Leveraging DTrace for runtime verification

Similar documents
Leveraging DTrace for Runtime Verification

Formal Methods in Software Engineering. Lecture 07

junit RV Adding Runtime Verification to junit

The SPIN Model Checker

Proving the Correctness of Distributed Algorithms using TLA

Formal Methods for Software Development

Model checking pushdown systems

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

T Reactive Systems: Kripke Structures and Automata

Erlang-DTrace. Garry Bulmer. Team DTrace: Tim Becker

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Java-MOP: A Monitoring Oriented Programming Environment for Java

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

A Frame Study for Post-Processing Analysis on System Behavior: A Case Study of Deadline Miss Detection

The Maude LTL Model Checker and Its Implementation

Timo Latvala. January 28, 2004

DTrace for Web2.0 JavaScript, PHP and Coolstack (SAMP) Philip Torchinsky Solaris Evangelist Sun Microsystems

Test-Case Generation and Coverage Analysis for Nondeterministic Systems Using Model-Checkers

Software Model Checking: Theory and Practice

Model Checking with Automata An Overview

Lecture 6. Abstract Interpretation

[module 2.2] MODELING CONCURRENT PROGRAM EXECUTION

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

Model-checking with the TimeLine formalism

DTrace Topics: Java. Brendan Gregg Sun Microsystems March 2007

Performance Tuning Linux Applications With DTrace

Erlang-DTrace. Garry Bulmer. Team DTrace: Tim Becker

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Cover Page. The handle holds various files of this Leiden University dissertation

Behavioural Equivalences and Abstraction Techniques. Natalia Sidorova

Introduction to using DTrace with MySQL. Vince Carbone Performance Technology Group, Sun MC Brown - MySQL

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control

INF5140: Specification and Verification of Parallel Systems

Parallel Model Checking of ω-automata

Verifying Liveness Properties of ML Programs

Liveness and Fairness Properties in Multi-Agent Systems

DTrace & MySQL. MySQL Users Conference Ben Rockwood Director of Systems Joyent

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Mestrado Informática CPD/ESC 2016/2017

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Monitoring Interfaces for Faults

Typestate Checking for Actionscript 3

Formal Methods for Software Development

Memory Efficient Algorithms for the Verification of Temporal Properties

THE MODEL CHECKER SPIN

Real-time node.js: Instrumentation, Visualization & Debugging. Bryan Cantrill SVP,

Dynamic Tracing and Instrumentation

Decentralized Runtime Verification of LTL Specifications in Distributed Systems

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Proving liveness. Alexey Gotsman IMDEA Software Institute

Informatics 1. Computation and Logic. Lecture 17 The Big Ideas

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

Scenario Graphs Applied to Security (Summary Paper)

Software Design, Modelling and Analysis in UML

Combining Runtime Verification and Property Adaptation through Neural-Symbolic Integration

Introduction to Lexing and Parsing

DTrace for Linux. Tomas Jedlicka Sat

CSE 105 THEORY OF COMPUTATION

Counting multiplicity over infinite alphabets

Specification and Analysis of Real-Time Systems Using Real-Time Maude

Fiona A Tool to Analyze Interacting Open Nets

Application: Programming Language Semantics

A Fair Extension of (Soft) Concurrent Constraint Languages

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

A Novel Approach for Software Property Validation

CS5371 Theory of Computation. Lecture 8: Automata Theory VI (PDA, PDA = CFG)

Towards a Logical Reconstruction of Relational Database Theory

Automatic Synthesis of a Voting Machine Design

Running Aground: Debugging Docker in production. Bryan Cantrill CTO, Joyent

Deductive Methods, Bounded Model Checking

CLAN: A Tool for Contract Analysis and Conflict Discovery

COMPOSABILITY, PROVABILITY, REUSABILITY (CPR) FOR SURVIVABILITY

Model checking Timber program. Paweł Pietrzak

Timed Automata: Semantics, Algorithms and Tools

Network Protocol Design and Evaluation

Lecture 02: Semantical Model

Learning-Based Assume-Guarantee Verification (Tool Paper)

Parallel Run-Time Verification

Thesis Defense: Developing Real-Time Collaborative Editing Using Formal Methods

Linear-Time Model Checking: Automata Theory in Practice

Runtime Verification of Cryptographic Protocols

Formal Specification and Verification

Operating Systems. Designed and Presented by Dr. Ayman Elshenawy Elsefy

M. Vardi IBM Almaden P. Wolper. M. Yannakakis AT&T Bell Labs

Detecting Logical Errors in SQL Queries

Issues on Decentralized Consistency Checking of Multi-lateral Collaborations


Automated Reasoning. Model Checking with SPIN (II)

Polynomial-Time What-If Analysis for Prefix-Manipulating MPLS Networks

Design and Analysis of Distributed Interacting Systems

Using Monterey Phoenix to Formalize and Verify System Architectures

Formal Verification. Lecture 10

Mutant Minimization for Model-Checker Based Test-Case Generation

Profiling Applications!!! Mark using DTrace!

