Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"

Sylvain Hallé

NOSHOW

Sylvain Hallé

A lighthearted introduction

2

SHOW

Sylvain Hallé


2

SHOW

Player ‘‘O’’ Player ‘‘X’’

Sylvain Hallé


2

SHOW

Moves


Sylvain Hallé


2

SHOW

Moves

Rules


Sylvain Hallé



2

SHOW

Moves

Rules

1. and must alternate

2. Can’t put two symbols

in same square

3. Eventually, there must be

a line of three ’s

X O

O

.

.

Sylvain Hallé


2

SHOW

Moves

Rules


Sylvain Hallé


2

SHOW

Moves

Rules


Sylvain Hallé


2

SHOW

Moves

Rules


Sylvain Hallé


2

SHOW

Moves

Rules


Sylvain Hallé


2

SHOW

Moves

Rules

Game


Sylvain Hallé


3

SHOW

‘‘O’’ web service

‘‘X’’ web service

Sylvain Hallé


SHOW



Move

3

Sylvain Hallé


SHOW



<Move> <Player>X</Player> <Row>1</Row> <Col>A</Col></Move>

Message

3

Sylvain Hallé


SHOW




Message

Interfacecontract

3

Sylvain Hallé


SHOW



Game


Message

Interfacecontract

3

Sylvain Hallé


SHOW



Transaction


Message

Interfacecontract

3

Sylvain Hallé

Shop service

Customerservice

A more serious example

Each has its own on the course of a transaction

requirements

4

Sylvain Hallé

A more serious example

S1.

S2.

S3.

All carts with more than three items arelabelled ‘‘large’’ and must be paid by credit

Every cart created must be cbecked out

Payment mode must be only one of‘‘Credit’’ or ‘‘PayPal’’

.

.

C1. A cart created with a mode of paymentmust be checked out with the same modeof payment

Interface contract = ‘ sum’ (i.e. logical of individual requirements

‘ ’conjunction)

5

Sylvain Hallé

Formalizing interface contracts

The service’s behaviour follows constraints on...

1. Sequences of operations only2. Parameter values only3. Both at the same time

LTL-FO+: extension of LTL with quantifiers on message parameters (Hallé & Villemaire, EDOC 2008)

6

Sylvain Hallé


LTL formula= assertion on a (of messages)trace

a "always a" a "the next message is a" a "eventually a"

a b "a until b

But what about data contents?

GXF

W

abacdcbaqqtam...G (a ® b)X (q cÚ t) WØFALSE TRUE

7

Sylvain Hallé


What if symbols are XML documents?

LTL-FO+ = LTL + first-order quantification onelements

Let...

p = argument of a function f...filters acceptable values for x...according to the current message s0

$ x : j(x) Û $k : s |= j(k) AND k Îf(s ,p) p 0s |=

8

Sylvain Hallé

Example:

p = a/b

<a>

</a>

12

5

 

<c> </c>

s =

s0 s1

<d>

</d>

<e> </e><e> </e>

<c> </c><c> </c>

12

56

LTL-FO+

9

Sylvain Hallé

Example:

p = a/b

<a>

</a>

12

5

 

<c> </c>

s =

s0 s1

<d>

</d>

<e> </e><e> </e>

<c> </c><c> </c>

12

56

XPath expression

LTL-FO+

9

Sylvain Hallé

Example:

0

p = a/bf(s ,p) =

<a>

</a>

12

5

 

<c> </c>

s =

s0 s1

<d>

</d>

<e> </e><e> </e>

<c> </c><c> </c>

12

56

LTL-FO+

9

Sylvain Hallé

Example:

0

p = a/bf(s ,p) = {1,2}

<a>

</a>

12

5

 

<c> </c>

s =

s0 s1

<d>

</d>

<e> </e><e> </e>

<c> </c><c> </c>

12

56

LTL-FO+

9

Sylvain Hallé

Example:

1

p = a/bf(s ,p) =

<a>

</a>

12

5

 

<c> </c>

s =

s0 s1

<d>

</d>

<e> </e><e> </e>

<c> </c><c> </c>

12

56

LTL-FO+

9

Sylvain Hallé

Example:

1

p = a/bf(s ,p) = {}

<a>

</a>

12

5

 

<c> </c>

s =

s0 s1

<d>

</d>

<e> </e><e> </e>

<c> </c><c> </c>

12

56

LTL-FO+

9

Sylvain Hallé

Example:

<a>

</a>

12

5

 

