+ All Categories
Home > Documents > MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University...

MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University...

Date post: 13-Dec-2015
Category:
Upload: amy-patterson
View: 213 times
Download: 0 times
Share this document with a friend
44
MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urban a-Champaign
Transcript
Page 1: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

MOP: An Efficient and Generic Runtime Verification Framework

Feng Chen and Grigore Rosu

University of Illinois at Urbana-Champaign

Page 2: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 2

Monitoring of FormalSpecifications in Software

Runtime verification (RV 2001 – 2007)– Observe a run of the system

• Instrumentation

– Check it against desired properties• Explicit or implicit properties

– React /report if needed• Error messages, throw exceptions, recover

Page 3: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 3

Runtime Verification Systems

• ≤ 2001– MAC (UPenn), PAX* (NASA), TimeRover (commercial)

• 2002-2004– HAWK/Eagle (NASA), MOP* (UIUC), POTA (UTA)

• ≥ 2005:– PQL (Stanford), Tracematches (Oxford), PTQL– PEX (Microsoft)– MOP* (added universal parameters, more logics)

Page 4: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 4

Overview

• What is MOP– Philosophy, Examples, Features

• Decentralized Monitors and Indexing

• Experiments and Evaluation

• Current limitations

• Conclusions and future work

Page 5: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 5

(MOP)*Monitoring-Oriented Programming

http://fsl.cs.uiuc.edu/mop- proposed in 2003 –

RV’03, ICFEM’04, RV’05, CAV’05,TACAS’05, CAV’06, CAV’07…

*(not to be confused with Meta-Object Protocol)

Page 6: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 6

What is MOP?

• Framework where the benefits of monitoring specifications may encourage us to use them– Monitoring is basic design discipline– Recovery allowed and encouraged– Provides to programmers and hides under the hood a

large body of formal methods knowledge/techniques– Generic for different application domains

• Tool supported– JavaMOP – “compiles” MOP for Java into AspectJ

Page 7: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 7

Overview

• What is MOP– Philosophy, Examples, Features

• Decentralized Indexing

• Experiments and Evaluation

• Current limitations

• Conclusions and future work

Page 8: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 8

class Resource {/*@ scope = class logic = PTLTL { Event authenticate: end(exec(* authenticate())); Event use: begin(exec(* access())); Formula : use -> <*> authenticate } violation Handler { @this.authenticate(); }@*/void authenticate() {...}void access() {...}...}

JavaMOP Example: “Enforce authentication before use”

Page 9: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 9

/*@ scope = class logic = ERE {

Event openRegKey: end(exec(* openRegKey()));Event closeHandle: begin(exec(* closeHandle()));Formula : (openRegKey closeHandle)*

} validation handler { @this.closeRegKey(); return; }@*/

Method openRegKey should be followed b

y closeRegKey, not by closeHandle

JavaMOP Example: Correcting method matching

Page 10: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 10

/*@ scope = class logic = ERE [ int count = 0; int writes = 0;] {

Event open : end(call(* open(..))) {writes = 0;};Event write : end(call(* write(..))) {writes ++;} ;Event close : end(call(* close(..)));Formula : (open write+ close)*

} violation handler{ @RESET; } validation handler{

count ++; File2.log(count + ": " + writes);

}@*/

JavaMOP Example: ProfilingHow many times a file is open, written to, and then closed?

Page 11: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 11

Multi-Parameter Specifications

• Until now, MOP was limited to one-parameter specifications; the examples above showed only such specifications: parameter = current object

• Because of that restrictionmonitor states were always stored as fields into

the monitored objects in MOP

• Situation is more complex for multiple-parameter specifications …

Page 12: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 12

Fail Fast Iterators in Java

Vector v = new Vector();v.add(new Integer(1));Iterator i = v.iterator();v.add(new Integer(2));

• Following code throws exception in Java:

• No exception raised if one uses Enumeration instead of Iterator– Java language decision, showing that properties

referring to sets of objects are important

Page 13: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 13

JavaMOP Example:Safe Enumeration

• (borrowed from Tracematches)– We thank Tracematches team for their useful

collection of regular pattern properties!

• Safety property:– If nextElement() invoked on an enumeration

object, then the corresponding collection (vector) is not allowed to change after the creation of the enumeration object

create next* updatesource+ next

Page 14: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 14

/*@scope = globallogic = ERESafeEnum(Vector v, Enumeration+ e) {Event create<v,e> : end(call(Enumeration+.new(v, ..))) with e;Event updatesource<v> : end(call(* v.add*(..))) \/ … ;Event next<e> : begin(call(Object e.nextElement()));Formula : create next* updatesource+ next}validation handler { System.out.println("Error ...");}@*/

Multiple-Parameters in JavaMOPSafe Enumeration

JavaMOP generates >200 AspectJ LOC from above

Page 15: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 15

Overview

• What is MOP– Philosophy, Examples, Features

• Decentralized Monitors and Indexing

• Experiments and Evaluation

• Current limitations

• Conclusions and future work

Page 16: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 16

MOP Features: Extensible logic framework

• Observation: no silver-bullet logic for specs• MOP logic plugins (the “How”): encapsulate moni

tor synthesizers; so far we have plugins for– ERE (extended regular expressions)– PtLTL (Past-time LTL) and FtLTL (Future-time LTL)– ATL (Allen temporal logic),– JML (fragment of Java modeling language);– NEW: CFG and ptCaRet plugins (need stack)

• Generic universal parameters– Allow monitor instances per groups of objects

Page 17: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 17

MOP Features: Configurable monitors

Working scope (the “Where”)– Check point: check spec at defined place– Method: pre-post condition– Class: check spec everywhere during obj lifetime– Interface: check spec at boundaries of methods– Global: may refer to more than one object

Running mode– Inline: shares resources with application– Outline: communicates with application via sockets– Offline: generated monitor has random access to log

Page 18: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 18

MOP Features: Programmable Actions

• Monitor variables

• Event-triggered actions (any code)

• Violation/validation handlers (any code)

• Logic-based AOP instance– Aspects are formal specifications– MOP aim: generate optimal AOP code

Page 19: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 19

Overview

• What is MOP– Philosophy, Examples, Features

• Decentralized Monitors and Indexing

• Experiments and Evaluation

• Current limitations

• Conclusions and future work

Page 20: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 20

Decentralized Monitoring/Indexing(works only for inline MOP)

• The problem: how to monitor a universally quantified specification efficiently!

create<v,e>udatesource<v>next<e>

create next* updatesource+ next

( v,e)

Page 21: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 21

“Super-Logic” Approach

• Eagle, PQL, PTQL, Tracematches, …• Choose a universally quantified logic• Device monitor synthesizers for it:

• Doable in MOP, too, but against its spirit

– Logic plugins only know how to generate monitors for – No relationship between monitors for and for (p)

(p) Mon(p)

Page 22: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 22

MOP’s Decentralized Monitors

Monitor instances(one per parameter instance)

Mp1

Mp2

Mp3

… Mp1000

Page 23: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 23

Indexing …

• The next problem: how can we retrieve all needed monitor instances efficiently?

Mp1

Mv,e1

Mv,e2

… Mp1000

udatesource<v>

Naïve implementation can be very inefficient (both time- and memory-wise)

Page 24: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 24

MOP’s Centralized Indexing

• One index tree per parameter set

• Weak references

SafeEnum events

create<v,e>udatesource<v>next<e>

Page 25: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 25

MOP’s Decentralized Indexing

• Monitors scattered all over the code

• Monitor states piggybacked to object states

SafeEnum events

create<v,e>udatesource<v>next<e>

Page 26: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 26

Overview

• What is MOP– Philosophy, Examples, Features

• Decentralized Monitors and Indexing

• Experiments and Evaluation

• Current limitations

• Conclusions and future work

Page 27: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 27

The JavaMOP Implementation

Short story:

1. Parse the MOP specifications– Generate all monitors using the logic plugins– Find instrumentation points

2. Generate standard AspectJ code

3. Wave everything (observation, monitoring, handlers) together using AspectJ compiler

Page 28: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 28

MOP Evaluation on DaCapo:Statistics

Page 29: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 29

MOP Evaluation on DaCapo:Runtime Overhead

Summary:MOP runtime overhead larger than 10% in only 8% of programs

Page 30: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 30

Evaluation of MOP on TM

• MOP is generic (logic, etc.), but its generality does not come at a performance cost!

• Following programs part of Tracematches’ (TM) benchmarks (hand optimized by TM)

Page 31: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 31

Overview

• What is MOP– Philosophy, Examples, Features

• Decentralized Monitors and Indexing

• Experiments and Evaluation

• Current limitations

• Conclusions and future work

Page 32: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 32

Limitations of the Current Implementation of JavaMOP

• No nested or existential parameters

• Monitor creating events must contain all the parameters of the specification

• No support for real-time

• Inherit the limitations of AspectJ– Would like to have dynamic aspects …– Though shouldn’t miss events that trigger actions

Page 33: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 33

Conclusions and Future Work

• MOP is a generic, yet efficient RV framework• Experiments showed that RV is feasible• Proposed a logic-independent approach to

support universally quantified specifications– With both centralized and decentralized indexing

• Future work– Use MOP for improved and rigorous testing

• Test case generation, sliced causality

– Real-time logic plugins– Static analysis (plugins) to reduce runtime overhead

Page 34: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 34

Related Work

Extensively discussed in paper• Programming languages

– PQL (Lam et al., OOPSLA ’05)– Tracematches (de Moor et al., OOPSLA ’05, ‘07)– PTQL (Goldsmith et al., OOPSLA’05)

• Runtime verification– MAC (Lee et al., RV’01)– PAX* (Havelund, Rosu, RV’01)– TimeRover (Drusinski, RV’02)– HAWK/Eagle (Barringer et al., VMCAI’04)– PEX (Schulte, Tilman; Microsoft)

Page 35: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 35

Page 36: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 36

Backup slides

Page 37: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 37

Application to Verification

isSorted?

No

Yes

FancySort

InsertionSort

/*@ logic = JML {

ensures isSorted(array); } Violation Handler {

insertionSort(array); }@*/

Here is an MOP approach to validate a sorting program:

Page 38: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 38

Monitoring-based Verification?

Monitor & Recover: presumably reduces the complexity of program verification

Monitor

Incorrect

CorrectComplex

Component

SimpleComponent

Architecture

φ p= φc & (φm \/ φs )

φcφm

φs

Is sorted?Correct sorting

Array elementsunchanged

Page 39: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 40

Why Monitoring I

• Monitoring is well-adopted in many engineering disciplines– Fuses, watchdogs, fire-alarms, etc.

• Monitoring adds redundancy– Increases reliability, robustness and

confidence in correct behavior, reduces risk

Page 40: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 41

Why Monitoring II

• Ideally, one would like to prove a program correct with respect to its specification …– Known to be hard

• Provably correct systems can fail, too– Unexpected environment, wrong/strong

assumptions, hardware or OS errors, etc.

Page 41: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 42

Monitoring of FormalSpecifications in Software

Runtime verification (RV 2001 – 2007)– Observe a run of the system

• Instrumentation

– Check it against desired properties• Explicit or implicit properties

– React /report if needed• Error messages, throw exceptions, recover

Page 42: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 43

MOP Conceptual InstancesMOP[logic, working-scope, running-mode]

• JPaX = MOP[LTL, class, outline/offline]– NASA (joint work with Havelund)

• TemporalRover = MOP[MiTL, class, inline]– Commercial (Drusinski)

• MAC = MOP[PastLTL, class, inline/outline]– UPenn (Lee, Sokolski, ...)

• Hawk = MOP[Eagle, global, inline]– NASA (Havelund and collaborators)

• Tracematches = MOP[RegExp, global, inline]– Oxford (de Moor and students)

• PQL = MOP[CFG, global, inline]– Stanford (Lam and students)

• PTQL = MOP[SQL, global, outline]– Berkeley, Stanford (Aiken and students)

Page 43: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 44

Why “Monitoring-Oriented” ?

• We think one can write reliable programs if one adopts a “monitor and recover” style– Not a substitute for writing good code upfront– Write good code, but, “just in case” also say

what to do if requirements are violated/validated

• MOP tools provide support for that

• … may reduce complexity of verification: prove what is easy, monitor the rest

Page 44: MOP: An Efficient and Generic Runtime Verification Framework Feng Chen and Grigore Rosu University of Illinois at Urbana-Champaign.

OOPSLA’07 – 25 Oct 2007

MOP – Grigore Rosu 45

MOP Approach to Monitoring: Divide & Conquer

• What properties/specifications to check?– Combine formal specification and implementation

• Where to check it?– Automatic monitor integration

• Currently using Aspect-Oriented Programming

• How to express the property?– Declarative, automatic monitor synthesis

• What if specification violated or validated?– Execute user provided “recovery” code


Recommended