
Definitions of Logical Causality for Log Analysis



  1. Definitions of Logical Causality for Log Analysis
     Gregor Gössler¹
     Joint work with Daniel Le Métayer¹ and Jean-Baptiste Raclet²
     ¹ INRIA Grenoble – Rhône-Alpes, France
     ² IRIT - CNRS, Toulouse, France
     Synchron 2011
     GG, DLM, and JBR (INRIA/IRIT) Logical Causality 1 / 1

  2. LISE: Liability Issues in Software Engineering
     Objectives
     General objective of the LISE project: provide a set of methods and tools (both legal and technical) to
     - define liability in a precise and unambiguous way
     - establish liability in case of failure
     Scope:
     - contractual framework (not tort law)
     - liability for software defects (not intellectual property infringements)
     Priority: settle liability issues in an amicable way.

  3. Context
     - A component-based system → components are provided by different vendors
     - Each component $C_i$ is equipped with a contract $(A_i, G_i)$: used according to $A_i$, $C_i$ promises to behave like $G_i$.
     - Components are black boxes: only the contracts are known, not the implementation → implementations may violate their contract
     - Interactions between components are logged; logs may be distributed
     Problem: define notions of causality between contract violations that can be used to establish liability of the component vendors.

  4. Causality in distributed systems
     [Figure: components A, B and C exchanging events $e_1$, $e_2$, $e_3$, $e_4$, with a failure $f$ and a violation $v$]
     Lamport causality $\prec$ is too weak for our needs: $f \prec v$ does not mean that failure $f$ causes the violation $v$ of the specification of C.
     Lamport causality is a necessary but not sufficient condition for causality between contract violations.

  5. Contracts
     Contract $C$ = pair of automata $(A, G)$. $C$ specifies under which assumption $A$ the component provides guarantee $G$.
     ⇒ clean specification and limitation of the responsibilities of components.
     Example (Contract satisfaction)
     - $A$: a cannot reoccur before b
     - $G$: c never occurs
     [Figure: automata for $A$ and $G$ over the actions a, b, c]
     - $tr$: a b a a c c, $tr \not\models A$ but $tr \models C = (A, G)$
     - $tr'$: a b c a, $tr' \models A$ and $tr' \not\models G$, thus $tr' \not\models C$

  6. Causality in Contract Violation: Overview
     [Figure: system-level contract $C = (A, G)$ over three components with contracts $(A_1, G_1)$, $(A_2, G_2)$, $(A_3, G_3)$, implementations $B_1$, $B_2$, $B_3$ and traces $tr_1$, $tr_2$, $tr_3$]

  12. Causality in Contract Violation: Overview
      [Figure: system-level contract $C = (A, G)$ over three components with contracts $(A_1, G_1)$, $(A_2, G_2)$, $(A_3, G_3)$, implementations $B_1$, $B_2$, $B_3$ and traces $tr_1$, $tr_2$, $tr_3$]
      Hypothesis: if the implementations $B_i$ of all components are correct, then $C$ is respected.
      ⇒ Any contract violation is due to some faulty implementation $B_i$.

  13. Logical Causality from Component Trace to Failure: Necessary Causality
      Definition (Necessary causality): $Tr \nearrow_n C$ if
      [Figure, built up in three steps over the traces $tr_1, \dots, tr_n$ and the subset $Tr$. First step: $\not\models C_k$ on $Tr$ and $\exists\, tr \not\models C$. Last step: $\models C_k$ on $Tr$ and $\forall$ consistent $tr' \models C$.]

  16. Logical Causality from Component Trace to Failure: Necessary Causality
      Given:
      - $(tr_1, \dots, tr_n)$: vector of observed traces
      - $Tr \subseteq \{tr_1, \dots, tr_n\}$: set of traces to be analyzed jointly
      Definition (Necessary causality): $Tr$ is a necessary cause of the violation of $C$ if
      $$\exists\, tr \in Tr : tr \nearrow C$$
      and
      $$\forall\, tr' : \Big( \forall j \in \{1, \dots, n\} \setminus I : \pi_j(tr') = tr_j \;\wedge\; \forall k \in I : \pi_k(tr') \models C_k \Big) \Rightarrow tr' \models C$$
      where $I = \{\, i \mid tr_i \in Tr \wedge tr_i \not\models C_i \,\}$.

  17. Logical Causality from Component Trace to Failure: Sufficient Causality
      Definition (Sufficient causality): $Tr \nearrow_s C$ if
      [Figure, built up in three steps over the traces $tr_1, \dots, tr_n$ and the subset $Tr$. First step: $\not\models C_k$ on $Tr$ and $\exists\, tr \not\models C$. Last step: $tr_1 \models C_1$, $tr_n \models C_n$, $Tr$ unchanged, and $\forall$ consistent $tr' \not\models C$.]

  20. Properties
      Property (Soundness): necessary and sufficient causality are sound:
      1. Any (necessary or sufficient) cause contains at least one component trace violating its contract.
      2. Any minimal set of traces forming a cause only contains traces violating the component contracts.
      Property (Completeness): every violation of the system-level contract has a necessary and a sufficient cause.
      Remark: causality is defined on contracts and observed traces, not implementations.

  21. Example 1: Adaptive Cruise Control
      [Figure: block diagram of the system with the blocks Sensor, SLD, HMI, Clock, Switch, BS, Radar, TS, OR and ACC, and the throttle and brake outputs]

  22. Example 1: Adaptive Cruise Control
      [Figure: excerpt of the block diagram showing Radar, OR and ACC]
      - Obstacle recognition (OR) → $G_{OR}$: “output 1 time unit after sensing”
      - Adaptive Cruise Control (ACC) → $G_{ACC}$: “output 1 time unit after latest input”
      - Global guarantee → $G$: “ACC output at most 3 time units after data acquisition”

  23. Example 1: Adaptive Cruise Control. Two necessary causes
      Consider the following trace excerpts:
      - OR: $\dots, or_i, tck, tck, or_o, tck, tck, \dots$
      - ACC: $\dots, tck, tck, acc^s_i, tck, tck, acc^b_o, \dots$
      Both OR and ACC violate their contracts ($\Delta_{OR} = 2$, $\Delta_{ACC} = 2$) ⇒ violation of the global timing constraint ($\Delta = 4 > 3$).
      Each of the OR and ACC failures is a necessary cause for the global failure. Taken together they are a sufficient cause.

  24. Example 1: Adaptive Cruise Control. One necessary and sufficient cause
      Consider the following trace excerpts:
      - OR: $\dots, or_i, tck, tck, tck, or_o, tck, tck, \dots$
      - ACC: $\dots, tck, tck, tck, acc^s_i, tck, tck, acc^t_o, \dots$
      Both OR and ACC violate their contracts but OR’s violation is more serious ($\Delta_{OR} = 3$, $\Delta_{ACC} = 2$).
      OR’s violation is a necessary and sufficient cause for the global failure. The violation of ACC is no longer a necessary cause.

  25. Example 2: Travel Agency
      Travel agency:
      Hotel 1:

  29. Example 2: Travel Agency
      - Spec 1: “at any time, #(debits) ≤ #(confirmations)”
      - Spec 2: “each request is ack’ed by either fail or $resa_i \,.\, !resp^{yes}_i$ for $i \in \{1, 2\}$”
      Observed traces:
      - agency: $?proc \,.\, !demand_1 \,.\, ?resp^{no}_1 \,.\, !demand_2 \,.\, ?resp^{yes}_2 \,.\, !conf$
      - hotel 1: $?demand_1 \,.\, resa_1 \,.\, !resp^{no}_1 \,.\, wait_1 \,.\, debit_1$
      - hotel 2: $?demand_2 \,.\, !resp^{yes}_2 \,.\, wait_2 \,.\, debit_2$
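
The necessary and sufficient tests applied to the two Adaptive Cruise Control trace pairs of Example 1, as an added Python example that is not from the slides. It assumes the global delay is the sum of the OR and ACC delays (as the Δ values in the example suggest), reads sufficiency as "keep Tr as observed and make every other trace contract-compliant", and uses the constructed event names `in`, `out` and `tck`.

```python
from itertools import product

GLOBAL_BOUND = 3                    # global guarantee G: total delay <= 3 time units
ALLOWED = {"OR": {1}, "ACC": {1}}   # delays permitted by G_OR and G_ACC

# Constructed traces mirroring the two excerpts ("in"/"out" are assumed names).
EX1 = {"OR":  ["in", "tck", "tck", "out", "tck", "tck"],
       "ACC": ["tck", "tck", "in", "tck", "tck", "out"]}
EX2 = {"OR":  ["in", "tck", "tck", "tck", "out", "tck", "tck"],
       "ACC": ["tck", "tck", "tck", "in", "tck", "tck", "out"]}

def delay(trace):
    """Count tck events between the first 'in' and the following 'out'."""
    start = trace.index("in")
    return trace[start:trace.index("out", start)].count("tck")

def violators(traces, subset):
    """Index set I: components in `subset` whose trace breaks its own contract."""
    return {c for c in subset if delay(traces[c]) not in ALLOWED[c]}

def global_ok(delays):
    return sum(delays.values()) <= GLOBAL_BOUND

def counterfactuals(observed, replaced):
    """Delay vectors that keep `observed` but make `replaced` contract-compliant."""
    names = sorted(replaced)
    for combo in product(*(sorted(ALLOWED[c]) for c in names)):
        yield {**observed, **dict(zip(names, combo))}

def is_necessary(traces, subset):
    """Fixing only the violators inside `subset` always restores the global contract."""
    obs = {c: delay(t) for c, t in traces.items()}
    faulty = violators(traces, subset)
    if not faulty or global_ok(obs):
        return False
    return all(global_ok(d) for d in counterfactuals(obs, faulty))

def is_sufficient(traces, subset):
    """Even with every trace outside `subset` compliant, the global contract breaks."""
    obs = {c: delay(t) for c, t in traces.items()}
    if not violators(traces, subset):
        return False
    others = set(traces) - set(subset)
    return all(not global_ok(d) for d in counterfactuals(obs, others))

if __name__ == "__main__":
    for name, ex in (("two necessary causes", EX1), ("one necessary and sufficient cause", EX2)):
        for tr in ({"OR"}, {"ACC"}, {"OR", "ACC"}):
            print(name, sorted(tr), is_necessary(ex, tr), is_sufficient(ex, tr))
```

The counterfactual step is what separates this from a Lamport-style ordering check: a component is blamed only if swapping its logged behaviour for contract-compliant behaviour changes the global verdict.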
