causality in message-based interface contracts: a temporal logic "whodunit"
DESCRIPTION
Interface contracts are sets of constraints specifying valid exchanges of messages between two or more peers. A contract violation occurs when one of the peers fails to fulfil one of these constraints and emits a message that is not a valid continuation of a message "trace". In some cases, the message that directly exposes the violation turns out to be the last of a succession of forced moves, while the "root cause" of the violation resides earlier in the trace and may emanate from a different peer. We formally define the notion of causality for interface contracts expressed in a first-order extension of Linear Temporal Logic. In particular, we show how the detection of root causes reduces to satisfiability solving of a precise set of formulæ. An experimental setup shows how causality can be analyzed automatically on a pre-recorded message trace.TRANSCRIPT
![Page 1: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/1.jpg)
Sylvain Hallé
NOSHOW
![Page 2: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/2.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
![Page 3: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/3.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
Player ‘‘O’’ Player ‘‘X’’
![Page 4: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/4.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
Moves
Player ‘‘O’’ Player ‘‘X’’
![Page 5: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/5.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
Moves
Rules
Player ‘‘O’’ Player ‘‘X’’
![Page 6: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/6.jpg)
Sylvain Hallé
Player ‘‘O’’ Player ‘‘X’’
A lighthearted introduction
2
SHOW
Moves
Rules
1. and must alternate
2. Can’t put two symbols
in same square
3. Eventually, there must be
a line of three ’s
X O
O
.
.
![Page 7: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/7.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
Moves
Rules
Player ‘‘O’’ Player ‘‘X’’
![Page 8: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/8.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
Moves
Rules
Player ‘‘O’’ Player ‘‘X’’
![Page 9: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/9.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
Moves
Rules
Player ‘‘O’’ Player ‘‘X’’
![Page 10: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/10.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
Moves
Rules
Player ‘‘O’’ Player ‘‘X’’
![Page 11: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/11.jpg)
Sylvain Hallé
A lighthearted introduction
2
SHOW
Moves
Rules
Game
Player ‘‘O’’ Player ‘‘X’’
![Page 12: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/12.jpg)
Sylvain Hallé
A lighthearted introduction
3
SHOW
‘‘O’’ web service
‘‘X’’ web service
![Page 13: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/13.jpg)
Sylvain Hallé
A lighthearted introduction
SHOW
‘‘O’’ web service
‘‘X’’ web service
Move
3
![Page 14: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/14.jpg)
Sylvain Hallé
A lighthearted introduction
SHOW
‘‘O’’ web service
‘‘X’’ web service
<Move> <Player>X</Player> <Row>1</Row> <Col>A</Col></Move>
Message
3
![Page 15: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/15.jpg)
Sylvain Hallé
A lighthearted introduction
SHOW
‘‘O’’ web service
‘‘X’’ web service
<Move> <Player>X</Player> <Row>1</Row> <Col>A</Col></Move>
Message
Interfacecontract
3
![Page 16: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/16.jpg)
Sylvain Hallé
A lighthearted introduction
SHOW
‘‘O’’ web service
‘‘X’’ web service
Game
<Move> <Player>X</Player> <Row>1</Row> <Col>A</Col></Move>
Message
Interfacecontract
3
![Page 17: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/17.jpg)
Sylvain Hallé
A lighthearted introduction
SHOW
‘‘O’’ web service
‘‘X’’ web service
Transaction
<Move> <Player>X</Player> <Row>1</Row> <Col>A</Col></Move>
Message
Interfacecontract
3
![Page 18: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/18.jpg)
Sylvain Hallé
Shop service
Customerservice
A more serious example
Each has its own on the course of a transaction
requirements
4
![Page 19: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/19.jpg)
Sylvain Hallé
A more serious example
S1.
S2.
S3.
All carts with more than three items arelabelled ‘‘large’’ and must be paid by credit
Every cart created must be cbecked out
Payment mode must be only one of‘‘Credit’’ or ‘‘PayPal’’
.
.
C1. A cart created with a mode of paymentmust be checked out with the same modeof payment
Interface contract = ‘ sum’ (i.e. logical of individual requirements
‘ ’conjunction)
5
![Page 20: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/20.jpg)
Sylvain Hallé
Formalizing interface contracts
The service’s behaviour follows constraints on...
