Runtime Verification for the Web (RV 2010 Tutorial)

Sylvain Hallé

Sylvain Hallé and Roger Villemaire

Runtime Verification for the Web

A Tutorial Introduction to Interface Contractsin Web Applications

.

Université du Québec à ChicoutimiCANADA

NOSHOW

Université du Québec à MontréalCANADA

Fonds de recherchesur la natureet les technologies

CRSNGNSERC

Sylvain Hallé

Web applications and cloud computing: a growing part of computing systems

Very simple protocols: no state, only basic type checking, the rest is up to the developers

Loose couplingg of components: nice but comes with problems!

Few works on verification / enforcement of web applications

A ‘‘call to arms’’ to the community: interesting opportunities for application of RV

Why this tutorial?

Sylvain Hallé

Part One: The basics of web applications

?What is a web application?An example: the Beep StoreConstraints and problems

Part Two: Interface contracts in web applications

Characterizing constraintsFormalizing constraintsMonitoring constraintsDoing this for real: back to the Beep StoreWhat’s next?

??

?????

Tutorial overview

Sylvain Hallé

SHOW

Part One

The basics of web applications

Sylvain Hallé

Desktop computing

SHOW

Sylvain Hallé

Desktop computing

NOINC

Sylvain Hallé

SHOW

Cloud computingCloud computing

Sylvain Hallé

NOINC


Sylvain Hallé

NOINC


Network connection

Sylvain Hallé

SHOW

Cloud computingA static web site

Sylvain Hallé


NOINC

Bee G

Beatles

Camel

Caravan

Sylvain Hallé


Bee G

Beatles

Camel

Caravan

beatles.html

NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


Sear

ch

The

Beep

Stor

e

Wha

t is th

is?

Login

Ask fo

r acc

ount

Conta

ct us

Versio

n inf

o

beatles.html

NOINC

Sylvain Hallé


Sear

ch

The

Beep

Stor

e

Wha

t is th

is?

Login

Ask fo

r acc

ount

Conta

ct us

Versio

n inf

o

beatles.html

<html>

<h1></h1>

</html>

...Results for

Beatles...

NOINC

Sylvain Hallé


Sear

ch

The

Beep

Stor

e

Wha

t is th

is?

Login

Ask fo

r acc

ount

Conta

ct us

Versio

n inf

o

beatles.html

<html>

<h1></h1>

</html>

...Results for

Beatles...

COnly page rendering instructions are sent

NOINC

Sylvain Hallé

Cloud computingA dynamic web site

SHOW

Bee G

Beatles

Camel

Caravan

Sylvain Hallé

Cloud computing

Bee G

Beatles

Camel

Caravan

page.php?artist beatles=

A dynamic web site

NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


artist beatles=

NOINC

Sylvain Hallé


artist beatles=

NOINC

Sylvain Hallé


artist beatles=

NOINC

Sylvain Hallé


artist beatles=

Sear

ch

The

Beep

Stor

e

Wha

t is th

is?

Login

Ask fo

r acc

ount

Conta

ct us

Versio

n inf

o

NOINC

Sylvain Hallé


CContent is generated programatically based on user input

artist beatles=

Sear

ch

The

Beep

Stor

e

Wha

t is th

is?

Login

Ask fo

r acc

ount

Conta

ct us

Versio

n inf

o

NOINC

Sylvain Hallé

SHOW

Cloud computingAjax web application

Sylvain Hallé


JavaScript

NOINC

Sylvain Hallé


Bee G

Beatles

Camel

Caravan

NOINC

Sylvain Hallé


Bee G

Beatles

Camel

Caravan

<a onclick=>

"javascript: findBand(’ ’)"Beatles

NOINC

Sylvain Hallé


findBand(’Beatles’)

NOINC

Sylvain Hallé



NOINC

Sylvain Hallé



artist beatles=

NOINC

Sylvain Hallé



artist beatles=

NOINC

Sylvain Hallé


document.innerHTML = findBand(’Beatles’)

artist beatles=

NOINC

Sylvain Hallé


document.innerHTML = findBand(’Beatles’)

artist beatles=

CPage is updated, not reloaded

NOINC

Sylvain Hallé



artist beatles=

CServer response only provides updated contents

document.innerHTML =

NOINC

Sylvain Hallé

SHOW

Ajax web applications: examples

Microsoft Office Live

Sylvain Hallé


eyeOS

SHOW

Sylvain Hallé


Chrome OS

SHOW

Sylvain Hallé

SHOW


Does not needto be a URL

Does not needto be HTML

Sylvain Hallé

NOINC




<Search>

</Search>

beatles

<Artist>

</Artist>

Sylvain Hallé




<SearchResults>

</SearchResults>

The Beatles Rubber Soul ...

<Item>

</Item>

<Artist>

</Artist><Title>

</Title>

<Search>

</Search>

beatles

<Artist>

</Artist>

NOINC

Sylvain Hallé

Cloud computingAjax web application<Search>

</Search>

beatles

<Artist>

</Artist> XMLThe eXtensible Markup

Language

?Nested collection ofelements

?Input/output data issemi-structured

.

.

<SearchResults>

</SearchResults>

The Beatles Rubber Soul ...

<Item>

</Item>

<Artist>

</Artist><Title>

</Title>

NOINC

Sylvain Hallé

SHOW

Cloud computingConceptually...

Sylvain Hallé


NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


NOINC

Sylvain Hallé


Web serviceWeb client

NOINC

Sylvain Hallé

SHOW

An example: the Beep Store

? tutorial application

?Fake CD catalog + web service+ web client

?Functionalities typical of applications we studied

?Examples:

Session login/logout Shopping cart operations

Purpose-built

SQLite PHPJavaScript

real-world

.

..

.

.

TheBeepStore

GO

Sign in or register

What is this?

Login

Ask for account

Contact us

Fault parameters

Search: Your Cart

Search results for ‘Beatles’

Rubber SoulThe Beatles

Yellow SubmarineThe Beatles

Sylvain Hallé

Main issue

SHOW

Possible between messages sent and messages expected

mismatch

Not like traditional programming: all input-output is exchanged unverified!

Sylvain Hallé

Defining message formats

SHOW

?

Sylvain Hallé

1.

2.

...

?


NOINC

Sylvain Hallé

1.

2.

...

<ItemSearch>

</ItemSearch> beatles<Artist> </object>


NOINC

Sylvain Hallé

<ItemSearch>


<ItemSearchResponse> <Items>

</Items></ItemSearchResponse>

Help!The Beatles

<Item>

</Item> ...

<Title> </no> <Artist> </Artist>


NOINC

Sylvain Hallé

SHOW

<ItemSearch>




Help!The Beatles

<Item>

</Item> ...


XML request

XML response


Sylvain Hallé

<ItemSearch>


ItemSearch[ [string]]Artist



Help!The Beatles

<Item>

</Item> ...


XML request

XML response


NOINC

Sylvain Hallé

<ItemSearch>



ItemSearchResponse[ [ Item[ Title[string], Artist[string] ]{0,¥} ]]

Items<ItemSearchResponse> <Items>


Help!The Beatles

<Item>

</Item> ...


XML request

XML response


NOINC

Sylvain Hallé


ItemSearchResponse[ [ Item[ Title[string], Artist[string] ]{0,¥} ]]

Items

?

!


NOINC

Sylvain Hallé

SHOW


WSDL: Web Service Description Language


CartCreate[ [int], [int], [ Item[ Title[string], Artist[string] ]{0,¥} ]]

ItemsSessionKeyItems

?

?

ItemSearchResponse[ [ Item[ Title[string], Artist[string], ]{0,¥} ]]

Items

CartCreateResponse[ [int], [int], [ Item[ Title[string], Artist[string] ]{0,¥} ]]

SessionKeyCartIdItems

!

!

. . .

Sylvain Hallé

SHOW

http://webservices.amazon.com/AWSECommerceService/AWSECommerceService.wsdl

https://www.paypal.com/wsdl/PayPalSvc.wsdl

http://api.google.com/GoogleSearch.wsdl

WSDLs for real world web services

Sylvain Hallé

SHOW

<ItemSearch>

</ItemSearch>

beatles 1234<Artist> </Artist><Bizbiz> </Bizbiz>


Sylvain Hallé

<ItemSearch>

</ItemSearch>



ItemSearch[ [string]]Artist vs.?

NOINC

Sylvain Hallé

<ItemSearch>

</ItemSearch>




NOINC

Sylvain Hallé

<ItemSearch>

</ItemSearch>




NOINC

Sylvain Hallé

SHOW

<CartCreateResponse> <SessionKey> </SessionKey> <CartId> </CartId> <Items>


1234

abc

...


