runtime monitoring of object invariants with guarantees
play

Runtime Monitoring of Object Invariants with Guarantees Sriram - PowerPoint PPT Presentation

Jul 24, 2023 •322 likes •637 views

Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work with Madhu Gopinathan, Indian Institute of Science) Object invariants interface Key{ //this < k? boolean Less(Key k); } class Node { Key

  1. Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work with Madhu Gopinathan, Indian Institute of Science)

  2. Object invariants interface Key{ //this < k? boolean Less(Key k); } class Node { Key k; Node left; Node right; Node(Key key) { k = key }; //object invariant of this node boolean Inv(){ return((left==null || left.k.Less(k) && left.Inv()) && (right==null || k.Less(right.k)&& right.Inv())); } }

  3. Object invariants interface Key{ //this < k? boolean Less(Key k); } class Node { Key k; Node left; Node right; Node(Key key) { k = key }; //object invariant of this node boolean Inv(){ return((left==null || left.k.Less(k) && left.Inv()) && (right==null || k.Less(right.k)&& right.Inv())); } }

  4. Object invariants interface Key{ //this < k? boolean Less(Key k); } class Node { Key k; Node left; Node right; Node(Key key) { k = key }; //object invariant of this node boolean Inv(){ return((left==null || left.k.Less(k) && left.Inv()) && (right==null || k.Less(right.k)&& right.Inv())); } }

  5. Another example from JDBC Connection con = DriverManager.getConnection(..); Statement stmt = con.createStatement(); ResultSet rs1 = stmt.executeQuery("SELECT EMPNOFROM EMPLOYEE"); .. con.close(); .. ResultSet rs2 = stmt.executeQuery("SELECT EMPNAME FROM EMPLOYEE");

  6. Another example from JDBC Connection con = DriverManager.getConnection(..); Statement stmt = con.createStatement(); ResultSet rs1 = stmt.executeQuery("SELECT EMPNOFROM EMPLOYEE"); .. con.close(); .. ResultSet rs2 = stmt.executeQuery("SELECT EMPNAME FROM EMPLOYEE");

  7. Another example - Iterators //list is of type ArrayList<Integer> //with integers 1,2,3 added for(Iterator<Integer> i = list.iterator(); i.hasNext(); ) { int v = i.next(); if(v == 1) list.remove(v); else System.out.println(v); }

  8. Another example - Iterators //list is of type ArrayList<Integer> //with integers 1,2,3 added for(Iterator<Integer> i = list.iterator(); i.hasNext(); ) { int v = i.next(); if(v == 1) list.remove(v); else System.out.println(v); }

  9. Our goal • A runtime scheme to monitor object invariants • Guarantee to detect invariant violations when they happen

  10. Two issues with checking invariants • When does an object invariant hold? – When object o is in a “stable state” • When object o’s invariant depends on p, what happens when p changes without o’s knowledge?

  11. Reusable Monitor role ObjWInv { boolean Inv(); boolean inv; } o ObjWInv o . inv true o . Inv () � � = �

  12. Reusable Monitor role ObjWInv { boolean Inv(); boolean inv; Set<ObjWInv> dependents; } o ObjWInv o . inv true o . Inv () � � = �

  13. Reusable Monitor role ObjWInv { boolean Inv(); boolean inv; Set<ObjWInv> dependents; } Init(ObjWInv o) { o.inv := false; o.dependents := nullset; } o ObjWInv o . inv true o . Inv () � � = �

  14. Reusable Monitor role ObjWInv { boolean Inv(); CheckAndSetInv(ObjWInv o) { boolean inv; assert o.Inv(); Set<ObjWInv> dependents; o.inv = true; } } Init(ObjWInv o) { o.inv := false; Add(ObjWInv o, ObjWInv p) { o.dependents := nullset; assert(o.inv = false); } p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  15. Reusable Monitor role ObjWInv { boolean Inv(); boolean inv; Set<ObjWInv> dependents; } Init(ObjWInv o) { o.inv := false; o.dependents := nullset; } CheckAndSetInv(ObjWInv o) { assert o.Inv(); o.inv = true; } Add(ObjWInv o, ObjWInv p) { assert(o.inv = false); p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  16. Reusable Monitor role ObjWInv { Start(ObjWInv o) { boolean Inv(); assert(o.inv = false); CheckAndSetInv(o); boolean inv; } Set<ObjWInv> dependents; } Init(ObjWInv o) { o.inv := false; o.dependents := nullset; } CheckAndSetInv(ObjWInv o) { assert o.Inv(); o.inv = true; } Add(ObjWInv o, ObjWInv p) { assert(o.inv = false); p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  17. Reusable Monitor role ObjWInv { Start(ObjWInv o) { boolean Inv(); assert(o.inv = false); CheckAndSetInv(o); boolean inv; } Set<ObjWInv> dependents; } Init(ObjWInv o) { Stop(ObjWInv o) { o.inv := false; assert(o.inv = true); o.dependents := nullset; o.inv := false; } } CheckAndSetInv(ObjWInv o) { assert o.Inv(); o.inv = true; } Add(ObjWInv o, ObjWInv p) { assert(o.inv = false); p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  18. Reusable Monitor role ObjWInv { Start(ObjWInv o) { boolean Inv(); assert(o.inv = false); CheckAndSetInv(o); boolean inv; } Set<ObjWInv> dependents; } Init(ObjWInv o) { Stop(ObjWInv o) { o.inv := false; assert(o.inv = true); o.dependents := nullset; o.inv := false; } } CheckAndSetInv(ObjWInv o) { assert o.Inv(); Validate(ObjWInv p) { o.inv = true; for(o in p.dependents) { } if(o.inv = true) CheckAndSetInv(o); } Add(ObjWInv o, ObjWInv p) { } assert(o.inv = false); p.dependents.Add(o); } o ObjWInv o . inv true o . Inv () � � = �

  19. role ObjWInv { Calling the monitor boolean Inv(); boolean inv; Set<ObjWInv> dependents; from the program } Init(ObjWInv o) { o.inv := false; Connection con = o.dependents := nullset; DriverManager.getConnection(..); } Init(con); Start(con); CheckAndSetInv(ObjWInv o) { assert o.Inv(); Statement stmt = o.inv = true; con.createStatement(); } Init(stmt); Add(ObjWInv o, ObjWInv p) { Add(con, stmt); assert(o.inv = false); Start(stmt); p.dependents.Add(o); } ... Stop(stmt); Start(ObjWInv o) { assert(o.inv = false); ResultSet rs1 = CheckAndSetInv(o); stmt.executeQuery("SELECT..”); } Start(stmt); Stop(ObjWInv o) { ... assert(o.inv = true); o.inv := false; con.close(); } Validate(con); Validate(ObjWInv p) { for(o in p.dependents) { if(o.inv = true) CheckAndSetInv(o); } }

  20. role ObjWInv { Calling the monitor boolean Inv(); boolean inv; Set<ObjWInv> dependents; from the program } Init(ObjWInv o) { o.inv := false; Connection con = o.dependents := nullset; DriverManager.getConnection(..); } Init(con); Start(con); CheckAndSetInv(ObjWInv o) { assert o.Inv(); Statement stmt = o.inv = true; con.createStatement(); } Init(stmt); Add(ObjWInv o, ObjWInv p) { Add(con, stmt); assert(o.inv = false); Start(stmt); p.dependents.Add(o); } ... Stop(stmt); Start(ObjWInv o) { assert(o.inv = false); ResultSet rs1 = CheckAndSetInv(o); stmt.executeQuery("SELECT..”); } Start(stmt); Stop(ObjWInv o) { ... assert(o.inv = true); o.inv := false; con.close(); } Validate(con); Validate(ObjWInv p) { for(o in p.dependents) { if(o.inv = true) CheckAndSetInv(o); } }

  21. Automated instrumentation • When an object o is created, called Init(o) • When a public method of o is entered, call Stop(o) • When a public method of o is exited, call Start(o) • Whenever o or dependents change, call “validate(o)” !

