A foundation for runtime monitoring by Francalanza, Adrian et al.
A Foundation for Runtime Monitoring?
Adrian Francalanza1, Luca Aceto2, Antonis Achilleos2, Duncan Paul Attard1,2,
Ian Cassar1,2, Dario Della Monica3,4, and Anna Ingo´lfsdo´ttir2
1 Department of Computer Science, University of Malta, Msida, Malta
2 School of Computer Science, Reykjav´ık University, Iceland
3 Departamento de Sistemas Informa´ticos y Computacio´n, Universidad Complutense
de Madrid, Spain
4 Dipartimento di Ingegneria Elettrica e Tecnologie dell’Informazione, Universita`
“Federico II” di Napoli, Italy
Abstract. Runtime Verification is a lightweight technique that comple-
ments other verification methods in an effort to ensure software correct-
ness. The technique poses novel questions to software engineers: it is not
easy to identify which specifications are amenable to runtime monitor-
ing, nor is it clear which monitors effect the required runtime analysis
correctly. This exposition targets a foundational understanding of these
questions. Particularly, it considers an expressive specification logic (a
syntactic variant of the modal µ-calculus) that is agnostic of the veri-
fication method used, together with an elemental framework providing
an operational semantics for the runtime analysis performed by moni-
tors. The correspondence between the property satisfactions in the logic
on the one hand, and the verdicts reached by the monitors performing
the analysis on the other, is a central theme of the study. Such a corre-
spondence underpins the concept of monitorability, used to identify the
subsets of the logic that can be adequately monitored for by RV. Another
theme of the study is that of understanding what should be expected of
a monitor in order for the verification process to be correct. We show
how the monitor framework considered can constitute a basis whereby
various notions of monitor correctness may be defined and investigated.
0 Introduction
Runtime Verification (RV) [35] is a lightweight verification technique that checks
whether the System Under Scrutiny (SUS) satisfies a correctness property by
analysing its current execution. It has its origins in model checking, as a more
scalable (yet still formal) approach to program verification where state explosion
problems (which are inherent to model checking) are mitigated [34,35]. RV is of-
ten used to complement other verification techniques such as theorem proving,
model checking and testing, in a multi-pronged approach towards ensuring sys-
tem correctness [5,4,21,3]. The technique has fostered a number of verification
? This work was supported by the project “TheoFoMon: Theoretical Foundations for
Monitorability” (nr.163406-051) of the Icelandic Research Fund and the Marie Curie
INDAM-COFUND-2012 Outgoing Fellowship.
High-Level Specification ϕ
x
monitor synthesis
Monitorϕ e1 e2 e3 e4 e5 · · ·
execution trace
system events
System
3
?
7
satisfaction violation
inconclusive
runtime
design time
analyses exhibits
Fig. 1. Runtime monitor synthesis and operational set-up.
tools such as [30,12,19,10,16,37,21,18,39,27,20,6,38], to name but a few. It has
also been used for a variety of applications, ranging from checking the executions
of the NASA Mars Rover software [12] and other autonomous research vehicles
[28], to more mundane tasks such as checking for rule violations in financial
systems [8], video games [40] and electronic examinations [29].
At its core, RV generally assumes a logic describing the correctness specifi-
cations that are expected to be satisfied by the SUS. From these specifications,
programs called monitors are generated and instrumented to run with the SUS,
so as to analyse its current execution (expressed as a trace of events) and infer
any system violations or satisfactions w.r.t. these specifications (see Figure 1).
Violation and satisfaction verdicts are typically considered to be definite, i.e.,
cannot be retracted upon observing further system events. Monitors are them-
selves computational entities that incur runtime costs, and considerable amounts
of effort in RV is devoted to the engineering necessary to keep runtime overheads
at feasible levels. Yet, a RV set-up such as the one depicted in Figure 1 raises
additional questions that warrant equal consideration.
We need to talk about monitors. The expressiveness of the verification tech-
nique w.r.t. the correctness properties that can be described by the logic—an
attribute often termed as monitorability—should be a central question in RV. In
fact, specification logics that are not necessarily wedded to the RV technique may
express properties that cannot be monitored for at runtime. Particularly, cer-
tain aspects of a chosen specification logic can potentially reduce the analytical
capabilities of the monitors, such as the ability to express properties describing
multiple or infinite executions of a system. In such cases, the (finite) trace exhib-
ited by the running system (see Figure 1) may not contain sufficient execution
information so as to enable the monitor to determine whether a property under
analysis is violated or satisfied by the SUS. Therefore, being able to identify
which properties are monitorable is essential for devising an effective strategy in
a multi-pronged verification approach that tailors the verification method used
to each correctness specification.
Another fundamental question raised by RV concerns monitor correctness.
Generally, monitors are considered to be part of the trusted computing base, and
are thus expected to exhibit correct behaviour. When this is not the case, er-
roneous monitors could invalidate any runtime analysis performed, irrespective
of the low overheads a monitor may brandish. On top of that, what is actually
expected of these monitors is seldom defined in precise terms, making it hard
to ascertain monitor correctness. For instance, in a typical RV set-up such as
that of Figure 1, one would expect detection soundness, whereby any rejections
(resp. acceptances) flagged by the monitor imply that the system indeed violates
(resp. satisfies) the property being monitored. Other settings may also stipulate
detection completeness, by which all property violations (resp. satisfactions) are
flagged accordingly by the monitor observing the SUS. One may also require
attributes that are independent of the specification logic chosen, such as passiv-
ity (i.e., the absence of monitor interference with execution of the SUS), and
determinism (i.e., whether the monitor consistently yields the same verification
outcome for the same observations).
This paper sheds light on one possible approach for addressing these ques-
tions. In particular, it showcases the work embarked upon in Theoretical Foun-
dations for Monitorability (TheoFoMon), a three-year project funded by the
Icelandic Research Fund with the aim of investigating the expressiveness and
correctness issues outlined above. To maintain a general approach, the afore-
mentioned questions are studied in the context of the Hennessy-Milner Logic
with recursion (µHML) [33], a reformulation of the expressive and well-studied
modal µ-calculus [32]—the logic is agnostic of the verification technique used,
and can embed widely used temporal logics such as CTL∗ [17,9]. Labelled Transi-
tion Systems (LTSs) [2], formalisms that have been used to describe a vast range
of computational phenomena, are employed to abstractly model the behaviour
of systems and monitors in terms of graphs. This generality serves two goals. On
the one hand, the LTS operational formalism abstracts away instance details of
specific RV settings, facilitating the distillation of the core concepts at play. On
the other hand, the considerable expressiveness of the logic immediately extends
any findings and observations to other logics that can be embedded within it.
Paper Overview. The preliminaries in Section 1 present the basics for mod-
elling systems and provide an introduction to our touchstone logic. Section 2
presents our monitor and instrumentation models. Section 3 links the properties
specified by the logic and the verdicts reached by monitors, whereas Section 4
discusses notions of monitor correctness. Section 5 surveys extensions on the
monitorability and correctness results presented, and Section 6 concludes.
p p′
req
ack
q q′′q′
req
ack
lim
r r′ r′′
req
ack
req
ack
Fig. 2. The LTS depicting the behaviour of three server implementations p, q and r.
1 Preliminaries: Groundhog Day
We provide a brief outline of the main technical machinery used by our expo-
sition, namely, the system model and the specification logic. Interested readers
are encouraged to consult [33,2] for more details.
