SLIDE 1
Recent Advances in Causality Checking
- Florian Leitner-Fischer
- University of Konstanz
Department of Computer and Information Science, Chair for Software Engineering
SLIDE 2 www.se.uni-konstanz.de Chair for Software Engineering – F. Leitner-Fischer
Joint work with
Stefan Leue
Chair for Software Engineering, Department of Computer and Information Science, University of Konstanz, Germany
SLIDE 3
Analysis of Complex Systems
♦ A Railroad Crossing
(figure: Train, Car, Gate)
SLIDE 4
Model Checking
♦ model of the software (transition system, Kripke structure)
♦ requirement specification (assertions, temporal logic, automata)
♦ model checking algorithm: state space search (depth-first or breadth-first search)
(figure: Train: Approaching, On Crossing, Left Crossing; Gate: Open, Closed; Car: Approaching, On Crossing, Left Crossing)
♦ Property: there is never a train in the crossing at the same time when there is a car in the crossing
  - ϕ = ☐¬(Tc ∧ Cc)
SLIDE 5
Model Checking
♦ Model Checking Result
  - the path into a property violating state – called an error path or counterexample
(figure: error path Ca, Ta, Cc, Gc, Tc)
SLIDE 6
Interpreting Counterexamples
♦ Railroad Crossing Example:
  - 11 error paths (only considering shortest paths)
    [Ta, Gf, Tc, Ca, Cc] [Ca, Ta, Gf, Tc, Cc] [Ta, Gf, Ca, Cc, Tc] [Ta, Ca, Gf, Cc, Tc]
    [Ca, Ta, Gf, Cc, Tc] [Ta, Ca, Cc, Gf, Tc] [Ca, Ta, Cc, Gf, Tc] [Ca, Cc, Ta, Gf, Tc]
    [Ta, Ca, Cc, Gc, Tc] [Ca, Ta, Cc, Gc, Tc] [Ca, Cc, Ta, Gc, Tc] ...
  - all lead into a property violating state (accident)
♦ For debugging:
  - what is the cause?
  - manual analysis is tedious, error prone, essentially impossible
♦ Our goal: algorithmic causality computation
SLIDE 7
Agenda
♦ Models of Causality
♦ Causality Computation
♦ Probability Computation for Causal Events
♦ Evaluation
♦ Conclusion
SLIDE 8
Agenda: Models of Causality
SLIDE 9
Causality
♦ (Naive) Lewis Counterfactual Reasoning
  - c is causal for e (effect / hazard) if, had c not happened, then e would not have happened either
  - logical foundation of some software debugging techniques, e.g., delta debugging, nearest neighbor techniques
  - best suited for single cause failures
SLIDE 10
Halpern / Pearl Structural Equation Model (SEM)
♦ Key Ideas
  - events are represented by boolean variables, specified using structural equations
  - computes minimal boolean disjunction and conjunction of causal events
  - causal dependency of events represented by causal networks
  - reference
SLIDE 11
Halpern / Pearl Structural Equation Model (SEM)
♦ Actual Causality Conditions
  - AC1: ensures that there exists a world where the boolean combination of causal events c and the effect e occur
  - AC2:
    1. if at least one of the causal events does not happen, the effect e does not happen
    2. if the causal events occur, the occurrence of other events cannot prevent the effect
  - AC3: no subset of the causal events satisfies AC1 and AC2 (minimality)
SLIDE 12
Agenda: Causality Computation
SLIDE 13
Causality Computation
♦ Main Goal: Computation of Causal Events for a Property Violation
  - Consider event order as causal factor
  - Make Structural Equation Model applicable to transition systems
Florian Leitner-Fischer and Stefan Leue: Probabilistic Fault Tree Synthesis using Causality Computation, accepted for publication in International Journal of Critical Computer-Based Systems, 2013.
SLIDE 14
Event Order Logic
♦ Boolean Event Occurrence Conditions
  - a ∧ b, a ∨ b, ¬a
♦ Event Ordering Conditions
  - a b – a and b occur, and a occurs before b
♦ Interval Operators
  - a b – a occurs until eventually b will hold in every state
  - a b – a always holds until eventually b occurs
  - a b c – in the interval delimited by a and c, b always holds
♦ Model-theoretic Semantics
  - Event Order Logic is an LTL
SLIDE 15
Event Order Logic
♦ Representation of Traces
♦ Representation of Ordering Constraints
SLIDE 16
Causality Computation
♦ Probabilistic Causality Computation
  - Probabilistic counterexample and good paths are computed
  - Causality computation performed as post-processing step
  - Benefit: probability for combination of events causing a hazard
  - Disadvantage: probability computation for each bad trace necessary
♦ Causality Checking
  - Integrated into the state space search algorithms used for model checking
  - Benefit: enables on-the-fly causality computation
  - Disadvantage: no probabilities available
SLIDE 17
Algorithmics
♦ Sub-Executions
  - reduce checks for AC1-AC3 and OC1 to sub-execution tests: ordered and unordered sub-execution operators
  - proofs in the paper
♦ Implementation Variants
  - Off-line Enumeration
    - enumerate traces
    - store counterexamples and good traces
    - perform sub-trace computations
  - On-the-fly
    - use DFS / BFS on the state space
    - store paths in an adequate data structure as you obtain them: subset graph
Florian Leitner-Fischer and Stefan Leue: Causality Checking for Complex System Models, In Proceedings of 14th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI2013), LNCS, Volume 7737, Springer Verlag, 2013.
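As an added illustration (not code from the slides or the authors' tool), the following Python sketch runs the ordered sub-execution tests that slides 11 and 17 describe over constructed railroad-crossing traces: AC1 and AC2(2) become ordered subsequence tests against the bad and good traces, AC3 is enforced by searching shortest candidates first, and OC1 decides whether the order inside a class is itself causal. It assumes a toy model in which a car that has entered the crossing never leaves it, so non-occurrence conditions and the interval operators of slide 14 are not handled; the event names and every trace below are constructed for this example.

```python
from itertools import combinations, permutations

# Constructed sample traces (illustration only, not the slides' model). Ta/Tc/Tl: train approaching /
# in crossing / left; Ca/Cc: car approaching / in crossing; Gc: gate closes; Gf: gate fails to close.
BAD = [  # every trace ends in a crash: train and car in the crossing at the same time
    ["Ta", "Gf", "Tc", "Ca", "Cc"], ["Ca", "Ta", "Gf", "Tc", "Cc"], ["Ta", "Gf", "Ca", "Cc", "Tc"],
    ["Ta", "Ca", "Cc", "Gc", "Tc"], ["Ca", "Cc", "Ta", "Gc", "Tc"],
]
GOOD = [  # no crash: the car waits at the gate or enters only after the train has left (Tl)
    ["Ta", "Gc", "Tc", "Ca"], ["Ca", "Ta", "Gc", "Tc"], ["Ca", "Cc", "Ta", "Gc"],
    ["Ta", "Gf", "Tc", "Ca"], ["Ta", "Gc", "Ca", "Tc"], ["Ta", "Gc", "Tc", "Tl", "Ca", "Cc"],
    ["Ca", "Ta", "Gf", "Tc", "Tl"], ["Ca", "Ta", "Gc", "Tc", "Tl", "Cc"], ["Ta", "Gf", "Ca", "Tc", "Tl"],
    ["Ta", "Ca", "Cc", "Gc"], ["Ta", "Ca", "Gc", "Tc", "Tl"],
]

def is_subexecution(sub, trace):
    """Ordered sub-execution test: do the events of sub occur in trace in this order?"""
    it = iter(trace)
    return all(any(ev == x for x in it) for ev in sub)

def is_causal(cand, bad, good):
    """AC1: cand occurs with the hazard in some bad trace. AC2(2): once cand has occurred in
    this order nothing prevents the hazard, i.e. no good trace contains cand as sub-execution."""
    return (any(is_subexecution(cand, t) for t in bad)
            and not any(is_subexecution(cand, t) for t in good))

def causality_classes(bad, good):
    """Minimal (AC3) ordered event sequences separating bad from good traces, shortest first."""
    found = []
    for length in range(1, max(map(len, bad)) + 1):
        for trace in bad:
            for idx in combinations(range(len(trace)), length):
                cand = tuple(trace[i] for i in idx)
                # AC3 (minimality): a shorter class already explains every trace containing cand
                if any(is_subexecution(c, cand) for c in found):
                    continue
                if is_causal(cand, bad, good):
                    found.append(cand)
    return found

def order_matters(cand, good):
    """OC1: the order is causal iff another permutation of the same events occurs in a good trace."""
    return any(is_subexecution(p, t) for p in permutations(cand) if p != cand for t in good)

def eol_formula(bad, good):
    """Disjunction of causality classes: ordered classes joined with '<', unordered with 'and'."""
    return " or ".join("(" + (" < " if order_matters(c, good) else " and ").join(c) + ")"
                       for c in causality_classes(bad, good))
```

On the constructed traces this yields two classes, a gate-failure class and a car-in-crossing-before-train class, mirroring the two causality classes of slide 20.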
SLIDE 18
Result of Causality Checking
♦ Railroad Crossing
  - represented as Dynamic Fault Tree
(figure: dynamic fault tree with top event "crash")
SLIDE 19
Agenda: Probability Computation for Causal Events
SLIDE 20
Causality Classes
♦ Disjuncts of the EOL formula represent "causality classes"
  - Causality Classes: represent a class of execution paths where the same events in the same order cause an effect or hazard
(figure)
  Causality Class 1: Ta, Ca, Gf, Cc, Tc; Ca, Ta, Gf, Cc, Tc; …
  Causality Class 2: Ta, Ca, Cc, Gc, Tc; Ca, Ta, Cc, Gc, Tc; …
SLIDE 21
Probability Computation for Causality Classes
♦ Key Idea:
  1. Compute causal events using causality checking
  2. Compute probabilities of the paths represented by a causality class
  - Causality classes are represented by alternating automata
  - Alternating automata are translated to PRISM Causality Class Modules
  - PRISM Causality Class Modules are synchronized with the PRISM model
(figure: EOL Formula → Causality Classes → Alternating Automata → PRISM Causality Class Module)
Florian Leitner-Fischer and Stefan Leue: On the Synergy of Probabilistic Causality Computation and Causality Checking, In Proceedings of International SPIN Symposium on Model Checking of Software, Stony Brook, NY, USA, 2013 (to appear).
SLIDE 22
Agenda: Evaluation
SLIDE 23
Experimental Evaluation
♦ Combined Approach:
  - Causality Checking + Probability Computation for Causality Classes
♦ Combined Approach outperforms Probabilistic Causality Computation
SLIDE 24
Agenda: Conclusion
SLIDE 25
Conclusion
♦ Causality Checking
  - technique complementing model checking; aim: algorithmic support for the debugging of models
  - defined / adopted causality model
  - proposed implementation
  - probability computation for causality classes
  - applicable to non-trivial case studies
♦ Future Work
  - causality checking at the limits of scalability: dealing with incomplete information
  - causality checking in a symbolic environment
  - specific adaptations to functional safety analysis: minimal cut sets; root, common and cascading causes
SLIDE 26
?