#### DMCA

## Runtime verification for LTL and TLTL (2007)

Citations: | 69 - 17 self |

### Citations

2650 | Timed Automata
- Alur
- 1999
(Show Context)
Citation Context ..., the occurrence of every event a ∈ Σ is associated with a corresponding time stamp and therefore a timed word is a sequence (a0, t0)(a1, t1)... of timed events (Σ × R ≥0 ): Definition 20 (Timed Word =-=[48]-=-) An (infinite) timed word w over the alphabet Σ is an (infinite) sequence (a0, t0)(a1, t1)... of timed events (ai, ti) consisting of symbols ai ∈ Σ, and non-negative numbers ti ∈ R ≥0 , such that • f... |

1651 |
The Temporal Logic of Programs.
- Pnueli
- 1977
(Show Context)
Citation Context ...some language. Correctness properties in runtime verification specify all admissible individual executions of a system and are usually formulated in some variant of linear temporal logic, such as LTL =-=[4]-=-, as seen for example in [5], [6], [7], [8], [9], [10]. But also linear µ-calculus variants are used, for example in [11]. A preliminary version of this paper appeared at FSTTCS 2006 [1]. The authors ... |

1405 | Depth-first search and linear graph algorithms
- Tarjan
- 1971
(Show Context)
Citation Context ... the language of the automaton starting in state q is not empty. To determine F ϕ (q), we identify in linear time the strongly connected components in A ϕ , which can be done using Tarjan’s algorithm =-=[37]-=- or nested depth-first algorithms as examined in [38]. Using Fϕ , we define the NFA Âϕ = (Σ, Qϕ , Q ϕ 0 , δϕ , ˆ F ϕ ) with ˆF ϕ = {q ∈ Qϕ | Fϕ (q) = ⊤}. Analogously, we set Â ¬ϕ = (Σ, Q ¬ϕ , Q ¬ϕ 0 ,... |

694 |
An automata-theoretic approach to automatic program verification (preliminary report). In:
- Vardi, Wolper
- 1986
(Show Context)
Citation Context ..., F ϕ ) denote the NBA, which accepts all models of ϕ, and let A ¬ϕ = (Σ, Q ¬ϕ , Q ¬ϕ 0 , δ¬ϕ , F ¬ϕ ) denote the NBA, which accepts all words falsifying ϕ. The corresponding construction is standard =-=[35]-=- and explained, for example in [36]. Note that in order to obtain the complement of an NBA, we merely need to complement the formula, rather than the original Büchi automaton itself. For the automaton... |

461 |
Temporal Verification of Reactive Systems: Safety (Springer-Verlag,
- Manna, Pnueli
- 1995
(Show Context)
Citation Context ...s true; • otherwise, the value is inconclusive since the observations so far are inconclusive, and neither true or false can be determined. While there are actually semantics for LTL on finite traces =-=[20]-=-, [21], these use (only) two truth values. We strongly believe that only two truth values lead to misleading results in runtime verification: Consider the formula ¬pUinit (read: not p until init) stat... |

375 |
An n logn algorithm for minimizing states in a finite automaton. In:
- Hopcroft
- 1971
(Show Context)
Citation Context ...ize, for a second time. In total the FSM of step 6 will have double exponential size with respect to |ϕ|. The size of the final FSM is in O(22n) but can be minimised with standard algorithms for FSMs =-=[39]-=- to derive an optimal deterministic monitor with a minimal number of states. In the worst case, however, a lower bound of O(22Ω(n) ) applies to the number of states, as proved in [40]. Thus, better co... |

326 | Model-Checking in Dense Real-Time
- Alur, Courcoubetis, et al.
(Show Context)
Citation Context ...t of equivalence classes of the underlying timeabstract bisimulation (following the condition given in Corollary 51). Finally, we recall the region equivalence for eventclock automata (Definition 52, =-=[51]-=-, [48]) as one particular instance of a bisimulation relation and show how to compute a set of regions which covers a given symbolic clock valuation. A Monitor Procedure for TLTL3 (Section IV-F): As i... |

