The RV System Tutorial

Size: px

Start display at page:

Download "The RV System Tutorial"

Carmel Manning
5 years ago
Views:

1 The RV System Tutorial Patrick Meredith and Grigore Rosu joint work with Feng Chen, Dongyun Jin, Dennis Griffith, Michael Ilseman Runtime Verification, Inc. University of Illinois

2 The RV System!"#$%&'(%)!"#*)+,'-(!9&('/+ $%&'(%)'&<1 7&8()9/+&(3('%&!3-+14+(+-('%& *3)3/+()'- ;2'-'&<1 *)+,'-('%&1 =%<<'&<1.86+-( =%<<'&< :398321;2'-'&<.(%/'-'(01 "'%23('%&1 4+(+-('%& *)+,'-('%&1 $%&'(%)1='>)3)0 5+&+)'-1*)%6+)(0 4+(+-('%& New Version of JavaMOP Fig. 1. System Overview New Version of jpredictor Combines Runtime Monitoring and Predictive Analysis 2

3 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

4 Why Monitoring Monitoring is well-adopted in many engineering disciplines Fuses, watchdogs, fire-alarms, etc. Monitoring adds redundancy Increases reliability, robustness and confidence in correct behavior, reduces risk Provably correct systems can fail, too Unexpected environment, wrong/strong assumptions, hardware or OS errors, etc.

5 Applications of Monitoring Debugging Development Error messages Testing Development Error messages Security/Reliability/Robustness/ Production Recovery mechanisms Programming Paradigm Production General actions

6 Runtime Monitoring Systems (a few of them) 2001 MAC (UPenn), PAX (NASA), TimeRover (commercial) HAWK/Eagle (NASA), MOP (UIUC), POTA (UTA) 2005: PQL (Stanford) Tracematches (Oxford) PTQL (Berkeley/Stanford/Novell) Pal (UPenn) RuleR (Manchester) many others

7 FailFast Iterator Following code throws exception in Java (FailFast): Vector v = new Vector(); Iterator i = v.iterator(); v.add(new Integer(2)); while (i.hasnext()) FailFast: if the underlying vector is changed when an iterator is used for enumerating elements, the iterator fails. However

8 MOP Example: Safe Enumeration No exception raised if one uses Enumeration instead of Iterator Java language decision, showing that SafeEnum(Vector v, Enumeration+ e) { event create after(vector v) returning(enumeration e):... event updatesource after(vector v) :... event next before(enumeration e) :... ere : create next* updatesource+ { System.out.println( Failed Enumeration!"); } } > 250 AspectJ LOC generated

9 Complexity of SafeEnum Tricky to check SafeEnum manually Two counters needed, one in the vector (the current timestamp) and the other in the enumeration (the vector s timestamp when creating the enumeration). Accesses to vector / enumerator can be scattered all over the code, both in program and in libraries Accesses to vector s counter must be synchronized Every implementation of the Enumeration interface should repeat the above work

10 Example of Unsafe Enumeration Bug found in jhotdraw Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); The underlying vector should not be changed when one of its enumerations is being used!

11 Example of Unsafe Enumeration Bug found in jhotdraw May cause unexpected behaviors, e.g., a NoSuchElement Exception or some errors later. Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); The underlying vector should not be changed when one of its enumerations is being used!

12 RV-Monitor (Based on Monitoring Oriented Programming - MOP) A generic runtime verification framework - proposed in 2003 RV 03, ICFEM 04, RV 05, CAV 05, TACAS 05, CAV 06, CAV 07, OOPSLA 07, ASE 08, RTSS 08, AOSD 08,TACAS 09,

13 What RV-Monitor Supports Observe a run of a system Requires instrumentation Can be offline or online Check it against desired properties Specified using patterns or in a logical formalism React/Report (if needed) Error messages Recovery mechanisms General code