1. Sequences of operations only2. Parameter values only3. Both at the same time
LTL-FO+: extension of LTL with quantifiers on message parameters (Hallé & Villemaire, EDOC 2008)
6
![Page 21: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/21.jpg)
Sylvain Hallé
Formalizing interface contracts
LTL formula= assertion on a (of messages)trace
a "always a" a "the next message is a" a "eventually a"
a b "a until b
But what about data contents?
GXF
W
abacdcbaqqtam...G (a ® b)X (q cÚ t) WØFALSE TRUE
7
![Page 22: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/22.jpg)
Sylvain Hallé
Formalizing interface contracts
What if symbols are XML documents?
LTL-FO+ = LTL + first-order quantification onelements
Let...
p = argument of a function f...filters acceptable values for x...according to the current message s0
$ x : j(x) Û $k : s |= j(k) AND k Îf(s ,p) p 0s |=
8
![Page 23: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/23.jpg)
Sylvain Hallé
Example:
p = a/b
<a>
</a>
12
5
<b> </b><b> </b>
<c> </c>
s =
s0 s1
<d>
</d>
<e> </e><e> </e>
<c> </c><c> </c>
12
56
LTL-FO+
9
![Page 24: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/24.jpg)
Sylvain Hallé
Example:
p = a/b
<a>
</a>
12
5
<b> </b><b> </b>
<c> </c>
s =
s0 s1
<d>
</d>
<e> </e><e> </e>
<c> </c><c> </c>
12
56
XPath expression
LTL-FO+
9
![Page 25: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/25.jpg)
Sylvain Hallé
Example:
0
p = a/bf(s ,p) =
<a>
</a>
12
5
<b> </b><b> </b>
<c> </c>
s =
s0 s1
<d>
</d>
<e> </e><e> </e>
<c> </c><c> </c>
12
56
LTL-FO+
9
![Page 26: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/26.jpg)
Sylvain Hallé
Example:
0
p = a/bf(s ,p) = {1,2}
<a>
</a>
12
5
<b> </b><b> </b>
<c> </c>
s =
s0 s1
<d>
</d>
<e> </e><e> </e>
<c> </c><c> </c>
12
56
LTL-FO+
9
![Page 27: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/27.jpg)
Sylvain Hallé
Example:
1
p = a/bf(s ,p) =
<a>
</a>
12
5
<b> </b><b> </b>
<c> </c>
s =
s0 s1
<d>
</d>
<e> </e><e> </e>
<c> </c><c> </c>
12
56
LTL-FO+
9
![Page 28: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/28.jpg)
Sylvain Hallé
Example:
1
p = a/bf(s ,p) = {}
<a>
</a>
12
5
<b> </b><b> </b>
<c> </c>
s =
s0 s1
<d>
</d>
<e> </e><e> </e>
<c> </c><c> </c>
12
56
LTL-FO+
9
![Page 29: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/29.jpg)
Sylvain Hallé
Example:
<a>
</a>
12
5
<b> </b><b> </b>
<c> </c>
<d>
</d>
<e> </e><e> </e>
<c> </c><c> </c>
12
56
s =
s0 s1
"a/b x : x=1 x=2Ú
"c x : x=5
"c cx : F $ y : x=y"c x : x=5G
TRUE
TRUE
TRUE
FALSE
LTL-FO+
9
![Page 30: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/30.jpg)
Sylvain Hallé
LTL-FO+
10
‘‘ ’’X and must alternateO
![Page 31: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/31.jpg)
Sylvain Hallé
LTL-FO+
10
G ( )
‘‘ ’’X and must alternateO
![Page 32: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/32.jpg)
Sylvain Hallé
LTL-FO+
10
Move/Player p : ( )X " p’ : p=p’G ( )"
‘‘ ’’X and must alternateO
![Page 33: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/33.jpg)
Sylvain Hallé
LTL-FO+
10
Move/Player p : ( )X " p’ : p=p’G ( )"
‘‘ ’’X and must alternateO
![Page 34: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/34.jpg)
Sylvain Hallé
LTL-FO+
10
Move/Player Move/Playerp : ( )X " p’ : p=p’G ( )"
‘‘ ’’X and must alternateO
![Page 35: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/35.jpg)
Sylvain Hallé
LTL-FO+
10
Move/Player Move/Playerp : ( )X " p’ : p=p’G ( )" /
‘‘ ’’X and must alternateO
![Page 36: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/36.jpg)
Sylvain Hallé
LTL-FO+
10
Move/Player Move/Playerp : ( )X " p’ : p=p’G ( )" /
‘‘ ’’X and must alternateO
A trace of messages that an interface contractis noted
satisfies j
m j
m
![Page 37: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/37.jpg)
Sylvain Hallé
If , whose fault is it?
