Monitoring Interfaces for Faults

Similar documents
Formal Verification Using Static and Dynamic Analyses. Aleksandr Zaks. A dissertation submitted in partial fulfillment

Formal Methods for Software Development

Behavioural Equivalences and Abstraction Techniques. Natalia Sidorova

Computer Science Technical Report

Model checking pushdown systems

CoVaC: Compiler Verification by Program Analysis of the Cross-Product. Anna Zaks, Amir Pnueli. May 28, FM 08, Turku, Finland

Verifying Liveness Properties of ML Programs

Safra's Büchi determinization algorithm

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

Material from Recitation 1

THE MODEL CHECKER SPIN

Logic Model Checking

Formal Verification: Practical Exercise Model Checking with NuSMV

(See related materials in textbook.) CSE 435: Software Engineering (slides adapted from Ghezzi et al & Stirewalt

THREE LECTURES ON BASIC TOPOLOGY. 1. Basic notions.

PCP and Hardness of Approximation

Formal Specification and Verification

Verification Overview Testing Theory and Principles Testing in Practice. Verification. Miaoqing Huang University of Arkansas 1 / 80

Incompatibility Dimensions and Integration of Atomic Commit Protocols

Lecture Notes on Static Semantics

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control

CSC 501 Semantics of Programming Languages

Parallel Model Checking of ω-automata

Lecture 15 Software Testing

Principles of AI Planning. Principles of AI Planning. 7.1 How to obtain a heuristic. 7.2 Relaxed planning tasks. 7.1 How to obtain a heuristic

Programming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.1

NONDETERMINISTIC MOORE

Formal Methods in Software Engineering. Lecture 07

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

1 Linear programming relaxation

1 Introduction. 3 Syntax

Asynchronous Models. Chapter Asynchronous Processes States, Inputs, and Outputs

CS558 Programming Languages

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

SFWR ENG 3S03: Software Testing

junit RV Adding Runtime Verification to junit

C++ Data Types. 1 Simple C++ Data Types 2. 3 Numeric Types Integers (whole numbers) Decimal Numbers... 5

Coding and Unit Testing! The Coding Phase! Coding vs. Code! Coding! Overall Coding Language Trends!

Lectures 20, 21: Axiomatic Semantics

Cover Page. The handle holds various files of this Leiden University dissertation

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Research Report. (Im)Possibilities of Predicate Detection in Crash-Affected Systems. RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages

Uncertain Data Models

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

Verification of Transactional Memories and Recursive Programs

CLAN: A Tool for Contract Analysis and Conflict Discovery

Towards a Logical Reconstruction of Relational Database Theory

CS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014

Tool demonstration: Spin

Announcements. CS 188: Artificial Intelligence Fall 2010

Partial-Order Boolean Games: Informational Independence in a Logic-based Model of Strategic Interaction

Java-MOP: A Monitoring Oriented Programming Environment for Java

Proving liveness. Alexey Gotsman IMDEA Software Institute

Theoretical Computer Science

Continuous functions and homeomorphisms

Höllische Programmiersprachen Hauptseminar im Wintersemester 2014/2015 Determinism and reliability in the context of parallel programming

CS103 Spring 2018 Mathematical Vocabulary

CMPSCI 250: Introduction to Computation. Lecture 20: Deterministic and Nondeterministic Finite Automata David Mix Barrington 16 April 2013

Symbolic Execution and Proof of Properties

Detecting Logical Errors in SQL Queries

Table : IEEE Single Format ± a a 2 a 3 :::a 8 b b 2 b 3 :::b 23 If exponent bitstring a :::a 8 is Then numerical value represented is ( ) 2 = (

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Variants of Turing Machines

6.852 Lecture 17. Atomic objects Reading: Chapter 13 Next lecture: Atomic snapshot, read/write register

Warm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.

Some notes about Event-B and Rodin

CS 188: Artificial Intelligence Fall 2011

Cyber Physical System Verification with SAL

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Decentralized Runtime Verification of LTL Specifications in Distributed Systems

Relaxed Memory-Consistency Models

Specifying circuit properties in PSL. (Some of this material is due to Cindy Eisner and Dana Fisman, with thanks) See also the Jasper PSL Quick Ref.

