Run - Time Verification : Thanks To Gian-Luigi Ferrari For The Slides
Verification*
*Thanks to Gian-Luigi Ferrari for the slides
Verification
• Static: based on complete analysis of code/models
  o static analysis / abstract interpretation
  o theorem proving
  o model checking
Advantages:
+ good code coverage
+ early in development
+ mature field
Limitations:
- undecidable problem, so false positives/negatives, or does not scale
Runtime Verification
[Figure: execute the code, record the event trace, analyze the trace against a model that is highly customized for the property of interest, report Bug 1, Bug 2, …]
Advantages:
+ precise (no false alarms)
+ good scalability and rigor
+ recovery possible
Limitations:
- code must be executable
- less code coverage
How to address RV Limitations
• Code must be executable
  o Use complementary static analysis, earlier in the process
  o Use symbolic execution via abstract interpretation
Traces
• sequence of program's states
• sequence of program's events
[Figure: states/events observed during execution, on a timeline of past, now, and the possible future(s); the monitor only ever sees a prefix of the trace]
Verdicts
• Should detect success/failure as soon as possible
• Standard approach is to use a four-valued verdict domain: true, false, presumably true, presumably false
• Consider all possible extensions of the trace observed so far: a definitive true (false) verdict is issued only when every extension satisfies (violates) the property; otherwise the verdict is only presumptive, based on the prefix seen so far
[Figure: monitoring loop, with the property feeding the monitor, the monitor observing the instrumented system and producing a verdict, and feedback going back to the system]
• Instrument the system to record relevant events.
• Dispatch each received event to the monitor.
• Compute a verdict for the trace received.
• Possibly generate feedback to the system.
Monitor
• Offline: the trace is analyzed a posteriori, e.g., analyzing a log file/trace dump
• Online: the trace is analyzed in a lock-step manner
  o external: the monitor runs in parallel with the system, e.g., over a communication infrastructure
    • synchronous (the system waits for the monitor's response)
    • asynchronous (buffered communication)
  o internal: the monitor's code is embedded into the application
Monitor placement
[Figure: online external (system and monitor as separate components) versus online internal (monitor embedded in the system)]
Reaction
Reaction can take several forms:
• Display an error message
• Throw an exception in the monitored program; the monitored program then deals with it
• Launch some (recovery) code: the effect depends on the monitor's placement
Monitor Specification
• Program (built-in algorithm focused on a specific problem)
  o data race detection
  o atomicity violation
  o deadlock detection
Propositional
• Record propositional events, for example: open, close
• Define a property over propositional events, for example:
  o LTL (finite-trace): □(open → (¬open U close))
    Henceforth: □φ, φ is always true
    Next: ○φ, φ is true at the next step
    Implies: φ → ψ
    Until: ¬open U close, close is true at some point, and ¬open is true until that time
  o RE: (open.close)*
  o DFA: states 1 and 2, with open taking 1 to 2 and close taking 2 back to 1
Parametric
• Using the events:
  o open(f) when file f is opened
  o close(f) when file f is closed
• the property becomes a DFA per file f: open(f) takes 1 to 2 and close(f) takes 2 back to 1
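A worked example of the propositional and parametric monitors above, added here and not part of the original slides: a Python monitor that replays the open/close DFA offline over a constructed log, keeps one DFA instance per file name f (parametric slicing), and reports verdicts in the four-valued RV-LTL domain (true, false, presumably true, presumably false) by checking which DFA states remain reachable from the current one. The log format open(f)/close(f), the file names and the helper names are assumptions made for the example. Note that, like the RE (open.close)* and the DFA, this monitor also rejects a close with no preceding open, which the LTL formula on its own does not forbid.

```python
"""Offline, parametric runtime monitor for the property
'every open(f) is followed by close(f) before the next open(f)',
i.e. the regular expression (open.close)* sliced per file f.
Added example; not from the original slides."""
from collections import defaultdict
import re

# DFA from the slides: state 1 = file closed (accepting, initial),
# state 2 = file open. Any other (state, event) pair goes to the
# violation sink ERR, from which no extension can ever be accepted.
INITIAL = 1
ACCEPTING = {1}
ERR = "err"
ALPHABET = ("open", "close")
TRANSITIONS = {(1, "open"): 2, (2, "close"): 1}


def step(state, event):
    """Deterministic transition; undefined pairs fall into the sink."""
    return TRANSITIONS.get((state, event), ERR)


def reachable(state):
    """All states reachable from `state` over any sequence of future events."""
    seen, todo = set(), [state]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        todo.extend(step(s, a) for a in ALPHABET)
    return seen


def verdict(state):
    """Four-valued verdict for the trace prefix read so far:
    - 'false': no extension of the prefix can be accepted (bad prefix)
    - 'true' : every extension is accepted (good prefix)
    - otherwise only a presumptive verdict, based on whether the
      prefix itself is currently in an accepting state."""
    future = reachable(state)
    if not (future & ACCEPTING):
        return "false"
    if future <= ACCEPTING:
        return "true"
    return "presumably true" if state in ACCEPTING else "presumably false"


class Monitor:
    """One propositional DFA monitor: dispatch an event, get a verdict."""

    def __init__(self):
        self.state = INITIAL

    def observe(self, event):
        self.state = step(self.state, event)
        return verdict(self.state)


class ParametricMonitor:
    """Parametric slicing: one Monitor instance per parameter value f."""

    def __init__(self):
        self.instances = defaultdict(Monitor)

    def observe(self, event, param):
        return self.instances[param].observe(event)

    def summary(self):
        return {p: verdict(m.state) for p, m in self.instances.items()}


# Assumed log format for the example: "open(<file>)" / "close(<file>)".
LOG_RE = re.compile(r"^(open|close)\((\S+)\)$")


def analyze_log(lines):
    """Offline RV: replay a log, return per-file verdicts and the first
    (line number, line) at which some file's verdict became 'false'."""
    pm = ParametricMonitor()
    first_violation = None
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated log line: not an event of interest
        event, f = m.groups()
        if pm.observe(event, f) == "false" and first_violation is None:
            first_violation = (n, line.strip())
    return pm.summary(), first_violation


# Constructed sample trace (not real data).
SAMPLE_LOG = [
    "open(a.txt)",
    "open(b.txt)",
    "close(a.txt)",
    "open(a.txt)",   # fine: a.txt was closed in between
    "open(b.txt)",   # violation: b.txt opened twice without a close
    "close(a.txt)",
    "open(c.txt)",   # still open at end of log: only presumably false
]

if __name__ == "__main__":
    summary, violation = analyze_log(SAMPLE_LOG)
    for f, v in sorted(summary.items()):
        print(f"{f}: {v}")
    print("first violation:", violation)
```

For online use, the same `Monitor.observe` call is what the instrumentation would invoke in lock step on each event; `analyze_log` only shows the offline (log replay) placement. Because the property is a safety property, no prefix is ever a good prefix here, so the verdict can only be false or presumptive; a co-safety property (for example "eventually close") would be where the definitive true verdict appears.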