Skip to main content
SpringerLink
Log in

Model-driven generation of runtime checks for system properties

  • Regular Paper
  • Published:
International Journal on Software Tools for Technology Transfer Aims and scope Submit manuscript

Abstract

Creating runtime monitors for interesting properties is an important research problem. Existing approaches to runtime verification require specifications that not only define the property to monitor, but also contain details of the implementation, sometimes even requiring the implementation to add special variables or methods for monitoring. Often intuitive properties such as “event X should only happen when objects A and B agree” have to be translated by developers into complex specifications, for example, pre- and post-conditions on several methods that only in concert express this simple property. In most specification languages, the result of this manual translation are specifications that are so strongly tailored to the program at hand and the objects involved that, even if the property occurs again in a similar program, the whole translation process has to be repeated to create a new specification. In this paper, we introduce the concept of property templates. Property templates are pre-defined constraints that can be easily reused in specifications. They are part of a model-driven framework that translates high-level specifications into runtime monitors specialized to the problem at hand. The framework is extensible: Developers can define property templates for constraints they often need and can specialize the code generation when the default implementation is not satisfactory. We demonstrate the use of the framework in some case studies using a set of functional and structural constraints that we developed through an extensive study of existing software specifications. The key innovations of the approach we present are three. First, the properties developed with this approach are reusable and apply to a wide range of software systems, rather than being ad hoc and tailored to one particular program. Second, the properties are defined at a relatively high level of abstraction, so that no detailed knowledge of the implementation is needed to decide whether a given property applies. Third, we separate the definition of precise assertions for properties, and the use of properties. That way, experts can determine which assertions are needed to assure properties, and other developers can easily use these definitions to annotate systems.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7

Similar content being viewed by others

Notes

  1. http://tomcat.apache.org.

  2. http://www.eclipse.org/modeling/m2t/?project=jet.

  3. http://java.sun.com/j2ee/overview.html.

  4. http://myfaces.apache.org/.

  5. https://javaserverfaces.dev.java.net/.

  6. https://glassfish.dev.java.net/.

  7. https://issues.apache.org/bugzilla/show_bug.cgi?id=46397.

  8. The unique property on associations is so far the only property that can be directly specified in OCL using the semantics of OCLs Set collection.

References

  1. Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: an overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) Proceedings of the International Workshop on the Construction and Analysis of Safe, Secure, and Interoperable Systems, CASSIS 2004, Series. Lecture Notes in Computer Science, vol. 3362, pp. 49–69. Springer, New York (2004)

    Google Scholar 

  2. de Caso, G., Braberman, V., Garbervetsky, D., Uchitel, S.: Validation of contracts using enabledness preserving finite state abstractions. In: Proceedings of the 31st International Conference on Software Engineering, ICSE ’09. IEEE Computer Society, pp. 452–462 (2009)

  3. Leavens, G.T‘., Baker, A.L., Ruby, C.: JML: a notation for detailed design. In: Kiloc, H., Rumpe, B., Simmonds, I. (eds.) Behavioral Specifications of Businesses and Systems, Chapter 12, pp. 175–188. Kluwer, Boston (1999)

    Chapter  Google Scholar 

  4. Meyer, B.: Object-Oriented Software Construction, 2nd edn. Prentice Hall, London (1997)

    MATH  Google Scholar 

  5. Rosenblum, D.S.: A practical approach to programming with assertions. IEEE Trans. Softw. Eng. 21(1), 19–31 (1995)

    Article  Google Scholar 

  6. Allan, C., Avgustinov, P., Christensen, A.S., Hendren, L., Kuzins, S., Lhoták, O., de Moor, O., Sereni, D., Sittampalam, G., Tibble, J.: Adding trace matching with free variables to AspectJ. In: Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications, Series OOPSLA ’05, pp. 345–364 (Online). doi:10.1145/1094811.1094839 (2005)

  7. Avgustinov, P., Tibble, J., de Moor, O.: Making trace monitors feasible. In: Proceedings of the 22nd ACM SIGPLAN Conference on Object-Oriented Programming Systems and Applications, Series OOPSLA ’07, pp. 589–608 (online). doi:10.1145/1297027.1297070 (2007)

  8. Barringer, H., Rydeheard, D., Havelund, K.: Rule systems for run-time monitoring: from EAGLE to RULER. J. Logic Comput. 20(3), 675–706 (2010)

    Article  MathSciNet  MATH  Google Scholar 

  9. Bodden, E., Lam, P., Hendren, L.: Clara: a framework for partially evaluating finite-state runtime monitors ahead of time. In: Proceedings of the First International Conference on Runtime Verification ’10. Springer, Berlin, pp. 183–197. doi:10.1007/978-3-642-16612-9_15 (2010)

  10. Chen, F., Roşu, G.: MOP: an efficient and generic runtime verification framework. In: Proceedings of the 22nd ACM SIGPLAN Conference on Object-Oriented Programming Systems and Applications, OOPSLA ’07. ACM, pp. 569–588 (2007)

  11. Drusinsky, D., Shing, M.-T.: Using UML statecharts with knowledge logic guards. In: Schürr, A., Selic, B. (eds.) Model Driven Engineering Languages and Systems, Series Lecture Notes in Computer Science, vol. 5795, pp. 586–590. Springer, Berlin (2009). doi:10.1007/978-3-642-04425-0_45

    Chapter  Google Scholar 

  12. Havelund, K., Roşu, G.: Monitoring Java programs with Java PathExplorer. Electron. Notes Theor. Comput. Sci. 55(2), 200–217 (2001)

    Article  Google Scholar 

  13. Meredith, P., Jin, D., Chen, F., Roşu, G.: Efficient monitoring of parametric context-free patterns. J Autom. Softw. Eng. 17(2), 149–180 (2010)

    Article  Google Scholar 

  14. Dzidek, W.J., Briand, L.C., Labiche, Y.: Lessons learned from developing a dynamic OCL constraint enforcement tool for Java. In: Satellite Events at the MoDELS 2005 Conference, Series Lecture Notes in Computer Science, vol. 3844. Springer, Berlin, pp 10–19 (2005)

  15. Luckham, D.C., Kerry, J.J., Augustin, L.M., Vare, J., Bryan, D., Mann, W.: Specification and analysis of system architecture using Rapide. IEEE Trans. Softw. Eng. 21(4), 336–355 (1995)

    Article  Google Scholar 

  16. Stirewalt, K., Rugaber, S.: Automated invariant maintenance via OCL compilation. In: Proceedings of the 8th International Conference on Model Driven Engineering Languages and Systems, MODELS 2005. Springer, Berlin, pp. 616–632 (2005)

  17. Wang, K., Shen, W.: Runtime checking of UML association-related constraints. In: Proceedings of the 5th International Workshop on Dynamic Analysis, WODA ’07. IEEE Computer Society (2007)

  18. Ciupa, I., Meyer, B., Oriol, M., Pretschner, A.: Finding faults: manual testing vs. random testing + vs. user reports. In: Technical Report, vol. 595. Department of Computer Science, ETH Zurich (2008)

  19. Voas, J.M., Miller, K.W.: Putting assertions in their place. In: Proceedings of the 5th International Symposium on Software Reliability Engineering, ISSRE’ 94, pp. 152–157 (1994)

  20. Pike, L., Niller, S., Wegmann, N.: Runtime verification for ultra-critical systems. In: Khurshid, S., Sen, K. (eds.) Runtime Verification, Series Lecture Notes in Computer Science, vol. 7186, pp. 310–324. Springer, Berlin (2012). doi:10.1007/978-3-642-29860-8_23

    Google Scholar 

  21. Wu, G., Wei, J., Ye, C., Shao, X., Zhong, H., Huang, T.: Runtime verification of data-centric properties in service based systems. In: Khurshid, S., Sen, K. (eds.) Runtime Verification, Series Lecture Notes in Computer Science, vol. 7186, pp. 325–341. Springer, Berlin (2012). doi:10.1007/978-3-642-29860-8_24

