Adventures in Monitorability: From Branching to Linear Time and Back Again
Luca Aceto, Antonis Achilleos, Adrian Francalanza, Anna, Ing\'olfsd\'ottir, Karoliina Lehtinen

TL;DR
This paper develops a comprehensive theory of runtime monitorability for a highly expressive modal logic, comparing linear and branching time settings, and providing a hierarchy of monitorable fragments with guarantees.
Contribution
It introduces an expressiveness hierarchy of monitorable fragments of Hennessy-Milner logic with recursion in linear time, and characterizes what properties can be monitored within each fragment.
Findings
Established a hierarchy of monitorable logic fragments.
Identified exactly which properties are monitorable in each fragment.
Provided a framework for automatic synthesis of correct monitors.
Abstract
This paper establishes a comprehensive theory of runtime monitorability for Hennessy-Milner logic with recursion, a very expressive variant of the modal -calculus. It investigates the monitorability of that logic with a linear-time semantics and then compares the obtained results with ones that were previously presented in the literature for a branching-time setting. Our work establishes an expressiveness hierarchy of monitorable fragments of Hennessy-Milner logic with recursion in a linear-time setting and exactly identifies what kinds of guarantees can be given using runtime monitors for each fragment in the hierarchy. Each fragment is shown to be complete, in the sense that it can express all properties that can be monitored under the corresponding guarantees. The study is carried out using a principled approach to monitoring that connects the semantics of the logic and the…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Adventures in Monitorability:
From Branching to Linear Time and Back Again
Luca Aceto
Gran Sasso Science InstituteL’AquilaItaly
School of Computer ScienceReykjavik UniversityReykjavikIceland
,
Antonis Achilleos
School of Computer ScienceReykjavik UniversityReykjavikIceland
,
Adrian Francalanza
Department of Computer Science, ICTUniversity of MaltaMsidaMalta
,
Anna Ingólfsdóttir
School of Computer ScienceReykjavik UniversityReykjavikIceland
and
Karoliina Lehtinen
Kiel UniversityKielGermany
University of LiverpoolLiverpoolUnited Kingdom
(2019)
Abstract.
This paper establishes a comprehensive theory of runtime monitorability for Hennessy-Milner logic with recursion, a very expressive variant of the modal -calculus. It investigates the monitorability of that logic with a linear-time semantics and then compares the obtained results with ones that were previously presented in the literature for a branching-time setting. Our work establishes an expressiveness hierarchy of monitorable fragments of Hennessy-Milner logic with recursion in a linear-time setting and exactly identifies what kinds of guarantees can be given using runtime monitors for each fragment in the hierarchy. Each fragment is shown to be complete, in the sense that it can express all properties that can be monitored under the corresponding guarantees. The study is carried out using a principled approach to monitoring that connects the semantics of the logic and the operational semantics of monitors. The proposed framework supports the automatic, compositional synthesis of correct monitors from monitorable properties.
monitorability, linear-time and branching-time logics, monitor synthesis
††copyright: rightsretained††journal: PACMPL††journalyear: 2019††journalvolume: 3††journalnumber: POPL††article: 52††publicationmonth: 1††doi: 10.1145/3290365††ccs: Theory of computation Logic and verification††ccs: Theory of computation Modal and temporal logics††ccs: Theory of computation Automata over infinite objects††ccs: Theory of computation Complexity theory and logic
1. Introduction
The ubiquitous proliferation of software—from high-frequency stock market trading and autonomous vehicles, down to mundane objects such as mobile phones and household appliances—makes a strong case for stringent software correctness requirements. This proliferation has also substantially altered the manner in which software is developed and deployed. Today’s software often consists of multiple components (e.g., third-party libraries, mobile apps, microservices, cloud services etc.) that are developed and maintained by independent software organisations. In this setting, access to the components’ internal workings varies (e.g., open-source versus proprietary code) and different components may be subject to diverse quality controls. Moreover, time-to-market constraints often impose multiple deployment phases where software is rolled out in stages and third-party components change without notice from one deployment phase to the next. Requirements from various stakeholders may also evolve between deployment phases and occasionally become conflicting. These realities suggest that there is no silver bullet for ensuring software correctness. Any adequate solution will most likely need to employ multiple verification techniques (e.g., testing, model checking, theorem proving, log analysis, type checking, monitoring etc.) in a coherent manner, spanning the various stages of the software development lifecyle.
Runtime Verification (RV) (Bartocci et al., 2018) is a lightweight verification technique that checks for the correctness of the system under scrutiny by analysing the current execution exhibited by the system. RV generally assumes a logic (or some other formal language) for describing the correctness specifications of the system. From these specifications, (online) RV generates computational entities called monitors that are then instrumented to run with the system so as to incrementally analyse its execution (expressed as a trace of captured events) and reach (irrevocable) judgements relating to system violations or satisfactions for these specifications. These characteristics make RV an ideal candidate to be used in a multi-pronged approach towards ensuring software correctness: it can verify the correctness of components that are either not available for inspection prior to deployment, or are too expensive to check via more exhaustive and less scalable verification techniques such as model checking (Baier et al., 2008; Clarke et al., 1999). Importantly, in settings where multiple verification techniques are used, one cannot necessarily expect specifications to be expressed in a language tailored specifically to RV. Indeed, the use of disparate specification logics specific to every verification technique that is used for validating system correctness is expensive. Moreover, an RV-specific property language leads to a poor separation of concerns between the effort required to formulate the specifications and the engineering endeavour needed to determine how to best verify them. Therefore it is natural and important to develop RV foundations that are based on general-purpose specification languages, which subsume application-specific verification concerns.
In order for RV to be used effectively in this way, a few foundational questions need to be addressed. Principal among them is the question of monitorability: for sufficiently expressive specification logics, it is often the case that some specifications cannot be monitored at runtime. For example, the observation of finite executions does not give sufficient information to decide whether the specification “every request is eventually followed by an answer” is satisfied. It is thus important to identify which specifiable properties are monitorable and which are not, since this directly impinges on whether to use RV or some other verification technique instead. Another fundamental question is that of monitor correctness. Monitors are often considered part of the trusted computing base and any errors in their code could either invalidate the runtime analysis they perform or, even worse, compromise the execution of the system itself. In order to ensure monitor correctness, one must first establish what it means for a monitor to adequately verify a specification at runtime. In fact, there may be a number of plausible definitions for this notion, each contributing to different monitor implementations. The question of what it means to adequately verify a specification at runtime directly impacts the question of monitorability as well, and guides the design of algorithms for the synthesis of correct monitors from monitorable properties. A third fundamental question concerns the limits of monitor expressiveness. After one has established the monitorability of a set of properties from a reasonably general specification logic, it is important to know whether this set contains all properties that can be expressed in the logic and can, at the same time, be monitored at runtime. This is the question of maximality of the monitorable fragment of the specification language, and its importance lies in the knowledge that one can identify a logical sub-language that syntactically characterises all monitorable properties: syntactic characterisations of monitorable properties provide a core calculus for conducting further studies and facilitate tool construction.
In prior work (Francalanza et al., 2015, 2017b; Aceto et al., 2017a; Francalanza et al., 2017a; Aceto et al., 2018a), these foundational questions have been investigated for a highly expressive logic called Hennessy-Milner Logic with recursion (recHML) (Larsen, 1990), a variant of the modal -calculus (Kozen, 1983), that can embed a variety of widely used logics such as LTL and CTL, thus guaranteeing a good level of generality for the obtained results. A distinctive aspect of this programme of study is the differentiation between the semantics of the logic on the one hand, and the operational semantics of monitors on the other, which mirrors the separation of concerns required for the multi-pronged verification approach advocated earlier. Within the proposed framework, the definitions of monitorability and correctness emerge naturally as relationships between the two semantics. That is, the relationship between the verdicts reached by a monitor and the satisfaction of a specification by the observed system naturally characterises both the monitor’s correctness and the specification’s monitorability.
Despite its merits, that body of work remains rather disconnected from the more established classical results on monitorability (Manna and Pnueli, 1991; Chang et al., 1992; Pnueli and Zaks, 2006; Bauer et al., 2010; Falcone et al., 2012a). One major complication obstructing a unified understanding of all these monitoring theories is the fact that the former work on recHML is carried out for a branching-time semantics, whereas the classical theories target specifications for a linear-time semantics. Propitiously, however, the modal -calculus also has a well-established linear-time semantics, which can be easily adapted to recHML. This provides us with an opportunity to extend the principled framework developed in Aceto et al. (2017a) and Francalanza et al. (2015, 2017b) to a linear-time setting, offering an ideal basis to better understand the connections between monitorability for branching-time and linear-time specifications. We contend that this framework is general enough to lay the foundations for a potential unified theory of monitorability.
Contributions and Synopsis.
This paper sets out to establish a comprehensive theory of monitorability for recHML, by investigating the monitorability of that logic with a linear-time semantics and then comparing the obtained results with those presented in the literature in a branching-time setting. We identify the trade-offs between monitoring guarantees and expressiveness: In general, the more we expect from monitors, the fewer specifications can be monitored. Here we establish an expressiveness hierarchy within linear-time recHML and identify exactly what kind of guarantees can be given for each type of specification.
- •
We show that, compared to branching time, linear time allows for a much stronger notion of monitorability requiring that a monitor correctly report both the satisfaction and the violation of the property it checks on all system executions. We identify a fragment of recHML that captures exactly linear-time properties with such monitors (Prop. 4.7), and show how to synthesise monitors from them (Def. 4.4).
- •
For any collection of monitors with irrevocable acceptance and rejection verdicts, which are reported after examining a finite prefix of the observed execution, we show a strong maximality result for the above-mentioned logical fragment (Thm. 4.8), which guarantees that all monitorable properties of traces can be expressed in that fragment of recHML.
- •
We apply the weaker notion of monitorability called partial monitorability from Francalanza et al. (2017b), which guarantees that a monitor does not reach an incorrect verdict and reaches a verdict for either all violations or all satisfactions. Again, we give a syntactic characterisation of linear-time properties that can be monitored with such monitors (Prop. 4.18), we show how to synthesise correct monitors from them (Def. 4.12), and prove maximality results.
- •
We establish a relationship between specifications that are partially monitorable in branching-time and in linear-time semantics (Sec. 5). To establish this result, we study how considering specifications over both finite and infinite executions affects monitorability. Our main observation here is that the syntactic fragment identified as partially monitorable with respect to branching-time semantics and the one identified as partially monitorable with respect to linear-time semantics are equally expressive under linear-time semantics over a finite set of actions. This bridges the gap in the treatment of monitorability on linear- versus branching-time domains.
Our results establish a unified foundation for an increasingly important verification technique, covering both branching-time and linear-time specifications. We establish simple syntactic characterisations for specifications that can be monitored at runtime for various monitor requirements. For each characterisation, we provide a synthesis function that automates the generation of the corresponding monitors, whose correctness proofs depend on delicate arguments about the monitor semantics. This approach facilitates the design and implementation of correct monitors, along the lines of previous work on tool construction (Attard and Francalanza, 2016; Attard et al., 2017; Francalanza and Seychell, 2015). Throughout our technical development, we also highlight the subtle aspects of moving between semantics of branching processes, infinite traces, and potentially finite traces, and provide ample discussion on how they affect monitorability. Crucially, our results are not just limited to our line of work. For instance, the syntactic characterisations of monitorable properties set maximality limits to a number of existing RV tools using popular logics such as LTL since these logics can be embedded in our general language recHML.
The proofs of all the results in the paper may be found in the appendix.
2. Preliminaries
We provide a brief overview of our touchstone logic, recHML (Larsen, 1990; Aceto et al., 2007), a reformulation of the highly expressive and extensively studied modal -calculus (Kozen, 1983).
2.1. The Syntax
The logic described in Fig. 1 is a mild generalisation of recHML (Larsen, 1990; Aceto et al., 2007). It assumes a set of actions, , together with a distinguished internal action , where . We refer to the actions in Act as external actions, as opposed to the action , and use to refer to either. The metavariables range over sets of (external) actions, where the convenient notation is occasionally used to denote ; whenever the context allows us to do so unambiguously, singleton sets are also occasionally denoted as , and is occasionally denoted as .
The grammar in Fig. 1 also assumes a countable set of logical variables . Apart from the standard constructs for truth, falsehood, conjunction and disjunction, the logic is equipped with existential and universal modal operators that use sets of actions, . A hallmark of the logic is the use of two recursion operators that express least or greatest fixpoints: formulae and bind free instances of the logical variable in , inducing the usual notions of open/closed formulae and formula equality up to alpha-conversion. A formula is said to be guarded if every fixpoint variable appears within the scope of a modality within its fixpoint binding. All formulae are assumed to be guarded (without loss of expressiveness (Kupferman et al., 2000)). For a formula , we use to denote the length of as a string of symbols.
2.2. The models
We provide linear- and branching-time interpretations for the logic. The metavariables range over infinite sequences of external actions, abstractly representing complete system runs; the metavariable ranges over sets of traces. Finite traces, denoted as , represent finite prefixes of a system run or finite executions. Explicit traces, denoted as , represent detailed finite prefixes of a system run that also include its internal transitions; the function returns the finite trace that is left after dropping all the -actions from . We say that two explicit traces agree on the external actions, denoted as , whenever . A trace (resp., finite trace) with action at its head is denoted as (resp., ). An explicit trace with action at its head is denoted as . Similarly, a trace with a prefix and continuation is denoted as .
The denotational semantic function in Fig. 1 maps a formula to a set of traces, and is referred to as the linear-time semantics of recHML. It uses valuations that map logical variables to sets of traces, , to define the semantics by induction on the structure of the formulae. Intuitively, is the set of traces assumed to satisfy . The cases for truth, falsehood, disjunction and conjunction are straightforward. An existential modal formula denotes all traces with a prefix action from the action set and a continuation that satisfies . A universal modal formula denotes all traces that are either not prefixed by any in , or have a continuation satisfying . The sets of traces satisfying the least and greatest fixpoint formulae, and , are defined as intersection (resp., union) of all the pre-fixpoints (resp., post-fixpoints) of the function induced by the formula .
The second interpretation of recHML, denoted by , is defined in terms of processes, Prc, and is referred to as the branching-time semantics. It assumes a set of process states, where , and a transition relation, . The triple forms a Labelled Transition System (LTS) (Keller, 1976). The suggestive notation denotes ; we also write to denote . We employ the usual notation for weak transitions and write in lieu of and for , referring to as a -derivative of . As we have done for strong transitions, for weak transitions we use to denote and to denote . Sequences of weak transitions are written as , where . Similarly, for strong transitions, is written as , where . We say that produces a trace if there are processes such that and . While an LTS can be used to model a single system, it can also model all possible system behaviours.
The branching-time semantics in Fig. 1 follows the linear-time semantics for most cases, using a valuation from variables to sets of processes, , instead. The main differences are with respect to the modal formulae. A universal modal formula requires all -derivatives of a process, where , to satisfy . By contrast, an existential modal formula requires the existence of at least one -derivative, for some , that satisfies .
For closed formulae, we use and in lieu of and (for some and ) resp., since the semantics is independent of the valuation. We also write instead of or , whenever the correct interpretation can be discerned from the context or the specific interpretation is unimportant. Unless otherwise stated, we assume that the formulae we consider are all closed.
Example 2.1 (Expressiveness).
For arbitrary formulae , we can encode the following characteristic LTL operators (Clarke et al., 1999) as:
[TABLE]
Example 2.2 (Comparison).
Assume . Consider the two formulae
[TABLE]
together with the trace (denoted by the -regular expression) , and the (non-deterministic) process (described by the regular CCS syntax (Milner, 1989)) . In particular, we note that can produce the infinite trace .