Sylvain Hallé



1234

abc

...




vs.

!

NOINC

Sylvain Hallé



1234

abc

...




vs.

!

NOINC

Sylvain Hallé



1234

abc

...




vs.

!

NOINC

Sylvain Hallé

SHOW

What happened?

Sylvain Hallé

?

What happened?

NOINC

Sylvain Hallé

?

What happened?

NOINC

Sylvain Hallé

1.

2.

...

What happened?

NOINC

Sylvain Hallé

1.

2.

...

What happened?

NOINC

Sylvain Hallé

2What happened?

NOINC

Sylvain Hallé

c

What happened?

NOINC

Sylvain Hallé

2

c

What happened?

NOINC

Sylvain Hallé

What happened?

NOINC

Sylvain Hallé

?2

c

2

c

Interface contracts

All messages comply with the WSDL but...

1.

2.

...

SHOW

Sylvain Hallé

?2

c

2

c

Interface contracts

You cannot add the same itemtwice to the shopping cart


1.

2.

...

NOINC

Sylvain Hallé

?2

c

2

c

Interface contracts

???

You cannot add the same itemtwice to the shopping cart


1.

2.

...

NOINC

Sylvain Hallé

Interface contracts

???

NOINC

Sylvain Hallé

???

Interface contracts

NOINC

Sylvain Hallé

Free-form messages

Stateful interactions, stateless protocols

No uniform contract notation

Constraints at message level

XML, but that’s about it. No assumptions on nesting,degree, etc.

HTTP / SOAP define only message structureNo protocol enforces sequential constraints

Plain-text documentation... but OWL, RDF, ...

Components are black boxes (e.g. Amazon)

What are the issues?

Sylvain Hallé

The big question

SHOW

Prevent contract

violations

Sylvain Hallé

1. A priori certification

A trustworthy authority assesses the client’s compliance to the contract...

A first solution

SHOW

Testing, staticverificationetc.

Sylvain Hallé


A trustworthy authority assesses the client’s compliance to the contract...

...and grants a digital certificate

NOINC

A first solution

Sylvain Hallé


NOINC

A+

The service needs a certificate to start an exchange with a client

A first solution

Sylvain Hallé

The service needs a certificate to start an exchange with a client

Example: iPhone app certification


NOINC

A+

A first solution

Sylvain Hallé


NOINC

Z+

Problem: the client can change after certification

iPhone jailbreaking,Javascript prototype hijacking, ...

A first solution

Sylvain Hallé

Proposed approach

SHOW

2. Client-side RuntimeMonitoring

A separate process checks each message...

CONTRACT

Sylvain Hallé

A

SHOW



CONTRACT

Proposed approach

Sylvain Hallé

A

SHOW

The message is relayed to the web service proper when it complies with the contract



Proposed approach

Sylvain Hallé



SHOW

...and is discarded when it violates the contract

Proposed approach

Sylvain Hallé

A web service interacts with a web client through the exchange of semi-structured XML documents called

The service and client are generally designed by

No verification is done on the incoming and outgoing messages: possible between sent and expected messages (in both directions)

A priori checking of a client for compliance isvery hard, if not impossible

Runtime monitoring is a possible solution

messages

different organisations

mismatch

.

.

.

.

Summary (I)

SHOW

Sylvain Hallé

NOSHOW

Part Two

Interface contracts inweb applications

Sylvain Hallé

SHOW

Interface contracts

All possible sequences of all possibles messages with all possible values

Sylvain Hallé

NOINC

Interface contracts

Constraintson individualmessages

Sylvain Hallé

NOINC

Interface contracts

Constraintson sequencesConstraints

on individualmessages

Sylvain Hallé

NOINC

Interface contracts

Constraintson sequences

Data-awaresequential constraints


Sylvain Hallé

NOINC

Interface contracts

Interface contract =valid (error-free) interactions

Constraintson sequences

Data-awaresequential constraints


Sylvain Hallé

SHOW

Interface contracts

As a tutorial tool, the Beep Store’s JavaScript client can be told to ‘‘forget’’ elements of the service’s interface contract

TheBeepStore

GO

Sign in or register

What is this?

Login

Ask for account

Contact us

Fault parameters

Search: Your Cart

Fault parameters

Don’t check Results’s typeIn the detailed search form, sends an ItemSearch message withoutchecking that the Results element is an integer.

"Add to cart" enabled if item present in cartMakes the "Add to cart" button available for items that are already in theuser's cart.

Message schemas

Cart manipulations

Highlightsdocumentation

Disables theverification

Sylvain Hallé

NOSHOW

Interface contracts

Dave, my mindis going...

As a tutorial tool, the Beep Store’s JavaScript client can be told to ‘‘forget’’ elements of the service’s interface contract

Sylvain Hallé

Constraints on individual messages

Examples:

Three types of constraints (I)

SHOWSHOW

<Message> <Action>ItemSearch</Action> <Results>5</Results> <Keyword>beatles</Keyword> <Page>1</Page></Message>

Sylvain Hallé


Examples:


SHOWSHOW

1. The element must be an integer between 1 and 20.Page "/M


Sylvain Hallé


SHOWSHOW

1. The element must be an integer between 1 and 20.

2. The element is mandatory only if is present,otherwise it is forbidden.

Page

Page Results

"/M



Examples:

Sylvain Hallé

Expressing data constraints

Simple XPathFetches portions of an XML document according to aquery path = sequence of tags

: set of messages: set of XML query paths: set of atomic values

: ́ ® 2

Examples:(‘‘/a/b/c’’, m) = {1,2,4}(‘‘/a/b/d’’, m) = Æ

M

M

Q

Q

V

Vp

pp

SHOW

m

{

<a> <b> <c>1</c> <c>2</c> </b> <d> <c>9</c> </d> <b> <c>3</c> </b></a>

Sylvain Hallé


XPath termExpresses properties over values fetched by XPath expressions

For some message Î , path Î ,

" x : j(x) Û j(v) for every Î ( , )

$ x : j(x) Û j(v) for some Î ( , )

Examples:" x : x < 5/a/b/c

$ x :/a/b

$ x : " y : y £ x/a/b/c /a/b/c

m M

mq

mq

q Q

q

q

v

v

p

p

2

SHOW

<a> <b> <c>1</c> <c>2</c> </b> <d> <c>9</c> </d> <b> <c>3</c> </b></a>

m

{

Sylvain Hallé


2

SHOW



Page

Page Results

"/M


Sylvain Hallé


2

SHOW

1. " x : x > 0 Ù x < 21/Message/Page


Page Results


Sylvain Hallé


2

SHOW

1. " x : x > 0 Ù x < 21/Message/Page

2. $ x : Û $ y : /Message/Page /Message/Results


Sylvain Hallé

Constraints on message sequences

Examples:

2

SHOW

<Message> <Action> Login </Action> ...</Message>

<Message> <Action> LoginResponse </Action> ...</Message>

<Message> <Action> CartCreate </Action> ...</Message>

Three types of constraints (II)

Sylvain Hallé


Examples:

2

SHOW

3. The request cannot be resent if its response is

successful..

Login "/

"/





X

Sylvain Hallé


Examples:

2

SHOW


successful..

4. must follow a successful LoginResponse.

Login

CartCreate

"/

"/

"/





X

Sylvain Hallé

Linear Temporal Logic

Alphabet (A)Set of possible messages

Trace (A*)Sequence of messages

Sylvain Hallé

LTL formula = assertion on the of states in a tracesequence

a "always a" a "a in the next" a "eventually a"

a b "a until b"

GXF

W


G (a ® b)X (d cÚ e) WØFALSE TRUE

. . .A A EC CDB B

Sylvain Hallé

Well-known results:

1. For every LTL formula j, there exists a Büchi automaton Asuch that for every (infinite) trace s:

i.e. LTL describes languages

2. The alphabet symbols can be generalized to finite sets ofBoolean propositions

w-regular

Þ Let’s use XPath terms as our Boolean propositions


j

s |= j Û s Î L(A )j

Sylvain Hallé


Examples:

2

SHOW


successful..


Login

CartCreate

"/

"/

"/





X

Sylvain Hallé


Examples:

2

SHOW

3. (" a : a = LoginResponse ®/Message/Action

( " a’ : a’ ¹ Login))/Message/Action.


G

X G

CartCreate "/





X

Sylvain Hallé


Examples:

2

SHOW


( " a’ : a’ ¹ Login))/Message/Action.


G

X G

CartCreate "/





X

Xpath terms

Sylvain Hallé


Examples:

2

SHOW


( " a’ : a’ ¹ Login))/Message/Action

4. (" a : a ¹ CartCreate)/Message/Action

(" a’ : a’ = LoginResponse)/Message/Action

G

X G

W

.





X

Xpath terms

Sylvain Hallé

The verification can be separated in two steps


G

X

Ú

"$

$ G

F

®

1. Temporal stepDetermine termporal relationships to current message

2. Data stepEvaluate relevant XPath terms on message

Sylvain Hallé

Runtime monitoring

Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a Büchi automaton from a given LTL formula j

Benefit:

" ": automaton states are built as thetrace is readon-the-fly

Sylvain Hallé

Runtime monitoring

j


Benefit:


Sylvain Hallé

Runtime monitoring

s =

j


Benefit:


Sylvain Hallé

Runtime monitoring

s = a

j


Benefit:


Sylvain Hallé

Runtime monitoring

s = a

ja


Benefit:


Sylvain Hallé

Runtime monitoring

s = ab

ja


Benefit:


Sylvain Hallé

Runtime monitoring

s = ab

ja b

b


Benefit:


Sylvain Hallé

Runtime monitoring

s = aba

ja b

b


Benefit:


Sylvain Hallé

Runtime monitoring

s = aba

ja

a

a

b

b


Benefit:


Sylvain Hallé


Benefit:

" ": automaton states are built as thetrace is read

Dead end: formula is false

on-the-fly

Runtime monitoring

s = aba

ja

a

a

b

b

Sylvain Hallé

Runtime monitoring

Algorithm overview:

1. An LTL formula is decomposed into nodes of the form

sub-formulas thatmust be true now

sub-formulas that mustbe true in the next state

Sylvain Hallé

Algorithm overview:

1. An LTL formula is decomposed into nodes of the form

Example:

sub-formulas thatmust be true now

sub-formulas that mustbe true in the next state

Runtime monitoring

Sylvain Hallé

2. Negations pushed inside (classical identities + dual of U = V)

3. At the leaves, G contains atoms + negations of atoms:we evaluate them

Verdict:

! All leaves contain : formula is false! A leaf is : formula is true! Otherwise:

4. Next event: D copied into G and we continue

FALSEempty

Runtime monitoring

Sylvain Hallé

Example: G (a ® b)X

Runtime monitoring

Sylvain Hallé


G (a ® b)X ?

Runtime monitoring

Sylvain Hallé


G (a ® b)X ?

a ® bX G (a ® b)X?

Runtime monitoring

Sylvain Hallé


G (a ® b)X ?

Øa G (a ® b)X?

a ® bX G (a ® b)X?

Runtime monitoring

Sylvain Hallé


G (a ® b)X ?

a, X b G (a ® b)X?Øa G (a ® b)X?

a ® bX G (a ® b)X?

Runtime monitoring

Sylvain Hallé


G (a ® b)X ?

a, X b G (a ® b)X?

a G (a ® b), bX?

Øa G (a ® b)X?

a ® bX G (a ® b)X?

Runtime monitoring

Sylvain Hallé


a G (a ® b), bX?

Øa G (a ® b)X?

Runtime monitoring

Sylvain Hallé


s = a

a G (a ® b), bX?

Øa G (a ® b)X?

Runtime monitoring

Sylvain Hallé


s = a

a G (a ® b), bX?

Øa G (a ® b)X?

Runtime monitoring

Sylvain Hallé


s = a

a G (a ® b), bX?

Runtime monitoring

Sylvain Hallé


s = a

G (a ® b), bX?

Runtime monitoring

Sylvain Hallé


s = a

?G (a ® b), bX

G (a ® b), bX?

Runtime monitoring

Sylvain Hallé


s = a

a, X b, b G (a ® b)X?

a, b G (a ® b), bX?

Øa, b G (a ® b)X?

a ® b, bX G (a ® b)X?

?G (a ® b), bX

Runtime monitoring

Sylvain Hallé


s = a

a, b G (a ® b), bX?

Øa, b G (a ® b)X?

Runtime monitoring

Sylvain Hallé


s = a

a, b G (a ® b), bX?

Øa, b G (a ® b)X?

Runtime monitoring

Sylvain Hallé


s = a

Øa, b G (a ® b)X?

Runtime monitoring

Sylvain Hallé


s = ac

Øa, b G (a ® b)X?