Proving the Correctness of Distributed Algorithms using TLA

A Characterization of the Chomsky Hierarchy by String Turing Machines

Incompatibility Dimensions and Integration of Atomic Commit Protocols

7. Testing and Debugging Concurrent Programs

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

ALGORITHMS EXAMINATION Department of Computer Science New York University December 17, 2007

STABILITY AND PARADOX IN ALGORITHMIC LOGIC

Temporal Logic of Actions (TLA) (a brief introduction) Shmuel Katz Computer Science Department The Technion

Web Service Interfaces

CSC2108: Automated Verification Assignment 1 - Solutions

Faster and Dynamic Algorithms For Maximal End-Component Decomposition And Related Graph Problems In Probabilistic Verification

Logic Programming and Resolution Lecture notes for INF3170/4171

Program verification. Generalities about software Verification Model Checking. September 20, 2016

CS 4387/5387 SOFTWARE V&V LECTURE 4 BLACK-BOX TESTING

Overview. Game-Based Verification of Fair Exchange Protocols. The Problem of Fair Exchange. Game-Theoretic Model. Protocol as a Game Tree

Automated Reasoning. Model Checking with SPIN (II)

DATABASE THEORY. Lecture 18: Dependencies. TU Dresden, 3rd July Markus Krötzsch Knowledge-Based Systems

Semantics via Syntax. f (4) = if define f (x) =2 x + 55.

Lecture Notes on Real-world SMT

CS422 - Programming Language Design

Multi-event IDS Categories. Introduction to Misuse Intrusion Detection Systems (IDS) Formal Specification of Intrusion Signatures and Detection Rules

Combined CPV-TLV Security Protocol Verifier

CS 125 Section #4 RAMs and TMs 9/27/16

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

A Gentle Introduction to Program Analysis

Transcription:

Monitoring Interfaces for Faults Aleksandr Zaks RV 05 - Fifth Workshop on Runtime Verification Joint work with: Amir Pnueli, Lenore Zuck

Motivation Motivation Consider two components interacting with each other. We will refer to them as module and interface. We assume that we have all the implementation details of the module while only partial (incomplete) specification is available for the interface. As usual, we want to make sure our system comprised of the above components is a correct one. A possible scenario is when an in-house application uses some third-party components. Monitoring Interfaces for Faults 1

Motivation Compile Time Approaches The interface specification being incomplete means that the interface displays only a strict subset of the behaviors allowed by the its specification. Therefore, while it might perfectly ok to use the external component (interface), applying formal methods, like model checking, will usually result in false negatives a system incorrectly declared faulty. Moreover, in our work, we also consider a case when the interface specification is not only partial, but simply wrong. Meaning the interface may not satisfy its own specification. A situation may arise when a third-party component is upgraded without notifying the end users. To conclude: it is impossible to rely solely on compile-time verification when the information about parts of the program is either missing or incorrect. Monitoring Interfaces for Faults 2

Motivation Towards Run-Time Monitoring Instead of formal verification, a user may prefer to employ some form of run-time monitoring A straightforward approach of run-time monitoring is to check that a currently observed execution trace satisfies the system specification. This approach avoids all the problems mentioned before by simply discarding all the information about the module and the interface. The main drawback is of course the loss of precision too many bugs are left undetected. Assuming traditional run-time monitoring is relatively fast, it might be desirable to trade efficiency for better precision. In particular, we propose to use all the information available: implementation details of the module, specification of the interface, run-time information, and of course the overall specification of the system. Monitoring Interfaces for Faults 3

Motivation Sketch of the Proposed Solution. View the module and the interface as players in a 2-player game. The interface has a winning strategy if it can guarantee that no matter what module does, the overall specification Φ is met. Interface can follow any strategy consistent with its own specification Φ I. At every point of the execution we check if the environment can win, assuming the strategies available for both the module and the interface are restricted according to the history of a computation. Since one can always view a particular implementation of the interface as a strategy, a fault-free interface can always win against a fault-free module. Therefore, we generate an alert when no suitable strategy exists. Monitoring Interfaces for Faults 4

Game Structures Game Structures Following [dah1,dah2] we define a (two-player) game G = (S, A, Γ 1, Γ 2, δ) to consist of: a finite set S of states; a finite set A of actions; action assignment functions Γ 1, Γ 2 : S 2 A \ that define, for each state, a non-empty set of actions available to player 1 and player 2 respectively; a transition function δ: S A A S that associates with each state s and each pair of actions (a, b) Γ 1 (s) Γ 2 (s) a successor state δ(s, a, b); Intuitively, from each state, each of the players chooses an action, which are taken simultaneously. The two actions define the next state of the system. Monitoring Interfaces for Faults 5

