Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 35 / 48

92 How much a monitor has to remember? Theorem (Maximum delay) Let X m p LTL be a local obligation on some monitor M i M In the worst case, m min( M, t + 1) at any time t N 0 This, at the same time, reflects the communication delay by which a decentralised monitor may come to a verdict! Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 35 / 48

93 How much a monitor has to remember? Theorem (Maximum delay) Let X m p LTL be a local obligation on some monitor M i M In the worst case, m min( M, t + 1) at any time t N 0 This, at the same time, reflects the communication delay by which a decentralised monitor may come to a verdict! However Unless, there could be a (possibly infinite) delay not due to communication: XXtrue and G(trueU(Gb F b)) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 35 / 48

94 How much a monitor has to remember? Theorem (Maximum delay) Let X m p LTL be a local obligation on some monitor M i M In the worst case, m min( M, t + 1) at any time t N 0 This, at the same time, reflects the communication delay by which a decentralised monitor may come to a verdict! However Unless, there could be a (possibly infinite) delay not due to communication: XXtrue and G(trueU(Gb F b)) Corollary Given a clean input : communication delay = memory requirements = verdict delay. (Otherwise, we can t say much at all.) Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 35 / 48

95 Outline Decentralised Monitoring of LTL formulae 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 36 / 48

96 DecentMon: an OCaml benchmark DecentMon: an OCaml benchmark simulating the decentralised algorithm LTL formula or LTL specification pattern Trace(s) Architecture DecentMon Verdict Monitoring statistics Occurrences of atomic propositions can be parameterised according to several probability distributions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 37 / 48

97 What we wanted to compare Two monitoring modes: decentralised mode (i.e., each trace is read by a separate monitor) centralised mode by merging the traces and using a central monitor C 1 M 1 C 2 M 2 C 3 M 3 C 4 M 4 C 1 C 2 C 3 C 4 M VS. Four metrics: length of the trace needed to reach a verdict number and size of messages exchanged between monitors number of progressions performed by local monitors Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 38 / 48

98 Experimental Results - trace length random formula generation biased formula generation orchestration migration choreography orchestration migration choreography orchestration migration orchestration migration 20 choreography 20 choreography Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 39 / 48

99 Experimental Results - number of messages random formula generation biased formula generation orchestration migration choreography 40 orchestration migration choreography orchestration migration 60 orchestration migration 100 choreography 40 choreography Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 40 / 48

100 Experimental Results - size of messages random formula generation biased formula generation 20 orchestration migration 6 orchestration migration 15 choreography 4 choreography orchestration orchestration migration choreography 10 migration choreography Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 41 / 48

101 Experimental Results - number of progressions random formula generation orchestration migration choreography biased formula generation orchestration migration choreography orchestration migration orchestration migration 3000 choreography 1000 choreography Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 42 / 48

102 Outline Conclusions 1 Background 2 Motivations 3 Decentralised Monitoring of LTL formulae 4 Implementation and Evaluation 5 Conclusions Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 43 / 48

103 Conclusions Summary [FM12, RV14, FMSD16a, FMSD16b] Monitoring of (off the shelf) LTL specifications in a decentralised fashion No central observation point Keeping the communication at a minimum with negligible delay Validated by experimental results Future Work Operational description of specifications (e.g. automata). Heuristics based on syntactic criteria to determine the organisation of monitor. Rigorous analysis of the cost of decentralised monitoring. Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 44 / 48

Please consider submitting to RV 2016 :-)! The 16th International Conference on Runtime Verification, September 23-30 2016, Madrid, Spain http://rv2016.imag.

104 Please consider submitting to RV 2016 :-)! The 16th International Conference on Runtime Verification, September , Madrid, Spain Abstract deadline: May 20, 2016 Paper and tutorial deadline: May 27, 2016 COST ARVI Summer school on Runtime Verification: September 23-25, 2016 Workshops and tutorials: September 26-27, 2016 Conference: September 28-30, 2016 Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 45 / 48

105 References I Andreas Klaus Bauer and Yliès Falcone. Decentralised LTL monitoring. In FM 2012: Formal Methods - 18th International Symposium, Paris, France, August 27-31, Proceedings, pages , Andreas Bauer and Yliès Falcone. Decentralised LTL monitoring. Formal Methods in System Design, To appear. Online version at Springer. Christian Colombo and Yliès Falcone. Organising LTL monitors over distributed systems with a global clock. Formal Methods in System Design, To appear. Online version at Springer. Christian Colombo and Yliès Falcone. Organising LTL monitors over distributed systems with a global clock. In Runtime Verification - 5th International Conference, RV 2014, Toronto, ON, Canada, September 22-25, Proceedings, pages , Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 46 / 48

106 Related Work Diagnosis of DES detect the occurrence of a fault after a finite number of discrete steps diagnosability: a system model is diagnosable if it is always the case that the occurrence of a fault can be detected after a finite number of discrete steps Uses the model of a system (usually contains faulty + nominal behaviours) Decentralised observability Various degrees of observability depending on available memory of local observers Combine the local observers states after reading some trace to a truthful verdict w.r.t. the monitored property Comparison with our approach: No central-observation point Observability is taken for granted Minimisation of communication overhead Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 47 / 48

107 Related Work (ctd) Monitoring MtTL monitoring properties of asynchronous systems [Sen et al.] systems operating concurrently partially ordered traces LTL + modalities about the distributed nature of the system Comparison with our approach: synchronous systems not restricted to safety properties no collection of global behavior Monitoring distributed controllers [Genon et al.] partially ordered traces (asynchronous systems) exploration of execution interleavings restricted to bad prefixes Y. Falcone (Univ. Grenoble Alpes, Inria, LIG) DRV, Bertinoro, Italy 48 / 48

Formal Verification. Lecture 5: Computation Tree Logic (CTL)

Formal Verification. Lecture 5: Computation Tree Logic (CTL) Formal Verification Lecture 5: Computation Tree Logic (CTL) Jacques Fleuriot 1 jdf@inf.ac.uk 1 With thanks to Bob Atkey for some of the diagrams. Recap Previously: Linear-time Temporal Logic This time: