Definitions of Logical Causality for Log Analysis

SLIDE 1

Definitions of Logical Causality for Log Analysis

Gregor Gössler¹

Joint work with Daniel Le Métayer¹ and Jean-Baptiste Raclet²

¹ INRIA Grenoble – Rhône-Alpes, France

² IRIT - CNRS, Toulouse, France

Synchron 2011

GG, DLM, and JBR (INRIA/IRIT) Logical Causality 1 / 1

SLIDE 2

LISE: Liability Issues in Software Engineering

Objectives

General objective of the LISE project: Provide a set of methods and tools (both legal and technical) to

  • Define liability in a precise and unambiguous way
  • Establish liability in case of failure

Scope:

  • Contractual framework (not tort law)
  • Liability for software defects (not intellectual property infringements)

Priority: settle liability issues in an amicable way.

SLIDE 3

Context

  • A component-based system: components are provided by different vendors.
  • Each component Ci is equipped with a contract (Ai, Gi): used according to Ai, Ci promises to behave like Gi.
  • Components are black boxes: only the contracts are known, not the implementation; implementations may violate their contract.
  • Interactions between components are logged; logs may be distributed.

Problem:

Define notions of causality between contract violations that can be used to establish liability of the component vendors.

SLIDE 4

Causality in distributed systems

[Figure: components A, B, C; events e1, e2, e3, e4; failure f; violation v]

Lamport causality ≺ is too weak for our needs: f ≺ v does not mean that failure f causes the violation v of the specification of C. Lamport causality is a necessary but not sufficient condition for causality between contract violations.

SLIDE 5

Contracts

Contract C = pair of automata (A, G). C specifies under which assumption A the component provides guarantee G. ⇒ clean specification and limitation of the responsibilities of components.

Example (Contract satisfaction)

A: a cannot reoccur before b
G: c never occurs

[Figure: automata for A and G, with transitions labelled a, b, c]

tr: a b a a c c ⊭ A but ⊨ C = (A, G)
tr′: a b c a ⊨ A and ⊭ G, thus ⊭ C
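The contract-satisfaction example above as a runnable check. This is an added illustration, not code from the slides or from the Loca tool. The transition tables for A and G are reconstructed from their one-line descriptions, and the check assumes the guarantee is only owed up to the first violation of the assumption, a reading the two traces are consistent with but do not fix.

```python
# Automata as partial transition tables {(state, event): next_state}; an event
# with no transition from the current state is a violation. Both tables are
# reconstructed from the slide's prose descriptions (an assumption).
ASSUMPTION_A = {  # "a cannot reoccur before b": state 1 = an a is pending
    (0, "a"): 1, (0, "b"): 0, (0, "c"): 0,
    (1, "b"): 0, (1, "c"): 1,
}
GUARANTEE_G = {(0, "a"): 0, (0, "b"): 0}  # "c never occurs"


def first_violation(automaton, trace, start=0):
    """Index of the first event the automaton rejects, or None if it accepts."""
    state = start
    for index, event in enumerate(trace):
        if (state, event) not in automaton:
            return index
        state = automaton[(state, event)]
    return None


def check_contract(trace):
    """Return (trace |= A, trace |= G, trace |= C) for C = (A, G).

    Assumed semantics: C is violated only if G breaks while A has not been
    broken yet, i.e. the component is not liable once it was misused.
    """
    bad_a = first_violation(ASSUMPTION_A, trace)
    bad_g = first_violation(GUARANTEE_G, trace)
    contract_ok = bad_g is None or (bad_a is not None and bad_a < bad_g)
    return bad_a is None, bad_g is None, contract_ok


tr = "a b a a c c".split()      # trace tr from the slide
tr_prime = "a b c a".split()    # trace tr' from the slide

if __name__ == "__main__":
    for name, trace in (("tr", tr), ("tr'", tr_prime)):
        print(name, check_contract(trace))
```

The index returned by `first_violation` is also the log position an analyst would cite as the point where a component left its contract.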

SLIDE 6

Causality in Contract Violation: Overview

[Figure: components B1, B2, B3 with observed traces tr1, tr2, tr3 and contracts (A1, G1), (A2, G2), (A3, G3), under the system-level contract C = (A, G)]

Hypothesis

If the implementations Bi of all components are correct, then C is respected. ⇒ Any contract violation is due to some faulty implementation Bi.

SLIDE 13

Logical Causality from Component Trace to Failure

Necessary Causality

Definition (Necessary causality)

$Tr \nearrow_n C$ if

[Figure, built up over three slides. First step: observed traces tr1, ..., trn with ∃ tr ∈ Tr, ⊭ Ck and ⊭ C. Last step: ∀ consistent tr′, with Tr ⊨ Ck, ⊨ C.]

SLIDE 16

Logical Causality from Component Trace to Failure

Necessary Causality

Given:

  • $(tr_1, \dots, tr_n)$: vector of observed traces
  • $Tr \subseteq \{tr_1, \dots, tr_n\}$: set of traces to be analyzed jointly

Definition (Necessary causality)

$Tr$ is a necessary cause of the violation of $C$ if $\exists tr \in Tr : tr \nearrow C$ and

$$\forall tr' : \Big( \forall j \in \{1, \dots, n\} \setminus I : \pi_j(tr') = tr_j \;\wedge\; \forall k \in I : \pi_k(tr') \models C_k \Big) \implies tr' \models C$$

where $I = \{ i \mid tr_i \in Tr \wedge tr_i \not\models C_i \}$.

SLIDE 17

Logical Causality from Component Trace to Failure

Sufficient Causality

Definition (Sufficient causality)

$Tr \nearrow_s C$ if

[Figure, built up over three slides. First step: observed traces tr1, ..., trn with ∃ tr ∈ Tr, ⊭ Ck and ⊭ C. Last step: ∀ consistent tr′, with Tr, ⊨ C1, ..., ⊨ Cn, ⊭ C.]

SLIDE 20

Properties

Property (Soundness)

Necessary and sufficient causality are sound:

1. Any (necessary or sufficient) cause contains at least one component trace violating its contract.

2. Any minimal set of traces forming a cause only contains traces violating the component contracts.

Property (Completeness)

Every violation of the system-level contract has a necessary and a sufficient cause.

Remark

Causality defined on contracts and observed traces, not implementations.

SLIDE 21

Example 1: Adaptive Cruise Control

[Figure: adaptive cruise control architecture with the components ACC, Switch, SLD, Sensor, HMI, TS, BS, Radar, OR and Clock, and the signals between them]

SLIDE 22

Example 1: Adaptive Cruise Control

[Figure: detail of the OR, ACC and Radar components and the signals between them]

  • Obstacle recognition (OR), GOR: “output 1 time unit after sensing”
  • Adaptive Cruise Control (ACC), GACC: “output 1 time unit after latest input”
  • Global guarantee G: “ACC output at most 3 time units after data acquisition”

SLIDE 23

Example 1: Adaptive Cruise Control

Two necessary causes

Consider the following trace excerpts:

OR: ..., or_i, tck, tck, or_o, tck, tck, ...
ACC: ..., tck, tck, accs_i, tck, tck, accb_o, ...

Both OR and ACC violate their contracts (∆OR = 2, ∆ACC = 2) ⟹ violation of the global timing constraint (∆ = 4 > 3). Each of the OR and ACC failures is a necessary cause for the global failure. Taken together they are a sufficient cause.

SLIDE 24

Example 1: Adaptive Cruise Control

One necessary and sufficient cause

Consider the following trace excerpts:

OR: ..., or_i, tck, tck, tck, or_o, tck, tck, ...
ACC: ..., tck, tck, tck, accs_i, tck, tck, acct_o, ...

Both OR and ACC violate their contracts but OR’s violation is more serious (∆OR = 3, ∆ACC = 2). OR’s violation is a necessary and sufficient cause for the global failure. The violation of ACC is no longer a necessary cause.
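The two ACC scenarios above, replayed as counterfactual checks in Python. This is an added example, not code from the slides or from the Loca tool. It abstracts each component trace to its delay, assumes a contract-respecting OR or ACC trace has a delay of exactly 1, and reads sufficient causality as "keep Tr as observed, repair every other trace, and C is still violated".

```python
from itertools import combinations

# Assumed abstraction: a trace is reduced to its delay in time units. G_OR and
# G_ACC promise a delay of exactly 1; the global guarantee G allows at most 3.
CONTRACT_DELAY = {"OR": 1, "ACC": 1}
GLOBAL_BOUND = 3


def violates(component, delay):
    """True if the observed delay breaks the component's own guarantee."""
    return delay != CONTRACT_DELAY[component]


def global_ok(delays):
    """Global guarantee G: end-to-end delay within GLOBAL_BOUND."""
    return sum(delays.values()) <= GLOBAL_BOUND


def is_necessary(cause, observed):
    """Repair the faulty traces in `cause`, keep the rest as observed: G holds."""
    faulty = {c for c in cause if violates(c, observed[c])}
    if not faulty or global_ok(observed):
        return False
    repaired = {c: CONTRACT_DELAY[c] if c in faulty else d
                for c, d in observed.items()}
    return global_ok(repaired)


def is_sufficient(cause, observed):
    """Keep `cause` as observed, repair every other trace: G is still violated."""
    if global_ok(observed) or not any(violates(c, observed[c]) for c in cause):
        return False
    kept = {c: d if c in cause else CONTRACT_DELAY[c]
            for c, d in observed.items()}
    return not global_ok(kept)


def analyse(observed):
    """Map every non-empty set of components to (necessary, sufficient)."""
    names = sorted(observed)
    return {subset: (is_necessary(subset, observed), is_sufficient(subset, observed))
            for size in range(1, len(names) + 1)
            for subset in combinations(names, size)}


# Delays read off the two pairs of trace excerpts on the slides.
two_necessary_causes = analyse({"OR": 2, "ACC": 2})
one_necessary_and_sufficient = analyse({"OR": 3, "ACC": 2})
```

Each result maps a tuple of component names to a `(necessary, sufficient)` pair, so the verdict for every candidate set of traces can be compared against the conclusions stated on the slides.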

SLIDE 25

Example 2: Travel Agency

[Figure panels: Travel agency; Hotel 1]

SLIDE 26

Example 2: Travel Agency

Spec 1: “at any time, #(debits) ≤ #(confirmations)”
Spec 2: “each request is ack’ed by either fail or resai . !resp yesi for i ∈ {1, 2}”

Observed traces:

agency: ?proc . !demand1 . ?resp no1 . !demand2 . ?resp yes2 . !conf
hotel 1: ?demand1 . resa1 . !resp no1 . wait1 . debit1
hotel 2: ?demand2 . !resp yes2 . wait2 . debit2

Results of causality analysis:

                 spec 1   spec 2
travel agency    –        –
hotel 1          N, S     S
hotel 2          –        S

SLIDE 31

Causality Analysis with Bounded Past

Given:

  • $(tr_1, \dots, tr_n)$: vector of observed traces
  • $tr'_i$: a suffix of $tr_i$, $i = 1, \dots, n$, such that $\exists tr\ \forall i : \pi_i(tr) = tr'_i$
  • $Tr \subseteq \{tr_1, \dots, tr_n\}$: set of traces to be analyzed jointly

Definition (Necessary causality)

$Tr$ is a necessary cause of the violation of $C$ if $\exists tr \in Tr : tr \nearrow C$ and

$$\forall tr' : \Big( \forall j \in \{1, \dots, n\} \setminus I' : \pi_j(tr') = tr_j \;\wedge\; \forall k \in I' : \pi_k(tr') \models C_k \Big) \implies tr' \models C$$

where $I = \{ i \mid tr_i \in Tr \wedge tr_i \not\models C_i \}$.

SLIDE 32

Causality Analysis with Bounded Past

Given:

  • $(tr_1, \dots, tr_n)$: vector of observed traces
  • $tr'_i$: a suffix of $tr_i$, $i = 1, \dots, n$, such that $\exists tr\ \forall i : \pi_i(tr) = tr'_i$
  • $Tr \subseteq \{tr_1, \dots, tr_n\}$: set of traces to be analyzed jointly

Definition (Necessary causality)

$Tr$ is a necessary cause of the violation of $C$ if $\exists tr \in Tr : tr \nearrow C$ and

$$\forall tr' : \Big( \forall j \in \{1, \dots, n\} \setminus I : \pi_j(tr') = tr_j \;\wedge\; \forall k \in I : \pi_k(tr') \models C_k \Big) \implies tr' \models C$$

where $I = \{ i \mid tr_i \in Tr \wedge tr_i \not\models C_i \}$.

SLIDE 33

Causality Analysis with Bounded Past

Given:

  • $(tr_1, \dots, tr_n)$: vector of observed traces
  • $tr'_i$: a suffix of $tr_i$, $i = 1, \dots, n$, such that $\exists tr\ \forall i : \pi_i(tr) = tr'_i$
  • $Tr \subseteq \{tr_1, \dots, tr_n\}$: set of traces to be analyzed jointly

Definition (Necessary causality)

$Tr$ is a necessary cause of the violation of $C$ if $\exists tr \in Tr : tr \nearrow C^{=}$ and

$$\forall tr' : \Big( \forall j \in \{1, \dots, n\} \setminus I : \pi_j(tr') = tr_j^{+} \;\wedge\; \forall k \in I : \pi_k(tr') \models C_k \Big) \implies tr' \models C$$

where $I = \{ i \mid tr_i \in Tr \wedge tr_i \not\models C_i^{=} \}$.

SLIDE 34

Related Work

  • Actual causality (Halpern & Pearl)
      ◮ for Boolean expressions, no “native” support for sequential behavior
      ◮ weak notion of logical causality
  • Dependability:
      ◮ fault trees: from failure to potential causes
      ◮ FME(C)A: from cause to potential failures
  • Blaming in contract languages: verify satisfaction of assumption and guarantee; no notion of causality, no concurrency.
  • Diagnosis: determine (unobservable) faults from observations; no notion of logical causality.

SLIDE 35

Discussion

Contributions:

  • General definitions for logical causality, supporting group causality
      ◮ (vertical) causality: a component causes the violation of a system-level contract.
      ◮ horizontal causality: a component causes the violation of the guarantee provided by another component.
  • Effective decision procedure.
  • Causality analysis on bounded past.
  • Implementation in analysis tool Loca.

SLIDE 36

Future Work

  • Generalize framework, instantiate with existing models of computation and communication: synchronous, timed automata, ...
  • Allow for uncertainty, e.g., partial observability of events.
  • Generalize to a quantitative notion of causality.
  • Constructiveness?