<c> </c>

<d>

</d>

<e> </e><e> </e>

<c> </c><c> </c>

12

56

s =

s0 s1

"a/b x : x=1 x=2Ú

"c x : x=5

"c cx : F $ y : x=y"c x : x=5G

TRUE

TRUE

TRUE

FALSE

LTL-FO+

9

Sylvain Hallé

LTL-FO+

10

‘‘ ’’X and must alternateO

Sylvain Hallé

LTL-FO+

10

G ( )


Sylvain Hallé

LTL-FO+

10

Move/Player p : ( )X " p’ : p=p’G ( )"


Sylvain Hallé

LTL-FO+

10

Move/Player p : ( )X " p’ : p=p’G ( )"


Sylvain Hallé

LTL-FO+

10

Move/Player Move/Playerp : ( )X " p’ : p=p’G ( )"


Sylvain Hallé

LTL-FO+

10

Move/Player Move/Playerp : ( )X " p’ : p=p’G ( )" /


Sylvain Hallé

LTL-FO+

10

Move/Player Move/Playerp : ( )X " p’ : p=p’G ( )" /


A trace of messages that an interface contractis noted

satisfies j

m j

m

Sylvain Hallé

If , whose fault is it?

Contract compliance

11

m j/

who dun·it·A whodunit (for "Who['s] done it?") is a complex, plot-driven variety of the detective story in which the puzzle is the main feature of interest. The reader is provided with clues from which the identity of the perpetrator of the crime may be deduced before the solution is revealed in the final pages of the book.

(Wikipedia)

Sylvain Hallé

If , whose fault is it?

Contract compliance

11

m j/

who dun·it·A whodunit (for "Who['s] done it?") is a complex, plot-driven variety of the detective story in which the puzzle is the main feature of interest. The reader is provided with clues from which the identity of the perpetrator of the crime may be deduced before the solution is revealed in the final pages of the book.

(Wikipedia)

Sylvain Hallé

Applications:

Which component does not thestandard correctly?

Which component should the others for the violation?

At runtime: which component should to avoid a violation?

implement

compensate

takea different action

Contract compliance

12

Sylvain Hallé

Direct violation

m

m jm.m j/

A message is a for a trace if:

· and·

m direct violation.

13

Sylvain Hallé

Direct violation

m

m jm.m j/


· and·

m direct violation.

13

Sylvain Hallé

Direct violation

X

m

m jm.m j/


· and·

m direct violation.

13

Sylvain Hallé

Direct violation

X XO

m

m jm.m j/


· and·

m direct violation.

13

Sylvain Hallé

Direct violation

XOX

XXO

m

m jm.m j/


· and·

m direct violation.

13

Sylvain Hallé

Direct violation


· and·

m direct violation.

XOX

XXO

m

m jm.m j/

13

Sylvain Hallé

Direct violation


· and·

m direct violation.

XOX

XXO

m

m jm.m j/1. and must alternate


in same square



X O

O

.

.

13

Sylvain Hallé


· and·

m direct violation.

Hypothesis #1 The sender of is responsible for the contract violationm

Direct violation

XOX

XXO

m

m jm.m j/WANTED

Player ‘ O’‘ ’for violating the

interface contract

13

Sylvain Hallé


· and·

m direct violation.

Hypothesis #1 The sender of is responsible for the contract violationm

Direct violation

XOX

XXO

m

m jm.m j/WANTED


interface contract

WANTED

Player ‘ O’‘ ’

for violating the

interface contract

13

Sylvain Hallé

Another example:

Direct violation

XOX

XXO

WANTED


interface contractOO

O

O

XX

XX

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

X

14

Sylvain Hallé

Another example:

Direct violation

XOX

XXO

WANTED



O

O

XX

XX

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

X

14

Sylvain Hallé

Another example:

Direct violation

XOX

XXO

WANTED



O

O

XX

XX

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

X

1. and must alternate


in same square



X O

O

.

.

14

Sylvain Hallé

Another example:

Direct violation

XOX

XXO

WANTED



O

O

XX

XX

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

X

14

Sylvain Hallé

Another example:

Direct violation

XOX

XXO

WANTED



O

O

XX

XX

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

X

WANTED

Player ‘ X’‘ ’for violating theinterface contract

14

Sylvain Hallé


· and· for any (infinite) suffix , we have

m root violation.

Root violation

m

m’m j

m.m.m’ j/

15

Sylvain Hallé


· and· for any (infinite) suffix , we have

Hypothesis #2: The sender of is responsible for the contract violation

m

m

root violation.