305 |
Tense Logic and the Theory of Linear Order.
- Kamp
- 1968
(Show Context)
Citation Context ...p with a semantics for LTL on finite traces that mimics LTL’s semantics on infinite traces—which we do in the the first part of the paper. Note that LTL is originally defined on finite traces as well =-=[16]-=-. However, as we argue, this semantics is not suitable for runtime verification. From an application point of view, there are also important differences between model checking and runtime verification... |

295 | An automata-theoretic approach to linear temporal logic
- Vardi
- 1996
(Show Context)
Citation Context ...ts all models of ϕ, and let A ¬ϕ = (Σ, Q ¬ϕ , Q ¬ϕ 0 , δ¬ϕ , F ¬ϕ ) denote the NBA, which accepts all words falsifying ϕ. The corresponding construction is standard [35] and explained, for example in =-=[36]-=-. Note that in order to obtain the complement of an NBA, we merely need to complement the formula, rather than the original Büchi automaton itself. For the automaton A ϕ , we define a function F ϕ : Q... |

260 | Checking that finite state concurrent programs satisfy their linear specification.
- Lichtenstein, Pnueli
- 1985
(Show Context)
Citation Context ...otion of informativeness for a property ϕ depends on the syntactical representation of ϕ. The example further highlights that checking for informative prefixes is closely related to the tableau-based =-=[47]-=- and alternating-automata-based approach to model checking LTL formulae [36]: The witness ℓ for some formula ¬ϕ in u can be considered as a finite accepting tableaux for ¬ϕ, in the sense of [47]. The ... |

217 | Recognizing safety and liveness.
- Schneider
- 1987
(Show Context)
Citation Context ... good and bad prefixes. Bad prefixes may be used to derive the notion of safety properties. Consequently, in Section 3.2, we study monitoring for the subclass of (co)-safety properties [Lamport 1977; =-=Alpern and Schneider 1987-=-; Kupferman and Vardi 2001]. Moreover, we recall Pnueli and Zaks notion [Pnueli and Zaks 2006] of monitorable properties and show that monitorable properties are more than just safety properties. A re... |

163 | Adding Trace Matching with Free Variables to AspectJ. - Allan, Avgustinov, et al. - 2005 |

149 | Model Checking of Safety Properties,”
- Kupferman, Vardi
- 1999
(Show Context)
Citation Context ...rty to check may still occur. Originally, we proposed this three-valued semantics and its use for runtime verification in [1]. However, some essential concepts were defined by Kupferman and Vardi: In =-=[22]-=- a bad prefix (of a Büchi automaton) is defined as a finite prefix which cannot be the prefix of any accepting trace. Dually, a good prefix is a finite prefix such that any infinite continuation of th... |

145 |
Monitoring Java Programs with Java PathExplorer.
- Havelund, Rosu
- 2001
(Show Context)
Citation Context ...roperties in runtime verification specify all admissible individual executions of a system and are usually formulated in some variant of linear temporal logic, such as LTL [4], as seen for example in =-=[5]-=-, [6], [7], [8], [9], [10]. But also linear µ-calculus variants are used, for example in [11]. A preliminary version of this paper appeared at FSTTCS 2006 [1]. The authors are with the Technische Univ... |

118 | Event-Clock Automata: A Determinizable Class of Timed Automata,
- Alur, Fix, et al.
- 1994
(Show Context)
Citation Context ...oduce symbolic timed runs and show their benefit for checking promises efficiently, avoiding a possible but generally expensive translation of event-clock automata to (predicting-free) timed automata =-=[30]-=-. So far, not many approaches for runtime verification of real-time properties have been given. [31] studies monitor generation based on LTL enriched with a freeze quantifier for time. In [32] and [33... |

78 | Temporal Assertions using Aspectj,”
- Stolz, Bodden
- 2006
(Show Context)
Citation Context ...fication specify all admissible individual executions of a system and are usually formulated in some variant of linear temporal logic, such as LTL [4], as seen for example in [5], [6], [7], [8], [9], =-=[10]-=-. But also linear µ-calculus variants are used, for example in [11]. A preliminary version of this paper appeared at FSTTCS 2006 [1]. The authors are with the Technische Universität München, Germany. ... |