14 RV-Monitor Model Program Execution

15 RV-Monitor Model Program Execution Observation/Abstraction Abstract Trace

16 RV-Monitor Model Program Execution Observation/Abstraction Abstract Trace Monitors Verification M 1 M 2 M 3

17 RV-Monitor Model Program Execution Observation/Abstraction Action Abstract Trace Monitors Verification M 1 M 2 M 3 Action

18 RV-Monitor Model Program Execution Observation/Abstraction Action Abstract Trace Monitors Verification M 1 M 2 M 3 Action Monitors verify abstract traces against desired properties; can be dynamically created or destroyed

19 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

20 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

21 Monitor Synthesis Program Execution Observation/Abstraction Action Abstract Trace Monitors Verification M 1 M 2 M 3 Action

22 Monitor Synthesis Program Execution Observation/Abstraction Action Abstract Trace Monitors Verification M 1 M 2 M 3 Action How do we generate efficient monitors?

23 MOP: Extensible Logic Framework Generic in specification formalisms Logic plugin: plugable monitor synthesis components for different logics Already provides plugins for many logics FSM (Finite State Machine), ERE (extended regular expressions), PTLTL (Past-time LTL), FTLTL (Future-time LTL), ATL (Allen temporal logic), JML (Java modeling language), PtCaRet (Past-time Call/Return), CFG (Context-free grammars), The desired property can be arbitrarily complex: Raw specifications

24 FSM Plugin Finite State Machine Easy to use, yet powerful Many approaches/users encode important properties directly in finite state machines, e.g., Typestates Monitoring FSM Direct translation from an FSM specification to a monitor

25 ERE Plugin Extended Regular Expressions Regular expressions Widely used in programming, easy to master for ordinary programmers Existing monitor synthesis algorithm Extended regular expressions Extend regular exps with complement (negation) Specify properties non-elementarily more compactly More complicated to monitor

26 LTL Plugins Linear Temporal Logic MOP includes both a past-time plugin (PTLTL) and an over-all LTL plugin for LTL PTLTL uses a dynamic programming algorithm, low resources, suitable for hardware LTL uses a translation through alternating automata. Semantics of past is different than PTLTL

27 CFG Plugins Context-Free Grammar Most systems support finite state monitors Regular languages Linear temporal logics These cannot monitor structured properties: 21

28 CFG Plugins Context-Free Grammar Most systems support finite state monitors Regular languages Linear temporal logics These cannot monitor structured properties: 21

29 GLR Parsing Yields CFG Monitors Reads input Left to right, produces Rightmost derivation; table driven Bottom-up parsing keeps stack with the current, and previous states Efficient Handles all context-free grammars, even those with ambiguity Makes it a good candidate for CFG monitor synthesis! 22

30 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

31 MOP Monitoring Model Program Execution Observation/Abstraction Action Abstract Trace Monitors Verification M 1 M 2 M 3 Action Monitors can be dynamically created or destroyed Parametric monitoring

32 Parametric Properties Needed, but hard to monitor efficiently Parameters SafeEnum(Vector v, Enumeration+ e) { event create after(vector v) returning(enumeration e):... event updatesource after(vector v) :... event next before(enumeration e) :... } ere : create next* updatesource+ { System.out.println( Failed Enumeration!"); }

33 Safe Enumeration as Parametric Property Usage pattern (using regular expressions) of three events updatesource(v) : change vector v create(v,e) : create enumeration e from vector v next(e) : use enumeration e Monitor next updatesource 0 create updatesource 1 2 next 3 Violation state

34 Monitoring Safe Enum Main Thread: Task Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); v.remove(0); next updatesource 0 create updatesource 1 2 next 3

35 Monitoring Safe Enum Main Thread: Task Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); v.remove(0); next updatesource 0 create updatesource 1 2 next 3

36 Monitoring Safe Enum Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); create next updatesource 0 create updatesource 1 2 next 3

37 Monitoring Safe Enum Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); create next updatesource 0 create updatesource 1 2 next 3

