runtime monitoring of object invariants with guarantees
play

Runtime Monitoring of Object Invariants with Guarantees Sriram - PowerPoint PPT Presentation

Jul 24, 2023 •322 likes •637 views

Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work with Madhu Gopinathan, Indian Institute of Science) Object invariants interface Key{ //this < k? boolean Less(Key k); } class Node { Key

  1. Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work with Madhu Gopinathan, Indian Institute of Science)

  2. Object invariants interface Key{ //this < k? boolean Less(Key k); } class Node { Key k; Node left; Node right; Node(Key key) { k = key }; //object invariant of this node boolean Inv(){ return((left==null || left.k.Less(k) && left.Inv()) && (right==null || k.Less(right.k)&& right.Inv())); } }

  3. Object invariants interface Key{ //this < k? boolean Less(Key k); } class Node { Key k; Node left; Node right; Node(Key key) { k = key }; //object invariant of this node boolean Inv(){ return((left==null || left.k.Less(k) && left.Inv()) && (right==null || k.Less(right.k)&& right.Inv())); } }

  4. Object invariants interface Key{ //this < k? boolean Less(Key k); } class Node { Key k; Node left; Node right; Node(Key key) { k = key }; //object invariant of this node boolean Inv(){ return((left==null || left.k.Less(k) && left.Inv()) && (right==null || k.Less(right.k)&& right.Inv())); } }

  5. Another example from JDBC Connection con = DriverManager.getConnection(..); Statement stmt = con.createStatement(); ResultSet rs1 = stmt.executeQuery("SELECT EMPNOFROM EMPLOYEE"); .. con.close(); .. ResultSet rs2 = stmt.executeQuery("SELECT EMPNAME FROM EMPLOYEE");

  6. Another example from JDBC Connection con = DriverManager.getConnection(..); Statement stmt = con.createStatement(); ResultSet rs1 = stmt.executeQuery("SELECT EMPNOFROM EMPLOYEE"); .. con.close(); .. ResultSet rs2 = stmt.executeQuery("SELECT EMPNAME FROM EMPLOYEE");

  7. Another example - Iterators //list is of type ArrayList<Integer> //with integers 1,2,3 added for(Iterator<Integer> i = list.iterator(); i.hasNext(); ) { int v = i.next(); if(v == 1) list.remove(v); else System.out.println(v); }

  8. Another example - Iterators //list is of type ArrayList<Integer> //with integers 1,2,3 added for(Iterator<Integer> i = list.iterator(); i.hasNext(); ) { int v = i.next(); if(v == 1) list.remove(v); else System.out.println(v); }

  9. Our goal • A runtime scheme to monitor object invariants • Guarantee to detect invariant violations when they happen

  10. Two issues with checking invariants • When does an object invariant hold? – When object o is in a “stable state” • When object o’s invariant depends on p, what happens when p changes without o’s knowledge?

  11. Reusable Monitor role ObjWInv { boolean Inv(); boolean inv; } o ObjWInv o . inv true o . Inv () � � = �

  12. Reusable Monitor role ObjWInv { boolean Inv(); boolean inv; Set<ObjWInv> dependents; } o ObjWInv o . inv true o . Inv () � � = �

  13. Reusable Monitor role ObjWInv { boolean Inv(); boolean inv; Set<ObjWInv> dependents; } Init(ObjWInv o) { o.inv := false; o.dependents := nullset; } o ObjWInv o . inv true o . Inv () � � = �

  14. Reusable Monitor role ObjWInv { boolean Inv(); CheckAndSetInv(ObjWInv o) { boolean inv; assert o.Inv(); Set<ObjWInv> dependents; o.inv = true; } } Init(ObjWInv o) { o.inv := false; Add(ObjWInv o, ObjWInv p) { o.dependents := nullset; assert(o.inv = false); } p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  15. Reusable Monitor role ObjWInv { boolean Inv(); boolean inv; Set<ObjWInv> dependents; } Init(ObjWInv o) { o.inv := false; o.dependents := nullset; } CheckAndSetInv(ObjWInv o) { assert o.Inv(); o.inv = true; } Add(ObjWInv o, ObjWInv p) { assert(o.inv = false); p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  16. Reusable Monitor role ObjWInv { Start(ObjWInv o) { boolean Inv(); assert(o.inv = false); CheckAndSetInv(o); boolean inv; } Set<ObjWInv> dependents; } Init(ObjWInv o) { o.inv := false; o.dependents := nullset; } CheckAndSetInv(ObjWInv o) { assert o.Inv(); o.inv = true; } Add(ObjWInv o, ObjWInv p) { assert(o.inv = false); p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  17. Reusable Monitor role ObjWInv { Start(ObjWInv o) { boolean Inv(); assert(o.inv = false); CheckAndSetInv(o); boolean inv; } Set<ObjWInv> dependents; } Init(ObjWInv o) { Stop(ObjWInv o) { o.inv := false; assert(o.inv = true); o.dependents := nullset; o.inv := false; } } CheckAndSetInv(ObjWInv o) { assert o.Inv(); o.inv = true; } Add(ObjWInv o, ObjWInv p) { assert(o.inv = false); p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  18. Reusable Monitor role ObjWInv { Start(ObjWInv o) { boolean Inv(); assert(o.inv = false); CheckAndSetInv(o); boolean inv; } Set<ObjWInv> dependents; } Init(ObjWInv o) { Stop(ObjWInv o) { o.inv := false; assert(o.inv = true); o.dependents := nullset; o.inv := false; } } CheckAndSetInv(ObjWInv o) { assert o.Inv(); Validate(ObjWInv p) { o.inv = true; for(o in p.dependents) { } if(o.inv = true) CheckAndSetInv(o); } Add(ObjWInv o, ObjWInv p) { } assert(o.inv = false); p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  19. role ObjWInv { Calling the monitor boolean Inv(); boolean inv; Set<ObjWInv> dependents; from the program } Init(ObjWInv o) { o.inv := false; Connection con = o.dependents := nullset; DriverManager.getConnection(..); } Init(con); Start(con); CheckAndSetInv(ObjWInv o) { assert o.Inv(); Statement stmt = o.inv = true; con.createStatement(); } Init(stmt); Add(ObjWInv o, ObjWInv p) { Add(con, stmt); assert(o.inv = false); Start(stmt); p.dependents.Add(o); } ... Stop(stmt); Start(ObjWInv o) { assert(o.inv = false); ResultSet rs1 = CheckAndSetInv(o); stmt.executeQuery("SELECT..”); } Start(stmt); Stop(ObjWInv o) { ... assert(o.inv = true); o.inv := false; con.close(); } Validate(con); Validate(ObjWInv p) { for(o in p.dependents) { if(o.inv = true) CheckAndSetInv(o); } }

  20. role ObjWInv { Calling the monitor boolean Inv(); boolean inv; Set<ObjWInv> dependents; from the program } Init(ObjWInv o) { o.inv := false; Connection con = o.dependents := nullset; DriverManager.getConnection(..); } Init(con); Start(con); CheckAndSetInv(ObjWInv o) { assert o.Inv(); Statement stmt = o.inv = true; con.createStatement(); } Init(stmt); Add(ObjWInv o, ObjWInv p) { Add(con, stmt); assert(o.inv = false); Start(stmt); p.dependents.Add(o); } ... Stop(stmt); Start(ObjWInv o) { assert(o.inv = false); ResultSet rs1 = CheckAndSetInv(o); stmt.executeQuery("SELECT..”); } Start(stmt); Stop(ObjWInv o) { ... assert(o.inv = true); o.inv := false; con.close(); } Validate(con); Validate(ObjWInv p) { for(o in p.dependents) { if(o.inv = true) CheckAndSetInv(o); } }

  21. Automated instrumentation • When an object o is created, called Init(o) • When a public method of o is entered, call Stop(o) • When a public method of o is exited, call Start(o) • Whenever o or dependents change, call “validate(o)” !

  22. Automatic role ObjWInv { boolean Inv(); Dependency boolean inv; Set<ObjWInv> dependents; } Tracking Init(ObjWInv o) { o.inv := false; o.dependents := nullset; • Compute a relation D } such that (o,p,f) in D CheckAndSetInv(ObjWInv o) { assert o.Inv(); iff the object invariant of o o.inv = true; } depends on the value of Add(ObjWInv o, ObjWInv p) { the field p.f assert(o.inv = false); p.dependents.Add(o); – Can be done by AOP by } monitoring all accesses Start(ObjWInv o) { assert(o.inv = false); during execution of o.Inv() CheckAndSetInv(o); } Stop(ObjWInv o) { assert(o.inv = true); • Invoke Validate(p) o.inv := false; } whenever p.f changes. Validate(ObjWInv p) { for(o in p.dependents) { if(o.inv = true) CheckAndSetInv(o); } }

  23. Example monitor API o: Statement p: Connection + binding user code new Statement(p) Init(o) connection = p 1 return Start(o) o.Inv() p.isClosed() return inv = true p.close() isClosed = true 2 Validate(p) o.Inv() return

  24. Correctness Let r be any run of program P composed with the monitor using binding B. Suppose r does not have any assertion violations. Then, the following holds in all states of r: o ObjWInv o . inv true o . Inv () � � = �

  25. Implementation : I NV COP • Reusable Monitor • Aspect Generator • At runtime: – Populate D by tracking p.f read during the execution of o.Inv() – if p.f changes, invoke Validate(p)

  26. Custom Binding Default Required Binding class T { public boolean Inv() { return 0 <= x && x < y; For objects o of } type ObjWInv , public void method1() { x++; – invoke Start(o) y++; user.m(this,..); after the .. construction of o } – invoke Stop(o) public float method2() { return 1/(y-x); before every } } public method call on o class User { public void m(T t,..) { – invoke Start(o) //callback t.method2(); after every public .. } method call on o }

  27. Detecting Violations in JDOM Document Document Content Iterator List API Iterator User getDescendants() hasNext() next() next() get() detach() remove(this) next() next() ConcurrentModificationException

Recommend

MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz,

MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz,

Runtime Monitoring Quantified Event Automata Efficient monitoring Using MarQ MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz, David Rydeheard at University of Manchester, UK April 17th, 2015 Runtime

1.01k views • 97 slides
Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

A Unified Framework for Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with Sophia Drossopoulou and Adrian Francalanza 2 Object Invariants Express consistency criteria of objects Support

503 views • 18 slides
Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual Fahndrich, K. Rustan M. Leino an Wolfram Shulte 1 Overview Goal : design a sound methodology for specifying object invariants that can then be

809 views • 33 slides
Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu Amjad Nusayr, anusayr@cs.nmsu.edu The 2009 Workshop on Dynamic Analysis New Mexico State University Runtime Monitoring The act of observing an

590 views • 23 slides
COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A

COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A

COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A class invariant is definition of Class Invariant some property that is always true of all instances of the class in question. i.e., some statement,

1.34k views • 96 slides
Runtime systems Programmation Fonctionnelle Avance

Runtime systems Programmation Fonctionnelle Avance

Introduction and hardware architecture reminders Object representation and runtime typing Automatic memory management Runtime systems Programmation Fonctionnelle Avance http://www-lipn.univ-paris13.fr/~saiu/teaching/PFA-2010 Luca Saiu

1.26k views • 82 slides
Strong Invariants for Weak Consistency Gustavo Petri Marc Shapiro Masoud Saeida-Ardekani

Strong Invariants for Weak Consistency Gustavo Petri Marc Shapiro Masoud Saeida-Ardekani

Strong Invariants for Weak Consistency Gustavo Petri Marc Shapiro Masoud Saeida-Ardekani Consistency &amp; Invariants Consistency in 3D Characterization of consistency models according to the guarantees they provide Dimensions of

299 views • 26 slides
Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond &amp; Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to

187 views • 17 slides
Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on

Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on

Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on works with: Yong Kiam Tan 1 , Stefan Mitsch 1 , Andrew Sogokon 1 , Edward Ahn 1 , David Held 1 , John Dolan 1 , Aman Khurana 1 , Magnus O. Myreen 2 ,

637 views • 44 slides
Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Introduction Preliminaries Semantics of Runtime Control Semantics of Synthesis of Controlling Programs Expressiveness of Controlling Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics) Zhe Chen

