
Lectures on Runtime Verification. Introductory and Advanced Topics

Ezio Bartocci, Yliès Falcone

To cite this version: Ezio Bartocci, Yliès Falcone. Lectures on Runtime Verification. Introductory and Advanced Topics. Springer, LNCS 10457, pp. 1-240, in press, ISBN 978-3-319-75632-5. doi:10.1007/978-3-319-75632-5. hal-01762298

HAL Id: hal-01762298
https://hal.inria.fr/hal-01762298
Submitted on 9 May 2018

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

Preface

Runtime verification (RV) is a lightweight, yet rigorous, formal method for the monitoring and analysis of the runtime behaviour of software and hardware systems. RV complements classical exhaustive verification techniques (such as model checking and theorem proving) with a more practical approach that analyses a single execution trace of a system. At the price of a limited execution coverage, RV can give very precise information on the runtime behaviour of the monitored system. RV is now widely employed in both academia and industry, both before system deployment, for testing, verification, and debugging purposes, and after deployment to ensure reliability, safety, robustness and security. Interest in this field of research has grown since 2001, when the first international workshop on RV was organized. This venue has occurred each year since then, becoming a conference in 2010.
In 2014, we initiated the international Competition on Runtime Verification (CRV) with the goal of fostering the comparison and evaluation of software runtime verification tools. In the same year, a European scientific network for the COoperation in Science and Technology (COST) on "Runtime Verification beyond Monitoring (ARVI)" was approved and funded within the European framework programme Horizon 2020. ARVI currently includes the participation of scientists from 26 European countries and Australia. In 2016, together with other partners of ARVI, we also started to organize the first of a series of Schools on RV. Our aim is to train researchers from academia and industry, introducing them first to the basic concepts and then to the advanced topics of this exciting research area.

The idea of this book originated from the need for a handbook for students to support their training with several tutorials on different aspects of RV. The volume is organized into seven chapters, and the topics covered include an introduction to runtime verification, dynamic analysis of concurrency errors, monitoring events that carry data, runtime error reaction and prevention, monitoring of cyber-physical systems, runtime verification for decentralized and distributed systems, and an industrial application of runtime verification techniques in financial transaction systems.

November 30, 2017
Ezio Bartocci
Yliès Falcone

Table of Contents

Chapter 1 - An Introduction to Runtime Verification .................. 1
Ezio Bartocci, Yliès Falcone, Adrian Francalanza and Giles Reger

Chapter 2 - Discovering Concurrency Errors .......................... 2
João Lourenço, Jan Fiedor, Bohuslav Křena and Tomáš Vojnar

Chapter 3 - Monitoring Events that Carry Data ...................... 29
Klaus Havelund, Giles Reger, Eugen Zalinescu and Daniel Thoma

Chapter 4 - Runtime Error Reaction and Prevention .................. 67
Yliès Falcone, Leonardo Mariani, Antoine Rollet and Saikat Saha

Chapter 5 - Specification-based Monitoring of Cyber-Physical Systems: A Survey on Theory, Tools and Applications ......................... 97
Ezio Bartocci, Jyotirmoy Deshmukh, Alexandre Donzé, Georgios Fainekos, Oded Maler, Dejan Nickovic and Sriram Sankaranarayanan

Chapter 6 - Runtime Verification for Decentralized and Distributed Systems ......................................................... 138
Adrian Francalanza, Jorge A. Perez and Cesar Sanchez

Chapter 7 - Industrial Experiences with Runtime Verification of Financial Transaction Systems: Lessons Learnt and Standing Challenges . 175
Christian Colombo and Gordon J. Pace

Author Index

Bartocci, Ezio 1, 97
Colombo, Christian 175
Deshmukh, Jyotirmoy 97
Donzé, Alexandre 97
Fainekos, Georgios 97
Falcone, Yliès 1, 67
Fiedor, Jan 2
Francalanza, Adrian 1, 138
Havelund, Klaus 29
Křena, Bohuslav 2
Lourenço, João 2
Maler, Oded 97
Mariani, Leonardo 67
Nickovic, Dejan 97
Pace, Gordon J. 175
Perez, Jorge A. 138
Reger, Giles 1, 29
Rollet, Antoine 67
Saha, Saikat 67
Sanchez, Cesar 138
Sankaranarayanan, Sriram 97
Thoma, Daniel 29
Vojnar, Tomáš 2
Zalinescu, Eugen 29

Additional Reviewers

Arts, Thomas
Aydin Gol, Ebru
Bauer, Andreas
Colombo, Christian
Hu, Raymond
Kofron, Jan
Kong, Zhaodan
Nenzi, Laura
Pace, Gordon
Purandare, Rahul
Reger, Giles
Sokolsky, Oleg
Ur, Shmuel

Introduction to Runtime Verification

Ezio Bartocci (1), Yliès Falcone (2), Adrian Francalanza (3), and Giles Reger (4)

1 TU Wien, Austria
2 Univ. Grenoble Alpes, Inria, CNRS, Grenoble INP, Laboratoire d'Informatique de Grenoble, F-38000 Grenoble, France
3 University of Malta, Msida MSD2080, Malta
4 University of Manchester, Manchester, UK

Abstract. The aim of this chapter is to act as a primer for those wanting to learn about Runtime Verification (RV).
We start by providing an overview of the main specification languages used for RV. We then introduce the standard terminology necessary to describe the monitoring problem, covering the pragmatic issues of monitoring and instrumentation, and discussing extensively the monitorability problem.

1 Introduction

The field of Runtime Verification (RV) has been, and is still, referred to by many names such as runtime monitoring, trace analysis, dynamic analysis, etc. The term verification implies a notion of correctness with respect to some property. This is somewhat different from the term monitoring (the other popular term), which only suggests that there is some form of behaviour being observed. Some view the notion of monitoring as being more specific than that of verification, as they take it to imply some interaction with the system, whereas verification is passive in nature. At this early point in this chapter we would like to note that the community is not in agreement about the various meanings of certain terminology, such as the difference between runtime verification and runtime monitoring. We take a popular interpretation in this chapter, but the reader will most likely encounter alternative views in the literature.

RV is a lightweight, yet rigorous, formal method that complements classical exhaustive verification techniques (such as model checking and theorem proving) with a more practical approach that analyses a single execution trace of a system. At the price of a limited execution coverage, RV can give very precise information on the runtime behaviour of the monitored system. The system considered can be a software system, hardware or cyber-physical system, a sensor network, or any system in general whose dynamic behaviour can be observed. The archetypal analysis that can be performed on runtime behaviour is to check for correctness of that behaviour. This is also the main activity considered in this chapter.
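As an added example (not code from the book or its authors), the following Python monitor shows the archetypal RV analysis described above: it checks a single observed execution trace against a property and reports either the first violating event or that this trace respected the property. The property (a hypothetical open/use/close discipline on resources), the event format and the sample traces are assumptions made for this illustration.

```python
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical resource-usage property, used here only for illustration:
# a resource must be opened before it is read, written or closed, must not be
# opened twice without an intervening close, and must not be used after close.
# It is a safety property, so the monitor can report a violation as soon as the
# first offending event is observed.
ALPHABET = {"open", "read", "write", "close"}

# Per-resource monitor automaton: (state, action) -> next state.
# Any (state, action) pair missing from the table is a violation.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("init", "open"): "open",
    ("open", "read"): "open",
    ("open", "write"): "open",
    ("open", "close"): "closed",
    ("closed", "open"): "open",  # re-opening after close is allowed
}

Event = Tuple[str, str]  # (action, resource), e.g. ("open", "f1")


def monitor(trace: Iterable[Event]) -> Tuple[str, Optional[int]]:
    """Check one execution trace. Returns ("violation", i) with the index of
    the first offending event, or ("no violation", None) when the whole observed
    trace respected the property. The second verdict is only about this trace:
    RV trades coverage for precision and says nothing about unobserved runs."""
    state: Dict[str, str] = {}  # current automaton state per resource
    for i, (action, resource) in enumerate(trace):
        if action not in ALPHABET:
            continue  # events outside the property's alphabet are ignored
        current = state.get(resource, "init")
        nxt = TRANSITIONS.get((current, action))
        if nxt is None:
            return "violation", i
        state[resource] = nxt
    return "no violation", None


# Constructed sample traces (not taken from the book).
GOOD_TRACE = [("open", "f1"), ("write", "f1"), ("log", "sys"), ("close", "f1"),
              ("open", "f1"), ("read", "f1"), ("close", "f1")]
USE_AFTER_CLOSE = [("open", "f1"), ("read", "f1"), ("close", "f1"), ("read", "f1")]
USE_BEFORE_OPEN = [("open", "f1"), ("read", "f2")]

if __name__ == "__main__":
    for name, trace in [("good", GOOD_TRACE), ("use-after-close", USE_AFTER_CLOSE),
                        ("use-before-open", USE_BEFORE_OPEN)]:
        print(name, monitor(trace))
```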
However, there are many other analyses (e.g., falsification analysis [22]) or activities (e.g., runtime enforcement [81]) that can be performed, as will be discussed elsewhere in this handbook. RV is now widely employed in both academia and industry, both before system deployment, for testing, verification, and debugging purposes, and after deployment to ensure reliability, safety, robustness and security.

The RV field as a self-named community grew out of the RV workshop established in 2001, which became a conference in 2010 and has occurred each year since. In 2014, we initiated the international Competition on Runtime Verification (CRV) [17, 23] with the aim of fostering the comparison and evaluation of software runtime verification tools. In the same year, a European scientific network for the COoperation in Science and Technology (COST) on Runtime Verification beyond Monitoring (ARVI) was approved and funded within the European framework programme Horizon 2020. ARVI currently includes the participation of scientists from 26 European countries and Australia. In 2016, together with other partners of ARVI, we also started to organize the first of a series of Schools on RV. However, it is worth noting that research on monitoring techniques has been around for a very long time and is present in other communities where it is not referred to in the same terms as here, even if the process is the same.

In this chapter we introduce the field of RV, covering the basic concepts and the standard notions of monitoring. We have not attempted to make a full survey of all related work, but we refer to the main relevant literature [78, 101, 113, 141]. When considering how to check whether the runtime behaviour of a system conforms to some specification, there are three necessary steps to be taken:

1. Specifying (Un)Desired System Behaviour. Section 2 considers how system behaviour can be abstracted in terms of events and traces and