The model. LTSs are directed graphs with labelled edges modelling the possi-
ble behaviours that can be exhibited by an executing system. Formally, a LTS
consists of the triple 〈Sys, (Act ∪ {τ}),−→〉 comprised of:
– a set of system states p, q, r ∈ Sys (every system state may also be used to
denote a system that starts executing from that state),
– a set of visible actions α ∈ Act and a distinguished silent action τ , where
τ 6∈ Act and µ ranges over (Act ∪ {τ}), and finally,
– a ternary transition relation between states labelled by actions; we write
p
µ−→q in lieu of 〈p, µ, q〉 ∈−→.
The notation p
µX−→ is written when p µ−→ q for no system state q. Additionally,
p=⇒q denotes a sequence of silent actions p( τ−→)∗q from state p to q, whereas
p
α
=⇒q, is written in place of p =⇒ · α−→· =⇒ q, to represent a visible action α
that may be padded by preceding and succeeding silent actions. We occasionally
use the notation 0 to refer to a system (state) that is deadlocked and exhibits no
actions (not even silent ones). We let traces, t, u ∈ Act∗, range over sequences
of visible actions and write sequences of transitions p
α1=⇒ . . . αn=⇒ pn as p t=⇒ pn,
where t = α1, . . . , αn. As usual,  denotes the empty trace.
Example 1. The directed graph in Figure 2 depicts a LTS describing the im-
plementation of three servers whose events are represented by the set of visible
actions Act = {req, ack, lim}. State p shows the simplest possible implemen-
tation of a server that receives (req) and acknowledges (ack) client requests
repeatedly. State q denotes an extension on this implementation that may reach
a termination limit (transition lim) after a number or serviced requests (i.e.,
req followed by ack). Finally state r represents an unpredictable server imple-
mentation that occasionally acknowledges a preceding client request twice. 
Syntax
ϕ, φ ∈ µHML ::= ff (falsity) | tt (truth)
| ϕ ∧ φ (conjunction) | ϕ ∨ φ (disjunction)
| [α]ϕ (necessity) | 〈α〉ϕ (possibility)
| maxX.ϕ (max. fixpoint) | minX.ϕ (min. fixpoint)
| X (recursive variable)
SemanticsJff, ρK def= ∅ Jtt, ρK def= SysJϕ ∧ φ, ρK def= Jϕ, ρK ∩ Jφ, ρK Jϕ ∨ φ, ρK def= Jϕ, ρK ∪ Jφ, ρK
J[α]ϕ, ρK def= {p | ∀p′. p α=⇒p′ implies p′∈Jϕ, ρK}
J〈α〉ϕ, ρK def= {p | ∃p′. p α=⇒p′ and p′∈Jϕ, ρK}
JmaxX.ϕ, ρK def= ⋃ {S | S ⊆ Jϕ, ρ[X 7→ S]K}
JminX.ϕ, ρK def= ⋂ {S | Jϕ, ρ[X 7→ S]K ⊆ S}
JX, ρK def= ρ(X)
Fig. 3. The syntax and semantics of µHML.
The logic. µHML [33,2] is a branching-time logic that can be used to specify
correctness properties over systems modelled in terms of LTSs. Its syntax, given
in Figure 3, assumes a countable set of logical variables X,Y ∈ LVar, thereby
allowing formulae to recursively express largest and least fixpoints using maxX.ϕ
and minX.ϕ resp.; these constructs bind free instances of the variable X in ϕ
and induce the usual notions of free and closed formulae—we work up to alpha-
conversion of bound variables. In addition to the standard constructs for truth,
falsity, conjunction and disjunction, the µHML syntax includes the necessity
and possibility modalities, one of main distinctive features of the logic.
The semantics of µHML is defined in terms of the function mapping for-
mulae ϕ to the set of LTS states S ⊆ Sys satisfying them. Figure 3 describes
the semantics for open and closed formulae, and uses a map ρ ∈ LVar ⇀ 2Sys
from variables to sets of system states to enable an inductive definition on the
structure of the formula ϕ. The formula tt is satisfied by all processes, while ff is
satisfied by none; conjunctions and disjunctions bear the standard set-theoretic
meaning of intersection and union. Necessity formulae [α]ϕ state that for all sys-
tem executions producing event α (possibly none), the subsequent system state
must then satisfy ϕ (i.e., ∀p′, p α=⇒p′ implies p′ ∈ Jϕ, ρK must hold). Possibility
formulae 〈α〉ϕ require the existence of at least one system execution with event
α whereby the subsequent state then satisfies ϕ (i.e., ∃p′, p α=⇒p′ and p′ ∈ Jϕ, ρK
must hold). The recursive formulae maxX.ϕ and minX.ϕ are resp. satisfied by
the largest and least set of system states satisfying ϕ. The semantics of recursive
variables X w.r.t. an environment instance ρ is given by the mapping of X in
ρ, i.e., the set of processes associated with X. Closed formulae (i.e., formulae
containing no free variables) are interpreted independently of the environment
ρ, and the shorthand JϕK is used to denote Jϕ, ρK, i.e., the set of system states in
Sys that satisfy ϕ. In view of this, we say that a system (state) p satisfies some
closed formula ϕ whenever p ∈ JϕK, and conversely, that it violates ϕ whenever
p /∈ JϕK. We highlight two basic formulae that are used pervasively in µHML:
〈α〉tt describes systems that can produce action α, while [α]ff describes systems
that cannot produce action α. Note also that [α]tt is semantically equivalent to
tt whereas 〈α〉ff equates to ff.
Example 2. Recall the server implementations p, q and r depicted in Figure 2.
ϕ1 = 〈req〉〈ack〉〈req〉tt ϕ2 = [lim][req]ff
ϕ3 = [req][ack]〈req〉tt ϕ4 = [req][ack]〈req〉tt ∧ 〈lim〉tt
ϕ5 = maxX.
(
[req]([ack]X ∧ [ack][ack]ff))
ϕ6 = minX.(〈req〉〈ack〉X ∨ 〈lim〉tt)
Formula ϕ1 describes systems that can produce a req after some serviced request
(i.e., a req followed by a ack); all server implementations p, q and r satisfy this
property. Formula ϕ2 states that whenever a system produces the event lim,
it cannot produce any req actions. Again all three implementations satisfy this
property where, in particular, p and r satisfy this trivially since both never
produce a lim event. Formula ϕ3 strengthens property ϕ1 by requiring that a
system can produce a req after any serviced request. While p and q satisfy
this requirement, implementation r violates this property at any time it (non-
deterministically) transitions to state r′′. Formula ϕ4 strengthens this property
further, by requiring the implementation to be capable of producing the lim
event; only q satisfies this property.
Formula ϕ5 specifies a (recursive) safety property that prohibits a system
from producing duplicate acknowledgements in answer to client requests after
any number of serviced requests. System r violates ϕ5 via any trace in the regular
language (req.ack)+.ack. Finally, ϕ6 describes systems that can reach a service
limit after a number (possibly zero) of serviced requests. System q satisfies ϕ6 im-
mediately, as opposed to p and r, which never reach such a state after any number
of serviced requests. We note that if the minimal fixpoint recursion operator in
ϕ6 is substituted with a maximal fixpoint, i.e., maxX.(〈req〉〈ack〉X ∨ 〈lim〉tt),
implementations p and r would also satisfy it via the infinite sequence of events
req.ack.req.ack . . . 
2 Dial M for Monitor
In [25,26], monitors are also perceived as LTSs, expressed through the syntax of
Figure 5. It consists of three verdict constructs, yes, no and end, resp. denot-
ing acceptance, rejection and termination (i.e., an inconclusive outcome). The
m1
ack.ack.yes ack.yes yes
no
req ack ack
req,ack,lim
lim
req,ack,lim
Fig. 4. The LTS representation for monitor m1 = (req.ack.ack.yes+ lim.no).
syntax also includes action α prefixing, mutually-exclusive (external) choice and
recursion, denoted by recx.m, acting as a binder for the recursion variables x
in m. All recursive monitors are assumed to be guarded, meaning that all oc-
currences of bound variables occur under the context of an action prefix. In
the sequel, we assume closed monitor terms, where all variable occurrences are
bound.
Every monitor term may be given a LTS semantics via the transition rules
shown in Figure 5. The rules are fairly standard: for example, m1+m2
µ−−→ m3
(for some m3) if either m1
µ−−→ m3 or m2 µ−−→ m3 (by rules SelL or SelR). The
only transition rule worth drawing attention to, Ver, specifies that verdicts v
may transition with any α ∈ Act to return to the same state, modelling the
assumed requirement from Figure 1 that verdicts are irrevocable.
Example 3. Monitor m1 = (req.ack.ack.yes+ lim.no) can be represented dia-
grammatically via the LTS depicted in Figure 5. This LTS is derived using the
monitor dynamics from Figure 5, by applying the rules that match the edge label
and the structure of the term under consideration. Every term that results from
each rule application essentially represents a LTS state. For example, the edge
labelled lim from node m1 to node no in Figure 4 follows from the transition
req.ack.ack.yes+ lim.no
lim−−−→ no
derived by applying rule SelR and rule Act. From the LTS in Figure 4, we
can see that monitor m1 reaches an acceptance verdict whenever it analyses the
sequence of events req.ack.ack, and a rejection verdict when the single event
lim is analysed. 
In [26], a system p can be instrumented with a monitor m (referred to here-
after as a monitored system and denoted as m/ s) by composing their respective
LTSs. The semantics of m/ s is defined by the instrumentation rules in Figure 5.
We highlight the generality of the instrumentation relation / . It is parametric
w.r.t. the system and monitor abstract LTSs and is largely independent of their
specific syntax: it only requires the monitor LTS to contain an inconclusive (per-
sistent) verdict state, end. Instrumentation is asymmetric, and the monitored
system transitions with an observable event only when the system is able to
exhibit said event. The suggestive symbol / alludes to this unidirectional com-
position, indicating that trace events flow from the system into the monitor.
Syntax
m,n ∈Mon ::= v | α.m | m+n | recx.m | x
v, u ∈ Verd ::= end | no | yes
Dynamics
Act
α.m
α−−→ m
Rec
recx.m
τ−−→ m[recx.m/x]
SelL m
µ−−→ m′
m+n
µ−−→ m′
SelR n
µ−−→ n′
m+n
µ−−→ n′
Ver
v
α−−→ v
Instrumentation
Mon
p
α−−→ p′ m α−−→ m′
m / p
α−−→ m′ / p′
Ter
p
α−−→ p′ m 6 α−−→ m 6 τ−−→
m / p
α−−→ end / p′
AsS
p
τ−−→ p′
m / p
τ−−→ m / p′
AsM m
τ−−→ m′
m / p
τ−−→ m′ / p
Fig. 5. Monitors and instrumentation.
The monitor is in this sense passive as it does not interact with the system, but
transitions in tandem with it according to the rules in Figure 5. When the sys-
tem exhibits an observable event that can be analysed by the monitor, the two
synchronise and transition in lockstep according to their respective LTSs via the
rule Mon. When the monitor cannot analyse the aforementioned event,5 and is
it not able to transition internally to a state that permits it to do so (i.e., it is al-
ready stable, m 6 τ−→), the system is not blocked by the instrumentation. Instead,
it is allowed to transition, whereas the monitor is aborted to the inconclusive
verdict end, as per rule Ter. The system-monitor synchronisation is limited to
visible actions, and both system and monitor can transition independently w.r.t.
their own internal τ -action (rules AsS and AsM).
Example 4. Figure 6 depicts the LTS of the monitored system m1/ r that results
from the composition of system r from Figure 2 with monitor m1 from Figure 4.
Any verdict that m1 arrives at is subject to the execution path that r decides
to follow at runtime. In Figure 6, an acceptance can never be reached since r
does not produce event lim. Furthermore, when event req is exhibited by r, the
monitored system may non-deterministically transition to either ack.ack.yes/ r′
or ack.ack.yes/ r′′ (cases A and B in Figure 6)—this impinges on whether m1
reaches an acceptance verdict or not.
For case A, state r′ generates an ack event followed by req; the monitor at
this stage, ack.yes, is not expecting a req event, but ack instead. It therefore
5 This may be due to event knowledge gaps from the instrumentation-side or knowl-
edge disagreements between the monitors and the instrumentation [11].
m1 / r
ack.ack.yes/ r′′ ack.yes/ r′ yes / r yes / r′ yes / r′′
ack.ack.yes/ r′ ack.yes/ r end / r end / r′ end / r′′
Case B: r transitions to r′′
Case A: r transitions to r′
req
ack ack
req
ack
req
ack
req ack
req
req
req
ack
req
ack
Fig. 6. The LTS depicting the behaviour of the monitored system m / r.
aborts monitoring, reaching the inconclusive verdict end using the instrumenta-
tion rule Ter (Figure 5). If instead, the monitored system m1 / r transitions to
ack.ack.yes/ r′′ (case B), it then reaches an acceptance verdict after analysing
two consecutive ack events. In either outcome, the monitor verdict is preserved
once it is reached via rule Ver. 
3 Sense and Monitorability
To understand monitorability in our setting, we need to relate acceptances (yes)
and rejections (no) reached by a monitor m when monitoring a system p with
satisfactions (p ∈ JϕK) and violations (p 6∈ JϕK) for that system w.r.t. some closed
µHML formula ϕ. This will, in turn, allow us to determine when a monitor m
represents (in some precise sense) a property ϕ.
Example 5. Consider the simple monitor m2 = lim.no which rejects all the sys-
tems that produce the event lim. Since any such system p would necessarily
violate the property ϕ7 = [lim]ff, i.e., p 6∈ J[lim]ffK, there exists a tight corre-
spondence between any system rejected by m2 and the systems violating ϕ7. By
contrast, the more elaborate monitor m3 = recx.(req.ack.x+ lim.yes) reaches
the acceptance verdict for systems that exhibit a trace consisting of a sequence
of serviced requests (req.ack)∗ followed by the event lim. It turns out that
this monitor can only reach an acceptance for systems that satisfy the property
ϕ6 = minX.(〈req〉〈ack〉X ∨ 〈lim〉tt) from Example 2. Stated otherwise, there
is a correspondence between the systems satisfying ϕ6, i.e., p ∈ Jϕ6K, and those
accepted by monitor m3. 
However such correspondences are not so clear for certain monitors.
Example 6. Monitor m1 from Example 3 reaches an acceptance verdict when
composed with a system p⊥ that exhibits the trace req.ack.ack, and a rejection
verdict for the same system p⊥ when it exhibits the trace lim (i.e., m1 / p⊥
req.ack.ack
=======⇒yes/ 0 and m1/ p⊥ lim==⇒no/ 0). If we associate m1 with a correctness
property such as ϕ8 = 〈req〉〈ack〉〈ack〉tt ∧ [lim]ff and attempt to link accep-
tances to satisfactions and rejections to violations (as in Example 5) we end up
with a logical contradiction, namely that p⊥ ∈ Jϕ8K and p⊥ 6∈ Jϕ8K. 
A correspondence between monitor judgements and µHML properties that
relies on the following predicates is established in [26]:
acc(p,m)
def
= ∃t, p′ such that m / p t=⇒ yes / p′ (acceptance)
rej(p,m)
def
= ∃t, p′ such that m / p t=⇒ no / p′ (rejection)
Definition 1 (Sound Monitoring). A monitor m monitors soundly for the
property represented by the formula ϕ, denoted as smon(m,ϕ), whenever for ev-
ery system p ∈ Sys the following conditions hold: (i) acc(p,m) implies p ∈ JϕK ,
(ii) rej(p,m) implies p 6∈ JϕK. 
Definition 1 universally quantifies over all system states p satisfying a for-
mula ϕ that is soundly monitored by a monitor m (this may, in general, be an
infinite set). It also rules out contradicting monitor verdicts. For whenever the
predicate smon(m,ϕ) holds for some monitor m and formula ϕ, and there exists
some system p where acc(p,m), it must be the case that p ∈ JϕK by Defini-
tion 1. Thus, from the logical satisfaction definition we have ¬(p 6∈ JϕK), and by
the contrapositive of Definition 1, we must also have ¬rej(p,m). A symmetric
argument also applies for any system p where rej(p,m), from which ¬acc(p,m)
follows. Sound monitoring is arguably the least requirement for relating a mon-
itor with a logical property. Further to this, the obvious additional stipulation
would be to ask for the dual of Definition 1, namely complete monitoring for m
and ϕ. Intuitively, this would state that for all p, p ∈ JϕK implies acc(p,m), and
also that p 6∈ JϕK implies rej(p,m). However, such a demand turns out to be too
stringent for a large part of the logic presented in Figure 3.
Example 7. Consider the core basic formula 〈α〉tt, describing processes that can
perform action α. One could demonstrate that the simple monitor α.yes satisfies
the condition that, for all systems p, p ∈ JϕK implies acc(p,m). However, for this
formula, no sound monitor exists satisfying the condition that whenever p 6∈ JϕK
then rej(p,m). For assume that one such (sound) monitor m exists satisfying
this condition. Since 0 6∈ J〈α〉ttK, then rej(0,m) follows by our assumption. This
means that this particular monitor can reach a rejection without needing to
observe any actions (i.e., since 0 does not produce any actions, we have m=⇒
no). Such a statement would, in turn, imply that rej(α.0,m) also holds (because
m is able to reach a rejection verdict for any system) although, clearly, α.0 ∈J〈α〉ttK. This makes m unsound, contradicting our initial assumption that m was
sound. 
A dual argument to that of Example 7 can be carried out for another core
basic formula in µHML, namely [α]ff, describing the property of not being able
to produce action α. Although there are sound monitors m satisfying the condi-
tion that for all systems p, if p 6∈ J[α]ffK then rej(p,m), there are none that also
satisfy the condition that for any system p, if p ∈ J[α]ffK then acc(p,m).
The counterarguments posed for the core formulae 〈α〉tt and [α]ff are enough
evidence to convince us that requiring complete monitoring would exclude a
large number of useful formulae in µHML. In fact, the complete monitoring re-
quirement would severely limit correspondence to formulae that are semantically
equivalent to tt and ff only—admittedly, this would not be very useful. In view
of this, we define a weaker form of completeness where we require completeness
w.r.t. either logical satisfactions or violations, but not both.
Definition 2 (Partially-Complete Monitoring). A monitor m can monitor
for a property ϕ in a satifaction-complete, scmon(m,ϕ), or a violation-complete,
vcmon(m,ϕ), manner. These are defined as follows:
scmon(m,ϕ)
def
= ∀p. p ∈ JϕK implies acc(p,m) (satisfaction-complete)
vcmon(m,ϕ)
def
= ∀p. p 6∈ JϕK implies rej(p,m) (violation-complete)
A monitor m monitors for formula ϕ in a partially-complete manner, denoted
as cmon(m,ϕ), when either scmon(m,ϕ) or vcmon(m,ϕ) holds. 
By defining the partially-complete monitoring predicate cmon(m,ϕ) of Def-
inition 2 and the sound monitoring predicate of Definition 1, we are now in a
position to formalise our touchstone notion for monitor-formula correspondence.
Definition 3 (Monitor-Formula Correspondence). A monitor m is said
to monitor for a formula ϕ, denoted as mon(m,ϕ), if it can do it soundly, and
in a partially-complete manner:
mon(m,ϕ)
def
= smon(m,ϕ) and cmon(m,ϕ) 
Example 8. Consider the monitor α.yes and the basic formula 〈α〉tt. One can
verify that α.yes monitors for 〈α〉tt, i.e., mon(α.yes, 〈α〉tt). Intuitively, this is
because every system that α.yes accepts must generate the trace α, which is
precisely the evidence required to show that the system satisfies 〈α〉tt. From
this information, we can deduce that both requirements of Definition 3, i.e.,
smon(α.yes, 〈α〉tt) and cmon(α.yes, 〈α〉tt), hold.
Consider now the same monitor compared to the formula 〈α〉〈β〉tt. According
to Definition 3, α.yes does not monitor for 〈α〉〈β〉tt. We can show this via the
counterexample system α.0: it is not hard to see that the assertion acc(α.0, α.yes)
holds, but the system being monitored for does not satisfy the formula, i.e., α.0 6∈J〈α〉〈β〉ttK. This makes the monitor α.yes unsound, i.e., ¬smon(α.yes, 〈α〉〈β〉tt)
from Definition 1.
By Definition 3, the monitor α.no+β.no monitors for [α]ff∧[β]ff by rejecting
all the systems that violate the property. This is the case because a system
violates [α]ff ∧ [β]ff if and only if it exhibits either trace α or trace β. Such
systems are precisely those that are rejected by the monitor α.no+β.no. 
Definition 3 describes the relationship between monitors and logical formulae
from the monitor’s perspective. Dually, monitorability is an attribute of a logical
formula, describing its ability to be adequately analysed at runtime by a monitor.
The concept of monitorability can also be lifted to sets of formulae (i.e., a
sublogic). In this sense, the definition of monitorability is dependent on the
monitoring set-up assumed (i.e., the semantics of Figure 5) and the conditions
that constitute an adequate runtime analysis. In what follows, we discuss the
monitorability of our logic µHML assuming Definition 3 as our base notion for
adequate monitoring.
Definition 4 (Monitorability). A formula ϕ ∈ µHML is monitorable iff
there exists a monitor m such that mon(m,ϕ). A set of formulae L ⊆ µHML is
monitorable iff every formula in the set, ϕ ∈ L, is monitorable. 
Showing that a set of formulae is monitorable is, in general, non-trivial since
proving Definition 4 entails two universal quantifications: one for all the formulae
in the formula set, and another one for all the systems of the LTS over which
the semantics of the formulae is defined. In both cases, the respective sets may
be infinite. We immediately note that not all logical formulae in µHML are
monitorable. The following example substantiates this claim.
Example 9. Through the witness monitor α.no+β.no discussed in Example 8,
we can show that formula [α]ff ∧ [β]ff is monitorable with a violation-complete
monitor. By contrast, the variant formula [α]ff ∨ [β]ff (swapping the conjunc-
tion with a disjunction operator) is not. This can be shown by arguing to-
wards a contradiction. Assume that there exists some monitor m such that
mon(m, [α]ff ∨ [β]ff). From Definition 3 we know that smon(m, [α]ff ∨ [β]ff) and
cmon(m, [α]ff∨[β]ff) hold, and by Definition 2, there are two subcases to consider
for cmon(m, [α]ff ∨ [β]ff):
– If m is satisfaction-complete, scmon(m, [α]ff ∨ [β]ff), then acc(β.0,m) for
the specific system β.0 since β.0 ∈ J[α]ffK. By the semantics of the logic in
Figure 3 we have β.0 ∈ J[α]ff ∨ [β]ffK. From the acceptance acc(β.0,m), we
know that m must either be able to reach a satisfaction, either autonomously,
m =⇒ yes, or after observing action β, m β=⇒ yes. For both cases we can
argue that m also accepts the system α.0+β.0, since there exists a trace
that leads the monitored system m / α.0+β.0 to an acceptance verdict.
This is unsound (Definition 1) since α.0+β.0 6∈ J[α]ff ∨ [β]ffK, contradicting
smon(m, [α]ff ∨ [β]ff).
– If m is violation-complete, vcmon(m, [α]ff ∨ [β]ff), then, for the specific sys-
tem α.0+β.0, we must have rej(α.0+β.0,m) since, by the logic semantics,
we know α.0+β.0 6∈ J[α]ff ∨ [β]ffK. Now, from the structure of α.0+β.0, we
can deduce that m can reach verdict no along one of the traces , α or β:
• If it is the empty trace , then m must also reject the system 0. However
0 ∈ J[α]ff ∨ [β]ffK since 0 cannot produce any action; this makes the
monitor unsound, contradicting smon(m, [α]ff ∨ [β]ff).
• If the trace is α, m must also reject the system α.0 along the same trace
α. This also makes the monitor unsound: from α.0 ∈ J[β]ffK and the
semantics of Figure 3 we deduce α.0 ∈ J[α]ff ∨ [β]ffK. The case for β is
analogous. 
Definition 5 (Monitorable Logic). Let mHML = cHML ∪ sHML, where
pi,$ ∈ cHML ::= tt | ff | pi ∨$ | 〈α〉pi | minX.pi | X
θ, ϑ ∈ sHML ::= tt | ff | θ ∧ ϑ | [α]θ | maxX.θ | X 
In [25,26], the syntactic subset mHML of Definition 5 is shown to be moni-
torable. At an intuitive level, mHML consists of the co-safe and safe syntactic
subsets of µHML, resp. labelled as cHML and sHML. The logical subset cHML
describes properties whose satisfying systems can provide a witness trace that
enables the monitor to conclusively determine that they are included in the prop-
erty. Dually, sHML captures properties whose systems are unable to provide a
single witness trace that permits the monitor to conclude that they violate the
property. Note that, for both cHML and sHML, any extension of a witness trace
used to reach a verdict is a witness trace itself.
Example 10. Recall formulae ϕ1, ϕ2, ϕ5 and ϕ6 from Example 2. We can estab-
lish that these are indeed monitorable in the sense of Definition 4 by performing
a simple syntactic check against the grammar in Definition 5. This avoids com-
plicated semantic reasoning that is usually harder to automate, such as that
shown in Example 8 and Example 9. 
The work in [25,26] goes even further, and shows that the syntactic subset
identified in Definition 5 is maximally expressive w.r.t. the monitorability of
Definition 4. This means that all the properties that are monitorable can be
expressed in terms of the syntactic fragment described in Definition 5. We are
unaware of any other maximality results for monitorability in the field of RV.
Example 11. The formula 〈α〉tt ∧ 〈α〉tt is not part of the monitorable syntactic
fragment of Definition 5, as the cHML syntax prohibits possibility modalities
(i.e., 〈α〉) from being combined using conjunctions. However, it turns out that
the property denoted by the formula 〈α〉tt∧〈α〉tt is indeed monitorable because it
can be monitored for by the monitor α.yes (see Definition 3). In fact, 〈α〉tt∧〈α〉tt
is semantically equivalent to the formula 〈α〉tt which is, in turn, included in the
syntactic fragment of Definition 5. More generally, the apparently restrictive
mHML fragment of Definition 5 still allows us to describe all the monitorable
properties expressible in µHML. 
4 The Rocky Error Picture Show
A tenet of the basic RV set-up depicted in Figure 1 is that the monitor used
in the configuration is itself correct. Yet, it is perilous to assume that monitors
are immune to errors, for erroneous monitors pose a number of risks. To begin
with, they could invalidate the runtime analysis performed, resulting in wasted
computational overhead (irrespective of how low this might be). Even worse,
erroneous monitors may jeopardise the execution of the SUS itself, and a system
that originally satisfies a correctness specification ends up violating the same
specification after it is instrumented with a monitor. Even though these risks
could prove to be as detrimental as that of having high monitoring overheads, few
monitors come equipped with correctness assurances. In many cases, is it even
unclear what these assurances should be, giving rise to discrepancies between
the expected monitor behaviour and the actual monitor implementation.
A formal development such as the monitorability formulation in Section 3
may help towards mitigating this. For instance, a synthesis function for the
sublogic in Definition 5 was given as a by-product of the monitorability proofs
in [25,26]; this synthesis function was shown to generate monitors that satisfy the
correspondence requirements of Definition 3. However, these assurances (which
mainly focus on the expressiveness of monitors) may not suffice for certain ap-
plications. To illustrate, the monitor α.yes+α.end adequately monitors for the
formula 〈α〉tt according to Definition 3. Yet, it is not hard to see that this does
not always yield an acceptance verdict when the SUS produces the witness trace
α. In this respect, the monitor α.yes mentioned earlier in Example 8 may be
seen as a better, or even, a more correct implementation than α.yes+α.end
that monitors for 〈α〉tt.
The work in [23] studies a possible basis for comparing monitors, that is in-
dependent of the specification language used. It develops a number of preorders
of the form m1 v m2. Intuitively, these denote the fact that, when instrumented
with any arbitrary system p, if the monitored system m1 / p exhibits certain
characteristics, then m2 / p exhibits them as well. For different monitoring char-
acteristics, one obtains different preorders. Such preorders may be used in a
variety of ways. They may be employed as notions of refinement, where m1 rep-
resents a monitor specification whose behaviour is preserved by the concrete
implementation m2. Preorders may also be used to determine when one monitor
implementation can be safely substituted with another, without affecting the ex-
isting characteristics of a monitoring set-up. Importantly, however, they provide
a foundation for understanding monitor errors whenever the relation m1 v m2
does not hold.
We review the salient aspects of this work in the context of our foundational
theory for monitors. To simplify the material that follows, we restrict ourselves
to monitors that only reach rejections. This allows us to side-step issues related
to soundness (discussed earlier in Section 3) and focus on orthogonal behavioural
aspects. Note that our preference for rejections over acceptances is arbitrary. We
begin by capturing the (complete) execution of a monitored system, which may
be described in our setting via the notion of a computation, defined below. In
Definition 6 the trailing τ -transitions permit the monitor to stabilise and reach
a verdict after a number of internal computational steps.
Definition 6. The transition sequence with trace t, m / p
t
=⇒ m0 / p0 τ−→
m1/ p1
τ−→ m2/ p2 τ−→ . . ., is called a t-computation if it is maximal (i.e., either
it is infinite or it is finite and cannot be extended further using τ -transitions).
A t-computation is called rejected (or a rejected computation along t) iff there
exists some n ∈ N in the transition sequence where mn = no. 
Following Definition 3, a criterion for comparing monitors considers the pos-
sible verdicts that may be reached after observing a specific execution trace pro-
duced by the SUS. In this sense, a monitor is as good as another monitor if it
can match all of the rejected computations of the other monitor.
Definition 7. A monitor m potentially-rejects system p along trace t, denoted
as pr(m, p, t), iff there exists a rejecting t-computation from m/ p. Monitor m2
is as good as m1 w.r.t. potential rejections, denoted as m1 vpr m2, iff
for all systems p, and all traces t, pr(m1, p, t) implies pr(m2, p, t).
The preorder induces the expected kernel equivalence m1∼=pr m2 def= (m1 vpr m2
and m2vpr m1). We write m1@pr m2 in lieu of (m1vpr m2 and m2 6vpr m1). 
Example 12. Consider the following monitor descriptions:
m1 = α.β.no m2 = α.no m3 = α.no+β.no m4 = α.no+β.no+β.end
We have m1 @pr m2 since, for any p, any rejected t-computation of m1 (which
must have prefix αβ) is also rejected by m2, but the inverse is not: for some
p
α−→p′ we have pr(m2, p, α) but not pr(m1, p, α). For similar reasons, we have
m2 @pr m3 ∼=pr m4
Observe that m3 and m4 are considered to be potential-rejection equivalent. 
Potential rejections may be too weak for certain mission critical applications.
For instance, although m4 can reject traces that start with β, it does not mean
that it will, because it may (non-deterministically) follow the branch β.end that
does not lead to a rejection. An alternative criterion would thus be to compare
monitors w.r.t. their deterministic rejections.
Definition 8. A monitor m deterministically-rejects system p along trace t, de-
noted as dr(m, p, t), iff all t-computations from m/ p are rejecting. Monitor m2
is as good as m1 w.r.t. deterministic rejections, denoted as m1 vdr m2, iff
for all systems p, and all traces t, dr(m1, p, t) implies dr(m2, p, t).
The respective kernel equivalence, m1 ∼=dr m2, and irreflexive preorder, m1 @dr
m2, induced by deterministic rejections are as expected. 
Example 13. We have the following following relationships w.r.t. deterministic
rejections for the monitors m1 to m4 from Example 12:
m1 @dr m2 ∼=dr m4 @dr m3
We note that, whereas in Example 12, m4 was considered to be strictly better
than m2 w.r.t. potential rejections, it is considered equivalent w.r.t. deterministic
rejections, since the rejections of m4 for traces commencing with a β action are
not deterministic and thus ignored. 
It is worth mentioning that defining the preorders of Definitions 7 and 8
in terms of instrumented system executions (instead of just considering the re-
spective monitor traces in isolation) reveals subtleties that would otherwise be
missed. These would nevertheless manifest themselves at runtime.
Example 14. Consider the construct τ.m, describing a monitor that performs an
internal computation τ before behaving like m. Using the syntax of Figure 5,
this may be encoded as recx.m, where x is not a free variable in the continua-
tion m (see rule Rec). We have the following relations between a monitor that
immediately rejects (no), and another that performs some internal computation
before yielding reject (τ.no):
no ∼=pr τ.no but τ.no @dr no
It is not hard to see why the monitor no is a top element for both preorders vpr
and vdr, since it immediately rejects all traces for any given system p (i.e., for
any m, we have m vpr no and m vdr no). The monitor τ.no exhibits the exact
behaviour w.r.t. potential rejections and is thus a top element for vpr as well.
Interestingly, τ.no is not a top element for vdr however. Consider, as a counter
example, the system p that goes into an infinite (internal) loop p
τ−→ p τ−→ . . ..
When instrumented with the monitor τ.no, the monitored system can exhibit
the -computation τ.no / p
τ−→ τ.no / p τ−→ τ.no / p τ−→ . . . effectively starving
the monitor τ.no, and preventing it from ever reaching its rejection verdict, no.
Thus, we do not have dr(τ.no, p, ) and, as a result, the inequality no vdr τ.no
does not hold. 
Formulating Definitions 7 and 8 in terms of instrumented system executions
also facilitates the classification of anomalous monitor behaviour.
Example 15. Consider the unresponsive monitor mω, that goes into an infinite
loop without exhibiting any other behaviour (i.e., mω
τ−→mω τ−→ . . .). Whereas
for the potentially-rejecting preorder, this monitor is clearly a bottom element
(i.e., for any m we have mω vpr m) it is, perhaps surprisingly, not a bottom ele-
ment for the deterministic-rejection preorder. In fact, according to Definition 8,
we obtain seemingly peculiar orderings such as the one below (using monitor m2
defined earlier in Example 12):
m2 @dr mω @dr no
Note that, according to the instrumentation semantics of Figure 5, mω pre-
vents any system that is composed with it from generating observable events:
for arbitrary p, whenever p
α−→ p′ given some α, rule Mon cannot be applied
(since mω 6 α−−→) and neither can rule Ter (since mω τ−→). This means that that
dr(mω, p, t) holds for any system p and trace t that is not empty (i.e., t 6= ).
This condition holds trivially because no such trace exists, thus explaining why
m2 @dr mω. The only case where dr(mω, p, t) does not hold is precisely when
t = , leaving us with mω @dr no. 
Using the two preorders vpr and vdr, we can define a third (more refined)
preorder that is an intersection of the two presented thus far, taking into con-
sideration both of their respective criteria when comparing monitors.
Definition 9. A monitor m2 is as good as a monitor m1 w.r.t. rejections, de-
noted as m1 vrej m2, iff m1 vpr m2 and m1 vdr m2. 
Whenever we have m1 vrej m2, we can substitute m1 with m2 safe in the
knowledge that, all potential and deterministic rejections made by m1 are pre-
served by m2 irrespective of the system these are composed with. Alternatively,
should we consider missed rejections as our notion of error, then whenever
m1 6vrej m2 we know that when instrumented with a common system, m2 may
not exhibit all the rejections that m1 produces.
Example 16. We obtain the following strict ordering w.r.t. Definition 9:
m1 @rej m2 @rej m4 @rej m3 
In [23], additional monitor preorders are considered based on other correct-
ness criteria. For instance, monitors are compared w.r.t. to their capability of
interfering with the execution of a system, as outlined briefly in Example 15.
Apart from devising correctness preorders, the aforementioned work also de-
velops sound compositional techniques that can check for preorder inequalities
without relying on universal quantifications on systems. Although this is essen-
tial for any automated checking of said preorder inequalities, such compositional
techniques are outside the scope of this presentation. Interested readers should
nevertheless consult [23] for more details.
5 Monitorability and Correctness Now Redux
The concepts outlined in Sections 3 and 4 served as a basis for various other
work related to RV, monitors and monitorability. We here discuss a subset of
this work.
Tools. In [6], the monitorability results presented in Section 3 (and their re-
spective proofs reported in [26]) were used for the construction of a monitoring
tool called detectEr. In this tool, monitorable correctness properties for reac-
tive Erlang programs can be specified using the monitorable syntactic subset
Monitorϕ e
1
1 e
2
1 e
1
2 e
1
3 e
2
2 · · ·
execution trace
e11 e
1
2 e
1
3 e
2
1 e
2
2 · · ·
e21 e
2
2 e
1
1 e
1
2 e
1
3 · · ·
alternate plausible traces
C1
C2
C2 C1
C1
C2
system
analyses
exhibi
ts
exhibitsinfers
Fig. 7. Monitoring components C1 and C2 and inferring their other plausible traces.
of Definition 5. From these logical specifications, detectEr automatically synthe-
sises monitors that are then instrumented to execute alongside an Erlang SUS,
reporting satisfaction or violation verdicts depending on the behaviour exhib-
ited. The need for a more comprehensive instrumentation mechanism for the
target language (Erlang), resulted in the development of an aspect-oriented util-
ity called eAOP [15]. This tool is incorporated into the detectEr toolchain, and
its development and features (e.g. its pointcut definitions) are largely guided
by the RV requirements for detectEr. Nevertheless, eAOP can also be used as a
standalone utility for other purposes such as Erlang code refactoring.
Monitorability. The work of [7] considers a slightly different monitoring setup
to that presented in Figure 1. Interestingly, it shows how the maximality results
for monitorability of Section 3 can be extended when working with the new setup.
This work views the SUS as a collection of components (instead of treating it as
one monolithic block) whereby certian trace events can be attributed to specific
components, as shown in Figure 7. The monitor is equipped with this static
information about the SUS to permit it to extend its analytical capabilities.
In the case of [7], certain components are known to be execution-independent
to one another, meaning that from a particular trace interleaving observed in
the current execution trace, the monitor could infer additional (plausible) traces
that can also be used for verification purposes.
For instance, in Example 9 we earlier argued why the property [α]ff ∨ [β]ff
in the basic setup of Figure 1 is not monitorable. The formula states that a SUS
satisfies the property if it either cannot perform α or it cannot perform β. A
trace can however only provide us with enough evidence to deduce that only one
of the execution subbranches is violated, not both. Yet, if we know that actions
α and β can be produced exclusively by independently-executing components
C1 and C2 resp., from a witness trace of the form αβ . . ., a monitor in the setup
of Figure 7 could infer that the trace βα . . . can also be generated by the system
(for a different execution interleaving of components C1 and C2). This allows the
monitor to analyse two execution traces instead of one: the witness and inferred
traces can then be used together to obtain enough evidence to be able to deduce
a violation of the property [α]ff ∨ [β]ff, making it monitorable.
In other work [22], the authors show how the monitorable subset of Definition 5
can be used to devise a strategy that apportions the verification process be-
tween the pre-deployment (via standard techniques such as Model Checking)
and post-deployment (using RV) phases of software development. To illustrate,
consider the property 〈α〉([β]ff ∨ 〈α〉tt) which clearly does not belong to the
monitorable subset of Definition 5. Reformulating it into its semantic equiva-
lent, 〈α〉[β]ff∨〈α〉〈α〉tt, allows us to isolate the runtime-monitorable subformula
〈α〉〈α〉tt. One could then check for subformula 〈α〉[β]ff prior to deployment, and
in cases where this is not satisfied, monitor for the 〈α〉〈α〉tt at runtime.
Monitor Correctness. In [1], the authors consider the use of standard deter-
minisation techniques borrowed from automata theory to determinise monitors
and their respective verdicts. The approach would enable a tool to take (non-
deterministic) monitor descriptions such as α.β.yes+α.γ.yes (e.g. produced by
the detectEr tool of [6] when synthesising monitors from the monitorable formula
〈α〉〈β〉tt ∨ 〈α〉〈γ〉tt) and obtain the monitor α.(β.yes+ γ.yes) instead. The key
contribution of this work is the establishment of complexity upper bounds (more
or less known) and, more interestingly, complexity lower bounds whereby con-
verting a non-deterministic monitor of n states to a deterministic one requires a
space complexity of at least 22
Ω
√
n logn
.
A fully deterministic monitor behaviour (where every event analysed leads
exclusively to one possible monitor state) is too rigid in practice to describe
the behaviour of certain monitor implementations. A case in point is monitor-
ing that is conducted via a number of concurrent submonitors [27] that may
be subject to different thread interleaving every time they are executed. The
monitor framework discussed in Section 4 served as a basis for the formula-
tion of a definition for consistently-detecting monitors [24] that allows degrees
of non-deterministic behaviour as long as these are not externally observable
via inconsistent detections. The work in [24] borrows from the compositional-
ity techniques studied in [23] to define an alternative coinductive definition for
consistent monitor behaviour based on the notion of controllability [31]. It also
develops symbolic techniques that facilitate the construction of analysis tools for
determining monitor controllability.
Language Design. The work presented in [14] uses the safety fragment sHML
from Definition 5 as a basis for defining a scripting language for describing adap-
tation procedures in a monitor-oriented programming paradigm. It specifically
targets systems that are constructed in a layered fashion, with the outer layers
adding degrees of functionality in response to the behaviour observed from the
inner layers. In this setup, the monitors produced are not passive in the sense
that they merely analyse behaviour, but actively engage with the observed sys-
tem via adaptations so as to change its behaviour and mitigate system faults.
Despite of their benefits, runtime adaptations induced by monitors may intro-
duce certain errors themselves. For this reason, in [13] the authors also define
language-based methods in the form of a type system to assist monitor con-
struction and to statically detect erroneous adaptations declared in the monitor
scripts at design time.
6 Conclusion
In this paper we surveyed a body of work that strives to establish a formal
foundation for the RV technique. It focusses on addressing two main ques-
tions, namely monitorability for system specifications and monitor correctness.
Although the account concentrated mainly on unifying the work presented in
[25,26] and [23], it also showed how this preliminary work has served as a ba-
sis for subsequent developments on the subject, such as [13,14,1,7,24]. We are
currently working on extending these results even further, by investigating moni-
torability for diverse monitoring set-ups along the lines of [7], and by considering
monitors with augmented capabilities such as those that perform property en-
forcement [36].
References
1. L. Aceto, A. Achilleos, A. Francalanza, A. Ingo´lfsdo´ttir, and S. O¨. Kjartansson.
On the Complexity of Determinizing Monitors. In CIAA, volume 10329 of LNCS,
pages 1–13, 2017.
2. L. Aceto, A. Ingo´lfsdo´ttir, K. G. Larsen, and J. Srba. Reactive Systems: Modelling,
Specification and Verification. Cambridge University Press, 2007.
3. W. Ahrendt, J. M. Chimento, G. J. Pace, and G. Schneider. A Specification
Language for Static and Runtime Verification of Data and Control Properties. In
FM, volume 9109 of LNCS, pages 108–125, 2015.
4. I. Aktug and K. Naliuka. ConSpec - A formal language for policy specification.
Sci. Comput. Program., 74(1-2):2–12, 2008.
5. C. Artho, H. Barringer, A. Goldberg, K. Havelund, S. Khurshid, M. R. Lowry,
C. S. Pasareanu, G. Rosu, K. Sen, W. Visser, and R. Washington. Combining Test
Case Generation and Runtime Verification. Theor. Comput. Sci., 336(2-3):209–
234, 2005.
6. D. P. Attard and A. Francalanza. A Monitoring Tool for a Branching-Time Logic.
In RV, volume 10012 of LNCS, pages 473–481, 2016.
7. D. P. Attard and A. Francalanza. Trace Partitioning and Local Monitoring for
Asynchronous Components. In SEFM, LNCS, 2017. (to appear).
8. S. Azzopardi, C. Colombo, G. J. Pace, and B. Vella. Compliance Checking in the
Open Payments Ecosystem. In SEFM, volume 9763 of LNCS, pages 337–343, 2016.
9. C. Baier and J. P. Katoen. Principles of Model Checking. MIT Press, New York,
2008.
10. H. Barringer, A. Goldberg, K. Havelund, and K. Sen. Rule-Based Runtime Verifi-
cation. In VMCAI, volume 2937 of LNCS, pages 44–57. 2004.
11. D. A. Basin, F. Klaedtke, S. Marinovic, and E. Zalinescu. Monitoring Compliance
Policies over Incomplete and Disagreeing Logs. In RV, volume 7687 of LNCS, pages
151–167, 2012.
12. G. P. Brat, D. Drusinsky, D. Giannakopoulou, A. Goldberg, K. Havelund, M. R.
Lowry, C. S. Pasareanu, A. Venet, W. Visser, and R. Washington. Experimen-
tal Evaluation of Verification and Validation Tools on Martian Rover Software.
Formal Methods in System Design, 25(2-3):167–198, 2004.
13. I. Cassar and A. Francalanza. Runtime Adaptation for Actor Systems. In RV,
volume 9333 of LNCS, pages 38–54, 2015.
14. I. Cassar and A. Francalanza. On Implementing a Monitor-Oriented Programming
Framework for Actor Systems. In IFM, volume 9681 of LNCS, pages 176–192, 2016.
15. I. Cassar, A. Francalanza, L. Aceto, and A. Ingo´lfsdo´ttir. eAOP - An Aspect
Oriented Programming Framework for Erlang. In Erlang Workshop, 2017. (to
appear).
16. F. Chen and G. Rosu. MOP: An Efficient and Generic Runtime Verification Frame-
work. In OOPSLA, pages 569–588, 2007.
17. E. M. Clarke, Jr., O. Grumberg, and D. A. Peled. Model Checking. MIT Press,
Cambridge, MA, USA, 1999.
18. C. Colombo, A. Francalanza, R. Mizzi, and G. J. Pace. polyLarva: Runtime Ver-
ification with Configurable Resource-Aware Monitoring Boundaries. In SEFM,
volume 7504 of LNCS, pages 218–232, 2012.
19. B. D’Angelo, S. Sankaranarayanan, C. Sa´nchez, W. Robinson, B. Finkbeiner, H. B.
Sipma, S. Mehrotra, and Z. Manna. LOLA: Runtime Monitoring of Synchronous
Systems. In TIME, pages 166–174, 2005.
20. S. Debois, T. T. Hildebrandt, and T. Slaats. Safety, Liveness and Run-Time Re-
finement for Modular Process-Aware Information Systems with Dynamic Sub Pro-
cesses. In FM, volume 9109 of LNCS, pages 143–160, 2015.
21. N. Decker, M. Leucker, and D. Thoma. jUnitRV-Adding Runtime Verification to
jUnit. In NFM, volume 7871 of LNCS, pages 459–464, 2013.
22. D. Della Monica and A. Francalanza. Towards a Hybrid Approach to Software
Verification. In NWPT, number SCS16001 in RUTR, pages 51–54, 2015.
23. A. Francalanza. A Theory of Monitors - (Extended Abstract). In FoSSaCS, volume
9634 of LNCS, pages 145–161, 2016.
24. A. Francalanza. Consistently-Detecting Monitors. In CONCUR, LNCS, 2017. (to
appear).
25. A. Francalanza, L. Aceto, and A. Ingo´lfsdo´ttir. On Verifying Hennessy-Milner
Logic with Recursion at Runtime. In RV, volume 9333 of LNCS, pages 71–86,
2015.
26. A. Francalanza, L. Aceto, and A. Ingolfsdottir. Monitorability for the Hennessy–
Milner Logic with Recursion. Formal Methods in System Design, pages 1–30, 2017.
27. A. Francalanza and A. Seychell. Synthesising Correct Concurrent Runtime Moni-
tors. Formal Methods in System Design, 46(3):226–261, 2015.
28. A. Kane, O. Chowdhury, A. Datta, and P. Koopman. A Case Study on Runtime
Monitoring of an Autonomous Research Vehicle (ARV) System. In RV, volume
9333 of LNCS, pages 102–117, 2015.
29. A. Kassem, Y. Falcone, and P. Lafourcade. Monitoring Electronic Exams. In RV,
volume 9333 of LNCS, pages 118–135, 2015.
30. M. Kim, M. Viswanathan, S. Kannan, I. Lee, and O. Sokolsky. Java-MaC: A Run-
Time Assurance Approach for Java Programs. Formal Methods in System Design,
24(2):129–155, 2004.
31. J. Klamka. Control System, Robotics and Automation, volume 7, chapter System
Characteristics: Stability, Controllability, Observability. EOLLS, 2009.
32. D. Kozen. Results on the Propositional mu-Calculus. Theor. Comput. Sci., 27:333–
354, 1983.
33. K. G. Larsen. Proof Systems for Satisfiability in Hennessy-Milner Logic with
Recursion. Theor. Comput. Sci., 72(2&3):265–288, 1990.
34. F. Lerda and W. Visser. Addressing Dynamic Issues of Program Model Checking.
In SPIN, volume 2057 of LNCS, pages 80–102, 2001.
35. M. Leucker and C. Schallhart. A Brief Account of Runtime Verification. J. Log.
Algebr. Program., 78(5):293–303, 2009.
36. J. Ligatti, L. Bauer, and D. Walker. Edit automata: enforcement mechanisms for
run-time security policies. Int. J. Inf. Secur., 4(1-2):2–16, 2005.
37. P. O. Meredith, D. Jin, D. Griffith, F. Chen, and G. Rosu. An Overview of the
MOP Runtime Verification Framework. STTT, 14(3):249–289, 2012.
38. R. Neykova and N. Yoshida. Let it Recover: Multiparty Protocol-Induced Recovery.
In CC, pages 98–108, 2017.
39. G. Reger, H. C. Cruz, and D. E. Rydeheard. MarQ: Monitoring at Runtime with
QEA. In TACAS, volume 9035 of LNCS, pages 596–610, 2015.
40. S. Varvaressos, D. Vaillancourt, S. Gaboury, A. B. Masse´, and S. Halle´. Runtime
Monitoring of Temporal Logic Properties in a Platform Game. In RV, volume 8174
of LNCS, pages 346–351, 2013.
View publication stats