Whereas , we have because along one branch we have and . In linear-time semantics, the equality holds for each . One can also easily deduce that for both linear- and branching-time semantics from the semantics of Fig. 1. Hence, in our case (where ), we obtain by instantiating with . As a result, is equivalent to under linear-time semantics and we have for every trace . However, under branching-time semantics (one witness for the inequality is the deadlocked process nil, ). In fact, and thus .
Remark*.*
Action sets in and are typically expressed using predicates in tools such as those described in Attard and Francalanza (2016), Attard et al. (2017) and Aceto et al. (2018b). For example, modalities can be labelled by an output action on port carrying payload where the data variables and are constrained by conditions, as in . In the sequel, we shall assume that Act (and thus any action set ) is a finite set of actions. This helps to simplify our technical development and enables us to focus on the core issues being studied. However, finite action sets are not necessarily a limitation since, in most cases, infinite data sets can be treated in a finite manner using standard symbolic techniques (e.g., see Francalanza (2017) for a recent treatment of the subject in the context of monitors).
Remark*.*
For a finite set of indices, the (standard) notation denotes when , and a conjunction of the formulae in when . Similarly denotes when , and a disjunction of the formulae in when . These notations are justified by the fact that and are commutative and associative with respect to all the semantics considered in the paper. We also observe that, for both semantics, is equivalent to , and is equivalent to for finite , so we use these equivalent notations interchangeably.
3. A monitoring framework
A distinctive feature of the work in Aceto et al. (2017a, 2018a) and Francalanza et al. (2017b) is the full description of the monitoring setup used, which incorporates the monitor definition together with the system instrumentation mechanism—monitor compositionality results have shown that the semantics of monitors in an instrumented setup differs substantially from that given for monitors in isolation (Francalanza, 2016, 2017). Here we follow this comprehensive approach.
3.1. Regular Monitors
Regular monitors are LTSs defined by the grammar and transition rules in Fig. 2, used already in Aceto et al. (2017a) and Francalanza et al. (2017b). A transition denotes that the monitor in state can analyse the (external) action and transition to state . Monitors may reach any one of three verdicts after analysing a finite trace: acceptance, yes, rejection, no, and the inconclusive verdict end. We highlight the transition rule for verdicts in Fig. 2, describing the fact that from a verdict state any action can be analysed by transitioning to the same state; verdicts are thus irrevocable. The remaining constructs and transitions are standard. If at most one of the verdicts appears in , then is called a single-verdict monitor. Otherwise, is called a dual-verdict monitor. Just like for formulae, we use to denote the length of as a string of symbols. In the sequel, for a finite nonempty set of indices , we use notation to denote a combination of the monitors in using the operator . The notation is justified, because is commutative and associative with respect to the transitions that a resulting monitor can exhibit. We also use the shorthand notation A.$$m to denote (for finite non-empty ). The regular monitors in Fig. 2 have an important property, namely that their state space, i.e., the set of reachable states, is finite. This is a valuable property for ensuring reasonable overheads in terms of the amount of memory the monitor will use at runtime (see Prop. 3.2, whose proof is in Sec. A.1).
Lemma 3.1** (Verdict Persistence).**
∎
Definition 3.1 (Monitor Reachable States).
Proposition 3.2**.**
Regular monitors are finite state i.e., for all , is finite. ∎
We define the following behavioural predicate on monitors, which relates to their correctness.
Definition 3.2 (Monitor Consistency).
A monitor is consistent when there is no finite trace such that and .
Monitors are intended to run in conjunction with the system (i.e., process) they are analysing. Following Francalanza (2016, 2017) and Francalanza et al. (2017b), Fig. 2 defines a transition relation for a process instrumented with a monitor , denoted as . The relation is parametric with respect to the transition semantics of the process and the monitor, as long as the latter includes the inconclusive verdict end (e.g., the monitor transition semantics given in Fig. 2 does). The semantics relegates the monitor to a passive role in an instrumented system , meaning that transitions with an external action only when transitions with that action. For instance, when transitions with action to some , and can analyse this action and transition to state , the instrumented pair transitions in lockstep to ; see rule iMon. Conversely, if wants to transition with an action that the instrumented monitor is not able to analyse (perhaps due to underspecification), the instrumented system is still allowed to transition with , but the monitor analysis is prematurely aborted to the inconclusive state; see rule iTer. The other rules allow monitors and processes to execute independently of one another with respect to internal (-)moves.
Example 3.1.
When the monitor is instrumented with the process , it can reach an acceptance verdict thus:
[TABLE]
However, if the same process is instrumented with a slightly different monitor we obtain a different verdict.
[TABLE]
The last transition is obtained via rule iTer, whereby the process exhibited an action that the current monitor state was unable to analyse (i.e., it could only analyse action , not ).
The following lemmata describe how the respective monitor and system LTSs can be composed and decomposed according to instrumentation (Francalanza, 2016; Francalanza et al., 2017b).
Lemma 3.3** **(General Unzipping
).
* implies*
- •
* and*
- •
* or ( and and and ). ∎*
Lemma 3.4** **(Zipping
).
* implies . ∎*
Within this framework, we can formalise our understanding of process and trace acceptance and rejection by a monitor. Acceptances and rejections will constitute the monitoring counterpart to formula satisfactions and violations from Sec. 2 when we consider our definitions of monitorability.
Definition 3.3 (Process and Trace Acceptance and Rejection).
A monitor rejects along , denoted as , if for some . Similarly, accepts along , denoted as , if for some .
- •
A monitor rejects (resp., accepts) , using the abuse of notation (resp., ), if such that and (resp., ).
- •
A monitor rejects (resp., accepts) , using the abuse of notation (resp., ), if such that (resp., ).
We also say that rejects as a shorthand for , and similarly, accepts is a shorthand for .
As Defs. 3.3, 3.3 and 3.4 make clear, a monitor accepts or rejects a finite trace iff it can transition to the appropriate verdict by reading . This hints at the fact that each monitor might be “equivalent to a deterministic one”. As we will see in Prop. 3.11, this is indeed the case.
3.2. Parallel Composition of Monitors
When relating monitors to formulae, it may be convenient not to view monitors as one monolithic entity but rather as a system of sub-monitors where the constituent submonitors are concerned with checking specific subformulae. For instance, the use of sub-monitors executing in parallel facilitates the synthesis of monitors from formulae in a compositional fashion. Monitors with parallel composition, , are defined by the grammar and transition rules in Fig. 3. In particular, we endow monitors with conjunctive parallelism, , and disjunctive parallelism, . We use the notation to range over either or (i.e., ).
Fig. 3 also outlines the behaviour of parallel monitors. Rule mPar states that both submonitors need to be able to analyse an external action for their parallel composition to transition with that action. The rules in Fig. 3 also allow -transitions for the reconfiguration of parallel compositions of monitors. For instance, rules mVrC1 and mVrC2 describe the fact that, whereas yes verdicts are uninfluential in conjunctive parallel compositions, no verdicts supersede the verdicts of other monitors in a conjunctive parallel compositions (Fig. 3 omits the obvious symmetric rules). The dual applies for yes and no verdicts in a disjunctive parallel composition, as described by rules mVrD1 and mVrD2. Rule mVrE applies to both forms of parallel composition and consolidates multiple inconclusive verdicts. Finally, rules mTauL and its dual mTauR (omitted) are contextual rules for these monitor reconfiguration steps.
We identify a useful monitor predicate that obviates the need for the rule iTer of Fig. 2 that prematurely terminates monitors; see 3.1. In the case of parallel monitors, it also allows us to neatly decompose the monitor behaviour in terms of the respective sub-monitors.
Definition 3.4 (Monitor Reactivity).
We call a monitor reactive when for every and , there is some such that .
3.2 below indicates why the assumption that and are reactive is needed in Lem. 3.5, which states that parallel monitors behave as expected with respect to the acceptance and rejection of traces as long as the consitituent submonitors are reactive.
Example 3.2.
Assume that . The monitors and are both reactive. The monitor , however, is not reactive. Since the submonitor can only transition with , according to the rules of Fig. 3, cannot transition with any action that is not . Similarly, as the submonitor can only transition with , cannot transition with any action that is not . Thus, cannot transition to any monitor, and therefore it cannot reject or accept any trace. By contrast, the monitor is reactive, because its constituent submonitors are reactive as well.
Lemma 3.5** (Monitor Composition and Decomposition).**
For reactive and :
- •
* rejects if and only if either or rejects .*
- •
* accepts if and only if both and accept .*
- •
* rejects if and only if both and reject .*
- •
* accepts if and only if either or accepts . ∎*
Parallel monitors are a convenient formalism for constructing monitors in a compositional fashion and facilitate the definition of monitor synthesis functions from a specification logic. However, these monitors are only as expressive as regular monitors, as Prop. 3.8 demonstrates. Sec. 3.3 is devoted to the proof of this result.
3.3. Monitor Transformations: Parallel to Regular
We describe how one can transform a parallel monitor to a verdict-equivalent regular one. For this, we use known results about alternating finite automata, restated here for completeness.
Definition 3.5 (Alternating Automata).
An alternating finite automaton is a quintuple , where is a finite set of states, is a finite alphabet, is the starting state, is the set of accepting/final states, and is the transition function. An alternating finite automaton is non-deterministic (NFA) if for each and , there is some , such that for all , if and only if .
Intuitively, given a state and a symbol , returns a boolean function on that evaluates, given a truth-assignment on the states of (represented by a subset of ), an assigned truth-value for . We can extend the transition function to , so that iff , and . We say that the automaton accepts when , and that it recognizes when is the set of strings accepted by the automaton.
Definition 3.6 (Monitor Language Acceptance and Rejection).
A monitor accepts (resp., rejects) a set of finite traces (i.e., a language) when for every , if and only if accepts (resp., rejects) . We call the set that accepts (resp., rejects) (resp., ).
Proposition 3.6**.**
*For every reactive parallel monitor , there is an alternating automaton that accepts and one that accepts . *
Proof.
We describe the process of constructing an alternating automaton that accepts — the case for is similar. We assume that for every variable that appears in , there is a unique submonitor of of the form , such that appears in . The automaton for is , where
- •
is the set of submonitors of ;
- •
;
- •
Let for every , iff ; is the closure of under the following conditions. For every :
- –
if , then ;
- –
if or , then ;
- –
if or , and and , then ;
- –
if and , then ;
- –
if and , then .
In Sec. A.4, we present the remaining proof, that accepts if and only if . ∎
Remark*.*
The assumption that the monitor is reactive is necessary for the construction in the proof of Prop. 3.6 to be correct. Consider, for example, the monitor . Although , the monitor does not accept any trace since . By the construction, in the resulting alternating automaton, , and therefore , implying that , in turn implying that , according to the closure conditions for . Therefore, is a finite trace that the automaton accepts and the monitor does not.
In light of our assumption that monitor in Prop. 3.6 is reactive, the third condition for in the construction in the proof of the proposition may seem superfluous. However, reactivity does not transfer to submonitors. For example, let . Reasoning similarly to the above argument for , is a reactive parallel monitor, which accepts no traces. On the other hand, a more naive construction that ensures that whenever or , would result in an automaton that accepts the finite trace .
As we see in the remainder of this section, Prop. 3.6 implies that potentially infinite-state parallel monitors are equivalent to finite-state regular monitors. The subtleties that we pointed out are the trade-off for keeping the construction of the alternating automaton straightforward.
Corollary 3.7**.**
For every reactive parallel monitor , there is an NFA that accepts and an NFA that accepts , and each has at most states.
Proof.
The alternating automaton that is constructed in the proof of Prop. 3.6 has at most as many states as there are submonitors in which, in turn, are not more than . Furthermore, it is a known result that every alternating automaton with states can be converted into an NFA with at most states that accepts the same language (Chandra et al., 1981; Fellah et al., 1990). ∎
We now have all the ingredients to complete the proof of Prop. 3.8. This relies on a notion of monitor equivalence from Aceto et al. (2017b) that focusses on how monitors can reach verdicts.
Definition 3.7 (Verdict Equivalence).
Monitors and are acceptance equivalent (resp., rejection equivalent), denoted as (resp., ), if for every finite trace , iff (resp., iff ). They are verdict equivalent, denoted as , if they are both acceptance- and rejection-equivalent.
Proposition 3.8**.**
For all reactive parallel monitors , there exist regular monitors , and such that and are single-verdict monitors that are respectively acceptance-equivalent and rejection-equivalent to , and and are verdict equivalent, and .
Proof.
Let be an NFA for with at most states, and let be an NFA for with at most states, which exist by Cor. 3.7. From these NFAs, we can construct regular monitors and , such that accepts and rejects , and (Aceto et al., 2016). Therefore, and , and is regular and verdict-equivalent to , and . ∎
The techniques of Aceto et al. (2016) can also be used to produce deterministic monitors.
Definition 3.8 ((Aceto et al., 2016)).
A regular monitor is syntactically deterministic iff every sum of at least two summands which appears in is of the form , where .
Example 3.3.
The monitor is not syntactically deterministic while the verdict-equivalent monitor () is syntactically deterministic.
One can also consider non-syntactic notions of determinism, such as if and , then . Lem. 3.9 shows that syntactic determinism implies this semantic notion. Henceforth we will simply say deterministic to mean syntactically deterministic.
Lemma 3.9** ((Aceto et al., 2016)).**
If is deterministic, , and , then . ∎
Theorem 3.10** ((Aceto et al., 2016)).**
For every consistent regular monitor , there is a verdict-equivalent deterministic regular monitor such that . ∎
Proposition 3.11**.**
For every consistent reactive parallel monitor , there is a verdict-equivalent deterministic regular monitor such that .
Proof.
Using Prop. 3.8, can be translated into a (possibly nondeterministic) verdict-equivalent (hence consistent) regular monitor , such that . Thm. 3.10 can then be used to convert into a verdict-equivalent deterministic regular monitor , such that . Therefore, . ∎
4. Monitorability for recHML
Monitorability is the study of the relationship between the semantics of a logic on the one hand (i.e., satisfactions and violations), and the verdicts that can be discerned by the monitoring setup on the other (i.e., acceptances and rejections). The concept relies on what a correct monitor for a particular formula is, which, in turn, defines what it means for a formula to be monitorable. In this section we focus on the monitorability of recHML. Based on the definition of trace acceptance and rejection of Def. 3.3, we adapt the concepts of monitor soundness and completeness (with respect to a formula) from Francalanza et al. (2017b) to the linear-time setting.
Definition 4.1 (Linear-time Monitor Soundness and Completeness).
- •
A monitor is sound for a (closed) formula of recHML over traces if, for all :
- –
implies ;
- –
implies .
- •
A monitor is violation-complete for a (closed) formula of recHML over traces if for all , implies . It is satisfaction-complete if implies .
- •
A monitor is complete for a (closed) formula of recHML if it is both violation- and satisfaction-complete for it.
The definition of soundness and completeness for monitors depends on the semantics given to the formulae. Since we focus on linear-time semantics in this section, instead of saying that a monitor is sound or violation- or satisfaction-complete, or complete for a formula over traces, we respectively simply say that it is sound or violation- or satisfaction-complete, or complete for the formula. In Sec. 5, we will introduce variations of Def. 4.1 that depend on different semantics for recHML. Observe that a monitor that is sound for some formula must be consistent.
Following Francalanza et al. (2017b), we assume that the minimum requirement for a monitor to correctly correlate to a formula is for it to be sound. It can be however argued that, depending on the circumstance of the application requirements, different notions of completeness may be deemed adequate enough. It turns out that not all formulae can be monitored adequately at runtime. Moreover, the more stringent the requirement for adequate monitoring, the more are the formulae that cannot be monitored. In the remainder of the section, we consider different definitions for adequate monitoring and establish recHML monitorability results in each case.
