Web service message contracts are constraints on the values and sequences of XML messages that can be exchanged between a client’s web browser and an application server. This tutorial presents BeepBeep, a lightweight Java monitor that can check and enforce message contracts expressed as LTL formulae with first-order quantification over data fields. Its use is illustrated on real world web applications submitted to these kinds of contracts.

1. Sylvain Hallé
Sylvain Hallé and Roger Villemaire
Runtime Verification for the Web
A Tutorial Introduction to Interface Contracts
in Web Applications
.
Université du Québec à Chicoutimi
CANADA
Université du Québec à Montréal
CANADA
Fonds de recherche
sur la nature
et les technologies
CRSNG
NSERC

2. Sylvain Hallé
Web applications and cloud computing: a growing part of
computing systems
Very simple protocols: no state, only basic type checking, the
rest is up to the developers
Loose couplingg of components: nice but comes with problems!
Few works on verification / enforcement of web applications
A ‘‘call to arms’’ to the community: interesting opportunities for
application of RV
Why this tutorial?

3. Sylvain Hallé
Part One: The basics of web applications
?What is a web application?
An example: the Beep Store
Constraints and problems
Part Two: Interface contracts in web applications
Characterizing constraints
Formalizing constraints
Monitoring constraints
Doing this for real: back to the Beep Store
What’s next?
?
?
?
?
?
?
?
Tutorial overview

4. Sylvain Hallé
Part One
The basics of web applications

5. Sylvain Hallé
Desktop computing

6. Sylvain Hallé
Desktop computing

7. Sylvain Hallé
Cloud computingCloud computing

8. Sylvain Hallé
Cloud computingCloud computing

9. Sylvain Hallé
Cloud computingCloud computing
Network connection

10. Sylvain Hallé
Cloud computingA static web site

11. Sylvain Hallé
Cloud computingA static web site
Bee G
Beatles
Camel
Caravan

12. Sylvain Hallé
Cloud computingA static web site
Bee G
Beatles
Camel
Caravan
beatles.html

13. Sylvain Hallé
Cloud computingA static web site

14. Sylvain Hallé
Cloud computingA static web site

15. Sylvain Hallé
Cloud computingA static web site
Sea
rc
h
The
Beep
Store
W
ha
t is
th
is?
Lo
gin
As
k fo
r ac
co
un
t
Con
ta
ct
us
Ve
rsion
info
beatles.html

16. Sylvain Hallé
Cloud computingA static web site
Sea
rc
h
The
Beep
Store
W
ha
t is
th
is?
Lo
gin
As
k fo
r ac
co
un
t
Con
ta
ct
us
Ve
rsion
info
beatles.html
<html>
<h1>
</h1>
</html>
...
Results for
Beatles
...

17. Sylvain Hallé
Cloud computingA static web site
Sea
rc
h
The
Beep
Store
W
ha
t is
th
is?
Lo
gin
As
k fo
r ac
co
un
t
Con
ta
ct
us
Ve
rsion
info
beatles.html
<html>
<h1>
</h1>
</html>
...
Results for
Beatles
...
COnly page rendering
instructions are sent

18. Sylvain Hallé
Cloud computingA dynamic web site
Bee G
Beatles
Camel
Caravan

19. Sylvain Hallé
Cloud computing
Bee G
Beatles
Camel
Caravan
page.php?artist beatles=
A dynamic web site

20. Sylvain Hallé
Cloud computingA dynamic web site

21. Sylvain Hallé
Cloud computingA dynamic web site

22. Sylvain Hallé
Cloud computingA dynamic web site

23. Sylvain Hallé
Cloud computingA dynamic web site
artist
beatles=

24. Sylvain Hallé
Cloud computingA dynamic web site
artist
beatles=

25. Sylvain Hallé
Cloud computingA dynamic web site
artist
beatles=

26. Sylvain Hallé
Cloud computingA dynamic web site
artist
beatles=
Sea
rc
h
The
Beep
Store
W
ha
t is
th
is?
Lo
gin
As
k fo
r ac
co
un
t
Con
ta
ct
us
Ve
rsion
info

27. Sylvain Hallé
Cloud computingA dynamic web site
C
Content is generated
programatically based on
user input
artist
beatles=
Sea
rc
h
The
Beep
Store
W
ha
t is
th
is?
Lo
gin
As
k fo
r ac
co
un
t
Con
ta
ct
us
Ve
rsion
info

28. Sylvain Hallé
Cloud computingAjax web application

29. Sylvain Hallé
Cloud computingAjax web application
JavaScript

30. Sylvain Hallé
Cloud computingAjax web application
Bee G
Beatles
Camel
Caravan

31. Sylvain Hallé
Cloud computingAjax web application
Bee G
Beatles
Camel
Caravan
<a onclick=
>
"javascript:
findBand(’ ’)"Beatles

32. Sylvain Hallé
Cloud computingAjax web application
findBand(’Beatles’)

33. Sylvain Hallé
Cloud computingAjax web application
findBand(’Beatles’)

34. Sylvain Hallé
Cloud computingAjax web application
findBand(’Beatles’)
artist
beatles=

35. Sylvain Hallé
Cloud computingAjax web application
findBand(’Beatles’)
artist
beatles=

36. Sylvain Hallé
Cloud computingAjax web application
document.innerHTML = findBand(’Beatles’)
artist
beatles=

37. Sylvain Hallé
Cloud computingAjax web application
document.innerHTML = findBand(’Beatles’)
artist
beatles=
CPage is updated,
not reloaded

