Trace-Checking Signal-based Temporal Properties: A Model-Driven Approach

.lu
software veriﬁcation & validation
VVS
Trace-Checking
Signal-based Temporal Properties:
A Model-Driven Approach
Chaima BOUFAIED, Claudio MENGHI, Domenico BIANCULLI, Lionel BRIAND, Yago ISASI PARACHE

Trace Checking (1)
•Run-time veriﬁcation technique
•Traces represent system executions
•Properties are based on the system’s requirements
•Uses an automated decision procedure to check properties on
traces
!2

Trace Checking (2)
•In this work, we consider tools that:
•support declarative speciﬁcation formalisms for expressing
requirements
•are deployed at ofﬂine stage
•yield a Boolean verdict using qualitative semantics
!3

Context
!4
Industrial case study in the
aerospace domain

Signal-based Temporal Properties
(SBTPs)
•SBTPs characterize the
behavior of the system when its
inputs and outputs are signals
over time
• “The velocity of the satellite
along the X-axis-Vel may
oscillate with a maximum
amplitude of 8000 km/h and a
maximum period of 180 min”
!5
t3t5
vl
vu
p1
p2
p3p5
p4
p2pAmp
period
time
signal value

Motivations
•SBTPs are common in many cyber-physical systems
•Several languages to express SBTPs (e.g., STL, STL*, SFO)
•either they are not expressive enough (e.g., STL)
•or they are not supported by efﬁcient trace checking procedures (e.g., SFO)
•There is trade-off between languages expressiveness and trace checking
procedure efﬁciency
!6

Contributions
•SB-TemPsy: a Trace-Checking approach for SBTPs
•SBTemPsy-DSL: an expressive speciﬁcation language for
SBTPs
•SBTemPsy-Check: an efﬁcient trace-checking procedure
!7

SB-TemPsy-DSL:
Signal-Based Temporal Properties
made easy

Speciﬁcation of
Temporal Properties
!9
Temporal
Logic
globally at most 2 P
before R at most 2 P
after Q at most 2 P
between Q and R at most 2 P
after Q until R at most 2 P
Domain-speciﬁc
Language (DSL)
•Syntax close to natural language
• Does not require a strong mathematical background
• Important for adoption among practitioners

SB-TemPsy-DSL
•Pattern-based speciﬁcation language
•Supports the common types of SBTPs identiﬁed in a recent taxonomy
•Spikes, Oscillations
•Rise/Fall Time
•Overshoot/Undershoot
Chaima Boufaied, Maris Jukss, Domenico Bianculli, Lionel Claude Briand, and Yago Isasi Parache. 2019. Signal-Based
Properties: Taxonomy and Logic-based Characterization. CoRR abs/1910.08330 (2019), 1–39. arXiv:1910.08330 http: //
arxiv.org/abs/1910.08330
!10
*
*

SB-TemPsy-DSL
!11
exist oscillations in X-axis-Vel
with p2pAmp <= 8000
with period <= 180
•“The velocity of the satellite along the X-axis-Vel shall oscillate
with a maximum amplitude of 8000 km/h and a maximum period
of 180 min”

SB-TemPsy-DSL
!12
Propertyq::=q1andq2|q2orq1|notq|sc
Scope sc::=globallyp|beforetp|aftertp|attp|beforep1p
afterp1p|betweent1andt2p|betweenp1andp2p
Patternp::=assertc|sbecomes⇠v|ifp1then[withinùût]p2|
existsspikeins[with[width⇠v1][amplitude⇠v2]]|
existoscillationsins[with[p2pAmp⇠v1][period⇠v2]]|
srises[monotonically]reachingv|
sfalls[monotonically]reachingv|
sovershoots[monotonically]v1byv2|
sundershoots[monotonically]v1byv2
ùû::=exactly|at most|at least
Conditionc::=c1andc2|c1orc2|notc|s⇠v
t,t1,t22R;v,v1,v22R;⇠2{<,>,=,<,,$};
sis a signal in(or a mathematical expression over the signals in(
1
spike width amplitude

