Abstract. In this paper we describe AMT, a tool for monitoring temporal properties of continuous signals. We first introduce STL/PSL, a specification formalism based on the industrial standard language PSL and the real-time temporal logic MITL, extended with constructs that allow describing behaviors of real-valued variables. The tool automatically builds property observers from an STL/PSL specification and checks, in an offline or incremental fashion, whether simulation traces satisfy the property. The AMT tool is validated through a Flash memory case-study.
Introduction
The algorithmic verification field has been centered around the decision procedures for model-checking temporal logic formulae. Temporal logic [MP95] is a rigorous specification formalism used to describe desired behaviors of the system. A number of efficient algorithms for translating temporal logic formulae into corresponding automata have been developed [VW86,SB00,GPVW95,GO01], resulting in the success of logics such as LTL and CTL and their common integration into main verification tools. The temporal logic-based formalisms were adopted by the hardware industry with the standard PSL [HFE04] specification language.
In order to reason about timed systems, a number of real-time formalisms have been proposed, either as extensions of temporal logics (MTL [Koy90], MITL [AFH96], TCTL [Y97]) or of regular expressions (timed regular expressions [ACM02]). However, unlike in the untimed case, there is no simple correspondence between these logics and the timed automata [AD94] used in the timed verification tools.
The verification in the continuous domain was made possible with the advent of hybrid automata [MMP92] as a model for describing systems that have continuous dynamics with switches, and of algorithms for exploring their state-space. Although a lot of progress has been made recently [ADF+06], scalability remains a major issue for the exhaustive verification of hybrid systems, due to the explosion of the state space. Moreover, property-based verification of hybrid systems is only at its beginning [FGP06].
Hence, the preferred validation method for continuous systems remains simulation/testing. However, it has been noted that the specification element of verification can be exported to the simulation through property monitors. The essence of this approach is the automatic construction of an observer from the formula in the form of a program that can be interfaced with the simulator and alert the user if the property is violated by a simulation trace. This process is much more reliable and efficient than visual (graphical or textual) inspection of simulation traces, or manual construction of property monitors.
This procedure is called lightweight verification, where the property monitor checks whether a finite set of traces satisfies the property specification. In the framework of software runtime verification, temporal logic has been used as the specification language in a number of monitoring tools, including Temporal Rover (TR) [Dru00], FoCs [ABG+00], Java PathExplorer (JPaX) [HR01] [MN04] and this paper. Finally, a case-study on the behaviour of a FLASH memory cell is conducted in order to validate the performance of the tool.
The rest of the document is organized as follows: in Section 2, we introduce the STL/PSL logic along with its semantic domain. Section 3 discusses the offline property checking algorithm from [MN04] and presents its incremental extension. The AMT tool is presented in Section 4 and Section 5 describes the Flash memory case-study. Finally, in Section 6 we conclude with a discussion on the achievements and future work.
Signals and Their Temporal Logic
The specification of properties of continuous signals requires an adaptation of the semantic domain and the underlying logic.
Signals
Let the time domain $\mathbb{T}$ be the set $\mathbb{R}_{\ge 0}$ of non-negative real numbers. A finite length signal $\xi$ over an abstract domain $D$ is a partial function $\xi : \mathbb{T} \to D$ whose domain of definition is $I = [0, r)$, $r \in \mathbb{Q}_{>0}$. We say that the length of the signal $\xi$ is $r$, and denote this fact by $|\xi| = r$. We use the notation $\xi[t] = \bot$ when $t \ge |\xi|$. In this paper, we restrict our attention to two particular types of signals, Boolean signals $\xi_b$ with $D = \mathbb{B}$, and continuous signals $\xi_a$ with $D = \mathbb{R}$.
We first present some signal properties that are independent of the signal domain. The restriction of a signal $\xi$ to length $d$ is defined as
The concatenation $\xi = \xi_1 \cdot \xi_2$ of two signals $\xi_1$ and $\xi_2$ defined over the intervals $[0, r_1)$ and $[0, r_2)$ is a signal over $[0, r_1 + r_2)$ defined as
The $d$-suffix of a signal $\xi$ is the signal $\xi' = d \backslash \xi$ obtained from $\xi$ by removing the prefix $\xi_d$ from $\xi$, that is,
The Minkowski sum and difference of two sets $P_1$ and $P_2$ are defined as
Signals can also be combined and separated using the standard operations of pairing and projection defined as
In particular, $\pi_p(\xi)$ will denote the projection of the signal $\xi$ on the dimension with domain $\mathbb{B}$ that corresponds to the proposition $p$ (and likewise $\pi_s(\xi)$ denotes the projection of the signal $\xi$ on the dimension with domain $\mathbb{R}$ corresponding to the continuous variable $s$). Unlike Boolean signals, continuous signals do not admit an exact finite representation. However, numerical simulators usually produce a finite collection of sampling pairs $(t, \xi_a[t])$ with $t$ ranging over some interval $[0, r) \subseteq \mathbb{T}$. This finite representation is in contrast to continuous signals defined as ideal mathematical objects consisting of an uncountable number of pairs $(t, \xi_a[t])$ for all $t \in [0, r)$. We adopt the approach of representing continuous signals of finite length by a finite set of sampling points. The signal value at the missing time instants $t \in (t_i, t_{i+1})$ corresponds to the interpolation between sample points
STL/PSL Specification Language
In this section we describe the STL/PSL logic, as an extension of the MITL [AFH96] and STL [MN04] logics. We use a layered approach in the fashion of PSL [HFE04], with the analog layer allowing reasoning about continuous signals and the temporal layer relating the temporal behavior of different input traces. The "communication" between the two layers is done via static abstractions that partition the continuous state space according to the satisfaction of some inequality constraints on the continuous variables.
Since STL/PSL is targeted for specifying properties to be used for lightweight verification over finite traces, we adopt the finitary interpretation used in PSL, by defining strong and weak forms of the temporal operators. The strong form of an operator requires the terminating condition to occur before the end of the signal, while the weak form makes no such requirements. In PSL for example, until! and until represent the strong and the weak forms of the until operator, respectively.
The analog layer of STL/PSL is defined by the following grammar:
where $s$ belongs to a set $S = \{s_1, s_2, \ldots, s_n\}$ of continuous variables, $\star \in \{+, -, *\}$, $c \in \mathbb{Q}$ and $k \in \mathbb{Q}_+$. Note that the analog operators defined above are the ones currently supported by the AMT tool; the set can easily be extended with new ones.
The semantics of the analog layer of STL/PSL is defined as an application of the analog operators to the input signal ξ:
The temporal layer of STL/PSL is defined as follows:
where $p$ belongs to a set $P = \{p_1, p_2, \ldots, p_n\}$ of propositional variables, $a, b, c \in \mathbb{Q}$ and $\bullet \in \{>, >=, <, <=\}$. Note that we include explicitly in the syntax weak and strong versions of the eventually operators.
The satisfaction relation $(\xi, t) \models \varphi$, indicating that the signal $\xi$ satisfies $\varphi$ at time $t$, is defined inductively as follows:
An STL/PSL specification $\varphi_{prop}$ is an STL/PSL temporal formula. The signal $\xi$ satisfies the specification $\varphi_{prop}$, denoted by $\xi \models \varphi_{prop}$, iff $(\xi, 0) \models \varphi_{prop}$. Note that our definition of the semantics of the until and timed until operators differs slightly from their conventional definition, since it requires a time instant $t$ where both $(\xi, t) \models \varphi_2$ and $(\xi, t) \models \varphi_1$. From the basic STL/PSL operators one can define the standard Boolean and temporal operators, namely always and weak until, as well as weak and strong forms of the timed always operators.
A large part of analog design is based on comparing waveforms (signals) with some reference signal that specifies a desired behavior. These notions are formalized using a distance function (metric) which quantifies numerically the resemblance of two signals. Mathematically speaking, a metric space is a pair $(X, d)$ such that $X$ is the domain and $d :$
There are many ways to define distance functions on waveforms: by taking the maximum of the pointwise distance at every time $t$, by summing/integrating the pointwise distance, etc. Once such a distance $d$ is defined, it can be used to define distance-based logical operators of the form $d(\xi, \xi') < c$ for some positive constant $c$. Below we define three such operators: the first is based on the maximal pointwise distance, while the two others are based on the metric defined in [KC06a], which "tolerates" large pointwise deviations between the two signals if they last for a time shorter than $t$ and occur at most once every $T - t$ time units. As one can see, these operators constitute syntactic sugar, as they can be expressed in STL/PSL.
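The analog layer on sampled signals, as an added example (this is not AMT's code nor the paper's; the helper names value_at, pointwise, abstract and max_pointwise_distance and the sample traces PW and S are my own constructions). It covers the representation of a continuous signal as a sample list interpolated linearly between samples (Section 2.1), pointwise analog operators such as s1 - s2 and abs(s) (Section 2.2), the static abstraction of a comparison s • c into a Boolean interval signal whose switching times are the interpolated level crossings, and the maximal pointwise distance underlying the first distance operator above.

```python
"""Analog layer of STL/PSL evaluated on sampled continuous signals.
Added example (not AMT's code): a continuous signal is a list of (t, value)
samples, and the value between two samples is the linear interpolation."""
from typing import Callable, List, Tuple

Sample = Tuple[float, float]
Signal = List[Sample]                   # sorted by time
Interval = Tuple[float, float, bool]    # [start, end) with a constant Boolean value


def value_at(sig: Signal, t: float) -> float:
    """Value at time t by linear interpolation between the enclosing samples."""
    for (t0, v0), (t1, v1) in zip(sig, sig[1:]):
        if t0 <= t <= t1:
            return v0 + (v1 - v0) * (t - t0) / (t1 - t0)
    raise ValueError(f"t={t} lies outside the sampled domain")


def pointwise(f: Callable[..., float], *sigs: Signal) -> Signal:
    """Apply an analog operator (s1 - s2, c*s, abs(s), ...) pointwise.
    Every operand is re-sampled by interpolation on the union of the sample
    times inside the common domain. For +, - and c*s the result is exact
    between samples; for abs and products it is an approximation with the
    same resolution as the simulator's sampling."""
    lo = max(s[0][0] for s in sigs)
    hi = min(s[-1][0] for s in sigs)
    times = sorted({t for s in sigs for t, _ in s if lo <= t <= hi})
    return [(t, f(*(value_at(s, t) for s in sigs))) for t in times]


def abstract(sig: Signal, cmp: Callable[[float, float], bool], c: float) -> List[Interval]:
    """Static abstraction of 'sig • c' into a Boolean signal over the domain.
    Between two samples the signal is linear, so the truth value of the
    comparison changes at most once, at the interpolated crossing of level c;
    the returned covering is minimal (adjacent equal values are merged)."""
    out: List[Interval] = []

    def push(a: float, b: float, v: bool) -> None:
        if a >= b:                      # empty piece (crossing exactly at a sample)
            return
        if out and out[-1][1] == a and out[-1][2] == v:
            out[-1] = (out[-1][0], b, v)
        else:
            out.append((a, b, v))

    for (t0, v0), (t1, v1) in zip(sig, sig[1:]):
        b0, b1 = cmp(v0, c), cmp(v1, c)
        if b0 == b1:
            push(t0, t1, b0)
        else:                           # v0 != v1 here, so the crossing is well defined
            tc = t0 + (c - v0) / (v1 - v0) * (t1 - t0)
            push(t0, tc, b0)
            push(tc, t1, b1)
    return out


def max_pointwise_distance(s1: Signal, s2: Signal) -> float:
    """d(s1, s2) = max over t of |s1[t] - s2[t]|. s1 - s2 is piecewise linear
    on the union of the sample times, so its absolute maximum is attained there."""
    return max(abs(v) for _, v in pointwise(lambda a, b: a - b, s1, s2))


# Constructed sample traces (not from the case study): a p-well voltage that
# ramps up to 6 V and back, and a source voltage tracking it closely.
PW: Signal = [(0.0, 0.0), (10.0, 6.0), (20.0, 6.0), (30.0, 0.0)]
S: Signal = [(0.0, 0.05), (10.0, 6.0), (20.0, 6.1), (30.0, 0.0)]

if __name__ == "__main__":
    print("pw > 5 holds on:", abstract(PW, lambda v, c: v > c, 5.0))
    print("max |s - pw| =", max_pointwise_distance(S, PW))
    print("|s - pw| < 0.1 abstracted:",
          abstract(pointwise(lambda a, b: abs(a - b), S, PW), lambda v, c: v < c, 0.1))
```

The Boolean interval signals produced by abstract are exactly the inputs the temporal layer's COMBINE procedure consumes; combining them with and/or/until is the marking procedure's job, not the analog layer's.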
Checking STL/PSL Properties
In this section we describe two algorithms for checking STL/PSL properties. Both algorithms are based on a process that we call marking, namely determining the truth value of each subformula at every time instant $t$. The marking is a doubly-recursive process going from the atomic propositions upward to the top formula and, due to the nature of future temporal logic, from truth values at time $t$ to truth values at time $t' \le t$. The marking process terminates when the value of the top formula at time 0 is determined.
Offline marking: This procedure assumes that the multi-dimensional input signal $\xi$ is already available; the marking procedure is applied to the entire signal, propagating the values of the subformulae backward at once, up to obtaining the truth value of the main formula.
Incremental marking: The incremental procedure updates the marking each time a new segment of the input signal is observed. It is useful for detecting early violation of an STL/PSL property and can be applied in parallel with the simulation process. It can also be used for monitoring real, rather than simulated, systems.
The offline marking procedure takes as arguments a temporal STL/PSL specification $\varphi_{prop}$ and the input signal $\xi$, which we treat as a global data structure and do not pass explicitly as an argument to the procedure. The algorithm computes, from the bottom up, a signal $\chi_\psi(\xi)$ for each subformula $\psi$ of $\varphi_{prop}$.
If $\psi$ is a temporal STL/PSL formula $\varphi$, $\chi_\varphi(\xi)$ is called the satisfaction signal. This signal satisfies $\chi_\varphi(\xi)[t] = 1$ iff $(\xi, t) \models \varphi$. If $\psi$ is a formula $\phi$ from the analog layer of STL/PSL, $\chi_\phi(\xi)$ is the result of applying the operator $\phi$ to the (continuous) signal $\xi$. Whenever the identity of $\xi$ is clear from the context, we will use the shorthand notation $\chi_\psi$.
The algorithm is decomposed into two methods, OFFLINE-T and OFFLINE-A, as shown in Algorithm 1, computing the $\chi_\psi$ corresponding to the formula $\psi$ from the temporal and the analog layer of STL/PSL, respectively. The top-level formula $\varphi_{prop}$ is monitored by invoking OFFLINE-T($\varphi_{prop}$).
Algorithm 1: OFFLINE-T and OFFLINE-A
    ...
    case OP1(ϕ1)
        OFFLINE-T(ϕ1); χ_ϕ := COMBINE(OP1, χ_ϕ1);
    end
    case OP2(ϕ1, ϕ2)
        OFFLINE-T(ϕ1); OFFLINE-T(ϕ2); χ_ϕ := COMBINE(OP2, χ_ϕ1, χ_ϕ2);
    end
  end
input: STL/PSL Analog Formula φ and signal ξ
  switch φ do
    case s
        χ_φ := π_s(ξ);
    end
    case OP1(φ1)
        OFFLINE-A(φ1);
    ...
Most of the work is done in the COMBINE procedure, which takes one or two signals (possibly of different length) and computes from them a new signal according to the specific operation. The approach is based on [MN04], with some extensions to deal with both strong and weak operators. We illustrate the procedure on a few representative operations.
$\chi_\varphi := \mathrm{COMBINE}(\mathrm{or}, \chi_{\varphi_1}, \chi_{\varphi_2})$: For the disjunction we first construct a refined interval covering $\mathcal{I} = \{I_1, \ldots, I_k\}$ for $\chi_{\varphi_1} \| \chi_{\varphi_2}$ so that the values of both signals are uniform in every interval. Then we compute the disjunction intervalwise, that is, $\varphi(I_i) = \varphi_1(I_i) \vee \varphi_2(I_i)$. Finally we merge adjacent intervals having the same Boolean value to obtain the minimal interval covering $\mathcal{I}_{\chi_\varphi}$.
Incremental marking is performed using a kind of piecewise-online procedure invoked each time a new segment of $\xi$, denoted by $\Delta_\xi$, is observed. For each subformula $\psi$ the algorithm stores its already-computed associated signal, partitioned into a concatenation of two signals $\chi_\psi \cdot \Delta_\psi$, with $\chi_\psi$ consisting of values already propagated to the super-formula of $\psi$, and $\Delta_\psi$ consisting of values that have already been computed but have not yet been propagated to the super-formula and can still influence it.
Initially all signals are empty. Each time a new segment $\Delta_\xi$ is read, a recursive procedure similar to the offline one is invoked, which updates every $\chi_\psi$ and $\Delta_\psi$ from the bottom up. The difference with respect to the offline algorithm is that only the segments of the signal that have not yet been propagated upwards participate in the update of their super-formulae. This may result in a considerable saving when the signal is very long. As an illustration, consider $\psi = \mathrm{OP}(\psi_1, \psi_2)$ and the corresponding truth signals of Figure 2-(a). Before the update we always have $|\chi_\psi \cdot \Delta_\psi| = |\chi_{\psi_1}| = |\chi_{\psi_2}|$: the parts $\Delta_{\psi_1}$ and $\Delta_{\psi_2}$ that may still affect $\psi$ are those that start at the point from which the value of $\chi_\psi$ is still unknown. We apply the COMBINE procedure to $\Delta_{\psi_1}$ and $\Delta_{\psi_2}$ to obtain a new (possibly empty) segment $\alpha_\psi$ of $\Delta_\psi$. This segment is appended to $\Delta_\psi$ in order to be propagated upwards, but before that we need to shift the borderline between $\chi_{\psi_1}$ and $\Delta_{\psi_1}$ (as well as between $\chi_{\psi_2}$ and $\Delta_{\psi_2}$) in order to reflect the update of $\Delta_\psi$. The procedure is detailed in Algorithm 2.
Note that if $\chi_{\varphi_{prop}}$ becomes determined for time 0, the incremental procedure can be stopped. The finitary interpretation of the temporal operators is used only if $\chi_{\varphi_{prop}}$ has not been determined by the end of the simulation.
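To make the χ/∆ bookkeeping concrete, here is an added example in Python (it is not AMT's code; the interval representation, the COMBINE for pointwise binary operators and the Node/monitor names are my own assumptions). It implements the offline COMBINE for disjunction described above, and the incremental update for a pointwise operator ψ = OP(ψ1, ψ2): each subformula keeps χ_ψ · ∆_ψ, a new piece α_ψ is computed from ∆_ψ1 and ∆_ψ2, and the χ/∆ borderline of both operands is shifted to the end of α_ψ. Temporal operators (until, eventually), whose α_ψ can lag behind the inputs, are not covered, so with pointwise operators alone the verdict at time 0 is reached as soon as the first segment covers it.

```python
"""Offline COMBINE and incremental χ·∆ marking for pointwise operators.
Added example (not AMT's code). A Boolean signal is a list of (start, end, value)
triples with end exclusive, adjacent, and merged into a minimal covering; time
stamps are absolute, so a ∆-segment starting at t > 0 is simply a suffix."""
from typing import Callable, Dict, List, Optional, Tuple

Interval = Tuple[float, float, bool]
Signal = List[Interval]
BinOp = Callable[[bool, bool], bool]


def merge(sig: Signal) -> Signal:
    """Drop empty intervals and fuse neighbours carrying the same value."""
    out: Signal = []
    for s, e, v in sig:
        if s >= e:
            continue
        if out and out[-1][1] == s and out[-1][2] == v:
            out[-1] = (out[-1][0], e, v)
        else:
            out.append((s, e, v))
    return out


def value_at(sig: Signal, t: float) -> Optional[bool]:
    """Value at time t; None stands for ⊥ (t outside the signal's domain)."""
    return next((v for s, e, v in sig if s <= t < e), None)


def split(sig: Signal, d: float) -> Tuple[Signal, Signal]:
    """Cut at time d: (restriction to [.., d), d-suffix)."""
    before = [(s, min(e, d), v) for s, e, v in sig if s < d]
    after = [(max(s, d), e, v) for s, e, v in sig if e > d]
    return merge(before), merge(after)


def combine(op: BinOp, s1: Signal, s2: Signal) -> Signal:
    """COMBINE for a pointwise binary operator (or, and, ...): refine to the
    covering on which both operands are constant, apply op on every piece,
    then merge. Where one operand is ⊥ the result is ⊥, so the output ends
    at the shorter operand."""
    if not s1 or not s2:
        return []
    lo, hi = max(s1[0][0], s2[0][0]), min(s1[-1][1], s2[-1][1])
    if lo >= hi:
        return []
    pts = sorted({p for s, e, _ in s1 + s2 for p in (s, e) if lo <= p <= hi})
    return merge([(a, b, op(value_at(s1, a), value_at(s2, a)))
                  for a, b in zip(pts, pts[1:])])


class Node:
    """Subformula ψ with its marking kept as χ_ψ · ∆_ψ: χ_ψ is already
    propagated to the super-formula, ∆_ψ is computed but not yet consumed."""

    def __init__(self, name: str = "", op: Optional[BinOp] = None,
                 left: "Optional[Node]" = None, right: "Optional[Node]" = None):
        self.name, self.op, self.left, self.right = name, op, left, right
        self.chi: Signal = []
        self.delta: Signal = []

    def marking(self) -> Signal:
        return merge(self.chi + self.delta)

    def consume(self, d: float) -> None:
        """Shift the χ/∆ borderline: everything before d is now propagated."""
        done, self.delta = split(self.delta, d)
        self.chi = merge(self.chi + done)

    def update(self, segment: Dict[str, Signal]) -> None:
        """INCREMENTAL-T step for a new input segment ∆_ξ (one signal per proposition)."""
        if self.op is None:                          # atomic p: ∆_p := ∆_p · π_p(∆_ξ)
            self.delta = merge(self.delta + segment.get(self.name, []))
            return
        self.left.update(segment)
        self.right.update(segment)
        alpha = combine(self.op, self.left.delta, self.right.delta)   # α_ψ
        if alpha:
            self.delta = merge(self.delta + alpha)
            self.left.consume(alpha[-1][1])          # both operands used up to |α_ψ|
            self.right.consume(alpha[-1][1])


def monitor(root: Node, segments: List[Dict[str, Signal]]) -> Tuple[Optional[bool], int]:
    """Feed segments in order; stop as soon as χ_ϕprop is determined at time 0.
    Returns (verdict, or None if undetermined; number of segments read)."""
    for n, seg in enumerate(segments, 1):
        root.update(seg)
        verdict = value_at(root.marking(), 0.0)
        if verdict is not None:
            return verdict, n
    return None, len(segments)


def OR(a: bool, b: bool) -> bool:
    return a or b


if __name__ == "__main__":
    # Constructed traces of p and q over [0, 5), delivered in two increments.
    increments = [{"p": [(0.0, 2.0, True)], "q": [(0.0, 1.0, False)]},
                  {"p": [(2.0, 5.0, False)], "q": [(1.0, 3.0, True), (3.0, 5.0, False)]}]
    print("p or q:", monitor(Node(op=OR, left=Node("p"), right=Node("q")), increments))
```

Feeding the whole trace as a single segment gives the offline procedure: the marking obtained that way is the same as the one accumulated increment by increment, which is the property the incremental algorithm must preserve.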
Overview of the AMT tool
AMT is a stand-alone tool with a graphical user interface which implements the above algorithms on sampled continuous signal inputs. AMT was written in C++ for GNU/Debian Linux x86 machines. The user interface is based on the Qt library, while Qwt was used for visualizing plots.
Algorithm 2: INCREMENTAL-T and INCREMENTAL-A
input: STL/PSL Temporal Formula ϕ and increment ∆_ξ
    ...
        ∆_ϕ2 := d\∆_ϕ2
      end
  end
input: STL/PSL Analog Formula φ and increment ∆_ξ
  switch φ do
    case s
        ∆_φ := ∆_φ · π_s(∆_ξ);
    end
    case OP1(φ1)
        INCREMENTAL-A(φ1);
    ...
The main window of the application is partitioned into five frames that allow the user to manage STL/PSL properties and input signals, evaluate the correctness of the simulation traces with respect to a specification and finally visualize the results. The property edit frame contains a text editor for writing, importing and exporting STL/PSL specifications, which are then translated into an internal data structure based on the parse-tree of the formula stored in the property list frame. An STL/PSL specification is imported into the property evaluation frame for its monitoring with respect to a set of input simulation traces, in either offline or incremental modes. The static import of the input traces is done via the signal list frame. The imported input signals, as well as signals associated to the subformulae of a specification can be visualized by the user from the signal plots frame. A screenshot of the main window is shown in Figure 3. 
Property Management
The specifications in AMT are written in a simple editor with syntax highlighting for the extended STL/PSL language described below. An STL/PSL specification is then transformed into a structure adapted for monitoring, following the parse tree of the formula. The user can hold more than one specification ready for evaluation in the property list frame.
Fig. 3. AMT Main Window
Property Format
The AMT tool extends the STL/PSL language described in Section 2.2 with additional constructs that simplify the process of property specification. Each top-level STL/PSL property is declared as an assertion, and a number of assertions can be grouped into a single logical unit in order to monitor them together. We also add a define directive which allows the user to declare a formula, give it a name, and then refer to it as a variable within the assertions. The extended STL/PSL is defined by the following production rules:
stl_psl_prop :== vprop NAME { { define_directive } { assert_directive } }
define_directive :== define b:NAME := stl_psl_property | define a:NAME := analog_expression
assert_directive :== NAME assert : stl_psl_property
where stl_psl_property and analog_expression correspond to ϕ and φ from Section 2.2, respectively.
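A parser for the vprop wrapper above, as an added example (not AMT's own parser). It assumes one directive per line with the closing brace on its own line, which the production rules do not prescribe, and it keeps the stl_psl_property and analog_expression bodies as opaque strings, so the operator syntax inside the sample bodies is hypothetical. Beyond extracting the structure it enforces two things the grammar implies: defines come before asserts, and a defined name is declared once; the unused_defines helper is an extra lint of my own.

```python
"""Parser for AMT's extended STL/PSL property format (vprop / define / assert).
Added example, not AMT's code. Assumptions: one directive per line, closing
brace on its own line, property/expression bodies treated as opaque text."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class VProp:
    name: str
    defines: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # NAME -> (layer 'a'|'b', body)
    asserts: List[Tuple[str, str]] = field(default_factory=list)       # (NAME, stl_psl_property)


HEADER = re.compile(r"^vprop\s+(\w+)\s*\{$")
DEFINE = re.compile(r"^define\s+([ab]):(\w+)\s*:=\s*(.+)$")
ASSERT = re.compile(r"^(\w+)\s+assert\s*:\s*(.+)$")


def parse_vprop(text: str) -> VProp:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = HEADER.match(lines[0]) if lines else None
    if head is None or lines[-1] != "}":
        raise SyntaxError("expected 'vprop NAME {' ... '}'")
    prop = VProp(head.group(1))
    in_asserts = False                      # grammar: all defines precede the asserts
    for ln in lines[1:-1]:
        if (m := DEFINE.match(ln)) and not in_asserts:
            layer, name, body = m.groups()
            if name in prop.defines:
                raise SyntaxError(f"duplicate define {name!r}")
            prop.defines[name] = (layer, body)
        elif (m := ASSERT.match(ln)):
            in_asserts = True
            prop.asserts.append((m.group(1), m.group(2)))
        else:
            raise SyntaxError(f"unrecognised directive: {ln!r}")
    return prop


def is_valid(text: str) -> bool:
    """True iff the text parses under the rules above."""
    try:
        parse_vprop(text)
        return True
    except SyntaxError:
        return False


def unused_defines(prop: VProp) -> Set[str]:
    """Defined names that no assertion and no other define refers to."""
    uses = [(None, body) for _, body in prop.asserts]
    uses += [(n, body) for n, (_, body) in prop.defines.items()]
    return {n for n in prop.defines
            if not any(re.search(rf"\b{n}\b", body) for owner, body in uses if owner != n)}


# Constructed sample (hypothetical body syntax; the names are not from the case study).
SAMPLE = """
vprop erase_check {
  define b:erasing := wl < -6 and pw > 5
  define a:src_diff := abs(s - pw)
  define b:unused_flag := bl > 0
  erase_ok assert : always (erasing -> src_diff < 0.1)
}
"""

if __name__ == "__main__":
    parsed = parse_vprop(SAMPLE)
    print(parsed)
    print("unused defines:", unused_defines(parsed))
```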
Property Evaluation
The correctness of an STL/PSL specification with respect to input traces is monitored through the property evaluation frame. The frame shows the set of assertions in a tree view, following the parse structure of the formula. The user can choose between offline and incremental evaluation of the specification. In the offline case, the input signals are fetched from the signal list frame and the assertions are checked with respect to them. If one or more signals are missing, the monitoring procedure still tries to evaluate the property, but without guaranteeing a conclusive result.
For the incremental procedure, AMT acts as a server that waits for a connection from a simulator. Once the connection is established, the simulator sends input segments incrementally. The monitor alternates between reception of new input segments and incremental evaluation of the assertions. The user can configure the timeout value that defines the period between two consecutive evaluations; in between, the monitor accumulates the input received from the simulator. There are three ways to end the incremental monitoring procedure: 1) all assertions become determined, and AMT stops the evaluation and closes the connection with the simulator; 2) the special termination packet is received from the simulator; 3) the user explicitly stops the procedure via the GUI.
AMT shows the evaluation result of an assertion visually, using a different color scheme for undetermined, correct and incorrect assertions. Each subformula of the specification has a signal associated with it, which can be visualized within the signal plots frame. The visualization of the associated signals can be used to understand why an assertion holds or fails. During incremental evaluation, all the signals within the signal plots frame are updated in real time as new results are computed. The user can switch off the accumulation of intermediate results for better memory performance, thus discarding signals as soon as they are no longer needed for the evaluation of super-formulae. In that case, the only output of the tool is the final answer.
Signal Management
The signals in AMT can be either continuous or Boolean. Signals are input traces that can be imported into the tool in an offline or incremental fashion, but signals are also associated to each subformula of an STL/PSL specification. The user can visualize them from the signal plots frame.
Offline Signal Input
Incremental Signal Input
Signals can be imported incrementally into AMT via a simple TCP/IP protocol. A simulator that produces input signals needs to connect to AMT during the incremental evaluation and send packets containing signal updates to the tool. The packets can be either Boolean or continuous signal updates, or a special termination packet, informing the tool that the simulation is over.
A FLASH Memory Case Study
The subject of the case study is the "Tricky" technology FLASH memory test chip in a 0.13 µm process developed at ST Microelectronics Italy. The FLASH memory presents an advantage for the analog case study, in that it is a digital system whose logical behavior is implemented at the analog level; hence it is a good link between the analog and the digital world. For lightweight verification, the system under test is seen as a black box, and we do not need to know further details about the underlying chip architecture. The memory cell can be in one of the programming, reading or erasing modes. The correct functioning of the chip at the analog level in a given mode is determined by the behavior of a number of signals extracted during the simulation:
The memory cell was simulated in the programming and the erasing modes for the case study, with simulation times of 5000 µs and 30000 µs respectively. Four STL/PSL properties were written to describe the correct behavior of the cell in the programming mode and one property in the erasing mode. The AMT monitoring was done on a Pentium 4 HT 2.4 GHz machine with 2 GB of memory. All the properties were found to be correct with respect to the input traces.
A detailed description of the properties and the monitoring results can be found in [NMF+06]. As an example, we consider the erasing property. The informal description of the property first defines the erasing condition, which is characterized by the wordline signal wl being lower than −6 and the p-well pw being above 5. Whenever the erasing condition holds, the pointwise distance between the source s and p-well pw voltages has to be smaller than 0.1, and the value of pw should not exceed the value of the bitline bl by more than 0.83. The corresponding STL/PSL specification is:
Figure 4 shows some of the representative signals of the erasing property. We can see that, whenever the erasing condition in Figure 4 (e) holds (the region between the two dashed lines), the pointwise distance between s and pw remains smaller than 0.1 (Figure 4 (h)) and the difference between bl and pw stays above the −0.83 threshold.
Tool Evaluation
The time and space requirements of AMT were studied with both the offline and the incremental algorithms. The complexity of the algorithm used in AMT is shown to be $O(k \cdot m)$ in [MN04], where $k$ is the number of sub-formulae and $m$ is the number of intervals. Table 1 shows the size of the input signals (number of intervals). We can see that the erasing mode simulation generated inputs 10 times larger than the programming mode simulation. Table 2 shows the evaluation results for the offline procedure of the tool. Monitoring the properties for the programming mode required less than half a second; only the erasing property took more than 2 seconds, as it was tested against a larger simulation trace. We can also see that the evaluation time is linear in the number of intervals generated by the procedure, and can deduce that the procedure evaluates about 1,000,000 intervals per second.
The execution times of the incremental algorithm are less meaningful because the procedure works in parallel with the simulator which, in most cases, is much more computationally demanding. In fact, one major attraction of the incremental procedure is the ability to detect a property violation in the middle of the simulation and save simulation time. Another advantage of the incremental algorithm is its reduced space requirement, as we can discard parts of the simulation after they have been fully used. Table 3 compares the memory consumption of the offline and incremental procedures. For the former we take the total number of intervals generated by the tool, while for the latter we take the maximal number of intervals kept simultaneously in memory. We can see that this ratio varies a lot from one property to another, going from 0.01% up to 70%. The general observation is that pointwise operators require less memory in the incremental mode, while properties involving the nesting of untimed temporal properties often fail to discard their inputs until the end of the simulation.
Conclusions
The main contribution of this paper is the implementation of the AMT tool, which monitors temporal properties of continuous and mixed signals. The specification language supported by the tool for describing desired behaviors of continuous signals is STL/PSL, a subset of PSL properly extended to express sequential properties of such signals. The monitoring algorithms used by AMT are the offline marking procedure from [MN04] and its incremental extension described in this paper. The tool is integrated with numerical simulators by supporting some standard input formats for continuous simulations and by direct communication between the two using a simple protocol built on top of TCP/IP. AMT was validated through a FLASH memory case-study. The results show that the tool can be effectively used in both its offline and incremental modes. A number of interesting properties concerning the transient behavior of continuous signals were described in STL/PSL. Combinations of operators from the analog and temporal layers allow expressing properties such as ramp detection in an input trace, conditional distance-based comparisons between a reference and an input signal, or the stabilization of an input signal around an arbitrary value. The main class of properties that cannot be expressed in STL/PSL is that of properties dealing with the frequency spectrum of signals. A typical English specification of such a property would be "At least 60% of the energy power spectrum of a signal is within its frequency band between 300 and 1500 Hz". We hope to introduce such properties into future versions of the tool.