38. Sylvain Hallé
Cloud computingAjax web application
findBand(’Beatles’)
artist
beatles=
CServer response only provides
updated contents
document.innerHTML =

39. Sylvain Hallé
Ajax web applications: examples
Microsoft Office Live

40. Sylvain Hallé
Ajax web applications: examples
eyeOS

41. Sylvain Hallé
Ajax web applications: examples
Chrome OS

42. Sylvain Hallé
Cloud computingAjax web application
Does not need
to be a URL
Does not need
to be HTML

43. Sylvain Hallé
Cloud computingAjax web application
Does not need
to be a URL
Does not need
to be HTML
<Search>
</Search>
beatles
<Artist>
</Artist>

44. Sylvain Hallé
Cloud computingAjax web application
Does not need
to be a URL
Does not need
to be HTML
<SearchResults>
</SearchResults>
The Beatles
Rubber Soul
...
<Item>
</Item>
<Artist>
</Artist>
<Title>
</Title>
<Search>
</Search>
beatles
<Artist>
</Artist>

45. Sylvain Hallé
Cloud computingAjax web application
<Search>
</Search>
beatles
<Artist>
</Artist> XML
The eXtensible Markup
Language
?Nested collection of
elements
?Input/output data is
semi-structured
.
.
<SearchResults>
</SearchResults>
The Beatles
Rubber Soul
...
<Item>
</Item>
<Artist>
</Artist>
<Title>
</Title>

46. Sylvain Hallé
Cloud computingConceptually...

47. Sylvain Hallé
Cloud computingConceptually...

48. Sylvain Hallé
Cloud computingConceptually...

49. Sylvain Hallé
Cloud computingConceptually...

50. Sylvain Hallé
Cloud computingConceptually...

51. Sylvain Hallé
Cloud computingConceptually...

52. Sylvain Hallé
Cloud computingConceptually...
Web service
Web client

53. Sylvain Hallé
An example: the Beep Store
? tutorial application
?Fake CD catalog + web service
+ web client
?Functionalities typical of applications we studied
?Examples:
Session login/logout
Shopping cart
operations
Purpose-built
SQLite PHP
JavaScript
real-world
.
..
.
.
The
Beep
Store
GO
Sign in or register
What is this?
Login
Ask for account
Contact us
Fault parameters
Search: Your Cart
Search results for ‘Beatles’
Rubber Soul
The Beatles
Yellow Submarine
The Beatles

54. Sylvain Hallé
Main issue
Possible
between messages sent
and messages expected
mismatch
Not like traditional programming: all
input-output is exchanged unverified!

55. Sylvain Hallé
Defining message formats
?

56. Sylvain Hallé
1.
2.
...
?
Defining message formats

57. Sylvain Hallé
1.
2.
...
<ItemSearch>
</ItemSearch>
beatles<Artist> </object>
Defining message formats

58. Sylvain Hallé
<ItemSearch>
</ItemSearch>
beatles<Artist> </object>
<ItemSearchResponse>
<Items>
</Items>
</ItemSearchResponse>
Help!
The Beatles
<Item>
</Item>
...
<Title> </no>
<Artist> </Artist>
Defining message formats

59. Sylvain Hallé
<ItemSearch>
</ItemSearch>
beatles<Artist> </object>
<ItemSearchResponse>
<Items>
</Items>
</ItemSearchResponse>
Help!
The Beatles
<Item>
</Item>
...
<Title> </no>
<Artist> </Artist>
XML request
XML response
Defining message formats

60. Sylvain Hallé
<ItemSearch>
</ItemSearch>
beatles<Artist> </object>
ItemSearch[
[string]
]
Artist
<ItemSearchResponse>
<Items>
</Items>
</ItemSearchResponse>
Help!
The Beatles
<Item>
</Item>
...
<Title> </no>
<Artist> </Artist>
XML request
XML response
Defining message formats

61. Sylvain Hallé
<ItemSearch>
</ItemSearch>
beatles<Artist> </object>
ItemSearch[
[string]
]
Artist
ItemSearchResponse[
[
Item[
Title[string],
Artist[string]
]{0,¥}
]
]
Items
<ItemSearchResponse>
<Items>
</Items>
</ItemSearchResponse>
Help!
The Beatles
<Item>
</Item>
...
<Title> </no>
<Artist> </Artist>
XML request
XML response
Defining message formats

62. Sylvain Hallé
ItemSearch[
[string]
]
Artist
ItemSearchResponse[
[
Item[
Title[string],
Artist[string]
]{0,¥}
]
]
Items
?
!
Defining message formats

63. Sylvain Hallé
Defining message formats
WSDL: Web Service Description Language
ItemSearch[
[string]
]
Artist
CartCreate[
[int],
[int],
[
Item[
Title[string],
Artist[string]
]{0,¥}
]
]
Items
SessionKey
Items
?
?
ItemSearchResponse[
[
Item[
Title[string],
Artist[string],
]{0,¥}
]
]
Items
CartCreateResponse[
[int],
[int],
[
Item[
Title[string],
Artist[string]
]{0,¥}
]
]
SessionKey
CartId
Items
!
!
. . .