    Google Scholar 

  22. Goldsmith, S.F., O’Callahan, R., Aiken, A.: Relational queries over program traces. In: Proceedings of the 20th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, Series OOPSLA ’05, pp. 385–402 (online). doi:10.1145/1094811.1094841 (2005)

  23. Martin, M., Livshits, B., Lam, M.S.: Finding application errors and security flaws using PQL: a program query language. In: Proceedings of the 20th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, Series OOPSLA ’05, ACM, New York, pp. 365–383 (online). doi:10.1145/1094811.1094840 (2005)

  24. Chen, F., d’Amorim, M., Roşu, G.: Checking and correcting behaviors of Java programs at runtime with Java-MOP. Electron. Notes Theor. Comput.Sci. 144(4), 3–20 (2006) (online). http://www.sciencedirect.com/science/article/pii/S1571066106003008

  25. Kim, M., Viswanathan, M., Kannan, S., Lee, I., Sokolsky, O.: Java-MaC: a run-time assurance approach for Java programs. Formal Methods Syst. Des. 24, 129–155 (2004)

    Article  MATH  Google Scholar 

  26. The Object Management Group: OMG Unified Modeling Language Superstructure. (adopted specification formal/2007-11-02, http://www.omg.org). Accessed 02 Jan 2008 (2007)

  27. The Object Management Group: Object Constraint Language (available specification formal/06-05-01, http://www.omg.org). Accessed 11 Dec 2006 (2005)

  28. Hein, C., Ritter, T., Wagner, M.: System monitoring using constraint checking as part of model based system management. In: 2nd International Workshop on Models@run.time (2007)

  29. Richters, M., Gogolla, M.: Aspect-oriented monitoring of UML and OCL constraints. In: AOSD Modeling with UML Workshop at the 6th International Conference on the Unified Modeling Language (UML) (2003)

  30. Aldrich, J., Chambers, C., Notkin, D.: ArchJava: connecting software architecture to implementation. In: Proceedings of the 24th International Conference on Software Engineering, ICSE ’02. ACM, pp. 187–197 (2002)

  31. Taylor, R.N., Medvidovic, N., Dashofy, E.: Software Architecture: Foundations, Theory, and Practice. Wiley, New York (2009)

    Book  Google Scholar 

  32. Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley Professional, New York (1994)

    Google Scholar 

  33. Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-state verification. In: ICSE 1999: Proceedings of the 1999 International Conference on Software Engineering, pp. 411–420 (1999)

  34. Cobleigh, R.L., Avrunin, G.S., Clarke, L.A.: User guidance for creating precise and accessible property specifications. In: FSE-14: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 208–218 (2006)

  35. Wuttke, J.: Property templates and assertions supporting runtime failure detection. In: Technical Report, University of Lugano, Switzerland, 04 Aug 2008 (2008)

  36. Wuttke, J.: Automatically generated runtime checks for design-level properties. Ph.D. dissertation, University of Lugano, Lugano (2010)

  37. Laddad, R.: AspectJ in Action: Enterprise AOP with Spring, 2nd edn. Manning Publications, New York (2009)

    Google Scholar 

  38. Gorla, A., Pezzé, M., Wuttke, J., Mariani, L., Pastore, F.: Achieving cost-effective software reliability through self-healing. Comput. Inform. 2(1), 1001–1022 (2010)

    Google Scholar 

  39. Denaro, G., Gorla, A., Pezzè, M.: Datec: dataflow testing of Java classes. In: 31st International Conference on Software Engineering, ICSE’09—Companion Volume. IEEE Computer Society, pp. 421–422 (tool demonstration) (2009)

  40. Lee, C., Jin, D., Meredith, P.O., Rosu, G.: Towards categorizing and formalizing the JDK API. In: Technical Report, University of Illinois (online). http://hdl.handle.net/2142/30006 (2012)

  41. Java Server Pages 2.1 Specification. http://jcp.org/en/jsr/detail?id=245 (JSR 245). Accessed Jan 2008 (2006)

  42. Unkel, C., Lam, M.S.: Automatic inference of stationary fields: a generalization of Java’s final fields. In: Proceedings of the 35th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’08. ACM, pp. 183–195 (2008)

  43. The Objective-C 2.0 Programming Language. Apple Inc., Cupertino (2008)

  44. König, D.: Groovy in Action. Manning Publications, New York (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Lugano, Lugano, Switzerland

    Mauro Pezzé

  2. University of Milano Bicocca, Milan, Italy

    Mauro Pezzé

  3. University of Washington, Seattle, USA

    Jochen Wuttke

Authors
  1. Mauro Pezzé
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jochen Wuttke
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jochen Wuttke.

