Recent Advances in Causality Checking
Florian Leitner-Fischer
University of Konstanz, Department of Computer and Information Science, Chair for Software Engineering
Joint work with Stefan Leue, Chair for Software Engineering, Department of Computer and Information Science, University of Konstanz, Germany
www.se.uni-konstanz.de, Chair for Software Engineering – F. Leitner-Fischer
Analysis of Complex Systems
♦ A Railroad Crossing
  [Figure: railroad crossing with a Train, a Gate and a Car]
Model Checking
♦ M |= S
  – M: model of the software (transition system, Kripke structure)
  – |=: model checking algorithm (state space search, depth-first or breadth-first search)
  – S: requirement specification (assertions, temporal logic, automata)
♦ Railroad crossing model
  – Train: Approaching, On Crossing, Left Crossing
  – Gate: Open, Closed
  – Car: Approaching, On Crossing, Left Crossing
♦ Requirement: there is never a train in the crossing at the same time when there is a car in the crossing
  – ϕ = ☐ ¬(Tc ∧ Cc)
Model Checking
♦ Model Checking Result
  – the path into a property violating state
    • called an error path or counterexample
  – example: Ca, Ta, Cc, Gc, Tc
Interpreting Counterexamples
♦ Railroad Crossing Example:
  – 11 error paths (only considering shortest paths)
    • all lead into a property violating state (accident)
      [Ta, Gf, Tc, Ca, Cc]
      [Ca, Ta, Gf, Tc, Cc]
      [Ta, Gf, Ca, Cc, Tc]
      [Ta, Ca, Gf, Cc, Tc]
      [Ca, Ta, Gf, Cc, Tc]
      [Ta, Ca, Cc, Gf, Tc]
      [Ca, Ta, Cc, Gf, Tc]
      [Ca, Cc, Ta, Gf, Tc]
      [Ta, Ca, Cc, Gc, Tc]
      [Ca, Ta, Cc, Gc, Tc]
      [Ca, Cc, Ta, Gc, Tc]
      ...
  – for debugging: what is the cause?
  – manual analysis
    • tedious
    • error prone
    • essentially impossible
  – our goal: algorithmic causality computation
Outline
♦ Models of Causality
♦ Causality Computation
♦ Probability Computation for Causal Events
♦ Evaluation
♦ Conclusion
Causality
♦ (Naive) Lewis Counterfactual Reasoning
  – c is causal for e (effect / hazard) if, had c not happened, then e would not have happened either
  – logical foundation of some software debugging techniques, e.g.,
    • delta debugging
    • nearest neighbor techniques
  – best suited for single cause failures
Halpern / Pearl Structural Equation Model (SEM)
♦ Key Ideas
  – events are represented by boolean variables
    • specified using structural equations
  – computes minimal boolean disjunction and conjunction of causal events
  – causal dependency of events represented by causal networks
  – reference
Halpern / Pearl Structural Equation Model (SEM)
♦ Actual Causality Conditions
  – AC1: ensures that there exists a world where the boolean combination of causal events c and the effect e occur
  – AC2:
    1. if at least one of the causal events does not happen, the effect e does not happen
    2. if the causal events occur, the occurrence of other events cannot prevent the effect
  – AC3: no subset of the causal events satisfies AC1 and AC2 (minimality)
Causality Computation
♦ Main Goal: Computation of Causal Events for a Property Violation
  – consider event order as causal factor
  – make the Structural Equation Model applicable to transition systems
♦ Reference: Florian Leitner-Fischer and Stefan Leue: Probabilistic Fault Tree Synthesis using Causality Computation, accepted for publication in International Journal of Critical Computer-Based Systems, 2013.
Event Order Logic
♦ Boolean Event Occurrence Conditions
  – a ∧ b, a ∨ b, ¬a
♦ Event Ordering Conditions
  – a b: a and b occur, and a occurs before b
♦ Interval Operators
  – a b: a occurs until eventually b will hold in every state
  – a b: a always holds until eventually b occurs
  – a b c: in the interval delimited by a and c, b always holds
♦ Model-theoretic Semantics
  – Event Order Logic is an LTL
Event Order Logic
♦ Representation of Traces
♦ Representation of Ordering Constraints
Causality Computation
♦ Probabilistic Causality Computation
  – probabilistic counterexample and good paths are computed
  – causality computation performed as post-processing step
  – benefit: probability for combination of events causing a hazard
  – disadvantage: probability computation for each bad trace necessary
♦ Causality Checking
  – integrated into the state space search algorithms used for model checking
  – benefit: enables on-the-fly causality computation
  – disadvantage: no probabilities available
Algorithmics
♦ Sub-Executions
  – reduce checks for AC1-AC3 and OC1 to sub-execution tests
    • ordered and unordered sub-execution operators
  – proofs in the paper
♦ Implementation Variants
  – Off-line Enumeration
    • enumerate traces
    • store counterexamples and good traces
    • perform sub-trace computations
  – On-the-fly
    • use DFS / BFS on the state space
    • store paths in an adequate data structure as you obtain them (subset graph)
♦ Reference: Florian Leitner-Fischer and Stefan Leue: Causality Checking for Complex System Models, In Proceedings of the 14th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI 2013), LNCS Volume 7737, Springer Verlag, 2013.
Result of Causality Checking
♦ Railroad Crossing
  – represented as Dynamic Fault Tree
  [Figure: dynamic fault tree with top event "crash"]
Causality Classes
♦ Disjuncts of the EOL formula represent "causality classes"
  – Causality class: a class of execution paths where the same events in the same order cause an effect or hazard
  – Causality Class 1: Ta, Ca, Gf, Cc, Tc; Ca, Ta, Gf, Cc, Tc; …
  – Causality Class 2: Ta, Ca, Cc, Gc, Tc; Ca, Ta, Cc, Gc, Tc; …
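As an added example (not code from the slides or from the authors' tools), the following toy Python model of the railroad crossing plays through slides 4 to 6 and the causality classes above: a depth-first state space search collects every counterexample to ☐ ¬(Tc ∧ Cc), an ordered sub-execution test stands in for the EOL ordering condition, and the two causality classes are checked as predicates over those counterexamples. The transition rules (the gate reacts to an approaching train, the train enters once the gate has reacted, only a closed gate stops the car) and the Tl/Cl "left crossing" events are assumptions of this toy model, so its counterexample count differs from the 11 shortest paths on slide 6.

```python
# Constructed toy model of the slides' railroad crossing (not the authors' model).
# Events as on the slides: Ta/Tc/Tl train approaching / on crossing / left crossing,
# Ca/Cc/Cl the same for the car, Gc gate closes, Gf gate fails to close.
INIT = ("far", "far", "open")  # (train, car, gate)

def enabled(state):
    """Yield (event, successor state) for every transition enabled in state."""
    train, car, gate = state
    if train == "far":
        yield "Ta", ("approaching", car, gate)
    if train == "approaching" and gate == "open":  # gate reacts to the approaching train
        yield "Gc", (train, car, "closed")
        yield "Gf", (train, car, "failed")
    if train == "approaching" and gate != "open":  # train proceeds once the gate has reacted
        yield "Tc", ("crossing", car, gate)
    if train == "crossing":
        yield "Tl", ("left", car, gate)
    if car == "far":
        yield "Ca", (train, "approaching", gate)
    if car == "approaching" and gate != "closed":  # only a closed gate stops the car
        yield "Cc", (train, "crossing", gate)
    if car == "crossing":
        yield "Cl", (train, "left", gate)

def violates(state):  # slide 4 property: never train and car on the crossing together
    return state[0] == "crossing" and state[1] == "crossing"

def error_paths(state=INIT, path=()):
    """Depth-first state space search; each path into a violating state is a counterexample."""
    if violates(state):
        return [path]
    return [p for ev, nxt in enabled(state) for p in error_paths(nxt, path + (ev,))]

def in_order(trace, *events):
    """Ordered sub-execution test (EOL ordering condition): all events occur, in this order."""
    pos = 0
    for e in events:
        if e not in trace[pos:]:
            return False
        pos = trace.index(e, pos) + 1
    return True

CLASSES = {  # the two causality classes of slide 20 as predicates over one counterexample
    "gate failed": lambda t: in_order(t, "Gf", "Tc") and "Cc" in t,
    "car trapped": lambda t: in_order(t, "Cc", "Gc", "Tc"),
}

def classify(paths):
    """Map each causality class to the counterexamples it explains."""
    return {name: [p for p in paths if holds(p)] for name, holds in CLASSES.items()}
```

The two classes together explain every counterexample the search finds, and no counterexample falls into both, which is the partition the slide describes.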
Probability Computation for Causality Classes
♦ Key Idea:
  1. Compute causal events using causality checking
  2. Compute probabilities of the paths represented by a causality class
♦ Tool chain: Causality Classes (EOL Formula) → Alternating Automata → PRISM Causality Class Module
  – Causality classes are represented by alternating automata
  – Alternating automata are translated to PRISM Causality Class Modules
  – PRISM Causality Class Modules are synchronized with the PRISM model
♦ Reference: Florian Leitner-Fischer and Stefan Leue: On the Synergy of Probabilistic Causality Computation and Causality Checking, In Proceedings of the International SPIN Symposium on Model Checking of Software, Stony Brook, NY, USA, 2013 (to appear).