77 | Run-time monitoring of instances and classes of web service compositions,” in ICWS.
- Barbon, Traverso, et al.
- 2006
(Show Context)
Citation Context ...d with a diagnosis and reconfiguration layer. Runtime verification is closely related to the field of runtime monitoring, which has recent applications in monitoring web services [Baresi et al. 2008; =-=Barbon et al. 2006-=-; Robinson 2006] and fault monitoring, see [Delgado et al. 2004] for an overview. A large number different runtime verification systems have been developed in recent years. We only list their names wi... |

72 | Analysis of timed systems using time-abstracting bisimulations. Formal Methods
- Tripakis, Yovine
- 2001
(Show Context)
Citation Context ...continues the given prefix and which leads the automaton to acceptance. Starting with general quotient automata (Definition 48) which work with any time-abstract bisimulation relation (Definition 49, =-=[50]-=-), and the emptiness check based upon such automata (Theorem 50, [48]), we obtain a look-up table which answers the question whether a pair consisting of a state and a bisimulation equivalence class h... |

66 |
Fault diagnosis for timed automata,”
- Tripakis
- 2002
(Show Context)
Citation Context ...utomata [30]. So far, not many approaches for runtime verification of real-time properties have been given. [31] studies monitor generation based on LTL enriched with a freeze quantifier for time. In =-=[32]-=- and [33], fault diagnosis for timed systems is examined, a problem that shares some similarities with runtime verification yet is more complicated. However, in these approaches, only timed automata o... |

64 | Monitoring temporal properties of continuous signals.
- Maler, Nickovic
- 2004
(Show Context)
Citation Context ...s, only timed automata or event-recording automata are used and no prediction of events is supported. TLTL is event-based, meaning that the system emits events when the system’s state has changed. In =-=[34]-=- monitoring of continuous signals is considered, which is intrinsically different to observing discrete signals in a continuous time domain. E. Outline In Section II, we develop our runtime verificati... |

59 | Black box checking. In:
- Peled, Vardi, et al.
- 1999
(Show Context)
Citation Context ... used for specifying properties of infinite 1 Note, that it is possible to automatically learn [17] and verify a system model, thereby applying model checking techniques to an a priori unknown system =-=[18]-=-. traces. In runtime verification, our goal is to check LTL properties given finite prefixes of infinite traces. Therefore, LTL3’s syntax coincides with LTL, while its semantics is given for finite tr... |

57 | Monitoring of real-time properties.
- Bauer, Leucker, et al.
- 2006
(Show Context)
Citation Context ..., such as LTL [4], as seen for example in [5], [6], [7], [8], [9], [10]. But also linear µ-calculus variants are used, for example in [11]. A preliminary version of this paper appeared at FSTTCS 2006 =-=[1]-=-. The authors are with the Technische Universität München, Germany. Andreas Bauer, Martin Leucker, Christian Schallhart Runtime verification deals (only) with the detection of violations (or satisfact... |

42 | A formal language for electronic contracts
- Prisacariu, Schneider
- 2007
(Show Context)
Citation Context ...ures and thus it does not influence the program’s functional behaviour. However, runtime verification is at the core of those approaches which react on faults at runtime: Monitor-oriented programming =-=[12]-=-, for example, aims at a programming methodology that allows for the execution of code whenever monitors observe a violation of a given correctness property. Runtime reflection [13], to name a further... |

40 |
Model-based testing of reactive systems.
- Broy
- 2005
(Show Context)
Citation Context ...nder scrutiny satisfies or violates a given correctness property. It aims to be a lightweight verification technique complementing other verification techniques such as model checking [2] and testing =-=[3]-=-. In runtime verification, a correctness property ϕ is typically automatically translated into a monitor. Such a monitor is then used to check the current execution of a system or a (finite set of) re... |

35 | A note on on-the-fly verification algorithms,” in
- Schwoon, Esparza
- 2005
(Show Context)
Citation Context ... not empty. To determine F ϕ (q), we identify in linear time the strongly connected components in A ϕ , which can be done using Tarjan’s algorithm [37] or nested depth-first algorithms as examined in =-=[38]-=-. Using Fϕ , we define the NFA Âϕ = (Σ, Qϕ , Q ϕ 0 , δϕ , ˆ F ϕ ) with ˆF ϕ = {q ∈ Qϕ | Fϕ (q) = ⊤}. Analogously, we set Â ¬ϕ = (Σ, Q ¬ϕ , Q ¬ϕ 0 , δ¬ϕ , ˆ F ¬ϕ ) with ˆ F ¬ϕ = {q ∈ Q ¬ϕ | F ¬ϕ (q) = ... |