Appendix A Property template catalog

Appendix A Property template catalog

With the language for the formal semantics defined in Sect. 3, we can now fully and formally describe our property templates. The property template catalog in this section lists the example set of property templates we identified, describes their semantics, and defines the assertions used to detect violations of the properties.

1.1 A.1 Comparable

The comparable property (Fig. 8) addresses the case where language frameworks and libraries provide consistent sets of container classes following a common super interface, or as is more often the case, assume that classes using the framework implement a set of well-defined comparison methods, denoted \(M\). This is a special case of explicit \(\mathtt{< }\) I \(\mathtt{> }\), because instead of requiring an explicit interface, it checks for the existence of a set of methods.

Fig. 8
figure 8

Catalog entry for comparable

Full size image

For example, in the Java Collection Framework, \(M\) would contain equals() and hashCode(). The precise contents of \(M\) are language and framework dependent; hence, they have to be specified by the transformation, and not as part of the high-level semantics.

1.2 A.2 Explicit \(\mathtt{< }\) I \(\mathtt{> }\)

The explicit property (Fig. 9) declares that annotated classifiers must directly implement the interface I. By directly, we mean that the classifier must provide its own implementation of the interfaces methods. This property is violated if the classifier only inherits the interface’s methods from a superclass.

Fig. 9
figure 9

Catalog entry for explicit

Full size image

A good example for when this property is useful is in implementations of the AbstractFactory or FactoryMethod design patterns [32]. The patterns are centered around the concept of concrete classes explicitly implementing an abstract method or interface that decouple concrete implementations from client code.

This property is particular in the sense that at a first glance it appears that checks for implicit implementation would best be done statically by a compiler. However, even though technically this is possible, to the best of our knowledge, no programming language provides declarative means to specify this property. Furthermore, it would be even harder to statically enforce this property across library and component boundaries. The compiled binaries would have to contain enough information to enable static checking of clients, which requires additional infrastructure to be used by the developers of the components and the final system, while runtime checks of this property only require additional infrastructure deployed together with the final system.

1.3 A.3 Immutable

The immutable property (Fig. 10) declares that instances of annotated classifiers must not change their visible state after creation or the invocation of an explicit locking operation. If no locking operation is specified, the object must not change its visible state after instance construction completes. The latter is inspired by Unkel and Lam’s research, which indicates that immutable behavior after explicit locking or from a certain location in the code on is typical for many kinds of programs [42]. The current implementation considers the constructor to be the locking operation.

Fig. 10
figure 10

Catalog entry for immutable

Full size image

1.4 A.4 Initialized

The initialized property (Fig. 11) implies that classifier-specific initialization has completed before any references to instances of the classifier are used. The basic semantics for a classifier \(C\) annotated with initialized state that whenever a method that is not a constructor or the specified initializer is executed, then initialization must have occurred. Note that this refers only to method executions, not to field accesses. The rationale for this is that typical idioms in object-oriented languages suggest that fields be only accessible through dedicated accessor methods. Many languages, for example, Objective C [43] and Groovy [44], even generate accessor methods automatically if programmers do not specify them explicitly, hence making direct field access unnecessary.

Fig. 11
figure 11

Catalog entry for initialized

Full size image

To allow for various design patterns that require initialization of objects outside the object constructor, the initialized property takes an optional parameter that specifies a dedicated initialization operation. initializer methods are exempt from the rule that instances of the classifier have to be initialized before operations can be used. If there is no explicit initializer defined on an initialized classifier, the constructor is considered the initializer. In this case, initialized is merely a tag with no effect.

