Software Reliability: Runtime Verification

Software Reliability: Runtime Verification Martin Leucker and the whole ISP team Institute for Software Engineering Universität zu Lübeck Riga, 21.07. 04.08.14 Martin Leucker Basoti, 2014 1/117 Runtime Verification (RV) M always (not x > 0 implies next x > 0) S 1 S 2 S 3 S 4 Characterisation Verifies (partially) correctness properties based on actual executions Simple verification technique Complementing Model Checking Testing Formal: w L(ϕ) Martin Leucker Basoti, 2014 2/117 Model Checking Specification of System as formula ϕ of linear-time temporal logic (LTL) with models L(ϕ) Model of System as transition system S with runs L(S) Model Checking Problem: Do all runs of the system satisfy the specification L(S) L(ϕ) Martin Leucker Basoti, 2014 3/117

Model Checking versus RV Model Checking: infinite words Runtime Verification: finite words yet continuously expanding words In RV: Complexity of monitor generation is of less importance than complexity of the monitor Model Checking: White-Box-Systems Runtime Verification: also Black-Box-Systems Martin Leucker Basoti, 2014 4/117 Testing Testing: Input/Output Sequence incomplete verification technique test case: finite sequence of input/output actions test suite: finite set of test cases test execution: send inputs to the system and check whether the actual output is as expected Testing: with Oracle test case: finite sequence of input actions test oracle: monitor test execution: send test cases, let oracle report violations similar to runtime verification Martin Leucker Basoti, 2014 5/117 Testing versus RV Test oracle manual RV monitor from high-level specification (LTL) Testing: How to find good test suites? Runtime Verification: How to generate good monitors? Martin Leucker Basoti, 2014 6/117

Outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 7/117 Conclusion Presentation outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 8/117 Conclusion Runtime Verification Definition (Runtime Verification) Runtime verification is the discipline of computer science that deals with the study, development, and application of those verification techniques that allow checking whether a run of a system under scrutiny (SUS) satisfies or violates a given correctness property. Its distinguishing research effort lies in synthesizing monitors from high level specifications. Definition (Monitor) A monitor is a device that reads a finite trace and yields a certain verdict. A verdict is typically a truth value from some truth domain. Martin Leucker Basoti, 2014 9/117

Taxonomy finite noncompleted finite infinite inline information collection performance evaluation trace integration outline security application area event sequence safety checking runtime verification stage online monitoring offline state sequence input/ output behavior steering interference invasive passive active non-invasive Martin Leucker Basoti, 2014 10/117 Presentation outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 11/117 Conclusion Runtime Verification for LTL Observing executions/runs Idea Specify correctness properties in LTL Commercial Specify correctness properties in Regular LTL Martin Leucker Basoti, 2014 12/117

Runtime Verification for LTL Definition (Syntax of LTL formulae) Let p be an atomic proposition from a finite set of atomic propositions AP. The set of LTL formulae, denoted with LTL, is inductively defined by the following grammar: ϕ ::= true p ϕ ϕ ϕ U ϕ Xϕ false p ϕ ϕ ϕ R ϕ Xϕ ϕ Martin Leucker Basoti, 2014 13/117 Linear-time Temporal Logic (LTL) Semantics over w (2 AP ) ω = Σ ω {p, q} p p q q... = p p puq X(pUq) X Abbreviation Fϕ trueuϕ Gϕ F ϕ Example G (critic 1 critic 2), G( alive Xalive) Martin Leucker Basoti, 2014 14/117 LTL on infinite words Definition (LTL semantics (traditional)) Semantics of LTL formulae over an infinite word w = a 0a 1... Σ ω, where w i = a i a i+1... w = true w = p if p a 0 w = p if p a 0 w = ϕ if not w = ϕ w = ϕ ψ if w = ϕ or w = ψ w = ϕ ψ if w = ϕ and w = ψ w = Xϕ if w 1 = ϕ w = Xϕ if w 1 = ϕ w = ϕ U ψ if there is k with 0 k < w : w k = ψ and for all l with 0 l < k w l = ϕ w = ϕ R ψ if for all k with 0 k < w : ( w k = ψ or there is l with 0 l < k w l = ϕ) Martin Leucker Basoti, 2014 15/117