SB-TemPsy-DSL
!13
Propertyq::=q1andq2|q2orq1|notq|sc
Scope sc::=globallyp|beforetp|aftertp|attp|beforep1p
afterp1p|betweent1andt2p|betweenp1andp2p
Patternp::=assertc|sbecomes⇠v|ifp1then[withinùût]p2|
existsspikeins[with[width⇠v1][amplitude⇠v2]]|
existoscillationsins[with[p2pAmp⇠v1][period⇠v2]]|
srises[monotonically]reachingv|
sfalls[monotonically]reachingv|
sovershoots[monotonically]v1byv2|
sundershoots[monotonically]v1byv2
ùû::=exactly|at most|at least
Conditionc::=c1andc2|c1orc2|notc|s⇠v
t,t1,t22R;v,v1,v22R;⇠2{<,>,=,<,,$};
sis a signal in(or a mathematical expression over the signals in(
1
Oscillations p2pAmp period

SB-TemPsy-DSL
!14
Propertyq::=q1andq2|q2orq1|notq|sc
Scope sc::=globallyp|beforetp|aftertp|attp|beforep1p
afterp1p|betweent1andt2p|betweenp1andp2p
Patternp::=assertc|sbecomes⇠v|ifp1then[withinùût]p2|
existsspikeins[with[width⇠v1][amplitude⇠v2]]|
existoscillationsins[with[p2pAmp⇠v1][period⇠v2]]|
srises[monotonically]reachingv|
sfalls[monotonically]reachingv|
sovershoots[monotonically]v1byv2|
sundershoots[monotonically]v1byv2
ùû::=exactly|at most|at least
Conditionc::=c1andc2|c1orc2|notc|s⇠v
t,t1,t22R;v,v1,v22R;⇠2{<,>,=,<,,$};
sis a signal in(or a mathematical expression over the signals in(
1
rises

SB-TemPsy-DSL
!15
Propertyq::=q1andq2|q2orq1|notq|sc
Scope sc::=globallyp|beforetp|aftertp|attp|beforep1p
afterp1p|betweent1andt2p|betweenp1andp2p
Patternp::=assertc|sbecomes⇠v|ifp1then[withinùût]p2|
existsspikeins[with[width⇠v1][amplitude⇠v2]]|
existoscillationsins[with[p2pAmp⇠v1][period⇠v2]]|
srises[monotonically]reachingv|
sfalls[monotonically]reachingv|
sovershoots[monotonically]v1byv2|
sundershoots[monotonically]v1byv2
ùû::=exactly|at most|at least
Conditionc::=c1andc2|c1orc2|notc|s⇠v
t,t1,t22R;v,v1,v22R;⇠2{<,>,=,<,,$};
sis a signal in(or a mathematical expression over the signals in(
1
falls

SB-TemPsy-DSL
!16
Propertyq::=q1andq2|q2orq1|notq|sc
Scope sc::=globallyp|beforetp|aftertp|attp|beforep1p
afterp1p|betweent1andt2p|betweenp1andp2p
Patternp::=assertc|sbecomes⇠v|ifp1then[withinùût]p2|
existsspikeins[with[width⇠v1][amplitude⇠v2]]|
existoscillationsins[with[p2pAmp⇠v1][period⇠v2]]|
srises[monotonically]reachingv|
sfalls[monotonically]reachingv|
sovershoots[monotonically]v1byv2|
sundershoots[monotonically]v1byv2
ùû::=exactly|at most|at least
Conditionc::=c1andc2|c1orc2|notc|s⇠v
t,t1,t22R;v,v1,v22R;⇠2{<,>,=,<,,$};
sis a signal in(or a mathematical expression over the signals in(
1
overshoots

SB-TemPsy-DSL
!17
Propertyq::=q1andq2|q2orq1|notq|sc
Scope sc::=globallyp|beforetp|aftertp|attp|beforep1p
afterp1p|betweent1andt2p|betweenp1andp2p
Patternp::=assertc|sbecomes⇠v|ifp1then[withinùût]p2|
existsspikeins[with[width⇠v1][amplitude⇠v2]]|
existoscillationsins[with[p2pAmp⇠v1][period⇠v2]]|
srises[monotonically]reachingv|
sfalls[monotonically]reachingv|
sovershoots[monotonically]v1byv2|
sundershoots[monotonically]v1byv2
ùû::=exactly|at most|at least
Conditionc::=c1andc2|c1orc2|notc|s⇠v
t,t1,t22R;v,v1,v22R;⇠2{<,>,=,<,,$};
sis a signal in(or a mathematical expression over the signals in(
1
undershoots