34 | PSL Model Checking and Run-Time Verification via Testers,” in
- Pnueli, Zaks
- 2006
(Show Context)
Citation Context ...constructions are more direct and therefore easier to understand. In this paper, we further discuss, which LTL3 properties are monitorable at all. We follow the definition given by Pnueli and Zaks in =-=[24]-=- essentially stating that a property is monitorable with respect to a trace whenever a corresponding monitor might still report a violation (or satisfaction). We point out the precise relation to Rosu... |

33 | Constructing Büchi automata from linear temporal logic using simulation relations for alternating büchi automata
- Fritz
- 2003
(Show Context)
Citation Context ...he future. • Finally, until either happens, it should return ?, indicating the necessity for further observation. Using the translation algorithm from formulae of LTL to Büchi automata as proposed by =-=[45]-=-, one obtains for ϕ, respectively ¬ϕ, the Büchi automata depicted in Figure 2. ¬spawn true q0 q0 init q1 (a) Büchi automaton A ϕ . ¬init true spawn ∧ ¬init (b) Büchi automaton A ¬ϕ . Fig. 2. The Büchi... |

29 | Fault Diagnosis Using Timed Automata.
- Bouyer, Chevalier, et al.
- 2005
(Show Context)
Citation Context ...30]. So far, not many approaches for runtime verification of real-time properties have been given. [31] studies monitor generation based on LTL enriched with a freeze quantifier for time. In [32] and =-=[33]-=-, fault diagnosis for timed systems is examined, a problem that shares some similarities with runtime verification yet is more complicated. However, in these approaches, only timed automata or event-r... |

28 | On the Construction of Monitors for Temporal Logic Properties.
- Geilen
- 2001
(Show Context)
Citation Context ...rties. Finally, we discuss runtime verification based on good/bad-prefixes compared to approaches based on Kupferman’s and Vardi’s notion of informative prefixes, as for example the approach shown in =-=[25]-=-. We argue that runtime verification should be based on good/bad prefixes rather than on informative prefixes, as it follows the as early as possible maxim. Note that multi-valued versions of LTL have... |

27 | Reasoning with temporal logic on truncated paths.
- Eisner, Fisman, et al.
- 2003
(Show Context)
Citation Context ...; • otherwise, the value is inconclusive since the observations so far are inconclusive, and neither true or false can be determined. While there are actually semantics for LTL on finite traces [20], =-=[21]-=-, these use (only) two truth values. We strongly believe that only two truth values lead to misleading results in runtime verification: Consider the formula ¬pUinit (read: not p until init) stating th... |

27 | Model-checking infinite state-space systems with fine-grained abstractions using SPIN
- Chechik, Deverux, et al.
- 2001
(Show Context)
Citation Context ...ion should be based on good/bad prefixes rather than on informative prefixes, as it follows the as early as possible maxim. Note that multi-valued versions of LTL have been considered, for example in =-=[26]-=-. There, the semantics is defined for infinite traces and the resulting logics and model checking approaches are completely different from LTL3. Moreover, these logics are helpful in model checking ab... |

23 |
Automata and Classical Theories for Deciding Real-Time
- Logics
- 1999
(Show Context)
Citation Context ...ring of Real-time Properties In the second part of the paper, we address real-time systems. We base our ideas on the timed lineartime temporal logic (TLTL), a logic originally introduced by Raskin in =-=[28]-=-. TLTL, as argued by D’Souza, can be considered a natural counterpart of LTL in the timed setting: He showed in [29] that, over timed traces, TLTL is equally expressive as first-order logic, transferr... |

22 | Program monitoring with LTL in Eagle.
- Barringer, Goldberg, et al.
- 2004
(Show Context)
Citation Context ...extended regular expressions [Sen and Rosu 2003] or tracematches by the AspectJ team [Allan et al. 2005], to query-oriented languages (PQL, [Martin et al. 2005]) and rule-based approaches like Eagle [=-=Barringer et al. 2004-=-] and RuleR [Barringer et al. 2007]. Moreover, temporal logic-based formalisms, which are well-known from model checking, are also very popular in runtime verification, especially variants of linear t... |

