Gerardo Schneider, Dept. of Informatics, University of Oslo. Heisenberg-Effect-Free Runtime Verification of Real-Time Properties. January 2009. Heisenberg Effect. Observing reality... changes reality. We will see what all these mean in the context of Runtime Verification.
Gerardo Schneider
Department of Informatics, University of Oslo
2009
Heisenberg-Effect-Free Runtime Verification of Real-Time Properties
Gerardo Schneider, Dept. of Informatics, University of Oslo
January 2009
Heisenberg Effect
Observing reality... changes reality
We will see what all this means in the context of Runtime Verification
Werner Heisenberg (1901-1976), Nobel Prize in Physics (1932)
Outline
Runtime Verification
The Heisenberg effect in RV
How to solve the Heisenberg effect in RV?
Runtime Verification
[Figure label: Specification]
Runtime Verification
A ’send’ should only be followed by an ’ack’
[Figure: processes A (!send, ?ack) and B (?send, !ack) exchanging ’send’ and ’ack’ messages, with a monitor M whose automaton has ’send’ and ’ack’ transitions and ’else’ transitions to ’error’.]
Heisenberg Effect in RV (with Time)
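[Figure: processes A (!send, ?ack) and B (?send, !ack) exchanging ’send’ and ’ack’ messages.]
A ’send’ should only be followed by an ’ack’
Any ’send’ must be followed by an ’ack’ within 30 sec
[Figure: two message sequence charts between A and B, with timestamps 0, 1, 26, 28 and 0, 2, 27, 30.]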
B ”knows” that there is at most 3 sec delay between sending his ’ack’ and receiving it
Heisenberg Effect in RV (with Time)
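[Figure: processes A (!send, ?ack) and B (?send, !ack), with a monitor M whose automaton has transitions ’send; t:=0’ and ’ack; t<=30’, and ’else’ transitions to ’error’. Two message sequence charts between A and B, with timestamps 0, 2, 27, 30 and 0, 3, 27, 32.]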
B cannot rely anymore on his ”knowledge” of the system!
The monitor ”invalidates” a valid property, because it slows down the system
Heisenberg Effect in RV (with Time)
Adding a monitor at runtime slows down the system and may invalidate certain properties which would be valid otherwise
Eliminating a monitor at runtime speeds up the system and may invalidate certain properties which would be valid otherwise
How to avoid the Heisenberg Effect in RV
Slow-down and Speed-up Truth Preservation
[Figure with panels labelled: normal, slowed, speeded]
Duration Calculus
Duration Calculus - Examples
”For any period any leak should be detectable and stoppable within 1 sec”
□ (ǁLeakǁ → l ≤ 1)
□ - for any subinterval
ǁ.ǁ - ”almost everywhere” inside
l - ”length” of an interval
”After any leak in this period the gas burner cannot switch on gas for 30 sec”
□ ((ǁLeakǁ ; ǁ¬ Leakǁ ; ǁLeakǁ) → l ≥ 30)
; - ”chop” operator
Slow-Down Truth Preserving Properties
”The number of bad logins cannot exceed 3 in a period of one hour”
□ (badlog > 3 → l > 3600)
”After any leak in this period the gas burner cannot switch on gas for 30 sec”
□ ((ǁLeakǁ ; ǁ¬ Leakǁ ; ǁLeakǁ) → l ≥ 30)
Speed-Up Truth Preserving Properties
”Any ’send’ must be followed by an ’ack’ within 30 sec”
”For any period any leak should be detectable and stoppable within 1 sec”
□ (ǁLeakǁ → l ≤ 1)
Slow-down and Speed-up Truth Preservation
Remarks:
- Properties without time (duration) are both slow-down and speed-up truth preserving
- Properties containing both lower and upper bounds are neither
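The three cases in these remarks, worked on constructed timed traces as an added example (not code from the talk or from LARVA). Uniform scaling of timestamps stands in for a monitor slowing the system down (factor 2) or being removed (factor 0.5), which is a simplifying assumption; all function names and sample traces are hypothetical.

```python
# Added example: uniform time scaling of constructed traces (timestamps in seconds).

def scale(trace, factor):
    """Stretch (factor > 1) or compress (factor < 1) all timestamps uniformly."""
    return [(t * factor, ev) for t, ev in trace]

def ack_delay_in(trace, lo, hi):
    """Every 'send' is answered by an 'ack' after a delay in [lo, hi] sec.
    Assumption for finite traces: an unanswered 'send' is a violation."""
    sent = None
    for t, ev in trace:
        if ev == "send":
            if sent is not None:      # a 'send' followed by another 'send'
                return False
            sent = t
        elif ev == "ack" and sent is not None:
            if not lo <= t - sent <= hi:
                return False
            sent = None
    return sent is None

def bad_logins_ok(trace, limit=3, window=3600):
    """badlog > 3 -> l > 3600: any limit+1 bad logins span more than `window` sec."""
    ts = [t for t, ev in trace if ev == "badlog"]
    return all(ts[i + limit] - ts[i] > window for i in range(len(ts) - limit))

def verdicts(prop, trace, slow=2.0, fast=0.5):
    """Verdicts on the (normal, slowed, speeded) versions of the same run."""
    return (prop(trace), prop(scale(trace, slow)), prop(scale(trace, fast)))

# Constructed sample runs.
MESSAGES = [(0, "send"), (30, "ack"), (100, "send"), (120, "ack")]
LOGINS = [(0, "badlog"), (1500, "badlog"), (3000, "badlog"), (3700, "badlog")]

def report():
    return {
        # Upper bound only: survives speed-up, broken by slow-down.
        "ack within 30 s": verdicts(lambda tr: ack_delay_in(tr, 0, 30), MESSAGES),
        # Lower bound only: survives slow-down, broken by speed-up.
        "at most 3 bad logins per hour": verdicts(bad_logins_ok, LOGINS),
        # Both bounds: broken by either transformation.
        "ack after 15 to 30 s": verdicts(lambda tr: ack_delay_in(tr, 15, 30), MESSAGES),
    }

if __name__ == "__main__":
    for name, (normal, slowed, speeded) in report().items():
        print(f"{name}: normal={normal} slowed={slowed} speeded={speeded}")
```

All three properties hold on the unscaled traces, so any False verdict is produced by the change of pace alone.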
How to Avoid the Heisenberg Effect in RV?
Use a monitor at runtime only for Slow-Down Truth Preserving properties
Use a monitor during testing only for Speed-Up Truth Preserving properties
What Is Behind the Stage?
Definition of suitable automata for RV with real-time (DATE)
A sound translation from Phase Automata into DATEs
- There exists a translation from DC into Phase Automata (characterize ”implementable” DC) ([Bouajjani et al.95], [Hoenicke06])
Formal definition and theoretical results on time transformation
- Time stretching and compressing
- Slow-down and speed-up invariance
Theory applied to Duration Calculus
- Syntactic characterization of sdtp and sutp
- Semantic characterization of time stretching and compressing
DATE: Dynamic Automata with Timers & Events
What Does All This Mean in Practice?
Slow-down truth preserving property (DC) → Monitor (DATE) → Monitor the system (Java program) at runtime
Speed-up truth preserving property (DC) → Monitor (DATE) → Monitor the system (Java program) during testing
[Figure labels: AspectJ, Matching method names, USER]
* Logical Automata for Runtime Verification and Analysis (http://www.cs.um.edu.mt/svrg/Tools/LARVA/)
Conclusions
Credits
Joint work with Christian Colombo and Gordon Pace
C. Colombo, G. Pace and G. Schneider. Dynamic event-based runtime monitoring of real-time and contextual properties. In FMICS’08. LNCS, to appear
C. Colombo, G. Pace and G. Schneider. Heisenberg-effect-free Runtime Verification of Java Programs with Real-Time Properties. To be submitted soon
LARVA: http://www.cs.um.edu.mt/svrg/Tools/LARVA/