64. Sylvain Hallé
http://webservices.amazon.com/AWSECommerceService/
AWSECommerceService.wsdl
https://www.paypal.com/wsdl/PayPalSvc.wsdl
http://api.google.com/GoogleSearch.wsdl
WSDLs for real world web services

65. Sylvain Hallé
<ItemSearch>
</ItemSearch>
beatles
1234
<Artist> </Artist>
<Bizbiz> </Bizbiz>
Defining message formats

66. Sylvain Hallé
<ItemSearch>
</ItemSearch>
beatles
1234
<Artist> </Artist>
<Bizbiz> </Bizbiz>
Defining message formats
ItemSearch[
[string]
]
Artist vs.
?

67. Sylvain Hallé
<ItemSearch>
</ItemSearch>
beatles
1234
<Artist> </Artist>
<Bizbiz> </Bizbiz>
Defining message formats
ItemSearch[
[string]
]
Artist vs.
?

68. Sylvain Hallé
<ItemSearch>
</ItemSearch>
beatles
1234
<Artist> </Artist>
<Bizbiz> </Bizbiz>
Defining message formats
ItemSearch[
[string]
]
Artist vs.
?

69. Sylvain Hallé
<CartCreateResponse>
<SessionKey>
</SessionKey>
<CartId> </CartId>
<Items>
</Items>
</ItemSearchResponse>
1234
abc
...
Defining message formats

70. Sylvain Hallé
<CartCreateResponse>
<SessionKey>
</SessionKey>
<CartId> </CartId>
<Items>
</Items>
</ItemSearchResponse>
1234
abc
...
Defining message formats
CartCreateResponse[
[int],
[int],
[
Item[
Title[string],
Artist[string]
]{0,¥}
]
]
SessionKey
CartId
Items
vs.
!

71. Sylvain Hallé
<CartCreateResponse>
<SessionKey>
</SessionKey>
<CartId> </CartId>
<Items>
</Items>
</ItemSearchResponse>
1234
abc
...
Defining message formats
CartCreateResponse[
[int],
[int],
[
Item[
Title[string],
Artist[string]
]{0,¥}
]
]
SessionKey
CartId
Items
vs.
!

72. Sylvain Hallé
<CartCreateResponse>
<SessionKey>
</SessionKey>
<CartId> </CartId>
<Items>
</Items>
</ItemSearchResponse>
1234
abc
...
Defining message formats
CartCreateResponse[
[int],
[int],
[
Item[
Title[string],
Artist[string]
]{0,¥}
]
]
SessionKey
CartId
Items
vs.
!

73. Sylvain Hallé
What happened?

74. Sylvain Hallé
?
What happened?

75. Sylvain Hallé
?
What happened?

76. Sylvain Hallé
1.
2.
...
What happened?

77. Sylvain Hallé
1.
2.
...
What happened?

78. Sylvain Hallé
2
What happened?

79. Sylvain Hallé
c
What happened?

80. Sylvain Hallé
2
c
What happened?

81. Sylvain Hallé
What happened?

82. Sylvain Hallé
?
2
c
2
c
Interface contracts
All messages comply with the WSDL but...
1.
2.
...

83. Sylvain Hallé
?
2
c
2
c
Interface contracts
You cannot add the same item
twice to the shopping cart
All messages comply with the WSDL but...
1.
2.
...

84. Sylvain Hallé
?
2
c
2
c
Interface contracts
???
You cannot add the same item
twice to the shopping cart
All messages comply with the WSDL but...
1.
2.
...

85. Sylvain Hallé
Interface contracts
???

86. Sylvain Hallé
???
Interface contracts

87. Sylvain Hallé
Free-form messages
Stateful interactions, stateless protocols
No uniform contract notation
Constraints at message level
XML, but that’s about it. No assumptions on nesting,
degree, etc.
HTTP / SOAP define only message structure
No protocol enforces sequential constraints
Plain-text documentation... but OWL, RDF, ...
Components are black boxes (e.g. Amazon)
What are the issues?

88. Sylvain Hallé
The big question
Prevent
contract
violations

89. Sylvain Hallé
1. A priori certification
A trustworthy authority
assesses the client’s
compliance to the contract...
A first solution
Testing, static
verification
etc.

90. Sylvain Hallé
1. A priori certification
A trustworthy authority
assesses the client’s
compliance to the contract...
...and grants a digital
certificate
A first solution

91. Sylvain Hallé
1. A priori certification
A+
The service needs a certificate to
start an exchange with a client
A first solution

92. Sylvain Hallé
The service needs a certificate to
start an exchange with a client
Example: iPhone app certification
1. A priori certification
A+
A first solution

93. Sylvain Hallé
1. A priori certification
Z+
Problem: the client can change after
certification
iPhone jailbreaking,
Javascript prototype hijacking, ...
A first solution

94. Sylvain Hallé
Proposed approach
2. Client-side Runtime
Monitoring
A separate process checks
each message...
CONTRACT

95. Sylvain Hallé
A
2. Client-side Runtime
Monitoring
A separate process checks
each message...
CONTRACT
Proposed approach