LTL for the working engineer?? Simple?? LTL is for theoreticians but for practitioners? SALT Structured Assertion Language for Temporal Logic Syntactic Sugar for LTL [Bauer, L., Streit@ICFEM 06] Martin Leucker Basoti, 2014 16/117 SALT http://www.isp.uni-luebeck.de/salt Martin Leucker Basoti, 2014 17/117 Runtime Verification for LTL Idea Specify correctness properties in LTL Definition (Syntax of LTL formulae) Let p be an atomic proposition from a finite set of atomic propositions AP. The set of LTL formulae, denoted with LTL, is inductively defined by the following grammar: ϕ ::= true p ϕ ϕ ϕ U ϕ Xϕ false p ϕ ϕ ϕ R ϕ Xϕ ϕ Martin Leucker Basoti, 2014 18/117

Truth Domains Lattice A lattice is a partially ordered set (L, ) where for each x, y L, there exists 1. a unique greatest lower bound (glb), which is called the meet of x and y, and is denoted with x y, and 2. a unique least upper bound (lub), which is called the join of x and y, and is denoted with x y. A lattice is called finite iff L is finite. Every finite lattice has a well-defined unique least element, called bottom, denoted with, and analogously a greatest element, called top, denoted with. Martin Leucker Basoti, 2014 19/117 Truth Domains (cont.) Lattice (cont.) A lattice is distributive, iff x (y z) = (x y) (x z), and, dually, x (y z) = (x y) (x z). In a de Morgan lattice, every element x has a unique dual element x, such that x = x and x y implies y x. Definition (Truth domain) We call L a truth domain, if it is a finite distributive de Morgan lattice. Martin Leucker Basoti, 2014 20/117 LTL s semantics using truth domains Definition (LTL semantics (common part)) Semantics of LTL formulae over a finite or infinite word w = a 0 a 1... Σ Boolean constants Boolean combinations [w = true] L = [w = false] L = [w = ϕ] L = [w = ϕ] L [w = ϕ ψ] L = [w = ϕ] L [w = ψ] L [w = ϕ ψ] L = [w = ϕ] L [w = ψ] L atomic propositions [w = p] L = if p a 0 if p / a 0 [w = p] L = if p / a 0 if p a 0 next X/weak next X TBD until/release there is a k, 0 k < w : [w k = ψ] L = and [w = ϕ U ψ] L = for all l with 0 l < k : [w l = ϕ] = TBD else ϕ R ψ ( ϕ U ψ) Martin Leucker Basoti, 2014 21/117

LTL on finite words Application area: Specify properties of finite word Martin Leucker Basoti, 2014 23/117 LTL on finite words Definition (FLTL) Semantics of FLTL formulae over a word u = a 0... a n 1 Σ next [u 1 = ϕ] F if u 1 ǫ [u = Xϕ] F = otherwise weak next [u = Xϕ] F = [u = ϕ] F if u 1 ǫ otherwise Martin Leucker Basoti, 2014 24/117 Monitoring LTL on finite words (Bad) Idea just compute semantics... Martin Leucker Basoti, 2014 25/117

LTL on finite, but not completed words Application area: Specify properties of finite but expanding word Martin Leucker Basoti, 2014 27/117 LTL on finite, but not completed words Be Impartial! go for a final verdict ( or ) only if you really know be a man: stick to your word Martin Leucker Basoti, 2014 28/117 LTL on finite, but not complete words Impartiality implies multiple values Every two-valued logic is not impartial. Definition (FLTL) Semantics of FLTL formulae over a word u = a 0... a n 1 Σ next [u 1 = ϕ] F if u 1 ǫ [u = Xϕ] F = p otherwise weak next [u = Xϕ] F = [u = ϕ] F if u 1 ǫ otherwise Martin Leucker Basoti, 2014 29/117