20 |
The complexity of propositional temporal logics
- Sistla, Clarke
- 1985
(Show Context)
Citation Context ...n problem. In contrast, runtime verification deals with the word problem. For most logical frameworks, the word problem is of far lower complexity than the inclusion problem, e. g. in case of LTL see =-=[14]-=- and [15]. • While model checking, especially when considering LTL, considers infinite traces, runtime verification deals with finite traces—as non-idealised executions are necessarily finite. • While... |

18 | Past is for free: On the complexity of verifying linear temporal properties with past
- Markey
(Show Context)
Citation Context .... In contrast, runtime verification deals with the word problem. For most logical frameworks, the word problem is of far lower complexity than the inclusion problem, e. g. in case of LTL see [14] and =-=[15]-=-. • While model checking, especially when considering LTL, considers infinite traces, runtime verification deals with finite traces—as non-idealised executions are necessarily finite. • While in model... |

18 | A logical characterisation of event clock automata
- D’Souza
- 2003
(Show Context)
Citation Context ... timed lineartime temporal logic (TLTL), a logic originally introduced by Raskin in [28]. TLTL, as argued by D’Souza, can be considered a natural counterpart of LTL in the timed setting: He showed in =-=[29]-=- that, over timed traces, TLTL is equally expressive as first-order logic, transferring Kamp’s famous result that, over words, LTL and first-order logic coincide with respect to expressiveness [16] to... |

18 |
The C++ programming Language, Special ed
- Stroustrup
- 2000
(Show Context)
Citation Context ..., all static objects of an executable are initialised before the main method is entered, however, their order is undefined, and their initialisation is thus performed in a nondeterministic order (cf. =-=[43]-=-). In consequence, if threads get spawned before executing main, it is difficult to ensure that all resources necessary to synchronise those threads are already initialised, such as globally available... |

17 |
Synthesizing monitors for safety properties. In Tools and Algorithms for the Construction and Analysis of Systems,
- Havelund, Rosu
- 2002
(Show Context)
Citation Context ...ntime verification specify all admissible individual executions of a system and are usually formulated in some variant of linear temporal logic, such as LTL [4], as seen for example in [5], [6], [7], =-=[8]-=-, [9], [10]. But also linear µ-calculus variants are used, for example in [11]. A preliminary version of this paper appeared at FSTTCS 2006 [1]. The authors are with the Technische Universität München... |

17 |
Efficient Monitoring of omegaLanguages,”
- d’Amorim, Rosu
- 2005
(Show Context)
Citation Context ...im or her to carry out a translation manually—and not necessary when following our construction. 6 Though debatable, we consider monitors checking exclusively for informative bad prefixes, such as in =-=[23]-=-, inferior to our monitors which check for bad and good prefixes, as the latter follow the maxim of reporting a violation (or satisfaction) as early as possible. IV. THREE-VALUED LTL IN THE REAL-TIME ... |

13 | Runtime analysis of linear temporal logic specifications. In: - Giannakopoulou, Havelund - 2001 |

13 | Insights to Angluin’s learning
- Berg, Jonsson, et al.
- 2003
(Show Context)
Citation Context ...n is summarised in the following rationale: Pnueli’s LTL [4] is a well-accepted lineartime temporal logic used for specifying properties of infinite 1 Note, that it is possible to automatically learn =-=[17]-=- and verify a system model, thereby applying model checking techniques to an a priori unknown system [18]. traces. In runtime verification, our goal is to check LTL properties given finite prefixes of... |

10 |
C++ Gotchas: Avoiding Common Problems in Coding and Design
- Dewhurst, C
- 2002
(Show Context)
Citation Context ... synchronise those threads are already initialised, such as globally available and statically initialised mutex objects. This problem is generally known as the static initialisation order fiasco (cf. =-=[44]-=-). The “fiasco” is an especially complicated one when large applications are builtsBAUER et al.: RUNTIME VERIFICATION FOR LTL AND TLTL 7 from a number of different frameworks which must remain indepen... |

7 | The logic of event clocks: Decidability, complexity and expressiveness - Raskin, Schobbens - 1998 |