96. Sylvain Hallé
A
The message is relayed to the web service
proper when it complies with the contract
2. Client-side Runtime
Monitoring
A separate process checks
each message...
Proposed approach

97. Sylvain Hallé
2. Client-side Runtime
Monitoring
A separate process checks
each message...
...and is discarded when it violates the
contract
Proposed approach

98. Sylvain Hallé
A web service interacts with a web client through the exchange
of semi-structured XML documents called
The service and client are generally designed by
No verification is done on the incoming and outgoing messages:
possible between sent and expected messages (in both
directions)
A priori checking of a client for compliance is
very hard, if not impossible
Runtime monitoring is a possible solution
messages
different
organisations
mismatch
.
.
.
.
Summary (I)

99. Sylvain Hallé
Part Two
Interface contracts in
web applications

100. Sylvain Hallé
Interface contracts
All possible sequences
of all possibles messages
with all possible values

101. Sylvain Hallé
Interface contracts
Constraints
on individual
messages

102. Sylvain Hallé
Interface contracts
Constraints
on sequencesConstraints
on individual
messages

103. Sylvain Hallé
Interface contracts
Constraints
on sequences
Data-aware
sequential constraints
Constraints
on individual
messages

104. Sylvain Hallé
Interface contracts
Interface contract =
valid (error-free) interactions
Constraints
on sequences
Data-aware
sequential constraints
Constraints
on individual
messages

105. Sylvain Hallé
Interface contracts
As a tutorial tool, the Beep Store’s JavaScript client can be told
to ‘‘forget’’ elements of the service’s interface contract
The
Beep
Store
GO
Sign in or register
What is this?
Login
Ask for account
Contact us
Fault parameters
Search: Your Cart
Fault parameters
Don’t check Results’s type
In the detailed search form, sends an ItemSearch message without
checking that the Results element is an integer.
"Add to cart" enabled if item present in cart
Makes the "Add to cart" button available for items that are already in the
user's cart.
Message schemas
Cart manipulations
Highlights
documentation
Disables the
verification

106. Sylvain Hallé
Interface contracts
Dave, my mind
is going...
As a tutorial tool, the Beep Store’s JavaScript client can be told
to ‘‘forget’’ elements of the service’s interface contract

107. Sylvain Hallé
Constraints on individual messages
Examples:
Three types of constraints (I)
<Message>
<Action>ItemSearch</Action>
<Results>5</Results>
<Keyword>beatles</Keyword>
<Page>1</Page>
</Message>

108. Sylvain Hallé
Constraints on individual messages
Examples:
Three types of constraints (I)
1. The element must be an integer between 1 and 20.Page "/M
<Message>
<Action>ItemSearch</Action>
<Results>5</Results>
<Keyword>beatles</Keyword>
<Page>1</Page>
</Message>

109. Sylvain Hallé
Three types of constraints (I)
1. The element must be an integer between 1 and 20.
2. The element is mandatory only if is present,
otherwise it is forbidden.
Page
Page Results
"/M
<Message>
<Action>ItemSearch</Action>
<Results>5</Results>
<Keyword>beatles</Keyword>
<Page>1</Page>
</Message>
Constraints on individual messages
Examples:

110. Sylvain Hallé
Expressing data constraints
Simple XPath
Fetches portions of an XML document according to a
query path = sequence of tags
:set of messages
: set of XML query paths
: set of atomic values
: ´®2
Examples:
(‘‘/a/b/c’’, m) = {1,2,4}
(‘‘/a/b/d’’, m) = Æ
M
M
Q
Q
V
V
p
p
p m
{
<a>
<b>
<c>1</c>
<c>2</c>
</b>
<d>
<c>9</c>
</d>
<b>
<c>3</c>
</b>
</a>

111. Sylvain Hallé
Expressing data constraints
XPath term
Expresses properties over values fetched by XPath expressions
For some message Î, path Î,
"x : j(x) Ûj(v) for every Î( , )
$x : j(x) Ûj(v) for some Î( , )
Examples:
"x : x < 5/a/b/c
$x :/a/b
$x : "y : y £x/a/b/c /a/b/c
m M
mq
mq
q Q
q
q
v
v
p
p
2
<a>
<b>
<c>1</c>
<c>2</c>
</b>
<d>
<c>9</c>
</d>
<b>
<c>3</c>
</b>
</a>
m
{

112. Sylvain Hallé
Expressing data constraints
2
1. The element must be an integer between 1 and 20.
2. The element is mandatory only if is present,
otherwise it is forbidden.
Page
Page Results
"/M
<Message>
<Action>ItemSearch</Action>
<Results>5</Results>
<Keyword>beatles</Keyword>
<Page>1</Page>
</Message>

113. Sylvain Hallé
Expressing data constraints
2
1. " x : x > 0 Ùx < 21/Message/Page
2. The element is mandatory only if is present,
otherwise it is forbidden.
Page Results
<Message>
<Action>ItemSearch</Action>
<Results>5</Results>
<Keyword>beatles</Keyword>
<Page>1</Page>
</Message>

114. Sylvain Hallé
Expressing data constraints
2
1. " x : x > 0 Ùx < 21/Message/Page
2. $ x : Û$ y :/Message/Page /Message/Results
<Message>
<Action>ItemSearch</Action>
<Results>5</Results>
<Keyword>beatles</Keyword>
<Page>1</Page>
</Message>