Monitoring LTL on finite but expanding words Left-to-right! Martin Leucker Basoti, 2014 30/117 Monitoring LTL on finite but expanding words Rewriting Idea: Use rewriting of formula Evaluating FLTL4 for each subsequent letter evaluate atomic propositions evaluate next-formulas that s it thanks to ϕ U ψ ψ (ϕ Xϕ U ψ) and ϕ R ψ ψ (ϕ Xϕ R ψ) and remember what to evaluate for the next letter Martin Leucker Basoti, 2014 31/117 Evaluating FLTL4 for each subsequent letter Pseudo Code evalfltl4 true a = (, ) evalfltl4 false a = (, ) evalfltl4 p a = ((p in a),(p in a)) evalfltl4 ϕ a = let (valphi,phirew) = evalfltl4 ϕ a in (valphi, phirew) evalfltl4 ϕ ψ a = let (valphi,phirew) = evalfltl4 ϕ a (valpsi,psirew) = evalfltl4 ψ a in (valphi valpsi,phirew psirew) evalfltl4 ϕ ψ a = let (valphi,phirew) = evalfltl4 ϕ a (valpsi,psirew) = evalfltl4 ψ a in (valphi valpsi,phirew psirew) evalfltl4 ϕ U ψ a = evalfltl4 ψ (ϕ X(ϕ U ψ)) a evalfltl4 ϕ R ψ a = evalfltl4 ψ (ϕ X(ϕ R ψ)) a evalfltl4 Xϕ a = ( p,ϕ) evalfltl4 Xϕ a = ( p,ϕ) Martin Leucker Basoti, 2014 32/117

Monitoring LTL on finite but expanding words Automata-theoretic approach Synthesize automaton Monitoring = stepping through automaton Martin Leucker Basoti, 2014 33/117 Rewriting vs. automata Rewriting function defines transition function evalfltl4 true a = (, ) evalfltl4 false a = (, ) evalfltl4 p a = ((p in a),(p in a)) evalfltl4 ϕ a = let (valphi,phirew) = evalfltl4 ϕ a in (valphi, phirew) evalfltl4 ϕ ψ a = let (valphi,phirew) = evalfltl4 ϕ a (valpsi,psirew) = evalfltl4 ψ a in (valphi valpsi,phirew psirew) evalfltl4 ϕ ψ a = let (valphi,phirew) = evalfltl4 ϕ a (valpsi,psirew) = evalfltl4 ψ a in (valphi valpsi,phirew psirew) evalfltl4 ϕ U ψ a = evalfltl4 ψ (ϕ X(ϕ U ψ)) a evalfltl4 ϕ R ψ a = evalfltl4 ψ (ϕ X(ϕ R ψ)) a evalfltl4 Xϕ a = ( p,ϕ) evalfltl4 Xϕ a = ( p,ϕ) Martin Leucker Basoti, 2014 34/117 Automata-theoretic approach The roadmap alternating Mealy machines Moore machines alternating machines non-deterministic machines deterministic machines state sequence for an input word Martin Leucker Basoti, 2014 35/117

Supporting alternating finite-state machines Definition (Alternating Mealy Machine) A alternating Mealy machine is a tupel M = (Q, Σ, Γ, q 0, δ) where Q is a finite set of states, Σ is the input alphabet, Γ is a finite, distributive lattice, the output lattice, q 0 Q is the initial state and δ : Q Σ B + (Γ Q) is the transition function Convention Understand δ : Q Σ B + (Γ Q) as a function δ : Q Σ Γ B + (Q) Martin Leucker Basoti, 2014 36/117 Supporting alternating finite-state machines Definition (Run of an Alternating Mealy Machine) A run of an alternating Mealy machine M = (Q, Σ, Γ, q 0, δ) on a finite word u = a 0... a n 1 Σ + (a 0,b 0 ) (a is a sequence t 0 t 1,b 1 ) (a n 1,b n 1 ) 1... t n 1 t n such that t 0 = q 0 and (t i, b i 1 ) = ˆδ(t i 1, a i 1 ) where ˆδ is inductively defined as follows ˆδ(q, a) = δ(q, a), ˆδ(q q, a) = (ˆδ(q, a) 1 ˆδ(q, a) 1, ˆδ(q, a) 2 ˆδ(q, a) 2), and ˆδ(q q, a) = (ˆδ(q, a) 1 ˆδ(q, a) 1, ˆδ(q, a) 2 ˆδ(q, a) 2) The output of the run is b n 1. Martin Leucker Basoti, 2014 37/117 Transition function of an alternating Mealy machine Transition function δ4 a : Q Σ B+ (Γ Q) δ4(true, a a) = (, true) δ4(false, a a) = (, false) δ4(p, a a) = (p a, [p a]) δ4(ϕ a ψ, a) = δ4(ϕ, a a) δ4(ψ, a a) δ4(ϕ a ψ, a) = δ4(ϕ, a a) δ4(ψ, a a) δ4(ϕ a U ψ, a) = δ4(ψ a (ϕ X(ϕ U ψ)), a) = δ4(ψ, a a) (δ4(ϕ, a a) (ϕ U ψ)) δ4(ϕ a R ψ, a) = δ4(ψ a (ϕ X(ϕ R ψ)), a) = δ4(ψ, a a) (δ4(ϕ, a a) (ϕ R ψ)) δ4(xϕ, a a) = ( p, ϕ) δ4( Xϕ, a a) = ( p, ϕ) Martin Leucker Basoti, 2014 38/117

