Runtime Monitoring of Functional Component Changes with Behavior Models

Runtime Monitoring of Functional
Component Changes with
Behavior Models
Carlo Ghezzi
Andrea Mocci
Mario Sangiorgio

OPEN ENVIRONMENT

Application Service

2

ISSUES

Lack of formal Services may change
speciﬁcations behavior

3

GOALS

Recover speciﬁcations
Detect changes
and keep them updated

4

GOALS

Recover speciﬁcations
Detect changes
and keep them updated

AT RUNTIME

4

APPROACH
DESIGN TIME RUN TIME
Speciﬁcation
Update
Speciﬁcation Monitoring
Change
Detection
Inference

5

pop()

pu
pop()

sh

)
(2

p(
Stack

)

po
size() = 0
Stack() top() push(2) push(1)

po
=Exception

)

p(
(1

)
sh
push(2)

SPECIFICATIONS

pu
pop()
pop()
Stack Stack
size() = 1 size() ≥ 2
top() = 2 top() = 2
push(2)
pop(), push(2)

Figure 2: Outline of the Synthesis Algorithm

pop() push(2)
Stack Stack Stack pop push
size() = 2 size() = 1 size() = 2
top() = 1 top() = 1 top() = 2 push
push(1) pop()
pop() S0 S1
Stack
push(1)
pop
Stack
size() = 0 pop
Stack() top() pop()
=Exception State push pop size top
Observer Abstraction
push(2)
S0 — EmptyStackException — EmptyStackException
pop()
pop() pop() S1 — — — —
Stack Stack Stack Modiﬁer Behavior Abstraction
size() = 2 size() = 1 size() = 2 S0 Variant Invariant Invariant Invariant
top() = 1 top() = 2 top() = 2
S1 Variant Variant Invariant Invariant
push(1) push(2)

Figure 3: Outline of the Synthesis Algorithm

Behavioral Protocol Behavior
Equivalence Models Models

6

BEHAVIORAL EQUIVALENCE MODELS
Based on behavioral equivalence
Two objects x and y are behaviorally equivalent if and
only if for every possible sequence s made of
modiﬁers and ending with an observer s(x) = s(y)

Built exploring exhaustively a small scope
Hypothesis: A small but Precise Finite-State Model
captures “by example” all the relevant behavior of a
component
7

pop() push(2)
Stack Stack Stack
size() = 2 size() = 1 size() = 2
top() = 1 top() = 1 top() = 2
push(1) pop()
pop()
push(1)

Stack
size() = 0
Stack() top() pop()
=Exception

push(2)
pop()
pop() pop()
Stack Stack Stack
size() = 2 size() = 1 size() = 2
top() = 1 top() = 2 top() = 2
push(1) push(2)

8

pop() push(2)
Stack Stack Stack
size() = 2 size() = 1 size() = 2
top() = 1 top() = 1 top() = 2
push(1) pop()
pop()
push(1)

Stack
size() = 0
Stack() top() pop()
=Exception

push(2)
pop()
pop() pop()
Stack Stack Stack
size() = 2 size() = 1 size() = 2
top() = 1 top() = 2 top() = 2
push(1) push(2)

Small scope 8

pop() push(2)
Stack Stack Stack
size() = 2 size() = 1 size() = 2
top() = 1 top() = 1 top() = 2
push(1) pop()
pop()
push(1)

Stack
size() = 0 Exhaustive
Stack() pop()
top() search
=Exception

push(2)
pop()
pop() pop()
Stack Stack Stack
size() = 2 size() = 1 size() = 2
top() = 1 top() = 2 top() = 2
push(1) push(2)

Small scope 8

pop() push(2)
Stack Stack Stack
size() = 2 size() = 1 size() = 2
top() = 1 top() = 1 top() = 2
push(1) pop()
pop()
push(1)
Up to a bound
Stack
size() = 0 Exhaustive
Stack() pop()
top() search
=Exception

push(2)
pop()
pop() pop()
Stack Stack Stack
size() = 2 size() = 1 size() = 2
top() = 1 top() = 2 top() = 2
push(1) push(2)

Small scope 8


PROs CONs

Precise description of the Limited to the observed
component behavior (small) scope

9


PROs CONs

Precise description of the Limited to the observed
component behavior (small) scope

NEED FOR MORE
GENERAL MODELS!
9

PROTOCOL BEHAVIOR MODELS

Abstraction of the information in the
Behavioral Equivalence Models

Normal or exceptional result

Effects on component’s state
10

pop push

push

Stack S0 S1
pop

pop
State push pop size top
S1 — — — —
Modiﬁer Behavior Abstraction
S0 Variant Invariant Invariant Invariant

11

No parameters
pop push

push

Stack S0 S1
pop

pop
S1 — — — —

11

No parameters
pop push

push

Stack S0 S1
pop
Result type pop
S1 — — — —

11

No parameters
pop push

push

Stack S0 S1
pop
Result type pop
S1 — — — —

Effects on state

11

A MORE COMPLEX EXAMPLE

void putNextEntry(Entry entry);
void write(String data);
void close();
StorageService

Exception thrown on not allowed operations

Set-like behavior and complex interaction protocol
12

INITIAL MODEL*
c, w w, pE S2
c c, w, pE
pE c
pE c
S S0 S1 pE S4 S5
pE pE
w, pE
w c
w S3

Legend: S:StorageService, w:write, c:close, pE:putNextEntry
State close putN extEntry write
S0 ZipException — ZipException
S1 — [−, ZipException] —
S2 — [−, ZipException] ZipException
S3 — ZipException —
S4 — ZipException ZipException
S5 — IOException IOException *derived from
Modiﬁer Behavior Abstraction test cases
S0 Invariant Variant Invariant containing
S1 Variant Variant Invariant
S2 Variant Invariant Invariant
entries e, f
S3 Variant Variant Invariant and writing
S4 Variant Invariant Invariant “0” 13
S5 Invariant Invariant Invariant

INITIAL MODEL*
c, w w, pE S2
c c, w, pE
pE c
pE c
S S0 S1 pE S4 S5
pE pE
w, pE
w c
w S3
First entry inserted
entries e, f

INITIAL MODEL* blocks write
Duplicate entry
c, w w, pE S2
c c, w, pE
pE c
pE c
S S0 S1 pE S4 S5
pE pE
w, pE
w c
w S3
First entry inserted
entries e, f

Duplicate entry
c, w w, pE S2
c c, w, pE
pE c
pE c
S S0 S1 pE S4 S5
pE pE
w, pE
w c
w S3
First entry inserted Two valid entries inserted
entries e, f

Duplicate entry
c, w w, pE S2
c c, w, pE
pE c
pE c
No more valid
S S0 S1 pE S4 S5
entries
pE pE
w, pE available?
w c
w S3
First entry inserted Two valid entries inserted
entries e, f

EXAMPLE

Let’s use the model and update it at runtime!

14

MONITORING

Behavior
Models

Execution traces are checked against the models

15

MONITORING ISSUES

Observed traces may
not be enough

Observations may affect
component’s state

16

ASSUMPTIONS

Behavior
Models

Clones available to the monitor

17

VIOLATION DETECTION

Execution Protocol
Trace Behavior Model

18

CHECKING THE PROTOCOL
OPERATION OUTCOME STATE
s = StorageService(); - S0
c, w w, pE S2
c c, w, pE
pE
s.putNextEntry(a) - S1 c
pE c
s.putNextEntry(a) - ? S S0 S1 pE S4 S5
pE pE
w, pE
w c
w S3

S5 — IOException IOException
S0 Invariant Variant Invariant
19

CHECKING THE PROTOCOL
c, w w, pE S2
c c, w, pE
pE
s.putNextEntry(a) - S1 c
pE c
s.putNextEntry(a) - ? S S0 S1 pE S4 S5
pE pE
w, pE
It depends on the w
w S3 c

outcome of next Legend:
State close
S:StorageService, w:write, c:close, pE:putNextEntry
putN extEntry write

operations S0 ZipException
— ZipException

Check on the clone S4
S5
—
—
ZipException
IOException
ZipException
IOException

results of a S0
S1
Invariant
Variant
Variant
Variant
Invariant
Invariant

discriminating operation

with known instances S5 Invariant Invariant Invariant
19

PROTOCOL VIOLATION (1)
c, w w, pE S2
c c, w, pE
S1 pE
s.putNextEntry(a) - c
pE c
s.putNextEntry(a) - S2 S S0 S1 pE S4 S5
pE pE
w, pE
s.putNextEntry(b) - S2
w c
w S3
s.write(data) - ?
20

c, w w, pE S2
c c, w, pE
S1 pE
s.putNextEntry(a) - c
pE c
s.putNextEntry(a) - S2 S S0 S1 pE S4 S5
pE pE
w, pE
s.putNextEntry(b) - S2
w c
w S3
s.write(data) - ?

As seen before the test S2
S3
S4
—
—
—
[−, ZipException]
ZipException
ZipException
—
ZipException

ZipException

scope was too small, but S5 — IOException
IOException

we can ﬁx the model!
20

c, w w, pE S2
c c, w, pE
pE
s.write(“”) - ? c
pE c
S S0 S1 pE S4 S5
pE pE
w, pE
w c
w S3

21

c, w w, pE S2
c c, w, pE
pE
s.write(“”) - ? c
pE c
S S0 S1 pE S4 S5
pE pE
w, pE
w c
w S3


ZipException expected! State close putN extEntry
write


Special values are S3
S4
S5
—
—
—
ZipException
ZipException
IOException
—
ZipException
IOException

unknown in advance S0 Invariant
Variant Invariant
21

VIOLATION INTERPRETATION

Protocol
Behavior Model
Behavioral
Equivalence
Model

22

IS THE VIOLATION A CHANGE?
We can tell it replaying the
traces contained in the
Behavioral Equivalence Model

Everything still works: Different results:
previously unobserved behavior change detected
23

MODEL UPDATES

Old Behavior
Equivalence Model

24

MODEL UPDATES

Old Behavior
Equivalence Model

Trace exposing
new behavior

24

MODEL UPDATES

Old Behavior
Equivalence Model

Extended scopes
for existing models

Trace exposing
new behavior

24

MODEL UPDATES

Old Behavior
Equivalence Model

Set of Behavior
Extended scopes
Equivalence
for existing models
Models

Trace exposing
new behavior

24

MODEL UPDATES

Old Behavior
Equivalence Model

Set of Behavior
Extended scopes
Equivalence
for existing models
Models

Trace exposing
new behavior

Incremental
Add only new information
24

MODEL UPDATES

Old Behavior
Equivalence Model

Set of Behavior
Extended scopes Updated Protocol
Equivalence
for existing models Behavior Model
Models

Trace exposing
new behavior

Incremental
Add only new information
24

UPDATED MODEL
c, w pE, w c

pE w, pE
pE c
S S0 S1 pE S2

c S5
pE pE c
pE c, w, pE
S3 S4

w w, pE
S5 Invariant Invariant Invariant 25

UPDATED MODEL
c, w pE, w c

pE w, pE
pE c
S S0 S1 pE S2

c S5
pE pE c
First entry inserted pE c, w, pE
S3 S4

w w, pE

UPDATED MODEL c
c, w pE, w Duplicate entry
pE w, pE
pE c
S S0 S1 pE S2

c S5
pE pE c
S3 S4

w w, pE

UPDATED MODEL c
c, w pE, w Duplicate entry
pE w, pE
pE c
S S0 S1 pE S2

c S5
pE pE c
S3 S4

w w, pE Scope effects

CHANGE DETECTION

Effectiveness of change
detection proved injecting
faults in the component

Always working and always exceptional
implementation for each method
26

CONCLUSIONS

✓Behavioral Models at run time
✓Speciﬁcation of a software component
✓Functional change detection

27

FUTURE WORK

•Relax assumptions
•Tackle scope effects
•Minimization of the scope size
•Model interacting objects

28

Runtime Monitoring of Functional Component Changes with Behavior Models

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (12)

Dernier

Dernier (20)

Runtime Monitoring of Functional Component Changes with Behavior Models

Notes de l'éditeur