In Sec. 4.1, we present monitorability results with respect to complete monitors. In Sec. 4.2, we introduce the additional requirement of tightness for a monitor, under which the monitor reaches a verdict as soon as it has read sufficient information from the input trace and not later. We explain what one needs to do to construct a tight monitor. In Sec. 4.3, we establish monitorability results for partially complete monitors, which are satisfaction-complete or violation-complete for their respective formulae, but are not required to be both. This relaxation allows us to monitor for more formulae. Finally, in Sec. 4.4, we examine what one must do to construct tight partially complete monitors, and we explain why the methods of Sec. 4.2 are not likely to apply for this case.
4.1. Complete Monitorability
We first consider (sound and) complete monitors as our notion of adequate monitoring for a particular formula. This induces the following definition of monitorable formula and (sub)logic.
Definition 4.2 (Complete Monitorability).
A formula is complete-monitorable over traces iff there exists a monitor that is sound and complete for it. A (sub)logic is complete-monitorable over traces iff each formula is complete-monitorable.
Remark*.*
In this section we only use Def. 4.2 for the linear-time interpretation of recHML. However, its general form allows it to be used for other interpretations of the logic, with the appropriate adaptation of complete monitors (e.g., along the lines of Francalanza et al. (2017b)).
As the following results highlight, soundness and completeness for monitors are invariant under verdict equivalence.
Proposition 4.1**.**
If is sound and complete for then
- (1)
* implies is sound and complete for ;* 2. (2)
* is a sound and complete monitor for implies . ∎*
In line with other works on monitorability (Manna and Pnueli, 1991; Chang et al., 1992; Pnueli and Zaks, 2006; Bauer et al., 2010; Falcone et al., 2012a; Cini and Francalanza, 2015; Francalanza et al., 2017b), not all properties in recHML are complete monitorable.
Example 4.1.
The formula is not complete-monitorable. For if, by contradiction, we assume that it was then there must exist some sound and complete monitor for . Since the trace , this monitor rejects which, by Def. 3.3, means that it must reach a violation after observing a finite prefix (for ). But this would also mean that rejects all traces of the form , which clearly satisfy , thereby contradicting the assumption that is sound. Similarly, it can be argued that the formula is not complete-monitorable either. For if it was, a sound and complete monitor would accept the trace after analysing some prefix of it; this would also mean that this monitor would also accept any trace of the form , which clearly violates the property. Thus, no such monitor exists.
4.1 raises the question as to which recHML properties can be monitored according to Def. 4.2. To answer this question, we first identify a fragment of recHML that is guaranteed to be complete-monitorable and then show its maximality.
Definition 4.3 (The complete-monitorable fragment of recHML).
The recursion-free syntactic fragment of recHML (a syntactic variant of HML (Hennessy and Milner, 1985)) is defined as:
[TABLE]
For every formula , we can define a monitor synthesis function as follows.
Definition 4.4 (Complete Monitor Synthesis).
The function is defined inductively as follows:
[TABLE]
Lemma 4.2**.**
For all , is reactive. ∎
Example 4.2.
Assuming , the synthesised monitor for , where , is
[TABLE]
When we compose with , we observe the following monitored behaviour:
[TABLE]
We show that, for each formula , the monitor is the witness sound and complete monitor for it. This, in turn, shows that HML is complete-monitorable, in the sense of Def. 4.2.
Proposition 4.3**.**
For all , is a sound and complete monitor for .
Proof.
From Def. 4.1, soundness requires us to show that implies and implies . Completeness, requires us to show implies and implies . See Sec. B.1. ∎
Corollary 4.4**.**
HML* is complete monitorable. ∎*
Following Francalanza et al. (2017b), we go one step further and show that the fragment HML of Def. 4.3 is maximally expressive with respect to sound and complete monitors. By this we mean that every formula that is complete-monitorable, in the sense of Def. 4.2, is semantically equivalent to a formula from HML. Thus, we can limit ourselves to the syntactic fragment HML without sacrificing any expressiveness in terms of complete-monitorable properties.
We show this claim in two steps. First, we tighten expressiveness results from Sec. 3 for the specific case of complete monitoring. Concretely, we argue that every complete-monitorable formula (Def. 4.2) can be monitored adequately by a recursion-free syntactically deterministic monitor (see Def. 3.8). This is shown via Lem. 4.5, which relies on Def. 4.5. In the second step, we devise an inverse synthesis function to obtain complete-monitorable HML formulae from recursion-free deterministic monitors, Lem. 4.6. This formula synthesis function is then used for Prop. 4.7, the last main result of Sec. 4.1.
Definition 4.5 (Removing Monitor Recursion).
For each monitor , we define thus:
[TABLE]
Lemma 4.5**.**
If is a syntactically deterministic monitor that is sound and complete for , then is also a sound and complete monitor for .
Proof.
Using Prop. 4.1, the result follows if we show that . See Sec. B.1. ∎
The next step towards proving Prop. 4.7 is that of synthesising formulae from any recursion-free syntactically deterministic monitor, which can be described by the following grammar.
Definition 4.6 (Recursion-free
Deterministic Monitors).
[TABLE]
We now show how to convert any recursion-free monitor into an HML formula . We then argue that a reactive monitors soundly and completely for .
Definition 4.7.
The synthesis function is defined as follows:
[TABLE]
Lemma 4.6**.**
Every reactive monitor is a sound and complete monitor for . ∎
We are now in a position to prove the expressive maximality of HML from Def. 4.3.
Proposition 4.7** (Maximality for HML).**
For each , if is complete-monitorable, then there exists some such that .
Proof.
From the results in Sec. 3 and Lem. 4.5, each complete-monitorable has a recursion-free deterministic monitor that is sound and complete for it. By Lem. 4.6, is sound and complete for as well which is in HML. Prop. 4.1 thus yields as required. See Sec. B.1 for more details. ∎
The proof of Prop. 4.7 is constructive. We are also able to prove (albeit in a non-constructive manner) an even stronger result (Thm. 4.8) with respect to complete monitoring for any arbitrary logic defined over traces. This increases the importance of the fragment identified in Def. 4.3 for the linear-time interpretation. The proof of Thm. 4.8 can be found in Sec. B.1.
Theorem 4.8**.**
Let be a monitor from a monitoring system with the following two properties:
- (1)
verdicts are irrevocable, that is, if accepts (respectively, rejects) a finite trace , then it accepts (respectively, rejects) all its extensions, and 2. (2)
* accepts (respectively, rejects) a trace if, and only if, it accepts (respectively, rejects) some finite prefix of .*
For any property with a trace interpretation (not necessarily syntactically represented using recHML), if is sound and complete for then can be expressed via the syntactic fragment HML of Def. 4.3. ∎
4.2. Tightly-Complete Monitors
The sound and complete monitoring studied in Sec. 4.1 does not specify when a monitor should reach a verdict while it analyses a trace, as illustrated by the following example.
Example 4.3.
Assume and consider the formula , which is equivalent to . Following Def. 4.4, the synthesised monitor for is . After at most two consecutive actions, will definitely reject, and therefore it correctly rejects all traces. However, a more “efficient” correct monitor for is no, which rejects immediately.
A finite trace for which every extension violates (resp., satisfies) a property is often called a bad prefix (resp., a good prefix) for (Alpern and Schneider, 1985; Pnueli and Zaks, 2006; Bauer et al., 2010); good/bad prefixes provide sufficient finite information for acceptance/rejection.
Example 4.4.
is equivalent to , and thus is a good prefix for it. But from Def. 4.4 would first need to observe one action before accepting. Similarly, is equivalent to and is a valid bad prefix. Yet the synthesised monitor only rejects after observing one action.
Although the monitors synthesised in Sec. 4.1 are complete, there may be a delay from the moment a good/bad prefix is seen to the point when a verdict is reached. This observation does not affect monitor completeness: the assurance that the stream of events is infinite guarantees that any delay in reporting a verdict will not affect the formula’s monitorability. However, it may be important for a monitor to report a verdict as soon as it gathers sufficient information to do so.
Definition 4.8.
A monitor is tight when, for every , if rejects (resp., accepts) for every , then (resp., ).
Although, as 4.3 demonstrates, Def. 4.4 does not always yield tight monitors we can identify a fragment of HML for which it does.
Definition 4.9.
A slim formula is defined by the following grammar:
[TABLE]
where , , , either or , and either or .
All slim formulae are HML formulae. However, the conditions imposed on their syntax exclude redundancies that yield non-tight monitors. We proceed to show that if is slim, then is tight. To this end, we prove a lemma showing the absence of redundancy in slim formulae.
Lemma 4.9**.**
If is slim and (resp., ), then (resp., ). ∎
Lemma 4.10**.**
If is a slim HML formula, then is tight.
Proof.
By Prop. 4.3, implies that there is a finite prefix of such that . We prove by induction on that if , then (the case for acceptance is symmetric). See Sec. B.3 for details. ∎
We can transform every HML formula into an equivalent slim formula. This transformation is based on a set of rewrite rules of the form , given in Fig. 4, that allows us to iteratively replace the formula on the left-hand side with that on the right-hand side.
Lemma 4.11**.**
* implies and ∎*
Proposition 4.12** (HML normalisation).**
For every formula , there exists such that where is slim and . ∎
Example 4.5.
Assume and consider the non-slim HML formula . The synthesised monitor is not tight. However, we can apply the transformations based on the given equivalences to obtain an equivalent slim formula thus:
4.3. Partially-Complete Monitors
As opposed to the branching-time semantics of recHML, where only properties that are semantically equivalent to and have sound and complete monitors (Francalanza et al., 2017b), the linear-time semantics permits a far richer class of complete-monitorable properties, namely HML. By some measures, however, this monitorable fragment is still quite restrictive. For example, whereas the property “initialise occurs within the first ten actions” can be expressed in terms of HML, the property “initialise eventually occurs”—which can be expressed using least fixpoints—cannot. In fact, although the latter property cannot be monitored for in a complete manner, it can be monitored completely for satisfaction. In this section, we relax the notion of monitorability to partial-completeness, which only requires a monitor to be either violation- or satisfaction-complete.
Definition 4.10.
A formula is monitorable for satisfaction (resp., for violation) iff there exists a monitor that is a sound and satisfaction-complete (resp., and violation-complete) monitor for . It is partially-monitorable when it is monitorable for satisfaction or for violation.
We can extend these definitions to fragments of recHML in a similar way to that in Def. 4.2. Here, the trade-off between the guarantees we expect from monitors and the monitorable specifications is clear: for the linear-time interpretation, recursion can be traded for partial-completeness, while no such option exists for branching-time. We can extend the observations of Sec. 4.1 to the context of partial monitorability.
Proposition 4.13**.**
If is sound and satisfaction-complete (resp., violation-complete) for , then
- (1)
* implies is sound and satisfaction-complete (resp., violation-complete) for .* 2. (2)
If for all , implies , then is sound for . 3. (3)
* (resp., ) implies is satisfaction-complete (resp., violation-complete) for .* 4. (4)
* is sound and satisfaction-complete (resp., violation-complete) for implies . ∎*
Example 4.6.
Let and , which is satisfied by traces of the form (a+c)^{\omega}+\bigl{(}(a+b)^{*}c(a+b+c)^{\omega}\bigr{)}, i.e., traces where either does not appear, or does appear. We show that is not partially-monitorable. For if there was some that is sound and satisfaction-complete for , it should accept ; this means that must reach yes after analysing for some . In this case, the trace , which does not satisfy , must also be accepted by , resulting in a contradiction. If, on the other hand, there was some that is sound and violation-complete for , then it should reject . Again, must reach no after for some , but satisfies . Therefore, cannot be partially monitorable.
For partial monitorability, we can identify two fragments of recHML, namely minHML, which is monitorable for satisfaction, and maxHML, which is monitorable for violation.
Definition 4.11 (MAX and MIN Fragments of recHML).
The greatest-fixed-point and least-fixed point fragments of recHML are, respectively, defined as:
[TABLE]
Both maxHML and minHML are extensions of HML. We can extend the monitor synthesis from Def. 4.4 to these fragments by using the recursion that is available for monitors.
Definition 4.12 (Monitor Synthesis).
The monitor synthesis for maxHML and minHML results by simply extending the definition of from Def. 4.4 with the cases for the respective fixed-point of each fragment: and .
We observe that the extended monitor synthesis function still produces reactive monitors. We also show the first important result of this subsection, namely that Def. 4.12 yields the required witness monitors to prove that the syntactic fragment is partially-monitorable.
Proposition 4.14**.**
For every , is reactive. ∎
Proposition 4.15**.**
For every , is a sound and violation-complete monitor for . For every , is a sound and satisfaction-complete monitor for .
Proof.
This requires us to prove soundness and violation/satisfaction-completeness for every and resp., as stated in Def. 4.1. See Sec. B.4. ∎
As in the case of Sec. 4.1, we now turn our attention to the maximality of the syntactic fragment for partial-monitorability. Particularly, we can define two formula synthesis functions that produce partially monitorable formulae from monitors: one maps monitors to formulae in maxHML, and the other one to formulae in minHML. Depending on the fragment, we then show that if is mapped to , then is sound and violation-complete, or satisfaction-complete resp., for . Here we only present the synthesis function for maxHML; the case for minHML is dual.
Definition 4.13 (maxHML Formula Synthesis).
[TABLE]
Example 4.7.
Let . Then, (which is equivalent to just ). The monitor rejects traces of the form which are exactly all the traces violating . Thus is sound and violation-complete for .
Note that , for any . However, when we apply the formula synthesis function from Def. 4.13 to a consistent monitor to generate a formula , and then apply the monitor synthesis from Def. 4.12 to , we will generate a monitor that has similar parts to , but it will be somewhat different due to the asymmetry of the resp., syntheses. For example, for , , and . The following lemma allows us to abstract from these discrepancies, thereby enabling the proof of Prop. 4.17.
Lemma 4.16**.**
* rejects the same traces as . ∎*
Proposition 4.17**.**
If is consistent, then is a sound and violation-complete monitor for .
Proof.
From Lem. 4.16, rejects the same traces as , and therefore, by Props. 4.13 and 4.15, is violation-complete for . Since rejects the same traces as , if rejects a trace , then . Since is consistent, if accepts a trace , then it does not reject , and because rejects the same traces as , does not reject either. Since is also violation-complete by Prop. 4.15, this yields that . Therefore, is also sound for . ∎
The following proposition tells us that, up to logical equivalence, maxHML is the largest fragment of recHML that is monitorable for violation. Dually, minHML is the largest fragment of recHML that is monitorable for satisfaction.
Proposition 4.18**.**
If a formula has a sound and violation-complete monitor over infinite traces, then it is equivalent to a formula over infinite traces.
Proof.
Let be a sound and violation-complete monitor for and let be the witness formula. Since is sound for , it must be consistent, and by Prop. 4.17, is a sound and violation-complete monitor for . Therefore, by Prop. 4.13, . ∎
Remark*.*
Thm. 4.8 demonstrates that HML can express any property of infinite traces that has a complete monitor in any monitoring system, assuming that verdicts remain irrevocable. Unfortunately, this result cannot be replicated for partial completeness. For instance, let be a non-regular language, where is some distinguished action, and . If could be expressed in minHML, then there would be a sound and satisfaction-complete monitor for , and by a straightforward use of Prop. 3.6, we could construct a finite automaton that recognizes , which contradicts the assumption that is non-regular. Yet, we could imagine appropriate choices for and monitoring systems in which is monitorable. For instance, suppose that monitors are described using pushdown automata and let contain exactly the finite words on that have the same number of occurrences of [math] and of .