115. Sylvain Hallé
Constraints on message sequences
Examples:
2
<Message>
<Action>
Login
</Action>
...
</Message>
<Message>
<Action>
LoginResponse
</Action>
...
</Message>
<Message>
<Action>
CartCreate
</Action>
...
</Message>
Three types of constraints (II)

116. Sylvain Hallé
Constraints on message sequences
Examples:
2
3. The request cannot be resent if its response is
successful.
.
Login "/
"/
<Message>
<Action>
Login
</Action>
...
</Message>
<Message>
<Action>
LoginResponse
</Action>
...
</Message>
<Message>
<Action>
CartCreate
</Action>
...
</Message>
Three types of constraints (II)
X

117. Sylvain Hallé
Constraints on message sequences
Examples:
2
3. The request cannot be resent if its response is
successful.
.
4. must follow a successful LoginResponse.
Login
CartCreate
"/
"/
"/
<Message>
<Action>
Login
</Action>
...
</Message>
<Message>
<Action>
LoginResponse
</Action>
...
</Message>
<Message>
<Action>
CartCreate
</Action>
...
</Message>
Three types of constraints (II)
X

118. Sylvain Hallé
Linear Temporal Logic
Alphabet (A)
Set of possible messages
Trace (A*)
Sequence of messages

119. Sylvain Hallé
LTL formula = assertion on the of states in a tracesequence
a "always a"
a "a in the next"
a "eventually a"
a b "a until b"
G
X
F
W
Linear Temporal Logic
G (a ®b)X (d cÚe) WØFALSE TRUE
. . .A A EC CDB B

120. Sylvain Hallé
Well-known results:
1. For every LTL formula j, there exists a Büchi automaton A
such that for every (infinite) trace s:
i.e. LTL describes languages
2. The alphabet symbols can be generalized to finite sets of
Boolean propositions
w-regular
ÞLet’s use XPath terms as our Boolean propositions
Linear Temporal Logic
j
s|= jÛsÎL(A )j

121. Sylvain Hallé
Constraints on message sequences
Examples:
2
3. The request cannot be resent if its response is
successful.
.
4. must follow a successful LoginResponse.
Login
CartCreate
"/
"/
"/
<Message>
<Action>
Login
</Action>
...
</Message>
<Message>
<Action>
LoginResponse
</Action>
...
</Message>
<Message>
<Action>
CartCreate
</Action>
...
</Message>
Three types of constraints (II)
X

122. Sylvain Hallé
Constraints on message sequences
Examples:
2
3. (" a : a = LoginResponse ®/Message/Action
( " a’ : a’ ¹Login))/Message/Action
.
4. must follow a successful LoginResponse.
G
X G
CartCreate "/
<Message>
<Action>
Login
</Action>
...
</Message>
<Message>
<Action>
LoginResponse
</Action>
...
</Message>
<Message>
<Action>
CartCreate
</Action>
...
</Message>
Three types of constraints (II)
X

123. Sylvain Hallé
Constraints on message sequences
Examples:
2
3. (" a : a = LoginResponse ®/Message/Action
( " a’ : a’ ¹Login))/Message/Action
.
4. must follow a successful LoginResponse.
G
X G
CartCreate "/
<Message>
<Action>
Login
</Action>
...
</Message>
<Message>
<Action>
LoginResponse
</Action>
...
</Message>
<Message>
<Action>
CartCreate
</Action>
...
</Message>
Three types of constraints (II)
X
Xpath terms

124. Sylvain Hallé
Constraints on message sequences
Examples:
2
3. (" a : a = LoginResponse ®/Message/Action
( " a’ : a’ ¹Login))/Message/Action
4. (" a : a ¹CartCreate)/Message/Action
(" a’ : a’ =LoginResponse)/Message/Action
G
X G
W
.
<Message>
<Action>
Login
</Action>
...
</Message>
<Message>
<Action>
LoginResponse
</Action>
...
</Message>
<Message>
<Action>
CartCreate
</Action>
...
</Message>
Three types of constraints (II)
X
Xpath terms

125. Sylvain Hallé
The verification can be separated in two steps
Three types of constraints (II)
G
X
Ú
"$
$ G
F
®
1. Temporal step
Determine termporal
relationships to current
message
2. Data step
Evaluate relevant XPath
terms on message

126. Sylvain Hallé
Runtime monitoring
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

127. Sylvain Hallé
Runtime monitoring
j
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

128. Sylvain Hallé
Runtime monitoring
s=
j
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

129. Sylvain Hallé
Runtime monitoring
s=a
j
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

130. Sylvain Hallé
Runtime monitoring
s=a
j
a
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

131. Sylvain Hallé
Runtime monitoring
s=ab
j
a
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

132. Sylvain Hallé
Runtime monitoring
s=ab
j
a b
b
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

133. Sylvain Hallé
Runtime monitoring
s=aba
j
a b
b
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

134. Sylvain Hallé
Runtime monitoring
s=aba
j
a
a
a
b
b
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
on-the-fly

135. Sylvain Hallé
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a
Büchi automaton from a given LTL formula j
Benefit:
" ": automaton states are built as the
trace is read
Dead end: formula is false
on-the-fly
Runtime monitoring
s=aba
j
a
a
a
b
b