SB-TemPsy-DSL
!18
Propertyq::=q1andq2|q2orq1|notq|sc
Scope sc::=globallyp|beforetp|aftertp|attp|beforep1p
afterp1p|betweent1andt2p|betweenp1andp2p
Patternp::=assertc|sbecomes⇠v|ifp1then[withinùût]p2|
existsspikeins[with[width⇠v1][amplitude⇠v2]]|
existoscillationsins[with[p2pAmp⇠v1][period⇠v2]]|
srises[monotonically]reachingv|
sfalls[monotonically]reachingv|
sovershoots[monotonically]v1byv2|
sundershoots[monotonically]v1byv2
ùû::=exactly|at most|at least
Conditionc::=c1andc2|c1orc2|notc|s⇠v
t,t1,t22R;v,v1,v22R;⇠2{<,>,=,<,,$};
sis a signal in(or a mathematical expression over the signals in(
1
Scope

!19
Informal Semantics:
Oscillations
•“The velocity of the satellite along the X-axis shall oscillate with
a maximum amplitude of 8000 km/h and a maximum period of
180 min”
3060120180240320400
2k
4k
6k
8k
10k
12k
p2pAmp
period
X-axis
time (min)
signal value

Predicate Mathematical Formulation Description
uni_m_max(¯c,B,C, [C;,CD]) 5?(C,s)=Gand8C12[C;,CD],5?(C1,s)<Gand
8C1,C22[C;,C],ifC1<C2then5?(C1,s)5?(C2,s)and
8C1,C22[C;,C],ifC1<C2then5?(C1,s)$5?(C2,s)
The valueGof signalBat time instantCis the minimum value assigned
toBwithin the interval[C;,CD]. Furthermore, the value ofGchanges
according to a unimodal function, i.e., for every time instant in[C;,C]
the value ofBis monotonically increasing and for every time instant
in[C,CD]the value ofBis monotonically decreasing.
uni_sm_max(¯c,B,C, [C;,CD]) 5?(C,s)=Gand8C12[C;,CD],5?(C1,s)<Gand
8C1,C22[C;,C],ifC1<C2then5?(C1,s)<5?(C2,s)and
8C1,C22[C;,C],ifC1<C2then5?(C1,s)>5?(C2,s)
As above, except that for every time instant in[C;,C]the value of
Bisstrictlymonotonically increasing and for every time instant in
[C,CD]the value ofBisstrictlymonotonically decreasing.
Property
¯c|=sc,¯c,[C1,C<]|=sc
Condition
¯c,C|=s⇠v,5?(C,B)⇠v
¯c|=q1andq2,(¯c|=q1)and(¯c|=q2) ¯c,C|=c1andc2,(¯c,C|=c1)and(¯c,C|=c2)
¯c|=q1orq2,(¯c|=q1)or(¯c|=q2) ¯c,C|=c1orc2,(¯c,C|=c1)or(¯c,C|=c2)
¯c|=notq,(¯c6|=q) ¯c,C|=notc,(¯c,C6|=c)
Absolute
Scope
¯c,[C;,CD]|=globallyp,¯c,[C;,CD]|=p
Event
Scope
¯c,[C;,CD]|=beforep
1
p,8C1,C2,C;<C1<C2CD,¯c,[C1,C2]|=p
1
¯c,[C;,CD]|=beforetp,C;tCDand¯c,[C;,t]|=p and9C3,C4,C;<C3<C4<C1,¯c,[C3,C4]|=p
¯c,[C;,CD]|=aftertp,C;tCDand¯c,[t,CD]|=p ¯c,[C;,CD]|=afterp
1
p,8C1,C2,C;<C1<C2CD,¯c,[C1,C2]|=p
1
¯c,[C;,CD]|=betweennandmp,C;n<mCD and9C3,C4,C2<C3<C4<CD,¯c,[C3,C4]|=p
and¯c,[n,m]|=p ¯c,[C;,CD]|=betweenp
1
andp
2
p,8C1,C2,C3,C4,C;C1<C2<C3<C4CD,
¯c,[C;,CD]|=attp,9C:C;tCDand¯c,[t,t]|=p
!
¯c,[C1,C2]|=p
1
and[C3,C4]|=p
2
"
)¯c,[C2,C3]|=p
Data Assertion
Pattern
¯c,[C;,CD]|=assertc,8C2[C;,CD],(¯c,C|=c)
¯c,[C;,CD]|=sbecomes⇠v,9C2(C;,CD],
!
5?(C,s)⇠vand8C12(C;,C),
!
5?(C1,s)⌧v