Root violation

m

m’m j

m.m.m’ j/

15

Sylvain Hallé

XOX

XXO

OOO

O

XX

XX

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

X

Root violation

16

Sylvain Hallé

XOX

XXO

OOO

O

XX

XX

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

X

Root violation

16

Sylvain Hallé

XOX

XXO

OOO

O

XX

XX

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

X

WANTED

Player ‘ O’‘ ’for violating theinterface contract

Root violation

16

Sylvain Hallé

Observations

SHOW

17

Sylvain Hallé

1. Root violations capture the fact that direct violations aresometimes the result of a sequence of ‘‘ ’’forced moves

Observations

SHOW

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

XOO

O

O

XX

XX

17

Sylvain Hallé

1. Root violations capture the fact that direct violations aresometimes the result of a sequence of ‘‘ ’’

2. The faulty peer as in an ensuing direct violation

forced moves

may not be the same.

Observations

SHOW

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

XOO

O

O

XX

XX

WANTED WANTED

vs.

17

Sylvain Hallé

1. Root violations capture the fact that direct violations aresometimes the result of a sequence of ‘‘ ’’

2. The faulty peer as in an ensuing direct violation

3. The interface contract is not contradictoryin itself: a root violation depends on theactual taken

forced moves

may not be the same

course of actions

.

.

Observations

SHOW

OO

O

XX

XX

OOXX

XO

OXX O

O

O

XX

XOO

O

O

XX

XX

WANTED WANTED

vs.

17

Sylvain Hallé

How to find root violations?

Solution #1Bauer et al. (RV 2007): for LTLanticipatory semantics

18

Sylvain Hallé


Solution #1Bauer et al. (RV 2007): for LTL

1. Create the Büchi automaton equivalent to

anticipatory semantics

M j

a

a

a

b

b

b

18

Sylvain Hallé




2. Label each state based on language emptiness ( )or not ( )


M.

j

a

a

a

b

b

b

18

Sylvain Hallé





3. Read by keeping pointers to states of


M

M

.

.

.

j

m

a

a

a

b

b

b

18

Sylvain Hallé







M

M

.

.

.

j

m

m = a

a

a

a

b

b

b

18

Sylvain Hallé







M

M

.

.

.

j

m

m = a b

a

a

ab

b

b

18

Sylvain Hallé







M

M

.

.

.

:discard any pointer to

j

m

m = a b

a

a

a

b

b

b

18

Sylvain Hallé







M

M

.

.

.


j

m

m = a b a

a

a

a

b

b

b

18

Sylvain Hallé







M

M

.

.

.


4. A message is a root violation ifno pointer is left

j

m

m = a b a

a

a

a

b

b

b

18

Sylvain Hallé

a

a

a

b

b

b

Problem:

· Designed for LTL

Sylvain Hallé


19

Sylvain Hallé

a

a

a

b

b

b

Problem:

· Designed for LTL

· With LTL-FO+, is infinite.

M

Sylvain Hallé


19

Sylvain Hallé

Solution #2Conversion to LTL

1. the domains for each path expression

2. Convert quantifiers into equivalent expressions

Bound.


f(_, a/b) Í {1,2}

"a/b a/bx : F $ y : x=y

a/bF $ y : 1=y a/bF $ y : 2=y

becomes

...and so on

If , then

Ù( ) ( )

20

Sylvain Hallé


3. The formula is now pure LTL; use solution #1OR

4. Send messages one by one to an LTL model checker


20

Sylvain Hallé





m1 j ?

20

Sylvain Hallé





m1 j ?m1 m2 j ?

20

Sylvain Hallé





m1 j ?m1 m2 j ?

m1 m m2 3 j ?

20

Sylvain Hallé



4. Send messages one by one to an LTL

The first message that causes the validation to fail isa root violation

model checker


m1 j ?m1 m2 j ?

m1 m m2 3 j ?

20

Sylvain Hallé

Problem:

· Requires bounded data domains

· Exponential blow-up of formula

· Non-incremental process


21

Sylvain Hallé

Proposed solution

Exploit an on-the-fly algorithm for linear temporal logic

runtime monitoring

.

22

Sylvain Hallé

Proposed solution


1. Monitor state = set of LTL-FO+ formulas

runtime monitoring

.

22

s

Sylvain Hallé

Proposed solution


1. Monitor state = set of LTL-FO+ formulas2. Upon each new message: update state according to

transformation rules

runtime monitoring

.

22

s

Sylvain Hallé

Proposed solution



transformation rules

runtime monitoring

.

22

s’

s

Sylvain Hallé

Proposed solution



transformation rules3. Compute an outcome function on resulting state

to decide if contract is violated

runtime monitoring

.