Formal Verification: Practical Exercise Model Checking with NuSMV

DTrace integration and quick start

CSE 4/521 Introduction to Operating Systems

Safe Stratified Datalog With Integer Order Does not Have Syntax

Transcription:

Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of Informatics, University of Oslo

Context: Runtime verification

Desired properties System Every request gets an answer Buffers should never overflow Variables should never enter an inconsistent state 1

Runtime verification is the discipline of computer science that deals with the study, development and application of those verification techniques that allow checking whether a run of a system under scrutiny [ ] satisfies or violates a given correctness property. [6, p. 36, emphasis mine] 2

3

4

How to do runtime verification 1. Rigorously specify a correctness property (typically using formal logic). 2. Collect runtime data from the system. 3. Find a way to automatically check if the collected data indicates that the correctness property is violated or satisfied. 5

Key idea: Exploit formal connections between logic and automata theory 5

How to do runtime verification 1. There are ways of deriving automata from logical expressions that accept or reject their input based on whether the input satisfies or falsifies a logical formula. 2. This can be used to create monitors. 6

Monitors A monitor is a program that consumes data from the system under scrutiny, interprets this data as a run of a system and reports whether the specified property is satisfied by the data, falsified by the data or that the data is insufficient to derive a verdict [7, p. 294 295]. 7

System being analyzed Specification formula Trace extractor Monitor generator Trace Monitor ACCEPT REJECT INCONCLUSIVE 8

Specification formula in LTL3 Mapping graphviz2dtrace System being analyzed D script Dtrace ACCEPT REJECT INCONCLUSIVE 9

Specification formalism: LTL3

LTL 3 is a three-valued variety of Linear Temporal Logic (LTL): Same syntax, different semantics. 9

LTL: Linear Temporal Logic In the context of formal methods, Temporal Logic is used to reason about the evolution of some system over time. LTL is based on the notion of time as an infinite sequence of time slices: Time is linear. The idea of using Linear Temporal Logic for program verification originated with Pnueli [8]. 10

Linear time p,q r,s p,s 11

LTL Syntax Syntactically, LTL extends the familiar Propositional Logic with temporal operators. The temporal operators are: (always), (eventually), (next), U (until), R (release), W (weak until/waiting for). 12

LTL Semantics LTL formulas are interpreted on sequences of states, where each state contains a set of atomic propositions that are true in that state. In the standard view, these sequences of states are considered infinite, and we call such sequences of states traces. 13

LTL Semantics p,q r,s p,s Some observations: σ = p U s, σ = s, σ = r, σ = p and σ = p W s. 14

Key idea of LTL 3 : A reasonable way of dealing with finite traces. 14

LTL 3 Semantics LTL 3 is defined for finite traces, which makes it suitable for runtime verification: We can only observere finite runs. 15

Key idea of LTL 3 : Identify good and bad prefixes [5]. 15

Good prefix A trace fragment u is a good prefix with respect to some property ϕ if ϕ holds in all possible futures following u. 16

Bad prefix A trace fragment u is a bad prefix with respect to some property ϕ if ϕ holds in no possible futures following u. 17

LTL 3 Semantics summarized We can thus state the truth-value of an LTL 3 formula ϕ with respect to a finite trace u as follows: if u is a good prefix wrt. ϕ u = 3 ϕ = if u is a bad prefix wrt. ϕ? otherwise. 18

Foundational idea: For an LTL formula ϕ, a corresponding Büchi automaton [2] can be derived. 18

Büchi Automata are defined on infinite traces and accept a trace if and only if the automaton visits some accepting state infinitely often. 19

Bauer et al. give an algorithm for creating LTL 3 -monitors [1, 14:10-14:13] This algorithm is implemented in LamaConv [9], which we make use of in the thesis. 20

21

System being analyzed Specification formula Trace extractor Monitor generator Trace Monitor ACCEPT REJECT INCONCLUSIVE 22

Specification formula in LTL3 System being analyzed Trace extractor Monitor generator Trace Monitor ACCEPT REJECT INCONCLUSIVE 23

DTrace

DTrace is an operating system technology for monitoring running software systems. Originally written by Bryan Cantrill, Adam Leventhal and Mike Shapiro for the Sun Solaris 10 operating system, DTrace is now available for Mac OS X, FreeBSD and other systems [4] If a running system has DTrace installed, an administrative user can log into the system, write a DTrace script and get insights about the system without having to reboot, stop or alter the system in any way. 24

DTrace s two most compelling features 1. DTrace gives a unified view of the whole system: Events within the kernel and in userland processes can be analyzed simultaneously. 2. DTrace provides facilities for dynamic tracing: Instrumentation which does not rely on static artifacts in the source code. 25

Using DTrace: The D scripting language Users interact with the DTrace framework via a domain-specific AWK-like scripting language called D. D is an event-driven programming langauge, where users specify actions that DTrace should take when an event of interest occurs. 26

Using DTrace: The D scripting language #!/usr/sbin/dtrace -qs syscall::read:entry /execname!= "dtrace" / { printf("%s\n", execname); } 27