Contract compliance
11
m j/
who dun·it·A whodunit (for "Who['s] done it?") is a complex, plot-driven variety of the detective story in which the puzzle is the main feature of interest. The reader is provided with clues from which the identity of the perpetrator of the crime may be deduced before the solution is revealed in the final pages of the book.
(Wikipedia)
![Page 38: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/38.jpg)
Sylvain Hallé
If , whose fault is it?
Contract compliance
11
m j/
who dun·it·A whodunit (for "Who['s] done it?") is a complex, plot-driven variety of the detective story in which the puzzle is the main feature of interest. The reader is provided with clues from which the identity of the perpetrator of the crime may be deduced before the solution is revealed in the final pages of the book.
(Wikipedia)
![Page 39: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/39.jpg)
Sylvain Hallé
Applications:
Which component does not thestandard correctly?
Which component should the others for the violation?
At runtime: which component should to avoid a violation?
implement
compensate
takea different action
Contract compliance
12
![Page 40: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/40.jpg)
Sylvain Hallé
Direct violation
m
m jm.m j/
A message is a for a trace if:
· and·
m direct violation.
13
![Page 41: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/41.jpg)
Sylvain Hallé
Direct violation
m
m jm.m j/
A message is a for a trace if:
· and·
m direct violation.
13
![Page 42: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/42.jpg)
Sylvain Hallé
Direct violation
X
m
m jm.m j/
A message is a for a trace if:
· and·
m direct violation.
13
![Page 43: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/43.jpg)
Sylvain Hallé
Direct violation
X XO
m
m jm.m j/
A message is a for a trace if:
· and·
m direct violation.
13
![Page 44: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/44.jpg)
Sylvain Hallé
Direct violation
XOX
XXO
m
m jm.m j/
A message is a for a trace if:
· and·
m direct violation.
13
![Page 45: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/45.jpg)
Sylvain Hallé
Direct violation
A message is a for a trace if:
· and·
m direct violation.
XOX
XXO
m
m jm.m j/
13
![Page 46: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/46.jpg)
Sylvain Hallé
Direct violation
A message is a for a trace if:
· and·
m direct violation.
XOX
XXO
m
m jm.m j/1. and must alternate
2. Can’t put two symbols
in same square
3. Eventually, there must be
a line of three ’s
X O
O
.
.
13
![Page 47: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/47.jpg)
Sylvain Hallé
A message is a for a trace if:
· and·
m direct violation.
Hypothesis #1 The sender of is responsible for the contract violationm
Direct violation
XOX
XXO
m
m jm.m j/WANTED
Player ‘ O’‘ ’for violating the
interface contract
13
![Page 48: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/48.jpg)
Sylvain Hallé
A message is a for a trace if:
· and·
m direct violation.
Hypothesis #1 The sender of is responsible for the contract violationm
Direct violation
XOX
XXO
m
m jm.m j/WANTED
Player ‘ O’‘ ’for violating the
interface contract
WANTED
Player ‘ O’‘ ’
for violating the
interface contract
13
![Page 49: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/49.jpg)
Sylvain Hallé
Another example:
Direct violation
XOX
XXO
WANTED
Player ‘ O’‘ ’for violating the
interface contractOO
O
O
XX
XX
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
X
14
![Page 50: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/50.jpg)
Sylvain Hallé
Another example:
Direct violation
XOX
XXO
WANTED
Player ‘ O’‘ ’for violating the
interface contractOO
O
O
XX
XX
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
X
14
![Page 51: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/51.jpg)
Sylvain Hallé
Another example:
Direct violation
XOX
XXO
WANTED
Player ‘ O’‘ ’for violating the
interface contractOO
O
O
XX
XX
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
X
1. and must alternate
2. Can’t put two symbols
in same square
3. Eventually, there must be
a line of three ’s
X O
O
.