22

s’

s

Sylvain Hallé

Proposed solution



transformation rules3. Compute an outcome function on resulting state

to decide if contract is violated

runtime monitoring

.

22

s’

Sylvain Hallé

Algorithm overview:

1. An LTL formula is decomposed into nodes of the form

Example:

sub-formulas thatmust be true now

sub-formulas that mustbe true in the next state

Runtime monitoring

23

Sylvain Hallé

2. Negations pushed inside (classical identities + dual of U = V)

3. At the leaves, G contains atoms + negations of atoms:we evaluate them

Verdict:

! All leaves contain : formula is false! A leaf is : formula is true! Otherwise:

4. Next event: D copied into G and we continue

FALSEempty

Runtime monitoring

24

Sylvain Hallé

Example:

Runtime monitoring

G (a ® )X Øa

25

Sylvain Hallé

Example:

G (a ® )X Øa ’

a, X Øa G (a ® )X Øa’

a G (a ® ), X Ø Øa a’

Øa G (a ® )X Øa’

a ® X Øa G (a ® )X Øa’

Runtime monitoring

G (a ® )X Øa

25

Sylvain Hallé

Example:

Runtime monitoring

G (a ® )X Øa

a G (a ® ), X Ø Øa a’


25

Sylvain Hallé

Example:

s = a

Runtime monitoring

G (a ® )X Øa

a G (a ® ), X Ø Øa a’


25

Sylvain Hallé

a G (a ® ), X Ø Øa a’


Example:

s = a

Runtime monitoring

G (a ® )X Øa

25

Sylvain Hallé

a G (a ® ), X Ø Øa a’

Example:

s = a

Runtime monitoring

G (a ® )X Øa

25

Sylvain Hallé

Example:

s = a

Runtime monitoring

G (a ® )X Øa

G (a ® ), X Ø Øa a’

25

Sylvain Hallé

Example:

s = a

Runtime monitoring

G (a ® )X Øa

G (a ® ), X Ø Øa a’

’G (a ® ), X Ø Øa a

25

Sylvain Hallé

Example: G (a ® )X Øa

s = a

a, X , Ø Øa a G (a ® )X Øa’

a, Øa G (a ® ), X Ø Øa a’

a ® b, bX G (a ® )X Øa’

’G (a ® ), X Ø Øa a

Runtime monitoring


25

Sylvain Hallé

Example:

s = a

Runtime monitoring


G (a ® )X Øa


25

Sylvain Hallé

Example:

s = a

Runtime monitoring


G (a ® )X Øa


A variable and its negationcan never be true at the sametime

25

Sylvain Hallé

Example:


s = a

Runtime monitoring

G (a ® )X Øa


25

Sylvain Hallé

Example:

s = a

Runtime monitoring


G (a ® )X Øa

25

Sylvain Hallé

Example:

s = aa

Runtime monitoring


G (a ® )X Øa

25

Sylvain Hallé

Example:

s = aa

Runtime monitoring


G (a ® )X Øa

25

Sylvain Hallé

Example:

s = aa

No way to extend the trace:formula is false, i.e. message c

is a of the formuladirect violation

Runtime monitoring

G (a ® )X Øa

25

Sylvain Hallé

By construction (Gerth et al., PSTV 1995):

Let = be a monitor node resulting from theprocessing of a message The message is a violation of the conditions in if and only if it contains

for some proposition p.

N

Nm. direct

Detecting direct violations

p Ù Øp

26

Sylvain Hallé

By construction (Gerth et al., PSTV 1995):

Let = be a monitor node resulting from theprocessing of a message The message is a violation of the conditions in if and only if it contains

for some proposition p.

Consequence

is a if this happens for all leaf nodes

N

Nm

m

. direct

direct violation

Detecting direct violations

p Ù Øp

26

Sylvain Hallé

Theorem

Let = be a monitor node resulting from theprocessing of a message The message is a violation of the conditions in if and only if the formula

is unsatisfiable. (See paper for the proof!)

N

Nm. root

Detecting root violations

Ù D( )Ù G( ) Ù X

27

Sylvain Hallé

Theorem

Let = be a monitor node resulting from theprocessing of a message The message is a violation of the conditions in if and only if the formula

is unsatisfiable. (See paper for the proof!)

Consequence

is a if this happens for all leaf nodes

N

Nm

m

. root

root violation

Detecting root violations

Ù D( )Ù G( ) Ù X

27

Sylvain Hallé

1. In the algorithm, each leaf node represents a possible set ofconditions for a valid extension of the current trace

2. If the conditions are contradictory, no trace extension canever satisfy them

3. The formula p Ù Øp is a special case of ,where the contradiction occurs in the current message

4. Detection of root violations reduces to satisfiability solving ofsome set of LTL formulas

.

