Sylvain Hallé

Abstract

Interface contracts are sets of constraints specifying valid exchanges of messages between two or more peers. A contract violation occurs when one of the peers fails to fulfil one of these constraints and emits a message that is not a valid continuation of a message "trace". In some cases, the message that directly exposes the violation turns out to be the last of a succession of forced moves, while the "root cause" of the violation resides earlier in the trace and may emanate from a different peer. We formally define the notion of causality for interface contracts expressed in a first-order extension of Linear Temporal Logic. In particular, we show how the detection of root causes reduces to satisfiability solving of a precise set of formulæ. An experimental setup shows how causality can be analyzed automatically on a pre-recorded message trace.
Slide 2: A lighthearted introduction

Two players, "O" and "X", take turns sending moves. The game is governed by rules:
1. X and O must alternate
2. Can't put two symbols in the same square
3. Eventually, there must be a line of three of the same symbol

The slide labels three things: the moves that are exchanged, the rules, and the game itself (shown as a partially filled tic-tac-toe board).
Slide 3: A lighthearted introduction (continued)

Now replace the players by an "O" web service and an "X" web service. The analogy maps:
· Move → Message, e.g. <Move><Player>X</Player><Row>1</Row><Col>A</Col></Move>
· Rules → Interface contract
· Game → Transaction
Slide 4: A more serious example

A Shop service and a Customer service interact; each has its own requirements on the course of a transaction.
Slide 5: A more serious example (continued)

Shop service requirements:
S1. All carts with more than three items are labelled "large" and must be paid by credit
S2. Every cart created must be checked out
S3. Payment mode must be only one of "Credit" or "PayPal"

Customer service requirement:
C1. A cart created with a mode of payment must be checked out with the same mode of payment

Interface contract = "sum" (i.e. logical conjunction) of the individual requirements.
Slide 6: Formalizing interface contracts

The service's behaviour follows constraints on...
1. Sequences of operations only
2. Parameter values only
3. Both at the same time

LTL-FO+: extension of LTL with quantifiers on message parameters (Hallé & Villemaire, EDOC 2008)
Slide 7: Formalizing interface contracts (continued)

An LTL formula is an assertion on a trace (of messages):
· G a: "always a"
· X a: "the next message is a"
· F a: "eventually a"
· a W b: "a until b"

Example trace: a b a c d c b a q q t a m ... On this trace, G (a → X b) is FALSE (the third message, a, is followed by c, not b); the slide's second formula, a W-formula built from q ∨ t and ¬c, is TRUE.

But what about data contents?
Slide 8: Formalizing interface contracts (continued)

What if symbols are XML documents?

LTL-FO+ = LTL + first-order quantification on elements.

Let p be the argument of a function f that filters the acceptable values for x according to the current message s0:

  s̄ ⊨ ∃_p x : φ(x)   ⇔   ∃ k ∈ f(s0, p) : s̄ ⊨ φ(k)
Slide 9: LTL-FO+ example

Take p = a/b (an XPath expression) and the two-message trace s̄ = s0 s1 with

  s0 = <a><b>1</b><b>2</b><c>5</c></a>
  s1 = <d><e>1</e><e>2</e><c>5</c><c>6</c></d>

Then f(s0, a/b) = {1, 2} and f(s1, a/b) = {} (s1 has no a/b elements).

Evaluating some LTL-FO+ formulas on s̄:
· ∀_{a/b} x : x = 1 ∨ x = 2            TRUE
· ∀_c x : x = 5                          TRUE
· ∀_c x : F ∃_c y : x = y                TRUE
· G ∀_c x : x = 5                        FALSE
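As an added example (not from the slides), the following Python evaluates the four formulas above on the two-message trace. It implements the domain function f(s, p) with ElementTree path lookups; the slide's bare path c is written .//c here, all element values are compared as strings, and the finite-trace reading of G, F and X is my own choice.

```python
import xml.etree.ElementTree as ET

# Constructed two-message trace s = s0 s1, transcribed from the slide's example.
TRACE = [ET.fromstring(x) for x in (
    "<a><b>1</b><b>2</b><c>5</c></a>",
    "<d><e>1</e><e>2</e><c>5</c><c>6</c></d>",
)]


def f(msg, path):
    """Domain function f(s, p): text values of the elements that path p selects in message s.

    The message is wrapped in a dummy document element so that a path such as
    'a/b' starts at the message's root element, as on the slide.
    """
    doc = ET.Element("doc")
    doc.append(msg)
    return {el.text for el in doc.findall(path)}


def holds(phi, trace, i, env):
    """Finite-trace semantics of LTL-FO+ at position i of trace, under the binding env.

    Formulas are nested tuples: ('eq', x, y), ('not', phi), ('and'|'or', phi, psi),
    ('X'|'G'|'F', phi) and ('forall'|'exists', path, var, phi). Operands of 'eq' are
    variable names looked up in env, or literal strings when unbound.
    """
    op = phi[0]
    if op == "eq":
        return env.get(phi[1], phi[1]) == env.get(phi[2], phi[2])
    if op == "not":
        return not holds(phi[1], trace, i, env)
    if op == "and":
        return holds(phi[1], trace, i, env) and holds(phi[2], trace, i, env)
    if op == "or":
        return holds(phi[1], trace, i, env) or holds(phi[2], trace, i, env)
    if op == "X":
        return i + 1 < len(trace) and holds(phi[1], trace, i + 1, env)
    if op == "G":
        return all(holds(phi[1], trace, j, env) for j in range(i, len(trace)))
    if op == "F":
        return any(holds(phi[1], trace, j, env) for j in range(i, len(trace)))
    # Quantifiers range over f(s_i, p): the values the path filters out of the current message.
    _, path, var, body = phi
    verdicts = [holds(body, trace, i, {**env, var: k}) for k in f(trace[i], path)]
    return all(verdicts) if op == "forall" else any(verdicts)


def evaluate(phi, trace=TRACE):
    """Evaluate a closed formula on the whole trace (position 0, empty environment)."""
    return holds(phi, trace, 0, {})


# The four formulas of the slide.
F1 = ("forall", "a/b", "x", ("or", ("eq", "x", "1"), ("eq", "x", "2")))
F2 = ("forall", ".//c", "x", ("eq", "x", "5"))
F3 = ("forall", ".//c", "x", ("F", ("exists", ".//c", "y", ("eq", "x", "y"))))
F4 = ("G", ("forall", ".//c", "x", ("eq", "x", "5")))

if __name__ == "__main__":
    print(f(TRACE[0], "a/b"), f(TRACE[1], "a/b"))   # {'1', '2'} set()
    for name, phi in [("F1", F1), ("F2", F2), ("F3", F3), ("F4", F4)]:
        print(name, evaluate(phi))                   # True True True False
```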
Slide 10: LTL-FO+

"X and O must alternate" is written:

  G ( ∀_{Move/Player} p : X ∀_{Move/Player} p′ : p ≠ p′ )

A trace of messages m̄ that satisfies an interface contract φ is noted m̄ ⊨ φ.
Slide 11: Contract compliance

If m̄ ⊭ φ, whose fault is it?

whodunit: "A whodunit (for "Who['s] done it?") is a complex, plot-driven variety of the detective story in which the puzzle is the main feature of interest. The reader is provided with clues from which the identity of the perpetrator of the crime may be deduced before the solution is revealed in the final pages of the book." (Wikipedia)
Slide 12: Contract compliance (continued)

Applications:
· Which component does not implement the standard correctly?
· Which component should compensate the others for the violation?
· At runtime: which component should take a different action to avoid a violation?
Slide 13: Direct violation

A message m is a direct violation for a trace m̄ if:
· m̄ ⊨ φ, and
· m̄.m ⊭ φ

Example: on the board shown (X O X in the first row, X X O in the second), the next message m, sent by player "O", breaks the rules of slide 2.

Hypothesis #1: the sender of m is responsible for the contract violation.

WANTED: Player "O", for violating the interface contract.
Slide 14: Direct violation, another example

The slide replays a longer sequence of boards, again against the rules of slide 2. This time the message that directly violates the contract is sent by X:

WANTED: Player "X", for violating the interface contract.
Slide 15: Root violation

A message m is a root violation for a trace m̄ if:
· m̄ ⊨ φ, and
· for any (infinite) suffix m̄′, we have m̄.m.m̄′ ⊭ φ

Hypothesis #2: the sender of m is responsible for the contract violation.
Slide 16: Root violation, example

Replaying the sequence of boards of slide 14 under this second definition, the root violation is an earlier move by O, not the final move by X:

WANTED: Player "O", for violating the interface contract.
Slide 17: Observations

1. Root violations capture the fact that direct violations are sometimes the result of a sequence of "forced moves".
2. The faulty peer may not be the same as in an ensuing direct violation (WANTED Player "O" vs. WANTED Player "X").
3. The interface contract is not contradictory in itself: a root violation depends on the actual course of actions taken.
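As an added example (not part of the deck), here is a small Python analysis of the tic-tac-toe contract of slide 2 that computes both the direct and the root violation of a trace of moves, by brute-force search over all continuations. The trace is constructed, and the modelling choice that a full board with no line is where rule 3 is directly violated is mine.

```python
"""Direct vs. root violation on the tic-tac-toe contract: (1) X and O alternate,
(2) a square is used only once, (3) eventually a line of three identical symbols."""

LINES = [(0, 1, 2), (3, 4, 5), (6, 7, 8),
         (0, 3, 6), (1, 4, 7), (2, 5, 8),
         (0, 4, 8), (2, 4, 6)]


def has_line(board):
    """Rule 3 is met once three equal symbols occupy a row, column or diagonal."""
    return any(board[a] != "." and board[a] == board[b] == board[c] for a, b, c in LINES)


def play(board, player, square):
    return board[:square] + player + board[square + 1:]


def can_still_satisfy(board, last):
    """True iff some legal continuation (any, not only a sensible one) yields a line.

    This is the 'exists a suffix that satisfies the contract' half of the
    root-violation definition, restricted to the finite game tree."""
    if has_line(board):
        return True
    nxt = "O" if last == "X" else "X"
    return any(can_still_satisfy(play(board, nxt, i), nxt)
               for i, sq in enumerate(board) if sq == ".")


def analyze(trace):
    """Return (direct, root): trace indexes of the direct and root violation (None if absent).

    A move is the direct violation when it breaks rule 1 or 2 itself, or fills the
    board without a line (modelling choice: no later move can then satisfy rule 3).
    A move is the root violation when the prefix up to it was still fine but, after
    it, no continuation can ever satisfy the contract."""
    board, last, root = "." * 9, None, None
    for i, (player, square) in enumerate(trace):
        if player == last or board[square] != ".":
            return i, (i if root is None else root)
        board, last = play(board, player, square), player
        if root is None and not can_still_satisfy(board, last):
            root = i
        if "." not in board and not has_line(board):
            return i, root
    return None, root


# Constructed trace: O's move at index 7 makes a draw inevitable; X's forced move at
# index 8 then fills the board and exposes the violation. Different peers, as in slide 17.
TRACE = [("X", 0), ("O", 4), ("X", 2), ("O", 1), ("X", 7),
         ("O", 5), ("X", 3), ("O", 6), ("X", 8)]

if __name__ == "__main__":
    direct, root = analyze(TRACE)
    print("direct violation by", TRACE[direct][0], "at index", direct)   # X at index 8
    print("root violation by", TRACE[root][0], "at index", root)         # O at index 7
```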
Slide 18: How to find root violations?

Solution #1: anticipatory semantics for LTL (Bauer et al., RV 2007)
1. Create the Büchi automaton M equivalent to φ
2. Label each state based on language emptiness (empty) or not (non-empty)
3. Read m̄ by keeping pointers to states of M; discard any pointer to a state whose language is empty
4. A message is a root violation if no pointer is left

The slide animates these steps on a small automaton over the alphabet {a, b}, reading the trace m̄ = a b a message by message.
Slide 19: How to find root violations? (continued)

Problem:
· Designed for LTL
· With LTL-FO+, M is infinite.
Slide 20: How to find root violations? (continued)

Solution #2: Conversion to LTL
1. Bound the domains for each path expression
2. Convert quantifiers into equivalent expressions. If f(_, a/b) ⊆ {1, 2}, then
     ∀_{a/b} x : F ∃_{a/b} y : x = y
   becomes
     (F ∃_{a/b} y : 1 = y) ∧ (F ∃_{a/b} y : 2 = y)
   ... and so on
3. The formula is now pure LTL; use solution #1
OR
4. Send messages one by one to an LTL model checker: m1 ⊨ φ? m1 m2 ⊨ φ? m1 m2 m3 ⊨ φ? ... The first message that causes the validation to fail is a root violation.
Slide 21: How to find root violations? (continued)

Problem:
· Requires bounded data domains
· Exponential blow-up of formula
· Non-incremental process
Slide 22: Proposed solution

Exploit an on-the-fly runtime monitoring algorithm for linear temporal logic.
1. Monitor state σ = set of LTL-FO+ formulas
2. Upon each new message: update state σ to σ′ according to transformation rules
3. Compute an outcome function on the resulting state to decide if the contract is violated
Slide 23: Runtime monitoring

Algorithm overview:
1. An LTL formula is decomposed into nodes of the form ⟨Γ | Δ⟩, where Γ holds the sub-formulas that must be true now and Δ the sub-formulas that must be true in the next state.
Slide 24: Runtime monitoring (continued)

2. Negations pushed inside (classical identities + dual of U = V)
3. At the leaves, Γ contains atoms + negations of atoms: we evaluate them
   Verdict:
   · All leaves contain FALSE: formula is false
   · A leaf is empty: formula is true
   · Otherwise:
4. Next event: Δ copied into Γ and we continue
Slide 25: Runtime monitoring example: G (a → X ¬a)

Decomposing the root node ⟨G (a → X ¬a) | ⟩ first yields ⟨a → X ¬a | G (a → X ¬a)⟩, then the two leaves

  ⟨ ¬a | G (a → X ¬a) ⟩   and   ⟨ a | ¬a, G (a → X ¬a) ⟩

(the second one arises from ⟨a, X ¬a | G (a → X ¬a)⟩ by moving X ¬a into Δ).

Reading s = a: the first leaf is contradicted (it requires ¬a), the second survives; once a has been evaluated, Δ is copied into Γ, giving ⟨ ¬a, G (a → X ¬a) | ⟩. Decomposing this node again yields ⟨ a, ¬a | ¬a, G (a → X ¬a) ⟩, which is contradictory (a variable and its negation can never be true at the same time), and ⟨ ¬a | G (a → X ¬a) ⟩.

Reading s = a a: the remaining leaf requires ¬a, so no leaf is left. No way to extend the trace: the formula is false, i.e. the second message a is a direct violation of the formula.
Slide 26: Detecting direct violations

By construction (Gerth et al., PSTV 1995): Let N = ⟨Γ | Δ⟩ be a monitor node resulting from the processing of a message m. The message m is a direct violation of the conditions in N if and only if Γ contains p ∧ ¬p for some proposition p.

Consequence: m is a direct violation if this happens for all leaf nodes.
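As an added example (my own code, not BeepBeep's and not from the deck), a propositional version of the monitor of slides 23 to 26: formulas are pushed into negation normal form, nodes ⟨Γ | Δ⟩ are decomposed, the literals of each leaf are checked against the message (a set of true propositions), and a direct violation is reported when no leaf survives. Only G, F, X and the Boolean connectives are handled (no U/V), and root violations, which need the satisfiability check of the next slide, are not covered.

```python
"""Propositional on-the-fly monitor in the style of Gerth et al.: nodes are (Γ, Δ) pairs of
frozensets; formulas are tuples ('atom', p), ('not', f), ('and', f, g), ('or', f, g),
('imp', f, g), ('X', f), ('G', f), ('F', f)."""


def nnf(f):
    """Push negations down to the atoms (step 2); a → b is rewritten as ¬a ∨ b."""
    op = f[0]
    if op == "imp":
        return nnf(("or", ("not", f[1]), f[2]))
    if op == "atom":
        return f
    if op != "not":
        return (op,) + tuple(nnf(x) for x in f[1:])
    g = f[1]                                   # f is ¬g
    if g[0] == "atom":
        return f
    if g[0] == "not":
        return nnf(g[1])
    if g[0] == "imp":
        return nnf(("and", g[1], ("not", g[2])))
    dual = {"and": "or", "or": "and", "X": "X", "G": "F", "F": "G"}
    return (dual[g[0]],) + tuple(nnf(("not", x)) for x in g[1:])


def expand(gamma, delta):
    """Decompose Γ until it holds literals only (step 1); returns the leaf nodes."""
    for f in gamma:
        op = f[0]
        if op in ("atom", "not"):
            continue                           # literal: nothing to decompose
        rest = gamma - {f}
        if op == "and":
            return expand(rest | {f[1], f[2]}, delta)
        if op == "or":
            return expand(rest | {f[1]}, delta) + expand(rest | {f[2]}, delta)
        if op == "X":
            return expand(rest, delta | {f[1]})            # obligation moves to the next state
        if op == "G":
            return expand(rest | {f[1]}, delta | {f})       # G f = f ∧ X G f
        if op == "F":
            return expand(rest | {f[1]}, delta) + expand(rest, delta | {f})   # F f = f ∨ X F f
    return [(gamma, delta)]


def consistent(literals, msg):
    """Step 3: evaluate the literals of a leaf against the message (set of true propositions)."""
    return all((lit[1] in msg) if lit[0] == "atom" else (lit[1][1] not in msg) for lit in literals)


def monitor(formula, trace):
    """Return the index of the message that is a direct violation, or None if there is none.

    After each message, the Δ of every surviving leaf becomes the Γ of the next node (step 4)."""
    nodes = [(frozenset([nnf(formula)]), frozenset())]
    for i, msg in enumerate(trace):
        leaves = [leaf for node in nodes for leaf in expand(*node)]
        nodes = [(delta, frozenset()) for gamma, delta in leaves if consistent(gamma, msg)]
        if not nodes:
            return i                            # no leaf left: no extension of the trace works
    return None


# The slide's formula G (a → X ¬a) and its trace s = a a (constructed messages).
PHI = ("G", ("imp", ("atom", "a"), ("X", ("not", ("atom", "a")))))

if __name__ == "__main__":
    print(monitor(PHI, [{"a"}, {"a"}]))         # 1: the second a is the direct violation
    print(monitor(PHI, [{"a"}, set(), {"a"}]))  # None
```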
Slide 27: Detecting root violations

Theorem: Let N = ⟨Γ | Δ⟩ be a monitor node resulting from the processing of a message m. The message m is a root violation of the conditions in N if and only if the formula

  (⋀ Γ) ∧ X (⋀ Δ)

is unsatisfiable. (See paper for the proof!)

Consequence: m is a root violation if this happens for all leaf nodes.
Slide 28: Intuition

1. In the algorithm, each leaf node ⟨Γ | Δ⟩ (Γ: sub-formulas that must be true now; Δ: sub-formulas that must be true in the next state) represents a possible set of conditions for a valid extension of the current trace.
2. If the conditions are contradictory, no trace extension can ever satisfy them.
3. The formula p ∧ ¬p is a special case of (⋀ Γ) ∧ X (⋀ Δ), where the contradiction occurs in the current message.
4. Detection of root violations reduces to satisfiability solving of some set of LTL formulas.
Slide 29: Adding first-order quantifiers

Decomposition rules can be added to deal with LTL-FO+; the definition of root violation does not change.
1. Atoms become equality tests (and vice versa)
2. Decomposition rules for quantifiers
Slide 30: A workflow for root violation detection

· Leaf nodes from the current monitor state: {⟨Γ1 | Δ1⟩, ..., ⟨Γn | Δn⟩}
· An incoming message m is fed to the monitor update function UPDATE
· UPDATE produces the new leaf nodes {⟨Γ′1 | Δ′1⟩, ..., ⟨Γ′k | Δ′k⟩}
· Each new node is sent to the LTL-FO+ satisfiability solver S: kept if satisfiable (SAT), deleted if not (UNSAT)
· Repeat for every node; the survivors are the new monitor nodes
· Declare a root violation if no node remains after pruning
Slide 31: Experimental setup

· BeepBeep (Hallé & Villemaire, 2011) used as the LTL-FO+ runtime monitor
· TSPASS (Ludwig & Hustadt, 2010) used as the temporal satisfiability solver S
· 100 randomly-generated traces of shopping cart transactions
· Validation of the shopping cart contract
Slide 32: Experimental results

Experiment 1: overhead incurred by use of a solver

[Histogram: number of traces (y-axis, 0 to 40) per overhead bucket (< 1, 1-2, 2-3, 3-4, > 4)]

Solver time: 13 ms / message
Slide 33: Experimental results (continued)

Experiment 2: difference (in messages) between root and direct violation

[Histogram: number of traces (y-axis, 0 to 80) per length-difference bucket (0, 1-5, 6-10, 11-15, 16-20)]

Violation detected "in advance": 18% fewer messages consumed
Slide 34: Future work

The concept of violation is a parameterized one: call an error when the current trace cannot be extended by at least n suffixes with at least k messages.
· k = "lookahead", n = "degree of freedom"
· Direct violation: n = 1, k = 1
· Root cause: n = 1, k = ∞
Slide 35: Take-home points

1. The peer responsible for an interface contract violation may not cause it directly.
2. A root violation occurs when no infinite extension of the current transaction can ever fulfill an interface contract.
3. Using LTL-FO+ as the specification language, reduction to the propositional case results in an infinite search problem.
4. Leveraging a runtime monitoring algorithm, root cause detection reduces to satisfiability solving.
5. An experimental setup can detect direct violations ahead of time with reasonable overhead.