MOP: An Efficient and Generic Runtime Verification Framework
Feng Chen and Grigore Rosu
University of Illinois at Urbana-Champaign
OOPSLA’07 – 25 Oct 2007
MOP – Grigore Rosu 2
Monitoring of Formal Specifications in Software
Runtime verification (RV 2001 – 2007)
– Observe a run of the system
  • Instrumentation
– Check it against desired properties
  • Explicit or implicit properties
– React/report if needed
  • Error messages, throw exceptions, recover

Runtime Verification Systems
• ≤ 2001: MAC (UPenn), PAX* (NASA), TimeRover (commercial)
• 2002–2004: HAWK/Eagle (NASA), MOP* (UIUC), POTA (UTA)
• ≥ 2005: PQL (Stanford), Tracematches (Oxford), PTQL, PEX (Microsoft), MOP* (added universal parameters, more logics)

Overview
• What is MOP: Philosophy, Examples, Features
• Decentralized Monitors and Indexing
• Experiments and Evaluation
• Current limitations
• Conclusions and future work

Monitoring-Oriented Programming (MOP)*
http://fsl.cs.uiuc.edu/mop
– proposed in 2003 – RV’03, ICFEM’04, RV’05, CAV’05, TACAS’05, CAV’06, CAV’07…
*(not to be confused with Meta-Object Protocol)

What is MOP?
• A framework where the benefits of monitoring specifications may encourage us to use them
– Monitoring is a basic design discipline
– Recovery is allowed and encouraged
– Provides to programmers, and hides under the hood, a large body of formal methods knowledge/techniques
– Generic for different application domains
• Tool supported
– JavaMOP – “compiles” MOP for Java into AspectJ

JavaMOP Example: “Enforce authentication before use”
```
class Resource {
  /*@ scope = class
      logic = PTLTL {
        Event authenticate: end(exec(* authenticate()));
        Event use: begin(exec(* access()));
        Formula : use -> <*> authenticate
      }
      violation Handler { @this.authenticate(); }
  @*/
  void authenticate() {...}
  void access() {...}
  ...
}
```
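As an added illustration (not code from the slides or from JavaMOP, which generates AspectJ), here is how a past-time LTL monitor in the style of the MOP PtLTL plugin evaluates `use -> <*> authenticate` event by event, with a recovery handler standing in for `@this.authenticate()`. The formula encoding, the class and the event names are assumptions of this example.

```python
# Added example, not from the JavaMOP slides: a past-time LTL (PtLTL) monitor
# in the style of the MOP PtLTL plugin. A formula is a nested tuple; the monitor
# remembers the value of every temporal subformula at the previous event and
# recomputes all subformulas bottom-up on each new event (one step, no trace).
#   ("atom", name)                       the current event is `name`
#   ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g)
#   ("ev", f)        <*> f : f held at some point so far (including now)
#   ("al", f)        [*] f : f held at every point so far (including now)
#   ("since", f, g)  f S g : g held at some point and f has held ever since

class PtLTLMonitor:
    def __init__(self, formula, violation_handler=None):
        self.formula = formula
        self.prev = {}                      # subformula -> value at the previous event
        self.violation_handler = violation_handler
        self.violations = 0

    def _eval(self, f, event, now):
        if f in now:                        # already computed for this event
            return now[f]
        op = f[0]
        if op == "atom":
            val = f[1] == event
        else:
            # Evaluate every subformula eagerly (no short-circuiting) so the
            # temporal state of each operator is refreshed on every event.
            subs = [self._eval(g, event, now) for g in f[1:]]
            if op == "not":
                val = not subs[0]
            elif op == "and":
                val = subs[0] and subs[1]
            elif op == "or":
                val = subs[0] or subs[1]
            elif op == "imp":
                val = (not subs[0]) or subs[1]
            elif op == "ev":                # f now, or <*> f one step ago
                val = subs[0] or self.prev.get(f, False)
            elif op == "al":                # f now, and [*] f one step ago
                val = subs[0] and self.prev.get(f, True)
            elif op == "since":             # g now, or (f now and f S g one step ago)
                val = subs[1] or (subs[0] and self.prev.get(f, False))
            else:
                raise ValueError("unknown operator %r" % (op,))
        now[f] = val
        return val

    def step(self, event):
        """Feed one event; return True if the formula holds at this point."""
        now = {}
        ok = self._eval(self.formula, event, now)
        self.prev = now                     # this event's values become "previous"
        if not ok:
            self.violations += 1
            if self.violation_handler is not None:
                self.violation_handler(self)
        return ok

# The slide's property: use -> <*> authenticate
AUTH_BEFORE_USE = ("imp", ("atom", "use"), ("ev", ("atom", "authenticate")))

def recover_by_authenticating(monitor):
    # Stands in for the slide's "@this.authenticate()" handler; the recovery
    # call is itself an authenticate event, so the monitor observes it.
    monitor.step("authenticate")

def run_trace(trace, handler=None):
    """Per-event verdicts for a constructed trace of event names."""
    m = PtLTLMonitor(AUTH_BEFORE_USE, handler)
    return [m.step(e) for e in trace]
```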

JavaMOP Example: Correcting method matching
Method openRegKey should be followed by closeRegKey, not by closeHandle
```
/*@ scope = class logic = ERE {
  Event openRegKey: end(exec(* openRegKey()));
  Event closeHandle: begin(exec(* closeHandle()));
  Formula : (openRegKey closeHandle)*
} validation handler { @this.closeRegKey(); return; }
@*/
```

JavaMOP Example: Profiling
How many times is a file opened, written to, and then closed?
```
/*@ scope = class logic = ERE [ int count = 0; int writes = 0; ] {
  Event open  : end(call(* open(..)))  { writes = 0; };
  Event write : end(call(* write(..))) { writes ++; };
  Event close : end(call(* close(..)));
  Formula : (open write+ close)*
} violation handler { @RESET; }
  validation handler {
    count ++; File2.log(count + ": " + writes);
  }
@*/
```
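As an added example (not from the slides or from JavaMOP), the following Python sketches how an ERE monitor can be synthesized generically: the monitor state is the remaining pattern and each event advances it by a Brzozowski derivative; validation fires when the state accepts the trace so far and violation when it becomes empty. It then runs the profiling spec above, including its monitor variables and handlers; the pattern encoding and function names are assumptions of this example.

```python
# Added example, not from the JavaMOP slides: an ERE monitor that keeps the
# remaining pattern as its state and advances it by Brzozowski derivatives.
# Pattern AST as tuples: ("sym", name), ("cat", r, s), ("alt", r, s),
# ("star", r), ("plus", r); EMPTY matches no trace, EPS only the empty trace.
EMPTY = ("empty",)
EPS = ("eps",)

def nullable(r):
    """True if r accepts the empty trace: the trace so far is a full match."""
    op = r[0]
    if op == "cat":
        return nullable(r[1]) and nullable(r[2])
    if op == "alt":
        return nullable(r[1]) or nullable(r[2])
    if op == "plus":
        return nullable(r[1])
    return op in ("eps", "star")

def cat(r, s):                                      # smart constructors keep
    if r == EMPTY or s == EMPTY:                    # states small and canonical
        return EMPTY
    if r == EPS:
        return s
    return r if s == EPS else ("cat", r, s)

def alt(r, s):
    if r == EMPTY or r == s:
        return s
    return r if s == EMPTY else ("alt", r, s)

def deriv(r, a):
    """Derivative of r by event a: the traces w such that a then w matches r."""
    op = r[0]
    if op in ("empty", "eps"):
        return EMPTY
    if op == "sym":
        return EPS if r[1] == a else EMPTY
    if op == "alt":
        return alt(deriv(r[1], a), deriv(r[2], a))
    if op == "cat":
        d = cat(deriv(r[1], a), r[2])
        return alt(d, deriv(r[2], a)) if nullable(r[1]) else d
    if op == "star":
        return cat(deriv(r[1], a), r)
    return cat(deriv(r[1], a), ("star", r[1]))      # plus: r+ = r r*

class EREMonitor:
    def __init__(self, pattern, on_validation=None, on_violation=None):
        self.pattern = self.state = pattern
        self.on_validation, self.on_violation = on_validation, on_violation

    def step(self, event):
        self.state = deriv(self.state, event)
        if self.state == EMPTY:                     # no continuation can match
            if self.on_violation:
                self.on_violation(self)
            self.state = self.pattern               # the slide's @RESET
            return "violation"
        if nullable(self.state):                    # trace so far is a match
            if self.on_validation:
                self.on_validation(self)
            return "validation"
        return "pending"

# Profiling spec from the slide: (open write+ close)* with variables count, writes.
OPEN_WRITE_CLOSE = ("star", ("cat", ("sym", "open"),
                             ("cat", ("plus", ("sym", "write")), ("sym", "close"))))

def profile(trace):
    """Return (count, log lines) for a constructed open/write/close event trace."""
    mv = {"count": 0, "writes": 0}                  # monitor variables
    log = []
    def on_validation(_m):                          # validation handler
        mv["count"] += 1
        log.append("%d: %d" % (mv["count"], mv["writes"]))
    m = EREMonitor(OPEN_WRITE_CLOSE, on_validation=on_validation)
    for e in trace:
        if e == "open":                             # event-triggered actions
            mv["writes"] = 0
        elif e == "write":
            mv["writes"] += 1
        m.step(e)
    return mv["count"], log
```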

Multi-Parameter Specifications
• Until now, MOP was limited to one-parameter specifications; the examples above showed only such specifications: parameter = current object
• Because of that restriction, monitor states were always stored as fields in the monitored objects in MOP
• The situation is more complex for multiple-parameter specifications …

Fail Fast Iterators in Java
• The following code throws an exception in Java:
```java
Vector v = new Vector();
v.add(new Integer(1));
Iterator i = v.iterator();
v.add(new Integer(2));   // structural modification after the iterator was created
i.next();                // fail-fast check: throws ConcurrentModificationException
```
• No exception is raised if one uses Enumeration instead of Iterator
– Java language decision, showing that properties referring to sets of objects are important

JavaMOP Example: Safe Enumeration
• (borrowed from Tracematches)
– We thank the Tracematches team for their useful collection of regular pattern properties!
• Safety property:
– If nextElement() is invoked on an enumeration object, then the corresponding collection (vector) is not allowed to change after the creation of the enumeration object
create next* updatesource+ next

Multiple Parameters in JavaMOP: Safe Enumeration
```
/*@ scope = global
    logic = ERE
    SafeEnum(Vector v, Enumeration+ e) {
      Event create<v,e>     : end(call(Enumeration+.new(v, ..))) with e;
      Event updatesource<v> : end(call(* v.add*(..))) \/ … ;
      Event next<e>         : begin(call(Object e.nextElement()));
      Formula : create next* updatesource+ next
    }
    validation handler { System.out.println("Error ..."); }
@*/
```
JavaMOP generates >200 AspectJ LOC from the above

MOP Features: Extensible logic framework
• Observation: no silver-bullet logic for specs
• MOP logic plugins (the “How”): encapsulate monitor synthesizers; so far we have plugins for
– ERE (extended regular expressions)
– PtLTL (past-time LTL) and FtLTL (future-time LTL)
– ATL (Allen temporal logic)
– JML (fragment of the Java Modeling Language)
– NEW: CFG and ptCaRet plugins (need stack)
• Generic universal parameters
– Allow monitor instances per groups of objects

MOP Features: Configurable monitors
Working scope (the “Where”)
– Check point: check spec at a defined place
– Method: pre/post condition
– Class: check spec everywhere during object lifetime
– Interface: check spec at boundaries of methods
– Global: may refer to more than one object
Running mode
– Inline: shares resources with the application
– Outline: communicates with the application via sockets
– Offline: generated monitor has random access to a log

MOP Features: Programmable Actions
• Monitor variables
• Event-triggered actions (any code)
• Violation/validation handlers (any code)
• Logic-based AOP instance
– Aspects are formal specifications
– MOP aim: generate optimal AOP code

Decentralized Monitoring/Indexing (works only for inline MOP)
• The problem: how to monitor a universally quantified specification efficiently!
∀(v,e): create next* updatesource+ next, over the events create<v,e>, updatesource<v>, next<e>

“Super-Logic” Approach
• Eagle, PQL, PTQL, Tracematches, …
• Choose a universally quantified logic
• Devise monitor synthesizers for it: from a formula quantified over parameters (p) directly to a monitor Mon(p)
• Doable in MOP, too, but against its spirit
– Logic plugins only know how to generate monitors for the unquantified formula
– No relationship between the monitors for the formula and for its version quantified over (p)

MOP’s Decentralized Monitors
Monitor instances (one per parameter instance): Mp1, Mp2, Mp3, … Mp1000

Indexing …
• The next problem: how can we retrieve all needed monitor instances efficiently?
(figure: an updatesource<v> event must be delivered to every instance bound to v, e.g. Mv,e1, Mv,e2, …, among the instances Mp1 … Mp1000)
• A naïve implementation can be very inefficient (both time- and memory-wise)

MOP’s Centralized Indexing
• One index tree per parameter set
• Weak references
SafeEnum events: create<v,e>, updatesource<v>, next<e>

MOP’s Decentralized Indexing
• Monitors scattered all over the code
• Monitor states piggybacked onto object states
SafeEnum events: create<v,e>, updatesource<v>, next<e>
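The SafeEnum specification and the indexing problem of the preceding slides, as an added example that is not code from the slides or from JavaMOP: one monitor instance per (v, e) binding, with per-parameter indexes held through weak references so that an `updatesource<v>` event reaches every enumeration over `v` and instances vanish once their enumeration is unreachable. The `Vec`/`Enum` classes are constructed stand-ins for `Vector`/`Enumeration`, and the automaton is hand-coded from the slide's pattern rather than synthesized.

```python
# Added example, not from the JavaMOP slides: parametric monitoring of SafeEnum
# with one instance per (v, e) and weak-reference indexes per parameter.
# Vec/Enum are constructed stand-ins for Vector/Enumeration.
import gc
import weakref

# Hand-coded automaton for  create next* updatesource+ next
# states: 0 start, 1 created (next* allowed), 2 source updated, 3 matched, -1 dead
TRANSITIONS = {(0, "create"): 1, (1, "next"): 1, (1, "updatesource"): 2,
               (2, "updatesource"): 2, (2, "next"): 3}

class SafeEnumMonitor:
    def __init__(self):
        self.state = 0
    def step(self, event):
        self.state = TRANSITIONS.get((self.state, event), -1)
        return self.state == 3                       # pattern matched = bug found

class ParametricMonitor:
    """Routes create<v,e>, updatesource<v> and next<e> to the bound instances."""
    def __init__(self):
        self.by_e = weakref.WeakKeyDictionary()      # e -> [monitors]  (owning refs)
        self.by_v = weakref.WeakKeyDictionary()      # v -> WeakSet of monitors
        self.reports = []
    def create(self, v, e):
        m = SafeEnumMonitor()
        m.step("create")
        self.by_e.setdefault(e, []).append(m)
        self.by_v.setdefault(v, weakref.WeakSet()).add(m)
    def updatesource(self, v):
        for m in list(self.by_v.get(v, ())):         # every enumeration over v
            m.step("updatesource")
    def next(self, e):
        for m in self.by_e.get(e, ()):
            if m.step("next"):
                self.reports.append("Error: nextElement() after source update")
    def live_instances(self):
        return sum(len(s) for s in self.by_v.values())

class Vec:                                           # instrumented Vector stand-in
    def __init__(self, mon):
        self.mon, self.items = mon, []
    def add(self, x):
        self.items.append(x)
        self.mon.updatesource(self)                  # updatesource<v>
    def elements(self):
        return Enum(self)

class Enum:                                          # instrumented Enumeration stand-in
    def __init__(self, v):
        self.v, self.i = v, 0
        v.mon.create(v, self)                        # create<v,e>
    def nextElement(self):
        self.v.mon.next(self)                        # next<e>
        x = self.v.items[self.i]
        self.i += 1
        return x

def demo():
    """Return (reports, live instances before and after the enumerations are dropped)."""
    mon = ParametricMonitor()
    v = Vec(mon)
    v.add(1)
    e1, e2 = v.elements(), v.elements()              # two instances share parameter v
    e1.nextElement()                                 # allowed: no update yet
    v.add(2)                                         # reaches both instances via by_v
    e1.nextElement()                                 # matched -> report
    e2.nextElement()                                 # matched -> report
    before = mon.live_instances()
    del e1, e2
    gc.collect()                                     # weak index entries go away
    return len(mon.reports), before, mon.live_instances()
```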

The JavaMOP Implementation
Short story:
1. Parse the MOP specifications
– Generate all monitors using the logic plugins
– Find instrumentation points
2. Generate standard AspectJ code
3. Weave everything (observation, monitoring, handlers) together using the AspectJ compiler

MOP Evaluation on DaCapo: Statistics

MOP Evaluation on DaCapo: Runtime Overhead
Summary: MOP runtime overhead larger than 10% in only 8% of programs

Evaluation of MOP on TM
• MOP is generic (logic, etc.), but its generality does not come at a performance cost!
• The following programs are part of Tracematches’ (TM) benchmarks (hand optimized by TM)

Limitations of the Current Implementation of JavaMOP
• No nested or existential parameters
• Monitor-creating events must contain all the parameters of the specification
• No support for real-time
• Inherits the limitations of AspectJ
– Would like to have dynamic aspects …
– Though shouldn’t miss events that trigger actions

Conclusions and Future Work
• MOP is a generic, yet efficient RV framework
• Experiments showed that RV is feasible
• Proposed a logic-independent approach to support universally quantified specifications
– With both centralized and decentralized indexing
• Future work
– Use MOP for improved and rigorous testing
  • Test case generation, sliced causality
– Real-time logic plugins
– Static analysis (plugins) to reduce runtime overhead

Related Work
Extensively discussed in the paper
• Programming languages
– PQL (Lam et al., OOPSLA ’05)
– Tracematches (de Moor et al., OOPSLA ’05, ’07)
– PTQL (Goldsmith et al., OOPSLA ’05)
• Runtime verification
– MAC (Lee et al., RV ’01)
– PAX* (Havelund, Rosu, RV ’01)
– TimeRover (Drusinski, RV ’02)
– HAWK/Eagle (Barringer et al., VMCAI ’04)
– PEX (Schulte, Tilman; Microsoft)
Backup slides

Application to Verification
Here is an MOP approach to validate a sorting program:
```
/*@ logic = JML {
      ensures isSorted(array);
    } Violation Handler {
      insertionSort(array);
    }
@*/
```
(figure: FancySort → isSorted? → Yes: done; No: InsertionSort)

Monitoring-based Verification?
Monitor & Recover: presumably reduces the complexity of program verification
(figure: architecture with a Complex Component (correct or incorrect), a Monitor, and a Simple Component)
φp = φc & (φm \/ φs)
– φc: array elements unchanged
– φm: is sorted?
– φs: correct sorting
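The sorting architecture of the two slides above, as an added example (not code from the slides): a constructed "complex component" `fancy_sort` with a deliberate bug, the trusted simple component `insertion_sort`, and a wrapper that checks φm (sorted) together with the common property φc (elements unchanged) and falls back to the simple component on violation, as the JML spec's violation handler does. Function names and the injected bug are assumptions of this example.

```python
# Added example, not from the slides: "monitor and recover" around a sorting
# routine, following  phi_p = phi_c & (phi_m \/ phi_s).
from collections import Counter

def is_sorted(xs):                  # phi_m: the monitored postcondition
    return all(xs[i] <= xs[i + 1] for i in range(len(xs) - 1))

def same_elements(xs, ys):          # phi_c: output is a permutation of the input
    return Counter(xs) == Counter(ys)

def insertion_sort(xs):             # phi_s: the simple, trusted component
    out = list(xs)
    for i in range(1, len(out)):
        x, j = out[i], i - 1
        while j >= 0 and out[j] > x:
            out[j + 1] = out[j]
            j -= 1
        out[j + 1] = x
    return out

def fancy_sort(xs):
    # Constructed "complex component" with a deliberate bug: elements equal to
    # the pivot are dropped, so the output is sorted but loses duplicates.
    if len(xs) <= 1:
        return list(xs)
    p, rest = xs[0], xs[1:]
    return fancy_sort([x for x in rest if x < p]) + [p] + \
        fancy_sort([x for x in rest if x > p])

def monitored_sort(xs):
    """Return (result, recovered). Checking phi_m alone would miss the bug above;
    phi_c is what catches it, which is why both are in phi_p."""
    out = fancy_sort(xs)
    if is_sorted(out) and same_elements(xs, out):
        return out, False
    return insertion_sort(xs), True  # violation handler: use the simple component
```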

Why Monitoring I
• Monitoring is well adopted in many engineering disciplines
– Fuses, watchdogs, fire alarms, etc.
• Monitoring adds redundancy
– Increases reliability, robustness and confidence in correct behavior; reduces risk

Why Monitoring II
• Ideally, one would like to prove a program correct with respect to its specification …
– Known to be hard
• Provably correct systems can fail, too
– Unexpected environment, wrong/strong assumptions, hardware or OS errors, etc.

MOP Conceptual Instances: MOP[logic, working-scope, running-mode]
• JPaX = MOP[LTL, class, outline/offline] – NASA (joint work with Havelund)
• TemporalRover = MOP[MiTL, class, inline] – Commercial (Drusinski)
• MAC = MOP[PastLTL, class, inline/outline] – UPenn (Lee, Sokolski, ...)
• Hawk = MOP[Eagle, global, inline] – NASA (Havelund and collaborators)
• Tracematches = MOP[RegExp, global, inline] – Oxford (de Moor and students)
• PQL = MOP[CFG, global, inline] – Stanford (Lam and students)
• PTQL = MOP[SQL, global, outline] – Berkeley, Stanford (Aiken and students)

Why “Monitoring-Oriented”?
• We think one can write reliable programs if one adopts a “monitor and recover” style
– Not a substitute for writing good code upfront
– Write good code, but, “just in case”, also say what to do if requirements are violated/validated
• MOP tools provide support for that
• … may reduce the complexity of verification: prove what is easy, monitor the rest

MOP Approach to Monitoring: Divide & Conquer
• What properties/specifications to check?
– Combine formal specification and implementation
• Where to check it?
– Automatic monitor integration
  • Currently using Aspect-Oriented Programming
• How to express the property?
– Declarative, automatic monitor synthesis
• What if the specification is violated or validated?
– Execute user-provided “recovery” code