7 | Towards a unified framework for the monitoring and recovery of bpel processes - Baresi, Guinea, et al. - 2008 |

6 |
The good, the bad, and the ugly—but how ugly is ugly
- Bauer, Leucker, et al.
- 2007
(Show Context)
Citation Context ...o be monitored has been satisfied while in the latter case, no satisfaction or violation can be shown by considering continuations of u. Note, that the notion of non-monitorable fits well to LTL3. In =-=[46]-=-, however, we suggest a more precise semantics of LTLformulae with respect to finite words allowing to differentiate ugly prefixes. The idea is based on using a strong as well as a weak version of the... |

4 |
linear (interval) temporal logic { translation to LTL and monitor synthesis
- Ro, Bensalem, et al.
- 2006
(Show Context)
Citation Context ...inistic automaton as monitor procedure, and use instead an alternative concept such as synchronising automata, hereby trading the size of automaton with an increased computational overhead at runtime =-=[41]-=-. Moreover, we have implemented the above construction of the finite-state automaton M ϕ partly in an on-the-fly fashion. That is, for a given property ϕ, we construct the two NFAs, but we do not dete... |

1 |
verification of temporal properties on running programs.” in ASE
- “Automata-based
(Show Context)
Citation Context ...in runtime verification specify all admissible individual executions of a system and are usually formulated in some variant of linear temporal logic, such as LTL [4], as seen for example in [5], [6], =-=[7]-=-, [8], [9], [10]. But also linear µ-calculus variants are used, for example in [11]. A preliminary version of this paper appeared at FSTTCS 2006 [1]. The authors are with the Technische Universität Mü... |

1 |
monitoring of safety properties
- “Efficient
- 2004
(Show Context)
Citation Context ... verification specify all admissible individual executions of a system and are usually formulated in some variant of linear temporal logic, such as LTL [4], as seen for example in [5], [6], [7], [8], =-=[9]-=-, [10]. But also linear µ-calculus variants are used, for example in [11]. A preliminary version of this paper appeared at FSTTCS 2006 [1]. The authors are with the Technische Universität München, Ger... |

1 |
runtime monitoring of synchronous systems,” in TIME
- D’Angelo, Sankaranarayanan, et al.
(Show Context)
Citation Context ...nd are usually formulated in some variant of linear temporal logic, such as LTL [4], as seen for example in [5], [6], [7], [8], [9], [10]. But also linear µ-calculus variants are used, for example in =-=[11]-=-. A preliminary version of this paper appeared at FSTTCS 2006 [1]. The authors are with the Technische Universität München, Germany. Andreas Bauer, Martin Leucker, Christian Schallhart Runtime verific... |

1 |
Model-based runtime analysis of reactive distributed systems
- Bauer, Leucker, et al.
- 2006
(Show Context)
Citation Context ...iented programming [12], for example, aims at a programming methodology that allows for the execution of code whenever monitors observe a violation of a given correctness property. Runtime reflection =-=[13]-=-, to name a further example, is an architecture pattern that is applicable for systems in which monitors are enriched with a diagnosis and reconfiguration layer. A. Runtime Verification versus Model C... |

1 |
Model-based testing - a glossary,” in Model-Based Testing of Reactive Systems, ser
- Pretschner, Leucker
- 2004
(Show Context)
Citation Context ...st a single or a finite subset, it shares similarities with testing: both are usually incomplete. Typically, in testing one considers a finite set of finite inputoutput sequences forming a test suite =-=[19]-=-. Test-case execution is then checking whether the output of a system agrees with the predicted one, when giving the input sequence to the system under test. A different form of testing, however, is c... |

1 |
Modelling and verifying software product lines
- Gruler, Leucker, et al.
(Show Context)
Citation Context ...es and the resulting logics and model checking approaches are completely different from LTL3. Moreover, these logics are helpful in model checking abstractions of systems or of software product lines =-=[27]-=-, and we do not see any benefit of the developed ideas in the setting of runtime verification. D. Monitoring of Real-time Properties In the second part of the paper, we address real-time systems. We b... |

1 | Generati ng online test oracles from temporal logic specifications - akansson, Jonsson, et al. - 2003 |

1 | y, mm 20yy. · TOSEM - No - 1994 |