Monitoring Assumptions in Assume-Guarantee Contracts

TL;DR

This paper presents a method for constructing and verifying runtime monitors for assume-guarantee contracts in software components, addressing challenges in ensuring assumptions hold during execution.

Contribution

It introduces a novel approach for building and verifying environment monitors, including handling input transformations and ensuring alarm correctness.

Findings

Proposes a method for monitor construction and verification.

Addresses challenges of input transformation in monitoring.

Discusses limitations and potential solutions for instrumentation-based monitoring.

Abstract

Pre-deployment verification of software components with respect to behavioral specifications in the assume-guarantee form does not, in general, guarantee absence of errors at run time. This is because assumptions about the environment cannot be discharged until the environment is fixed. An intuitive approach is to complement pre-deployment verification of guarantees, up to the assumptions, with post-deployment monitoring of environment behavior to check that the assumptions are satisfied at run time. Such a monitor is typically implemented by instrumenting the application code of the component. An additional challenge for the monitoring step is that environment behaviors are typically obtained through an I/O library, which may alter the component's view of the input format. This transformation requires us to introduce a second pre-deployment verification step to ensure that alarms raised by the monitor would indeed correspond to violations of the environment assumptions. In this paper, we describe an approach for constructing monitors and verifying them against the component assumption. We also discuss limitations of instrumentation-based monitoring and potential ways to overcome it.