.
14
![Page 52: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/52.jpg)
Sylvain Hallé
Another example:
Direct violation
XOX
XXO
WANTED
Player ‘ O’‘ ’for violating the
interface contractOO
O
O
XX
XX
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
X
14
![Page 53: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/53.jpg)
Sylvain Hallé
Another example:
Direct violation
XOX
XXO
WANTED
Player ‘ O’‘ ’for violating the
interface contractOO
O
O
XX
XX
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
X
WANTED
Player ‘ X’‘ ’for violating theinterface contract
14
![Page 54: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/54.jpg)
Sylvain Hallé
A message is a for a trace if:
· and· for any (infinite) suffix , we have
m root violation.
Root violation
m
m’m j
m.m.m’ j/
15
![Page 55: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/55.jpg)
Sylvain Hallé
A message is a for a trace if:
· and· for any (infinite) suffix , we have
Hypothesis #2: The sender of is responsible for the contract violation
m
m
root violation.
Root violation
m
m’m j
m.m.m’ j/
15
![Page 56: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/56.jpg)
Sylvain Hallé
XOX
XXO
OOO
O
XX
XX
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
X
Root violation
16
![Page 57: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/57.jpg)
Sylvain Hallé
XOX
XXO
OOO
O
XX
XX
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
X
Root violation
16
![Page 58: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/58.jpg)
Sylvain Hallé
XOX
XXO
OOO
O
XX
XX
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
X
WANTED
Player ‘ O’‘ ’for violating theinterface contract
Root violation
16
![Page 59: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/59.jpg)
Sylvain Hallé
Observations
SHOW
17
![Page 60: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/60.jpg)
Sylvain Hallé
1. Root violations capture the fact that direct violations aresometimes the result of a sequence of ‘‘ ’’forced moves
Observations
SHOW
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
XOO
O
O
XX
XX
17
![Page 61: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/61.jpg)
Sylvain Hallé
1. Root violations capture the fact that direct violations aresometimes the result of a sequence of ‘‘ ’’
2. The faulty peer as in an ensuing direct violation
forced moves
may not be the same.
Observations
SHOW
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
XOO
O
O
XX
XX
WANTED WANTED
vs.
17
![Page 62: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/62.jpg)
Sylvain Hallé
1. Root violations capture the fact that direct violations aresometimes the result of a sequence of ‘‘ ’’
2. The faulty peer as in an ensuing direct violation
3. The interface contract is not contradictoryin itself: a root violation depends on theactual taken
forced moves
may not be the same
course of actions
.
.
Observations
SHOW
OO
O
XX
XX
OOXX
XO
OXX O
O
O
XX
XOO
O
O
XX
XX
WANTED WANTED
vs.
17
![Page 63: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/63.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTLanticipatory semantics
18
![Page 64: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/64.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTL
1. Create the Büchi automaton equivalent to
anticipatory semantics
M j
a
a
a
b
b
b
18
![Page 65: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/65.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTL
1. Create the Büchi automaton equivalent to
2. Label each state based on language emptiness ( )or not ( )
anticipatory semantics
M.
j
a
a
a
b
b
b
18
![Page 66: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/66.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTL
1. Create the Büchi automaton equivalent to
2. Label each state based on language emptiness ( )or not ( )
3. Read by keeping pointers to states of
anticipatory semantics
M
M
.
.
.
j
m
a
a
a
b
b
b
18
![Page 67: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/67.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTL
1. Create the Büchi automaton equivalent to
2. Label each state based on language emptiness ( )or not ( )
3. Read by keeping pointers to states of
anticipatory semantics
M
M
.
.
.
j
m
m = a
a
a
a
b
b
b
18
![Page 68: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/68.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTL
1. Create the Büchi automaton equivalent to
2. Label each state based on language emptiness ( )or not ( )
3. Read by keeping pointers to states of
anticipatory semantics
M
M
.
.
.
j
m
m = a b
a
a
ab
b
b
18
![Page 69: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/69.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTL
1. Create the Büchi automaton equivalent to
2. Label each state based on language emptiness ( )or not ( )
3. Read by keeping pointers to states of
anticipatory semantics
M
M
.