Game Structures Game Strategies and Runs Given a game G as above, and i {1, 2}, A player-i strategy is a function ξ i : S + A that maps, for every nonempty finite sequence σ S +, a single action that is consistent with Γ i, i.e., for every σ S and s S, ξ i (σ; s) Γ i (s). The set of strategies for player-i is denoted by Ξ i. A run r of the game structure G is a nonempty, possibly infinite sequence s 0 (a 0, b 0 )s 1 (a 1, b 1 )s 2... of alternating states and action pairs such that for every j 0, a j Γ 1 (s j ), b j Γ 2 (s j ), and s j+1 = δ(s j, a j, b j ). For a run r : s 0 (a 0, b 0 )s 1 (a 1, b 1 )s 2..., we refer to the state sequence σ(r) : s 0, s 1, s 2,... as the history induced by r. Given a pair of strategies ξ 1 Ξ 1 and ξ 2 Ξ 2 and a state s S, the outcome of the strategies from s, H ξ1,ξ 2 (s), is the history induced by the run whose initial state is s and whose actions are consistent with the strategies. Monitoring Interfaces for Faults 6

Game Structures Winning for an LTL Objective Let h : s 0, s 1,..., s k =s be a finite history and Ψ a linear temporal logic formula over S. History h is said to be a winning history for player-i, i {1, 2}, with respect to objective Ψ in G if player-i has a strategy ξ i Ξ i such that for all strategies ξ 3 i Ξ 3 i, h H ξ1,ξ 2 (s) = Ψ. A suitable strategy ξ i is a winning player-i strategy for Ψ from h in G. In case a winning history h consists of the single state s, we refer to s as a player-i winning state. Monitoring Interfaces for Faults 7

Game Structures Example of A Game Structure (1/2) c, a c, c s 1 a, c s 4 c, c s 0 s 3 c, b s 2 c, c b, c s 5 c, c Blue/Red means player 1/2 can force to take the transition. Our objective Ψ = ((s 1 s 4 ) (s 2 s 5 )). Let s identify which states are winning for which of the players. Monitoring Interfaces for Faults 8

Game Structures Example of A Game Structure (2/2) c, a c, c s 1 a, c s 4 c, c s 0 s 3 c, b s 2 c, c b, c s 5 c, c Blue states are player-1 winning. Magenta states are winning for both players. Our objective Ψ = ((s 1 s 4 ) (s 2 s 5 )). Consider two histories h : s 0, s 1, s 3, s 4 and h : s 0, s 2, s 3, s 4. Clearly, h is a winning history for player-2, while h is not. Therefore, whenever the game reaches s 4 we cannot immediately decide whether we should raise an alarm. We say that a game G is partitionable when all the states are winning regardless of the history of the game. Note that non-partitionable games are not suitable for run-time monitoring since we must take into account the history of the game, which can be arbitrarily long. Monitoring Interfaces for Faults 9

Game Structures Universal Liveness An LTL formula Ω represents a universal liveness property if the following holds: For every σ 1 Σ and σ 2 Σ ω, σ 1 σ 2 = Ω iff σ 2 = Ω. It can be shown that if the objective Ψ of game G is a universal liveness property, then G is a partitionable game. Universal liveness should not be confused with the concept of memoryless strategies. Consider the objective Ψ = s 1 s 2 and the game below. c, a s 1 c, c s 0 c, b s 2 c, c Monitoring Interfaces for Faults 10

Game Structures Constructing a Partitionable Game Compose non-partitionable game G with a deterministic Büchi/Rabin automaton for the objective of the game G to obtain a new game G. The objective of the composed game G is the acceptance condition of the automaton. Since the acceptance condition only depends on the states that appear infinitely often, the new objective represents a universal liveness property. Therefore, the composed game must be partitionable. Monitoring Interfaces for Faults 11

Our Model Fair Discrete Systems We take a fair discrete system (FDS), which is a variant of fair transition system [MP95], as our computational model. Under this model, a system M : V, W, Θ, ρ, J consists of the following components: V : A finite set of system variables. A state of the system S provides a typeconsistent interpretation of the system variables V. For a state s and a variable v V, we denote the value assigned to v by the state s by s[v]. Let Σ denote the set of all states over V. We assume that Σ is finite. W V : A subset of owned variables which only the system itself can modify. All other variables can also be modified by the environment. Θ: The initial condition. A state is defined to be initial if it satisfies the assertion (state formula) Θ. ρ(v, V ): The transition relation. J : A set of justice (weak fairness) requirements(assertions). For every J J, σ contains infinitely many occurrences of J-states. Monitoring Interfaces for Faults 12

Associating a Game with an FDS Associating a Game with an FDS (1/3) Given: an FDS M = (V M, W, Θ, ρ, J ) that corresponds to some SPL module (our system) a goal specification Φ an interface (off-the-shelf component) specification Φ I We define a game G = (S, A, Γ 1, Γ 2, δ) between the module M and the interface as follows: Let V = V M {turn}, where turn {1, 2} is a variable not in V M. S is the set of all type-consistent interpretations over V. We take A, the set of G s actions, to be S. Monitoring Interfaces for Faults 13

