Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)
Sylvain Hallé
Fonds de recherche sur la nature et les technologies
CRSNG / NSERC
For more information, visit my web site: www.leduotang.com/sylvain
Context
The client sends a request message (A) to the server; the server returns a response message (B).
Sylvain Hallé
Alphabet (A)Set of possible messages
Context
SHOW
3
![Page 10: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/10.jpg)
Sylvain Hallé
Alphabet (A)Set of possible messages
Trace (A*)Sequence of messages
Context
NOINC
3
![Page 11: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/11.jpg)
Sylvain Hallé
Alphabet (A)Set of possible messages
Trace (A*)Sequence of messages
Context
NOINC
StateAbstraction of a trace
3
![Page 12: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/12.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
d
3
![Page 13: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/13.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
d
3
![Page 14: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/14.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
S
s
d
3
![Page 15: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/15.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
S
s
s’d
3
![Page 16: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/16.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
S
s
s’dÆ
3
![Page 17: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/17.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
S
s
s’d
d : A ́S ® S
Æ
d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0
3
![Page 18: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/18.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
S
s
s’d
d : A ́S ® S
Æ
Interface contract ( )Defines valid traces
k
k : A* ® {T, F}
d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0
3
![Page 19: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/19.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
S
s
s’d
d : A ́S ® S
Æ
Interface contract ( )Defines valid traces
k
k : A* ® {T, F}
k(a a ...a )=0 1 n T
d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0
3
![Page 20: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/20.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
S
s
s’d
d : A ́S ® S
Æ
Interface contract ( )Defines valid traces
k
k : A* ® {T, F}
Û
k(a a ...a )=0 1 n T
d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0
3
![Page 21: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/21.jpg)
Sylvain Hallé
Context
NOINC
Transition function ( )d
A
S
s
s’dÆ
Interface contract ( )Defines valid traces
k
k : A* ® {T, F}
d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0
d(a a ... a ) ¹ 0 1 n Æ
Û
k(a a ...a )=0 1 n T
d : A ́S ® S
3
A general framework
A client sends messages to a server, and an interface contract over those messages defines which exchanges are valid. The same framework applies at several levels:
- Java program: the Iterator class, where a message is a method call. Contract: "Two calls of the method next() must be separated by at least one occurrence of hasNext()."
- Ajax web client talking to a web service, where a message is an XML message. Contract: "If CartClear is invoked, no CartModify or CartRemove can occur before a new CartAdd."
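As an added example (not code from the talk), the two contracts above written as transition functions $\delta$ in the sense of the definitions, with $\kappa$ obtained by folding $\delta$ over a trace, plus a monitor that relays compliant messages and discards violating ones. The state names and the treatment of messages the contracts do not mention are this example's own assumptions.

```python
"""Interface contracts as transition functions (the talk's Context section):
delta(s, a) gives the next state, or EMPTY (the empty set) when message a is
not allowed in state s; kappa(trace) = T iff folding delta over the trace
never reaches EMPTY. Added example, not the author's code."""

EMPTY = None  # plays the role of the empty set in delta's codomain


# Contract 1 (Java Iterator): two calls of next() must be separated by at least
# one occurrence of hasNext(). States (assumed names): 'ready' = hasNext() has
# been seen since the last next() (or no next() yet), 'stale' = next() was last.
def delta_iterator(state, call):
    if call == 'hasNext()':
        return 'ready'
    if call == 'next()':
        return 'stale' if state == 'ready' else EMPTY
    return state  # other method calls do not affect this contract


# Contract 2 (Ajax client / web service): if CartClear is invoked, no CartModify
# or CartRemove can occur before a new CartAdd. States (assumed names):
# 'open' = normal operation, 'cleared' = CartClear seen and no CartAdd yet.
def delta_cart(state, msg):
    if msg == 'CartClear':
        return 'cleared'
    if msg == 'CartAdd':
        return 'open'
    if msg in ('CartModify', 'CartRemove'):
        return EMPTY if state == 'cleared' else state
    return state  # any other message is unconstrained by this contract


def delta_trace(delta, s0, trace):
    """delta(a0 a1 ... an) = delta(an, delta(... delta(s0, a0) ...)), with EMPTY
    absorbing: once a message is refused the whole trace is refused."""
    s = s0
    for a in trace:
        if s is EMPTY:
            break
        s = delta(s, a)
    return s


def kappa(delta, s0, trace):
    """Interface contract: kappa(trace) = T  <=>  delta(trace) != EMPTY."""
    return delta_trace(delta, s0, trace) is not EMPTY


def server_side_monitor(delta, s0, incoming):
    """A separate process in front of the application: it keeps the contract
    state, relays each message that complies and discards each one that
    violates the contract (a discarded message leaves the state unchanged)."""
    state, relayed, discarded = s0, [], []
    for msg in incoming:
        nxt = delta(state, msg)
        if nxt is EMPTY:
            discarded.append(msg)
        else:
            relayed.append(msg)
            state = nxt
    return relayed, discarded
```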
Contract violations
What happens when the contract is violated?
- Error messages
- Non-sensical data returned
- Compensation mechanisms
- Wasted processing time
- Security breaches
- Etc.
The big question
Prevent contract violations.
Current solutions
1. A priori certification
A trustworthy authority assesses the client's compliance to the contract (testing, static verification, etc.)... and grants a digital certificate. The service needs a certificate to start an exchange with a client.
Example: iPhone app certification.
Problem: the client can change after certification (iPhone jailbreaking, JavaScript prototype hijacking, ...).
2. Server-side runtime monitoring
A separate process checks each incoming message... The message is relayed to the application proper when it complies with the contract, and is discarded when it violates the contract.
Problem: computational load on the server side.
3. Client-side runtime monitoring
Each client has a separate process that validates its messages before sending them.
Problem: the server has no guarantee that monitoring actually takes place.
Goal
Combine the processing savings of client-side monitoring with the guarantees of server-side monitoring: COOPERATIVE RUNTIME MONITORING.
[Figure: computational savings (0 to 100%) against guarantees (none to complete). Client-side monitoring sits at maximal savings with no guarantees; server-side monitoring at complete guarantees with no savings. There is no way to preserve complete guarantees while saving computation, but the region between the two extremes is the potential for cooperation.]
Cooperative runtime monitoring
Both the server- and client-side monitors maintain the current state ($s$) of the message exchange.
From its current state ($s$) and the new message ($A$), the client-side monitor computes $\gamma(s, A) = (s', \text{proof})$: the new contract state $s'$ and a "proof" that $A$ is a valid extension of the message exchange.
The proof is sent with the message ($A$ + proof).
From its current state ($s$), the incoming message ($A$) and the proof, the server-side monitor computes $\mu(A, \text{proof}) = T/F$, true if the proof is consistent with the accompanying message, and $\nu(s, \text{proof}) = s'$, the new contract state.
Both sides agree on the new current state ($s'$): the client computes it from $s$ and $A$; the server computes it from $s$ and the proof.
Requirements
Client: $\gamma(s, A) = (s', \text{proof})$. Sent: $A$ + proof. Server: $\mu(A, \text{proof}) = T/F$ and $\nu(s, \text{proof}) = s'$.
1. The proof must be unspoofable: if $A$ is not a valid continuation from state $s$ (i.e. $\delta(s, A) = \emptyset$), then for any proof, either $\mu(A, \text{proof}) = F$ or $\nu(s, \text{proof}) = {?}$.
2. The proof must be equivalent to contract monitoring: if $A$ is a valid continuation from state $s$ to state $s'$ (i.e. $\gamma(s, A) = (s', \text{proof})$), then $\mu(A, \text{proof}) = T$ and $\nu(s, \text{proof}) = s'$.
3. Checking the proof must be easy (i.e. polynomial) $\Rightarrow$ $\mu$ and $\nu$ must be in NP.
Expressing an interface contract
LTL formula = assertion on a trace (of messages). Gerth, Peled, Vardi, Wolper (PSTV 1995): on-the-fly runtime monitoring algorithm for LTL.
Temporal operators:
- G a: "always a"
- X a: "the next message is a"
- F a: "eventually a"
- a U b: "a until b"
[Figure: a sample trace a b a c d c b a q q t a m ... with example formulas (among them G (a → b)) evaluated on it, giving the verdicts FALSE and TRUE.]
Classical LTL runtime monitoring
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form (Γ, Δ): Γ holds the sub-formulas that must be true now, Δ the sub-formulas that must be true in the next state.
2. Negations are pushed inside (classical identities + the dual of U, namely V).
3. At the leaves, Γ contains atoms and negations of atoms: we evaluate them. Verdict:
- all leaves contain FALSE: the formula is false;
- a leaf is empty: the formula is true;
- otherwise:
4. Next event: Δ is copied into Γ and we continue.
Example: G (p ∧ (X q ∨ F s))
[Figure: decomposition tree of the formula, with nodes G, X and F (branches F1 and F2), the ∨ branches labelled 1 and 2, and the atom p on every branch.]
If p is true and s is false in the current message m, then...
Intuition for γ
1. This algorithm computes $\delta(s, A) = s'$.
2. The proof is the path to each valid leaf. In the example, with p true and s false in the current message, the two valid leaves are reached by
- path ⟨G, ∧, ∨1, X, p⟩, giving Δ = {q, G (p ∧ (X q ∨ F s))};
- path ⟨G, ∧, ∨2, F2, p⟩, giving Δ = {F s, G (p ∧ (X q ∨ F s))}.
3. The combination (+) of the two leaves gives us $\gamma(s, A) = (s', \text{proof})$: $s'$ is made of the leaves, the proof of their paths.
Intuition for μ
Given a message ($A$) and a proof, one can check that the atoms in the paths are indeed true in the message ("Is p true in A?")... this computes $\mu(A, \text{proof})$.
Intuition for ν
From an initial state ($s$), one can "peel off" the formula according to the path given by the proof. Following the path ⟨G, ∧, ∨1, X, p⟩ on G (p ∧ (X q ∨ F s)):
- G: G (p ∧ (X q ∨ F s)) stays due in the next state, and p ∧ (X q ∨ F s) is due now;
- ∧: p and (X q ∨ F s) are due now;
- ∨1: the left disjunct X q is chosen;
- X: q is due in the next state;
- p: the atom is evaluated in the current message.
What remains is the leaf {q, G (p ∧ (X q ∨ F s))}, the contribution of this path to the new state $s'$... this computes $\nu(s, \text{proof})$.
s
NOINC
G, Ù, Ú, X, 1
G F
F G X F
, Ù, Ú, , p2 2
{ q, (p Ù ( q Ú s))}
=
+
...if the operation comes to an end, we accept the leaf given in as the resulting end state s’
Intuition for n
{q, G (p Ù (X q Ú F s))}
n(, ) = s s’...this computes
q
23
![Page 93: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/93.jpg)
Sylvain Hallé
What about complexity?
Computing the proof, γ(σ, A): in the order of the total number of leaves
Checking the proof, ν(σ, proof): in the order of the number of witnesses
number of witnesses << total number of leaves, since checking does not expand ‘‘dead-end’’ branches
No gain...
Solution: restrict LTL to a fragment that produces at most one witness at every step ⇒ Non-branching LTL
24
![Page 96: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/96.jpg)
Sylvain Hallé
Non-branching LTL
Follows three conditions:
1. (...) ∨ (...)
2. F (...)
3. (...) U (...)
where the bracketed sub-formulas contain no temporal operator
Theorem: a non-branching LTL formula produces a proof linear in the length of the interface contract (see the paper!)
⇒ Non-branching LTL contracts can be efficiently enforced through cooperative runtime monitoring
25
![Page 106: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/106.jpg)
Sylvain Hallé
Experimental results
Client side: on message A, compute γ(σ, A) = (σ', proof) and send A + proof
= 5.08 ms
Server side: check the proof, μ(A, proof) = T/F, and advance the state, ν(σ, proof) = σ'
= 0.35 ms
Server is spared of 90% of the computation
26
![Page 114: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/114.jpg)
Sylvain Hallé
Experimental results
[Figure: three axes, Computational savings (0 to 100%), Guarantees (None to Complete) and Expressiveness (Non-branching LTL, LTL, First-order logic); plotted: Client-side monitoring, Server-side monitoring, Cooperative monitoring and the Theoretical upper bound]
27
![Page 121: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/121.jpg)
Sylvain Hallé
Take-home points
1. An interface contract specifies valid sequences of ‘‘messages’’ between a client and a server.
2. Cooperative runtime monitoring allows the enforcement of the contract to be split between both parties.
3. For a fragment of Linear Temporal Logic, empirical tests show that 90% of the work can be outsourced to the client...
4. ...while preserving the same guarantees as with server-side monitoring.
5. This is a 3D problem: guarantees, computational load and expressiveness can be modulated.
28
![Page 127: Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)](https://reader035.vdocuments.us/reader035/viewer/2022062707/55855109d8b42a0a3a8b4bf1/html5/thumbnails/127.jpg)
Sylvain Hallé
For more information
Visit my web site
www.leduotang.com/sylvain