.
.
:discard any pointer to
j
m
m = a b
a
a
a
b
b
b
18
![Page 70: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/70.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTL
1. Create the Büchi automaton equivalent to
2. Label each state based on language emptiness ( )or not ( )
3. Read by keeping pointers to states of
anticipatory semantics
M
M
.
.
.
:discard any pointer to
j
m
m = a b a
a
a
a
b
b
b
18
![Page 71: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/71.jpg)
Sylvain Hallé
How to find root violations?
Solution #1Bauer et al. (RV 2007): for LTL
1. Create the Büchi automaton equivalent to
2. Label each state based on language emptiness ( )or not ( )
3. Read by keeping pointers to states of
anticipatory semantics
M
M
.
.
.
:discard any pointer to
4. A message is a root violation ifno pointer is left
j
m
m = a b a
a
a
a
b
b
b
18
![Page 72: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/72.jpg)
Sylvain Hallé
a
a
a
b
b
b
Problem:
· Designed for LTL
Sylvain Hallé
How to find root violations?
19
![Page 73: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/73.jpg)
Sylvain Hallé
a
a
a
b
b
b
Problem:
· Designed for LTL
· With LTL-FO+, is infinite.
M
Sylvain Hallé
How to find root violations?
19
![Page 74: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/74.jpg)
Sylvain Hallé
Solution #2Conversion to LTL
1. the domains for each path expression
2. Convert quantifiers into equivalent expressions
Bound.
How to find root violations?
f(_, a/b) Í {1,2}
"a/b a/bx : F $ y : x=y
a/bF $ y : 1=y a/bF $ y : 2=y
becomes
...and so on
If , then
Ù( ) ( )
20
![Page 75: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/75.jpg)
Sylvain Hallé
Solution #2Conversion to LTL
3. The formula is now pure LTL; use solution #1OR
4. Send messages one by one to an LTL model checker
How to find root violations?
20
![Page 76: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/76.jpg)
Sylvain Hallé
Solution #2Conversion to LTL
3. The formula is now pure LTL; use solution #1OR
4. Send messages one by one to an LTL model checker
How to find root violations?
m1 j ?
20
![Page 77: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/77.jpg)
Sylvain Hallé
Solution #2Conversion to LTL
3. The formula is now pure LTL; use solution #1OR
4. Send messages one by one to an LTL model checker
How to find root violations?
m1 j ?m1 m2 j ?
20
![Page 78: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/78.jpg)
Sylvain Hallé
Solution #2Conversion to LTL
3. The formula is now pure LTL; use solution #1OR
4. Send messages one by one to an LTL model checker
How to find root violations?
m1 j ?m1 m2 j ?
m1 m m2 3 j ?
20
![Page 79: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/79.jpg)
Sylvain Hallé
Solution #2Conversion to LTL
3. The formula is now pure LTL; use solution #1OR
4. Send messages one by one to an LTL
The first message that causes the validation to fail isa root violation
model checker
How to find root violations?
m1 j ?m1 m2 j ?
m1 m m2 3 j ?
20
![Page 80: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/80.jpg)
Sylvain Hallé
Problem:
· Requires bounded data domains
· Exponential blow-up of formula
· Non-incremental process
How to find root violations?
21
![Page 81: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/81.jpg)
Sylvain Hallé
Proposed solution
Exploit an on-the-fly algorithm for linear temporal logic
runtime monitoring
.
22
![Page 82: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/82.jpg)
Sylvain Hallé
Proposed solution
Exploit an on-the-fly algorithm for linear temporal logic
1. Monitor state = set of LTL-FO+ formulas
runtime monitoring
.
22
s
![Page 83: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/83.jpg)
Sylvain Hallé
Proposed solution
Exploit an on-the-fly algorithm for linear temporal logic
1. Monitor state = set of LTL-FO+ formulas2. Upon each new message: update state according to
transformation rules
runtime monitoring
.
22
s
![Page 84: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/84.jpg)
Sylvain Hallé
Proposed solution
Exploit an on-the-fly algorithm for linear temporal logic
1. Monitor state = set of LTL-FO+ formulas2. Upon each new message: update state according to
transformation rules
runtime monitoring
.
