An operational guide to monitorability with applications to regular properties

Abstract

Monitorability underpins the technique of runtime verification because it delineates what properties can be verified at runtime. Although many monitorability definitions exist, few are defined explicitly in terms of the operational guarantees provided by monitors, i.e. the computational entities carrying out the verification. We view monitorability as a spectrum, where the fewer guarantees that are required of monitors, the more properties become monitorable. Accordingly, we present a monitorability hierarchy based on this trade-off. For regular specifications, we give syntactic characterisations in Hennessy–Milner logic with recursion for its levels. Finally, we map existing monitorability definitions into our hierarchy. Hence, our work gives a unified framework that makes the operational assumptions and guarantees of each definition explicit. This provides a rigorous foundation that can inform design choices and correctness claims for runtime verification tools.

A Appendix: The proof of Theorem 5.3

In this appendix, we present the proof of Theorem 5.3, which was omitted from the main text.

We first define a notion for monitors that is similar to the one of Definition 5.3.

Definition A.1

Let \(m \) be a closed monitor and let \(n \) be a submonitor of \(m \). We say that:

• \(n \) can reject (resp., accept) in \(m \) in 0 unfoldings, when \(\textsf {no}\) (resp., \(\textsf {yes}\)) appears in \(n \), and that

• \(n \) can reject (resp., accept) in \(m \) in \(k+1\) unfoldings, when it can reject (resp., accept) in k unfoldings, or x appears in \(n \) and \(n \) is in the scope of a submonitor \(\textsf {rec}\,X.n '\) that can reject (resp., accept) in k unfoldings.

We simply say that \(n \) can reject (resp., accept) in \(m \) when it can reject (resp., accept) in \(m\) in k unfoldings, for some \(k \ge 0\). We may also simply say that \(n \) can reject (resp., accept) when \(m \) is evident or not relevant. \(\square \)

We now make explicit two straightforward lemmata that we will use.

Lemma A.1

Let \(\varphi = \textsf {max}\, X.\psi \) or \(\varphi = \textsf {min}\, X.\psi \). If \(\varphi \) can refute (resp., verify) in \(\varphi \), then it is also the case that \(\psi [\varphi /X]\) can refute (resp., verify) in \(\psi [\varphi /X]\).

Lemma A.2

• If all subformulas of \({[}\alpha {]}\varphi \) or \(\varphi \wedge \psi \) or \(\psi \wedge \varphi \) or \({\langle }\alpha {\rangle }\varphi \) or \(\varphi \vee \psi \) or \(\psi \vee \varphi \) can refute (or, respectively, verify), then all subformulas of \(\varphi \) can refute (or verify).

• Let \(\varphi = \textsf {max}\, X.\psi \) or \(\varphi = \textsf {min}\, X.\psi \). If all subformulas of \(\varphi \) can refute (resp., verify), then all subformulas of \(\psi [\varphi /X]\) can refute (resp., verify).

We define the box-depth of a formula from \(\textsc {eHML}\cap \textsc {sHML} \) recursively:

$$\begin{aligned} d_{B}\left( \bigwedge _{\gamma \in {Act} }{[}\gamma {]}\varphi _\gamma \right)&~=~ d_{B}(\textsf {ff}) ~=~ 0 ;\\ d_{B}(X)&~=~ d_{B}(\textsf {tt}) ~=~ \infty ;\\ d_{B}(\varphi _1 \wedge \varphi _2)&~=~ \min \{d_{B}(\varphi _1), d_{B}(\varphi _2)\} + 1; ~~~~~\text { and }\\ d_{B}(\max X.\varphi ')&~=~ d_{B}(\varphi ') + 1 . \end{aligned}$$

The box-depth of a formula measures how deep in the syntactic tree of the formula one can find a box or \(\textsf {ff} \).

Lemma A.3

For all possibly open \(\varphi , \psi \in \textsc {eHML}\cap \textsc {sHML} \), \(d_{B}(\varphi [\psi /X]) \le d_{B}(\varphi )\).

Proof

Straightforward induction on \(\varphi \). \(\square \)

Lemma A.4

Let \(\alpha \in {Act} \).

• Let \(\varphi \in \textsc {eHML}\cap \textsc {sHML} \), where all subformulas of \(\varphi \) can refute. There is some \(\psi \in \textsc {eHML}\cap \textsc {sHML} \), such that all subformulas of \(\psi \) can refute, and for every \(f\in {{Act} ^\infty } \), \(\alpha f\in \llbracket \varphi \rrbracket \) implies that \(f\in \llbracket \psi \rrbracket \).

