Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)
Post on 20-Jun-2015
Sylvain Hallé
Fonds de recherche sur la nature et les technologies; CRSNG / NSERC
For more information
Visit my web site
www.leduotang.com/sylvain

Context
[Diagram: the client sends a request message A to the server; the server returns a response message B.]

Context
Alphabet ($A$): set of possible messages
Trace ($A^*$): sequence of messages
State: abstraction of a trace
Transition function ($\delta$): $\delta : A \times S \to S$
[Diagram: $\delta$ takes a message $A$ and a state $s$ and yields a new state $s'$ or $\emptyset$.]
$\delta(a_0 a_1 \ldots a_n) \equiv \delta(a_n, \delta(\ldots \delta(s_0, a_0) \ldots))$
Interface contract ($\kappa$): defines valid traces
$\kappa : A^* \to \{T, F\}$
$\kappa(a_0 a_1 \ldots a_n) = T \iff \delta(a_0 a_1 \ldots a_n) \neq \emptyset$

A general framework
[Diagram: a client sends a message A to a server; an interface contract governs the exchange.]
Example 1: Java program, Iterator class, method call.
Two calls of the method next() must be separated by at least one occurrence of hasNext().
Example 2: Ajax web client, web service, XML message.
If CartClear is invoked, no CartModify or CartRemove can occur before a new CartAdd.

Contract violations
What happens when the contract is violated?
- Error messages
- Non-sensical data returned
- Compensation mechanisms
- Wasted processing time
- Security breaches
- Etc.

The big question
Prevent contract violations

Current solutions
1. A priori certification
A trustworthy authority assesses the client's compliance with the contract (testing, static verification, etc.) and grants a digital certificate.
The service needs a certificate to start an exchange with a client.
Example: iPhone app certification
Problem: the client can change after certification (iPhone jailbreaking, JavaScript prototype hijacking, ...)

2. Server-side runtime monitoring
A separate process checks each incoming message. The message is relayed to the application proper when it complies with the contract, and is discarded when it violates the contract.
Problem: computational load on the server side

3. Client-side runtime monitoring
Each client has a separate process that validates its messages before sending them.
Problem: server has no guarantee that monitoring actually takes place

Goal
Processing savings of client-side monitoring
Guarantees of server-side monitoring
COOPERATIVE RUNTIME MONITORING
[Chart: guarantees (None to Complete) plotted against computational savings (0 to 100%). Points: client-side monitoring, server-side monitoring. Annotations: "No way to preserve complete guarantees", "Potential for cooperation".]

Cooperative runtime monitoring
Both the server- and client-side monitors maintain the current state ($s$) of the message exchange.
From its current state ($s$) and new message ($A$), the client-side monitor computes $\gamma$:
$\gamma(s, A) = (s', \text{proof})$
- $s'$: the new contract state
- proof: a "proof" that $A$ is a valid extension of the message exchange
The proof is sent with the message.
From its current state ($s$), incoming message ($A$) and proof, the server-side monitor computes $\mu$ and $\nu$:
- $\mu(A, \text{proof}) = \text{T/F}$: whether the proof is consistent with the accompanying message
- $\nu(s, \text{proof}) = s'$: the new contract state
Both sides agree on the new current state ($s'$).
The client computes it from $s$ and $A$.
The server computes it from $s$ and the proof.

Requirements
$\gamma(s, A) = (s', \text{proof})$, $\mu(A, \text{proof}) = \text{T/F}$, $\nu(s, \text{proof}) = s'$
1. The proof must be unspoofable.
If $A$ is not a valid continuation from state $s$ ($\delta(s, A) = \emptyset$), then for any proof, either $\mu(A, \text{proof}) = F$ or $\nu(s, \text{proof}) = {?}$
2. The proof must be equivalent to contract monitoring.
If $A$ is a valid continuation from state $s$ to state $s'$, then $\gamma(s, A) = (s', \text{proof})$, $\mu(A, \text{proof}) = T$ and $\nu(s, \text{proof}) = s'$
3. Checking the proof must be easy (i.e. polynomial) $\Rightarrow$ $\mu$ and $\nu$ must be in NP

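Expressing an interface contract
LTL formula = assertion on a trace (of messages)
- $\mathbf{G}\, a$: "always a"
- $\mathbf{X}\, a$: "the next message is a"
- $\mathbf{F}\, a$: "eventually a"
- $a\, \mathbf{W}\, b$: "a until b"
[Example on the slide: two formulas built from $\mathbf{G}$, $\mathbf{X}$, $\mathbf{W}$, $\neg$ and $\lor$ are evaluated on the trace abacdcbaqqtam...; one is FALSE, the other TRUE.]
Gerth, Peled, Vardi, Wolper (PSTV 1995): on-the-fly runtime monitoring algorithm for LTL
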
Classical LTL runtime monitoring
Algorithm overview:
1. An LTL formula is decomposed into nodes made of two parts:
   - $\Gamma$: sub-formulas that must be true now
   - $\Delta$: sub-formulas that must be true in the next state
2. Negations pushed inside (classical identities + dual of $\mathbf{U}$ = $\mathbf{V}$)
3. At the leaves, $\Gamma$ contains atoms + negations of atoms: we evaluate them
   Verdict:
   - All leaves contain FALSE: formula is false
   - A leaf is empty: formula is true
   - Otherwise:
4. Next event: $\Delta$ copied into $\Gamma$ and we continue

Example: $\mathbf{G}\,(p \land (\mathbf{X}\, q \lor \mathbf{F}\, s))$
[Diagram: decomposition tree of the formula, with branches $\lor_1$ / $\lor_2$ and $\mathbf{F}_1$ / $\mathbf{F}_2$.]

Example: $\mathbf{G}\,(p \land (\mathbf{X}\, q \lor \mathbf{F}\, s))$
If $p$ is true and $s$ is false in the current message $m$, then...
[Diagram: the same decomposition tree, evaluated on the message.]

Intuition for $\gamma$
1. This algorithm computes $\delta(s, A) = s'$
2. The proof is the path to each valid leaf:
   proof = $\mathbf{G}, \land, \lor_1, \mathbf{X}, p$ : $\{q,\ \mathbf{G}\,(p \land (\mathbf{X}\, q \lor \mathbf{F}\, s))\}$
   + $\mathbf{G}, \land, \lor_2, \mathbf{F}_2, p$ : $\{\mathbf{F}\, q,\ \mathbf{G}\,(p \land (\mathbf{X}\, q \lor \mathbf{F}\, s))\}$
3. The combination gives us $\gamma(s, A) = (s', \text{proof})$

Intuition for $\mu$
Given a message ($A$) and a proof, one can check that the atoms in the paths are indeed true in the message (is $p$ true in $A$?)...
...this computes $\mu(A, \text{proof})$

Intuition for $\nu$
From an initial state ($s$), one can "peel off" the formula according to the path given by the proof...
[Animation: starting from $\mathbf{G}\,(p \land (\mathbf{X}\, q \lor \mathbf{F}\, s))$, the symbols of the path $\mathbf{G}, \land, \lor_1, \mathbf{X}, p$ are removed one at a time, ending at the leaf $\{q,\ \mathbf{G}\,(p \land (\mathbf{X}\, q \lor \mathbf{F}\, s))\}$.]
...if the operation comes to an end, we accept the leaf given in the proof as the resulting end state $s'$
...this computes $\nu(s, \text{proof}) = s'$

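The client-side proof construction and the two server-side checks described in these slides, as an added Python example (not code from the talk or the paper), run on the slides' formula G (p ∧ (X q ∨ F s)). The tuple encoding of formulas, the function names gamma, nu, mu and server_accept, and the choice to have nu recompute the leaf while peeling rather than read it from the proof are assumptions of this example.

```python
# Added illustration, not the paper's implementation. Formula encoding (assumed):
# atom "p" (lowercase), ("and", a, b), ("or", a, b), ("X", a), ("F", a), ("G", a).
PHI = ("G", ("and", "p", ("or", ("X", "q"), ("F", "s"))))  # formula from the slides
OPS = {"and", "X", "G", "or1", "or2", "F1", "F2"}

def step(f, choice):
    """Peel one operator off f: (token, must-hold-now, must-hold-next) or None."""
    if isinstance(f, str):
        return (f, [], [])                      # atom: the token is the atom name
    op = f[0]
    if op == "and":
        return ("and", [f[1], f[2]], [])
    if op == "X":
        return ("X", [], [f[1]])
    if op == "G":                               # G a  ==  a and X G a
        return ("G", [f[1]], [f])
    if op == "or" and choice in (1, 2):
        return (f"or{choice}", [f[choice]], [])
    if op == "F" and choice in (1, 2):          # F a  ==  a or X F a
        return ("F1", [f[1]], []) if choice == 1 else ("F2", [], [f])
    return None

def gamma(state, msg):
    """Client side: explore every branch, return the witnesses (path, leaf)."""
    witnesses = []
    def expand(stack, path, nxt):
        if not stack:
            witnesses.append((tuple(path), frozenset(nxt)))
            return
        f, rest = stack[-1], stack[:-1]
        if isinstance(f, str):
            if f in msg:                        # a false atom is a dead end
                expand(rest, path + [f], nxt)
            return
        for c in ((1, 2) if f[0] in ("or", "F") else (None,)):
            tok, now, later = step(f, c)
            expand(rest + now, path + [tok], nxt + later)
    expand(sorted(state, key=repr), [], [])
    return witnesses

def nu(state, path):
    """Server side: follow one path only; return the leaf s' or None."""
    stack, nxt = sorted(state, key=repr), []
    for tok in path:
        if not stack:
            return None
        choice = int(tok[-1]) if tok in OPS and tok[-1] in "12" else None
        res = step(stack.pop(), choice)
        if res is None or res[0] != tok:
            return None                         # path does not match the formula
        stack += res[1]
        nxt += res[2]
    return frozenset(nxt) if not stack else None

def mu(msg, path):
    """Server side: every atom named in the path must be true in the message."""
    return all(tok in msg for tok in path if tok not in OPS)

def server_accept(state, msg, path):
    """Accept only if the path fits the contract state and the message."""
    leaf = nu(state, path)
    return leaf if leaf is not None and mu(msg, path) else None
```

A path that leaves out the atom p, or a message in which p is false, makes server_accept return None: the server never expands the alternative branches, it only replays the single path the client supplied.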
What about complexity?
Check the proof, $\nu(s, \text{proof})$, versus compute the proof, $\gamma(s, A)$:
- number of witnesses << total number of leaves: does not expand "dead-end" branches
- otherwise: no gain...
Solution: restrict LTL to a fragment that produces at most one witness at every step $\Rightarrow$ non-branching LTL

Non-branching LTL
Follows three conditions:
1. $(\ldots) \lor (\ldots)$
2. $\mathbf{F}\,(\ldots)$
3. $(\ldots)\, \mathbf{U}\, (\ldots)$
[Slide annotation pointing at an operand: "No temporal operator"]
Theorem: a non-branching LTL formula produces a proof linear in the length of the interface contract (see the paper!)
$\Rightarrow$ Non-branching LTL contracts can be efficiently enforced through cooperative runtime monitoring

Experimental results
$\gamma(s, A) = (s', \text{proof})$: 5.08 ms
$\mu(A, \text{proof}) = \text{T/F}$ and $\nu(s, \text{proof}) = s'$: 0.35 ms
Server is spared of 90% of the computation

Experimental results
[Chart: guarantees (None to Complete) plotted against computational savings (0 to 100%), with a third axis for expressiveness (non-branching LTL, LTL, first-order logic). Points: client-side monitoring, server-side monitoring, cooperative monitoring, theoretical upper bound.]

Take-home points
1. An interface contract specifies valid sequences of "messages" between a client and a server.
2. Cooperative runtime monitoring allows the enforcement of the contract to be split between both parties.
3. For a fragment of Linear Temporal Logic, empirical tests show that 90% of the work can be outsourced to the client...
4. ...while preserving the same guarantees as with server-side monitoring.
5. This is a 3D problem: guarantees, computational load and expressiveness can be modulated.