Definitions of Logical Causality for Log Analysis

Definitions of Logical Causality for Log Analysis Gregor Gössler 1 Joint work with Daniel Le Métayer 1 and Jean-Baptiste Raclet 2 1 INRIA Grenoble Rhône-Alpes, France 2 IRIT - CNRS, Toulouse, France Synchron 2011 GG, DLM, and JBR (INRIA/IRIT) Logical Causality 1 / 1

LISE: Liability Issues in Software Engineering Objectives General objective of the LISE project: Provide a set of methods and tools (both legal and technical) to Define liability in a precise and unambiguous way Establish liability in case of failure Scope: Contractual framework (not tort law) Liability for software defects (not intellectual property infringements) Priority: settle liability issues in an amicable way. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 2 / 1

Context A component-based system components are provided by different vendors Each component C i is equipped with a contract (A i, G i ): used according to A i, C i promises to behave like G i. Components are black boxes: only the contracts are known, not the implementation implementations may violate their contract Interactions between components are logged, logs may be distributed Problem: Define notions of causality between contract violations that can be used to establish liability of the component vendors. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 3 / 1

Causality in distributed systems A e 2 e 3 B f e 1 C e 4 v Lamport causality too weak for our needs: f v does not mean that failure f causes the violation v of the specification of C. Lamport causality is a necessary but not sufficient condition for causality between contract violations. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 4 / 1

Contracts Contract C = pair of automata (A, G). C specifies under which assumption A the component provides guarantee G. clean specification and limitation of the responsibilities of components. Example (Contract satisfaction) A: a cannot reoccur before b G: c never occurs b, c c a, b a b tr: a b a a c c =/ A but = C = (A, G) tr : a b c a = A and =/ G thus =/ C GG, DLM, and JBR (INRIA/IRIT) Logical Causality 5 / 1

Causality in Contract Violation: Overview C = (A, G) (A 1, G 1 ) (A 2, G 2 ) (A 3, G 3 ) B 1 B 2 B 3 tr 1 tr 2 tr 3 GG, DLM, and JBR (INRIA/IRIT) Logical Causality 6 / 1

Causality in Contract Violation: Overview C = (A, G) (A 1, G 1 ) (A 2, G 2 ) (A 3, G 3 ) B 1 B 2 B 3 tr 1 tr 2 tr 3 GG, DLM, and JBR (INRIA/IRIT) Logical Causality 6 / 1

Causality in Contract Violation: Overview C = (A, G) (A 1, G 1 ) (A 2, G 2 ) (A 3, G 3 ) B 1 B 2 B 3 tr 1 tr 2 tr 3 GG, DLM, and JBR (INRIA/IRIT) Logical Causality 6 / 1

Causality in Contract Violation: Overview C = (A, G) (A 1, G 1 ) (A 2, G 2 ) (A 3, G 3 ) B 1 B 2 B 3 tr 1 tr 2 tr 3 GG, DLM, and JBR (INRIA/IRIT) Logical Causality 6 / 1

Causality in Contract Violation: Overview C = (A, G) (A 1, G 1 ) (A 2, G 2 ) (A 3, G 3 ) B 1 B 2 B 3 tr 1 tr 2 tr 3 GG, DLM, and JBR (INRIA/IRIT) Logical Causality 6 / 1

Causality in Contract Violation: Overview C = (A, G) (A 1, G 1 ) (A 2, G 2 ) (A 3, G 3 ) B 1 B 2 B 3 tr 1 tr 2 tr 3 Hypothesis If the implementations B i of all components are correct, then C is respected. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 6 / 1

Causality in Contract Violation: Overview C = (A, G) (A 1, G 1 ) (A 2, G 2 ) (A 3, G 3 ) B 1 B 2 B 3 tr 1 tr 2 tr 3 Hypothesis If the implementations B i of all components are correct, then C is respected. Any contract violation is due to some faulty implementation B i. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 6 / 1

Logical Causality from Component Trace to Failure Necessary Causality Definition (Necessary causality) Tr n C if tr 1 Tr =/ C k tr n tr =/ C GG, DLM, and JBR (INRIA/IRIT) Logical Causality 7 / 1

Logical Causality from Component Trace to Failure Necessary Causality Definition (Necessary causality) Tr n C if tr 1 Tr tr n tr GG, DLM, and JBR (INRIA/IRIT) Logical Causality 7 / 1