4.4. Tightly-Complete Monitors for Recursion
To synthesise a tight monitor for a formula of maxHML (or minHML), one can synthesise a parallel monitor , then, using the methods of Subsection 3.3, turn into a verdict-equivalent deterministic regular monitor, and, finally, consecutively replace instances of and by no and instances of and by yes. The resulting monitor is tight.
Lemma 4.19**.**
Let be a deterministic regular monitor, where , , , and do not occur as submonitors. Then, is tight. ∎
We would like to be able to apply a convenient method to process the formula or the monitor, so that right after the monitor synthesis we could produce a tight monitor. However, as we will see, a more reasonable monitor synthesis function that produces tight monitors is unlikely, as one could use it to solve the satisfiability problem for maxHML— by checking whether a produced monitor for the formula immediately evaluates to no (or to yes, for its negation), — which is PSPACE-complete.
Proposition 4.20**.**
For , the satisfiability problem for maxHML is PSPACE-complete.
Proof.
Satisfiability for recHML (and therefore for maxHML as well) is known to be in PSPACE (Vardi, 1988). That satisfiability for maxHML is PSPACE-hard results from the observation that maxHML with at least two actions can encode the -variable, diamond-free fragment of , which is PSPACE-complete (Achilleos, 2016). The reduction can be found in Appendix B.2. ∎
Remark*.*
For singleton , recHML-satisfiability is a lot simpler, as there is only one trace, . Therefore, satisfiability for maxHML can be reduced to model-checking on . A more direct way to solve satisfiability is to reduce the given formula by using the following straightforward rewrite rules: , , , , and ; the cases for are symmetric. After applying these formula simplifications, we will either reach one of , in which case the answer to satisfiability is obvious, or we will reach a formula without these constants. In the latter case, we can easily see that can never reach a verdict, and therefore it will never reject a trace, which, from Prop. 4.15, implies that .
5. Branching-Time Monitorability
Monitorability over branching-time semantics has been examined in Aceto et al. (2017a, 2018a) and Francalanza et al. (2017b) for various frameworks. In this section we compare the results of Francalanza et al. (2017b), the closest to our setting, with those of Sec. 4. We begin by revisiting the basic definitions and results for branching-time monitorability. Then, in Sec. 5.1 and Sec. 5.2, we extend the study of monitorability to a domain that allows both finite and infinite traces, and conclude, in Sec. 5.3, by comparing the monitorable fragments in this domain to those in the branching-time setting. All omitted proofs are in Appendix C.
Definition 5.1 (Branching-time Monitor Soundness and Completeness).
- •
A monitor is sound for a (closed) formula over processes if, for all of every LTS, i.e., a triple :
- –
implies ;
- –
implies .
- •
A monitor is violation-complete for a formula over processes if for all of every LTS, implies . It is satisfaction-complete if implies .
Remark*.*
The LTS is often omitted when it is clear from the context. As before, a monitor is complete for if it is violation- and satisfaction-complete for it. A rejection monitor is a monitor without the verdict yes; an acceptance monitor is one without the verdict no.
In the branching-time setting, monitors with both yes and no verdicts are unsound for any formula, as whenever one trace leads to an acceptance and another to a rejection, one can easily construct a process that can emit both traces. As a single-verdict (uni-verdict (Francalanza et al., 2017b)) monitor can only be either satisfaction- or violation-complete for a formula (except monitors for and which can be both), one cannot hope for complete monitors for recHML, and therefore the best one can do is to identify its fragments for which partially complete monitors exist. These are sHML and cHML, defined by the following grammars:
Definition 5.2 (Safety and Cosafety Fragments for Branching-time recHML).
[TABLE]
Theorem 5.1** (Branching-time Monitorability (Francalanza et al., 2017b)).**
For every , there is a regular rejection monitor that is sound and violation-complete for . For every , there is a regular acceptance monitor that is sound and satisfaction-complete for . ∎
Theorem 5.2** (Maximality of sHML and cHML (Francalanza et al., 2017b)).**
For every regular rejection monitor , there is a formula , such that is sound and violation-complete for . For every regular acceptance monitor , there is a formula , such that is sound and satisfaction-complete for . ∎
One can identify two key differences between the linear-time and the branching-time semantics introduced in Sec. 2. The first and most characteristic difference is that for branching-time semantics, where formulae are interpreted over processes, a process is allowed to emit more than one trace. In other words, a process may exhibit different behaviour each time it runs, and therefore, a trace does not give the whole picture of its possible executions. By contrast, for linear-time semantics, if one observes an action or a finite trace, then there is no possibility that another one could have been exhibited instead. This allows for constructs such as parallel monitors to monitor for conjunctions and disjunctions at the same time: simply decompose the formula as the monitor synthesis function directs in Defs. 4.4 and 4.12, and let each monitor component examine the trace until a conclusion is reached. For branching-time semantics, this method does not help to monitor a conjunction for satisfaction or a disjunction for rejection, as Francalanza et al. (2017b) demonstrates.
Example 5.1.
Consider . In contrast to the linear-time setting, is not monitorable for violation under a branching-time interpretation. For assume, towards a contradiction, that there is a rejection monitor for . Assume an LTS with a process that has two transitions, and . Then, and can produce three possible traces: . If a monitor rejected one of these, say , then it would reject , but also process that has exactly one transition, . But we observe that , meaning that the monitor would not be sound for . The formula is however monitorable in a linear-time setting (Defs. 4.3 and 4.11).
The second difference is that, in the linear-time semantics, formulae are only interpreted over infinite traces while, in branching-time semantics, a trace is allowed to end. Unlike the first difference, this one is not inherent to the linear- versus branching-time distinction, but it is one we have lifted from standard LTL-style semantics (Vardi, 1988; Bradfield and Stirling, 2001). Therefore, as a first step to reconcile the two semantics, we focus on this less essential difference for our logic.
5.1. The Finfinite Domain
We introduce an alternative linear-time semantics for our logic, where formulae are interpreted over traces that are allowed to be either finite or infinite. For convenience, we call these kinds of traces finfinite and the resulting semantics finfinite linear-time semantics, or just finfinite semantics. (A semantics akin to ours for a linear-time temporal logic may be found in, for instance, Schneider (1997). Falcone et al. (2012b) define linear-time properties over finite and infinite traces, but do not consider a specific logic.) The finfinite semantics, , is presented in Fig. 5. The set of finfinite traces is and we use (resp., ) to range over (resp., sets of) finfinite traces.
Remark*.*
For recHML, and can be seen as the strong and weak next operators, and from LTL (Clarke et al., 1999). In this same setting, may be seen as shorthand for . However the encoding does not work for the finfinite interpretation of Fig. 5.
The two linear-time semantics for recHML still correspond in some sense; see Lem. 5.3. In particular, formula equivalence over finfinite traces implies equivalence over infinite traces.
Lemma 5.3**.**
For all , . ∎
We consider the same monitoring systems of regular and parallel monitors that were introduced in Sec. 3. However, what it means for to monitor for depends on the semantics that we use for the formulae: the definition used in Sec. 4 is therefore not sufficient for the finfinite domain.
Definition 5.3 (Finfinite Linear-time Monitor Soundness and Completeness).
- •
A monitor is sound for a (closed) formula over finfinite traces if, for all :
- –
implies ;
- –
implies .
- •
A monitor is violation-complete for a formula over finfinite traces if for all , implies . It is satisfaction-complete if implies . It is complete for a formula over finfinite traces if it is both violation- and satisfaction complete for it.
Monitorability of formulae and logics can be adjusted to finfinite traces analogously.
5.2. Monitorability over Finfinite Traces
We now identify the complete- and partial-monitorable fragments of recHML over finfinite traces. Our first observation is that under finfinite semantics, there are no complete-monitorable formulae, except the ones equivalent to or .
Lemma 5.4**.**
If is sound and complete for over finfinite traces, then or . ∎
Remark*.*
Lem. 5.4 holds regardless of the considered logic: due to verdict-persistence (Lem. 3.1), a logical fragment that is complete-monitorable over finfinite traces must be trivial for any logic interpreted over finfinite traces.
The concept of tightness, as defined in Def. 4.8, does not apply for the finfinite interpretation since there is no guarantee that a finfinite trace will have a continuation. A definition of tightness might stipulate that a rejection-monitor is tight for a formula when it is guaranteed to reject any finite trace as long as the trace and all of its (finfinite) continuations violate the formula (i.e., bad prefixes). However, this notion of tightness is implied by partial completeness.
Example 5.2.
In contrast to the infinite trace semantics, is not monitorable for violation under finfinite semantics. For assume towards a contradiction that is a monitor that is sound and violation-complete for . Then, must reject the empty trace, , and thus all of its extensions, including , making unsound. Similarly, is not monitorable for satisfaction.
Our next goal is to characterize the expressive power of monitors in finfinite semantics. To this end, we identify the following fragments of recHML. Only one type of modality is kept in each of these fragments. This is because, as observed in 5.2, the two modalities are not mutually expressive and even simple formulae using them are not monitorable for violation or satisfaction.
Definition 5.4.
[TABLE]
The next lemma formalises the property that formulae in unHML denote prefix-closed sets of (finfinite) traces whereas formulae in exHML denote suffix-closed sets of traces.
Lemma 5.5**.**
For all and , if and , then ; if and , then . ∎
Interestingly, for unHML and exHML over finfinite traces, we can use the same monitor synthesis function that we used to generate monitors for maxHML and minHML over infinite traces.
Proposition 5.6**.**
For every , is sound and violation-complete for over finfinite traces. For every , is sound and satisfaction-complete for over finfinite traces. ∎
To facilitate our comparisons between the finfinite and the branching-time interpretations of recHML, we define the notion of trace-processes.
Definition 5.5.
Process is a trace-process when and implies , and is a trace-process. A (trace) process represents a finfinite when iff is a prefix of .
For a trace , we can assume the existence of a trace-process that represents : one can construct such a trace-process whereby its states are all the prefixes of and its transitions are those of the form , where and are prefixes of .
Remark*.*
We note that, unlike for monitors, we have not assumed any specific syntax for processes, which can come from an arbitrary LTS. This makes it possible to represent every finfinite trace, even one without a finite representation, by a process.
Example 5.3.
A process representing is the three-state process , with just the transitions and . A process representing is that has exactly one transition, .
Lem. 5.7 shows that, for recHML, (finfinite) traces and trace-processes are different descriptions of the same model.
Lemma 5.7**.**
If represents , then iff . ∎
Coincidentally, all formulae that are monitorable for violation or satisfaction over a finfinite semantics are equivalent to sHML or cHML formulae resp., from Def. 5.2. Since unHML and exHML syntactically subsume sHML and cHML resp., they are maximally monitorable fragments of recHML when interpreted over finfinite traces.
Proposition 5.8**.**
If has a sound and violation-complete (resp., satisfaction-complete) reactive parallel monitor over finfinite traces, then there is some (resp., ) that is equivalent to over finfinite traces.
Proof.
Let be a sound and violation-complete reactive parallel monitor for over finfinite traces. By Prop. 3.8, there is a regular monitor that is verdict-equivalent to , so it is also sound and violation-complete for over finfinite traces. We can then obtain a single-verdict monitor from that is rejection equivalent to it by swapping any yes with end. is thus still sound and violation-complete for over finfinite traces. From Thm. 5.2 there is a formula , such that is sound and violation-complete for over all LTSs, including the LTS of trace-processes. Since is sound and violation-complete for on trace processes, is equivalent to claiming that does not reject any trace that can produce. However, this is equivalent to saying that does not reject which, by violation-completeness, is equivalent to . By Lem. 5.7, iff , and the proof is complete. The case for a satisfaction-complete monitor is similar. ∎
5.3. Monitorable Formulae Across Semantics
So far, we have identified a different pair of partial-monitorable syntactic fragments for each of the three semantics that we have presented in this paper. However, as the reader may suspect from Prop. 5.8, we may be able to further restrict the syntax that we allow for our formulae, and still be able to express all monitorable formulae, and therefore, an identified maximally monitorable fragment of recHML may be equally expressive as a syntactic fragment of its own.
Here we show that for each of the semantics that we have presented, i.e., over infinite traces, finfinite traces, and processes, sHML and cHML are equally expressive as the corresponding identified partially monitorable fragment. That is to say, sHML is as expressive as unHML over finfinite traces and as expressive as maxHML over infinite traces — and dually, cHML is as expressive as exHML over finfinite traces and as expressive as minHML over infinite traces.
Proposition 5.9**.**
If (resp., ), then there is some (resp., ) that is equivalent to over finfinite traces. ∎
Proposition 5.10**.**
If (resp., ), then there is some (resp., ) that is equivalent to over infinite traces. ∎
The proofs of both of these propositions proceed by considering a sound and partially complete monitor for a formula in unHML, maxHML or their duals, and using the formula synthesis to find an sHML formula that is equivalent to the original formula on finfinite and infinite traces respectively. The full proofs can be found in Appendix C.
The import of Props. 5.9 and 5.10 is that, in settings where Act is finite, logical fragment can be used to syntactically characterise the class of monitorable properties (for sound and partial-completeness) for all three interpretations (i.e., traces, finfinite traces and processes). In spite of this felicitous (and somewhat surprising) result, one should nevertheless stress that their interpretation is still semantically different. In fact, the synthesised monitors presented here in Defs. 4.4 and 4.12 yield behaviourally different monitors to those obtained by the synthesis in Francalanza et al. (2017b). Moreover, they can not be used interchangeably: Defs. 4.4 and 4.12 produce multi-verdict monitors, even when applied to the syntactic fragment , which makes them immediately unsound for a branching-time interpretation. In Prop. 5.11, we can however show that the monitors synthesised by the procedure of Francalanza et al. (2017b) for the sHML fragment qualify also as correct monitors for the finfinite interpretation of the logic. This means that the tools developed in Attard et al. (2017) and Attard and Francalanza (2016), which are based on the branching-time synthesis of Francalanza et al. (2017b), can be used out of the box to monitor for finfinite properties.
Proposition 5.11**.**
For a process and a formula , the following are equivalent: and If produces a finfinite trace , then . ∎
6. Conclusion
We have presented a systematic study of the monitorability of recHML, a highly expressive specification logic: we have developed results relating to its linear-time interpretation and established correspondences with previous monitorability results for the branching-time interpretation of the logic. This allows us to use existing RV tools (developed for branching-time) to monitor linear-time recHML properties. To our knowledge, this is the first study of monitorability that spans across the linear-time/branching-time spectrum. Moreover, although monitorability has been studied extensively for linear-time specifications, we are unaware of any maximality results such as those presented in Props. 4.7, 4.8, 4.18, 5.8, 5.9 and 5.10.
Concretely, in Sec. 3, we introduce parallel monitors and we gave a way to construct a deterministic regular monitor (introduced in Aceto et al. (2017b) and Francalanza et al. (2017b)) from a parallel one, establishing that the two monitoring frameworks are equivalent with respect to the properties they can monitor. In Sec. 4, we give a natural monitor synthesis from three fragments of recHML to parallel monitors, and establish that the resulting monitors satisfy the requirement of soundness and a version of the requirement for completeness. For complete monitors, we identify the requirement of tightness and show how one can satisfy it. In Sec. 5, we see how these findings apply in the intermediate finfinite setting, and we establish that sHML has the same expressive power as the respective maximal monitorable fragments of recHML in the finfinite and infinite-trace settings.