  22. Automatic role ObjWInv { boolean Inv(); Dependency boolean inv; Set<ObjWInv> dependents; } Tracking Init(ObjWInv o) { o.inv := false; o.dependents := nullset; • Compute a relation D } such that (o,p,f) in D CheckAndSetInv(ObjWInv o) { assert o.Inv(); iff the object invariant of o o.inv = true; } depends on the value of Add(ObjWInv o, ObjWInv p) { the field p.f assert(o.inv = false); p.dependents.Add(o); – Can be done by AOP by } monitoring all accesses Start(ObjWInv o) { assert(o.inv = false); during execution of o.Inv() CheckAndSetInv(o); } Stop(ObjWInv o) { assert(o.inv = true); • Invoke Validate(p) o.inv := false; } whenever p.f changes. Validate(ObjWInv p) { for(o in p.dependents) { if(o.inv = true) CheckAndSetInv(o); } }

  23. Example monitor API o: Statement p: Connection + binding user code new Statement(p) Init(o) connection = p 1 return Start(o) o.Inv() p.isClosed() return inv = true p.close() isClosed = true 2 Validate(p) o.Inv() return

  24. Correctness Let r be any run of program P composed with the monitor using binding B. Suppose r does not have any assertion violations. Then, the following holds in all states of r: o ObjWInv o . inv true o . Inv () � � = �

  25. Implementation : I NV COP • Reusable Monitor • Aspect Generator • At runtime: – Populate D by tracking p.f read during the execution of o.Inv() – if p.f changes, invoke Validate(p)

  26. Custom Binding Default Required Binding class T { public boolean Inv() { return 0 <= x && x < y; For objects o of } type ObjWInv , public void method1() { x++; – invoke Start(o) y++; user.m(this,..); after the .. construction of o } – invoke Stop(o) public float method2() { return 1/(y-x); before every } } public method call on o class User { public void m(T t,..) { – invoke Start(o) //callback t.method2(); after every public .. } method call on o }

  27. Detecting Violations in JDOM Document Document Content Iterator List API Iterator User getDescendants() hasNext() next() next() get() detach() remove(this) next() next() ConcurrentModificationException

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz,

MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz,

Runtime Monitoring Quantified Event Automata Efficient monitoring Using MarQ MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz, David Rydeheard at University of Manchester, UK April 17th, 2015 Runtime

1.01k views • 97 slides
Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

A Unified Framework for Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with Sophia Drossopoulou and Adrian Francalanza 2 Object Invariants Express consistency criteria of objects Support

503 views • 18 slides
Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual Fahndrich, K. Rustan M. Leino an Wolfram Shulte 1 Overview Goal : design a sound methodology for specifying object invariants that can then be

809 views • 33 slides
Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu Amjad Nusayr, anusayr@cs.nmsu.edu The 2009 Workshop on Dynamic Analysis New Mexico State University Runtime Monitoring The act of observing an

590 views • 23 slides
COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A

COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A

COMP 213 Advanced Object-oriented Programming Lecture 25 Class Invariants Class Invariants A class invariant is definition of Class Invariant some property that is always true of all instances of the class in question. i.e., some statement,

1.34k views • 96 slides
Runtime systems Programmation Fonctionnelle Avance

Runtime systems Programmation Fonctionnelle Avance

Introduction and hardware architecture reminders Object representation and runtime typing Automatic memory management Runtime systems Programmation Fonctionnelle Avance http://www-lipn.univ-paris13.fr/~saiu/teaching/PFA-2010 Luca Saiu

1.26k views • 82 slides
Strong Invariants for Weak Consistency Gustavo Petri Marc Shapiro Masoud Saeida-Ardekani

Strong Invariants for Weak Consistency Gustavo Petri Marc Shapiro Masoud Saeida-Ardekani

Strong Invariants for Weak Consistency Gustavo Petri Marc Shapiro Masoud Saeida-Ardekani Consistency &amp; Invariants Consistency in 3D Characterization of consistency models according to the guarantees they provide Dimensions of

299 views • 26 slides
Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond &amp; Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to

187 views • 17 slides
Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on

Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on

Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on works with: Yong Kiam Tan 1 , Stefan Mitsch 1 , Andrew Sogokon 1 , Edward Ahn 1 , David Held 1 , John Dolan 1 , Aman Khurana 1 , Magnus O. Myreen 2 ,

637 views • 44 slides
Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Introduction Preliminaries Semantics of Runtime Control Semantics of Synthesis of Controlling Programs Expressiveness of Controlling Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics) Zhe Chen

