Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)
DESCRIPTION
Requirements on message-based interactions can be formalized as an interface contract that specifies constraints on the sequence of messages that can be exchanged by multiple parties. At runtime, each peer can monitor incoming messages and check that the contract is being followed by its respective senders. We introduce cooperative runtime monitoring, where a recipient "delegates" its monitoring task to the sender, which is required to provide evidence that the message it sends complies with the contract. In turn, this evidence can be quickly checked by the recipient, which is then guaranteed of the sender's compliance with the contract without doing the monitoring computation itself. A particular application of this concept is shown on web services, where service providers can monitor and enforce contract compliance of third-party clients at a small cost on the server side, without having to certify or digitally sign those clients.
TRANSCRIPT
![Page 1: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/1.jpg)
Sylvain Hallé
Fonds de recherche sur la nature et les technologies
CRSNG / NSERC
![Page 2: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/2.jpg)
For more information, visit my web site: www.leduotang.com/sylvain
![Page 3: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/3.jpg)
Context
The Client
![Page 4: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/4.jpg)
Context
The Server and The Client
![Page 5: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/5.jpg)
Context
The Client, The Server and a message A
![Page 6: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/6.jpg)
Context
Request message A, sent by The Client to The Server
![Page 7: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/7.jpg)
Context
Messages A and B
![Page 8: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/8.jpg)
Context
Response message B, returned by The Server to The Client
![Page 9: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/9.jpg)
Context
Alphabet (A): set of possible messages
![Page 10: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/10.jpg)
Context
Alphabet (A): set of possible messages
Trace (A*): sequence of messages
![Page 11: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/11.jpg)
Context
Alphabet (A): set of possible messages
Trace (A*): sequence of messages
State: abstraction of a trace
![Page 12: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/12.jpg)
Context
Transition function (δ)
![Page 13: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/13.jpg)
Context
Transition function (δ): takes a message from the alphabet A...
![Page 14: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/14.jpg)
Context
Transition function (δ): takes a message from the alphabet A and a state s from the set of states S...
![Page 15: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/15.jpg)
Context
Transition function (δ): takes a message from the alphabet A and a state s ∈ S, and returns the next state s'
![Page 16: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/16.jpg)
Context
Transition function (δ): takes a message from the alphabet A and a state s ∈ S, and returns the next state s', or the sink state ∅ when the message is not allowed in s
![Page 17: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/17.jpg)
Context
Transition function (δ): $\delta : A \times S \to S$, with ∅ the sink state reached when a message is not allowed
Extended to a whole trace from the initial state $s_0$: $\delta(a_0 a_1 \ldots a_n) \equiv \delta(a_n, \delta(\ldots \delta(a_0, s_0) \ldots))$
![Page 18: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/18.jpg)
Context
Transition function (δ): $\delta : A \times S \to S$
$\delta(a_0 a_1 \ldots a_n) \equiv \delta(a_n, \delta(\ldots \delta(a_0, s_0) \ldots))$
Interface contract (κ): defines the valid traces; $\kappa : A^* \to \{T, F\}$
![Page 19: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/19.jpg)
Context
Transition function (δ): $\delta : A \times S \to S$
$\delta(a_0 a_1 \ldots a_n) \equiv \delta(a_n, \delta(\ldots \delta(a_0, s_0) \ldots))$
Interface contract (κ): defines the valid traces; $\kappa : A^* \to \{T, F\}$
A trace is valid when $\kappa(a_0 a_1 \ldots a_n) = T$
![Page 20: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/20.jpg)
Context
Transition function (δ): $\delta : A \times S \to S$
$\delta(a_0 a_1 \ldots a_n) \equiv \delta(a_n, \delta(\ldots \delta(a_0, s_0) \ldots))$
Interface contract (κ): defines the valid traces; $\kappa : A^* \to \{T, F\}$
The contract and the transition function are linked by an equivalence (⇔) between $\kappa(a_0 a_1 \ldots a_n) = T$ and the state reached by δ
![Page 21: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/21.jpg)
Context
Transition function (δ): $\delta : A \times S \to S$
$\delta(a_0 a_1 \ldots a_n) \equiv \delta(a_n, \delta(\ldots \delta(a_0, s_0) \ldots))$
Interface contract (κ): defines the valid traces; $\kappa : A^* \to \{T, F\}$
$\kappa(a_0 a_1 \ldots a_n) = T \iff \delta(a_0 a_1 \ldots a_n) \neq \emptyset$
![Page 22: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/22.jpg)
A general framework
A Client sends a message A to a Server; an interface contract constrains the exchange
![Page 23: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/23.jpg)
A general framework
Example: a Java program using the Iterator class, where each message A is a method call.
Contract: two calls of the method next() must be separated by at least one occurrence of hasNext().
![Page 24: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/24.jpg)
A general framework
Example: an Ajax web client calling a web service, where each message A is an XML message.
Contract: if CartClear is invoked, no CartModify or CartRemove can occur before a new CartAdd.
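The cart contract above written out as the transition function and interface contract of the preceding slides, as an added example that is not part of the original slides or of any tool by the author. It is table-driven Python: δ: A × S → S with `None` standing in for the sink state ∅, δ extended to a trace by folding, κ derived from it as "the trace does not end in the sink", and the server-side monitor of the "current solutions" slides that relays a compliant message and discards a violating one. The two state names (`open`, `cleared`) and the choice of initial state are assumptions made for the example.

```python
"""Interface contract as a transition function (constructed example).

The slides' shopping-cart contract, "if CartClear is invoked, no CartModify
or CartRemove can occur before a new CartAdd", encoded as delta: A x S -> S.
None plays the role of the sink state (the slides' empty set)."""
from typing import Dict, List, Optional, Sequence, Tuple

Message = str
State = Optional[str]

EMPTY: State = None                  # the sink state: contract violated
INITIAL: State = "open"              # assumption: no CartClear pending a CartAdd
ALPHABET = {"CartAdd", "CartModify", "CartRemove", "CartClear"}

# delta as a table; a (message, state) pair that is absent keeps the state.
TRANSITIONS: Dict[Tuple[Message, str], State] = {
    ("CartClear", "open"): "cleared",
    ("CartAdd", "cleared"): "open",
    ("CartModify", "cleared"): EMPTY,   # forbidden until a new CartAdd
    ("CartRemove", "cleared"): EMPTY,
}

def delta(message: Message, state: State) -> State:
    """One step of delta: A x S -> S. The sink absorbs every message."""
    if message not in ALPHABET:
        raise ValueError(f"message {message!r} is not in the alphabet")
    if state is EMPTY:
        return EMPTY
    return TRANSITIONS.get((message, state), state)

def delta_trace(trace: Sequence[Message], state: State = INITIAL) -> State:
    """delta(a_0 a_1 ... a_n) = delta(a_n, delta(... delta(a_0, s_0) ...))."""
    for message in trace:
        state = delta(message, state)
    return state

def kappa(trace: Sequence[Message]) -> bool:
    """kappa(a_0 ... a_n) = T  <=>  delta(a_0 ... a_n) is not the sink."""
    return delta_trace(trace) is not EMPTY

class ServerSideMonitor:
    """'Current solution 2' of the slides: a process in front of the application
    that checks each incoming message, relays it when it complies with the
    contract and discards it (without advancing the state) when it does not."""

    def __init__(self) -> None:
        self.state: State = INITIAL
        self.relayed: List[Message] = []
        self.discarded: List[Message] = []

    def receive(self, message: Message) -> bool:
        next_state = delta(message, self.state)
        if next_state is EMPTY:
            self.discarded.append(message)
            return False
        self.state = next_state
        self.relayed.append(message)
        return True

def filter_trace(trace: Sequence[Message]) -> Tuple[List[Message], List[Message]]:
    """Run a trace through the monitor; returns (relayed, discarded) messages."""
    monitor = ServerSideMonitor()
    for message in trace:
        monitor.receive(message)
    return monitor.relayed, monitor.discarded
```

Because the sink absorbs every later message, `kappa` is false for any trace with a violation anywhere in it; the monitor instead drops only the offending message, so the messages it relays always form a valid trace, which is the property the server actually needs.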
![Page 25: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/25.jpg)
Contract violations
What happens when the contract is violated?
- Error messages
- Non-sensical data returned
- Compensation mechanisms
- Wasted processing time
- Security breaches
- Etc.
![Page 26: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/26.jpg)
The big question
Prevent contract violations
![Page 27: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/27.jpg)
Current solutions
1. A priori certification
A trustworthy authority assesses the client's compliance to the contract (testing, static verification, etc.)...
![Page 28: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/28.jpg)
Current solutions
1. A priori certification
...and grants a digital certificate
![Page 29: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/29.jpg)
Current solutions
1. A priori certification
The service needs a certificate to start an exchange with a client
![Page 30: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/30.jpg)
Current solutions
1. A priori certification
The service needs a certificate to start an exchange with a client
Example: iPhone app certification
![Page 31: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/31.jpg)
Current solutions
1. A priori certification
Problem: the client can change after certification (iPhone jailbreaking, JavaScript prototype hijacking, ...)
![Page 32: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/32.jpg)
Current solutions
2. Server-side runtime monitoring
A separate process checks each incoming message A...
![Page 33: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/33.jpg)
Current solutions
2. Server-side runtime monitoring
A separate process checks each incoming message A...
The message is relayed to the application proper when it complies with the contract
![Page 34: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/34.jpg)
Current solutions
2. Server-side runtime monitoring
A separate process checks each incoming message...
...and the message is discarded when it violates the contract
![Page 35: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/35.jpg)
Current solutions
2. Server-side runtime monitoring
Problem: computational load on the server side
![Page 36: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/36.jpg)
Current solutions
3. Client-side runtime monitoring
Each client has a separate process that validates its messages A before sending them
![Page 37: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/37.jpg)
Current solutions
3. Client-side runtime monitoring
Problem: the server has no guarantee that monitoring actually takes place
![Page 38: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/38.jpg)
Goal
Processing savings of client-side monitoring
Guarantees of server-side monitoring
![Page 39: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/39.jpg)
Goal
Processing savings of client-side monitoring + guarantees of server-side monitoring = cooperative runtime monitoring
![Page 40: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/40.jpg)
Goal
[Chart: computational savings (0 to 100%) on one axis, guarantees (none to complete) on the other]
![Page 41: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/41.jpg)
Goal
[Chart: computational savings (0 to 100%) against guarantees (none to complete); point plotted: client-side monitoring]
![Page 42: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/42.jpg)
Goal
[Chart: computational savings (0 to 100%) against guarantees (none to complete); points plotted: client-side monitoring, server-side monitoring]
![Page 43: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/43.jpg)
Goal
[Chart: computational savings against guarantees; points: client-side monitoring, server-side monitoring; a "?" marks the sought-after combination of both]
![Page 44: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/44.jpg)
Goal
[Chart: computational savings against guarantees; points: client-side monitoring, server-side monitoring]
![Page 45: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/45.jpg)
Goal
[Chart: computational savings against guarantees; points: client-side monitoring, server-side monitoring]
No way to preserve complete guarantees while saving computation
![Page 46: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/46.jpg)
Goal
[Chart: computational savings against guarantees; points: client-side monitoring, server-side monitoring]
![Page 47: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/47.jpg)
Goal
[Chart: computational savings against guarantees; points: client-side monitoring, server-side monitoring]
Potential for cooperation between the two
![Page 48: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/48.jpg)
Cooperative runtime monitoring
Both the server- and client-side monitors maintain the current state (s) of the message exchange
![Page 49: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/49.jpg)
Cooperative runtime monitoring
From its current state (s) and the new message (A), the client-side monitor computes γ...
![Page 50: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/50.jpg)
Cooperative runtime monitoring
From its current state (s) and the new message (A), the client-side monitor computes γ:
$\gamma(s, A) = (s', \text{proof})$
s' is the new contract state; the "proof" is evidence that A is a valid extension of the message exchange
![Page 51: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/51.jpg)
Cooperative runtime monitoring
The proof is sent with the message: A + proof
![Page 52: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/52.jpg)
Cooperative runtime monitoring
From its current state (s), the incoming message (A) and the proof, the server-side monitor computes μ and ν...
![Page 53: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/53.jpg)
Cooperative runtime monitoring
From its current state (s), the incoming message (A) and the proof, the server-side monitor computes μ and ν:
$\mu(A, \text{proof}) \in \{T, F\}$: whether the proof is consistent with the accompanying message
$\nu(s, \text{proof}) = s'$: the new contract state
![Page 54: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/54.jpg)
Cooperative runtime monitoring
Both sides agree on the new current state (s')
![Page 55: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/55.jpg)
Cooperative runtime monitoring
Both sides agree on the new current state (s')
The client computes it from s and A
![Page 56: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/56.jpg)
Cooperative runtime monitoring
Both sides agree on the new current state (s')
The client computes it from s and A
The server computes it from s and the proof
![Page 57: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/57.jpg)
Requirements
Client: $\gamma(s, A) = (s', \text{proof})$; sent: A + proof; server: $\mu(A, \text{proof}) \in \{T, F\}$ and $\nu(s, \text{proof}) = s'$
![Page 58: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/58.jpg)
Requirements
Client: $\gamma(s, A) = (s', \text{proof})$; sent: A + proof; server: $\mu(A, \text{proof}) \in \{T, F\}$ and $\nu(s, \text{proof}) = s'$
1. The proof must be unspoofable: if A is not a valid continuation from state s, then for any proof, either $\mu(A, \text{proof}) = F$ or $\nu(s, \text{proof}) = \emptyset$
2. The proof must be equivalent to contract monitoring: if A is a valid continuation from state s to state s', then for the proof returned by γ(s, A), $\mu(A, \text{proof}) = T$ and $\nu(s, \text{proof}) = s'$
3. Checking the proof must be easy (i.e. polynomial)
![Page 59: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/59.jpg)
Requirements
Client: $\gamma(s, A) = (s', \text{proof})$; sent: A + proof; server: $\mu(A, \text{proof}) \in \{T, F\}$ and $\nu(s, \text{proof}) = s'$
1. The proof must be unspoofable: if A is not a valid continuation from state s, then for any proof, either $\mu(A, \text{proof}) = F$ or $\nu(s, \text{proof}) = \emptyset$
2. The proof must be equivalent to contract monitoring: if A is a valid continuation from state s to state s', then for the proof returned by γ(s, A), $\mu(A, \text{proof}) = T$ and $\nu(s, \text{proof}) = s'$
3. Checking the proof must be easy (i.e. polynomial)
![Page 60: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/60.jpg)
Requirements
Client: $\gamma(s, A) = (s', \text{proof})$; sent: A + proof; server: $\mu(A, \text{proof}) \in \{T, F\}$ and $\nu(s, \text{proof}) = s'$
1. The proof must be unspoofable: if A is not a valid continuation from state s, then for any proof, either $\mu(A, \text{proof}) = F$ or $\nu(s, \text{proof}) = \emptyset$
2. The proof must be equivalent to contract monitoring: if A is a valid continuation from state s to state s', then for the proof returned by γ(s, A), $\mu(A, \text{proof}) = T$ and $\nu(s, \text{proof}) = s'$
3. Checking the proof must be easy (i.e. polynomial)
![Page 61: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/61.jpg)
Requirements
Client: $\gamma(s, A) = (s', \text{proof})$; sent: A + proof; server: $\mu(A, \text{proof}) \in \{T, F\}$ and $\nu(s, \text{proof}) = s'$
1. The proof must be unspoofable: if A is not a valid continuation from state s, that is $\delta(s, A) = \emptyset$, then for any proof, either $\mu(A, \text{proof}) = F$ or $\nu(s, \text{proof}) = \emptyset$
2. The proof must be equivalent to contract monitoring: if A is a valid continuation from state s to state s', then for the proof returned by γ(s, A), $\mu(A, \text{proof}) = T$ and $\nu(s, \text{proof}) = s'$
3. Checking the proof must be easy (i.e. polynomial)
![Page 62: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/62.jpg)
Requirements
Client: $\gamma(s, A) = (s', \text{proof})$; sent: A + proof; server: $\mu(A, \text{proof}) \in \{T, F\}$ and $\nu(s, \text{proof}) = s'$
1. The proof must be unspoofable: if A is not a valid continuation from state s, that is $\delta(s, A) = \emptyset$, then for any proof, either $\mu(A, \text{proof}) = F$ or $\nu(s, \text{proof}) = \emptyset$
2. The proof must be equivalent to contract monitoring: if A is a valid continuation from state s to state s', that is $\delta(s, A) = s'$, then $\gamma(s, A) = (s', \text{proof})$ with $\mu(A, \text{proof}) = T$ and $\nu(s, \text{proof}) = s'$
3. Checking the proof must be easy (i.e. polynomial)
![Page 63: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/63.jpg)
Requirements
Client: $\gamma(s, A) = (s', \text{proof})$; sent: A + proof; server: $\mu(A, \text{proof}) \in \{T, F\}$ and $\nu(s, \text{proof}) = s'$
1. The proof must be unspoofable: if A is not a valid continuation from state s, that is $\delta(s, A) = \emptyset$, then for any proof, either $\mu(A, \text{proof}) = F$ or $\nu(s, \text{proof}) = \emptyset$
2. The proof must be equivalent to contract monitoring: if A is a valid continuation from state s to state s', that is $\delta(s, A) = s'$, then $\gamma(s, A) = (s', \text{proof}) \Rightarrow \mu(A, \text{proof}) = T$ and $\nu(s, \text{proof}) = s'$
3. Checking the proof must be easy (i.e. polynomial): the proof plays the role of an NP certificate, so the problems decided by μ and ν must be in NP, with the proof checkable in polynomial time
![Page 64: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/64.jpg)
Expressing an interface contract
LTL formula = assertion on a trace (of messages)
Gerth, Peled, Vardi, Wolper (PSTV 1995): on-the-fly runtime monitoring algorithm for LTL
Temporal operators: G a, "always a"; X a, "the next message is a"; F a, "eventually a"; a W b, "a until b"
Example trace: a b a c d c b a q q t a m ...; on it, $G(a \to X b)$ is FALSE and $(q \vee t)\,W\,\neg c$ is TRUE
![Page 65: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/65.jpg)
Classical LTL runtime monitoring
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form (Γ, Δ), where Γ holds the sub-formulas that must be true now and Δ the sub-formulas that must be true in the next state
![Page 66: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/66.jpg)
Classical LTL runtime monitoring
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form (Γ, Δ), where Γ holds the sub-formulas that must be true now and Δ the sub-formulas that must be true in the next state
Example: [decomposition tree shown on the slide]
![Page 67: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/67.jpg)
Classical LTL runtime monitoring
2. Negations are pushed inside (classical identities + the dual of U, which is V)
3. At the leaves, Γ contains only atoms and negations of atoms: we evaluate them on the current message
Verdict:
- All leaves contain FALSE: the formula is false
- A leaf is empty: the formula is true
- Otherwise: no verdict yet, continue with the next event
4. Next event: Δ is copied into Γ and we continue
![Page 68: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/68.jpg)
Classical LTL runtime monitoring
Example: $G(p \wedge (X q \vee F s))$
[Decomposition tree: G at the root, then ∧, then the two disjunctive branches ∨₁ (X q) and ∨₂ (F s), each branch also requiring p now]
![Page 69: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/69.jpg)
Classical LTL runtime monitoring
Example: $G(p \wedge (X q \vee F s))$
If p is true and s is false in the current message m, then...
[Decomposition tree: G, ∧, branches ∨₁ (X q) and ∨₂ (F s), with p evaluated on m in each branch and s evaluated on the ∨₂ branch]
![Page 70: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/70.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
[Decomposition tree of $G(p \wedge (X q \vee F s))$, from state s to state s']
![Page 71: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/71.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof =
![Page 72: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/72.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof = G
![Page 73: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/73.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof = G, ∧
![Page 74: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/74.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof = G, ∧, ∨₁
![Page 75: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/75.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof = G, ∧, ∨₁, X
![Page 76: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/76.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof = G, ∧, ∨₁, X, p
![Page 77: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/77.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof = path G, ∧, ∨₁, X, p, whose leaf carries the next-state obligations $\{q,\ G(p \wedge (X q \vee F s))\}$
![Page 78: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/78.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof = path G, ∧, ∨₁, X, p, with next-state obligations $\{q,\ G(p \wedge (X q \vee F s))\}$
+ path G, ∧, ∨₂, F, p, with next-state obligations $\{F s,\ G(p \wedge (X q \vee F s))\}$
![Page 79: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/79.jpg)
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf
proof = path G, ∧, ∨₁, X, p, with next-state obligations $\{q,\ G(p \wedge (X q \vee F s))\}$
+ path G, ∧, ∨₂, F, p, with next-state obligations $\{F s,\ G(p \wedge (X q \vee F s))\}$
3. The combination of the two gives us $\gamma(s, A) = (s', \text{proof})$
![Page 80: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/80.jpg)
Intuition for μ
Given a message (A) and a proof, one can check that the atoms in the paths are indeed true in the message ("Is p true in A?")...
proof = path G, ∧, ∨₁, X, p, with next-state obligations $\{q,\ G(p \wedge (X q \vee F s))\}$
+ path G, ∧, ∨₂, F, p, with next-state obligations $\{F s,\ G(p \wedge (X q \vee F s))\}$
...this computes $\mu(A, \text{proof})$
![Page 81: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/81.jpg)
Intuition for ν
From an initial state (s), one can "peel off" the formula according to the path given by the proof...
proof = path G, ∧, ∨₁, X, p, with next-state obligations $\{q,\ G(p \wedge (X q \vee F s))\}$
+ path G, ∧, ∨₂, F, p, with next-state obligations $\{F s,\ G(p \wedge (X q \vee F s))\}$
Starting formula: $G(p \wedge (X q \vee F s))$
![Page 82: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/82.jpg)
Intuition for ν
From an initial state (s), one can "peel off" the formula according to the path given by the proof...
Following the first path, G, ∧, ∨₁, X, p:
Step G: $G(p \wedge (X q \vee F s))$ is kept for the next state and its argument must hold now
![Page 83: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/83.jpg)
Intuition for ν
From an initial state (s), one can "peel off" the formula according to the path given by the proof...
After peeling G: $p \wedge (X q \vee F s)$ must hold now
![Page 84: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/84.jpg)
Intuition for ν
From an initial state (s), one can "peel off" the formula according to the path given by the proof...
Step ∧: both conjuncts of $p \wedge (X q \vee F s)$ must hold now
![Page 85: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/85.jpg)
Intuition for ν
From an initial state (s), one can "peel off" the formula according to the path given by the proof...
After peeling ∧: p and $(X q \vee F s)$ must hold now
![Page 86: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/86.jpg)
Sylvain Hallé
From an initial state ( ), one can ‘‘peel off’’ the formula according to the path given by the proof...
s
NOINC
G, Ù, Ú, 1 , p
{q, (p Ù ( q Ú s))}
X
G X F
G F
F G X F
, Ù, Ú, , p2 2
{ q, (p Ù ( q Ú s))}
=
+
G ( Ù( Ú)) p q sX F
Intuition for n
,
Ú1
Ú
23
![Page 87: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/87.jpg)
Sylvain Hallé
From an initial state ( ), one can ‘‘peel off’’ the formula according to the path given by the proof...
s
NOINC
G, Ù, Ú, 1 , p
{q, (p Ù ( q Ú s))}
X
G X F
G F
F G X F
, Ù, Ú, , p2 2
{ q, (p Ù ( q Ú s))}
=
+
G ( Ù( p qX
Intuition for n
,
23
![Page 88: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/88.jpg)
Sylvain Hallé
From an initial state ( ), one can ‘‘peel off’’ the formula according to the path given by the proof...
s
NOINC
G, Ù, Ú, X, 1 p
{q, (p Ù ( q Ú s))}G X F
G F
F G X F
, Ù, Ú, , p2 2
{ q, (p Ù ( q Ú s))}
=
+
G ( Ù(X p q
Intuition for n
,
X
X
23
![Page 89: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/89.jpg)
Sylvain Hallé
From an initial state ( ), one can ‘‘peel off’’ the formula according to the path given by the proof...
s
NOINC
G, Ù, Ú, X, 1 p
{q, (p Ù ( q Ú s))}G X F
G F
F G X F
, Ù, Ú, , p2 2
{ q, (p Ù ( q Ú s))}
=
+
G ( Ù(X q p
Intuition for n
q
23
![Page 90: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/90.jpg)
Sylvain Hallé
q
From an initial state ( ), one can ‘‘peel off’’ the formula according to the path given by the proof...
s
NOINC
G, Ù, Ú, X, 1
{q, (p )}G Ù ( q Ú s)X F
G F
F G X F
, Ù, Ú, , p2 2
{ q, (p Ù ( q Ú s))}
=
+
Intuition for n
p
p
23
![Page 91: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/91.jpg)
Sylvain Hallé
q
From an initial state ( ), one can ‘‘peel off’’ the formula according to the path given by the proof...
s
NOINC
G, Ù, Ú, X, 1
{q, (p )}G Ù ( q Ú s)X F
G F
F G X F
, Ù, Ú, , p2 2
{ q, (p Ù ( q Ú s))}
=
+
Intuition for n
23
![Page 92: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/92.jpg)
Sylvain Hallé
From an initial state ( ), one can ‘‘peel off’’ the formula according to the path given by the proof...
s
NOINC
G, Ù, Ú, X, 1
G F
F G X F
, Ù, Ú, , p2 2
{ q, (p Ù ( q Ú s))}
=
+
...if the operation comes to an end, we accept the leaf given in as the resulting end state s’
Intuition for n
{q, G (p Ù (X q Ú F s))}
n(, ) = s s’...this computes
q
23
![Page 93: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/93.jpg)
Sylvain Hallé
What about complexity?
Compute the proof, g(message, s): the work grows with the total number of leaves of the expansion.
Check the proof, n(proof, s): the work grows with the number of witnesses only, since it does not expand "dead-end" branches.
Checking beats computing only if the number of witnesses is much smaller (<<) than the total number of leaves; in general LTL this is not guaranteed: no gain...
Solution: restrict LTL to a fragment that produces at most one witness at every step ⇒ Non-branching LTL
24
![Page 96: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/96.jpg)
Sylvain Hallé
Non-branching LTL
Follows three conditions:
1. ( ... ) ∨ ( ... )
2. F ( ... )
3. ( ... ) U ( ... )
where the subformulas in parentheses contain no temporal operator
Theorem: a non-branching LTL formula produces a proof linear in the length of the interface contract (see the paper!)
⇒ Non-branching LTL contracts can be efficiently enforced through cooperative runtime monitoring
25
![Page 106: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/106.jpg)
Sylvain Hallé
Experimental results
Client: g(message, s) = (proof, s') computes the proof and the end state for the message, which is then sent together with its proof: 5.08 ms
Server: n(proof, s) = s' and m(message, proof) = T/F check the received message against the proof: 0.35 ms
Server is spared 90% of the computation
26
![Page 114: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/114.jpg)
Sylvain Hallé
Experimental results
[Figure: three axes. Computational savings, from 0 to 100%; Guarantees, from None to Complete; Expressiveness, from Non-branching LTL through LTL to First-order logic. Plotted: Client-side monitoring, Server-side monitoring, Cooperative monitoring, and the Theoretical upper bound.]
27
![Page 121: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/121.jpg)
Sylvain Hallé
Take-home points
1. An interface contract specifies valid sequences of "messages" between a client and a server.
2. Cooperative runtime monitoring allows the enforcement of the contract to be split between both parties.
3. For a fragment of Linear Temporal Logic, empirical tests show that 90% of the work can be outsourced to the client...
4. ...while preserving the same guarantees as with server-side monitoring.
5. This is a 3D problem: guarantees, computational load and expressiveness can be modulated.
28
![Page 127: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/127.jpg)
Sylvain Hallé
For more information
Visit my web site
www.leduotang.com/sylvain