22
s’
s
![Page 85: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/85.jpg)
Sylvain Hallé
Proposed solution
Exploit an on-the-fly algorithm for linear temporal logic
1. Monitor state = set of LTL-FO+ formulas2. Upon each new message: update state according to
transformation rules3. Compute an outcome function on resulting state
to decide if contract is violated
runtime monitoring
.
22
s’
s
![Page 86: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/86.jpg)
Sylvain Hallé
Proposed solution
Exploit an on-the-fly algorithm for linear temporal logic
1. Monitor state = set of LTL-FO+ formulas2. Upon each new message: update state according to
transformation rules3. Compute an outcome function on resulting state
to decide if contract is violated
runtime monitoring
.
22
s’
![Page 87: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/87.jpg)
Sylvain Hallé
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form
Example:
sub-formulas thatmust be true now
sub-formulas that mustbe true in the next state
Runtime monitoring
23
![Page 88: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/88.jpg)
Sylvain Hallé
2. Negations pushed inside (classical identities + dual of U = V)
3. At the leaves, G contains atoms + negations of atoms:we evaluate them
Verdict:
! All leaves contain : formula is false! A leaf is : formula is true! Otherwise:
4. Next event: D copied into G and we continue
FALSEempty
Runtime monitoring
24
![Page 89: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/89.jpg)
Sylvain Hallé
Example:
Runtime monitoring
G (a ® )X Øa
25
![Page 90: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/90.jpg)
Sylvain Hallé
Example:
G (a ® )X Øa ’
a, X Øa G (a ® )X Øa’
a G (a ® ), X Ø Øa a’
Øa G (a ® )X Øa’
a ® X Øa G (a ® )X Øa’
Runtime monitoring
G (a ® )X Øa
25
![Page 91: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/91.jpg)
Sylvain Hallé
Example:
Runtime monitoring
G (a ® )X Øa
a G (a ® ), X Ø Øa a’
Øa G (a ® )X Øa’
25
![Page 92: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/92.jpg)
Sylvain Hallé
Example:
s = a
Runtime monitoring
G (a ® )X Øa
a G (a ® ), X Ø Øa a’
Øa G (a ® )X Øa’
25
![Page 93: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/93.jpg)
Sylvain Hallé
a G (a ® ), X Ø Øa a’
Øa G (a ® )X Øa’
Example:
s = a
Runtime monitoring
G (a ® )X Øa
25
![Page 94: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/94.jpg)
Sylvain Hallé
a G (a ® ), X Ø Øa a’
Example:
s = a
Runtime monitoring
G (a ® )X Øa
25
![Page 95: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/95.jpg)
Sylvain Hallé
Example:
s = a
Runtime monitoring
G (a ® )X Øa
G (a ® ), X Ø Øa a’
25
![Page 96: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/96.jpg)
Sylvain Hallé
Example:
s = a
Runtime monitoring
G (a ® )X Øa
G (a ® ), X Ø Øa a’
’G (a ® ), X Ø Øa a
25
![Page 97: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/97.jpg)
Sylvain Hallé
Example: G (a ® )X Øa
s = a
a, X , Ø Øa a G (a ® )X Øa’
a, Øa G (a ® ), X Ø Øa a’
a ® b, bX G (a ® )X Øa’
’G (a ® ), X Ø Øa a
Runtime monitoring
Øa G (a ® )X Øa’
25
![Page 98: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/98.jpg)
Sylvain Hallé
Example:
s = a
Runtime monitoring
a, Øa G (a ® ), X Ø Øa a’
G (a ® )X Øa
Øa G (a ® )X Øa’
25
![Page 99: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/99.jpg)
Sylvain Hallé
Example:
s = a
Runtime monitoring
a, Øa G (a ® ), X Ø Øa a’
G (a ® )X Øa
Øa G (a ® )X Øa’
A variable and its negationcan never be true at the sametime
25
![Page 100: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/100.jpg)
Sylvain Hallé
Example:
a, Øa G (a ® ), X Ø Øa a’
s = a
Runtime monitoring
G (a ® )X Øa
Øa G (a ® )X Øa’
25
![Page 101: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/101.jpg)
Sylvain Hallé
Example:
s = a
Runtime monitoring
Øa G (a ® )X Øa’
G (a ® )X Øa
25
![Page 102: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/102.jpg)
Sylvain Hallé
Example:
s = aa
Runtime monitoring
Øa G (a ® )X Øa’
G (a ® )X Øa
25
![Page 103: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/103.jpg)
Sylvain Hallé
Example:
s = aa
Runtime monitoring
Øa G (a ® )X Øa’
G (a ® )X Øa
25
![Page 104: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/104.jpg)
Sylvain Hallé
Example:
s = aa
No way to extend the trace:formula is false, i.e. message c
is a of the formuladirect violation
Runtime monitoring
G (a ® )X Øa
25
![Page 105: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/105.jpg)
Sylvain Hallé
By construction (Gerth et al., PSTV 1995):
Let = be a monitor node resulting from theprocessing of a message The message is a violation of the conditions in if and only if it contains
for some proposition p.