Logical Causality from Component Trace to Failure Necessary Causality Definition (Necessary causality) Tr n C if tr 1 Tr = C k tr n consistent tr = C GG, DLM, and JBR (INRIA/IRIT) Logical Causality 7 / 1

Logical Causality from Component Trace to Failure Necessary Causality Given: (tr 1,..., tr n ) vector of observed traces Tr {tr 1,..., tr n } set of traces to be analyzed jointly Definition (Necessary causality) Tr is a necessary cause of the violation of C if tr Tr: tr C and tr : ( j {1,..., n} \ I : π j (tr ) = tr j where I = {i tr i Tr tr i =/ C i }. k I : π k (tr ) = C k ) = tr = C GG, DLM, and JBR (INRIA/IRIT) Logical Causality 8 / 1

Logical Causality from Component Trace to Failure Sufficient Causality Definition (Sufficient causality) Tr s C if tr 1 Tr =/ C k tr n tr =/ C GG, DLM, and JBR (INRIA/IRIT) Logical Causality 9 / 1

Logical Causality from Component Trace to Failure Sufficient Causality Definition (Sufficient causality) Tr s C if tr 1 Tr tr n tr GG, DLM, and JBR (INRIA/IRIT) Logical Causality 9 / 1

Logical Causality from Component Trace to Failure Sufficient Causality Definition (Sufficient causality) Tr s C if tr 1 = C 1 Tr tr n = C n consistent tr =/ C GG, DLM, and JBR (INRIA/IRIT) Logical Causality 9 / 1

Properties Property (Soundness) Necessary and sufficient causality are sound: 1 Any (necessary or sufficient) cause contains at least one component trace violating its contract. 2 Any minimal set of traces forming a cause only contains traces violating the component contracts. Property (Completeness) Every violation of the system-level contract has a necessary and a sufficient cause. Remark Causality defined on contracts and observed traces, not implementations. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 10 / 1

Example 1: Adaptive Cruise Control Sensor ssr o sld i SLD sld o HMI throttle brake tck hmi o,on hmi o,off sw i,on sw o,on bsi,user Clock tck Switch bs i,auto BS sw o,on sw o,off tck Radar rdr o or i OR or o acc s i tck acc i,on acc o i ACC acc i,off acc b o ts i,auto TS ts i,user acc t o GG, DLM, and JBR (INRIA/IRIT) Logical Causality 11 / 1

Example 1: Adaptive Cruise Control rdr o or i OR Radar tck or o acc s i tck acc i,on acc o i ACC acc i,off acc b o acc t o Obstacle recognition (OR) G OR : output 1 time unit after sensing Adaptive Cruise Control (ACC) G ACC : output 1 time unit after latest input Global guarantee G: ACC output at most 3 time units after data acquisition GG, DLM, and JBR (INRIA/IRIT) Logical Causality 11 / 1

Example 1: Adaptive Cruise Control Two necessary causes Consider the following trace excerpts: OR:... or i, tck, tck, or o, tck, tck,... ACC:... tck, tck, acc s i, tck, tck, accb o,... Both OR and ACC violate their contracts ( OR = 2, ACC = 2) = violation of the global timing constraint ( = 4 > 3). Each of the OR and ACC failures is a necessary cause for the global failure. Taken together they are a sufficient cause. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 12 / 1

Example 1: Adaptive Cruise Control One necessary and sufficient cause Consider the following trace excerpts: OR:... or i, tck, tck, tck, or o, tck, tck,... ACC:... tck, tck, tck, acc s i, tck, tck, acct o,... Both OR and ACC violate their contracts but OR s violation is more serious ( OR = 3, ACC = 2). OR s violation is a necessary and sufficient cause for the global failure. The violation of ACC is no longer a necessary cause. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 13 / 1

Example 2: Travel Agency Travel agency: Hotel 1: GG, DLM, and JBR (INRIA/IRIT) Logical Causality 14 / 1

Example 2: Travel Agency Spec 1: at any time, #(debits) #(confirmations) Spec 2: each request is ack ed by either fail or resa i.!resp yes i for i {1, 2} GG, DLM, and JBR (INRIA/IRIT) Logical Causality 15 / 1

Example 2: Travel Agency Spec 1: at any time, #(debits) #(confirmations) Spec 2: each request is ack ed by either fail or resa i.!resp yes i for i {1, 2} Observed traces: agency:?proc.!demand 1.?resp no 1.!demand 2.?resp yes 2.!conf GG, DLM, and JBR (INRIA/IRIT) Logical Causality 15 / 1