38 Monitoring Safe Enum Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); create next updatesource 0 create updatesource 1 2 next 3

39 Monitoring Safe Enum Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); create updatesource next updatesource 0 create updatesource 1 2 next 3

40 Monitoring Safe Enum Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); create updatesource next updatesource 0 create updatesource 1 2 next 3

41 Monitoring Safe Enum Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); create updatesource next next updatesource 0 create updatesource 1 2 next 3

42 Monitoring Safe Enum Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); create updatesource next next updatesource 0 create updatesource 1 2 next 3

43 Lack of Parameters Leads to False Alarms Main Thread: Task Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); v.remove(0);

44 Lack of Parameters Leads to False Alarms Main Thread: Task Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); v.remove(0); v2.remove(0);

45 Lack of Parameters Leads to False Alarms Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); v2.remove(0); create updatesource next

46 Lack of Parameters Leads to False Alarms Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); v2.remove(0); create updatesource next Appear to be a violation but it is not; false alarm!

47 Adding Parameters to Events Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v2.remove(0);

48 Adding Parameters to Events Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v2.remove(0); create(v, e) update(v2) next(e)

49 Adding Parameters to Events Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); v2.remove(0); create(v, e) update(v2) update(v) next(e)

50 Adding Parameters to Events Main Thread: Vector v = //initialization; Enumeration e = v.elements(); Object obj = e.nextelement(); Task Thread: v.remove(0); v2.remove(0); create(v, e) update(v2) update(v) next(e) Parametric traces: traces containing events with parameters; Abundant in practice, especially in object-oriented programs

51 Checking Parametric Traces

52 Checking Parametric Traces parametric trace updatesource(v1) create (v1,e1) updatesource(v2) next(e1) create(v1,e2) updatesource(v1) next(e1)

53 Checking Parametric Traces parametric trace updatesource(v1) non-parametric monitor create (v1,e1) updatesource(v2) next(e1) create(v1,e2) updatesource(v1) 0 3 next create 1 updatesource next 2 updatesource next(e1)

54 Checking Parametric Traces parametric trace updatesource(v1) non-parametric monitor create (v1,e1) updatesource(v2) next(e1) create(v1,e2) updatesource(v1) 0 3 next create 1 updatesource next 2 updatesource next(e1)

55 Checking Parametric Traces parametric trace updatesource(v1) parametric monitor create (v1,e1) updatesource(v2) next(e1) create(v1,e2) updatesource(v1) 0 3 next create 1 updatesource next 2 updatesource next(e1)

56 Parametric Monitors Other approaches: Monolithic (centralized) monitors Tracematches [Oxford], Program Query Language (PQL) [Stanford], Eagle [NASA], etc. Bound to specific formalisms/checking mechanisms Limited expressiveness, specific to application domains Our solution: decentralized monitors Formalism-independent, works with any formalism More expressive, adaptive to different domains Facilitates optimization (separation of concerns) Evaluation shows better performance

57 Parametric Trace Slicing updatesource(v1) create create (v1,e1) updatesource(v2) next(e1) create(v1,e2) updatesource(v1) next(e1) For given parameters (v, e)

58 Parametric Trace Slicing v1, e1 v1, e2 v2, e1 v2, e2 updatesource(v1) create create (v1,e1) updatesource(v2) next(e1) create(v1,e2) updatesource(v1) next(e1) For given parameters (v, e)

59 Parametric Trace Slicing v1, e1 v1, e2 v2, e1 updatesource(v1) create create (v1,e1) updatesource(v2) next(e1) create(v1,e2) updatesource(v1) next(e1) For given parameters (v, e)

60 Parametric Trace Slicing v1, e1 v1, e2 v2, e1 updatesource(v1) updatesource create (v1,e1) create updatesource(v2) next(e1) next create(v1,e2) updatesource(v1) updatesource next(e1) next For given parameters (v, e)