Anticipatory Semantics Consider possible extensions of the non-completed word Martin Leucker Basoti, 2014 40/117 LTL for RV [BLS@FSTTCS 06] Basic idea LTL over infinite words is commonly used for specifying correctness properties finite words in RV: prefixes of infinite, so-far unknown words re-use existing semantics 3-valued semantics for LTL over finite words if σ Σ ω : uσ = ϕ [u = ϕ] = if σ Σ ω : uσ = ϕ? else Martin Leucker Basoti, 2014 42/117 Impartial Anticipation Impartial Stay with and Anticipatory Go for or Consider XXXfalse ǫ = XXXfalse a = XXfalse aa = Xfalse aaa = false if σ Σ ω : ǫσ = XXXfalse [ǫ = XXXfalse] = if σ Σ ω : ǫσ = XXXfalse? else Martin Leucker Basoti, 2014 43/117

Büchi automata (BA) Emptiness test: SCCC, Tarjan a, b a a 2 0 1 b b a 3 4 b a b a b... (ab) ω L(A) (ab) aa{a, b} ω L(A) Martin Leucker Basoti, 2014 44/117 LTL to BA [Vardi & Wolper 86] Translation of an LTL formula ϕ into Büchi automata A ϕ with L(A ϕ) = L(ϕ) Complexity: Exponential in the length of ϕ Martin Leucker Basoti, 2014 45/117 Monitor construction Idea I [u = ϕ] = if σ Σ ω : uσ = ϕ if σ Σ ω : uσ = ϕ? else a, b? a a 2 0 1 b b a 3 4 b Martin Leucker Basoti, 2014 46/117

monitor construction Idea II a, b a a 2 0 1 b b a 3 4 b NFA F ϕ : Q ϕ {, } Emptiness per state Martin Leucker Basoti, 2014 47/117 The complete construction The construction ϕ ϕ BA ϕ F ϕ NFA ϕ ϕ BA ϕ F ϕ NFA ϕ DFA ϕ DFA ϕ M Lemma [u = ϕ] = if u / L(NFA ϕ ) if u / L(NFA ϕ )? else Martin Leucker Basoti, 2014 48/117 Complexity The construction ϕ ϕ BA ϕ F ϕ NFA ϕ ϕ BA ϕ F ϕ NFA ϕ DFA ϕ DFA ϕ M Complexity M 2 2 ϕ Optimal result! FSM can be minimised (Myhill-Nerode) Martin Leucker Basoti, 2014 49/117

On-the-fly Construction The construction ϕ ϕ BA ϕ F ϕ NFA ϕ ϕ BA ϕ F ϕ NFA ϕ DFA ϕ DFA ϕ M Martin Leucker Basoti, 2014 50/117 Towards richer and more expressive logics [DLS@ATVA 08] Many linear-time logics LTL with Past linear-time µ-calculus RLTL LTL with integer constraints G(fopen x ((x = Xx) U fclose x)) Martin Leucker Basoti, 2014 52/117 Linear-time Logic Definition (Linear-time Logic) A linear-time logic L defines a set F L of L-formulae and a two-valued semantics = L. Every L-formula ϕ F L has an associated and possibly infinite alphabet Σ ϕ. Moreover, for every formula ϕ F L and every word σ Σ ω ϕ, we require (L1) ϕ F L : ϕ F L. (L2) σ Σ ω ϕ : (σ = L ϕ σ = L ϕ). Martin Leucker Basoti, 2014 53/117