Associating a Game with an FDS Associating a Game with an FDS (2/3) In the game G, player 1 (the module) can take any step consistent with ρ, nondeterministically setting turn, thus deciding whether or not it wishes to take another step. Player 2 (the interface) can change one variable that is not owned by M, but it must let Player 1 take the next step. Formally: Γ 1 (s) = {s ρ(s, s )} Γ 2 (s) = {s s [turn] = 1 ( pres(v \ {v, turn})} v V M \W δ(s, a 1, a 2 ) = a s[turn] Thus, each player expresses its preference for the state it would like to see next. The final decision is determined as the choice of the player whose turn it is. Monitoring Interfaces for Faults 14

Associating a Game with an FDS Associating a Game with an FDS (3/3) The objective of the game is defined by Ψ = (Φ Φ I ) (turn = 1 J) J J Thus, the objective of the game (wishing the interface to win) is to ensure that all computations either satisfy both Φ and Φ I, or violate one of the justice requirements, or allow the interface to take only finitely many steps. Monitoring Interfaces for Faults 15

Proposed Solution Proposed Solution Construct a a partitionable game G given the module, interface specification Φ I, and goal specification Φ. Compute the set W in of winning states for the interface. Monitor the execution of the system to make sure the game stays within the set W in. Monitoring Interfaces for Faults 16

Proposed Solution Monitoring Example shared boolean flag 1, flag 2 = 0 local boolean error = 0 l 0 : while error l 1 : flag 1 := 0 l 2 : await flag 1 l 4 : l 3 : if flag 2 then error := 1 (a) Module M shared boolean flag 1, flag 2 = 0 m 0 : loop forever do m 1 : await flag 1 m 2 : flag 2 := 1 m 3 : flag 2 := 0 m 4 : flag 1 := 1 m 5 : (b) Interface I Assume the system specification is Φ : at l 0 flag 2 and the interface specification is the trivial Φ I : 1. Consider a state at l 2 flag 1 flag 2. It is easy to verify that it is a losing state for the interface, assuming it is the module s turn. Consequently, our monitor will raise an alarm when such state is reached. The alarm is really an early warning. Although the violation is unpreventable(by the interface), it would take infinitely many steps to confirm the violation. Monitoring Interfaces for Faults 17

Conclusion Main Features of our Monitors. Our approach is sound. An alert from the monitor implies the existence of a bug. However, it does not mean a violation will occur in the observed trace. Alerts are really early warnings. However, we can change the game slightly (let the interface decide for the module) to detected the situations when a violation must occur in the observed trace. Our method is not complete. Too much power is given to the interface. In particular, the interface can observe local variables of the module. Therefore, sometimes we may fail to infer a bug. It should be stressed that we always generate an alert as soon as a violation happens in the observed trace. Monitoring Interfaces for Faults 18

Conclusion Efficiency vs Precision. System: Module Interface Interface is empty model checking. Module is empty traditional run-time monitoring. Both parts are present our framework. We assume the split(abstraction) is defined by the user and the presence of third-party components. Our approach, with some exceptions, yields the most precise results for the given abstraction. Although our approach will handle the extreme cases it might be more efficient to use a dedicated solution. For example, in case everything is treated as an interface one may want to use approach described in Efficient Monitoring of Omega-Languages by Marcelo d Amorim and Grigore Rosu. Monitoring Interfaces for Faults 19

Conclusion Computing Winning States (1/2). The objective of the game is defined by Ψ = (Φ Φ I ) (turn = 1 J J J) After composition with a Büchi automaton for (Φ Φ I ) Ψ = F (turn = 1 J) J J Consider an LTL objective Φ in the form: p n i=1 ( r i), where p, r 1,..., r n are assertions. Clearly, the objective of Ψ has such a form. Let Win be a set of player-2 winning states for Φ. Monitoring Interfaces for Faults 20

Conclusion Computing Winning States (2/2). Following [kesten03cav], we can compute Win as follows: n Win = νz.µy.( νx.(p Z) Y (r i X)), i=1 where [[ f]] e G = {s S b Γ 2 (s). a Γ 1 (s). δ(s, a, b) [[f]] e G }. That is, [[ f]] e G characterizes the set of states from which player-2 can force the game to move to a state belonging to [[f]] e G in one step. The above formula can be evaluated symbolically, requiring at most S 2 steps, in spite of the fact that it has three alternating fix-point operators [LBC94]. Monitoring Interfaces for Faults 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback