Runtime Verification

Ali Akkaya

Boğaziçi University

Motivation

The Remote Agent Experiment

During the May 1999 RAX mission, the satellite

deadlocked in space, causing the ground crew

to put the spacecraft on standby.

Ariane 5 Flight 501

Airane 5 Flight 501 was destroyed 40 seconds after

takeoff. The US$1 billion prototype rocket self-

destructed due to a bug in the on-board guidance

software

Motivation

Air-Traffic Control System in LA

Airport

The controllers lost contact with the planes when

the main voice communications system shut down

unexpectedly. To make matters worse, a backup

system that was supposed to take over in such an

event crashed within a minute after it was turned

on. The outage disrupted about 800 flights across

the country.

Introduction Runtime Verification Tools Java PathExplorer (JPaX) Java MultiPathExplorer (JMPaX) Conclusion Further Study

Outline

Runtime Verification is the study of monitoring and analyzing system executions to detect/recover faults.

Two important aspects of program verification are Testing Use of Formal Methods

Runtime Verification

Runtime Verification

Testing

Formal Methods

Ideal

Runtime Verification

Scalibility

Coverage

Runtime Verification Architecture

Reaction

Instrumentation

Specification

Code MonitoringExecution

while (true) {

lock(r1);

processShared();

unlock(r2);

}

while (true) {

lock(r1);

logLock(p,r1);

processShared();

release(r2);

logRelease(p,r1);

}

Instrumentation

Execution

Traces:

lock(p1,r1)release(p1,r1)lock(p2,r1)release(p2,r1)

Dispatching of trace events to a set of specification rules.

Specification Language Boolean Logic provides formulation of statements for a

specific time. Not sufficient to express time based changes in states

Monitoring

If A happens now, B must happen (A → ◊B)

Future Time Temporal Logic

A B

p q = p and q∧p q = p or q∨p → q = p implies q¬p = not p

p = always p◊p = eventually pp U q = p until q

If A happens now, B must have happened (A → ♦B)

Past Time Temporal Logic

B A

p q = p and q∧p q = p or q∨p → q = p implies q¬p = not p

■p = sofar p♦p = previously pp S q = p since q

Offline Monitor does not run in parallel but runs after program

Online

Outline: Runs in parallel with program as an external entity.

Inline: Runs in parallel with program as embedded in the code.

Monitoring

Action to be taken in case faults are detected

Error mesage Exception Seperate code execution Integrated code execution

Reaction

Java PathExplorer (JPaX) Java MultiPathExplorer (JMPaX) Temporal ROVER (Commercial) Cadence, Synopsys, Mentor (Commercial HW Tools) Java MaC Partial Order Trace Analyzer (POTA) ….

Runtime Verification Tools

Java PathExplorer (JPaX)

Monitors Java programs by analyzing (exploring) particular execution traces.

The observer performs two kinds of verification

Logic based monitoring Future Time Temporal Logic Past Time Temporal Logic

Error pattern analysis Deadlocks Data Races

JPaX Architecture

Data Race Analysis

class Value { private int x = 1 ; public synchronized void add(Value v) { x = x + v.get() } ; public int get() { return x ; }}

class Task extends Thread { Value v1 ; Value v2 ; public Task(Value v1, Value v2) {this.v1=v1;this.v2=v2;this.start()} public void run(){v1.add(v2)} ;}

class Main { public static void main(String [] args) { Value d1 = new Value() ; Value d2 = new Value() ; new Task(d1, d2) ; new Task(d2, d1) ; }}

Data Race Analysis Task 1

start()d1.lock.acquire()d1. add(d2)

d1.x = d1.x + d2.get()R1 = d2.get() = 1

d1.x = 1 + R1 = 2

Task 2

start()d2.lock.acquire() d2. add(d1)

d2.x = d2.x + d1.get()R2 = d1.get() = 1

d2.x = 1 + R2 = 2

Data Race Analysis Task 1 Task 2

start()d1.lock.acquire() Thread-map[Task1] = {d1.lock}d1. add(d2) start()

d2.lock.acquire() Thread-map[Task2] = {d2.lock}

d2. add(d1)d1.x = d1.x + d2.get() Variable-map[d1] = {d1.lock}

R1 = d2.get() = 1 Variable-map[d2] = {d1.lock}

d1.x = 1 + R1 = 2

d2.x = d2.x + d1.get() Variable-map[d1] = {}

R2 = d1.get() = 2 Variable-map[d1] = {}

d2.x = 1 + R2 = 3

Deadlock Analysis

class Value { private int x = 1 ; public synchronized void add(Value v) { x = x + v.get() } ; public synchronized int get() { return x ; }}

class Task extends Thread { Value v1 ; Value v2 ; public Task(Value v1, Value v2) {this.v1=v1;this.v2=v2;this.start()} public void run(){v1.add(v2)} ;}

class Main { public static void main(String [] args) { Value d1 = new Value() ; Value d2 = new Value() ; new Task(d1, d2) ; new Task(d2, d1) ; }}

Deadlock Analysis Task 1

start()d1.lock.acquire()d1. add(d2)

d1.x = d1.x + d2.get()d2.lock.acquire()

Task 2

start()d2.lock.acquire() d2. add(d1)

d2.x = d2.x + d1.get()d1.lock.acquire()

Deadlock occurred!!