We discuss an example of this property in Sect. 4.2.

1.5 A.5 Language \(\mathtt{< }\) L \(\mathtt{> }\)

The language property (Fig. 12) declares that a visible string value must match a regular language L. Formally, the annotation language \(\mathtt{< }\) L \(\mathtt{> }\) on a method parameter \(p\) or class attribute \(a\) denotes that \(p \in \mathtt {L}\) or \(a \in \mathtt {L}\), respectively. Since we require that L be a regular language, we use common regular expressions to specify L. The assertions shown in Fig. 12 should be considered an exclusive choice. If and only if the annotation is placed on a parameter, then the assertions with the method call pointcut is used, and vice versa.

Fig. 12
figure 12

Catalog entry for language \(\mathtt{< }\) L \(\mathtt{> }\)

Full size image

This property effectively defines method pre-conditions or class invariants. As such it is at the same abstraction level as the implementation. However, the actual constraint to be expressed can stem from system-level requirements, like in the example in Sect. 4.2, or from implementation-specific choices, and thus represent both high- and low-level constraints.

1.6 A.6 Notnull

The notnull property (Fig. 13) constrains parameters or return values not to be null. Even though the concept of null values exists only at the implementation level, this property emerged from the definition of more abstract properties, such as initialized, and has proven itself to be useful for debugging and quality assessment in component-based software (see the nanoxml case study in Sect. 4.2).

Fig. 13
figure 13

Catalog entry for notnull

Full size image

1.7 A.7 Singleton

The singleton property (Fig. 14) checks that a class maintains the semantics of the Singleton design pattern, that is, there is only one instance of the class in the entire system.

Fig. 14
figure 14

Catalog entry for singleton

Full size image

Even though the pattern is structurally simple, concurrent programs and language-specific issues can introduce corner cases that are easily missed by implementers. For example, the naive implementation in Fig. 15 is not thread safe. Given two threads \(T1\) and \(T2\), the sequence \(T1.8,T2.8,T\)1.9-11, \(T\)2.9-11 leads to two instances of the same class being created and returned to the respective callers.

Fig. 15
figure 15

Naive Singleton implementation

Full size image

Other, language-specific factors, for example, the time and order of static variable creation and class loading, can also introduce subtle problems with straightforward implementations of this pattern.

1.8 A.8 Unique

The unique property (Fig. 16) declares that instances of a given type must be unique within some context. The context is determined by the annotated model element. An annotation on a classifier declares that instances of this type must be globally unique. An annotation on an association declares that instances must be unique within the context of the annotated association relation. Uniqueness of an instance is determined by an attribute of the involved classifiers. By default, the hashCode of instances is used. If this is not appropriate, the optional parameter uniquenessProperty declares which property of the classifier determines uniqueness.

Fig. 16
figure 16

Catalog entry for unique

Full size image

Intuitively, monitoring tracks potential changes to the uniqueness attribute and evaluates the assertions every time a change occurred. For unique, annotations placed on classifiers, the context, and thus the container is the entire heap rather than a specific association.Footnote 8

Treatment of annotated classifiers is straightforward. Instance creation and destruction are monitored, and every new instance is compared against all currently existing instances.

Handling of annotated associations is more involved, because the context of the association must be included. First, associations may only be annotated if they are 1-to-\(n\) or a \(n\)-to-\(m\) relationships. Instances participating in 1-to-1 relationships are naturally unique and no monitoring is necessary. Additionally, the container must expose operations to query its contents, so that the generated assertions have access to this state information. Defaults can be based on common implementation patterns, or alternatively, property template users could specify the relevant operations through parameters to the annotation (this is not expressed in the above semantics and not yet implemented). For the semantics above, null values are not considered objects and they are skipped in the checks for uniqueness.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Pezzé, M., Wuttke, J. Model-driven generation of runtime checks for system properties. Int J Softw Tools Technol Transfer 18, 1–19 (2016). https://doi.org/10.1007/s10009-014-0325-2

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10009-014-0325-2

Keywords

Search

Navigation