61 Parametric Trace Slicing v1, e1 v1, e2 v2, e1 updatesource(v1) updatesource create (v1,e1) updatesource(v2) next(e1) create trace slice next create(v1,e2) updatesource(v1) updatesource next(e1) next For given parameters (v, e)

62 Parametric Trace Slicing v1, e1 v1, e2 v2, e1 updatesource(v1) updatesource updatesource create (v1,e1) create updatesource(v2) next(e1) trace slice next updatesource next create(v1,e2) create updatesource(v1) updatesource next(e1) next next For given parameters (v, e)

63 Naive monitoring of Parametric Traces Every parametric trace contains multiple nonparametric trace slices, each corresponding to a particular parameter binding next updatesource 0 create updatesource 1 2 next 3 next updatesource 0 create updatesource 1 2 next 3

64 Naive monitoring of Parametric Traces Every parametric trace contains multiple nonparametric trace slices, each corresponding to a particular parameter binding next updatesource v1, e1 0 create updatesource 1 2 next 3 next updatesource v1, e2 0 create updatesource 1 2 next 3

65 Parametric Trace Slicing - Challenges v1, e1 v1, e2 v2, e1 update(v1) update update createenum(v1,e1) createenum update(v2) update useenum(e1) useenum useenum createenum(v1,e2) createenum update(v1) update useenum(e1) useenum useenum For given parameters (v, e)

66 Parametric Trace Slicing - Challenges v1, e1 v1, e2 v2, e1 update(v1) update update createenum(v1,e1) How createenum to do it efficiently? update(v2) update useenum(e1) useenum useenum createenum(v1,e2) createenum update(v1) update useenum(e1) useenum useenum For given parameters (v, e)

67 Parametric Trace Slicing - Challenges v1, e1 v1, e2 v2, e1 update(v1) update update createenum(v1,e1) How createenum to do it efficiently? update(v2) update useenum(e1) createenum(v1,e2) useenum createenum useenum What if the trace is not complete? update(v1) update useenum(e1) useenum useenum For given parameters (v, e)

68 Online Parametric Trace Slicing Online: process events as receiving them and do not look back for the previous events Efficient Scan the trace once Events discarded immediately after being processed What information should be kept for the unknown future?

69 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

70 Slicing Example For given parameters (v, e)

71 Slicing Example v1 update(v1) update For given parameters (v, e)

72 Slicing Example v1 v1, e1 update(v1) update createenum(v1,e1) For given parameters (v, e)

73 Slicing Example v1 v1, e1 update(v1) update update createenum(v1,e1) For given parameters (v, e)

74 Slicing Example v1 v1, e1 update(v1) update update createenum(v1,e1) createenum For given parameters (v, e)

75 Slicing Example v1 v1, e1 v2 update(v1) update update createenum(v1,e1) createenum update(v2) update For given parameters (v, e)

76 Slicing Example v1 v1, e1 v2 e1 update(v1) update update createenum(v1,e1) createenum update(v2) update useenum(e1) useenum For given parameters (v, e)

77 Slicing Example v1 v1, e1 v2 e1 update(v1) update update createenum(v1,e1) createenum update(v2) update useenum(e1) useenum useenum For given parameters (v, e)

78 Slicing Example v1 v1, e1 v2 e1 v2, e1 update(v1) update update createenum(v1,e1) createenum update(v2) update useenum(e1) useenum useenum For given parameters (v, e)

79 Slicing Example v1 v1, e1 v2 e1 v2, e1 update(v1) update update createenum(v1,e1) createenum update(v2) update update useenum(e1) useenum useenum useenum For given parameters (v, e)

80 Slicing Example v1 v1, e1 v2 e1 v2, e1 v1, e2 update(v1) update update update createenum(v1,e1) createenum update(v2) update update useenum(e1) useenum useenum useenum createenum(v1,e2) createenum For given parameters (v, e)

81 Slicing Example v1 v1, e1 v2 e1 v2, e1 v1, e2 update(v1) update update update createenum(v1,e1) createenum update(v2) update update useenum(e1) useenum useenum useenum createenum(v1,e2) createenum For given parameters (v, e)

