Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gerardo Schneider Department of Informatics University of Oslo 2009 Heisenberg-Effect-Free Runtime Verification of Real-Time Properties Gerardo Schneider.

Similar presentations


Presentation on theme: "Gerardo Schneider Department of Informatics University of Oslo 2009 Heisenberg-Effect-Free Runtime Verification of Real-Time Properties Gerardo Schneider."— Presentation transcript:

1 Gerardo Schneider Department of Informatics University of Oslo 2009 Heisenberg-Effect-Free Runtime Verification of Real-Time Properties Gerardo Schneider Dept. of Informatics University of Oslo January 2009

2 Gerardo Schneider Department of Informatics University of Oslo 2 2009 Heisenberg Effect Observing reality... changes reality We will see what all these mean in the context of Runtime Verification Werner Heisenberg (1901-1976) Nobel Prize in Physics (1932)

3 Gerardo Schneider Department of Informatics University of Oslo 3 2009 Outline  Runtime Verification  The Heisenberg effect in RV  How to solve the Heisenberg effect in RV?

4 Gerardo Schneider Department of Informatics University of Oslo 4 2009 Runtime Verification -------------- -------------- Specification-------------- --------------

5 Gerardo Schneider Department of Informatics University of Oslo 5 2009 A ’send’ should only be followed by an ’ack’ Runtime Verification A !send ?ack B ?send !ack send ack send ack error send ack else M send ack send ack A B A B

6 Gerardo Schneider Department of Informatics University of Oslo 6 2009 Heisenberg Effect in RV (with Time) A !send ?ack B ?send !ack send ack A B A ’send’ should only be followed by an ’ack’ Any ’send’ must be followed by an ’ack’ within 30 sec 0 1 26 28 send ack 0 2 27 30 A B B ”knows” that there is at most 3 sec delay between sending his ’ack’ and receiving it

7 Gerardo Schneider Department of Informatics University of Oslo 7 2009 Heisenberg Effect in RV (with Time) A !send ?ack B ?send !ack error send; t:=0 ack; t<=30 else M send ack A B 0 1 26 28 send ack 0 2 27 30 A B 2 27 30 0 3 27 32 0 B canot rely anymore on his ”knoweldge” of the system! The monitor ”invalidates” a valid property, because it slows down the system

8 Gerardo Schneider Department of Informatics University of Oslo 8 2009 Heisenberg Effect in RV (with Time) Adding a monitor at runtime slows down the system and may invalidate certain properties which would be valid otherwise Eliminating a monitor at runtime speeds up the system and may invalidate certain properties which would be valid otherwise

9 Gerardo Schneider Department of Informatics University of Oslo 9 2009 How to avoid the Heisenberg Effect in RV Good for testing; not when you really want runtime monitoring Monitor off-line Costly Dedicate a machine for the monitor Not always possible Not useful for critical systems Develop very small monitors Instantiation in Duration Calculus Characterize real-time properties invariant when slowing down

10 Gerardo Schneider Department of Informatics University of Oslo 10 2009 Slow-down and Speed-up Truth Preservation We define the notions of time-stretching and time-compression It formalizes time transformation We study properties of such time transformations for durations An interpretation is the evaluation of a set of variables with respect to time normal slowed speeded

11 Gerardo Schneider Department of Informatics University of Oslo 11 2009 Duration Calculus DC is an interval logic: It expresses properties which hold over time intervals It formalizes the concept of duration A duration calculus formula is said to hold with respect to a particular interpretation An interpretation is the evaluation of a set of variables with respect to time The calculus is based on two main concepts Integration: it measures the duration of a Boolean variable over an interval The chop operator: which splits an interval into two with different formulae which must hold on each subinterval

12 Gerardo Schneider Department of Informatics University of Oslo 12 2009 Duration Calculus - Examples ”For any period any leak should be detectable and stoppable withing 1 sec” □ ( ǁ Leak ǁ → l ≤ 1) □ - for any subinterval ǁ. ǁ - ”almost everywhere” inside l – ”length” of an interval ”After any leak in this period the gas burner cannot switch on gas for 30 sec” □ (( ǁ Leak ǁ ; ǁ ¬ Leak ǁ ; ǁ Leak ǁ ) → l ≥30) ; - ”chop” operator