N
Nm. direct
Detecting direct violations
p Ù Øp
26
![Page 106: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/106.jpg)
Sylvain Hallé
By construction (Gerth et al., PSTV 1995):
Let = be a monitor node resulting from theprocessing of a message The message is a violation of the conditions in if and only if it contains
for some proposition p.
Consequence
is a if this happens for all leaf nodes
N
Nm
m
. direct
direct violation
Detecting direct violations
p Ù Øp
26
![Page 107: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/107.jpg)
Sylvain Hallé
Theorem
Let = be a monitor node resulting from theprocessing of a message The message is a violation of the conditions in if and only if the formula
is unsatisfiable. (See paper for the proof!)
N
Nm. root
Detecting root violations
Ù D( )Ù G( ) Ù X
27
![Page 108: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/108.jpg)
Sylvain Hallé
Theorem
Let = be a monitor node resulting from theprocessing of a message The message is a violation of the conditions in if and only if the formula
is unsatisfiable. (See paper for the proof!)
Consequence
is a if this happens for all leaf nodes
N
Nm
m
. root
root violation
Detecting root violations
Ù D( )Ù G( ) Ù X
27
![Page 109: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/109.jpg)
Sylvain Hallé
1. In the algorithm, each leaf node represents a possible set ofconditions for a valid extension of the current trace
2. If the conditions are contradictory, no trace extension canever satisfy them
3. The formula p Ù Øp is a special case of ,where the contradiction occurs in the current message
4. Detection of root violations reduces to satisfiability solving ofsome set of LTL formulas
.
.
Intuition
sub-formulas thatmust be true now
sub-formulas that mustbe true in the next state
Ù D( )Ù G( ) Ù X
28
![Page 110: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/110.jpg)
Sylvain Hallé
Decomposition rules can be added to deal with LTL-FO+; the definition of root violation does not change
1. Atoms become equality tests
2. Decomposition rules for quantifiers
Adding first-order quantifiers
(and vice versa)
29
![Page 111: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/111.jpg)
Sylvain Hallé
A workflow for root violation detection
30
![Page 112: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/112.jpg)
Sylvain Hallé
A workflow for root violation detection
1 1 n n. . . }
Leaf nodes from currentmonitor state
30
![Page 113: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/113.jpg)
Sylvain Hallé
A workflow for root violation detection
m
1 1 n n. . . }
Incomingmessage
30
![Page 114: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/114.jpg)
Sylvain Hallé
A workflow for root violation detection
m UPDATE
1 1 n n. . . }
Monitorupdate function
30
![Page 115: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/115.jpg)
Sylvain Hallé
A workflow for root violation detection
m UPDATE
1 1 n n. . . } }
. . .
1 1' '
k k' '
New leaf nodes
30
![Page 116: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/116.jpg)
Sylvain Hallé
A workflow for root violation detection
m UPDATE
1 1 n n. . . } }
. . .
1 1' '
k k' '
Node sent to LTL-FO+satisfiability solver
S
30
![Page 117: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/117.jpg)
Sylvain Hallé
A workflow for root violation detection
m UPDATE
1 1 n n. . . } } 1 1
' '
. . .
1 1' '
k k' '
SAT
Kept ifsatisfiable
S
30
![Page 118: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/118.jpg)
Sylvain Hallé
A workflow for root violation detection
m UPDATE
1 1 n n. . . } } 1 1
' '
. . .