• Let \(\varphi \in \textsc {eHML}\cap \textsc {cHML} \), where all subformulas of \(\varphi \) can verify. There is some \(\psi \in \textsc {eHML}\cap \textsc {cHML} \), such that all subformulas of \(\psi \) can verify, and for every \(f\in {{Act} ^\infty } \), \(f\in \llbracket \psi \rrbracket \) implies that \(\alpha f\in \llbracket \varphi \rrbracket \).

Proof

We assume that \(\varphi \in \textsc {eHML}\cap \textsc {sHML} \), as the case for \(\varphi \in \textsc {eHML}\cap \textsc {cHML} \) is similar. Since \(\varphi \) is a closed formula and can refute, \(\textsf {ff} \) appears in \(\varphi \), and therefore \(d_{B}(\varphi ) < \infty \). We proceed to prove the lemma by strong numerical induction on \(d_{B}(\varphi )\), similarly to the proof of Theorem 5.2.

If:

\(\varphi = \textsf {ff} \), then we are done immediately by taking \(\psi = \textsf {ff} \).

If:

\(\varphi = \bigwedge _{\gamma \in {Act} }{[}\gamma {]}\varphi _\gamma \), then we can set \(\psi = \varphi _\alpha \).

If:

\(\varphi = \varphi _1 \wedge \varphi _2\), then either \(d_{a}(\varphi _1) < \infty \) or \(d_{a}(\varphi _2) < \infty \), and we are done by the inductive hypothesis on one of the two subformulas.

If:

\(\varphi = \max X.\varphi '\), then \(\varphi '[\varphi /X] \in \textsc {eHML}\cap \textsc {sHML} \) and all subformulas of \(\varphi '[\varphi /X]\) can refute, by Lemma A.2. Furthermore, \(\llbracket \varphi \rrbracket = \llbracket \varphi '[\varphi /X]\rrbracket \), and we are done by the inductive hypothesis. \(\square \)

Lemma A.5

If \(\varphi \in \textsc {spHML}\) or \(\varphi \in \textsc {cpHML}\), then there is a regular monitor that is sound for \(\varphi \) and persistently rejecting, or, respectively, persistently accepting.

Proof

We assume that \(\varphi \in \textsc {spHML}\), as the case for \(\varphi \in \textsc {cpHML}\) is similar. Let \(\varphi = \psi \wedge \psi _*\), where \(\psi \in \textsc {eHML}\cap \textsc {sHML} \) and all of its subformulas can refute, and \(\psi _* \in \textsc {recHML} \). By Theorem 4.4, it suffices to prove that for every \(s\in {Act} ^*\), there is some \(r\in {Act} ^*\), such that \(sr\) negatively determines \(\varphi \). We prove this by structural induction on \(s\). If \(s= \varepsilon \), then as in the proof of Theorem 5.2, we can show that there is a finite trace that negatively determines \(\psi \). If \(s= a s'\), then by Lemma A.4. there is some \(\psi ' \in \textsc {eHML}\cap \textsc {sHML} \), such that all subformulas of \(\psi '\) can refute, and for every \(f\in {{Act} ^\infty } \), \(a f\in \llbracket \psi \rrbracket \) implies that \(f\in \llbracket \psi '\rrbracket \). By the inductive hypothesis, there is some \(r\), such that \(s'r\) negatively determines \(\psi '\), and therefore, \(sr\) negatively determines \(\psi \). \(\square \)

We define the depth of a variable x in a regular monitor \(m \) recursively:

$$\begin{aligned} d_x(x)&= 0; \\ d_x(y)&= d(\textsf {no}) = d(\textsf {yes}) = d(\textsf {end}) = \infty ,\\&\text { where } y \ne x; \\ d_{x}(m _1 + m _2)&= \min \{d_{x}(m _1), d_{x}(m _2)\}+1; \\ d_{x}(\alpha .m)&= d_{x}(m) + 1;&\text { and}\\ d_{x}(\textsf {rec}\,x.~m)&= d_{x}(\textsf {rec}\,y.~m) = d_{x}(m) + 1. \end{aligned}$$

Lemma A.6

Let \(m \) be a persistently rejecting, deterministic regular monitor. If \(A \subsetneq {Act} \), then \(\sum _{\alpha \in A}\alpha .m _\alpha \) can only appear in \(m \) as a submonitor of a larger sum.