Anticipation Semantics Definition (Anticipation Semantics) Let L be a linear-time logic. We define the anticipation semantics [π = ϕ] L of an L-formula ϕ F L and a finite word π Σ ϕ with if σ Σ ω ϕ : πσ = L ϕ [π = ϕ] L = if σ Σ ω ϕ : πσ = L ϕ? otherwise Martin Leucker Basoti, 2014 54/117 Evaluation using decide decide if decide ϕ(π) = [π = ϕ] L = if decide ϕ(π) =? otherwise where decide ϕ(π) is defined to return for ϕ F L and π Σ ϕ if σ Σ ω ϕ : πσ = L ϕ holds, and otherwise. Martin Leucker Basoti, 2014 55/117 The automata theoretic approach to SAT Definition (Satisfiability Check by Automata Abstraction) Given a linear-time logic L with its formulae F L, the satisfiability check by automata abstraction proceeds as follows. For formula ϕ F L, 1. define alphabet abstraction Σ ϕ Σ ϕ finite, abstract alphabet 2. define a word abstraction α( ) : Σ ω ϕ Σ ω ϕ 3. define an automaton construction ϕ ω-automaton A ϕ over Σ ϕ such that for all σ Σ ω ϕ it holds σ L(A ϕ) iff σ Σ ω : σ = α(σ) and σ = ϕ Then ϕ satisfiable iff L(A ϕ) iff non-empty(a ϕ) Martin Leucker Basoti, 2014 56/117

From finite to infinite Definition (extrapolate) extrapolate(π) = {α(πσ) 0...i i + 1 = π, σ Σ ω} Definition (Accuracy of Abstract Automata) accuracy of abstract automata property holds, if, for all π Σ, ( σ : πσ = L ϕ) ( π σ : π σ L(A ϕ)) with π extrapolate(π), ( σ : π σ L(A ϕ)) ( π σ : πσ = L ϕ) with π extrapolate(π). Martin Leucker Basoti, 2014 57/117 Non-incremental version Theorem (Correctness of decide) Given a satisfiability check by automata abstraction for a linear-time logic L satisfying the accuracy of automata property, we have decide(π) = non-empty δ(q, π) q Q 0, π extrapolate(π) Martin Leucker Basoti, 2014 58/117 Faithful abstraction Definition (Forgettable Past and Faithful Abstraction) Given α of a satisfiability check by automata abstraction. We say that α satisfies the forgettable past property, iff α(πaσ) i+1...i+1 = α(aσ) 0...0 for all π Σ, π = i + 1, a Σ, and σ Σ ω. α is called faithful, iff for all π Σ, π = i + 1, a Σ, σ, σ Σ ω for which there is some σ Σ ω with α(πσ) 0...i α(aσ ) 0...0 = α(σ ) 0...i+1 there also exists a σ Σ ω with α(πσ) 0...i α(aσ ) 0...0 = α(πaσ ) 0...i+1 Martin Leucker Basoti, 2014 59/117

Incremental version Theorem (Incremental Emptiness for Extrapolation) Let A be a Büchi automaton obtained via a satisfiability check by automata abstraction satisfying the accuracy of automaton abstraction property with a faithful abstraction function having the forgettable past property. Then, for all π Σ and a Σ, it holds L(A(extrapolate(πa))) = L(A(extrapolate(π)extrapolate(a))) Martin Leucker Basoti, 2014 60/117 Further logics Indeed works LTL with Past linear-time µ-calculus RLTL LTL with integer constraints Martin Leucker Basoti, 2014 61/117 Monitorability When does anticipation help? Martin Leucker Basoti, 2014 63/117

Monitors revisited Structure of Monitors? bad ugly? good Classification of Prefixes of Words Bad prefixes [Kupferman & Vardi 01] Good prefixes [Kupferman & Vardi 01] Ugly prefixes Martin Leucker Basoti, 2014 64/117 Monitorable Non-Monitorable [Pnueli & Zaks 07] ϕ is non-monitorable after u, if u cannot be extended to a bad oder good prefix. Monitorable ϕ is monitorable if there is no such u.? bad ugly? good Martin Leucker Basoti, 2014 65/117 Monitorable Properties Safety Properties Co-Safety Properties Note Safety and Co-Safety Properties are monitorable Martin Leucker Basoti, 2014 66/117