Multiple Ways to Monitor
These results show that there is more than one way to monitor for a property that is monitorable for violation. If is already in sHML, or if we want to make the effort to write the property as an sHML formula, we can use the monitor synthesis in Francalanza et al. (2017b) to synthesise a single-verdict, sound and violation-complete regular monitor for that will work in all (infinite-trace, finfinite, and branching-time) semantics. Alternatively, if we are interested in the linear-time domain (for either infinite or finfinite traces), we can synthesise a parallel monitor with the synthesis function from Def. 4.12, hoping that the possibly dual-verdict monitor may occasionally report the satisfaction of the formula, providing us with more information. In the latter case, we may choose to deploy the parallel monitor as is, or use the construction from Prop. 3.8 to obtain a verdict-equivalent regular monitor. An advantage of using the parallel monitor is that it can be significantly more concise than a regular monitor, at least at the early stages of the computation. An advantage of using a regular monitor is that it is guaranteed to be finite state (Prop. 3.2). Furthermore, regular monitors can be determinized and then minimized (see Prop. 3.11 and Aceto et al. (2016)), making their implementation more straightforward. Therefore, one can think of maxHML as a high-level specification language for properties that are monitorable for violation in the linear-time setting. From maxHML, we can generate parallel monitors that can then be compiled into (deterministic, minimized) regular monitors that can be implemented and deployed to monitor the system. On the other hand, sHML can be thought of as a lower-level language that is closer to regular monitors and can allow for better fine-tuning of the monitor’s behaviour, and avoids the cost of constructing a regular monitor.
Future Work
We are interested in a detailed taxonomy and comparison of different notions of monitorability, and this work is a first step in that direction. Additionally, in Aceto et al. (2018a), the authors examine how the set of monitorable properties can be extended by encoding additional information into the trace that describes a system execution. Noticeably, their framework allows for the interaction of multiple verification methods, and this is an approach we would like to explore for our own framework.
Related Work on Runtime Verification
RV has been applied in the computer-aided verification of complex programs and models written in a variety of high-level languages. For example, RV has been used in the verification of properties written in an extension of PSL and SVA over SystemC models in Tabakov et al. (2012) (but see Pnueli and Zaks (2006) and references in Tabakov et al. (2012) for earlier work on monitor synthesis for PSL). Like we do in this paper, Tabakov et al. argue for the algorithmic generation of “correct” monitors from properties. However, their focus is on an experimental study of monitor-generation procedures that offer the best performance in terms of runtime overhead at simulation time. In order to do so, they employ the CHIMP tool (Dutta et al., 2014) to generate monitors (represented as DFAs) from LTL properties using a number of workflows that take into account various options regarding state minimization, alphabet representation, alphabet minimization and the representation of the transition function of the monitor.
Diagnosability
It is worth mentioning here work on diagnosability, e.g., Sampath et al. (1995); Bertrand et al. (2014). Diagnosability is a similar notion to the one of monitorability. What is different is that, for diagnosability one knows a model of the system, and then, by observing the visible events of a system run, infers whether an unobservable fault event has occurred during this run. A further goal is to diagnose the kind of fault event that has occurred. Typically, the detection and diagnosis of fault events is performed by a diagnoser, which is synthesised from the model of the system. Although RV and diagnosability appear, at first glance, to work in different ways, one can view diagnosability as the runtime monitoring of a set of trace-properties (the occurrence of different types of fault events), using information about the system’s branching structure, in a framework that considers unobservable events — as in Francalanza et al. (2017b); Aceto et al. (2017a). We feel that there is significant potential in addressing the two areas in a more unified manner. This is an interesting avenue for future research.
Related Work on Specification logics
recHML is a multi-modal variant of the -calculus that is interpreted over edge-labelled LTSs rather than node-labelled ones. The distinction is mainly a question of presentation; how to go between the two types of models is discussed by De Nicola and Vaandrager (1990). The -calculus itself is a logic which subsumes CTL, CTL*, LTL, as well as more exotic variations thereof. Its links to automata theory are well established (Wilke, 2001) and can be used in the implementation of verification tools. This makes the -calculus well suited for foundational research on verification, even though logics with more intuitive syntax may appeal to practitioners. recHML over traces is similar to the linear-time -calculus. The main difference is that in the linear-time -calculus, which is usually interpreted over infinite traces, it is common to have only one successor-modality: the difference between and only manifests itself over finite traces. Here we have chosen to keep the two modalities, to enable the syntactic comparison between branching-time and linear-time monitorability. From an implementation point of view, recHML formulae, like those in the linear time -calculus, can be represented by weak automata (Lange, 2005), which benefit from lower-complexity decision procedures than the more general parity automata, which are necessary to capture the expressiveness of the -calculus in a branching-time setting. Note, however, that, as shown in Markey and Schnoebelen (2006), the -calculus model-checking problem over paths of the form is, surprisingly, as hard as the general model-checking problem for that logic.
In the context of RV, many-valued logics (Barringer et al., 2004; d’Angelo et al., 2005; Drusinsky, 2003; Bauer et al., 2010) have also emerged as a way to reconcile the infinitary semantics of, for example, LTL specifications with the finite observations of a monitor. Our concept of monitor can itself also be understood as a logic with three-valued semantics, consisting of accepted traces, rejected traces and traces on which the monitor remains indecisive. Conversely, these many-valued logics can also be seen as describing monitor behaviour, albeit without an operational semantics as in our case. Our parallel monitors are reminiscent of alternating automata. The use of alternating automata for RV is not new: Finkbeiner and Sipma (2004) propose this for the verification of their finite-trace semantics for LTL. The main difference in their approach is that their semantics is not suffix closed: for whether “infinitely often ” holds in a finite trace according to their semantics will depend on whether holds in the last position. In contrast, our verdicts are irrevocable, so a sound monitor for “infinitely often ” in our setting will never reach a verdict.
Related Work on Monitorability
The question of exactly which specifications can be verified at runtime is very natural in the RV context. It is perhaps surprising that there is no consensus on what exactly it means for a specification to be monitorable.
The class of the arithmetic hierarchy — the class of co-recursively enumerable safety properties — was proposed as the set of monitorable properties by Viswanathan and Kim (2004). It seems that our notion of partial monitorability matches well with this classical definition. In this sense, partial monitorability could be seen as an operational account of Viswanathan and Kim’s monitorability. On the other hand, Pnueli and Zaks (2006) and Bauer et al. (2011) propose a definition of monitorability that includes more properties: roughly, they call a property monitorable if every prefix has a finite continuation of which either all infinite continuations are in the property, or none is. This means that a monitor, although it does not necessarily ever reach a verdict, can never give up hope of reaching a verdict. Our definitions of monitorability appear to be stronger. For example, specifications such as “never and eventually ” is monitorable according to Pnueli and Zaks (2006) and Bauer et al. (2011) but not according to our notions of monitorability and partial monitorability.
Diekert and Leucker have studied monitorability in a topological setting in Diekert and Leucker (2014), where they show that all -regular languages that are deterministic and co-deterministic are monitorable. Using their topological framework, they also establish that some deterministic liveness properties, such as “infinitely many a’s”, cannot be written as a countable union of monitorable languages. Diekert et al. (2015) discuss monitor constructions for deterministic -regular languages. They isolate a collection of deterministic -regular languages that properly includes all the languages that are deterministic and codeterministic, and for which one can construct accepting monitors. These classical definitions of monitorability are independent of how a monitor might be implemented. Conversely, implementations of LTL monitors (Giannakopoulou and Havelund, 2001; Havelund and Rosu, 2002) do not seem to refer to the concept of monitorability at all. In line with previous work (Francalanza et al., 2017b), our operational approach bridges this gap by defining what can be monitored explicitly in terms of how specifications are monitored.
Acknowledgements.
The authors thank Orna Kupferman and Moshe Vardi for clarifying remarks about guarded formulae and pointers to the literature. We thank the anonymous reviewers for their thorough reading of our paper and their insightful comments. This research was partially supported by the projects “TheoFoMon: Theoretical Foundations for Monitorability” (grant number: Grant #163406-051) and “Epistemic Logic for Distributed Runtime Monitoring” (grant number: Grant #184940-051) of the Icelandic Research Fund, by the BMBF project “Aramis II” (project number: Grant #01IS160253) and the EPSRC project “Solving parity games in theory and practice” (project number: Grant #EP/P020909/1).
Appendix
Appendix A Properties of Monitors
We first present the omitted proof from Sec. 3
A.1. Regular Monitor Properties
Def. A.1 attempts to characterise the set of reachable states for a monitor. Def. A.3 maps every monitor to a finite positive integer, which can be used to put an upperbound on the size of our state-space approximation of Def. A.1; see Lem. A.1.
Definition A.1 (Monitor State Space Characterisation).
[TABLE]
Definition A.2 (Skip Reachability).
Definition A.3 (Monitor Measure).
[TABLE]
Lemma A.1**.**
**
Proof.
By structural induction on . ∎
Lem. A.4 shows that the state-space approximation of Def. A.1 characterises precisely the actual state-space of a monitor. It however relies on a few technical lemmata.
Lemma A.2**.**
For all (possibly open) :
- (1)
m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow{\;\mu\;}m^{\prime}\* implies \ (\exists m^{\prime\prime}\cdot m\xrightarrow{\;\mu\;}m^{\prime\prime}\text{ and }m^{\prime\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m^{\prime}) or .* 2. (2)
m\xrightarrow{\;\mu\;}m^{\prime}\* implies \ (\exists m^{\prime\prime}\cdot m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow{\;\mu\;}m^{\prime\prime}\text{ and }m^{\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m^{\prime\prime})*
Proof.
Both clauses are proved by structural induction on . The main cases for the first clause are:
**Case = y:: **
Since y[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow{\;\mu\;}m^{\prime}, it must be the case that (hence a summand of ) and y[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=n from which we obtain as required.
**Case = :: **
We have m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=(m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}])+(m_{2}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]), meaning that the transition was inferred using eSel. Without loss of generality, assume that m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow{\;\mu\;}m^{\prime}. By the I.H. we obtain the following subcases:
- **•: **
Either (\exists m^{\prime\prime}\cdot m_{1}\xrightarrow{\;\mu\;}m^{\prime\prime}\text{ and }m^{\prime\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m^{\prime}). By eSel we deduce as required.
- **•: **
Or is a summand of and , which is precisely the required result since is then also a summand of .
**Case = :: **
By mRec, we have m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=\textsf{rec}\,y.(m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}])\xrightarrow{\;\tau\;}m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}][\raisebox{2.15277pt}{\small\textsf{rec},y.(m_{1}[\raisebox{1.93748pt}{\small}!/!\mbox{\small}])}\!/\!\mbox{\smally}]. Again, by mRec, the required transition is \textsf{rec}\,y.m_{1}\xrightarrow{\;\tau\;}m_{1}[\raisebox{2.15277pt}{\small\textsf{rec},y.m_{1}}\!/\!\mbox{\smally}], since we can infer the equality m_{1}[\raisebox{2.15277pt}{\small\textsf{rec},y.m_{1}}\!/\!\mbox{\smally}][\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}][\raisebox{2.15277pt}{\small\textsf{rec},y.(m_{1}[\raisebox{1.93748pt}{\small}!/!\mbox{\small}])}\!/\!\mbox{\smally}].
For the second clause, the main cases are:
**Case = y:: **
The implication holds trivially since variables do not transition.
**Case = :: **
By mSel, we have either or . Without loss of generality, pick . By the I.H. we have m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow{\;\mu\;}m^{\prime\prime} for some where m^{\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m^{\prime\prime}. Again, using mSel we deduce m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=(m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}])+(m_{2}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}])\xrightarrow{\;\mu\;}m^{\prime\prime} as required.
**Case = :: **
By mRec, we have \textsf{rec}\,y.m_{1}\xrightarrow{\;\tau\;}m_{1}[\raisebox{2.15277pt}{\small\textsf{rec},y.m_{1}}\!/\!\mbox{\smally}]. The required transition for m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=\textsf{rec}\,y.(m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]) is again obtained by the rule mRec in the form of \textsf{rec}\,y.(m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}])\xrightarrow{\;\tau\;}(m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}])[\raisebox{2.15277pt}{\small\textsf{rec},y.(m_{1}[\raisebox{1.93748pt}{\small}!/!\mbox{\small}])}\!/\!\mbox{\smally}], since (m_{1}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}])[\raisebox{2.15277pt}{\small\textsf{rec},y.(m_{1}[\raisebox{1.93748pt}{\small}!/!\mbox{\small}])}\!/\!\mbox{\smally}]=(m_{1}[\raisebox{2.15277pt}{\small\textsf{rec},y.m_{1}}\!/\!\mbox{\smally}])[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]. ∎
Lemma A.3**.**
For all (possibly open) :
- (1)
m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow[]{\;e\;}\mathrel{\mkern-14.0mu}\rightarrow m^{\prime}* implies that*
- •
Either \exists m^{\prime\prime}\cdot m\xrightarrow[]{\;e\;}\mathrel{\mkern-14.0mu}\rightarrow m^{\prime\prime}\text{ and }m^{\prime\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m^{\prime}
- •
Or and and where is a summand of and . 2. (2)
* implies \exists m^{\prime\prime}\cdot(m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow[]{\;e\;}\mathrel{\mkern-14.0mu}\rightarrow m^{\prime\prime}\text{ and }m^{\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m^{\prime\prime})*
Proof.
The proof for the second clause is by a straightforward induction on the structure of , where the inductive step relies Lem. A.2(2).
The proof for the first clause is also by induction on , but it is slightly more involved.
**Case :: **
Immediate, since m^{\prime}=m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}] and .
**Case :: **
We thus have
[TABLE]
By m[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow{\;\mu\;}m^{\prime\prime} and Lem. A.2(1) we have to consider either of two cases:
- **(1): **
Either there exists some such that and m^{\prime\prime\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m^{\prime\prime}. By m^{\prime\prime}=m^{\prime\prime\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]\xrightarrow[]{\;f\;}\mathrel{\mkern-14.0mu}\rightarrow m^{\prime} from Eq. 9 and the I.H. we have two possibilities:
- **(a): **
Either there exists some such that where m^{\prime\prime\prime\prime}[\raisebox{2.15277pt}{\smalln}\!/\!\mbox{\smallx}]=m^{\prime}. By prefixing this with gives us as required. 2. **(b): **
Or for some and where for some with a summand and . Again, by contacting with as gives us the result required. 2. **(2): **
Or is a summand of and . Using of Eq. 9, this would satisfy the second clause with and since . ∎
We prove the required property for closed monitors. Note that closed monitors are closed with respect to transitions.
Lemma A.4**.**
**
Proof.
By structural induction on :
**Case = :: **
It follows from Lem. 3.1.
**Case = x:: **
Immediate since .
**Case = \alpha.$$n:: **
By Def. 3.1 and mAct from Fig. 2, . By the I.H. we have , and thus (by Def. A.1). For the second property, we know that by Def. A.2, and that by Def. A.1. By the I.H. we then obtain as required.
**Case = :: **
For the first property, we deduce that by Def. 3.1 and mSel from Fig. 2. By Def. A.1, we akso know that . The rest of the proof uses the I.H. to obtain the required result, in analogous fashion to the previous case. For the second property we need to show that . By mSel from Fig. 2 we know that . By the I.H., we also know that for . The required result thus follows since, by Def. A.1 we have .