Example 2: Travel Agency Spec 1: at any time, #(debits) #(confirmations) Spec 2: each request is ack ed by either fail or resa i.!resp yes i for i {1, 2} Observed traces: agency:?proc.!demand 1.?resp no 1.!demand 2.?resp yes 2.!conf hotel 1:?demand 1. resa 1.!resp no 1. wait 1. debit 1 GG, DLM, and JBR (INRIA/IRIT) Logical Causality 15 / 1

Example 2: Travel Agency Spec 1: at any time, #(debits) #(confirmations) Spec 2: each request is ack ed by either fail or resa i.!resp yes i for i {1, 2} Observed traces: agency:?proc.!demand 1.?resp no 1.!demand 2.?resp yes 2.!conf hotel 1:?demand 1. resa 1.!resp no 1. wait 1. debit 1 hotel 2:?demand 2.!resp yes 2. wait 2. debit 2 GG, DLM, and JBR (INRIA/IRIT) Logical Causality 15 / 1

Example 2: Travel Agency Spec 1: at any time, #(debits) #(confirmations) Spec 2: each request is ack ed by either fail or resa i.!resp yes i for i {1, 2} Observed traces: agency:?proc.!demand 1.?resp no 1.!demand 2.?resp yes 2.!conf hotel 1:?demand 1. resa 1.!resp no 1. wait 1. debit 1 hotel 2:?demand 2.!resp yes 2. wait 2. debit 2 Results of causality analysis: spec 1 spec 2 travel agency hotel 1 N, S S hotel 2 S GG, DLM, and JBR (INRIA/IRIT) Logical Causality 15 / 1

Causality Analysis with Bounded Past Given: (tr 1,..., tr n ) vector of observed traces tr i a suffix of tr i, i = 1,..., n, such that tr i : π i (tr) = tr i. Tr {tr 1,..., tr n } set of traces to be analyzed jointly Definition (Necessary causality) Tr is a necessary cause of the violation of C if tr Tr: tr C and tr : ( j {1,..., n} \ I : π j (tr ) = tr j where I = {i tr i Tr tr i =/ C i }. k I : π k (tr ) = C k ) = tr = C GG, DLM, and JBR (INRIA/IRIT) Logical Causality 16 / 1

Causality Analysis with Bounded Past Given: (tr 1,..., tr n ) vector of observed traces tr i a suffix of tr i, i = 1,..., n, such that tr i : π i (tr) = tr i. Tr {tr 1,..., tr n } set of traces to be analyzed jointly Definition (Necessary causality) Tr is a necessary cause of the violation of C if tr Tr: tr C and tr : ( j {1,..., n} \ I : π j (tr ) = tr j k I : π k (tr ) = C k = tr = C where I = {i tr i Tr tr i =/ C i }. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 16 / 1

Causality Analysis with Bounded Past Given: (tr 1,..., tr n ) vector of observed traces tr i a suffix of tr i, i = 1,..., n, such that tr i : π i (tr) = tr i. Tr {tr 1,..., tr n } set of traces to be analyzed jointly Definition (Necessary causality) Tr is a necessary cause of the violation of C if tr Tr: tr : ( j {1,..., n} \ I : π j (tr ) = tr + j tr C = and k I : π k (tr ) = C k = tr = C where I = {i tr i Tr tr i =/ C i = }. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 16 / 1

Related Work Actual causality (Halpern & Pearl) for Boolean expressions, no native support for sequential behavior weak notion of logical causality Dependability: fault trees: from failure to potential causes FME(C)A: from cause to potential failures Blaming in contract languages verify satisfaction of assumption and guarantee; no notion of causality, no concurrency. Diagnosis: determine (unobservable) faults from observations no notion of logical causality. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 17 / 1

Discussion Contributions: General definitions for logical causality, supporting group causality (vertical) causality: a component causes the violation of a system-level contract. horizontal causality: a component causes the violation of the guarantee provided by another component. Effective decision procedure. Causality analysis on bounded past. Implementation in analysis tool Loca. GG, DLM, and JBR (INRIA/IRIT) Logical Causality 18 / 1

Future Work Generalize framework, instantiate with existing models of computation and communication: synchronous, timed automata,... Allow for uncertainty, e.g., partial observability of events. Generalize to a quantitative notion of causality. Constructiveness? GG, DLM, and JBR (INRIA/IRIT) Logical Causality 19 / 1