Safety- and Co-Safety-Properties Theorem The class of monitorable properties comprises safety- and co-safety properties, but is strictly larger than their union. Proof Consider ((p q)ur) Gp Martin Leucker Basoti, 2014 67/117 Fusing model checking and runtime verification LTL with a predictive semantics Martin Leucker Basoti, 2014 69/117 Recall anticipatory LTL semantics The truth value of a LTL 3 formula ϕ wrt. u, denoted by [u = ϕ], is an element of B 3 defined by if σ Σ ω : uσ = ϕ [u = ϕ] = if σ Σ ω : uσ = ϕ? otherwise. Martin Leucker Basoti, 2014 70/117

Applied to the empty word Empty word ǫ [ǫ = ϕ] P = iff iff σ Σ ω with ǫσ P : ǫσ = ϕ L(P) = ϕ RV more difficult than MC? Then runtime verification implicitly answers model checking Martin Leucker Basoti, 2014 71/117 Abstraction An over-abstraction or and over-approximation of a program P is a program ˆP such that L(P) L( ˆP) Σ ω. Martin Leucker Basoti, 2014 72/117 Predictive Semantics Definition (Predictive semantics of LTL) Let P be a program and let ˆP be an over-approximation of P. Let u Σ denote a finite trace. The truth value of u and an LTL 3 formula ϕ wrt. ˆP, denoted by [u = ˆP ϕ], is an element of B 3 and defined as follows: if σ Σ ω with uσ ˆP : uσ = ϕ [u = ˆP ϕ] = if σ Σ ω with uσ ˆP : uσ = ϕ? else We write LTL P whenever we consider LTL formulas with a predictive semantics. Martin Leucker Basoti, 2014 73/117

Properties of Predictive Semantics Let ˆP be an over-approximation of a program P over Σ, u Σ, and ϕ LTL. Model checking is more precise than RV with the predictive semantics: P = ϕ implies [u = ˆP ϕ] {,?} RV has no false negatives: [u = ˆP ϕ] = implies P = ϕ The predictive semantics of an LTL formula is more precise than LTL 3: [u = ϕ] = implies [u = ˆP ϕ] = [u = ϕ] = implies [u = ˆP ϕ] = The reverse directions are in general not true. Martin Leucker Basoti, 2014 74/117 Monitor generation The procedure for getting [u = ˆP ϕ] for a given ϕ and over-approximation ˆP Input Formula NBA ˆP NBA Emptiness per state NFA DFA FSM ϕ Aϕ Bϕ Fϕ ˆBϕ Bϕ ϕ, ˆP Mϕ ϕ A ϕ B ϕ F ϕ ˆB ϕ B ϕ Martin Leucker Basoti, 2014 75/117 Intermediate Summary Semantics completed traces two valued semantics non-completed traces Impartiality at least three values Anticipation finite traces infinite traces... monitorability Prediction Monitors left-to-right time versus space trade-off rewriting alternating automata non-deterministic automata deterministic automata Martin Leucker Basoti, 2014 77/117

Presentation outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 78/117 Conclusion Extensions LTL is just half of the story Martin Leucker Basoti, 2014 79/117 Extensions LTL with data J-LO MOP (parameterized LTL) RV for LTL with integer constraints Further rich approaches LOLA Eagle (etc.) Further dimensions real-time concurrency distribution Martin Leucker Basoti, 2014 80/117

Presentation outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 81/117 Conclusion Example Application Some application for data entry Connects to a server Data can be read, modified and committed Martin Leucker Basoti, 2014 82/117 Example Application Frontend handles GUI Backend handles communication to the server Frontend and backend communicate via the following interface: Example public interface DataService { void connect(string userid) throws UnknownUserException; void disconnect(); Data readdata(string field); void modifydata(string field, Data data); void commit() throws CommitException; } Martin Leucker Basoti, 2014 83/117

A simple Test Frontend has to use backend correctly Data has to be committed before disconnecting Example @Test public void test1() { DataService service = new MyDataService("http://myserver.net"); MyDataClient client = new MyDataClient(service); client.authenticate("daniel"); client.addpatient("mr. Smith"); client.switchtouser("ruth"); asserttrue(service.debug_committed()); // switching means logout client.getpatientfile("miller-2143-1"); client.setphone("miller-2143-1", "012345678"); client.exit(); asserttrue(service.debug_committed()); } Martin Leucker Basoti, 2014 84/117 Observations Test inputs are interleaved with assertions Requires internal knowledge about the class under scrutiny Requires refactoring of interfaces between components Components might need additional logic to track temporal properties Production code is polluted by test code Program logic for temporal properties can be complicated Classical unit testing is not suitable to assure temporal properties on internal interfaces Martin Leucker Basoti, 2014 85/117 junit RV junit RV = junit + RV Martin Leucker Basoti, 2014 86/117