82 Slicing Example v1 v1, e1 v2 e1 v2, e1 v1, e2 update(v1) update update update createenum(v1,e1) Optimization: based on static property analysis, generate createenum specialized slicing code for the given specification update(v2) update update useenum(e1) useenum useenum useenum createenum(v1,e2) createenum For given parameters (v, e)

83 Slicing Example v1 v1, e1 v2 v1, e2 update(v1) update update update createenum(v1,e1) Optimization: based on static property analysis, generate createenum specialized slicing code for the given specification update(v2) update useenum(e1) useenum createenum(v1,e2) createenum For given parameters (v, e)

84 RV-Monitor Performance HasNext UnsafeIter Unsafe- MapIter Unsafe- SyncColl Unsafe- SyncMap Comparison of Tracematches (TM), JavaMOP (MOP), and RV: Average percent runtime overhead All Prop TM MOP RV TM MOP RV TM MOP RV TM MOP RV TM MOP RV RV antlr bloat OOM chart eclipse fop hsqldb jython luindex lusearch pmd OOM xalan g. 6. Comparison of Tracematches (TM), JavaMOP (MOP), and RV: 38

85 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

86 Why Prediction Concurrent programs are hard to analyze Model checking: number of interleavings is prohibitively large Testing: interleavings depend on environment Combine dynamic and static methods to find bad behaviors near correct executions 40

87 Our Solution Sliced Causality General purpose technique to predict (bad) behaviors from correct runs Sound: No false alarms RV-Predict Tool implementing Sliced Causality Allows for prediction of any property for which an algorithm exists Better than tools specialized simply for data race or atomicity violations 41

88 Prediction Example Property: authenticate before access Main Thread: Task Thread: s 1 : resource.authenticate(); s 2 : flag.value = true; Observed execution: s 1 s 2 s 3 s 4 s 3 : if while (! (! flag.value) Thread.yield() ; s 4 : resource.access(); 42

89 Prediction Example Property: authenticate before access Main Thread: Task Thread: s 1 : resource.authenticate(); s 2 : flag.value = true; s 3 : if (! flag.value) Observed execution: s 1 s 2 s 3 s 4 Thread.yield() ; s 4 : resource.access(); Buggy: s can be executed before s Buggy S4 can be executed before S1 Low possibility to hit error in testing 43

90 Prediction Example Property: authenticate before access Main Thread: Task Thread: s 1 : resource.authenticate(); s 2 : flag.value = true; s 3 : if (! flag.value) Thread.yield() ; s 4 : resource.access(); execution is observed? Yes! Observed But not execution: in the traditional s 1 s 2 s 3 s 4 way Can we predict the error even when the above Buggy: s can be executed before s Buggy S4 can be executed before S1 Low possibility to hit error in testing 43

91 Special Case: Data Races Our techniques work for any behavioral property One of the simplest properties is race detection Two accesses to a shared variable can take place concurrently At least one of the accesses is a write 44

92 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

93 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

94 Predictive Runtime Analysis Predictive Runtime Analysis Search space 47

95 Predictive Runtime Analysis Search space Observed execution 48

96 Predictive Runtime Analysis Search space Observed execution Causal model 49

97 Predictive Runtime Analysis Search space Observed execution Causal model Inferred executions Bug 50

98 Predictive Runtime Analysis Search space Observed execution Causal model Inferred executions Bug More relaxed causal model yields more inferred executions 50

99 Originally for distributed systems [Lamport-78] Applied to shared memory systems by several authors Causal model = non-permutable pairs of events a Traditional Predictive Runtime Analysis: Happens-Before = {intra-thread total orders} U {causal dependencies} Causal dependency: if two events access the same location and one writes it, then their execution order matters Inferred executions = extending the causal model 51