Spike
Pattern
¯c,[C;,CD]|=existsspikeins
⇥
with[width⇠v1]V[amplitude⇠v2]W
⇤
U
,9C1,C2,C32[C;,CD],C1<C2<C3,
⇣
(uni_m_min(¯c,B,C 1,[C;,C2])anduni_sm_max(¯c,B,C 2,[C1,C3])anduni_m_min(¯c,B,C 3,[C2,CD]))or
(uni_m_max(¯c,B,C 1,[C;,C2])anduni_sm_min(¯c,B,C 2,[C1,C3])anduni_m_max(¯c,B,C 3,[C2,CD]))
h
[and|C3*C1|⇠v1]
V
⇥
andmax
!'
'
5?(C1,s)*5?(C2,s)
'
'
,
'
'
5?(C2,s)*5?(C3,s)
'
'
"
⇠v2
⇤
W
i
U
⌘
Oscillation
Pattern
¯c,[C;,CD]|=existoscillationsins
⇥
with[p2pAmp⇠v1]
V[period⇠v2]
W
⇤
U
,9C1,C2,C3,C4,C52[C;,CD],C1<C2<C2<C3<C4<C5,
⇣
(uni_sm_min(¯c,B,C 2,[C1,C3])anduni_sm_max(¯c,B,C 3,[C2,C4])anduni_sm_min(¯c,B,C 4,[C3,C5]))or
(uni_sm_max(¯c,B,C 2,[C1,C3])anduni_sm_min(¯c,B,C 3,[C2,C4])anduni_sm_max(¯c,B,C 4,[C3,C5]))
h
⇥
and
'
'
5?(C2,s)*5?(C3,s)
'
'
⇠v1and
'
'
5?(C3,s)*5?(C4,s
"
|⇠v1
⇤
V
[and(C4*C2)⇠v2]
W
i
U
⌘
Rise Time
Pattern
¯c,[C;,CD]|=srises[monotonically]Ureachingv,9C2(C;,CD],
⇣
5?(C,s)$vand8C12(C;,C),
!
5?(C1,s)<v
"
⇥
and8C22(C;,C),8C32(C2,C],
!
5?(C2,s)<5?(C3,s)
"⇤
U
⌘
Overshoot
Pattern
¯c,[C;,CD]|=sovershoots[monotonically]Uv1byv2,9C2(C;,CD],
⇣
5?(C,s)$v1and8C12(C,CD],
!
5?(C1,s)v1+v2
"
[and8C22(C;,C),8C32(C2,C],
!
5?(C2,s)<5?(C3,s)
"⇤
U
⌘
Order
Relationship
Pattern
¯c,[C;,CD]|=ifp
1
then[within(exactly|at most|at least)t]Up
2
,8C1,C22[C;,CD],C1<C2,
⇣
¯c,[C1,C2]|=p
1
)
9C3,C42[C2,CD],C3<C4,
!
¯c,[C3,C4]|=p
2
⇥
and(C3*C2)»ùû…t
⇤
U
"
⌘
whereùû2{exactly,at most,at least}and»ùû…is dened such that»exactly…⌘‘=’,»at most…⌘‘<=’,»at least…⌘‘>=’
t,t1,t22R;v,v1,v22R;⇠2{<,>,=,<,,$};sis a signal in(or a mathematical expression over the signals in(;scis a scope;pis a pattern.
1
Details are in the paper ;-)
!20
Formal Semantics

SB-TemPsy-Check:
Model-driven Trace-Checking
Procedure

Model-driven Trace Checking
!22
Problem of checking a
temporal property on a trace
Evaluation of an OCL constraint
on an instance of the trace
meta-model
Reduction
Equivalent to
the temporal
property
Wei Dou, Domenico Bianculli, and Lionel Briand. 2017. A Model-Driven Approach to Trace Checking of
Pattern-based Temporal Properties. In Proc. MODELS2017. IEEE Computer Society, 323–333.
*
*

Why Model-driven
Trace Checking?
•OCL is a standardized constraint speciﬁcation language
•Supported by mature constraint checking technologies
•Existing Model-driven Trace Checking approaches have
shown to be efﬁcient
•For “simple” temporal logic properties [Dou et al.,
Models’17] and temporal properties with temporal
aggregation [Boufaied et al, ECMFA’19]
!23
Conjecture
A model-driven trace checking approach can analyze SBTPs on real
world execution traces within practical time limits

SB-TemPsy-Check
!24

Pre-processing
!25
Trace
PreProcessing
signal values are
recorded for every
simulation time
signal values are
recorded at different
simulation times
Preprocessed
Trace

Model-driven Trace Checking
•Two phases:
•Input preparation
•Constraint evaluation
!26