Events and Propositions Formal runs consist of discrete steps in time When does a program perform a step? Explicitly specify events triggering time steps Only one event occurs at a point of time Propositions may be evaluated in the current state Martin Leucker Basoti, 2014 87/117 Events and Propositions Example (Specifying Events) String dataservice = "mypackage.dataservice"; private static Event modify = called(dataservice, "modify"); private static Event committed = returned(dataservice, "commit"); private static Event disconnect = called(dataservice, "disconnect"); Example (Specifying Propositions) private static Proposition auth = new Proposition(eq(invoke($this, "getstatus"),auth); Martin Leucker Basoti, 2014 88/117 Temporal Assertion LTL is used to specify temporal properties Generated monitors only observe the specified events G(modify = disconnectucommitted) Example (Specifying Monitors) private static Monitor commitbeforedisconnect = new FLTL4Monitor( Always(implies( modify, Until(not(disconnect), committed) ) )); Martin Leucker Basoti, 2014 89/117

Testcase Example @Test @Monitors({"commitBeforeDisconnect"}) public void test1() { DataService service = new MyDataService("http://myserver.net"); MyDataClient client = new MyDataClient(service); client.authenticate("daniel"); client.addpatient("mr. Smith"); client.switchtouser("ruth"); client.getpatientfile("miller-2143-1"); client.setphone("miller-2143-1", "012345678"); client.exit(); } Martin Leucker Basoti, 2014 90/117 The Complete Picture @RunWith(RVRunner.class) public class MyDataClientTest { private static final String dataserviceqname = "junitrvexamples.dataservice"; private static Event modify = called(dataserviceqname, "modifydata"); private static Event committed = returned(dataserviceqname, "commit"); private static Event disconnect = invoke(dataserviceqname, "disconnect"); // create a monitor for LTL4 property G(modify ->!close U commit) private static Monitor commitbeforeclose = new FLTL4Monitor( Always( implies( modify, Until(not(disconnect), committed)))); } @Test @Monitors({"commitBeforeClose", "authwhenmodify"}) public void test1() {... } Martin Leucker Basoti, 2014 91/117 Architecture Martin Leucker Basoti, 2014 92/117

Runners and Classloaders junit uses test runners to execute tests junit provides a default implementation junit RV provides RVRunner extending the default implementation junit RV provides a custom Classloader Class loading by program under scrutiny is intercepted Bytecode is manipulated to intercept events Martin Leucker Basoti, 2014 93/117 Features junit RV is provided as single class jar file that has to be made available on the Java class path It can easily integrated into build systems and IDEs It may be used to test third party components where no byte code is available It may be extended with custom specification formalisms Test failures are reported as soon as a monitor fails Stack traces show the exact location of the failure in the program under scrutiny Martin Leucker Basoti, 2014 94/117 Presentation outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 95/117 Conclusion

Monitoring Systems/Logging: Overview dedicated tracing/- monitoring hardware source code trace tools monitoring systems /logging instrumentation byte code binary code logging APIs Martin Leucker Basoti, 2014 96/117 Presentation outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 97/117 Conclusion Monitoring Systems/Logging: Overview exception manual monitoring results/ steering steer automatically print Martin Leucker Basoti, 2014 98/117

React! Runtime Verification Observe do not react Realising dynamic systems self-healing systems adaptive systems, self-organising systems... use monitors for observation then react Martin Leucker Basoti, 2014 99/117 jmop [Rosu et al.] Java Implementation Martin Leucker Basoti, 2014 100/117 Runtime Reflection [Bauer, L., Schallhart@ASWEC 06] Monitor-based Runtime Reflection Software Architecture Pattern Martin Leucker Basoti, 2014 101/117