Deadlock Analysis Task 1 Task 2

start()d1.lock.acquire() Thread-map[Task1] = {d1.lock}d1. add(d2)d1.x = d1.x + d2.get() d2.lock.acquire() Thread-map[Task1] = {d1.lock, d2.lock} d1.lock→

d2.lock

R1 = d2.get() = 1d1.x = 1 + R1 = 2

start() d2.lock.acquire() Thread-map[Task2] =

{d2.lock}

d2. add(d1) d2.x = d2.x + d1.get() d1.lock.acquire() Thread-map[Task2] =

{d2.lock, d1.lock}

d2.lock→ d1.lock Cycle!! R2 = d1.get() = 2 d2.x = 1 + R2 = 3

Possible Implementation

class Value { private int x = 1 ; public void add(Value v) { x = x + v.get() } ; public int get() { return x ; }}

class Task extends Thread { Value v1 ; Value v2 ; public Task(Value v1, Value v2) {this.v1=v1;this.v2=v2;this.start()} public void run(){

synchronized (lock) {v1.add(v2)} ;

}}

class Main { public static Object lock = new Object(); public static void main(String [] args) {

Value d1 = new Value() ; Value d2 = new Value() ;new Task(d1, d2) ; new Task(d2, d1) ;

}}

Possible Implementation Task 1

start()lock.acquire()d1. add(d2)d1.x = d1.x + d2.get()R1 = d2.get() = 1d1.x = 1 + R1 = 2

lock.release()

Task 2 start()

lock.acquire()

d2. add(d1)d2.x = d2.x + d1.get() R2 = d1.get() d2.x = 1 + R2lock.release()

Java MultiPathExplorer (JMPaX)

Monitors multithreaded Java programs.

The observer performs Logic based monitoring based on Past Time Temporal Logic

Have the ability to predict safety violation errors in multithreaded programs by observing successful executions.

JMPaX Architecture

Vector Clocks

Vector Clocks is an algorithm for generating a partial ordering of events in a distributed system and detecting causality violations.

AA:0

BB:0

CC:0

C:1

B:1C:1

B:2C:1

A:1B:2C:1

A:2B:2C:1

B:3C:1

A:3B:4C:1

B:3C:2

B:3C:3

A:3B:3C:3

Example

Suppose that one wants to monitor some safety property of the multithreaded program below. The program involves relevant variables x, y and z:

Initially: x = −1; y = 0; z = 0;

thread T1{ ...x++;...y = x + 1;...

}

thread T2{ ...z = x + 1;...x++;...

}

Example

Multithreaded Safety Analysis

Checking safety against single run Suppose we want to monitor “if (x > 0), then (x = 0) has

been true in the past, and since then (y > z) was always false.”

(x > 0) → [(x = 0), y >z)s

(−1, 0, 0), (0, 0, 0), (0, 0, 1), (0, 1, 1), (1, 1, 1) -> satisfied

(−1, 0, 0), (0, 0, 0), (0, 1, 0), (0, 1, 1), (1, 1, 1) -> not satisfied

Multithreaded Safety Analysis

Checking safety against all runs

The major hurdle in monitoring all possible runs is that the number of possible runs can be exponential in the length of the computation

The problem is avoided by traversing the computation lattice level by level.

JPaX vs JMPaX

JPaX uses total ordering of events JMPaX uses partial ordering of events In JPaX it is possible to reveal errors in multithreaded

programs that are hard to detect by observing successful executions.

JMPaX extends JPaX

Conclusion

Runtime verification combines testing and formal methods to provide scalable solutions with bigger coverage.

Several academic and commercial tools available to be used for runtime verification.

Further Study

Other runtime verification tools. Use of tools on small scale real-life problems.

References

“Runtime Safety Analysis of Multithreaded Programs”, Koushik Sen, Grigore Rosu, and Gul Agha.

“Monitoring Java Programs with Java PathExplore”, K. Havelund and G. Rosu,

http://pswlab.kaist.ac.kr/lab-orientation/presentation-file/trace_97.ppt

http://www.runtime-verification.org/course/slides/lecture1.pdf

http://www.cse.lehigh.edu/~gtan/bug/softwarebug.html http://en.wikipedia.org/wiki/List_of_notable_software_bugs

Thank you

Questions ?