**Case = :: **
By Def. 3.1 and mRec from Fig. 2 we have \textsf{reach}(\textsf{rec}\,x.n)=\left\{\textsf{rec}\,x.n\right\}\cup\textsf{reach}(n[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}]). By the I.H. we also know that which means that (\textsf{reach}(n)[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}])=(\textsf{states}(n)[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}]) . From Lem. A.3 we deduce \textsf{reach}(n[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}])=\textsf{reach}(n)[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}] thus \left\{\textsf{rec}\,x.n\right\}\cup\textsf{reach}(n[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}])=\left\{\textsf{rec}\,x.n\right\}\cup\textsf{states}(n)[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}]=\textsf{states}(\textsf{rec}\,x.n) by Def. A.1, as required. For the second property, we know, by mRec and Def. A.2 that \textsf{skip\_reach}(\textsf{rec}\,x.n)=\textsf{reach}(n[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}]). By Def. A.1, we also know that \textsf{skip\_states}(\textsf{rec}\,x.n)=\textsf{states}(n)[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}]. Recall that by Lem. A.3 we already established that \textsf{reach}(n[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}])=\textsf{reach}(n)[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}]. Now by the I.H. we know that , from which we obtain \textsf{reach}(n)[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}]=\textsf{states}(n)[\raisebox{2.15277pt}{\small\textsf{rec},x.n}\!/\!\mbox{\smallx}], which is the result required. ∎
A.2. Reactive Parallel Monitors
Lemma A.5** (Monitor Combinators).**
- (1)
If and are reactive, then iff or . 2. (2)
* iff and .* 3. (3)
If and are reactive, then iff or . 4. (4)
* iff and .* 5. (5)
If or , then iff or .
Proof.
We first prove the “only if” directions for the five statements. If , then there is an explicit trace that agrees with on the external actions, such that . We prove by induction on that or .
The base case is , which is a contradiction, because it implies that . For the inductive step, let and . We distinguish the following cases:
**Case :: **
Then, , where and , and rule mPar was used, so the claim follows by the inductive hypothesis applied to .
**Case and , where or : **
(that is, rule mTauL or rule mTauR was used). Then, again, the claim follows by the inductive hypothesis.
**Otherwise:: **
The only possibilities are that and rule mVrC1 or mVrC2 were used, so respectively, or , so or ; or and either or . In all cases, we have that or .
The “only if” directions for the other cases are proven in a similar way.
We now prove the “if” directions of the statements of the lemma, and specifically we prove that if and is reactive, then ; the remaining cases are analogous. Assume that . Then, there is an explicit trace that agrees with on the external actions, such that — fix to be the shortest such explicit trace for and . We proceed by induction on the length of .
**Case :: **
Then and .
**Case :: **
Then, . By rule mTauL, , and by the inductive hypothesis, .
**Case :: **
Then, . Since is reactive, there is a reactive , such that , and by successive applications of rule mTauR and then rule mPar, and the inductive hypothesis, .
Statements (2), (3), and (4) are proven similarly. For (5), we observe that if , then there is an explicit trace that agrees with on the external actions, such that , and since , ; therefore, there is some such that . According to the monitor rules, for some , , and thus, . For the other direction, if, say, , then there is an explicit trace , such that ; since or , we see that , and the remaining argument is as above. ∎
Remark*.*
Lem. A.5 indirectly describes three different kinds of non-determinism for reactive parallel monitors. Operator can be thought of as an existential monitor choice, as will accept (resp., reject) iff either (resp., both) of its components accepts (resp., reject). Dually, can be thought of as a universal choice. The operator is a different choice that favours neither acceptance nor rejection, but generates either verdict, as long as one of its component monitors can reach it.
Remark*.*
3.2 indicates that the assumption that and are reactive are needed in statements (1) and (3) of the above lemma. However, as the following lemma demonstrates, that assumption is only necessary to prove one (the “if”) direction of statements (1) and (3) in Lem. A.5.
Lemma A.6**.**
- (1)
If , then or , where agrees with on the external actions and is strictly shorter than . 2. (2)
If , then and , where agree with on the external actions and are strictly shorter than . 3. (3)
If , then or , where agrees with on the external actions and is strictly shorter than . 4. (4)
If , then and , where agree with on the external actions and are strictly shorter than .
Proof.
We can use the same induction as for the “only if” direction of the proof of Lemma A.5, noticing that the explicit traces for the submonitors are shorter than . ∎
In the technical developments that follow, we will require the following version of statements (1) and (3) of Lems. A.5 and A.6.
Lemma A.7**.**
- (1)
If is minimal such that , then there are , such that and , and or . 2. (2)
If is minimal such that , then there are , such that and , and or .
Proof.
We prove the first part of the lemma, as the second one is similar. Since , there must be an external trace that agrees with on the external actions, so that . We can use a similar induction on as for the first direction of the proof for Lemma A.5. The base case is , which is immediate, because, by Lemma A.6, it implies that or . For the inductive step, let , , and . We distinguish the following cases:
**Case : **
(that is, rule mPar was used): Then, , where and , and the induction is complete by the inductive hypothesis.
**Case and , where or : **
(that is, one of the rules mTauL and mTauR was used): Then, again, the induction is complete by the inductive hypothesis.
**Case and rule mVrC1 was used:: **
Then, without loss of generality, and , in which case we have that and .
**Case and rule mVrC2 was used:: **
Then, without loss of generality, , which is a contradiction, because either or it is not minimal, which violates our assumptions. ∎
Remark*.*
We remark that although Lem. A.7 seems to be an immediate consequence of Lems. A.5 and A.6, this is not the case. Notice that Lem. A.7 asserts that both components are able to follow the finite trace , and this is the reason the minimality of is important. Otherwise, a counterexample would be , as cannot transition with a .
A.3. An Equivalence of Two Monitoring Systems
To prove Prop. 3.6, we assume a different set of rules for parallel and regular monitors. These rules are the ones that result by replacing mRec with the following rules:
[TABLE]
Here, we assume that for every monitor variable , there is a unique monitor of such that appears in . Therefore, the rules above are well-defined. By substituting rule mRec by mRecF and mRecB, we get an equivalent monitoring system, where reactive monitors remain reactive. This is partly shown in Aceto et al. (2016) for regular monitors and here we prove these claims in the context of parallel monitors. Thus, in the rest of this section we assume that the rules above are used.
We call System O the system of rules given in Table 2, while System N is the result of replacing rule mRec by the rules mRecF and mRecB. The reader is encouraged to read Aceto et al. (2016) for a discussion of the two systems.
For System N, we assume the fixed mappings and , such that and is the only monitor of the form that we allow. Derivations and are defined as before, but the resulting relations are called and , and and , respectively for systems O and N. We prove that systems O and N are equivalent. That is, for any monitor , finite trace , and verdict ,
[TABLE]
Lemma A.8**.**
For every , is simple.
Proof.
Immediate from the definition. ∎
Lemma A.9**.**
If is a free variable in , then is inside the scope of .
Proof.
An immediate observation. ∎
There is an ordering of monitor variables: iff is in the scope of . We note that if we only consider a finite number of variables (say, the ones that appear in a specific monitor), then is a well-order. This ordering allows us to define when a submonitor can substitute a variable for its corresponding recursive formula. We recursively define when is an unfolding of : ; or , where is an unfolding of and is -minimal among the variables that occur free in .
Lemma A.10**.**
If is an unfolding of , then
- (1)
* if and only if ;* 2. (2)
for every and , if , then there some , such that and is an unfolding of ; 3. (3)
for every and , if , then there some , such that and is an unfolding of ; 4. (4)
if , then there some , such that and is an unfolding of ; 5. (5)
if , then there some , such that and is an unfolding of .
Proof.
The proof is by induction on the number of substitutions required to construct from . The base case of is trivial. To complete the inductive step, it suffices to prove the lemma for the case of . This is done by induction on the structure of .
- •
If is a verdict or a variable , then and we are done.
- •
If , then . Since can transition exactly to with a , and if , then . Similarly, if , then either , so we can have , or , in which case ; if , then .
- •
If , then and . The only possible transitions for and are then and , respectively. Therefore, iff and iff ; iff and iff .
- •
If , then , as and is bound in ; therefore, this case is complete.
- •
If for , then and . The only possible strong transitions for and are then and , respectively. Then, and . If , then either and we are done, or , so ; the case for is symmetric.
- •
If , then , where for . Then, if , then or , so or , implying and we are done by the inductive hypothesis; the remaining cases are similar.
- •
If , then , where , for . The remaining argument is similar to the above.
- •
If , then , where , for . The remaining argument is similar to the above. ∎
As Lemma A.10 demonstrates, the unfolding relation is a kind of bisimulation for System N — although we do not define such a notion here. It is not hard to see that this relation is reflexive and transitive.
Corollary A.11**.**
If is an unfolding of , then for every finite trace ,
- (1)
if , then , where is an unfolding of . 2. (2)
Furthermore, if , then , where is an unfolding of .
Proof.
By straightforward induction on . ∎
Lemma A.12**.**
For every closed monitor ,
- (1)
* if and only if ;* 2. (2)
if , then , where is an unfolding of ; 3. (3)
if , then , where is an unfolding of .
Proof.
Immediate from the rules. ∎
Corollary A.13**.**
For every , where is closed and an unfolding of ,
- (1)
if , then , where is an unfolding of ; 2. (2)
if , then where is an unfolding of ; 3. (3)
if , then , where is an unfolding of ; 4. (4)
if , then , where is an unfolding of .
Proof.
A consequence of Lemmata A.10 and A.12. ∎
Lemma A.14**.**
For every closed monitor , if and only if .
Proof.
Specifically, we prove that the more general claim that if is an unfolding of , then if and only if . We prove each direction separately. If , then there is an explicit trace that agrees with on the external actions, such that . Using induction on , the first part of Lemma A.10, and Corollary A.13, it is not hard to prove that . The other direction is similar. ∎
Corollary A.15**.**
If is reactive for System O, then it is also reactive for System N.
Proof.
From Corollary A.13 and straightforward induction on the number of transitions to reach a monitor in . ∎
A.4. Monitor Transformations
To prove Proposition 3.6, we use the following lemmata.
Lemma A.16**.**
- •
If and , then either , or and .
- •
If and , then either , or and .
Proof.
We prove the first case, as the second one is similar. If , then we can assume that . We prove the claim by induction on . The case for is immediate from rule mPar. If , then one of the following rules was used:
**mTauL or mTauR: **
In this case, we are done by the inductive hypothesis.
**mVrE: **
In this case, .
**mVrC1: **
In this case, without loss of generality, and .
**mVrC2: **
In this case, without loss of generality, and therefore, . ∎
Definition A.4.
We can define that is an immediate submonitor of recursively: is a immediate submonitor of , and the immediate submonitors of are also immediate submonitors of , , , and .
Lemma A.17**.**
Let be an immediate submonitor of a reactive monitor . Then, for every for which , is reactive.
Proof.
The proof is by induction on and the base case is , which is trivial. If is an immediate submonitor of , then , so by the inductive hypothesis, is reactive and , so is also reactive. The case is similar for : by the inductive hypothesis, is reactive and , so is also reactive. If or , and is an immediate submonitor of , then, implies that and we are done by the inductive hypothesis. ∎
- Proposition 3.6
*For every reactive parallel monitor , there is an alternating automaton that accepts and one that accepts . *
Proof.
For completeness of exposition, we describe here, as well, the process of constructing an alternating automaton that accepts — the case for is similar. The automaton for is , where
- •
is the set of submonitors of ;
- •
;
- •
Let for every , iff ; is the closure of under the following conditions. For every :
- –
if , then ;
- –
if or , then ;
- –
if or , and and , then ;
- –
if and , then ;
- –
if , then .
We consider the parallel extension of a set of monitors in , which is the smallest set such that , and if , then , and if , then . We prove the following claims:
Claim 1:
If , then . By induction on the closure conditions for . The base case is that , which implies that . The remaining cases are straightforward.
Claim 2:
If , then . We observe that is monotone with respect to (i.e., if and , then ). The claim follows by a straightforward induction on .
Claim 3:
If and is reactive, then . The proof is by induction on . If , then , which implies that . If , then . Since is reactive, there is some such that . Therefore, by Lemma A.16, either , or there is some , such that . Therefore, , and we are done by the inductive hypothesis.
Claim 4:
If every accepts , then every reactive accepts . The proof is by induction on the construction of from monitors in . If , then by our assumptions, accepts . If where , then by the inductive hypothesis, ; using the rules for parallel monitors and induction on , we can complete the proof. If where , then by the inductive hypothesis, . Then, the proof is complete by Claim 3.
Using the above claims, we now prove that accepts if and only if . We prove each implication separately for the submonitors of .
We first prove that if accepts , then .
By Claim 2, we can assume that is minimal such that . If accepts , then there is an explicit trace that agrees with on the external actions, such that . Thus, we prove that for every explicit trace , if is a finite trace that agrees with on the external actions, , and is minimal such that , then . We prove this claim by induction on :
**Case :: **
Then accepts , so by the definition of , .
**Case and :: **
Let . Since , by Lemma A.6, there are explicit traces that agree with (and with ) on the external actions and are strictly shorter than , such that and . By the inductive hypothesis, . Let ; by the definition of , , and thus, by the closure properties of , we have that .
**Case and , : **
let . Since , by Lemma A.6, (without loss of generality) there is an explicit trace that agrees with (and with ) on the external actions and is strictly shorter than , such that . Therefore, , and by the minimality of and Lemma A.7, . By the inductive hypothesis, . Let ; by the definition of , we have that . Thus, by the closure properties of , we can conclude that .
**Case and :: **
Then for some that agrees with on the external actions. By the inductive hypothesis, . We prove by induction on the derivation of that :
**Case was derived by rule mRecF or mRecB:: **
Then either and , or and . Let . Since , by the definition of , we have that and therefore, by the closure conditions of , we can conclude that
**Case was derived by mTauL, mVrE, mVrC1, mVrC2, mVrD1, or mVrD2:: **
Then we are in the case of , which was handled above.
**Case was derived by rule mSelL or mSelR:: **
Then and or . By the inductive hypothesis (for the derivation of ), or , and similarly to the previous cases, from the closure conditions of , .
**Final case and ,: **
where agrees with on the external actions: Then for some . By the inductive hypothesis, . By the definition of , we have that , where . We observe that . We now prove, by induction on the derivation of from the rules of Figs. 2 and 3, that , or, equivalently, that .
**The base case is that is produced by rule mAct or mVerd:: **
Then, or . If , then , and by the definition of , we have that . If , then, since , by the first closure condition, we infer that .
**Case is produced by rule mSeL or mSeR:: **
Then the argument is similar to the analogous case for above.
**Case is produced by rule mPar:: **
Then , which has been handled above.
For the other direction,
we prove that for every immediate submonitor of a reactive submonitor , if , then accepts . Since is reactive, this is enough to complete the proof. We prove that accepts , by induction on .
**Case :: **
Then , and thus, accepts .
**Case :: **
Then , where . Therefore, either , or can be derived from the closure conditions for ; therefore, we can use induction on this derivation of . We observe that, from the inductive hypothesis, for every , accepts . By Claim 4, for every reactive , accepts .
**The base case is :: **
In this case , and thus, accepts and all its extensions, including .
**Case , where :: **
Then and accepts ; by Lemma A.17, is reactive, therefore, by the inductive hypothesis, accepts , and so accepts .
**Case , where or ,: **
then are also immediate submonitors of , so by the inductive hypothesis, or , and by Lemma A.5, .
**Case or and :: **
Then in either case, since , by Lemma A.17, is reactive, and therefore by the inductive hypothesis, , but , and the proof is thus complete.
**Case , where or , and and :: **
Then by Claim 1 and rule mPar, there is some , where or — therefore, also . By Lemma A.17, is reactive. Hence, from the observation above about and , accepts , and thus accepts .
**The case for : **
is similar. ∎
Appendix B Linear-Time Monitorability
We now present the omitted proofs of Sec. 4.