136. Sylvain Hallé
Runtime monitoring
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form
sub-formulas that
must be true now
sub-formulas that must
be true in the next state

137. Sylvain Hallé
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form
Example:
sub-formulas that
must be true now
sub-formulas that must
be true in the next state
Runtime monitoring

138. Sylvain Hallé
2. Negations pushed inside (classical identities +
dual of U = V)
3. At the leaves, Gcontains atoms + negations of atoms:
we evaluate them
Verdict:
! All leaves contain : formula is false
! A leaf is : formula is true
! Otherwise:
4. Next event: Dcopied into Gand we continue
FALSE
empty
Runtime monitoring

139. Sylvain Hallé
Example: G (a ®b)X
Runtime monitoring

140. Sylvain Hallé
Example: G (a ®b)X
G (a ®b)X ?
Runtime monitoring

141. Sylvain Hallé
Example: G (a ®b)X
G (a ®b)X ?
a ®bX G (a ®b)X?
Runtime monitoring

142. Sylvain Hallé
Example: G (a ®b)X
G (a ®b)X ?
Øa G (a ®b)X?
a ®bX G (a ®b)X?
Runtime monitoring

143. Sylvain Hallé
Example: G (a ®b)X
G (a ®b)X ?
a, X b G (a ®b)X?Øa G (a ®b)X?
a ®bX G (a ®b)X?
Runtime monitoring

144. Sylvain Hallé
Example: G (a ®b)X
G (a ®b)X ?
a, X b G (a ®b)X?
a G (a ®b), bX?
Øa G (a ®b)X?
a ®bX G (a ®b)X?
Runtime monitoring

145. Sylvain Hallé
Example: G (a ®b)X
a G (a ®b), bX?
Øa G (a ®b)X?
Runtime monitoring

146. Sylvain Hallé
Example: G (a ®b)X
s= a
a G (a ®b), bX?
Øa G (a ®b)X?
Runtime monitoring

147. Sylvain Hallé
Example: G (a ®b)X
s= a
a G (a ®b), bX?
Øa G (a ®b)X?
Runtime monitoring

148. Sylvain Hallé
Example: G (a ®b)X
s= a
a G (a ®b), bX?
Runtime monitoring

149. Sylvain Hallé
Example: G (a ®b)X
s= a
G (a ®b), bX?
Runtime monitoring

150. Sylvain Hallé
Example: G (a ®b)X
s= a
?G (a ®b), bX
G (a ®b), bX?
Runtime monitoring

151. Sylvain Hallé
Example: G (a ®b)X
s= a
a, X b, b G (a ®b)X?
a, b G (a ®b), bX?
Øa, b G (a ®b)X?
a ®b, bX G (a ®b)X?
?G (a ®b), bX
Runtime monitoring

152. Sylvain Hallé
Example: G (a ®b)X
s= a
a, b G (a ®b), bX?
Øa, b G (a ®b)X?
Runtime monitoring

153. Sylvain Hallé
Example: G (a ®b)X
s= a
a, b G (a ®b), bX?
Øa, b G (a ®b)X?
Runtime monitoring

154. Sylvain Hallé
Example: G (a ®b)X
s= a
Øa, b G (a ®b)X?
Runtime monitoring

155. Sylvain Hallé
Example: G (a ®b)X
s= ac
Øa, b G (a ®b)X?
Runtime monitoring

156. Sylvain Hallé
Example: G (a ®b)X
s= ac
Øa, b G (a ®b)X?
Runtime monitoring

157. Sylvain Hallé
Example: G (a ®b)X
s= ac
No way to extend the trace:
formula is false
Runtime monitoring

158. Sylvain Hallé
Data-aware sequential constraints
Examples:
2
5. There can be at most one active cart ID per session key."/
Three types of constraints (III)
<Message>
<SessionKey>123</SessionKey>
<CartId>789</CartId>
...
</Message>
<Message>
<SessionKey>123</SessionKey>
<CartId>789</CartId>
...
</Message>

159. Sylvain Hallé
Data-aware sequential constraints
Examples:
2
5. (" k : " c :/Message/SessionKey /Message/CartId
(" k’ : " c’ :/Message/SessionKey /Message/CartId
k = k’ ®c = c’))
G
G
Three types of constraints (III)
<Message>
<SessionKey>123</SessionKey>
<CartId>789</CartId>
...
</Message>
<Message>
<SessionKey>123</SessionKey>
<CartId>789</CartId>
...
</Message>

160. Sylvain Hallé
Data-aware sequential constraints
Examples:
2
5. (" k : " c :/Message/SessionKey /Message/CartId
(" k’ : " c’ :/Message/SessionKey /Message/CartId
k = k’ ®c = c’))
G
G
Three types of constraints (III)
<Message>
<SessionKey>123</SessionKey>
<CartId>789</CartId>
...
</Message>
<Message>
<SessionKey>123</SessionKey>
<CartId>789</CartId>
...
</Message>

161. Sylvain Hallé
Data-aware sequential constraints
Three types of constraints (III)
2
5. (" k : " c :/Message/SessionKey /Message/CartId
(" k’ : " c’ :/Message/SessionKey /Message/CartId
k = k’ ®c = c’))
G
G