100 Happens-Before Works... If Lucky Property: authenticate before access Main Thread: Task Thread: s 3 : if (! flag.value) Thread.yield() ; s 1 : resource.authenticate() s 2 : flag.value = true; s 4 : resource.access(); Observed execution: s 3 s 1 s 2 s 4 52

101 Happens-Before Works... If Lucky Property: authenticate before access Main Thread: Task Thread: s 3 : if (! flag.value) Thread.yield() ; s 1 : resource.authenticate() s 2 : flag.value = true; s 4 : resource.access(); Observed execution: s 3 s 1 s 2 s 4 Causal dependency: s 3 < s 2 Bad execution inferred: s 3 s 4 s 1 s 2. Bug detected! Chances of observing this execution are very low 53

102 Happens-Before Limitations Property: authenticate before access Main Thread: s 1 : resource.authenticate() s 2 : flag.value = true; Task Thread: s 3 : if (! flag.value) Thread.yield() ; s 4 : resource.access(); Observed execution: s 1 s 2 s 3 s 4 Causal dependency: s 2 < s 3. No bug found Too constrained: access will be performed regardless of the flag 54

103 Sliced Causality Relaxes the Happens-Before causal model Formally proved in [chen-rosu-07] How? Focus on the property Use static information about the program Remove events and causalities irrelevant to the property Smaller and more relaxed causal model (Exponentially) more inferred executions Better predictive capability 55

104 Sliced Causality Start with those events relevant to the property Add events on which they are control dependent (transitively, intrathread) Add events on which they are data dependent (transitively, interthread) 56

105 Static Information: Control Scope S2 is in the control scope of S1 if its execution depends on a choice at S1 s 1 : if (flag) { s 2 :... } else { s 3 :... } s 4 :... s 0 : i=0; s 1 : while (i<3) { s 2 :... s 3 : } s 4 :... i++ s 1 : while (!flag) { s 2 :... } s 3 :... Extends to other control statements break/continue, return, exceptions 57

106 Static Information: Control Scope S2 is in the control scope of S1 if its execution depends on a choice at S1 s if 1 : if (flag) { s 2 :... } else { s 3 :... } s 4 :... s 0 : i=0; s 1 : while (i<3) { s 2 :... s 3 : } s 4 :... i++ s 1 : while (!flag) { s 2 :... } s 3 :... Extends to other control statements break/continue, return, exceptions 57

107 Static Information: Control Scope S2 is in the control scope of S1 if its execution depends on a choice at S1 s if 1 : if (flag) { s 2 :... } else { s 3 :... } s 4 :... s 0 : i=0; s 1 : while (i<3) { s 2 :... s 3 : i++ } s 4 :... s 1 : while (!flag) { s 2 :... } s 3 :... Extends to other control statements break/continue, return, exceptions 57

108 Static Information: Control Scope S2 is in the control scope of S1 if its execution depends on a choice at S1 s if 1 : if (flag) { s 2 :... } else { s 3 :... } s 4 :... s 0 : i=0; s 1 : while (i<3) { s 2 :... s 3 : i++ } s 4 :... s { 1 : while (!flag) { s... 2 :... } 3... s 3 :... Extends to other control statements break/continue, return, exceptions 57

109 Slice Causality Works! Property: authenticate before access Main Thread: s 1 : resource.authenticate() s 2 : flag.value = true; Task Thread: s 3 : if (! flag.value) Thread.yield() ; s 4 : resource.access(); Observed execution: s 1 s 2 s 3 s 4 Only s 1 and s 4 directly relevant to the property 58

110 Slice Causality Works! Property: authenticate before access Main Thread: s 1 : resource.authenticate() s 2 : flag.value = true; Task Thread: s 3 : if (! flag.value) Thread.yield() ; s 4 : resource.access(); Observed execution: s 1 s 2 s 3 s 4 Only s 1 and s 4 directly relevant to the property Execution of s 4 not dependent of s 3 ; ignore the causal dependency s 2 < s 3 Sliced causality: s 1 <> s 4 ; s 4 s 1 is a potential execution. Bug detected! 59