.

Intuition

sub-formulas thatmust be true now

sub-formulas that mustbe true in the next state

Ù D( )Ù G( ) Ù X

28

Sylvain Hallé

Decomposition rules can be added to deal with LTL-FO+; the definition of root violation does not change

1. Atoms become equality tests

2. Decomposition rules for quantifiers

Adding first-order quantifiers

(and vice versa)

29

Sylvain Hallé

A workflow for root violation detection

30

Sylvain Hallé


1 1 n n. . . }

Leaf nodes from currentmonitor state

30

Sylvain Hallé


m

1 1 n n. . . }

Incomingmessage

30

Sylvain Hallé


m UPDATE

1 1 n n. . . }

Monitorupdate function

30

Sylvain Hallé


m UPDATE

1 1 n n. . . } }

. . .

1 1' '

k k' '

New leaf nodes

30

Sylvain Hallé


m UPDATE

1 1 n n. . . } }

. . .

1 1' '

k k' '

Node sent to LTL-FO+satisfiability solver

S

30

Sylvain Hallé


m UPDATE

1 1 n n. . . } } 1 1

' '

. . .

1 1' '

k k' '

SAT

Kept ifsatisfiable

S

30

Sylvain Hallé


m UPDATE

1 1 n n. . . } } 1 1

' '

. . .

1 1' '

k k' '

SAT

UNSAT

X Deleted if not

S

30

Sylvain Hallé


m UPDATE

1 1 n n. . . } } 1 1

' '

. . .

1 1' '

k k' '

k k' '

SAT

SAT

UNSAT

UNSAT

X

Repeat for every node

S

S

30

Sylvain Hallé


m UPDATE

1 1 n n. . . } } 1 1

' '

. . .

1 1' '

k k' '

k k' '

SAT

SAT

UNSAT

UNSAT

X

New monitornodes

S

S

30

Sylvain Hallé


m UPDATE

1 1 n n. . . } } 1 1

' '

. . .

1 1' '

k k' '

k k' '

S

S

SAT

SAT

UNSAT

UNSAT

X

Declare root violation if no node remains after pruning

30

Sylvain Hallé

(Hallé & Villemaire, 2011) used as theLTL-FO+ runtime monitor

(Ludwig & Hustadt, 2010) used as thetemporal satisfiability solver

100 randomly-generated traces of shopping carttransactions

Validation of the shopping cart contract

BeepBeep

TSPASS

Experimental setup

S

31

Sylvain Hallé

< 1

40

20

30

10

0

1-2 2-3 3-4 > 4

Num

ber

of t

race

s

Overhead

Experiment 1: overhead incurred by use of a solver

Experimental results

Solver time:13 ms / message

32

Sylvain Hallé

Experiment 2: difference (in messages) between root and direct violation

0

80

60

40

20

0

1-5 6-10 11-15 16-20

Num

ber

of t

race

s

Length difference

Violation detected‘‘in advance’’: 18%

less messages consumed

Experimental results

33

Sylvain Hallé

The concept of violation is a one:parameterized

Future work

34

s’

s

Sylvain Hallé

The concept of violation is a one:parameterized

Future work

34

Call an error whenthe current trace cannot be

extended by at least suffixes with at leastn

k messages

s’

s

Sylvain Hallé

The concept of violation is a one:

= ‘ lookahead’

parameterized

k ‘ ’ = ‘‘degree of freedom’’n

Future work

34



k messages

s’

s

Sylvain Hallé


= ‘ lookahead’

parameterized

k ‘ ’ = ‘‘degree of freedom’’

· Direct violation=1, =1

n

n k

Future work

34



k messages

s’

s

Sylvain Hallé


= ‘ lookahead’

parameterized

k ‘ ’ = ‘‘degree of freedom’’

· Direct violation=1, =1

· Root cause=1, =¥

n

n

n

k

k

Future work

34



k messages

s’

s

Sylvain Hallé

1. The peer responsible for an interface contract violation

2. A occurs when no infinite extension of thecurrent transaction can ever fulfill an interface contract

3. Using LTL-FO+ as the specification language, reductionto the propositional case results in an

4. Leveraging on a runtime monitoring algorithm, root causedetection reduces to satisfiability solving

5. An experimental setup can detect directviolations ahead of time with reasonableoverhead

maynot cause it directly

root violation

infinite search problem

.

.

.

.

Take-home points

35

Technology

Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"