13 Gerardo Schneider Department of Informatics University of Oslo 13 2009 Slow-Down Truth Preserving Properties Any upper-bound formula is sdtp Duration > bound ”Almost-everywhere” preserves sdtpchop preserves sdtp If D and E are sdtp then D;E (D chop E) is also sdtp Diamond preserves sdtp If E is sdtp then ”there exists a subinterval s.t. E” is also sdtp Box preserves sdtp If E is sdtp then ”for any subinterval s.t. E” is also sdtp ”The number of bad logins cannot exceed 3 in a period of one hour” □ (badlog > 3 → l > 3600) ”After any leak in this period the gas burner cannot switch on gas for 30 sec” □ (( ǁ Leak ǁ ; ǁ ¬ Leak ǁ ; ǁ Leak ǁ ) → l ≥ 30)

14 Gerardo Schneider Department of Informatics University of Oslo 14 2009 Any timeout or deadline formula is sutp Duration < bound ”Almost-everywhere” preserves sutpchop preserves sutp If D and E are sutp then D;E (D chop E) is also sutp Diamond preserves sutp If E is sutp then ”there exists a subinterval s.t. E” is also sutp Box preserves sutp If E is sutp then ”for any subinterval s.t. E” is also sutp Speed-Up Truth Preserving Properties ”Any ’send’ must be followed by an ’ack’ within 30 sec” ”For any period any leak should be detectable and stoppable withing 1 sec” □ ( ǁ Leak ǁ → l ≤ 1)

15 Gerardo Schneider Department of Informatics University of Oslo 15 2009 Slow-down and Speed-up Truth Preservation Remarks: - Properties without time (duration) are both slow- down and speed-up truth preserving - Properties containing both lower and upper bounds are none

16 Gerardo Schneider Department of Informatics University of Oslo 16 2009 How to Avoid the Heisenberg Effect in RV? Use a monitor at runtime only for Slow-Down Truth Preserving properties Use a monitor during testing only for Speed-Up Truth Preserving properties

17 Gerardo Schneider Department of Informatics University of Oslo 17 2009 What Is Behind the Stage? Definition of suitable automata for RV with real-time (DATE) A sound translation from Phase Automata into DATEs There exists a translation from DC into Phase Automata (characterize ”implementable” DC) ([Bouajjani et al.95], [Hoenicke06]) Formal definition and theoretical results on time transformation Time stretching and compressing Slow-down and speed-up invariance Theory applied to Duration Calculus Syntactic characterization of sdtp and sutp Semantic characterization of time stretching and compressing

18 Gerardo Schneider Department of Informatics University of Oslo 18 2009 DATE: Dynamic Automata with Timers & Events Communicating symbolic automata enriched with events and timers Events: e.g. method calls and exception handling Timers can reset, pause and resume Automata are dynamic: automatically replicated according to context Context is taken into account It supports: Conditions and actions on transitions Communication between automata Actions can access code and data from the monitored program Communication is through channel synchronization

19 Gerardo Schneider Department of Informatics University of Oslo 19 2009 What All These Mean in Practice? Slowdown Truth Preserving prop. (DC) Monitor (DATE) Monitor the System (Java program ) At Runtime Speedup Truth Preserving prop. (DC) Monitor (DATE) Monitor the System (Java program ) During Testing

20 Gerardo Schneider Department of Informatics University of Oslo 20 2009 * AspectJ Matching method names AspectJ Matching method names USER * Logical Automata for Runtime Verification and Analysis (http://www.cs.um.edu.mt/svrg/Tools/LARVA/)

21 Gerardo Schneider Department of Informatics University of Oslo 21 2009 Conclusions RV of real-time properties should be taken carefully Monitors affect behavior We have a theory of slow-down and speed-up truth preserving properties We know which properties to monitor at runtime and which during testing We have a characterization of such properties in Duration Calculus A tool for RV of Java – LARVA Mathematical framework – DATE Highly expressive (contextual and real-time properties)

22 Gerardo Schneider Department of Informatics University of Oslo 22 2009 Credits  Joint work with Christian Colombo and Gordon Pace  C. Colombo, G. Pace and G. Schneider. Dynamic event- based runtime monitoring of real-time and contextual properties. In FMICS’08. LNCS, to appear  C. Colombo, G. Pace and G. Schneider. Heisenberg- effect-free Runtime Verification of Java Programs with Real-Time Properties. To be submitted soon  LARVA: http://www.cs.um.edu.mt/svrg/Tools/LARVA/


Download ppt "Gerardo Schneider Department of Informatics University of Oslo 2009 Heisenberg-Effect-Free Runtime Verification of Real-Time Properties Gerardo Schneider."

Similar presentations


Ads by Google