162. Sylvain Hallé
Data-aware sequential constraints
·XPath terms and temporal operators are
mixed
.
·Not just ‘‘LTL with syntactical sugar’’
.
·Not just a pathological case
5. (" k : " c :/Message/SessionKey /Message/CartId
(" k’ : " c’ :/Message/SessionKey /Message/CartId
k = k’ ®c = c’))
G
G
Three types of constraints (III)
2
G
G
"
"
k

163. Sylvain Hallé
Data-aware sequential constraints
Examples:
2
6. You cannot add the same item twice to the shopping cart."/
Three types of constraints (III)
<Message>
<Action>CartAdd</Action>
<Items>
<Item>
<ItemId>567</ItemId>
...
<Message>
<Action>CartAdd</Action>
<Items>
<Item>
<ItemId>567</ItemId>
...
X

164. Sylvain Hallé
Data-aware sequential constraints
Examples:
2
6. (" a : a = CartAdd ®/Message/Action
" i : (" a’ :/Message/ItemId /Message/Action
a’ = CartAdd ®" i’ : i ¹i’ ))/Message/ItemId
G
X G
Three types of constraints (III)
<Message>
<Action>CartAdd</Action>
<Items>
<Item>
<ItemId>567</ItemId>
...
<Message>
<Action>CartAdd</Action>
<Items>
<Item>
<ItemId>567</ItemId>
...
X

165. Sylvain Hallé
Quantification must be relative to the values in the current
message, and not the whole set V of possible values!
Example: ‘‘In every message, the a parameter must equal the b
parameter’’. Suppose V = {1,2}, and classical first-order
quantification.
Runtime monitoring
"x : "y : x = ya b
("y : 1 = y) Ù("y : 1 = y)b b
(1 = 1) Ù(1 = 2) Ù(1 = 1) Ù(1 = 2)
Contradiction
G
G G
G G G G

166. Sylvain Hallé
LTL-FO+
current
(Hallé & Villemaire, EDOC 2008)
Extension of LTL with (limited) first-order quantification on
message elements
·Boolean and LTL operators keep their original meaning
·An XPath term is always meant to refer to the
message in the trace
Runtime monitoring

167. Sylvain Hallé
Adaptation of the runtime monitoring algorithm to handle
LTL-FO+:
1. Atoms become equality tests
2. Decomposition rules for quantifiers
(and vice versa)
Runtime monitoring

168. Sylvain Hallé
Six constraints for the Beep Store
Data-aware constraints
Constraints on message sequences
Constraints on individual messages

169. Sylvain Hallé
Six constraints for the Beep Store
1. The element must be an integer between 1 and 20.
2. The element is mandatory only if is present,
otherwise it is forbidden.
Page
Page Results
Data-aware constraints
Constraints on message sequences

170. Sylvain Hallé
Six constraints for the Beep Store
1. The element must be an integer between 1 and 20.
2. The element is mandatory only if is present,
otherwise it is forbidden.
3. The request cannot be resent if its response is
successful.
4. must follow a successful LoginResponse.
Page
Page Results
Login
CartCreate
Data-aware constraints

171. Sylvain Hallé
1. The element must be an integer between 1 and 20.
2. The element is mandatory only if is present,
otherwise it is forbidden.
3. The request cannot be resent if its response is
successful.
4. must follow a successful LoginResponse.
5. There can be at most one active cart ID per session key.
6. You cannot add the same item twice to the shopping cart.
Page
Page Results
Login
CartCreate
Six constraints for the Beep Store

172. Sylvain Hallé
Why are web service contracts special?
1. Presence of data-aware constraints
·Cannot separate data part from temporal part
in specification AND enforcement
2. Complex messages
·Arbitrary nested structure
·Cannot say ‘ ItemId’’:
there are many!
·Rules out languages that
merely freeze a value in a
variable
‘the
<Message>
<Action>CartAdd</Action>
<Items>
<Item>
<ItemId>567</ItemId>
...
</Item>
<Item>
<ItemId>789</ItemId>
...
</Item>
...
</Items>
</Message>

173. Sylvain Hallé
Enforcing interface contracts at runtime
XMLHttpRequest
·JavaScript object
·Provided by the browser
·All communications to monitor
already centralized: ‘‘no’’
instrumentation

174. Sylvain Hallé
Enforcing interface contracts at runtime
XMLHttpRequestBB

175. Sylvain Hallé
Enforcing interface contracts at runtime
XMLHttpRequestBB
XMLHttpRequest
LTL-FO+
algorithm
·Wrapper around original
·Provides same methods
·Checks messages before
relaying them

176. Sylvain Hallé
Add BeepBeep to an application
myapplication.html
<html>
<head>
<title>
</title>
<script type=" "
href=" "/>
</head>
<body>
</body>
</html>
My Application
...
text/javascript
myapplication.js
?
Include BeepBeep
Copy BeepBeep in the application's directory
http://beepbeep.sourceforge.net

177. Sylvain Hallé
Add BeepBeep to an application
myapplication.html
<html>
<head>
<title>
</title>
<script type=" "
href=" "/>
</head>
<body>
</body>
</html>
My Application
...
text/javascript
myapplication.js
<script type="text/javascript"
href="beepbeep.js"/>
?
Include BeepBeep
Copy BeepBeep in the application's directory
http://beepbeep.sourceforge.net