Runtime monitoring

Sylvain Hallé


s = ac

Øa, b G (a ® b)X?

Runtime monitoring

Sylvain Hallé


s = ac

No way to extend the trace:formula is false

Runtime monitoring

Sylvain Hallé

Data-aware sequential constraints

Examples:

2

SHOW

5. There can be at most one active cart ID per session key."/

Three types of constraints (III)

<Message> <SessionKey>123</SessionKey> <CartId>789</CartId> ...</Message>


Sylvain Hallé


Examples:

2

SHOW

5. (" k : " c : /Message/SessionKey /Message/CartId

(" k’ : " c’ : /Message/SessionKey /Message/CartId

k = k’ ® c = c’))

G

G




Sylvain Hallé


Examples:

2

SHOW



k = k’ ® c = c’))

G

G




Sylvain Hallé



2

SHOW



k = k’ ® c = c’))

G

G

Sylvain Hallé


·XPath terms and temporal operators aremixed

.

·Not just ‘‘LTL with syntactical sugar’’.

·Not just a pathological case



k = k’ ® c = c’))

G

G


2

SHOW

G

G

"

"

k

Sylvain Hallé


Examples:

2

SHOW

6. You cannot add the same item twice to the shopping cart."/


<Message> <Action>CartAdd</Action> <Items> <Item> <ItemId>567</ItemId> ...


X

Sylvain Hallé


Examples:

2

SHOW

6. (" a : a = CartAdd ®/Message/Action

" i : (" a’ :/Message/ItemId /Message/Action

a’ = CartAdd ® " i’ : i ¹ i’ ))/Message/ItemId

G

X G




X

Sylvain Hallé

Quantification must be relative to the values in the current message, and not the whole set V of possible values!

Example: ‘‘In every message, the a parameter must equal the b parameter’’. Suppose V = {1,2}, and classical first-order quantification.

Runtime monitoring

" x : " y : x = ya b

(" y : 1 = y) Ù (" y : 1 = y)b b

( 1 = 1) Ù ( 1 = 2) Ù ( 1 = 1) Ù ( 1 = 2)

Contradiction

G

G G

G G G G

Sylvain Hallé

LTL-FO+

current

(Hallé & Villemaire, EDOC 2008)Extension of LTL with (limited) first-order quantification on message elements

·Boolean and LTL operators keep their original meaning·An XPath term is always meant to refer to the

message in the trace

Runtime monitoring

Sylvain Hallé

Adaptation of the runtime monitoring algorithm to handle LTL-FO+:

1. Atoms become equality tests

2. Decomposition rules for quantifiers

(and vice versa)

Runtime monitoring

Sylvain Hallé

SHOW

Six constraints for the Beep Store

Data-aware constraints



Sylvain Hallé

SHOW




Page

Page Results



Sylvain Hallé

SHOW




3. The request cannot be resent if its response issuccessful.


Page

Page Results

Login

CartCreate


Sylvain Hallé



3. The request cannot be resent if its response issuccessful.


5. There can be at most one active cart ID per session key.

6. You cannot add the same item twice to the shopping cart.

Page

Page Results

Login

CartCreate

SHOW


Sylvain Hallé

SHOW

Why are web service contracts special?

1. Presence of data-aware constraints

·Cannot separate data part from temporal partin specification AND enforcement

2. Complex messages

·Arbitrary nested structure·Cannot say ‘ ItemId’’:

there are many!·Rules out languages that

merely freeze a value in avariable

‘the

<Message> <Action>CartAdd</Action> <Items> <Item> <ItemId>567</ItemId> ... </Item> <Item> <ItemId>789</ItemId> ... </Item> ... </Items></Message>

Sylvain Hallé

Enforcing interface contracts at runtime

NOINC

XMLHttpRequest

·JavaScript object·Provided by the browser·All communications to monitor

already centralized: ‘‘no’’instrumentation

Sylvain Hallé


NOINC

XMLHttpRequestBB

Sylvain Hallé


NOINC

XMLHttpRequestBB

XMLHttpRequestLTL-FO+algorithm

·Wrapper around original·Provides same methods·Checks messages before

relaying them

Sylvain Hallé

Add BeepBeep to an application

myapplication.html

<html><head><title></title><script type=" " href=" "/>

</head><body>

</body></html>

My Application

...

text/javascriptmyapplication.js

?