B.1. Complete Monitoring
- Proposition 4.1
If is sound and complete for then
- (1)
* implies is sound and complete for .* 2. (2)
* is a sound and complete monitor for implies *
Proof.
For the first clause, we need to prove soundness and completeness for .
For soundness, Def. 4.1, assume , i.e., and is a prefix of . By Def. 3.3 and Lem. 3.3, it follows that . By we know that which, in turn, implies that . Since is sound (and complete) for , it must be the case that , which is the result we want. The case for is analogous.
The argument for completeness, Def. 4.1, is similar. Pick a trace . Since is complete for , we prove that . Using the fact that , Def. 3.3 and Lem. 3.3, we can then deduce that which is the required result. The case for is analogous.
For the second clause, pick a without loss of generality. By completeness, Def. 4.1, , and by soundness, Def. 4.1, . ∎
We now present the proof demonstrating the complete-monitorability of the syntactic fragment HML from Def. 4.3. To prove Prop. 4.3, we first show that all the synthesised monitors are reactive, as defined in Def. 3.4.
- Lemma 4.2.
For all , is reactive.
Proof.
The proof proceeds by structural induction on . The cases for ,, and are immediate. For the case of , we know from Def. 4.4 that . By the inductive hypothesis we know that both and are reactive and, by mPar of Fig. 3, it follows that is reactive as well. The case for is analogous. ∎
- Proposition 4.3
For all , is a sound and complete monitor for .
Proof.
For soundness, Def. 4.1, we need to show that implies and implies . We proceed by structural induction on , and the main cases are:
**Case and :: **
By Def. 4.4 we know that . If , by Def. 3.3, there exist such that is a prefix of and . Using Def. 3.3 and Lem. 3.3 we know that for some . By Lem. A.5, this implies that either or , which means that either or . By the I.H., we deduce that either or which is enough to conclude that . If , then by Def. 3.3, Lems. 3.3 and A.5 and the I.H. we obtain and , and therefore we conclude . The case for is analogous.
**Case and :: **
In the case of , by Def. 4.4 we know that . If then there exist such that is a prefix of and . From Defs. 3.3 and 3.3 we know that and, from the structure of the monitor and Lem. A.5, it must be the case that . This means that where and , which in turn implies that and . By the I.H., implies that which suffices to conclude that . If , then by Def. 3.3, Lems. 3.3 and A.5 we know that either or for some is a prefix of . In the latter case, we deduce that for some where , which trivially implies that . In the former case, we know that for some where and which, by the I.H., implies that and hence . The case for is similar.
For completeness, Def. 4.1, we need to show that violation-completeness, i.e., implies and satisfaction-completeness, i.e., implies . Again, we proceed by structural induction on , and the main cases are:
**Case and :: **
If , then or . Without loss of generality, assume the former, i.e., . By the I.H., we have which, by Defs. 3.3 and 3.3 means that there exists a prefix of such that . Since, , by Lem. A.5, we conclude that . The proof for follows a similar structure, using the fact that both or . The case for is analogous.
**Case and :: **
If then, by Fig. 1, it must be the case that for some and . By the I.H., we know that , from which one can then conclude that where , via Lems. 3.3 and A.5. If then, by Fig. 1, it must be one of two cases. Either where , which implies that , since . Else where and . By I.H., we deduce that , and by Lems. 3.3 and A.5 we are able to construct an acceptance computation for , hence . The case for is similar. ∎
We now procede to give the proof for the maximality of HML from Def. 4.3. The following are technical lemmata leading up to Lem. 4.5.
Lemma B.1**.**
For each :
- (1)
If is a syntactically deterministic monitor, then is also syntactically deterministic. 2. (2)
If is a reactive and syntactically deterministic monitor, then is also reactive.
Proof.
By structural induction on . ∎
Lemma B.2**.**
Suppose that the syntactically deterministic monitor is sound and complete for some formula and that for some finite trace . Then .
Proof.
From \textsf{rec}\,x.m\xrightarrow{\;\tau\;}m[\raisebox{2.15277pt}{\small\textsf{rec},x.m}\!/\!\mbox{\smallx}]\xRightarrow{\;s\;}v and Lem. A.3 we have the following two cases to consider.
- (1)
Assume that there exists some such that and m^{\prime}[\raisebox{2.15277pt}{\small\textsf{rec},x.m}\!/\!\mbox{\smallx}]=v. This immediately yields the claim, since m^{\prime}[\raisebox{2.15277pt}{\small\textsf{rec},x.m}\!/\!\mbox{\smallx}]=v can only hold if . 2. (2)
Assume that there exist and where (and ) and (because is syntactically deterministic) and . Stated otherwise, we have
[TABLE]
We show that we can reach a contradiction, and therefore this case cannot occur.
If , then for some , and therefore for all , . By Lem. B.5, we then have that for all , if then , and therefore , which is a contradiction. Therefore, must be non-empty.
Consider the trace . We must have either or ; without loss of generality, assume the former. Since is sound and complete for , for some where is a prefix of . By Lem. 3.1, this yields that , and by Lem. 3.9, it must be the case that , and therefore , and by Cor. B.8, , which is also a contradiction. ∎
- Lemma 4.5.
If is a syntactically deterministic monitor that is sound and complete , then is also a sound and complete monitor for .
Proof.
Using Prop. 4.1, the required result follows if we can show that .
In one direction, we have to show that, for , implies . We proceed by structural induction on the string where and .
**Case :: **
which implies that by Def. 4.5. We therefore obtain , since .
**Case :: **
By Lem. B.1(1) and Def. 4.5, since is a syntactically deterministic regular monitor and it does not contain any recursion, for some . Thus we know that for some . There are three subcases to consider.
**Case or :: **
The proof is analogous to that of the base case.
**Case :: **
By Lem. 3.1, this would contradict for .
**Case :: **
From the structure of the monitor , we deduce that
[TABLE]
Again, from the structure the monitor and the fact that is syntactically deterministic (Def. 3.8), we use Def. 4.5 to conclude that
[TABLE]
Now, from Eq. 12, we can derive where, clearly, . By Eq. 13, of Eq. 11 and the inductive hypothesis we obtain that . Thus, we deduce that as required.
For the other direction, we have to show that, for , implies . Again, we proceed by structural induction on where and .
**Case :: **
Trivially true, since implies that by Def. 4.5.
**Case :: **
We have two subcases to consider:
**Case :: **
By Def. 3.8 we know that for some . By Lem. B.2, we deduce that . By the inductive hypothesis we obtain . The required results follows by Def. 4.5, since , and thus .
**Case :: **
By Def. 3.8 we deduce that where . By Def. 4.5 we know that , where we can derive . The required result follows from and the inductive hypothesis, from which we obtain where and . ∎
The following lemmata relate to properties of the formula synthesis function of Def. 4.7.
Corollary B.3**.**
For any , ∎
- Lemma 4.6.
Any reactive monitor is a sound and complete monitor for .
Proof.
We treat soudness and completeness spearately and proceed by induction on the structure of . The main case is when where .
**Soundness:: **
Pick a . From the structure of the monitor , implies that for some and where . By the inductive hypothesis we know that which implies that violates since . The argument for is analogous where we note that, since , any subformula where is satisfied trivially by .
**Completeness:: **
Pick a ; it must be of the form If then it must be because . By the inductive hypothesis, we obtain that which in turn implies that . The case for is analogous. ∎
Prop. 4.7 also makes use of the following technical lemma stating that a deterministic monitor that is complete with respect to some formula must necessarily be reactive.
Lemma B.4**.**
If is a deterministic complete monitor for some formula , then it must be reactive.
Proof.
Let and let . By Def. 3.4, it suffices to prove that . Since, , there must be some , such that . Let for some . Since is complete for , there is a verdict and a finite prefix of , such that . If is a prefix of , then by Lem. 3.1, , and therefore by Lem. 3.9, . If is a prefix of , then for some and for some , . Therefore, by Lem. 3.9, , so , yielding that . ∎
We are now in a position to give a proof of maximality for HML. We actually give two proofs: the first one is constructive as reported in Sec. 4.1, whereas the other one is stronger (albeit non-constructive) and shows that this expressivity result holds for any logic, not just recHML.
- Proposition 4.7
(Maximality for HML). * For any if is complete-monitorable, then there exists such that .*
Proof.
Pick any that is complete-monitorable. By Def. 4.2, there exists a monitor that is sound and complete for . By Prop. 3.8 and Prop. 3.11, there exists a syntactically deterministic regular monitor that is verdict-equivalent to . By Prop. 4.1, monitor is also sound and complete for . Moreover, by Lem. B.4, monitor must also be reactive. By Lem. 4.5 and Lem. B.1, there exists a reactive recursion-free deterministic regular monitor that is verdict-equivalent to . Again, by Prop. 4.1, monitor is also sound and complete for .
Now, by Lem. 4.6, is sound and complete for as well. By Cor. B.3, we know that . Thus, by Prop. 4.1 we conclude that as required. ∎
Remark*.*
The proof of Prop. 4.7 is constructive. We are able to prove (albeit in a non-constructive manner) an even stronger result with respect to complete monitoring for an arbitrary logic that is defined over traces. This increases the importance of the logic identified in Def. 4.3 with the linear-time interpretation of Fig. 1.
- Theorem 4.8
Let be a monitor from a monitoring system with the following two properties:
- (1)
verdicts are irrevocable, that is, if accepts (respectively, rejects) a finite trace , then it accepts (respectively, rejects) all its extensions, and 2. (2)
* accepts (respectively, rejects) a trace if, and only if, it accepts (respectively, rejects) some finite prefix of .*
For any property with a trace interpretation (not necessarily syntactically represented using recHML), if is sound and complete for then can be expressed via the syntactic fragment HML of Def. 4.3.
Proof.
A monitor, irrespective of its syntactic structure, is a computational entity that reaches a verdict after a finite sequence of observations/actions: at this point verdicts are irrevocable meaning that further actions observed would not change the status of the monitor.
Let be such a monitor that is sound and complete for . Let accepts and rejects . Due to soundness, . Now, let
[TABLE]
We observe that both and are suffix-closed, meaning that if a finite trace is in or , then so are all of its finite extensions. Therefore, and . We can define recursively thus: and . If both and are finite, then we can define regular monitor
[TABLE]
and it is not hard to see that accepts and rejects exactly the same traces as : if rejects , then it rejects a finite prefix of , so , and therefore for some , which is then rejected by . The other direction and the case for acceptance are similar.
Therefore, it suffices to prove that is finite. If , then we can immediately see that , which is a finite set. Otherwise, let . We can observe that can neither accept nor reject , because otherwise, without loss of generality, , so if , then is not minimal in and we have a contradiction, while if , then , which is also a contradiction. Therefore , where is the set of finite traces that does not accept or reject. Therefore, it suffices to prove that is finite, which we proceed to do.
To reach a contradiction, we assume that is infinite. Let be the tree-LTS where for every and all , if and only if . As we have established above, does not accept or reject , therefore . It is not hard to see that for every , if , then , by easy induction on . Similarly, if , then . Since Act is finite, is finitely-brancing, and therefore, by König’s Lemma, since is infinite, it must be the case that there is an infinite path (trace) in from . For every finite prefix of , , and therefore, . Therefore, neither accepts nor rejects , which is a contradiction, because is complete for . ∎
Lemma B.5**.**
For any deterministic monitor , if and , then and .
Proof.
From Def. 3.8, if , then for some , and thus the only transition can perform is . ∎
Corollary B.6**.**
If is deterministic, and and , then .
Corollary B.7**.**
If is deterministic and , and , then .
Proof.
Let be such that and If , then by Cor. B.6,
[TABLE]
But then, because and by our assumptions, and by Lem. B.5, , which is a contradiction. Therefore, , and by Cor. B.6, , and by Lem. 3.1, . ∎
Corollary B.8**.**
If is deterministic and , and , where , then .
Proof.
A consequence of Cors. B.7 and 3.1. ∎
B.2. The PSPACE-hardness of maxHML
Here we prove that satisfiability for maxHML is PSPACE-hard. The reduction that we use is from the one-variable, diamond-free fragment of , which is PSPACE-complete (Achilleos, 2016).
is a modal logic with two modalities, and , based on a serial transition relation (i.e., ) and a transitive transition relation (i.e., ), such that . Given a set of propositional variables Prop, is interpreted over Kripke structures of the form , where is a non-empty set of states, the transition relations satisfy the above-mentioned properties, and maps states to sets of propositional variables. Here, we focus on the one-variable, diamond-free fragment of , and therefore and the syntax of the fragment is given by the following grammar:
[TABLE]
The semantics of is defined in terms of a satisfaction relation , where means that is satisfied at state of , in a similar way to the branching-time semantics for recHML, with the additional condition that if and only if . Constants can be either included to the syntax or constructed as and , respectively.
Let , where . We can define the mapping from formulae without diamond modalities and that use only one propositional variable that maps to
[TABLE]
where is such that , it commutes with the boolean operators, and
[TABLE]
The construction of ensures that it can only be satisfied by traces of the form . In such a trace, a following action marks the satisfaction of propositional variable , so states-transitions are represented by actions. As such, in the translation above, we use greatest fixed points (least fixed points would have worked too) to allow the modalities for to skip any occurrences of and only be affected by the occurrences of . The transition relation for can simply be the transitive closure of the one for , and therefore in the translation, the modalities are allowed to skip any finite prefix and activate right after any occurrence.
Lemma B.9**.**
For every formula from the one-variable, diamond-free fragment of , is satisfiable if and only if is satisfiable over Trc.
Proof.
Given a trace , let be a Kripke structure, where is the set of finite prefixes of that do not end with , iff or , and .
Given a Kripke structure and state , fix a path in , where ; , where if , then , and otherwise.
It is not too hard to observe that the following hold for all of , , , and :
- (1)
if and only if is of the form and , by the definition of ; 2. (2)
if and only if , by the construction of ; 3. (3)
if and only if ; 4. (4)
if and only if ; 5. (5)
if and only if ; 6. (6)
if and only if ; 7. (7)
if and only if .
From these observations, it is not hard to conclude, by induction on , that for every of , if , then . Furthermore, if , then by the first observation, and . Therefore, it suffices to prove that for all subformulae of and , where does not end with , if , then . This can be done by induction on , using the observations above. ∎
Then, the PSPACE-hardness of maxHML follows as a corollary of Lemma B.9.
B.3. Tight Complete Monitoring
In the following, we use the notations and to denote a combination of monitors using the parallel operator since the particular way the monitors are combined does not matter. Furthermore, since we are dealing with reactive monitors—and, as a consequence of Prop. 3.6, the parallel operators are associative with respect to verdict-equivalence—any way we combine the monitors with will reach the same verdict for the same (finite) trace.
- Lemma 4.9.
If is slim and (resp., ), then (resp., ).
Proof.
We prove the contrapositive statement, that if , then there is some . The proof is by induction on . The case for is immediate. If , then we have two cases.
**Case :: **
Then there must be some , such that . By the inductive hypothesis, there is some , and therefore, , which completes the proof.
**Case :: **
Then there is some , and therefore, , which completes the proof.
If , then . Let . Since is slim, and by the inductive hypothesis there is some . Therefore, , which completes the proof. ∎
- Lemma 4.10.
If is a slim HML formula, then is tight.
Proof.
By Prop. 4.3, implies that there is a finite prefix of such that . We prove, by induction on , that if , then (the case for acceptance is symmetric). If , then by Lemma 4.3, for every trace , , thus by Lemma 4.9, , and therefore . Since , we are done. If , if , then we have two cases:
- •
If , then , , and
[TABLE]
Therefore, using the inductive hypothesis and rule mVrC1,
[TABLE]
- •
If , then
[TABLE]
If , then . If , then, using the inductive hypothesis and rule mVrD1,
[TABLE]
and the proof is complete. ∎
- Proposition 4.12
(HML normalisation). * For every formula , there exists such that where is slim and . *
Proof.