Input Preparation Phase (1)
!27
•Building an instance of trace meta-model from the pre-
processed trace
contains
Record
1..*
- signal ID
- Value
contains
Entry
1..*
Trace
- simulationTime

Input Preparation Phase (2)
!28
•Translating the SB-TemPsy-DSL property into an OCL
constraint
•A syntax-directed translation
•It covers all constructs of SB-TemPsy-DSL

!29
Constraint Evaluation
•Using the OCL checker to evaluate the OCL constraint on the
instance of the pre-processed trace
•It returns a Boolean verdict
•True: if the property holds on the execution trace
•False: otherwise

Time Complexity (1)
•The time complexity of our procedure depends on
• the size of the trace
•the OCL deﬁnitions for the different constructs of
SB-TemPsy-DSL
!30

•Time Complexity w.r.t trace size:
•Data Assertion: linear
•Other patterns: polynomial
!31
Time Complexity (1)

Evaluation

Evaluation
•Our evaluation focuses on two points:
•Expressiveness of SB-TemPsy-DSL (RQ1)
•Applicability of SB-TemPsy-Check in industrial settings
(RQ2)
!33

RQ1: Expressiveness of
SB-TemPsy-DSL
•To which extent can SB-TemPsy-DSL express requirements of
real-world, industrial CPS applications?
•How does it compare with state-of-the-art speciﬁcation
languages in terms of expressiveness?
!34

• We deﬁned 101 requirements in collaboration with a domain
expert of our industrial partner
• We tried to express these requirements in SB-TemPsy-DSL,
STL and SFO
!35
RQ1: Expressiveness of
SB-TemPsy-DSL

•SB-TemPsy-DSL: 98 out of 101 requirements
•STL: 59 requirements
•SFO: 101 requirements
!36
RQ1: Expressiveness of
SB-TemPsy-DSL

•Dataset: 18 traces
•Sizes range between 41K and 1.2M entries
•217 distinct combinations of traces/properties
•Comparison with the Breach tool
•State-of-the-art ofﬂine trace checking tool for STL
RQ2: SB-TemPsy-Check
Applicability
!37

RQ2: SB-TemPsy-Check
Applicability
!38
•87% of the runs: SBTemPsy-Check could complete within
practical time limits, with an average execution time of 48.7 s
•13% of the runs: SB-TemPsy-Check did not ﬁnish within the
timeout (120 minutes)
•“Event-based” scope
•“Order relationship between signals” pattern

!39
• We ran 110 common combinations of properties/traces among tools
• SB-TemPsy-Check ﬁnished within the timeout in ≈ 97% of the runs
• SB-TemPsy-Check was able to yield a verdict within 10 s in ≈ 99%
of the cases
• SB-TemPsy-Check is slower than Breach (max exec time for
Breach is 0.15 s)
• SB-TemPsy-Check supports the veriﬁcation of a much larger
set of property types
RQ2: SB-TemPsy-Check
Applicability

Discussion (1)
•SB-TemPsy represents a viable trade-off between:
•an expressive speciﬁcation language for SBTPs
•an efﬁcient trace-checking procedure
!40

•SB-TemPsy-DSL comes with a performance penalty
compared to STL
•SB-TemPsy and Breach complement each other:
•Check SBTPs that can be expressed in STL with Breach
•Check more complex SBTPs with SB-TemPsy
!41
Discussion (2)

Summing up…

!43
Trace-Checking
Signal-based Temporal Properties:
A Model-Driven Approach

Future work
•Extending SB-TemPsy-DSL with additional constructs
•Optimizing the OCL implementation
•Providing Trace Diagnostics information
!44

.lu
software veriﬁcation & validation
VVS
Trace-Checking
Signal-based Temporal Properties:
A Model-Driven Approach
Chaima BOUFAIED, Claudio MENGHI, Domenico BIANCULLI, Lionel BRIAND, Yago ISASI PARACHE

Trace-Checking
Signal-based Temporal Properties:
A Model-Driven Approach
!46

Trace-Checking Signal-based Temporal Properties: A Model-Driven Approach

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

Trace-Checking Signal-based Temporal Properties: A Model-Driven Approach

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Slide 36

Slide 37

Slide 38

Slide 39

Slide 40

Slide 41

Slide 42

Slide 43

Slide 44

Slide 45

Slide 46

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

8-top-ai-courses-for-customer-support-representatives-in-2025.pptx

7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx

25-essential-ai-courses-for-user-support-specialists-in-2025.pptx

8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx

Know for Certain

PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx