Web service message contracts are constraints on the values and sequences of XML messages that can be exchanged between a client’s web browser and an application server. This tutorial presents BeepBeep, a lightweight Java monitor that can check and enforce message contracts expressed as LTL formulae with first-order quantification over data fields. Its use is illustrated on real world web applications submitted to these kinds of contracts.
Runtime Verification for the Web (RV 2010 Tutorial)
1. Sylvain Hallé
Sylvain Hallé and Roger Villemaire
Runtime Verification for the Web
A Tutorial Introduction to Interface Contracts in Web Applications
Université du Québec à Chicoutimi, CANADA
Université du Québec à Montréal, CANADA
Fonds de recherche sur la nature et les technologies
CRSNG / NSERC
2. Sylvain Hallé
Why this tutorial?
Web applications and cloud computing: a growing part of computing systems
Very simple protocols: no state, only basic type checking, the rest is up to the developers
Loose coupling of components: nice but comes with problems!
Few works on verification / enforcement of web applications
A "call to arms" to the community: interesting opportunities for application of RV
3. Sylvain Hallé
Tutorial overview
Part One: The basics of web applications
· What is a web application?
· An example: the Beep Store
· Constraints and problems
Part Two: Interface contracts in web applications
· Characterizing constraints
· Formalizing constraints
· Monitoring constraints
· Doing this for real: back to the Beep Store
What's next?
17. Sylvain Hallé
A static web site
[Figure: a browser showing the Beep Store page (menu: Search, What is this?, Login, Ask for account, Contact us, Version info) requests beatles.html from the cloud]
beatles.html
<html>
...
<h1>Results for Beatles</h1>
...
</html>
Only page rendering instructions are sent
27. Sylvain Hallé
A dynamic web site
[Figure: a browser showing the Beep Store page (menu: Search, What is this?, Login, Ask for account, Contact us, Version info) sends artist=beatles to the cloud]
artist=beatles
Content is generated programmatically based on user input
44. Sylvain Hallé
Ajax web application
Does not need to be a URL
Does not need to be HTML
<Search>
  <Artist>beatles</Artist>
</Search>
<SearchResults>
  <Item>
    <Artist>The Beatles</Artist>
    <Title>Rubber Soul</Title>
  </Item>
  ...
</SearchResults>
45. Sylvain Hallé
Ajax web application
XML: The eXtensible Markup Language
· Nested collection of elements
· Input/output data is semi-structured
<Search>
  <Artist>beatles</Artist>
</Search>
<SearchResults>
  <Item>
    <Artist>The Beatles</Artist>
    <Title>Rubber Soul</Title>
  </Item>
  ...
</SearchResults>
53. Sylvain Hallé
An example: the Beep Store
· Purpose-built tutorial application
· Fake CD catalog + web service + web client (SQLite, PHP, JavaScript)
· Functionalities typical of real-world applications we studied
· Examples: session login/logout, shopping cart operations
[Screenshot: the Beep Store page with "Sign in or register", a menu (What is this?, Login, Ask for account, Contact us, Fault parameters), a search box, "Your Cart", and search results for 'Beatles': Rubber Soul and Yellow Submarine, both by The Beatles]
87. Sylvain Hallé
What are the issues?
Free-form messages
Stateful interactions, stateless protocols
No uniform contract notation
Constraints at message level
XML, but that's about it. No assumptions on nesting, degree, etc.
HTTP / SOAP define only message structure
No protocol enforces sequential constraints
Plain-text documentation... but OWL, RDF, ...
Components are black boxes (e.g. Amazon)
89. Sylvain Hallé
A first solution
1. A priori certification
A trustworthy authority assesses the client's compliance to the contract...
Testing, static verification, etc.
90. Sylvain Hallé
A first solution
1. A priori certification
A trustworthy authority assesses the client's compliance to the contract...
...and grants a digital certificate
92. Sylvain Hallé
A first solution
1. A priori certification
The service needs a certificate to start an exchange with a client
Example: iPhone app certification
93. Sylvain Hallé
A first solution
1. A priori certification
Problem: the client can change after certification
iPhone jailbreaking, JavaScript prototype hijacking, ...
96. Sylvain Hallé
Proposed approach
2. Client-side Runtime Monitoring
A separate process checks each message...
The message is relayed to the web service proper when it complies with the contract
97. Sylvain Hallé
Proposed approach
2. Client-side Runtime Monitoring
A separate process checks each message...
...and is discarded when it violates the contract
98. Sylvain Hallé
Summary (I)
· A web service interacts with a web client through the exchange of semi-structured XML documents called messages
· The service and client are generally designed by different organisations
· No verification is done on the incoming and outgoing messages: mismatch possible between sent and expected messages (in both directions)
· A priori checking of a client for compliance is very hard, if not impossible
· Runtime monitoring is a possible solution
105. Sylvain Hallé
Interface contracts
As a tutorial tool, the Beep Store's JavaScript client can be told to "forget" elements of the service's interface contract
[Screenshot: the Beep Store "Fault parameters" page, annotated "Highlights documentation" and "Disables the verification"]
Fault parameters
Message schemas
· Don't check Results's type: In the detailed search form, sends an ItemSearch message without checking that the Results element is an integer.
Cart manipulations
· "Add to cart" enabled if item present in cart: Makes the "Add to cart" button available for items that are already in the user's cart.
106. Sylvain Hallé
Interface contracts
As a tutorial tool, the Beep Store's JavaScript client can be told to "forget" elements of the service's interface contract
Dave, my mind is going...
109. Sylvain Hallé
Three types of constraints (I)
Constraints on individual messages
Examples:
<Message>
  <Action>ItemSearch</Action>
  <Results>5</Results>
  <Keyword>beatles</Keyword>
  <Page>1</Page>
</Message>
1. The element Page must be an integer between 1 and 20.
2. The element Page is mandatory only if Results is present, otherwise it is forbidden.
110. Sylvain Hallé
Expressing data constraints
Simple XPath
Fetches portions of an XML document according to a query path = sequence of tags
$M$: set of messages
$Q$: set of XML query paths
$V$: set of atomic values
$\pi : Q \times M \to 2^V$
Examples:
$\pi(\text{"/a/b/c"}, m) = \{1, 2, 4\}$
$\pi(\text{"/a/b/d"}, m) = \emptyset$
$m$ =
<a>
  <b>
    <c>1</c>
    <c>2</c>
  </b>
  <d>
    <c>9</c>
  </d>
  <b>
    <c>3</c>
  </b>
</a>
111. Sylvain Hallé
Expressing data constraints
XPath term
Expresses properties over values fetched by XPath expressions
For some message $m \in M$, path $q \in Q$,
$\forall_q\, x : \varphi(x) \Leftrightarrow \varphi(v)$ for every $v \in \pi(q, m)$
$\exists_q\, x : \varphi(x) \Leftrightarrow \varphi(v)$ for some $v \in \pi(q, m)$
Examples:
$\forall_{/a/b/c}\, x : x < 5$
$\exists_{/a/b}\, x :$
$\exists_{/a/b/c}\, x : \forall_{/a/b/c}\, y : y \leq x$
$m$ =
<a>
  <b>
    <c>1</c>
    <c>2</c>
  </b>
  <d>
    <c>9</c>
  </d>
  <b>
    <c>3</c>
  </b>
</a>
114. Sylvain Hallé
Expressing data constraints
1. $\forall_{/Message/Page}\, x : x > 0 \wedge x < 21$
2. $\exists_{/Message/Page}\, x : \;\Leftrightarrow\; \exists_{/Message/Results}\, y :$
<Message>
  <Action>ItemSearch</Action>
  <Results>5</Results>
  <Keyword>beatles</Keyword>
  <Page>1</Page>
</Message>
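An added example (not BeepBeep code and not part of the original slides): the Simple XPath function π and the quantified XPath terms, written in JavaScript and applied to constraints 1 and 2 on the ItemSearch message. The parser only accepts attribute-free messages like those in the slides; `parseXml`, `pi`, `forAll`, `exists` and `checkMessage` are names chosen for this sketch.

```javascript
// Added example; all function names are chosen here, not taken from BeepBeep.

// Strict parser for the attribute-free messages shown in the slides.
function parseXml(src) {
  const root = { tag: null, children: [], text: "" };
  const stack = [root];
  // Sticky flag: every character must belong to a tag or to text, nothing is skipped.
  const token = /<(\/?)([A-Za-z_][\w.-]*)\s*>|([^<]+)/y;
  while (token.lastIndex < src.length) {
    const t = token.exec(src);
    if (t === null) throw new Error("unsupported markup");
    const top = stack[stack.length - 1];
    if (t[3] !== undefined) {
      top.text += t[3].trim();
    } else if (t[1] === "") {
      const node = { tag: t[2], children: [], text: "" };
      top.children.push(node);
      stack.push(node);
    } else {
      if (top.tag !== t[2]) throw new Error("mismatched closing tag " + t[2]);
      stack.pop();
    }
  }
  if (stack.length !== 1) throw new Error("unclosed element");
  return root;
}

// pi(q, m): the values found at the end of query path q in message m.
function pi(q, m) {
  let nodes = [m];
  for (const tag of q.split("/").filter(Boolean)) {
    nodes = nodes.flatMap(n => n.children.filter(c => c.tag === tag));
  }
  return nodes.map(n => n.text);
}

// Quantifiers range over the values fetched from this message only.
const forAll = (q, m, phi) => pi(q, m).every(phi); // true when the path is absent
const exists = (q, m, phi) => pi(q, m).some(phi);

// Returns the numbers of the violated constraints (1 and 2 from the slides).
function checkMessage(xml) {
  const m = parseXml(xml);
  const violated = [];
  // 1. Page is an integer with 0 < Page < 21.
  const inRange = x => /^\d+$/.test(x) && Number(x) > 0 && Number(x) < 21;
  if (!forAll("/Message/Page", m, inRange)) violated.push(1);
  // 2. Page is present if and only if Results is present.
  const hasPage = exists("/Message/Page", m, () => true);
  const hasResults = exists("/Message/Results", m, () => true);
  if (hasPage !== hasResults) violated.push(2);
  return violated;
}

// The ItemSearch message from the slides, followed by constructed variants.
const itemSearch = "<Message><Action>ItemSearch</Action><Results>5</Results>" +
  "<Keyword>beatles</Keyword><Page>1</Page></Message>";
const pageTooHigh = itemSearch.replace("<Page>1<", "<Page>25<");
const pageNotInteger = itemSearch.replace("<Page>1<", "<Page>two<");
const pageWithoutResults = itemSearch.replace("<Results>5</Results>", "");

for (const msg of [itemSearch, pageTooHigh, pageNotInteger, pageWithoutResults]) {
  console.log(checkMessage(msg));
}
```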
117. Sylvain Hallé
Three types of constraints (II)
Constraints on message sequences
Examples:
<Message>
  <Action>Login</Action>
  ...
</Message>
<Message>
  <Action>LoginResponse</Action>
  ...
</Message>
<Message>
  <Action>CartCreate</Action>
  ...
</Message>
3. The Login request cannot be resent if its response is successful.
4. CartCreate must follow a successful LoginResponse.
119. Sylvain Hallé
Linear Temporal Logic
LTL formula = assertion on the sequence of states in a trace
$\mathbf{G}\, a$: "always a"
$\mathbf{X}\, a$: "a in the next"
$\mathbf{F}\, a$: "eventually a"
$a\, \mathbf{W}\, b$: "a until b"
[Figure: example formulas, including $\mathbf{G}\,(a \to \mathbf{X}\, b)$, evaluated to TRUE or FALSE on a sample trace]
120. Sylvain Hallé
Linear Temporal Logic
Well-known results:
1. For every LTL formula $\varphi$, there exists a Büchi automaton $A_\varphi$ such that for every (infinite) trace $\sigma$:
$\sigma \models \varphi \Leftrightarrow \sigma \in L(A_\varphi)$
i.e. LTL describes $\omega$-regular languages
2. The alphabet symbols can be generalized to finite sets of Boolean propositions
$\Rightarrow$ Let's use XPath terms as our Boolean propositions
124. Sylvain Hallé
Three types of constraints (II)
Constraints on message sequences
Examples:
<Message>
  <Action>Login</Action>
  ...
</Message>
<Message>
  <Action>LoginResponse</Action>
  ...
</Message>
<Message>
  <Action>CartCreate</Action>
  ...
</Message>
3. $\mathbf{G}\,(\forall_{/Message/Action}\, a : a = \text{LoginResponse} \to \mathbf{X}\,\mathbf{G}\,(\forall_{/Message/Action}\, a' : a' \neq \text{Login}))$
4. $(\forall_{/Message/Action}\, a : a \neq \text{CartCreate})\; \mathbf{W}\; (\forall_{/Message/Action}\, a' : a' = \text{LoginResponse})$
The quantified parts of these formulas are XPath terms.
125. Sylvain Hallé
Three types of constraints (II)
The verification can be separated in two steps
1. Temporal step: determine temporal relationships to current message
2. Data step: evaluate relevant XPath terms on message
[Figure: parse tree of a formula mixing temporal operators and quantifiers]
135. Sylvain Hallé
Runtime monitoring
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a Büchi automaton from a given LTL formula $\varphi$
Benefit: "on-the-fly": automaton states are built as the trace is read
[Figure: the automaton for $\varphi$ is explored state by state while reading the trace $\sigma = aba$]
Dead end: formula is false
137. Sylvain Hallé
Runtime monitoring
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form
sub-formulas that must be true now | sub-formulas that must be true in the next state
Example:
138. Sylvain Hallé
Runtime monitoring
2. Negations pushed inside (classical identities + dual of U = V)
3. At the leaves, $\Gamma$ contains atoms + negations of atoms: we evaluate them
Verdict:
· All leaves contain FALSE: formula is false
· A leaf is empty: formula is true
· Otherwise:
4. Next event: $\Delta$ copied into $\Gamma$ and we continue
151. Sylvain Hallé
Runtime monitoring
Example: $\mathbf{G}\,(a \to \mathbf{X}\, b)$
$\sigma = a$
[Figure: decomposition tree for $\mathbf{G}\,(a \to \mathbf{X}\, b)$ on the event $a$]
157. Sylvain Hallé
Runtime monitoring
Example: $\mathbf{G}\,(a \to \mathbf{X}\, b)$
$\sigma = ac$
No way to extend the trace: formula is false
158. Sylvain Hallé
Three types of constraints (III)
Data-aware sequential constraints
Examples:
<Message>
  <SessionKey>123</SessionKey>
  <CartId>789</CartId>
  ...
</Message>
<Message>
  <SessionKey>123</SessionKey>
  <CartId>789</CartId>
  ...
</Message>
5. There can be at most one active cart ID per session key.
159. Sylvain Hallé
Three types of constraints (III)
Data-aware sequential constraints
Examples:
<Message>
  <SessionKey>123</SessionKey>
  <CartId>789</CartId>
  ...
</Message>
<Message>
  <SessionKey>123</SessionKey>
  <CartId>789</CartId>
  ...
</Message>
5. $\mathbf{G}\,(\forall_{/Message/SessionKey}\, k : \forall_{/Message/CartId}\, c : \mathbf{G}\,(\forall_{/Message/SessionKey}\, k' : \forall_{/Message/CartId}\, c' : k = k' \to c = c'))$
162. Sylvain Hallé
Three types of constraints (III)
Data-aware sequential constraints
5. $\mathbf{G}\,(\forall_{/Message/SessionKey}\, k : \forall_{/Message/CartId}\, c : \mathbf{G}\,(\forall_{/Message/SessionKey}\, k' : \forall_{/Message/CartId}\, c' : k = k' \to c = c'))$
· XPath terms and temporal operators are mixed
· Not just "LTL with syntactical sugar"
· Not just a pathological case
163. Sylvain Hallé
Three types of constraints (III)
Data-aware sequential constraints
Examples:
<Message>
  <Action>CartAdd</Action>
  <Items>
    <Item>
      <ItemId>567</ItemId>
      ...
<Message>
  <Action>CartAdd</Action>
  <Items>
    <Item>
      <ItemId>567</ItemId>
      ...
6. You cannot add the same item twice to the shopping cart.
164. Sylvain Hallé
Three types of constraints (III)
Data-aware sequential constraints
Examples:
<Message>
  <Action>CartAdd</Action>
  <Items>
    <Item>
      <ItemId>567</ItemId>
      ...
<Message>
  <Action>CartAdd</Action>
  <Items>
    <Item>
      <ItemId>567</ItemId>
      ...
6. $\mathbf{G}\,(\forall_{/Message/Action}\, a : a = \text{CartAdd} \to \forall_{/Message/ItemId}\, i : \mathbf{X}\,\mathbf{G}\,(\forall_{/Message/Action}\, a' : a' = \text{CartAdd} \to \forall_{/Message/ItemId}\, i' : i \neq i'))$
165. Sylvain Hallé
Runtime monitoring
Quantification must be relative to the values in the current message, and not the whole set $V$ of possible values!
Example: "In every message, the a parameter must equal the b parameter". Suppose $V = \{1, 2\}$, and classical first-order quantification.
$\mathbf{G}\, \forall_a x : \forall_b y : x = y$
$\mathbf{G}\,(\forall_b y : 1 = y) \wedge \mathbf{G}\,(\forall_b y : 1 = y)$
$\mathbf{G}\,(1 = 1) \wedge \mathbf{G}\,(1 = 2) \wedge \mathbf{G}\,(1 = 1) \wedge \mathbf{G}\,(1 = 2)$
Contradiction
166. Sylvain Hallé
Runtime monitoring
LTL-FO+ (Hallé & Villemaire, EDOC 2008)
Extension of LTL with (limited) first-order quantification on message elements
· Boolean and LTL operators keep their original meaning
· An XPath term is always meant to refer to the current message in the trace
167. Sylvain Hallé
Runtime monitoring
Adaptation of the runtime monitoring algorithm to handle LTL-FO+:
1. Atoms become equality tests
2. Decomposition rules for quantifiers
(and vice versa)
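An added example, not BeepBeep's implementation: a small LTL-FO+ monitor in JavaScript that rewrites the formula after each message (formula progression) instead of using the on-the-fly automaton construction described in the slides. It runs constraints 3, 4 and 5, with quantifiers ranging over the values of the current message as required above. The messages are constructed samples already reduced to maps from query path to values, and every name is chosen for this sketch.

```javascript
// Added example: names and sample traces are constructed, not BeepBeep's.
// A message is reduced to { queryPath: [values] }, so pi is a lookup.
const pi = (q, m) => m[q] || [];

// Constructors; JavaScript booleans play TRUE/FALSE and are simplified away.
const and = (l, r) => (l === false || r === false) ? false
  : l === true ? r : r === true ? l : { op: "and", l, r };
const or = (l, r) => (l === true || r === true) ? true
  : l === false ? r : r === false ? l : { op: "or", l, r };
const not = f => (typeof f === "boolean" ? !f : { op: "not", f });
const implies = (l, r) => or(not(l), r);
const X = f => ({ op: "X", f });
const G = f => ({ op: "G", f });
const W = (l, r) => ({ op: "W", l, r });
// body maps a value found in the current message to a formula (or a boolean).
const forAll = (path, body) => ({ op: "forall", path, body });

// step(f, m): the formula the rest of the trace must satisfy after reading m.
function step(f, m) {
  if (typeof f === "boolean") return f;
  switch (f.op) {
    case "and": return and(step(f.l, m), step(f.r, m));
    case "or": return or(step(f.l, m), step(f.r, m));
    case "not": return not(step(f.f, m));
    case "X": return f.f;
    case "G": return and(step(f.f, m), f);
    case "W": return or(step(f.r, m), and(step(f.l, m), f));
    case "forall": // ranges over the values of the current message only
      return pi(f.path, m).reduce((acc, v) => and(acc, step(f.body(v), m)), true);
    default: throw new Error("unknown operator: " + f.op);
  }
}

// One verdict per message: "?" while undecided, then "true" or "false" for good.
function monitor(formula, trace) {
  let state = formula;
  return trace.map(m => {
    state = step(state, m);
    return typeof state === "boolean" ? String(state) : "?";
  });
}

const ACTION = "/Message/Action";
const KEY = "/Message/SessionKey";
const CART = "/Message/CartId";

// 3. After a LoginResponse, no Login message may appear.
const noRelogin = G(forAll(ACTION, a =>
  implies(a === "LoginResponse", X(G(forAll(ACTION, b => b !== "Login"))))));
// 4. No CartCreate until a LoginResponse (weak until).
const cartAfterLogin = W(forAll(ACTION, a => a !== "CartCreate"),
  forAll(ACTION, a => a === "LoginResponse"));
// 5. Two messages with the same session key carry the same cart ID.
const oneCartPerSession = G(forAll(KEY, k => forAll(CART, c =>
  G(forAll(KEY, k2 => forAll(CART, c2 => k !== k2 || c === c2))))));

// Constructed traces.
const act = a => ({ [ACTION]: [a] });
const cart = (k, c) => ({ [KEY]: [k], [CART]: [c] });
const reloginTrace = [act("Login"), act("LoginResponse"), act("Login")];
const earlyCartTrace = [act("CartCreate")];
const loginThenCartTrace = [act("Login"), act("LoginResponse"), act("CartCreate")];
const cartSwapTrace = [cart("123", "789"), cart("123", "789"),
  cart("456", "555"), cart("123", "555")];

console.log(monitor(noRelogin, reloginTrace));
console.log(monitor(cartAfterLogin, earlyCartTrace));
console.log(monitor(cartAfterLogin, loginThenCartTrace));
console.log(monitor(oneCartPerSession, cartSwapTrace));
```

The monitor state for constraint 5 grows by one conjunct per message, since this sketch does not merge repeated sub-formulas.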
171. Sylvain Hallé
Six constraints for the Beep Store
Constraints on individual messages
1. The element Page must be an integer between 1 and 20.
2. The element Page is mandatory only if Results is present, otherwise it is forbidden.
Constraints on message sequences
3. The Login request cannot be resent if its response is successful.
4. CartCreate must follow a successful LoginResponse.
Data-aware constraints
5. There can be at most one active cart ID per session key.
6. You cannot add the same item twice to the shopping cart.
172. Sylvain Hallé
Why are web service contracts special?
1. Presence of data-aware constraints
· Cannot separate data part from temporal part in specification AND enforcement
2. Complex messages
· Arbitrary nested structure
· Cannot say "the ItemId": there are many!
· Rules out languages that merely freeze a value in a variable
<Message>
  <Action>CartAdd</Action>
  <Items>
    <Item>
      <ItemId>567</ItemId>
      ...
    </Item>
    <Item>
      <ItemId>789</ItemId>
      ...
    </Item>
    ...
  </Items>
</Message>
173. Sylvain Hallé
Enforcing interface contracts at runtime
XMLHttpRequest
· JavaScript object
· Provided by the browser
· All communications to monitor already centralized: "no" instrumentation
175. Sylvain Hallé
Enforcing interface contracts at runtime
XMLHttpRequestBB
· Wrapper around original
· Provides same methods
· Checks messages before relaying them
[Figure labels: XMLHttpRequestBB, XMLHttpRequest, LTL-FO+ algorithm]
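An added example of the wrapper idea, not BeepBeep's XMLHttpRequestBB: a JavaScript object that offers the request methods an application calls and consults a contract monitor before relaying messages in either direction. `MonitoredRequest`, `CartAfterLoginContract`, `FakeTransport`, the `onviolation` callback, the `Ack` response and the URL are all hypothetical; the contract is a hand-written check of constraint 4.

```javascript
// Added example (hypothetical names; not BeepBeep's XMLHttpRequestBB).

// Hand-written monitor for constraint 4: CartCreate must follow a LoginResponse.
class CartAfterLoginContract {
  constructor() { this.loginSeen = false; }
  static action(xml) {
    const m = /<Action>\s*([^<]*?)\s*<\/Action>/.exec(String(xml));
    return m ? m[1] : null;
  }
  // Returns true when the message may pass; sees both requests and responses.
  accept(xml) {
    const action = CartAfterLoginContract.action(xml);
    if (action === "LoginResponse") this.loginSeen = true;
    return action !== "CartCreate" || this.loginSeen;
  }
}

class MonitoredRequest {
  // transport: an XMLHttpRequest-like object (in a browser, new XMLHttpRequest()).
  constructor(transport, contract) {
    this.transport = transport;
    this.contract = contract;
    this.onload = null;      // application callback, as with XMLHttpRequest
    this.onviolation = null; // called instead of relaying a non-compliant message
    this.responseText = "";
    transport.onload = () => {
      // Responses pass through the same monitor before the application sees them.
      if (!this.contract.accept(transport.responseText)) {
        return this.reject("incoming", transport.responseText);
      }
      this.responseText = transport.responseText;
      if (this.onload) this.onload();
    };
  }
  open(method, url, async = true) { this.transport.open(method, url, async); }
  setRequestHeader(name, value) { this.transport.setRequestHeader(name, value); }
  send(body) {
    if (!this.contract.accept(body)) return this.reject("outgoing", body);
    this.transport.send(body);
  }
  reject(direction, message) {
    if (this.onviolation) this.onviolation(direction, message);
  }
}

// Constructed stand-in for the network: records relayed requests, answers Login.
class FakeTransport {
  constructor() { this.sent = []; this.responseText = ""; this.onload = null; }
  open() {}
  setRequestHeader() {}
  send(body) {
    this.sent.push(body);
    this.responseText = body.includes("<Action>Login</Action>")
      ? "<Message><Action>LoginResponse</Action></Message>"
      : "<Message><Action>Ack</Action></Message>"; // constructed reply
    if (this.onload) this.onload();
  }
}

function demo() {
  const net = new FakeTransport();
  const req = new MonitoredRequest(net, new CartAfterLoginContract());
  const violations = [];
  req.onviolation = direction => violations.push(direction);
  const cartCreate = "<Message><Action>CartCreate</Action></Message>";
  req.open("POST", "/beepstore"); // placeholder URL
  req.send(cartCreate);           // discarded: no LoginResponse seen yet
  req.open("POST", "/beepstore");
  req.send("<Message><Action>Login</Action></Message>");
  req.open("POST", "/beepstore");
  req.send(cartCreate);           // relayed
  return { relayed: net.sent.length, violations };
}

console.log(demo());
```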
178. Sylvain Hallé
Add BeepBeep to an application
· Copy BeepBeep in the application's directory (http://beepbeep.sourceforge.net)
· Include BeepBeep
myapplication.html
<html>
<head>
<title>My Application</title>
<!-- BeepBeep is loaded before the application script that uses it -->
<script type="text/javascript" src="beepbeep.js"></script>
<script type="text/javascript" src="myapplication.js"></script>
</head>
<body>
...
</body>
</html>
myapplication.js
// Initializations
var req = new XMLHttpRequest();
...
function abc()
{
  ...
  req.send(some_message);
}
179. Sylvain Hallé
Add BeepBeep to an application
· Copy BeepBeep in the application's directory (http://beepbeep.sourceforge.net)
· Include BeepBeep
beepstore.html
<html>
<head>
<title>My Application</title>
<!-- BeepBeep is loaded before the application script that uses it -->
<script type="text/javascript" src="beepbeep.js"></script>
<script type="text/javascript" src="myapplication.js"></script>
</head>
<body>
...
</body>
</html>
beepstore.js
// Initializations
// The wrapper replaces the browser's XMLHttpRequest; the rest is unchanged
var req = new XMLHttpRequestBB();
...
function abc()
{
  ...
  req.send(some_message);
}
180. Sylvain Hallé
Add BeepBeep to an application
· Create a contract file with LTL-FO+ formulas
# -------------------------------------------------------
# BeepBeep contract file for the Beep Store
# -------------------------------------------------------
% The element Page must be an integer between 1 and 20.
; G ([p /Message/Page] (((p) > ({0})) & ((p) < ({21}))))
% The element Page is mandatory only if Results is present, otherwise it is forbidden.
; G ([a /Message/Action] (((a) = ({ItemSearch})) -> (
((<r /Message/Results> ({TRUE})) ->
(<p /Message/Page> ({TRUE}))) &
((<p /Message/Page> ({TRUE})) -> (
<r /Message/Results> ({TRUE}))))))
% The Login request cannot be resent if its response is successful.
; G ([a /Message/Action] (((a) = ({LoginResponse})) ->
(X (G ([b /Message/Action] (! ((b) = ({Login}))))))))
Lines starting with %: Caption, used when violations are discovered
Lines starting with ;: Plain-text LTL-FO+ (automatically parsed)
181. Sylvain Hallé
Add BeepBeep to an application
When loading the application, BeepBeep starts as a small Java applet inside the page
[Screenshot: the Beep Store page showing search results for 'Beatles' (Rubber Soul and Yellow Submarine, both by The Beatles), with the BeepBeep status line ?/?/?/?/?/?:0:0]
183. Sylvain Hallé
BeepBeep's visible interface
?/?/?/?/?/?:0:0
Fields: current state of monitor for each property; number of messages processed; cumulative processing time (in ms)
T: last message made it true
t: is true
F: last message made it false
f: is false
?: not yet true/false
184. Sylvain Hallé
Summary (II)
· An interface contract provides constraints that cover the format of each XML message, their contents and their ordering
· An extension of Linear Temporal Logic including a limited form of quantification over message elements specifies them
· Runtime monitoring of these constraints can be done efficiently, even with quantification
· BeepBeep is a tool that allows it with minimal modifications on real applications
http://beepbeep.sourceforge.net/
185. Sylvain Hallé
Open issues and interesting questions
Bounded-memory fragments of LTL
The forward-only fragment of LTL (Hallé & Villemaire, SAC 2009)
Applications to runtime monitoring of Java programs
Java-MOP plugin under construction
Symbolic (rather than explicit) handling of quantification
LTL with past operators
Standard web service mechanism for interface contracts?
187. Sylvain Hallé
Open issues and interesting questions
In client-side monitoring...
...the server has no guarantee that monitoring actually takes place
189. Sylvain Hallé
Open issues and interesting questions
In server-side monitoring...
Too many clients may overwhelm the server's verification process
190. Sylvain Hallé
Open issues and interesting questions
Processing savings of client-side monitoring
Guarantees of server-side monitoring
191. Sylvain Hallé
Open issues and interesting questions
Processing savings of client-side monitoring
Guarantees of server-side monitoring
COOPERATIVE RUNTIME MONITORING
S. Hallé, Cooperative runtime monitoring of LTL Interface Contracts. Proc. EDOC 2010. Best paper award