We observe that if is not slim, then one of its subformulas is not in a form that can be produced by the grammar of Def. 4.9, and therefore it must have the form of one of the left-hand-side formulas from Fig. 4. Therefore, for the proposition it suffices to prove for each of these equivalences that it is sound and that the left-hand-side has a smaller length than the right-hand-side, which ensures that the rewriting of formulae terminates after at most substitutions. The cases for Eqs. 1 and 2 are immediate. The remaining cases are also not that hard to handle, and we describe the representative case of Eq. 7.
We can observe that and represent respectively a sequence of conjunctions and disjunctions. Therefore, . As such,
[TABLE]
[TABLE]
because . To prove that Eq. 7 is sound, we observe that if and only if and if and only if and and and if and only if and and , or and if and only if . ∎
B.4. Partially-Complete Monitoring
A useful measure for guarded formulae is that measures the longest distance from the root of the syntax tree of to either a constant , or to a modality.
Definition B.1 (Measure for guarded recHML formulae).
[TABLE]
- Proposition 4.14
For any , is reactive.
Proof.
The proof is by straightforward induction on , using the fact that is guarded, and that therefore for the case of , . ∎
- Proposition 4.15
For every , is a sound and violation-complete monitor for . For every , is a sound and satisfaction-complete monitor for .
Proof.
We prove the lemma for the maxHML fragment; the proof for minHML is dual. For soundness, we need to show that if (resp., ) then (resp., ). We here show the case for rejection; the case for acceptance is symmetric.
If then there is an explicit trace that agrees with a prefix of on external actions, such that . By structural induction on , we prove that for every and , if and is a prefix of , then .
**Case :: **
and thus, where holds trivially.
**Case :: **
We take cases for . Since is closed, we do not consider the case for .
**Case :: **
Immediate.
**Case :: **
We have and Lem. 3.1 ensures that the premise cannot ever hold.
**Case :: **
By Def. 4.12, we have . This monitor cannot take a -transition, so it must be the case that . Therefore , it must be the case that where and for some such that is a prefix of . From the IH, , and thus, by , we obtain .
**Case :: **
By Def. 4.12, we have . Similar to the previous case, if , then and where
- **•: **
either , which immediately gives us ;
- **•: **
or where . By the IH, we obtain and thus .
**Case :: **
so and . Noting that , and since is a prefix of , by the inductive hypothesis, .
**Cases and :: **
We proceed by induction on the number of boolean connectives in the formula. If has no boolean connectives, this is handled by one of the previous cases. If then . From Lem. 3.5, if and only if either or . By the inductive hypothesis, this is the case only if or , and therefore . The case for is similar.
For completeness: we need to show that if (resp., ) then (resp., ). Again, we prove the case for rejection since the case for acceptance is symmetric.
Since is closed, we can assume that each formula variable appears in the scope of a unique greatest-fixed-point operator . We assume a mapping of variables that appear in to subformulae of , such that for every , for some . We can extend the definition of monitor synthesis from Def. 4.12 to also apply on pairs , where and is a set of formula variables that appear in , by altering the case for , so that
[TABLE]
We observe that . Therefore, to complete the proof of completeness, it suffices to prove that for all (possibly open) subformulae of , if is the set of free variables in and for some environment such that for all , is the set of traces that does not reject, then rejects . We proceed to prove this claim by induction on .
**cases :: **
immediate.
**case :: **
Note that if and only if , , and . By the IH, implies that rejects . As a result, the monitor rejects .
**case :: **
if and only if either and , or else . In the former case clearly rejects ; in the later case, by the IH we know that rejects , in which case rejects .
**cases and :: **
We proceed by induction on the number of boolean connectives. The case without boolean connectives is handled by one of the previous cases. If , then . If , then it must be the case that either or . By the IH we obtain either or . Therefore, from Props. 4.14 and 3.5, . The disjunctive case is similar.
**case :: **
From Fig. 1, if and only if there is some set of traces , such that and . Let be the set of traces not rejected by . By the IH, for every trace ,
[TABLE]
By Def. 4.12, we have where every transition sequence must therefore start as \textsf{rec}\,x.\textsf{m}(\psi^{\prime},S)\xrightarrow{\;\tau\;}\textsf{m}(\psi^{\prime},S)[\raisebox{2.15277pt}{\small\textsf{m}(\psi,S)}\!/\!\mbox{\smallx}]. We also have that \textsf{m}(\psi^{\prime},S)[\raisebox{2.15277pt}{\small\textsf{m}(\psi,S)}\!/\!\mbox{\smallx}]=\textsf{m}(\psi^{\prime},S\cup\{X\}). This means that, if , then \textsf{m}(\psi^{\prime},S)[\raisebox{2.15277pt}{\small\textsf{m}(\psi,S)}\!/\!\mbox{\smallx}] rejects , which in turn yields that rejects , which is the result that we want. Therefore, for every trace ,
[TABLE]
hence . If does not reject , then and thus, ; in other words, if , then rejects . ∎
The following definition, Def. B.2, lead up to Lem. 4.16, which handles the discrepancies between our synthesis functions.
Definition B.2.
For parallel monitor , we define recursively on , such that for , it commutes with the parallel composition operators, , , and .
Lemma B.10**.**
For every , .
Proof.
By straightforward induction on . ∎
- Lemma 4.16.
* rejects the same traces as .*
Proof.
From Lem. B.10, . We can decompose to three separate operators, , , and that respectively replace end with yes, with , and with , and commute with all other monitor operations and leave other constants unchanged. We can see that . Thus, it suffices to prove that for all and , rejects the same finite traces as . But this can be proven by straightforward induction on the finite trace. ∎
B.5. Tight Partially-Complete Monitoring
- Lemma 4.19.
Let be a deterministic regular monitor, where , , , and do not occur as submonitors. Then, is tight.
Proof.
Let be a deterministic regular monitor, where , , , and do not occur as submonitors, and let be such that rejects for every . We prove that . For this, we use the alternative monitor rules that were introduced in Subsection 3.3 and the following auxiliary lemma.
Lemma** ((Aceto et al., 2016)).**
In a transition-sequence , such that is bound in and is deterministic, must appear.
Let be such that . We prove that if , then there is some that does not reject, and this suffices due to Lemma 3.9. We use induction on . If is a verdict, then the proof is complete. If , then can only transition to ; but then, by the lemma, there are some , such that and , and therefore does not reject . If , then if , does not reject , therefore we assume that . If rejects all traces, then so do all of , and therefore by the inductive hypothesis, , which contradicts the lemma’s assumptions. Finally, if , then by the inductive hypothesis, either does not reject all traces, or , which is a contradiction. ∎
Appendix C Monitorability Across Semantics
We now present the omitted proofs of Sec. 5.
C.1. The Finfinite Domain
- Lemma 5.3.
For all ,
Proof.
Given an environment on finfinite traces, let be the restriction of on Trc. Then, we can prove by induction on that if and only if , for all and . ∎
C.2. Monitorability over Finfinite Traces
- Lemma 5.4.
Over finfinite traces, if is sound and complete for , then is equivalent to either or to .
Proof.
If is complete for , then it must either accept or reject and thus all of its extensions, that is all finfinite traces. If is also sound, then is equivalent to or . ∎
To facilitate some of the proofs to follow, we define to measure the distance from the root of the syntax tree of to either a constant , or to a modality.
Definition C.1.
[TABLE]
- Lemma 5.5.
For all and , if and , then ; if and , then .
Proof.
We prove the lemma for the case of , as the case of is dual, and, as usual, we assume that is a guarded formula. We use induction on . Let . We proceed by a case analysis on the form of . The interesting cases are the ones for and . If , then, if for some , then , so it must be the case that , therefore by the inductive hypothesis, , so ; otherwise, immediately by the finfinite semantics, . If , then and since is guarded, , so the proof is complete by the inductive hypothesis. ∎
Definition C.2.
We say that is propositionally inconsistent if , or and one of is propositionally inconsistent, or and both of are propositionally inconsistent, or or , and is propositionally inconsistent. We can dually define that is a propositional tautology.
Lemma C.1**.**
If a guarded (closed) is equivalent to under finfinite semantics, then it is propositionally inconsistent. If a guarded (closed) is equivalent to under finfinite semantics, then it is a propositional tautology.
Proof.
We prove by induction on that if is not propositionally inconsistent, then . The cases for or are vacuous or trivial. If , then by definition, . If , then, since is not propositionally inconsistent, neither is ; but , and by the inductive hypothesis . We can similarly prove that if is not a propositional tautology, then . ∎
Lemma C.2**.**
If is propositionally inconsistent, then .
Proof.
Straightforward induction on , using Lems. A.5, A.6 and 4.15. ∎
- Proposition 5.6
Given a closed formula , is sound and violation-complete for over finfinite traces. For , is sound and satisfaction-complete for over finfinite traces.
Proof.
Let — the case for is similar. The proof for Soundness is the same as in the proof of Prop. 4.15. To prove Completeness, if , then we have two cases. The first is that , in which case, by Lem. 5.3, , and therefore, by Prop. 4.15, rejects . The second case is that , in which case we use induction on . The base case is that , which, by Lem. 5.5, implies that is equivalent to , which in turn, by Lems. C.1 and C.2, implies that rejects . For , we use induction on . The cases for or are immediate. Since is closed, . If , then , and , and by the inductive hypothesis on , rejects , therefore rejects . If , then it is satisfied by . The boolean operator cases follow from Lems. A.5 and 4.2. Finally, if , then and ; but then, because of guardedness, , so by the inductive hypothesis on , since is equivalent to , rejects . As , rejects too.
∎
Lemma C.3**.**
If represents and , then represents .
Proof.
If , then . If , then , so is a prefix of . If and , then and , so . ∎
- Lemma 5.7.
If represents , then iff .
Proof.
Given an environment for finfinite traces, let be an environment on processes, such that for every ,
[TABLE]
given an environment on processes, we can similarly define
[TABLE]
We prove that if , then , by induction on . The cases for , and the boolean operators are immediate. The cases for or follow from Lem. C.3. If and , then there is some with . Let represents some . We can see that and by the inductive hypothesis, , which implies that . If , then . If for a set of processes , , then due to the monotonicity of , for the set of trace-processes from and is represented by some , . By the inductive hypothesis, if represents , then implies that , and therefore, , yielding that . Therefore, , and so . Thus, we proved that , and thus, .
We can similarly prove that if , then . ∎
C.3. Monitorable Formulae across Semantics
Lemma C.4**.**
*If has a sound and violation-complete (resp., satisfaction-complete) regular or reactive parallel monitor over infinite traces, then there is some (resp., ) that is equivalent to over infinite traces. *
Proof.
Let be a sound and violation-complete regular or reactive parallel monitor for over finfinite traces. By Proposition 3.8, there is a regular monitor that is verdict-equivalent to , so it is also sound and violation-complete for . From Thm. 5.1 there is a formula , such that is sound and violation-complete for over all LTSs, including the LTS of trace-processes. Since is sound and violation-complete for on trace processes, is equivalent to claiming that does not reject any trace that can produce. However, this is equivalent to saying that does not reject , which is equivalent to . By Lems. 5.7 and 5.3, iff , and the proof is complete. The case for a satisfaction-complete monitor is similar. ∎
- Proposition 5.9
If (resp., ), then there is some (resp., ) that is equivalent to over finfinite traces.
Proof.
If (resp., ), then from Prop. 5.6, there is a monitor that is sound and violation-complete (resp., satisfaction-complete) for over finfinite traces. From Prop. 5.8, is then equivalent to a formula in sHML (resp., cHML). ∎
- Proposition 5.10
If (resp., ), then there is some (resp., ) that is equivalent to over infinite traces.
Proof.
sHML is just maxHML without disjunctions or -operators. We first show that on infinite linear semantics, can be rewritten as . Indeed, if then for some and . Then . Conversely, if then and either or . In either case, .
This gives up a formula in unHML. From Prop. 5.8, this formula is then equivalent to a sHML formula over finfinite traces. From Lem. 5.3 this equivalence also holds over infinite traces. ∎
- Lemma C.5.
If for , and subsumes , then . Dually, if for , and subsumes then .
Proof.
Let for , and suppose that subsume . We claim that . Indeed, assume towards a contradiction, that . Since , from Thm. 5.1 there is a monitor that is sound and violation-complete for with respect to the branching-time semantics. As is violation-complete for and does not satisfy , we have that for some , that is . Then by unzipping (Lem. 3.3) and . Since subsumes , for some process . Then, from Lem. 3.4 , i.e., , which contradicts the soundness of for . The case of is obtained by duality. ∎
Definition C.3.
We say that a process subsumes a process if produces all the finfinite traces that produces.
Lemma C.5**.**
If for , and subsumes , then . Dually, if for , and subsumes then .
- Proposition 5.11
For a process and a formula , the following are equivalent:
- (1)
** 2. (2)
If produces a finfinite trace , then
Proof.
**Direction (1) implies (2): **
Assume and that produces a finfinite trace . Then subsumes the trace-process . From Lem. C.5, . Since is a trace process, from Lem. 5.7, .
**Direction (2) implies (1): **
Assume that . Let be a trace produced by . Again, subsumes , and from Lem. C.5 . Since is a trace process, from Lem. 5.7, . ∎
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1(1)
- 2Aceto et al . (2017 a) Luca Aceto, Antonis Achilleos, Adrian Francalanza, and Anna Ingólfsdóttir. 2017 a. Monitoring for silent actions. In FSTTCS (LIP Ics) , Satya Lokam and R. Ramanujam (Eds.), Vol. 93. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 7:1–7:14.
- 3Aceto et al . (2018 a) Luca Aceto, Antonis Achilleos, Adrian Francalanza, and Anna Ingólfsdóttir. 2018 a. A Framework for Parametrized Monitorability. In FOSSACS (Lecture Notes in Computer Science) , Vol. 10803. Springer, 203–220.
- 4Aceto et al . (2016) Luca Aceto, Antonis Achilleos, Adrian Francalanza, Anna Ingólfsdóttir, and Sævar Örn Kjartansson. 2016. Determinizing Monitors for HML with Recursion. Co RR abs/1611.10212 (2016). ar Xiv:1611.10212 http://arxiv.org/abs/1611.10212
- 5Aceto et al . (2017 b) Luca Aceto, Antonis Achilleos, Adrian Francalanza, Anna Ingólfsdóttir, and Sævar Örn Kjartansson. 2017 b. On the Complexity of Determinizing Monitors. In Implementation and Application of Automata . Springer International Publishing, 1–13. https://doi.org/10.1007/978-3-319-60134-2_1 · doi ↗
- 6Aceto et al . (2018 b) Luca Aceto, Ian Cassar, Adrian Francalanza, and Anna Ingólfsdóttir. 2018 b. On Runtime Enforcement via Suppressions. In CONCUR (LIP Ics) , Vol. 118. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 34:1–34:17. https://doi.org/10.4230/LIP Ics.CONCUR.2018.34 · doi ↗
- 7Aceto et al . (2007) Luca Aceto, Anna Ingólfsdóttir, Kim Guldstrand Larsen, and Jiri Srba. 2007. Reactive Systems: Modelling, Specification and Verification . Cambridge Univ. Press, New York, NY, USA.
- 8Achilleos (2016) Antonis Achilleos. 2016. Modal Logics with Hard Diamond-Free Fragments. In Logical Foundations of Computer Science , Sergei Artemov and Anil Nerode (Eds.). Springer International Publishing, Cham, 1–13.