178. Sylvain Hallé
Add BeepBeep to an application
myapplication.html myapplication.js
<html>
<head>
<title>
</title>
<script type=" "
href=" "/>
</head>
<body>
</body>
</html>
My Application
...
text/javascript
myapplication.js
<script type="text/javascript"
href="beepbeep.js"/>
// Initializations
= ();
()
{
( );
}
...
req XMLHttpRequest
...
abc
...
req. some_message
new
function
send
?
Include BeepBeep
Copy BeepBeep in the application's directory
http://beepbeep.sourceforge.net

179. Sylvain Hallé
Add BeepBeep to an application
beepstore.html beepstore.js
<html>
<head>
<title>
</title>
<script type=" "
href=" "/>
</head>
<body>
</body>
</html>
My Application
...
text/javascript
myapplication.js
<script type="text/javascript"
href="beepbeep.js"/>
// Initializations
= ();
()
{
( );
}
...
req
...
abc
...
req. some_message
new
function
send
XMLHttpRequestBB
Include BeepBeep
?

Copy BeepBeep in the application's directory
http://beepbeep.sourceforge.net

180. Sylvain Hallé
Create a with LTL-FO+ formulascontract file?
Add BeepBeep to an application
# -------------------------------------------------------
# BeepBeep contract file for the Beep Store
# -------------------------------------------------------
% The element Page must be an integer between 1 and 20.
% The element Page is mandatory only if Results is
present, otherwise it is forbidden.
% The Login request cannot be resent if its response
is successful.
; ( p /Message/Page (((p) > ({0})) ((p) < ({21}))))
; ( a /Message/Action (((a) = ({ItemSearch})) (
(( r /Message/Results ({TRUE}))
( p /Message/Page ({TRUE})))
(( p /Message/Page ({TRUE})) (
r /Message/Results ({TRUE}))))))
; ( a /Message/Action (((a) ({LoginResponse}))
( ( ( b /Message/Action ( ((b) ({Login}))))))))
G
G
G
X G
[ ]
[ ]
< >
< >
< >
< >
[ ]
[ ]
&
->
->
&
->
= ->
! =
Caption: used
when violations
are discovered
Plain-text
LTL-FO+
(automatically
parsed)
}

181. Sylvain Hallé
Add BeepBeep to an application
When loading the application, BeepBeep starts as a small
Java applet inside the page
The
Beep
Store
GO
Sign in or register
What is this?
Login
Ask for account
Contact us
Fault parameters
Search: Your Cart
Search results for ‘Beatles’
Rubber Soul
The Beatles
Yellow Submarine
The Beatles

?/?/?/?/?/?:0:0

182. Sylvain Hallé
Add BeepBeep to an application
When loading the application, BeepBeep starts as a small
Java applet inside the page
The
Beep
Store
GO
Sign in or register
What is this?
Login
Ask for account
Contact us
Fault parameters
Search: Your Cart
Search results for ‘Beatles’
Rubber Soul
The Beatles
Yellow Submarine
The Beatles

?/?/?/?/?/?:0:0

183. Sylvain Hallé
BeepBeep’s visible interface
?/?/?/?/?/?:0:0
Current state of monitor
for each property
Number of
messages
processed
Cumulative
processing
time (in ms)
T: last message made it true
t: is true
F: last message made it false
f: is false
?: not yet true/false

184. Sylvain Hallé
An interface contract provides constraints cover the of
each XML message, their and their
An extension of Linear Temporal Logic including a limited form
of quantification over message elements specifies them
of these constraints can be done
efficiently, even with quantification
BeepBeep is a tool that allows it with
on real applications
format
contents ordering
Runtime monitoring
minimal modifications
http://beepbeep.sourceforge.net/
Summary (II)

185. Sylvain Hallé
Bounded-memory fragments of LTL
The forward-only fragment of LTL
(Hallé & Villemaire, SAC 2009)
Applications to runtime monitoring of Java programs
Java-MOP plugin under construction
Symbolic (rather than explicit) handling of quantification
LTL with past operators
Standard web service mechanism for interface contracts?
.
.
Open issues and interesting questions

186. Sylvain Hallé
Open issues and interesting questions
In client-side monitoring...
10

187. Sylvain Hallé
Open issues and interesting questions
In client-side monitoring...
...the server has no guarantee that
monitoring actually takes place
Z
Z
Z
10

188. Sylvain Hallé
In server-side monitoring...
9
Open issues and interesting questions

189. Sylvain Hallé
In server-side monitoring...
Too many clients may overwhelm the
server’s verification process
9
Open issues and interesting questions

190. Sylvain Hallé
Processing savings of
client-side monitoring
Guarantees of server-side
monitoring
11
Open issues and interesting questions

191. Sylvain Hallé
Processing savings of
client-side monitoring
11
Open issues and interesting questions
COOPERATIVE
RUNTIME MONITORING
Best paper award
S. Hallé, Cooperative
runtime monitoring
of LTL Interface Contracts.
Proc. EDOC 2010.Guarantees of server-side
monitoring
COOPERATIVE
RUNTIME MONITORING