Upload
alena-wenman
View
226
Download
3
Embed Size (px)
Citation preview
Runtime Verification
Ali Akkaya
Boğaziçi University
Motivation
The Remote Agent Experiment
During the May 1999 RAX mission, the satellite
deadlocked in space, causing the ground crew
to put the spacecraft on standby.
Ariane 5 Flight 501
Airane 5 Flight 501 was destroyed 40 seconds after
takeoff. The US$1 billion prototype rocket self-
destructed due to a bug in the on-board guidance
software
Motivation
Air-Traffic Control System in LA
Airport
The controllers lost contact with the planes when
the main voice communications system shut down
unexpectedly. To make matters worse, a backup
system that was supposed to take over in such an
event crashed within a minute after it was turned
on. The outage disrupted about 800 flights across
the country.
Introduction Runtime Verification Tools Java PathExplorer (JPaX) Java MultiPathExplorer (JMPaX) Conclusion Further Study
Outline
Runtime Verification is the study of monitoring and analyzing system executions to detect/recover faults.
Two important aspects of program verification are Testing Use of Formal Methods
Runtime Verification
Runtime Verification
Testing
Formal Methods
Ideal
Runtime Verification
Scalibility
Coverage
Runtime Verification Architecture
Reaction
Instrumentation
Specification
Code MonitoringExecution
while (true) {
lock(r1);
processShared();
unlock(r2);
}
while (true) {
lock(r1);
logLock(p,r1);
processShared();
release(r2);
logRelease(p,r1);
}
Instrumentation
Execution
Traces:
lock(p1,r1)release(p1,r1)lock(p2,r1)release(p2,r1)
Dispatching of trace events to a set of specification rules.
Specification Language Boolean Logic provides formulation of statements for a
specific time. Not sufficient to express time based changes in states
Monitoring
If A happens now, B must happen (A → ◊B)
Future Time Temporal Logic
A B
p q = p and q∧p q = p or q∨p → q = p implies q¬p = not p
p = always p◊p = eventually pp U q = p until q
If A happens now, B must have happened (A → ♦B)
Past Time Temporal Logic
B A
p q = p and q∧p q = p or q∨p → q = p implies q¬p = not p
■p = sofar p♦p = previously pp S q = p since q
Offline Monitor does not run in parallel but runs after program
Online
Outline: Runs in parallel with program as an external entity.
Inline: Runs in parallel with program as embedded in the code.
Monitoring
Action to be taken in case faults are detected
Error mesage Exception Seperate code execution Integrated code execution
Reaction
Java PathExplorer (JPaX) Java MultiPathExplorer (JMPaX) Temporal ROVER (Commercial) Cadence, Synopsys, Mentor (Commercial HW Tools) Java MaC Partial Order Trace Analyzer (POTA) ….
Runtime Verification Tools
Java PathExplorer (JPaX)
Monitors Java programs by analyzing (exploring) particular execution traces.
The observer performs two kinds of verification
Logic based monitoring Future Time Temporal Logic Past Time Temporal Logic
Error pattern analysis Deadlocks Data Races
JPaX Architecture
Data Race Analysis
class Value { private int x = 1 ; public synchronized void add(Value v) { x = x + v.get() } ; public int get() { return x ; }}
class Task extends Thread { Value v1 ; Value v2 ; public Task(Value v1, Value v2) {this.v1=v1;this.v2=v2;this.start()} public void run(){v1.add(v2)} ;}
class Main { public static void main(String [] args) { Value d1 = new Value() ; Value d2 = new Value() ; new Task(d1, d2) ; new Task(d2, d1) ; }}
Data Race Analysis Task 1
start()d1.lock.acquire()d1. add(d2)
d1.x = d1.x + d2.get()R1 = d2.get() = 1
d1.x = 1 + R1 = 2
Task 2
start()d2.lock.acquire() d2. add(d1)
d2.x = d2.x + d1.get()R2 = d1.get() = 1
d2.x = 1 + R2 = 2
Data Race Analysis Task 1 Task 2
start()d1.lock.acquire() Thread-map[Task1] = {d1.lock}d1. add(d2) start()
d2.lock.acquire() Thread-map[Task2] = {d2.lock}
d2. add(d1)d1.x = d1.x + d2.get() Variable-map[d1] = {d1.lock}
R1 = d2.get() = 1 Variable-map[d2] = {d1.lock}
d1.x = 1 + R1 = 2
d2.x = d2.x + d1.get() Variable-map[d1] = {}
R2 = d1.get() = 2 Variable-map[d1] = {}
d2.x = 1 + R2 = 3
Deadlock Analysis
class Value { private int x = 1 ; public synchronized void add(Value v) { x = x + v.get() } ; public synchronized int get() { return x ; }}
class Task extends Thread { Value v1 ; Value v2 ; public Task(Value v1, Value v2) {this.v1=v1;this.v2=v2;this.start()} public void run(){v1.add(v2)} ;}
class Main { public static void main(String [] args) { Value d1 = new Value() ; Value d2 = new Value() ; new Task(d1, d2) ; new Task(d2, d1) ; }}
Deadlock Analysis Task 1
start()d1.lock.acquire()d1. add(d2)
d1.x = d1.x + d2.get()d2.lock.acquire()
Task 2
start()d2.lock.acquire() d2. add(d1)
d2.x = d2.x + d1.get()d1.lock.acquire()
Deadlock occurred!!