558 views • 55 slides
Making Runtime Monitoring of Parametric Properties Practical - PhD Thesis Defense - Dongyun Jin

Making Runtime Monitoring of Parametric Properties Practical - PhD Thesis Defense - Dongyun Jin

Making Runtime Monitoring of Parametric Properties Practical - PhD Thesis Defense - Dongyun Jin Department of Computer Science University of Illinois at Urbana-Champaign Thesis Advisor Grigore Rosu Committee Members Klaus Havelund Gul Agha

662 views • 49 slides
Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 , Eugen Staab 3 , Volker Fusenig 3 , Michal Pechoucek 1,2 , Martin Grill 1 , Jan Stiborek 1 , and Karel Bartos 1 ( 1 ) Czech Technical University in

419 views • 24 slides
Towards software architecture runtime models for continuous adaptive monitoring Thomas Brand,

Towards software architecture runtime models for continuous adaptive monitoring Thomas Brand,

13th International Workshop on Models@run.time Towards software architecture runtime models for continuous adaptive monitoring Thomas Brand, Holger Giese 14.10.2018 Agenda Show why it is relevant to investigate and support: Continuous

421 views • 29 slides
Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio

Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio

Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio Chimento 1 , Gerardo Schneider 2 , Gordon J. Pace 3 1 Chalmers University of Technology, Gothenburg, Sweden 2 University of Gothenburg, Sweden 3

449 views • 32 slides
Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie

Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie

Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie Liu Tom Rothamel Scott D. Stoller Computer Science Department State University of New York at Stony Brook Invariants An invariant is a predicate

532 views • 17 slides
Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko

Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko

Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko Yoshida On the importance of time On the importance of time } Web services (timeouts): } Twitter Streaming API: Reconnect no more than twice

521 views • 50 slides
Reliable Multicast topics critical applications may require some guarantees about the

Reliable Multicast topics critical applications may require some guarantees about the

Reliable Multicast topics critical applications may require some guarantees about the delivery of messages to the group members financial transactions, monitoring and management of

124 views • 8 slides
Runtime monitoring of time-critical tasks in multi-core systems Claire Pagetti ONERA, France

Runtime monitoring of time-critical tasks in multi-core systems Claire Pagetti ONERA, France

Runtime monitoring of time-critical tasks in multi-core systems Claire Pagetti ONERA, France Christine Rochange, Univ. of Toulouse, France Motivation Static analysis provides safe but pessimistic WCET estimates safe WCET estimation

257 views • 10 slides
Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff,

Searching for Program Invariants using Genetic Programming and Mutation Testing Sam Ratcliff, David R. White and John A. Clark. The 13th CREST Open Workshop Thursday 12 May 2011 Outline Invariants Using GP to find Invariants Identifying

417 views • 38 slides
GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a

GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a

GENERATING INVARIANTS IN POSITIVE CHARACTERISTIC VISU MAKAM Abstract. The ring of invariants for a rational representation of a reductive group is finitely generated by the results of Hilbert, Nagata and Haboush. However, the proof is not

482 views • 3 slides
Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Introduction Generic critical value sets Integer invariants mod2 invariants Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference Legacy of Vladimir Arnold Fields Institute, Toronto 25 November

1.37k views • 84 slides
Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

4/13/2017 OOP Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object oriented Programming (Using C++) ht t p: / / www. com pgeom . com / ~pi yush/ t each/ 3330 Objects: State (fields), Behavior (member

632 views • 6 slides
Performance Profiling with EndoScope, an Acquisitional Software Monitoring Framework Alvin

Performance Profiling with EndoScope, an Acquisitional Software Monitoring Framework Alvin

Performance Profiling with EndoScope, an Acquisitional Software Monitoring Framework Alvin Cheung Sam Madden MIT CSAIL August 25, 2008 Collecting System Runtime Data Many uses Real-time system monitoring Detect security breaches

357 views • 25 slides
Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to

Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to

4/23/16 Loop invariants as a way of reasoning about the state of your program Loop invariants &lt;precondition: n&gt;0&gt; int i = 0; while (i &lt; n){ i = i+1; We want to prove: } i==n right after the loop &lt;post condition: i==n&gt;

80 views • 7 slides

More recommend