Presentation outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 102/117 Conclusion Diagnosis Main Ideas Here Knowledge base Knowledge Explanation of Knowledge with Respect to the Knowledge base System description Observations Diagnosis: Explanation of the Observations with respect to the System description Martin Leucker Basoti, 2014 104/117 System Description in First-Order Logic Example i 1 l 1 o 1 C 1 C 3 i 2 l 2 o 2 C 2 C 4 Formally SD = ok(i 1 ) AB(C 1 ) l 1 = C 1 (i 1 ) ok(i 2) AB(C 2) l 2 = C 2(i 2) ok(l 1 ) ok(l 2) AB(C 3) o 1 = C 3(l 1, l 2) ok(l 1 ) ok(l 2) AB(C 4 ) o 2 = C 4 (l 1, l 2) Martin Leucker Basoti, 2014 105/117

System Description in Propositional Logic Example i 1 l 1 o 1 C 1 C 3 i 2 l 2 o 2 C 2 C 4 Propositional Logic SD = i 1 C 1 l 1 i 2 C 2 l 2 l 1 l 2 C 3 o 1 l 1 l 2 C 4 o 2 Martin Leucker Basoti, 2014 106/117 Observation Example i 1 l 1 o 1 C 1 C 3 i 2 l 2 o 2 C 2 C 4 Observation (Truth) values for (some of) the propositions involved Formally: a formula OBS Observation o 1 i 1 i 2 o 2 Martin Leucker Basoti, 2014 107/117 Diagnosis Example i 1 l 1 o 1 C 1 C 3 i 2 l 2 o 2 C 2 C 4 Diagnosis A minimal set of components such that SD OBS is satisfiable, where encodes the chosen components. Martin Leucker Basoti, 2014 108/117

Example Example i 1 l 1 o 1 C 1 C 3 i 2 l 2 o 2 C 2 C 4 Propositional Logic SD = i 1 C 1 l 1 i 2 C 2 l 2 Observations o 1 i 1 i 2 o 2 l 1 l 2 C 3 o 1 l 1 l 2 C 4 o 2 Martin Leucker Basoti, 2014 109/117 Example Propositional Logic SD = i 1 C 1 l 1 i 2 C 2 l 2 Observations o 1 i 1 i 2 o 2 l 1 l 2 C 3 o 1 l 1 l 2 C 4 o 2 CNF SD Observations SD = C 1 l 1 SD = i 1 C 1 l 1 C 2 l 2 i 2 C 2 l 2 l 1 l 2 C 3 l 1 l 2 C 3 o 1 l 1 l 2 C 4 o 2 o 1 i 1 i 2 o 2 Martin Leucker Basoti, 2014 110/117 Example Example i 1 l 1 o 1 C 1 C 3 i 2 l 2 o 2 C 2 C 4 SD Observations SD = C 1 l 1 C 2 l 2 l 1 l 2 C 3 o 1 i 1 i 2 o 2 Diagnoses 1 = {C 1 } 2 = {C 2} 3 = {C 3} Martin Leucker Basoti, 2014 111/117

Monitors yield Obervations We have... Monitor reports line is false Monitor reports? line is? (no assignment) Monitor reports line is? (no assignment) Omniscent Monitors A monitor is called omnicscent if its output implies that the results on the monitored output are indeed correct. For Omniscent Monitors Monitor reports line is false Monitor reports? line is? (no assignment) Monitor reports line is true Martin Leucker Basoti, 2014 113/117 Oniscent Monitors Example i l o C 1 C 2 SD = i C 1 l l C 2 o SD = i C 1 l l C 2 o Observation: i o SD = C 1 l l C 2 Diagnoses: C 2 or C 1 If additionally l known to be correct, only C 2 diagnosed. notion of omniscent diagnoses Martin Leucker Basoti, 2014 114/117 Presentation outline Runtime Verification Runtime Verification for LTL LTL over Finite, Completed Words LTL over Finite, Non-Completed Words: Impartiality LTL over Non-Completed Words: Anticipation LTL over Infinite Words: With Anticipation Generalisations: LTL with modulo Constraints Monitorable Properties LTL with a Predictive Semantics LTL wrap-up Extensions Testing Temporal Properties with RV: junitrv Monitoring Systems/Logging Steering Diagnosis Ideas RV and Diagnosis Martin Leucker Basoti, 2014 115/117 Conclusion

Conclusion Summary RV for Failure detection various, multi-valued approaches various existing systems does generally identifies failure detection and identification Diagonis for Failure identification? Future work What is the right combination? Martin Leucker Basoti, 2014 116/117 That s it! Thanks! - Comments? Martin Leucker Basoti, 2014 117/117