Deadlock Analysis Task 1 Task 2
start()d1.lock.acquire() Thread-map[Task1] = {d1.lock}d1. add(d2)d1.x = d1.x + d2.get() d2.lock.acquire() Thread-map[Task1] = {d1.lock, d2.lock} d1.lock→
d2.lock
R1 = d2.get() = 1d1.x = 1 + R1 = 2
start() d2.lock.acquire() Thread-map[Task2] =
{d2.lock}
d2. add(d1) d2.x = d2.x + d1.get() d1.lock.acquire() Thread-map[Task2] =
{d2.lock, d1.lock}
d2.lock→ d1.lock Cycle!! R2 = d1.get() = 2 d2.x = 1 + R2 = 3
Possible Implementation
class Value { private int x = 1 ; public void add(Value v) { x = x + v.get() } ; public int get() { return x ; }}
class Task extends Thread { Value v1 ; Value v2 ; public Task(Value v1, Value v2) {this.v1=v1;this.v2=v2;this.start()} public void run(){
synchronized (lock) {v1.add(v2)} ;
}}
class Main { public static Object lock = new Object(); public static void main(String [] args) {
Value d1 = new Value() ; Value d2 = new Value() ;new Task(d1, d2) ; new Task(d2, d1) ;
}}
Possible Implementation Task 1
start()lock.acquire()d1. add(d2)d1.x = d1.x + d2.get()R1 = d2.get() = 1d1.x = 1 + R1 = 2
lock.release()
Task 2 start()
lock.acquire()
d2. add(d1)d2.x = d2.x + d1.get() R2 = d1.get() d2.x = 1 + R2lock.release()
Java MultiPathExplorer (JMPaX)
Monitors multithreaded Java programs.
The observer performs Logic based monitoring based on Past Time Temporal Logic
Have the ability to predict safety violation errors in multithreaded programs by observing successful executions.
JMPaX Architecture
Vector Clocks
Vector Clocks is an algorithm for generating a partial ordering of events in a distributed system and detecting causality violations.
AA:0
BB:0
CC:0
C:1
B:1C:1
B:2C:1
A:1B:2C:1
A:2B:2C:1
B:3C:1
A:3B:4C:1
B:3C:2
B:3C:3
A:3B:3C:3
Example
Suppose that one wants to monitor some safety property of the multithreaded program below. The program involves relevant variables x, y and z:
Initially: x = −1; y = 0; z = 0;
thread T1{ ...x++;...y = x + 1;...
}
thread T2{ ...z = x + 1;...x++;...
}
Example
Multithreaded Safety Analysis
Checking safety against single run Suppose we want to monitor “if (x > 0), then (x = 0) has
been true in the past, and since then (y > z) was always false.”
(x > 0) → [(x = 0), y >z)s
(−1, 0, 0), (0, 0, 0), (0, 0, 1), (0, 1, 1), (1, 1, 1) -> satisfied
(−1, 0, 0), (0, 0, 0), (0, 1, 0), (0, 1, 1), (1, 1, 1) -> not satisfied
Multithreaded Safety Analysis
Checking safety against all runs
The major hurdle in monitoring all possible runs is that the number of possible runs can be exponential in the length of the computation
The problem is avoided by traversing the computation lattice level by level.
JPaX vs JMPaX
JPaX uses total ordering of events JMPaX uses partial ordering of events In JPaX it is possible to reveal errors in multithreaded
programs that are hard to detect by observing successful executions.
JMPaX extends JPaX
Conclusion
Runtime verification combines testing and formal methods to provide scalable solutions with bigger coverage.
Several academic and commercial tools available to be used for runtime verification.
Further Study
Other runtime verification tools. Use of tools on small scale real-life problems.
References
“Runtime Safety Analysis of Multithreaded Programs”, Koushik Sen, Grigore Rosu, and Gul Agha.
“Monitoring Java Programs with Java PathExplore”, K. Havelund and G. Rosu,
http://pswlab.kaist.ac.kr/lab-orientation/presentation-file/trace_97.ppt
http://www.runtime-verification.org/course/slides/lecture1.pdf
http://www.cse.lehigh.edu/~gtan/bug/softwarebug.html http://en.wikipedia.org/wiki/List_of_notable_software_bugs
Thank you
Questions ?