�Include BeepBeep

Copy BeepBeep in the application's directoryhttp://beepbeep.sourceforge.net

Sylvain Hallé


myapplication.html


</head><body>

</body></html>

My Application

...


<script type="text/javascript" href="beepbeep.js"/>

?

�Include BeepBeep


Sylvain Hallé


myapplication.html myapplication.js


</head><body>

</body></html>

My Application

...



// Initializations

= ();

(){

( );}

...

req XMLHttpRequest

...

abc

... req. some_message

new

function

send

?

�Include BeepBeep


Sylvain Hallé


beepstore.html beepstore.js


</head><body>

</body></html>

My Application

...



// Initializations

= ();

(){

( );}

...

req

...

abc

... req. some_message

new

function

send

XMLHttpRequestBB

Include BeepBeep

?

�


Sylvain Hallé

Create a with LTL-FO+ formulascontract file ?


# -------------------------------------------------------# BeepBeep contract file for the Beep Store# -------------------------------------------------------

% The element Page must be an integer between 1 and 20.

% The element Page is mandatory only if Results is present, otherwise it is forbidden.

% The Login request cannot be resent if its response is successful.

; ( p /Message/Page (((p) > ({0})) ((p) < ({21}))))

; ( a /Message/Action (((a) = ({ItemSearch})) ( (( r /Message/Results ({TRUE}))

( p /Message/Page ({TRUE}))) (( p /Message/Page ({TRUE})) ( r /Message/Results ({TRUE}))))))

; ( a /Message/Action (((a) ({LoginResponse})) ( ( ( b /Message/Action ( ((b) ({Login}))))))))

G

G

GX G

[ ]

[ ]< >< >

< >< >

[ ][ ]

&

->->

&->

= ->! =

Caption: usedwhen violationsare discovered

Plain-textLTL-FO+(automaticallyparsed)

}

Sylvain Hallé


When loading the application, BeepBeep starts as a smallJava applet inside the page

TheBeepStore

GO

Sign in or register

What is this?

Login

Ask for account

Contact us

Fault parameters

Search: Your Cart




�

?/?/?/?/?/?:0:0

Sylvain Hallé


When loading the application, BeepBeep starts as a smallJava applet inside the page

TheBeepStore

GO

Sign in or register

What is this?

Login

Ask for account

Contact us

Fault parameters

Search: Your Cart




�

?/?/?/?/?/?:0:0

Sylvain Hallé

BeepBeep’s visible interface

?/?/?/?/?/?:0:0

Current state of monitorfor each property

Number ofmessagesprocessed

Cumulativeprocessingtime (in ms)

T: last message made it truet: is trueF: last message made it falsef: is false?: not yet true/false

Sylvain Hallé

An interface contract provides constraints cover the of each XML message, their and their

An extension of Linear Temporal Logic including a limited form of quantification over message elements specifies them

of these constraints can be doneefficiently, even with quantification

BeepBeep is a tool that allows it with on real applications

formatcontents ordering

Runtime monitoring

minimal modifications

http://beepbeep.sourceforge.net/

Summary (II)

SHOW

Sylvain Hallé

Bounded-memory fragments of LTL

The forward-only fragment of LTL(Hallé & Villemaire, SAC 2009)

Applications to runtime monitoring of Java programs

Java-MOP plugin under construction

Symbolic (rather than explicit) handling of quantification

LTL with past operators

Standard web service mechanism for interface contracts?

.

.

SHOW

Open issues and interesting questions

Sylvain Hallé


SHOW

In client-side monitoring...

NOINC

10

Sylvain Hallé


SHOW

In client-side monitoring...

NOINC

...the server has no guarantee that monitoring actually takes place

ZZ

Z

10

Sylvain Hallé

In server-side monitoring...

NOINC

9


Sylvain Hallé

In server-side monitoring...

NOINC

Too many clients may overwhelm the server’s verification process

9


Sylvain Hallé

Processing savings ofclient-side monitoring

SHOW

Guarantees of server-sidemonitoring

11


Sylvain Hallé

Processing savings ofclient-side monitoring

SHOW

11


COOPERATIVERUNTIME MONITORING

Best paper award

S. Hallé, Cooperative runtime monitoringof LTL Interface Contracts. Proc. EDOC 2010.Guarantees of server-side

monitoring

COOPERATIVERUNTIME MONITORING

Technology

Runtime Verification for the Web (RV 2010 Tutorial)