558 views • 55 slides
Making Runtime Monitoring of Parametric Properties Practical - PhD Thesis Defense - Dongyun Jin

Making Runtime Monitoring of Parametric Properties Practical - PhD Thesis Defense - Dongyun Jin

Making Runtime Monitoring of Parametric Properties Practical - PhD Thesis Defense - Dongyun Jin Department of Computer Science University of Illinois at Urbana-Champaign Thesis Advisor Grigore Rosu Committee Members Klaus Havelund Gul Agha

662 views • 49 slides
Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 , Eugen Staab 3 , Volker Fusenig 3 , Michal Pechoucek 1,2 , Martin Grill 1 , Jan Stiborek 1 , and Karel Bartos 1 ( 1 ) Czech Technical University in

419 views • 24 slides
Towards software architecture runtime models for continuous adaptive monitoring Thomas Brand,

Towards software architecture runtime models for continuous adaptive monitoring Thomas Brand,

13th International Workshop on Models@run.time Towards software architecture runtime models for continuous adaptive monitoring Thomas Brand, Holger Giese 14.10.2018 Agenda Show why it is relevant to investigate and support: Continuous

421 views • 29 slides
Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio

Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio

Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio Chimento 1 , Gerardo Schneider 2 , Gordon J. Pace 3 1 Chalmers University of Technology, Gothenburg, Sweden 2 University of Gothenburg, Sweden 3

449 views • 32 slides
Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie

Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie

Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie Liu Tom Rothamel Scott D. Stoller Computer Science Department State University of New York at Stony Brook Invariants An invariant is a predicate

532 views • 17 slides
Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko

Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko

Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko Yoshida On the importance of time On the importance of time } Web services (timeouts): } Twitter Streaming API: Reconnect no more than twice

521 views • 50 slides
Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang Zhong (@zhong_sf) @360Vulcan Team About US Member of 360 vulcan team. Windows kernel security researcher Pwn2Own winners 2015 .pwned IE pwn2own

1.29k views • 54 slides
Implications of early LHC Results Fermilab CMS limits CMS E XOTICA LQ1, =0.5 LQ1, =1.0

Implications of early LHC Results Fermilab CMS limits CMS E XOTICA LQ1, =0.5 LQ1, =1.0

Toward an Energy Frontier Muon Collider Fermilab Estia Eichten Fermilab The Long View Return to the Energy Frontier Staging Physics Milestones Summary 2013 Community Summer Study Snowmass on the Mississippi University of

282 views • 24 slides
Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17,

Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17,

Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17, 2013 Introduction Low-level systems programming with dependent types Simpson, 1989. Four slot fully asynchronous communication mechanism .

703 views • 24 slides
Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V Core for IoT Applicatjons Christjan Palmiero , Giuseppe Di Guglielmo , Luciano Lavagno , Luca P. Carloni Politecnico Di Torino

218 views • 18 slides
QWR cavities for HIE-ISOLDE project Silvia Teixeira K. Artoos, A. Miyazaki, G. Rosaz, K.Schirm,

QWR cavities for HIE-ISOLDE project Silvia Teixeira K. Artoos, A. Miyazaki, G. Rosaz, K.Schirm,

The surface impedance of Nb/Cu coated QWR cavities for HIE-ISOLDE project Silvia Teixeira K. Artoos, A. Miyazaki, G. Rosaz, K.Schirm, A.Sublet, M. Therasse, W.Venturini Delsolaro Outline HIE-ISOLDE Project Quarter-Wave Resonator

225 views • 18 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
t P

t P

t P rs r s t r t

464 views • 29 slides
Geometry of Soergel Bimodules Ben Webster (joint with Geordie Williamson) IAS/MIT June 17th,

Geometry of Soergel Bimodules Ben Webster (joint with Geordie Williamson) IAS/MIT June 17th,

Geometry of Soergel Bimodules Ben Webster (joint with Geordie Williamson) IAS/MIT June 17th, 2007 Ben Webster (IAS/MIT) Geometry of Soergel Bimodules June 17th, 2007 1 / 20 Outline 1 Soergel bimodules Algebra Geometry 2 Hochschild

909 views • 61 slides

More recommend