111 No False Alarms Property: authenticate before access Main Thread: s 1 : resource.authenticate() s 2 : flag.value = true; Task Thread: s 3 : while (! flag.value) Thread.yield(); s 4 : resource.access(); Observed execution: s 1 s 2 s 3 s 4 60

112 No False Alarms Property: authenticate before access Main Thread: s 1 : resource.authenticate() s 2 : flag.value = true; Task Thread: s 3 : while (! flag.value) Thread.yield(); s 4 : resource.access(); Observed execution: s 1 s 2 s 3 s 4 Execution of s 4 depends on flag.value being true at s 3 causal dependency s 2 < s 3 matters Sliced causality: s 1 <s 2 < s 3 < s 4, no false alarm! 61

113 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

114 RV-Predict Pipeline jpredictor: Filling the box Original Program Property Predicted Violations: Counter-Examples 63

115 RV-Predict Pipeline jpredictor: Filling the box Original Program Static Analyzer Property Predicted Violations: Counter-Examples 64

116 RV-Predict Pipeline jpredictor: Filling the box Original Program Instrumented Program Static Analyzer Structural Information Property Predicted Violations: Counter-Examples 65

117 RV-Predict Pipeline jpredictor: Filling the box Original Program Instrumented Program Static Analyzer Recorded Trace Complete Trace JVM Preprocessor Structural Information Property Predicted Violations: Counter-Examples 66

118 RV-Predict Pipeline jpredictor: Filling the box Original Program Instrumented Program Static Analyzer Recorded Trace Complete Trace JVM Preprocessor Trace Slicer Structural Information Sliced Trace Property Predicted Violations: Counter-Examples 67

119 RV-Predict Pipeline jpredictor: Filling the box Original Program Instrumented Program Static Analyzer Recorded Trace Complete Trace JVM Preprocessor Trace Slicer Structural Information Sliced Trace Property Vector Clock Calculator Causal Model Predicted Violations: Counter-Examples 68

120 RV-Predict Pipeline jpredictor: Filling the box Original Program Instrumented Program Static Analyzer Recorded Trace Complete Trace JVM Preprocessor Trace Slicer Structural Information Sliced Trace Property Vector Clock Calculator Causal Model Property Checker Predicted Violations: Counter-Examples 69

121 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation Monitor Synthesis Parametric Monitoring Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation Sliced Causality Pipeline Race Prediction

122 Data Race Prediction Consider all pairs of accesses in the trace We actually do something smarter Check if either access is a write We are not worried about read-read races Check if they have incomparable VCs Incomparable VCs means accesses could be reordered If they have different lock sets then race found 71

123 RV-Predict Performance jpredictor RV-Predict Name Input Real Time Disk Usage Real Time Disk Usage account - 0: K 0: K elevator - 5: M 1: K tsp map4 2 4: M 1: K tsp map5 2 8: M 2: K tsp map10 2 > 3 hours > 230M 33: M huge - crash crash 0: M medium - crash crash 0: K small - crash crash 0: K mixedlockshuge - > 2 hours > 250M 0: M mixedlocksbig - 4: M 0: K mixedlocksmedium - 0: M 0: K mixedlockssmall - 0: M 0: K jpredictor vs. RV-Predict 72

124 Conclusion RV-Monitor is a generic yet efficient monitoring system Extensible logic framework: FSM, ERE, PTLTL, FTLTL, LTL, CFG, PTCaRet, RV-Predict provides very efficient causal predict of generic properties Race detection, atomicity violations, monitoring properties

Monitoring-Oriented Programming

Monitoring-Oriented Programming Seyed Mohammad Mehdi Ahmadpanah smahmadpanah@aut.ac.ir ceit.aut.ac.ir/~ahmadpanah Supervisor Dr. Mehran S. Fallah Formal Security Lab. CEIT@AUT Mar. 12, 2017 Outline Introduction