1 1' '
k k' '
SAT
UNSAT
X Deleted if not
S
30
![Page 119: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/119.jpg)
Sylvain Hallé
A workflow for root violation detection
m UPDATE
1 1 n n. . . } } 1 1
' '
. . .
1 1' '
k k' '
k k' '
SAT
SAT
UNSAT
UNSAT
X
Repeat for every node
S
S
30
![Page 120: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/120.jpg)
Sylvain Hallé
A workflow for root violation detection
m UPDATE
1 1 n n. . . } } 1 1
' '
. . .
1 1' '
k k' '
k k' '
SAT
SAT
UNSAT
UNSAT
X
New monitornodes
S
S
30
![Page 121: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/121.jpg)
Sylvain Hallé
A workflow for root violation detection
m UPDATE
1 1 n n. . . } } 1 1
' '
. . .
1 1' '
k k' '
k k' '
S
S
SAT
SAT
UNSAT
UNSAT
X
Declare root violation if no node remains after pruning
30
![Page 122: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/122.jpg)
Sylvain Hallé
(Hallé & Villemaire, 2011) used as theLTL-FO+ runtime monitor
(Ludwig & Hustadt, 2010) used as thetemporal satisfiability solver
100 randomly-generated traces of shopping carttransactions
Validation of the shopping cart contract
BeepBeep
TSPASS
Experimental setup
S
31
![Page 123: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/123.jpg)
Sylvain Hallé
< 1
40
20
30
10
0
1-2 2-3 3-4 > 4
Num
ber
of t
race
s
Overhead
Experiment 1: overhead incurred by use of a solver
Experimental results
Solver time:13 ms / message
32
![Page 124: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/124.jpg)
Sylvain Hallé
Experiment 2: difference (in messages) between root and direct violation
0
80
60
40
20
0
1-5 6-10 11-15 16-20
Num
ber
of t
race
s
Length difference
Violation detected‘‘in advance’’: 18%
less messages consumed
Experimental results
33
![Page 125: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/125.jpg)
Sylvain Hallé
The concept of violation is a one:parameterized
Future work
34
s’
s
![Page 126: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/126.jpg)
Sylvain Hallé
The concept of violation is a one:parameterized
Future work
34
Call an error whenthe current trace cannot be
extended by at least suffixes with at leastn
k messages
s’
s
![Page 127: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/127.jpg)
Sylvain Hallé
The concept of violation is a one:
= ‘ lookahead’
parameterized
k ‘ ’ = ‘‘degree of freedom’’n
Future work
34
Call an error whenthe current trace cannot be
extended by at least suffixes with at leastn
k messages
s’
s
![Page 128: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/128.jpg)
Sylvain Hallé
The concept of violation is a one:
= ‘ lookahead’
parameterized
k ‘ ’ = ‘‘degree of freedom’’
· Direct violation=1, =1
n
n k
Future work
34
Call an error whenthe current trace cannot be
extended by at least suffixes with at leastn
k messages
s’
s
![Page 129: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/129.jpg)
Sylvain Hallé
The concept of violation is a one:
= ‘ lookahead’
parameterized
k ‘ ’ = ‘‘degree of freedom’’
· Direct violation=1, =1
· Root cause=1, =¥
n
n
n
k
k
Future work
34
Call an error whenthe current trace cannot be
extended by at least suffixes with at leastn
k messages
s’
s
![Page 130: Causality in Message-Based Interface Contracts: A Temporal Logic "Whodunit"](https://reader033.vdocuments.pub/reader033/viewer/2022051110/54b755f24a7959737d8b45a4/html5/thumbnails/130.jpg)
Sylvain Hallé
1. The peer responsible for an interface contract violation
2. A occurs when no infinite extension of thecurrent transaction can ever fulfill an interface contract
3. Using LTL-FO+ as the specification language, reductionto the propositional case results in an
4. Leveraging on a runtime monitoring algorithm, root causedetection reduces to satisfiability solving
5. An experimental setup can detect directviolations ahead of time with reasonableoverhead
maynot cause it directly
root violation
infinite search problem
.
.
.
.
Take-home points
35