Proof

Let \(a \in {Act} \setminus A\) and let \(m '\) be an open monitor and x a variable that does not appear in \(m \), such that \(m = m '[\sum _{\alpha \in A}\alpha .m _\alpha /x]\). It is clear that . Therefore, it suffices to prove that for every deterministic \(n \) with free variable x, if , then there is a finite trace \(s\), such that there is no regular monitor \(o \) for which . We proceed to prove this claim by induction on \(d_{x}(n)\), and the case for \(n = x\) is immediate. If \(n = n _1 + n _2\), then, as \(n \) is deterministic, \(n = b.n _1' + c.n _2'\), where \(b \ne c\), and we are done by the inductive hypothesis on either \(n _1'\) or \(n _2'\), and \(n '\). If \(n = b.n _1\), then if the inductive hypothesis on \(n _1'\) and \(n '\) gives trace \(r\), then we can set \(s=b r\). If \(n = \textsf {rec}\,y.n _1\), then we are done by the inductive hypothesis on \(n _1[n/y]\) (notice that \(d_x(n _1[n/y] < d_x(m)\)) and \(n '[n/y]\). \(\square \)

Here, we call a regular monitor explicit when it is generated by the grammar:

$$\begin{aligned} m \mathrel {::=}\textsf {end}~~\vert ~~ \textsf {no}~~\vert ~~ x ~~\vert ~~ \sum _{a \in Act}a.m _a ~~\vert ~~ \textsf {rec}\,x.m. \end{aligned}$$

Corollary A.1

Every persistently rejecting, deterministic regular monitor is explicit.

Proof

A consequence of Lemma A.6. \(\square \)

Lemma A.7

Let \(m \) be an explicit deterministic regular monitor, such that all of its submonitors can reject. Then, \(\textsf {f}(m) \in \textsc {eHML}\) and all of its subformulas can refute.

Proof

By induction on the construction of \(m\). \(\square \)

Lemma A.8

If \(\varphi \in \textsc {recHML} \) and there is a monitor that is sound for \(\varphi \) and persistently rejecting or persistently accepting, then there is some \(\psi \in \textsc {spHML}\), or, respectively, \(\psi \in \textsc {cpHML}\), such that \(\llbracket \psi \rrbracket = \llbracket \varphi \rrbracket \).

Proof

We treat the case where the monitor is persistently rejecting, as the case for a persistently accepting monitor is similar. From Theorem 4.1, there is a regular monitor, \(m \), that is sound for \(\varphi \) and persistently rejecting. By Theorem 4.1, we can assume that \(m \) is deterministic (Definition 4.2). From Corollary A.1, \(m \) is explicit. If there is a submonitor of \(m \) that cannot reject, then we can prove by induction on \(m \) that there is a finite trace \(s\), for which there is no finite trace \(r\), such that , which is a contradiction. Observe that \(\textsf {f}(m)\in \textsc {sHML} \). Then, from Lemma A.7, the sHML formula \(\textsf {f}(m)\) is in \(\textsc {eHML}\), and all of its subformulas can refute. Since \(m \) is sound for \(\varphi \) and sound and violation complete for \(\textsf {f}(m)\), it is the case that \({{Act} ^\infty } \setminus \llbracket \textsf {f}(m)\rrbracket \subseteq {{Act} ^\infty } \setminus \llbracket \varphi \rrbracket \), and therefore \(\textsf {f}(m) \wedge \varphi \in \textsc {spHML}\) and \(\llbracket \textsf {f}(m) \wedge \varphi \rrbracket = \llbracket \varphi \rrbracket \). \(\square \)

Theorem 5.3

Let \(\varphi \in \textsc {recHML} \). Then, \(\varphi \) is persistently informatively monitorable for violation if and only if there is some \(\psi \in \textsc {spHML}\), such that \(\llbracket \psi \rrbracket = \llbracket \varphi \rrbracket \); \(\varphi \) is persistently informatively monitorable for satisfaction if and only if there is some \(\psi \in \textsc {cpHML}\), such that \(\llbracket \psi \rrbracket = \llbracket \varphi \rrbracket \).

Proof

A consequence of Lemmata A.5 and A.8. \(\square \)