Main components of D Probes (4-tuples) Action blocks Predicates Probe clauses 28

DTrace Probes DTrace provides the user with an enormous list of possible instrumentation points representing events of interest. These instrumentation points are called probes. The available probes reflect aspects of the system that can be monitored at the current point in time. Probes are identified by a four-tuple <provider:module:function:name>. When the event a probe represents occurs, one says that the probe fires ). 29

Design and Implementation of graphviz2dtrace

Basic idea: Associate atomic propositions in LTL specifications with DTrace probe specifications (with optional predicates). 29

push pid$target::push:entry pop pid$target::pop:return empty pid$target::empty:return/arg1 == 1/ 30

Mapping graphviz2dtrace D script 31

graphviz2dtrace In essence, graphviz2dtrace is a source-to-source compiler which takes LTL 3 -based automata and creates corresponding D scripts. The resulting scripts have the automaton s transition function encoded in an array, and the automaton state stored in a variable. When an event occurs, the state of the automaton is updated according to the transition function. 32

Anticipation graphviz2dtrace creates monitors that terminate immediately upon finding a good or bad prefix: They are anticipatory. The scripts achieve this by understanding which state it is about to enter. 33

Anticipation pid$target::empty:return / (arg1 == 1) && (state == 1)/ { trace("rejected"); HAS_VERDICT = 1; exit(0); } 34

Implementation The essential implemenation concern is creating three types of probe clauses: rejecting, accepting and neutral clauses. Rejecting clauses are clauses dealing with situations where bad prefixes are found. Accepting clauses are clauses dealing with situations where good prefixes are found. Neutral clauses simply update the state of the automaton. 35

36

Implementation Since all clauses use predicates to reason about the automaton states, and since probes are processed top to bottom, neutral clauses must be placed last in the script. 37

Key limitation: Race conditions occur if two neutral probe clauses fire simultaneously. 37

Specification formula in LTL3 System being analyzed Trace extractor Monitor generator Trace Monitor ACCEPT REJECT INCONCLUSIVE 38

Specification formula in LTL3 Mapping graphviz2dtrace System being analyzed D script Dtrace ACCEPT REJECT INCONCLUSIVE 39

Case study 1: The stack

Demo time! https://vimeo.com/169470067 (03:00) 39

Gregg s dictum Brendan Gregg [10] Don t worry too much about pid provider probe cost at < 1000 events/sec. At > 10,000 events/sec, pid provider probe cost will be noticeable. At > 100,000 events/sec, pid provider probe cost may be painful. [3] 40

Monitor overhead 1 10 2 72.363 30.718 Running time in seconds 10 1 10 0 10 1 10 2 0.353 0.414 0.003 0.057 1.096 0.398 0.003 8.011 3.176 0.067 0.602 Uninstrumented with pid with printf 10 4 10 5 10 6 10 7 10 8 Iterations 1 Averaged, measured with time, largest of real or user+sys 41

Case study 2: Node.js and PostgreSQL

Demo time! https://vimeo.com/169585739 (02:55) 41

Mean processed requests per second at various concurrency levels 2 Mean processed requests 2,000 1,800 1,600 1,400 1,200 0 20 40 60 80 100 N concurrent connections Monitored Unmonitored 2 Averaged, measured with ab 42

Conclusion and Evaluation

Questions? 42

References I A. Bauer, M. Leucker, and C. Schallhart. Runtime verification for ltl and tltl. ACM Trans. Softw. Eng. Methodol., 20(4):14:1 14:64, Sept. 2011. J. R. Büchi. On a decision method in restricted second order arithmetic. In Proc. Internat. Congr. Logic, Method. and Philos. Sci, pages 1 12, 1960. B. Gregg. DTrace pid Provider Overhead. http://dtrace.org/blogs/brendan/2011/02/18/ dtrace-pid-provider-overhead/, 2011.

References II B. Gregg and J. Mauro. DTrace: Dynamic Tracing in Oracle Solaris, Mac OS X, and FreeBSD. Prentice Hall Professional, 2011. O. Kupferman and M. Y. Vardi. Model checking of safety properties. Formal Methods in System Design, 19(3):291 314, 2001. M. Leucker. Teaching runtime verification. In S. Khurshid and K. Sen, editors, Runtime Verification, volume 7186 of Lecture Notes in Computer Science, pages 34 48. Springer Berlin Heidelberg, 2012.

References III M. Leucker and C. Schallhart. A brief account of runtime verification. The Journal of Logic and Algebraic Programming, 78(5):293 303, 2009. The 1st Workshop on Formal Languages and Analysis of Contract-Oriented Software (FLACOS 07). A. Pnueli. The temporal logic of programs. In Foundations of Computer Science, 1977., 18th Annual Symposium on, pages 46 57. IEEE, 1977. T. Scheffel and M. S. et al. Lamaconv logics and automata converter library. http://www.isp.uni-luebeck.de/lamaconv.

References IV D. Straughan. Brendan Gregg speaking at ZFS Day, Oct 2, 2012, San Francisco., 2012. (Own work) [CC BY-SA 3.0], via Wikimedia Commons.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback